8 files changed, 68 insertions, 26 deletions

diff --git a/ChangeLog b/ChangeLog
index 7cea00cb5..cee038727 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,12 @@
      make deleting explicit keys "ssh-add -d" symmetric with adding keys -
      try to delete the corresponding certificate too and respect the -k option
      to allow deleting of the key only; feedback and ok markus@
+   - djm@cvs.openbsd.org 2012/12/02 20:46:11
+     [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
+     [sshd_config.5]
+     make AllowTcpForwarding accept "local" and "remote" in addition to its
+     current "yes"/"no" to allow the server to specify whether just local or
+     remote TCP forwarding is enabled. ok markus@
 
 20121114
  - (djm) OpenBSD CVS Sync
diff --git a/auth-options.c b/auth-options.c
index 0e67bd8c0..23d0423e1 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.56 2011/10/18 04:58:26 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -349,7 +349,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                 xfree(patterns);
                                 goto bad_option;
                         }
-                        if (options.allow_tcp_forwarding)
+                        if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
                                 channel_add_permitted_opens(host, port);
                         xfree(patterns);
                         goto next_option;
diff --git a/channels.c b/channels.c
index 7791febd7..9cf85a38d 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.318 2012/04/23 08:18:17 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3165,12 +3165,10 @@ channel_add_adm_permitted_opens(char *host, int port)
 void
 channel_disable_adm_local_opens(void)
 {
-        if (num_adm_permitted_opens == 0) {
-                permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens));
-                permitted_adm_opens[num_adm_permitted_opens].host_to_connect
-                   = NULL;
-                num_adm_permitted_opens = 1;
-        }
+        channel_clear_adm_permitted_opens();
+        permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens));
+        permitted_adm_opens[num_adm_permitted_opens].host_to_connect = NULL;
+        num_adm_permitted_opens = 1;
 }
 
 void
diff --git a/servconf.c b/servconf.c
index b90dba63b..21b371c84 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.232 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.233 2012/12/02 20:46:11 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -250,7 +250,7 @@ fill_default_server_options(ServerOptions *options)
         if (options->compression == -1)
                 options->compression = COMP_DELAYED;
         if (options->allow_tcp_forwarding == -1)
-                options->allow_tcp_forwarding = 1;
+                options->allow_tcp_forwarding = FORWARD_ALLOW;
         if (options->allow_agent_forwarding == -1)
                 options->allow_agent_forwarding = 1;
         if (options->gateway_ports == -1)
@@ -786,6 +786,14 @@ static const struct multistate multistate_privsep[] = {
         { "no",                         PRIVSEP_OFF },
         { NULL, -1 }
 };
+static const struct multistate multistate_tcpfwd[] = {
+        { "yes",                        FORWARD_ALLOW },
+        { "all",                        FORWARD_ALLOW },
+        { "no",                         FORWARD_DENY },
+        { "remote",                     FORWARD_REMOTE },
+        { "local",                      FORWARD_LOCAL },
+        { NULL, -1 }
+};
 
 int
 process_server_config_line(ServerOptions *options, char *line,
@@ -1143,7 +1151,8 @@ process_server_config_line(ServerOptions *options, char *line,
 
         case sAllowTcpForwarding:
                 intptr = &options->allow_tcp_forwarding;
-                goto parse_flag;
+                multistate_ptr = multistate_tcpfwd;
+                goto parse_multistate;
 
         case sAllowAgentForwarding:
                 intptr = &options->allow_agent_forwarding;
@@ -1423,7 +1432,6 @@ process_server_config_line(ServerOptions *options, char *line,
                 }
                 if (strcmp(arg, "none") == 0) {
                         if (*activep && n == -1) {
-                                channel_clear_adm_permitted_opens();
                                 options->num_permitted_opens = 1;
                                 channel_disable_adm_local_opens();
                         }
@@ -1780,6 +1788,8 @@ fmt_intarg(ServerOpCodes code, int val)
                 return fmt_multistate_int(val, multistate_compression);
         case sUsePrivilegeSeparation:
                 return fmt_multistate_int(val, multistate_privsep);
+        case sAllowTcpForwarding:
+                return fmt_multistate_int(val, multistate_tcpfwd);
         case sProtocol:
                 switch (val) {
                 case SSH_PROTO_1:
diff --git a/servconf.h b/servconf.h
index 68fcdb764..a23ef7f3a 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.105 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.106 2012/12/02 20:46:11 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -42,6 +42,12 @@
 #define PRIVSEP_ON              1
 #define PRIVSEP_NOSANDBOX       2
 
+/* AllowTCPForwarding */
+#define FORWARD_DENY            0
+#define FORWARD_REMOTE          (1)
+#define FORWARD_LOCAL           (1<<1)
+#define FORWARD_ALLOW           (FORWARD_REMOTE|FORWARD_LOCAL)
+
 #define DEFAULT_AUTH_FAIL_MAX   6       /* Default for MaxAuthTries */
 #define DEFAULT_SESSIONS_MAX    10      /* Default for MaxSessions */
 
@@ -116,7 +122,7 @@ typedef struct {
         int     permit_user_env;        /* If true, read ~/.ssh/environment */
         int     use_login;      /* If true, login(1) is used */
         int     compression;    /* If true, compression is allowed */
-        int     allow_tcp_forwarding;
+        int     allow_tcp_forwarding; /* One of FORWARD_* */
         int     allow_agent_forwarding;
         u_int num_allow_users;
         char   *allow_users[MAX_ALLOW_USERS];
diff --git a/serverloop.c b/serverloop.c
index 741c5befb..14e60c6dc 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.162 2012/06/20 04:42:58 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.163 2012/12/02 20:46:11 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt)
 static Channel *
 server_request_direct_tcpip(void)
 {
-        Channel *c;
+        Channel *c = NULL;
         char *target, *originator;
         u_short target_port, originator_port;
 
@@ -963,9 +963,16 @@ server_request_direct_tcpip(void)
         debug("server_request_direct_tcpip: originator %s port %d, target %s "
             "port %d", originator, originator_port, target, target_port);
 
-        /* XXX check permission */
-        c = channel_connect_to(target, target_port,
-            "direct-tcpip", "direct-tcpip");
+        /* XXX fine grained permissions */
+        if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
+            !no_port_forwarding_flag) {
+                c = channel_connect_to(target, target_port,
+                    "direct-tcpip", "direct-tcpip");
+        } else {
+                logit("refused local port forward: "
+                    "originator %s port %d, target %s port %d",
+                    originator, originator_port, target, target_port);
+        }
 
         xfree(originator);
         xfree(target);
@@ -1126,7 +1133,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
                     listen_address, listen_port);
 
                 /* check permissions */
-                if (!options.allow_tcp_forwarding ||
+                if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
                     no_port_forwarding_flag ||
                     (!want_reply && listen_port == 0)
 #ifndef NO_IPPORT_RESERVED_CONCEPT
diff --git a/session.c b/session.c
index 65bf28776..643e7fc59 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.260 2012/03/15 03:10:27 guenther Exp $ */
+/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -273,7 +273,10 @@ do_authenticated(Authctxt *authctxt)
         setproctitle("%s", authctxt->pw->pw_name);
 
         /* setup the channel layer */
-        if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+        if (no_port_forwarding_flag ||
+            (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+                channel_disable_adm_local_opens();
+        else
                 channel_permit_all_opens();
 
         auth_debug_send();
@@ -383,7 +386,7 @@ do_authenticated1(Authctxt *authctxt)
                                 debug("Port forwarding not permitted for this authentication.");
                                 break;
                         }
-                        if (!options.allow_tcp_forwarding) {
+                        if (!(options.allow_tcp_forwarding & FORWARD_REMOTE)) {
                                 debug("Port forwarding not permitted.");
                                 break;
                         }
diff --git a/sshd_config.5 b/sshd_config.5
index 05f3374fb..d2c4db55b 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.149 2012/11/04 11:09:15 djm Exp $
-.Dd $Mdocdate: November 4 2012 $
+.\" $OpenBSD: sshd_config.5,v 1.150 2012/12/02 20:46:11 djm Exp $
+.Dd $Mdocdate: December 2 2012 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -124,6 +124,18 @@ in
 for more information on patterns.
 .It Cm AllowTcpForwarding
 Specifies whether TCP forwarding is permitted.
+The available options are
+.Dq yes
+or
+.Dq all
+to allow TCP forwarding,
+.Dq no
+to prevent all TCP forwarding,
+.Dq local
+to allow local (from the perspective of
+.Xr ssh 1 ) forwarding only or
+.Dq remote
+to allow remote forwarding only.
 The default is
 .Dq yes .
 Note that disabling TCP forwarding does not improve security unless