PermitOpen directive won't allow name resolution or pattern matching

Pascal Tempier pascal.tempier at inria.fr
Thu Feb 2 23:20:42 AEDT 2023


Hello

I am trying to set up a jump-only host that filters the allowed network destinations depending on the LDAP user group.

Example:
printers network can be accessed by everyone
users from groupA can access: groupA + printers networks
users from groupB can access: groupB + printers networks
users from admin group may access: printers + groupA + groupB + admin networks

I wanted to build this using the Match and PermitOpen directives, but:
- Match clause allows filtering only on a source element (like origin IP) or user group, but not on the destination IP; however it can do pattern matching.
- PermitOpen directive won't allow name resolution. So this would require asking users to connect using the destination host IP and not DNS, or specifying every alias for every host.
- PermitOpen directive won't allow pattern matching, so I can't just specify a network mask/subnet or use an IP with a wildcard. And anyway there's no name resolution.

I tried to have a go at a custom AuthorizedKeysCommand that would return nothing or PermitOpen none.
But the destination IP or hostname isn't passed to it via a parameter or env var; the script only receives the username as a parameter.
I could specify a token, but the destination IP or hostname can't be used as a token.

Is there any workaround to achieve what I want to do, or could this be implemented as a new feature?

Pascal
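One way to express the per-group policy described above with the directives as they exist today, as an added example that is not part of the original post (group names, addresses, ports and hostnames are placeholders):

```text
# sshd_config fragment (constructed example; group names, addresses, ports and
# hostnames are placeholders, not values from the original post).

# Jump-only host: local (-L / -J) forwarding is the only thing users get.
AllowTcpForwarding local

# Default for every authenticated user: the printers network only.
# sshd compares each entry literally with the destination the client asked for,
# so write each host exactly as users will type it (address or name, with port):
# no DNS lookup, no CIDR, '*' is the only wildcard.
PermitOpen 10.0.10.11:9100 10.0.10.12:9100 printer1.example.org:9100

# Only the first satisfied Match block contributes its PermitOpen, so the most
# privileged group comes first. Each block repeats the printers entries because
# a PermitOpen in a Match block replaces the global list rather than extending
# it, and only the first PermitOpen line in a block is used, so keep all
# destinations for a group on one line.
Match Group admin
    PermitOpen 10.0.10.11:9100 10.0.10.12:9100 printer1.example.org:9100 10.0.20.5:22 10.0.30.5:22 10.0.40.5:22

Match Group groupA
    PermitOpen 10.0.10.11:9100 10.0.10.12:9100 printer1.example.org:9100 10.0.20.5:22 10.0.20.6:22

Match Group groupB
    PermitOpen 10.0.10.11:9100 10.0.10.12:9100 printer1.example.org:9100 10.0.30.5:22
```

The effective list for a given account can be checked on the host with `sshd -T -C user=alice | grep -i permitopen`, which applies the Match blocks for that user before printing the configuration.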

