[PATCH] / permitgwports / permitlisten

Devin Nate devin.nate at QHRtech.com
Fri May 19 01:53:11 AEST 2017

Hi Philipp;

Yes, the patch I submitted is one we use to accomplish a specific outcome, and it would break configuration in the wild with respect to permitopen. We provided it in case anyone else gets use out of similar needs. By the same token, the patch I submitted will break gateway ports also (ssh -R), since if they are not explicitly defined our patch will preclude all gateway ports.

To do it more generically, I suppose you would need to have a global config value to identify if the sshd should be either:
1.  default allow all port forwards except as restricted by an authorized_key, or
2.  default deny all port forwards except as permitted by an authorized_key.

The extra wrinkle is what to do about users that auth with username and password or something different which does not allow configuration like authorized_keys, which gets into a whole bunch more complexity.

In our case we wanted the default deny, and our use case does not need to work about breaking everyone else.


>    While I generally agree with having to explicitly whitelist
>   "permitopen" host/port pairs, it does change the default behavior and
>    would probably break configuration in the wild. Or am I mistaken here?

More information about the openssh-unix-dev mailing list