upstream commit

add a "rdomain" criteria for the sshd_config Match
keyword to allow conditional configuration that depends on which rdomain(4) a
connection was recevied on. ok markus@

Upstream-ID: 27d8fd5a3f1bae18c9c6e533afdf99bff887a4fb

servconf.c

@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.316 2017/10/25 00:17:08 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.317 2017/10/25 00:19:47 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -855,6 +855,7 @@ get_connection_info(int populate, int use_dns)
 	ci.address = ssh_remote_ipaddr(ssh);
 	ci.laddress = ssh_local_ipaddr(ssh);
 	ci.lport = ssh_local_port(ssh);
+	ci.rdomain = ssh_packet_rdomain_in(ssh);
 	return &ci;
 }
 
@@ -1038,6 +1039,16 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 				    ci->laddress, port, line);
 			else
 				result = 0;
+		} else if (strcasecmp(attrib, "rdomain") == 0) {
+			if (ci == NULL || ci->rdomain == NULL) {
+				result = 0;
+				continue;
+			}
+			if (match_pattern_list(ci->rdomain, arg, 0) != 1)
+				result = 0;
+			else
+				debug("user %.100s matched 'RDomain %.100s' at "
+				    "line %d", ci->rdomain, arg, line);
 		} else {
 			error("Unsupported Match attribute %s", attrib);
 			return -1;
@@ -2080,6 +2091,8 @@ int parse_server_match_testspec(struct connection_info *ci, char *spec)
 			ci->user = xstrdup(p + 5);
 		} else if (strncmp(p, "laddr=", 6) == 0) {
 			ci->laddress = xstrdup(p + 6);
+		} else if (strncmp(p, "rdomain=", 8) == 0) {
+			ci->rdomain = xstrdup(p + 8);
 		} else if (strncmp(p, "lport=", 6) == 0) {
 			ci->lport = a2port(p + 6);
 			if (ci->lport == -1) {

servconf.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.129 2017/10/25 00:17:08 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.130 2017/10/25 00:19:47 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -218,6 +218,7 @@ struct connection_info {
 	const char *address; 	/* remote address */
 	const char *laddress;	/* local address */
 	int lport;		/* local port */
+	const char *rdomain;	/* routing domain if available */
 };
 
 

sshd.8

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.291 2017/06/24 06:28:50 jmc Exp $
-.Dd $Mdocdate: June 24 2017 $
+.\" $OpenBSD: sshd.8,v 1.292 2017/10/25 00:19:47 djm Exp $
+.Dd $Mdocdate: October 25 2017 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -109,6 +109,7 @@ The keywords are
 .Dq host ,
 .Dq laddr ,
 .Dq lport ,
+.Dq rdomain
 and
 .Dq addr .
 All are required and may be supplied in any order, either with multiple

sshd.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.495 2017/10/25 00:17:08 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.496 2017/10/25 00:19:47 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1404,7 +1404,7 @@ main(int ac, char **av)
 	extern int optind;
 	int r, opt, on = 1, already_daemon, remote_port;
 	int sock_in = -1, sock_out = -1, newsock = -1;
-	const char *remote_ip;
+	const char *remote_ip, *rdomain;
 	char *fp, *line, *laddr, *logfile = NULL;
 	int config_s[2] = { -1 , -1 };
 	u_int i, j;
@@ -2022,10 +2022,14 @@ main(int ac, char **av)
 	audit_connection_from(remote_ip, remote_port);
 #endif
 
+	rdomain = ssh_packet_rdomain_in(ssh);
+
 	/* Log the connection. */
 	laddr = get_local_ipaddr(sock_in);
-	verbose("Connection from %s port %d on %s port %d",
-	    remote_ip, remote_port, laddr,  ssh_local_port(ssh));
+	verbose("Connection from %s port %d on %s port %d%s%s",
+	    remote_ip, remote_port, laddr,  ssh_local_port(ssh),
+	    rdomain == NULL ? "" : " rdomain ",
+	    rdomain == NULL ? "" : rdomain);
 	free(laddr);
 
 	/*

sshd_config.5

@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.257 2017/10/25 00:17:08 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.258 2017/10/25 00:19:47 djm Exp $
 .Dd $Mdocdate: October 25 2017 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -1054,8 +1054,15 @@ The available criteria are
 .Cm Host ,
 .Cm LocalAddress ,
 .Cm LocalPort ,
+.Cm RDomain ,
 and
-.Cm Address .
+.Cm Address
+(with
+.Cm RDomain
+representing the
+.Xr rdomain 4
+on which the connection was received.)
+.Pp
 The match patterns may consist of single entries or comma-separated
 lists and may use the wildcard and negation operators described in the
 .Sx PATTERNS