
Bug#252649: sshd manpage unclear regarding permitopen, no-port-forwarding



Package: ssh
Version: 1:3.8.1p1-4
Severity: wishlist

I just got very confused by the sshd manpage which says:

------------------
no-port-forwarding 
Forbids TCP/IP forwarding when this key is used for authentication.
Any port forward requests by the client will return an error. This
might be used, e.g., in connection with the command option. 

permitopen=host:port 
Limit local `ssh -L'' port forwarding such that it may only connect to
the specified host and port. IPv6 addresses can be specified with an
alternative syntax: host / port. Multiple permitopen options may be
applied separated by commas. No pattern matching is performed on the
specified hostnames, they must be literal domains or addresses. 
------------------

It should be more clearly mentioned that no-port-forwarding completely
disables forwarding, and that a permitopen="" clause isn't necessary
if no-port-forwarding is set. Additionally, sshd should not barf on a
permitopen="" clause, but instead interpret that clause as
"no-port-forwarding".

For orthogonality, there should be control for -R port forwarding as
well.

Greetings
Marc, who hopes that he is on the safe side with only
no-port-forwarding set.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.6-janeway
Locale: LANG=C, LC_CTYPE=C

Versions of packages ssh depends on:
ii  adduser                     3.56         Add and remove users and groups
ii  debconf                     1.4.25       Debian configuration management sy
ii  dpkg                        1.10.22      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-13 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-21      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-21      Runtime support for the PAM librar
ii  libpam0g                    0.76-21      Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7d-3     SSL shared libraries
ii  libwrap0                    7.6.dbs-4    Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.2.1.1-3  compression library - runtime

-- debconf information excluded
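
An added example, not part of the original report and not OpenSSH code: a small audit that parses the options field of authorized_keys lines and classifies each key's forwarding policy as the manpage text quoted above describes it. The sample lines, the key-type prefixes and the policy labels are assumptions made for illustration.

```python
import re

# One option token: bare name, or name="value" with \" escapes inside the quotes.
OPTION = re.compile(r'(?:[^\s",]|"(?:[^"\\]|\\.)*")+')
KEY_TYPE = re.compile(r'(ssh-|ecdsa-|sk-)')  # assumed key-type prefixes

def parse_options(line):
    """Return {option_name: [values]} for the options field of one line."""
    line = line.strip()
    opts, pos = {}, 0
    if not line or line.startswith('#') or KEY_TYPE.match(line):
        return opts  # blank, comment, or a key with no options field
    while (m := OPTION.match(line, pos)):
        name, _, value = m.group(0).partition('=')
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts.setdefault(name.lower(), []).append(value)
        pos = m.end()
        if pos >= len(line) or line[pos] != ',':
            break  # unquoted whitespace ends the options field
        pos += 1
    return opts

def forwarding_policy(line):
    """Classify forwarding for one key as (policy, findings)."""
    opts, findings = parse_options(line), []
    targets = opts.get('permitopen', [])
    if 'no-port-forwarding' in opts:
        policy = 'none'
        if targets:
            findings.append('permitopen is redundant next to no-port-forwarding')
    elif targets:
        policy = 'local-restricted'
        findings.append('permitopen limits only local (-L) forwarding')
    else:
        policy = 'unrestricted'
    if '' in targets:
        findings.append('empty permitopen="" value')
    return policy, findings

# Constructed sample lines; key blobs and comments are placeholders.
SAMPLE = [
    'no-port-forwarding,command="/usr/bin/rsync --server" ssh-rsa AAAAconstructed backup@example',
    'permitopen="192.0.2.10:5432",permitopen="192.0.2.11:5432" ssh-rsa AAAAconstructed db@example',
    'no-port-forwarding,permitopen="" ssh-rsa AAAAconstructed user@example',
    'ssh-rsa AAAAconstructed admin@example',
]

if __name__ == '__main__':
    for entry in SAMPLE:
        print(forwarding_policy(entry), entry[:40])
```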



