This is a discussion on TR: 3.8.1p1 option "permitopennet" added within the OpenSSH Development forums, part of the Networking and Network Related category; Patch is below : diff -nru openssh-3.8.1p1/auth-options.c = openssh-3.8.1p1-devs//auth-options.c --- ...
Patch is below :
diff -nru openssh-3.8.1p1/auth-options.c = openssh-3.8.1p1-devs//auth-options.c --- openssh-3.8.1p1/auth-options.c Tue Jun 3 02:25:48 2003 +++ openssh-3.8.1p1-devs//auth-options.c Mon Feb 21 16:56:49 2005 
@@ -265,6 +265,81 @@ xfree(patterns); goto next_option; } + +/* e.g: permitopenned=3D"158.156.0.0/255.255.255.0:25[-1024]" + * note that part between [] is optionnal for 1 port specification + */ + cp =3D "permitopennet=3D\""; + if (strncasecmp(opts, cp, strlen(cp)) =3D=3D 0) { + char netblock[256], netmask[256], + sporta[6], sportb[6]; + u_short porta, portb; + + char *patterns =3D xmalloc(strlen(opts) + 1); + netblock[0] =3D netmask[0] =3D sporta[0] =3D sportb[0] =3D 0; + porta =3D portb =3D 0; + + opts +=3D strlen(cp); + i =3D 0; + while (*opts) { + if (*opts =3D=3D '"') + break; + if (*opts =3D=3D '\\' && opts[1] =3D=3D '"') { + opts +=3D 2; + patterns[i++] =3D '"'; + continue; + } + patterns[i++] =3D *opts++; + } + if (!*opts) { + debug("%.100s, line %lu: missing end quote", + file, linenum); + auth_debug_add("%.100s, line %lu: missing end quote", + file, linenum); + xfree(patterns); + goto bad_option; + } + patterns[i] =3D 0; + opts++; + + if (sscanf(patterns, "%255[^:/]/%255[^:]:%5[0-9]-%5[0-9]", netblock, = netmask , sporta, sportb) !=3D 4 && + sscanf(patterns, "%255[^:/]/%255[^:]:%5[0-9]", netblock, netmask , = sporta) !=3D 3 ) { + debug("%.100s, line %lu: Bad permitopennet specification " + "<%.100s>", file, linenum, patterns); + auth_debug_add("%.100s, line %lu: " + "Bad permitopennet specification", file, linenum); + xfree(patterns); + goto bad_option; + } + + if ((porta =3D a2port(sporta)) =3D=3D 0) { + debug("%.100s, line %lu: Bad permitopen port <%.100s>", + file, linenum, sporta); + auth_debug_add("%.100s, line %lu: " + "Bad permitopennet port a", file, linenum); + xfree(patterns); + goto bad_option; + } + + if ( *sportb && ((portb =3D a2port(sportb)) =3D=3D 0)) { + debug("%.100s, line %lu: Bad permitopen port <%.100s>", + file, linenum, sportb); + auth_debug_add("%.100s, line %lu: " + "Bad permitopennet port b", file, linenum); + xfree(patterns); + goto bad_option; + } + + auth_debug_add("%.100s, line %lu: " + "permitopennet specification : %s/%s : 
%d %d", file, linenum, + netblock, netmask, porta, portb); + + if (options.allow_tcp_forwarding) + channel_add_permittednet_opens(netblock, netmask, porta, portb); + + xfree(patterns); + goto next_option; + } next_option: /* * Skip the comma, and move to the next option diff -nru openssh-3.8.1p1/channels.c openssh-3.8.1p1-devs//channels.c --- openssh-3.8.1p1/channels.c Wed Jan 21 01:02:09 2004 +++ openssh-3.8.1p1-devs//channels.c Tue Feb 22 10:36:55 2005 @@ -55,6 +55,7 @@ #include "authfd.h" #include "pathnames.h" #include "bufaux.h" +#include "auth.h" =20 /* -- channel core */ =20 @@ -91,11 +92,27 @@ u_short listen_port; /* Remote side should listen port number. */ } ForwardPermission; =20 +/* That structure _only_ stocks authorized permitopennet demands + * A ForwardPermission entry is added at each incoming connexion + * in "permitted_opens" array + */ +typedef struct { + struct in_addr * netblock_to_connect; + struct in_addr * netmask_to_connect; + u_short porta_to_connect; + u_short portb_to_connect; +} ForwardNetPermission; + /* List of all permitted host/port pairs to connect. */ static ForwardPermission = permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; =20 +/* List of all permitted netblock/portblock pairs to connect. */ +static ForwardNetPermission = permittednet_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; + /* Number of permitted host/port pairs in the array. */ static int num_permitted_opens =3D 0; +/* Number of permitted netblock/portblock pairs in the array. */ +static int num_permittednet_opens =3D 0; /* * If this is true, all opens are permitted. This is the case on the = server * on which we have to trust the client anyway, and the user could do 
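Review bot: The parsed range is never checked for `porta <= portb` and neither address string is validated here; `inet_aton` only runs later in channel_add_permittednet_opens, where a failure is merely logged. A reversed range such as `25-1024` written as `1024-25` is accepted and then matches nothing in channel_connect_to, and since `inet_aton` also accepts short numeric forms, a CIDR-style `158.156.0.0/24:25` would be taken as mask `0.0.0.24` instead of being rejected. After the two `a2port` checks add `if (*sportb && porta > portb) { xfree(patterns); goto bad_option; }` (with the usual debug/auth_debug_add lines), and run `inet_aton` on both netblock and netmask into a local `struct in_addr` before calling channel_add_permittednet_opens so that a bad entry rejects the key like any other bad option. The two debug messages also read `Bad permitopen port` where `Bad permitopennet port` is meant. The enclosing auth_parse_options body starts and ends outside the hunk.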
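Review bot: ForwardNetPermission holds `struct in_addr *` members that are separately malloc'd per entry, while a by-value `struct in_addr netblock_to_connect;` / `struct in_addr netmask_to_connect;` would need no allocation, no free and could never be left dangling. The comment above the struct could also be tightened to `/* Authorized permitopennet entries; a matching connection is also recorded in permitted_opens. */`.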
@@ -2110,7 +2127,7 @@ originator_string =3D xstrdup("unknown (remote did not supply = name)"); } packet_check_eom(); - sock =3D channel_connect_to(host, host_port); + sock =3D channel_connect_to(host, host_port, ctxt); if (sock !=3D -1) { c =3D channel_new("connected socket", SSH_CHANNEL_CONNECTING, sock, sock, -1, 0, 0, 0, @@ -2349,7 +2366,7 @@ void channel_permit_all_opens(void) { - if (num_permitted_opens =3D=3D 0) + if (num_permitted_opens =3D=3D 0 && num_permittednet_opens =3D=3D 0) all_opens_permitted =3D 1; } =20 
@@ -2368,6 +2385,35 @@ } =20 void +channel_add_permittednet_opens(char *netblock, char *netmask, int = porta, int portb) +{ + /* XXX this does not make any sens */ + if (num_permittednet_opens >=3D SSH_MAX_FORWARDS_PER_DIRECTION) + fatal("channel_request_remote_forwarding: too many forwards"); + + if (portb) debug("allow port forwarding to netblock %s/%s port %d-%d", = netblock,netmask, porta, portb); + else debug("allow port forwarding to netblock %s/%s port %d", = netblock,netmask, porta); + + /* Continue if conversion fails - checked while parsing option ... + Note that "permitted_opens" array int not affected */ + + permittednet_opens[num_permittednet_opens].netblock_to_connect =3D = (struct in_addr *)malloc(sizeof(struct in_addr)); + permittednet_opens[num_permittednet_opens].netmask_to_connect =3D = (struct in_addr *)malloc(sizeof(struct in_addr)); + + if (! inet_aton(netblock, = permittednet_opens[num_permittednet_opens].netblock_to_connect))=20 + error("channel_add_permittednet_opens: pbm while converting netblock = [%s]", netblock); + + if (! inet_aton(netmask, = permittednet_opens[num_permittednet_opens].netmask_to_connect))=20 + error("channel_add_permittednet_opens: pbm while converting netmask = [%s]", netmask); + + permittednet_opens[num_permittednet_opens].porta_to_connect =3D porta; + permittednet_opens[num_permittednet_opens].portb_to_connect =3D portb; + num_permittednet_opens++; + + all_opens_permitted =3D 0; +} + +void channel_clear_permitted_opens(void) { int i; @@ -2374,6 +2420,10 @@ =20 for (i =3D 0; i < num_permitted_opens; i++) xfree(permitted_opens[i].host_to_connect); + for (i =3D 0; i < num_permittednet_opens; i++) { + xfree(permittednet_opens[i].netblock_to_connect); + xfree(permittednet_opens[i].netmask_to_connect); + } num_permitted_opens =3D 0; =20 } 
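Review bot: When either `inet_aton` call fails the entry is still installed and `num_permittednet_opens` incremented, so the freshly malloc'd, never-written `struct in_addr` values become the netblock and mask that channel_connect_to later compares against; the permit decision then depends on heap garbage. Both `malloc` results are also unchecked, and the fatal message names `channel_request_remote_forwarding`. Converting into stack temporaries first and failing hard on a bad address keeps the policy well defined; `fatal` rather than a silent `return` is the right failure here, because skipping the entry could leave `all_opens_permitted` untouched and thereby widen the policy. Whether the parser in auth-options.c also rejects such entries is outside this hunk.
```c
void
channel_add_permittednet_opens(char *netblock, char *netmask, int porta, int portb)
{
	struct in_addr block, mask;

	if (num_permittednet_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("channel_add_permittednet_opens: too many forwards");

	/* Never install an entry whose address or mask did not convert. */
	if (!inet_aton(netblock, &block) || !inet_aton(netmask, &mask))
		fatal("channel_add_permittednet_opens: bad netblock/netmask %s/%s",
		    netblock, netmask);

	/* … unchanged: debug() lines … */

	permittednet_opens[num_permittednet_opens].netblock_to_connect =
	    xmalloc(sizeof(struct in_addr));
	permittednet_opens[num_permittednet_opens].netmask_to_connect =
	    xmalloc(sizeof(struct in_addr));
	*permittednet_opens[num_permittednet_opens].netblock_to_connect = block;
	*permittednet_opens[num_permittednet_opens].netmask_to_connect = mask;

	/* … unchanged: port assignment, counter increment, all_opens_permitted = 0 … */
}
```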
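Review bot: channel_clear_permitted_opens frees every `netblock_to_connect` and `netmask_to_connect` but leaves `num_permittednet_opens` unchanged, so the next channel_connect_to still walks the array and dereferences freed memory, and channel_permit_all_opens keeps seeing entries that no longer exist. Add `num_permittednet_opens = 0;` next to the existing `num_permitted_opens = 0;`.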
@@ -2452,23 +2502,52 @@ =20 /* Check if connecting to that port is permitted and connect. */ int -channel_connect_to(const char *host, u_short port) +channel_connect_to(const char *host, u_short port, void * a_ctxt) { int i, permit; + struct in_addr *host_dst; + Authctxt * ctxt =3D a_ctxt; + struct passwd *pw =3D ctxt->pw; =20 permit =3D all_opens_permitted; if (!permit) { - for (i =3D 0; i < num_permitted_opens; i++) + /* check against "permitopen" option */ + for (i =3D 0; i < num_permitted_opens && !permit; i++) if (permitted_opens[i].port_to_connect =3D=3D port && strcmp(permitted_opens[i].host_to_connect, host) =3D=3D 0) permit =3D 1; - } if (!permit) { - logit("Received request to connect to host %.100s port %d, " - "but the request was denied.", host, port); + /* last check : against "permitopennet" option */ + host_dst =3D (struct in_addr *)malloc(sizeof(struct in_addr)); + if (inet_aton(host, host_dst)) { + for (i =3D 0 ; i < num_permittednet_opens && !permit ; i++) { + if ((host_dst->s_addr & = permittednet_opens[i].netmask_to_connect->s_addr) =3D=3D + permittednet_opens[i].netblock_to_connect->s_addr) { + if ((permittednet_opens[i].porta_to_connect && = permittednet_opens[i].portb_to_connect && + port >=3D permittednet_opens[i].porta_to_connect && + port <=3D permittednet_opens[i].portb_to_connect) || + (!permittednet_opens[i].portb_to_connect && + permittednet_opens[i].porta_to_connect =3D=3D port)) { + channel_add_permitted_opens(host,port); + permit =3D 1; + } + } + } + xfree(host_dst); + } + } + if (!permit) { + if (pw && ctxt->valid)=20 + logit("%s (uid:%d) requests to connect to host %.100s port %d, " + "but the request was = denied.",ctxt->pw->pw_name,ctxt->pw->pw_uid, host, port); return -1; } + + if (pw && ctxt->valid)=20 + logit("%s (uid:%d) requests to connect to host %.100s port %d, " + "and the request was = accepted.",ctxt->pw->pw_name,ctxt->pw->pw_uid, host, port); + return connect_to(host, port); } =20 diff -nru openssh-3.8.1p1/channels.h 
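Review bot: A netblock match is made permanent by calling `channel_add_permitted_opens(host, port)`, so each new destination inside the block appends to `permitted_opens`; once SSH_MAX_FORWARDS_PER_DIRECTION distinct host/port pairs have been used, that function's "too many forwards" `fatal` terminates the user's own session. Setting `permit = 1;` and dropping the `channel_add_permitted_opens` call gives the same decision without the growing cache. `host_dst` is an unchecked `malloc` that could simply be a stack `struct in_addr host_dst;` used with `&host_dst`, which also removes the `xfree`. Note that the netblock check only runs when `inet_aton(host, ...)` succeeds, so hostname and IPv6 destinations are never matched by permitopennet; worth stating in a comment above the loop. The uid is logged with `%d` although `pw_uid` is a `uid_t`; casting to `(u_int)` with `%u` avoids the mismatch.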
openssh-3.8.1p1-devs//channels.h --- openssh-3.8.1p1/channels.h Thu Oct 2 08:17:00 2003 +++ openssh-3.8.1p1-devs//channels.h Mon Feb 21 17:09:18 2005 @@ -195,9 +195,10 @@ void channel_set_af(int af); void channel_permit_all_opens(void); void channel_add_permitted_opens(char *, int); +void channel_add_permittednet_opens(char *, char *, int, int); void channel_clear_permitted_opens(void); void channel_input_port_forward_request(int, int); -int channel_connect_to(const char *, u_short); +int channel_connect_to(const char *, u_short, void *); int channel_connect_by_listen_address(u_short); void channel_request_remote_forwarding(u_short, const char *, = u_short); int channel_setup_local_fwd_listener(u_short, const char *, u_short, = int); diff -nru openssh-3.8.1p1/serverloop.c = openssh-3.8.1p1-devs//serverloop.c --- openssh-3.8.1p1/serverloop.c Wed Jan 21 01:02:50 2004 +++ openssh-3.8.1p1-devs//serverloop.c Mon Feb 21 11:33:13 2005 
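Review bot: The new third parameter of `channel_connect_to` is declared `void *` and then cast back to `Authctxt *` in channels.c, which discards type checking at every call site. If channels.h is not meant to include auth.h, a forward declaration such as `struct Authctxt;` with the parameter typed `struct Authctxt *` would keep the compiler checking the argument; confirm that Authctxt is the struct tag used in auth.h.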
@@ -867,7 +867,7 @@ originator, originator_port, target, target_port); =20 /* XXX check permission */ - sock =3D channel_connect_to(target, target_port); + sock =3D channel_connect_to(target, target_port, the_authctxt); xfree(target); xfree(originator); if (sock < 0) -----Message d'origine----- De : Bucaille, Lionel=20 Envoy=E9 : mardi 22 f=E9vrier 2005 11:21 =C0 : 'openssh-unix-dev@mindrot.org' Objet : 3.8.1p1 option "permitopennet" added Hello, I send you a small patch about a "new" option called "permitopennet". = The behaviour is the same as "permitopen" except the accept/deny = statement is based on this syntax : "netblock/netmask:porta[-portb]". Moreover, I also added some useful log lines : the uid is logged while = doing port forwarding. Sample conf :=20 permitopennet=3D"158.156.156.128/255.255.255.128:25-1024" ssh-dss = AAAAB3NzaC1kc3MAAACAbAehy7ov+HQvaSalGdJaNA3YAunrEI T3sqNqqs8CVIAgv2p ... Logs : eym59365 (uid:620) requests to connect to host 158.156.156.70 port 80, = but the request was denied. eym59365 (uid:620) requests to connect to host 158.156.156.251 port 80, = and the request was accepted. Waiting for your remarks or comments. Lionel. Ce message et toutes les pi=E8ces jointes (ci-apr=E8s le =AB message = =BB) sont confidentiels et =E9tablis =E0 l'intention exclusive de ses = destinataires. Toute utilisation de ce message non conforme =E0 sa = destination, toute diffusion ou toute publication, totale ou partielle, = est interdite, sauf autorisation expresse. Si vous recevez ce message = par erreur, merci de le d=E9truire sans en conserver de copie et d'en = avertir imm=E9diatement l'exp=E9diteur. Internet ne permettant pas de = garantir l'int=E9grit=E9 de ce message, la Caisse des d=E9p=F4ts et = consignations d=E9cline toute responsabilit=E9 au titre de ce message = s'il a =E9t=E9 modifi=E9, alt=E9r=E9, d=E9form=E9 ou falsifi=E9. This message and any attachments (the =AB message =BB) are confidential = and intended solely for the addresses. 
Any use not in accord with its = purpose, any dissemination or disclosure, either whole or partial, is = prohibited without formal approval. If you receive this message in = error, please delete it without storing any evidence and immediately = notify the sender. Internet can not guarantee the integrity of this = message, neither shall Caisse des depots et consignations be liable for = the message if modified, altered, changed or falsified. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@mindrot.org http://www.mindrot.org/mailman/listi...enssh-unix-dev |