diff -up openssh-6.6p1/channels.c.permitopen openssh-6.6p1/channels.c
--- openssh-6.6p1/channels.c.permitopen	2016-06-29 15:37:08.780327108 +0200
+++ openssh-6.6p1/channels.c	2016-06-29 16:04:38.480857525 +0200
@@ -128,6 +128,9 @@ static int num_adm_permitted_opens = 0;
 /* special-case port number meaning allow any port */
 #define FWD_PERMIT_ANY_PORT	0
 
+/* special-case wildcard meaning allow any host */
+#define FWD_PERMIT_ANY_HOST	"*"
+
 /*
  * If this is true, all opens are permitted.  This is the case on the server
  * on which we have to trust the client anyway, and the user could do
@@ -3271,6 +3274,21 @@ port_match(u_short allowedport, u_short
 	return 0;
 }
 
+static int
+open_match(ForwardPermission *allowed_open, const char *requestedhost,
+    u_short requestedport)
+{
+	if (allowed_open->host_to_connect == NULL)
+		return 0;
+	if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&
+	    allowed_open->port_to_connect != requestedport)
+		return 0;
+	if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 &&
+	    strcmp(allowed_open->host_to_connect, requestedhost) != 0)
+		return 0;
+	return 1;
+}
+
 /* Try to start non-blocking connect to next host in cctx list */
 static int
 connect_next(struct channel_connect *cctx)
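Review bot: open_match re-implements the FWD_PERMIT_ANY_PORT comparison that port_match(), whose tail is visible in this hunk's header context, already provides, so the two checks can drift apart; the port test could simply read `if (!port_match(allowed_open->port_to_connect, requestedport))` followed by `return 0;`. The new function also has no header comment; a one-liner such as `/* Return 1 if the permitted-open entry covers requestedhost:requestedport; FWD_PERMIT_ANY_HOST and FWD_PERMIT_ANY_PORT act as wildcards, and an entry with a NULL host never matches. */` would state the wildcard contract in one place. allowed_open is only read, so it can be declared `const ForwardPermission *allowed_open`. The host comparison is an exact, case-sensitive strcmp like the code it replaces, so "*" is the only pattern honoured, and a NULL requestedhost would reach strcmp unguarded; both callers in this patch pass a non-NULL host, but the function itself does not check.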
@@ -3391,20 +3409,18 @@ channel_connect_to(const char *host, u_s
 	permit = all_opens_permitted;
 	if (!permit) {
 		for (i = 0; i < num_permitted_opens; i++)
-			if (permitted_opens[i].host_to_connect != NULL &&
-			    port_match(permitted_opens[i].port_to_connect, port) &&
-			    strcmp(permitted_opens[i].host_to_connect, host) == 0)
+			if (open_match(&permitted_opens[i], host, port)) {
 				permit = 1;
+			}
 	}
 
 	if (num_adm_permitted_opens > 0) {
 		permit_adm = 0;
 		for (i = 0; i < num_adm_permitted_opens; i++)
-			if (permitted_adm_opens[i].host_to_connect != NULL &&
-			    port_match(permitted_adm_opens[i].port_to_connect, port) &&
-			    strcmp(permitted_adm_opens[i].host_to_connect, host)
-			    == 0)
+			if (open_match(&permitted_adm_opens[i], host, port)) {
 				permit_adm = 1;
+				break;
+			}
 	}
 
 	if (!permit || !permit_adm) {
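Review bot: The loop over permitted_opens gains braces but no `break;`, while the permitted_adm_opens loop just below it gets `break;` after `permit_adm = 1;`; the asymmetry looks accidental, since once permit is set the remaining iterations cannot change it. Adding `break;` after `permit = 1;` makes the two loops read the same and ends the scan on the first match, as the second loop now does. channel_connect_to begins before this hunk and continues past it, so the initialisation of permit_adm and the use of the two flags are only partly visible here.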
diff -up openssh-6.6p1/sshd_config.5.permitopen openssh-6.6p1/sshd_config.5
--- openssh-6.6p1/sshd_config.5.permitopen	2016-06-29 15:37:08.778327110 +0200
+++ openssh-6.6p1/sshd_config.5	2016-06-29 15:37:08.782327106 +0200
@@ -1005,6 +1005,9 @@ can be used to remove all restrictions a
 An argument of
 .Dq none
 can be used to prohibit all forwarding requests.
+Wildcard
+.Dq *
+can be used for host or port to allow all hosts or all ports respectively.
 By default all port forwarding requests are permitted.
 .It Cm PermitRootLogin
 Specifies whether root can log in using