author | djm@openbsd.org <djm@openbsd.org> | 2018-06-19 02:59:41 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-06-19 13:00:50 +1000 |
commit | 87ddd676da0f3abd08b778b12b53b91b670dc93c (patch) | |
tree | 57bf11cf56aeddffdafdc97b74d7bc632c317df7 | |
parent | 26f96ca10ad0ec5da9b05b99de1e1ccea15a11be (diff) |
upstream: allow bare port numbers to appear in PermitListen directives,
e.g.
PermitListen 2222 8080
is equivalent to:
PermitListen *:2222 *:8080
Some bonus manpage improvements, mostly from markus@
"looks fine" markus@
OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
-rw-r--r-- | auth-options.c | 22 | ||||
-rw-r--r-- | servconf.c | 26 | ||||
-rw-r--r-- | sshd.8 | 19 | ||||
-rw-r--r-- | sshd_config.5 | 22 |
4 files changed, 62 insertions, 27 deletions
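--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.82 2018/06/07 09:26:42 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.83 2018/06/19 02:59:41 djm Exp $ */
 /*
  * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
  *
@@ -313,8 +313,8 @@ sshauthopt_new_with_keys_defaults(void)
  * Return 0 on success. Return -1 on failure and sets *errstrp to error reason.
  */
 static int
-handle_permit(const char **optsp, char ***permitsp, size_t *npermitsp,
-    const char **errstrp)
+handle_permit(const char **optsp, int allow_bare_port,
+    char ***permitsp, size_t *npermitsp, const char **errstrp)
 {
 	char *opt, *tmp, *cp, *host, **permits = *permitsp;
 	size_t npermits = *npermitsp;
@@ -327,6 +327,18 @@ handle_permit(const char **optsp, char ***permitsp, size_t *npermitsp,
 	if ((opt = opt_dequote(optsp, &errstr)) == NULL) {
 		return -1;
 	}
+	if (allow_bare_port && strchr(opt, ':') == NULL) {
+		/*
+		 * Allow a bare port number in permitlisten to indicate a
+		 * listen_host wildcard.
+		 */
+		if (asprintf(&tmp, "*:%s", opt) < 0) {
+			*errstrp = "memory allocation failed";
+			return -1;
+		}
+		free(opt);
+		opt = tmp;
+	}
 	if ((tmp = strdup(opt)) == NULL) {
 		free(opt);
 		*errstrp = "memory allocation failed";
@@ -474,11 +486,11 @@ sshauthopt_parse(const char *opts, const char **errstrp)
 			}
 			ret->env[ret->nenv++] = opt;
 		} else if (opt_match(&opts, "permitopen")) {
-			if (handle_permit(&opts, &ret->permitopen,
+			if (handle_permit(&opts, 0, &ret->permitopen,
 			    &ret->npermitopen, &errstr) != 0)
 				goto fail;
 		} else if (opt_match(&opts, "permitlisten")) {
-			if (handle_permit(&opts, &ret->permitlisten,
+			if (handle_permit(&opts, 1, &ret->permitlisten,
 			    &ret->npermitlisten, &errstr) != 0)
 				goto fail;
 		} else if (opt_match(&opts, "tunnel")) {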
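Review bot: The header comment of handle_permit (only its tail, "Return 0 on success…", is inside the hunk; the rest sits above it) is not updated for the new allow_bare_port parameter, so a reader of the prototype cannot tell what the flag does without reading the body. I would extend that comment with ` * If allow_bare_port is set, a value containing no ':' is rewritten as "*:port", i.e. a wildcard listen host.`. A related point worth a word in the same comment: a bare `*` also takes this path and becomes `*:*`; given that the sshd.8 context says `*` matches any port this looks intended, but stating it makes the most permissive spelling a deliberate choice rather than a side effect of the strchr test. The opt/tmp ownership in the new branch is correct as far as the hunk shows: tmp becomes opt, and the following strdup(opt) reuses tmp for a fresh copy.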
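--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.332 2018/06/09 03:03:10 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.333 2018/06/19 02:59:41 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -1870,15 +1870,23 @@ process_server_config_line(ServerOptions *options, char *line,
 			break;
 		}
 		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
-			arg2 = xstrdup(arg);
-			p = hpdelim(&arg);
-			/* XXX support bare port number for PermitListen */
-			if (p == NULL) {
-				fatal("%s line %d: missing host in %s",
-				    filename, linenum,
-				    lookup_opcode_name(opcode));
+			if (opcode == sPermitListen &&
+			    strchr(arg, ':') == NULL) {
+				/*
+				 * Allow bare port number for PermitListen
+				 * to indicate a wildcard listen host.
+				 */
+				xasprintf(&arg2, "*:%s", arg);
+			} else {
+				arg2 = xstrdup(arg);
+				p = hpdelim(&arg);
+				if (p == NULL) {
+					fatal("%s line %d: missing host in %s",
+					    filename, linenum,
+					    lookup_opcode_name(opcode));
+				}
+				p = cleanhostname(p);
 			}
-			p = cleanhostname(p);
 			if (arg == NULL ||
 			    ((port = permitopen_port(arg)) < 0)) {
 				fatal("%s line %d: bad port number in %s",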
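Review bot: On the new bare-port branch (`xasprintf(&arg2, "*:%s", arg);`) nothing assigns p, so p keeps whatever the previous iteration of the for loop left in it, while the else branch sets it through hpdelim and cleanhostname. The loop body continues below the hunk and process_server_config_line begins well above it, so I cannot see whether p is read after the port check; if it is not, a comment such as `/* listen host is implicit ("*"); p is unused on this path */` inside the branch would make the asymmetry deliberate, and if it is, the branch needs an explicit assignment before the check. Note also that the same "*:%s" rewrite now exists in auth-options.c handle_permit; the two define one syntax for the config directive and the authorized_keys option, so they should be kept in step.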
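--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.301 2018/06/07 11:26:14 jmc Exp $
-.Dd $Mdocdate: June 7 2018 $
+.\" $OpenBSD: sshd.8,v 1.302 2018/06/19 02:59:41 djm Exp $
+.Dd $Mdocdate: June 19 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -554,11 +554,11 @@ Disables execution of
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.
-.It Cm permitlisten="host:port"
+.It Cm permitlisten="[host:]port"
 Limit remote port forwarding with the
 .Xr ssh 1
 .Fl R
-option such that it may only listen on the specified host and port.
+option such that it may only listen on the specified host (optional) and port.
 IPv6 addresses can be specified by enclosing the address in square brackets.
 Multiple
 .Cm permitlisten
@@ -571,6 +571,15 @@ matches any port.
 Note that the setting of
 .Cm GatewayPorts
 may further restrict listen addresses.
+Note that
+.Xr ssh 1
+will send a hostname of
+.Dq localhost
+if a listen host was not specified when the forwarding was requested, and
+that his name is treated differently to the explicit localhost addresses
+.Dq 127.0.0.1
+and
+.Dq ::1 .
 .It Cm permitopen="host:port"
 Limit local port forwarding with the
 .Xr ssh 1
@@ -639,6 +648,8 @@ command="dump /home",no-pty,no-port-forwarding ssh-dss
 AAAAC3...51R== example.net
 permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
 AAAAB5...21S==
+permitlisten="localhost:8080",permitopen="localhost:22000" ssh-dss
+AAAAB5...21S==
 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
 jane@example.net
 restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==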
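--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.275 2018/06/09 03:18:11 djm Exp $
-.Dd $Mdocdate: June 9 2018 $
+.\" $OpenBSD: sshd_config.5,v 1.276 2018/06/19 02:59:41 djm Exp $
+.Dd $Mdocdate: June 19 2018 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1196,17 +1196,12 @@ The listen specification must be one of the following forms:
 .It
 .Cm PermitListen
 .Sm off
-.Ar host : port
-.Sm on
-.It
-.Cm PermitListen
-.Sm off
-.Ar IPv4_addr : port
+.Ar port
 .Sm on
 .It
 .Cm PermitListen
 .Sm off
-.Ar \&[ IPv6_addr \&] : port
+.Ar host : port
 .Sm on
 .El
 .Pp
@@ -1226,6 +1221,15 @@ By default all port forwarding listen requests are permitted.
 Note that the
 .Cm GatewayPorts
 option may further restrict which addresses may be listened on.
+Note also that
+.Xr ssh 1
+will request a listen host of
+.Dq localhost
+if no listen host was specifically requested, and this this name is
+treated differently to explict localhost addresses of
+.Dq 127.0.0.1
+and
+.Dq ::1 .
 .It Cm PermitOpen
 Specifies the destinations to which TCP port forwarding is permitted.
 The forwarding specification must be one of the following forms: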