-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | channels.c | 8 | ||||
-rw-r--r-- | channels.h | 4 | ||||
-rw-r--r-- | servconf.c | 32 | ||||
-rw-r--r-- | servconf.h | 4 | ||||
-rw-r--r-- | sshd_config.5 | 6 |
6 files changed, 37 insertions, 24 deletions
@@ -65,6 +65,11 @@ | |||
65 | [auth1.c serverloop.c session.c sshconnect2.c] | 65 | [auth1.c serverloop.c session.c sshconnect2.c] |
66 | missed some needed #include <unistd.h> when KERBEROS5=no; issue from | 66 | missed some needed #include <unistd.h> when KERBEROS5=no; issue from |
67 | massimo@cedoc.mo.it | 67 | massimo@cedoc.mo.it |
68 | - dtucker@cvs.openbsd.org 2006/07/21 12:43:36 | ||
69 | [channels.c channels.h servconf.c servconf.h sshd_config.5] | ||
70 | Make PermitOpen take a list of permitted ports and act more like most | ||
71 | other keywords (ie the first match is the effective setting). This | ||
72 | also makes it easier to override a previously set PermitOpen. ok djm@ | ||
68 | 73 | ||
69 | 20060713 | 74 | 20060713 |
70 | - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h | 75 | - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h |
@@ -4983,4 +4988,4 @@ | |||
4983 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 4988 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
4984 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 4989 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
4985 | 4990 | ||
4986 | $Id: ChangeLog,v 1.4423 2006/07/24 04:07:35 djm Exp $ | 4991 | $Id: ChangeLog,v 1.4424 2006/07/24 04:08:13 djm Exp $ |
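--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.257 2006/07/17 12:06:00 dtucker Exp $ */
+/* $OpenBSD: channels.c,v 1.258 2006/07/21 12:43:36 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2653,17 +2653,17 @@ channel_add_permitted_opens(char *host, int port)
 all_opens_permitted = 0;
 }
 
-void
+int
 channel_add_adm_permitted_opens(char *host, int port)
 {
 if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
 fatal("channel_add_adm_permitted_opens: too many forwards");
-debug("allow port forwarding to host %s port %d", host, port);
+debug("config allows port forwarding to host %s port %d", host, port);
 
 permitted_adm_opens[num_adm_permitted_opens].host_to_connect
 = xstrdup(host);
 permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port;
-num_adm_permitted_opens++;
+return ++num_adm_permitted_opens;
 }
 
 void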
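Review bot: The new non-void return of channel_add_adm_permitted_opens is undocumented, and the only thing that tells a reader what it means is the caller added in servconf.c by this same commit, which stores it as the count of configured entries. A comment above the definition would pin the contract: `/* Record one PermitOpen host/port pair (host is copied with xstrdup); returns the number of entries now in the table. Calls fatal() when the table is full. */`. The visible code supports each of those claims: the xstrdup on the host, the pre-increment return, and the fatal() on SSH_MAX_FORWARDS_PER_DIRECTION.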
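--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.86 2006/07/17 12:06:00 dtucker Exp $ */
+/* $OpenBSD: channels.h,v 1.87 2006/07/21 12:43:36 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -207,7 +207,7 @@ int channel_find_open(void);
 void channel_set_af(int af);
 void channel_permit_all_opens(void);
 void channel_add_permitted_opens(char *, int);
-void channel_add_adm_permitted_opens(char *, int);
+int channel_add_adm_permitted_opens(char *, int);
 void channel_clear_permitted_opens(void);
 void channel_clear_adm_permitted_opens(void);
 int channel_input_port_forward_request(int, int);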
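--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.159 2006/07/21 12:43:36 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions *options)
 options->authorized_keys_file2 = NULL;
 options->num_accept_env = 0;
 options->permit_tun = -1;
+options->num_permitted_opens = -1;
 options->adm_forced_command = NULL;
 }
 
@@ -1161,20 +1162,27 @@ parse_flag:
 fatal("%s line %d: missing PermitOpen specification",
 filename, linenum);
 if (strcmp(arg, "any") == 0) {
-if (*activep)
+if (*activep) {
 channel_clear_adm_permitted_opens();
+options->num_permitted_opens = 0;
+}
 break;
 }
-p = hpdelim(&arg);
-if (p == NULL)
-fatal("%s line %d: missing host in PermitOpen",
-filename, linenum);
-p = cleanhostname(p);
-if (arg == NULL || (port = a2port(arg)) == 0)
-fatal("%s line %d: bad port number in PermitOpen",
-filename, linenum);
-if (*activep)
-channel_add_adm_permitted_opens(p, port);
+for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
+p = hpdelim(&arg);
+if (p == NULL)
+fatal("%s line %d: missing host in PermitOpen",
+filename, linenum);
+p = cleanhostname(p);
+if (arg == NULL || (port = a2port(arg)) == 0)
+fatal("%s line %d: bad port number in "
+"PermitOpen", filename, linenum);
+if (*activep && options->num_permitted_opens == -1) {
+channel_clear_adm_permitted_opens();
+options->num_permitted_opens =
+channel_add_adm_permitted_opens(p, port);
+}
+}
 break;
 
 case sForceCommand: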
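Review bot: Only the first host:port pair on a PermitOpen line is ever recorded: the guard `options->num_permitted_opens == -1` inside the new for loop is true on the first iteration, the call to channel_add_adm_permitted_opens then stores a count of 1 into num_permitted_opens, and every later iteration skips both the clear and the add, so `PermitOpen a:1 b:2` permits only a:1 even though the man page changed in this same commit promises whitespace-separated lists. The `any` branch has the opposite problem: it clears the table regardless of num_permitted_opens, so a later `PermitOpen any` overrides an earlier entry, which contradicts the first-match-wins intent stated in the ChangeLog. The fix is to snapshot num_permitted_opens into a local before touching the table, test that local in both branches, and clear the table once before the loop rather than per entry; the `int n` needs declaring with the function's other locals, which sit outside this hunk, as does the start of the sPermitOpen case. The fatal() on a bad port still aborts config parsing for inactive Match blocks, which looks intentional and is unchanged here.
```c
/* … unchanged: "missing PermitOpen specification" check … */
n = options->num_permitted_opens;	/* -1 until the first effective setting */
if (strcmp(arg, "any") == 0) {
	if (*activep && n == -1) {
		channel_clear_adm_permitted_opens();
		options->num_permitted_opens = 0;
	}
	break;
}
if (*activep && n == -1)
	channel_clear_adm_permitted_opens();
for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
	/* … unchanged: hpdelim / cleanhostname / a2port validation … */
	if (*activep && n == -1)
		options->num_permitted_opens =
		    channel_add_adm_permitted_opens(p, port);
}
break;
```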
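--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.77 2006/07/21 12:43:36 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -140,6 +140,8 @@ typedef struct {
 int use_pam; /* Enable auth via PAM */
 
 int permit_tun;
+
+int num_permitted_opens;
 } ServerOptions;
 
 void initialize_server_options(ServerOptions *);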
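Review bot: The new num_permitted_opens field carries none of the trailing comments its neighbours such as use_pam have, and its value is a three-way sentinel that cannot be guessed from the name: the commit initialises it to -1 in servconf.c, sets it to 0 for `PermitOpen any`, and otherwise stores the entry count returned by channel_add_adm_permitted_opens. A comment on the field would save the next reader a trip through servconf.c: `int num_permitted_opens;	/* -1: PermitOpen not yet set; 0: "any"; otherwise number of entries */`. The struct's opening is outside this hunk.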
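--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.68 2006/07/21 12:43:36 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -564,9 +564,7 @@ The forwarding specification must be one of the following forms:
 .Sm on
 .El
 .Pp
-Multiple instances of
-.Cm PermitOpen
-are permitted.
+Multiple forwards may be specified by separating them with whitespace.
 An argument of
 .Dq any
 can be used to remove all restrictions and permit any forwarding requests.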