author | Damien Miller <djm@mindrot.org> | 2014-07-18 14:11:24 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2014-07-18 14:11:24 +1000 |
commit | 7acefbbcbeab725420ea07397ae35992f505f702 (patch) | |
tree | bfb07917715d425438dab987a47ccd7a8d7f118b /session.c | |
parent | 6262d760e00714523633bd989d62e273a3dca99a (diff) |
- millert@cvs.openbsd.org 2014/07/15 15:54:14
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
[sshd_config.5 sshlogin.c]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
Diffstat (limited to 'session.c')
-rw-r--r-- | session.c | 34 |
1 files changed, 8 insertions, 26 deletions
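--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.273 2014/07/03 22:40:43 djm Exp $ */
+/* $OpenBSD: session.c,v 1.274 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -84,11 +84,11 @@
 #include "authfd.h"
 #include "pathnames.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "sshlogin.h"
 #include "serverloop.h"
 #include "canohost.h"
-#include "misc.h"
 #include "session.h"
 #include "kex.h"
 #include "monitor_wrap.h"
@@ -183,7 +183,6 @@ auth_input_request_forwarding(struct passwd * pw)
 {
 	Channel *nc;
 	int sock = -1;
-	struct sockaddr_un sunaddr;
 
 	if (auth_sock_name != NULL) {
 		error("authentication forwarding requested twice.");
@@ -209,33 +208,15 @@ auth_input_request_forwarding(struct passwd * pw)
 	xasprintf(&auth_sock_name, "%s/agent.%ld",
 	    auth_sock_dir, (long) getpid());
 
-	/* Create the socket. */
-	sock = socket(AF_UNIX, SOCK_STREAM, 0);
-	if (sock < 0) {
-		error("socket: %.100s", strerror(errno));
-		restore_uid();
-		goto authsock_err;
-	}
-
-	/* Bind it to the name. */
-	memset(&sunaddr, 0, sizeof(sunaddr));
-	sunaddr.sun_family = AF_UNIX;
-	strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path));
-
-	if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
-		error("bind: %.100s", strerror(errno));
-		restore_uid();
-		goto authsock_err;
-	}
+	/* Start a Unix listener on auth_sock_name. */
+	sock = unix_listener(auth_sock_name, SSH_LISTEN_BACKLOG, 0);
 
 	/* Restore the privileged uid. */
 	restore_uid();
 
-	/* Start listening on the socket. */
-	if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
-		error("listen: %.100s", strerror(errno));
+	/* Check for socket/bind/listen failure. */
+	if (sock < 0)
 		goto authsock_err;
-	}
 
 	/* Allocate a channel for the authentication agent socket. */
 	nc = channel_new("auth socket",
@@ -274,6 +255,7 @@ do_authenticated(Authctxt *authctxt)
 	setproctitle("%s", authctxt->pw->pw_name);
 
 	/* setup the channel layer */
+	/* XXX - streamlocal? */
 	if (no_port_forwarding_flag ||
 	    (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
 		channel_disable_adm_local_opens();
@@ -393,7 +375,7 @@ do_authenticated1(Authctxt *authctxt)
 	}
 	debug("Received TCP/IP port forwarding request.");
 	if (channel_input_port_forward_request(s->pw->pw_uid == 0,
-	    options.gateway_ports) < 0) {
+	    &options.fwd_opts) < 0) {
 		debug("Port forwarding failed.");
 		break;
 	}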
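Review bot: The `/* XXX - streamlocal? */` left in do_authenticated() records an unresolved policy question: the check below it only disables local opens based on `no_port_forwarding_flag` and `options.allow_tcp_forwarding & FORWARD_LOCAL`, and nothing in this hunk says whether the newly added Unix-domain-socket forwarding is gated by the same restrictions. If channel_disable_adm_local_opens() does not also cover streamlocal opens (not visible here), an account or key restricted with no-port-forwarding or AllowTcpForwarding would have a narrower restriction than the option names suggest. Until that is settled, the marker should at least state the open question, e.g. `/* XXX - streamlocal: confirm no-port-forwarding / AllowTcpForwarding also restrict Unix-domain-socket opens */`. The same enforcement question applies to the `&options.fwd_opts` call in do_authenticated1(). Both enclosing functions start and end outside the hunks shown.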