authordtucker@openbsd.org <dtucker@openbsd.org>2016-07-19 11:38:53 +0000
committerDamien Miller <djm@mindrot.org>2016-07-22 13:36:40 +1000
commitd7eabc86fa049a12ba2c3fb198bd1d51b37f7025 (patch)
tree8ebcc4c4e40c9d4d193e6e109287aea71069ffca
parentb98a2a8348e907b3d71caafd80f0be8fdd075943 (diff)
upstream commit
Allow wildcard for PermitOpen hosts as well as ports. bz#2582, patch from openssh at mzpqnxow.com and jjelen at redhat.com. ok markus@ Upstream-ID: af0294e9b9394c4e16e991424ca0a47a7cc605f2
-rw-r--r--channels.c8
-rw-r--r--sshd_config.57
2 files changed, 11 insertions, 4 deletions
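--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.350 2016/03/07 19:02:43 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.351 2016/07/19 11:38:53 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -138,6 +138,9 @@ static int num_adm_permitted_opens = 0;
 /* special-case port number meaning allow any port */
 #define FWD_PERMIT_ANY_PORT 0
 
+/* special-case wildcard meaning allow any host */
+#define FWD_PERMIT_ANY_HOST "*"
+
 /*
  * If this is true, all opens are permitted. This is the case on the server
  * on which we have to trust the client anyway, and the user could do
@@ -3298,7 +3301,8 @@ open_match(ForwardPermission *allowed_open, const char *requestedhost,
  if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&
  allowed_open->port_to_connect != requestedport)
  return 0;
- if (strcmp(allowed_open->host_to_connect, requestedhost) != 0)
+ if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 &&
+ strcmp(allowed_open->host_to_connect, requestedhost) != 0)
  return 0;
  return 1;
 }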
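Review bot: The wildcard test added at new line 3304 is an exact strcmp against FWD_PERMIT_ANY_HOST, so `*` is the only special value; an entry such as `*.example.com` is not treated as a pattern but compared literally against the requested host and will not match it. Since the accompanying manpage change calls `*` a "wildcard", a comment on that line would keep operators from expecting glob-style matching: `/* "*" is the literal any-host value; no pattern matching is done */`. It is also worth stating, near the new FWD_PERMIT_ANY_HOST define, that an entry combining the wildcard host with FWD_PERMIT_ANY_PORT makes open_match accept any destination, which is effectively the same as an unrestricted PermitOpen. open_match's signature and the start of its body lie outside the hunk.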
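--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.225 2016/06/17 06:33:30 jmc Exp $
-.Dd $Mdocdate: June 17 2016 $
+.\" $OpenBSD: sshd_config.5,v 1.226 2016/07/19 11:38:53 dtucker Exp $
+.Dd $Mdocdate: July 19 2016 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1215,6 +1215,9 @@ can be used to remove all restrictions and permit any forwarding requests.
 An argument of
 .Dq none
 can be used to prohibit all forwarding requests.
+Wildcard
+.Dq *
+can be used for host or port to allow all hosts or port respectively.
 By default all port forwarding requests are permitted.
 .It Cm PermitRootLogin
 Specifies whether root can log in using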