Bugzilla – Attachment 460 Details for
Bug 708
Remote forward: Connect from privileged port if originator connected from privileged port
[patch]
proposed patch
remote_forwarding_privileged-3.7.1p2.patch (text/plain), 11.03 KB, created by
Robert Dahlem
on 2003-09-24 02:17:19 AEST
Description:
proposed patch
Filename:
MIME Type:
Creator:
Robert Dahlem
Created:
2003-09-24 02:17:19 AEST
Size:
11.03 KB
patch
obsolete
>diff -u -r openssh-3.7.1p2.orig/Makefile.in openssh-3.7.1p2/Makefile.in
>--- openssh-3.7.1p2.orig/Makefile.in 2003-09-22 03:00:12.000000000 +0200
>+++ openssh-3.7.1p2/Makefile.in 2003-09-23 16:30:59.758500005 +0200
>@@ -115,7 +115,7 @@
> all: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS)
> 
> $(LIBSSH_OBJS): Makefile.in config.h
>-$(SSHOBJS): Makefile.in config.h
>+$(SSHOBJS): Makefile.in config.h readconf.h
> $(SSHDOBJS): Makefile.in config.h
> 
> .c.o:
>@@ -148,7 +148,7 @@
> ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
> $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> 
>-ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o
>+ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.h
> $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
> 
> ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
>diff -u -r openssh-3.7.1p2.orig/channels.c openssh-3.7.1p2/channels.c
>--- openssh-3.7.1p2.orig/channels.c 2003-09-16 23:34:12.000000000 +0200
>+++ openssh-3.7.1p2/channels.c 2003-09-23 16:30:59.878500022 +0200
>@@ -2370,7 +2370,7 @@
> 
> /* return socket to remote host, port */
> static int
>-connect_to(const char *host, u_short port)
>+connect_to(const char *host, u_short port, int try_privileged_originator_port)
> {
> struct addrinfo hints, *ai, *aitop;
> char ntop[NI_MAXHOST], strport[NI_MAXSERV];
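Review bot: In the second Makefile hunk `readconf.h` is added as a prerequisite of the `ssh-keysign$(EXEEXT)` link rule, where it only forces a relink and never causes `ssh-keysign.o` or `readconf.o` to be recompiled. This patch adds a field to the options struct declared in readconf.h, so an object compiled against the old layout and merely relinked would read the struct at the wrong offsets. Unless ssh-keysign.o and readconf.o are already covered by `$(SSHOBJS)` (not visible in this diff), move the dependency onto the objects, e.g. `ssh-keysign.o readconf.o: readconf.h`, and drop it from the link line.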
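Review bot: The new `try_privileged_originator_port` parameter of `connect_to()` is not described anywhere; the function comment still reads `/* return socket to remote host, port */`. Suggest `/* return socket to remote host, port; if try_privileged_originator_port is non-zero, first bind the local end to a reserved port via rresvport_af() (succeeds only as root) and fall back to a plain socket on failure */`. It is also worth stating at the definition that callers derive the flag from a port number reported by the remote server, so nobody later extends the flag to something that grants more than a source port. The body of connect_to continues in the next hunk and beyond.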
>@@ -2394,7 +2394,21 @@
> error("connect_to: getnameinfo failed");
> continue;
> }
>- sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
>+ sock = -1;
>+ if (try_privileged_originator_port) {
>+ int p = IPPORT_RESERVED - 1;
>+
>+ sock = rresvport_af(&p, ai->ai_family);
>+ if (sock < 0) {
>+ debug("rresvport: %.100s", strerror(errno));
>+ debug("connect_to: fallback to unprivileged port");
>+ } else {
>+ debug("connect_to: using privileged port %d.", p);
>+ }
>+ }
>+ if (sock < 0) {
>+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
>+ }
> if (sock < 0) {
> if (ai->ai_next == NULL)
> error("socket: %.100s", strerror(errno));
>@@ -2425,7 +2439,8 @@
> }
> 
> int
>-channel_connect_by_listen_address(u_short listen_port)
>+channel_connect_by_listen_address(u_short listen_port,
>+ int originator_port_privileged)
> {
> int i;
> 
>@@ -2433,7 +2448,8 @@
> if (permitted_opens[i].listen_port == listen_port)
> return connect_to(
> permitted_opens[i].host_to_connect,
>- permitted_opens[i].port_to_connect);
>+ permitted_opens[i].port_to_connect,
>+ originator_port_privileged);
> error("WARNING: Server requests forwarding for unknown listen_port %d",
> listen_port);
> return -1;
>@@ -2458,7 +2474,7 @@
> "but the request was denied.", host, port);
> return -1;
> }
>- return connect_to(host, port);
>+ return connect_to(host, port, 0);
> }
> 
> /* -- X11 forwarding */
>diff -u -r openssh-3.7.1p2.orig/channels.h openssh-3.7.1p2/channels.h
>--- openssh-3.7.1p2.orig/channels.h 2002-07-22 17:28:54.000000000 +0200
>+++ openssh-3.7.1p2/channels.h 2003-09-23 16:30:59.948500005 +0200
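Review bot: The outcome of the reserved-port attempt in `connect_to()` is only reported with `debug()`, so a normal (non -v) run leaves no record of whether a forwarded connection went out from a privileged port. A source port below IPPORT_RESERVED is exactly what rhosts-style services on the target treat as evidence of a root-owned peer, and the flag that enables the attempt is derived by the caller from a port number the remote server reports, so this is a state change an administrator should be able to see; log the success at `verbose("connect_to: using privileged port %d", p);` instead of debug. Conversely, for a non-root ssh the `debug("rresvport: %.100s", ...)` pair fires on every forwarded connection; either keep that at debug or skip the `rresvport_af()` call unless `geteuid() == 0`. The connect() loop and the handling of `sock` when an address fails are outside this hunk.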
>@@ -198,7 +198,7 @@
> void channel_clear_permitted_opens(void);
> void channel_input_port_forward_request(int, int);
> int channel_connect_to(const char *, u_short);
>-int channel_connect_by_listen_address(u_short);
>+int channel_connect_by_listen_address(u_short, int);
> void channel_request_remote_forwarding(u_short, const char *, u_short);
> int channel_setup_local_fwd_listener(u_short, const char *, u_short, int);
> int channel_setup_remote_fwd_listener(const char *, u_short, int);
>diff -u -r openssh-3.7.1p2.orig/clientloop.c openssh-3.7.1p2/clientloop.c
>--- openssh-3.7.1p2.orig/clientloop.c 2003-07-03 05:46:56.000000000 +0200
>+++ openssh-3.7.1p2/clientloop.c 2003-09-23 16:31:00.048500012 +0200
>@@ -1150,7 +1150,9 @@
> debug("client_request_forwarded_tcpip: listen %s port %d, originator %s port %d",
> listen_address, listen_port, originator_address, originator_port);
> 
>- sock = channel_connect_by_listen_address(listen_port);
>+ sock = channel_connect_by_listen_address(listen_port,
>+ (options.try_outgoing_privileged_port &
>+ (originator_port < IPPORT_RESERVED)));
> if (sock < 0) {
> xfree(originator_address);
> xfree(listen_address);
>diff -u -r openssh-3.7.1p2.orig/readconf.c openssh-3.7.1p2/readconf.c
>--- openssh-3.7.1p2.orig/readconf.c 2003-09-02 14:58:22.000000000 +0200
>+++ openssh-3.7.1p2/readconf.c 2003-09-23 16:31:00.158500010 +0200
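Review bot: The flag handed to `channel_connect_by_listen_address()` in the clientloop.c hunk is built with bitwise `&` between an option value and a relational expression; that only works because parse_flag stores exactly 0 or 1, and any other non-zero setting would silently disable the feature. Write it logically: `options.try_outgoing_privileged_port && originator_port < IPPORT_RESERVED`. `originator_port` is the value printed in the debug line just above, i.e. it arrives in the forwarded-tcpip request from the server (the read is outside this hunk), so a reported port of 0 — not a real source port — also satisfies `< IPPORT_RESERVED`; `originator_port > 0 && originator_port < IPPORT_RESERVED` excludes it. client_request_forwarded_tcpip begins before this hunk.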
>@@ -97,10 +97,11 @@
> oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
> oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
> oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
>- oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
>- oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
>- oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
>- oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
>+ oUsePrivilegedPort, oTryOutgoingPrivilegedPort, oLogLevel, oCiphers,
>+ oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2,
>+ oPubkeyAuthentication, oKbdInteractiveAuthentication,
>+ oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward,
>+ oPreferredAuthentications, oHostbasedAuthentication,
> oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
> oClearAllForwardings, oNoHostAuthenticationForLocalhost,
> oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
>@@ -119,6 +120,7 @@
> { "xauthlocation", oXAuthLocation },
> { "gatewayports", oGatewayPorts },
> { "useprivilegedport", oUsePrivilegedPort },
>+ { "tryoutgoingprivilegedport", oTryOutgoingPrivilegedPort },
> { "rhostsauthentication", oDeprecated },
> { "passwordauthentication", oPasswordAuthentication },
> { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
>@@ -350,6 +352,10 @@
> intptr = &options->use_privileged_port;
> goto parse_flag;
> 
>+ case oTryOutgoingPrivilegedPort:
>+ intptr = &options->try_outgoing_privileged_port;
>+ goto parse_flag;
>+
> case oPasswordAuthentication:
> intptr = &options->password_authentication;
> goto parse_flag;
>@@ -809,6 +815,7 @@
> options->xauth_location = NULL;
> options->gateway_ports = -1;
> options->use_privileged_port = -1;
>+ options->try_outgoing_privileged_port = -1;
> options->rsa_authentication = -1;
> options->pubkey_authentication = -1;
> options->challenge_response_authentication = -1;
>@@ -878,6 +885,8 @@
> options->gateway_ports = 0;
> if (options->use_privileged_port == -1)
> options->use_privileged_port = 0;
>+ if (options->try_outgoing_privileged_port == -1)
>+ options->try_outgoing_privileged_port = 0;
> if (options->rsa_authentication == -1)
> options->rsa_authentication = 1;
> if (options->pubkey_authentication == -1)
>diff -u -r openssh-3.7.1p2.orig/readconf.h openssh-3.7.1p2/readconf.h
>--- openssh-3.7.1p2.orig/readconf.h 2003-09-02 14:58:22.000000000 +0200
>+++ openssh-3.7.1p2/readconf.h 2003-09-23 16:31:00.228500001 +0200
>@@ -33,6 +33,12 @@
> char *xauth_location; /* Location for xauth program */
> int gateway_ports; /* Allow remote connects to forwarded ports. */
> int use_privileged_port; /* Don't use privileged port if false. */
>+ int try_outgoing_privileged_port; /*
>+ * local_forward/remote_forward:
>+ * Try connect() from privileged
>+ * port when connection came
>+ * from privileged port
>+ */
> int rhosts_rsa_authentication; /* Try rhosts with RSA
> * authentication. */
> int rsa_authentication; /* Try RSA authentication. */
>diff -u -r openssh-3.7.1p2.orig/ssh.1 openssh-3.7.1p2/ssh.1
>--- openssh-3.7.1p2.orig/ssh.1 2003-08-02 14:24:50.000000000 +0200
>+++ openssh-3.7.1p2/ssh.1 2003-09-23 16:31:00.338500010 +0200
>@@ -49,7 +49,7 @@
> .Pp
> .Nm ssh
> .Bk -words
>-.Op Fl afgknqstvxACNTVX1246
>+.Op Fl afgknqstvxACNQTVX1246
> .Op Fl b Ar bind_address
> .Op Fl c Ar cipher_spec
> .Op Fl e Ar escape_char
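Review bot: The comment on the new `try_outgoing_privileged_port` field in readconf.h says `local_forward/remote_forward:`, but in this patch only the remote-forward path ever passes a non-zero flag — `channel_connect_to()` in channels.c calls `connect_to(host, port, 0)` — and both the ssh.1 and ssh_config.5 text describe the option as an extension to -R / RemoteForward. A comment that promises local-forward behaviour the code does not have will mislead the next maintainer; suggest `/* RemoteForward only: connect() from a reserved port when the originator port reported by the server is < IPPORT_RESERVED; root only, silent fallback */`.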
>@@ -639,6 +639,23 @@
> logging in as root on the remote machine.
> IPv6 addresses can be specified with an alternative syntax:
> .Ar port/host/hostport
>+.It Fl Q
>+Extension to the
>+option (protocol version 2 only): Specifies that if the connection to
>+.Ar port
>+on the remote side was made from a privileged port then the
>+connection from the local machine to
>+.Ar host
>+port
>+.Ar hostport
>+should be originating from a privileged port too. Only root can
>+originate connections from privileged ports. In case of non-root
>+users or lack of free privileged ports, ssh silently falls back
>+to connecting from non-privileged ports.
>+.Pp
>+This should be enabled with caution. The originating port number
>+is retrieved from the remote side and could be forged. Only enable
>+this if the remote machine is trusted.
> .It Fl D Ar port
> Specifies a local
> .Dq dynamic
>diff -u -r openssh-3.7.1p2.orig/ssh.c openssh-3.7.1p2/ssh.c
>--- openssh-3.7.1p2.orig/ssh.c 2003-09-02 14:58:22.000000000 +0200
>+++ openssh-3.7.1p2/ssh.c 2003-09-23 16:31:00.428500008 +0200
>@@ -177,6 +177,9 @@
> fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n");
> fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname);
> fprintf(stderr, " forward them to the other side by connecting to host:port.\n");
>+ fprintf(stderr, " -Q Extension to -R, if connection to listen-port comes from\n");
>+ fprintf(stderr, " privileged port then try to connect to host:port\n");
>+ fprintf(stderr, " from privileged port (protocol version 2 only).\n");
> fprintf(stderr, " -D port Enable dynamic application-level port forwarding.\n");
> fprintf(stderr, " -C Enable compression.\n");
> fprintf(stderr, " -N Do not execute a shell or command.\n");
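Review bot: The usage text added in ssh.c describes -Q as `Extension to -R`, but the matching ssh.1 entry in this patch reads `Extension to the` followed directly by `option (protocol version 2 only)`, with no option name between the two lines, so the manual will render as "Extension to the option". The hunk's line count (17 added) confirms nothing was dropped in transit, so the `.Fl R` line is genuinely missing; add it between those two lines so the manual and the usage output name the same option. The usage text could also say that -Q has no effect unless ssh runs as root, which the manual states but the usage line omits.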
>@@ -264,7 +267,7 @@
> 
> again:
> while ((opt = getopt(ac, av,
>- "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVX")) != -1) {
>+ "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NQPR:TVX")) != -1) {
> switch (opt) {
> case '1':
> options.protocol = SSH_PROTO_1;
>@@ -297,6 +300,9 @@
> case 'P': /* deprecated */
> options.use_privileged_port = 0;
> break;
>+ case 'Q':
>+ options.try_outgoing_privileged_port = 1;
>+ break;
> case 'a':
> options.forward_agent = 0;
> break;
>diff -u -r openssh-3.7.1p2.orig/ssh_config.5 openssh-3.7.1p2/ssh_config.5
>--- openssh-3.7.1p2.orig/ssh_config.5 2003-09-03 04:13:30.000000000 +0200
>+++ openssh-3.7.1p2/ssh_config.5 2003-09-23 16:31:00.518500007 +0200
>@@ -627,6 +627,24 @@
> The default is
> .Dq no .
> Note that this option applies to protocol version 2 only.
>+.It Cm TryOutgoingPrivilegedPort
>+Extension to RemoteForward. If set to
>+.Dq yes
>+then if the connection to
>+.Ar port
>+on the remote side was made from a privileged port then the
>+connection from the local machine to
>+.Ar host:port
>+should be originating from a privileged port too. Only root can
>+originate connections from privileged ports. In case of non-root
>+users or lack of free privileged ports, ssh silently falls back
>+to connecting from non-privileged ports. The default is
>+.Dq no .
>+This option applies to protocol version 2 only.
>+.Pp
>+This should be enabled with caution. The originating port number
>+is retrieved from the remote side and could be forged. Only enable
>+this if the remote machine is trusted.
> .It Cm XAuthLocation
> Specifies the full pathname of the
> .Xr xauth 1