diff options
| author | Damien Miller <djm@mindrot.org> | 2014-07-18 14:11:24 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2014-07-18 14:11:24 +1000 |
| commit | 7acefbbcbeab725420ea07397ae35992f505f702 (patch) | |
| tree | bfb07917715d425438dab987a47ccd7a8d7f118b /session.c | |
| parent | 6262d760e00714523633bd989d62e273a3dca99a (diff) | |
- millert@cvs.openbsd.org 2014/07/15 15:54:14
[PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
[auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
[clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
[readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
[ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
[sshd_config.5 sshlogin.c]
Add support for Unix domain socket forwarding. A remote TCP port
may be forwarded to a local Unix domain socket and vice versa or
both ends may be a Unix domain socket. This is a reimplementation
of the streamlocal patches by William Ahern from:
http://www.25thandclement.com/~william/projects/streamlocal.html
OK djm@ markus@
Diffstat (limited to 'session.c')
| -rw-r--r-- | session.c | 34 |
1 files changed, 8 insertions, 26 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: session.c,v 1.273 2014/07/03 22:40:43 djm Exp $ */ | 1 | /* $OpenBSD: session.c,v 1.274 2014/07/15 15:54:14 millert Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 4 | * All rights reserved | 4 | * All rights reserved |
| @@ -84,11 +84,11 @@ | |||
| 84 | #include "authfd.h" | 84 | #include "authfd.h" |
| 85 | #include "pathnames.h" | 85 | #include "pathnames.h" |
| 86 | #include "log.h" | 86 | #include "log.h" |
| 87 | #include "misc.h" | ||
| 87 | #include "servconf.h" | 88 | #include "servconf.h" |
| 88 | #include "sshlogin.h" | 89 | #include "sshlogin.h" |
| 89 | #include "serverloop.h" | 90 | #include "serverloop.h" |
| 90 | #include "canohost.h" | 91 | #include "canohost.h" |
| 91 | #include "misc.h" | ||
| 92 | #include "session.h" | 92 | #include "session.h" |
| 93 | #include "kex.h" | 93 | #include "kex.h" |
| 94 | #include "monitor_wrap.h" | 94 | #include "monitor_wrap.h" |
| @@ -183,7 +183,6 @@ auth_input_request_forwarding(struct passwd * pw) | |||
| 183 | { | 183 | { |
| 184 | Channel *nc; | 184 | Channel *nc; |
| 185 | int sock = -1; | 185 | int sock = -1; |
| 186 | struct sockaddr_un sunaddr; | ||
| 187 | 186 | ||
| 188 | if (auth_sock_name != NULL) { | 187 | if (auth_sock_name != NULL) { |
| 189 | error("authentication forwarding requested twice."); | 188 | error("authentication forwarding requested twice."); |
| @@ -209,33 +208,15 @@ auth_input_request_forwarding(struct passwd * pw) | |||
| 209 | xasprintf(&auth_sock_name, "%s/agent.%ld", | 208 | xasprintf(&auth_sock_name, "%s/agent.%ld", |
| 210 | auth_sock_dir, (long) getpid()); | 209 | auth_sock_dir, (long) getpid()); |
| 211 | 210 | ||
| 212 | /* Create the socket. */ | 211 | /* Start a Unix listener on auth_sock_name. */ |
| 213 | sock = socket(AF_UNIX, SOCK_STREAM, 0); | 212 | sock = unix_listener(auth_sock_name, SSH_LISTEN_BACKLOG, 0); |
| 214 | if (sock < 0) { | ||
| 215 | error("socket: %.100s", strerror(errno)); | ||
| 216 | restore_uid(); | ||
| 217 | goto authsock_err; | ||
| 218 | } | ||
| 219 | |||
| 220 | /* Bind it to the name. */ | ||
| 221 | memset(&sunaddr, 0, sizeof(sunaddr)); | ||
| 222 | sunaddr.sun_family = AF_UNIX; | ||
| 223 | strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path)); | ||
| 224 | |||
| 225 | if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) { | ||
| 226 | error("bind: %.100s", strerror(errno)); | ||
| 227 | restore_uid(); | ||
| 228 | goto authsock_err; | ||
| 229 | } | ||
| 230 | 213 | ||
| 231 | /* Restore the privileged uid. */ | 214 | /* Restore the privileged uid. */ |
| 232 | restore_uid(); | 215 | restore_uid(); |
| 233 | 216 | ||
| 234 | /* Start listening on the socket. */ | 217 | /* Check for socket/bind/listen failure. */ |
| 235 | if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { | 218 | if (sock < 0) |
| 236 | error("listen: %.100s", strerror(errno)); | ||
| 237 | goto authsock_err; | 219 | goto authsock_err; |
| 238 | } | ||
| 239 | 220 | ||
| 240 | /* Allocate a channel for the authentication agent socket. */ | 221 | /* Allocate a channel for the authentication agent socket. */ |
| 241 | nc = channel_new("auth socket", | 222 | nc = channel_new("auth socket", |
| @@ -274,6 +255,7 @@ do_authenticated(Authctxt *authctxt) | |||
| 274 | setproctitle("%s", authctxt->pw->pw_name); | 255 | setproctitle("%s", authctxt->pw->pw_name); |
| 275 | 256 | ||
| 276 | /* setup the channel layer */ | 257 | /* setup the channel layer */ |
| 258 | /* XXX - streamlocal? */ | ||
| 277 | if (no_port_forwarding_flag || | 259 | if (no_port_forwarding_flag || |
| 278 | (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) | 260 | (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) |
| 279 | channel_disable_adm_local_opens(); | 261 | channel_disable_adm_local_opens(); |
| @@ -393,7 +375,7 @@ do_authenticated1(Authctxt *authctxt) | |||
| 393 | } | 375 | } |
| 394 | debug("Received TCP/IP port forwarding request."); | 376 | debug("Received TCP/IP port forwarding request."); |
| 395 | if (channel_input_port_forward_request(s->pw->pw_uid == 0, | 377 | if (channel_input_port_forward_request(s->pw->pw_uid == 0, |
| 396 | options.gateway_ports) < 0) { | 378 | &options.fwd_opts) < 0) { |
| 397 | debug("Port forwarding failed."); | 379 | debug("Port forwarding failed."); |
| 398 | break; | 380 | break; |
| 399 | } | 381 | } |