author | djm@openbsd.org <djm@openbsd.org> | 2018-06-06 18:22:41 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-06-07 04:27:20 +1000 |
commit | 115063a6647007286cc8ca70abfd2a7585f26ccc (patch) | |
tree | 7bd8d46ae55ff7fc1f8699740d2d2e106c3d5fe8 /session.c | |
parent | 7703ae5f5d42eb302ded51705166ff6e19c92892 (diff) |
upstream: Add a PermitListen directive to control which server-side
addresses may be listened on when the client requests remote forwarding (ssh
-R).
This is the converse of the existing PermitOpen directive and includes
some refactoring to share much of its implementation.
feedback and ok markus@
OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
Diffstat (limited to 'session.c')
-rw-r--r-- | session.c | 27 |
1 files changed, 18 insertions, 9 deletions
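--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.295 2018/06/01 03:33:53 djm Exp $ */
+/* $OpenBSD: session.c,v 1.296 2018/06/06 18:22:41 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -298,7 +298,7 @@ set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
 
 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
 return;
-channel_clear_permitted_opens(ssh);
+channel_clear_permission(ssh, FORWARD_USER, FORWARD_LOCAL);
 for (i = 0; i < auth_opts->npermitopen; i++) {
 tmp = cp = xstrdup(auth_opts->permitopen[i]);
 /* This shouldn't fail as it has already been checked */
@@ -308,7 +308,8 @@ set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
 if (cp == NULL || (port = permitopen_port(cp)) < 0)
 fatal("%s: internal error: permitopen port",
 __func__);
-channel_add_permitted_opens(ssh, host, port);
+channel_add_permission(ssh, FORWARD_USER, FORWARD_LOCAL,
+host, port);
 free(tmp);
 }
 }
@@ -323,13 +324,21 @@ do_authenticated(struct ssh *ssh, Authctxt *authctxt)
 /* setup the channel layer */
 /* XXX - streamlocal? */
 set_permitopen_from_authopts(ssh, auth_opts);
-if (!auth_opts->permit_port_forwarding_flag ||
-options.disable_forwarding ||
-(options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
-channel_disable_adm_local_opens(ssh);
-else
-channel_permit_all_opens(ssh);
 
+if (!auth_opts->permit_port_forwarding_flag ||
+options.disable_forwarding) {
+channel_disable_admin(ssh, FORWARD_LOCAL);
+channel_disable_admin(ssh, FORWARD_REMOTE);
+} else {
+if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+channel_disable_admin(ssh, FORWARD_LOCAL);
+else
+channel_permit_all(ssh, FORWARD_LOCAL);
+if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0)
+channel_disable_admin(ssh, FORWARD_REMOTE);
+else
+channel_permit_all(ssh, FORWARD_REMOTE);
+}
 auth_debug_send();
 
 prepare_auth_info_file(authctxt->pw, authctxt->session_info);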
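Review bot: The new permission block in do_authenticated (new lines 328-341) applies policy in two layers — an unconditional veto from the key's permit_port_forwarding_flag or options.disable_forwarding, then a per-direction decision from options.allow_tcp_forwarding — but nothing in the hunk records that precedence, and the two halves of the else branch are near-identical, which invites a future edit to one direction drifting from the other. A comment such as `/* Key options or DisableForwarding veto both directions; otherwise AllowTcpForwarding decides per direction. */` above the `if` would make the intent explicit for whoever next touches the admin-level permissions. The preceding hunks show set_permitopen_from_authopts clearing and populating FORWARD_USER permissions only for FORWARD_LOCAL; if a key option is intended to restrict FORWARD_REMOTE listeners in the same way, that population is not visible in this file section and is presumably handled elsewhere — worth confirming. The `/* XXX - streamlocal? */` note above set_permitopen_from_authopts is left standing by this change. do_authenticated's body starts and ends outside the hunk.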