Description of problem: Port forwarding is a convenient feature of openssh. Sadly in default install, you can enable/disable/limit but barely audit it. A small patch exists which would allow that. It would be a nice addition to improve system security https://blog.rootshell.be/2009/03/01/keep-an-eye-on-ssh-forwarding/ it has been submitted to openssh devs but without feedback. https://marc.info/?l=openssh-unix-dev&m=100229250303129&w=2 https://marc.info/?l=openssh-unix-dev&m=136197476517114&w=2 https://marc.info/?l=openssh-unix-dev&m=144287437115578&w=2 How reproducible: Always Steps to Reproduce: 1. connect to a ssh server with a port forwarding configuration 2. check system auth log Actual results: find user connection but no details of port forwarding Expected results: Have a list of used forwarded port. syslog DEBUG also have the information but is not really manageable for production. this kind of message (port forwarding) should better be in INFO or VERBOSE. Thanks
This sounds like reasonable and helpful feature. But we are not in the position to tell openssh upstream what to merge into openssh. And I am not fan of dragging another downstream patches into Fedora. As I see, the patch is pretty simple, but has a bit problem with wording (Tunnel and TCP forwarding is a different thing in openssh). When proposing changes, it is usually a good practice to come with patch, that is directly applicable to current head and fill a feature request in their (openssh) bugzilla. Upstream can't track everything what is going on on their mailing lists. This patch is 7 years old and will need some care to work flawlessly. It would be also good to add the other forwardings (Dynamic, UNIX domain sockets). I can fill upstream feature request with patch, but I don't know when I will find some time to do that.
Asking original author for recent patch
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.
openssh-7.2p2-11.fc24 selinux-policy-3.13.1-191.8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-99191c4aab
Reverting to NEW state. BZ was switched to MODIFIED due to wrong bodhi update.
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.