diff options
author | florian@openbsd.org <florian@openbsd.org> | 2019-05-10 18:55:17 +0000 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2019-05-17 10:07:42 +1000 |
commit | cb4accb1233865d9151f8a50cc5f0c61a3fd4077 (patch) | |
tree | 8d64bd0e40fa3fbb03b9d653e88a86a3688953b6 | |
parent | cd16aceec148d55088fc8df6be88335578d85258 (diff) |
upstream: For PermitOpen violations add the remote host and port to
be able to find out from where the request was comming.
Add the same logging for PermitListen violations which where not
logged at all.
Pointed out by Robert Kisteleki (robert AT ripe.net)
input markus
OK deraadt
OpenBSD-Commit-ID: 8a7d0f1b7175504c0d1dca8d9aca1588b66448c8
-rw-r--r-- | channels.c | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/channels.c b/channels.c index 07cb4f9a7..674a6a001 100644 --- a/channels.c +++ b/channels.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: channels.c,v 1.390 2019/05/03 04:11:00 dtucker Exp $ */ | 1 | /* $OpenBSD: channels.c,v 1.391 2019/05/10 18:55:17 florian Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -3823,6 +3823,23 @@ channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd, | |||
3823 | { | 3823 | { |
3824 | if (!check_rfwd_permission(ssh, fwd)) { | 3824 | if (!check_rfwd_permission(ssh, fwd)) { |
3825 | ssh_packet_send_debug(ssh, "port forwarding refused"); | 3825 | ssh_packet_send_debug(ssh, "port forwarding refused"); |
3826 | if (fwd->listen_path != NULL) | ||
3827 | /* XXX always allowed, see remote_open_match() */ | ||
3828 | logit("Received request from %.100s port %d to " | ||
3829 | "remote forward to path \"%.100s\", " | ||
3830 | "but the request was denied.", | ||
3831 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), | ||
3832 | fwd->listen_path); | ||
3833 | else if(fwd->listen_host != NULL) | ||
3834 | logit("Received request from %.100s port %d to " | ||
3835 | "remote forward to host %.100s port %d, " | ||
3836 | "but the request was denied.", | ||
3837 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), | ||
3838 | fwd->listen_host, fwd->listen_port ); | ||
3839 | else | ||
3840 | logit("Received request from %.100s port %d to remote " | ||
3841 | "forward, but the request was denied.", | ||
3842 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); | ||
3826 | return 0; | 3843 | return 0; |
3827 | } | 3844 | } |
3828 | if (fwd->listen_path != NULL) { | 3845 | if (fwd->listen_path != NULL) { |
@@ -4418,8 +4435,9 @@ channel_connect_to_port(struct ssh *ssh, const char *host, u_short port, | |||
4418 | } | 4435 | } |
4419 | 4436 | ||
4420 | if (!permit || !permit_adm) { | 4437 | if (!permit || !permit_adm) { |
4421 | logit("Received request to connect to host %.100s port %d, " | 4438 | logit("Received request from %.100s port %d to connect to " |
4422 | "but the request was denied.", host, port); | 4439 | "host %.100s port %d, but the request was denied.", |
4440 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), host, port); | ||
4423 | if (reason != NULL) | 4441 | if (reason != NULL) |
4424 | *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED; | 4442 | *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED; |
4425 | return NULL; | 4443 | return NULL; |