search for: all_opens_permit

Displaying 7 results from an estimated 7 matches for "all_opens_permit".

2005 Feb 22
0
TR: 3.8.1p1 option "permitopennet" added
...txt); if (sock != -1) { c = channel_new("connected socket", SSH_CHANNEL_CONNECTING, sock, sock, -1, 0, 0, 0, @@ -2349,7 +2366,7 @@ void channel_permit_all_opens(void) { - if (num_permitted_opens == 0) + if (num_permitted_opens == 0 && num_permittednet_opens == 0) all_opens_permitted = 1; } @@ -2368,6 +2385,35 @@ } void +channel_add_permittednet_opens(char *netblock, char *netmask, int porta, int portb) +{ + /* XXX this does not make any sens */ + if (num_permittednet_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) + fatal("channel_request_remote_forwarding: too man...
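Review bot: In channel_add_permittednet_opens, the fatal() message is prefixed with "channel_request_remote_forwarding", which is not the function raising it, so the log line will point at the wrong code path when the SSH_MAX_FORWARDS_PER_DIRECTION limit is hit; use the function's own name in the message. The "XXX this does not make any sens" comment directly above that limit check should either say what the concern is or be removed before this is merged.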
2017 May 04
5
OpenSSH contract development / patch
On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote: > Hi Devin, have you looked at using openssh certificates to help manage [...] > While the feature has been around for a while now (and is really > useful), there doesn't seem to be a huge amount of documentation around > it. I found the following useful when getting a client of mine running Yeah, when I wrote about it
2002 Aug 13
1
[PATCH] global port forwarding restriction
...atic int num_permitted_opens = 0; + +/* Don't allow any more to be added. */ +static int fix_permitted_opens = 0; + /* * If this is true, all opens are permitted. This is the case on the server * on which we have to trust the client anyway, and the user could do @@ -2212,10 +2216,31 @@ all_opens_permitted = 1; } +/* + * If the server-wide configuration specifies some permitted_opens + * then don't allow users to add to them. + */ void -channel_add_permitted_opens(char *host, int port) +channel_fix_permitted_opens(void) { - if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) + i...
2003 Jan 29
0
[PATCH] features for restricted shell environments
...dif /* Initiate forwarding */ + log("TCP forwarding listening on port %d %s", port, + gateway_ports ? "open" : "private"); channel_setup_local_fwd_listener(port, hostname, host_port, gateway_ports); /* Free the argument string. */ @@ -2227,10 +2249,31 @@ all_opens_permitted = 1; } +/* + * If the server-wide configuration specifies some permitted_opens + * then don't allow users to add to them. + */ void -channel_add_permitted_opens(char *host, int port) +channel_fix_permitted_opens(void) { - if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) + i...
2004 Jan 19
3
Security suggestion concerning SSH and port forwarding.
Hi, sorry if it is the wrong approach to suggest improvements to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in its chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be disallowed in
2017 Jun 16
2
[PATCH] allow relative path in streamlocal forwarding
...is permitted and connect. */ Channel * -channel_connect_to_path(const char *path, char *ctype, char *rname) +channel_connect_to_path(const char *path, char *ctype, char *rname, + struct ForwardOptions *fwd_opts) { int i, permit, permit_adm = 1; + char *connect_path; + Channel *c; permit = all_opens_permitted; if (!permit) { @@ -3852,7 +3926,21 @@ channel_connect_to_path(const char *path, char *ctype, char *rname) "but the request was denied.", path); return NULL; } - return connect_to(path, PORT_STREAMLOCAL, ctype, rname); + + if (path[0] != '/') { + if (fwd_opts-&gt...
2001 Oct 24
2
disable features
...ff -u -r1.140 channels.c --- channels.c 10 Oct 2001 22:18:47 -0000 1.140 +++ channels.c 22 Oct 2001 18:25:31 -0000 @@ -76,7 +76,7 @@ */ static int channel_max_fd = 0; - +#ifdef WITH_TCPFWD /* -- tcp forwarding */ /* @@ -102,8 +102,9 @@ * anything after logging in anyway. */ static int all_opens_permitted = 0; +#endif - +#ifdef WITH_X11FWD /* -- X11 forwarding */ /* Maximum number of fake X11 displays to try. */ @@ -122,8 +123,9 @@ */ static char *x11_fake_data = NULL; static u_int x11_fake_data_len; +#endif - +#ifdef WITH_AGENTFWD /* -- agent forwarding */ #define NUM_SOCKS 10 @@...