authorMarkus Friedl <markus@cvs.openbsd.org>2000-05-03 18:03:08 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2000-05-03 18:03:08 +0000
commit2252dc654f797ee5906e4b1b49fa63171edda3cf (patch)
tree9f497f7c424a13379fb642d29baa60a330e37f3b /usr.bin/ssh
parent21013a86e57aa529031480e356a3ffc47f1472c3 (diff)
GatewayPorts for sshd, ok deraadt@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/channels.c7
-rw-r--r--usr.bin/ssh/channels.h4
-rw-r--r--usr.bin/ssh/servconf.c13
-rw-r--r--usr.bin/ssh/servconf.h3
-rw-r--r--usr.bin/ssh/session.c4
-rw-r--r--usr.bin/ssh/sshd.811
6 files changed, 30 insertions, 12 deletions
diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c
index 942b62e2125..38e5d8d703e 100644
--- a/usr.bin/ssh/channels.c
+++ b/usr.bin/ssh/channels.c
@@ -17,7 +17,7 @@
*/
#include "includes.h"
-RCSID("$Id: channels.c,v 1.55 2000/05/02 19:33:12 markus Exp $");
+RCSID("$Id: channels.c,v 1.56 2000/05/03 18:03:06 markus Exp $");
#include "ssh.h"
#include "packet.h"
@@ -1552,7 +1552,7 @@ channel_request_remote_forwarding(u_short listen_port, const char *host_to_conne
*/
void
-channel_input_port_forward_request(int is_root)
+channel_input_port_forward_request(int is_root, int gateway_ports)
{
u_short port, host_port;
char *hostname;
@@ -1571,9 +1571,8 @@ channel_input_port_forward_request(int is_root)
port);
/*
* Initiate forwarding,
- * bind port to localhost only (gateway ports == 0).
*/
- channel_request_local_forwarding(port, hostname, host_port, 0);
+ channel_request_local_forwarding(port, hostname, host_port, gateway_ports);
/* Free the argument string. */
xfree(hostname);
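Review bot: Removing the second comment line leaves the block above the `channel_request_local_forwarding` call as the fragment `* Initiate forwarding,` with a trailing comma, and the comment no longer says what the fourth argument controls. The removed text recorded that a zero value bound the listening port to localhost only, and that is still the meaning now that `gateway_ports` is passed through instead of the constant; suggest `* Initiate forwarding; gateway_ports == 0 binds the listening port to localhost only, non-zero lets remote hosts connect to it.` The body of channel_input_port_forward_request begins and ends outside this hunk.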
diff --git a/usr.bin/ssh/channels.h b/usr.bin/ssh/channels.h
index 7816752e835..24ae2b8288f 100644
--- a/usr.bin/ssh/channels.h
+++ b/usr.bin/ssh/channels.h
@@ -1,4 +1,4 @@
-/* RCSID("$Id: channels.h,v 1.11 2000/05/02 12:44:38 markus Exp $"); */
+/* RCSID("$Id: channels.h,v 1.12 2000/05/03 18:03:06 markus Exp $"); */
#ifndef CHANNELS_H
#define CHANNELS_H
@@ -175,7 +175,7 @@ void channel_permit_all_opens(void);
* listening for the port, and sends back a success reply (or disconnect
* message if there was an error). This never returns if there was an error.
*/
-void channel_input_port_forward_request(int is_root);
+void channel_input_port_forward_request(int is_root, int gateway_ports);
/*
* Creates a port for X11 connections, and starts listening for it. Returns
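Review bot: The prototype gains an `int gateway_ports` parameter but the comment block that ends at the `*/` line of this hunk does not mention it, so a reader of the header has to open channels.c to learn what the flag means. Suggest appending a sentence such as `If gateway_ports is zero the listening port is bound to localhost only; otherwise remote hosts may connect to it.`, which is the behaviour the comment removed from channels.c in this same commit documented for the zero case.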
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 5fadc0cc048..0787c2c1c63 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$Id: servconf.c,v 1.37 2000/05/03 10:21:47 markus Exp $");
+RCSID("$Id: servconf.c,v 1.38 2000/05/03 18:03:06 markus Exp $");
#include "ssh.h"
#include "servconf.h"
@@ -72,6 +72,7 @@ initialize_server_options(ServerOptions *options)
options->num_deny_groups = 0;
options->ciphers = NULL;
options->protocol = SSH_PROTO_UNKNOWN;
+ options->gateway_ports = -1;
}
void
@@ -147,6 +148,8 @@ fill_default_server_options(ServerOptions *options)
options->use_login = 0;
if (options->protocol == SSH_PROTO_UNKNOWN)
options->protocol = SSH_PROTO_1|SSH_PROTO_2;
+ if (options->gateway_ports == -1)
+ options->gateway_ports = 0;
}
#define WHITESPACE " \t\r\n"
@@ -170,7 +173,8 @@ typedef enum {
sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
- sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile
+ sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
+ sGatewayPorts
} ServerOpCodes;
/* Textual representation of the tokens. */
@@ -222,6 +226,7 @@ static struct {
{ "denygroups", sDenyGroups },
{ "ciphers", sCiphers },
{ "protocol", sProtocol },
+ { "gatewayports", sGatewayPorts },
{ NULL, 0 }
};
@@ -511,6 +516,10 @@ parse_flag:
intptr = &options->use_login;
goto parse_flag;
+ case sGatewayPorts:
+ intptr = &options->gateway_ports;
+ goto parse_flag;
+
case sLogFacility:
intptr = (int *) &options->log_facility;
cp = strtok(NULL, WHITESPACE);
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index 7d074e6a2c0..91928114e55 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -13,7 +13,7 @@
*
*/
-/* RCSID("$Id: servconf.h,v 1.20 2000/05/03 10:21:48 markus Exp $"); */
+/* RCSID("$Id: servconf.h,v 1.21 2000/05/03 18:03:07 markus Exp $"); */
#ifndef SERVCONF_H
#define SERVCONF_H
@@ -51,6 +51,7 @@ typedef struct {
int keepalives; /* If true, set SO_KEEPALIVE. */
char *ciphers; /* Ciphers in order of preference. */
int protocol; /* Protocol in order of preference. */
+ int gateway_ports; /* If true, allow remote connects to forwarded ports. */
SyslogFacility log_facility; /* Facility for system logging. */
LogLevel log_level; /* Level for system logging. */
int rhosts_authentication; /* If true, permit rhosts
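Review bot: The new field's comment, `If true, allow remote connects to forwarded ports.`, would serve readers better if it also recorded the fail-safe default, since this is the option that decides whether a client-requested forwarded listener is reachable from other hosts. Suggest `int gateway_ports; /* If true, remote hosts may connect to ports forwarded for the client; default off (localhost only). */`, which matches the `-1` sentinel resolved to `0` in fill_default_server_options in servconf.c in this commit.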
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index 347eb8622be..53d20c59cf2 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -8,7 +8,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.11 2000/05/02 12:44:38 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.12 2000/05/03 18:03:07 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
@@ -310,7 +310,7 @@ do_authenticated(struct passwd * pw)
break;
}
debug("Received TCP/IP port forwarding request.");
- channel_input_port_forward_request(pw->pw_uid == 0);
+ channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports);
success = 1;
break;
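Review bot: The server's GatewayPorts setting is wired in only at this call in do_authenticated, the protocol-1 port-forwarding request path. If a protocol-2 remote-forwarding request is, or later becomes, handled in another function, it should consult `options.gateway_ports` in the same way so the localhost-only default cannot be sidestepped by choosing the other protocol version; from this hunk alone I cannot tell whether such a path exists yet. The enclosing switch and do_authenticated itself extend beyond the hunk.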
diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index 41d58989aa0..33eb8789bac 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
-.\" $Id: sshd.8,v 1.46 2000/05/03 10:21:49 markus Exp $
+.\" $Id: sshd.8,v 1.47 2000/05/03 18:03:07 markus Exp $
.\"
.Dd September 25, 1999
.Dt SSHD 8
@@ -280,6 +280,15 @@ and
can be used as wildcards in the patterns.
Only user names are valid, a numerical user ID isn't recognized.
By default login is allowed regardless of the user name.
+.It Cm GatewayPorts
+Specifies whether remote hosts are allowed to connect to ports
+forwarded for the client.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
.It Cm HostDsaKey
Specifies the file containing the private DSA host key (default
.Pa /etc/ssh_host_dsa_key )