-rw-r--r--ChangeLog7
-rw-r--r--channels.c8
-rw-r--r--channels.h4
-rw-r--r--servconf.c32
-rw-r--r--servconf.h4
-rw-r--r--sshd_config.56
6 files changed, 37 insertions, 24 deletions
diff --git a/ChangeLog b/ChangeLog
index 50937e3b..04fa8c25 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -65,6 +65,11 @@
[auth1.c serverloop.c session.c sshconnect2.c]
missed some needed #include <unistd.h> when KERBEROS5=no; issue from
massimo@cedoc.mo.it
+ - dtucker@cvs.openbsd.org 2006/07/21 12:43:36
+ [channels.c channels.h servconf.c servconf.h sshd_config.5]
+ Make PermitOpen take a list of permitted ports and act more like most
+ other keywords (ie the first match is the effective setting). This
+ also makes it easier to override a previously set PermitOpen. ok djm@
20060713
- (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
@@ -4983,4 +4988,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4423 2006/07/24 04:07:35 djm Exp $
+$Id: ChangeLog,v 1.4424 2006/07/24 04:08:13 djm Exp $
diff --git a/channels.c b/channels.c
index 9aaf7e9d..c6c5c889 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.257 2006/07/17 12:06:00 dtucker Exp $ */
+/* $OpenBSD: channels.c,v 1.258 2006/07/21 12:43:36 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2653,17 +2653,17 @@ channel_add_permitted_opens(char *host, int port)
all_opens_permitted = 0;
}
-void
+int
channel_add_adm_permitted_opens(char *host, int port)
{
if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
fatal("channel_add_adm_permitted_opens: too many forwards");
- debug("allow port forwarding to host %s port %d", host, port);
+ debug("config allows port forwarding to host %s port %d", host, port);
permitted_adm_opens[num_adm_permitted_opens].host_to_connect
= xstrdup(host);
permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port;
- num_adm_permitted_opens++;
+ return ++num_adm_permitted_opens;
}
void
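Review bot: The new int return value of channel_add_adm_permitted_opens() is not documented at the definition, yet the caller this commit introduces in servconf.c stores it as the effective PermitOpen count, so the contract is that the function returns the post-increment `num_adm_permitted_opens`. A one-line comment above the definition, `/* Returns the number of adm-permitted opens after adding this one. */`, would pin that down; the prototype in the channels.h hunk should carry the same remark. The fatal() on the SSH_MAX_FORWARDS_PER_DIRECTION limit still runs before the table write, so the return can never exceed that bound.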
diff --git a/channels.h b/channels.h
index c473b730..ed719f72 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.86 2006/07/17 12:06:00 dtucker Exp $ */
+/* $OpenBSD: channels.h,v 1.87 2006/07/21 12:43:36 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -207,7 +207,7 @@ int channel_find_open(void);
void channel_set_af(int af);
void channel_permit_all_opens(void);
void channel_add_permitted_opens(char *, int);
-void channel_add_adm_permitted_opens(char *, int);
+int channel_add_adm_permitted_opens(char *, int);
void channel_clear_permitted_opens(void);
void channel_clear_adm_permitted_opens(void);
int channel_input_port_forward_request(int, int);
diff --git a/servconf.c b/servconf.c
index e2c1d445..46558b69 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.159 2006/07/21 12:43:36 dtucker Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions *options)
options->authorized_keys_file2 = NULL;
options->num_accept_env = 0;
options->permit_tun = -1;
+ options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
}
@@ -1161,20 +1162,27 @@ parse_flag:
fatal("%s line %d: missing PermitOpen specification",
filename, linenum);
if (strcmp(arg, "any") == 0) {
- if (*activep)
+ if (*activep) {
channel_clear_adm_permitted_opens();
+ options->num_permitted_opens = 0;
+ }
break;
}
- p = hpdelim(&arg);
- if (p == NULL)
- fatal("%s line %d: missing host in PermitOpen",
- filename, linenum);
- p = cleanhostname(p);
- if (arg == NULL || (port = a2port(arg)) == 0)
- fatal("%s line %d: bad port number in PermitOpen",
- filename, linenum);
- if (*activep)
- channel_add_adm_permitted_opens(p, port);
+ for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
+ p = hpdelim(&arg);
+ if (p == NULL)
+ fatal("%s line %d: missing host in PermitOpen",
+ filename, linenum);
+ p = cleanhostname(p);
+ if (arg == NULL || (port = a2port(arg)) == 0)
+ fatal("%s line %d: bad port number in "
+ "PermitOpen", filename, linenum);
+ if (*activep && options->num_permitted_opens == -1) {
+ channel_clear_adm_permitted_opens();
+ options->num_permitted_opens =
+ channel_add_adm_permitted_opens(p, port);
+ }
+ }
break;
case sForceCommand:
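Review bot: Only the first host:port on a PermitOpen line is ever installed, because the guard `if (*activep && options->num_permitted_opens == -1)` inside the loop stops holding as soon as channel_add_adm_permitted_opens() returns the new count for the first entry, so every later entry on the same line is parsed, validated and then dropped. The `any` branch has the opposite problem: `if (*activep) { channel_clear_adm_permitted_opens(); ... = 0; }` clears the table without checking whether an earlier PermitOpen already took effect, so a later `PermitOpen any` removes restrictions set earlier, contrary to the first-match rule the commit describes. Both are fixed by snapshotting the counter into a local before the `any` test, testing that snapshot in both branches, and clearing the table once before the loop; `n` is a new int local that has to be declared with the function's other locals, which lie outside the hunk, as does the rest of the function.
```c
		n = options->num_permitted_opens;	/* -1 until a PermitOpen takes effect */
		if (strcmp(arg, "any") == 0) {
			if (*activep && n == -1) {
				channel_clear_adm_permitted_opens();
				options->num_permitted_opens = 0;
			}
			break;
		}
		if (*activep && n == -1)
			channel_clear_adm_permitted_opens();
		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
			/* … unchanged: hpdelim / cleanhostname / a2port checks … */
			if (*activep && n == -1)
				options->num_permitted_opens =
				    channel_add_adm_permitted_opens(p, port);
		}
		break;
```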
diff --git a/servconf.h b/servconf.h
index 41dce768..0add6518 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.77 2006/07/21 12:43:36 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -140,6 +140,8 @@ typedef struct {
int use_pam; /* Enable auth via PAM */
int permit_tun;
+
+ int num_permitted_opens;
} ServerOptions;
void initialize_server_options(ServerOptions *);
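Review bot: `num_permitted_opens` is added without a comment although the neighbouring `use_pam` field documents itself, and its value is a three-state sentinel rather than a plain count: initialize_server_options() sets it to -1, `PermitOpen any` sets it to 0, and an explicit list stores the count returned by channel_add_adm_permitted_opens(). Suggest `int num_permitted_opens; /* -1: PermitOpen unset, 0: "any", >0: entries installed */` so the servconf.c guard that tests for -1 can be read without tracing the parser.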
diff --git a/sshd_config.5 b/sshd_config.5
index 26c895f7..ff5457df 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.68 2006/07/21 12:43:36 dtucker Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@@ -564,9 +564,7 @@ The forwarding specification must be one of the following forms:
.Sm on
.El
.Pp
-Multiple instances of
-.Cm PermitOpen
-are permitted.
+Multiple forwards may be specified by separating them with whitespace.
An argument of
.Dq any
can be used to remove all restrictions and permit any forwarding requests.