Bugzilla – Attachment 704 Details for
Bug 708
Remote forward: Connect from privileged port if originator connected from privileged port
[patch]
proposed patch for 3.9p1
remote_forwarding_privileged-3.9p1.patch (text/plain), 9.58 KB, created by
Robert Dahlem
on 2004-08-26 00:08:36 AEST
Description:
proposed patch for 3.9p1
Filename:
MIME Type:
Creator:
Robert Dahlem
Created:
2004-08-26 00:08:36 AEST
Size:
9.58 KB
patch
obsolete
>diff -u -r openssh-3.9p1.orig/Makefile.in openssh-3.9p1/Makefile.in
>--- openssh-3.9p1.orig/Makefile.in 2004-08-15 13:01:37.000000000 +0200
>+++ openssh-3.9p1/Makefile.in 2004-08-25 15:25:22.719758000 +0200
>@@ -115,7 +115,7 @@
> all: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS)
>
> $(LIBSSH_OBJS): Makefile.in config.h
>-$(SSHOBJS): Makefile.in config.h
>+$(SSHOBJS): Makefile.in config.h readconf.h
> $(SSHDOBJS): Makefile.in config.h
>
> .c.o:
>diff -u -r openssh-3.9p1.orig/channels.c openssh-3.9p1/channels.c
>--- openssh-3.9p1.orig/channels.c 2004-08-13 13:18:01.000000000 +0200
>+++ openssh-3.9p1/channels.c 2004-08-25 15:25:22.739763000 +0200
>@@ -2477,7 +2477,7 @@
>
> /* return socket to remote host, port */
> static int
>-connect_to(const char *host, u_short port)
>+connect_to(const char *host, u_short port, int try_privileged_originator_port)
> {
> struct addrinfo hints, *ai, *aitop;
> char ntop[NI_MAXHOST], strport[NI_MAXSERV];
>@@ -2501,7 +2501,21 @@
> error("connect_to: getnameinfo failed");
> continue;
> }
>- sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
>+ sock = -1;
>+ if (try_privileged_originator_port) {
>+ int p = IPPORT_RESERVED - 1;
>+
>+ sock = rresvport_af(&p, ai->ai_family);
>+ if (sock < 0) {
>+ debug("rresvport: %.100s", strerror(errno));
>+ debug("connect_to: fallback to unprivileged port");
>+ } else {
>+ debug("connect_to: using privileged port %d.", p);
>+ }
>+ }
>+ if (sock < 0) {
>+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
>+ }
> if (sock < 0) {
> if (ai->ai_next == NULL)
> error("socket: %.100s", strerror(errno));
>@@ -2532,7 +2546,8 @@
> }
>
> int
>-channel_connect_by_listen_address(u_short listen_port)
>+channel_connect_by_listen_address(u_short listen_port,
>+ int originator_port_privileged)
> {
> int i;
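Review bot: The privileged-port fallback in the new connect_to block is reported only through debug(), so when the option is on and rresvport_af fails (non-root client, or no free reserved port) the downgrade to an ordinary port is invisible at the default log level, although the only purpose of the feature is the privileged-port trust the far end will place in the connection; logging it at verbose level, e.g. `verbose("connect_to: no privileged port available (%.100s), falling back to unprivileged port", strerror(errno));`, keeps the degradation visible to the administrator. The socket obtained from rresvport_af is created without consulting ai->ai_socktype or ai->ai_protocol, which is only correct if connect_to resolves SOCK_STREAM addresses exclusively; the hints setup that would confirm this is outside the hunk. The parameter name try_privileged_originator_port reads as if the originator's own port number were reused, whereas the value passed is a yes/no flag; the caller's name originator_port_privileged describes it accurately and would be clearer here as well. connect_to's body continues past the hunk.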
>
>@@ -2541,7 +2556,8 @@
> permitted_opens[i].listen_port == listen_port)
> return connect_to(
> permitted_opens[i].host_to_connect,
>- permitted_opens[i].port_to_connect);
>+ permitted_opens[i].port_to_connect,
>+ originator_port_privileged);
> error("WARNING: Server requests forwarding for unknown listen_port %d",
> listen_port);
> return -1;
>@@ -2567,7 +2583,7 @@
> "but the request was denied.", host, port);
> return -1;
> }
>- return connect_to(host, port);
>+ return connect_to(host, port, 0);
> }
>
> void
>diff -u -r openssh-3.9p1.orig/channels.h openssh-3.9p1/channels.h
>--- openssh-3.9p1.orig/channels.h 2004-08-13 13:18:01.000000000 +0200
>+++ openssh-3.9p1/channels.h 2004-08-25 15:25:22.769713000 +0200
>@@ -201,7 +201,7 @@
> void channel_clear_permitted_opens(void);
> void channel_input_port_forward_request(int, int);
> int channel_connect_to(const char *, u_short);
>-int channel_connect_by_listen_address(u_short);
>+int channel_connect_by_listen_address(u_short, int);
> void channel_request_remote_forwarding(u_short, const char *, u_short);
> void channel_request_rforward_cancel(u_short port);
> int channel_setup_local_fwd_listener(u_short, const char *, u_short, int);
>diff -u -r openssh-3.9p1.orig/clientloop.c openssh-3.9p1/clientloop.c
>--- openssh-3.9p1.orig/clientloop.c 2004-08-13 13:18:01.000000000 +0200
>+++ openssh-3.9p1/clientloop.c 2004-08-25 15:25:22.799744000 +0200
>@@ -1490,7 +1490,9 @@
> debug("client_request_forwarded_tcpip: listen %s port %d, originator %s port %d",
> listen_address, listen_port, originator_address, originator_port);
>
>- sock = channel_connect_by_listen_address(listen_port);
>+ sock = channel_connect_by_listen_address(listen_port,
>+ (options.try_outgoing_privileged_port &
>+ (originator_port < IPPORT_RESERVED)));
> if (sock < 0) {
> xfree(originator_address);
> xfree(listen_address);
>diff -u -r openssh-3.9p1.orig/readconf.c openssh-3.9p1/readconf.c
>--- openssh-3.9p1.orig/readconf.c 2004-07-17 08:12:08.000000000 +0200
>+++ openssh-3.9p1/readconf.c 2004-08-25 15:25:22.829749000 +0200
>@@ -97,7 +97,8 @@
> oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
> oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
> oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
>- oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
>+ oUsePrivilegedPort, oTryOutgoingPrivilegedPort, oLogLevel, oCiphers,
>+ oProtocol, oMacs,
> oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
> oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
> oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
>@@ -122,6 +123,7 @@
> { "xauthlocation", oXAuthLocation },
> { "gatewayports", oGatewayPorts },
> { "useprivilegedport", oUsePrivilegedPort },
>+ { "tryoutgoingprivilegedport", oTryOutgoingPrivilegedPort },
> { "rhostsauthentication", oDeprecated },
> { "passwordauthentication", oPasswordAuthentication },
> { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
>@@ -360,6 +362,10 @@
> intptr = &options->use_privileged_port;
> goto parse_flag;
>
>+ case oTryOutgoingPrivilegedPort:
>+ intptr = &options->try_outgoing_privileged_port;
>+ goto parse_flag;
>+
> case oPasswordAuthentication:
> intptr = &options->password_authentication;
> goto parse_flag;
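Review bot: The flag handed to channel_connect_by_listen_address is built with a bitwise `&` between an option value and a comparison; it works only because the readconf.c hunks leave try_outgoing_privileged_port at exactly 0 or 1, and `&&` states the intent without that dependency: `options.try_outgoing_privileged_port && originator_port < IPPORT_RESERVED`. The larger point is that originator_port is the value the server reported in the forwarded-tcpip request (the debug line just above logs it together with the other request fields), so this comparison turns an unauthenticated peer-supplied number into a decision to bind a reserved local port; a comment at the call site, e.g. `/* originator_port is asserted by the server and not verifiable here; gated by TryOutgoingPrivilegedPort */`, keeps that visible next to the code rather than only in the man pages. Whether originator_port was range-checked earlier is not visible, since client_request_forwarded_tcpip starts outside the hunk.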
>@@ -864,6 +870,7 @@
> options->xauth_location = NULL;
> options->gateway_ports = -1;
> options->use_privileged_port = -1;
>+ options->try_outgoing_privileged_port = -1;
> options->rsa_authentication = -1;
> options->pubkey_authentication = -1;
> options->challenge_response_authentication = -1;
>@@ -941,6 +948,8 @@
> options->gateway_ports = 0;
> if (options->use_privileged_port == -1)
> options->use_privileged_port = 0;
>+ if (options->try_outgoing_privileged_port == -1)
>+ options->try_outgoing_privileged_port = 0;
> if (options->rsa_authentication == -1)
> options->rsa_authentication = 1;
> if (options->pubkey_authentication == -1)
>diff -u -r openssh-3.9p1.orig/readconf.h openssh-3.9p1/readconf.h
>--- openssh-3.9p1.orig/readconf.h 2004-07-17 08:12:08.000000000 +0200
>+++ openssh-3.9p1/readconf.h 2004-08-25 15:25:22.839711000 +0200
>@@ -36,6 +36,12 @@
> char *xauth_location; /* Location for xauth program */
> int gateway_ports; /* Allow remote connects to forwarded ports. */
> int use_privileged_port; /* Don't use privileged port if false. */
>+ int try_outgoing_privileged_port; /*
>+ * local_forward/remote_forward:
>+ * Try connect() from privileged
>+ * port when connection came
>+ * from privileged port
>+ */
> int rhosts_rsa_authentication; /* Try rhosts with RSA
> * authentication. */
> int rsa_authentication; /* Try RSA authentication. */
>diff -u -r openssh-3.9p1.orig/ssh.1 openssh-3.9p1/ssh.1
>--- openssh-3.9p1.orig/ssh.1 2004-08-13 13:22:40.000000000 +0200
>+++ openssh-3.9p1/ssh.1 2004-08-25 15:25:22.859730000 +0200
>@@ -43,7 +43,7 @@
> .Nd OpenSSH SSH client (remote login program)
> .Sh SYNOPSIS
> .Nm ssh
>-.Op Fl 1246AaCfgkMNnqsTtVvXxY
>+.Op Fl 1246AaCfgkMNnQqsTtVvXxY
> .Op Fl b Ar bind_address
> .Op Fl c Ar cipher_spec
> .Bk -words
>@@ -693,7 +693,8 @@
> .It MACs
> .It NoHostAuthenticationForLocalhost
> .It NumberOfPasswordPrompts
>-.It PasswordAuthentication
>+.It
>+PasswordAuthentication
> .It Port
> .It PreferredAuthentications
> .It Protocol
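Review bot: The new readconf.h comment describes the field as applying to `local_forward/remote_forward`, but in the channels.c hunks only channel_connect_by_listen_address forwards the flag while channel_connect_to passes a constant 0, and the ssh_config.5 text introduces the option as an extension to RemoteForward alone. A comment that matches the implementation would be `/* RemoteForward only: connect() from a privileged port when the forwarded connection originated from one. */`, so the header does not promise a LocalForward effect that the code does not provide. The defaults added in the two readconf.c hunks on this line (-1 then 0) follow the use_privileged_port pattern and look consistent.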
>@@ -744,8 +745,25 @@
> .Sm off
> .Xo
> .Ar port No / Ar host No /
>-.Ar hostport .
> .Xc
>+.It Fl Q
>+Extension to the
>+.Fl R
>+option (protocol version 2 only): Specifies that if the connection to
>+.Ar hostport .
>+on the remote side was made from a privileged port then the
>+connection from the local machine to
>+.Ar host
>+port
>+.Ar hostport
>+should be originating from a privileged port too. Only root can
>+originate connections from privileged ports. In case of non-root
>+users or lack of free privileged ports, ssh silently falls back
>+to connecting from non-privileged ports.
>+
>+This should be enabled with caution. The originating port number
>+is retrieved from the remote side and could be forged. Only enable
>+this if the remote machine is trusted.
> .Sm on
> .It Fl S Ar ctl
> Specifies the location of a control socket for connection sharing.
>diff -u -r openssh-3.9p1.orig/ssh.c openssh-3.9p1/ssh.c
>--- openssh-3.9p1.orig/ssh.c 2004-08-15 09:23:34.000000000 +0200
>+++ openssh-3.9p1/ssh.c 2004-08-25 15:25:22.869744000 +0200
>@@ -236,7 +236,7 @@
>
> again:
> while ((opt = getopt(ac, av,
>- "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNPR:S:TVXY")) != -1) {
>+ "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNQPR:S:TVXY")) != -1) {
> switch (opt) {
> case '1':
> options.protocol = SSH_PROTO_1;
>@@ -273,6 +273,9 @@
> case 'P': /* deprecated */
> options.use_privileged_port = 0;
> break;
>+ case 'Q':
>+ options.try_outgoing_privileged_port = 1;
>+ break;
> case 'a':
> options.forward_agent = 0;
> break;
>diff -u -r openssh-3.9p1.orig/ssh_config.5 openssh-3.9p1/ssh_config.5
>--- openssh-3.9p1.orig/ssh_config.5 2004-06-30 14:38:52.000000000 +0200
>+++ openssh-3.9p1/ssh_config.5 2004-08-25 15:25:22.889720000 +0200
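Review bot: The ssh.c hunks add `Q` to the getopt string and a `case 'Q':` that sets try_outgoing_privileged_port, and the ssh.1 SYNOPSIS was updated to match, but ssh.c's usage() text, which is outside both hunks and presumably lists the accepted option letters as well, is not touched by this patch; it should name -Q too, or the command-line help will disagree with the man page. The new case carries no comment while the neighbouring `case 'P'` does; a one-liner such as `/* -Q: privileged source port for remote forwards (see TryOutgoingPrivilegedPort) */` would tie the letter to the config keyword it sets.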
>@@ -778,6 +778,24 @@
> The default is
> .Dq no .
> Note that this option applies to protocol version 2 only.
>+.It Cm TryOutgoingPrivilegedPort
>+Extension to RemoteForward. If set to
>+.Dq yes
>+then if the connection to
>+.Ar port
>+on the remote side was made from a privileged port then the
>+connection from the local machine to
>+.Ar host:port
>+should be originating from a privileged port too. Only root can
>+originate connections from privileged ports. In case of non-root
>+users or lack of free privileged ports, ssh silently falls back
>+to connecting from non-privileged ports. The default is
>+.Dq no .
>+This option applies to protocol version 2 only.
>+.Pp
>+This should be enabled with caution. The originating port number
>+is retrieved from the remote side and could be forged. Only enable
>+this if the remote machine is trusted.
> .It Cm XAuthLocation
> Specifies the full pathname of the
> .Xr xauth 1