Attachment 3061 Details for Bug 2784 – patch

[patch] patch

Add-support-for-SO_BINDTODEVICE-via-B-options.patch (text/plain), 11.39 KB, created by Luca Boccassi on 2017-09-26 03:33:35 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Luca Boccassi

Created: 2017-09-26 03:33:35 AEST

Size: 11.39 KB

patch

obsolete

>From f9ecbe3f503a4e6fdb134cd633ef6fe41dee383f Mon Sep 17 00:00:00 2001
>From: Luca Boccassi <luca.boccassi@gmail.com>
>Date: Fri, 22 Sep 2017 17:09:05 +0100
>Subject: [PATCH] Add support for SO_BINDTODEVICE via -B options
>
>In the past couple of years the Linux kernel gained support for VRF.
>Applications can bind to a specific VRF via the SO_BINDTODEVICE socket
>option.
>Add a new -B option that takes a string as a parameter to both ssh and
>sshd, and use it to bind the socket.
>
>https://www.kernel.org/doc/Documentation/networking/vrf.txt
>
>Original mailing list thread  asking for this feature:
>https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-November/034525.html
>---
> readconf.c    |  9 ++++++++-
> readconf.h    |  2 ++
> servconf.c    | 13 ++++++++++++-
> servconf.h    |  2 ++
> ssh.1         |  8 ++++++++
> ssh.c         |  7 +++++--
> ssh_config.5  |  4 ++++
> sshconnect.c  | 20 ++++++++++++++++++++
> sshd.8        |  7 +++++++
> sshd.c        | 34 +++++++++++++++++++++++++++++++---
> sshd_config.5 |  4 ++++
> 11 files changed, 103 insertions(+), 7 deletions(-)
>
>diff --git a/readconf.c b/readconf.c
>index f63894f9..f7331b43 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -156,7 +156,7 @@ typedef enum {
> 	oPubkeyAuthentication,
> 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
> 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
>-	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
>+	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, oBindDevice,
> 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
> 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
> 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
>@@ -305,6 +305,7 @@ static struct {
> 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
> 	{ "ignoreunknown", oIgnoreUnknown },
> 	{ "proxyjump", oProxyJump },
>+	{ "binddevice", oBindDevice },
> 
> 	{ NULL, oBadOption }
> };
>@@ -1669,6 +1670,10 @@ parse_keytypes:
> 		charptr = &options->identity_agent;
> 		goto parse_string;
> 
>+	case oBindDevice:
>+		charptr = &options->bind_device;
>+		goto parse_string;
>+
> 	case oDeprecated:
> 		debug("%s line %d: Deprecated option \"%s\"",
> 		    filename, linenum, keyword);
>@@ -1869,6 +1874,7 @@ initialize_options(Options * options)
> 	options->update_hostkeys = -1;
> 	options->hostbased_key_types = NULL;
> 	options->pubkey_key_types = NULL;
>+	options->bind_device = NULL;
> }
> 
> /*
>@@ -2544,6 +2550,7 @@ dump_client_config(Options *o, const char *host)
> 	dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
> 	dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
> 	dump_cfg_string(oXAuthLocation, o->xauth_location);
>+	dump_cfg_string(oBindDevice, o->bind_device);
> 
> 	/* Forwards */
> 	dump_cfg_forwards(oDynamicForward, o->num_local_forwards, o->local_forwards);
>diff --git a/readconf.h b/readconf.h
>index 22fe5c18..a486ffa5 100644
>--- a/readconf.h
>+++ b/readconf.h
>@@ -163,6 +163,8 @@ typedef struct {
> 	int	jump_port;
> 	char   *jump_extra;
> 
>+	char   *bind_device;	/* network device to bind to */
>+
> 	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
> }       Options;
> 
>diff --git a/servconf.c b/servconf.c
>index 16436512..75425218 100644
>--- a/servconf.c
>+++ b/servconf.c
>@@ -165,6 +165,7 @@ initialize_server_options(ServerOptions *options)
> 	options->fingerprint_hash = -1;
> 	options->disable_forwarding = -1;
> 	options->expose_userauth_info = -1;
>+	options->bind_device = NULL;
> }
> 
> /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
>@@ -396,7 +397,7 @@ typedef enum {
> 	sKerberosGetAFSToken,
> 	sKerberosTgtPassing, sChallengeResponseAuthentication,
> 	sPasswordAuthentication, sKbdInteractiveAuthentication,
>-	sListenAddress, sAddressFamily,
>+	sListenAddress, sAddressFamily, sBindDevice,
> 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
> 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
> 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
>@@ -566,6 +567,7 @@ static struct {
> 	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
> 	{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
> 	{ "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
>+	{ "binddevice", sBindDevice },
> 	{ NULL, sBadOption, 0 }
> };
> 
>@@ -1879,6 +1881,14 @@ process_server_config_line(ServerOptions *options, char *line,
> 			options->fingerprint_hash = value;
> 		break;
> 
>+	case sBindDevice:
>+		arg = strdelim(&cp);
>+		if (!arg || *arg == '\0')
>+			fatal("%s line %d: Missing argument.", filename, linenum);
>+		if (options->bind_device == NULL)
>+			options->bind_device = xstrdup(arg);
>+		break;
>+
> 	case sExposeAuthInfo:
> 		intptr = &options->expose_userauth_info;
> 		goto parse_flag;
>@@ -2350,6 +2360,7 @@ dump_config(ServerOptions *o)
> 	    o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
> 	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
> 	    o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
>+	dump_cfg_string(sBindDevice, o->bind_device);
> 
> 	/* string arguments requiring a lookup */
> 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
>diff --git a/servconf.h b/servconf.h
>index ffcbc331..e5450b4f 100644
>--- a/servconf.h
>+++ b/servconf.h
>@@ -198,6 +198,8 @@ typedef struct {
> 
> 	int	fingerprint_hash;
> 	int	expose_userauth_info;
>+
>+	char   *bind_device;	/* network device to bind to */
> }       ServerOptions;
> 
> /* Information about the incoming connection as used by Match */
>diff --git a/ssh.1 b/ssh.1
>index 2ab1697f..f818ea3f 100644
>--- a/ssh.1
>+++ b/ssh.1
>@@ -45,6 +45,7 @@
> .Bk -words
> .Op Fl 46AaCfGgKkMNnqsTtVvXxYy
> .Op Fl b Ar bind_address
>+.Op Fl B Ar bind_device
> .Op Fl c Ar cipher_spec
> .Op Fl D Oo Ar bind_address : Oc Ns Ar port
> .Op Fl E Ar log_file
>@@ -128,6 +129,13 @@ on the local machine as the source address
> of the connection.
> Only useful on systems with more than one address.
> .Pp
>+.It Fl B Ar bind_device
>+Bind the connecting socket to
>+.Ar bind_device
>+on the local machine.
>+Useful on systems that use
>+.Cm VRF .
>+.Pp
> .It Fl C
> Requests compression of all data (including stdin, stdout, stderr, and
> data for forwarded X11, TCP and
>diff --git a/ssh.c b/ssh.c
>index ae37432b..b3305575 100644
>--- a/ssh.c
>+++ b/ssh.c
>@@ -197,7 +197,7 @@ static void
> usage(void)
> {
> 	fprintf(stderr,
>-"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
>+"usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-B bind_device] [-c cipher_spec]\n"
> "           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
> "           [-F configfile] [-I pkcs11] [-i identity_file]\n"
> "           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
>@@ -612,7 +612,7 @@ main(int ac, char **av)
> 
>  again:
> 	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
>-	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
>+	    "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
> 		switch (opt) {
> 		case '1':
> 			fatal("SSH protocol v.1 is no longer supported");
>@@ -918,6 +918,9 @@ main(int ac, char **av)
> 		case 'b':
> 			options.bind_address = optarg;
> 			break;
>+		case 'B':
>+			options.bind_device = optarg;
>+			break;
> 		case 'F':
> 			config = optarg;
> 			break;
>diff --git a/ssh_config.5 b/ssh_config.5
>index eab8dd01..489a21dc 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
>@@ -262,6 +262,10 @@ Note that this option does not work if
> .Cm UsePrivilegedPort
> is set to
> .Cm yes .
>+.It Cm BindDevice
>+Bind the connecting socket to the specified device on the local machine.
>+Useful on systems that use
>+.Cm VRF .
> .It Cm CanonicalDomains
> When
> .Cm CanonicalizeHostname
>diff --git a/sshconnect.c b/sshconnect.c
>index dc7a704d..8cb7108b 100644
>--- a/sshconnect.c
>+++ b/sshconnect.c
>@@ -286,6 +286,26 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
> 	}
> 	fcntl(sock, F_SETFD, FD_CLOEXEC);
> 
>+	if (options.bind_device != NULL) {
>+#ifdef SO_BINDTODEVICE
>+		r = setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE,
>+		    options.bind_device, strlen(options.bind_device));
>+		if (r != 0) {
>+			error("Bind to: %s failed %s", options.bind_device,
>+			    strerror(errno));
>+			close(sock);
>+			return -1;
>+		}
>+		debug("Bound to device: %s", options.bind_device);
>+#else
>+		error("No SO_BINDTODEVICE, unable to bind to: %s",
>+		    options.bind_device);
>+		close(sock);
>+		return -1;
>+#endif
>+	}
>+
>+
> 	/* Bind the socket to an alternative local IP address */
> 	if (options.bind_address == NULL && !privileged)
> 		return sock;
>diff --git a/sshd.8 b/sshd.8
>index a4201146..9023c1c5 100644
>--- a/sshd.8
>+++ b/sshd.8
>@@ -44,6 +44,7 @@
> .Nm sshd
> .Bk -words
> .Op Fl 46DdeiqTt
>+.Op Fl B Ar bind_device
> .Op Fl C Ar connection_spec
> .Op Fl c Ar host_certificate_file
> .Op Fl E Ar log_file
>@@ -94,6 +95,12 @@ to use IPv4 addresses only.
> Forces
> .Nm
> to use IPv6 addresses only.
>+.It Fl B Ar bind_device
>+Bind the listening sockets to
>+.Ar bind_device
>+on the local machine.
>+Useful on systems that use
>+.Cm VRF .
> .It Fl C Ar connection_spec
> Specify the connection parameters to use for the
> .Fl T
>diff --git a/sshd.c b/sshd.c
>index 51a1aaf6..baa8a18b 100644
>--- a/sshd.c
>+++ b/sshd.c
>@@ -908,7 +908,7 @@ usage(void)
> #endif
> 	);
> 	fprintf(stderr,
>-"usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]\n"
>+"usage: sshd [-46DdeiqTt] [-B bind_device] [-C connection_spec] [-c host_cert_file]\n"
> "            [-E log_file] [-f config_file] [-g login_grace_time]\n"
> "            [-h host_key_file] [-o option] [-p port] [-u len]\n"
> 	);
>@@ -1062,6 +1062,26 @@ server_listen(void)
> 		if (ai->ai_family == AF_INET6)
> 			sock_set_v6only(listen_sock);
> 
>+		if (options.bind_device != NULL) {
>+#ifdef SO_BINDTODEVICE
>+			ret = setsockopt(listen_sock, SOL_SOCKET,
>+			    SO_BINDTODEVICE, options.bind_device,
>+			    strlen(options.bind_device));
>+			if (ret != 0) {
>+				error("Bind to: %s failed: %s",
>+				    options.bind_device, strerror(errno));
>+				close(listen_sock);
>+				continue;
>+			}
>+			debug("Bind to device %s", options.bind_device);
>+#else
>+			error("No SO_BINDTODEVICE, unable to bind to: %s",
>+			    options.bind_device);
>+			close(listen_sock);
>+			continue;
>+#endif
>+		}
>+
> 		debug("Bind to port %s on %s.", strport, ntop);
> 
> 		/* Bind the socket to the desired port. */
>@@ -1078,7 +1098,12 @@ server_listen(void)
> 		if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0)
> 			fatal("listen on [%s]:%s: %.100s",
> 			    ntop, strport, strerror(errno));
>-		logit("Server listening on %s port %s.", ntop, strport);
>+		if (options.bind_device == NULL) {
>+			logit("Server listening on %s port %s.", ntop, strport);
>+		} else {
>+			logit("Server listening on %s port %s device %s.", ntop,
>+			    strport, options.bind_device);
>+		}
> 	}
> 	freeaddrinfo(options.listen_addrs);
> 
>@@ -1404,7 +1429,7 @@ main(int ac, char **av)
> 
> 	/* Parse command-line arguments. */
> 	while ((opt = getopt(ac, av,
>-	    "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
>+	    "C:E:b:c:B:f:g:h:k:o:p:u:46DQRTdeiqrt")) != -1) {
> 		switch (opt) {
> 		case '4':
> 			options.address_family = AF_INET;
>@@ -1512,6 +1537,9 @@ main(int ac, char **av)
> 				exit(1);
> 			free(line);
> 			break;
>+		case 'B':
>+			options.bind_device = optarg;
>+			break;
> 		case '?':
> 		default:
> 			usage();
>diff --git a/sshd_config.5 b/sshd_config.5
>index 136601d6..f2924c3c 100644
>--- a/sshd_config.5
>+++ b/sshd_config.5
>@@ -380,6 +380,10 @@ If the argument is
> .Cm none
> then no banner is displayed.
> By default, no banner is displayed.
>+.It Cm BindDevice
>+Bind the listening sockets to the specified device on the local machine.
>+Useful on systems that use
>+.Cm VRF .
> .It Cm ChallengeResponseAuthentication
> Specifies whether challenge-response authentication is allowed (e.g. via
> PAM or through authentication styles supported in
>-- 
>2.11.0
>

Actions: View | Diff

Attachments on bug 2784: 3061 | 3064 | 3070 | 3071 | 3072 | 3075 | 3076 | 3077 | 3078 | 3079 | 3080 | 3081 | 3082