Attachment #2517 for bug #2038




	}
	forced_tun_device = -1;
	channel_clear_permitted_opens();
	channel_clear_permitted_remote_opens();
}

/*

			free(patterns);
			goto next_option;
		}
		debug("AA trying permitremoteopen %s", opts);
		cp = "permitremoteopen=\"";
		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
			char *p;
			int port;
			char *patterns = xmalloc(strlen(opts) + 1);

			opts += strlen(cp);
			i = 0;
			while (*opts) {
				if (*opts == '"')
					break;
				if (*opts == '\\' && opts[1] == '"') {
					opts += 2;
					patterns[i++] = '"';
					continue;
				}
				patterns[i++] = *opts++;
			}
			if (!*opts) {
				debug("%.100s, line %lu: missing end quote",
				    file, linenum);
				auth_debug_add("%.100s, line %lu: missing "
				    "end quote", file, linenum);
				free(patterns);
				goto bad_option;
			}
			patterns[i] = '\0';
			opts++;
			p = patterns;
			if (p == NULL || (port = permitopen_port(p)) < 0) {
				debug("%.100s, line %lu: Bad permitremoteopen "
				     "port <%.100s>", file, linenum, p ? p :
				      "");
				auth_debug_add("%.100s, line %lu: "
						"Bad permitremoteopen port",
						file, linenum);
				free(patterns);
				goto bad_option;
			}
			if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
				channel_add_permitted_remote_opens(port);
			free(patterns);
			goto next_option;
		}
		cp = "tunnel=\"";
		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
			char *tun = NULL;





/* List of all permitted host/port pairs to connect by the user. */
static ForwardPermission *permitted_opens = NULL;
static ForwardPermission *permitted_remote_opens = NULL;

/* List of all permitted host/port pairs to connect by the admin. */
static ForwardPermission *permitted_adm_opens = NULL;
static ForwardPermission *permitted_adm_remote_opens = NULL;

/* Number of permitted host/port pairs in the array permitted by the user. */
static int num_permitted_opens = 0;
static int num_permitted_remote_opens = 0;

/* Number of permitted host/port pair in the array permitted by the admin. */
static int num_adm_permitted_opens = 0;
static int num_adm_permitted_remote_opens = 0;

/* special-case port number meaning allow any port */
#define FWD_PERMIT_ANY_PORT	0

 * anything after logging in anyway.
 */
static int all_opens_permitted = 0;
static int all_remote_opens_permitted = 0;


/* -- X11 forwarding */

	if (num_permitted_opens == 0)
		all_opens_permitted = 1;
}
void
channel_permit_all_remote_opens(void)
{
	if (num_permitted_remote_opens == 0)
		all_remote_opens_permitted = 1;
}


void
channel_add_permitted_opens(char *host, int port)

	all_opens_permitted = 0;
}

void
channel_add_permitted_remote_opens(int port)
{
	debug("allow remote port forwarding %d", port);

	permitted_remote_opens = xrealloc(permitted_remote_opens,
	    num_permitted_remote_opens + 1, sizeof(*permitted_remote_opens));
	permitted_remote_opens[num_permitted_remote_opens].listen_port = port;
	num_permitted_remote_opens++;

	all_remote_opens_permitted = 0;
}

/*
 * Update the listen port for a dynamic remote forward, after
 * the actual 'newport' has been allocated. If 'newport' < 0 is

	return ++num_adm_permitted_opens;
}

int
channel_add_adm_permitted_remote_opens(int port)
{
	debug("config allows remote port forwarding,  port %d", port);

	permitted_adm_remote_opens = xrealloc(permitted_adm_remote_opens,
	    num_adm_permitted_remote_opens + 1, sizeof(*permitted_adm_remote_opens));
	permitted_adm_remote_opens[num_adm_permitted_remote_opens].listen_port = port;
	return ++num_adm_permitted_remote_opens;
}


void
channel_disable_adm_local_opens(void)
{

}

void
channel_disable_adm_remote_opens(void)
{
	channel_clear_adm_permitted_remote_opens();
	permitted_adm_remote_opens = xmalloc(sizeof(*permitted_adm_remote_opens));
	permitted_adm_remote_opens[num_adm_permitted_remote_opens].host_to_connect = NULL;
	num_adm_permitted_remote_opens = 1;
}

void
channel_clear_permitted_opens(void)
{
	int i;

}

void
channel_clear_permitted_remote_opens(void)
{

	free(permitted_remote_opens);
	permitted_remote_opens = NULL;
	num_permitted_remote_opens = 0;
}


void
channel_clear_adm_permitted_opens(void)
{
	int i;

}

void
channel_clear_adm_permitted_remote_opens(void)
{
	free(permitted_adm_remote_opens);
	permitted_adm_remote_opens = NULL;
	num_adm_permitted_remote_opens = 0;
}


void
channel_print_adm_permitted_opens(void)
{
	int i;

	return connect_to(path, PORT_STREAMLOCAL, ctype, rname);
}

static int
remote_port_match(u_short allowedport, u_short requestedport)
{
        if (allowedport == FWD_PERMIT_ANY_PORT ||
            allowedport == requestedport)
                return 1;
        return 0;
}

/* Check if remote port is permitted and connect. */
int
channel_connect_remote_to(u_short port)
{
	int i, permit, permit_adm = 1;
	int allowed_port = 0;

	permit = all_remote_opens_permitted;
	if (!permit) {
		for (i = 0; i < num_permitted_remote_opens; i++) {
			allowed_port = permitted_remote_opens[i].listen_port;
			debug("i=%d check remote permitted vs requested "
					"%u vs %u", i, allowed_port, port);
			if ( remote_port_match(allowed_port, port)) {
				debug2("i=%d found match remote permitted vs "
						"requested %u==%u", i, allowed_port, port);
				permit = 1;
				break;
			}
		}
	}
	if (num_adm_permitted_remote_opens > 0) {
		permit_adm = 0;
		for (i = 0; i < num_adm_permitted_remote_opens; i++)
			if (remote_port_match(allowed_port, port) ) {
				/*  && strcmp(permitted_adm_remote_opens[i].host_to_connect, host) == 0) */
				debug2("i=%d found match admin remote permitted vs "
						"requested %u==%u", i, allowed_port, port);
				permit_adm = 1;
			}
	}

	if (!permit || !permit_adm) {
		logit("Received request to forward remote port %d, "
		      "but the request was denied. return %d", port, permit);
		return 0;
	}
	return ( permit | permit_adm);
}



void
channel_send_window_changes(void)
{

	packet_send();
	packet_write_wait();
}


Lines 260-273 struct Forward; Link Here

(-)a/channels.h (-1 / +8 lines)
260	struct ForwardOptions;	260	struct ForwardOptions;
261	void channel_set_af(int af);	261	void channel_set_af(int af);
262	void channel_permit_all_opens(void);	262	void channel_permit_all_opens(void);
263	void channel_add_permitted_opens(char *, int);	263	void channel_permit_all_remote_opens(void);
		264	void channel_add_permitted_opens(char *, int);
		265	void channel_add_permitted_remote_opens(int);
264	int channel_add_adm_permitted_opens(char *, int);	266	int channel_add_adm_permitted_opens(char *, int);
		267	int channel_add_adm_permitted_remote_opens(int);
265	void channel_disable_adm_local_opens(void);	268	void channel_disable_adm_local_opens(void);
		269	void channel_disable_adm_remote_opens(void);
266	void channel_update_permitted_opens(int, int);	270	void channel_update_permitted_opens(int, int);
267	void channel_clear_permitted_opens(void);	271	void channel_clear_permitted_opens(void);
268	void channel_clear_adm_permitted_opens(void);	272	void channel_clear_adm_permitted_opens(void);
		273	void channel_clear_permitted_remote_opens(void);
		274	void channel_clear_adm_permitted_remote_opens(void);
269	void channel_print_adm_permitted_opens(void);	275	void channel_print_adm_permitted_opens(void);
270	int channel_input_port_forward_request(int, struct ForwardOptions *);	276	int channel_input_port_forward_request(int, struct ForwardOptions *);
		277	int channel_connect_remote_to(u_short);
271	Channel channel_connect_to_port(const char , u_short, char , char );	278	Channel channel_connect_to_port(const char , u_short, char , char );
272	Channel channel_connect_to_path(const char , char , char );	279	Channel channel_connect_to_path(const char , char , char );
273	Channel channel_connect_stdio_fwd(const char, u_short, int, int);	280	Channel channel_connect_stdio_fwd(const char, u_short, int, int);




	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile,
	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
	sMatch, sPermitOpen, sPermitRemoteOpen, sForceCommand, sChrootDirectory,
	sUsePrivilegeSeparation, sAllowAgentForwarding,
	sHostCertificate,
	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,

	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
	{ "match", sMatch, SSHCFG_ALL },
	{ "permitopen", sPermitOpen, SSHCFG_ALL },
	{ "permitremoteopen", sPermitRemoteOpen, SSHCFG_ALL },
	{ "forcecommand", sForceCommand, SSHCFG_ALL },
	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },

				    channel_add_adm_permitted_opens(p, port);
		}
		break;
	case sPermitRemoteOpen:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing PermitRemoteOpen "
				" specification", filename, linenum);
		n = options->num_permitted_remote_opens; /* modified later */
		if (strcmp(arg, "any") == 0) {
			if (*activep && n == -1) {
				channel_clear_adm_permitted_remote_opens();
				options->num_permitted_remote_opens = 0;
			}
			break;
		}
		if (strcmp(arg, "none") == 0) {
			if (*activep && n == -1) {
				options->num_permitted_remote_opens = 1;
				channel_disable_adm_remote_opens();
			}
			break;
		}
		if (*activep && n == -1)
			channel_clear_adm_permitted_remote_opens();
		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
			if (arg == NULL || ((port = permitopen_port(arg)) < 0))
				fatal("%s line %d: bad port number in "
				      "PermitRemoteOpen", filename, linenum);
			if (*activep && n == -1)
				options->num_permitted_remote_opens =
					channel_add_adm_permitted_remote_opens(port);
		}
		break;

	case sForceCommand:
		if (cp == NULL)

Lines 170-175 typedef struct { Link Here

(-)a/servconf.h (+1 lines)
170	int permit_tun;	170	int permit_tun;
171		171
172	int num_permitted_opens;	172	int num_permitted_opens;
		173	int num_permitted_remote_opens;
173		174
174	char *chroot_directory;	175	char *chroot_directory;
175	char *revoked_keys_file;	176	char *revoked_keys_file;




			success = 0;
			packet_send_debug("Server has disabled port forwarding.");
		} else {
			debug2("check permitted remote opens");
			if (!channel_connect_remote_to(fwd.listen_port)) {
				success = 0;
				packet_send_debug("Server denied remote port forward request.");
			}
			else {
				/* Start listening on the port */
				success = channel_setup_remote_fwd_listener(&fwd,
						&allocated_listen_port,
						&options.fwd_opts);
			}
		}
		free(fwd.listen_host);
	} else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {

Lines 257-266 do_authenticated(Authctxt *authctxt) Link Here

(-)a/session.c (-2 / +6 lines)
257	/* setup the channel layer */	257	/* setup the channel layer */
258	/* XXX - streamlocal? */	258	/* XXX - streamlocal? */
259	if (no_port_forwarding_flag \|\|	259	if (no_port_forwarding_flag \|\|
260	(options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)	260	(options.allow_tcp_forwarding & FORWARD_LOCAL) == 0) {
261	channel_disable_adm_local_opens();	261	channel_disable_adm_local_opens();
262	else	262	channel_disable_adm_remote_opens();
		263	}
		264	else {
263	channel_permit_all_opens();	265	channel_permit_all_opens();
		266	channel_permit_all_remote_opens();
		267	}
264		268
265	auth_debug_send();	269	auth_debug_send();
266		270




A port specification of
.Cm *
matches any port.
.It Cm permitremoteopen="port"
Limit remote
.Li ``ssh -R''
port forwarding such that it may only forward the specified port to the client.
Multiple
.Cm permitremoteopen
options may be applied separated by commas.
Specified port must be a single port.
A port specification of
.Cm *
matches any port.
.It Cm principals="principals"
On a
.Cm cert-authority




.Dq none
can be used to prohibit all forwarding requests.
By default all port forwarding requests are permitted.
.It Cm PermitRemoteOpen
Specifies the TCP ports which may be opened by clients with the
RemoteForward option.
Multiple forwards may be specified by separating them with whitespace.
An argument of
.Dq any
can be used to remove all restrictions and permit any remote
forwarding requests.
An argument of
.Dq none
can be used to prohibit all forwarding requests.
By default all port forwarding requests are permitted.
.It Cm PermitRootLogin
Specifies whether root can log in using
.Xr ssh 1 .
- 

Return to bug 2038

Lines 81-86 auth_clear_options(void) Link Here

(-)a/auth-options.c (+46 lines)
81	}	81	}
82	forced_tun_device = -1;	82	forced_tun_device = -1;
83	channel_clear_permitted_opens();	83	channel_clear_permitted_opens();
		84	channel_clear_permitted_remote_opens();
84	}	85	}
85		86
86	/*	87	/*
Lines 351-356 auth_parse_options(struct passwd pw, char opts, char *file, u_long linenum) Link Here
351	free(patterns);	352	free(patterns);
352	goto next_option;	353	goto next_option;
353	}	354	}
		355	debug("AA trying permitremoteopen %s", opts);
		356	cp = "permitremoteopen=\"";
		357	if (strncasecmp(opts, cp, strlen(cp)) == 0) {
		358	char *p;
		359	int port;
		360	char *patterns = xmalloc(strlen(opts) + 1);
		361
		362	opts += strlen(cp);
		363	i = 0;
		364	while (*opts) {
		365	if (*opts == '"')
		366	break;
		367	if (*opts == '\\' && opts[1] == '"') {
		368	opts += 2;
		369	patterns[i++] = '"';
		370	continue;
		371	}
		372	patterns[i++] = *opts++;
		373	}
		374	if (!*opts) {
		375	debug("%.100s, line %lu: missing end quote",
		376	file, linenum);
		377	auth_debug_add("%.100s, line %lu: missing "
		378	"end quote", file, linenum);
		379	free(patterns);
		380	goto bad_option;
		381	}
		382	patterns[i] = '\0';
		383	opts++;
		384	p = patterns;
		385	if (p == NULL \|\| (port = permitopen_port(p)) < 0) {
		386	debug("%.100s, line %lu: Bad permitremoteopen "
		387	"port <%.100s>", file, linenum, p ? p :
		388	"");
		389	auth_debug_add("%.100s, line %lu: "
		390	"Bad permitremoteopen port",
		391	file, linenum);
		392	free(patterns);
		393	goto bad_option;
		394	}
		395	if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
		396	channel_add_permitted_remote_opens(port);
		397	free(patterns);
		398	goto next_option;
		399	}
354	cp = "tunnel=\"";	400	cp = "tunnel=\"";
355	if (strncasecmp(opts, cp, strlen(cp)) == 0) {	401	if (strncasecmp(opts, cp, strlen(cp)) == 0) {
356	char *tun = NULL;	402	char *tun = NULL;

Lines 121-135 typedef struct { Link Here

(-)a/channels.c (+117 lines)
121		121
122	/* List of all permitted host/port pairs to connect by the user. */	122	/* List of all permitted host/port pairs to connect by the user. */
123	static ForwardPermission *permitted_opens = NULL;	123	static ForwardPermission *permitted_opens = NULL;
		124	static ForwardPermission *permitted_remote_opens = NULL;
124		125
125	/* List of all permitted host/port pairs to connect by the admin. */	126	/* List of all permitted host/port pairs to connect by the admin. */
126	static ForwardPermission *permitted_adm_opens = NULL;	127	static ForwardPermission *permitted_adm_opens = NULL;
		128	static ForwardPermission *permitted_adm_remote_opens = NULL;
127		129
128	/* Number of permitted host/port pairs in the array permitted by the user. */	130	/* Number of permitted host/port pairs in the array permitted by the user. */
129	static int num_permitted_opens = 0;	131	static int num_permitted_opens = 0;
		132	static int num_permitted_remote_opens = 0;
130		133
131	/* Number of permitted host/port pair in the array permitted by the admin. */	134	/* Number of permitted host/port pair in the array permitted by the admin. */
132	static int num_adm_permitted_opens = 0;	135	static int num_adm_permitted_opens = 0;
		136	static int num_adm_permitted_remote_opens = 0;
133		137
134	/* special-case port number meaning allow any port */	138	/* special-case port number meaning allow any port */
135	#define FWD_PERMIT_ANY_PORT 0	139	#define FWD_PERMIT_ANY_PORT 0
Lines 140-145 static int num_adm_permitted_opens = 0; Link Here
140	* anything after logging in anyway.	144	* anything after logging in anyway.
141	*/	145	*/
142	static int all_opens_permitted = 0;	146	static int all_opens_permitted = 0;
		147	static int all_remote_opens_permitted = 0;
143		148
144		149
145	/* -- X11 forwarding */	150	/* -- X11 forwarding */
Lines 3449-3454 channel_permit_all_opens(void) Link Here
3449	if (num_permitted_opens == 0)	3454	if (num_permitted_opens == 0)
3450	all_opens_permitted = 1;	3455	all_opens_permitted = 1;
3451	}	3456	}
		3457	void
		3458	channel_permit_all_remote_opens(void)
		3459	{
		3460	if (num_permitted_remote_opens == 0)
		3461	all_remote_opens_permitted = 1;
		3462	}
		3463
3452		3464
3453	void	3465	void
3454	channel_add_permitted_opens(char *host, int port)	3466	channel_add_permitted_opens(char *host, int port)
Lines 3467-3472 channel_add_permitted_opens(char *host, int port) Link Here
3467	all_opens_permitted = 0;	3479	all_opens_permitted = 0;
3468	}	3480	}
3469		3481
		3482	void
		3483	channel_add_permitted_remote_opens(int port)
		3484	{
		3485	debug("allow remote port forwarding %d", port);
		3486
		3487	permitted_remote_opens = xrealloc(permitted_remote_opens,
		3488	num_permitted_remote_opens + 1, sizeof(*permitted_remote_opens));
		3489	permitted_remote_opens[num_permitted_remote_opens].listen_port = port;
		3490	num_permitted_remote_opens++;
		3491
		3492	all_remote_opens_permitted = 0;
		3493	}
		3494
3470	/*	3495	/*
3471	* Update the listen port for a dynamic remote forward, after	3496	* Update the listen port for a dynamic remote forward, after
3472	* the actual 'newport' has been allocated. If 'newport' < 0 is	3497	* the actual 'newport' has been allocated. If 'newport' < 0 is
Lines 3516-3521 channel_add_adm_permitted_opens(char *host, int port) Link Here
3516	return ++num_adm_permitted_opens;	3541	return ++num_adm_permitted_opens;
3517	}	3542	}
3518		3543
		3544	int
		3545	channel_add_adm_permitted_remote_opens(int port)
		3546	{
		3547	debug("config allows remote port forwarding, port %d", port);
		3548
		3549	permitted_adm_remote_opens = xrealloc(permitted_adm_remote_opens,
		3550	num_adm_permitted_remote_opens + 1, sizeof(*permitted_adm_remote_opens));
		3551	permitted_adm_remote_opens[num_adm_permitted_remote_opens].listen_port = port;
		3552	return ++num_adm_permitted_remote_opens;
		3553	}
		3554
		3555
3519	void	3556	void
3520	channel_disable_adm_local_opens(void)	3557	channel_disable_adm_local_opens(void)
3521	{	3558	{
Lines 3526-3531 channel_disable_adm_local_opens(void) Link Here
3526	}	3563	}
3527		3564
3528	void	3565	void
		3566	channel_disable_adm_remote_opens(void)
		3567	{
		3568	channel_clear_adm_permitted_remote_opens();
		3569	permitted_adm_remote_opens = xmalloc(sizeof(*permitted_adm_remote_opens));
		3570	permitted_adm_remote_opens[num_adm_permitted_remote_opens].host_to_connect = NULL;
		3571	num_adm_permitted_remote_opens = 1;
		3572	}
		3573
		3574	void
3529	channel_clear_permitted_opens(void)	3575	channel_clear_permitted_opens(void)
3530	{	3576	{
3531	int i;	3577	int i;
Lines 3541-3546 channel_clear_permitted_opens(void) Link Here
3541	}	3587	}
3542		3588
3543	void	3589	void
		3590	channel_clear_permitted_remote_opens(void)
		3591	{
		3592
		3593	free(permitted_remote_opens);
		3594	permitted_remote_opens = NULL;
		3595	num_permitted_remote_opens = 0;
		3596	}
		3597
		3598
		3599	void
3544	channel_clear_adm_permitted_opens(void)	3600	channel_clear_adm_permitted_opens(void)
3545	{	3601	{
3546	int i;	3602	int i;
Lines 3556-3561 channel_clear_adm_permitted_opens(void) Link Here
3556	}	3612	}
3557		3613
3558	void	3614	void
		3615	channel_clear_adm_permitted_remote_opens(void)
		3616	{
		3617	free(permitted_adm_remote_opens);
		3618	permitted_adm_remote_opens = NULL;
		3619	num_adm_permitted_remote_opens = 0;
		3620	}
		3621
		3622
		3623	void
3559	channel_print_adm_permitted_opens(void)	3624	channel_print_adm_permitted_opens(void)
3560	{	3625	{
3561	int i;	3626	int i;
Lines 3824-3829 channel_connect_to_path(const char path, char ctype, char *rname) Link Here
3824	return connect_to(path, PORT_STREAMLOCAL, ctype, rname);	3889	return connect_to(path, PORT_STREAMLOCAL, ctype, rname);
3825	}	3890	}
3826		3891
		3892	static int
		3893	remote_port_match(u_short allowedport, u_short requestedport)
		3894	{
		3895	if (allowedport == FWD_PERMIT_ANY_PORT \|\|
		3896	allowedport == requestedport)
		3897	return 1;
		3898	return 0;
		3899	}
		3900
		3901	/* Check if remote port is permitted and connect. */
		3902	int
		3903	channel_connect_remote_to(u_short port)
		3904	{
		3905	int i, permit, permit_adm = 1;
		3906	int allowed_port = 0;
		3907
		3908	permit = all_remote_opens_permitted;
		3909	if (!permit) {
		3910	for (i = 0; i < num_permitted_remote_opens; i++) {
		3911	allowed_port = permitted_remote_opens[i].listen_port;
		3912	debug("i=%d check remote permitted vs requested "
		3913	"%u vs %u", i, allowed_port, port);
		3914	if ( remote_port_match(allowed_port, port)) {
		3915	debug2("i=%d found match remote permitted vs "
		3916	"requested %u==%u", i, allowed_port, port);
		3917	permit = 1;
		3918	break;
		3919	}
		3920	}
		3921	}
		3922	if (num_adm_permitted_remote_opens > 0) {
		3923	permit_adm = 0;
		3924	for (i = 0; i < num_adm_permitted_remote_opens; i++)
		3925	if (remote_port_match(allowed_port, port) ) {
		3926	/* && strcmp(permitted_adm_remote_opens[i].host_to_connect, host) == 0) */
		3927	debug2("i=%d found match admin remote permitted vs "
		3928	"requested %u==%u", i, allowed_port, port);
		3929	permit_adm = 1;
		3930	}
		3931	}
		3932
		3933	if (!permit \|\| !permit_adm) {
		3934	logit("Received request to forward remote port %d, "
		3935	"but the request was denied. return %d", port, permit);
		3936	return 0;
		3937	}
		3938	return ( permit \| permit_adm);
		3939	}
		3940
		3941
		3942
3827	void	3943	void
3828	channel_send_window_changes(void)	3944	channel_send_window_changes(void)
3829	{	3945	{
Lines 4245-4247 auth_request_forwarding(void) Link Here
4245	packet_send();	4361	packet_send();
4246	packet_write_wait();	4362	packet_write_wait();
4247	}	4363	}
		4364

Lines 353-359 typedef enum { Link Here

(-)a/servconf.c (-1 / +33 lines)
353	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,	353	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
354	sClientAliveCountMax, sAuthorizedKeysFile,	354	sClientAliveCountMax, sAuthorizedKeysFile,
355	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,	355	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
356	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,	356	sMatch, sPermitOpen, sPermitRemoteOpen, sForceCommand, sChrootDirectory,
357	sUsePrivilegeSeparation, sAllowAgentForwarding,	357	sUsePrivilegeSeparation, sAllowAgentForwarding,
358	sHostCertificate,	358	sHostCertificate,
359	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,	359	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
Lines 477-482 static struct { Link Here
477	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },	477	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
478	{ "match", sMatch, SSHCFG_ALL },	478	{ "match", sMatch, SSHCFG_ALL },
479	{ "permitopen", sPermitOpen, SSHCFG_ALL },	479	{ "permitopen", sPermitOpen, SSHCFG_ALL },
		480	{ "permitremoteopen", sPermitRemoteOpen, SSHCFG_ALL },
480	{ "forcecommand", sForceCommand, SSHCFG_ALL },	481	{ "forcecommand", sForceCommand, SSHCFG_ALL },
481	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },	482	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
482	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },	483	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
Lines 1548-1553 process_server_config_line(ServerOptions options, char line, Link Here
1548	channel_add_adm_permitted_opens(p, port);	1549	channel_add_adm_permitted_opens(p, port);
1549	}	1550	}
1550	break;	1551	break;
		1552	case sPermitRemoteOpen:
		1553	arg = strdelim(&cp);
		1554	if (!arg \|\| *arg == '\0')
		1555	fatal("%s line %d: missing PermitRemoteOpen "
		1556	" specification", filename, linenum);
		1557	n = options->num_permitted_remote_opens; /* modified later */
		1558	if (strcmp(arg, "any") == 0) {
		1559	if (*activep && n == -1) {
		1560	channel_clear_adm_permitted_remote_opens();
		1561	options->num_permitted_remote_opens = 0;
		1562	}
		1563	break;
		1564	}
		1565	if (strcmp(arg, "none") == 0) {
		1566	if (*activep && n == -1) {
		1567	options->num_permitted_remote_opens = 1;
		1568	channel_disable_adm_remote_opens();
		1569	}
		1570	break;
		1571	}
		1572	if (*activep && n == -1)
		1573	channel_clear_adm_permitted_remote_opens();
		1574	for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
		1575	if (arg == NULL \|\| ((port = permitopen_port(arg)) < 0))
		1576	fatal("%s line %d: bad port number in "
		1577	"PermitRemoteOpen", filename, linenum);
		1578	if (*activep && n == -1)
		1579	options->num_permitted_remote_opens =
		1580	channel_add_adm_permitted_remote_opens(port);
		1581	}
		1582	break;
1551		1583
1552	case sForceCommand:	1584	case sForceCommand:
1553	if (cp == NULL)	1585	if (cp == NULL)

Lines 1182-1190 server_input_global_request(int type, u_int32_t seq, void *ctxt) Link Here

(-)a/serverloop.c (-3 / +11 lines)
1182	success = 0;	1182	success = 0;
1183	packet_send_debug("Server has disabled port forwarding.");	1183	packet_send_debug("Server has disabled port forwarding.");
1184	} else {	1184	} else {
1185	/* Start listening on the port */	1185	debug2("check permitted remote opens");
1186	success = channel_setup_remote_fwd_listener(&fwd,	1186	if (!channel_connect_remote_to(fwd.listen_port)) {
1187	&allocated_listen_port, &options.fwd_opts);	1187	success = 0;
		1188	packet_send_debug("Server denied remote port forward request.");
		1189	}
		1190	else {
		1191	/* Start listening on the port */
		1192	success = channel_setup_remote_fwd_listener(&fwd,
		1193	&allocated_listen_port,
		1194	&options.fwd_opts);
		1195	}
1188	}	1196	}
1189	free(fwd.listen_host);	1197	free(fwd.listen_host);
1190	} else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {	1198	} else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {

Lines 617-622 they must be literal domains or addresses. Link Here

(-)a/sshd.8 (+11 lines)
617	A port specification of	617	A port specification of
618	.Cm *	618	.Cm *
619	matches any port.	619	matches any port.
		620	.It Cm permitremoteopen="port"
		621	Limit remote
		622	.Li ``ssh -R''
		623	port forwarding such that it may only forward the specified port to the client.
		624	Multiple
		625	.Cm permitremoteopen
		626	options may be applied separated by commas.
		627	Specified port must be a single port.
		628	A port specification of
		629	.Cm *
		630	matches any port.
620	.It Cm principals="principals"	631	.It Cm principals="principals"
621	On a	632	On a
622	.Cm cert-authority	633	.Cm cert-authority

Lines 1013-1018 An argument of Link Here

(-)a/sshd_config.5 (-1 / +12 lines)
1013	.Dq none	1013	.Dq none
1014	can be used to prohibit all forwarding requests.	1014	can be used to prohibit all forwarding requests.
1015	By default all port forwarding requests are permitted.	1015	By default all port forwarding requests are permitted.
		1016	.It Cm PermitRemoteOpen
		1017	Specifies the TCP ports which may be opened by clients with the
		1018	RemoteForward option.
		1019	Multiple forwards may be specified by separating them with whitespace.
		1020	An argument of
		1021	.Dq any
		1022	can be used to remove all restrictions and permit any remote
		1023	forwarding requests.
		1024	An argument of
		1025	.Dq none
		1026	can be used to prohibit all forwarding requests.
		1027	By default all port forwarding requests are permitted.
1016	.It Cm PermitRootLogin	1028	.It Cm PermitRootLogin
1017	Specifies whether root can log in using	1029	Specifies whether root can log in using
1018	.Xr ssh 1 .	1030	.Xr ssh 1 .
1019	-