
(-)auth-options.c (-1 / +1 lines)
Lines 341-347 auth_parse_options(struct passwd *pw, ch Link Here
341
				goto bad_option;
341
				goto bad_option;
342
			}
342
			}
343
			host = cleanhostname(host);
343
			host = cleanhostname(host);
344
			if (p == NULL || (port = a2port(p)) <= 0) {
344
			if (p == NULL || (port = permitopen_port(p)) < 0) {
345
				debug("%.100s, line %lu: Bad permitopen port "
345
				debug("%.100s, line %lu: Bad permitopen port "
346
				    "<%.100s>", file, linenum, p ? p : "");
346
				    "<%.100s>", file, linenum, p ? p : "");
347
				auth_debug_add("%.100s, line %lu: "
347
				auth_debug_add("%.100s, line %lu: "
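--- a/channels.c
+++ b/channels.c
@@ -125,6 +125,9 @@ static int num_permitted_opens = 0;
 /* Number of permitted host/port pair in the array permitted by the admin. */
 static int num_adm_permitted_opens = 0;
 
+/* special-case port number meaning allow any port */
+#define FWD_PERMIT_ANY_PORT	0
+
 /*
  * If this is true, all opens are permitted.  This is the case on the server
  * on which we have to trust the client anyway, and the user could do
@@ -3073,6 +3076,28 @@ channel_print_adm_permitted_opens(void)
 	printf("\n");
 }
 
+/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
+int
+permitopen_port(const char *p)
+{
+	int port;
+
+	if (strcmp(p, "*") == 0)
+		return FWD_PERMIT_ANY_PORT;
+	if ((port = a2port(p)) > 0)
+		return port;
+	return -1;
+}
+
+static int
+port_match(u_short allowedport, u_short requestedport)
+{
+	if (allowedport == FWD_PERMIT_ANY_PORT ||
+	    allowedport == requestedport)
+		return 1;
+	return 0;
+}
+
 /* Try to start non-blocking connect to next host in cctx list */
 static int
 connect_next(struct channel_connect *cctx)
@@ -3175,7 +3200,7 @@ channel_connect_by_listen_address(u_shor
 
 	for (i = 0; i < num_permitted_opens; i++) {
 		if (permitted_opens[i].host_to_connect != NULL &&
-		    permitted_opens[i].listen_port == listen_port) {
+		    port_match(permitted_opens[i].listen_port, listen_port)) {
 			return connect_to(
 			    permitted_opens[i].host_to_connect,
 			    permitted_opens[i].port_to_connect, ctype, rname);
@@ -3196,7 +3221,7 @@ channel_connect_to(const char *host, u_s
 	if (!permit) {
 		for (i = 0; i < num_permitted_opens; i++)
 			if (permitted_opens[i].host_to_connect != NULL &&
-			    permitted_opens[i].port_to_connect == port &&
+			    port_match(permitted_opens[i].port_to_connect, port) &&
 			    strcmp(permitted_opens[i].host_to_connect, host) == 0)
 				permit = 1;
 	}
@@ -3205,7 +3230,7 @@ channel_connect_to(const char *host, u_s
 		permit_adm = 0;
 		for (i = 0; i < num_adm_permitted_opens; i++)
 			if (permitted_adm_opens[i].host_to_connect != NULL &&
-			    permitted_adm_opens[i].port_to_connect == port &&
+			    port_match(permitted_adm_opens[i].port_to_connect, port) &&
 			    strcmp(permitted_adm_opens[i].host_to_connect, host)
 			    == 0)
 				permit_adm = 1;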
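Review bot: port_match() turns the value 0 into a match-everything wildcard for every field it is applied to, including listen_port in channel_connect_by_listen_address (the hunk at Lines 3175-3181), while only the PermitOpen parsing paths in servconf.c and auth-options.c go through permitopen_port(), where 0 is produced solely by "*". If any other code path can leave a permitted_opens entry with listen_port == 0 (for instance an entry stored before a port is assigned), that entry would silently admit every forwarded port; whether such a path exists is not visible in this diff and should be confirmed before the wildcard is applied to listen_port. Making the contract explicit on port_match() would help the next maintainer: `/* 0 (FWD_PERMIT_ANY_PORT) matches any port; callers must never store 0 in a permitted_opens port field except via permitopen_port("*") */`. The bodies of channel_connect_by_listen_address and channel_connect_to continue outside their hunks.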
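--- a/channels.h
+++ b/channels.h
@@ -264,6 +264,7 @@ int channel_setup_local_fwd_listener(co
 void	 channel_request_rforward_cancel(const char *host, u_short port);
 int	 channel_setup_remote_fwd_listener(const char *, u_short, int *, int);
 int	 channel_cancel_rport_listener(const char *, u_short);
+int	 permitopen_port(const char *);
 
 /* x11 forwarding */
 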
(-)servconf.c (-1 / +1 lines)
Lines 1344-1350 process_server_config_line(ServerOptions Link Here
1344
				fatal("%s line %d: missing host in PermitOpen",
1344
				fatal("%s line %d: missing host in PermitOpen",
1345
				    filename, linenum);
1345
				    filename, linenum);
1346
			p = cleanhostname(p);
1346
			p = cleanhostname(p);
1347
			if (arg == NULL || (port = a2port(arg)) <= 0)
1347
			if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1348
				fatal("%s line %d: bad port number in "
1348
				fatal("%s line %d: bad port number in "
1349
				    "PermitOpen", filename, linenum);
1349
				    "PermitOpen", filename, linenum);
1350
			if (*activep && n == -1)
1350
			if (*activep && n == -1)
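--- a/sshd.8
+++ b/sshd.8
@@ -605,6 +605,9 @@ Multiple
 options may be applied separated by commas.
 No pattern matching is performed on the specified hostnames,
 they must be literal domains or addresses.
+A port specification of
+.Cm *
+matches any port.
 .It Cm principals="principals"
 On a
 .Cm cert-authority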
