#8423 Multiple permitopen in SSH-key
Closed: fixed 2 years ago by antorres. Opened 3 years ago by itsvmarkus.

Request for enhancement

As admin, I want to define multiple permitopen in a ssh-key so that the user can only create tunnels to those IP addresses.

Issue

I want to create a user which can only be used to create ssh-tunnels to specific targets. I was able to restrict such a user to only be able to create a ssh-tunnel to one specific address via permitopen in the ssh-key. However I am unable to define a second tunnel. According to the man-page of authorized_keys "Multiple permitopen options may be applied separated by commas." which doesn't work. It seems that freeipa removes the second permitopen.

Steps to Reproduce

  1. create a user test
  2. add an ssh-key: command="",no-agent-forwarding,no-pty,no-x11-forwarding,permitopen="192.168.178.3:9000" ssh-rsa AA...."
  3. Port forwarding to 192.168.178.3:9000 is possible
  4. add another permitopen in the ssh-key: command="",no-agent-forwarding,no-pty,no-x11-forwarding,permitopen="192.168.178.3:9000",permitopen="192.168.178.4:6666" ssh-rsa AA...."
  5. creating a tunnel to 192.168.178.4:6666 is still not possible
  6. checking the config via sss_ssh_authorizedkeys test still shows the old ssh-key from 2.
  7. trying to update the ssh-key via the cli command I get an error that no change was detected: ipa user-mod sshtest1 --sshpubkey="command=\"\",no-agent-forwarding,no-pty,no-x11-forwarding,permitopen=\"192.168.178.3:9000\",permitopen=\"192.168.178.4:6666\" ssh-rsa AA...

Expected behavior

I was expecting freeipa to write multiple permitopen which sssd would use as an authorized_keys file

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
ipa-client-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
389-ds-base-1.4.2.4-8.module_el8.2.0+366+71e3276f.x86_64
pki-ca-10.8.3-2.module_el8.2.0+371+f5726439.noarch
krb5-server-1.17-18.el8.x86_64

Thanks in advance for your time and effort!


I'm guessing that the first key was cached. See sss_cache(8).

The error in step 7 is expected since you made no changes.

I don't think it is a caching issue.
I've created a new test user and added a sshkey with both permitopen.
However it only saves one permitopen :-(

I can reproduce the issue. ipapython.ssh.SSHPublicKey._parse_openssh_with_options() uses a temporary dictionary to hold options. The parser does not handle multi-valued options. The last occurrence of an option wins.

$ ipa user-mod sshtest1 --sshpubkey="command=\"\",no-agent-forwarding,no-pty,no-x11-forwarding,permitopen=\"192.168.178.3:9000\",permitopen=\"192.168.178.4:6666\" ssh-rsa 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"
------------------------
Modified user "sshtest1"
------------------------
  User login: sshtest1
  First name: SSH
  Last name: Test1
  Home directory: /home/sshtest1
  Login shell: /bin/sh
  Principal name: sshtest1@FAS.EXAMPLE
  Principal alias: sshtest1@FAS.EXAMPLE
  Email address: sshtest1@fas.example
  UID: 748400010
  GID: 748400010
  SSH public key: command="",no-agent-forwarding,no-pty,no-x11-forwarding,permitopen="192.168.178.4:6666" ssh-rsa
                  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
  SSH public key fingerprint: SHA256:2aeRnE+UU3BRADK98VgNuVx5LA6z91WYHvJGYfiZgww (ssh-rsa)
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
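The comment above pins the defect on the parser's data structure: a plain dictionary keyed by option name can hold only one value per name, so the second permitopen silently overwrites the first. The example below is an added illustration written for this ticket, not FreeIPA's ipapython.ssh code and not the fix in the commits referenced later; it splits the options prefix of an authorized_keys line (respecting quoted values and backslash escapes), shows the lossy dict-based shape beside one that keeps every occurrence of the multi-valued options OpenSSH allows to repeat (permitopen, permitlisten, environment), and serializes the result back so a round trip preserves both permitopen entries. The key blob and comment in the sample line are constructed placeholders.

```python
"""Parse the options prefix of an OpenSSH authorized_keys line.

Added example for this ticket; it is not FreeIPA's ipapython.ssh implementation.
"""
from typing import Dict, List, Optional, Tuple, Union

# Options sshd(8) allows more than once per key; each occurrence adds a target.
MULTI_VALUED = {"permitopen", "permitlisten", "environment"}

# Key types whose presence as the first token means the line has no options.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def split_options(options: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'a,b="x,y",c' into ordered (name, value) pairs.

    Commas inside double quotes do not separate options, a backslash escapes the
    next character inside quotes, and a flag without '=' gets value None.
    """
    pairs: List[Tuple[str, Optional[str]]] = []
    name: List[str] = []
    value: List[str] = []
    has_value = in_quotes = False
    i = 0
    while i < len(options):
        ch = options[i]
        if in_quotes:
            if ch == "\\" and i + 1 < len(options):
                value.append(options[i + 1])  # escaped character inside quotes
                i += 2
                continue
            if ch == '"':
                in_quotes = False
            else:
                value.append(ch)
        elif ch == '"' and has_value:
            in_quotes = True
        elif ch == "=" and not has_value:
            has_value = True
        elif ch == ",":
            pairs.append(("".join(name), "".join(value) if has_value else None))
            name, value, has_value = [], [], False
        elif has_value:
            value.append(ch)  # unquoted value character
        else:
            name.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted option value")
    if name:
        pairs.append(("".join(name), "".join(value) if has_value else None))
    return pairs


def split_authorized_key(line: str) -> Tuple[str, str, str, str]:
    """Return (options_text, key_type, key_blob, comment); options_text is '' if absent."""
    line = line.strip()
    if line.split(None, 1)[0] in KEY_TYPES:
        opts, rest = "", line
    else:
        # Options end at the first whitespace that is outside double quotes.
        in_quotes, i = False, 0
        while i < len(line):
            ch = line[i]
            if in_quotes and ch == "\\":
                i += 2
                continue
            if ch == '"':
                in_quotes = not in_quotes
            elif ch.isspace() and not in_quotes:
                break
            i += 1
        opts, rest = line[:i], line[i:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("missing key type or key data")
    return opts, parts[0], parts[1], parts[2] if len(parts) == 3 else ""


def parse_options_lastwins(options_text: str) -> Dict[str, Optional[str]]:
    """The lossy shape: one dict slot per name, so a repeated option overwrites."""
    return {name: value for name, value in split_options(options_text)}


def parse_options(options_text: str) -> Dict[str, Union[None, str, List[str]]]:
    """Keep every occurrence of a multi-valued option, in order."""
    parsed: Dict[str, Union[None, str, List[str]]] = {}
    for name, value in split_options(options_text):
        if name in MULTI_VALUED:
            parsed.setdefault(name, []).append(value)  # type: ignore[union-attr]
        else:
            parsed[name] = value
    return parsed


def format_options(parsed: Dict[str, Union[None, str, List[str]]]) -> str:
    """Serialize back to the comma-separated prefix, quoting every value."""
    out = []
    for name, value in parsed.items():
        for v in (value if isinstance(value, list) else [value]):
            out.append(name if v is None else '%s="%s"' % (name, v.replace('"', '\\"')))
    return ",".join(out)


# Constructed sample: the reporter's option string with a placeholder blob/comment.
SAMPLE = ('command="",no-agent-forwarding,no-pty,no-x11-forwarding,'
          'permitopen="192.168.178.3:9000",permitopen="192.168.178.4:6666" '
          'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholderblob sshtest1@example')

if __name__ == "__main__":
    opts, key_type, blob, comment = split_authorized_key(SAMPLE)
    print("last-wins:", parse_options_lastwins(opts)["permitopen"])
    print("all      :", parse_options(opts)["permitopen"])
    print("roundtrip:", format_options(parse_options(opts)) == opts)
```

Running it prints a single 192.168.178.4:6666 for the dict-based parse, both targets for the list-based one, and True for the round trip, which is exactly the difference between what the reporter sent in step 7 and what `ipa user-mod` echoed back above.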

Metadata Update from @antorres:
- Issue assigned to antorres

3 years ago

master:

  • c8b5779 Allow multiple permitopen/permitlisten in SSH keys
  • 6cd544d ipatests: add test for multiple permitopen entries in SSH keys

Metadata Update from @antorres:
- Custom field affects_doc adjusted to on
- Custom field knownissue adjusted to on
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

ipa-4-9:

  • 3dc5896 Allow multiple permitopen/permitlisten in SSH keys
  • dc799a5 ipatests: add test for multiple permitopen entries in SSH keys
