

(-)a/readconf.c (-1 / +8 lines)
Lines 156-162 typedef enum { Link Here
156
	oPubkeyAuthentication,
156
	oPubkeyAuthentication,
157
	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
157
	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
158
	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
158
	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
159
	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
159
	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, oBindDevice,
160
	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
160
	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
161
	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
161
	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
162
	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
162
	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
Lines 305-310 static struct { Link Here
305
	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
305
	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
306
	{ "ignoreunknown", oIgnoreUnknown },
306
	{ "ignoreunknown", oIgnoreUnknown },
307
	{ "proxyjump", oProxyJump },
307
	{ "proxyjump", oProxyJump },
308
	{ "binddevice", oBindDevice },
308
309
309
	{ NULL, oBadOption }
310
	{ NULL, oBadOption }
310
};
311
};
Lines 1669-1674 parse_keytypes: Link Here
1669
		charptr = &options->identity_agent;
1670
		charptr = &options->identity_agent;
1670
		goto parse_string;
1671
		goto parse_string;
1671
1672
1673
	case oBindDevice:
1674
		charptr = &options->bind_device;
1675
		goto parse_string;
1676
1672
	case oDeprecated:
1677
	case oDeprecated:
1673
		debug("%s line %d: Deprecated option \"%s\"",
1678
		debug("%s line %d: Deprecated option \"%s\"",
1674
		    filename, linenum, keyword);
1679
		    filename, linenum, keyword);
Lines 1869-1874 initialize_options(Options * options) Link Here
1869
	options->update_hostkeys = -1;
1874
	options->update_hostkeys = -1;
1870
	options->hostbased_key_types = NULL;
1875
	options->hostbased_key_types = NULL;
1871
	options->pubkey_key_types = NULL;
1876
	options->pubkey_key_types = NULL;
1877
	options->bind_device = NULL;
1872
}
1878
}
1873
1879
1874
/*
1880
/*
Lines 2544-2549 dump_client_config(Options *o, const char *host) Link Here
2544
	dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
2550
	dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
2545
	dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
2551
	dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
2546
	dump_cfg_string(oXAuthLocation, o->xauth_location);
2552
	dump_cfg_string(oXAuthLocation, o->xauth_location);
2553
	dump_cfg_string(oBindDevice, o->bind_device);
2547
2554
2548
	/* Forwards */
2555
	/* Forwards */
2549
	dump_cfg_forwards(oDynamicForward, o->num_local_forwards, o->local_forwards);
2556
	dump_cfg_forwards(oDynamicForward, o->num_local_forwards, o->local_forwards);
(-)a/readconf.h (+2 lines)
Lines 163-168 typedef struct { Link Here
163
	int	jump_port;
163
	int	jump_port;
164
	char   *jump_extra;
164
	char   *jump_extra;
165
165
166
	char   *bind_device;	/* network device to bind to */
167
166
	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
168
	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
167
}       Options;
169
}       Options;
168
170
(-)a/servconf.c (-1 / +12 lines)
Lines 165-170 initialize_server_options(ServerOptions *options) Link Here
165
	options->fingerprint_hash = -1;
165
	options->fingerprint_hash = -1;
166
	options->disable_forwarding = -1;
166
	options->disable_forwarding = -1;
167
	options->expose_userauth_info = -1;
167
	options->expose_userauth_info = -1;
168
	options->bind_device = NULL;
168
}
169
}
169
170
170
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
171
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
Lines 396-402 typedef enum { Link Here
396
	sKerberosGetAFSToken,
397
	sKerberosGetAFSToken,
397
	sKerberosTgtPassing, sChallengeResponseAuthentication,
398
	sKerberosTgtPassing, sChallengeResponseAuthentication,
398
	sPasswordAuthentication, sKbdInteractiveAuthentication,
399
	sPasswordAuthentication, sKbdInteractiveAuthentication,
399
	sListenAddress, sAddressFamily,
400
	sListenAddress, sAddressFamily, sBindDevice,
400
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
401
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
401
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
402
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
402
	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
403
	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
Lines 566-571 static struct { Link Here
566
	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
567
	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
567
	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
568
	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
568
	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
569
	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
570
	{ "binddevice", sBindDevice },
569
	{ NULL, sBadOption, 0 }
571
	{ NULL, sBadOption, 0 }
570
};
572
};
571
573
Lines 1879-1884 process_server_config_line(ServerOptions *options, char *line, Link Here
1879
			options->fingerprint_hash = value;
1881
			options->fingerprint_hash = value;
1880
		break;
1882
		break;
1881
1883
1884
	case sBindDevice:
1885
		arg = strdelim(&cp);
1886
		if (!arg || *arg == '\0')
1887
			fatal("%s line %d: Missing argument.", filename, linenum);
1888
		if (options->bind_device == NULL)
1889
			options->bind_device = xstrdup(arg);
1890
		break;
1891
1882
	case sExposeAuthInfo:
1892
	case sExposeAuthInfo:
1883
		intptr = &options->expose_userauth_info;
1893
		intptr = &options->expose_userauth_info;
1884
		goto parse_flag;
1894
		goto parse_flag;
Lines 2350-2355 dump_config(ServerOptions *o) Link Here
2350
	    o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2360
	    o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2351
	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2361
	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2352
	    o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2362
	    o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2363
	dump_cfg_string(sBindDevice, o->bind_device);
2353
2364
2354
	/* string arguments requiring a lookup */
2365
	/* string arguments requiring a lookup */
2355
	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2366
	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
(-)a/servconf.h (+2 lines)
Lines 198-203 typedef struct { Link Here
198
198
199
	int	fingerprint_hash;
199
	int	fingerprint_hash;
200
	int	expose_userauth_info;
200
	int	expose_userauth_info;
201
202
	char   *bind_device;	/* network device to bind to */
201
}       ServerOptions;
203
}       ServerOptions;
202
204
203
/* Information about the incoming connection as used by Match */
205
/* Information about the incoming connection as used by Match */
(-)a/ssh.1 (+8 lines)
Lines 45-50 Link Here
45
.Bk -words
45
.Bk -words
46
.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
46
.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
47
.Op Fl b Ar bind_address
47
.Op Fl b Ar bind_address
48
.Op Fl B Ar bind_device
48
.Op Fl c Ar cipher_spec
49
.Op Fl c Ar cipher_spec
49
.Op Fl D Oo Ar bind_address : Oc Ns Ar port
50
.Op Fl D Oo Ar bind_address : Oc Ns Ar port
50
.Op Fl E Ar log_file
51
.Op Fl E Ar log_file
Lines 128-133 on the local machine as the source address Link Here
128
of the connection.
129
of the connection.
129
Only useful on systems with more than one address.
130
Only useful on systems with more than one address.
130
.Pp
131
.Pp
132
.It Fl B Ar bind_device
133
Bind the connecting socket to
134
.Ar bind_device
135
on the local machine.
136
Useful on systems that use
137
.Cm VRF .
138
.Pp
131
.It Fl C
139
.It Fl C
132
Requests compression of all data (including stdin, stdout, stderr, and
140
Requests compression of all data (including stdin, stdout, stderr, and
133
data for forwarded X11, TCP and
141
data for forwarded X11, TCP and
(-)a/ssh.c (-2 / +5 lines)
Lines 197-203 static void Link Here
197
usage(void)
197
usage(void)
198
{
198
{
199
	fprintf(stderr,
199
	fprintf(stderr,
200
"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
200
"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-B bind_device] [-c cipher_spec]\n"
201
"           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
201
"           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
202
"           [-F configfile] [-I pkcs11] [-i identity_file]\n"
202
"           [-F configfile] [-I pkcs11] [-i identity_file]\n"
203
"           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
203
"           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
Lines 612-618 main(int ac, char **av) Link Here
612
612
613
 again:
613
 again:
614
	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
614
	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
615
	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
615
	    "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
616
		switch (opt) {
616
		switch (opt) {
617
		case '1':
617
		case '1':
618
			fatal("SSH protocol v.1 is no longer supported");
618
			fatal("SSH protocol v.1 is no longer supported");
Lines 918-923 main(int ac, char **av) Link Here
918
		case 'b':
918
		case 'b':
919
			options.bind_address = optarg;
919
			options.bind_address = optarg;
920
			break;
920
			break;
921
		case 'B':
922
			options.bind_device = optarg;
923
			break;
921
		case 'F':
924
		case 'F':
922
			config = optarg;
925
			config = optarg;
923
			break;
926
			break;
(-)a/ssh_config.5 (+4 lines)
Lines 262-267 Note that this option does not work if Link Here
262
.Cm UsePrivilegedPort
262
.Cm UsePrivilegedPort
263
is set to
263
is set to
264
.Cm yes .
264
.Cm yes .
265
.It Cm BindDevice
266
Bind the connecting socket to the specified device on the local machine.
267
Useful on systems that use
268
.Cm VRF .
265
.It Cm CanonicalDomains
269
.It Cm CanonicalDomains
266
When
270
When
267
.Cm CanonicalizeHostname
271
.Cm CanonicalizeHostname
(-)a/sshconnect.c (+20 lines)
Lines 286-291 ssh_create_socket(int privileged, struct addrinfo *ai) Link Here
286
	}
286
	}
287
	fcntl(sock, F_SETFD, FD_CLOEXEC);
287
	fcntl(sock, F_SETFD, FD_CLOEXEC);
288
288
289
	if (options.bind_device != NULL) {
290
#ifdef SO_BINDTODEVICE
291
		r = setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE,
292
		    options.bind_device, strlen(options.bind_device));
293
		if (r != 0) {
294
			error("Bind to: %s failed %s", options.bind_device,
295
			    strerror(errno));
296
			close(sock);
297
			return -1;
298
		}
299
		debug("Bound to device: %s", options.bind_device);
300
#else
301
		error("No SO_BINDTODEVICE, unable to bind to: %s",
302
		    options.bind_device);
303
		close(sock);
304
		return -1;
305
#endif
306
	}
307
308
289
	/* Bind the socket to an alternative local IP address */
309
	/* Bind the socket to an alternative local IP address */
290
	if (options.bind_address == NULL && !privileged)
310
	if (options.bind_address == NULL && !privileged)
291
		return sock;
311
		return sock;
(-)a/sshd.8 (+7 lines)
Lines 44-49 Link Here
44
.Nm sshd
44
.Nm sshd
45
.Bk -words
45
.Bk -words
46
.Op Fl 46DdeiqTt
46
.Op Fl 46DdeiqTt
47
.Op Fl B Ar bind_device
47
.Op Fl C Ar connection_spec
48
.Op Fl C Ar connection_spec
48
.Op Fl c Ar host_certificate_file
49
.Op Fl c Ar host_certificate_file
49
.Op Fl E Ar log_file
50
.Op Fl E Ar log_file
Lines 94-99 to use IPv4 addresses only. Link Here
94
Forces
95
Forces
95
.Nm
96
.Nm
96
to use IPv6 addresses only.
97
to use IPv6 addresses only.
98
.It Fl B Ar bind_device
99
Bind the listening sockets to
100
.Ar bind_device
101
on the local machine.
102
Useful on systems that use
103
.Cm VRF .
97
.It Fl C Ar connection_spec
104
.It Fl C Ar connection_spec
98
Specify the connection parameters to use for the
105
Specify the connection parameters to use for the
99
.Fl T
106
.Fl T
(-)a/sshd.c (-3 / +31 lines)
Lines 908-914 usage(void) Link Here
908
#endif
908
#endif
909
	);
909
	);
910
	fprintf(stderr,
910
	fprintf(stderr,
911
"usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
911
"usage: sshd [-46DdeiqTt] [-B bind_device] [-C connection_spec] [-c host_cert_file]\n"
912
"            [-E log_file] [-f config_file] [-g login_grace_time]\n"
912
"            [-E log_file] [-f config_file] [-g login_grace_time]\n"
913
"            [-h host_key_file] [-o option] [-p port] [-u len]\n"
913
"            [-h host_key_file] [-o option] [-p port] [-u len]\n"
914
	);
914
	);
Lines 1062-1067 server_listen(void) Link Here
1062
		if (ai->ai_family == AF_INET6)
1062
		if (ai->ai_family == AF_INET6)
1063
			sock_set_v6only(listen_sock);
1063
			sock_set_v6only(listen_sock);
1064
1064
1065
		if (options.bind_device != NULL) {
1066
#ifdef SO_BINDTODEVICE
1067
			ret = setsockopt(listen_sock, SOL_SOCKET,
1068
			    SO_BINDTODEVICE, options.bind_device,
1069
			    strlen(options.bind_device));
1070
			if (ret != 0) {
1071
				error("Bind to: %s failed: %s",
1072
				    options.bind_device, strerror(errno));
1073
				close(listen_sock);
1074
				continue;
1075
			}
1076
			debug("Bind to device %s", options.bind_device);
1077
#else
1078
			error("No SO_BINDTODEVICE, unable to bind to: %s",
1079
			    options.bind_device);
1080
			close(listen_sock);
1081
			continue;
1082
#endif
1083
		}
1084
1065
		debug("Bind to port %s on %s.", strport, ntop);
1085
		debug("Bind to port %s on %s.", strport, ntop);
1066
1086
1067
		/* Bind the socket to the desired port. */
1087
		/* Bind the socket to the desired port. */
Lines 1078-1084 server_listen(void) Link Here
1078
		if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0)
1098
		if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0)
1079
			fatal("listen on [%s]:%s: %.100s",
1099
			fatal("listen on [%s]:%s: %.100s",
1080
			    ntop, strport, strerror(errno));
1100
			    ntop, strport, strerror(errno));
1081
		logit("Server listening on %s port %s.", ntop, strport);
1101
		if (options.bind_device == NULL) {
1102
			logit("Server listening on %s port %s.", ntop, strport);
1103
		} else {
1104
			logit("Server listening on %s port %s device %s.", ntop,
1105
			    strport, options.bind_device);
1106
		}
1082
	}
1107
	}
1083
	freeaddrinfo(options.listen_addrs);
1108
	freeaddrinfo(options.listen_addrs);
1084
1109
Lines 1404-1410 main(int ac, char **av) Link Here
1404
1429
1405
	/* Parse command-line arguments. */
1430
	/* Parse command-line arguments. */
1406
	while ((opt = getopt(ac, av,
1431
	while ((opt = getopt(ac, av,
1407
	    "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
1432
	    "C:E:b:c:B:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
1408
		switch (opt) {
1433
		switch (opt) {
1409
		case '4':
1434
		case '4':
1410
			options.address_family = AF_INET;
1435
			options.address_family = AF_INET;
Lines 1512-1517 main(int ac, char **av) Link Here
1512
				exit(1);
1537
				exit(1);
1513
			free(line);
1538
			free(line);
1514
			break;
1539
			break;
1540
		case 'B':
1541
			options.bind_device = optarg;
1542
			break;
1515
		case '?':
1543
		case '?':
1516
		default:
1544
		default:
1517
			usage();
1545
			usage();
(-)a/sshd_config.5 (-1 / +4 lines)
Lines 380-385 If the argument is Link Here
380
.Cm none
380
.Cm none
381
then no banner is displayed.
381
then no banner is displayed.
382
By default, no banner is displayed.
382
By default, no banner is displayed.
383
.It Cm BindDevice
384
Bind the listening sockets to the specified device on the local machine.
385
Useful on systems that use
386
.Cm VRF .
383
.It Cm ChallengeResponseAuthentication
387
.It Cm ChallengeResponseAuthentication
384
Specifies whether challenge-response authentication is allowed (e.g. via
388
Specifies whether challenge-response authentication is allowed (e.g. via
385
PAM or through authentication styles supported in
389
PAM or through authentication styles supported in
386
- 
