diff options
author | Darren Tucker <dtucker@cvs.openbsd.org> | 2006-07-21 12:43:37 +0000 |
---|---|---|
committer | Darren Tucker <dtucker@cvs.openbsd.org> | 2006-07-21 12:43:37 +0000 |
commit | 89cfae38eaeda7d6d65a73ed0bdb0bac0435af93 (patch) | |
tree | 955dd1cc6bbb3e8cc0c8e27513ddce0fede9ae44 /usr.bin | |
parent | 5c5f5d9ed37fd5eb31caca10e723a3d418b3152e (diff) |
Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it
easier to override a previously set PermitOpen. ok djm@
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ssh/channels.c | 8 | ||||
-rw-r--r-- | usr.bin/ssh/channels.h | 4 | ||||
-rw-r--r-- | usr.bin/ssh/servconf.c | 32 | ||||
-rw-r--r-- | usr.bin/ssh/servconf.h | 4 | ||||
-rw-r--r-- | usr.bin/ssh/sshd_config.5 | 6 |
5 files changed, 31 insertions, 23 deletions
diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c index 0e9f9e596bd..adb7e079653 100644 --- a/usr.bin/ssh/channels.c +++ b/usr.bin/ssh/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.257 2006/07/17 12:06:00 dtucker Exp $ */ +/* $OpenBSD: channels.c,v 1.258 2006/07/21 12:43:36 dtucker Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -2633,17 +2633,17 @@ channel_add_permitted_opens(char *host, int port) all_opens_permitted = 0; } -void +int channel_add_adm_permitted_opens(char *host, int port) { if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("channel_add_adm_permitted_opens: too many forwards"); - debug("allow port forwarding to host %s port %d", host, port); + debug("config allows port forwarding to host %s port %d", host, port); permitted_adm_opens[num_adm_permitted_opens].host_to_connect = xstrdup(host); permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port; - num_adm_permitted_opens++; + return ++num_adm_permitted_opens; } void diff --git a/usr.bin/ssh/channels.h b/usr.bin/ssh/channels.h index f3742c15693..86e7ee88a61 100644 --- a/usr.bin/ssh/channels.h +++ b/usr.bin/ssh/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.86 2006/07/17 12:06:00 dtucker Exp $ */ +/* $OpenBSD: channels.h,v 1.87 2006/07/21 12:43:36 dtucker Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -206,7 +206,7 @@ int channel_find_open(void); void channel_set_af(int af); void channel_permit_all_opens(void); void channel_add_permitted_opens(char *, int); -void channel_add_adm_permitted_opens(char *, int); +int channel_add_adm_permitted_opens(char *, int); void channel_clear_permitted_opens(void); void channel_clear_adm_permitted_opens(void); int channel_input_port_forward_request(int, int); diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c index 9801d3e1ae1..45caf42bb4b 100644 --- a/usr.bin/ssh/servconf.c +++ b/usr.bin/ssh/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.159 2006/07/21 12:43:36 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -106,6 +106,7 @@ initialize_server_options(ServerOptions *options) options->authorized_keys_file2 = NULL; options->num_accept_env = 0; options->permit_tun = -1; + options->num_permitted_opens = -1; options->adm_forced_command = NULL; } @@ -1118,20 +1119,27 @@ parse_flag: fatal("%s line %d: missing PermitOpen specification", filename, linenum); if (strcmp(arg, "any") == 0) { - if (*activep) + if (*activep) { channel_clear_adm_permitted_opens(); + options->num_permitted_opens = 0; + } break; } - p = hpdelim(&arg); - if (p == NULL) - fatal("%s line %d: missing host in PermitOpen", - filename, linenum); - p = cleanhostname(p); - if (arg == NULL || (port = a2port(arg)) == 0) - fatal("%s line %d: bad port number in PermitOpen", - filename, linenum); - if (*activep) - channel_add_adm_permitted_opens(p, port); + for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { + p = hpdelim(&arg); + if (p == NULL) + fatal("%s line %d: missing host in PermitOpen", + filename, linenum); + p = cleanhostname(p); + if (arg == NULL || (port = a2port(arg)) == 0) + fatal("%s line %d: bad port number in " + "PermitOpen", filename, linenum); + if (*activep && options->num_permitted_opens == -1) { + channel_clear_adm_permitted_opens(); + options->num_permitted_opens = + channel_add_adm_permitted_opens(p, port); + } + } break; case sForceCommand: diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h index dd5d50533fa..3665c07b3ae 100644 --- a/usr.bin/ssh/servconf.h +++ b/usr.bin/ssh/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.77 2006/07/21 12:43:36 dtucker Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -138,6 +138,8 @@ typedef struct { char *adm_forced_command; int permit_tun; + + int num_permitted_opens; } ServerOptions; void initialize_server_options(ServerOptions *); diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index ddc921a8c3e..f29ff199752 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.68 2006/07/21 12:43:36 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -564,9 +564,7 @@ The forwarding specification must be one of the following forms: .Sm on .El .Pp -Multiple instances of -.Cm PermitOpen -are permitted. +Multiple forwards may be specified by separating them with whitespace. An argument of .Dq any can be used to remove all restrictions and permit any forwarding requests. |