diff options
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | auth-options.c | 4 | ||||
| -rw-r--r-- | channels.c | 12 | ||||
| -rw-r--r-- | servconf.c | 18 | ||||
| -rw-r--r-- | servconf.h | 10 | ||||
| -rw-r--r-- | serverloop.c | 19 | ||||
| -rw-r--r-- | session.c | 9 | ||||
| -rw-r--r-- | sshd_config.5 | 16 |
8 files changed, 68 insertions, 26 deletions
@@ -12,6 +12,12 @@ make deleting explicit keys "ssh-add -d" symmetric with adding keys - try to delete the corresponding certificate too and respect the -k option to allow deleting of the key only; feedback and ok markus@ + - djm@cvs.openbsd.org 2012/12/02 20:46:11 + [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c] + [sshd_config.5] + make AllowTcpForwarding accept "local" and "remote" in addition to its + current "yes"/"no" to allow the server to specify whether just local or + remote TCP forwarding is enabled. ok markus@ 20121114 - (djm) OpenBSD CVS Sync diff --git a/auth-options.c b/auth-options.c index 0e67bd8c..23d0423e 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.56 2011/10/18 04:58:26 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -349,7 +349,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) xfree(patterns); goto bad_option; } - if (options.allow_tcp_forwarding) + if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0) channel_add_permitted_opens(host, port); xfree(patterns); goto next_option; @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.318 2012/04/23 08:18:17 djm Exp $ */ +/* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -3165,12 +3165,10 @@ channel_add_adm_permitted_opens(char *host, int port) void channel_disable_adm_local_opens(void) { - if (num_adm_permitted_opens == 0) { - permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens)); - permitted_adm_opens[num_adm_permitted_opens].host_to_connect - = NULL; - num_adm_permitted_opens = 1; - } + channel_clear_adm_permitted_opens(); + permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens)); + permitted_adm_opens[num_adm_permitted_opens].host_to_connect = NULL; + num_adm_permitted_opens = 1; } void @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.232 2012/11/04 11:09:15 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.233 2012/12/02 20:46:11 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -250,7 +250,7 @@ fill_default_server_options(ServerOptions *options) if (options->compression == -1) options->compression = COMP_DELAYED; if (options->allow_tcp_forwarding == -1) - options->allow_tcp_forwarding = 1; + options->allow_tcp_forwarding = FORWARD_ALLOW; if (options->allow_agent_forwarding == -1) options->allow_agent_forwarding = 1; if (options->gateway_ports == -1) @@ -786,6 +786,14 @@ static const struct multistate multistate_privsep[] = { { "no", PRIVSEP_OFF }, { NULL, -1 } }; +static const struct multistate multistate_tcpfwd[] = { + { "yes", FORWARD_ALLOW }, + { "all", FORWARD_ALLOW }, + { "no", FORWARD_DENY }, + { "remote", FORWARD_REMOTE }, + { "local", FORWARD_LOCAL }, + { NULL, -1 } +}; int process_server_config_line(ServerOptions *options, char *line, @@ -1143,7 +1151,8 @@ process_server_config_line(ServerOptions *options, char *line, case sAllowTcpForwarding: intptr = &options->allow_tcp_forwarding; - goto parse_flag; + multistate_ptr = multistate_tcpfwd; + goto parse_multistate; case sAllowAgentForwarding: intptr = &options->allow_agent_forwarding; @@ -1423,7 +1432,6 @@ process_server_config_line(ServerOptions *options, char *line, } if (strcmp(arg, "none") == 0) { if (*activep && n == -1) { - channel_clear_adm_permitted_opens(); options->num_permitted_opens = 1; channel_disable_adm_local_opens(); } @@ -1780,6 +1788,8 @@ fmt_intarg(ServerOpCodes code, int val) return fmt_multistate_int(val, multistate_compression); case sUsePrivilegeSeparation: return fmt_multistate_int(val, multistate_privsep); + case sAllowTcpForwarding: + return fmt_multistate_int(val, multistate_tcpfwd); case sProtocol: switch (val) { case SSH_PROTO_1: @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.105 2012/11/04 11:09:15 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.106 2012/12/02 20:46:11 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> @@ -42,6 +42,12 @@ #define PRIVSEP_ON 1 #define PRIVSEP_NOSANDBOX 2 +/* AllowTCPForwarding */ +#define FORWARD_DENY 0 +#define FORWARD_REMOTE (1) +#define FORWARD_LOCAL (1<<1) +#define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL) + #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ @@ -116,7 +122,7 @@ typedef struct { int permit_user_env; /* If true, read ~/.ssh/environment */ int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ - int allow_tcp_forwarding; + int allow_tcp_forwarding; /* One of FORWARD_* */ int allow_agent_forwarding; u_int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; diff --git a/serverloop.c b/serverloop.c index 741c5bef..14e60c6d 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.162 2012/06/20 04:42:58 djm Exp $ */ +/* $OpenBSD: serverloop.c,v 1.163 2012/12/02 20:46:11 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -950,7 +950,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt) static Channel * server_request_direct_tcpip(void) { - Channel *c; + Channel *c = NULL; char *target, *originator; u_short target_port, originator_port; @@ -963,9 +963,16 @@ server_request_direct_tcpip(void) debug("server_request_direct_tcpip: originator %s port %d, target %s " "port %d", originator, originator_port, target, target_port); - /* XXX check permission */ - c = channel_connect_to(target, target_port, - "direct-tcpip", "direct-tcpip"); + /* XXX fine grained permissions */ + if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 && + !no_port_forwarding_flag) { + c = channel_connect_to(target, target_port, + "direct-tcpip", "direct-tcpip"); + } else { + logit("refused local port forward: " + "originator %s port %d, target %s port %d", + originator, originator_port, target, target_port); + } xfree(originator); xfree(target); @@ -1126,7 +1133,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) listen_address, listen_port); /* check permissions */ - if (!options.allow_tcp_forwarding || + if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 || no_port_forwarding_flag || (!want_reply && listen_port == 0) #ifndef NO_IPPORT_RESERVED_CONCEPT @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.260 2012/03/15 03:10:27 guenther Exp $ */ +/* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -273,7 +273,10 @@ do_authenticated(Authctxt *authctxt) setproctitle("%s", authctxt->pw->pw_name); /* setup the channel layer */ - if (!no_port_forwarding_flag && options.allow_tcp_forwarding) + if (no_port_forwarding_flag || + (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) + channel_disable_adm_local_opens(); + else channel_permit_all_opens(); auth_debug_send(); @@ -383,7 +386,7 @@ do_authenticated1(Authctxt *authctxt) debug("Port forwarding not permitted for this authentication."); break; } - if (!options.allow_tcp_forwarding) { + if (!(options.allow_tcp_forwarding & FORWARD_REMOTE)) { debug("Port forwarding not permitted."); break; } diff --git a/sshd_config.5 b/sshd_config.5 index 05f3374f..d2c4db55 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.149 2012/11/04 11:09:15 djm Exp $ -.Dd $Mdocdate: November 4 2012 $ +.\" $OpenBSD: sshd_config.5,v 1.150 2012/12/02 20:46:11 djm Exp $ +.Dd $Mdocdate: December 2 2012 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -124,6 +124,18 @@ in for more information on patterns. .It Cm AllowTcpForwarding Specifies whether TCP forwarding is permitted. +The available options are +.Dq yes +or +.Dq all +to allow TCP forwarding, +.Dq no +to prevent all TCP forwarding, +.Dq local +to allow local (from the perspective of +.Xr ssh 1 ) forwarding only or +.Dq remote +to allow remote forwarding only. The default is .Dq yes . Note that disabling TCP forwarding does not improve security unless |