[Bug 3922] New: no support for permitlisten and permitopen in certificate extension
bugzilla-daemon at mindrot.org
Sat Feb 14 04:33:49 AEDT 2026
https://bugzilla.mindrot.org/show_bug.cgi?id=3922
Bug ID: 3922
Summary: no support for permitlisten and permitopen in certificate extension
Product: Portable OpenSSH
Version: 10.2p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: mathieu.lacage at gmail.com
For a while, I have been looking for a way to allow me to create
certificates that allow port forwarding for only a specific list of
ports.
Specifically, I would like to specify a certificate extension similar
in spirit to permitlisten and permitopen.
Here is a proposal for these certificate extensions (naming based on
the way the current certificate extensions are named):
permit-listen
    Indicates that sessions authenticated with this certificate may
    request authentication TCP forwarding using the "direct-tcpip" SSH
    channel requests defined in Section 7 of [RFC4254]. Certificates
    that lack this extension or the "permit-port-forwarding" extension
    MUST not permit these protocol features be enabled on SSH server
    implementations that support them.

    This is a string-type option. Its value contains a nested string
    which holds a comma-separated list of host:port pairs.

permit-open
    Indicates that sessions authenticated with this certificate may
    request authentication TCP forwarding using the "forwarded-tcpip"
    SSH channel requests defined in Section 7 of [RFC4254].
    Certificates that lack this extension or the
    "permit-port-forwarding" extension MUST not permit these protocol
    features be enabled on SSH server implementations that support
    them.

    This is a string-type option. Its value contains a nested string
    which holds a comma-separated list of host:port pairs.
Would there be interest in a PR that implements this? If so, I would
be happy to take a stab at it.
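As an added illustration of the server-side decision the proposal implies (this is not code from the bug report or from OpenSSH, and the extension names are the proposed ones, not yet implemented anywhere): the value is parsed as the comma-separated host:port list the proposal describes, and a forwarding request is allowed only if one entry matches. Two details are assumptions on top of the proposal: the "*" port wildcard and "[addr]:port" IPv6 form are borrowed from sshd_config's PermitOpen/PermitListen syntax, and the precedence rule (a present permit-open/permit-listen list is applied; "permit-port-forwarding" alone keeps today's unrestricted behaviour; neither present means deny) is one reading of the text, chosen so the check fails closed.

```python
"""Checker for the proposed permit-open / permit-listen certificate
extensions.  Added illustration, not OpenSSH code.  Assumptions beyond
the proposal: "*" as a wildcard port, "[v6addr]:port" bracket form,
and the precedence between the list extensions and the existing
"permit-port-forwarding" extension.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example of an extension value in the proposed format.
EXAMPLE_PERMIT_OPEN = "127.0.0.1:5432,db.internal:5432,[::1]:*"

# host:port, [v6]:port, port may be "*" (wildcard, assumed form).
_HOSTPORT = re.compile(
    r"^(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^:\[\]]+)):(?P<port>\*|\d{1,5})$"
)


@dataclass(frozen=True)
class Rule:
    host: str            # compared literally against the requested host
    port: Optional[int]  # None means any port


def parse_rule(item: str) -> Rule:
    """Parse one host:port entry; reject anything malformed."""
    m = _HOSTPORT.match(item.strip())
    if m is None:
        raise ValueError(f"malformed host:port entry: {item!r}")
    host = m.group("v6") or m.group("host")
    port_s = m.group("port")
    if port_s == "*":
        return Rule(host, None)
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in entry {item!r}")
    return Rule(host, port)


def parse_permit_list(value: Optional[str]) -> list:
    """Turn the extension value into rules.

    A missing or empty value yields no rules, so nothing is permitted
    (fail closed). A single bad entry rejects the whole list rather
    than silently dropping it.
    """
    if value is None or value.strip() == "":
        return []
    return [parse_rule(item) for item in value.split(",")]


def forward_permitted(rules, host: str, port: int) -> bool:
    """True if any rule matches the requested host and port.

    The host is matched as the literal string the client sent; no name
    resolution is done, so "localhost" and "127.0.0.1" are distinct.
    """
    return any(
        r.host == host and (r.port is None or r.port == port)
        for r in rules
    )


def check_forward(extensions: dict, ext_name: str, host: str, port: int) -> bool:
    """Decide a forwarding request against a certificate's extension map.

    ext_name is "permit-open" or "permit-listen". Precedence is an
    assumption: a present list is enforced; otherwise the existing
    "permit-port-forwarding" extension permits everything, as today;
    with neither, the request is denied.
    """
    if ext_name in extensions:
        return forward_permitted(parse_permit_list(extensions[ext_name]), host, port)
    if "permit-port-forwarding" in extensions:
        return True
    return False


if __name__ == "__main__":
    rules = parse_permit_list(EXAMPLE_PERMIT_OPEN)
    for h, p in (("127.0.0.1", 5432), ("127.0.0.1", 5433), ("::1", 9999)):
        print(f"{h}:{p} ->", "allow" if forward_permitted(rules, h, p) else "deny")
```

Note that rejecting the whole certificate extension on one malformed entry is deliberate: a typo in a list that is supposed to narrow access should not quietly widen or silently disable the restriction.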