Hi !
I hacked together a couple of patches for Openssh 2.1.1p4 port forwarding.
It is a one patch file that does the following two things:
First:
If the server is configured not to allow port forwardings it sends
SSH_SMSG_FAILURE (protocol 1) while openssh client expects SSH_SMSG_SUCCESS.
When the client gets the failure it exists with protocol error message.
This patch will accept both failure and success messages.
Second:
I added a new configuration option to sshd_config: PortForwarding
that can be used to disable port forwarding on the server (It does
nothing to the client).
This option can be used to mimic the commercial
ssh compile time option --disable-server-port-forwarding (or something
like that). I think a better solution would be to have tcp_wrappers like
access control to port forwarding (like the commercial ssh2) and/or
something like allow/deny port forwarding users ? What do you think ...
TEST the patch BEFORE using it in production !
-Jarno
--
Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi
University of Kuopio - Computer Center | Work: +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169
-------------- next part --------------
diff -u -r openssh-2.1.1p4/channels.c openssh-2.1.1p4-jhchanges/channels.c
--- openssh-2.1.1p4/channels.c Mon Jun 26 03:22:53 2000
+++ openssh-2.1.1p4-jhchanges/channels.c Sun Aug 13 02:22:42 2000
@@ -59,6 +59,9 @@
*/
static int channels_alloc = 0;
+/* Jarno: Needed to check if port_forwarding is allowed */
+extern ServerOptions options;
+
/*
* Maximum file descriptor value used in any of the channels. This is
* updated in channel_allocate.
@@ -1506,15 +1509,12 @@
u_short port_to_connect)
{
int payload_len;
+ int type;
+
/* Record locally that connection to this host/port is permitted. */
if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
fatal("channel_request_remote_forwarding: too many forwards");
- permitted_opens[num_permitted_opens].host_to_connect =
xstrdup(host_to_connect);
- permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
- permitted_opens[num_permitted_opens].listen_port = listen_port;
- num_permitted_opens++;
-
/* Send the forward request to the remote side. */
if (compat20) {
const char *address_to_bind = "0.0.0.0";
@@ -1534,7 +1534,28 @@
* Wait for response from the remote side. It will send a disconnect
* message on failure, and we will never see it here.
*/
- packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
+
+ /* Jarno: Server can send SSH_SMSG_FAILURE if it won't do port
+ forwardings !
+ */
+
+ type = packet_read(&payload_len);
+
+ switch (type) {
+ case SSH_SMSG_SUCCESS:
+ permitted_opens[num_permitted_opens].host_to_connect =
xstrdup(host_to_connect);
+ permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
+ permitted_opens[num_permitted_opens].listen_port = listen_port;
+ num_permitted_opens++;
+ break;
+ case SSH_SMSG_FAILURE:
+ /* OK: Server won't do forwardings */
+ log("Warning: Server doesn't do port forwarding.");
+ break;
+ default:
+ /* Unknown packet */
+ packet_disconnect("Protocol error for port forward request: received
packet type %d.", type);
+ }
}
}
@@ -1637,6 +1658,17 @@
/* Get remote channel number. */
remote_channel = packet_get_int();
+
+ /* Jarno */
+ if (!options.port_forwarding) {
+ /* packet_get_all(); */
+ debug("Refused port forward request.");
+ packet_send_debug("Server configuration rejects port
forwardings.");
+ packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
+ packet_put_int(remote_channel);
+ packet_send();
+ return;
+ }
/* Get host name to connect to. */
host = packet_get_string(&host_len);
diff -u -r openssh-2.1.1p4/servconf.c openssh-2.1.1p4-jhchanges/servconf.c
--- openssh-2.1.1p4/servconf.c Sat Jul 15 07:14:17 2000
+++ openssh-2.1.1p4-jhchanges/servconf.c Sun Aug 13 00:06:25 2000
@@ -45,6 +45,7 @@
options->x11_forwarding = -1;
options->x11_display_offset = -1;
options->xauth_location = NULL;
+ options->port_forwarding = -1;
options->strict_modes = -1;
options->keepalives = -1;
options->log_facility = (SyslogFacility) - 1;
@@ -116,6 +117,8 @@
if (options->xauth_location == NULL)
options->xauth_location = XAUTH_PATH;
#endif /* XAUTH_PATH */
+ if (options->port_forwarding == -1)
+ options->port_forwarding = 1; /* Allow forwarding */
if (options->strict_modes == -1)
options->strict_modes = 1;
if (options->keepalives == -1)
@@ -180,9 +183,9 @@
sSkeyAuthentication,
#endif
sPasswordAuthentication, sListenAddress,
- sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
- sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
- sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
+ sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
+ sPortForwarding, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives,
+ sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups
} ServerOpCodes;
@@ -227,6 +230,7 @@
{ "x11forwarding", sX11Forwarding },
{ "x11displayoffset", sX11DisplayOffset },
{ "xauthlocation", sXAuthLocation },
+ { "portforwarding", sPortForwarding },
{ "strictmodes", sStrictModes },
{ "permitemptypasswords", sEmptyPasswd },
{ "uselogin", sUseLogin },
@@ -518,7 +522,11 @@
case sXAuthLocation:
charptr = &options->xauth_location;
goto parse_filename;
-
+
+ case sPortForwarding:
+ intptr = &options->port_forwarding;
+ goto parse_flag;
+
case sStrictModes:
intptr = &options->strict_modes;
goto parse_flag;
diff -u -r openssh-2.1.1p4/servconf.h openssh-2.1.1p4-jhchanges/servconf.h
--- openssh-2.1.1p4/servconf.h Tue Jul 11 10:31:38 2000
+++ openssh-2.1.1p4-jhchanges/servconf.h Sat Aug 12 18:25:21 2000
@@ -49,6 +49,7 @@
int x11_display_offset; /* What DISPLAY number to start
* searching at */
char *xauth_location; /* Location of xauth program */
+ int port_forwarding; /* If true allow port forwarding */
int strict_modes; /* If true, require string home dir modes. */
int keepalives; /* If true, set SO_KEEPALIVE. */
char *ciphers; /* Ciphers in order of preference. */
diff -u -r openssh-2.1.1p4/serverloop.c openssh-2.1.1p4-jhchanges/serverloop.c
--- openssh-2.1.1p4/serverloop.c Tue Jul 11 10:31:38 2000
+++ openssh-2.1.1p4-jhchanges/serverloop.c Sun Aug 13 14:06:06 2000
@@ -58,6 +58,9 @@
static volatile int child_has_selected; /* Child has had chance to drain. */
static volatile int child_wait_status; /* Status from wait(). */
+/* Jarno: Needed to check if port_forwarding is allowed */
+extern ServerOptions options;
+
void server_init_dispatch(void);
void
@@ -722,7 +725,10 @@
originator, originator_port, target, target_port);
/* XXX check permission */
- if (no_port_forwarding_flag) {
+ /* Jarno: */
+ if (no_port_forwarding_flag || !options.port_forwarding) {
+ packet_send_debug("Server configuration rejects port
forwardings.");
+ debug("Port forwarding disabled in server configuration.");
xfree(target);
xfree(originator);
return -1;
diff -u -r openssh-2.1.1p4/session.c openssh-2.1.1p4-jhchanges/session.c
--- openssh-2.1.1p4/session.c Wed Jul 12 02:45:27 2000
+++ openssh-2.1.1p4-jhchanges/session.c Sun Aug 13 00:51:47 2000
@@ -324,6 +324,13 @@
debug("Port forwarding not permitted for this authentication.");
break;
}
+ if (!options.port_forwarding) {
+ debug("Port forwarding disabled in server configuration.");
+ packet_send_debug("Port forwarding disabled in server configuration
file.");
+ success = 0;
+ break;
+ }
+
debug("Received TCP/IP port forwarding request.");
channel_input_port_forward_request(pw->pw_uid == 0,
options.gateway_ports);
success = 1;
diff -u -r openssh-2.1.1p4/sshd.8 openssh-2.1.1p4-jhchanges/sshd.8
--- openssh-2.1.1p4/sshd.8 Tue Jul 11 10:31:39 2000
+++ openssh-2.1.1p4-jhchanges/sshd.8 Sun Aug 13 13:47:46 2000
@@ -485,6 +485,10 @@
listens on.
The default is 22.
Multiple options of this type are permitted.
+.It Cm PortForwarding
+Specifies whether TCP/IP port forwarding is permitted.
+The default is
+.Dq yes .
.It Cm PrintMotd
Specifies whether
.Nm