- djm@cvs.openbsd.org 2012/12/02 20:46:11

[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
     [sshd_config.5]
     make AllowTcpForwarding accept "local" and "remote" in addition to its
     current "yes"/"no" to allow the server to specify whether just local or
     remote TCP forwarding is enabled. ok markus@
This commit is contained in:
Damien Miller 2012-12-03 09:50:54 +11:00
parent 33a813613a
commit aa5b3f8314
8 changed files with 68 additions and 26 deletions


@ -12,6 +12,12 @@
make deleting explicit keys "ssh-add -d" symmetric with adding keys - make deleting explicit keys "ssh-add -d" symmetric with adding keys -
try to delete the corresponding certificate too and respect the -k option try to delete the corresponding certificate too and respect the -k option
to allow deleting of the key only; feedback and ok markus@ to allow deleting of the key only; feedback and ok markus@
- djm@cvs.openbsd.org 2012/12/02 20:46:11
[auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
[sshd_config.5]
make AllowTcpForwarding accept "local" and "remote" in addition to its
current "yes"/"no" to allow the server to specify whether just local or
remote TCP forwarding is enabled. ok markus@
20121114 20121114
- (djm) OpenBSD CVS Sync - (djm) OpenBSD CVS Sync


@ -1,4 +1,4 @@
/* $OpenBSD: auth-options.c,v 1.56 2011/10/18 04:58:26 djm Exp $ */ /* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -349,7 +349,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
xfree(patterns); xfree(patterns);
goto bad_option; goto bad_option;
} }
if (options.allow_tcp_forwarding) if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
channel_add_permitted_opens(host, port); channel_add_permitted_opens(host, port);
xfree(patterns); xfree(patterns);
goto next_option; goto next_option;
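Review bot: A `permitopen=` key option is now dropped silently when the server permits only remote forwarding, because the new `if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)` skips `channel_add_permitted_opens()` with no diagnostic; the old `if (options.allow_tcp_forwarding)` had the same gap, but the per-direction setting makes it more likely an operator configures `remote` and then cannot tell why permitopen has no effect. An `else` branch such as `debug("permitopen ignored: local TCP forwarding disabled by AllowTcpForwarding");` would record the decision in the server log at the point it is made. The enclosing auth_parse_options() starts and ends outside the hunk.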


@ -1,4 +1,4 @@
/* $OpenBSD: channels.c,v 1.318 2012/04/23 08:18:17 djm Exp $ */ /* $OpenBSD: channels.c,v 1.319 2012/12/02 20:46:11 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -3165,12 +3165,10 @@ channel_add_adm_permitted_opens(char *host, int port)
void void
channel_disable_adm_local_opens(void) channel_disable_adm_local_opens(void)
{ {
if (num_adm_permitted_opens == 0) { channel_clear_adm_permitted_opens();
permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens)); permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens));
permitted_adm_opens[num_adm_permitted_opens].host_to_connect permitted_adm_opens[num_adm_permitted_opens].host_to_connect = NULL;
= NULL;
num_adm_permitted_opens = 1; num_adm_permitted_opens = 1;
}
} }
void void
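Review bot: channel_disable_adm_local_opens() has no comment stating the sentinel it installs, and after this rewrite a reader has to infer that a single `permitted_adm_opens` entry whose `host_to_connect` is NULL means "deny every administratively permitted local open"; a header comment such as `/* Replace the administrative permitted-opens list with one NULL-host entry, which denies all local opens. Safe to call more than once. */` would state the contract that the callers in session.c and servconf.c now rely on. The `xmalloc(sizeof(*permitted_adm_opens))` on the following line still leaves every field other than `host_to_connect` uninitialized; if any consumer of the list reads the remaining fields of that entry (not visible here), `xcalloc(1, sizeof(*permitted_adm_opens))` would avoid reading indeterminate values, assuming xcalloc is available in this tree.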


@ -1,5 +1,5 @@
/* $OpenBSD: servconf.c,v 1.232 2012/11/04 11:09:15 djm Exp $ */ /* $OpenBSD: servconf.c,v 1.233 2012/12/02 20:46:11 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -250,7 +250,7 @@ fill_default_server_options(ServerOptions *options)
if (options->compression == -1) if (options->compression == -1)
options->compression = COMP_DELAYED; options->compression = COMP_DELAYED;
if (options->allow_tcp_forwarding == -1) if (options->allow_tcp_forwarding == -1)
options->allow_tcp_forwarding = 1; options->allow_tcp_forwarding = FORWARD_ALLOW;
if (options->allow_agent_forwarding == -1) if (options->allow_agent_forwarding == -1)
options->allow_agent_forwarding = 1; options->allow_agent_forwarding = 1;
if (options->gateway_ports == -1) if (options->gateway_ports == -1)
@ -786,6 +786,14 @@ static const struct multistate multistate_privsep[] = {
{ "no", PRIVSEP_OFF }, { "no", PRIVSEP_OFF },
{ NULL, -1 } { NULL, -1 }
}; };
static const struct multistate multistate_tcpfwd[] = {
{ "yes", FORWARD_ALLOW },
{ "all", FORWARD_ALLOW },
{ "no", FORWARD_DENY },
{ "remote", FORWARD_REMOTE },
{ "local", FORWARD_LOCAL },
{ NULL, -1 }
};
int int
process_server_config_line(ServerOptions *options, char *line, process_server_config_line(ServerOptions *options, char *line,
@ -1143,7 +1151,8 @@ process_server_config_line(ServerOptions *options, char *line,
case sAllowTcpForwarding: case sAllowTcpForwarding:
intptr = &options->allow_tcp_forwarding; intptr = &options->allow_tcp_forwarding;
goto parse_flag; multistate_ptr = multistate_tcpfwd;
goto parse_multistate;
case sAllowAgentForwarding: case sAllowAgentForwarding:
intptr = &options->allow_agent_forwarding; intptr = &options->allow_agent_forwarding;
@ -1423,7 +1432,6 @@ process_server_config_line(ServerOptions *options, char *line,
} }
if (strcmp(arg, "none") == 0) { if (strcmp(arg, "none") == 0) {
if (*activep && n == -1) { if (*activep && n == -1) {
channel_clear_adm_permitted_opens();
options->num_permitted_opens = 1; options->num_permitted_opens = 1;
channel_disable_adm_local_opens(); channel_disable_adm_local_opens();
} }
@ -1780,6 +1788,8 @@ fmt_intarg(ServerOpCodes code, int val)
return fmt_multistate_int(val, multistate_compression); return fmt_multistate_int(val, multistate_compression);
case sUsePrivilegeSeparation: case sUsePrivilegeSeparation:
return fmt_multistate_int(val, multistate_privsep); return fmt_multistate_int(val, multistate_privsep);
case sAllowTcpForwarding:
return fmt_multistate_int(val, multistate_tcpfwd);
case sProtocol: case sProtocol:
switch (val) { switch (val) {
case SSH_PROTO_1: case SSH_PROTO_1:
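Review bot: `multistate_tcpfwd` maps two spellings, "yes" and "all", to FORWARD_ALLOW, and the new `case sAllowTcpForwarding:` in fmt_intarg() renders the value through `fmt_multistate_int()`, whose lookup order is not shown in this hunk; which word `sshd -T` prints therefore depends on table order. A comment on the table, `/* "yes" is listed before its synonym "all" so that FORWARD_ALLOW renders as "yes", matching the documented default */`, records the intent, assuming fmt_multistate_int() returns the first matching entry. The table is complete within the hunk; process_server_config_line() and fmt_intarg() both start and end outside it.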


@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.105 2012/11/04 11:09:15 djm Exp $ */ /* $OpenBSD: servconf.h,v 1.106 2012/12/02 20:46:11 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -42,6 +42,12 @@
#define PRIVSEP_ON 1 #define PRIVSEP_ON 1
#define PRIVSEP_NOSANDBOX 2 #define PRIVSEP_NOSANDBOX 2
/* AllowTCPForwarding */
#define FORWARD_DENY 0
#define FORWARD_REMOTE (1)
#define FORWARD_LOCAL (1<<1)
#define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL)
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
@ -116,7 +122,7 @@ typedef struct {
int permit_user_env; /* If true, read ~/.ssh/environment */ int permit_user_env; /* If true, read ~/.ssh/environment */
int use_login; /* If true, login(1) is used */ int use_login; /* If true, login(1) is used */
int compression; /* If true, compression is allowed */ int compression; /* If true, compression is allowed */
int allow_tcp_forwarding; int allow_tcp_forwarding; /* One of FORWARD_* */
int allow_agent_forwarding; int allow_agent_forwarding;
u_int num_allow_users; u_int num_allow_users;
char *allow_users[MAX_ALLOW_USERS]; char *allow_users[MAX_ALLOW_USERS];
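Review bot: The new comment on `allow_tcp_forwarding`, `/* One of FORWARD_* */`, understates the representation: every consumer in this commit tests the field with `&`, and FORWARD_ALLOW is the OR of the two direction bits, so `/* Bitmask of FORWARD_REMOTE|FORWARD_LOCAL; FORWARD_DENY is 0 */` describes it accurately. The defines are written three different ways — `FORWARD_DENY 0`, `FORWARD_REMOTE (1)`, `FORWARD_LOCAL (1<<1)` — and spelling the bits as `#define FORWARD_REMOTE (1<<0)` and `#define FORWARD_LOCAL (1<<1)` makes the positions obvious at a glance. The section comment `/* AllowTCPForwarding */` also does not match the directive's spelling `AllowTcpForwarding` used in servconf.c and sshd_config.5.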


@ -1,4 +1,4 @@
/* $OpenBSD: serverloop.c,v 1.162 2012/06/20 04:42:58 djm Exp $ */ /* $OpenBSD: serverloop.c,v 1.163 2012/12/02 20:46:11 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -950,7 +950,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt)
static Channel * static Channel *
server_request_direct_tcpip(void) server_request_direct_tcpip(void)
{ {
Channel *c; Channel *c = NULL;
char *target, *originator; char *target, *originator;
u_short target_port, originator_port; u_short target_port, originator_port;
@ -963,9 +963,16 @@ server_request_direct_tcpip(void)
debug("server_request_direct_tcpip: originator %s port %d, target %s " debug("server_request_direct_tcpip: originator %s port %d, target %s "
"port %d", originator, originator_port, target, target_port); "port %d", originator, originator_port, target, target_port);
/* XXX check permission */ /* XXX fine grained permissions */
if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
!no_port_forwarding_flag) {
c = channel_connect_to(target, target_port, c = channel_connect_to(target, target_port,
"direct-tcpip", "direct-tcpip"); "direct-tcpip", "direct-tcpip");
} else {
logit("refused local port forward: "
"originator %s port %d, target %s port %d",
originator, originator_port, target, target_port);
}
xfree(originator); xfree(originator);
xfree(target); xfree(target);
@ -1126,7 +1133,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
listen_address, listen_port); listen_address, listen_port);
/* check permissions */ /* check permissions */
if (!options.allow_tcp_forwarding || if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
no_port_forwarding_flag || no_port_forwarding_flag ||
(!want_reply && listen_port == 0) (!want_reply && listen_port == 0)
#ifndef NO_IPPORT_RESERVED_CONCEPT #ifndef NO_IPPORT_RESERVED_CONCEPT
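Review bot: The refusal logged in server_request_direct_tcpip() names originator and target but not who requested the forward, which is the field an operator needs to correlate refused local forwards across sessions; if the authenticated user is reachable from this function (not visible in the hunk), extending the message to `logit("refused local port forward for %s: originator %s port %d, target %s port %d", ...)` would make the line actionable. The `c = NULL` initializer added to the declaration is what makes the refused branch hand back no channel, but the return that relies on it lies outside the hunk, so a one-line comment on the declaration such as `/* NULL until the forward is both permitted and connected */` would tie the two together. The function's closing return is outside the hunk.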


@ -1,4 +1,4 @@
/* $OpenBSD: session.c,v 1.260 2012/03/15 03:10:27 guenther Exp $ */ /* $OpenBSD: session.c,v 1.261 2012/12/02 20:46:11 djm Exp $ */
/* /*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved * All rights reserved
@ -273,7 +273,10 @@ do_authenticated(Authctxt *authctxt)
setproctitle("%s", authctxt->pw->pw_name); setproctitle("%s", authctxt->pw->pw_name);
/* setup the channel layer */ /* setup the channel layer */
if (!no_port_forwarding_flag && options.allow_tcp_forwarding) if (no_port_forwarding_flag ||
(options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
channel_disable_adm_local_opens();
else
channel_permit_all_opens(); channel_permit_all_opens();
auth_debug_send(); auth_debug_send();
@ -383,7 +386,7 @@ do_authenticated1(Authctxt *authctxt)
debug("Port forwarding not permitted for this authentication."); debug("Port forwarding not permitted for this authentication.");
break; break;
} }
if (!options.allow_tcp_forwarding) { if (!(options.allow_tcp_forwarding & FORWARD_REMOTE)) {
debug("Port forwarding not permitted."); debug("Port forwarding not permitted.");
break; break;
} }
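Review bot: The two new tests of `options.allow_tcp_forwarding` in this file use different forms — `(... & FORWARD_LOCAL) == 0` in do_authenticated() and `!(... & FORWARD_REMOTE)` in do_authenticated1() — while serverloop.c and auth-options.c use the explicit `== 0`/`!= 0` comparison; settling on one form, `if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0) {`, keeps the bit tests uniform and greppable. The debug message under it, `"Port forwarding not permitted."`, no longer says which direction was refused now that the setting is per-direction; `debug("Remote port forwarding not permitted.");` matches the new semantics. Both enclosing functions start and end outside the hunk.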


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.149 2012/11/04 11:09:15 djm Exp $ .\" $OpenBSD: sshd_config.5,v 1.150 2012/12/02 20:46:11 djm Exp $
.Dd $Mdocdate: November 4 2012 $ .Dd $Mdocdate: December 2 2012 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -124,6 +124,18 @@ in
for more information on patterns. for more information on patterns.
.It Cm AllowTcpForwarding .It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted. Specifies whether TCP forwarding is permitted.
The available options are
.Dq yes
or
.Dq all
to allow TCP forwarding,
.Dq no
to prevent all TCP forwarding,
.Dq local
to allow local (from the perspective of
.Xr ssh 1 ) forwarding only or
.Dq remote
to allow remote forwarding only.
The default is The default is
.Dq yes . .Dq yes .
Note that disabling TCP forwarding does not improve security unless Note that disabling TCP forwarding does not improve security unless