- dtucker@cvs.openbsd.org 2006/07/21 12:43:36

[channels.c channels.h servconf.c servconf.h sshd_config.5]
     Make PermitOpen take a list of permitted ports and act more like most
     other keywords (ie the first match is the effective setting). This
     also makes it easier to override a previously set PermitOpen. ok djm@

ChangeLog

@@ -65,6 +65,11 @@
      [auth1.c serverloop.c session.c sshconnect2.c]
      missed some needed #include <unistd.h> when KERBEROS5=no; issue from
      massimo@cedoc.mo.it
+   - dtucker@cvs.openbsd.org 2006/07/21 12:43:36
+     [channels.c channels.h servconf.c servconf.h sshd_config.5]
+     Make PermitOpen take a list of permitted ports and act more like most
+     other keywords (ie the first match is the effective setting). This
+     also makes it easier to override a previously set PermitOpen. ok djm@
 
 20060713
  - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
@@ -4983,4 +4988,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4423 2006/07/24 04:07:35 djm Exp $
+$Id: ChangeLog,v 1.4424 2006/07/24 04:08:13 djm Exp $

channels.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.257 2006/07/17 12:06:00 dtucker Exp $ */
+/* $OpenBSD: channels.c,v 1.258 2006/07/21 12:43:36 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2653,17 +2653,17 @@ channel_add_permitted_opens(char *host, int port)
 	all_opens_permitted = 0;
 }
 
-void
+int
 channel_add_adm_permitted_opens(char *host, int port)
 {
 	if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
 		fatal("channel_add_adm_permitted_opens: too many forwards");
-	debug("allow port forwarding to host %s port %d", host, port);
+	debug("config allows port forwarding to host %s port %d", host, port);
 
 	permitted_adm_opens[num_adm_permitted_opens].host_to_connect
 	     = xstrdup(host);
 	permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port;
-	num_adm_permitted_opens++;
+	return ++num_adm_permitted_opens;
 }
 
 void

channels.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.86 2006/07/17 12:06:00 dtucker Exp $ */
+/* $OpenBSD: channels.h,v 1.87 2006/07/21 12:43:36 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -207,7 +207,7 @@ int	 channel_find_open(void);
 void	 channel_set_af(int af);
 void     channel_permit_all_opens(void);
 void	 channel_add_permitted_opens(char *, int);
-void	 channel_add_adm_permitted_opens(char *, int);
+int	 channel_add_adm_permitted_opens(char *, int);
 void	 channel_clear_permitted_opens(void);
 void	 channel_clear_adm_permitted_opens(void);
 int      channel_input_port_forward_request(int, int);

servconf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.159 2006/07/21 12:43:36 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions *options)
 	options->authorized_keys_file2 = NULL;
 	options->num_accept_env = 0;
 	options->permit_tun = -1;
+	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 }
 
@@ -1161,20 +1162,27 @@ parse_flag:
 			fatal("%s line %d: missing PermitOpen specification",
 			    filename, linenum);
 		if (strcmp(arg, "any") == 0) {
-			if (*activep)
+			if (*activep) {
 				channel_clear_adm_permitted_opens();
+				options->num_permitted_opens = 0;
+			}
 			break;
 		}
-		p = hpdelim(&arg);
+		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
-		if (p == NULL)
+			p = hpdelim(&arg);
-			fatal("%s line %d: missing host in PermitOpen",
+			if (p == NULL)
-			    filename, linenum);
+				fatal("%s line %d: missing host in PermitOpen",
-		p = cleanhostname(p);
+				    filename, linenum);
-		if (arg == NULL || (port = a2port(arg)) == 0)
+			p = cleanhostname(p);
-			fatal("%s line %d: bad port number in PermitOpen",
+			if (arg == NULL || (port = a2port(arg)) == 0)
-			    filename, linenum);
+				fatal("%s line %d: bad port number in "
-		if (*activep)
+				    "PermitOpen", filename, linenum);
-			channel_add_adm_permitted_opens(p, port);
+			if (*activep && options->num_permitted_opens == -1) {
+				channel_clear_adm_permitted_opens();
+				options->num_permitted_opens =
+				    channel_add_adm_permitted_opens(p, port);
+			}
+		}
 		break;
 
 	case sForceCommand:

servconf.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.77 2006/07/21 12:43:36 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -140,6 +140,8 @@ typedef struct {
 	int	use_pam;		/* Enable auth via PAM */
 
 	int	permit_tun;
+
+	int	num_permitted_opens;
 }       ServerOptions;
 
 void	 initialize_server_options(ServerOptions *);

sshd_config.5

@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.68 2006/07/21 12:43:36 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -564,9 +564,7 @@ The forwarding specification must be one of the following forms:
 .Sm on
 .El
 .Pp
-Multiple instances of
+Multiple forwards may be specified by separating them with whitespace.
-.Cm PermitOpen
-are permitted.
 An argument of
 .Dq any
 can be used to remove all restrictions and permit any forwarding requests.