
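--- a/channels.c
+++ b/channels.c
@@ -82,6 +82,7 @@
 #include "key.h"
 #include "authfd.h"
 #include "pathnames.h"
+#include "match.h"
 
 /* -- channel core */
 
@@ -2818,11 +2819,13 @@ channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
     int *allocated_listen_port, struct ForwardOptions *fwd_opts)
 {
 	Channel *c;
-	int sock, r, success = 0, wildcard = 0, is_client;
+	int sock, r, success = 0, wildcard = 0, is_client, is_loopback;
 	struct addrinfo hints, *ai, *aitop;
 	const char *host, *addr;
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
 	in_port_t *lport_p;
+	struct sockaddr_in *a4;
+	struct sockaddr_in6 *a6;
 
 	is_client = (type == SSH_CHANNEL_PORT_LISTENER);
 
@@ -2870,18 +2873,41 @@ channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
 	if (allocated_listen_port != NULL)
 		*allocated_listen_port = 0;
 	for (ai = aitop; ai; ai = ai->ai_next) {
+		is_loopback = 0;
 		switch (ai->ai_family) {
 		case AF_INET:
-			lport_p = &((struct sockaddr_in *)ai->ai_addr)->
-			    sin_port;
+			a4 = (struct sockaddr_in *)ai->ai_addr;
+			is_loopback = a4->sin_addr.s_addr ==
+			    htonl(INADDR_LOOPBACK);
+			lport_p = &a4->sin_port;
 			break;
 		case AF_INET6:
-			lport_p = &((struct sockaddr_in6 *)ai->ai_addr)->
-			    sin6_port;
+			a6 = (struct sockaddr_in6 *)ai->ai_addr;
+			is_loopback = IN6_IS_ADDR_LOOPBACK(&a6->sin6_addr);
+			lport_p = &a6->sin6_port;
 			break;
 		default:
 			continue;
 		}
+		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
+		    strport, sizeof(strport),
+		    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+			error("%s: getnameinfo failed", __func__);
+			continue;
+		}
+		/*
+		 * Check remote port forwardings against GatewayPortsAddresses
+		 * XXX: streamlocal paths?
+		 */
+		if (type == SSH_CHANNEL_RPORT_LISTENER && !is_loopback &&
+		    fwd_opts->gateway_ports_explicit != NULL &&
+		    addr_match_cidr_list(ntop,
+		    fwd_opts->gateway_ports_explicit) != 1) {
+			debug("%s: listen address %s excluded by "
+			    "GatewayPortsAddresses", __func__, ntop);
+			continue;
+		}
+
 		/*
 		 * If allocating a port for -R forwards, then use the
 		 * same port for all address families.
@@ -2890,11 +2916,6 @@ channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
 		    allocated_listen_port != NULL && *allocated_listen_port > 0)
 			*lport_p = htons(*allocated_listen_port);
 
-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
-		    strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
-			error("%s: getnameinfo failed", __func__);
-			continue;
-		}
 		/* Create a port to listen for the host. */
 		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
 		if (sock < 0) {
@@ -3019,6 +3040,7 @@ channel_setup_fwd_listener_streamlocal(int type, struct Forward *fwd,
 	sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG,
 	    fwd_opts->streamlocal_bind_unlink);
 	umask(omask);
+	/* XXX GatewayPortsAddresses check */
 	if (sock < 0)
 		return 0;
 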
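Review bot: The getnameinfo call moved ahead of the port override in channel_setup_fwd_listener_tcpip (hunk at lines 2870-2887, the old call being removed in the hunk at 2890-2900) now fills strport before `*lport_p = htons(*allocated_listen_port)` runs, so for a port-0 -R forward strport holds the pre-override port for the second and later address families; if strport is still used after the hunk for the listening-port log line, as it appears to be, that message becomes wrong. Since the new GatewayPortsAddresses check reads only ntop, the check can be placed after the override with getnameinfo kept at its original position, and nothing else needs to change. The comment above the check should also state that `is_loopback` for IPv4 is true only for 127.0.0.1 (INADDR_LOOPBACK), so other 127/8 addresses are subject to the list and excluded unless listed, which is the fail-closed direction. The streamlocal hunk at 3019-3024 leaves its check as an XXX comment, so GatewayPortsAddresses does not yet restrict Unix-socket remote forwards. Both function bodies continue outside the hunks.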
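--- a/misc.h
+++ b/misc.h
@@ -30,6 +30,7 @@ struct Forward {
 /* Common server and client forwarding options. */
 struct ForwardOptions {
 	int	 gateway_ports; /* Allow remote connects to forwarded ports. */
+	char	*gateway_ports_explicit; /* Explicit address list */
 	mode_t	 streamlocal_bind_mask; /* umask for streamlocal binds */
 	int	 streamlocal_bind_unlink; /* unlink socket before bind */
 };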
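--- a/servconf.c
+++ b/servconf.c
@@ -140,6 +140,7 @@ initialize_server_options(ServerOptions *options)
 	options->kex_algorithms = NULL;
 	options->protocol = SSH_PROTO_UNKNOWN;
 	options->fwd_opts.gateway_ports = -1;
+	options->fwd_opts.gateway_ports_explicit = NULL;
 	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
 	options->fwd_opts.streamlocal_bind_unlink = -1;
 	options->num_subsystems = 0;
@@ -368,6 +369,7 @@ fill_default_server_options(ServerOptions *options)
 	CLEAR_ON_NONE(options->trusted_user_ca_keys);
 	CLEAR_ON_NONE(options->revoked_keys_file);
 	CLEAR_ON_NONE(options->authorized_principals_file);
+	CLEAR_ON_NONE(options->fwd_opts.gateway_ports_explicit);
 	for (i = 0; i < options->num_host_key_files; i++)
 		CLEAR_ON_NONE(options->host_key_files[i]);
 	for (i = 0; i < options->num_host_cert_files; i++)
@@ -405,7 +407,8 @@ typedef enum {
 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
+	sGatewayPorts, sGatewayPortsAddresses,
+	sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
 	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
@@ -524,6 +527,7 @@ static struct {
 	{ "macs", sMacs, SSHCFG_GLOBAL },
 	{ "protocol", sProtocol, SSHCFG_GLOBAL },
 	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
+	{ "gatewayportsaddresses", sGatewayPortsAddresses, SSHCFG_ALL },
 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
@@ -1344,6 +1348,21 @@ process_server_config_line(ServerOptions *options, char *line,
 		multistate_ptr = multistate_gatewayports;
 		goto parse_multistate;
 
+	case sGatewayPortsAddresses:
+		arg = strdelim(&cp);
+		if (arg == NULL || *arg != '\0')
+			fatal("%s line %d: Missing argument.",
+			    filename, linenum);
+		/* XXX handle streamlocal paths */
+		if (strcasecmp(arg, "none") != 0 &&
+		    addr_match_cidr_list(NULL, arg) == -1)
+			fatal("%s line %d: Invalid address list.",
+			    filename, linenum);
+		if (*activep &&
+		    options->fwd_opts.gateway_ports_explicit == NULL)
+			options->fwd_opts.gateway_ports_explicit = xstrdup(arg);
+		break;
+
 	case sUseDNS:
 		intptr = &options->use_dns;
 		goto parse_flag;
@@ -2292,6 +2311,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
 	dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
+	dump_cfg_string(sGatewayPortsAddresses,
+	    o->fwd_opts.gateway_ports_explicit);
 	dump_cfg_string(sKexAlgorithms,
 	    o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
 	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?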
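--- a/servconf.h
+++ b/servconf.h
@@ -227,6 +227,7 @@ struct connection_info {
 		M_CP_STROPT(authorized_principals_command_user); \
 		M_CP_STROPT(hostbased_key_types); \
 		M_CP_STROPT(pubkey_key_types); \
+		M_CP_STROPT(fwd_opts.gateway_ports_explicit); \
 		M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
 		M_CP_STRARRAYOPT(allow_users, num_allow_users); \
 		M_CP_STRARRAYOPT(deny_users, num_deny_users); \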
