[Bug 2716] New: [PATCH] Add "permitlisten" support for -R style forward
bugzilla-daemon at bugzilla.mindrot.org
Mon May 8 22:57:11 AEST 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2716
Bug ID: 2716
Summary: [PATCH] Add "permitlisten" support for -R style forward
Product: Portable OpenSSH
Version: 7.5p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: philipp.heckel at gmail.com
Created attachment 2977
--> https://bugzilla.mindrot.org/attachment.cgi?id=2977&action=edit
Add "permitlisten" support for -R style forward
Hi there,

my apologies for duplicating this message here. I saw too late that
there is also a public bug tracker.

This patch adds support for per-key restriction of -R style forwards
via a "permitlisten"-option in the authorized_keys file -- similar to
the "permitopen"-option for -L style forwards.

This is desirable if you want to have restricted accounts/keys that
can only be used for -R style forwards on certain ports.

With this example authorized_keys file:

    restrict,permitlisten="localhost:8080" ssh-rsa AAAAB3Nza...

This is allowed:

    $ ssh -R 8080:localhost:80 root@localhost -N

While this is not allowed (note port 8081):

    $ ssh -R 8081:localhost:80 root@localhost -N
    Error: remote port forwarding failed for listen port 8081

This is a preliminary patch (no support for a servconf option
"PermitListen" yet), because I wanted to get early feedback before
continuing.

Do you think this approach is correct? Would this be a desirable
feature? Is "permitlisten" the correct name for this? Or would
"permitropen", "permitremoteopen" be better suited?

Best,
Philipp Heckel

WIP branch/pull:
https://github.com/openssh/openssh-portable/pull/65

Mailing list:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2017-May/036000.html
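
Added example, not part of the original message or of the attached patch: a small Python model of the per-key check the message describes, useful for auditing which -R listen addresses an authorized_keys entry would accept. The function names, the exact host:port string match and the "localhost" default bind address are assumptions for illustration; sshd's own matching may differ.

```python
import re

# Constructed sample, modelled on the authorized_keys line in the message.
SAMPLE = 'restrict,permitlisten="localhost:8080" ssh-rsa AAAAB3Nza...'
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting like this has no options
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(,|\s|$)')

def parse_options(line):
    """Return [(name, value_or_None)] from the options field of one line."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(KEY_PREFIXES):
        return []
    opts, pos = [], 0
    while True:
        m = OPTION_RE.match(line, pos)
        if not m:
            raise ValueError("malformed options field")
        opts.append((m.group(1).lower(), m.group(2)))
        if m.group(3) != ",":
            return opts  # whitespace (or end of line) closes the options field
        pos = m.end()

def permitted_listens(line):
    """(host, port) string pairs named by permitlisten options on this key."""
    pairs = []
    for name, value in parse_options(line):
        if name == "permitlisten" and value:
            host, _, port = value.rpartition(":")
            pairs.append((host.lower(), port))
    return pairs

def check_remote_forward(line, spec):
    """True/False for an 'ssh -R' spec, or None if the key has no permitlisten."""
    allowed = permitted_listens(line)
    if not allowed:
        return None
    parts = spec.split(":")  # [bind:]port:host:hostport (IPv6 literals not handled)
    if len(parts) not in (3, 4):
        raise ValueError("unsupported -R spec")
    # Assumption: no bind address means "localhost", as in the message's example.
    bind, port = ("localhost", parts[0]) if len(parts) == 3 else parts[:2]
    return (bind.lower(), port) in allowed

if __name__ == "__main__":
    for spec in ("8080:localhost:80", "8081:localhost:80"):
        print(spec, "->", check_remote_forward(SAMPLE, spec))
```

A None result only means this option places no limit on the key; other options on the same line (such as restrict) still apply and are not evaluated here.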