author | markus@openbsd.org <markus@openbsd.org> | 2021-02-15 20:43:15 +0000 |
---|---|---|
committer | Darren Tucker <dtucker@dtucker.net> | 2021-02-17 15:03:41 +1100 |
commit | da0a9afcc446a30ca49dd216612c41ac3cb1f2d4 (patch) | |
tree | 59583623e3eacb7a9f7b511f2ed2e4da70f9e187 /ssh.c | |
parent | b696858a7f9db72a83d02cb6edaca4b30a91b386 (diff) | |
download | openssh-git-da0a9afcc446a30ca49dd216612c41ac3cb1f2d4.tar.gz |
upstream: ssh: add PermitRemoteOpen for remote dynamic forwarding
with SOCKS ok djm@, dtucker@
OpenBSD-Commit-ID: 64fe7b6360acc4ea56aa61b66498b5ecc0a96a7c
Diffstat (limited to 'ssh.c')
-rw-r--r-- | ssh.c | 43 |
1 files changed, 42 insertions, 1 deletions
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.550 2021/02/02 22:36:59 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.551 2021/02/15 20:43:15 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1875,11 +1875,52 @@ ssh_init_stdio_forwarding(struct ssh *ssh)
 }
 static void
+ssh_init_forward_permissions(struct ssh *ssh, const char *what, char **opens,
+    u_int num_opens)
+{
+	u_int i;
+	int port;
+	char *addr, *arg, *oarg, ch;
+	int where = FORWARD_LOCAL;
+	channel_clear_permission(ssh, FORWARD_ADM, where);
+	if (num_opens == 0)
+		return; /* permit any */
+	/* handle keywords: "any" / "none" */
+	if (num_opens == 1 && strcmp(opens[0], "any") == 0)
+		return;
+	if (num_opens == 1 && strcmp(opens[0], "none") == 0) {
+		channel_disable_admin(ssh, where);
+		return;
+	}
+	/* Otherwise treat it as a list of permitted host:port */
+	for (i = 0; i < num_opens; i++) {
+		oarg = arg = xstrdup(opens[i]);
+		ch = '\0';
+		addr = hpdelim2(&arg, &ch);
+		if (addr == NULL || ch == '/')
+			fatal_f("missing host in %s", what);
+		addr = cleanhostname(addr);
+		if (arg == NULL || ((port = permitopen_port(arg)) < 0))
+			fatal_f("bad port number in %s", what);
+		/* Send it to channels layer */
+		channel_add_permission(ssh, FORWARD_ADM,
+		    where, addr, port);
+		free(oarg);
+	}
+}
+static void
 ssh_init_forwarding(struct ssh *ssh, char **ifname)
 {
 	int success = 0;
 	int i;
+	ssh_init_forward_permissions(ssh, "permitremoteopen",
+	    options.permitted_remote_opens,
+	    options.num_permitted_remote_opens);
 	if (options.exit_on_forward_failure)
 		forward_confirms_pending = 0; /* track pending requests */
 	/* Initiate local TCP/IP port forwardings. */ |
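Review bot: ssh_init_forward_permissions has no header comment stating its precedence rules, and those rules matter because the default is permissive: with `num_opens == 0` the FORWARD_ADM permissions are cleared and the function returns, so an unset PermitRemoteOpen leaves the remote dynamic forward free to connect anywhere, "none" disables it via channel_disable_admin, and anything else becomes a host:port allow-list. A comment above the definition such as `/* Install the PermitRemoteOpen allow-list for remote dynamic (SOCKS) forwards: empty or "any" = unrestricted, "none" = refuse every destination, otherwise host:port entries ("*" wildcards per permitopen_port); `what` names the option in error messages. */` would make that explicit for the next reader. A list that mixes `any` or `none` with other entries is not caught by the `num_opens == 1` checks and appears to fall through to the host:port parser, where hpdelim2 leaves `arg` NULL and the user sees "bad port number", which hides the real mistake; a check at the top of the loop, `if (strcmp(opens[i], "any") == 0 || strcmp(opens[i], "none") == 0) fatal_f("%s: \"%s\" must be the only entry", what, opens[i]);`, would report it accurately. Finally `where` is hard-coded to FORWARD_LOCAL although the function name and the `what` parameter read as generic; a one-line comment on that declaration explaining why the client registers these as local permissions (I infer this from the channel_add_permission call, so confirm against channels.c) would save the next person from "fixing" it.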