diff options
| author | Damien Miller <djm@mindrot.org> | 2005-12-13 19:33:19 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2005-12-13 19:33:19 +1100 |
| commit | 7b58e800364870d05630514945687d2f26e3c065 (patch) | |
| tree | f8b436c13a767fcb014125513fe53b6bc0bde9a2 | |
| parent | 957d4e430ed40265cffc483abdc5b0e6a58c69ed (diff) | |
- reyk@cvs.openbsd.org 2005/12/08 18:34:11
[auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
[serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
two changes to the new ssh tunnel support. this breaks compatibility
with the initial commit but is required for a portable approach.
- make the tunnel id u_int and platform friendly, use predefined types.
- support configuration of layer 2 (ethernet) or layer 3
(point-to-point, default) modes. configuration is done using the
Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and
restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
in sshd_config(5).
ok djm@, man page bits by jmc@
| -rw-r--r-- | ChangeLog | 14 | ||||
| -rw-r--r-- | auth-options.c | 4 | ||||
| -rw-r--r-- | configure.ac | 3 | ||||
| -rw-r--r-- | includes.h | 5 | ||||
| -rw-r--r-- | misc.c | 75 | ||||
| -rw-r--r-- | misc.h | 16 | ||||
| -rw-r--r-- | readconf.c | 32 | ||||
| -rw-r--r-- | servconf.c | 24 | ||||
| -rw-r--r-- | serverloop.c | 25 | ||||
| -rw-r--r-- | ssh.c | 13 | ||||
| -rw-r--r-- | ssh_config.5 | 10 | ||||
| -rw-r--r-- | sshd_config.5 | 8 |
12 files changed, 177 insertions, 52 deletions
| @@ -36,6 +36,18 @@ | |||
| 36 | - jmc@cvs.openbsd.org 2005/12/08 15:06:29 | 36 | - jmc@cvs.openbsd.org 2005/12/08 15:06:29 |
| 37 | [ssh_config.5] | 37 | [ssh_config.5] |
| 38 | keep options in order; | 38 | keep options in order; |
| 39 | - reyk@cvs.openbsd.org 2005/12/08 18:34:11 | ||
| 40 | [auth-options.c includes.h misc.c misc.h readconf.c servconf.c] | ||
| 41 | [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac] | ||
| 42 | two changes to the new ssh tunnel support. this breaks compatibility | ||
| 43 | with the initial commit but is required for a portable approach. | ||
| 44 | - make the tunnel id u_int and platform friendly, use predefined types. | ||
| 45 | - support configuration of layer 2 (ethernet) or layer 3 | ||
| 46 | (point-to-point, default) modes. configuration is done using the | ||
| 47 | Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and | ||
| 48 | restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option | ||
| 49 | in sshd_config(5). | ||
| 50 | ok djm@, man page bits by jmc@ | ||
| 39 | 51 | ||
| 40 | 20051201 | 52 | 20051201 |
| 41 | - (djm) [envpass.sh] Remove regress script that was accidentally committed | 53 | - (djm) [envpass.sh] Remove regress script that was accidentally committed |
| @@ -3428,4 +3440,4 @@ | |||
| 3428 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 3440 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
| 3429 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 3441 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
| 3430 | 3442 | ||
| 3431 | $Id: ChangeLog,v 1.4023 2005/12/13 08:30:45 djm Exp $ | 3443 | $Id: ChangeLog,v 1.4024 2005/12/13 08:33:19 djm Exp $ |
diff --git a/auth-options.c b/auth-options.c index 54798d9ad..ad97e6129 100644 --- a/auth-options.c +++ b/auth-options.c | |||
| @@ -10,7 +10,7 @@ | |||
| 10 | */ | 10 | */ |
| 11 | 11 | ||
| 12 | #include "includes.h" | 12 | #include "includes.h" |
| 13 | RCSID("$OpenBSD: auth-options.c,v 1.32 2005/12/06 22:38:27 reyk Exp $"); | 13 | RCSID("$OpenBSD: auth-options.c,v 1.33 2005/12/08 18:34:11 reyk Exp $"); |
| 14 | 14 | ||
| 15 | #include "xmalloc.h" | 15 | #include "xmalloc.h" |
| 16 | #include "match.h" | 16 | #include "match.h" |
| @@ -296,7 +296,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | |||
| 296 | tun[i] = 0; | 296 | tun[i] = 0; |
| 297 | forced_tun_device = a2tun(tun, NULL); | 297 | forced_tun_device = a2tun(tun, NULL); |
| 298 | xfree(tun); | 298 | xfree(tun); |
| 299 | if (forced_tun_device < -1) { | 299 | if (forced_tun_device == SSH_TUNID_ERR) { |
| 300 | debug("%.100s, line %lu: invalid tun device", | 300 | debug("%.100s, line %lu: invalid tun device", |
| 301 | file, linenum); | 301 | file, linenum); |
| 302 | auth_debug_add("%.100s, line %lu: invalid tun device", | 302 | auth_debug_add("%.100s, line %lu: invalid tun device", |
diff --git a/configure.ac b/configure.ac index 0afb48716..b24d37178 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $Id: configure.ac,v 1.312 2005/11/29 02:40:34 tim Exp $ | 1 | # $Id: configure.ac,v 1.313 2005/12/13 08:33:20 djm Exp $ |
| 2 | # | 2 | # |
| 3 | # Copyright (c) 1999-2004 Damien Miller | 3 | # Copyright (c) 1999-2004 Damien Miller |
| 4 | # | 4 | # |
| @@ -654,6 +654,7 @@ AC_CHECK_HEADERS( \ | |||
| 654 | login_cap.h \ | 654 | login_cap.h \ |
| 655 | maillock.h \ | 655 | maillock.h \ |
| 656 | ndir.h \ | 656 | ndir.h \ |
| 657 | net/if.h \ | ||
| 657 | netdb.h \ | 658 | netdb.h \ |
| 658 | netgroup.h \ | 659 | netgroup.h \ |
| 659 | netinet/in_systm.h \ | 660 | netinet/in_systm.h \ |
diff --git a/includes.h b/includes.h index 12d948b6f..cf2d6c699 100644 --- a/includes.h +++ b/includes.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: includes.h,v 1.20 2005/11/15 11:59:54 millert Exp $ */ | 1 | /* $OpenBSD: includes.h,v 1.21 2005/12/08 18:34:11 reyk Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| @@ -148,6 +148,9 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "\100(#)" msg } | |||
| 148 | #include <netinet/in.h> /* For IPv6 macros */ | 148 | #include <netinet/in.h> /* For IPv6 macros */ |
| 149 | #include <netinet/ip.h> /* For IPTOS macros */ | 149 | #include <netinet/ip.h> /* For IPTOS macros */ |
| 150 | #include <netinet/tcp.h> | 150 | #include <netinet/tcp.h> |
| 151 | #ifdef HAVE_NET_IF_H | ||
| 152 | # include <net/if.h> | ||
| 153 | #endif | ||
| 151 | #include <arpa/inet.h> | 154 | #include <arpa/inet.h> |
| 152 | #if defined(HAVE_NETDB_H) | 155 | #if defined(HAVE_NETDB_H) |
| 153 | # include <netdb.h> | 156 | # include <netdb.h> |
| @@ -24,7 +24,7 @@ | |||
| 24 | */ | 24 | */ |
| 25 | 25 | ||
| 26 | #include "includes.h" | 26 | #include "includes.h" |
| 27 | RCSID("$OpenBSD: misc.c,v 1.36 2005/12/06 22:38:27 reyk Exp $"); | 27 | RCSID("$OpenBSD: misc.c,v 1.37 2005/12/08 18:34:11 reyk Exp $"); |
| 28 | 28 | ||
| 29 | #include "misc.h" | 29 | #include "misc.h" |
| 30 | #include "log.h" | 30 | #include "log.h" |
| @@ -202,7 +202,7 @@ a2tun(const char *s, int *remote) | |||
| 202 | int tun; | 202 | int tun; |
| 203 | 203 | ||
| 204 | if (remote != NULL) { | 204 | if (remote != NULL) { |
| 205 | *remote = -1; | 205 | *remote = SSH_TUNID_ANY; |
| 206 | sp = xstrdup(s); | 206 | sp = xstrdup(s); |
| 207 | if ((ep = strchr(sp, ':')) == NULL) { | 207 | if ((ep = strchr(sp, ':')) == NULL) { |
| 208 | xfree(sp); | 208 | xfree(sp); |
| @@ -212,15 +212,15 @@ a2tun(const char *s, int *remote) | |||
| 212 | *remote = a2tun(ep, NULL); | 212 | *remote = a2tun(ep, NULL); |
| 213 | tun = a2tun(sp, NULL); | 213 | tun = a2tun(sp, NULL); |
| 214 | xfree(sp); | 214 | xfree(sp); |
| 215 | return (tun); | 215 | return (*remote == SSH_TUNID_ERR ? *remote : tun); |
| 216 | } | 216 | } |
| 217 | 217 | ||
| 218 | if (strcasecmp(s, "any") == 0) | 218 | if (strcasecmp(s, "any") == 0) |
| 219 | return (-1); | 219 | return (SSH_TUNID_ANY); |
| 220 | 220 | ||
| 221 | tun = strtonum(s, 0, INT_MAX, &errstr); | 221 | tun = strtonum(s, 0, SSH_TUNID_MAX, &errstr); |
| 222 | if (errstr != NULL || tun < -1) | 222 | if (errstr != NULL) |
| 223 | return (-2); | 223 | return (SSH_TUNID_ERR); |
| 224 | 224 | ||
| 225 | return (tun); | 225 | return (tun); |
| 226 | } | 226 | } |
| @@ -539,27 +539,60 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, | |||
| 539 | } | 539 | } |
| 540 | 540 | ||
| 541 | int | 541 | int |
| 542 | tun_open(int tun) | 542 | tun_open(int tun, int mode) |
| 543 | { | 543 | { |
| 544 | struct ifreq ifr; | ||
| 544 | char name[100]; | 545 | char name[100]; |
| 545 | int i, fd; | 546 | int fd = -1, sock; |
| 546 | 547 | ||
| 547 | if (tun > -1) { | 548 | /* Open the tunnel device */ |
| 549 | if (tun <= SSH_TUNID_MAX) { | ||
| 548 | snprintf(name, sizeof(name), "/dev/tun%d", tun); | 550 | snprintf(name, sizeof(name), "/dev/tun%d", tun); |
| 549 | if ((fd = open(name, O_RDWR)) >= 0) { | 551 | fd = open(name, O_RDWR); |
| 550 | debug("%s: %s: %d", __func__, name, fd); | 552 | } else if (tun == SSH_TUNID_ANY) { |
| 551 | return (fd); | 553 | for (tun = 100; tun >= 0; tun--) { |
| 554 | snprintf(name, sizeof(name), "/dev/tun%d", tun); | ||
| 555 | if ((fd = open(name, O_RDWR)) >= 0) | ||
| 556 | break; | ||
| 552 | } | 557 | } |
| 553 | } else { | 558 | } else { |
| 554 | for (i = 100; i >= 0; i--) { | 559 | debug("%s: invalid tunnel %u\n", __func__, tun); |
| 555 | snprintf(name, sizeof(name), "/dev/tun%d", i); | 560 | return (-1); |
| 556 | if ((fd = open(name, O_RDWR)) >= 0) { | 561 | } |
| 557 | debug("%s: %s: %d", __func__, name, fd); | 562 | |
| 558 | return (fd); | 563 | if (fd < 0) { |
| 559 | } | 564 | debug("%s: %s open failed: %s", __func__, name, strerror(errno)); |
| 560 | } | 565 | return (-1); |
| 566 | } | ||
| 567 | |||
| 568 | debug("%s: %s mode %d fd %d", __func__, name, mode, fd); | ||
| 569 | |||
| 570 | /* Set the tunnel device operation mode */ | ||
| 571 | snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "tun%d", tun); | ||
| 572 | if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) | ||
| 573 | goto failed; | ||
| 574 | |||
| 575 | if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) | ||
| 576 | goto failed; | ||
| 577 | if (mode == SSH_TUNMODE_ETHERNET) { | ||
| 578 | ifr.ifr_flags |= IFF_LINK0; | ||
| 579 | if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) | ||
| 580 | goto failed; | ||
| 561 | } | 581 | } |
| 562 | debug("%s: %s failed: %s", __func__, name, strerror(errno)); | 582 | ifr.ifr_flags |= IFF_UP; |
| 583 | if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) | ||
| 584 | goto failed; | ||
| 585 | |||
| 586 | close(sock); | ||
| 587 | return (fd); | ||
| 588 | |||
| 589 | failed: | ||
| 590 | if (fd >= 0) | ||
| 591 | close(fd); | ||
| 592 | if (sock >= 0) | ||
| 593 | close(sock); | ||
| 594 | debug("%s: failed to set %s mode %d: %s", __func__, name, | ||
| 595 | mode, strerror(errno)); | ||
| 563 | return (-1); | 596 | return (-1); |
| 564 | } | 597 | } |
| 565 | 598 | ||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: misc.h,v 1.27 2005/12/06 22:38:27 reyk Exp $ */ | 1 | /* $OpenBSD: misc.h,v 1.28 2005/12/08 18:34:11 reyk Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| @@ -50,4 +50,16 @@ void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); | |||
| 50 | char *read_passphrase(const char *, int); | 50 | char *read_passphrase(const char *, int); |
| 51 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); | 51 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); |
| 52 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); | 52 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); |
| 53 | int tun_open(int); | 53 | |
| 54 | int tun_open(int, int); | ||
| 55 | |||
| 56 | /* Common definitions for ssh tunnel device forwarding */ | ||
| 57 | #define SSH_TUNMODE_NO 0x00 | ||
| 58 | #define SSH_TUNMODE_POINTOPOINT 0x01 | ||
| 59 | #define SSH_TUNMODE_ETHERNET 0x02 | ||
| 60 | #define SSH_TUNMODE_DEFAULT SSH_TUNMODE_POINTOPOINT | ||
| 61 | #define SSH_TUNMODE_YES (SSH_TUNMODE_POINTOPOINT|SSH_TUNMODE_ETHERNET) | ||
| 62 | |||
| 63 | #define SSH_TUNID_ANY 0x7fffffff | ||
| 64 | #define SSH_TUNID_ERR (SSH_TUNID_ANY - 1) | ||
| 65 | #define SSH_TUNID_MAX (SSH_TUNID_ANY - 2) | ||
diff --git a/readconf.c b/readconf.c index b6aad9d8d..1fbf59793 100644 --- a/readconf.c +++ b/readconf.c | |||
| @@ -12,7 +12,7 @@ | |||
| 12 | */ | 12 | */ |
| 13 | 13 | ||
| 14 | #include "includes.h" | 14 | #include "includes.h" |
| 15 | RCSID("$OpenBSD: readconf.c,v 1.144 2005/12/06 22:38:27 reyk Exp $"); | 15 | RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $"); |
| 16 | 16 | ||
| 17 | #include "ssh.h" | 17 | #include "ssh.h" |
| 18 | #include "xmalloc.h" | 18 | #include "xmalloc.h" |
| @@ -273,7 +273,7 @@ clear_forwardings(Options *options) | |||
| 273 | xfree(options->remote_forwards[i].connect_host); | 273 | xfree(options->remote_forwards[i].connect_host); |
| 274 | } | 274 | } |
| 275 | options->num_remote_forwards = 0; | 275 | options->num_remote_forwards = 0; |
| 276 | options->tun_open = 0; | 276 | options->tun_open = SSH_TUNMODE_NO; |
| 277 | } | 277 | } |
| 278 | 278 | ||
| 279 | /* | 279 | /* |
| @@ -835,14 +835,32 @@ parse_int: | |||
| 835 | 835 | ||
| 836 | case oTunnel: | 836 | case oTunnel: |
| 837 | intptr = &options->tun_open; | 837 | intptr = &options->tun_open; |
| 838 | goto parse_flag; | 838 | arg = strdelim(&s); |
| 839 | if (!arg || *arg == '\0') | ||
| 840 | fatal("%s line %d: Missing yes/point-to-point/" | ||
| 841 | "ethernet/no argument.", filename, linenum); | ||
| 842 | value = 0; /* silence compiler */ | ||
| 843 | if (strcasecmp(arg, "ethernet") == 0) | ||
| 844 | value = SSH_TUNMODE_ETHERNET; | ||
| 845 | else if (strcasecmp(arg, "point-to-point") == 0) | ||
| 846 | value = SSH_TUNMODE_POINTOPOINT; | ||
| 847 | else if (strcasecmp(arg, "yes") == 0) | ||
| 848 | value = SSH_TUNMODE_DEFAULT; | ||
| 849 | else if (strcasecmp(arg, "no") == 0) | ||
| 850 | value = SSH_TUNMODE_NO; | ||
| 851 | else | ||
| 852 | fatal("%s line %d: Bad yes/point-to-point/ethernet/" | ||
| 853 | "no argument: %s", filename, linenum, arg); | ||
| 854 | if (*activep) | ||
| 855 | *intptr = value; | ||
| 856 | break; | ||
| 839 | 857 | ||
| 840 | case oTunnelDevice: | 858 | case oTunnelDevice: |
| 841 | arg = strdelim(&s); | 859 | arg = strdelim(&s); |
| 842 | if (!arg || *arg == '\0') | 860 | if (!arg || *arg == '\0') |
| 843 | fatal("%.200s line %d: Missing argument.", filename, linenum); | 861 | fatal("%.200s line %d: Missing argument.", filename, linenum); |
| 844 | value = a2tun(arg, &value2); | 862 | value = a2tun(arg, &value2); |
| 845 | if (value < -1) | 863 | if (value == SSH_TUNID_ERR) |
| 846 | fatal("%.200s line %d: Bad tun device.", filename, linenum); | 864 | fatal("%.200s line %d: Bad tun device.", filename, linenum); |
| 847 | if (*activep) { | 865 | if (*activep) { |
| 848 | options->tun_local = value; | 866 | options->tun_local = value; |
| @@ -1132,7 +1150,11 @@ fill_default_options(Options * options) | |||
| 1132 | if (options->hash_known_hosts == -1) | 1150 | if (options->hash_known_hosts == -1) |
| 1133 | options->hash_known_hosts = 0; | 1151 | options->hash_known_hosts = 0; |
| 1134 | if (options->tun_open == -1) | 1152 | if (options->tun_open == -1) |
| 1135 | options->tun_open = 0; | 1153 | options->tun_open = SSH_TUNMODE_NO; |
| 1154 | if (options->tun_local == -1) | ||
| 1155 | options->tun_local = SSH_TUNID_ANY; | ||
| 1156 | if (options->tun_remote == -1) | ||
| 1157 | options->tun_remote = SSH_TUNID_ANY; | ||
| 1136 | if (options->permit_local_command == -1) | 1158 | if (options->permit_local_command == -1) |
| 1137 | options->permit_local_command = 0; | 1159 | options->permit_local_command = 0; |
| 1138 | /* options->local_command should not be set by default */ | 1160 | /* options->local_command should not be set by default */ |
diff --git a/servconf.c b/servconf.c index 91a0ced29..81953bb80 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -10,7 +10,7 @@ | |||
| 10 | */ | 10 | */ |
| 11 | 11 | ||
| 12 | #include "includes.h" | 12 | #include "includes.h" |
| 13 | RCSID("$OpenBSD: servconf.c,v 1.145 2005/12/06 22:38:27 reyk Exp $"); | 13 | RCSID("$OpenBSD: servconf.c,v 1.146 2005/12/08 18:34:11 reyk Exp $"); |
| 14 | 14 | ||
| 15 | #include "ssh.h" | 15 | #include "ssh.h" |
| 16 | #include "log.h" | 16 | #include "log.h" |
| @@ -231,7 +231,7 @@ fill_default_server_options(ServerOptions *options) | |||
| 231 | if (options->authorized_keys_file == NULL) | 231 | if (options->authorized_keys_file == NULL) |
| 232 | options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; | 232 | options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; |
| 233 | if (options->permit_tun == -1) | 233 | if (options->permit_tun == -1) |
| 234 | options->permit_tun = 0; | 234 | options->permit_tun = SSH_TUNMODE_NO; |
| 235 | 235 | ||
| 236 | /* Turn privilege separation on by default */ | 236 | /* Turn privilege separation on by default */ |
| 237 | if (use_privsep == -1) | 237 | if (use_privsep == -1) |
| @@ -968,7 +968,25 @@ parse_flag: | |||
| 968 | 968 | ||
| 969 | case sPermitTunnel: | 969 | case sPermitTunnel: |
| 970 | intptr = &options->permit_tun; | 970 | intptr = &options->permit_tun; |
| 971 | goto parse_flag; | 971 | arg = strdelim(&cp); |
| 972 | if (!arg || *arg == '\0') | ||
| 973 | fatal("%s line %d: Missing yes/point-to-point/" | ||
| 974 | "ethernet/no argument.", filename, linenum); | ||
| 975 | value = 0; /* silence compiler */ | ||
| 976 | if (strcasecmp(arg, "ethernet") == 0) | ||
| 977 | value = SSH_TUNMODE_ETHERNET; | ||
| 978 | else if (strcasecmp(arg, "point-to-point") == 0) | ||
| 979 | value = SSH_TUNMODE_POINTOPOINT; | ||
| 980 | else if (strcasecmp(arg, "yes") == 0) | ||
| 981 | value = SSH_TUNMODE_YES; | ||
| 982 | else if (strcasecmp(arg, "no") == 0) | ||
| 983 | value = SSH_TUNMODE_NO; | ||
| 984 | else | ||
| 985 | fatal("%s line %d: Bad yes/point-to-point/ethernet/" | ||
| 986 | "no argument: %s", filename, linenum, arg); | ||
| 987 | if (*intptr == -1) | ||
| 988 | *intptr = value; | ||
| 989 | break; | ||
| 972 | 990 | ||
| 973 | case sDeprecated: | 991 | case sDeprecated: |
| 974 | logit("%s line %d: Deprecated option %s", | 992 | logit("%s line %d: Deprecated option %s", |
diff --git a/serverloop.c b/serverloop.c index 199f7696d..eff27d9d6 100644 --- a/serverloop.c +++ b/serverloop.c | |||
| @@ -35,7 +35,7 @@ | |||
| 35 | */ | 35 | */ |
| 36 | 36 | ||
| 37 | #include "includes.h" | 37 | #include "includes.h" |
| 38 | RCSID("$OpenBSD: serverloop.c,v 1.122 2005/12/06 22:38:27 reyk Exp $"); | 38 | RCSID("$OpenBSD: serverloop.c,v 1.123 2005/12/08 18:34:11 reyk Exp $"); |
| 39 | 39 | ||
| 40 | #include "xmalloc.h" | 40 | #include "xmalloc.h" |
| 41 | #include "packet.h" | 41 | #include "packet.h" |
| @@ -917,20 +917,31 @@ static Channel * | |||
| 917 | server_request_tun(void) | 917 | server_request_tun(void) |
| 918 | { | 918 | { |
| 919 | Channel *c = NULL; | 919 | Channel *c = NULL; |
| 920 | int sock, tun; | 920 | int mode, tun; |
| 921 | int sock; | ||
| 921 | 922 | ||
| 922 | if (!options.permit_tun) { | 923 | mode = packet_get_int(); |
| 923 | packet_send_debug("Server has disabled tunnel device forwarding."); | 924 | switch (mode) { |
| 925 | case SSH_TUNMODE_POINTOPOINT: | ||
| 926 | case SSH_TUNMODE_ETHERNET: | ||
| 927 | break; | ||
| 928 | default: | ||
| 929 | packet_send_debug("Unsupported tunnel device mode."); | ||
| 930 | return NULL; | ||
| 931 | } | ||
| 932 | if ((options.permit_tun & mode) == 0) { | ||
| 933 | packet_send_debug("Server has rejected tunnel device " | ||
| 934 | "forwarding"); | ||
| 924 | return NULL; | 935 | return NULL; |
| 925 | } | 936 | } |
| 926 | 937 | ||
| 927 | tun = packet_get_int(); | 938 | tun = packet_get_int(); |
| 928 | if (forced_tun_device != -1) { | 939 | if (forced_tun_device != SSH_TUNID_ANY) { |
| 929 | if (tun != -1 && forced_tun_device != tun) | 940 | if (tun != SSH_TUNID_ANY && forced_tun_device != tun) |
| 930 | goto done; | 941 | goto done; |
| 931 | tun = forced_tun_device; | 942 | tun = forced_tun_device; |
| 932 | } | 943 | } |
| 933 | sock = tun_open(tun); | 944 | sock = tun_open(tun, mode); |
| 934 | if (sock < 0) | 945 | if (sock < 0) |
| 935 | goto done; | 946 | goto done; |
| 936 | c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, | 947 | c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, |
| @@ -40,7 +40,7 @@ | |||
| 40 | */ | 40 | */ |
| 41 | 41 | ||
| 42 | #include "includes.h" | 42 | #include "includes.h" |
| 43 | RCSID("$OpenBSD: ssh.c,v 1.255 2005/12/06 22:38:27 reyk Exp $"); | 43 | RCSID("$OpenBSD: ssh.c,v 1.256 2005/12/08 18:34:11 reyk Exp $"); |
| 44 | 44 | ||
| 45 | #include <openssl/evp.h> | 45 | #include <openssl/evp.h> |
| 46 | #include <openssl/err.h> | 46 | #include <openssl/err.h> |
| @@ -341,9 +341,10 @@ again: | |||
| 341 | exit(0); | 341 | exit(0); |
| 342 | break; | 342 | break; |
| 343 | case 'w': | 343 | case 'w': |
| 344 | options.tun_open = 1; | 344 | if (options.tun_open == -1) |
| 345 | options.tun_open = SSH_TUNMODE_DEFAULT; | ||
| 345 | options.tun_local = a2tun(optarg, &options.tun_remote); | 346 | options.tun_local = a2tun(optarg, &options.tun_remote); |
| 346 | if (options.tun_local < -1) { | 347 | if (options.tun_local == SSH_TUNID_ERR) { |
| 347 | fprintf(stderr, "Bad tun device '%s'\n", optarg); | 348 | fprintf(stderr, "Bad tun device '%s'\n", optarg); |
| 348 | exit(1); | 349 | exit(1); |
| 349 | } | 350 | } |
| @@ -1067,12 +1068,13 @@ ssh_session2_setup(int id, void *arg) | |||
| 1067 | packet_send(); | 1068 | packet_send(); |
| 1068 | } | 1069 | } |
| 1069 | 1070 | ||
| 1070 | if (options.tun_open) { | 1071 | if (options.tun_open != SSH_TUNMODE_NO) { |
| 1071 | Channel *c; | 1072 | Channel *c; |
| 1072 | int fd; | 1073 | int fd; |
| 1073 | 1074 | ||
| 1074 | debug("Requesting tun."); | 1075 | debug("Requesting tun."); |
| 1075 | if ((fd = tun_open(options.tun_local)) >= 0) { | 1076 | if ((fd = tun_open(options.tun_local, |
| 1077 | options.tun_open)) >= 0) { | ||
| 1076 | c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, | 1078 | c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1, |
| 1077 | CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, | 1079 | CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, |
| 1078 | 0, "tun", 1); | 1080 | 0, "tun", 1); |
| @@ -1082,6 +1084,7 @@ ssh_session2_setup(int id, void *arg) | |||
| 1082 | packet_put_int(c->self); | 1084 | packet_put_int(c->self); |
| 1083 | packet_put_int(c->local_window_max); | 1085 | packet_put_int(c->local_window_max); |
| 1084 | packet_put_int(c->local_maxpacket); | 1086 | packet_put_int(c->local_maxpacket); |
| 1087 | packet_put_int(options.tun_open); | ||
| 1085 | packet_put_int(options.tun_remote); | 1088 | packet_put_int(options.tun_remote); |
| 1086 | packet_send(); | 1089 | packet_send(); |
| 1087 | } | 1090 | } |
diff --git a/ssh_config.5 b/ssh_config.5 index 281b4046b..68061182c 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
| @@ -34,7 +34,7 @@ | |||
| 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 36 | .\" | 36 | .\" |
| 37 | .\" $OpenBSD: ssh_config.5,v 1.67 2005/12/08 15:06:29 jmc Exp $ | 37 | .\" $OpenBSD: ssh_config.5,v 1.68 2005/12/08 18:34:11 reyk Exp $ |
| 38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
| 39 | .Dt SSH_CONFIG 5 | 39 | .Dt SSH_CONFIG 5 |
| 40 | .Os | 40 | .Os |
| @@ -911,9 +911,13 @@ with older servers. | |||
| 911 | .It Cm Tunnel | 911 | .It Cm Tunnel |
| 912 | Request starting | 912 | Request starting |
| 913 | .Xr tun 4 | 913 | .Xr tun 4 |
| 914 | device forwarding between the client and the server. | 914 | device forwarding between the client and the server. This option also |
| 915 | allows requesting layer 2 (ethernet) instead of layer 3 | ||
| 916 | (point-to-point) tunneling from the server. | ||
| 915 | The argument must be | 917 | The argument must be |
| 916 | .Dq yes | 918 | .Dq yes , |
| 919 | .Dq point-to-point , | ||
| 920 | .Dq ethernet | ||
| 917 | or | 921 | or |
| 918 | .Dq no . | 922 | .Dq no . |
| 919 | The default is | 923 | The default is |
diff --git a/sshd_config.5 b/sshd_config.5 index 3835fcd62..a10b365d3 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -34,7 +34,7 @@ | |||
| 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 34 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 35 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 36 | .\" | 36 | .\" |
| 37 | .\" $OpenBSD: sshd_config.5,v 1.46 2005/12/06 22:38:28 reyk Exp $ | 37 | .\" $OpenBSD: sshd_config.5,v 1.47 2005/12/08 18:34:11 reyk Exp $ |
| 38 | .Dd September 25, 1999 | 38 | .Dd September 25, 1999 |
| 39 | .Dt SSHD_CONFIG 5 | 39 | .Dt SSHD_CONFIG 5 |
| 40 | .Os | 40 | .Os |
| @@ -506,6 +506,12 @@ root is not allowed to log in. | |||
| 506 | Specifies whether | 506 | Specifies whether |
| 507 | .Xr tun 4 | 507 | .Xr tun 4 |
| 508 | device forwarding is allowed. | 508 | device forwarding is allowed. |
| 509 | The argument must be | ||
| 510 | .Dq yes , | ||
| 511 | .Dq point-to-point , | ||
| 512 | .Dq ethernet | ||
| 513 | or | ||
| 514 | .Dq no . | ||
| 509 | The default is | 515 | The default is |
| 510 | .Dq no . | 516 | .Dq no . |
| 511 | .It Cm PermitUserEnvironment | 517 | .It Cm PermitUserEnvironment |