search for: channel_connect_to

I just want to make sure I'm interpreting this correctly. In 5.0 channel_connect_to would only return the requested socket. You'd then need to use this socket to create the channel with with channel_new. In 5.1 channel_connect_to doesn't return the socket but rolls in channel_new and now returns the channel directly. The usage of channel_new hasn't changed though,...

My port forwarding changes require an authorization (authentication) context in channel_connect_to(). I'd like to change the dispatch_* functions so that they accept an Authctxt * instead of a void * (this parameter is already used this way). In addition, I'd have to pass the authctxt all the way down to channel_connect_to(). As a side effect, it's possible to get rid of the globa...

...ns = 0; /* * If this is true, all opens are permitted. This is the case on the server * on which we have to trust the client anyway, and the user could do @@ -2110,7 +2127,7 @@ originator_string = xstrdup("unknown (remote did not supply name)"); } packet_check_eom(); - sock = channel_connect_to(host, host_port); + sock = channel_connect_to(host, host_port, ctxt); if (sock != -1) { c = channel_new("connected socket", SSH_CHANNEL_CONNECTING, sock, sock, -1, 0, 0, 0, @@ -2349,7 +2366,7 @@ void channel_permit_all_opens(void) { - if (num_permitted_opens == 0) + if (num...

Hi, Just a usecase that I'm sure has been covered before but just in case its not an openssh solution would be very helpful. I was trying to install software on a server that was firewalled so no outbound http connections would work. I was also tunnelling via another server. Outbound ssh connections also were a convenient option. What would have been nice would be a remote version of

...for all I know, but I for one definitely would like to see this end up in the codebase, so I'm submitting it. *** openssh-5.1p1/serverloop.c Fri Jul 4 09:10:49 2008 --- openssh-5.1p1-RCFHACKS/serverloop.c Thu Jan 29 08:56:11 2009 *************** *** 957,962 **** --- 957,968 ---- c = channel_connect_to(target, target_port, "direct-tcpip", "direct-tcpip"); + if (c == NULL){ + verbose("Tunnel denied: user '%s' from %s to %s:%d", the_authctxt->user, get_remote_ipaddr(), target, target_port); + } else { + verbose("Tunn...

...eq, void *ctxt, int loud) { Channel *c = NULL; u_short host_port; @@ -1989,6 +1995,8 @@ originator_string = xstrdup("unknown (remote did not supply name)"); } packet_check_eom(); + if (loud) + log("TCP forwarding connection to %s port %d", host, host_port); sock = channel_connect_to(host, host_port); if (sock != -1) { c = channel_new("connected socket", @@ -2004,6 +2012,18 @@ xfree(host); } +void +channel_input_port_open_quiet(int type, u_int32_t seq, void *ctxt) +{ + channel_input_port_open(type, seq, ctxt, 0); +} + +void +channel_input_port_open_loud(int...

...for all I know, but I for one definitely would like to see this end up in the codebase, so I'm submitting it. *** openssh-5.1p1/serverloop.c Fri Jul 4 09:10:49 2008 --- openssh-5.1p1-RCFHACKS/serverloop.c Thu Jan 29 08:56:11 2009 *************** *** 957,962 **** --- 957,968 ---- c = channel_connect_to(target, target_port, "direct-tcpip", "direct-tcpip"); + if (c == NULL){ + verbose("Tunnel denied: user '%s' from %s to %s:%d", the_authctxt->user, get_remote_ipaddr(), target, target_port); + } else { + verbose("Tunn...

...hat forwards users requested port forwards as root, so the connection seems to come from root. Is it enough to open the socket as normal user so the connection would appear to come from that user ? (On Linux this seems to work, but what about other OS's ?) I tested this briefly by wrapping the channel_connect_to(target,target_port); (in serverloop.c:server_request_direct_tcpip) with temporarily_use_uid and restore_uid calls and it seems to work (I used hardcoded values for temporarily_use_uid). Is it possible to acquire the username/uid/gid info in server_request_direct_tcpip (and where the socket is open...

...p.c, function server_input_channel_open(), the ctype variable is a char *, dynamically allocated in packet_get_string. It's xfree'd at the end of the function. However, before that, it's passed to server_request_session/server_request_direct_tcpip, which call either channel_new or channel_connect_to, passing in ctype. The channel structure keeps a pointer to ctype, so when server_input_channel_open returns, and xfree's the ctype pointer, the pointer held by the channel structure is now pointing at free'd memory. The channel never appears to use the ctype at all (at least on the s...

...on: if (((strcmp(target, "localhost") == 0) && (!options.allow_nonlocal_port_forward_destinations)) || (options.allow_nonlocal_port_forward_destinations)) { debug("port forwarding to target %s allowed", target); sock = channel_connect_to(target, target_port); } else { debug("port forwarding to target %s not allowed", target); sock = -1; } This code effecitvely allows the OpenSSH server to be configured to only allow port forwarding if the destination host is the OpenSSH server itself (...

...log("Received request to open remote forwarded channel (%d) but the request was denied", rchan); + return NULL; + } + + /* TODO: Somekind of access control ?? + * Maybe tcp_wrappers/username/group based access control ?? + */ + + /* Open socket and allocate a channel for it */ + sock = channel_connect_to(permitted_opens[i].host_to_connect, + permitted_opens[i].port_to_connect); + + if ( sock >= 0 ) { + newch = channel_new("forwarded-tcpip", SSH_CHANNEL_OPEN, + sock, sock, -1, 4*1024, 32*1024, 0, + xstrdup(originator_address)); + c = channel_lookup...

...ceived request to open remote forwarded channel (%d) but the request was denied", rchan); + return NULL; + } + + /* TODO: call somekind of forward allowed function to check if connection + * is allowed. + */ + /* int allowed = allow_forwarded_tcpip( .... ); */ + + /* Open socket */ + sock = channel_connect_to(permitted_opens[i].host_to_connect, + permitted_opens[i].port_to_connect); + + if ( sock >= 0 ) { + newch = channel_new("forwarded-tcpip", SSH_CHANNEL_OPEN, + sock, sock, -1, 4*1024, 32*1024, 0, + xstrdup(client_address)); + c = channel_lookup( ne...

...et_af(int af); void channel_permit_all_opens(void); -void channel_add_permitted_opens(char *, int); +void channel_fix_permitted_opens(void); +int channel_add_permitted_opens(char *); void channel_clear_permitted_opens(void); void channel_input_port_forward_request(int, int); int channel_connect_to(const char *, u_short); --- servconf.c 26 Jul 2002 11:02:28 -0000 1.3 +++ servconf.c 13 Aug 2002 18:50:33 -0000 @@ -41,6 +41,7 @@ #include "cipher.h" #include "kex.h" #include "mac.h" +#include "channels.h" static void add_listen_addr(ServerOptions *, c...

Hi, sorry if it is the wrong approuch to suggest improvments to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in it's chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be dissallowed in

...port, gateway_ports); /* Free the argument string. */ xfree(hostname); diff -ru openssh-3.0.2p1/channels.h openssh-3.0.2p1-NewFeature/channels.h --- openssh-3.0.2p1/channels.h Sun Nov 11 18:04:55 2001 +++ openssh-3.0.2p1-NewFeature/channels.h Sat Jan 5 14:34:05 2002 @@ -189,7 +189,7 @@ int channel_connect_to(const char *, u_short); int channel_connect_by_listen_address(u_short); void channel_request_remote_forwarding(u_short, const char *, u_short); -int channel_request_local_forwarding(u_short, const char *, u_short, int); +int channel_request_local_forwarding(const char *, u_short, const char *...

...: warning: implicit declaration of function `socket' channels.c:1494: warning: implicit declaration of function `setsockopt' channels.c:1501: warning: implicit declaration of function `bind' channels.c:1512: warning: implicit declaration of function `listen' channels.c: In function `channel_connect_to': channels.c:1642: warning: implicit declaration of function `connect' channels.c: In function `x11_create_display_inet': channels.c:1819: warning: implicit declaration of function `gethostname' cipher.c: In function `cipher_by_name': cipher.c:450: warning: implicit declaration...

https://bugzilla.mindrot.org/show_bug.cgi?id=1513 Summary: CIDR address/masklen matching support for permitopen= Product: Portable OpenSSH Version: 5.1p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org

...name); diff -u -r openssh-3.8p1/channels.h openssh-3.8p1-localbind/channels.h --- openssh-3.8p1/channels.h 2003-10-01 23:17:00.000000000 -0700 +++ openssh-3.8p1-localbind/channels.h 2004-08-05 09:44:22.159094328 -0700 @@ -199,9 +199,9 @@ void channel_input_port_forward_request(int, int); int channel_connect_to(const char *, u_short); int channel_connect_by_listen_address(u_short); -void channel_request_remote_forwarding(u_short, const char *, u_short); -int channel_setup_local_fwd_listener(u_short, const char *, u_short, int); -int channel_setup_remote_fwd_listener(const char *, u_short, int); +void...

...log("Received request to open remote forwarded channel (%d) but the request was denied", rchan); + return NULL; } + + /* TODO: Somekind of access control ?? + * Maybe tcp_wrappers/username/group based access control ?? + */ + + /* Open socket and allocate a channel for it */ + sock = channel_connect_to(permitted_opens[i].host_to_connect, + permitted_opens[i].port_to_connect); + + if ( sock >= 0 ) { + newch = channel_new("forwarded-tcpip", SSH_CHANNEL_OPEN, + sock, sock, -1, 4*1024, 32*1024, 0, + xstrdup(originator_address), 1); + c = channel_lookup( newch ); +...