diff options
| author | Damien Miller <djm@mindrot.org> | 2012-12-03 09:50:54 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2012-12-03 09:50:54 +1100 |
| commit | aa5b3f831417bac9538d2b6f21d55fef278e8926 (patch) | |
| tree | dfaa5a58efa8195f1f72761fb9e2ba4fad7021b4 /serverloop.c | |
| parent | 33a813613a9f48acba0e88f4c51a6a25259bbebc (diff) | |
- djm@cvs.openbsd.org 2012/12/02 20:46:11
[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
[sshd_config.5]
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@
Diffstat (limited to 'serverloop.c')
| -rw-r--r-- | serverloop.c | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/serverloop.c b/serverloop.c index 741c5befb..14e60c6dc 100644 --- a/serverloop.c +++ b/serverloop.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: serverloop.c,v 1.162 2012/06/20 04:42:58 djm Exp $ */ | 1 | /* $OpenBSD: serverloop.c,v 1.163 2012/12/02 20:46:11 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -950,7 +950,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt) | |||
| 950 | static Channel * | 950 | static Channel * |
| 951 | server_request_direct_tcpip(void) | 951 | server_request_direct_tcpip(void) |
| 952 | { | 952 | { |
| 953 | Channel *c; | 953 | Channel *c = NULL; |
| 954 | char *target, *originator; | 954 | char *target, *originator; |
| 955 | u_short target_port, originator_port; | 955 | u_short target_port, originator_port; |
| 956 | 956 | ||
| @@ -963,9 +963,16 @@ server_request_direct_tcpip(void) | |||
| 963 | debug("server_request_direct_tcpip: originator %s port %d, target %s " | 963 | debug("server_request_direct_tcpip: originator %s port %d, target %s " |
| 964 | "port %d", originator, originator_port, target, target_port); | 964 | "port %d", originator, originator_port, target, target_port); |
| 965 | 965 | ||
| 966 | /* XXX check permission */ | 966 | /* XXX fine grained permissions */ |
| 967 | c = channel_connect_to(target, target_port, | 967 | if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 && |
| 968 | "direct-tcpip", "direct-tcpip"); | 968 | !no_port_forwarding_flag) { |
| 969 | c = channel_connect_to(target, target_port, | ||
| 970 | "direct-tcpip", "direct-tcpip"); | ||
| 971 | } else { | ||
| 972 | logit("refused local port forward: " | ||
| 973 | "originator %s port %d, target %s port %d", | ||
| 974 | originator, originator_port, target, target_port); | ||
| 975 | } | ||
| 969 | 976 | ||
| 970 | xfree(originator); | 977 | xfree(originator); |
| 971 | xfree(target); | 978 | xfree(target); |
| @@ -1126,7 +1133,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) | |||
| 1126 | listen_address, listen_port); | 1133 | listen_address, listen_port); |
| 1127 | 1134 | ||
| 1128 | /* check permissions */ | 1135 | /* check permissions */ |
| 1129 | if (!options.allow_tcp_forwarding || | 1136 | if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 || |
| 1130 | no_port_forwarding_flag || | 1137 | no_port_forwarding_flag || |
| 1131 | (!want_reply && listen_port == 0) | 1138 | (!want_reply && listen_port == 0) |
| 1132 | #ifndef NO_IPPORT_RESERVED_CONCEPT | 1139 | #ifndef NO_IPPORT_RESERVED_CONCEPT |