[Bug 3922] New: no support for permitlisten and permitopen in certificate extension

bugzilla-daemon at mindrot.org
Sat Feb 14 04:33:49 AEDT 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3922

            Bug ID: 3922
           Summary: no support for permitlisten and permitopen in
                    certificate extension
           Product: Portable OpenSSH
           Version: 10.2p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mathieu.lacage at gmail.com

For a while, I have been looking for a way to allow me to create
certificates that allow port forwarding for only a specific list of
ports. 

Specifically, I would like to specify a certificate extension similar
in spirit to permitlisten and permitopen.

Here is a proposal for these certificate extensions (naming based on
the way the current certificate extensions are named):

   permit-listen  Indicates that sessions authenticated with
      this certificate may request authentication TCP forwarding using
      the "direct-tcpip" SSH channel requests defined in Section 7 of
      [RFC4254]. Certificates that lack this extension or the
      "permit-port-forwarding" extension MUST not permit these protocol
      features to be enabled on SSH server implementations that support
      them.

      This is a string-type option.  Its value contains a nested string
      which holds a comma-separated list of host:port pairs.

   permit-open  Indicates that sessions authenticated with
      this certificate may request authentication TCP forwarding using
      the "forwarded-tcpip" SSH channel requests defined in Section 7 of
      [RFC4254]. Certificates that lack this extension or the
      "permit-port-forwarding" extension MUST not permit these protocol
      features to be enabled on SSH server implementations that support
      them.

      This is a string-type option.  Its value contains a nested string
      which holds a comma-separated list of host:port pairs.

Would there be interest in a PR that implements this? If so, I would
be happy to take a stab at it.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
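The encoding the report proposes (an SSH string whose payload is a nested string holding a comma-separated host:port list) and the server-side check it implies, as an added example that is not part of the bug report or of OpenSSH. It assumes the host part must be literal (IPv6 in square brackets) and that a port of "*" matches any port, mirroring authorized_keys permitopen semantics; sample values are constructed.

```python
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (RFC 4251): uint32 length + payload."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_string(buf: bytes, off: int = 0):
    """Decode one SSH string at offset; returns (payload, new_offset)."""
    if len(buf) - off < 4:
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if len(buf) - off < n:
        raise ValueError("truncated string payload")
    return buf[off:off + n], off + n


def encode_permit_open(pairs):
    """Build the proposed extension value: a string holding a nested string
    with a comma-separated host:port list (format as described in the report)."""
    return ssh_string(ssh_string(",".join(pairs).encode()))


def decode_permit_open(value: bytes):
    """Unwrap both string layers, rejecting trailing bytes at either level."""
    outer, off = parse_ssh_string(value)
    if off != len(value):
        raise ValueError("trailing bytes after extension value")
    inner, off2 = parse_ssh_string(outer)
    if off2 != len(outer):
        raise ValueError("trailing bytes after nested string")
    return [p for p in inner.decode("ascii").split(",") if p]


def split_host_port(spec: str):
    """'host:port' or '[v6addr]:port'; port may be '*' (assumed semantics)."""
    host, sep, port = spec.rpartition(":")
    if not sep or not host:
        raise ValueError("bad host:port spec %r" % spec)
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    if port != "*":
        port = int(port)  # raises ValueError if not numeric
        if not 0 <= port <= 65535:
            raise ValueError("port out of range in %r" % spec)
    return host, port


def forwarding_permitted(value: bytes, host: str, port: int) -> bool:
    """Server-side check of a requested host:port against the extension list."""
    for spec in decode_permit_open(value):
        h, p = split_host_port(spec)
        if h == host and (p == "*" or p == port):
            return True
    return False
```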

