upstream: allow bare port numbers to appear in PermitListen directives,
e.g. PermitListen 2222 8080 is equivalent to: PermitListen *:2222 *:8080

Some bonus manpage improvements, mostly from markus@

"looks fine" markus@

OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
parent
26f96ca10a
commit
87ddd676da
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: auth-options.c,v 1.82 2018/06/07 09:26:42 djm Exp $ */
|
/* $OpenBSD: auth-options.c,v 1.83 2018/06/19 02:59:41 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2018 Damien Miller <djm@mindrot.org>
|
* Copyright (c) 2018 Damien Miller <djm@mindrot.org>
|
||||||
*
|
*
|
||||||
|
@ -313,8 +313,8 @@ sshauthopt_new_with_keys_defaults(void)
|
||||||
* Return 0 on success. Return -1 on failure and sets *errstrp to error reason.
|
* Return 0 on success. Return -1 on failure and sets *errstrp to error reason.
|
||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
handle_permit(const char **optsp, char ***permitsp, size_t *npermitsp,
|
handle_permit(const char **optsp, int allow_bare_port,
|
||||||
const char **errstrp)
|
char ***permitsp, size_t *npermitsp, const char **errstrp)
|
||||||
{
|
{
|
||||||
char *opt, *tmp, *cp, *host, **permits = *permitsp;
|
char *opt, *tmp, *cp, *host, **permits = *permitsp;
|
||||||
size_t npermits = *npermitsp;
|
size_t npermits = *npermitsp;
|
||||||
|
@ -327,6 +327,18 @@ handle_permit(const char **optsp, char ***permitsp, size_t *npermitsp,
|
||||||
if ((opt = opt_dequote(optsp, &errstr)) == NULL) {
|
if ((opt = opt_dequote(optsp, &errstr)) == NULL) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
if (allow_bare_port && strchr(opt, ':') == NULL) {
|
||||||
|
/*
|
||||||
|
* Allow a bare port number in permitlisten to indicate a
|
||||||
|
* listen_host wildcard.
|
||||||
|
*/
|
||||||
|
if (asprintf(&tmp, "*:%s", opt) < 0) {
|
||||||
|
*errstrp = "memory allocation failed";
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
free(opt);
|
||||||
|
opt = tmp;
|
||||||
|
}
|
||||||
if ((tmp = strdup(opt)) == NULL) {
|
if ((tmp = strdup(opt)) == NULL) {
|
||||||
free(opt);
|
free(opt);
|
||||||
*errstrp = "memory allocation failed";
|
*errstrp = "memory allocation failed";
|
||||||
|
@ -474,11 +486,11 @@ sshauthopt_parse(const char *opts, const char **errstrp)
|
||||||
}
|
}
|
||||||
ret->env[ret->nenv++] = opt;
|
ret->env[ret->nenv++] = opt;
|
||||||
} else if (opt_match(&opts, "permitopen")) {
|
} else if (opt_match(&opts, "permitopen")) {
|
||||||
if (handle_permit(&opts, &ret->permitopen,
|
if (handle_permit(&opts, 0, &ret->permitopen,
|
||||||
&ret->npermitopen, &errstr) != 0)
|
&ret->npermitopen, &errstr) != 0)
|
||||||
goto fail;
|
goto fail;
|
||||||
} else if (opt_match(&opts, "permitlisten")) {
|
} else if (opt_match(&opts, "permitlisten")) {
|
||||||
if (handle_permit(&opts, &ret->permitlisten,
|
if (handle_permit(&opts, 1, &ret->permitlisten,
|
||||||
&ret->npermitlisten, &errstr) != 0)
|
&ret->npermitlisten, &errstr) != 0)
|
||||||
goto fail;
|
goto fail;
|
||||||
} else if (opt_match(&opts, "tunnel")) {
|
} else if (opt_match(&opts, "tunnel")) {
|
||||||
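--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.332 2018/06/09 03:03:10 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.333 2018/06/19 02:59:41 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -1870,15 +1870,23 @@ process_server_config_line(ServerOptions *options, char *line,
 			break;
 		}
 		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
-			arg2 = xstrdup(arg);
-			p = hpdelim(&arg);
-			/* XXX support bare port number for PermitListen */
-			if (p == NULL) {
-				fatal("%s line %d: missing host in %s",
-				    filename, linenum,
-				    lookup_opcode_name(opcode));
+			if (opcode == sPermitListen &&
+			    strchr(arg, ':') == NULL) {
+				/*
+				 * Allow bare port number for PermitListen
+				 * to indicate a wildcard listen host.
+				 */
+				xasprintf(&arg2, "*:%s", arg);
+			} else {
+				arg2 = xstrdup(arg);
+				p = hpdelim(&arg);
+				if (p == NULL) {
+					fatal("%s line %d: missing host in %s",
+					    filename, linenum,
+					    lookup_opcode_name(opcode));
+				}
+				p = cleanhostname(p);
 			}
-			p = cleanhostname(p);
 			if (arg == NULL ||
 			    ((port = permitopen_port(arg)) < 0)) {
 				fatal("%s line %d: bad port number in %s",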
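Review bot: The bare-port canonicalisation `strchr(arg, ':') == NULL` followed by `xasprintf(&arg2, "*:%s", arg)` is a second copy of the logic this commit adds to handle_permit() in auth-options.c (`asprintf(&tmp, "*:%s", opt)`), so the two parsers of the same PermitListen syntax can drift; a small shared helper that canonicalises a listen spec to `host:port` would keep them in step and give one place to document the rule. A bare `*` also takes this branch and becomes `*:*`; if permitopen_port() accepts `*` as the any-port wildcard the manpage hunk refers to, a lone `*` is now a fully permissive entry where the old code reached one of the fatal() checks, and the new sshd_config.5 form `PermitListen port` does not say so, so it is worth either documenting or rejecting explicitly. In this branch `arg2` is built from `arg` before `permitopen_port(arg)` validates it, which is harmless only because that validation still runs on the unchanged `arg` a few lines below. process_server_config_line() starts and ends outside the hunk.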
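--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.301 2018/06/07 11:26:14 jmc Exp $
-.Dd $Mdocdate: June 7 2018 $
+.\" $OpenBSD: sshd.8,v 1.302 2018/06/19 02:59:41 djm Exp $
+.Dd $Mdocdate: June 19 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -554,11 +554,11 @@ Disables execution of
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.
-.It Cm permitlisten="host:port"
+.It Cm permitlisten="[host:]port"
 Limit remote port forwarding with the
 .Xr ssh 1
 .Fl R
-option such that it may only listen on the specified host and port.
+option such that it may only listen on the specified host (optional) and port.
 IPv6 addresses can be specified by enclosing the address in square brackets.
 Multiple
 .Cm permitlisten
@@ -571,6 +571,15 @@ matches any port.
 Note that the setting of
 .Cm GatewayPorts
 may further restrict listen addresses.
+Note that
+.Xr ssh 1
+will send a hostname of
+.Dq localhost
+if a listen host was not specified when the forwarding was requested, and
+that his name is treated differently to the explicit localhost addresses
+.Dq 127.0.0.1
+and
+.Dq ::1 .
 .It Cm permitopen="host:port"
 Limit local port forwarding with the
 .Xr ssh 1
@@ -639,6 +648,8 @@ command="dump /home",no-pty,no-port-forwarding ssh-dss
 AAAAC3...51R== example.net
 permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
 AAAAB5...21S==
+permitlisten="localhost:8080",permitopen="localhost:22000" ssh-dss
+AAAAB5...21S==
 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
 jane@example.net
 restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==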
@ -33,8 +33,8 @@
|
||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: sshd_config.5,v 1.275 2018/06/09 03:18:11 djm Exp $
|
.\" $OpenBSD: sshd_config.5,v 1.276 2018/06/19 02:59:41 djm Exp $
|
||||||
.Dd $Mdocdate: June 9 2018 $
|
.Dd $Mdocdate: June 19 2018 $
|
||||||
.Dt SSHD_CONFIG 5
|
.Dt SSHD_CONFIG 5
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
|
@ -1196,18 +1196,13 @@ The listen specification must be one of the following forms:
|
||||||
.It
|
.It
|
||||||
.Cm PermitListen
|
.Cm PermitListen
|
||||||
.Sm off
|
.Sm off
|
||||||
|
.Ar port
|
||||||
|
.Sm on
|
||||||
|
.It
|
||||||
|
.Cm PermitListen
|
||||||
|
.Sm off
|
||||||
.Ar host : port
|
.Ar host : port
|
||||||
.Sm on
|
.Sm on
|
||||||
.It
|
|
||||||
.Cm PermitListen
|
|
||||||
.Sm off
|
|
||||||
.Ar IPv4_addr : port
|
|
||||||
.Sm on
|
|
||||||
.It
|
|
||||||
.Cm PermitListen
|
|
||||||
.Sm off
|
|
||||||
.Ar \&[ IPv6_addr \&] : port
|
|
||||||
.Sm on
|
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
Multiple permissions may be specified by separating them with whitespace.
|
Multiple permissions may be specified by separating them with whitespace.
|
||||||
|
@ -1226,6 +1221,15 @@ By default all port forwarding listen requests are permitted.
|
||||||
Note that the
|
Note that the
|
||||||
.Cm GatewayPorts
|
.Cm GatewayPorts
|
||||||
option may further restrict which addresses may be listened on.
|
option may further restrict which addresses may be listened on.
|
||||||
|
Note also that
|
||||||
|
.Xr ssh 1
|
||||||
|
will request a listen host of
|
||||||
|
.Dq localhost
|
||||||
|
if no listen host was specifically requested, and this this name is
|
||||||
|
treated differently to explict localhost addresses of
|
||||||
|
.Dq 127.0.0.1
|
||||||
|
and
|
||||||
|
.Dq ::1 .
|
||||||
.It Cm PermitOpen
|
.It Cm PermitOpen
|
||||||
Specifies the destinations to which TCP port forwarding is permitted.
|
Specifies the destinations to which TCP port forwarding is permitted.
|
||||||
The forwarding specification must be one of the following forms:
|
The forwarding specification must be one of the following forms:
|
||||||