search for: fwd_permit_any_port

On Thu, May 04, 2017 at 09:37:59AM +1000, Adam Eijdenberg wrote: > Hi Devin, have you looked at using openssh certificates to help manage [...] > While the feature has been around for a while now (and is really > useful), there doesn't seem to be huge amount of documentation around > it. I found the following useful when getting a client of my running Yeah, when I wrote about it

...vers and there might be 2-3 servers that have been decommissioned. This patch is a huge improvement over allowing all ports to all hosts, which is all that I can do at this point without having a huge management headache. I was very surprised this wasn't supported alongside FWD_PERMIT_ANY_PORT. It's a simple enough change. I wonder if there was any debate on this or if it just slipped through the cracks as an uncommon use case? Note that this doesn't go down the more complex road of allowing more finegrained cases. The '*' is NOT actually a pattern, it is...

...nnel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname) for (i = 0; i < num_permitted_opens; i++) { if (permitted_opens[i].host_to_connect != NULL && port_match(permitted_opens[i].listen_port, listen_port)) { + if (permitted_opens[i].port_to_connect == FWD_PERMIT_ANY_PORT) + return channel_new(ctype, SSH_CHANNEL_RDYNAMIC, -1, -1, -1, + CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); + return connect_to( permitted_opens[i].host_to_connect, permitted_opens[i].port_to_connect, ctype, rname); diff --git a/channels.h b/channe...