Displaying 20 results from an estimated 3000 matches similar to: "[Bug 3159] New: authorized_keys: gap in port forwarding restrictions"
2017 May 08
2
[Bug 2716] New: [PATCH] Add "permitlisten" support for -R style forward
https://bugzilla.mindrot.org/show_bug.cgi?id=2716
Bug ID: 2716
Summary: [PATCH] Add "permitlisten" support for -R style
forward
Product: Portable OpenSSH
Version: 7.5p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
2017 May 05
3
[Bug 2711] New: Patch to add permitgwport and restrict permitopen to be a default deny
https://bugzilla.mindrot.org/show_bug.cgi?id=2711
Bug ID: 2711
Summary: Patch to add permitgwport and restrict permitopen to
be a default deny
Product: Portable OpenSSH
Version: 7.2p2
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component:
2019 Oct 09
0
Announce: OpenSSH 8.1 released
OpenSSH 8.1 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested
2017 May 08
2
[PATCH] / permitgwports / permitlisten
Hi Phillipp, developers;
I likewise just submitted a patch for similar. It is buried under the thread named OpenSSH contract development / patch.
At the request of the OpenSSH dev team, I submitted our patch in the mindrot Bugzilla
https://bugzilla.mindrot.org/show_bug.cgi?id=2711
Your patch, I see is available there too
https://bugzilla.mindrot.org/show_bug.cgi?id=2716
Anyhow, just drawing
2001 Aug 27
1
permitopen flag in authorized_keys file
I've just discovered the permitopen flag. We need such a feature for
our poor man's VPN services, but this flag seems to be usable only if
you generate your authorized_keys file from a database or something
like that: keeping a long list of host/port combinations up to date
for several users and keys is no fun.
As announced before, we have developed a far more powerful mechanism
for
2002 Aug 13
1
[PATCH] global port forwarding restriction
Here's another patch for people providing ssh access to restricted
environments.
We allow our users to use port forwarding when logging into our mail
servers so that they can use it to fetch mail over an encrypted channel
using clients that don't support TLS, for example fetchmail. (In fact,
fetchmail has built-in ssh support.) However we don't want them connecting
to other places
2012 Aug 29
39
[Bug 2038] New: permitopen functionality but for remote forwards
https://bugzilla.mindrot.org/show_bug.cgi?id=2038
Priority: P5
Bug ID: 2038
Assignee: unassigned-bugs at mindrot.org
Summary: permitopen functionality but for remote forwards
Severity: enhancement
Classification: Unclassified
OS: Other
Reporter: damonswirled at gmail.com
Hardware: Other
2008 Aug 22
1
CIDR address/masklen matching support for permitopen="host:port" restrictions?
Dear openssh-unix-dev list,
in OpenSSH 5.1 you introduced CIDR address/masklen matching for "Match address" blocks in sshd_config as well as supporting CIDR matching in ~/.ssh/authorized_keys from="..." restrictions in sshd.
I wonder whether CIDR address/masklen matching will be implemented for permitopen="host:port" restrictions in sshd as well, that would be quite
2019 Oct 01
9
Call for testing: OpenSSH 8.1
Hi,
OpenSSH 8.1p1 is almost ready for release, so we would appreciate testing
on as many platforms and systems as possible. This is a bugfix release.
Snapshot releases for portable OpenSSH are available from
http://www.mindrot.org/openssh_snap/
The OpenBSD version is available in CVS HEAD:
http://www.openbsd.org/anoncvs.html
Portable OpenSSH is also available via git using the
instructions at
2003 Aug 29
2
authorized_keys options for remote forwarding
Hi,
I've recently run into a situation where I want clients (or certain
keys) to connect to an OpenSSH server and set up a remote port
forwarding channel (-R) without allowing them to do anything else.
It seems that current OpenSSH doesn't support this. I would like to
suggest the following changes to the options for authorized_keys:
* add a no-local-forwarding option that denies
2020 Jun 14
12
[Bug 3181] New: ssh-agent doesn't exit automatically after child program exits
https://bugzilla.mindrot.org/show_bug.cgi?id=3181
Bug ID: 3181
Summary: ssh-agent doesn't exit automatically after child
program exits
Product: Portable OpenSSH
Version: 8.0p1
Hardware: All
OS: All
Status: NEW
Severity: trivial
Priority: P5
Component: ssh-agent
2011 Feb 10
6
[Bug 1857] New: [RFE] restrict port forwarding to localhost
https://bugzilla.mindrot.org/show_bug.cgi?id=1857
Summary: [RFE] restrict port forwarding to localhost
Product: Portable OpenSSH
Version: 5.8p1
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy:
2011 Sep 30
0
openssh remote port forwarding and permitopen
I have an application where a lot of end user CPE devices ssh in
automatically to a central server, and are authenticated
by public key, to do remote (-R) port forwarding, so we can open
a connection back to a particular port on the remote device whether
it's behind some NAT or firewall or whatever. I want to be certain,
however, that if I open port 12345, it is connected to the correct
end
2015 Feb 01
7
[Bug 2347] New: permitopen doesn't work with unix domain sockets
https://bugzilla.mindrot.org/show_bug.cgi?id=2347
Bug ID: 2347
Summary: permitopen doesn't work with unix domain sockets
Product: Portable OpenSSH
Version: 6.7p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs
2010 Nov 28
0
Forwarding Remote Ports.
I was setting up sshd on a netbsd box to allow cygwin users to auto-ssh
in, and be rsync'ed. I wanted to secure the install such that a
compromised or stolen cygwin client could not be used to attack the sshd
server.
Setting shell to /usr/bin/false and using -N client side were helpful. I
disabled portforwarding for the client sshkey, and
2009 Jun 12
2
Restrict port forwarding on server
Hi,
Is there a way to restrict port forwarding on the server?
I want only port 8080 on the server to be available to clients.
Example when I give this command clients should be able to connect:
ssh -L 30300:localhost:8080 ....
When I give this for example clients should not be able to connect:
ssh -L 30300:localhost:4040 ....
I tried this option in config file of server:
PermitOpen
2023 Nov 12
1
Match Principal enhancement
AFAIK everything you described here could be done using the
AuthorizedKeysCommand or AuthorizedPrincipalsCommand directives. These
can emit authorized_keys options (inc. permitopen) as well as the allowed
keys/principals.
On Sun, 12 Nov 2023, Bret Giddings wrote:
> Hi OpenSSH devs,
>
> I'm wondering if the following has any merit and can be done securely ...
>
> If you could
2003 Jan 29
0
[PATCH] features for restricted shell environments
The patch below implements a couple of features which are useful
in an environment where users do not have a regular shell login.
It allows you to selectively disable certain features on a
system-wide level for users with a certain shell; it also allows
you to control and audit TCP forwarding in more detail.
Our system is an email server with a menu for the login shell;
we selectively allow port
2023 Nov 12
1
Match Principal enhancement
Hi OpenSSH devs,
I'm wondering if the following has any merit and can be done securely ...
If you could match on principals in the sshd_config, then (for example) on a gateway machine, you could have something like
/etc/ssh/authorized_keys/sshfwd:
cert-authority,principals="batcha-fwd,batchb-fwd" ...
/etc/ssh/sshd_config containing:
Match User sshfwd
PubkeyAuthentication yes
2018 Aug 24
0
Announce: OpenSSH 7.8 released
OpenSSH 7.8 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested