summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@cvs.openbsd.org>2006-07-21 12:43:37 +0000
committerDarren Tucker <dtucker@cvs.openbsd.org>2006-07-21 12:43:37 +0000
commit89cfae38eaeda7d6d65a73ed0bdb0bac0435af93 (patch)
tree955dd1cc6bbb3e8cc0c8e27513ddce0fede9ae44 /usr.bin
parent5c5f5d9ed37fd5eb31caca10e723a3d418b3152e (diff)
Make PermitOpen take a list of permitted ports and act more like most other
keywords (ie the first match is the effective setting). This also makes it easier to override a previously set PermitOpen. ok djm@
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/channels.c8
-rw-r--r--usr.bin/ssh/channels.h4
-rw-r--r--usr.bin/ssh/servconf.c32
-rw-r--r--usr.bin/ssh/servconf.h4
-rw-r--r--usr.bin/ssh/sshd_config.56
5 files changed, 31 insertions, 23 deletions
diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c
index 0e9f9e596bd..adb7e079653 100644
--- a/usr.bin/ssh/channels.c
+++ b/usr.bin/ssh/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.257 2006/07/17 12:06:00 dtucker Exp $ */
+/* $OpenBSD: channels.c,v 1.258 2006/07/21 12:43:36 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2633,17 +2633,17 @@ channel_add_permitted_opens(char *host, int port)
all_opens_permitted = 0;
}
-void
+int
channel_add_adm_permitted_opens(char *host, int port)
{
if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
fatal("channel_add_adm_permitted_opens: too many forwards");
- debug("allow port forwarding to host %s port %d", host, port);
+ debug("config allows port forwarding to host %s port %d", host, port);
permitted_adm_opens[num_adm_permitted_opens].host_to_connect
= xstrdup(host);
permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port;
- num_adm_permitted_opens++;
+ return ++num_adm_permitted_opens;
}
void
diff --git a/usr.bin/ssh/channels.h b/usr.bin/ssh/channels.h
index f3742c15693..86e7ee88a61 100644
--- a/usr.bin/ssh/channels.h
+++ b/usr.bin/ssh/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.86 2006/07/17 12:06:00 dtucker Exp $ */
+/* $OpenBSD: channels.h,v 1.87 2006/07/21 12:43:36 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -206,7 +206,7 @@ int channel_find_open(void);
void channel_set_af(int af);
void channel_permit_all_opens(void);
void channel_add_permitted_opens(char *, int);
-void channel_add_adm_permitted_opens(char *, int);
+int channel_add_adm_permitted_opens(char *, int);
void channel_clear_permitted_opens(void);
void channel_clear_adm_permitted_opens(void);
int channel_input_port_forward_request(int, int);
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 9801d3e1ae1..45caf42bb4b 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.159 2006/07/21 12:43:36 dtucker Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -106,6 +106,7 @@ initialize_server_options(ServerOptions *options)
options->authorized_keys_file2 = NULL;
options->num_accept_env = 0;
options->permit_tun = -1;
+ options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
}
@@ -1118,20 +1119,27 @@ parse_flag:
fatal("%s line %d: missing PermitOpen specification",
filename, linenum);
if (strcmp(arg, "any") == 0) {
- if (*activep)
+ if (*activep) {
channel_clear_adm_permitted_opens();
+ options->num_permitted_opens = 0;
+ }
break;
}
- p = hpdelim(&arg);
- if (p == NULL)
- fatal("%s line %d: missing host in PermitOpen",
- filename, linenum);
- p = cleanhostname(p);
- if (arg == NULL || (port = a2port(arg)) == 0)
- fatal("%s line %d: bad port number in PermitOpen",
- filename, linenum);
- if (*activep)
- channel_add_adm_permitted_opens(p, port);
+ for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
+ p = hpdelim(&arg);
+ if (p == NULL)
+ fatal("%s line %d: missing host in PermitOpen",
+ filename, linenum);
+ p = cleanhostname(p);
+ if (arg == NULL || (port = a2port(arg)) == 0)
+ fatal("%s line %d: bad port number in "
+ "PermitOpen", filename, linenum);
+ if (*activep && options->num_permitted_opens == -1) {
+ channel_clear_adm_permitted_opens();
+ options->num_permitted_opens =
+ channel_add_adm_permitted_opens(p, port);
+ }
+ }
break;
case sForceCommand:
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index dd5d50533fa..3665c07b3ae 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.77 2006/07/21 12:43:36 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -138,6 +138,8 @@ typedef struct {
char *adm_forced_command;
int permit_tun;
+
+ int num_permitted_opens;
} ServerOptions;
void initialize_server_options(ServerOptions *);
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index ddc921a8c3e..f29ff199752 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.68 2006/07/21 12:43:36 dtucker Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@@ -564,9 +564,7 @@ The forwarding specification must be one of the following forms:
.Sm on
.El
.Pp
-Multiple instances of
-.Cm PermitOpen
-are permitted.
+Multiple forwards may be specified by separating them with whitespace.
An argument of
.Dq any
can be used to remove all restrictions and permit any forwarding requests.