
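--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -160,13 +160,6 @@ char *forward_agent_sock_path = NULL;
 /* Various strings used to to percent_expand() arguments */
 static char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
 static char uidstr[32], *host_arg, *conn_hash_hex;
-#define DEFAULT_CLIENT_PERCENT_EXPAND_ARGS \
-    "C", conn_hash_hex, \
-    "L", shorthost, \
-    "i", uidstr, \
-    "l", thishost, \
-    "n", host_arg, \
-    "p", portstr
 
 /* socket address the host resolves to */
 struct sockaddr_storage hostaddr;
@@ -222,6 +215,34 @@ tilde_expand_paths(char **paths, u_int n
 	}
 }
 
+#define DEFAULT_CLIENT_PERCENT_EXPAND_ARGS \
+    "C", conn_hash_hex, \
+    "L", shorthost, \
+    "i", uidstr, \
+    "l", thishost, \
+    "n", host_arg, \
+    "p", portstr
+
+/*
+ * Expands the set of percent_expand options used by the majority of keywords
+ * in the client that support percent expansion.
+ * Caller must free returned string.
+ */
+static char *
+default_client_percent_expand(const char *str, const char *homedir,
+    const char *remhost, const char *remuser, const char *locuser)
+{
+	return percent_expand(str,
+	    /* values from statics above */
+	    DEFAULT_CLIENT_PERCENT_EXPAND_ARGS,
+	    /* values from arguments */
+	    "d", homedir,
+	    "h", remhost,
+	    "r", remuser,
+	    "u", locuser,
+	    (char *)NULL);
+}
+
 /*
  * Attempt to resolve a host name / port to a set of addresses and
  * optionally return any CNAMEs encountered along the way.
@@ -1324,13 +1345,8 @@ main(int ac, char **av)
 	if (options.remote_command != NULL) {
 		debug3("expanding RemoteCommand: %s", options.remote_command);
 		cp = options.remote_command;
-		options.remote_command = percent_expand(cp,
-		    DEFAULT_CLIENT_PERCENT_EXPAND_ARGS,
-		    "d", pw->pw_dir,
-		    "h", host,
-		    "r", options.user,
-		    "u", pw->pw_name,
-		    (char *)NULL);
+		options.remote_command = default_client_percent_expand(cp,
+		    pw->pw_dir, host, options.user, pw->pw_name);
 		debug3("expanded RemoteCommand: %s", options.remote_command);
 		free(cp);
 		if ((r = sshbuf_put(command, options.remote_command,
@@ -1341,25 +1357,15 @@ main(int ac, char **av)
 	if (options.control_path != NULL) {
 		cp = tilde_expand_filename(options.control_path, getuid());
 		free(options.control_path);
-		options.control_path = percent_expand(cp,
-		    DEFAULT_CLIENT_PERCENT_EXPAND_ARGS,
-		    "d", pw->pw_dir,
-		    "h", host,
-		    "r", options.user,
-		    "u", pw->pw_name,
-		    (char *)NULL);
+		options.control_path = default_client_percent_expand(cp,
+		    pw->pw_dir, host, options.user, pw->pw_name);
 		free(cp);
 	}
 
 	if (options.identity_agent != NULL) {
 		p = tilde_expand_filename(options.identity_agent, getuid());
-		cp = percent_expand(p,
-		    DEFAULT_CLIENT_PERCENT_EXPAND_ARGS,
-		    "d", pw->pw_dir,
-		    "h", host,
-		    "r", options.user,
-		    "u", pw->pw_name,
-		    (char *)NULL);
+		cp = default_client_percent_expand(p,
+		    pw->pw_dir, host, options.user, pw->pw_name);
 		free(p);
 		free(options.identity_agent);
 		options.identity_agent = cp;
@@ -1368,18 +1374,59 @@ main(int ac, char **av)
 	if (options.forward_agent_sock_path != NULL) {
 		p = tilde_expand_filename(options.forward_agent_sock_path,
 		    getuid());
-		cp = percent_expand(p,
-		    DEFAULT_CLIENT_PERCENT_EXPAND_ARGS,
-		    "d", pw->pw_dir,
-		    "h", host,
-		    "r", options.user,
-		    "u", pw->pw_name,
-		    (char *)NULL);
+		cp = default_client_percent_expand(p,
+		    pw->pw_dir, host, options.user, pw->pw_name);
 		free(p);
 		free(options.forward_agent_sock_path);
 		options.forward_agent_sock_path = cp;
 	}
 
+	for (i = 0; i < options.num_local_forwards; i++) {
+		if (options.local_forwards[i].listen_path != NULL) {
+			cp = options.local_forwards[i].listen_path;
+			p = options.local_forwards[i].listen_path =
+			    default_client_percent_expand(cp,
+			    pw->pw_dir, host, options.user, pw->pw_name);
+			if (strcmp(cp, p) != 0)
+				debug3("expanded LocalForward listen path "
+				    "'%s' -> '%s'", cp, p);
+			free(cp);
+		}
+		if (options.local_forwards[i].connect_path != NULL) {
+			cp = options.local_forwards[i].connect_path;
+			p = options.local_forwards[i].connect_path =
+			    default_client_percent_expand(cp,
+			    pw->pw_dir, host, options.user, pw->pw_name);
+			if (strcmp(cp, p) != 0)
+				debug3("expanded LocalForward connect path "
+				    "'%s' -> '%s'", cp, p);
+			free(cp);
+		}
+	}
+
+	for (i = 0; i < options.num_remote_forwards; i++) {
+		if (options.remote_forwards[i].listen_path != NULL) {
+			cp = options.remote_forwards[i].listen_path;
+			p = options.remote_forwards[i].listen_path =
+			    default_client_percent_expand(cp,
+			    pw->pw_dir, host, options.user, pw->pw_name);
+			if (strcmp(cp, p) != 0)
+				debug3("expanded RemoteForward listen path "
+				    "'%s' -> '%s'", cp, p);
+			free(cp);
+		}
+		if (options.remote_forwards[i].connect_path != NULL) {
+			cp = options.remote_forwards[i].connect_path;
+			p = options.remote_forwards[i].connect_path =
+			    default_client_percent_expand(cp,
+			    pw->pw_dir, host, options.user, pw->pw_name);
+			if (strcmp(cp, p) != 0)
+				debug3("expanded RemoteForward connect path "
+				    "'%s' -> '%s'", cp, p);
+			free(cp);
+		}
+	}
+
 	if (config_test) {
 		dump_client_config(&options, host);
 		exit(0);
@@ -2099,13 +2146,8 @@ load_public_identity_files(struct passwd
 			continue;
 		}
 		cp = tilde_expand_filename(options.identity_files[i], getuid());
-		filename = percent_expand(cp,
-		    DEFAULT_CLIENT_PERCENT_EXPAND_ARGS,
-		    "d", pw->pw_dir,
-		    "h", host,
-		    "r", options.user,
-		    "u", pw->pw_name,
-		    (char *)NULL);
+		filename = default_client_percent_expand(cp,
+		    pw->pw_dir, host, options.user, pw->pw_name);
 		free(cp);
 		check_load(sshkey_load_public(filename, &public, NULL),
 		    filename, "pubkey");
@@ -2154,13 +2196,8 @@ load_public_identity_files(struct passwd
 	for (i = 0; i < options.num_certificate_files; i++) {
 		cp = tilde_expand_filename(options.certificate_files[i],
 		    getuid());
-		filename = percent_expand(cp,
-		    DEFAULT_CLIENT_PERCENT_EXPAND_ARGS,
-		    "d", pw->pw_dir,
-		    "h", host,
-		    "r", options.user,
-		    "u", pw->pw_name,
-		    (char *)NULL);
+		filename = default_client_percent_expand(cp,
+		    pw->pw_dir, host, options.user, pw->pw_name);
 		free(cp);
 
 		check_load(sshkey_load_public(filename, &public, NULL),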
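--- a/usr.bin/ssh/ssh_config.5
+++ b/usr.bin/ssh/ssh_config.5
@@ -1126,12 +1126,15 @@ has been enabled.
 .It Cm LocalForward
 Specifies that a TCP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
-The first argument must be
+The first argument specifies the listener and may be
 .Sm off
 .Oo Ar bind_address : Oc Ar port
 .Sm on
-and the second argument must be
-.Ar host : Ns Ar hostport .
+or a Unix domain socket path.
+The second argument is the destination and may be
+.Ar host : Ns Ar hostport
+or a Unix domain socket path if the remote host supports it.
+.Pp
 IPv6 addresses can be specified by enclosing addresses in square brackets.
 Multiple forwardings may be specified, and additional forwardings can be
 given on the command line.
@@ -1150,6 +1153,9 @@ indicates that the listening port be bou
 empty address or
 .Sq *
 indicates that the port should be available from all interfaces.
+Unix domain socket paths accept the tokens described in the
+.Sx TOKENS
+section.
 .It Cm LogLevel
 Gives the verbosity level that is used when logging messages from
 .Xr ssh 1 .
@@ -1402,12 +1408,14 @@ the secure channel.
 The remote port may either be forwarded to a specified host and port
 from the local machine, or may act as a SOCKS 4/5 proxy that allows a remote
 client to connect to arbitrary destinations from the local machine.
-The first argument must be
+The first argument is the listening specification and may be
 .Sm off
 .Oo Ar bind_address : Oc Ar port
 .Sm on
+or, if the remote host supports it, a Unix domain socket path.
 If forwarding to a specific destination then the second argument must be
-.Ar host : Ns Ar hostport ,
+.Ar host : Ns Ar hostport
+or a Unix domain socket path,
 otherwise if no destination argument is specified then the remote forwarding
 will be established as a SOCKS proxy.
 .Pp
@@ -1416,6 +1424,9 @@ Multiple forwardings may be specified, a
 forwardings can be given on the command line.
 Privileged ports can be forwarded only when
 logging in as root on the remote machine.
+Unix domain socket paths accept the tokens described in the
+.Sx TOKENS
+section.
 .Pp
 If the
 .Ar port
@@ -1846,13 +1857,15 @@ otherwise.
 The local username.
 .El
 .Pp
-.Cm Match exec ,
 .Cm CertificateFile ,
 .Cm ControlPath ,
 .Cm IdentityAgent ,
 .Cm IdentityFile ,
+.Cm LocalForward,
+.Cm Match exec ,
+.Cm RemoteCommand ,
 and
-.Cm RemoteCommand
+.Cm RemoteForward
 accept the tokens %%, %C, %d, %h, %i, %L, %l, %n, %p, %r, and %u.
 .Pp
 .Cm Hostname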
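--- a/regress/usr.bin/ssh/percent.sh
+++ b/regress/usr.bin/ssh/percent.sh
@@ -33,6 +33,13 @@ trial()
 		${SSH} -F $OBJ/ssh_proxy_match remuser@somehost true || true
 		got=`cat $OBJ/actual`
 		;;
+	*forward)
+		# LocalForward and RemoteForward take two args and only
+		# operate on Unix domain socket paths
+		got=`${SSH} -F $OBJ/ssh_proxy -o $opt="/$arg /$arg" -G \
+		    remuser@somehost | awk '$1=="'$opt'"{print $2" "$3}'`
+		expect="/$expect /$expect"
+		;;
 	*)
 		got=`${SSH} -F $OBJ/ssh_proxy -o $opt="$arg" -G \
 		    remuser@somehost | awk '$1=="'$opt'"{print $2}'`
@@ -45,7 +52,7 @@ trial()
 }
 
 for i in matchexec localcommand remotecommand controlpath identityagent \
-    forwardagent; do
+    forwardagent localforward remoteforward; do
 	if [ "$i" = "localcommand" ]; then
 		HASH=94237ca18fe6b187dccf57e5593c0bb0a29cc302
 		REMUSER=$USER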
