authordjm@openbsd.org <djm@openbsd.org>2018-06-06 20:22:41 +0200
committerDamien Miller <djm@mindrot.org>2018-06-06 20:27:20 +0200
commit115063a6647007286cc8ca70abfd2a7585f26ccc (patch)
tree7bd8d46ae55ff7fc1f8699740d2d2e106c3d5fe8 /session.c
parentUse ssh-keygen -A to generate missing host keys. (diff)
upstream: Add a PermitListen directive to control which server-side
addresses may be listened on when the client requests remote forwarding (ssh -R). This is the converse of the existing PermitOpen directive; the change also includes some refactoring so that the two directives share much of their implementation. feedback and ok markus@ OpenBSD-Commit-ID: 15a931238c61a3f2ac74ea18a98c933e358e277f
Diffstat (limited to 'session.c')
-rw-r--r--session.c27
1 files changed, 18 insertions, 9 deletions
diff --git a/session.c b/session.c
index 5ceebff51..3a3fd841a 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.295 2018/06/01 03:33:53 djm Exp $ */
+/* $OpenBSD: session.c,v 1.296 2018/06/06 18:22:41 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -298,7 +298,7 @@ set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
return;
- channel_clear_permitted_opens(ssh);
+ channel_clear_permission(ssh, FORWARD_USER, FORWARD_LOCAL);
for (i = 0; i < auth_opts->npermitopen; i++) {
tmp = cp = xstrdup(auth_opts->permitopen[i]);
/* This shouldn't fail as it has already been checked */
@@ -308,7 +308,8 @@ set_permitopen_from_authopts(struct ssh *ssh, const struct sshauthopt *opts)
if (cp == NULL || (port = permitopen_port(cp)) < 0)
fatal("%s: internal error: permitopen port",
__func__);
- channel_add_permitted_opens(ssh, host, port);
+ channel_add_permission(ssh, FORWARD_USER, FORWARD_LOCAL,
+ host, port);
free(tmp);
}
}
@@ -323,13 +324,21 @@ do_authenticated(struct ssh *ssh, Authctxt *authctxt)
/* setup the channel layer */
/* XXX - streamlocal? */
set_permitopen_from_authopts(ssh, auth_opts);
- if (!auth_opts->permit_port_forwarding_flag ||
- options.disable_forwarding ||
- (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
- channel_disable_adm_local_opens(ssh);
- else
- channel_permit_all_opens(ssh);
+ if (!auth_opts->permit_port_forwarding_flag ||
+ options.disable_forwarding) {
+ channel_disable_admin(ssh, FORWARD_LOCAL);
+ channel_disable_admin(ssh, FORWARD_REMOTE);
+ } else {
+ if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+ channel_disable_admin(ssh, FORWARD_LOCAL);
+ else
+ channel_permit_all(ssh, FORWARD_LOCAL);
+ if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0)
+ channel_disable_admin(ssh, FORWARD_REMOTE);
+ else
+ channel_permit_all(ssh, FORWARD_REMOTE);
+ }
auth_debug_send();
prepare_auth_info_file(authctxt->pw, authctxt->session_info);
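Review bot: The new else-branch sets the administrative permission for FORWARD_REMOTE, but nothing in do_authenticated() populates the FORWARD_USER side for that direction: set_permitopen_from_authopts(), called just above, clears and refills only FORWARD_USER/FORWARD_LOCAL, so the effective per-key policy for remote listeners is whatever default the channel layer keeps for that list, which is not visible in this hunk. If a per-key equivalent of PermitListen is not intended yet, that asymmetry deserves a comment so the next reader does not assume key options can restrict -R listeners, e.g. `/* Only admin (sshd_config) policy is applied for FORWARD_REMOTE here; authorized_keys options currently populate the FORWARD_USER list for FORWARD_LOCAL only. */`. Stylistically the two symmetric if/else pairs for FORWARD_LOCAL and FORWARD_REMOTE are easy to desynchronise; a two-iteration loop over the direction flags, calling channel_disable_admin() or channel_permit_all() based on `options.allow_tcp_forwarding & dir`, would keep the admin policy in one place. do_authenticated() continues past the end of this hunk.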