upstream: allow bare port numbers to appear in PermitListen directives,

e.g.

PermitListen 2222 8080

is equivalent to:

PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@

OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
djm@openbsd.org 2018-06-19 02:59:41 +00:00 committed by Damien Miller
parent 26f96ca10a
commit 87ddd676da
4 changed files with 65 additions and 30 deletions


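--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.82 2018/06/07 09:26:42 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.83 2018/06/19 02:59:41 djm Exp $ */
 /*
 * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
 *
@@ -313,8 +313,8 @@ sshauthopt_new_with_keys_defaults(void)
 * Return 0 on success. Return -1 on failure and sets *errstrp to error reason.
 */
 static int
-handle_permit(const char **optsp, char ***permitsp, size_t *npermitsp,
-const char **errstrp)
+handle_permit(const char **optsp, int allow_bare_port,
+char ***permitsp, size_t *npermitsp, const char **errstrp)
 {
 char *opt, *tmp, *cp, *host, **permits = *permitsp;
 size_t npermits = *npermitsp;
@@ -327,6 +327,18 @@ handle_permit(const char **optsp, char ***permitsp, size_t *npermitsp,
 if ((opt = opt_dequote(optsp, &errstr)) == NULL) {
 return -1;
 }
+if (allow_bare_port && strchr(opt, ':') == NULL) {
+/*
+* Allow a bare port number in permitlisten to indicate a
+* listen_host wildcard.
+*/
+if (asprintf(&tmp, "*:%s", opt) < 0) {
+*errstrp = "memory allocation failed";
+return -1;
+}
+free(opt);
+opt = tmp;
+}
 if ((tmp = strdup(opt)) == NULL) {
 free(opt);
 *errstrp = "memory allocation failed";
@@ -474,11 +486,11 @@ sshauthopt_parse(const char *opts, const char **errstrp)
 }
 ret->env[ret->nenv++] = opt;
 } else if (opt_match(&opts, "permitopen")) {
-if (handle_permit(&opts, &ret->permitopen,
+if (handle_permit(&opts, 0, &ret->permitopen,
 &ret->npermitopen, &errstr) != 0)
 goto fail;
 } else if (opt_match(&opts, "permitlisten")) {
-if (handle_permit(&opts, &ret->permitlisten,
+if (handle_permit(&opts, 1, &ret->permitlisten,
 &ret->npermitlisten, &errstr) != 0)
 goto fail;
 } else if (opt_match(&opts, "tunnel")) {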
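Review bot: The asprintf() failure path in the new bare-port branch of handle_permit returns -1 without releasing `opt`, whereas the strdup() failure path immediately below it frees `opt` first, so the dequoted option string leaks on that error. Add `free(opt);` before the `return -1;` inside the `asprintf(...) < 0` block (and do not free `tmp` there, since its contents are unspecified after a failed asprintf). The rewrite to `*:%s` also happens before any validation of the bare value, so a non-numeric token such as `foo` becomes `*:foo`; presumably the host/port parsing further down rejects it, but that code is outside the hunk. handle_permit begins before this hunk and continues past it.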


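--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.332 2018/06/09 03:03:10 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.333 2018/06/19 02:59:41 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -1870,15 +1870,23 @@ process_server_config_line(ServerOptions *options, char *line,
 break;
 }
 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
+if (opcode == sPermitListen &&
+strchr(arg, ':') == NULL) {
+/*
+* Allow bare port number for PermitListen
+* to indicate a wildcard listen host.
+*/
+xasprintf(&arg2, "*:%s", arg);
+} else {
 arg2 = xstrdup(arg);
 p = hpdelim(&arg);
-/* XXX support bare port number for PermitListen */
 if (p == NULL) {
 fatal("%s line %d: missing host in %s",
 filename, linenum,
 lookup_opcode_name(opcode));
 }
 p = cleanhostname(p);
+}
 if (arg == NULL ||
 ((port = permitopen_port(arg)) < 0)) {
 fatal("%s line %d: bad port number in %s",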
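Review bot: In the new bare-port branch of the PermitListen loop `p` is never assigned, so if anything after the port check reads `p` (the loop body continues past the hunk) it sees whatever the previous iteration left there; if `p` is only consumed by the host checks inside the else branch, a short comment in the new branch, `/* p unused here: listen host is the "*" wildcard */`, would make that explicit. The bare-port path also skips hpdelim()/cleanhostname() entirely and relies on permitopen_port(arg) below to reject non-numeric tokens, so a bare hostname such as `PermitListen localhost` is reported as a bad port number rather than a missing port, which may be worth a clearer diagnostic. The enclosing for loop and process_server_config_line both start before and end after this hunk.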

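--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.301 2018/06/07 11:26:14 jmc Exp $
-.Dd $Mdocdate: June 7 2018 $
+.\" $OpenBSD: sshd.8,v 1.302 2018/06/19 02:59:41 djm Exp $
+.Dd $Mdocdate: June 19 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -554,11 +554,11 @@ Disables execution of
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.
-.It Cm permitlisten="host:port"
+.It Cm permitlisten="[host:]port"
 Limit remote port forwarding with the
 .Xr ssh 1
 .Fl R
-option such that it may only listen on the specified host and port.
+option such that it may only listen on the specified host (optional) and port.
 IPv6 addresses can be specified by enclosing the address in square brackets.
 Multiple
 .Cm permitlisten
@@ -571,6 +571,15 @@ matches any port.
 Note that the setting of
 .Cm GatewayPorts
 may further restrict listen addresses.
+Note that
+.Xr ssh 1
+will send a hostname of
+.Dq localhost
+if a listen host was not specified when the forwarding was requested, and
+that his name is treated differently to the explicit localhost addresses
+.Dq 127.0.0.1
+and
+.Dq ::1 .
 .It Cm permitopen="host:port"
 Limit local port forwarding with the
 .Xr ssh 1
@@ -639,6 +648,8 @@ command="dump /home",no-pty,no-port-forwarding ssh-dss
 AAAAC3...51R== example.net
 permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
 AAAAB5...21S==
+permitlisten="localhost:8080",permitopen="localhost:22000" ssh-dss
+AAAAB5...21S==
 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
 jane@example.net
 restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==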


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.275 2018/06/09 03:18:11 djm Exp $ .\" $OpenBSD: sshd_config.5,v 1.276 2018/06/19 02:59:41 djm Exp $
.Dd $Mdocdate: June 9 2018 $ .Dd $Mdocdate: June 19 2018 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -1196,18 +1196,13 @@ The listen specification must be one of the following forms:
.It .It
.Cm PermitListen .Cm PermitListen
.Sm off .Sm off
.Ar port
.Sm on
.It
.Cm PermitListen
.Sm off
.Ar host : port .Ar host : port
.Sm on .Sm on
.It
.Cm PermitListen
.Sm off
.Ar IPv4_addr : port
.Sm on
.It
.Cm PermitListen
.Sm off
.Ar \&[ IPv6_addr \&] : port
.Sm on
.El .El
.Pp .Pp
Multiple permissions may be specified by separating them with whitespace. Multiple permissions may be specified by separating them with whitespace.
@ -1226,6 +1221,15 @@ By default all port forwarding listen requests are permitted.
Note that the Note that the
.Cm GatewayPorts .Cm GatewayPorts
option may further restrict which addresses may be listened on. option may further restrict which addresses may be listened on.
Note also that
.Xr ssh 1
will request a listen host of
.Dq localhost
if no listen host was specifically requested, and this this name is
treated differently to explict localhost addresses of
.Dq 127.0.0.1
and
.Dq ::1 .
.It Cm PermitOpen .It Cm PermitOpen
Specifies the destinations to which TCP port forwarding is permitted. Specifies the destinations to which TCP port forwarding is permitted.
The forwarding specification must be one of the following forms: The forwarding specification must be one of the following forms: