From cdc3ded5cf05f2c9815425bb442656fca9ca6b0e Mon Sep 17 00:00:00 2001
From: Markus Friedl
Date: Fri, 16 Mar 2001 19:06:31 +0000
Subject: implement "permitopen" key option, restricts -L style forwarding to to specified host:port pairs. based on work by harlan@genua.de
---
 usr.bin/ssh/session.c | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

(limited to 'usr.bin/ssh/session.c')

diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index d99bc7bec2d..d97dd68f248 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.60 2001/03/15 22:07:08 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.61 2001/03/16 19:06:30 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -192,19 +192,12 @@ do_authenticated(struct passwd * pw)
 startup_pipe = -1;
 }
 
- /*
- * Inform the channel mechanism that we are the server side and that
- * the client may request to connect to any port at all. (The user
- * could do it anyway, and we wouldn\'t know what is permitted except
- * by the client telling us, so we can equally well trust the client
- * not to request anything bogus.)
- */
- if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
- channel_permit_all_opens();
-
 s = session_new();
 s->pw = pw;
 
+ if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+ channel_permit_all_opens();
+
 #ifdef HAVE_LOGIN_CAP
 if ((lc = login_getclass(pw->pw_class)) == NULL) {
 error("unable to get login class");
@@ -1700,6 +1693,8 @@ do_authenticated2(Authctxt *authctxt)
 close(startup_pipe);
 startup_pipe = -1;
 }
+ if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+ channel_permit_all_opens();
 #ifdef HAVE_LOGIN_CAP
 if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) {
 error("unable to get login class");
-- 
cgit v1.2.3
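Review bot: The relocated call in do_authenticated (hunk @@ -192) and the new one in do_authenticated2 (hunk @@ -1700) now rely on an ordering invariant the hunks do not state: `channel_permit_all_opens()` is reached only after authentication, presumably so that any per-key `permitopen` list installed during key processing is already in place and is not widened by this call — that behaviour lives in channels.c, outside this diff, and should be confirmed there. The explanatory comment the first hunk deletes is not replaced, so a reader now sees an unconditional "permit everything" call right after authentication with no hint that it is meant to defer to earlier state; a short comment at both sites, e.g. `/* Key options have been applied by now; this must not override a permitopen restriction already registered. */`, would keep the intent visible. The same two-line condition is duplicated verbatim in both functions, which invites drift if the forwarding policy is extended later; a small static helper called from both places would keep it in one spot. Both do_authenticated and do_authenticated2 begin and end outside the hunks.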