commit 9b439df18a9d56683584811ce38dcf72acd4cb20
author Damien Miller <djm@mindrot.org> Mon Jul 24 14:04:00 2006 +1000
committer Damien Miller <djm@mindrot.org> Mon Jul 24 14:04:00 2006 +1000
tree dc7d64d4ae9ce7c47d52804671e8b5d2aedddae3
parent 98299261eb970688a7bad346491cffdf2a7f6072

   - dtucker@cvs.openbsd.org 2006/07/17 12:06:00
     [channels.c channels.h servconf.c sshd_config.5]
     Add PermitOpen directive to sshd_config which is equivalent to the
     "permitopen" key option.  Allows server admin to allow TCP port
     forwarding only two specific host/port pairs.  Useful when combined
     with Match.
     If permitopen is used in both sshd_config and a key option, both
     must allow a given connection before it will be permitted.
     Note that users can still use external forwarders such as netcat,
     so to be those must be controlled too for the limits to be effective.
     Feedback & ok djm@, man page corrections & ok jmc@.

channels.c

diff --git a/channels.c b/channels.c
index fbbae9e..9aaf7e9 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.256 2006/07/17 01:31:09 stevesk Exp $ */
+/* $OpenBSD: channels.c,v 1.257 2006/07/17 12:06:00 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -106,11 +106,18 @@
 	u_short listen_port;		/* Remote side should listen port number. */
 } ForwardPermission;
 
-/* List of all permitted host/port pairs to connect. */
+/* List of all permitted host/port pairs to connect by the user. */
 static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
 
-/* Number of permitted host/port pairs in the array. */
+/* List of all permitted host/port pairs to connect by the admin. */
+static ForwardPermission permitted_adm_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
+
+/* Number of permitted host/port pairs in the array permitted by the user. */
 static int num_permitted_opens = 0;
+
+/* Number of permitted host/port pair in the array permitted by the admin. */
+static int num_adm_permitted_opens = 0;
+
 /*
  * If this is true, all opens are permitted.  This is the case on the server
  * on which we have to trust the client anyway, and the user could do
@@ -2647,6 +2654,19 @@
 }
 
 void
+channel_add_adm_permitted_opens(char *host, int port)
+{
+	if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
+		fatal("channel_add_adm_permitted_opens: too many forwards");
+	debug("allow port forwarding to host %s port %d", host, port);
+
+	permitted_adm_opens[num_adm_permitted_opens].host_to_connect
+	     = xstrdup(host);
+	permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port;
+	num_adm_permitted_opens++;
+}
+
+void
 channel_clear_permitted_opens(void)
 {
 	int i;
@@ -2655,7 +2675,17 @@
 		if (permitted_opens[i].host_to_connect != NULL)
 			xfree(permitted_opens[i].host_to_connect);
 	num_permitted_opens = 0;
+}
 
+void
+channel_clear_adm_permitted_opens(void)
+{
+	int i;
+
+	for (i = 0; i < num_adm_permitted_opens; i++)
+		if (permitted_adm_opens[i].host_to_connect != NULL)
+			xfree(permitted_adm_opens[i].host_to_connect);
+	num_adm_permitted_opens = 0;
 }
 
 /* return socket to remote host, port */
@@ -2734,7 +2764,7 @@
 int
 channel_connect_to(const char *host, u_short port)
 {
-	int i, permit;
+	int i, permit, permit_adm = 1;
 
 	permit = all_opens_permitted;
 	if (!permit) {
@@ -2743,9 +2773,19 @@
 			    permitted_opens[i].port_to_connect == port &&
 			    strcmp(permitted_opens[i].host_to_connect, host) == 0)
 				permit = 1;
-
 	}
-	if (!permit) {
+
+	if (num_adm_permitted_opens > 0) {
+		permit_adm = 0;
+		for (i = 0; i < num_adm_permitted_opens; i++)
+			if (permitted_adm_opens[i].host_to_connect != NULL &&
+			    permitted_adm_opens[i].port_to_connect == port &&
+			    strcmp(permitted_adm_opens[i].host_to_connect, host)
+			    == 0)
+				permit_adm = 1;
+	}
+
+	if (!permit || !permit_adm) {
 		logit("Received request to connect to host %.100s port %d, "
 		    "but the request was denied.", host, port);
 		return -1;