- dtucker@cvs.openbsd.org 2012/03/29 23:54:36

     [channels.c channels.h servconf.c]
     Add PermitOpen none option based on patch from Loganaden Velvindron
     (bz #1949).  ok djm@

4 files changed, 30 insertions, 4 deletions

diff --git a/ChangeLog b/ChangeLog
index f89e1b17c..1b5e78a42 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,10 @@
      [PROTOCOL.certkeys]
      explain certificate extensions/crit split rationale. Mention requirement
      that each appear at most once per cert.
+   - dtucker@cvs.openbsd.org 2012/03/29 23:54:36
+     [channels.c channels.h servconf.c]
+     Add PermitOpen none option based on patch from Loganaden Velvindron
+     (bz #1949).  ok djm@
 
 20120420
  - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
diff --git a/channels.c b/channels.c
index f6e9b4d8c..e5783b197 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.315 2011/09/23 07:45:05 markus Exp $ */
+/* $OpenBSD: channels.c,v 1.316 2012/03/29 23:54:36 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3127,6 +3127,17 @@ channel_add_adm_permitted_opens(char *host, int port)
 }
 
 void
+channel_disable_adm_local_opens(void)
+{
+        if (num_adm_permitted_opens == 0) {
+                permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens));
+                permitted_adm_opens[num_adm_permitted_opens].host_to_connect
+                   = NULL;
+                num_adm_permitted_opens = 1;
+        }
+}
+
+void
 channel_clear_permitted_opens(void)
 {
         int i;
@@ -3167,7 +3178,9 @@ channel_print_adm_permitted_opens(void)
                 return;
         }
         for (i = 0; i < num_adm_permitted_opens; i++)
-                if (permitted_adm_opens[i].host_to_connect != NULL)
+                if (permitted_adm_opens[i].host_to_connect == NULL)
+                        printf(" none");
+                else
                         printf(" %s:%d", permitted_adm_opens[i].host_to_connect,
                             permitted_adm_opens[i].port_to_connect);
         printf("\n");
diff --git a/channels.h b/channels.h
index c1f01c48b..6ed1ce00c 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.109 2011/09/23 07:45:05 markus Exp $ */
+/* $OpenBSD: channels.h,v 1.110 2012/03/29 23:54:36 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -253,6 +253,7 @@ void	 channel_set_af(int af);
 void     channel_permit_all_opens(void);
 void     channel_add_permitted_opens(char *, int);
 int      channel_add_adm_permitted_opens(char *, int);
+void     channel_disable_adm_local_opens(void);
 void     channel_update_permitted_opens(int, int);
 void     channel_clear_permitted_opens(void);
 void     channel_clear_adm_permitted_opens(void);
diff --git a/servconf.c b/servconf.c
index 8ec5ca0e6..6de77164e 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.223 2011/09/23 00:22:04 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.224 2012/03/29 23:54:36 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -1333,6 +1333,14 @@ process_server_config_line(ServerOptions *options, char *line,
                         }
                         break;
                 }
+                if (strcmp(arg, "none") == 0) {
+                        if (*activep && n == -1) {
+                                channel_clear_adm_permitted_opens();
+                                options->num_permitted_opens = 1;
+                                channel_disable_adm_local_opens();
+                        }
+                        break;
+                }
                 if (*activep && n == -1)
                         channel_clear_adm_permitted_opens();
                 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {