Bugzilla – Attachment 3052 Details for
Bug 2778
blacklist hostports for port forwarding
[patch]
add DenyOpen feature to sshd_config
deny-open.patch (text/plain), 39.71 KB, created by
Mihai Chiorean
on 2017-09-15 04:51:03 AEST
Description:
add DenyOpen feature to sshd_config
Filename:
MIME Type:
Creator:
Mihai Chiorean
Created:
2017-09-15 04:51:03 AEST
Size:
39.71 KB
patch
obsolete
>From 7d1e2028de11921829883e059aafd79503b30ffa Mon Sep 17 00:00:00 2001
>From: Mihai Chiorean <mihai@uber.com>
>Date: Wed, 23 Aug 2017 21:27:52 +0000
>Subject: [PATCH] Add DenyOpen Feature
>
>---
> auth-options.c | 55 +++++++++
> channels.c | 56 +++++++++
> channels.h | 2 +
> config.guess | 327 ++++++++++++++++----------------------------------
> config.h.in | 43 +++++--
> config.sub | 82 +++++++------
> regress/cfgmatch.sh | 43 +++++++
> regress/test-exec.sh | 0
> servconf.c | 38 +++++-
> servconf.h | 1 +
> sshd_config.0 | 16 +++
> sshd_config.5 | 31 +++++
> 12 files changed, 421 insertions(+), 273 deletions(-)
> mode change 100644 => 100755 regress/cfgmatch.sh
> mode change 100644 => 100755 regress/test-exec.sh
>
>diff --git a/auth-options.c b/auth-options.c
>index b399b91..dee8283 100644
>--- a/auth-options.c
>+++ b/auth-options.c
>@@ -383,6 +383,61 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
> free(patterns);
> goto next_option;
> }
>+ cp = "denyopen=\"";
>+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
>+ char *host, *p;
>+ int port;
>+ char *patterns = xmalloc(strlen(opts) + 1);
>+
>+ opts += strlen(cp);
>+ i = 0;
>+ while (*opts) {
>+ if (*opts == '"')
>+ break;
>+ if (*opts == '\\' && opts[1] == '"') {
>+ opts += 2;
>+ patterns[i++] = '"';
>+ continue;
>+ }
>+ patterns[i++] = *opts++;
>+ }
>+ if (!*opts) {
>+ debug("%.100s, line %lu: missing end quote",
>+ file, linenum);
>+ auth_debug_add("%.100s, line %lu: missing "
>+ "end quote", file, linenum);
>+ free(patterns);
>+ goto bad_option;
>+ }
>+ patterns[i] = '\0';
>+ opts++;
>+ p = patterns;
>+ /* XXX - add streamlocal support */
>+ host = hpdelim(&p);
>+ if (host == NULL || strlen(host) >= NI_MAXHOST) {
>+ debug("%.100s, line %lu: Bad denyopen "
>+ "specification <%.100s>", file, linenum,
>+ patterns);
>+ auth_debug_add("%.100s, line %lu: "
>+ "Bad denyopen specification", file,
>+ linenum);
>+ free(patterns);
>+ goto bad_option;
>+ }
>+ host = cleanhostname(host);
>+ if (p == NULL || (port = permitopen_port(p)) < 0) {
>+ debug("%.100s, line %lu: Bad port "
>+ "<%.100s>", file, linenum, p ? p : "");
>+ auth_debug_add("%.100s, line %lu: "
>+ "Bad permitopen port", file, linenum);
>+ free(patterns);
>+ goto bad_option;
>+ }
>+ if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
>+ channel_add_denied_opens(host, port);
>+ free(patterns);
>+ goto next_option;
>+ }
> cp = "tunnel=\"";
> if (strncasecmp(opts, cp, strlen(cp)) == 0) {
> char *tun = NULL;
>diff --git a/channels.c b/channels.c
>index 9f9e972..dc1013a 100644
>--- a/channels.c
>+++ b/channels.c
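Review bot: The port-error branch of the new denyopen= block still reports `"Bad permitopen port"` through auth_debug_add, a leftover from the permitopen block it was copied from; make it `auth_debug_add("%.100s, line %lu: " "Bad denyopen port", file, linenum);` so an operator reading the auth debug output is pointed at the right key option. The block otherwise mirrors the permitopen parser line for line, including the `/* XXX - add streamlocal support */` gap, so the limitation should be stated in the sshd_config.5 text that is outside this view. The enclosing auth_parse_options() starts and ends outside the hunk. Unrelated regeneration of config.guess, config.sub and config.h.in, and the mode flips on the two regress scripts, are bundled into this feature patch and would be easier to review split out.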
>@@ -124,12 +124,18 @@ typedef struct {
> } ForwardPermission;
>
> /* List of all permitted host/port pairs to connect by the user. */
>+static ForwardPermission *denied_opens = NULL;
>+
>+/* List of all permitted host/port pairs to connect by the user. */
> static ForwardPermission *permitted_opens = NULL;
>
> /* List of all permitted host/port pairs to connect by the admin. */
> static ForwardPermission *permitted_adm_opens = NULL;
>
> /* Number of permitted host/port pairs in the array permitted by the user. */
>+static int num_denied_opens = 0;
>+
>+/* Number of permitted host/port pairs in the array permitted by the user. */
> static int num_permitted_opens = 0;
>
> /* Number of permitted host/port pair in the array permitted by the admin. */
>@@ -3507,6 +3513,25 @@ channel_add_permitted_opens(char *host, int port)
> all_opens_permitted = 0;
> }
>
>+int
>+channel_add_denied_opens(char *host, int port)
>+{
>+ debug("deny port forwarding to host %s port %d", host, port);
>+
>+ denied_opens = xreallocarray(denied_opens,
>+ num_denied_opens + 1, sizeof(*denied_opens));
>+ denied_opens[num_denied_opens].host_to_connect = xstrdup(host);
>+ denied_opens[num_denied_opens].port_to_connect = port;
>+ denied_opens[num_denied_opens].listen_host = NULL;
>+ denied_opens[num_denied_opens].listen_path = NULL;
>+ denied_opens[num_denied_opens].listen_port = 0;
>+ num_denied_opens++;
>+
>+ all_opens_permitted = 0;
>+
>+ return ++num_denied_opens;
>+}
>+
> /*
> * Update the listen port for a dynamic remote forward, after
> * the actual 'newport' has been allocated. If 'newport' < 0 is
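Review bot: channel_add_denied_opens() bumps num_denied_opens twice, `num_denied_opens++;` and then `return ++num_denied_opens;`, so after the first entry the count is 2 while xreallocarray() sized denied_opens for one element; the loops over denied_opens in channel_connect_to_port()/channel_connect_to_path() and the free() calls in channel_clear_denied_opens() (next hunk) then read one element past the allocation. Delete the standalone `num_denied_opens++;` and keep only `return ++num_denied_opens;`, which looks like the channel_add_adm_permitted_opens() pattern this was copied from. The two comments inserted above denied_opens and num_denied_opens still read "permitted ... by the user"; suggest `/* List of host/port pairs the user is denied from connecting to. */` and `/* Number of denied host/port pairs in the array denied_opens. */`. Note also that the function clears all_opens_permitted exactly as channel_add_permitted_opens() does; if the permit decision starts from that flag as it does for permitopen, a DenyOpen with no PermitOpen would refuse every forward rather than just the listed one, which is worth confirming against the servconf.c side that is mostly outside this view.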
>@@ -3581,6 +3606,21 @@ channel_clear_permitted_opens(void)
> }
>
> void
>+channel_clear_denied_opens(void)
>+{
>+ int i;
>+
>+ for (i = 0; i < num_denied_opens; i++) {
>+ free(denied_opens[i].host_to_connect);
>+ free(denied_opens[i].listen_host);
>+ free(denied_opens[i].listen_path);
>+ }
>+ free(denied_opens);
>+ denied_opens = NULL;
>+ num_denied_opens = 0;
>+}
>+
>+void
> channel_clear_adm_permitted_opens(void)
> {
> int i;
>@@ -3815,6 +3855,14 @@ channel_connect_to_port(const char *host, u_short port, char *ctype, char *rname
> }
> }
>
>+ if (permit) {
>+ for (i = 0; i < num_denied_opens; i++)
>+ if (open_match(&denied_opens[i], host, port)) {
>+ permit = 0;
>+ break;
>+ }
>+ }
>+
> if (num_adm_permitted_opens > 0) {
> permit_adm = 0;
> for (i = 0; i < num_adm_permitted_opens; i++)
>@@ -3847,6 +3895,14 @@ channel_connect_to_path(const char *path, char *ctype, char *rname)
> }
> }
>
>+ if (permit) {
>+ for (i = 0; i < num_denied_opens; i++)
>+ if (open_match(&denied_opens[i], path, PORT_STREAMLOCAL)) {
>+ permit = 0;
>+ break;
>+ }
>+ }
>+
> if (num_adm_permitted_opens > 0) {
> permit_adm = 0;
> for (i = 0; i < num_adm_permitted_opens; i++)
>diff --git a/channels.h b/channels.h
>index 9d76c9d..730c7d9 100644
>--- a/channels.h
>+++ b/channels.h
>@@ -261,10 +261,12 @@ struct ForwardOptions;
> void channel_set_af(int af);
> void channel_permit_all_opens(void);
> void channel_add_permitted_opens(char *, int);
>+int channel_add_denied_opens(char *, int);
> int channel_add_adm_permitted_opens(char *, int);
> void channel_disable_adm_local_opens(void);
> void channel_update_permitted_opens(int, int);
> void channel_clear_permitted_opens(void);
>+void channel_clear_denied_opens(void);
> void channel_clear_adm_permitted_opens(void);
> void channel_print_adm_permitted_opens(void);
> int channel_input_port_forward_request(int, struct ForwardOptions *);
>diff --git a/config.guess b/config.guess
>index c563628..1f5c50c 100755
>--- a/config.guess
>+++ b/config.guess
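Review bot: Nothing in the visible patch calls the new channel_clear_denied_opens(); if the existing code resets key options with channel_clear_permitted_opens() between authentication attempts, the denied list needs the same reset or denyopen= entries from an earlier key would carry over to a later one — those callers are outside this view, so please check. The deny loops in channel_connect_to_port() and channel_connect_to_path() run only when `permit` is already set, which is the right order (a denial never widens access), but a refused forward is indistinguishable in the logs from one that was simply never permitted; a line such as `debug("port forwarding to %s port %d refused by denyopen", host, port);` before `permit = 0;` would make refusals attributable. Both enclosing functions start and end outside the hunk.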
>@@ -1,14 +1,12 @@ > #! /bin/sh > # Attempt to guess a canonical system name. >-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, >-# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, >-# 2011, 2012, 2013 Free Software Foundation, Inc. >+# Copyright 1992-2014 Free Software Foundation, Inc. > >-timestamp='2012-12-23' >+timestamp='2014-03-23' > > # This file is free software; you can redistribute it and/or modify it > # under the terms of the GNU General Public License as published by >-# the Free Software Foundation; either version 2 of the License, or >+# the Free Software Foundation; either version 3 of the License, or > # (at your option) any later version. > # > # This program is distributed in the hope that it will be useful, but >@@ -22,19 +20,17 @@ timestamp='2012-12-23' > # As a special exception to the GNU General Public License, if you > # distribute this file as part of a program that contains a > # configuration script generated by Autoconf, you may include it under >-# the same distribution terms that you use for the rest of that program. >- >- >-# Originally written by Per Bothner. Please send patches (context >-# diff format) to <config-patches@gnu.org> and include a ChangeLog >-# entry. >+# the same distribution terms that you use for the rest of that >+# program. This Exception is an additional permission under section 7 >+# of the GNU General Public License, version 3 ("GPLv3"). > # >-# This script attempts to guess a canonical system name similar to >-# config.sub. If it succeeds, it prints the system name on stdout, and >-# exits with 0. Otherwise, it exits with 1. >+# Originally written by Per Bothner. > # > # You can get the latest version of this script from: > # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD >+# >+# Please send patches with a ChangeLog entry to config-patches@gnu.org. >+ > > me=`echo "$0" | sed -e 's,.*/,,'` 
> >@@ -54,9 +50,7 @@ version="\ > GNU config.guess ($timestamp) > > Originally written by Per Bothner. >-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, >-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, >-2012, 2013 Free Software Foundation, Inc. >+Copyright 1992-2014 Free Software Foundation, Inc. > > This is free software; see the source for copying conditions. There is NO > warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." >@@ -138,6 +132,27 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown > UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown > UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown > >+case "${UNAME_SYSTEM}" in >+Linux|GNU|GNU/*) >+ # If the system lacks a compiler, then just pick glibc. >+ # We could probably try harder. >+ LIBC=gnu >+ >+ eval $set_cc_for_build >+ cat <<-EOF > $dummy.c >+ #include <features.h> >+ #if defined(__UCLIBC__) >+ LIBC=uclibc >+ #elif defined(__dietlibc__) >+ LIBC=dietlibc >+ #else >+ LIBC=gnu >+ #endif >+ EOF >+ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` >+ ;; >+esac >+ > # Note: order is significant - the case branches are not exclusive. > > case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in >@@ -811,7 +826,7 @@ EOF > *:MINGW*:*) > echo ${UNAME_MACHINE}-pc-mingw32 > exit ;; >- i*:MSYS*:*) >+ *:MSYS*:*) > echo ${UNAME_MACHINE}-pc-msys > exit ;; > i*:windows32*:*) 
>@@ -859,21 +874,21 @@ EOF > exit ;; > *:GNU:*:*) > # the GNU system >- echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` >+ echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` > exit ;; > *:GNU/*:*:*) > # other systems with GNU libc and userland >- echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu >+ echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} > exit ;; > i*86:Minix:*:*) > echo ${UNAME_MACHINE}-pc-minix > exit ;; > aarch64:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > aarch64_be:Linux:*:*) > UNAME_MACHINE=aarch64_be >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > alpha:Linux:*:*) > case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in 
>@@ -886,59 +901,54 @@ EOF > EV68*) UNAME_MACHINE=alphaev68 ;; > esac > objdump --private-headers /bin/sh | grep -q ld.so.1 >- if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi >- echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} >+ if test "$?" = 0 ; then LIBC="gnulibc1" ; fi >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} >+ exit ;; >+ arc:Linux:*:* | arceb:Linux:*:*) >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > arm*:Linux:*:*) > eval $set_cc_for_build > if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ > | grep -q __ARM_EABI__ > then >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > else > if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ > | grep -q __ARM_PCS_VFP > then >- echo ${UNAME_MACHINE}-unknown-linux-gnueabi >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi > else >- echo ${UNAME_MACHINE}-unknown-linux-gnueabihf >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf > fi > fi > exit ;; > avr32*:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > cris:Linux:*:*) >- echo ${UNAME_MACHINE}-axis-linux-gnu >+ echo ${UNAME_MACHINE}-axis-linux-${LIBC} > exit ;; > crisv32:Linux:*:*) >- echo ${UNAME_MACHINE}-axis-linux-gnu >+ echo ${UNAME_MACHINE}-axis-linux-${LIBC} > exit ;; > frv:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > hexagon:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > i*86:Linux:*:*) >- LIBC=gnu >- eval $set_cc_for_build >- sed 's/^ //' << EOF >$dummy.c >- #ifdef __dietlibc__ >- LIBC=dietlibc >- #endif >-EOF >- eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` >- echo "${UNAME_MACHINE}-pc-linux-${LIBC}" >+ echo ${UNAME_MACHINE}-pc-linux-${LIBC} > exit ;; > ia64:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > 
m32r*:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > m68*:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > mips:Linux:*:* | mips64:Linux:*:*) > eval $set_cc_for_build 
>@@ -957,60 +967,63 @@ EOF > #endif > EOF > eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` >- test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } >+ test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } > ;; >- or32:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ openrisc*:Linux:*:*) >+ echo or1k-unknown-linux-${LIBC} >+ exit ;; >+ or32:Linux:*:* | or1k*:Linux:*:*) >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > padre:Linux:*:*) >- echo sparc-unknown-linux-gnu >+ echo sparc-unknown-linux-${LIBC} > exit ;; > parisc64:Linux:*:* | hppa64:Linux:*:*) >- echo hppa64-unknown-linux-gnu >+ echo hppa64-unknown-linux-${LIBC} > exit ;; > parisc:Linux:*:* | hppa:Linux:*:*) > # Look for CPU level > case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in >- PA7*) echo hppa1.1-unknown-linux-gnu ;; >- PA8*) echo hppa2.0-unknown-linux-gnu ;; >- *) echo hppa-unknown-linux-gnu ;; >+ PA7*) echo hppa1.1-unknown-linux-${LIBC} ;; >+ PA8*) echo hppa2.0-unknown-linux-${LIBC} ;; >+ *) echo hppa-unknown-linux-${LIBC} ;; > esac > exit ;; > ppc64:Linux:*:*) >- echo powerpc64-unknown-linux-gnu >+ echo powerpc64-unknown-linux-${LIBC} > exit ;; > ppc:Linux:*:*) >- echo powerpc-unknown-linux-gnu >+ echo powerpc-unknown-linux-${LIBC} > exit ;; > ppc64le:Linux:*:*) >- echo powerpc64le-unknown-linux-gnu >+ echo powerpc64le-unknown-linux-${LIBC} > exit ;; > ppcle:Linux:*:*) >- echo powerpcle-unknown-linux-gnu >+ echo powerpcle-unknown-linux-${LIBC} > exit ;; > s390:Linux:*:* | s390x:Linux:*:*) >- echo ${UNAME_MACHINE}-ibm-linux >+ echo ${UNAME_MACHINE}-ibm-linux-${LIBC} > exit ;; > sh64*:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > sh*:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > sparc:Linux:*:* | sparc64:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo 
${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > tile*:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > vax:Linux:*:*) >- echo ${UNAME_MACHINE}-dec-linux-gnu >+ echo ${UNAME_MACHINE}-dec-linux-${LIBC} > exit ;; > x86_64:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > xtensa*:Linux:*:*) >- echo ${UNAME_MACHINE}-unknown-linux-gnu >+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC} > exit ;; > i*86:DYNIX/ptx:4*:*) > # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. 
>@@ -1243,19 +1256,31 @@ EOF > exit ;; > *:Darwin:*:*) > UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown >- case $UNAME_PROCESSOR in >- i386) >- eval $set_cc_for_build >- if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then >- if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ >- (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ >- grep IS_64BIT_ARCH >/dev/null >- then >- UNAME_PROCESSOR="x86_64" >- fi >- fi ;; >- unknown) UNAME_PROCESSOR=powerpc ;; >- esac >+ eval $set_cc_for_build >+ if test "$UNAME_PROCESSOR" = unknown ; then >+ UNAME_PROCESSOR=powerpc >+ fi >+ if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then >+ if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then >+ if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ >+ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ >+ grep IS_64BIT_ARCH >/dev/null >+ then >+ case $UNAME_PROCESSOR in >+ i386) UNAME_PROCESSOR=x86_64 ;; >+ powerpc) UNAME_PROCESSOR=powerpc64 ;; >+ esac >+ fi >+ fi >+ elif test "$UNAME_PROCESSOR" = i386 ; then >+ # Avoid executing cc on OS X 10.9, as it ships with a stub >+ # that puts up a graphical alert prompting to install >+ # developer tools. Any system running Mac OS X 10.7 or >+ # later (Darwin 11 and later) is required to have a 64-bit >+ # processor. This is not true of the ARM version of Darwin >+ # that Apple uses in portable devices. >+ UNAME_PROCESSOR=x86_64 >+ fi > echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} > exit ;; > *:procnto*:*:* | *:QNX:[0123456789]*:*) 
>@@ -1346,154 +1371,6 @@ EOF > exit ;; > esac > >-eval $set_cc_for_build >-cat >$dummy.c <<EOF >-#ifdef _SEQUENT_ >-# include <sys/types.h> >-# include <sys/utsname.h> >-#endif >-main () >-{ >-#if defined (sony) >-#if defined (MIPSEB) >- /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, >- I don't know.... */ >- printf ("mips-sony-bsd\n"); exit (0); >-#else >-#include <sys/param.h> >- printf ("m68k-sony-newsos%s\n", >-#ifdef NEWSOS4 >- "4" >-#else >- "" >-#endif >- ); exit (0); >-#endif >-#endif >- >-#if defined (__arm) && defined (__acorn) && defined (__unix) >- printf ("arm-acorn-riscix\n"); exit (0); >-#endif >- >-#if defined (hp300) && !defined (hpux) >- printf ("m68k-hp-bsd\n"); exit (0); >-#endif >- >-#if defined (NeXT) >-#if !defined (__ARCHITECTURE__) >-#define __ARCHITECTURE__ "m68k" >-#endif >- int version; >- version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; >- if (version < 4) >- printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); >- else >- printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); >- exit (0); >-#endif >- >-#if defined (MULTIMAX) || defined (n16) >-#if defined (UMAXV) >- printf ("ns32k-encore-sysv\n"); exit (0); >-#else >-#if defined (CMU) >- printf ("ns32k-encore-mach\n"); exit (0); >-#else >- printf ("ns32k-encore-bsd\n"); exit (0); >-#endif >-#endif >-#endif >- >-#if defined (__386BSD__) >- printf ("i386-pc-bsd\n"); exit (0); >-#endif >- >-#if defined (sequent) >-#if defined (i386) >- printf ("i386-sequent-dynix\n"); exit (0); >-#endif >-#if defined (ns32000) >- printf ("ns32k-sequent-dynix\n"); exit (0); >-#endif >-#endif >- >-#if defined (_SEQUENT_) >- struct utsname un; >- >- uname(&un); >- >- if (strncmp(un.version, "V2", 2) == 0) { >- printf ("i386-sequent-ptx2\n"); exit (0); >- } >- if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? 
*/ >- printf ("i386-sequent-ptx1\n"); exit (0); >- } >- printf ("i386-sequent-ptx\n"); exit (0); >- >-#endif >- >-#if defined (vax) >-# if !defined (ultrix) >-# include <sys/param.h> >-# if defined (BSD) >-# if BSD == 43 >- printf ("vax-dec-bsd4.3\n"); exit (0); >-# else >-# if BSD == 199006 >- printf ("vax-dec-bsd4.3reno\n"); exit (0); >-# else >- printf ("vax-dec-bsd\n"); exit (0); >-# endif >-# endif >-# else >- printf ("vax-dec-bsd\n"); exit (0); >-# endif >-# else >- printf ("vax-dec-ultrix\n"); exit (0); >-# endif >-#endif >- >-#if defined (alliant) && defined (i860) >- printf ("i860-alliant-bsd\n"); exit (0); >-#endif >- >- exit (1); >-} >-EOF >- >-$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` && >- { echo "$SYSTEM_NAME"; exit; } >- >-# Apollos put the system type in the environment. >- >-test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; } >- >-# Convex versions that predate uname can use getsysinfo(1) >- >-if [ -x /usr/convex/getsysinfo ] >-then >- case `getsysinfo -f cpu_type` in >- c1*) >- echo c1-convex-bsd >- exit ;; >- c2*) >- if getsysinfo -f scalar_acc >- then echo c32-convex-bsd >- else echo c2-convex-bsd >- fi >- exit ;; >- c34*) >- echo c34-convex-bsd >- exit ;; >- c38*) >- echo c38-convex-bsd >- exit ;; >- c4*) >- echo c4-convex-bsd >- exit ;; >- esac >-fi >- > cat >&2 <<EOF > $0: unable to guess system type > >diff --git a/config.h.in b/config.h.in >index 39d018f..60664a9 100644 >--- a/config.h.in >+++ b/config.h.in >@@ -1,5 +1,8 @@ > /* config.h.in. Generated from configure.ac by autoheader. */ > >+/* Define if building universal (internal helper macro) */ >+#undef AC_APPLE_UNIVERSAL_BUILD >+ > /* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address > */ > #undef AIX_GETNAMEINFO_HACK 
>@@ -1130,28 +1133,28 @@ > /* define if you have struct in6_addr data type */ > #undef HAVE_STRUCT_IN6_ADDR > >-/* Define to 1 if `pw_change' is member of `struct passwd'. */ >+/* Define to 1 if `pw_change' is a member of `struct passwd'. */ > #undef HAVE_STRUCT_PASSWD_PW_CHANGE > >-/* Define to 1 if `pw_class' is member of `struct passwd'. */ >+/* Define to 1 if `pw_class' is a member of `struct passwd'. */ > #undef HAVE_STRUCT_PASSWD_PW_CLASS > >-/* Define to 1 if `pw_expire' is member of `struct passwd'. */ >+/* Define to 1 if `pw_expire' is a member of `struct passwd'. */ > #undef HAVE_STRUCT_PASSWD_PW_EXPIRE > >-/* Define to 1 if `pw_gecos' is member of `struct passwd'. */ >+/* Define to 1 if `pw_gecos' is a member of `struct passwd'. */ > #undef HAVE_STRUCT_PASSWD_PW_GECOS > > /* define if you have struct sockaddr_in6 data type */ > #undef HAVE_STRUCT_SOCKADDR_IN6 > >-/* Define to 1 if `sin6_scope_id' is member of `struct sockaddr_in6'. */ >+/* Define to 1 if `sin6_scope_id' is a member of `struct sockaddr_in6'. */ > #undef HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID > > /* define if you have struct sockaddr_storage data type */ > #undef HAVE_STRUCT_SOCKADDR_STORAGE > >-/* Define to 1 if `st_blksize' is member of `struct stat'. */ >+/* Define to 1 if `st_blksize' is a member of `struct stat'. */ > #undef HAVE_STRUCT_STAT_ST_BLKSIZE > > /* Define to 1 if the system has the type `struct timespec'. */ >@@ -1433,6 +1436,9 @@ > /* Define if pututxline updates lastlog too */ > #undef LASTLOG_WRITE_PUTUTXLINE > >+/* Define if you want TCP Wrappers support */ >+#undef LIBWRAP >+ > /* Define to whatever link() returns for "not supported" if it doesn't return > EOPNOTSUPP. */ > #undef LINK_OPNOTSUPP_ERRNO >@@ -1525,6 +1531,9 @@ > /* Define to the one symbol short name of this package. */ > #undef PACKAGE_TARNAME > >+/* Define to the home page for this package. */ >+#undef PACKAGE_URL >+ > /* Define to the version of this package. */ > #undef PACKAGE_VERSION 
> >@@ -1668,6 +1677,9 @@ > /* Use btmp to log bad logins */ > #undef USE_BTMP > >+/* Define if you want ConsoleKit support. */ >+#undef USE_CONSOLEKIT >+ > /* Use libedit for sftp */ > #undef USE_LIBEDIT > >@@ -1720,13 +1732,26 @@ > /* include SSH protocol version 1 support */ > #undef WITH_SSH1 > >-/* Define to 1 if your processor stores words with the most significant byte >- first (like Motorola and SPARC, unlike Intel and VAX). */ >-#undef WORDS_BIGENDIAN >+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most >+ significant byte first (like Motorola and SPARC, unlike Intel). */ >+#if defined AC_APPLE_UNIVERSAL_BUILD >+# if defined __BIG_ENDIAN__ >+# define WORDS_BIGENDIAN 1 >+# endif >+#else >+# ifndef WORDS_BIGENDIAN >+# undef WORDS_BIGENDIAN >+# endif >+#endif > > /* Define if xauth is found in your path */ > #undef XAUTH_PATH > >+/* Enable large inode numbers on Mac OS X 10.5. */ >+#ifndef _DARWIN_USE_64_BIT_INODE >+# define _DARWIN_USE_64_BIT_INODE 1 >+#endif >+ > /* Number of bits in a file offset, on hosts where this is settable. */ > #undef _FILE_OFFSET_BITS > >diff --git a/config.sub b/config.sub >index eee8dcc..bba4efb 100755 >--- a/config.sub >+++ b/config.sub 
>@@ -1,24 +1,18 @@ > #! /bin/sh > # Configuration validation subroutine script. >-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, >-# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, >-# 2011, 2012, 2013 Free Software Foundation, Inc. >+# Copyright 1992-2014 Free Software Foundation, Inc. > >-timestamp='2012-12-23' >+timestamp='2014-09-11' > >-# This file is (in principle) common to ALL GNU software. >-# The presence of a machine in this file suggests that SOME GNU software >-# can handle that machine. It does not imply ALL GNU software can. >-# >-# This file is free software; you can redistribute it and/or modify >-# it under the terms of the GNU General Public License as published by >-# the Free Software Foundation; either version 2 of the License, or >+# This file is free software; you can redistribute it and/or modify it >+# under the terms of the GNU General Public License as published by >+# the Free Software Foundation; either version 3 of the License, or > # (at your option) any later version. > # >-# This program is distributed in the hope that it will be useful, >-# but WITHOUT ANY WARRANTY; without even the implied warranty of >-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >-# GNU General Public License for more details. >+# This program is distributed in the hope that it will be useful, but >+# WITHOUT ANY WARRANTY; without even the implied warranty of >+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU >+# General Public License for more details. > # > # You should have received a copy of the GNU General Public License > # along with this program; if not, see <http://www.gnu.org/licenses/>. 
>@@ -26,11 +20,12 @@ timestamp='2012-12-23' > # As a special exception to the GNU General Public License, if you > # distribute this file as part of a program that contains a > # configuration script generated by Autoconf, you may include it under >-# the same distribution terms that you use for the rest of that program. >+# the same distribution terms that you use for the rest of that >+# program. This Exception is an additional permission under section 7 >+# of the GNU General Public License, version 3 ("GPLv3"). > > >-# Please send patches to <config-patches@gnu.org>. Submit a context >-# diff and a properly formatted GNU ChangeLog entry. >+# Please send patches with a ChangeLog entry to config-patches@gnu.org. > # > # Configuration subroutine to validate and canonicalize a configuration type. > # Supply the specified configuration type as an argument. >@@ -73,9 +68,7 @@ Report bugs and patches to <config-patches@gnu.org>." > version="\ > GNU config.sub ($timestamp) > >-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, >-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, >-2012, 2013 Free Software Foundation, Inc. >+Copyright 1992-2014 Free Software Foundation, Inc. > > This is free software; see the source for copying conditions. There is NO > warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." >@@ -259,12 +252,12 @@ case $basic_machine in > | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ > | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ > | am33_2.0 \ >- | arc \ >+ | arc | arceb \ > | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ > | avr | avr32 \ > | be32 | be64 \ > | bfin \ >- | c4x | clipper \ >+ | c4x | c8051 | clipper \ > | d10v | d30v | dlx | dsp16xx \ > | epiphany \ > | fido | fr30 | frv \ 
>@@ -272,6 +265,7 @@ case $basic_machine in > | hexagon \ > | i370 | i860 | i960 | ia64 \ > | ip2k | iq2000 \ >+ | k1om \ > | le32 | le64 \ > | lm32 \ > | m32c | m32r | m32rle | m68000 | m68k | m88k \ >@@ -289,23 +283,26 @@ case $basic_machine in > | mips64vr5900 | mips64vr5900el \ > | mipsisa32 | mipsisa32el \ > | mipsisa32r2 | mipsisa32r2el \ >+ | mipsisa32r6 | mipsisa32r6el \ > | mipsisa64 | mipsisa64el \ > | mipsisa64r2 | mipsisa64r2el \ >+ | mipsisa64r6 | mipsisa64r6el \ > | mipsisa64sb1 | mipsisa64sb1el \ > | mipsisa64sr71k | mipsisa64sr71kel \ >+ | mipsr5900 | mipsr5900el \ > | mipstx39 | mipstx39el \ > | mn10200 | mn10300 \ > | moxie \ > | mt \ > | msp430 \ > | nds32 | nds32le | nds32be \ >- | nios | nios2 \ >+ | nios | nios2 | nios2eb | nios2el \ > | ns16k | ns32k \ >- | open8 \ >- | or32 \ >+ | open8 | or1k | or1knd | or32 \ > | pdp10 | pdp11 | pj | pjl \ > | powerpc | powerpc64 | powerpc64le | powerpcle \ > | pyramid \ >+ | riscv32 | riscv64 \ > | rl78 | rx \ > | score \ > | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ >@@ -330,7 +327,7 @@ case $basic_machine in > c6x) > basic_machine=tic6x-unknown > ;; >- m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) >+ m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) > basic_machine=$basic_machine-unknown > os=-none > ;; 
>@@ -372,13 +369,13 @@ case $basic_machine in > | aarch64-* | aarch64_be-* \ > | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ > | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ >- | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ >+ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ > | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ > | avr-* | avr32-* \ > | be32-* | be64-* \ > | bfin-* | bs2000-* \ > | c[123]* | c30-* | [cjt]90-* | c4x-* \ >- | clipper-* | craynv-* | cydra-* \ >+ | c8051-* | clipper-* | craynv-* | cydra-* \ > | d10v-* | d30v-* | dlx-* \ > | elxsi-* \ > | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ >@@ -387,6 +384,7 @@ case $basic_machine in > | hexagon-* \ > | i*86-* | i860-* | i960-* | ia64-* \ > | ip2k-* | iq2000-* \ >+ | k1om-* \ > | le32-* | le64-* \ > | lm32-* \ > | m32c-* | m32r-* | m32rle-* \ >@@ -406,18 +404,22 @@ case $basic_machine in > | mips64vr5900-* | mips64vr5900el-* \ > | mipsisa32-* | mipsisa32el-* \ > | mipsisa32r2-* | mipsisa32r2el-* \ >+ | mipsisa32r6-* | mipsisa32r6el-* \ > | mipsisa64-* | mipsisa64el-* \ > | mipsisa64r2-* | mipsisa64r2el-* \ >+ | mipsisa64r6-* | mipsisa64r6el-* \ > | mipsisa64sb1-* | mipsisa64sb1el-* \ > | mipsisa64sr71k-* | mipsisa64sr71kel-* \ >+ | mipsr5900-* | mipsr5900el-* \ > | mipstx39-* | mipstx39el-* \ > | mmix-* \ > | mt-* \ > | msp430-* \ > | nds32-* | nds32le-* | nds32be-* \ >- | nios-* | nios2-* \ >+ | nios-* | nios2-* | nios2eb-* | nios2el-* \ > | none-* | np1-* | ns16k-* | ns32k-* \ > | open8-* \ >+ | or1k*-* \ > | orion-* \ > | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ > | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ >@@ -799,7 +801,7 @@ case $basic_machine in > os=-mingw64 > ;; > mingw32) >- basic_machine=i386-pc >+ basic_machine=i686-pc > os=-mingw32 > ;; > mingw32ce) 
>@@ -827,6 +829,10 @@ case $basic_machine in > basic_machine=powerpc-unknown > os=-morphos > ;; >+ moxiebox) >+ basic_machine=moxie-unknown >+ os=-moxiebox >+ ;; > msdos) > basic_machine=i386-pc > os=-msdos >@@ -835,7 +841,7 @@ case $basic_machine in > basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` > ;; > msys) >- basic_machine=i386-pc >+ basic_machine=i686-pc > os=-msys > ;; > mvs) >@@ -1357,7 +1363,7 @@ case $os in > -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ > | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ > | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ >- | -sym* | -kopensolaris* \ >+ | -sym* | -kopensolaris* | -plan9* \ > | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ > | -aos* | -aros* \ > | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ >@@ -1372,14 +1378,14 @@ case $os in > | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ > | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ > | -linux-newlib* | -linux-musl* | -linux-uclibc* \ >- | -uxpv* | -beos* | -mpeix* | -udk* \ >+ | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ > | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ > | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ > | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ > | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ > | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ > | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ >- | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*) >+ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) > # Remember, each alternative MUST END IN *, to match a version number. > ;; > -qnx*) >@@ -1503,9 +1509,6 @@ case $os in > -aros*) > os=-aros > ;; >- -kaos*) >- os=-kaos >- ;; > -zvmoe) > os=-zvmoe > ;; 
>@@ -1554,6 +1557,9 @@ case $basic_machine in
> c4x-* | tic4x-*)
> os=-coff
> ;;
>+ c8051-*)
>+ os=-elf
>+ ;;
> hexagon-*)
> os=-elf
> ;;
>diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
>old mode 100644
>new mode 100755
>index 0562963..68d2f79
>--- a/regress/cfgmatch.sh
>+++ b/regress/cfgmatch.sh
>@@ -51,6 +51,7 @@ echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
> echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
> echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
>
>+
> start_sshd
>
> #set -x
>@@ -64,6 +65,18 @@ for p in ${SSH_PROTOCOLS}; do
> stop_client
> done
>
>+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
>+echo "DenyOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
>+
>+# Test Match + PermitOpen in sshd_config. This should be permitted
>+for p in ${SSH_PROTOCOLS}; do
>+ trace "match denyopen localhost proto $p"
>+ start_client -F $OBJ/ssh_config
>+ ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
>+ fail "match denyopen deny proto $p"
>+ stop_client
>+done
>+
> # Same but from different source. This should not be permitted
> for p in ${SSH_PROTOCOLS}; do
> trace "match permitopen proxy proto $p"
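Review bot: The new DenyOpen loop in the `@@ -64,6 +65,18 @@` hunk denies `127.0.0.1:$PORT` and then treats a successful forwarded connection as a pass (`... somehost true || fail ...`), so it passes whether or not DenyOpen has any effect, and its leading comment (`# Test Match + PermitOpen in sshd_config. This should be permitted`) is a copy of the PermitOpen case. If the intent is to show the destination is refused, invert the check the way the existing negative tests in this file do, `${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && fail "match denyopen allowed proto $p"`, and change the comment to `# Test DenyOpen in sshd_config. This should be denied`. The final loop of the `@@ -125,3 +138,33 @@` hunk has the same inverted expectation against a global deny entry, so as written no new test exercises the refusal path that is the point of the feature. The extra blank line added in the `@@ -51,6 +51,7 @@` hunk looks like stray whitespace.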
>@@ -125,3 +138,33 @@ for p in ${SSH_PROTOCOLS}; do
> fail "nomatch override permitopen proto $p"
> stop_client
> done
>+
>+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
>+echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
>+echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
>+echo "DenyOpen 127.0.0.1:1 127.0.0.1:2 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
>+
>+# Test that a rule that doesn't match doesn't override, plus test a
>+# PermitOpen entry that's not at the start of the list
>+for p in ${SSH_PROTOCOLS}; do
>+ trace "nomatch permitopen proxy w/key opts proto $p"
>+ start_client -F $OBJ/ssh_proxy
>+ ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
>+ fail "nomatch override permitopen proto $p"
>+ stop_client
>+done
>+
>+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
>+echo "DeniedOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
>+echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
>+echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
>+
>+# Test that a rule that doesn't match doesn't override, plus test a
>+# PermitOpen entry that's not at the start of the list
>+for p in ${SSH_PROTOCOLS}; do
>+ trace "nomatch permitopen proxy w/key opts proto $p"
>+ start_client -F $OBJ/ssh_proxy
>+ ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
>+ fail "nomatch override permitopen proto $p"
>+ stop_client
>+done
>diff --git a/regress/test-exec.sh b/regress/test-exec.sh
>old mode 100644
>new mode 100755
>diff --git a/servconf.c b/servconf.c
>index 873b0d0..d6ddd6a 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -156,6 +156,7 @@ initialize_server_options(ServerOptions *options)
> options->num_accept_env = 0;
> options->permit_tun = -1;
> options->num_permitted_opens = -1;
>+ options->num_denied_opens = -1;
> options->adm_forced_command = NULL;
> options->chroot_directory = NULL;
> options->authorized_keys_command = NULL;
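Review bot: The last test block writes `DeniedOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2` to sshd_proxy, but the keyword this patch registers in servconf.c is `denyopen`, so the server will presumably reject the file as a bad configuration option and the loop cannot pass as written; the line should read `echo "DenyOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy`. Once the keyword is corrected that global entry covers `$PORT`, so the `|| fail` in the same loop should become `&& fail` to assert the forward is refused (the preceding loop, where DenyOpen sits under `Match User NoSuchUser`, correctly expects success). The trace and fail strings of both new loops still say `nomatch permitopen`, and the two comments are verbatim copies of the PermitOpen comment, which makes a failure hard to attribute; rename them to mention denyopen.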
>@@ -428,7 +429,7 @@ typedef enum {
> sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
> sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
> sAcceptEnv, sPermitTunnel,
>- sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
>+ sMatch, sPermitOpen, sDenyOpen, sForceCommand, sChrootDirectory,
> sUsePrivilegeSeparation, sAllowAgentForwarding,
> sHostCertificate,
> sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
>@@ -562,6 +563,7 @@ static struct {
> { "permituserrc", sPermitUserRC, SSHCFG_ALL },
> { "match", sMatch, SSHCFG_ALL },
> { "permitopen", sPermitOpen, SSHCFG_ALL },
>+ { "denyopen", sDenyOpen, SSHCFG_ALL },
> { "forcecommand", sForceCommand, SSHCFG_ALL },
> { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
> { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
>@@ -1696,6 +1698,40 @@ process_server_config_line(ServerOptions *options, char *line,
> }
> break;
>
>+ case sDenyOpen:
>+ arg = strdelim(&cp);
>+ if (!arg || *arg == '\0')
>+ fatal("%s line %d: missing DenyOpen specification",
>+ filename, linenum);
>+ n = options->num_denied_opens; /* modified later */
>+ if (strcmp(arg, "any") == 0) {
>+ if (*activep && n == -1) {
>+ options->num_denied_opens = 0;
>+ }
>+ break;
>+ }
>+ if (strcmp(arg, "none") == 0) {
>+ if (*activep && n == -1) {
>+ options->num_denied_opens = 1;
>+ }
>+ break;
>+ }
>+ if (*activep && n == -1)
>+ channel_clear_denied_opens();
>+ for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
>+ p = hpdelim(&arg);
>+ if (p == NULL)
>+ fatal("%s line %d: missing host in DenyOpen",
>+ filename, linenum);
>+ p = cleanhostname(p);
>+ if (arg == NULL || ((port = permitopen_port(arg)) < 0))
>+ fatal("%s line %d: bad port number in "
>+ "DenyOpen", filename, linenum);
>+ if (*activep && n == -1)
>+ options->num_denied_opens =
>+ channel_add_denied_opens(p, port);
>+ }
>+ break;
> case sForceCommand:
> if (cp == NULL || *cp == '\0')
> fatal("%.200s line %d: Missing argument.", filename,
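Review bot: The `any`/`none` handling in the new `case sDenyOpen` assigns the PermitOpen sentinel values (`any` → `num_denied_opens = 0`, `none` → `1`) without a comment saying what each value means for a deny list, and the two manual hunks in this patch disagree about which word lifts the restriction (sshd_config.0 says "any", sshd_config.5 says "none"). For a deny list the natural reading is that `none` denies nothing, so either the assignments or the documentation is inverted; whichever is intended, add a comment beside the assignments such as `/* -1: unset; 0: no destinations denied; 1: "none" given (TODO: confirm what channels.c does with 0 and 1) */` and make both man pages match it. Neither sentinel calls into channels.c here (only the explicit-entry path calls `channel_clear_denied_opens()`), so if channels.c consults only its own list the value 1 may do nothing beyond suppressing later DenyOpen lines in the same configuration. The entries are stored as host strings after `cleanhostname()`; if channels.c compares them against the literal destination the client requested, as PermitOpen does, a hostname entry does not cover the same target named by address, which the man page should state so that administrators treat DenyOpen as a policy hint rather than a hard boundary.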
>diff --git a/servconf.h b/servconf.h
>index f4137af..597efc0 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -176,6 +176,7 @@ typedef struct {
> int permit_tun;
>
> int num_permitted_opens;
>+ int num_denied_opens;
>
> char *chroot_directory;
> char *revoked_keys_file;
>diff --git a/sshd_config.0 b/sshd_config.0
>index 85379dc..453b347 100644
>--- a/sshd_config.0
>+++ b/sshd_config.0
>@@ -337,6 +337,22 @@ DESCRIPTION
>
> See PATTERNS in ssh_config(5) for more information on patterns.
>
>+ DenyOpen
>+ Specifies the destinations to which TCP port forwarding is
>+ blocked. The forwarding specification must be one of the
>+ following forms:
>+
>+ DenyOpen host:port
>+ DenyOpen IPv4_addr:port
>+ DenyOpen [IPv6_addr]:port
>+
>+ Multiple destinations may be specified by separating them with
>+ whitespace. An argument of M-bM-^@M-^\anyM-bM-^@M-^] can be used to remove all
>+ restrictions and permit any forwarding requests. The
>+ wildcard M-bM-^@M-^\*M-bM-^@M-^] can be used for host or port to block all hosts or
>+ ports, respectively. By default all port forwarding requests are
>+ permitted.
>+
> DenyUsers
> This keyword can be followed by a list of user name patterns,
> separated by spaces. Login is disallowed for user names that
>diff --git a/sshd_config.5 b/sshd_config.5
>index 1bc26ec..9618b47 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
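Review bot: The new `int num_denied_opens;` field in the servconf.h hunk carries no comment, and its neighbour `num_permitted_opens` gives no hint either, so a reader has to find the `sDenyOpen` case in servconf.c to learn that -1 means unset and that the value doubles as a sentinel for the `any`/`none` keywords. A one-line comment on the field, `int num_denied_opens; /* -1: unset; see sDenyOpen in servconf.c for 0/1 */`, would make the struct self-describing. The enclosing ServerOptions struct starts and ends outside the hunk.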
>@@ -558,6 +558,36 @@ and finally
> See PATTERNS in
> .Xr ssh_config 5
> for more information on patterns.
>+.It Cm DenyOpen
>+Specifies the destinations to which TCP port forwarding is blocked.
>+The forwarding specification must be one of the following forms:
>+.Pp
>+.Bl -item -offset indent -compact
>+.It
>+.Cm DenyOpen
>+.Sm off
>+.Ar host : port
>+.Sm on
>+.It
>+.Cm DenyOpen
>+.Sm off
>+.Ar IPv4_addr : port
>+.Sm on
>+.It
>+.Cm DenyOpen
>+.Sm off
>+.Ar \&[ IPv6_addr \&] : port
>+.Sm on
>+.El
>+.Pp
>+Multiple destinations may be specified by separating them with whitespace.
>+An argument of
>+.Dq none
>+can be used to remove all restrictions and permit any forwarding requests.
>+The wildcard
>+.Dq *
>+can be used for host or port to allow all hosts or ports, respectively.
>+By default all port forwarding requests are permitted.
> .It Cm DenyUsers
> This keyword can be followed by a list of user name patterns, separated
> by spaces.
>@@ -1104,6 +1134,7 @@ Available keywords are
> .Cm Banner ,
> .Cm ChrootDirectory ,
> .Cm DenyGroups ,
>+.Cm DenyOpen ,
> .Cm DenyUsers ,
> .Cm ForceCommand ,
> .Cm GatewayPorts ,
>--
>2.1.4
>