[channels.c channels.h servconf.c servconf.h sshd_config.5]
Make PermitOpen take a list of permitted ports and act more like most
other keywords (ie the first match is the effective setting). This
also makes it easier to override a previously set PermitOpen. ok djm@
[auth1.c serverloop.c session.c sshconnect2.c]
missed some needed #include <unistd.h> when KERBEROS5=no; issue from
massimo@cedoc.mo.it
[auth1.c serverloop.c session.c sshconnect2.c]
missed some needed #include <unistd.h> when KERBEROS5=no; issue from
massimo@cedoc.mo.it
+ - dtucker@cvs.openbsd.org 2006/07/21 12:43:36
+ [channels.c channels.h servconf.c servconf.h sshd_config.5]
+ Make PermitOpen take a list of permitted ports and act more like most
+ other keywords (ie the first match is the effective setting). This
+ also makes it easier to override a previously set PermitOpen. ok djm@
20060713
- (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
20060713
- (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
-/* $OpenBSD: channels.c,v 1.257 2006/07/17 12:06:00 dtucker Exp $ */
+/* $OpenBSD: channels.c,v 1.258 2006/07/21 12:43:36 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
all_opens_permitted = 0;
}
all_opens_permitted = 0;
}
channel_add_adm_permitted_opens(char *host, int port)
{
if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
fatal("channel_add_adm_permitted_opens: too many forwards");
channel_add_adm_permitted_opens(char *host, int port)
{
if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
fatal("channel_add_adm_permitted_opens: too many forwards");
- debug("allow port forwarding to host %s port %d", host, port);
+ debug("config allows port forwarding to host %s port %d", host, port);
permitted_adm_opens[num_adm_permitted_opens].host_to_connect
= xstrdup(host);
permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port;
permitted_adm_opens[num_adm_permitted_opens].host_to_connect
= xstrdup(host);
permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port;
- num_adm_permitted_opens++;
+ return ++num_adm_permitted_opens;
-/* $OpenBSD: channels.h,v 1.86 2006/07/17 12:06:00 dtucker Exp $ */
+/* $OpenBSD: channels.h,v 1.87 2006/07/21 12:43:36 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
void channel_set_af(int af);
void channel_permit_all_opens(void);
void channel_add_permitted_opens(char *, int);
void channel_set_af(int af);
void channel_permit_all_opens(void);
void channel_add_permitted_opens(char *, int);
-void channel_add_adm_permitted_opens(char *, int);
+int channel_add_adm_permitted_opens(char *, int);
void channel_clear_permitted_opens(void);
void channel_clear_adm_permitted_opens(void);
int channel_input_port_forward_request(int, int);
void channel_clear_permitted_opens(void);
void channel_clear_adm_permitted_opens(void);
int channel_input_port_forward_request(int, int);
-/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.159 2006/07/21 12:43:36 dtucker Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
options->authorized_keys_file2 = NULL;
options->num_accept_env = 0;
options->permit_tun = -1;
options->authorized_keys_file2 = NULL;
options->num_accept_env = 0;
options->permit_tun = -1;
+ options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
}
options->adm_forced_command = NULL;
}
fatal("%s line %d: missing PermitOpen specification",
filename, linenum);
if (strcmp(arg, "any") == 0) {
fatal("%s line %d: missing PermitOpen specification",
filename, linenum);
if (strcmp(arg, "any") == 0) {
channel_clear_adm_permitted_opens();
channel_clear_adm_permitted_opens();
+ options->num_permitted_opens = 0;
+ }
- p = hpdelim(&arg);
- if (p == NULL)
- fatal("%s line %d: missing host in PermitOpen",
- filename, linenum);
- p = cleanhostname(p);
- if (arg == NULL || (port = a2port(arg)) == 0)
- fatal("%s line %d: bad port number in PermitOpen",
- filename, linenum);
- if (*activep)
- channel_add_adm_permitted_opens(p, port);
+ for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
+ p = hpdelim(&arg);
+ if (p == NULL)
+ fatal("%s line %d: missing host in PermitOpen",
+ filename, linenum);
+ p = cleanhostname(p);
+ if (arg == NULL || (port = a2port(arg)) == 0)
+ fatal("%s line %d: bad port number in "
+ "PermitOpen", filename, linenum);
+ if (*activep && options->num_permitted_opens == -1) {
+ channel_clear_adm_permitted_opens();
+ options->num_permitted_opens =
+ channel_add_adm_permitted_opens(p, port);
+ }
+ }
break;
case sForceCommand:
break;
case sForceCommand:
-/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.77 2006/07/21 12:43:36 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
int use_pam; /* Enable auth via PAM */
int permit_tun;
int use_pam; /* Enable auth via PAM */
int permit_tun;
+
+ int num_permitted_opens;
} ServerOptions;
void initialize_server_options(ServerOptions *);
} ServerOptions;
void initialize_server_options(ServerOptions *);
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.68 2006/07/21 12:43:36 dtucker Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
-Multiple instances of
-.Cm PermitOpen
-are permitted.
+Multiple forwards may be specified by separating them with whitespace.
An argument of
.Dq any
can be used to remove all restrictions and permit any forwarding requests.
An argument of
.Dq any
can be used to remove all restrictions and permit any forwarding requests.