- dtucker@cvs.openbsd.org 2006/07/21 12:43:36
authordjm <djm>
Mon, 24 Jul 2006 04:08:13 +0000 (04:08 +0000)
committerdjm <djm>
Mon, 24 Jul 2006 04:08:13 +0000 (04:08 +0000)
     [channels.c channels.h servconf.c servconf.h sshd_config.5]
     Make PermitOpen take a list of permitted ports and act more like most
     other keywords (ie the first match is the effective setting). This
     also makes it easier to override a previously set PermitOpen. ok djm@

ChangeLog
channels.c
channels.h
servconf.c
servconf.h
sshd_config.5

index ff261d3033462603b53407c54c4feaac2dca9cbd..033251c46d5eeb661ef2fc78be96652bfbe8f00e 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
      [auth1.c serverloop.c session.c sshconnect2.c]
      missed some needed #include <unistd.h> when KERBEROS5=no; issue from
      massimo@cedoc.mo.it
+   - dtucker@cvs.openbsd.org 2006/07/21 12:43:36
+     [channels.c channels.h servconf.c servconf.h sshd_config.5]
+     Make PermitOpen take a list of permitted ports and act more like most
+     other keywords (ie the first match is the effective setting). This
+     also makes it easier to override a previously set PermitOpen. ok djm@
 
 20060713
  - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
index 9aaf7e9d7a7dcb5f8d1803e31a0281be53a785e4..c6c5c889945ecbc3532de15923f06e2e70ebcd63 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.257 2006/07/17 12:06:00 dtucker Exp $ */
+/* $OpenBSD: channels.c,v 1.258 2006/07/21 12:43:36 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2653,17 +2653,17 @@ channel_add_permitted_opens(char *host, int port)
        all_opens_permitted = 0;
 }
 
-void
+int
 channel_add_adm_permitted_opens(char *host, int port)
 {
        if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
                fatal("channel_add_adm_permitted_opens: too many forwards");
-       debug("allow port forwarding to host %s port %d", host, port);
+       debug("config allows port forwarding to host %s port %d", host, port);
 
        permitted_adm_opens[num_adm_permitted_opens].host_to_connect
             = xstrdup(host);
        permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port;
-       num_adm_permitted_opens++;
+       return ++num_adm_permitted_opens;
 }
 
 void
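Review bot: The new int return value of channel_add_adm_permitted_opens() is undocumented, although the servconf.c hunk in this commit stores it as the option's entry count, so a one-line comment above the definition such as `/* Returns the number of admin-permitted opens now recorded. */` would pin that contract. The function still calls fatal() rather than returning an error when SSH_MAX_FORWARDS_PER_DIRECTION is reached, so the return never signals that case; the same comment should say so, since a caller that checks the return for "failed to add" will be misled.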
index c473b730c1e5751652ce16a683185423713e482b..ed719f724c3949b8b025ff95cadff99b39c07e23 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.86 2006/07/17 12:06:00 dtucker Exp $ */
+/* $OpenBSD: channels.h,v 1.87 2006/07/21 12:43:36 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -207,7 +207,7 @@ int  channel_find_open(void);
 void    channel_set_af(int af);
 void     channel_permit_all_opens(void);
 void    channel_add_permitted_opens(char *, int);
-void    channel_add_adm_permitted_opens(char *, int);
+int     channel_add_adm_permitted_opens(char *, int);
 void    channel_clear_permitted_opens(void);
 void    channel_clear_adm_permitted_opens(void);
 int      channel_input_port_forward_request(int, int);
index e2c1d4458af49d261dd1f5b8131310427924afa7..46558b69073095707a16ec13a9d0f664ad837346 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.159 2006/07/21 12:43:36 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions *options)
        options->authorized_keys_file2 = NULL;
        options->num_accept_env = 0;
        options->permit_tun = -1;
+       options->num_permitted_opens = -1;
        options->adm_forced_command = NULL;
 }
 
@@ -1161,20 +1162,27 @@ parse_flag:
                        fatal("%s line %d: missing PermitOpen specification",
                            filename, linenum);
                if (strcmp(arg, "any") == 0) {
-                       if (*activep)
+                       if (*activep) {
                                channel_clear_adm_permitted_opens();
+                               options->num_permitted_opens = 0;
+                       }
                        break;
                }
-               p = hpdelim(&arg);
-               if (p == NULL)
-                       fatal("%s line %d: missing host in PermitOpen",
-                           filename, linenum);
-               p = cleanhostname(p);
-               if (arg == NULL || (port = a2port(arg)) == 0)
-                       fatal("%s line %d: bad port number in PermitOpen",
-                           filename, linenum);
-               if (*activep)
-                       channel_add_adm_permitted_opens(p, port);
+               for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
+                       p = hpdelim(&arg);
+                       if (p == NULL)
+                               fatal("%s line %d: missing host in PermitOpen",
+                                   filename, linenum);
+                       p = cleanhostname(p);
+                       if (arg == NULL || (port = a2port(arg)) == 0)
+                               fatal("%s line %d: bad port number in "
+                                   "PermitOpen", filename, linenum);
+                       if (*activep && options->num_permitted_opens == -1) {
+                               channel_clear_adm_permitted_opens();
+                               options->num_permitted_opens =
+                                   channel_add_adm_permitted_opens(p, port);
+                       }
+               }
                break;
 
        case sForceCommand:
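Review bot: The `options->num_permitted_opens == -1` test inside the new for loop at the bottom of the hunk admits only the first host:port of a PermitOpen list, because channel_add_adm_permitted_opens() returns the new count on the first iteration and every later entry on the same line then fails the test and is silently dropped, so sshd refuses forwards the administrator believes are permitted. The `any` branch has the opposite problem: its `if (*activep)` lacks the `== -1` check, so a later `PermitOpen any` clears restrictions set by an earlier line, contrary to the first-match rule the commit describes. Snapshotting the value once before the `any` test, moving channel_clear_adm_permitted_opens() ahead of the loop, and testing the snapshot in both places fixes both; the snapshot needs a local int (`n` below) if the function does not already declare one. The enclosing switch case and its function begin and end outside the hunk.
```c
		/* … unchanged: missing PermitOpen specification check … */
		n = options->num_permitted_opens;	/* snapshot: the loop below updates it */
		if (strcmp(arg, "any") == 0) {
			if (*activep && n == -1) {
				channel_clear_adm_permitted_opens();
				options->num_permitted_opens = 0;
			}
			break;
		}
		if (*activep && n == -1)
			channel_clear_adm_permitted_opens();
		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
			/* … unchanged: hpdelim/cleanhostname/a2port parsing and fatal() checks … */
			if (*activep && n == -1)
				options->num_permitted_opens =
				    channel_add_adm_permitted_opens(p, port);
		}
		break;
```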
index 41dce7686acbf98e96ee9290db3b389c326ddafa..0add6518de816e7303e803db8bd6dc1d411dfd79 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.77 2006/07/21 12:43:36 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -140,6 +140,8 @@ typedef struct {
        int     use_pam;                /* Enable auth via PAM */
 
        int     permit_tun;
+
+       int     num_permitted_opens;
 }       ServerOptions;
 
 void    initialize_server_options(ServerOptions *);
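Review bot: The new `num_permitted_opens` field has no comment, yet its value is a tri-state that the servconf.c hunk in this commit depends on: -1 from initialize_server_options() until a PermitOpen line is processed, 0 after `PermitOpen any`, otherwise the count returned by channel_add_adm_permitted_opens(). The `use_pam` field above carries a trailing comment, so `int num_permitted_opens; /* -1 unset, 0 = any, else entries added */` would match the file's style and stop a reader from treating 0 and -1 as equivalent.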
index 26c895f7a560f2f8667d18f767ebe18ff6b3e431..ff5457dff0d999085e8cc003f44eb9cfa985de23 100644 (file)
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.68 2006/07/21 12:43:36 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -564,9 +564,7 @@ The forwarding specification must be one of the following forms:
 .Sm on
 .El
 .Pp
-Multiple instances of
-.Cm PermitOpen
-are permitted.
+Multiple forwards may be specified by separating them with whitespace.
 An argument of
 .Dq any
 can be used to remove all restrictions and permit any forwarding requests.