authorDamien Miller <djm@cvs.openbsd.org>2012-12-02 20:46:12 +0000
committerDamien Miller <djm@cvs.openbsd.org>2012-12-02 20:46:12 +0000
commitcf2a2a8842b0f038a70ff247e1abf605129c40db (patch)
tree4107f08cf06e849a83c21ed5237d2b37250765ab /usr.bin
parent1920cce5a2226aa8fdd5eb43a697c5f3dca7ba43 (diff)
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no", so the server configuration can permit only local or only remote TCP forwarding. ok markus@
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/auth-options.c4
-rw-r--r--usr.bin/ssh/channels.c12
-rw-r--r--usr.bin/ssh/servconf.c18
-rw-r--r--usr.bin/ssh/servconf.h10
-rw-r--r--usr.bin/ssh/serverloop.c19
-rw-r--r--usr.bin/ssh/session.c9
-rw-r--r--usr.bin/ssh/sshd_config.516
7 files changed, 62 insertions, 26 deletions
diff --git a/usr.bin/ssh/auth-options.c b/usr.bin/ssh/auth-options.c
index c6116ec1c2e..d3a922842fb 100644
--- a/usr.bin/ssh/auth-options.c
+++ b/usr.bin/ssh/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.56 2011/10/18 04:58:26 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -347,7 +347,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
xfree(patterns);
goto bad_option;
}
- if (options.allow_tcp_forwarding)
+ if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
channel_add_permitted_opens(host, port);
xfree(patterns);
goto next_option;
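Review bot: When AllowTcpForwarding does not include FORWARD_LOCAL, a `permitopen` entry in authorized_keys is parsed and validated and then silently dropped at the new condition, so the key's owner gets no hint why their local forwards fail. Consider an `else` branch that records the reason through whatever this file uses for its other per-option diagnostics, e.g. `else auth_debug_add("permitopen ignored: local TCP forwarding disabled by AllowTcpForwarding");` if auth_debug_add() is that mechanism. auth_parse_options starts and ends outside this hunk.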
diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c
index 635e4833cff..b277d5fd2ec 100644
--- a/usr.bin/ssh/channels.c
+++ b/usr.bin/ssh/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.318 2012/04/23 08:18:17 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3135,12 +3135,10 @@ channel_add_adm_permitted_opens(char *host, int port)
void
channel_disable_adm_local_opens(void)
{
- if (num_adm_permitted_opens == 0) {
- permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens));
- permitted_adm_opens[num_adm_permitted_opens].host_to_connect
- = NULL;
- num_adm_permitted_opens = 1;
- }
+ channel_clear_adm_permitted_opens();
+ permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens));
+ permitted_adm_opens[num_adm_permitted_opens].host_to_connect = NULL;
+ num_adm_permitted_opens = 1;
}
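Review bot: The sentinel element is only partly initialised: after `xmalloc` only `host_to_connect` is set, so any other members of the element hold heap garbage until something reads them, and indexing with `num_adm_permitted_opens` silently depends on `channel_clear_adm_permitted_opens()` resetting the count to 0, which is not visible here. Suggest `permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens));` followed by `memset(permitted_adm_opens, 0, sizeof(*permitted_adm_opens));` (or xcalloc if the tree has it) and then `permitted_adm_opens[0].host_to_connect = NULL;` to state the intent directly. A one-line comment on the function saying that a single entry with a NULL host is the deny-all marker, assuming that is how the lookup side treats it, would also help the next reader.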
void
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 99197785ea3..4ecfc8d0b8d 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.232 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.233 2012/12/02 20:46:11 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -236,7 +236,7 @@ fill_default_server_options(ServerOptions *options)
if (options->compression == -1)
options->compression = COMP_DELAYED;
if (options->allow_tcp_forwarding == -1)
- options->allow_tcp_forwarding = 1;
+ options->allow_tcp_forwarding = FORWARD_ALLOW;
if (options->allow_agent_forwarding == -1)
options->allow_agent_forwarding = 1;
if (options->gateway_ports == -1)
@@ -747,6 +747,14 @@ static const struct multistate multistate_privsep[] = {
{ "no", PRIVSEP_OFF },
{ NULL, -1 }
};
+static const struct multistate multistate_tcpfwd[] = {
+ { "yes", FORWARD_ALLOW },
+ { "all", FORWARD_ALLOW },
+ { "no", FORWARD_DENY },
+ { "remote", FORWARD_REMOTE },
+ { "local", FORWARD_LOCAL },
+ { NULL, -1 }
+};
int
process_server_config_line(ServerOptions *options, char *line,
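Review bot: Two names map to FORWARD_ALLOW in `multistate_tcpfwd`, so the order of the "yes" and "all" rows matters for the config-dump path (fmt_intarg in a later hunk) if fmt_multistate_int returns the first name matching a value; that dependency deserves a comment so nobody reorders the table. Suggested line above the table: `/* "yes" must precede its alias "all": fmt_multistate_int() prints the first match. */`, hedged to whatever fmt_multistate_int actually does.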
@@ -1098,7 +1106,8 @@ process_server_config_line(ServerOptions *options, char *line,
case sAllowTcpForwarding:
intptr = &options->allow_tcp_forwarding;
- goto parse_flag;
+ multistate_ptr = multistate_tcpfwd;
+ goto parse_multistate;
case sAllowAgentForwarding:
intptr = &options->allow_agent_forwarding;
@@ -1378,7 +1387,6 @@ process_server_config_line(ServerOptions *options, char *line,
}
if (strcmp(arg, "none") == 0) {
if (*activep && n == -1) {
- channel_clear_adm_permitted_opens();
options->num_permitted_opens = 1;
channel_disable_adm_local_opens();
}
@@ -1735,6 +1743,8 @@ fmt_intarg(ServerOpCodes code, int val)
return fmt_multistate_int(val, multistate_compression);
case sUsePrivilegeSeparation:
return fmt_multistate_int(val, multistate_privsep);
+ case sAllowTcpForwarding:
+ return fmt_multistate_int(val, multistate_tcpfwd);
case sProtocol:
switch (val) {
case SSH_PROTO_1:
diff --git a/usr.bin/ssh/servconf.h b/usr.bin/ssh/servconf.h
index da2374be289..48cf303fb06 100644
--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.105 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.106 2012/12/02 20:46:11 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -42,6 +42,12 @@
#define PRIVSEP_ON 1
#define PRIVSEP_NOSANDBOX 2
+/* AllowTCPForwarding */
+#define FORWARD_DENY 0
+#define FORWARD_REMOTE (1)
+#define FORWARD_LOCAL (1<<1)
+#define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL)
+
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
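Review bot: The new comment spells the option `AllowTCPForwarding` while the rest of this change uses `AllowTcpForwarding` (`sAllowTcpForwarding`, the man page entry), and the two flag definitions are written inconsistently, `(1)` versus `(1<<1)`. Suggest `/* AllowTcpForwarding: bit flags, combined with | and tested with & */`, `#define FORWARD_REMOTE (1<<0)` and `#define FORWARD_LOCAL (1<<1)`; the comment also makes explicit that these are not mutually exclusive enumerators, which every `& FORWARD_*` test elsewhere in the diff relies on.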
@@ -116,7 +122,7 @@ typedef struct {
int permit_user_env; /* If true, read ~/.ssh/environment */
int use_login; /* If true, login(1) is used */
int compression; /* If true, compression is allowed */
- int allow_tcp_forwarding;
+ int allow_tcp_forwarding; /* One of FORWARD_* */
int allow_agent_forwarding;
u_int num_allow_users;
char *allow_users[MAX_ALLOW_USERS];
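Review bot: The comment `/* One of FORWARD_* */` is misleading: the field is a bitmask, tested with `& FORWARD_LOCAL` and `& FORWARD_REMOTE` in the serverloop.c and session.c hunks, and FORWARD_ALLOW is the OR of the two; it is also -1 before fill_default_server_options() runs (servconf.c hunk). Suggest `int allow_tcp_forwarding; /* FORWARD_* bitmask; FORWARD_DENY is 0, -1 means unset */`.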
diff --git a/usr.bin/ssh/serverloop.c b/usr.bin/ssh/serverloop.c
index 2105cc818ff..c47d03dfd39 100644
--- a/usr.bin/ssh/serverloop.c
+++ b/usr.bin/ssh/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.162 2012/06/20 04:42:58 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.163 2012/12/02 20:46:11 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -918,7 +918,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt)
static Channel *
server_request_direct_tcpip(void)
{
- Channel *c;
+ Channel *c = NULL;
char *target, *originator;
u_short target_port, originator_port;
@@ -931,9 +931,16 @@ server_request_direct_tcpip(void)
debug("server_request_direct_tcpip: originator %s port %d, target %s "
"port %d", originator, originator_port, target, target_port);
- /* XXX check permission */
- c = channel_connect_to(target, target_port,
- "direct-tcpip", "direct-tcpip");
+ /* XXX fine grained permissions */
+ if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
+ !no_port_forwarding_flag) {
+ c = channel_connect_to(target, target_port,
+ "direct-tcpip", "direct-tcpip");
+ } else {
+ logit("refused local port forward: "
+ "originator %s port %d, target %s port %d",
+ originator, originator_port, target, target_port);
+ }
xfree(originator);
xfree(target);
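Review bot: The `/* XXX fine grained permissions */` marker does not say what this early check is for, and the refusal branch only works because `c` is now initialised to NULL in the previous hunk and the caller, outside this hunk, presumably reports a NULL channel as an open failure. If `channel_connect_to()` also enforces the PermitOpen lists (the deny-all sentinel installed from session.c suggests it does), this check is a defence-in-depth duplicate whose practical value is the logit() refusal; a comment should say so, e.g. `/* Coarse AllowTcpForwarding/no-port-forwarding check; per-target PermitOpen filtering happens in channel_connect_to(). Refusal leaves c NULL and is logged here. */`. server_request_direct_tcpip continues past the end of this hunk.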
@@ -1089,7 +1096,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
listen_address, listen_port);
/* check permissions */
- if (!options.allow_tcp_forwarding ||
+ if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
no_port_forwarding_flag ||
(!want_reply && listen_port == 0) ||
(listen_port != 0 && listen_port < IPPORT_RESERVED &&
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index 2beb2430ab1..41bcd577bd3 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.260 2012/03/15 03:10:27 guenther Exp $ */
+/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -256,7 +256,10 @@ do_authenticated(Authctxt *authctxt)
setproctitle("%s", authctxt->pw->pw_name);
/* setup the channel layer */
- if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+ if (no_port_forwarding_flag ||
+ (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+ channel_disable_adm_local_opens();
+ else
channel_permit_all_opens();
auth_debug_send();
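Review bot: The deny branch discards any PermitOpen list the administrator configured: `channel_disable_adm_local_opens()` (channels.c hunk) clears the admin list before installing its sentinel, so `AllowTcpForwarding remote` or `no` overrides PermitOpen regardless of where each appears in sshd_config, and nothing at this call site or in the sshd_config.5 hunk says so. Suggested comment above the `if`: `/* Denying local forwards replaces the admin PermitOpen list with a deny-all sentinel; PermitOpen only matters when FORWARD_LOCAL is set. */`, with "deny-all" to be confirmed against the lookup code, which is not visible here. do_authenticated continues outside this hunk.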
@@ -366,7 +369,7 @@ do_authenticated1(Authctxt *authctxt)
debug("Port forwarding not permitted for this authentication.");
break;
}
- if (!options.allow_tcp_forwarding) {
+ if (!(options.allow_tcp_forwarding & FORWARD_REMOTE)) {
debug("Port forwarding not permitted.");
break;
}
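Review bot: The test is written as `!(options.allow_tcp_forwarding & FORWARD_REMOTE)` here while the equivalent check in serverloop.c uses `(options.allow_tcp_forwarding & FORWARD_REMOTE) == 0`; picking one spelling for every bitmask test in this change makes grepping for the policy checks easier. Suggest `if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0) {`. do_authenticated1 starts and ends outside this hunk.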
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 91935d0291a..4d16bd35518 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.149 2012/11/04 11:09:15 djm Exp $
-.Dd $Mdocdate: November 4 2012 $
+.\" $OpenBSD: sshd_config.5,v 1.150 2012/12/02 20:46:11 djm Exp $
+.Dd $Mdocdate: December 2 2012 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -124,6 +124,18 @@ in
for more information on patterns.
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
+The available options are
+.Dq yes
+or
+.Dq all
+to allow TCP forwarding,
+.Dq no
+to prevent all TCP forwarding,
+.Dq local
+to allow local (from the perspective of
+.Xr ssh 1 ) forwarding only or
+.Dq remote
+to allow remote forwarding only.
The default is
.Dq yes .
Note that disabling TCP forwarding does not improve security unless