summaryrefslogtreecommitdiff
path: root/session.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2018-06-06 18:23:32 +0000
committerDamien Miller <djm@mindrot.org>2018-06-07 04:27:20 +1000
commit93c06ab6b77514e0447fe4f1d822afcbb2a9be08 (patch)
tree86b19179eaa51962f0dae9ab02d6d37197942265 /session.c
parent115063a6647007286cc8ca70abfd2a7585f26ccc (diff)
upstream: permitlisten option for authorized_keys; ok markus@
OpenBSD-Commit-ID: 8650883018d7aa893173d703379e4456a222c672
Diffstat (limited to 'session.c')
-rw-r--r--session.c52
1 files changed, 34 insertions, 18 deletions
diff --git a/session.c b/session.c
index 3a3fd841a..e72fcb0a8 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: session.c,v 1.296 2018/06/06 18:22:41 djm Exp $ */ 1/* $OpenBSD: session.c,v 1.297 2018/06/06 18:23:32 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -290,27 +290,43 @@ prepare_auth_info_file(struct passwd *pw, struct sshbuf *info)
290} 290}
291 291
292static void 292static void
293set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts) 293set_fwdpermit_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
294{ 294{
295 char *tmp, *cp, *host; 295 char *tmp, *cp, *host;
296 int port; 296 int port;
297 size_t i; 297 size_t i;
298 298
299 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) 299 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) {
300 return; 300 channel_clear_permission(ssh, FORWARD_USER, FORWARD_LOCAL);
301 channel_clear_permission(ssh, FORWARD_USER, FORWARD_LOCAL); 301 for (i = 0; i < auth_opts->npermitopen; i++) {
302 for (i = 0; i < auth_opts->npermitopen; i++) { 302 tmp = cp = xstrdup(auth_opts->permitopen[i]);
303 tmp = cp = xstrdup(auth_opts->permitopen[i]); 303 /* This shouldn't fail as it has already been checked */
304 /* This shouldn't fail as it has already been checked */ 304 if ((host = hpdelim(&cp)) == NULL)
305 if ((host = hpdelim(&cp)) == NULL) 305 fatal("%s: internal error: hpdelim", __func__);
306 fatal("%s: internal error: hpdelim", __func__); 306 host = cleanhostname(host);
307 host = cleanhostname(host); 307 if (cp == NULL || (port = permitopen_port(cp)) < 0)
308 if (cp == NULL || (port = permitopen_port(cp)) < 0) 308 fatal("%s: internal error: permitopen port",
309 fatal("%s: internal error: permitopen port", 309 __func__);
310 __func__); 310 channel_add_permission(ssh,
311 channel_add_permission(ssh, FORWARD_USER, FORWARD_LOCAL, 311 FORWARD_USER, FORWARD_LOCAL, host, port);
312 host, port); 312 free(tmp);
313 free(tmp); 313 }
314 }
315 if ((options.allow_tcp_forwarding & FORWARD_REMOTE) != 0) {
316 channel_clear_permission(ssh, FORWARD_USER, FORWARD_REMOTE);
317 for (i = 0; i < auth_opts->npermitlisten; i++) {
318 tmp = cp = xstrdup(auth_opts->permitlisten[i]);
319 /* This shouldn't fail as it has already been checked */
320 if ((host = hpdelim(&cp)) == NULL)
321 fatal("%s: internal error: hpdelim", __func__);
322 host = cleanhostname(host);
323 if (cp == NULL || (port = permitopen_port(cp)) < 0)
324 fatal("%s: internal error: permitlisten port",
325 __func__);
326 channel_add_permission(ssh,
327 FORWARD_USER, FORWARD_REMOTE, host, port);
328 free(tmp);
329 }
314 } 330 }
315} 331}
316 332
@@ -323,7 +339,7 @@ do_authenticated(struct ssh *ssh, Authctxt *authctxt)
323 339
324 /* setup the channel layer */ 340 /* setup the channel layer */
325 /* XXX - streamlocal? */ 341 /* XXX - streamlocal? */
326 set_permitopen_from_authopts(ssh, auth_opts); 342 set_fwdpermit_from_authopts(ssh, auth_opts);
327 343
328 if (!auth_opts->permit_port_forwarding_flag || 344 if (!auth_opts->permit_port_forwarding_flag ||
329 options.disable_forwarding) { 345 options.disable_forwarding) {
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-01 00:04:52 +0000