-rw-r--r--ChangeLog6
-rw-r--r--auth-options.c32
-rw-r--r--sshd.87
3 files changed, 25 insertions, 20 deletions
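--- a/ChangeLog
+++ b/ChangeLog
@@ -66,6 +66,10 @@
  validate ports for LocalForward/RemoteForward.
  add host/port alternative syntax for IPv6 (like -L/-R).
  ok markus@
+ - stevesk@cvs.openbsd.org 2001/08/30 20:36:34
+ [auth-options.c sshd.8]
+ validate ports for permitopen key file option. add host/port
+ alternative syntax for IPv6. ok markus@
 
 20010815
  - (bal) Fixed stray code in readconf.c that went in by mistake.
@@ -6389,4 +6393,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1504 2001/09/12 18:01:59 mouring Exp $
+$Id: ChangeLog,v 1.1505 2001/09/12 18:03:31 mouring Exp $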
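--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.19 2001/06/24 05:25:09 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.20 2001/08/30 20:36:34 stevesk Exp $");
 
 #include "packet.h"
 #include "xmalloc.h"
@@ -20,6 +20,7 @@ RCSID("$OpenBSD: auth-options.c,v 1.19 2001/06/24 05:25:09 markus Exp $");
 #include "channels.h"
 #include "auth-options.h"
 #include "servconf.h"
+#include "misc.h"
 
 /* Flags set authorized_keys flags */
 int no_port_forwarding_flag = 0;
@@ -213,8 +214,8 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 }
 cp = "permitopen=\"";
 if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+char host[256], sport[6];
 u_short port;
-char *c, *ep;
 char *patterns = xmalloc(strlen(opts) + 1);
 
 opts += strlen(cp);
@@ -239,28 +240,25 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 }
 patterns[i] = 0;
 opts++;
-c = strchr(patterns, ':');
-if (c == NULL) {
-debug("%.100s, line %lu: permitopen: missing colon <%.100s>",
-file, linenum, patterns);
-packet_send_debug("%.100s, line %lu: missing colon",
-file, linenum);
+if (sscanf(patterns, "%255[^:]:%5[0-9]", host, sport) != 2 &&
+sscanf(patterns, "%255[^/]/%5[0-9]", host, sport) != 2) {
+debug("%.100s, line %lu: Bad permitopen specification "
+"<%.100s>", file, linenum, patterns);
+packet_send_debug("%.100s, line %lu: "
+"Bad permitopen specification", file, linenum);
 xfree(patterns);
 goto bad_option;
 }
-*c = 0;
-c++;
-port = strtol(c, &ep, 0);
-if (c == ep) {
-debug("%.100s, line %lu: permitopen: missing port <%.100s>",
-file, linenum, patterns);
-packet_send_debug("%.100s, line %lu: missing port",
-file, linenum);
+if ((port = a2port(sport)) == 0) {
+debug("%.100s, line %lu: Bad permitopen port <%.100s>",
+file, linenum, sport);
+packet_send_debug("%.100s, line %lu: "
+"Bad permitopen port", file, linenum);
 xfree(patterns);
 goto bad_option;
 }
 if (options.allow_tcp_forwarding)
-channel_add_permitted_opens(patterns, port);
+channel_add_permitted_opens(host, port);
 xfree(patterns);
 goto next_option;
 }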
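Review bot: The two sscanf calls on new lines 243–244 never check that the whole of `patterns` was consumed, so an entry such as `host:22junk` or `a:1:22` is accepted from its prefix (host `a`, port 1) instead of being rejected, and a typo in authorized_keys silently yields a different permitted target than the administrator wrote. A `%n` conversion at the end of each format closes this: declare `int len;` next to `host`/`sport` and write `if ((sscanf(patterns, "%255[^:]:%5[0-9]%n", host, sport, &len) != 2 || patterns[len] != '\0') &&` / `(sscanf(patterns, "%255[^/]/%5[0-9]%n", host, sport, &len) != 2 || patterns[len] != '\0')) {`, leaving the error handling below unchanged. Since `sport` can hold five digits, rejection of values above 65535 rests entirely on a2port() in misc.c, which is outside this diff and presumably range-checks — worth confirming, because `port` is a u_short and a silent truncation there would again permit an unintended port. auth_parse_options begins and ends outside the hunk.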
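--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.145 2001/08/29 23:39:40 stevesk Exp $
+.\" $OpenBSD: sshd.8,v 1.146 2001/08/30 20:36:34 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -1031,7 +1031,10 @@ Prevents tty allocation (a request to allocate a pty will fail).
 Limit local
 .Li ``ssh -L''
 port forwarding such that it may only connect to the specified host and
-port. Multiple
+port.
+IPv6 addresses can be specified with an alternative syntax:
+.Ar host/port .
+Multiple
 .Cm permitopen
 options may be applied separated by commas. No pattern matching is
 performed on the specified hostnames, they must be literal domains or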