Bugzilla – Attachment 1997 Details for
Bug 1857
[RFE] restrict port forwarding to localhost
[patch]
Add port wildcard to permitopen ("permitopen localhost:*")
openssh-portfwd-anyport.patch (text/plain), 4.95 KB, created by
Darren Tucker
on 2011-02-15 15:24:33 AEDT
Description:
Add port wildcard to permitopen ("permitopen localhost:*")
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2011-02-15 15:24:33 AEDT
Size:
4.95 KB
patch
obsolete
>Index: auth-options.c
>===================================================================
>RCS file: /home/dtucker/openssh/cvs/openssh/auth-options.c,v
>retrieving revision 1.53
>diff -u -p -r1.53 auth-options.c
>--- auth-options.c 6 Jan 2011 11:44:18 -0000 1.53
>+++ auth-options.c 15 Feb 2011 03:09:52 -0000
>@@ -341,7 +341,7 @@ auth_parse_options(struct passwd *pw, ch
> goto bad_option;
> }
> host = cleanhostname(host);
>- if (p == NULL || (port = a2port(p)) <= 0) {
>+ if (p == NULL || (port = permitopen_port(p)) < 0) {
> debug("%.100s, line %lu: Bad permitopen port "
> "<%.100s>", file, linenum, p ? p : "");
> auth_debug_add("%.100s, line %lu: "
>Index: channels.c
>===================================================================
>RCS file: /home/dtucker/openssh/cvs/openssh/channels.c,v
>retrieving revision 1.301
>diff -u -p -r1.301 channels.c
>--- channels.c 1 Dec 2010 01:02:35 -0000 1.301
>+++ channels.c 15 Feb 2011 04:12:18 -0000
>@@ -125,6 +125,9 @@ static int num_permitted_opens = 0;
> /* Number of permitted host/port pair in the array permitted by the admin. */
> static int num_adm_permitted_opens = 0;
>
>+/* special-case port number meaning allow any port */
>+#define FWD_PERMIT_ANY_PORT 0
>+
> /*
> * If this is true, all opens are permitted. This is the case on the server
> * on which we have to trust the client anyway, and the user could do
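Review bot: FWD_PERMIT_ANY_PORT is defined privately in channels.c, but it is now a return value of permitopen_port(), which this patch exports through channels.h to auth-options.c and servconf.c; those callers only test `< 0`, so they work, but the sentinel belongs in channels.h beside the prototype so a caller can name it instead of relying on it being 0. The comment should also record why 0 is usable as the sentinel: `/* special-case port number meaning allow any port; never produced by permitopen_port() for a real port, since an a2port() result of 0 is rejected there */`.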
>@@ -3073,6 +3076,28 @@ channel_print_adm_permitted_opens(void)
> printf("\n");
> }
>
>+/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
>+int
>+permitopen_port(const char *p)
>+{
>+ int port;
>+
>+ if (strcmp(p, "*") == 0)
>+ return FWD_PERMIT_ANY_PORT;
>+ if ((port = a2port(p)) > 0)
>+ return port;
>+ return -1;
>+}
>+
>+static int
>+port_match(u_short allowedport, u_short requestedport)
>+{
>+ if (allowedport == FWD_PERMIT_ANY_PORT ||
>+ allowedport == requestedport)
>+ return 1;
>+ return 0;
>+}
>+
> /* Try to start non-blocking connect to next host in cctx list */
> static int
> connect_next(struct channel_connect *cctx)
>@@ -3175,7 +3200,7 @@ channel_connect_by_listen_address(u_shor
>
> for (i = 0; i < num_permitted_opens; i++) {
> if (permitted_opens[i].host_to_connect != NULL &&
>- permitted_opens[i].listen_port == listen_port) {
>+ port_match(permitted_opens[i].listen_port, listen_port)) {
> return connect_to(
> permitted_opens[i].host_to_connect,
> permitted_opens[i].port_to_connect, ctype, rname);
>@@ -3196,7 +3221,7 @@ channel_connect_to(const char *host, u_s
> if (!permit) {
> for (i = 0; i < num_permitted_opens; i++)
> if (permitted_opens[i].host_to_connect != NULL &&
>- permitted_opens[i].port_to_connect == port &&
>+ port_match(permitted_opens[i].port_to_connect, port) &&
> strcmp(permitted_opens[i].host_to_connect, host) == 0)
> permit = 1;
> }
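Review bot: permitopen_port() stores the wildcard as port value 0, and channel_print_adm_permitted_opens(), whose body ends just above these lines, is what dumps the PermitOpen list for `sshd -T`; if it prints the stored number, a wildcard entry would come out as `host:0`, which permitopen_port() rejects on re-read because only `*` or an a2port() result above 0 is accepted — worth confirming and special-casing FWD_PERMIT_ANY_PORT in the printer. The header comment on permitopen_port() should also state its contract and precondition: `/* Parse a permitopen port spec: "*" -> FWD_PERMIT_ANY_PORT, a port in 1..65535 -> that port, anything else -> -1; p must be non-NULL (both callers check first). */`.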
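Review bot: port_match() treats a stored listen_port of 0 as a wildcard, but permitted_opens[].listen_port is not filled by permitopen_port(), so the sentinel is in-band in this lookup; any entry whose listen_port is 0 (for instance a remote forward requested with port 0, if that path leaves the field at 0 until the server reports the allocated port — confirm outside this hunk) would match every forwarded-tcpip request and connect to that entry's target. Since only the server-side permitopen/PermitOpen parsers ever produce the wildcard, this client-side lookup should keep the exact comparison `permitted_opens[i].listen_port == listen_port`, or port_match() should be applied only to the port_to_connect fields of entries created from a permitopen specification. channel_connect_by_listen_address() starts before this hunk.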
>@@ -3205,7 +3230,7 @@ channel_connect_to(const char *host, u_s
> permit_adm = 0;
> for (i = 0; i < num_adm_permitted_opens; i++)
> if (permitted_adm_opens[i].host_to_connect != NULL &&
>- permitted_adm_opens[i].port_to_connect == port &&
>+ port_match(permitted_adm_opens[i].port_to_connect, port) &&
> strcmp(permitted_adm_opens[i].host_to_connect, host)
> == 0)
> permit_adm = 1;
>Index: channels.h
>===================================================================
>RCS file: /home/dtucker/openssh/cvs/openssh/channels.h,v
>retrieving revision 1.97
>diff -u -p -r1.97 channels.h
>--- channels.h 21 May 2010 04:57:10 -0000 1.97
>+++ channels.h 15 Feb 2011 03:34:13 -0000
>@@ -264,6 +264,7 @@ int channel_setup_local_fwd_listener(co
> void channel_request_rforward_cancel(const char *host, u_short port);
> int channel_setup_remote_fwd_listener(const char *, u_short, int *, int);
> int channel_cancel_rport_listener(const char *, u_short);
>+int permitopen_port(const char *);
>
> /* x11 forwarding */
>
>Index: servconf.c
>===================================================================
>RCS file: /home/dtucker/openssh/cvs/openssh/servconf.c,v
>retrieving revision 1.209
>diff -u -p -r1.209 servconf.c
>--- servconf.c 20 Nov 2010 04:19:38 -0000 1.209
>+++ servconf.c 15 Feb 2011 04:11:39 -0000
>@@ -1344,7 +1344,7 @@ process_server_config_line(ServerOptions
> fatal("%s line %d: missing host in PermitOpen",
> filename, linenum);
> p = cleanhostname(p);
>- if (arg == NULL || (port = a2port(arg)) <= 0)
>+ if (arg == NULL || ((port = permitopen_port(arg)) < 0))
> fatal("%s line %d: bad port number in "
> "PermitOpen", filename, linenum);
> if (*activep && n == -1)
>Index: sshd.8
>===================================================================
>RCS file: /home/dtucker/openssh/cvs/openssh/sshd.8,v
>retrieving revision 1.221
>diff -u -p -r1.221 sshd.8
>--- sshd.8 4 Nov 2010 23:20:14 -0000 1.221
>+++ sshd.8 15 Feb 2011 02:48:17 -0000
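Review bot: PermitOpen in sshd_config now accepts `host:*`, but the patch documents the wildcard only for the authorized_keys permitopen option in sshd.8 (the files touched are auth-options.c, channels.c, channels.h, servconf.c and sshd.8); the PermitOpen entry in sshd_config.5 needs the same sentence, `A port specification of .Cm * matches any port.` The extra parentheses in `((port = permitopen_port(arg)) < 0)` can be dropped to match the form used in auth-options.c. process_server_config_line() starts before this hunk and continues past it.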
>@@ -605,6 +605,9 @@ Multiple
> options may be applied separated by commas.
> No pattern matching is performed on the specified hostnames,
> they must be literal domains or addresses.
>+A port specification of
>+.Cm *
>+matches any port.
> .It Cm principals="principals"
> On a
> .Cm cert-authority