===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/readconf.c,v
retrieving revision 1.350
retrieving revision 1.351
diff -u -r1.350 -r1.351
--- src/usr.bin/ssh/readconf.c 2021/01/26 05:32:21 1.350
+++ src/usr.bin/ssh/readconf.c 2021/02/15 20:43:15 1.351
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.350 2021/01/26 05:32:21 dtucker Exp $ */
+/* $OpenBSD: readconf.c,v 1.351 2021/02/15 20:43:15 markus Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -133,6 +133,7 @@
 oPasswordAuthentication, oChallengeResponseAuthentication, oXAuthLocation, oIdentityFile, oHostname, oPort, oRemoteForward, oLocalForward,
+ oPermitRemoteOpen,
 oCertificateFile, oAddKeysToAgent, oIdentityAgent, oUser, oEscapeChar, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
@@ -233,6 +234,7 @@
 { "macs", oMacs },
 { "remoteforward", oRemoteForward },
 { "localforward", oLocalForward },
+ { "permitremoteopen", oPermitRemoteOpen },
 { "user", oUser },
 { "host", oHost },
 { "match", oMatch },
@@ -304,6 +306,7 @@
 { NULL, oBadOption }
 };
+static const char *lookup_opcode_name(OpCodes code);
 const char *
 kex_default_pk_alg(void)
@@ -898,9 +901,9 @@
 const char *original_host, char *line, const char *filename,
 int linenum, int *activep, int flags, int *want_final_pass, int depth)
 {
- char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
+ char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, *p, ch;
 char **cpptr, ***cppptr, fwdarg[256];
- u_int i, *uintptr, max_entries = 0;
+ u_int i, *uintptr, uvalue, max_entries = 0;
 int r, oactive, negated, opcode, *intptr, value, value2, cmdline = 0;
 int remotefwd, dynamicfwd;
 LogLevel *log_level_ptr;
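Review bot: In the `@@ -898` hunk the new scalar `ch` is tacked onto a declaration line that otherwise holds only pointers, `..., *arg2, *p, ch;`, which is easy to misread as one more pointer; a separate `char ch;` line, or grouping it with the other scalar locals, would read more clearly. As far as the visible hunks show, `p` and `ch` are assigned before every use inside the new `oPermitRemoteOpen` case, so leaving them uninitialised here is safe; the rest of process_config_line_depth is outside the hunk.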
@@ -1468,6 +1471,51 @@
 }
 break;
+ case oPermitRemoteOpen:
+ uintptr = &options->num_permitted_remote_opens;
+ cppptr = &options->permitted_remote_opens;
+ arg = strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: missing %s specification",
+ filename, linenum, lookup_opcode_name(opcode));
+ uvalue = *uintptr; /* modified later */
+ if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
+ if (*activep && uvalue == 0) {
+ *uintptr = 1;
+ *cppptr = xcalloc(1, sizeof(**cppptr));
+ (*cppptr)[0] = xstrdup(arg);
+ }
+ break;
+ }
+ for (; arg != NULL && *arg != '\0'; arg = strdelim(&s)) {
+ arg2 = xstrdup(arg);
+ ch = '\0';
+ p = hpdelim2(&arg, &ch);
+ if (p == NULL || ch == '/') {
+ fatal("%s line %d: missing host in %s",
+ filename, linenum,
+ lookup_opcode_name(opcode));
+ }
+ p = cleanhostname(p);
+ /*
+ * don't want to use permitopen_port to avoid
+ * dependency on channels.[ch] here.
+ */
+ if (arg == NULL ||
+ (strcmp(arg, "*") != 0 && a2port(arg) <= 0)) {
+ fatal("%s line %d: bad port number in %s",
+ filename, linenum,
+ lookup_opcode_name(opcode));
+ }
+ if (*activep && uvalue == 0) {
+ opt_array_append(filename, linenum,
+ lookup_opcode_name(opcode),
+ cppptr, uintptr, arg2);
+ }
+ free(arg2);
+ }
+ break;
+
 case oClearAllForwardings:
 intptr = &options->clear_forwardings;
 goto parse_flag;
@@ -2159,6 +2207,8 @@
 options->num_local_forwards = 0;
 options->remote_forwards = NULL;
 options->num_remote_forwards = 0;
+ options->permitted_remote_opens = NULL;
+ options->num_permitted_remote_opens = 0;
 options->log_facility = SYSLOG_FACILITY_NOT_SET;
 options->log_level = SYSLOG_LEVEL_NOT_SET;
 options->num_log_verbose = 0;
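Review bot: The host check in the new `oPermitRemoteOpen` loop, `if (p == NULL || ch == '/')`, rejects only a missing host and the `/` delimiter, so an entry with an empty host such as `:22` (where `hpdelim2()` presumably returns an empty string rather than NULL) passes validation and is appended verbatim; unless the channel-layer consumer re-validates the spec, `if (p == NULL || *p == '\0' || ch == '/')` would close that gap. The result of `cleanhostname(p)` is assigned to `p` but never read again, which is fine only because the unmodified copy `arg2` is what gets stored — worth a comment such as `/* validate host:port syntax only; the raw spec is stored and parsed again by the consumer */`. The `/* modified later */` note on `uvalue` is terse: it snapshots `*uintptr` because `opt_array_append()` grows it inside the loop, so every entry on this line is kept while a later `PermitRemoteOpen` directive is ignored (first obtained value wins), and saying so would spare the next reader the deduction. The enclosing switch and process_config_line_depth continue outside the hunk.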
@@ -3104,6 +3154,13 @@
 o->num_log_verbose, o->log_verbose);
 /* Special cases */
+
+ /* PermitRemoteOpen */
+ if (o->num_permitted_remote_opens == 0)
+ printf("%s any\n", lookup_opcode_name(oPermitRemoteOpen));
+ else
+ dump_cfg_strarray_oneline(oPermitRemoteOpen,
+ o->num_permitted_remote_opens, o->permitted_remote_opens);
 /* AddKeysToAgent */
 if (o->add_keys_to_agent_lifespan <= 0)