summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog6
-rw-r--r--auth-options.c62
-rw-r--r--channels.c139
-rw-r--r--channels.h16
-rw-r--r--serverloop.c8
-rw-r--r--session.c11
6 files changed, 159 insertions, 83 deletions
diff --git a/ChangeLog b/ChangeLog
index 18256d03..50cc97d6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,10 @@
- markus@cvs.openbsd.org 2001/03/16 13:44:24
[sftp-int.c]
discourage strcat/strcpy
+ - markus@cvs.openbsd.org 2001/03/16 19:06:30
+ [auth-options.c channels.c channels.h serverloop.c session.c]
+ implement "permitopen" key option, restricts -L style forwarding to
+ to specified host:port pairs. based on work by harlan@genua.de
20010315
- OpenBSD CVS Sync
@@ -4580,4 +4584,4 @@
- Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1
-$Id: ChangeLog,v 1.966 2001/03/17 00:37:31 mouring Exp $
+$Id: ChangeLog,v 1.967 2001/03/17 00:47:54 mouring Exp $
diff --git a/auth-options.c b/auth-options.c
index bfb1af86..7ce1e4b0 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,13 +10,14 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.14 2001/03/13 17:34:42 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.15 2001/03/16 19:06:28 markus Exp $");
#include "packet.h"
#include "xmalloc.h"
#include "match.h"
#include "log.h"
#include "canohost.h"
+#include "channels.h"
#include "auth-options.h"
#include "servconf.h"
@@ -51,6 +52,7 @@ auth_clear_options(void)
xfree(forced_command);
forced_command = NULL;
}
+ channel_clear_permitted_opens();
}
/*
@@ -61,6 +63,7 @@ int
auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
{
const char *cp;
+ int i;
/* reset options */
auth_clear_options();
@@ -99,7 +102,6 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
}
cp = "command=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- int i;
opts += strlen(cp);
forced_command = xmalloc(strlen(opts) + 1);
i = 0;
@@ -129,9 +131,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
}
cp = "environment=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
- int i;
char *s;
struct envstring *new_envstring;
+
opts += strlen(cp);
s = xmalloc(strlen(opts) + 1);
i = 0;
@@ -170,7 +172,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
const char *remote_host = get_canonical_hostname(
options.reverse_mapping_check);
char *patterns = xmalloc(strlen(opts) + 1);
- int i;
+
opts += strlen(cp);
i = 0;
while (*opts) {
@@ -218,6 +220,58 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
/* Host name matches. */
goto next_option;
}
+ cp = "permitopen=\"";
+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ u_short port;
+ char *c, *ep;
+ char *patterns = xmalloc(strlen(opts) + 1);
+
+ opts += strlen(cp);
+ i = 0;
+ while (*opts) {
+ if (*opts == '"')
+ break;
+ if (*opts == '\\' && opts[1] == '"') {
+ opts += 2;
+ patterns[i++] = '"';
+ continue;
+ }
+ patterns[i++] = *opts++;
+ }
+ if (!*opts) {
+ debug("%.100s, line %lu: missing end quote",
+ file, linenum);
+ packet_send_debug("%.100s, line %lu: missing end quote",
+ file, linenum);
+ xfree(patterns);
+ goto bad_option;
+ }
+ patterns[i] = 0;
+ opts++;
+ c = strchr(patterns, ':');
+ if (c == NULL) {
+ debug("%.100s, line %lu: permitopen: missing colon <%.100s>",
+ file, linenum, patterns);
+ packet_send_debug("%.100s, line %lu: missing colon",
+ file, linenum);
+ xfree(patterns);
+ goto bad_option;
+ }
+ *c = 0;
+ c++;
+ port = strtol(c, &ep, 0);
+ if (c == ep) {
+ debug("%.100s, line %lu: permitopen: missing port <%.100s>",
+ file, linenum, patterns);
+ packet_send_debug("%.100s, line %lu: missing port",
+ file, linenum);
+ xfree(patterns);
+ goto bad_option;
+ }
+ channel_add_permitted_opens(patterns, port);
+ xfree(patterns);
+ goto next_option;
+ }
next_option:
/*
* Skip the comma, and move to the next option
diff --git a/channels.c b/channels.c
index bb872dc9..941556ac 100644
--- a/channels.c
+++ b/channels.c
@@ -40,7 +40,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.98 2001/03/04 17:42:28 millert Exp $");
+RCSID("$OpenBSD: channels.c,v 1.99 2001/03/16 19:06:29 markus Exp $");
#include <openssl/rsa.h>
#include <openssl/dsa.h>
@@ -141,18 +141,6 @@ channel_set_options(int hostname_in_open)
have_hostname_in_open = hostname_in_open;
}
-/*
- * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
- * called by the server, because the user could connect to any port anyway,
- * and the server has no way to know but to trust the client anyway.
- */
-
-void
-channel_permit_all_opens()
-{
- all_opens_permitted = 1;
-}
-
/* lookup channel by id */
Channel *
@@ -1791,9 +1779,47 @@ channel_input_port_forward_request(int is_root, int gateway_ports)
xfree(hostname);
}
-/* XXX move to aux.c */
+/*
+ * Permits opening to any host/port if permitted_opens[] is empty. This is
+ * usually called by the server, because the user could connect to any port
+ * anyway, and the server has no way to know but to trust the client anyway.
+ */
+void
+channel_permit_all_opens()
+{
+ if (num_permitted_opens == 0)
+ all_opens_permitted = 1;
+}
+
+void
+channel_add_permitted_opens(char *host, int port)
+{
+ if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
+ fatal("channel_request_remote_forwarding: too many forwards");
+ debug("allow port forwarding to host %s port %d", host, port);
+
+ permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host);
+ permitted_opens[num_permitted_opens].port_to_connect = port;
+ num_permitted_opens++;
+
+ all_opens_permitted = 0;
+}
+
+void
+channel_clear_permitted_opens(void)
+{
+ int i;
+
+ for (i = 0; i < num_permitted_opens; i++)
+ xfree(permitted_opens[i].host_to_connect);
+ num_permitted_opens = 0;
+
+}
+
+
+/* return socket to remote host, port */
int
-channel_connect_to(const char *host, u_short host_port)
+connect_to(const char *host, u_short port)
{
struct addrinfo hints, *ai, *aitop;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1803,9 +1829,10 @@ channel_connect_to(const char *host, u_short host_port)
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
hints.ai_socktype = SOCK_STREAM;
- snprintf(strport, sizeof strport, "%d", host_port);
+ snprintf(strport, sizeof strport, "%d", port);
if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
- error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
+ error("connect_to %.100s: unknown host (%s)", host,
+ gai_strerror(gaierr));
return -1;
}
for (ai = aitop; ai; ai = ai->ai_next) {
@@ -1813,10 +1840,9 @@ channel_connect_to(const char *host, u_short host_port)
continue;
if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
- error("channel_connect_to: getnameinfo failed");
+ error("connect_to: getnameinfo failed");
continue;
}
- /* Create the socket. */
sock = socket(ai->ai_family, SOCK_STREAM, 0);
if (sock < 0) {
error("socket: %.100s", strerror(errno));
@@ -1824,10 +1850,9 @@ channel_connect_to(const char *host, u_short host_port)
}
if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0)
fatal("connect_to: F_SETFL: %s", strerror(errno));
- /* Connect to the host/port. */
if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 &&
errno != EINPROGRESS) {
- error("connect %.100s port %s: %.100s", ntop, strport,
+ error("connect_to %.100s port %s: %.100s", ntop, strport,
strerror(errno));
close(sock);
continue; /* fail -- try next */
@@ -1837,19 +1862,21 @@ channel_connect_to(const char *host, u_short host_port)
}
freeaddrinfo(aitop);
if (!ai) {
- error("connect %.100s port %d: failed.", host, host_port);
+ error("connect_to %.100s port %d: failed.", host, port);
return -1;
}
/* success */
return sock;
}
+
int
channel_connect_by_listen_adress(u_short listen_port)
{
int i;
+
for (i = 0; i < num_permitted_opens; i++)
if (permitted_opens[i].listen_port == listen_port)
- return channel_connect_to(
+ return connect_to(
permitted_opens[i].host_to_connect,
permitted_opens[i].port_to_connect);
error("WARNING: Server requests forwarding for unknown listen_port %d",
@@ -1857,6 +1884,28 @@ channel_connect_by_listen_adress(u_short listen_port)
return -1;
}
+/* Check if connecting to that port is permitted and connect. */
+int
+channel_connect_to(const char *host, u_short port)
+{
+ int i, permit;
+
+ permit = all_opens_permitted;
+ if (!permit) {
+ for (i = 0; i < num_permitted_opens; i++)
+ if (permitted_opens[i].port_to_connect == port &&
+ strcmp(permitted_opens[i].host_to_connect, host) == 0)
+ permit = 1;
+
+ }
+ if (!permit) {
+ log("Received request to connect to host %.100s port %d, "
+ "but the request was denied.", host, port);
+ return -1;
+ }
+ return connect_to(host, port);
+}
+
/*
* This is called after receiving PORT_OPEN message. This attempts to
* connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
@@ -1868,55 +1917,25 @@ channel_input_port_open(int type, int plen, void *ctxt)
{
u_short host_port;
char *host, *originator_string;
- int remote_channel, sock = -1, newch, i, denied;
- u_int host_len, originator_len;
+ int remote_channel, sock = -1, newch;
- /* Get remote channel number. */
remote_channel = packet_get_int();
-
- /* Get host name to connect to. */
- host = packet_get_string(&host_len);
-
- /* Get port to connect to. */
+ host = packet_get_string(NULL);
host_port = packet_get_int();
- /* Get remote originator name. */
if (have_hostname_in_open) {
- originator_string = packet_get_string(&originator_len);
- originator_len += 4; /* size of packet_int */
+ originator_string = packet_get_string(NULL);
} else {
originator_string = xstrdup("unknown (remote did not supply name)");
- originator_len = 0; /* no originator supplied */
- }
-
- packet_integrity_check(plen,
- 4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN);
-
- /* Check if opening that port is permitted. */
- denied = 0;
- if (!all_opens_permitted) {
- /* Go trough all permitted ports. */
- for (i = 0; i < num_permitted_opens; i++)
- if (permitted_opens[i].port_to_connect == host_port &&
- strcmp(permitted_opens[i].host_to_connect, host) == 0)
- break;
-
- /* Check if we found the requested port among those permitted. */
- if (i >= num_permitted_opens) {
- /* The port is not permitted. */
- log("Received request to connect to %.100s:%d, but the request was denied.",
- host, host_port);
- denied = 1;
- }
}
- sock = denied ? -1 : channel_connect_to(host, host_port);
- if (sock > 0) {
- /* Allocate a channel for this connection. */
+ packet_done();
+ sock = channel_connect_to(host, host_port);
+ if (sock != -1) {
newch = channel_allocate(SSH_CHANNEL_CONNECTING,
sock, originator_string);
-/*XXX delay answer? */
channels[newch].remote_id = remote_channel;
+ /*XXX delay answer? */
packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
packet_put_int(remote_channel);
packet_put_int(newch);
diff --git a/channels.h b/channels.h
index f57029a1..493b04aa 100644
--- a/channels.h
+++ b/channels.h
@@ -32,11 +32,13 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* RCSID("$OpenBSD: channels.h,v 1.27 2001/02/15 23:19:59 markus Exp $"); */
+/* RCSID("$OpenBSD: channels.h,v 1.28 2001/03/16 19:06:29 markus Exp $"); */
#ifndef CHANNELS_H
#define CHANNELS_H
+#include "buffer.h"
+
/* Definitions for channel types. */
#define SSH_CHANNEL_FREE 0 /* This channel is free (unused). */
#define SSH_CHANNEL_X11_LISTENER 1 /* Listening for inet X11 conn. */
@@ -226,12 +228,18 @@ channel_request_remote_forwarding(u_short port, const char *host,
u_short remote_port);
/*
- * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
- * called by the server, because the user could connect to any port anyway,
- * and the server has no way to know but to trust the client anyway.
+ * Permits opening to any host/port if permitted_opens[] is empty. This is
+ * usually called by the server, because the user could connect to any port
+ * anyway, and the server has no way to know but to trust the client anyway.
*/
void channel_permit_all_opens(void);
+/* Add host/port to list of allowed targets for port forwarding */
+void channel_add_permitted_opens(char *host, int port);
+
+/* Flush list */
+void channel_clear_permitted_opens(void);
+
/*
* This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
* listening for the port, and sends back a success reply (or disconnect
diff --git a/serverloop.c b/serverloop.c
index 8b1ee991..66bc5257 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -35,7 +35,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: serverloop.c,v 1.54 2001/03/04 01:46:30 djm Exp $");
+RCSID("$OpenBSD: serverloop.c,v 1.55 2001/03/16 19:06:29 markus Exp $");
#include "xmalloc.h"
#include "packet.h"
@@ -756,11 +756,6 @@ server_request_direct_tcpip(char *ctype)
originator, originator_port, target, target_port);
/* XXX check permission */
- if (no_port_forwarding_flag || !options.allow_tcp_forwarding) {
- xfree(target);
- xfree(originator);
- return NULL;
- }
sock = channel_connect_to(target, target_port);
xfree(target);
xfree(originator);
@@ -858,6 +853,7 @@ server_input_global_request(int type, int plen, void *ctxt)
want_reply = packet_get_char();
debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply);
+ /* -R style forwarding */
if (strcmp(rtype, "tcpip-forward") == 0) {
struct passwd *pw;
char *listen_address;
diff --git a/session.c b/session.c
index 5e6926b5..9c4828ac 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.60 2001/03/15 22:07:08 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.61 2001/03/16 19:06:30 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -228,13 +228,6 @@ do_authenticated(struct passwd * pw)
startup_pipe = -1;
}
- /*
- * Inform the channel mechanism that we are the server side and that
- * the client may request to connect to any port at all. (The user
- * could do it anyway, and we wouldn\'t know what is permitted except
- * by the client telling us, so we can equally well trust the client
- * not to request anything bogus.)
- */
if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
channel_permit_all_opens();
@@ -2037,6 +2030,8 @@ do_authenticated2(Authctxt *authctxt)
close(startup_pipe);
startup_pipe = -1;
}
+ if (!no_port_forwarding_flag && options.allow_tcp_forwarding)
+ channel_permit_all_opens();
#if defined(HAVE_LOGIN_CAP) && defined(HAVE_PW_CLASS_IN_PASSWD)
if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL) {
error("unable to get login class");