[Bug 1949] New: PermitOpen none option

bugzilla-daemon at bugzilla.mindrot.org
Sun Nov 6 19:51:23 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=1949

             Bug #: 1949
           Summary: PermitOpen none option
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.9p1
          Platform: All
        OS/Version: OpenBSD
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: loganaden at gmail.com


Created attachment 2104
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2104
permitopen_none option diff

From the Debian bug tracker:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543683

Package: openssh-server
Version: 1:5.1p1-7
Severity: wishlist

I'm trying to set up a reverse SSH box (i.e. one where people stuck
behind NAT can SSH in and initiate a tunnel back to their machine).
They use it something like this:

  ssh login at box -R 2000:localhost:22

I'm trying to lock this down as far as possible - in particular I'd
like to disable AllowTcpForwarding; however, if I do this it prevents
both local _and_ remote tunnels.

Leaving AllowTcpForwarding open and setting "PermitOpen
127.0.0.1:65535" gets close - all the reverse tunnels work, but the
only local tunnel that will work is "ssh login at box -L
xxxx:localhost:65535".

I'd like to use "PermitOpen none" (or just blank) however sshd doesn't
allow this (just checked the source code).

Thanks,

Adrian
-- 
Email: adrian at smop.co.uk  -*-  GPG key available on public key servers
Debian GNU/Linux - the maintainable distribution   -*-  www.debian.org

I thought I'd give it a try.

I added a new function that populates the list of allowed sockets
with NULL, and also added the permitopen none option.

Any feedback on how to improve the code would be nice :-)

//Logan
C-x-C-c
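The two server configurations the report contrasts, written out as an added example (this is not from the bug or the attached diff; "box", "login", port 2000 and the xxxx placeholder are the report's own):

```conf
# sshd_config on the reverse-tunnel box described in the report (added example).
# Goal: a client may run  ssh login@box -R 2000:localhost:22  (a remote tunnel
# back to the client), but must not open local (-L) tunnels through the box.

# Disabling forwarding outright blocks -R as well as -L, so this is too strict:
#AllowTcpForwarding no

# Workaround from the report: leave forwarding on but permit only a single
# destination that nothing listens on. -R still works because PermitOpen
# governs only the destinations of local (-L) forwards, but
# ssh login@box -L xxxx:localhost:65535 is still accepted by sshd.
AllowTcpForwarding yes
PermitOpen 127.0.0.1:65535

# What the report asks for: refuse every -L destination while leaving -R alone.
# sshd 5.9p1 rejects this line; the attached diff adds support for it.
#PermitOpen none
```

Current OpenSSH releases accept "PermitOpen none" and also offer "AllowTcpForwarding remote", which states the remote-only policy directly.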


