authorMarkus Friedl <markus@cvs.openbsd.org>2000-10-14 12:12:10 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2000-10-14 12:12:10 +0000
commitca6c47a7df7f76f88248ca4ba7ad40cefb8d224c (patch)
treed58b0f39e4275f4f8298a40b2626bfd859895e5f /usr.bin/ssh
parent8bd84c5af790496c6b717c9e99daa9d0538088c5 (diff)
AllowTcpForwarding; from naddy@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/servconf.c13
-rw-r--r--usr.bin/ssh/servconf.h3
-rw-r--r--usr.bin/ssh/serverloop.c4
-rw-r--r--usr.bin/ssh/session.c8
-rw-r--r--usr.bin/ssh/sshd.88
5 files changed, 30 insertions, 6 deletions
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index e90defe61e5..76702a83612 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -10,7 +10,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.52 2000/10/11 20:14:39 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.53 2000/10/14 12:12:09 markus Exp $");
#include "ssh.h"
#include "servconf.h"
@@ -67,6 +67,7 @@ initialize_server_options(ServerOptions *options)
#endif
options->permit_empty_passwd = -1;
options->use_login = -1;
+ options->allow_tcp_forwarding = -1;
options->num_allow_users = 0;
options->num_deny_users = 0;
options->num_allow_groups = 0;
@@ -159,6 +160,8 @@ fill_default_server_options(ServerOptions *options)
options->permit_empty_passwd = 0;
if (options->use_login == -1)
options->use_login = 0;
+ if (options->allow_tcp_forwarding == -1)
+ options->allow_tcp_forwarding = 1;
if (options->protocol == SSH_PROTO_UNKNOWN)
options->protocol = SSH_PROTO_1|SSH_PROTO_2;
if (options->gateway_ports == -1)
@@ -189,7 +192,8 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
- sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+ sUseLogin, sAllowTcpForwarding,
+ sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups
} ServerOpCodes;
@@ -240,6 +244,7 @@ static struct {
{ "uselogin", sUseLogin },
{ "randomseed", sRandomSeedFile },
{ "keepalive", sKeepAlives },
+ { "allowtcpforwarding", sAllowTcpForwarding },
{ "allowusers", sAllowUsers },
{ "denyusers", sDenyUsers },
{ "allowgroups", sAllowGroups },
@@ -573,6 +578,10 @@ parse_flag:
*intptr = (LogLevel) value;
break;
+ case sAllowTcpForwarding:
+ intptr = &options->allow_tcp_forwarding;
+ goto parse_flag;
+
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index ef0790c7beb..0188b9b893c 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -11,7 +11,7 @@
* called by a name other than "ssh" or "Secure Shell".
*/
-/* RCSID("$OpenBSD: servconf.h,v 1.29 2000/10/11 20:14:39 markus Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.30 2000/10/14 12:12:09 markus Exp $"); */
#ifndef SERVCONF_H
#define SERVCONF_H
@@ -86,6 +86,7 @@ typedef struct {
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
int use_login; /* If true, login(1) is used */
+ int allow_tcp_forwarding;
unsigned int num_allow_users;
char *allow_users[MAX_ALLOW_USERS];
unsigned int num_deny_users;
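Review bot: The new `allow_tcp_forwarding` member is the only field in this hunk without a trailing comment, while its neighbours spell out their boolean sense (`/* If true, login(1) is used */`). Since serverloop.c and session.c test `!options.allow_tcp_forwarding` to refuse forwarding, and the value is a tri-state (-1 until fill_default_server_options() sets it to 1), document it as `int allow_tcp_forwarding;	/* If false, refuse TCP port forwarding (-1 = unset) */`. The enclosing struct definition starts and ends outside the hunk.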
diff --git a/usr.bin/ssh/serverloop.c b/usr.bin/ssh/serverloop.c
index 97e01754256..7ba4832191d 100644
--- a/usr.bin/ssh/serverloop.c
+++ b/usr.bin/ssh/serverloop.c
@@ -49,6 +49,8 @@
#include "dispatch.h"
#include "auth-options.h"
+extern ServerOptions options;
+
static Buffer stdin_buffer; /* Buffer for stdin data. */
static Buffer stdout_buffer; /* Buffer for stdout data. */
static Buffer stderr_buffer; /* Buffer for stderr data. */
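Review bot: `extern ServerOptions options;` is added as a per-file declaration in serverloop.c, the same thing session.c must already carry to reach `options.gateway_ports`; as a point of style, one `extern ServerOptions options;` in servconf.h next to the ServerOptions typedef would keep the declaration and its type together instead of repeating it in each consumer. Where the object itself is defined (presumably sshd.c) is outside this diff, so this is a suggestion rather than a defect.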
@@ -733,7 +735,7 @@ input_direct_tcpip(void)
originator, originator_port, target, target_port);
/* XXX check permission */
- if (no_port_forwarding_flag) {
+ if (no_port_forwarding_flag || !options.allow_tcp_forwarding) {
xfree(target);
xfree(originator);
return -1;
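Review bot: The refusal at `if (no_port_forwarding_flag || !options.allow_tcp_forwarding)` returns -1 silently, so an operator who set AllowTcpForwarding no gets no record of clients that attempt direct-tcpip opens, whereas the SSH1 path in session.c at least emits a debug() for the same condition. Add a log line before the two xfree() calls, e.g. `verbose("Refused direct-tcpip request from %s port %d to %s port %d.", originator, originator_port, target, target_port);` (debug() if verbose() is not available here), since those four values are already in scope for the debug() on the preceding line. The `/* XXX check permission */` marker above the check still stands, which reads as if per-target permission checking is still missing; if that is deliberate, say so in the comment so the next reader does not assume this hunk closed it. input_direct_tcpip() begins and ends outside this hunk.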
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index 4e83f2bcf1c..df8809d7ac8 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -33,7 +33,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.38 2000/10/11 20:27:23 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.39 2000/10/14 12:12:09 markus Exp $");
#include "xmalloc.h"
#include "ssh.h"
@@ -196,7 +196,7 @@ do_authenticated(struct passwd * pw)
* by the client telling us, so we can equally well trust the client
* not to request anything bogus.)
*/
- if (!no_port_forwarding_flag)
+ if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
channel_permit_all_opens();
s = session_new();
@@ -348,6 +348,10 @@ do_authenticated(struct passwd * pw)
debug("Port forwarding not permitted for this authentication.");
break;
}
+ if (!options.allow_tcp_forwarding) {
+ debug("Port forwarding not permitted.");
+ break;
+ }
debug("Received TCP/IP port forwarding request.");
channel_input_port_forward_request(pw->pw_uid == 0, options.gateway_ports);
success = 1;
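Review bot: The server-wide refusal added here is reported only at debug() level, which is not visible under the default LogLevel, so disabling forwarding in sshd_config leaves no audit trail of clients that still request it. Raising it to `verbose("Port forwarding not permitted by configuration.")` (or log() with the user name) also distinguishes it from the per-key "not permitted for this authentication" message just above. Breaking out before channel_input_port_forward_request() mirrors the existing no_port_forwarding_flag branch, so the failure reply presumably comes from `success` staying 0 in code outside this hunk; do_authenticated() starts and ends outside the hunk.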
diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index 1f9ba951a63..814143d7343 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -303,6 +303,14 @@ wildcards in the patterns.
Only group names are valid; a numerical group ID isn't recognized.
By default login is allowed regardless of the primary group.
.Pp
+.It Cm AllowTcpForwarding
+Specifies whether TCP forwarding is permitted.
+The default is
+.Dq yes .
+Note that disabling TCP forwarding does not improve security unless
+users are also denied shell access, as they can always install their
+own forwarders.
+.Pp
.It Cm AllowUsers
This keyword can be followed by a number of user names, separated
by spaces.