Diffstat (limited to 'serverloop.c')
-rw-r--r-- | serverloop.c | 33 |
1 files changed, 18 insertions, 15 deletions
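--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.204 2018/02/11 21:16:56 dtucker Exp $ */
+/* $OpenBSD: serverloop.c,v 1.205 2018/03/03 03:15:51 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -82,6 +82,7 @@ extern ServerOptions options;
 
 /* XXX */
 extern Authctxt *the_authctxt;
+extern struct sshauthopt *auth_opts;
 extern int use_privsep;
 
 static int no_more_sessions = 0; /* Disallow further sessions. */
@@ -456,12 +457,13 @@ server_request_direct_tcpip(struct ssh *ssh, int *reason, const char **errmsg)
 originator_port = packet_get_int();
 packet_check_eom();
 
-debug("server_request_direct_tcpip: originator %s port %d, target %s "
-"port %d", originator, originator_port, target, target_port);
+debug("%s: originator %s port %d, target %s port %d", __func__,
+originator, originator_port, target, target_port);
 
 /* XXX fine grained permissions */
 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
-!no_port_forwarding_flag && !options.disable_forwarding) {
+auth_opts->permit_port_forwarding_flag &&
+!options.disable_forwarding) {
 c = channel_connect_to_port(ssh, target, target_port,
 "direct-tcpip", "direct-tcpip", reason, errmsg);
 } else {
@@ -487,20 +489,20 @@ server_request_direct_streamlocal(struct ssh *ssh)
 struct passwd *pw = the_authctxt->pw;
 
 if (pw == NULL || !the_authctxt->valid)
-fatal("server_input_global_request: no/invalid user");
+fatal("%s: no/invalid user", __func__);
 
 target = packet_get_string(NULL);
 originator = packet_get_string(NULL);
 originator_port = packet_get_int();
 packet_check_eom();
 
-debug("server_request_direct_streamlocal: originator %s port %d, target %s",
+debug("%s: originator %s port %d, target %s", __func__,
 originator, originator_port, target);
 
 /* XXX fine grained permissions */
 if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
-!no_port_forwarding_flag && !options.disable_forwarding &&
-(pw->pw_uid == 0 || use_privsep)) {
+auth_opts->permit_port_forwarding_flag &&
+!options.disable_forwarding && (pw->pw_uid == 0 || use_privsep)) {
 c = channel_connect_to_path(ssh, target,
 "direct-streamlocal@openssh.com", "direct-streamlocal");
 } else {
@@ -519,8 +521,7 @@ static Channel *
 server_request_tun(struct ssh *ssh)
 {
 Channel *c = NULL;
-int mode, tun;
-int sock;
+int mode, tun, sock;
 char *tmp, *ifname = NULL;
 
 mode = packet_get_int();
@@ -539,10 +540,10 @@ server_request_tun(struct ssh *ssh)
 }
 
 tun = packet_get_int();
-if (forced_tun_device != -1) {
-if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
+if (auth_opts->force_tun_device != -1) {
+if (tun != SSH_TUNID_ANY && auth_opts->force_tun_device != tun)
 goto done;
-tun = forced_tun_device;
+tun = auth_opts->force_tun_device;
 }
 sock = tun_open(tun, mode, &ifname);
 if (sock < 0)
@@ -767,7 +768,8 @@ server_input_global_request(int type, u_int32_t seq, struct ssh *ssh)
 
 /* check permissions */
 if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
-no_port_forwarding_flag || options.disable_forwarding ||
+!auth_opts->permit_port_forwarding_flag ||
+options.disable_forwarding ||
 (!want_reply && fwd.listen_port == 0) ||
 (fwd.listen_port != 0 &&
 !bind_permitted(fwd.listen_port, pw->pw_uid))) {
@@ -805,7 +807,8 @@ server_input_global_request(int type, u_int32_t seq, struct ssh *ssh)
 
 /* check permissions */
 if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
-|| no_port_forwarding_flag || options.disable_forwarding ||
+|| !auth_opts->permit_port_forwarding_flag ||
+options.disable_forwarding ||
 (pw->pw_uid != 0 && !use_privsep)) {
 success = 0;
 packet_send_debug("Server has disabled "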
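Review bot: The new permission checks in server_request_direct_tcpip, server_request_direct_streamlocal, server_request_tun and server_input_global_request dereference the file-scope pointer `auth_opts` with no guard, and nothing in this file section shows where it is assigned or that it is non-NULL by the time a channel or global request is handled. If it is populated only on the authentication path, as the name suggests, the handlers are safe, but that precondition is invisible here; the streamlocal hunk already treats a missing `the_authctxt->pw` as fatal, and the same explicitness would help for the options pointer, e.g. `if (auth_opts == NULL) fatal("%s: no authentication options", __func__);` before the first use in each handler. The change also flips the flag from a deny-bit to a permit-bit (`!no_port_forwarding_flag` becomes `auth_opts->permit_port_forwarding_flag`), so a zero-initialised sshauthopt would refuse forwarding, which is the fail-closed direction; a one-line comment on the `extern` stating that the zero value must mean deny would pin that down for future maintainers. All four enclosing functions start and end outside their hunks.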