- djm@cvs.openbsd.org 2007/08/07 07:32:53

[clientloop.c clientloop.h ssh.c] bz#1232: ensure that any specified LocalCommand is executed after the tunnel device is opened. Also, make failures to open a tunnel device fatal when ExitOnForwardFailure is active. Reported by h.goebel AT goebel-consult.de; ok dtucker markus reyk deraadt
author: Damien Miller <djm@mindrot.org> 2007-08-08 14:32:41 +1000
committer: Damien Miller <djm@mindrot.org> 2007-08-08 14:32:41 +1000
commit: b3ce9fec309a6dd695811d977593961d6dfac710 (patch)
tree: e6449a59c3fcb324aac3da765c0dbf5eee56d559
parent: 647d97b1ab1f8ef4dfa6c7a085b409e1c3609c6f (diff)
4 files changed, 69 insertions, 32 deletions
diff --git a/ChangeLog b/ChangeLog
index c4a7d1261..55319fc23 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,12 @@
     and synopsis of commands
     lots of good ideas by jmc@
     ok jmc@
+   - djm@cvs.openbsd.org 2007/08/07 07:32:53
+     [clientloop.c clientloop.h ssh.c]
+     bz#1232: ensure that any specified LocalCommand is executed after the
+     tunnel device is opened. Also, make failures to open a tunnel device
+     fatal when ExitOnForwardFailure is active.
+     Reported by h.goebel AT goebel-consult.de; ok dtucker markus reyk deraadt
 20070724
 - (tim) [openssh.xml.in] make FMRI match what package scripts use.
@@ -3129,4 +3135,4 @@
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@
-$Id: ChangeLog,v 1.4717 2007/08/08 04:29:58 djm Exp $
+$Id: ChangeLog,v 1.4718 2007/08/08 04:32:41 djm Exp $
diff --git a/clientloop.c b/clientloop.c
index 1aeb412a9..538644c20 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.179 2007/03/20 03:56:12 tedu Exp $ */
+/* $OpenBSD: clientloop.c,v 1.180 2007/08/07 07:32:53 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1773,6 +1773,50 @@ client_request_agent(const char *request_type, int rchan)
        return c;
 }
+int
+client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
+{
+        Channel *c;
+        int fd;
+        if (tun_mode == SSH_TUNMODE_NO)
+                return 0;
+        if (!compat20) {
+                error("Tunnel forwarding is not support for protocol 1");
+                return -1;
+        }
+        debug("Requesting tun unit %d in mode %d", local_tun, tun_mode);
+        /* Open local tunnel device */
+        if ((fd = tun_open(local_tun, tun_mode)) == -1) {
+                error("Tunnel device open failed.");
+                return -1;
+        }
+        c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+            CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+        c->datagram = 1;
+#if defined(SSH_TUN_FILTER)
+        if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
+                channel_register_filter(c->self, sys_tun_infilter,
+                    sys_tun_outfilter);
+#endif
+        packet_start(SSH2_MSG_CHANNEL_OPEN);
+        packet_put_cstring("tun@openssh.com");
+        packet_put_int(c->self);
+        packet_put_int(c->local_window_max);
+        packet_put_int(c->local_maxpacket);
+        packet_put_int(tun_mode);
+        packet_put_int(remote_tun);
+        packet_send();
+        return 0;
+}
 /* XXXX move to generic input handler */
 static void
 client_input_channel_open(int type, u_int32_t seq, void *ctxt)
diff --git a/clientloop.h b/clientloop.h
index beec62f70..c7d2233d0 100644
--- a/clientloop.h
+++ b/clientloop.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.h,v 1.16 2006/03/25 22:22:42 djm Exp $ */
+/* $OpenBSD: clientloop.h,v 1.17 2007/08/07 07:32:53 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -44,6 +44,7 @@ void	 client_x11_get_proto(const char *, const char *, u_int,
 void     client_global_request_reply_fwd(int, u_int32_t, void *);
 void     client_session2_setup(int, int, int, const char *, struct termios *,
            int, Buffer *, char **, dispatch_fn *);
+int      client_request_tun_fwd(int, int, int);
 /* Multiplexing protocol version */
 #define SSHMUX_VER                      1
diff --git a/ssh.c b/ssh.c
index 449ec256e..d3a7ffc9b 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.300 2007/06/14 22:48:05 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.301 2007/08/07 07:32:53 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -857,6 +857,17 @@ ssh_init_forwarding(void)
                                    "forwarding.");
                }
        }
+        /* Initiate tunnel forwarding. */
+        if (options.tun_open != SSH_TUNMODE_NO) {
+                if (client_request_tun_fwd(options.tun_open,
+                    options.tun_local, options.tun_remote) == -1) {
+                        if (options.exit_on_forward_failure)
+                                fatal("Could not request tunnel forwarding.");
+                        else
+                                error("Could not request tunnel forwarding.");
+                }
+        }                       
 }
 static void
@@ -1119,33 +1130,6 @@ ssh_session2_setup(int id, void *arg)
                packet_send();
        }
-        if (options.tun_open != SSH_TUNMODE_NO) {
-                Channel *c;
-                int fd;
-                debug("Requesting tun.");
-                if ((fd = tun_open(options.tun_local,
-                    options.tun_open)) >= 0) {
-                        c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-                            CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
-                            0, "tun", 1);
-                        c->datagram = 1;
-#if defined(SSH_TUN_FILTER)
-                        if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
-                                channel_register_filter(c->self, sys_tun_infilter,
-                                    sys_tun_outfilter);
-#endif
-                        packet_start(SSH2_MSG_CHANNEL_OPEN);
-                        packet_put_cstring("tun@openssh.com");
-                        packet_put_int(c->self);
-                        packet_put_int(c->local_window_max);
-                        packet_put_int(c->local_maxpacket);
-                        packet_put_int(options.tun_open);
-                        packet_put_int(options.tun_remote);
-                        packet_send();
-                }
-        }
        client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
            NULL, fileno(stdin), &command, environ, &ssh_subsystem_reply);
@@ -1205,7 +1189,6 @@ ssh_session2(void)
        /* XXX should be pre-session */
        ssh_init_forwarding();
-        ssh_control_listener();
        if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
                id = ssh_session2_open();
@@ -1215,6 +1198,9 @@ ssh_session2(void)
            options.permit_local_command)
                ssh_local_cmd(options.local_command);
+        /* Start listening for multiplex clients */
+        ssh_control_listener();
        /* If requested, let ssh continue in the background. */
        if (fork_after_authentication_flag)
                if (daemon(1, 1) < 0)
author	Damien Miller <djm@mindrot.org>	2007-08-08 14:32:41 +1000
committer	Damien Miller <djm@mindrot.org>	2007-08-08 14:32:41 +1000
commit	b3ce9fec309a6dd695811d977593961d6dfac710 (patch)
tree	e6449a59c3fcb324aac3da765c0dbf5eee56d559
parent	647d97b1ab1f8ef4dfa6c7a085b409e1c3609c6f (diff)