Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added FWD_PERMIT_ANY_HOST to add the ability to use an asterisk to #44

Closed
wants to merge 1 commit into from
Closed

Added FWD_PERMIT_ANY_HOST to add the ability to use an asterisk to #44

wants to merge 1 commit into from

Conversation

mzpqnxow
Copy link

@mzpqnxow mzpqnxow commented Jun 5, 2016

mean any hostname matches in a PermitOpen rule. This is simple and
looks like this:

PermitOpen *:443

One use case here is when OpenSSH is used to broker connectivity to
a specific TCP based service in a trusted network when the client
is in an untrusted network. This allows a simple configuration that
can allow all forwards to service X without the need to provide a
large list of every server on the trusted network in the sshd_config
file. Doing doing so is impractical when the trusted network is
larger than a few hosts as a large list of hosts in sshd_config
would be unwieldy and would need to be updated constantly if the
trusted network changes often.

This is a real use case for me- I need to provide this type of
access to several thousand systems. In any given week there
might be 2-3 new servers and there might be 2-3 servers that have
been decommissioned.

This patch is a huge improvement over allowing all ports to all
hosts, which is all that I can do at this point without having
a huge management headache. I was very surprised this wasn't
supported alongside FWD_PERMIT_ANY_PORT. It's a simple enough
change. I wonder if there was any debate on this or if it just
slipped through the cracks as an uncommon use case?

Note that this doesn't go down the more complex road of allowing
more finegrained cases. The '*' is NOT actually a pattern, it is
a symbol that means any host. Using *.bah.org will not work and
is not intended to work.

mean any hostname matches in a PermitOpen rule. This is simple and
looks like this:

PermitOpen *:443

One use case here is when OpenSSH is used to broker connectivity to
a specific TCP based service in a trusted network when the client
is in an untrusted network. This allows a simple configuration that
can allow all forwards to service X without the need to provide a
large list of every server on the trusted network in the sshd_config
file. Doing doing so is impractical when the trusted network is
larger than a few hosts as a large list of hosts in sshd_config
would be unwieldy and would need to be updated constantly if the
trusted network changes often.

This is a real use case for me- I need to provide this type of
access to several thousand systems. In any given week there
might be 2-3 new servers and there might be 2-3 servers that have
been decommissioned.

This patch is a huge improvement over allowing all ports to all
hosts, which is all that I can do at this point without having
a huge management headache. I was very surprised this wasn't
supported alongside FWD_PERMIT_ANY_PORT. It's a simple enough
change. I wonder if there was any debate on this or if it just
slipped through the cracks as an uncommon use case?

Note that this doesn't go down the more complex road of allowing
more finegrained cases. The '*' is NOT actually a pattern, it is
a symbol that means any host. Using *.bah.org will not work and
is not intended to work.
@mzpqnxow
Copy link
Author

mzpqnxow commented Jun 5, 2016

I've created a bugzilla entry @ https://bugzilla.mindrot.org/show_bug.cgi?id=2582 and sent a note to openssh-unix-dev @ http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-June/035133.html

@daztucker
Copy link
Contributor

Applied upstream.

@daztucker daztucker closed this Aug 1, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants