-rw-r--r-- | misc.c | 20 | ||||
-rw-r--r-- | misc.h | 3 | ||||
-rw-r--r-- | packet.c | 14 | ||||
-rw-r--r-- | packet.h | 4 | ||||
-rw-r--r-- | servconf.c | 21 | ||||
-rw-r--r-- | servconf.h | 5 | ||||
-rw-r--r-- | sshd.c | 30 | ||||
-rw-r--r-- | sshd_config.5 | 17 |
8 files changed, 104 insertions, 10 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: misc.c,v 1.117 2017/10/25 00:15:35 djm Exp $ */ | 1 | /* $OpenBSD: misc.c,v 1.118 2017/10/25 00:17:08 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2005,2006 Damien Miller. All rights reserved. | 4 | * Copyright (c) 2005,2006 Damien Miller. All rights reserved. |
@@ -180,7 +180,23 @@ set_reuseaddr(int fd) | |||
180 | return 0; | 180 | return 0; |
181 | } | 181 | } |
182 | 182 | ||
183 | /* Set routing table */ | 183 | /* Get/set routing domain */ |
184 | char * | ||
185 | get_rdomain(int fd) | ||
186 | { | ||
187 | int rtable; | ||
188 | char *ret; | ||
189 | socklen_t len = sizeof(rtable); | ||
190 | |||
191 | if (getsockopt(fd, SOL_SOCKET, SO_RTABLE, &rtable, &len) == -1) { | ||
192 | error("Failed to get routing domain for fd %d: %s", | ||
193 | fd, strerror(errno)); | ||
194 | return NULL; | ||
195 | } | ||
196 | xasprintf(&ret, "%d", rtable); | ||
197 | return ret; | ||
198 | } | ||
199 | |||
184 | int | 200 | int |
185 | set_rdomain(int fd, const char *name) | 201 | set_rdomain(int fd, const char *name) |
186 | { | 202 | { |
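Review bot: get_rdomain() returns a string allocated by xasprintf() at line 196, but the only documentation is the shared `/* Get/set routing domain */` comment at line 183, so a caller cannot tell from the prototype that the result is heap memory it must free. Suggest a per-function comment above get_rdomain, `/* Return the routing domain of fd as a freshly allocated decimal string (caller frees), or NULL after logging if getsockopt() fails. */`, and leaving the old one-liner for set_rdomain. The error() at line 192 is emitted on every failed call, which matters because the packet-layer caller retries on each lookup when NULL is returned. set_rdomain's body continues outside the hunk.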
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: misc.h,v 1.66 2017/10/25 00:15:35 djm Exp $ */ | 1 | /* $OpenBSD: misc.h,v 1.67 2017/10/25 00:17:08 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -49,6 +49,7 @@ int set_nonblock(int); | |||
49 | int unset_nonblock(int); | 49 | int unset_nonblock(int); |
50 | void set_nodelay(int); | 50 | void set_nodelay(int); |
51 | int set_reuseaddr(int); | 51 | int set_reuseaddr(int); |
52 | char *get_rdomain(int); | ||
52 | int set_rdomain(int, const char *); | 53 | int set_rdomain(int, const char *); |
53 | int a2port(const char *); | 54 | int a2port(const char *); |
54 | int a2tun(const char *, int *); | 55 | int a2tun(const char *, int *); |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: packet.c,v 1.265 2017/10/13 21:13:54 djm Exp $ */ | 1 | /* $OpenBSD: packet.c,v 1.266 2017/10/25 00:17:08 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -557,6 +557,18 @@ ssh_local_port(struct ssh *ssh) | |||
557 | return ssh->local_port; | 557 | return ssh->local_port; |
558 | } | 558 | } |
559 | 559 | ||
560 | /* Returns the routing domain of the input socket, or NULL if unavailable */ | ||
561 | const char * | ||
562 | ssh_packet_rdomain_in(struct ssh *ssh) | ||
563 | { | ||
564 | if (ssh->rdomain_in != NULL) | ||
565 | return ssh->rdomain_in; | ||
566 | if (!ssh_packet_connection_is_on_socket(ssh)) | ||
567 | return NULL; | ||
568 | ssh->rdomain_in = get_rdomain(ssh->state->connection_in); | ||
569 | return ssh->rdomain_in; | ||
570 | } | ||
571 | |||
560 | /* Closes the connection and clears and frees internal data structures. */ | 572 | /* Closes the connection and clears and frees internal data structures. */ |
561 | 573 | ||
562 | static void | 574 | static void |
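Review bot: ssh_packet_rdomain_in() stores the string from get_rdomain() in ssh->rdomain_in at line 568 and nothing in this hunk releases it; the close routine whose comment follows at line 572 (its body is outside the hunk) needs a matching `free(ssh->rdomain_in); ssh->rdomain_in = NULL;` beside the other per-connection strings, otherwise every accepted connection leaks one allocation — please verify against that function. A second, minor point: a NULL result from get_rdomain() is not remembered, so each later call repeats the getsockopt() and the error() log line; caching the failure or lowering the log level would avoid repeated noise. The comment at line 560 could also state that the returned pointer is owned by the struct ssh and stays valid until the connection is closed.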
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: packet.h,v 1.82 2017/09/12 06:32:07 djm Exp $ */ | 1 | /* $OpenBSD: packet.h,v 1.83 2017/10/25 00:17:08 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -61,6 +61,7 @@ struct ssh { | |||
61 | int remote_port; | 61 | int remote_port; |
62 | char *local_ipaddr; | 62 | char *local_ipaddr; |
63 | int local_port; | 63 | int local_port; |
64 | char *rdomain_in; | ||
64 | 65 | ||
65 | /* Optional preamble for log messages (e.g. username) */ | 66 | /* Optional preamble for log messages (e.g. username) */ |
66 | char *log_preamble; | 67 | char *log_preamble; |
@@ -162,6 +163,7 @@ const char *ssh_remote_ipaddr(struct ssh *); | |||
162 | int ssh_remote_port(struct ssh *); | 163 | int ssh_remote_port(struct ssh *); |
163 | const char *ssh_local_ipaddr(struct ssh *); | 164 | const char *ssh_local_ipaddr(struct ssh *); |
164 | int ssh_local_port(struct ssh *); | 165 | int ssh_local_port(struct ssh *); |
166 | const char *ssh_packet_rdomain_in(struct ssh *); | ||
165 | 167 | ||
166 | void ssh_packet_set_rekey_limits(struct ssh *, u_int64_t, u_int32_t); | 168 | void ssh_packet_set_rekey_limits(struct ssh *, u_int64_t, u_int32_t); |
167 | time_t ssh_packet_get_rekey_timeout(struct ssh *); | 169 | time_t ssh_packet_get_rekey_timeout(struct ssh *); |
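--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.315 2017/10/25 00:15:35 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.316 2017/10/25 00:17:08 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -91,6 +91,7 @@ initialize_server_options(ServerOptions *options)
 options->listen_addrs = NULL;
 options->num_listen_addrs = 0;
 options->address_family = -1;
+options->routing_domain = NULL;
 options->num_host_key_files = 0;
 options->num_host_cert_files = 0;
 options->host_key_agent = NULL;
@@ -406,6 +407,7 @@ fill_default_server_options(ServerOptions *options)
 CLEAR_ON_NONE(options->authorized_principals_file);
 CLEAR_ON_NONE(options->adm_forced_command);
 CLEAR_ON_NONE(options->chroot_directory);
+CLEAR_ON_NONE(options->routing_domain);
 for (i = 0; i < options->num_host_key_files; i++)
 CLEAR_ON_NONE(options->host_key_files[i]);
 for (i = 0; i < options->num_host_cert_files; i++)
@@ -469,7 +471,7 @@ typedef enum {
 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
 sStreamLocalBindMask, sStreamLocalBindUnlink,
 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
-sExposeAuthInfo,
+sExposeAuthInfo, sRDomain,
 sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
@@ -614,6 +616,7 @@ static struct {
 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
+{ "rdomain", sRDomain, SSHCFG_ALL },
 { NULL, sBadOption, 0 }
 };
 
@@ -1984,6 +1987,19 @@ process_server_config_line(ServerOptions *options, char *line,
 intptr = &options->expose_userauth_info;
 goto parse_flag;
 
+case sRDomain:
+charptr = &options->routing_domain;
+arg = strdelim(&cp);
+if (!arg || *arg == '\0')
+fatal("%.200s line %d: Missing argument.",
+filename, linenum);
+if (strcasecmp(arg, "none") != 0 && strcmp(arg, "%D") != 0 &&
+!valid_rdomain(arg))
+fatal("%s line %d: bad routing domain",
+filename, linenum);
+if (*activep && *charptr == NULL)
+*charptr = xstrdup(arg);
+
 case sDeprecated:
 case sIgnore:
 case sUnsupported:
@@ -2473,6 +2489,7 @@ dump_config(ServerOptions *o)
 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
 o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
+dump_cfg_string(sRDomain, o->routing_domain);
 
 /* string arguments requiring a lookup */
 dump_cfg_string(sLogLevel, log_level_name(o->log_level));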
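Review bot: The new `case sRDomain:` arm in process_server_config_line (new lines 1990–2002) has no `break;`, so after a valid directive is stored at `*charptr = xstrdup(arg);` control falls through into `case sDeprecated:` / `sIgnore` / `sUnsupported`, and whatever that arm does (its body is outside the hunk) is applied to an option that is neither deprecated nor unsupported; add `break;` after the xstrdup line. The two fatal() messages in the arm also format the filename differently, `%.200s` versus `%s` — use one form within the function. Note that "none" is accepted here by strcasecmp() but only cleared for the global options by the CLEAR_ON_NONE added at line 410 in fill_default_server_options; whether a "none" given inside a Match block is cleared before it reaches sshd is not visible in this diff and should be confirmed.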
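--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.128 2017/10/25 00:15:35 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.129 2017/10/25 00:17:08 djm Exp $ */
 
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -78,6 +78,8 @@ typedef struct {
 u_int num_listen_addrs;
 int address_family; /* Address family used by the server. */
 
+char *routing_domain; /* Bind session to routing domain */
+
 char **host_key_files; /* Files containing host keys. */
 u_int num_host_key_files; /* Number of files for host keys. */
 char **host_cert_files; /* Files containing host certs. */
@@ -239,6 +241,7 @@ struct connection_info {
 M_CP_STROPT(authorized_principals_command_user); \
 M_CP_STROPT(hostbased_key_types); \
 M_CP_STROPT(pubkey_key_types); \
+M_CP_STROPT(routing_domain); \
 M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
 M_CP_STRARRAYOPT(allow_users, num_allow_users); \
 M_CP_STRARRAYOPT(deny_users, num_deny_users); \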
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshd.c,v 1.494 2017/10/25 00:15:35 djm Exp $ */ | 1 | /* $OpenBSD: sshd.c,v 1.495 2017/10/25 00:17:08 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -1368,6 +1368,31 @@ check_ip_options(struct ssh *ssh) | |||
1368 | #endif /* IP_OPTIONS */ | 1368 | #endif /* IP_OPTIONS */ |
1369 | } | 1369 | } |
1370 | 1370 | ||
1371 | /* Set the routing domain for this process */ | ||
1372 | static void | ||
1373 | set_process_rdomain(struct ssh *ssh, const char *name) | ||
1374 | { | ||
1375 | int rtable, ortable = getrtable(); | ||
1376 | const char *errstr; | ||
1377 | |||
1378 | if (name == NULL) | ||
1379 | return; /* default */ | ||
1380 | |||
1381 | if (strcmp(name, "%D") == 0) { | ||
1382 | /* "expands" to routing domain of connection */ | ||
1383 | if ((name = ssh_packet_rdomain_in(ssh)) == NULL) | ||
1384 | return; | ||
1385 | } | ||
1386 | |||
1387 | rtable = (int)strtonum(name, 0, 255, &errstr); | ||
1388 | if (errstr != NULL) /* Shouldn't happen */ | ||
1389 | fatal("Invalid routing domain \"%s\": %s", name, errstr); | ||
1390 | if (rtable != ortable && setrtable(rtable) != 0) | ||
1391 | fatal("Unable to set routing domain %d: %s", | ||
1392 | rtable, strerror(errno)); | ||
1393 | debug("%s: set routing domain %d (was %d)", __func__, rtable, ortable); | ||
1394 | } | ||
1395 | |||
1371 | /* | 1396 | /* |
1372 | * Main program for the daemon. | 1397 | * Main program for the daemon. |
1373 | */ | 1398 | */ |
@@ -1983,6 +2008,9 @@ main(int ac, char **av) | |||
1983 | cleanup_exit(255); | 2008 | cleanup_exit(255); |
1984 | } | 2009 | } |
1985 | 2010 | ||
2011 | if (options.routing_domain != NULL) | ||
2012 | set_process_rdomain(ssh, options.routing_domain); | ||
2013 | |||
1986 | /* | 2014 | /* |
1987 | * The rest of the code depends on the fact that | 2015 | * The rest of the code depends on the fact that |
1988 | * ssh_remote_ipaddr() caches the remote ip, even if | 2016 | * ssh_remote_ipaddr() caches the remote ip, even if |
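Review bot: set_process_rdomain() hands name straight to strtonum() at line 1387, yet the parser in servconf.c accepts the literal "none" for RDomain and only fill_default_server_options() clears it for the global configuration; if a "none" set in a Match block reaches this function uncleared (the Match copy path is not visible here), it fails strtonum() and trips the fatal() marked "Shouldn't happen" after authentication has already succeeded. A guard next to the NULL check, `if (strcasecmp(name, "none") == 0) return;`, makes the function safe regardless of how the config layer treats that value. The bounds 0 and 255 at line 1387 duplicate whatever valid_rdomain() checks — a shared named constant keeps the two from drifting. getrtable() at line 1375 is also called before the `name == NULL` early return, so the default path pays for a lookup it never uses; initialise ortable after the guard instead.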
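--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.256 2017/10/25 00:15:35 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.257 2017/10/25 00:17:08 djm Exp $
 .Dd $Mdocdate: October 25 2017 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -1118,6 +1118,7 @@ Available keywords are
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RevokedKeys ,
+.Cm RDomain ,
 .Cm StreamLocalBindMask ,
 .Cm StreamLocalBindUnlink ,
 .Cm TrustedUserCAKeys ,
@@ -1378,6 +1379,15 @@ an OpenSSH Key Revocation List (KRL) as generated by
 .Xr ssh-keygen 1 .
 For more information on KRLs, see the KEY REVOCATION LISTS section in
 .Xr ssh-keygen 1 .
+.It Cm RDomain
+Specifies an explicit routing domain that is applied after authentication
+has completed.
+The user session, as well and any forwarded or listening IP sockets will
+be bound to this
+.Xr rdomain 4 .
+If the routing domain is set to
+.Cm \&%D ,
+then the domain in which the incoming connection was recieved will be applied.
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask
@@ -1643,6 +1653,8 @@ which are expanded at runtime:
 .It %%
 A literal
 .Sq % .
+.It \&%D
+The routing domain in which the incoming connection was received.
 .It %F
 The fingerprint of the CA key.
 .It %f
@@ -1679,6 +1691,9 @@ accepts the tokens %%, %h, and %u.
 .Pp
 .Cm ChrootDirectory
 accepts the tokens %%, %h, and %u.
+.Pp
+.Cm RoutingDomain
+accepts the token %D.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa /etc/ssh/sshd_config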