Patch for PermitOpen hostname wildcard with fixed port feature

AG openssh at mzpqnxow.com
Mon Jun 6 07:30:05 AEST 2016


Hello,

Attached is a patch for anongit OpenSSH:

Added FWD_PERMIT_ANY_HOST to add the ability to use an asterisk to
mean any hostname matches in a PermitOpen rule. This is simple and
looks like this:

PermitOpen *:443

One use case here is when OpenSSH is used to be a multi-factor
authenticated broker to a specific TCP based service across many
servers in a trusted network when the client is in an untrusted
network. This patch allows a simple configuration that can allow all
forwards to service X without the need to provide a large list
of every server on the trusted network in the sshd_config file.
Doing doing so is impractical when the trusted network is larger
than a few hosts- a large list of hosts in sshd_config would
be unwieldy and would need to be updated constantly if the trusted
network changes often.

This is a real use case for me- I need to provide this type of
authenticated and limited access to several thousand systems. In
any given week in my environment there might be 2-3 new servers
and there might be 2-3 servers that have been decommissioned.

This patch is a huge improvement over allowing all ports to all
hosts, which is all that I can do at this point without having
a huge management headache maintaining a gigantic list.

I was very surprised this wasn't supported alongside FWD_PERMIT_ANY_PORT.
It's a simple enough change. I wonder if there was any debate on
this or if it just slipped through the cracks as an uncommon use case?

Note that this doesn't go down the more complex road of allowing
more finegrained cases. The '*' is NOT actually a pattern, it is
a symbol that means any host. Using *.bah.org will not work and
is not intended to work.

I'd appreciate this feature being considered for inclusion into the
next release of OpenSSH.

I have also entered a bug for this:
https://bugzilla.mindrot.org/show_bug.cgi?id=2582

Thx.

Adam
-------------- next part --------------
diff --git a/channels.c b/channels.c
index 7ee1f98..ba0d728 100644
--- a/channels.c
+++ b/channels.c
@@ -138,6 +138,9 @@ static int num_adm_permitted_opens = 0;
 /* special-case port number meaning allow any port */
 #define FWD_PERMIT_ANY_PORT	0
 
+/* special-case port number meaning allow any host */
+#define FWD_PERMIT_ANY_HOST	"*"
+
 /*
  * If this is true, all opens are permitted.  This is the case on the server
  * on which we have to trust the client anyway, and the user could do
@@ -3296,10 +3299,13 @@ open_match(ForwardPermission *allowed_open, const char *requestedhost,
 	if (allowed_open->host_to_connect == NULL)
 		return 0;
 	if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&
-	    allowed_open->port_to_connect != requestedport)
-		return 0;
-	if (strcmp(allowed_open->host_to_connect, requestedhost) != 0)
-		return 0;
+		allowed_open->port_to_connect != requestedport)
+			return 0;
+
+	if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 &&
+		strcmp(allowed_open->host_to_connect, requestedhost) != 0)
+			return 0;
+
 	return 1;
 }
 


More information about the openssh-unix-dev mailing list