- markus@cvs.openbsd.org 2001/03/16 19:06:30

[auth-options.c channels.c channels.h serverloop.c session.c]
     implement "permitopen" key option, restricts -L style forwarding to
     to specified host:port pairs. based on work by harlan@genua.de

ChangeLog

@@ -18,6 +18,10 @@
    - markus@cvs.openbsd.org 2001/03/16 13:44:24
      [sftp-int.c]
      discourage strcat/strcpy
+   - markus@cvs.openbsd.org 2001/03/16 19:06:30
+     [auth-options.c channels.c channels.h serverloop.c session.c]
+     implement "permitopen" key option, restricts -L style forwarding to
+     to specified host:port pairs. based on work by harlan@genua.de
 
 20010315
  - OpenBSD CVS Sync
@@ -4580,4 +4584,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.966 2001/03/17 00:37:31 mouring Exp $
+$Id: ChangeLog,v 1.967 2001/03/17 00:47:54 mouring Exp $

auth-options.c

@@ -10,13 +10,14 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.14 2001/03/13 17:34:42 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.15 2001/03/16 19:06:28 markus Exp $");
 
 #include "packet.h"
 #include "xmalloc.h"
 #include "match.h"
 #include "log.h"
 #include "canohost.h"
+#include "channels.h"
 #include "auth-options.h"
 #include "servconf.h"
 
@@ -51,6 +52,7 @@ auth_clear_options(void)
 		xfree(forced_command);
 		forced_command = NULL;
 	}
+	channel_clear_permitted_opens();
 }
 
 /*
@@ -61,6 +63,7 @@ int
 auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 {
 	const char *cp;
+	int i;
 
 	/* reset options */
 	auth_clear_options();
@@ -99,7 +102,6 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		}
 		cp = "command=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			int i;
 			opts += strlen(cp);
 			forced_command = xmalloc(strlen(opts) + 1);
 			i = 0;
@@ -129,9 +131,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		}
 		cp = "environment=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			int i;
 			char *s;
 			struct envstring *new_envstring;
+
 			opts += strlen(cp);
 			s = xmalloc(strlen(opts) + 1);
 			i = 0;
@@ -170,7 +172,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 			const char *remote_host = get_canonical_hostname(
 			    options.reverse_mapping_check);
 			char *patterns = xmalloc(strlen(opts) + 1);
-			int i;
+
 			opts += strlen(cp);
 			i = 0;
 			while (*opts) {
@@ -218,6 +220,58 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 			/* Host name matches. */
 			goto next_option;
 		}
+		cp = "permitopen=\"";
+		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+			u_short port;
+			char *c, *ep;
+			char *patterns = xmalloc(strlen(opts) + 1);
+
+			opts += strlen(cp);
+			i = 0;
+			while (*opts) {
+				if (*opts == '"')
+					break;
+				if (*opts == '\\' && opts[1] == '"') {
+					opts += 2;
+					patterns[i++] = '"';
+					continue;
+				}
+				patterns[i++] = *opts++;
+			}
+			if (!*opts) {
+				debug("%.100s, line %lu: missing end quote",
+				    file, linenum);
+				packet_send_debug("%.100s, line %lu: missing end quote",
+				    file, linenum);
+				xfree(patterns);
+				goto bad_option;
+			}
+			patterns[i] = 0;
+			opts++;
+			c = strchr(patterns, ':');
+			if (c == NULL) {
+				debug("%.100s, line %lu: permitopen: missing colon <%.100s>",
+				    file, linenum, patterns);
+				packet_send_debug("%.100s, line %lu: missing colon",
+				    file, linenum);
+				xfree(patterns);
+				goto bad_option;
+			}
+			*c = 0;
+			c++;
+			port = strtol(c, &ep, 0);
+			if (c == ep) {
+				debug("%.100s, line %lu: permitopen: missing port <%.100s>",
+				    file, linenum, patterns);
+				packet_send_debug("%.100s, line %lu: missing port",
+				    file, linenum);
+				xfree(patterns);
+				goto bad_option;
+			}
+			channel_add_permitted_opens(patterns, port);
+			xfree(patterns);
+			goto next_option;
+		}
 next_option:
 		/*
 		 * Skip the comma, and move to the next option

channels.c

@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.98 2001/03/04 17:42:28 millert Exp $");
+RCSID("$OpenBSD: channels.c,v 1.99 2001/03/16 19:06:29 markus Exp $");
 
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
@@ -141,18 +141,6 @@ channel_set_options(int hostname_in_open)
 	have_hostname_in_open = hostname_in_open;
 }
 
-/*
- * Permits opening to any host/port in SSH_MSG_PORT_OPEN.  This is usually
- * called by the server, because the user could connect to any port anyway,
- * and the server has no way to know but to trust the client anyway.
- */
-
-void
-channel_permit_all_opens()
-{
-	all_opens_permitted = 1;
-}
-
 /* lookup channel by id */
 
 Channel *
@@ -1791,9 +1779,47 @@ channel_input_port_forward_request(int is_root, int gateway_ports)
 	xfree(hostname);
 }
 
-/* XXX move to aux.c */
+/*
+ * Permits opening to any host/port if permitted_opens[] is empty.  This is
+ * usually called by the server, because the user could connect to any port
+ * anyway, and the server has no way to know but to trust the client anyway.
+ */
+void
+channel_permit_all_opens()
+{
+	if (num_permitted_opens == 0)
+		all_opens_permitted = 1;
+}
+
+void 
+channel_add_permitted_opens(char *host, int port)
+{
+	if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
+		fatal("channel_request_remote_forwarding: too many forwards");
+	debug("allow port forwarding to host %s port %d", host, port);
+
+	permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host);
+	permitted_opens[num_permitted_opens].port_to_connect = port;
+	num_permitted_opens++;
+
+	all_opens_permitted = 0;
+}
+
+void 
+channel_clear_permitted_opens(void)
+{
+	int i;
+
+	for (i = 0; i < num_permitted_opens; i++)
+		xfree(permitted_opens[i].host_to_connect);
+	num_permitted_opens = 0;
+
+}
+
+
+/* return socket to remote host, port */
 int
-channel_connect_to(const char *host, u_short host_port)
+connect_to(const char *host, u_short port)
 {
 	struct addrinfo hints, *ai, *aitop;
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1803,9 +1829,10 @@ channel_connect_to(const char *host, u_short host_port)
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_family = IPv4or6;
 	hints.ai_socktype = SOCK_STREAM;
-	snprintf(strport, sizeof strport, "%d", host_port);
+	snprintf(strport, sizeof strport, "%d", port);
 	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
-		error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
+		error("connect_to %.100s: unknown host (%s)", host,
+		    gai_strerror(gaierr));
 		return -1;
 	}
 	for (ai = aitop; ai; ai = ai->ai_next) {
@@ -1813,10 +1840,9 @@ channel_connect_to(const char *host, u_short host_port)
 			continue;
 		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
 		    strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
-			error("channel_connect_to: getnameinfo failed");
+			error("connect_to: getnameinfo failed");
 			continue;
 		}
-		/* Create the socket. */
 		sock = socket(ai->ai_family, SOCK_STREAM, 0);
 		if (sock < 0) {
 			error("socket: %.100s", strerror(errno));
@@ -1824,10 +1850,9 @@ channel_connect_to(const char *host, u_short host_port)
 		}
 		if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0)
 			fatal("connect_to: F_SETFL: %s", strerror(errno));
-		/* Connect to the host/port. */
 		if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 &&
 		    errno != EINPROGRESS) {
-			error("connect %.100s port %s: %.100s", ntop, strport,
+			error("connect_to %.100s port %s: %.100s", ntop, strport,
 			    strerror(errno));
 			close(sock);
 			continue;	/* fail -- try next */
@@ -1837,19 +1862,21 @@ channel_connect_to(const char *host, u_short host_port)
 	}
 	freeaddrinfo(aitop);
 	if (!ai) {
-		error("connect %.100s port %d: failed.", host, host_port);
+		error("connect_to %.100s port %d: failed.", host, port);
 		return -1;
 	}
 	/* success */
 	return sock;
 }
+
 int
 channel_connect_by_listen_adress(u_short listen_port)
 {
 	int i;
+
 	for (i = 0; i < num_permitted_opens; i++)
 		if (permitted_opens[i].listen_port == listen_port)
-			return channel_connect_to(
+			return connect_to(
 			    permitted_opens[i].host_to_connect,
 			    permitted_opens[i].port_to_connect);
 	error("WARNING: Server requests forwarding for unknown listen_port %d",
@@ -1857,6 +1884,28 @@ channel_connect_by_listen_adress(u_short listen_port)
 	return -1;
 }
 
+/* Check if connecting to that port is permitted and connect. */
+int
+channel_connect_to(const char *host, u_short port)
+{
+	int i, permit;
+
+	permit = all_opens_permitted;
+	if (!permit) {
+		for (i = 0; i < num_permitted_opens; i++)
+			if (permitted_opens[i].port_to_connect == port &&
+			    strcmp(permitted_opens[i].host_to_connect, host) == 0)
+				permit = 1;
+
+	}
+	if (!permit) {
+		log("Received request to connect to host %.100s port %d, "
+		    "but the request was denied.", host, port);
+		return -1;
+	}
+	return connect_to(host, port);
+}
+
 /*
  * This is called after receiving PORT_OPEN message.  This attempts to
  * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
@@ -1868,55 +1917,25 @@ channel_input_port_open(int type, int plen, void *ctxt)
 {
 	u_short host_port;
 	char *host, *originator_string;
-	int remote_channel, sock = -1, newch, i, denied;
-	u_int host_len, originator_len;
+	int remote_channel, sock = -1, newch;
 
-	/* Get remote channel number. */
 	remote_channel = packet_get_int();
-
-	/* Get host name to connect to. */
-	host = packet_get_string(&host_len);
-
-	/* Get port to connect to. */
+	host = packet_get_string(NULL);
 	host_port = packet_get_int();
 
-	/* Get remote originator name. */
 	if (have_hostname_in_open) {
-		originator_string = packet_get_string(&originator_len);
-		originator_len += 4;	/* size of packet_int */
+		originator_string = packet_get_string(NULL);
 	} else {
 		originator_string = xstrdup("unknown (remote did not supply name)");
-		originator_len = 0;	/* no originator supplied */
 	}
-
-	packet_integrity_check(plen,
-	    4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN);
-
-	/* Check if opening that port is permitted. */
-	denied = 0;
-	if (!all_opens_permitted) {
-		/* Go trough all permitted ports. */
-		for (i = 0; i < num_permitted_opens; i++)
-			if (permitted_opens[i].port_to_connect == host_port &&
-			    strcmp(permitted_opens[i].host_to_connect, host) == 0)
-				break;
-
-		/* Check if we found the requested port among those permitted. */
-		if (i >= num_permitted_opens) {
-			/* The port is not permitted. */
-			log("Received request to connect to %.100s:%d, but the request was denied.",
-			    host, host_port);
-			denied = 1;
-		}
-	}
-	sock = denied ? -1 : channel_connect_to(host, host_port);
-	if (sock > 0) {
-		/* Allocate a channel for this connection. */
+	packet_done();
+	sock = channel_connect_to(host, host_port);
+	if (sock != -1) {
 		newch = channel_allocate(SSH_CHANNEL_CONNECTING,
 		    sock, originator_string);
-/*XXX delay answer? */
 		channels[newch].remote_id = remote_channel;
 
+		/*XXX delay answer? */
 		packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
 		packet_put_int(remote_channel);
 		packet_put_int(newch);

channels.h

@@ -32,11 +32,13 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-/* RCSID("$OpenBSD: channels.h,v 1.27 2001/02/15 23:19:59 markus Exp $"); */
+/* RCSID("$OpenBSD: channels.h,v 1.28 2001/03/16 19:06:29 markus Exp $"); */
 
 #ifndef CHANNELS_H
 #define CHANNELS_H
 
+#include "buffer.h"
+
 /* Definitions for channel types. */
 #define SSH_CHANNEL_FREE		0	/* This channel is free (unused). */
 #define SSH_CHANNEL_X11_LISTENER	1	/* Listening for inet X11 conn. */
@@ -226,12 +228,18 @@ channel_request_remote_forwarding(u_short port, const char *host,
     u_short remote_port);
 
 /*
- * Permits opening to any host/port in SSH_MSG_PORT_OPEN.  This is usually
- * called by the server, because the user could connect to any port anyway,
- * and the server has no way to know but to trust the client anyway.
+ * Permits opening to any host/port if permitted_opens[] is empty.  This is
+ * usually called by the server, because the user could connect to any port
+ * anyway, and the server has no way to know but to trust the client anyway.
  */
 void    channel_permit_all_opens(void);
 
+/* Add host/port to list of allowed targets for port forwarding */
+void	channel_add_permitted_opens(char *host, int port);
+
+/* Flush list */
+void	channel_clear_permitted_opens(void);
+
 /*
  * This is called after receiving CHANNEL_FORWARDING_REQUEST.  This initates
  * listening for the port, and sends back a success reply (or disconnect

serverloop.c

@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.54 2001/03/04 01:46:30 djm Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
 
 #include "xmalloc.h"
 #include "packet.h"
@@ -756,11 +756,6 @@ server_request_direct_tcpip(char *ctype)
 	   originator, originator_port, target, target_port);
 
 	/* XXX check permission */
-	if (no_port_forwarding_flag || !options.allow_tcp_forwarding) {
-		xfree(target);
-		xfree(originator);
-		return NULL;
-	}
 	sock = channel_connect_to(target, target_port);
 	xfree(target);
 	xfree(originator);
@@ -858,6 +853,7 @@ server_input_global_request(int type, int plen, void *ctxt)
 	want_reply = packet_get_char();
 	debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply);
 
+	/* -R style forwarding */
 	if (strcmp(rtype, "tcpip-forward") == 0) {
 		struct passwd *pw;
 		char *listen_address;

session.c

@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.60 2001/03/15 22:07:08 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.61 2001/03/16 19:06:30 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -228,13 +228,6 @@ do_authenticated(struct passwd * pw)
 		startup_pipe = -1;
 	}
 
-	/*
-	 * Inform the channel mechanism that we are the server side and that
-	 * the client may request to connect to any port at all. (The user
-	 * could do it anyway, and we wouldn\'t know what is permitted except
-	 * by the client telling us, so we can equally well trust the client
-	 * not to request anything bogus.)
-	 */
 	if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
 		channel_permit_all_opens();
 
@@ -2037,6 +2030,8 @@ do_authenticated2(Authctxt *authctxt)
 		close(startup_pipe);
 		startup_pipe = -1;
 	}
+	if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+		channel_permit_all_opens();
 #if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD)
 	if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) {
 		error("unable to get login class");