Add support for AllowTcpForwarding to hosts. #6783

Closed
russjones opened this issue May 7, 2021 · 1 comment · Fixed by #6989
Labels: bug, c-q7j Internal Customer Reference

@russjones (Contributor) commented May 7, 2021:

A customer has asked to add support for AllowTcpForwarding on a per-host basis. This would allow customers to enable port forwarding for a user within their role but not allow forwarding for specific hosts.

For example, for the hosts whose teleport.yaml contains the below, in effect this function would return an error: reexec.go#L256-L337.

ssh_service:
  allow_tcp_forwarding: false

From man sshd_config:

     AllowTcpForwarding
             Specifies whether TCP forwarding is permitted.  The available
             options are yes (the default) or all to allow TCP forwarding, no
             to prevent all TCP forwarding, local to allow local (from the
             perspective of ssh(1)) forwarding only or remote to allow remote
             forwarding only.  Note that disabling TCP forwarding does not
             improve security unless users are also denied shell access, as
             they can always install their own forwarders.
@russjones russjones added bug c-q7j Internal Customer Reference labels May 7, 2021
@russjones russjones added this to the 7.0 "Stockholm" milestone May 7, 2021
tcsc added a commit that referenced this issue May 21, 2021
Prior to this change, TCP forwarding over SSH could only be disallowed
by user-based rules, rather than by individual target nodes.

This change adds
 * the `allow_tcp_forwarding` key to the yaml SSH config block, with values
   compatible with the equivalent setting for OpenSSH `sshd`, i.e.
   "yes", "no", "all" and "local"
 * Plumbing to pipe the resulting config value through to the SSH server
 * A predicate check in the SSH server to [dis]allow port forwarding
   based on the setting.

See-Also: Issue #6783
tcsc added a commit that referenced this issue Jun 17, 2021
Prior to this change, TCP forwarding over SSH could only be disallowed
by user-based rules, rather than by individual target nodes.

This change adds:
  * the `port_forwarding` key to the yaml SSH config block, with a boolean value
  * Plumbing to pipe the resulting config value through to the SSH server
  * A predicate check in the SSH server to [dis]allow port forwarding based on the setting.

This change also:
    * adds a common way for integration tests to await the establishment of an SSH session
    * refactors several integration tests to use this new method rather than manually waiting
    * adds some marshaling code to move errors from spawned goroutines back into the 
      main test routine in verifySessionJoin()

See-Also: Issue #6783
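The predicate described in the commit message above, as an added example that is not Teleport's code: a deliberately tiny line scanner for the `ssh_service` block (a stand-in for the project's real YAML loader, not a YAML parser), a node-side setting that defaults to allow when the key is absent (mirroring the OpenSSH `AllowTcpForwarding` default of `yes` quoted in the issue), and a check that consults both the user's role and the target node, refusing if either one says no. The `RoleOptions` type, the `checkPortForwarding` and `parseSSHService` names and the sample config are assumptions; `direct-tcpip` (local forwarding) and `tcpip-forward` (remote forwarding) are the standard SSH request names from RFC 4254.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// sampleConfig is a constructed teleport.yaml fragment, not a real file:
// the node opts out of forwarding regardless of what the user's role says.
const sampleConfig = `
teleport:
  nodename: db-bastion
ssh_service:
  enabled: yes
  port_forwarding: false
auth_service:
  enabled: no
`

// NodeSSHConfig models the ssh_service block. A nil PortForwarding means
// the key was absent and forwarding stays allowed (sshd's default of "yes").
type NodeSSHConfig struct {
	PortForwarding *bool
}

// RoleOptions stands in for the user-level switch that already existed
// before the change (assumed name, not Teleport's real role type).
type RoleOptions struct {
	PortForwarding bool
}

// ErrForwardingDenied is wrapped by every refusal so callers can match it
// with errors.Is while the message still says which layer refused.
var ErrForwardingDenied = errors.New("port forwarding is not allowed")

func boolPtr(b bool) *bool { return &b }

// parseSSHService tracks whether the current line is indented under a
// top-level "ssh_service:" key and reads port_forwarding from there. A
// non-boolean value is an error rather than a silent "allow".
func parseSSHService(fragment string) (NodeSSHConfig, error) {
	var cfg NodeSSHConfig
	inBlock := false
	for _, raw := range strings.Split(fragment, "\n") {
		line := strings.TrimRight(raw, " \t")
		trimmed := strings.TrimSpace(line)
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		if !strings.HasPrefix(line, " ") { // top-level key: enter or leave the block
			inBlock = trimmed == "ssh_service:"
			continue
		}
		if !inBlock {
			continue
		}
		parts := strings.SplitN(trimmed, ":", 2)
		if len(parts) != 2 || strings.TrimSpace(parts[0]) != "port_forwarding" {
			continue
		}
		switch val := strings.TrimSpace(parts[1]); val {
		case "true", "yes":
			cfg.PortForwarding = boolPtr(true)
		case "false", "no":
			cfg.PortForwarding = boolPtr(false)
		default:
			return cfg, fmt.Errorf("ssh_service.port_forwarding: expected a boolean, got %q", val)
		}
	}
	return cfg, nil
}

// allowsPortForwarding applies the absent-means-allow default.
func (c NodeSSHConfig) allowsPortForwarding() bool {
	return c.PortForwarding == nil || *c.PortForwarding
}

// checkPortForwarding is the predicate the SSH server would evaluate when a
// client opens a "direct-tcpip" channel or sends a "tcpip-forward" request.
// Both the role and the node must allow it; because the node setting is a
// single boolean, local and remote forwarding are refused together.
func checkPortForwarding(role RoleOptions, node NodeSSHConfig, request string) error {
	switch request {
	case "direct-tcpip", "tcpip-forward":
	default:
		return fmt.Errorf("unsupported forwarding request %q", request)
	}
	if !role.PortForwarding {
		return fmt.Errorf("%w by the user's role (%s)", ErrForwardingDenied, request)
	}
	if !node.allowsPortForwarding() {
		return fmt.Errorf("%w by this node's ssh_service config (%s)", ErrForwardingDenied, request)
	}
	return nil
}

func main() {
	node, err := parseSSHService(sampleConfig)
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	role := RoleOptions{PortForwarding: true} // role allows, node refuses
	for _, req := range []string{"direct-tcpip", "tcpip-forward"} {
		fmt.Printf("%-13s -> %v\n", req, checkPortForwarding(role, node, req))
	}
}
```

Two design points worth noting. The denial message names the layer that refused, so an operator can tell a role problem from a node-config problem without reading both. And, as the sshd man page quoted in the issue says, refusing forwarding on a node does not stop a user who still has shell access from running their own forwarder; the setting is a policy control, not an isolation boundary.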
@russjones russjones linked a pull request Jun 17, 2021 that will close this issue
@tcsc (Contributor) commented Jun 21, 2021:

Closed by #6989, backported to v6 with #7354 and #7355

@tcsc tcsc closed this as completed Jun 21, 2021