|
Lines 121-135
typedef struct {
|
| 121 |
|
121 |
|
| 122 |
/* List of all permitted host/port pairs to connect by the user. */ |
122 |
/* List of all permitted host/port pairs to connect by the user. */ |
| 123 |
static ForwardPermission *permitted_opens = NULL; |
123 |
static ForwardPermission *permitted_opens = NULL; |
|
|
124 |
static ForwardPermission *permitted_remote_opens = NULL; |
| 124 |
|
125 |
|
| 125 |
/* List of all permitted host/port pairs to connect by the admin. */ |
126 |
/* List of all permitted host/port pairs to connect by the admin. */ |
| 126 |
static ForwardPermission *permitted_adm_opens = NULL; |
127 |
static ForwardPermission *permitted_adm_opens = NULL; |
|
|
128 |
static ForwardPermission *permitted_adm_remote_opens = NULL; |
| 127 |
|
129 |
|
| 128 |
/* Number of permitted host/port pairs in the array permitted by the user. */ |
130 |
/* Number of permitted host/port pairs in the array permitted by the user. */ |
| 129 |
static int num_permitted_opens = 0; |
131 |
static int num_permitted_opens = 0; |
|
|
132 |
static int num_permitted_remote_opens = 0; |
| 130 |
|
133 |
|
| 131 |
/* Number of permitted host/port pair in the array permitted by the admin. */ |
134 |
/* Number of permitted host/port pair in the array permitted by the admin. */ |
| 132 |
static int num_adm_permitted_opens = 0; |
135 |
static int num_adm_permitted_opens = 0; |
|
|
136 |
static int num_adm_permitted_remote_opens = 0; |
| 133 |
|
137 |
|
| 134 |
/* special-case port number meaning allow any port */ |
138 |
/* special-case port number meaning allow any port */ |
| 135 |
#define FWD_PERMIT_ANY_PORT 0 |
139 |
#define FWD_PERMIT_ANY_PORT 0 |
|
Lines 140-145
static int num_adm_permitted_opens = 0;
|
| 140 |
* anything after logging in anyway. |
144 |
* anything after logging in anyway. |
| 141 |
*/ |
145 |
*/ |
| 142 |
static int all_opens_permitted = 0; |
146 |
static int all_opens_permitted = 0; |
|
|
147 |
static int all_remote_opens_permitted = 0; |
| 143 |
|
148 |
|
| 144 |
|
149 |
|
| 145 |
/* -- X11 forwarding */ |
150 |
/* -- X11 forwarding */ |
|
Lines 3449-3454
channel_permit_all_opens(void)
|
| 3449 |
if (num_permitted_opens == 0) |
3454 |
if (num_permitted_opens == 0) |
| 3450 |
all_opens_permitted = 1; |
3455 |
all_opens_permitted = 1; |
| 3451 |
} |
3456 |
} |
|
|
3457 |
void |
| 3458 |
channel_permit_all_remote_opens(void) |
| 3459 |
{ |
| 3460 |
if (num_permitted_remote_opens == 0) |
| 3461 |
all_remote_opens_permitted = 1; |
| 3462 |
} |
| 3463 |
|
| 3452 |
|
3464 |
|
| 3453 |
void |
3465 |
void |
| 3454 |
channel_add_permitted_opens(char *host, int port) |
3466 |
channel_add_permitted_opens(char *host, int port) |
|
Lines 3467-3472
channel_add_permitted_opens(char *host, int port)
|
| 3467 |
all_opens_permitted = 0; |
3479 |
all_opens_permitted = 0; |
| 3468 |
} |
3480 |
} |
| 3469 |
|
3481 |
|
|
|
3482 |
void |
| 3483 |
channel_add_permitted_remote_opens(int port) |
| 3484 |
{ |
| 3485 |
debug("allow remote port forwarding %d", port); |
| 3486 |
|
| 3487 |
permitted_remote_opens = xrealloc(permitted_remote_opens, |
| 3488 |
num_permitted_remote_opens + 1, sizeof(*permitted_remote_opens)); |
| 3489 |
permitted_remote_opens[num_permitted_remote_opens].listen_port = port; |
| 3490 |
num_permitted_remote_opens++; |
| 3491 |
|
| 3492 |
all_remote_opens_permitted = 0; |
| 3493 |
} |
| 3494 |
|
| 3470 |
/* |
3495 |
/* |
| 3471 |
* Update the listen port for a dynamic remote forward, after |
3496 |
* Update the listen port for a dynamic remote forward, after |
| 3472 |
* the actual 'newport' has been allocated. If 'newport' < 0 is |
3497 |
* the actual 'newport' has been allocated. If 'newport' < 0 is |
|
Lines 3516-3521
channel_add_adm_permitted_opens(char *host, int port)
|
| 3516 |
return ++num_adm_permitted_opens; |
3541 |
return ++num_adm_permitted_opens; |
| 3517 |
} |
3542 |
} |
| 3518 |
|
3543 |
|
|
|
3544 |
int |
| 3545 |
channel_add_adm_permitted_remote_opens(int port) |
| 3546 |
{ |
| 3547 |
debug("config allows remote port forwarding, port %d", port); |
| 3548 |
|
| 3549 |
permitted_adm_remote_opens = xrealloc(permitted_adm_remote_opens, |
| 3550 |
num_adm_permitted_remote_opens + 1, sizeof(*permitted_adm_remote_opens)); |
| 3551 |
permitted_adm_remote_opens[num_adm_permitted_remote_opens].listen_port = port; |
| 3552 |
return ++num_adm_permitted_remote_opens; |
| 3553 |
} |
| 3554 |
|
| 3555 |
|
| 3519 |
void |
3556 |
void |
| 3520 |
channel_disable_adm_local_opens(void) |
3557 |
channel_disable_adm_local_opens(void) |
| 3521 |
{ |
3558 |
{ |
|
Lines 3526-3531
channel_disable_adm_local_opens(void)
|
| 3526 |
} |
3563 |
} |
| 3527 |
|
3564 |
|
| 3528 |
void |
3565 |
void |
|
|
3566 |
channel_disable_adm_remote_opens(void) |
| 3567 |
{ |
| 3568 |
channel_clear_adm_permitted_remote_opens(); |
| 3569 |
permitted_adm_remote_opens = xmalloc(sizeof(*permitted_adm_remote_opens)); |
| 3570 |
permitted_adm_remote_opens[num_adm_permitted_remote_opens].host_to_connect = NULL; |
| 3571 |
num_adm_permitted_remote_opens = 1; |
| 3572 |
} |
| 3573 |
|
| 3574 |
void |
| 3529 |
channel_clear_permitted_opens(void) |
3575 |
channel_clear_permitted_opens(void) |
| 3530 |
{ |
3576 |
{ |
| 3531 |
int i; |
3577 |
int i; |
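Review bot: channel_disable_adm_remote_opens allocates one entry, leaves its listen_port uninitialized (xmalloc, not xcalloc) and only clears host_to_connect, yet nothing in this patch reads host_to_connect — the strcmp in channel_connect_remote_to is commented out — so the "disable" entry behaves like an ordinary permitted port with an indeterminate value rather than a deny-all. Give the entry an explicit value that the port check can recognise, e.g. `permitted_adm_remote_opens[0].listen_port = -1;` with a matching `if (allowedport < 0) return 0;` style rejection where remote ports are compared (remote_port_match takes u_short, so the field type or the sentinel needs to be chosen together). The way channel_disable_adm_local_opens is honoured is outside this hunk, so mirror whatever convention it uses.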
|
Lines 3541-3546
channel_clear_permitted_opens(void)
|
| 3541 |
} |
3587 |
} |
| 3542 |
|
3588 |
|
| 3543 |
void |
3589 |
void |
|
|
3590 |
channel_clear_permitted_remote_opens(void) |
| 3591 |
{ |
| 3592 |
|
| 3593 |
free(permitted_remote_opens); |
| 3594 |
permitted_remote_opens = NULL; |
| 3595 |
num_permitted_remote_opens = 0; |
| 3596 |
} |
| 3597 |
|
| 3598 |
|
| 3599 |
void |
| 3544 |
channel_clear_adm_permitted_opens(void) |
3600 |
channel_clear_adm_permitted_opens(void) |
| 3545 |
{ |
3601 |
{ |
| 3546 |
int i; |
3602 |
int i; |
|
Lines 3556-3561
channel_clear_adm_permitted_opens(void)
Link Here
|
| 3556 |
} |
3612 |
} |
| 3557 |
|
3613 |
|
| 3558 |
void |
3614 |
void |
|
|
3615 |
channel_clear_adm_permitted_remote_opens(void) |
| 3616 |
{ |
| 3617 |
free(permitted_adm_remote_opens); |
| 3618 |
permitted_adm_remote_opens = NULL; |
| 3619 |
num_adm_permitted_remote_opens = 0; |
| 3620 |
} |
| 3621 |
|
| 3622 |
|
| 3623 |
void |
| 3559 |
channel_print_adm_permitted_opens(void) |
3624 |
channel_print_adm_permitted_opens(void) |
| 3560 |
{ |
3625 |
{ |
| 3561 |
int i; |
3626 |
int i; |
|
Lines 3824-3829
channel_connect_to_path(const char *path, char *ctype, char *rname)
Link Here
|
| 3824 |
return connect_to(path, PORT_STREAMLOCAL, ctype, rname); |
3889 |
return connect_to(path, PORT_STREAMLOCAL, ctype, rname); |
| 3825 |
} |
3890 |
} |
| 3826 |
|
3891 |
|
|
|
3892 |
static int |
| 3893 |
remote_port_match(u_short allowedport, u_short requestedport) |
| 3894 |
{ |
| 3895 |
if (allowedport == FWD_PERMIT_ANY_PORT || |
| 3896 |
allowedport == requestedport) |
| 3897 |
return 1; |
| 3898 |
return 0; |
| 3899 |
} |
| 3900 |
|
| 3901 |
/* Check if remote port is permitted and connect. */ |
| 3902 |
int |
| 3903 |
channel_connect_remote_to(u_short port) |
| 3904 |
{ |
| 3905 |
int i, permit, permit_adm = 1; |
| 3906 |
int allowed_port = 0; |
| 3907 |
|
| 3908 |
permit = all_remote_opens_permitted; |
| 3909 |
if (!permit) { |
| 3910 |
for (i = 0; i < num_permitted_remote_opens; i++) { |
| 3911 |
allowed_port = permitted_remote_opens[i].listen_port; |
| 3912 |
debug("i=%d check remote permitted vs requested " |
| 3913 |
"%u vs %u", i, allowed_port, port); |
| 3914 |
if ( remote_port_match(allowed_port, port)) { |
| 3915 |
debug2("i=%d found match remote permitted vs " |
| 3916 |
"requested %u==%u", i, allowed_port, port); |
| 3917 |
permit = 1; |
| 3918 |
break; |
| 3919 |
} |
| 3920 |
} |
| 3921 |
} |
| 3922 |
if (num_adm_permitted_remote_opens > 0) { |
| 3923 |
permit_adm = 0; |
| 3924 |
for (i = 0; i < num_adm_permitted_remote_opens; i++) |
| 3925 |
if (remote_port_match(allowed_port, port) ) { |
| 3926 |
/* && strcmp(permitted_adm_remote_opens[i].host_to_connect, host) == 0) */ |
| 3927 |
debug2("i=%d found match admin remote permitted vs " |
| 3928 |
"requested %u==%u", i, allowed_port, port); |
| 3929 |
permit_adm = 1; |
| 3930 |
} |
| 3931 |
} |
| 3932 |
|
| 3933 |
if (!permit || !permit_adm) { |
| 3934 |
logit("Received request to forward remote port %d, " |
| 3935 |
"but the request was denied. return %d", port, permit); |
| 3936 |
return 0; |
| 3937 |
} |
| 3938 |
return ( permit | permit_adm); |
| 3939 |
} |
| 3940 |
|
| 3941 |
|
| 3942 |
|
| 3827 |
void |
3943 |
void |
| 3828 |
channel_send_window_changes(void) |
3944 |
channel_send_window_changes(void) |
| 3829 |
{ |
3945 |
{ |
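Review bot: The admin loop in channel_connect_remote_to never reads the admin entry — it calls `remote_port_match(allowed_port, port)` with `allowed_port` still holding whatever the user loop last stored, or 0 when that loop did not run; since 0 is FWD_PERMIT_ANY_PORT, a session with all_remote_opens_permitted set makes every admin entry match every port, bypassing the admin restriction. The loop body should be `if (remote_port_match(permitted_adm_remote_opens[i].listen_port, port)) { permit_adm = 1; break; }` and the debug2 should print that entry's port. The commented-out strcmp line should go, and the denial logit prints only `permit` while the message reads as a generic return code, so log both `permit` and `permit_adm` (or neither). Consider `%u` for the u_short port in the logit to match the debug calls above it.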
|
Lines 4245-4247
auth_request_forwarding(void)
|
| 4245 |
packet_send(); |
4361 |
packet_send(); |
| 4246 |
packet_write_wait(); |
4362 |
packet_write_wait(); |
| 4247 |
} |
4363 |
} |
|
|
4364 |
|