[Bug 3275] New: PermitListen does not work in Match block and permitlisten= does not work in authorized_keys file

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Mar 10 19:23:43 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3275

            Bug ID: 3275
           Summary: PermitListen does not work in Match block and
                    permitlisten= does not work in authorized_keys file
           Product: Portable OpenSSH
           Version: 8.5p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: evgeny.vasilchenko at protonmail.com

* CentOS Linux release 7.9.2009 (Core)
* OpenSSH_8.5p1, OpenSSL 1.0.2k-fips  26 Jan 2017 built from sources:
./configure --with-md5-passwords --with-pam --with-selinux
--with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh

1) As per https://man.openbsd.org/sshd_config.5#Match, a Match block
allows the "PermitListen" keyword; however:

----- /etc/ssh/sshd_config -----------
Match User user
        PermitListen localhost:5555
--------------------------------------


# systemctl restart sshd
Job for sshd.service failed because the control process exited with
error code. See "systemctl status sshd.service" and "journalctl -xe"
for details

# journalctl -xe

[...skipped...]

Mar 10 08:21:32 lbtest1 systemd[1]: Starting OpenSSH server daemon...
-- Subject: Unit sshd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit sshd.service has begun starting up.
Mar 10 08:21:32 lbtest1 sshd[3973]: /etc/ssh/sshd_config: line 142: Bad
configuration option: PermitListen
Mar 10 08:21:32 lbtest1 sshd[3973]: /etc/ssh/sshd_config line 142:
Directive 'PermitListen' is not allowed within a Match block
Mar 10 08:21:32 lbtest1 systemd[1]: sshd.service: main process exited,
code=exited, status=255/n/a
Mar 10 08:21:32 lbtest1 systemd[1]: Failed to start OpenSSH server
daemon.
-- Subject: Unit sshd.service has failed
--------------------------------------


2) The permitlisten= option does not work, with or without an IP address,
while permitopen= works fine in the authorized_keys file.

---/home/user/.ssh/authorized_keys ----
restrict,pty,port-forwarding,permitopen="localhost:22",permitlisten="5555"
ssh-rsa AAAAB3Nza
--------------------------------------


--- Remote port forwarding command and result ----
$ ssh -R 5555:localhost:22 user@xxx.xxx.xxx.xxx
user@xxx.xxx.xxx.xxx: Permission denied (publickey).
--------------------------------------

SSHD log file with DEBUG

------------------------
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: trying public key file
/home/user/.ssh/authorized_keys
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: fd 4 clearing O_NONBLOCK
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: allow port forwarding to
host localhost port 22
Mar 10 07:53:26 lbtest1 sshd[3781]: Bad options in
/home/user/.ssh/authorized_keys file, line 1: permitlisten="5555"
ssh-rsa AAAAB3NzaC1yc2EAAAADAQ
Mar 10 07:53:26 lbtest1 sshd[3781]: debug1: restore_uid: 0/0
Mar 10 07:53:26 lbtest1 sshd[3781]: Failed publickey for user from
xxx.xxx.xxx.xxx port 17445 ssh2: RSA
------------------------

------------------------
Mar 10 07:52:32 lbtest1 sshd[3773]: debug1: allow port forwarding to
host localhost port 22
Mar 10 07:52:32 lbtest1 sshd[3773]: Bad options in
/home/user/.ssh/authorized_keys file, line 1:
permitlisten="localhost:5555" ssh-rsa AAAAB3NzaC1y
Mar 10 07:52:32 lbtest1 sshd[3773]: debug1: restore_uid: 0/0
Mar 10 07:52:32 lbtest1 sshd[3773]: Failed publickey for user from
xxx.xxx.xxx.xxx port 50403 ssh2: RSA
------------------------
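The authorized_keys line in point 2 packs several options into one field, and when sshd rejects it the log only reports "Bad options" for the whole line. The parser below is an added example (not OpenSSH code and not from this report) that splits an authorized_keys line into its option field, key type, key blob and comment following the syntax described in sshd(8): options are comma-separated, values are double-quoted, commas and spaces may appear inside quotes, and a quote inside a value is escaped with a backslash. It also checks that every permitopen= and permitlisten= value has the [host:]port shape. The sample lines, the hostname check and the audit helper are constructed for this example; the parser says nothing about whether a given sshd build accepts permitlisten, it only shows what the line asks for.

```python
import re

# Key types sshd recognises in the first non-option field (assumption: the
# common types; extend the pattern for other sk-/cert types if needed).
KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
    r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$"
)
# [host:]port with a numeric port or '*'; host may be an IPv6 literal in [].
PERMIT_VALUE_RE = re.compile(r"^(?:(\[[0-9a-fA-F:]+\]|[^:\s\[\]]+):)?(\*|\d{1,5})$")
# Options whose values may repeat on one line.
MULTI_VALUE_OPTIONS = {"permitopen", "permitlisten", "environment"}


def split_options(opt_str):
    """Split the option field on commas, honouring double quotes and
    backslash-escaped quotes inside quoted values. Quotes are stripped."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(opt_str):
        c = opt_str[i]
        if c == "\\" and in_quote and i + 1 < len(opt_str):
            cur.append(opt_str[i + 1])  # escaped character inside quotes
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if in_quote:
        raise ValueError("unterminated double quote in options")
    if opt_str:
        opts.append("".join(cur))
    return opts


def parse_authorized_key_line(line):
    """Return {'options', 'keytype', 'key', 'comment'} or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if KEY_TYPE_RE.match(line.split(None, 1)[0]):
        opt_str, rest = "", line  # no option field at all
    else:
        # The option field ends at the first whitespace outside quotes.
        in_quote, i = False, 0
        while i < len(line):
            c = line[i]
            if c == "\\" and in_quote:
                i += 2
                continue
            if c == '"':
                in_quote = not in_quote
            elif c in " \t" and not in_quote:
                break
            i += 1
        opt_str, rest = line[:i], line[i:].strip()
    fields = rest.split(None, 2)
    if len(fields) < 2 or not KEY_TYPE_RE.match(fields[0]):
        raise ValueError("line has no recognised key type after options")
    options = {}
    for opt in split_options(opt_str):
        name, _, value = opt.partition("=")
        name = name.lower()
        if name in MULTI_VALUE_OPTIONS:
            options.setdefault(name, []).append(value)
        else:
            options[name] = value if value else True  # bare flag -> True
    return {
        "options": options,
        "keytype": fields[0],
        "key": fields[1],  # base64 blob, not decoded here
        "comment": fields[2] if len(fields) > 2 else "",
    }


def bad_permit_values(parsed):
    """List (option, value) pairs whose value is not of the [host:]port form."""
    bad = []
    for name in ("permitopen", "permitlisten"):
        for value in parsed["options"].get(name, []):
            if not PERMIT_VALUE_RE.match(value):
                bad.append((name, value))
    return bad


# Constructed sample lines: the first mirrors the reporter's line (key blob
# truncated), the second exercises quoting, escaped quotes and an IPv6 host.
SAMPLE_LINES = [
    'restrict,pty,port-forwarding,permitopen="localhost:22",permitlisten="5555" '
    "ssh-rsa AAAAB3NzaC1yc2E constructed-comment",
    'command="echo \\"hi\\", there",no-pty,permitlisten="[::1]:5555",'
    'permitopen="bad value" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 constructed',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_authorized_key_line(sample)
        print(parsed["keytype"], parsed["options"], bad_permit_values(parsed))
```

Running the file prints each line's key type, its option map and any malformed permit values; the second constructed line is flagged for its permitopen value because it does not have the host:port shape.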
