- dtucker@cvs.openbsd.org 2011/09/23 00:22:04
[channels.c auth-options.c servconf.c channels.h sshd.8]
Add wildcard support to PermitOpen, allowing things like "PermitOpen
localhost:*". bz #1857, ok djm markus.
diff --git a/ChangeLog b/ChangeLog
index 76a5dd0..2e1780a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
2011101
- (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning. ok djm
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2011/09/23 00:22:04
+ [channels.c auth-options.c servconf.c channels.h sshd.8]
+ Add wildcard support to PermitOpen, allowing things like "PermitOpen
+ localhost:*". bz #1857, ok djm markus.
20110929
- (djm) [configure.ac defines.h] No need to detect sizeof(char); patch
diff --git a/auth-options.c b/auth-options.c
index eae45cf..b3c19c1 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.54 2010/12/24 21:41:48 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.55 2011/09/23 00:22:04 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -341,7 +341,7 @@
goto bad_option;
}
host = cleanhostname(host);
- if (p == NULL || (port = a2port(p)) <= 0) {
+ if (p == NULL || (port = permitopen_port(p)) < 0) {
debug("%.100s, line %lu: Bad permitopen port "
"<%.100s>", file, linenum, p ? p : "");
auth_debug_add("%.100s, line %lu: "
diff --git a/channels.c b/channels.c
index b6663de..00e9af8 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.313 2011/09/10 22:26:34 markus Exp $ */
+/* $OpenBSD: channels.c,v 1.314 2011/09/23 00:22:04 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -125,6 +125,9 @@
/* Number of permitted host/port pair in the array permitted by the admin. */
static int num_adm_permitted_opens = 0;
+/* special-case port number meaning allow any port */
+#define FWD_PERMIT_ANY_PORT 0
+
/*
* If this is true, all opens are permitted. This is the case on the server
* on which we have to trust the client anyway, and the user could do
@@ -3135,6 +3138,28 @@
printf("\n");
}
+/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
+int
+permitopen_port(const char *p)
+{
+ int port;
+
+ if (strcmp(p, "*") == 0)
+ return FWD_PERMIT_ANY_PORT;
+ if ((port = a2port(p)) > 0)
+ return port;
+ return -1;
+}
+
+static int
+port_match(u_short allowedport, u_short requestedport)
+{
+ if (allowedport == FWD_PERMIT_ANY_PORT ||
+ allowedport == requestedport)
+ return 1;
+ return 0;
+}
+
/* Try to start non-blocking connect to next host in cctx list */
static int
connect_next(struct channel_connect *cctx)
@@ -3237,7 +3262,7 @@
for (i = 0; i < num_permitted_opens; i++) {
if (permitted_opens[i].host_to_connect != NULL &&
- permitted_opens[i].listen_port == listen_port) {
+ port_match(permitted_opens[i].listen_port, listen_port)) {
return connect_to(
permitted_opens[i].host_to_connect,
permitted_opens[i].port_to_connect, ctype, rname);
@@ -3258,7 +3283,7 @@
if (!permit) {
for (i = 0; i < num_permitted_opens; i++)
if (permitted_opens[i].host_to_connect != NULL &&
- permitted_opens[i].port_to_connect == port &&
+ port_match(permitted_opens[i].port_to_connect, port) &&
strcmp(permitted_opens[i].host_to_connect, host) == 0)
permit = 1;
}
@@ -3267,7 +3292,7 @@
permit_adm = 0;
for (i = 0; i < num_adm_permitted_opens; i++)
if (permitted_adm_opens[i].host_to_connect != NULL &&
- permitted_adm_opens[i].port_to_connect == port &&
+ port_match(permitted_adm_opens[i].port_to_connect, port) &&
strcmp(permitted_adm_opens[i].host_to_connect, host)
== 0)
permit_adm = 1;
diff --git a/channels.h b/channels.h
index ff84ea5..6f316c8 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.107 2011/09/10 22:26:34 markus Exp $ */
+/* $OpenBSD: channels.h,v 1.108 2011/09/23 00:22:04 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -268,6 +268,7 @@
int channel_setup_remote_fwd_listener(const char *, u_short, int *, int);
int channel_cancel_rport_listener(const char *, u_short);
int channel_cancel_lport_listener(const char *, u_short, int, int);
+int permitopen_port(const char *);
/* x11 forwarding */
diff --git a/servconf.c b/servconf.c
index 91986e5..8ec5ca0 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.222 2011/06/22 21:57:01 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.223 2011/09/23 00:22:04 dtucker Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -1341,7 +1341,7 @@
fatal("%s line %d: missing host in PermitOpen",
filename, linenum);
p = cleanhostname(p);
- if (arg == NULL || (port = a2port(arg)) <= 0)
+ if (arg == NULL || ((port = permitopen_port(arg)) < 0))
fatal("%s line %d: bad port number in "
"PermitOpen", filename, linenum);
if (*activep && n == -1)
diff --git a/sshd.8 b/sshd.8
index a91be0f..7210157 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.263 2011/08/02 01:22:11 djm Exp $
-.Dd $Mdocdate: August 2 2011 $
+.\" $OpenBSD: sshd.8,v 1.264 2011/09/23 00:22:04 dtucker Exp $
+.Dd $Mdocdate: September 23 2011 $
.Dt SSHD 8
.Os
.Sh NAME
@@ -608,6 +608,9 @@
options may be applied separated by commas.
No pattern matching is performed on the specified hostnames,
they must be literal domains or addresses.
+A port specification of
+.Cm *
+matches any port.
.It Cm principals="principals"
On a
.Cm cert-authority