This is a discussion on Re: port forwarding trouble within the OpenSSH Development forums, part of the Networking and Network Related category; This is a multi-part message in MIME format. --------------080909080505040207080501 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-...
--------------080909080505040207080501 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Darren Tucker wrote: > Alright, I've made an attempt to implement this and attached it to > the bug. Please let us know how reviewing and testing the patch goes. > Better wording for the man page would also be appreciated. > > http://bugzilla.mindrot.org/show_bug.cgi?id=910 > > Brief overview from patch description: > Implement port spec as per sshd(8) ListenAddress > > The following are valid hostname entries: > localhost > 127.0.0.1 > ::1 > localhost:222 > 127.0.0.1:222 > [::1]:222 > > The first 3 should remain backward compatible with older versions and > are still written if possible. The syntax is compatible with the sshd(8) > ListenAddress option (uses the same parser). It occurrs to me that since it doesn't actually need *parse* the host:port identifiers then factoring out that code is a waste of time, so this diff is much simpler :-) (I can't connect to bugzilla right now but I will attach it to bug #910 when I can.) Testing still appreciated. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. --------------080909080505040207080501 Content-Type: text/plain; name="openssh-bug910.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="openssh-bug910.patch"
Index: misc.c
================================================== =================
RCS file: /cvs/src/usr.bin/ssh/misc.c,v
retrieving revision 1.34
diff -u -p -r1.34 misc.c
--- misc.c 2005/07/08 09:26:18 1.34
+++ misc.c 2005/08/10 14:20:31
@@ -29,6 +29,7 @@ RCSID("$OpenBSD: misc.c,v 1.34 2005/07/0
 #include "misc.h"
 #include "log.h"
 #include "xmalloc.h"
+#include "ssh.h"
 /* remove newline at end of string */
 char *
@@ -268,6 +269,25 @@ convtime(const char *s)
 }
 return total;
+}
+
+char *
+put_host_port(const char *host, u_short port)
+{
+ int ret;
+ char *p;
+
+ if (port == 0 || port == SSH_DEFAULT_PORT)
+ return(xstrdup(host));
+ if ((p = strchr(host, ':')) != NULL && strchr(p+1, ':') != NULL)
+ ret = asprintf(&p, "[%s]:%hd", host, port); /* IPv6 */
+ else
+ ret = asprintf(&p, "%s:%hd", host, port);
+
+ if (ret == -1)
+ fatal("put_host_port: %s", strerror(errno));
+ debug3("put_host_port: %s", p);
+ return p;
 }
 /*
Index: misc.h
================================================== =================
RCS file: /cvs/src/usr.bin/ssh/misc.h,v
retrieving revision 1.25
diff -u -p -r1.25 misc.h
--- misc.h 2005/07/14 04:00:43 1.25
+++ misc.h 2005/08/10 14:20:31
@@ -20,6 +20,7 @@ int set_nonblock(int);
 int unset_nonblock(int);
 void set_nodelay(int);
 int a2port(const char *);
+char *put_host_port(const char *, u_short);
 char *hpdelim(char **);
 char *cleanhostname(char *);
 char *colon(char *);
Index: sshconnect.c
================================================== =================
RCS file: /cvs/src/usr.bin/ssh/sshconnect.c,v
retrieving revision 1.168
diff -u -p -r1.168 sshconnect.c
--- sshconnect.c 2005/07/17 07:17:55 1.168
+++ sshconnect.c 2005/08/10 14:20:31
@@ -520,7 +520,7 @@ check_host_key(char *host, struct sockad
 {
 Key *file_key;
 const char *type = key_type(host_key);
- char *ip = NULL;
+ char *ip = NULL, *hoststr = NULL, *ipstr = NULL;
 char hostline[1000], *hostp, *fp;
 HostStatus host_status;
 HostStatus ip_status;
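Review bot: The `%hd` conversion in both asprintf() calls of put_host_port is a signed-short conversion applied to a u_short, so any port above 32767 (say 50000) is recorded in known_hosts as `host:-15536`; ssh still finds its own entry on later connections because it rebuilds the same wrong string, but a line a user writes by hand as `host:50000` will never match and the key is treated as new. Use an unsigned conversion with a matching argument, `ret = asprintf(&p, "[%s]:%u", host, (unsigned)port); /* IPv6 */` and `ret = asprintf(&p, "%s:%u", host, (unsigned)port);`. The new function also has no header comment; something like `/* Return a newly allocated "host", "host:port" or "[host]:port" string; port 0 and SSH_DEFAULT_PORT give a bare copy of host so existing known_hosts entries keep matching. */` would state the contract the sshconnect.c callers rely on. The sshconnect.c hunk sharing this line only adds the hoststr/ipstr declarations.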
@@ -580,14 +580,19 @@ check_host_key(char *host, struct sockad
 options.check_host_ip = 0;
 /*
- * Allow the user to record the key under a different name. This is
- * useful for ssh tunneling over forwarded connections or if you run
- * multiple sshd's on different ports on the same machine.
+ * Allow the user to record the key under a different name or
+ * differentiate a non-standard port. This is useful for ssh
+ * tunneling over forwarded connections or if you run multiple
+ * sshd's on different ports on the same machine.
 */
 if (options.host_key_alias != NULL) {
 host = options.host_key_alias;
 debug("using hostkeyalias: %s", host);
+ hoststr = xstrdup(host);
+ } else {
+ hoststr = put_host_port(host, options.port);
 }
+ ipstr = put_host_port(ip, options.port);
 /*
 * Store the host key from the known host file in here so that we can
@@ -600,12 +605,12 @@ check_host_key(char *host, struct sockad
 * hosts or in the systemwide list.
 */
 host_file = user_hostfile;
- host_status = check_host_in_hostfile(host_file, host, host_key,
+ host_status = check_host_in_hostfile(host_file, hoststr, host_key,
 file_key, &host_line);
 if (host_status == HOST_NEW) {
 host_file = system_hostfile;
- host_status = check_host_in_hostfile(host_file, host, host_key,
- file_key, &host_line);
+ host_status = check_host_in_hostfile(host_file, hoststr,
+ host_key, file_key, &host_line);
 }
 /*
 * Also perform check for the ip address, skip the check if we are
@@ -615,11 +620,11 @@ check_host_key(char *host, struct sockad
 Key *ip_key = key_new(host_key->type);
 ip_file = user_hostfile;
- ip_status = check_host_in_hostfile(ip_file, ip, host_key,
+ ip_status = check_host_in_hostfile(ip_file, ipstr, host_key,
 ip_key, &ip_line);
 if (ip_status == HOST_NEW) {
 ip_file = system_hostfile;
- ip_status = check_host_in_hostfile(ip_file, ip,
+ ip_status = check_host_in_hostfile(ip_file, ipstr,
 host_key, ip_key, &ip_line);
 }
 if (host_status == HOST_CHANGED &&
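Review bot: In the HostKeyAlias branch hoststr is a plain `xstrdup(host)` with no port suffix, while ipstr is always built with `put_host_port(ip, options.port)`, so for an aliased connection on a non-default port the host entry is keyed by the bare alias but the IP entry by `ip:port`. If that is intended (the alias is the user's own disambiguator, as the rewritten comment suggests) it deserves a line in that comment, e.g. ` * A HostKeyAlias is used verbatim; the :port suffix is only added to real host names and to the IP address.`; if not, the alias branch should also go through put_host_port. check_host_key continues on both sides of this hunk.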
@@ -636,22 +641,23 @@ check_host_key(char *host, struct sockad
 case HOST_OK:
 /* The host is known and the key matches. */
 debug("Host '%.200s' is known and matches the %s host key.",
- host, type);
+ hoststr, type);
 debug("Found key in %s:%d", host_file, host_line);
 if (options.check_host_ip && ip_status == HOST_NEW) {
 if (readonly)
 logit("%s host key for IP address "
 "'%.128s' not in list of known hosts.",
- type, ip);
+ type, ipstr);
 else if (!add_host_to_hostfile(user_hostfile, ip,
 host_key, options.hash_known_hosts))
 logit("Failed to add the %s host key for IP "
 "address '%.128s' to the list of known "
- "hosts (%.30s).", type, ip, user_hostfile);
+ "hosts (%.30s).", type, ipstr,
+ user_hostfile);
 else
 logit("Warning: Permanently added the %s host "
 "key for IP address '%.128s' to the list "
- "of known hosts.", type, ip);
+ "of known hosts.", type, ipstr);
 }
 break;
 case HOST_NEW:
@@ -665,12 +671,12 @@ check_host_key(char *host, struct sockad
 * alternative left is to abort.
 */
 error("No %s host key is known for %.200s and you "
- "have requested strict checking.", type, host);
+ "have requested strict checking.", type, hoststr);
 goto fail;
 } else if (options.strict_host_key_checking == 2) {
 char msg1[1024], msg2[1024];
- if (show_other_keys(host, host_key))
+ if (show_other_keys(hoststr, host_key))
 snprintf(msg1, sizeof(msg1),
 "\nbut keys of different type are already"
 " known for this host.");
@@ -695,7 +701,7 @@ check_host_key(char *host, struct sockad
 "%s key fingerprint is %s.\n%s"
 "Are you sure you want to continue connecting "
 "(yes/no)? ",
- host, ip, msg1, type, fp, msg2);
+ hoststr, ipstr, msg1, type, fp, msg2);
 xfree(fp);
 if (!confirm(msg))
 goto fail;
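Review bot: In the HOST_OK case the IP lookup now uses ipstr (the @@ -615 hunk earlier in this patch) but the write-back `add_host_to_hostfile(user_hostfile, ip, host_key, options.hash_known_hosts)` still passes the bare `ip`, while the messages on the `+` lines say ipstr was added. With a non-default port the entry written is `1.2.3.4` (or its hash) and the next lookup for `1.2.3.4:222` will not match it, so the key is appended again on every connection and the "Permanently added" message is misleading. The call should pass the same string that is looked up: `else if (!add_host_to_hostfile(user_hostfile, ipstr,`. The switch continues past the end of this hunk.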
@@ -706,13 +712,13 @@ check_host_key(char *host, struct sockad
 */
 if (options.check_host_ip && ip_status == HOST_NEW) {
 snprintf(hostline, sizeof(hostline), "%s,%s",
- host, ip);
+ hoststr, ipstr);
 hostp = hostline;
 if (options.hash_known_hosts) {
 /* Add hash of host and IP separately */
- r = add_host_to_hostfile(user_hostfile, host,
+ r = add_host_to_hostfile(user_hostfile, hoststr,
 host_key, options.hash_known_hosts) &&
- add_host_to_hostfile(user_hostfile, ip,
+ add_host_to_hostfile(user_hostfile, ipstr,
 host_key, options.hash_known_hosts);
 } else {
 /* Add unhashed "host,ip" */
@@ -721,9 +727,9 @@ check_host_key(char *host, struct sockad
 options.hash_known_hosts);
 }
 } else {
- r = add_host_to_hostfile(user_hostfile, host, host_key,
- options.hash_known_hosts);
- hostp = host;
+ r = add_host_to_hostfile(user_hostfile, hoststr,
+ host_key, options.hash_known_hosts);
+ hostp = hoststr;
 }
 if (!r)
@@ -745,8 +751,8 @@ check_host_key(char *host, struct sockad
 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@");
 error("@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @");
 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@");
- error("The %s host key for %s has changed,", type, host);
- error("and the key for the according IP address %s", ip);
+ error("The %s host key for %s has changed,", type, hoststr);
+ error("and the key for the according IP address %s", ipstr);
 error("%s. This could either mean that", key_msg);
 error("DNS SPOOFING is happening or the IP address for the host");
 error("and its host key have changed at the same time.");
@@ -765,7 +771,7 @@ check_host_key(char *host, struct sockad
 */
 if (options.strict_host_key_checking) {
 error("%s host key for %.200s has changed and you have "
- "requested strict checking.", type, host);
+ "requested strict checking.", type, hoststr);
 goto fail;
 }
@@ -826,7 +832,7 @@ check_host_key(char *host, struct sockad
 "Warning: the %s host key for '%.200s' "
 "differs from the key for the IP address '%.128s'"
 "\nOffending key for IP in %s:%d",
- type, host, ip, ip_file, ip_line);
+ type, hoststr, ipstr, ip_file, ip_line);
 if (host_status == HOST_OK) {
 len = strlen(msg);
 snprintf(msg + len, sizeof(msg) - len,
@@ -848,10 +854,14 @@ check_host_key(char *host, struct sockad
 }
 xfree(ip);
+ xfree(hoststr);
+ xfree(ipstr);
 return 0;
 fail:
 xfree(ip);
+ xfree(hoststr);
+ xfree(ipstr);
 return -1;
 }
Index: sshd.8
================================================== =================
RCS file: /cvs/src/usr.bin/ssh/sshd.8,v
retrieving revision 1.208
diff -u -p -r1.208 sshd.8
--- sshd.8 2005/06/08 03:50:00 1.208
+++ sshd.8 2005/08/10 14:20:31
@@ -530,6 +530,15 @@ A pattern may also be preceded by
 to indicate negation: if the host name matches a negated pattern, it is not accepted (by that line) even if it matched another pattern on the line.
+A hostname may optionally be followed by a
+.Ql :
+and then a non-standard port number.
+If an IPv6 address has a non-standard port number then the address must
+be enclosed within
+.Ql [
+and
+.Ql ]
+brackets.
 .Pp
 Alternately, hostnames may be stored in a hashed form which hides host names and addresses should the file's contents be disclosed.
--------------080909080505040207080501 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@mindrot.org http://www.mindrot.org/mailman/listi...enssh-unix-dev --------------080909080505040207080501-- |