authorTheo de Raadt <deraadt@cvs.openbsd.org>1999-09-29 00:10:17 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>1999-09-29 00:10:17 +0000
commit3e8d9a9fc2889da683c895f3899e2525790732f4 (patch)
tree7e535f0d66bbd2982dbe572c237d26f12e5ef575 /usr.bin/ssh
parent850f6b3786d2257a98d73cd44a65cc78a3fba011 (diff)
GatewayPorts and ssh -g; markus.friedl@informatik.uni-erlangen.de
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/channels.c10
-rw-r--r--usr.bin/ssh/readconf.c12
-rw-r--r--usr.bin/ssh/readconf.h3
-rw-r--r--usr.bin/ssh/servconf.c4
-rw-r--r--usr.bin/ssh/ssh.115
-rw-r--r--usr.bin/ssh/ssh.c7
6 files changed, 40 insertions, 11 deletions
diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c
index 18bb8a8e686..a990bbd1088 100644
--- a/usr.bin/ssh/channels.c
+++ b/usr.bin/ssh/channels.c
@@ -16,7 +16,7 @@ arbitrary tcp/ip connections, and the authentication agent connection.
*/
#include "includes.h"
-RCSID("$Id: channels.c,v 1.3 1999/09/28 07:56:47 deraadt Exp $");
+RCSID("$Id: channels.c,v 1.4 1999/09/29 00:10:16 deraadt Exp $");
#ifndef HAVE_GETHOSTNAME
#include <sys/utsname.h>
@@ -829,6 +829,7 @@ void channel_request_local_forwarding(int port, const char *host,
{
int ch, sock;
struct sockaddr_in sin;
+ extern Options options;
if (strlen(host) > sizeof(channels[0].path) - 1)
packet_disconnect("Forward host name too long.");
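Review bot: The function-scope `extern Options options;` makes this channel code read the client's global configuration object directly instead of receiving the setting from its caller. If channels.c is also linked into the server, which this commit suggests has its own `ServerOptions` type (see servconf.c), the name `options` could resolve to an object of a different type, and the `options.gateway_ports` test in the next hunk would then pick the bind address from an unrelated field; this is an inference, because the server's globals are not visible on this page. Adding an `int gateway_ports` parameter to channel_request_local_forwarding() and passing `options.gateway_ports` from the client call site would keep the exposure decision explicit per caller. The function body continues outside this hunk.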
@@ -841,7 +842,10 @@ void channel_request_local_forwarding(int port, const char *host,
/* Initialize socket address. */
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = INADDR_ANY;
+ if (options.gateway_ports == 1)
+ sin.sin_addr.s_addr = htonl(INADDR_ANY);
+ else
+ sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
sin.sin_port = htons(port);
/* Bind the socket to the address. */
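Review bot: The new branch switches the forwarded-port listener's default from all interfaces to loopback, but nothing at the bind site records that. The `/* Initialize socket address. */` comment could be extended to `/* Listen on loopback only unless GatewayPorts/-g is set; any value other than 1 keeps the port local. */`. The `== 1` comparison fails closed if the field still holds the -1 sentinel that initialize_options() assigns, and that safe direction is worth stating so a later cleanup to a plain truth test does not turn -1 into a wildcard bind. The function continues past the end of this hunk.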
@@ -1068,7 +1072,7 @@ char *x11_create_display_inet(int screen_number)
port = 6000 + display_number;
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = INADDR_ANY;
+ sin.sin_addr.s_addr = htonl(INADDR_ANY);
sin.sin_port = htons(port);
sock = socket(AF_INET, SOCK_STREAM, 0);
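Review bot: The X11 proxy listener in x11_create_display_inet() still binds to `htonl(INADDR_ANY)`, so the display port (`6000 + display_number`) remains reachable from other hosts, while the same commit restricts ordinary forwarded ports to loopback by default. The added `htonl()` is only a byte-order correction and does not change the bound address. If the wildcard bind is intentional, a comment above this line should record why; otherwise consider `sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);` or an explicit option mirroring `gateway_ports`, after checking how the DISPLAY value handed to the session is built. The function starts and ends outside this hunk.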
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index 8d74d5ac754..6bcd6194c5a 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -14,7 +14,7 @@ Functions for reading the configuration files.
*/
#include "includes.h"
-RCSID("$Id: readconf.c,v 1.2 1999/09/28 04:45:36 provos Exp $");
+RCSID("$Id: readconf.c,v 1.3 1999/09/29 00:10:16 deraadt Exp $");
#include "ssh.h"
#include "cipher.h"
@@ -88,7 +88,7 @@ RCSID("$Id: readconf.c,v 1.2 1999/09/28 04:45:36 provos Exp $");
typedef enum
{
- oForwardAgent, oForwardX11, oRhostsAuthentication,
+ oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
#ifdef KRB4
oKerberosAuthentication,
@@ -116,6 +116,7 @@ static struct
{
{ "forwardagent", oForwardAgent },
{ "forwardx11", oForwardX11 },
+ { "gatewayports", oGatewayPorts },
{ "rhostsauthentication", oRhostsAuthentication },
{ "passwordauthentication", oPasswordAuthentication },
{ "rsaauthentication", oRSAAuthentication },
@@ -254,6 +255,10 @@ void process_config_line(Options *options, const char *host,
case oForwardX11:
intptr = &options->forward_x11;
goto parse_flag;
+
+ case oGatewayPorts:
+ intptr = &options->gateway_ports;
+ goto parse_flag;
case oRhostsAuthentication:
intptr = &options->rhosts_authentication;
@@ -558,6 +563,7 @@ void initialize_options(Options *options)
memset(options, 'X', sizeof(*options));
options->forward_agent = -1;
options->forward_x11 = -1;
+ options->gateway_ports = -1;
options->rhosts_authentication = -1;
options->rsa_authentication = -1;
#ifdef KRB4
@@ -605,6 +611,8 @@ void fill_default_options(Options *options)
options->forward_agent = 1;
if (options->forward_x11 == -1)
options->forward_x11 = 1;
+ if (options->gateway_ports == -1)
+ options->gateway_ports = 0;
if (options->rhosts_authentication == -1)
options->rhosts_authentication = 1;
if (options->rsa_authentication == -1)
diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index 2ad83aec67b..079e20325a4 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h
@@ -13,7 +13,7 @@ Functions for reading the configuration file.
*/
-/* RCSID("$Id: readconf.h,v 1.1 1999/09/26 20:53:37 deraadt Exp $"); */
+/* RCSID("$Id: readconf.h,v 1.2 1999/09/29 00:10:16 deraadt Exp $"); */
#ifndef READCONF_H
#define READCONF_H
@@ -33,6 +33,7 @@ typedef struct
{
int forward_agent; /* Forward authentication agent. */
int forward_x11; /* Forward X11 display. */
+ int gateway_ports; /* Allow remote connects to forwarded ports. */
int rhosts_authentication; /* Try rhosts authentication. */
int rhosts_rsa_authentication;/* Try rhosts with RSA authentication. */
int rsa_authentication; /* Try RSA authentication. */
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index e8d4d55dcf7..aef557bb0f8 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -12,7 +12,7 @@ Created: Mon Aug 21 15:48:58 1995 ylo
*/
#include "includes.h"
-RCSID("$Id: servconf.c,v 1.2 1999/09/28 07:56:47 deraadt Exp $");
+RCSID("$Id: servconf.c,v 1.3 1999/09/29 00:10:16 deraadt Exp $");
#include "ssh.h"
#include "servconf.h"
@@ -24,7 +24,7 @@ void initialize_server_options(ServerOptions *options)
{
memset(options, 0, sizeof(*options));
options->port = -1;
- options->listen_addr.s_addr = INADDR_ANY;
+ options->listen_addr.s_addr = htonl(INADDR_ANY);
options->host_key_file = NULL;
options->random_seed_file = NULL;
options->server_key_bits = -1;
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index 5f76bedf028..19999b4c2cc 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -9,7 +9,7 @@
.\"
.\" Created: Sat Apr 22 21:55:14 1995 ylo
.\"
-.\" $Id: ssh.1,v 1.2 1999/09/26 22:30:06 deraadt Exp $
+.\" $Id: ssh.1,v 1.3 1999/09/29 00:10:16 deraadt Exp $
.\"
.Dd September 25, 1999
.Dt SSH 1
@@ -24,7 +24,7 @@
.Op Ar command
.Pp
.Nm ssh
-.Op Fl knqtvxXC
+.Op Fl gknqtvxXC
.Op Fl c Ar blowfish|idea|des|3des|none
.Op Fl e Ar escape_char
.Op Fl i Ar identity_file
@@ -296,6 +296,8 @@ multiple
.Fl i
options (and multiple identities specified in
configuration files).
+.It Fl g
+Allows remote hosts to connect to local forwarded ports.
.It Fl k
Disables forwarding of Kerberos tickets / AFS tokens. This may
also be specified on a per-host basis in the configuration file.
@@ -509,6 +511,15 @@ set. The argument must be
.Dq yes
or
.Dq no .
+.It Cm GatewayPorts
+Specifies whether remote hosts are allowed to connect to local
+forwarded ports.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
.It Cm GlobalKnownHostsFile
Specifies a file to use instead of
.Pa /etc/ssh_known_hosts .
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index cc938505d00..018dda25347 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -18,7 +18,7 @@ Modified to work with SSL by Niels Provos <provos@citi.umich.edu> in Canada.
*/
#include "includes.h"
-RCSID("$Id: ssh.c,v 1.3 1999/09/28 07:57:42 deraadt Exp $");
+RCSID("$Id: ssh.c,v 1.4 1999/09/29 00:10:16 deraadt Exp $");
#include "xmalloc.h"
#include "ssh.h"
@@ -110,6 +110,7 @@ usage()
fprintf(stderr, "or none.\n");
fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n");
+ fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n");
fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n");
fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n");
fprintf(stderr, " These cause %s to listen for connections on a port, and\n", av0);
@@ -290,6 +291,10 @@ main(int ac, char **av)
options.forward_x11 = 1;
break;
+ case 'g':
+ options.gateway_ports = 1;
+ break;
+
case 'a':
options.forward_agent = 0;
#ifdef KERBEROS_TGT_PASSING