My port forwarding changes require an authorization (authentication)
context in channel_connect_to(). I'd like to change the dispatch_*
functions so that they accept an Authctxt * instead of a void * (this
parameter is already used this way). In addition, I'd have to pass
the authctxt all the way down to channel_connect_to(). As a side
effect, it's possible to get rid of the global variable x_authctxt
(which seems to be sort of a hack), because it's easy to provide the
authctxt information in all places where auth_get_user() is currently
called.

In addition, server_loop() would be changed to accept a struct passwd *
and build a fake authctxt for it, to be compatible with the v2 code
path.

Thoughts?

-- 
Florian Weimer            Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart   http://cert.uni-stuttgart.de/
RUS-CERT                  +49-711-685-5973/fax +49-711-685-5898
On Fri, Nov 24, 2000 at 06:19:58PM +0100, Florian Weimer wrote:
> My port forwarding changes require an authorization (authentication)
> context in channel_connect_to(). I'd like to change the dispatch_*
> functions so that they accept an Authctxt * instead of a void * (this
> parameter is already used this way).

void * should be replaced by a more general Context structure.
this will be necessary for the implementation of rekeying in SSH2.

moreover, i'd like to add a more general 'policy API' to ssh,
see example below. this should include not only port, but also
agent and X11 forwarding.

> In addition, I'd have to pass
> the authctxt all the way down to channel_connect_to(). As a side
> effect, it's possible to get rid of the global variable x_authctxt
> (which seems to be sort of a hack), because it's easy to provide the
> authctxt information in all places where auth_get_user() is currently
> called.

yes, this would be nice. i think that the Authctxt will be passed to
	do_authenticated(Authctxt *a);
	do_authenticated2(Authctxt *a);
or something similar. more integration is definitely needed
(e.g. usage of Authctxt for ssh1, too).

> In addition, server_loop() would be changed to accept a struct passwd *
> and build a fake authctxt for it, to be compatible with the v2 code
> path.
> 
> Thoughts?

-markus

#ifndef _POLICY_H
#define _POLICY_H

typedef struct {
	char *cipher_send;
	char *cipher_receive;
} transport_info_t;

int policy_login(const char *user, const char *version, const char *service,
    const char *clienthost, const char *clientip,
    const char *serverhost, const char *serverip,
    transport_info_t *tinfo, char **allowed_auths, struct passwd **pw);

void policy_init(const char *user, const char *version, const char *authmethod,
    const char *clienthost, const char *clientip,
    const char *serverhost, const char *serverip);

int policy_portforward_local(const char *dsthost, int dstport,
    const char *originhost, int originport);
int policy_portforward_remote(const char *listenhost, int listenport);
int policy_portforward_x11(int single, const char *proto);
int policy_forward_agent(void);

int policy_cmd(const char *type, const char *arg1, const char *arg2);

#endif /* _POLICY_H */
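As an added illustration of the two ideas in this exchange (a policy API with the shape of Markus's policy.h, and Florian's point that the authentication context should be passed down to channel_connect_to() rather than read from a global), here is a small toy policy module. It is example code written for this page, not OpenSSH code and not from either poster's patches. It departs from policy.h in one deliberate way: every decision function takes the Authctxt as its first argument instead of relying on state stashed by policy_init(). The Authctxt fields, the rule table, the user names and the deny-by-default rules are all constructed assumptions for the example.

```c
/*
 * Added example, not OpenSSH code: a toy policy module shaped like the
 * policy.h in the thread, but with the Authctxt passed to every decision
 * function instead of being kept in a global.  The Authctxt fields, the
 * rule table and the users in it are constructed for this example.
 */
#include <stdio.h>
#include <string.h>

/* Stand-in for OpenSSH's Authctxt: only what the policy needs to see. */
typedef struct {
	const char *user;
	const char *clientip;
} Authctxt;

/* One local-forward rule.  NULL user matches every user, NULL dsthost
 * matches every destination, dstport 0 matches every port. */
typedef struct {
	const char *user;
	const char *dsthost;
	int dstport;
} fwd_rule;

/* Constructed allowlist: alice may reach the database host on 5432,
 * bob may reach any host on 80.  Anything not listed is denied. */
static const fwd_rule local_rules[] = {
	{ "alice", "db.example.internal", 5432 },
	{ "bob",   NULL,                   80  },
};

/* Constructed list of users allowed to forward their agent. */
static const char *const agent_users[] = { "alice" };

static int
rule_matches(const fwd_rule *r, const Authctxt *ctxt, const char *dsthost, int dstport)
{
	if (r->user != NULL && strcmp(r->user, ctxt->user) != 0)
		return 0;
	if (r->dsthost != NULL && strcmp(r->dsthost, dsthost) != 0)
		return 0;
	if (r->dstport != 0 && r->dstport != dstport)
		return 0;
	return 1;
}

/* -L style forward: first matching rule allows, otherwise deny. */
int
policy_portforward_local(const Authctxt *ctxt, const char *dsthost, int dstport,
    const char *originhost, int originport)
{
	size_t i;

	(void)originhost; (void)originport;	/* not consulted by this toy policy */
	if (ctxt == NULL || ctxt->user == NULL)	/* no authenticated user: deny */
		return 0;
	for (i = 0; i < sizeof(local_rules) / sizeof(local_rules[0]); i++)
		if (rule_matches(&local_rules[i], ctxt, dsthost, dstport))
			return 1;
	return 0;
}

/* -R style forward: authenticated user, unprivileged port, loopback bind only. */
int
policy_portforward_remote(const Authctxt *ctxt, const char *listenhost, int listenport)
{
	if (ctxt == NULL || ctxt->user == NULL)
		return 0;
	if (listenport < 1024)
		return 0;
	if (strcmp(listenhost, "localhost") != 0 && strcmp(listenhost, "127.0.0.1") != 0)
		return 0;
	return 1;
}

int
policy_forward_agent(const Authctxt *ctxt)
{
	size_t i;

	if (ctxt == NULL || ctxt->user == NULL)
		return 0;
	for (i = 0; i < sizeof(agent_users) / sizeof(agent_users[0]); i++)
		if (strcmp(agent_users[i], ctxt->user) == 0)
			return 1;
	return 0;
}

/* Where channel_connect_to() would consult the policy once the Authctxt is
 * passed down.  Returns 0 if the connection would be made, -1 if refused
 * (the real function returns a socket descriptor). */
int
channel_connect_to(const Authctxt *ctxt, const char *host, int port,
    const char *originator, int originator_port)
{
	if (!policy_portforward_local(ctxt, host, port, originator, originator_port)) {
		fprintf(stderr, "port forward to %s:%d refused for user %s from %s\n",
		    host, port, (ctxt && ctxt->user) ? ctxt->user : "(none)", originator);
		return -1;
	}
	/* connect(2) to host:port would happen here */
	return 0;
}

int
main(void)
{
	Authctxt alice = { "alice", "192.0.2.10" };
	Authctxt mallory = { "mallory", "192.0.2.11" };

	printf("alice -> db:5432: %d\n",
	    channel_connect_to(&alice, "db.example.internal", 5432, alice.clientip, 40000));
	printf("mallory -> db:5432: %d\n",
	    channel_connect_to(&mallory, "db.example.internal", 5432, mallory.clientip, 40001));
	return 0;
}
```

The point of the explicit ctxt parameter is that the decision is made with the authenticated principal in hand at the place the connection is opened, so the same check works for the v1 path (server_loop() with a passwd entry wrapped in an Authctxt) and the v2 path without a process-wide x_authctxt.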
Florian Weimer <Florian.Weimer at RUS.Uni-Stuttgart.DE> writes:

> My port forwarding changes require an authorization (authentication)
> context in channel_connect_to(). I'd like to change the dispatch_*
> functions so that they accept an Authctxt * instead of a void * (this
> parameter is already used this way). In addition, I'd have to pass
> the authctxt all the way down to channel_connect_to().

I've finished these changes and integrated our old port forwarding
control patches (in a bit of a hackish way :-/). The current version is
still not in production use here ;-), but some initial tests were quite
promising.

A diff to portable OpenSSH 2.3.0p1 and an OpenPGP signature are
available at:

http://cert.uni-stuttgart.de/files/openssh/openssh-2.3.0p1-RUS-CERT-1.diff
http://cert.uni-stuttgart.de/files/openssh/openssh-2.3.0p1-RUS-CERT-1.diff.sig

Updates/improvements/bug fixes will be announced at:

http://cert.uni-stuttgart.de/projects/openssh.php

Of course, it would be nice if this patch (or a modified version) would
find its way into the official source tree, so that we don't have to
keep track of OpenSSH and patch in our modifications each time a new
version is released. Directions regarding patch submission are
therefore greatly appreciated.

-- 
Florian Weimer            Florian.Weimer at RUS.Uni-Stuttgart.DE
University of Stuttgart   http://cert.uni-stuttgart.de/
RUS-CERT                  +49-711-685-5973/fax +49-711-685-5898