Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 87 |
1 files changed, 66 insertions, 21 deletions
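--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.309 2017/06/24 06:34:38 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.310 2017/09/12 06:32:07 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -149,7 +149,7 @@ initialize_server_options(ServerOptions *options)
 options->num_authkeys_files = 0;
 options->num_accept_env = 0;
 options->permit_tun = -1;
-options->num_permitted_opens = -1;
+options->permitted_opens = NULL;
 options->adm_forced_command = NULL;
 options->chroot_directory = NULL;
 options->authorized_keys_command = NULL;
@@ -697,6 +697,44 @@ process_queued_listen_addrs(ServerOptions *options)
 options->num_queued_listens = 0;
 }
 
+/*
+* Inform channels layer of permitopen options from configuration.
+*/
+void
+process_permitopen(struct ssh *ssh, ServerOptions *options)
+{
+u_int i;
+int port;
+char *host, *arg, *oarg;
+
+channel_clear_adm_permitted_opens(ssh);
+if (options->num_permitted_opens == 0)
+return; /* permit any */
+
+/* handle keywords: "any" / "none" */
+if (options->num_permitted_opens == 1 &&
+strcmp(options->permitted_opens[0], "any") == 0)
+return;
+if (options->num_permitted_opens == 1 &&
+strcmp(options->permitted_opens[0], "none") == 0) {
+channel_disable_adm_local_opens(ssh);
+return;
+}
+/* Otherwise treat it as a list of permitted host:port */
+for (i = 0; i < options->num_permitted_opens; i++) {
+oarg = arg = xstrdup(options->permitted_opens[i]);
+host = hpdelim(&arg);
+if (host == NULL)
+fatal("%s: missing host in PermitOpen", __func__);
+host = cleanhostname(host);
+if (arg == NULL || ((port = permitopen_port(arg)) < 0))
+fatal("%s: bad port number in PermitOpen", __func__);
+/* Send it to channels layer */
+channel_add_adm_permitted_opens(ssh, host, port);
+free(oarg);
+}
+}
+
 struct connection_info *
 get_connection_info(int populate, int use_dns)
 {
@@ -954,7 +992,7 @@ process_server_config_line(ServerOptions *options, char *line,
 const char *filename, int linenum, int *activep,
 struct connection_info *connectinfo)
 {
-char *cp, **charptr, *arg, *p;
+char *cp, **charptr, *arg, *arg2, *p;
 int cmdline = 0, *intptr, value, value2, n, port;
 SyslogFacility *log_facility_ptr;
 LogLevel *log_level_ptr;
@@ -1625,24 +1663,17 @@ process_server_config_line(ServerOptions *options, char *line,
 if (!arg || *arg == '\0')
 fatal("%s line %d: missing PermitOpen specification",
 filename, linenum);
-n = options->num_permitted_opens; /* modified later */
-if (strcmp(arg, "any") == 0) {
-if (*activep && n == -1) {
-channel_clear_adm_permitted_opens();
-options->num_permitted_opens = 0;
-}
-break;
-}
-if (strcmp(arg, "none") == 0) {
-if (*activep && n == -1) {
+i = options->num_permitted_opens; /* modified later */
+if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
+if (*activep && i == 0)
 options->num_permitted_opens = 1;
-channel_disable_adm_local_opens();
-}
+options->permitted_opens = xcalloc(1,
+sizeof(*options->permitted_opens));
+options->permitted_opens[0] = xstrdup(arg);
 break;
 }
-if (*activep && n == -1)
-channel_clear_adm_permitted_opens();
 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
+arg2 = xstrdup(arg);
 p = hpdelim(&arg);
 if (p == NULL)
 fatal("%s line %d: missing host in PermitOpen",
@@ -1651,9 +1682,16 @@ process_server_config_line(ServerOptions *options, char *line,
 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
 fatal("%s line %d: bad port number in "
 "PermitOpen", filename, linenum);
-if (*activep && n == -1)
-options->num_permitted_opens =
-channel_add_adm_permitted_opens(p, port);
+if (*activep && i == 0) {
+options->permitted_opens = xrecallocarray(
+options->permitted_opens,
+options->num_permitted_opens,
+options->num_permitted_opens + 1,
+sizeof(*options->permitted_opens));
+i = options->num_permitted_opens++;
+options->permitted_opens[i] = arg2;
+} else
+free(arg2);
 }
 break;
 
@@ -2352,5 +2390,12 @@ dump_config(ServerOptions *o)
 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
 o->rekey_interval);
 
-channel_print_adm_permitted_opens();
+printf("permitopen");
+if (o->num_permitted_opens == 0)
+printf(" any");
+else {
+for (i = 0; i < o->num_permitted_opens; i++)
+printf(" %s", o->permitted_opens[i]);
+}
+printf("\n");
 }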
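Review bot: In the hunk at new lines 1663-1677, `if (*activep && i == 0)` at 1668 is shown without braces, so only `options->num_permitted_opens = 1;` is conditional and the `xcalloc`/`xstrdup` at 1670-1672 run on every `PermitOpen any`/`none` directive, including one inside a Match block that does not apply (`*activep` false) or one that follows an earlier list (`i != 0`). In those cases the existing `permitted_opens` array is leaked and replaced by a one-element array while `num_permitted_opens` keeps its previous count, so the new `process_permitopen` in the 697 hunk can later index past the end of that array, and a non-applying Match block silently overrides the global setting. The host:port branch at 1685 does brace its block correctly, so this looks like an omission rather than intent; if the brace was dropped by the rendering it is worth confirming against the raw patch. Proposed fix: `if (*activep && i == 0) {` before 1669 and a closing `}` after 1672, mirroring the 1685-1693 block. process_server_config_line starts and ends outside these hunks.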