- dtucker@cvs.openbsd.org 2006/07/17 12:06:00

[channels.c channels.h servconf.c sshd_config.5] Add PermitOpen directive to sshd_config which is equivalent to the "permitopen" key option. Allows server admin to allow TCP port forwarding only two specific host/port pairs. Useful when combined with Match. If permitopen is used in both sshd_config and a key option, both must allow a given connection before it will be permitted. Note that users can still use external forwarders such as netcat, so to be those must be controlled too for the limits to be effective. Feedback & ok djm@, man page corrections & ok jmc@.
author: Damien Miller <djm@mindrot.org> 2006-07-24 14:04:00 +1000
committer: Damien Miller <djm@mindrot.org> 2006-07-24 14:04:00 +1000
commit: 9b439df18a9d56683584811ce38dcf72acd4cb20 (patch)
tree: dc7d64d4ae9ce7c47d52804671e8b5d2aedddae3 /servconf.c
parent: 98299261eb970688a7bad346491cffdf2a7f6072 (diff)
1 files changed, 27 insertions, 2 deletions
diff --git a/servconf.c b/servconf.c
index 330e79143..4f5cb19db 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.155 2006/07/17 01:31:09 stevesk Exp $ */
+/* $OpenBSD: servconf.c,v 1.156 2006/07/17 12:06:00 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -31,6 +31,7 @@
 #include "kex.h"
 #include "mac.h"
 #include "match.h"
+#include "channels.h"
 static void add_listen_addr(ServerOptions *, char *, u_short);
 static void add_one_listen_addr(ServerOptions *, char *, u_short);
@@ -281,7 +282,7 @@ typedef enum {
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
        sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
        sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-        sMatch,
+        sMatch, sPermitOpen,
        sUsePrivilegeSeparation,
        sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -390,6 +391,8 @@ static struct {
        { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
        { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
        { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
+        { "match", sMatch, SSHCFG_ALL },
+        { "permitopen", sPermitOpen, SSHCFG_ALL },
        { NULL, sBadOption, 0 }
 };
@@ -1148,6 +1151,28 @@ parse_flag:
                *activep = value;
                break;
+        case sPermitOpen:
+                arg = strdelim(&cp);
+                if (!arg || *arg == '\0')
+                        fatal("%s line %d: missing PermitOpen specification",
+                            filename, linenum);
+                if (strcmp(arg, "any") == 0) {
+                        if (*activep)
+                                channel_clear_adm_permitted_opens();
+                        break;
+                }
+                p = hpdelim(&arg);
+                if (p == NULL)
+                        fatal("%s line %d: missing host in PermitOpen",
+                            filename, linenum);
+                p = cleanhostname(p);
+                if (arg == NULL || (port = a2port(arg)) == 0)
+                        fatal("%s line %d: bad port number in PermitOpen",
+                            filename, linenum);
+                if (*activep)
+                        channel_add_adm_permitted_opens(p, port);
+                break;
        case sDeprecated:
                logit("%s line %d: Deprecated option %s",
                    filename, linenum, arg);
author	Damien Miller <djm@mindrot.org>	2006-07-24 14:04:00 +1000
committer	Damien Miller <djm@mindrot.org>	2006-07-24 14:04:00 +1000
commit	9b439df18a9d56683584811ce38dcf72acd4cb20 (patch)
tree	dc7d64d4ae9ce7c47d52804671e8b5d2aedddae3 /servconf.c
parent	98299261eb970688a7bad346491cffdf2a7f6072 (diff)