- markus@cvs.openbsd.org 2001/03/16 19:06:30

[auth-options.c channels.c channels.h serverloop.c session.c] implement "permitopen" key option, restricts -L style forwarding to to specified host:port pairs. based on work by harlan@genua.de
2001-03-17 00:47:54 +00:00 · 2001-03-17 00:47:54 +00:00 · 7bb8b49596
parent cf00df6344
commit 7bb8b49596
6 changed files with 159 additions and 83 deletions
--- a/6
+++ b/6
@ -18,6 +18,10 @@
   - markus@cvs.openbsd.org 2001/03/16 13:44:24
     [sftp-int.c]
     discourage strcat/strcpy
   - markus@cvs.openbsd.org 2001/03/16 19:06:30
     [auth-options.c channels.c channels.h serverloop.c session.c]
     implement "permitopen" key option, restricts -L style forwarding to
     to specified host:port pairs. based on work by harlan@genua.de
 20010315
 - OpenBSD CVS Sync
@ -4580,4 +4584,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.966 2001/03/17 00:37:31 mouring Exp $
+$Id: ChangeLog,v 1.967 2001/03/17 00:47:54 mouring Exp $
--- a/auth-options.c
+++ b/auth-options.c
@ -10,13 +10,14 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.14 2001/03/13 17:34:42 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.15 2001/03/16 19:06:28 markus Exp $");
 #include "packet.h"
 #include "xmalloc.h"
 #include "match.h"
 #include "log.h"
 #include "canohost.h"
 #include "channels.h"
 #include "auth-options.h"
 #include "servconf.h"
@ -51,6 +52,7 @@ auth_clear_options(void)
 		xfree(forced_command);
 		forced_command = NULL;
 	}
 	channel_clear_permitted_opens();
 }
 /*
@ -61,6 +63,7 @@ int
 auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 {
 	const char *cp;
 	int i;
 	/* reset options */
 	auth_clear_options();
@ -99,7 +102,6 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		}
 		cp = "command=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			int i;
 			opts += strlen(cp);
 			forced_command = xmalloc(strlen(opts) + 1);
 			i = 0;
@ -129,9 +131,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		}
 		cp = "environment=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			int i;
 			char *s;
 			struct envstring *new_envstring;
 			opts += strlen(cp);
 			s = xmalloc(strlen(opts) + 1);
 			i = 0;
@ -170,7 +172,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 			const char *remote_host = get_canonical_hostname(
 			    options.reverse_mapping_check);
 			char *patterns = xmalloc(strlen(opts) + 1);
-			int i;
+
 			opts += strlen(cp);
 			i = 0;
 			while (*opts) {
@ -218,6 +220,58 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 			/* Host name matches. */
 			goto next_option;
 		}
 		cp = "permitopen=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			u_short port;
 			char *c, *ep;
 			char *patterns = xmalloc(strlen(opts) + 1);
 			opts += strlen(cp);
 			i = 0;
 			while (*opts) {
 				if (*opts == '"')
 					break;
 				if (*opts == '\\' && opts[1] == '"') {
 					opts += 2;
 					patterns[i++] = '"';
 					continue;
 				}
 				patterns[i++] = *opts++;
 			}
 			if (!*opts) {
 				debug("%.100s, line %lu: missing end quote",
 				    file, linenum);
 				packet_send_debug("%.100s, line %lu: missing end quote",
 				    file, linenum);
 				xfree(patterns);
 				goto bad_option;
 			}
 			patterns[i] = 0;
 			opts++;
 			c = strchr(patterns, ':');
 			if (c == NULL) {
 				debug("%.100s, line %lu: permitopen: missing colon <%.100s>",
 				    file, linenum, patterns);
 				packet_send_debug("%.100s, line %lu: missing colon",
 				    file, linenum);
 				xfree(patterns);
 				goto bad_option;
 			}
 			*c = 0;
 			c++;
 			port = strtol(c, &ep, 0);
 			if (c == ep) {
 				debug("%.100s, line %lu: permitopen: missing port <%.100s>",
 				    file, linenum, patterns);
 				packet_send_debug("%.100s, line %lu: missing port",
 				    file, linenum);
 				xfree(patterns);
 				goto bad_option;
 			}
 			channel_add_permitted_opens(patterns, port);
 			xfree(patterns);
 			goto next_option;
 		}
 next_option:
 		/*
 		 * Skip the comma, and move to the next option
--- a/channels.c
+++ b/channels.c
@ -40,7 +40,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.98 2001/03/04 17:42:28 millert Exp $");
+RCSID("$OpenBSD: channels.c,v 1.99 2001/03/16 19:06:29 markus Exp $");
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
@ -141,18 +141,6 @@ channel_set_options(int hostname_in_open)
 	have_hostname_in_open = hostname_in_open;
 }
 /*
 * Permits opening to any host/port in SSH_MSG_PORT_OPEN.  This is usually
 * called by the server, because the user could connect to any port anyway,
 * and the server has no way to know but to trust the client anyway.
 */
 void
 channel_permit_all_opens()
 {
 	all_opens_permitted = 1;
 }
 /* lookup channel by id */
 Channel *
@ -1791,9 +1779,47 @@ channel_input_port_forward_request(int is_root, int gateway_ports)
 	xfree(hostname);
 }
-/* XXX move to aux.c */
+/*
 * Permits opening to any host/port if permitted_opens[] is empty.  This is
 * usually called by the server, because the user could connect to any port
 * anyway, and the server has no way to know but to trust the client anyway.
 */
 void
 channel_permit_all_opens()
 {
 	if (num_permitted_opens == 0)
 		all_opens_permitted = 1;
 }
 void 
 channel_add_permitted_opens(char *host, int port)
 {
 	if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
 		fatal("channel_request_remote_forwarding: too many forwards");
 	debug("allow port forwarding to host %s port %d", host, port);
 	permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host);
 	permitted_opens[num_permitted_opens].port_to_connect = port;
 	num_permitted_opens++;
 	all_opens_permitted = 0;
 }
 void 
 channel_clear_permitted_opens(void)
 {
 	int i;
 	for (i = 0; i < num_permitted_opens; i++)
 		xfree(permitted_opens[i].host_to_connect);
 	num_permitted_opens = 0;
 }
 /* return socket to remote host, port */
 int
-channel_connect_to(const char *host, u_short host_port)
+connect_to(const char *host, u_short port)
 {
 	struct addrinfo hints, *ai, *aitop;
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@ -1803,9 +1829,10 @@ channel_connect_to(const char *host, u_short host_port)
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_family = IPv4or6;
 	hints.ai_socktype = SOCK_STREAM;
-	snprintf(strport, sizeof strport, "%d", host_port);
+	snprintf(strport, sizeof strport, "%d", port);
 	if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
-		error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
+		error("connect_to %.100s: unknown host (%s)", host,
 		    gai_strerror(gaierr));
 		return -1;
 	}
 	for (ai = aitop; ai; ai = ai->ai_next) {
@ -1813,10 +1840,9 @@ channel_connect_to(const char *host, u_short host_port)
 			continue;
 		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
 		    strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
-			error("channel_connect_to: getnameinfo failed");
+			error("connect_to: getnameinfo failed");
 			continue;
 		}
 		/* Create the socket. */
 		sock = socket(ai->ai_family, SOCK_STREAM, 0);
 		if (sock < 0) {
 			error("socket: %.100s", strerror(errno));
@ -1824,10 +1850,9 @@ channel_connect_to(const char *host, u_short host_port)
 		}
 		if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0)
 			fatal("connect_to: F_SETFL: %s", strerror(errno));
 		/* Connect to the host/port. */
 		if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 &&
 		    errno != EINPROGRESS) {
-			error("connect %.100s port %s: %.100s", ntop, strport,
+			error("connect_to %.100s port %s: %.100s", ntop, strport,
 			    strerror(errno));
 			close(sock);
 			continue;	/* fail -- try next */
@ -1837,19 +1862,21 @@ channel_connect_to(const char *host, u_short host_port)
 	}
 	freeaddrinfo(aitop);
 	if (!ai) {
-		error("connect %.100s port %d: failed.", host, host_port);
+		error("connect_to %.100s port %d: failed.", host, port);
 		return -1;
 	}
 	/* success */
 	return sock;
 }
 int
 channel_connect_by_listen_adress(u_short listen_port)
 {
 	int i;
 	for (i = 0; i < num_permitted_opens; i++)
 		if (permitted_opens[i].listen_port == listen_port)
-			return channel_connect_to(
+			return connect_to(
 			    permitted_opens[i].host_to_connect,
 			    permitted_opens[i].port_to_connect);
 	error("WARNING: Server requests forwarding for unknown listen_port %d",
@ -1857,6 +1884,28 @@ channel_connect_by_listen_adress(u_short listen_port)
 	return -1;
 }
 /* Check if connecting to that port is permitted and connect. */
 int
 channel_connect_to(const char *host, u_short port)
 {
 	int i, permit;
 	permit = all_opens_permitted;
 	if (!permit) {
 		for (i = 0; i < num_permitted_opens; i++)
 			if (permitted_opens[i].port_to_connect == port &&
 			    strcmp(permitted_opens[i].host_to_connect, host) == 0)
 				permit = 1;
 	}
 	if (!permit) {
 		log("Received request to connect to host %.100s port %d, "
 		    "but the request was denied.", host, port);
 		return -1;
 	}
 	return connect_to(host, port);
 }
 /*
 * This is called after receiving PORT_OPEN message.  This attempts to
 * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
@ -1868,55 +1917,25 @@ channel_input_port_open(int type, int plen, void *ctxt)
 {
 	u_short host_port;
 	char *host, *originator_string;
-	int remote_channel, sock = -1, newch, i, denied;
+	int remote_channel, sock = -1, newch;
 	u_int host_len, originator_len;
 	/* Get remote channel number. */
 	remote_channel = packet_get_int();
-
+	host = packet_get_string(NULL);
 	/* Get host name to connect to. */
 	host = packet_get_string(&host_len);
 	/* Get port to connect to. */
 	host_port = packet_get_int();
 	/* Get remote originator name. */
 	if (have_hostname_in_open) {
-		originator_string = packet_get_string(&originator_len);
+		originator_string = packet_get_string(NULL);
 		originator_len += 4;	/* size of packet_int */
 	} else {
 		originator_string = xstrdup("unknown (remote did not supply name)");
 		originator_len = 0;	/* no originator supplied */
 	}
-
+	packet_done();
-	packet_integrity_check(plen,
+	sock = channel_connect_to(host, host_port);
-	    4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN);
+	if (sock != -1) {
 	/* Check if opening that port is permitted. */
 	denied = 0;
 	if (!all_opens_permitted) {
 		/* Go trough all permitted ports. */
 		for (i = 0; i < num_permitted_opens; i++)
 			if (permitted_opens[i].port_to_connect == host_port &&
 			    strcmp(permitted_opens[i].host_to_connect, host) == 0)
 				break;
 		/* Check if we found the requested port among those permitted. */
 		if (i >= num_permitted_opens) {
 			/* The port is not permitted. */
 			log("Received request to connect to %.100s:%d, but the request was denied.",
 			    host, host_port);
 			denied = 1;
 		}
 	}
 	sock = denied ? -1 : channel_connect_to(host, host_port);
 	if (sock > 0) {
 		/* Allocate a channel for this connection. */
 		newch = channel_allocate(SSH_CHANNEL_CONNECTING,
 		    sock, originator_string);
 /*XXX delay answer? */
 		channels[newch].remote_id = remote_channel;
 		/*XXX delay answer? */
 		packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
 		packet_put_int(remote_channel);
 		packet_put_int(newch);
--- a/channels.h
+++ b/channels.h
@ -32,11 +32,13 @@
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-/* RCSID("$OpenBSD: channels.h,v 1.27 2001/02/15 23:19:59 markus Exp $"); */
+/* RCSID("$OpenBSD: channels.h,v 1.28 2001/03/16 19:06:29 markus Exp $"); */
 #ifndef CHANNELS_H
 #define CHANNELS_H
 #include "buffer.h"
 /* Definitions for channel types. */
 #define SSH_CHANNEL_FREE		0	/* This channel is free (unused). */
 #define SSH_CHANNEL_X11_LISTENER	1	/* Listening for inet X11 conn. */
@ -226,12 +228,18 @@ channel_request_remote_forwarding(u_short port, const char *host,
    u_short remote_port);
 /*
- * Permits opening to any host/port in SSH_MSG_PORT_OPEN.  This is usually
+ * Permits opening to any host/port if permitted_opens[] is empty.  This is
- * called by the server, because the user could connect to any port anyway,
+ * usually called by the server, because the user could connect to any port
- * and the server has no way to know but to trust the client anyway.
+ * anyway, and the server has no way to know but to trust the client anyway.
 */
 void    channel_permit_all_opens(void);
 /* Add host/port to list of allowed targets for port forwarding */
 void	channel_add_permitted_opens(char *host, int port);
 /* Flush list */
 void	channel_clear_permitted_opens(void);
 /*
 * This is called after receiving CHANNEL_FORWARDING_REQUEST.  This initates
 * listening for the port, and sends back a success reply (or disconnect
--- a/serverloop.c
+++ b/serverloop.c
@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.54 2001/03/04 01:46:30 djm Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
 #include "xmalloc.h"
 #include "packet.h"
@ -756,11 +756,6 @@ server_request_direct_tcpip(char *ctype)
 	   originator, originator_port, target, target_port);
 	/* XXX check permission */
 	if (no_port_forwarding_flag || !options.allow_tcp_forwarding) {
 		xfree(target);
 		xfree(originator);
 		return NULL;
 	}
 	sock = channel_connect_to(target, target_port);
 	xfree(target);
 	xfree(originator);
@ -858,6 +853,7 @@ server_input_global_request(int type, int plen, void *ctxt)
 	want_reply = packet_get_char();
 	debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply);
 	/* -R style forwarding */
 	if (strcmp(rtype, "tcpip-forward") == 0) {
 		struct passwd *pw;
 		char *listen_address;
--- a/session.c
+++ b/session.c
@ -33,7 +33,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.60 2001/03/15 22:07:08 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.61 2001/03/16 19:06:30 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@ -228,13 +228,6 @@ do_authenticated(struct passwd * pw)
 		startup_pipe = -1;
 	}
 	/*
 	 * Inform the channel mechanism that we are the server side and that
 	 * the client may request to connect to any port at all. (The user
 	 * could do it anyway, and we wouldn\'t know what is permitted except
 	 * by the client telling us, so we can equally well trust the client
 	 * not to request anything bogus.)
 	 */
 	if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
 		channel_permit_all_opens();
@ -2037,6 +2030,8 @@ do_authenticated2(Authctxt *authctxt)
 		close(startup_pipe);
 		startup_pipe = -1;
 	}
 	if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
 		channel_permit_all_opens();
 #if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD)
 	if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) {
 		error("unable to get login class");