diff --git a/ChangeLog b/ChangeLog index 76a5dd086..2e1780a50 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,10 @@ 2011101 - (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning. ok djm + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2011/09/23 00:22:04 + [channels.c auth-options.c servconf.c channels.h sshd.8] + Add wildcard support to PermitOpen, allowing things like "PermitOpen + localhost:*". bz #1857, ok djm markus. 20110929 - (djm) [configure.ac defines.h] No need to detect sizeof(char); patch diff --git a/auth-options.c b/auth-options.c index eae45cf2b..b3c19c1c0 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.54 2010/12/24 21:41:48 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.55 2011/09/23 00:22:04 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -341,7 +341,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) goto bad_option; } host = cleanhostname(host); - if (p == NULL || (port = a2port(p)) <= 0) { + if (p == NULL || (port = permitopen_port(p)) < 0) { debug("%.100s, line %lu: Bad permitopen port " "<%.100s>", file, linenum, p ? p : ""); auth_debug_add("%.100s, line %lu: " diff --git a/channels.c b/channels.c index b6663de8f..00e9af84a 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.313 2011/09/10 22:26:34 markus Exp $ */ +/* $OpenBSD: channels.c,v 1.314 2011/09/23 00:22:04 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -125,6 +125,9 @@ static int num_permitted_opens = 0; /* Number of permitted host/port pair in the array permitted by the admin. */ static int num_adm_permitted_opens = 0; +/* special-case port number meaning allow any port */ +#define FWD_PERMIT_ANY_PORT 0 + /* * If this is true, all opens are permitted. This is the case on the server * on which we have to trust the client anyway, and the user could do 
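Review bot: In the auth-options.c hunk at -341 the check changes from `<= 0` to `< 0`, which reads as if a port of 0 is now accepted from authorized_keys; it is only correct because `permitopen_port` maps the literal `*` to `FWD_PERMIT_ANY_PORT` (0) and a numeric zero to -1. That dependency is invisible at this call site, so a one-line comment would help the next reader: `/* 0 is FWD_PERMIT_ANY_PORT (wildcard), never a literal port */`. The same relationship holds for the servconf.c PermitOpen check, which uses the same `< 0` test. `auth_parse_options` begins and ends outside this hunk.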
@@ -3135,6 +3138,28 @@ channel_print_adm_permitted_opens(void) printf("\n"); } +/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */ +int +permitopen_port(const char *p) +{ + int port; + + if (strcmp(p, "*") == 0) + return FWD_PERMIT_ANY_PORT; + if ((port = a2port(p)) > 0) + return port; + return -1; +} + +static int +port_match(u_short allowedport, u_short requestedport) +{ + if (allowedport == FWD_PERMIT_ANY_PORT || + allowedport == requestedport) + return 1; + return 0; +} + /* Try to start non-blocking connect to next host in cctx list */ static int connect_next(struct channel_connect *cctx) @@ -3237,7 +3262,7 @@ channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname) for (i = 0; i < num_permitted_opens; i++) { if (permitted_opens[i].host_to_connect != NULL && - permitted_opens[i].listen_port == listen_port) { + port_match(permitted_opens[i].listen_port, listen_port)) { return connect_to( permitted_opens[i].host_to_connect, permitted_opens[i].port_to_connect, ctype, rname); @@ -3258,7 +3283,7 @@ channel_connect_to(const char *host, u_short port, char *ctype, char *rname) if (!permit) { for (i = 0; i < num_permitted_opens; i++) if (permitted_opens[i].host_to_connect != NULL && - permitted_opens[i].port_to_connect == port && + port_match(permitted_opens[i].port_to_connect, port) && strcmp(permitted_opens[i].host_to_connect, host) == 0) permit = 1; } @@ -3267,7 +3292,7 @@ channel_connect_to(const char *host, u_short port, char *ctype, char *rname) permit_adm = 0; for (i = 0; i < num_adm_permitted_opens; i++) if (permitted_adm_opens[i].host_to_connect != NULL && - permitted_adm_opens[i].port_to_connect == port && + port_match(permitted_adm_opens[i].port_to_connect, port) && strcmp(permitted_adm_opens[i].host_to_connect, host) == 0) permit_adm = 1; diff --git a/channels.h b/channels.h index ff84ea54f..6f316c824 100644 --- a/channels.h +++ b/channels.h 
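Review bot: `port_match` treats an `allowedport` of 0 as a wildcard, and the hunks at -3237, -3258 and -3267 now route every `permitted_opens`/`permitted_adm_opens` comparison through it, so any entry whose `listen_port` or `port_to_connect` is 0 for a reason other than a parsed `*` silently matches every port. On the client side a remote forward requested with listen port 0 (server picks the port) is presumably recorded in `permitted_opens` before the server's reply fixes the real port; if so, that entry would match any `forwarded-tcpip` listen port in the interim, which is worth confirming against `channel_request_remote_forwarding` and the code that later updates the entry. A comment on the new helper would make the invariant explicit: `/* allowedport == FWD_PERMIT_ANY_PORT (0) matches any port; callers must not store 0 as a literal port */`. Since `FWD_PERMIT_ANY_PORT` is defined in channels.c (hunk at -125) while `permitopen_port` is exported via channels.h, callers outside this file cannot name the sentinel; consider moving the define next to the prototype.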
@@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.107 2011/09/10 22:26:34 markus Exp $ */ +/* $OpenBSD: channels.h,v 1.108 2011/09/23 00:22:04 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -268,6 +268,7 @@ int channel_request_rforward_cancel(const char *host, u_short port); int channel_setup_remote_fwd_listener(const char *, u_short, int *, int); int channel_cancel_rport_listener(const char *, u_short); int channel_cancel_lport_listener(const char *, u_short, int, int); +int permitopen_port(const char *); /* x11 forwarding */ diff --git a/servconf.c b/servconf.c index 91986e55d..8ec5ca0e6 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.222 2011/06/22 21:57:01 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.223 2011/09/23 00:22:04 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1341,7 +1341,7 @@ process_server_config_line(ServerOptions *options, char *line, fatal("%s line %d: missing host in PermitOpen", filename, linenum); p = cleanhostname(p); - if (arg == NULL || (port = a2port(arg)) <= 0) + if (arg == NULL || ((port = permitopen_port(arg)) < 0)) fatal("%s line %d: bad port number in " "PermitOpen", filename, linenum); if (*activep && n == -1) diff --git a/sshd.8 b/sshd.8 index a91be0fad..721015709 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.263 2011/08/02 01:22:11 djm Exp $ -.Dd $Mdocdate: August 2 2011 $ +.\" $OpenBSD: sshd.8,v 1.264 2011/09/23 00:22:04 dtucker Exp $ +.Dd $Mdocdate: September 23 2011 $ .Dt SSHD 8 .Os .Sh NAME @@ -608,6 +608,9 @@ Multiple options may be applied separated by commas. No pattern matching is performed on the specified hostnames, they must be literal domains or addresses. +A port specification of +.Cm * +matches any port. .It Cm principals="principals" On a .Cm cert-authority
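Review bot: The servconf.c hunk at -1341 changes the accepted syntax of the server-wide `PermitOpen` directive, but the file list in the ChangeLog entry covers only sshd.8, whose added sentence sits in the authorized_keys `permitopen` option text; the `PermitOpen` entry in sshd_config.5 should receive the same sentence, e.g. `A port specification of .Cm * matches any port.`, so administrators learn the wildcard exists. The new condition is also written `((port = permitopen_port(arg)) < 0)` here but `(port = permitopen_port(p)) < 0` in auth-options.c; dropping the extra parentheses keeps the two call sites in the same style. `process_server_config_line` begins and ends outside this hunk.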