Diffstat (limited to 'serverloop.c')
-rw-r--r-- | serverloop.c | 109 |
1 files changed, 85 insertions, 24 deletions
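--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.170 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.172 2014/07/15 15:54:14 millert Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -61,6 +61,7 @@
 #include "packet.h"
 #include "buffer.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "canohost.h"
 #include "sshpty.h"
@@ -77,7 +78,6 @@
 #include "dispatch.h"
 #include "auth-options.h"
 #include "serverloop.h"
-#include "misc.h"
 #include "roaming.h"
 
 extern ServerOptions options;
@@ -970,7 +970,7 @@ server_request_direct_tcpip(void)
 /* XXX fine grained permissions */
 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
 !no_port_forwarding_flag) {
-c = channel_connect_to(target, target_port,
+c = channel_connect_to_port(target, target_port,
 "direct-tcpip", "direct-tcpip");
 } else {
 logit("refused local port forward: "
@@ -985,6 +985,38 @@ server_request_direct_tcpip(void)
 }
 
 static Channel *
+server_request_direct_streamlocal(void)
+{
+Channel *c = NULL;
+char *target, *originator;
+u_short originator_port;
+
+target = packet_get_string(NULL);
+originator = packet_get_string(NULL);
+originator_port = packet_get_int();
+packet_check_eom();
+
+debug("server_request_direct_streamlocal: originator %s port %d, target %s",
+originator, originator_port, target);
+
+/* XXX fine grained permissions */
+if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+!no_port_forwarding_flag) {
+c = channel_connect_to_path(target,
+"direct-streamlocal@openssh.com", "direct-streamlocal");
+} else {
+logit("refused streamlocal port forward: "
+"originator %s port %d, target %s",
+originator, originator_port, target);
+}
+
+free(originator);
+free(target);
+
+return c;
+}
+
+static Channel *
 server_request_tun(void)
 {
 Channel *c = NULL;
@@ -1081,6 +1113,8 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
 c = server_request_session();
 } else if (strcmp(ctype, "direct-tcpip") == 0) {
 c = server_request_direct_tcpip();
+} else if (strcmp(ctype, "direct-streamlocal@openssh.com") == 0) {
+c = server_request_direct_streamlocal();
 } else if (strcmp(ctype, "tun@openssh.com") == 0) {
 c = server_request_tun();
 }
@@ -1125,47 +1159,74 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
 /* -R style forwarding */
 if (strcmp(rtype, "tcpip-forward") == 0) {
 struct passwd *pw;
-char *listen_address;
-u_short listen_port;
+struct Forward fwd;
 
 pw = the_authctxt->pw;
 if (pw == NULL || !the_authctxt->valid)
 fatal("server_input_global_request: no/invalid user");
-listen_address = packet_get_string(NULL);
-listen_port = (u_short)packet_get_int();
+memset(&fwd, 0, sizeof(fwd));
+fwd.listen_host = packet_get_string(NULL);
+fwd.listen_port = (u_short)packet_get_int();
 debug("server_input_global_request: tcpip-forward listen %s port %d",
-listen_address, listen_port);
+fwd.listen_host, fwd.listen_port);
 
 /* check permissions */
 if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
 no_port_forwarding_flag ||
-(!want_reply && listen_port == 0)
+(!want_reply && fwd.listen_port == 0)
 #ifndef NO_IPPORT_RESERVED_CONCEPT
-|| (listen_port != 0 && listen_port < IPPORT_RESERVED &&
+|| (fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED &&
 pw->pw_uid != 0)
 #endif
 ) {
 success = 0;
 packet_send_debug("Server has disabled port forwarding.");
 } else {
 /* Start listening on the port */
-success = channel_setup_remote_fwd_listener(
-listen_address, listen_port,
-&allocated_listen_port, options.gateway_ports);
+success = channel_setup_remote_fwd_listener(&fwd,
+&allocated_listen_port, &options.fwd_opts);
 }
-free(listen_address);
+free(fwd.listen_host);
 } else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {
-char *cancel_address;
-u_short cancel_port;
+struct Forward fwd;
 
-cancel_address = packet_get_string(NULL);
-cancel_port = (u_short)packet_get_int();
+memset(&fwd, 0, sizeof(fwd));
+fwd.listen_host = packet_get_string(NULL);
+fwd.listen_port = (u_short)packet_get_int();
 debug("%s: cancel-tcpip-forward addr %s port %d", __func__,
-cancel_address, cancel_port);
+fwd.listen_host, fwd.listen_port);
+
+success = channel_cancel_rport_listener(&fwd);
+free(fwd.listen_host);
+} else if (strcmp(rtype, "streamlocal-forward@openssh.com") == 0) {
+struct Forward fwd;
+
+memset(&fwd, 0, sizeof(fwd));
+fwd.listen_path = packet_get_string(NULL);
+debug("server_input_global_request: streamlocal-forward listen path %s",
+fwd.listen_path);
+
+/* check permissions */
+if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+|| no_port_forwarding_flag) {
+success = 0;
+packet_send_debug("Server has disabled port forwarding.");
+} else {
+/* Start listening on the socket */
+success = channel_setup_remote_fwd_listener(
+&fwd, NULL, &options.fwd_opts);
+}
+free(fwd.listen_path);
+} else if (strcmp(rtype, "cancel-streamlocal-forward@openssh.com") == 0) {
+struct Forward fwd;
+
+memset(&fwd, 0, sizeof(fwd));
+fwd.listen_path = packet_get_string(NULL);
+debug("%s: cancel-streamlocal-forward path %s", __func__,
+fwd.listen_path);
 
-success = channel_cancel_rport_listener(cancel_address,
-cancel_port);
-free(cancel_address);
+success = channel_cancel_rport_listener(&fwd);
+free(fwd.listen_path);
 } else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) {
 no_more_sessions = 1;
 success = 1;
@@ -1204,7 +1265,7 @@ server_input_channel_req(int type, u_int32_t seq, void *ctxt)
 } else if ((c->type == SSH_CHANNEL_LARVAL ||
 c->type == SSH_CHANNEL_OPEN) && strcmp(c->ctype, "session") == 0)
 success = session_input_channel_req(c, rtype);
-if (reply) {
+if (reply && !(c->flags & CHAN_CLOSE_SENT)) {
 packet_start(success ?
 SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
 packet_put_int(c->remote_id);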