search for: permitted_open

...-O to occur only once. So, to add or remove multiple channels ssh has to be called multiple times. Would it make sense to extend the code to allow it to occur multiple times? ssh -S ~/.ssh/ctl \ -O add-rforward 2000:forward:80 \ -O add-rforward 2001:forward:80 \ localhost 3) permitted_opens in channels.c is a real problem. The current code allocates a new element from the end of this array while adding a new forwarding. But when the forwarding is cancelled the element is not really freed. It is marked somehow to be not in use but the current code cannot reuse it. 4) again permit...

....1p4/channels.c Mon Jun 26 03:22:53 2000 +++ openssh-2.1.1p4-jhchanges/channels.c Tue Aug 15 19:10:49 2000 @@ -1506,38 +1509,139 @@ u_short port_to_connect) { int payload_len; + int type; + int success = 0; + /* Record locally that connection to this host/port is permitted. */ if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("channel_request_remote_forwarding: too many forwards"); - permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); - permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; - permitted_opens[num_per...

...-O to occur only once. So, to add or remove multiple channels ssh has to be called multiple times. Would it make sense to extend the code to allow it to occur multiple times? ssh -S ~/.ssh/ctl \ -O add-rforward 2000:forward:80 \ -O add-rforward 2001:forward:80 \ localhost 3) permitted_opens in channels.c is a real problem. The current code allocates a new element from the end of this array while adding a new forwarding. But when the forwarding is cancelled the element is not really freed. It is marked somehow to be not in use but the current code cannot reuse it. 4) again permit...

...1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, xstrdup("port listener"), 1); @@ -1536,15 +1639,12 @@ u_short port_to_connect) { int payload_len; + int type; + int success = 0; /* Record locally that connection to this host/port is permitted. */ if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("channel_request_remote_forwarding: too many forwards"); - permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); - permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; - permitted_opens[num_per...

...ptions options; + /* * Maximum file descriptor value used in any of the channels. This is * updated in channel_allocate. @@ -1506,15 +1509,12 @@ u_short port_to_connect) { int payload_len; + int type; + /* Record locally that connection to this host/port is permitted. */ if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("channel_request_remote_forwarding: too many forwards"); - permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); - permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; - permitted_opens[num_per...

...1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, xstrdup("port listener")); @@ -1506,38 +1645,149 @@ u_short port_to_connect) { int payload_len; + int type; + int success = 0; + /* Record locally that connection to this host/port is permitted. */ if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("channel_request_remote_forwarding: too many forwards"); - permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); - permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; - permitted_opens[num_per...

...erent addresses), the client always matches on the first listener > with that port, as seen in the following code snippet: > > Channel * > channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname) > { > int i; > > for (i = 0; i < num_permitted_opens; i++) { > if (permitted_opens[i].host_to_connect != NULL && > port_match(permitted_opens[i].listen_port, listen_port)) { > return connect_to( > permitted_opens[i].host_to_connect, >...

...t;auth.h" /* -- channel core */ @@ -91,11 +92,27 @@ u_short listen_port; /* Remote side should listen port number. */ } ForwardPermission; +/* That structure _only_ stocks authorized permitopennet demands + * A ForwardPermission entry is added at each incoming connexion + * in "permitted_opens" array + */ +typedef struct { + struct in_addr * netblock_to_connect; + struct in_addr * netmask_to_connect; + u_short porta_to_connect; + u_short portb_to_connect; +} ForwardNetPermission; + /* List of all permitted host/port pairs to connect. */ static ForwardPermission permitted_opens[SS...

...NULL; + c = channel_new(ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); c->connect_ctx = cctx; @@ -3347,6 +3479,10 @@ channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname) for (i = 0; i < num_permitted_opens; i++) { if (permitted_opens[i].host_to_connect != NULL && port_match(permitted_opens[i].listen_port, listen_port)) { + if (permitted_opens[i].port_to_connect == FWD_PERMIT_ANY_PORT) + return channel_new(ctype, SSH_CHANNEL_RDYNAMIC, -1, -1, -1, + CHAN_TCP_WINDOW_DEFAUL...

Hello everybody, running make tests on latest openssh-portable git master (V_6_6_P1-114-g72e6b5c) fails: [...] run test multiplex.sh ... test connection multiplexing: envpass test connection multiplexing: transfer test connection multiplexing: status 0 test connection multiplexing: status 1 test connection multiplexing: status 4 test connection multiplexing: status 5 test connection

....0.0"; + const char *address_to_bind = + listen_host == NULL ? "0.0.0.0" : listen_host; packet_start(SSH2_MSG_GLOBAL_REQUEST); packet_put_cstring("tcpip-forward"); packet_put_char(1); /* boolean: want reply */ @@ -2297,6 +2299,7 @@ } } if (success) { + permitted_opens[num_permitted_opens].listen_host = listen_host == NULL ? NULL : xstrdup(listen_host); permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; permitted_opens[num_permitted_opens].listen_port =...

https://bugzilla.mindrot.org/show_bug.cgi?id=2147 Bug ID: 2147 Summary: OpenSSH remote forwarding of dynamic ports doesn't work when you create more than one Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: normal Priority: P5

...terns = xmalloc(strlen(opts) + 1); opts += strlen(cp); @@ -247,8 +245,7 @@ } patterns[i] = 0; opts++; - if (sscanf(patterns, "%255[^:]:%5[0-9]", host, sport) != 2 && - sscanf(patterns, "%255[^/]/%5[0-9]", host, sport) != 2) { + if (channel_add_permitted_opens(patterns) < 0) { debug("%.100s, line %lu: Bad permitopen specification " "<%.100s>", file, linenum, patterns); auth_debug_add("%.100s, line %lu: " @@ -256,16 +253,6 @@ xfree(patterns); goto bad_option; } - if ((port = a2port...

...terns = xmalloc(strlen(opts) + 1); opts += strlen(cp); @@ -243,8 +243,7 @@ } patterns[i] = 0; opts++; - if (sscanf(patterns, "%255[^:]:%5[0-9]", host, sport) != 2 && - sscanf(patterns, "%255[^/]/%5[0-9]", host, sport) != 2) { + if (channel_add_permitted_opens(patterns) < 0) { debug("%.100s, line %lu: Bad permitopen specification " "<%.100s>", file, linenum, patterns); auth_debug_add("%.100s, line %lu: " @@ -252,16 +251,6 @@ xfree(patterns); goto bad_option; } - if ((port = a2port...

Hi, sorry if it is the wrong approuch to suggest improvments to OpenSSH, but here comes my suggestion: I recently stumbled upon the scponly shell which in it's chroot:ed form is an ideal solution when you want to share some files with people you trust more or less. The problem is, if you use the scponlyc as shell, port forwarding is still allowed. This can of course be dissallowed in

These patches implement a new mux client request to list the currently opened TCP forwardings. It also removes some todos regarding keeping the list of forwardings in the options up-to-date. Bert Wesarg (6): attach the forwarding type to struct Forward merge local and remote forward lists generate unique ids for forwardings to be used for identification remove closed forwardings from