Bugzilla – Attachment 2720 Details for
Bug 2473
sshd and -R port forwardings on 127.0.0.0/8
[patch]
add GatewayPortsAddresses option
bz2473.diff (text/plain), 6.99 KB, created by
Damien Miller
on 2015-10-06 05:52:07 AEDT
Description:
add GatewayPortsAddresses option
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2015-10-06 05:52:07 AEDT
Size:
6.99 KB
patch
obsolete
>diff --git a/channels.c b/channels.c
>index a84b487..48f2a5f 100644
>--- a/channels.c
>+++ b/channels.c
>@@ -82,6 +82,7 @@
> #include "key.h"
> #include "authfd.h"
> #include "pathnames.h"
>+#include "match.h"
>
> /* -- channel core */
>
>@@ -2818,11 +2819,13 @@ channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
> int *allocated_listen_port, struct ForwardOptions *fwd_opts)
> {
> Channel *c;
>- int sock, r, success = 0, wildcard = 0, is_client;
>+ int sock, r, success = 0, wildcard = 0, is_client, is_loopback;
> struct addrinfo hints, *ai, *aitop;
> const char *host, *addr;
> char ntop[NI_MAXHOST], strport[NI_MAXSERV];
> in_port_t *lport_p;
>+ struct sockaddr_in *a4;
>+ struct sockaddr_in6 *a6;
>
> is_client = (type == SSH_CHANNEL_PORT_LISTENER);
>
>@@ -2870,18 +2873,41 @@ channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
> if (allocated_listen_port != NULL)
> *allocated_listen_port = 0;
> for (ai = aitop; ai; ai = ai->ai_next) {
>+ is_loopback = 0;
> switch (ai->ai_family) {
> case AF_INET:
>- lport_p = &((struct sockaddr_in *)ai->ai_addr)->
>- sin_port;
>+ a4 = (struct sockaddr_in *)ai->ai_addr;
>+ is_loopback = a4->sin_addr.s_addr ==
>+ htonl(INADDR_LOOPBACK);
>+ lport_p = &a4->sin_port;
> break;
> case AF_INET6:
>- lport_p = &((struct sockaddr_in6 *)ai->ai_addr)->
>- sin6_port;
>+ a6 = (struct sockaddr_in6 *)ai->ai_addr;
>+ is_loopback = IN6_IS_ADDR_LOOPBACK(&a6->sin6_addr);
>+ lport_p = &a6->sin6_port;
> break;
> default:
> continue;
> }
>+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
>+ strport, sizeof(strport),
>+ NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
>+ error("%s: getnameinfo failed", __func__);
>+ continue;
>+ }
>+ /*
>+ * Check remote port forwardings against GatewayPortsAddresses
>+ * XXX: streamlocal paths?
>+ */
>+ if (type == SSH_CHANNEL_RPORT_LISTENER && !is_loopback &&
>+ fwd_opts->gateway_ports_explicit != NULL &&
>+ addr_match_cidr_list(ntop,
>+ fwd_opts->gateway_ports_explicit) != 1) {
>+ debug("%s: listen address %s excluded by "
>+ "GatewayPortsAddresses", __func__, ntop);
>+ continue;
>+ }
>+
> /*
> * If allocating a port for -R forwards, then use the
> * same port for all address families.
>@@ -2890,11 +2916,6 @@ channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
> allocated_listen_port != NULL && *allocated_listen_port > 0)
> *lport_p = htons(*allocated_listen_port);
>
>- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
>- strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
>- error("%s: getnameinfo failed", __func__);
>- continue;
>- }
> /* Create a port to listen for the host. */
> sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
> if (sock < 0) {
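Review bot: The AF_INET loopback exemption matches only INADDR_LOOPBACK, so a -R bind to any other 127.0.0.0/8 address (the case named in the bug title) is still subjected to the GatewayPortsAddresses match and is refused unless the admin lists it; if the whole block is meant to be exempt, compare the network part instead: `is_loopback = (ntohl(a4->sin_addr.s_addr) & 0xff000000U) == 0x7f000000U;`. Moving the getnameinfo() call ahead of the `*lport_p = htons(*allocated_listen_port)` assignment also means strport now holds the requested port rather than the allocated one for the second address family, so any later log line that prints strport (outside this hunk) presumably changes its output. The `!= 1` test on addr_match_cidr_list() is the right shape, as it treats both a non-match and a -1 parse error as exclusion. channel_setup_fwd_listener_tcpip starts before and continues after this hunk.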
>@@ -3019,6 +3040,7 @@ channel_setup_fwd_listener_streamlocal(int type, struct Forward *fwd, > sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG, > fwd_opts->streamlocal_bind_unlink); > umask(omask); >+ /* XXX GatewayPortsAddresses check */ > if (sock < 0) > return 0; > >diff --git a/misc.h b/misc.h >index 374c33c..ffb85d1 100644 >--- a/misc.h >+++ b/misc.h >@@ -30,6 +30,7 @@ struct Forward { > /* Common server and client forwarding options. */ > struct ForwardOptions { > int gateway_ports; /* Allow remote connects to forwarded ports. */ >+ char *gateway_ports_explicit; /* Explicit address list */ > mode_t streamlocal_bind_mask; /* umask for streamlocal binds */ > int streamlocal_bind_unlink; /* unlink socket before bind */ > }; >diff --git a/servconf.c b/servconf.c >index b5db0f7..097b277 100644 >--- a/servconf.c >+++ b/servconf.c >@@ -140,6 +140,7 @@ initialize_server_options(ServerOptions *options) > options->kex_algorithms = NULL; > options->protocol = SSH_PROTO_UNKNOWN; > options->fwd_opts.gateway_ports = -1; >+ options->fwd_opts.gateway_ports_explicit = NULL; > options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; > options->fwd_opts.streamlocal_bind_unlink = -1; > options->num_subsystems = 0; >@@ -368,6 +369,7 @@ fill_default_server_options(ServerOptions *options) > CLEAR_ON_NONE(options->trusted_user_ca_keys); > CLEAR_ON_NONE(options->revoked_keys_file); > CLEAR_ON_NONE(options->authorized_principals_file); >+ CLEAR_ON_NONE(options->fwd_opts.gateway_ports_explicit); > for (i = 0; i < options->num_host_key_files; i++) > CLEAR_ON_NONE(options->host_key_files[i]); > for (i = 0; i < options->num_host_cert_files; i++) 
>@@ -405,7 +407,8 @@ typedef enum { > sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, > sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, > sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, >- sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, >+ sGatewayPorts, sGatewayPortsAddresses, >+ sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, > sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, > sBanner, sUseDNS, sHostbasedAuthentication, > sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, >@@ -524,6 +527,7 @@ static struct { > { "macs", sMacs, SSHCFG_GLOBAL }, > { "protocol", sProtocol, SSHCFG_GLOBAL }, > { "gatewayports", sGatewayPorts, SSHCFG_ALL }, >+ { "gatewayportsaddresses", sGatewayPortsAddresses, SSHCFG_ALL }, > { "subsystem", sSubsystem, SSHCFG_GLOBAL }, > { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, > { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, >@@ -1344,6 +1348,21 @@ process_server_config_line(ServerOptions *options, char *line, > multistate_ptr = multistate_gatewayports; > goto parse_multistate; > >+ case sGatewayPortsAddresses: >+ arg = strdelim(&cp); >+ if (arg == NULL || *arg != '\0') >+ fatal("%s line %d: Missing argument.", >+ filename, linenum); >+ /* XXX handle streamlocal paths */ >+ if (strcasecmp(arg, "none") != 0 && >+ addr_match_cidr_list(NULL, arg) == -1) >+ fatal("%s line %d: Invalid address list.", >+ filename, linenum); >+ if (*activep && >+ options->fwd_opts.gateway_ports_explicit == NULL) >+ options->fwd_opts.gateway_ports_explicit = xstrdup(arg); >+ break; >+ > case sUseDNS: > intptr = &options->use_dns; > goto parse_flag; 
>@@ -2292,6 +2311,8 @@ dump_config(ServerOptions *o) > dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); > dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); > dump_cfg_string(sHostKeyAgent, o->host_key_agent); >+ dump_cfg_string(sGatewayPortsAddresses, >+ o->fwd_opts.gateway_ports_explicit); > dump_cfg_string(sKexAlgorithms, > o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); > dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? >diff --git a/servconf.h b/servconf.h >index f4137af..a3618d6 100644 >--- a/servconf.h >+++ b/servconf.h >@@ -227,6 +227,7 @@ struct connection_info { > M_CP_STROPT(authorized_principals_command_user); \ > M_CP_STROPT(hostbased_key_types); \ > M_CP_STROPT(pubkey_key_types); \ >+ M_CP_STROPT(fwd_opts.gateway_ports_explicit); \ > M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \ > M_CP_STRARRAYOPT(allow_users, num_allow_users); \ > M_CP_STRARRAYOPT(deny_users, num_deny_users); \