fix: jumpbox authorized_keys must include port-forwarding to actually…#90
Merged
fix: jumpbox authorized_keys must include port-forwarding to actually…#90
Conversation
… forward The previous options string was restrict,permitopen="127.0.0.1:*",permitopen="localhost:*" which authenticates fine but blocks every channel-open request: channel 0: open failed: administratively prohibited stdio forwarding failed Connection closed by UNKNOWN port 65535 Reason: OpenSSH's `restrict` sets permit_port_forwarding_flag = 0, and `permitopen` only adds entries to a filter list — it does not flip the flag back on. The channel-open hook checks the flag BEFORE consulting permitopen, so the restriction wins and the permitopen entries are dead config. The man page hints at this: "may be followed by other options (e.g., port-forwarding) that re-enable specific functionality." `port-forwarding` is the explicit re-enable; `permitopen` is the narrower filter that applies once forwarding is enabled. Adding it between `restrict` and the permitopens fixes the operator's `ssh -J gopher-jump@vps -p <rathole_port> ...` flow without loosening any of the other restrict-imposed protections (no shell, no X11, no agent, no env, no ~/.ssh/rc, no PTY). The next ReconcileAuthorizedKeys cycle after this ships rewrites every existing options line in place — addToAuthorizedKeysFor matches by type+keydata token, ignoring options, so updating the prefix doesn't duplicate or scrub the keys. Operators who already migrated to the new authorized_keys layout get the fix on the next service start. Regression test guards against a future refactor that drops `port-forwarding` from the options string.
|
Unit tests run: 282 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
… forward
The previous options string was
restrict,permitopen="127.0.0.1:",permitopen="localhost:"
which authenticates fine but blocks every channel-open request:
channel 0: open failed: administratively prohibited
stdio forwarding failed
Connection closed by UNKNOWN port 65535
Reason: OpenSSH's
restrictsets permit_port_forwarding_flag = 0, andpermitopenonly adds entries to a filter list — it does not flip the flag back on. The channel-open hook checks the flag BEFORE consulting permitopen, so the restriction wins and the permitopen entries are dead config. The man page hints at this: "may be followed by other options (e.g., port-forwarding) that re-enable specific functionality."port-forwardingis the explicit re-enable;permitopenis the narrower filter that applies once forwarding is enabled. Adding it betweenrestrictand the permitopens fixes the operator'sssh -J gopher-jump@vps -p <rathole_port> ...flow without loosening any of the other restrict-imposed protections (no shell, no X11, no agent, no env, no ~/.ssh/rc, no PTY).The next ReconcileAuthorizedKeys cycle after this ships rewrites every existing options line in place — addToAuthorizedKeysFor matches by type+keydata token, ignoring options, so updating the prefix doesn't duplicate or scrub the keys. Operators who already migrated to the new authorized_keys layout get the fix on the next service start.
Regression test guards against a future refactor that drops
port-forwardingfrom the options string.Description
Resolves #__
Changes Made
Testing
Screenshots (if applicable)