[Bug 3275] New: PermitListen does not work in Match block and permitlisten= does not work in authorized_keys file
bugzilla-daemon at mindrot.org
Wed Mar 10 19:23:43 AEDT 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3275
Bug ID: 3275
Summary: PermitListen does not work in Match block and
permitlisten= does not work in authorized_keys file
Product: Portable OpenSSH
Version: 8.5p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: evgeny.vasilchenko at protonmail.com
* CentOS Linux release 7.9.2009 (Core)
* OpenSSH_8.5p1, OpenSSL 1.0.2k-fips 26 Jan 2017 built from sources:
./configure --with-md5-passwords --with-pam --with-selinux
--with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
1) As per https://man.openbsd.org/sshd_config.5#Match, the Match block
allows the "PermitListen" keyword; however:
----- /etc/ssh/sshd_config -----------
Match User user
PermitListen localhost:5555
--------------------------------------
# systemctl restart sshd
Job for sshd.service failed because the control process exited with
error code. See "systemctl status sshd.service" and "journalctl -xe"
for details
# journalctl -xe
[...skipped...]
Mar 10 08:21:32 lbtest1 systemd[1]: Starting OpenSSH server daemon...
-- Subject: Unit sshd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has begun starting up.
Mar 10 08:21:32 lbtest1 sshd[3973]: /etc/ssh/sshd_config: line 142: Bad
configuration option: PermitListen
Mar 10 08:21:32 lbtest1 sshd[3973]: /etc/ssh/sshd_config line 142:
Directive 'PermitListen' is not allowed within a Match block
Mar 10 08:21:32 lbtest1 systemd[1]: sshd.service: main process exited,
code=exited, status=255/n/a
Mar 10 08:21:32 lbtest1 systemd[1]: Failed to start OpenSSH server
daemon.
-- Subject: Unit sshd.service has failed
--------------------------------------
2) The permitlisten= option does not work, with or without an IP address,
while permitopen= works fine in the authorized_keys file.
--- /home/user/.ssh/authorized_keys ----
restrict,pty,port-forwarding,permitopen="localhost:22",permitlisten="5555"
ssh-rsa AAAAB3Nza
--------------------------------------
--- Remote port forwarding command and result ----
$ ssh 5555:localhost:22 user@xxx.xxx.xxx.xxx
user@xxx.xxx.xxx.xxx: Permission denied (publickey).
--------------------------------------
SSHD log file with DEBUG
------------------------
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: trying public key file
/home/user/.ssh/authorized_keys
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: fd 4 clearing O_NONBLOCK
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: allow port forwarding to
host localhost port 22
Mar 10 07:53:26 lbtest1 sshd[3781]: Bad options in
/home/user/.ssh/authorized_keys file, line 1: permitlisten="5555"
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: restore_uid: 0/0
Mar 10 07:53:26 lbtest1 sshd[3781]: Failed publickey for user from
xxx.xxx.xxx.xxx port 17445 ssh2: RSA
------------------------
------------------------
Mar 10 07:52:32 lbtest1 sshd[3773]: debug1: allow port forwarding to
host localhost port 22
Mar 10 07:52:32 lbtest1 sshd[3773]: Bad options in
/home/user/.ssh/authorized_keys file, line 1:
permitlisten="localhost:5555" ssh-rsa AAAAB3NzaC1y
Mar 10 07:52:32 lbtest1 sshd[3773]: debug1: restore_uid: 0/0
Mar 10 07:52:32 lbtest1 sshd[3773]: Failed publickey for user from
xxx.xxx.xxx.xxx port 50403 ssh2: RSA
------------------------
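The report above hinges on whether sshd accepts the option field of an authorized_keys line. As an added example that is not part of this bug report and not OpenSSH's own code, the following Python pre-flight checker parses that option field and validates the forwarding options against the shapes documented in sshd(8): permitopen="host:port" and permitlisten="[host:]port" (port may be a number or "*", host may be bracketed for IPv6). The tokenizer is a simplified reimplementation of sshd's quoting rules (double quotes with backslash escapes), the sample lines are constructed, and the checker also flags a key line that carries restrict together with permitopen/permitlisten but no port-forwarding, because restrict disables forwarding and the permit lists then have no effect.

```python
"""Pre-flight checker for the option field of authorized_keys lines (added example)."""
from typing import List, Optional, Tuple

# Constructed sample lines; keys are truncated placeholders, not real keys.
SAMPLE_LINES = [
    'restrict,pty,port-forwarding,permitopen="localhost:22",permitlisten="5555" '
    'ssh-rsa AAAAB3Nza... user@example',
    'restrict,port-forwarding,permitlisten="localhost:5555" ssh-ed25519 AAAAC3Nza... user@example',
    'restrict,permitopen="22" ssh-ed25519 AAAAC3Nza... broken@example',
]

FORWARD_OPTS = {"permitopen", "permitlisten"}
RESTRICT_WARNING = ("permitopen/permitlisten have no effect: restrict disables "
                    "forwarding unless port-forwarding is also set")


def split_line(line: str) -> Tuple[str, str]:
    """Split a line into (options, key-and-comment) at the first unquoted whitespace."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].strip()
    return line, ""


def split_options(options: str) -> List[Tuple[str, Optional[str]]]:
    """Tokenize 'a,b="x,y",c' into [(a, None), (b, 'x,y'), (c, None)]; simplified sshd rules."""
    out: List[Tuple[str, Optional[str]]] = []
    i, n = 0, len(options)
    while i < n:
        j = i
        while j < n and options[j] not in "=,":
            j += 1
        name = options[i:j].lower()
        value: Optional[str] = None
        if j < n and options[j] == "=":
            j += 1
            if j < n and options[j] == '"':          # quoted value, may contain commas
                j += 1
                buf = []
                while j < n and options[j] != '"':
                    if options[j] == "\\" and j + 1 < n:  # backslash escape
                        j += 1
                    buf.append(options[j])
                    j += 1
                if j >= n:
                    raise ValueError("unterminated quoted option value")
                j += 1                                 # skip closing quote
                value = "".join(buf)
            else:                                      # bare value up to next comma
                k = j
                while k < n and options[k] != ",":
                    k += 1
                value, j = options[j:k], k
        if j < n and options[j] == ",":
            j += 1
        if name:
            out.append((name, value))
        i = j
    return out


def _valid_port(port: str) -> bool:
    return port == "*" or (port.isdigit() and 1 <= int(port) <= 65535)


def check_forward_spec(name: str, value: Optional[str]) -> Optional[str]:
    """Return None if value matches the documented shape for permitopen/permitlisten, else an error."""
    if value is None:
        return f"{name} requires a value"
    host: Optional[str] = None
    port = value
    if value.startswith("["):                          # [ipv6]:port
        end = value.find("]")
        if end < 0 or not value[end + 1:].startswith(":"):
            return f"{name}: malformed bracketed host in {value!r}"
        host, port = value[1:end], value[end + 2:]
    elif ":" in value:
        host, port = value.rsplit(":", 1)
    if name == "permitopen" and host is None:          # permitopen has no host-less form
        return "permitopen requires host:port"
    if host is not None and not host:
        return f"{name}: empty host in {value!r}"
    if not _valid_port(port):
        return f"{name}: bad port in {value!r}"
    return None


def check_line(line: str) -> List[str]:
    """Return the problems found in one authorized_keys line (empty list means it looks fine)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    options, _rest = split_line(line)
    if options.startswith(("ssh-", "ecdsa-", "sk-")):  # no option field on this line
        return []
    try:
        opts = split_options(options)
    except ValueError as exc:
        return [str(exc)]
    names = {name for name, _ in opts}
    problems = [err for name, value in opts if name in FORWARD_OPTS
                for err in [check_forward_spec(name, value)] if err]
    if "restrict" in names and "port-forwarding" not in names and names & FORWARD_OPTS:
        problems.append(RESTRICT_WARNING)
    return problems


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(check_line(sample) or "ok", "<-", sample[:60])
```

This only checks the shape of the option field; whether the running sshd binary actually knows the permitlisten option (it was introduced well after the OpenSSH 7.x series shipped by CentOS 7) is a separate question, best answered on the server side with `sshd -t -f /etc/ssh/sshd_config` for the configuration file and `sshd -V` for the version of the binary that systemd actually starts.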