From aa5b3f831417bac9538d2b6f21d55fef278e8926 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 3 Dec 2012 09:50:54 +1100 Subject: - djm@cvs.openbsd.org 2012/12/02 20:46:11 [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c] [sshd_config.5] make AllowTcpForwarding accept "local" and "remote" in addition to its current "yes"/"no" to allow the server to specify whether just local or remote TCP forwarding is enabled. ok markus@ --- serverloop.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) (limited to 'serverloop.c') diff --git a/serverloop.c b/serverloop.c index 741c5befb..14e60c6dc 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.162 2012/06/20 04:42:58 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.163 2012/12/02 20:46:11 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -950,7 +950,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt) static Channel * server_request_direct_tcpip(void) { - Channel *c; + Channel *c = NULL; char *target, *originator; u_short target_port, originator_port; @@ -963,9 +963,16 @@ server_request_direct_tcpip(void) debug("server_request_direct_tcpip: originator %s port %d, target %s " "port %d", originator, originator_port, target, target_port); - /* XXX check permission */ - c = channel_connect_to(target, target_port, - "direct-tcpip", "direct-tcpip"); + /* XXX fine grained permissions */ + if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 && + !no_port_forwarding_flag) { + c = channel_connect_to(target, target_port, + "direct-tcpip", "direct-tcpip"); + } else { + logit("refused local port forward: " + "originator %s port %d, target %s port %d", + originator, originator_port, target, target_port); + } xfree(originator); xfree(target); @@ -1126,7 +1133,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) listen_address, listen_port); /* check permissions */ - if (!options.allow_tcp_forwarding || + if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 || no_port_forwarding_flag || (!want_reply && listen_port == 0) #ifndef NO_IPPORT_RESERVED_CONCEPT -- cgit v1.2.3 From 3e1027cd1fff4b3b6320f186ccc69efe06a50466 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 7 Dec 2012 13:07:46 +1100 Subject: - dtucker@cvs.openbsd.org 2012/12/07 01:51:35 [serverloop.c] Cast signal to int for logging. A no-op on openbsd (they're always ints) but will prevent warnings in portable. ok djm@ --- ChangeLog | 4 ++++ serverloop.c | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'serverloop.c') diff --git a/ChangeLog b/ChangeLog index 7a3f272e1..85f251ce5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,10 @@ - markus@cvs.openbsd.org 2012/12/05 15:42:52 [ssh-add.c] prevent double-free of comment; ok djm@ + - dtucker@cvs.openbsd.org 2012/12/07 01:51:35 + [serverloop.c] + Cast signal to int for logging. A no-op on openbsd (they're always ints) + but will prevent warnings in portable. ok djm@ 20121205 - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@. diff --git a/serverloop.c b/serverloop.c index 14e60c6dc..e224bd08a 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.163 2012/12/02 20:46:11 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.164 2012/12/07 01:51:35 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -708,7 +708,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) &nalloc, max_time_milliseconds); if (received_sigterm) { - logit("Exiting on signal %d", received_sigterm); + logit("Exiting on signal %d", (int)received_sigterm); /* Clean up sessions, utmp, etc. */ cleanup_exit(255); } @@ -858,7 +858,7 @@ server_loop2(Authctxt *authctxt) &nalloc, 0); if (received_sigterm) { - logit("Exiting on signal %d", received_sigterm); + logit("Exiting on signal %d", (int)received_sigterm); /* Clean up sessions, utmp, etc. */ cleanup_exit(255); } -- cgit v1.2.3