upstream: Add a PermitListen directive to control which server-side

addresses may be listened on when the client requests remote forwarding (ssh -R). This is the converse of the existing PermitOpen directive and this includes some refactoring to share much of its implementation. feedback and ok markus@ OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
author: djm@openbsd.org <djm@openbsd.org> 2018-06-06 18:22:41 +0000
committer: Damien Miller <djm@mindrot.org> 2018-06-07 04:27:20 +1000
commit: 115063a6647007286cc8ca70abfd2a7585f26ccc (patch)
tree: 7bd8d46ae55ff7fc1f8699740d2d2e106c3d5fe8 /session.c
parent: 7703ae5f5d42eb302ded51705166ff6e19c92892 (diff)
1 files changed, 18 insertions, 9 deletions
diff --git a/session.c b/session.c
index 5ceebff51..3a3fd841a 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.295 2018/06/01 03:33:53 djm Exp $ */
+/* $OpenBSD: session.c,v 1.296 2018/06/06 18:22:41 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -298,7 +298,7 @@ set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
        if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
                return;
-        channel_clear_permitted_opens(ssh);
+        channel_clear_permission(ssh, FORWARD_USER, FORWARD_LOCAL);
        for (i = 0; i < auth_opts->npermitopen; i++) {
                tmp = cp = xstrdup(auth_opts->permitopen[i]);
                /* This shouldn't fail as it has already been checked */
@@ -308,7 +308,8 @@ set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
                if (cp == NULL || (port = permitopen_port(cp)) < 0)
                        fatal("%s: internal error: permitopen port",
                            __func__);
-                channel_add_permitted_opens(ssh, host, port);
+                channel_add_permission(ssh, FORWARD_USER, FORWARD_LOCAL,
+                    host, port);
                free(tmp);
        }
 }
@@ -323,13 +324,21 @@ do_authenticated(struct ssh *ssh, Authctxt *authctxt)
        /* setup the channel layer */
        /* XXX - streamlocal? */
        set_permitopen_from_authopts(ssh, auth_opts);
-        if (!auth_opts->permit_port_forwarding_flag ||
-            options.disable_forwarding ||
-            (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
-                channel_disable_adm_local_opens(ssh);
-        else
-                channel_permit_all_opens(ssh);
+        if (!auth_opts->permit_port_forwarding_flag ||
+            options.disable_forwarding) {
+                channel_disable_admin(ssh, FORWARD_LOCAL);
+                channel_disable_admin(ssh, FORWARD_REMOTE);
+        } else {
+                if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+                        channel_disable_admin(ssh, FORWARD_LOCAL);
+                else
+                        channel_permit_all(ssh, FORWARD_LOCAL);
+                if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0)
+                        channel_disable_admin(ssh, FORWARD_REMOTE);
+                else
+                        channel_permit_all(ssh, FORWARD_REMOTE);
+        }
        auth_debug_send();
        prepare_auth_info_file(authctxt->pw, authctxt->session_info);
author	djm@openbsd.org <djm@openbsd.org>	2018-06-06 18:22:41 +0000
committer	Damien Miller <djm@mindrot.org>	2018-06-07 04:27:20 +1000
commit	115063a6647007286cc8ca70abfd2a7585f26ccc (patch)
tree	7bd8d46ae55ff7fc1f8699740d2d2e106c3d5fe8 /session.c
parent	7703ae5f5d42eb302ded51705166ff6e19c92892 (diff)