From 115063a6647007286cc8ca70abfd2a7585f26ccc Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" 
Date: Wed, 6 Jun 2018 18:22:41 +0000
Subject: upstream: Add a PermitListen directive to control which server-side addresses may be listened on when the client requests remote forwarding (ssh -R).

This is the converse of the existing PermitOpen directive and this includes some refactoring to share much of its implementation.

feedback and ok markus@

OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
---
 session.c | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

(limited to 'session.c')

diff --git a/session.c b/session.c
index 5ceebff51..3a3fd841a 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.295 2018/06/01 03:33:53 djm Exp $ */
+/* $OpenBSD: session.c,v 1.296 2018/06/06 18:22:41 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -298,7 +298,7 @@ set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
 if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
 return;
- channel_clear_permitted_opens(ssh);
+ channel_clear_permission(ssh, FORWARD_USER, FORWARD_LOCAL);
 for (i = 0; i < auth_opts->npermitopen; i++) {
 tmp = cp = xstrdup(auth_opts->permitopen[i]);
 /* This shouldn't fail as it has already been checked */
@@ -308,7 +308,8 @@ set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
 if (cp == NULL || (port = permitopen_port(cp)) < 0)
 fatal("%s: internal error: permitopen port",
 __func__);
- channel_add_permitted_opens(ssh, host, port);
+ channel_add_permission(ssh, FORWARD_USER, FORWARD_LOCAL,
+ host, port);
 free(tmp);
 }
 }
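Review bot: In the hunk at @@ -298 the loop iterates `auth_opts->npermitopen` and reads `auth_opts->permitopen[i]`, while the function signature in the hunk header declares a parameter named `opts`; as far as this hunk shows, `opts` is never used and the body reads what appears to be a file-scope `auth_opts` instead, so the parameter is misleading and a future caller passing a different options struct would silently be ignored. Either use the parameter consistently, `for (i = 0; i < opts->npermitopen; i++) {` and `tmp = cp = xstrdup(opts->permitopen[i]);`, or drop it from the signature. The refactoring also hard-codes `FORWARD_USER, FORWARD_LOCAL` in both the clear and the add call (hunk @@ -308 as well), which is correct for permitopen but deserves a comment above the function saying that only the key's local-forward (permitopen) allow-list is installed here and the remote-forward (FORWARD_REMOTE) list is not touched. The enclosing function starts before the hunk.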
@@ -323,13 +324,21 @@ do_authenticated(struct ssh *ssh, Authctxt *authctxt)
 /* setup the channel layer */
 /* XXX - streamlocal? */
 set_permitopen_from_authopts(ssh, auth_opts);
- if (!auth_opts->permit_port_forwarding_flag ||
- options.disable_forwarding ||
- (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
- channel_disable_adm_local_opens(ssh);
- else
- channel_permit_all_opens(ssh);
+ if (!auth_opts->permit_port_forwarding_flag ||
+ options.disable_forwarding) {
+ channel_disable_admin(ssh, FORWARD_LOCAL);
+ channel_disable_admin(ssh, FORWARD_REMOTE);
+ } else {
+ if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+ channel_disable_admin(ssh, FORWARD_LOCAL);
+ else
+ channel_permit_all(ssh, FORWARD_LOCAL);
+ if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0)
+ channel_disable_admin(ssh, FORWARD_REMOTE);
+ else
+ channel_permit_all(ssh, FORWARD_REMOTE);
+ }
 auth_debug_send();
 prepare_auth_info_file(authctxt->pw, authctxt->session_info);
-- cgit v1.2.3
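Review bot: The new `else` branch calls `channel_permit_all(ssh, FORWARD_REMOTE)` whenever AllowTcpForwarding includes the remote direction, and nothing in this hunk shows how that interacts with an administrator-configured PermitListen list for the same direction; if `channel_permit_all` overrides or clears the admin list rather than only applying when no list was configured, the new directive would be ineffective for exactly the case it was added for, so this deserves a check against the channels.c side of the commit (not visible here). The policy precedence the block implements is also not stated anywhere; a short comment above the `if` would help, e.g. `/* Per-key permit-port-forwarding and DisableForwarding override AllowTcpForwarding; otherwise each direction is allowed or refused on its own. */`. Since the two per-direction sub-blocks are identical apart from the flag, they could be folded into a loop over `FORWARD_LOCAL` and `FORWARD_REMOTE`, but that is a style preference rather than a defect. do_authenticated begins and ends outside the hunk.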