From ad8b4217d5e5650f1ff180fbcfe83afb335f7b60 Mon Sep 17 00:00:00 2001
From: Giuseppe Guerrini
Date: Tue, 1 Oct 2024 00:09:21 +0200
Subject: [PATCH] Removed "TunnelOptions" option. Its function is now fulfilled by "PermitTunnel"(sshd) and "Tunnel" (ssh): you can append to the type of tunnel a ":" followed by options (e.g. Tunnel=ethernet:my_option)

---
 clientloop.c | 2 +-
 misc.c | 4 ++--
 openbsd-compat/port-net.c | 4 ++--
 readconf.c | 20 ++++++-------------
 readconf.h | 2 +-
 servconf.c | 29 ++++++++++++++--------------
 servconf.h | 2 +-
 serverloop.c | 2 +-
 8 files changed, 28 insertions(+), 37 deletions(-)

diff --git a/clientloop.c b/clientloop.c
index cc31c3e4e..608cf20fa 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1861,7 +1861,7 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
 debug("Requesting tun unit %d in mode %d", local_tun, tun_mode);

 /* Open local tunnel device */
- if ((fd = tun_open(local_tun, tun_mode, options.tunnel_options, &ifname)) == -1) {
+ if ((fd = tun_open(local_tun, tun_mode, options.tun_options, &ifname)) == -1) {
 error("Tunnel device open failed.");
 return NULL;
 }
diff --git a/misc.c b/misc.c
index 3916de879..3eb27cf3d 100644
--- a/misc.c
+++ b/misc.c
@@ -1492,10 +1492,10 @@ percent_dollar_expand(const char *string, ...)
 }

 int
-tun_open(int tun, int mode, const char* tunnel_options, char **ifname)
+tun_open(int tun, int mode, const char* tun_options, char **ifname)
 {
 #if defined(CUSTOM_SYS_TUN_OPEN)
- return (sys_tun_open(tun, mode, tunnel_options, ifname));
+ return (sys_tun_open(tun, mode, tun_options, ifname));
 #elif defined(SSH_TUN_OPENBSD)
 struct ifreq ifr;
 char name[100];
diff --git a/openbsd-compat/port-net.c b/openbsd-compat/port-net.c
index 64db19ea4..58b24749c 100644
--- a/openbsd-compat/port-net.c
+++ b/openbsd-compat/port-net.c
@@ -687,12 +687,12 @@ FAIL:
 }

 int
-sys_tun_open(int tun, int mode, const char *tunnel_options, char** ifname)
+sys_tun_open(int tun, int mode, const char *tun_options, char** ifname)
 {
 int tun_fd = -1;
 const char *prefix = NULL;

- prefix = tunnel_options;
+ prefix = tun_options;

 if (ifname != NULL) {
 *ifname = NULL;
diff --git a/readconf.c b/readconf.c
index 2467e737e..c231e3bc2 100644
--- a/readconf.c
+++ b/readconf.c
@@ -180,7 +180,6 @@ typedef enum {
 oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
 oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize,
 oEnableEscapeCommandline, oObscureKeystrokeTiming, oChannelTimeout,
- oTunnelOptions,
 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;

@@ -331,7 +330,6 @@ static struct {
 { "enableescapecommandline", oEnableEscapeCommandline },
 { "obscurekeystroketiming", oObscureKeystrokeTiming },
 { "channeltimeout", oChannelTimeout },
- { "tunneloptions", oTunnelOptions },
 { NULL, oBadOption }
 };

@@ -1185,6 +1183,7 @@ parse_time:
 multistate_ptr = multistate_flag;
 parse_multistate:
 arg = argv_next(&ac, &av);
+parse_multistate_arg:
 if ((value = parse_multistate_value(arg, filename, linenum,
 multistate_ptr)) == -1) {
 error("%s line %d: unsupported option \"%s\".",
@@ -1949,7 +1948,8 @@ parse_pubkey_algos:
 case oTunnel:
 intptr = &options->tun_open;
 multistate_ptr = multistate_tunnel;
- goto parse_multistate;
+ arg = argv_next(&ac, &av);
+ goto parse_multistate_arg;

 case oTunnelDevice:
 arg = argv_next(&ac, &av);
@@ -2413,13 +2413,6 @@ parse_pubkey_algos:
 argv_consume(&ac);
 break;

- case oTunnelOptions:
- charptr = &options->tunnel_options;
- arg = argv_next(&ac, &av);
- if (*activep && *charptr == NULL)
- *charptr = xstrdup((arg == NULL) ? "" : arg);
- break;
-
 default:
 error("%s line %d: Unimplemented opcode %d",
 filename, linenum, opcode);
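Review bot: The client-side `Tunnel ethernet:my_option` syntax described in the commit message is not implemented in the oTunnel hunk: `arg` is fetched and control jumps straight to the new `parse_multistate_arg` label, but nothing strips a `:suffix` before parse_multistate_value matches the value against multistate_tunnel, so such a value should be rejected as "unsupported option" and `options->tun_options` is only ever given the `""` default in fill_default_options. As written, the two new lines are behaviourally identical to the `goto parse_multistate;` they replace. Before the goto, mirror the server side with a NULL check (argv_next can return NULL), declaring a local `char *p`: `if (arg != NULL && (p = strchr(arg, ':')) != NULL) { if (*activep && options->tun_options == NULL) options->tun_options = xstrdup(p + 1); *p = '\0'; }`. If parse_multistate_value was taught to accept the suffix in a change outside this diff, disregard; process_config_line_depth continues on both sides of the hunk.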
@@ -2672,7 +2665,7 @@ initialize_options(Options * options)
 options->required_rsa_size = -1;
 options->enable_escape_commandline = -1;
 options->obscure_keystroke_timing_interval = -1;
- options->tunnel_options = NULL;
+ options->tun_options = NULL;
 options->tag = NULL;
 options->channel_timeouts = NULL;
 options->num_channel_timeouts = 0;
@@ -2837,6 +2830,8 @@ fill_default_options(Options * options)
 options->hash_known_hosts = 0;
 if (options->tun_open == -1)
 options->tun_open = SSH_TUNMODE_NO;
+ if (options->tun_options == NULL)
+ options->tun_options = xstrdup("");
 if (options->tun_local == -1)
 options->tun_local = SSH_TUNID_ANY;
 if (options->tun_remote == -1)
@@ -2940,7 +2935,6 @@ fill_default_options(Options * options)
 CLEAR_ON_NONE(options->pkcs11_provider);
 CLEAR_ON_NONE(options->sk_provider);
 CLEAR_ON_NONE(options->known_hosts_command);
- CLEAR_ON_NONE(options->tunnel_options);
 CLEAR_ON_NONE_ARRAY(channel_timeouts, num_channel_timeouts, "none");
 #undef CLEAR_ON_NONE
 #undef CLEAR_ON_NONE_ARRAY
@@ -3693,8 +3687,6 @@ dump_client_config(Options *o, const char *host)
 printf(":%d", o->tun_remote);
 printf("\n");

- dump_cfg_string(oTunnelOptions, o->tunnel_options);
-
 /* oCanonicalizePermittedCNAMEs */
 printf("canonicalizePermittedcnames");
diff --git a/readconf.h b/readconf.h
index 9d6e09692..ca22d03cb 100644
--- a/readconf.h
+++ b/readconf.h
@@ -184,7 +184,7 @@ typedef struct {
 char **channel_timeouts; /* inactivity timeout by channel type */
 u_int num_channel_timeouts;

- char *tunnel_options;
+ char *tun_options;
 char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
 } Options;

diff --git a/servconf.c b/servconf.c
index 216c81c84..d98fa86e7 100644
--- a/servconf.c
+++ b/servconf.c
@@ -194,7 +194,7 @@ initialize_server_options(ServerOptions *options)
 options->num_accept_env = 0;
 options->num_setenv = 0;
 options->permit_tun = -1;
- options->tunnel_options = NULL;
+ options->tun_options = NULL;
 options->permitted_opens = NULL;
 options->permitted_listens = NULL;
 options->adm_forced_command = NULL;
@@ -472,6 +472,8 @@ fill_default_server_options(ServerOptions *options)
 }
 if (options->permit_tun == -1)
 options->permit_tun = SSH_TUNMODE_NO;
+ if (options->tun_options == NULL)
+ options->tun_options = xstrdup("");
 if (options->ip_qos_interactive == -1)
 options->ip_qos_interactive = IPTOS_DSCP_AF21;
 if (options->ip_qos_bulk == -1)
@@ -531,7 +533,6 @@ fill_default_server_options(ServerOptions *options)
 CLEAR_ON_NONE(options->chroot_directory);
 CLEAR_ON_NONE(options->routing_domain);
 CLEAR_ON_NONE(options->host_key_agent);
- CLEAR_ON_NONE(options->tunnel_options);
 CLEAR_ON_NONE(options->per_source_penalty_exempt);
 for (i = 0; i < options->num_host_key_files; i++)
@@ -570,7 +571,7 @@ typedef enum {
 sPerSourcePenalties, sPerSourcePenaltyExemptList,
 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
- sAcceptEnv, sSetEnv, sPermitTunnel, sTunnelOptions,
+ sAcceptEnv, sSetEnv, sPermitTunnel,
 sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
 sUsePrivilegeSeparation, sAllowAgentForwarding,
 sHostCertificate, sInclude,
@@ -718,7 +719,6 @@ static struct {
 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
 { "setenv", sSetEnv, SSHCFG_ALL },
 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
- { "tunneloptions", sTunnelOptions, SSHCFG_GLOBAL },
 { "permittty", sPermitTTY, SSHCFG_ALL },
 { "permituserrc", sPermitUserRC, SSHCFG_ALL },
 { "match", sMatch, SSHCFG_ALL },
@@ -2292,9 +2292,17 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 case sPermitTunnel:
 intptr = &options->permit_tun;
 arg = argv_next(&ac, &av);
- if (!arg || *arg == '\0')
+ if (!arg || *arg == '\0') {
 fatal("%s line %d: %s missing argument.",
- filename, linenum, keyword);
+ filename, linenum, keyword);
+ }
+ else {
+ char* opt = strchr(arg, ':');
+ if (opt != NULL) {
+ options->tun_options = xstrdup(opt + 1);
+ *opt = '\0';
+ }
+ }
 value = -1;
 for (i = 0; tunmode_desc[i].val != -1; i++)
 if (strcmp(tunmode_desc[i].text, arg) == 0) {
@@ -2308,14 +2316,6 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 *intptr = value;
 break;

- case sTunnelOptions:
- charptr = &options->tunnel_options;
- arg = argv_next(&ac, &av);
- if (*activep && *charptr == NULL)
- *charptr = xstrdup((arg == NULL) ? "" : arg);
- break;
-
-
 case sInclude:
 if (cmdline) {
 fatal("Include directive not supported as a "
@@ -3436,7 +3436,6 @@ dump_config(ServerOptions *o)
 {
 }
 }
 dump_cfg_string(sPermitTunnel, s);
- dump_cfg_string(sTunnelOptions, o->tunnel_options);
 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
 printf("%s\n", iptos2str(o->ip_qos_bulk));
diff --git a/servconf.h b/servconf.h
index d6122124b..aaf63a2ef 100644
--- a/servconf.h
+++ b/servconf.h
@@ -214,7 +214,7 @@ typedef struct {
 int permit_tun;
- char* tunnel_options;
+ char* tun_options;
 char **permitted_opens; /* May also be one of PERMITOPEN_* */
 u_int num_permitted_opens;
diff --git a/serverloop.c b/serverloop.c
index 86932e2ad..04176610d 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -516,7 +516,7 @@ server_request_tun(struct ssh *ssh)
 goto done;
 tun = auth_opts->force_tun_device;
 }
- sock = tun_open(tun, mode, options.tunnel_options, &ifname);
+ sock = tun_open(tun, mode, options.tun_options, &ifname);
 if (sock < 0)
 goto done;
 debug("Tunnel forwarding using interface %s", ifname);
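Review bot: `options->tun_options = xstrdup(opt + 1);` in the sPermitTunnel case is assigned unconditionally, whereas the sTunnelOptions handler it replaces only stored the value under `*activep && *charptr == NULL`; because permittunnel is SSHCFG_ALL, a `PermitTunnel ethernet:foo` line inside a Match block that does not apply to the current connection still overwrites the global suffix, and every later occurrence leaks the previously xstrdup'd string. Keep the old gating: `if (*activep && options->tun_options == NULL) options->tun_options = xstrdup(opt + 1);` (or free() the previous value if last-wins is intended). Whether a suffix set in an applying Match block actually reaches tun_open also depends on tun_options being copied in copy_set_server_options, which this diff does not touch — worth confirming. Style: OpenSSH writes `} else {` on one line and `char *opt`. The case continues past the hunk, where `*intptr = value` is presumably the activep-gated assignment.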
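Review bot: With `dump_cfg_string(sTunnelOptions, o->tunnel_options)` removed from dump_config, `sshd -T` now prints only `permittunnel <mode>` and silently drops the `:options` suffix that the same commit folds into PermitTunnel, so a dumped configuration no longer round-trips and an operator cannot see which tunnel options are in effect. Print the suffix with the mode, e.g. `if (o->tun_options != NULL && *o->tun_options != '\0') printf("permittunnel %s:%s\n", s != NULL ? s : "", o->tun_options); else dump_cfg_string(sPermitTunnel, s);`, guarding against `s` being NULL if the preceding lookup can leave it unset. The dump_client_config hunk in readconf.c leaves the same gap for `ssh -G`. dump_config continues on both sides of the hunk.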