[openssh-commits] [openssh] 02/03: upstream: allow bare port numbers to appear in PermitListen directives,

git+noreply at mindrot.org git+noreply at mindrot.org
Tue Jun 19 13:03:47 AEST 2018



djm pushed a commit to branch master
in repository openssh.

commit 87ddd676da0f3abd08b778b12b53b91b670dc93c
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Tue Jun 19 02:59:41 2018 +0000

    upstream: allow bare port numbers to appear in PermitListen directives,
    
    e.g.
    
    PermitListen 2222 8080
    
    is equivalent to:
    
    PermitListen *:2222 *:8080
    
    Some bonus manpage improvements, mostly from markus@
    
    "looks fine" markus@
    
    OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
---
 auth-options.c | 22 +++++++++++++++++-----
 servconf.c     | 26 +++++++++++++++++---------
 sshd.8         | 19 +++++++++++++++----
 sshd_config.5  | 28 ++++++++++++++++------------
 4 files changed, 65 insertions(+), 30 deletions(-)

diff --git a/auth-options.c b/auth-options.c
index 151b16ec..27c0eb05 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.82 2018/06/07 09:26:42 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.83 2018/06/19 02:59:41 djm Exp $ */
 /*
  * Copyright (c) 2018 Damien Miller <djm at mindrot.org>
  *
@@ -313,8 +313,8 @@ sshauthopt_new_with_keys_defaults(void)
  * Return 0 on success. Return -1 on failure and sets *errstrp to error reason.
  */
 static int
-handle_permit(const char **optsp, char ***permitsp, size_t *npermitsp,
-    const char **errstrp)
+handle_permit(const char **optsp, int allow_bare_port,
+    char ***permitsp, size_t *npermitsp, const char **errstrp)
 {
 	char *opt, *tmp, *cp, *host, **permits = *permitsp;
 	size_t npermits = *npermitsp;
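Review bot: The header comment above handle_permit (the "Return 0 on success" line in the hunk's context) is not updated for the new `allow_bare_port` parameter, so a reader has to find the branch in the body to learn what it means. Add a line to that comment such as `* If allow_bare_port is set, an argument with no ':' is taken as a port on the wildcard host "*".` to match the behaviour introduced in the body. handle_permit's body continues past this hunk.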
@@ -327,6 +327,18 @@ handle_permit(const char **optsp, char ***permitsp, size_t *npermitsp,
 	if ((opt = opt_dequote(optsp, &errstr)) == NULL) {
 		return -1;
 	}
+	if (allow_bare_port && strchr(opt, ':') == NULL) {
+		/*
+		 * Allow a bare port number in permitlisten to indicate a
+		 * listen_host wildcard.
+		 */
+		if (asprintf(&tmp, "*:%s", opt) < 0) {
+			*errstrp = "memory allocation failed";
+			return -1;
+		}
+		free(opt);
+		opt = tmp;
+	}
 	if ((tmp = strdup(opt)) == NULL) {
 		free(opt);
 		*errstrp = "memory allocation failed";
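Review bot: The new asprintf failure branch returns -1 without freeing `opt`, while the strdup failure path immediately below it does `free(opt)` before setting the error string, so the dequoted option string leaks on that one path. Add `free(opt);` before `*errstrp = "memory allocation failed";` in the bare-port branch so both allocation-failure paths release it. A side effect of the `strchr(opt, ':') == NULL` test worth a comment is that an empty or non-numeric bare token becomes `*:` / `*:name` and is presumably rejected by the port check later in the function, which is outside this hunk. handle_permit's body continues past the end of the hunk.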
@@ -474,11 +486,11 @@ sshauthopt_parse(const char *opts, const char **errstrp)
 			}
 			ret->env[ret->nenv++] = opt;
 		} else if (opt_match(&opts, "permitopen")) {
-			if (handle_permit(&opts, &ret->permitopen,
+			if (handle_permit(&opts, 0, &ret->permitopen,
 			    &ret->npermitopen, &errstr) != 0)
 				goto fail;
 		} else if (opt_match(&opts, "permitlisten")) {
-			if (handle_permit(&opts, &ret->permitlisten,
+			if (handle_permit(&opts, 1, &ret->permitlisten,
 			    &ret->npermitlisten, &errstr) != 0)
 				goto fail;
 		} else if (opt_match(&opts, "tunnel")) {
diff --git a/servconf.c b/servconf.c
index 6e70e631..cb578658 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.332 2018/06/09 03:03:10 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.333 2018/06/19 02:59:41 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -1870,15 +1870,23 @@ process_server_config_line(ServerOptions *options, char *line,
 			break;
 		}
 		for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
-			arg2 = xstrdup(arg);
-			p = hpdelim(&arg);
-			/* XXX support bare port number for PermitListen */
-			if (p == NULL) {
-				fatal("%s line %d: missing host in %s",
-				    filename, linenum,
-				    lookup_opcode_name(opcode));
+			if (opcode == sPermitListen &&
+			    strchr(arg, ':') == NULL) {
+				/*
+				 * Allow bare port number for PermitListen
+				 * to indicate a wildcard listen host.
+				 */
+				xasprintf(&arg2, "*:%s", arg);
+			} else {
+				arg2 = xstrdup(arg);
+				p = hpdelim(&arg);
+				if (p == NULL) {
+					fatal("%s line %d: missing host in %s",
+					    filename, linenum,
+					    lookup_opcode_name(opcode));
+				}
+				p = cleanhostname(p);
 			}
-			p = cleanhostname(p);
 			if (arg == NULL ||
 			    ((port = permitopen_port(arg)) < 0)) {
 				fatal("%s line %d: bad port number in %s",
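Review bot: In the new bare-port branch `p` is never assigned, so it keeps whatever value it had from the previous loop iteration (or from earlier in the function); that is harmless only if nothing after this hunk reads `p`, which cannot be confirmed from here. Either set `p = "*";` inside the branch, or add a comment such as `/* p is not used below; arg2 carries the full "*:port" spec */` so the stale pointer is clearly intentional. Note also that a host-only token without a colon (e.g. `PermitListen example.com`) now reaches the `permitopen_port(arg)` check and fails with "bad port number" rather than "missing host", which is acceptable but worth a word in the comment. process_server_config_line starts and ends outside this hunk.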
diff --git a/sshd.8 b/sshd.8
index 6127bb57..c05bbe65 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.301 2018/06/07 11:26:14 jmc Exp $
-.Dd $Mdocdate: June 7 2018 $
+.\" $OpenBSD: sshd.8,v 1.302 2018/06/19 02:59:41 djm Exp $
+.Dd $Mdocdate: June 19 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -554,11 +554,11 @@ Disables execution of
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.
-.It Cm permitlisten="host:port"
+.It Cm permitlisten="[host:]port"
 Limit remote port forwarding with the
 .Xr ssh 1
 .Fl R
-option such that it may only listen on the specified host and port.
+option such that it may only listen on the specified host (optional) and port.
 IPv6 addresses can be specified by enclosing the address in square brackets.
 Multiple
 .Cm permitlisten
@@ -571,6 +571,15 @@ matches any port.
 Note that the setting of
 .Cm GatewayPorts
 may further restrict listen addresses.
+Note that
+.Xr ssh 1
+will send a hostname of
+.Dq localhost
+if a listen host was not specified when the forwarding was requested, and
+that his name is treated differently to the explicit localhost addresses
+.Dq 127.0.0.1
+and
+.Dq ::1 .
 .It Cm permitopen="host:port"
 Limit local port forwarding with the
 .Xr ssh 1
@@ -639,6 +648,8 @@ command="dump /home",no-pty,no-port-forwarding ssh-dss
 AAAAC3...51R== example.net
 permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
 AAAAB5...21S==
+permitlisten="localhost:8080",permitopen="localhost:22000" ssh-dss
+AAAAB5...21S==
 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
 jane at example.net
 restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
diff --git a/sshd_config.5 b/sshd_config.5
index 14ebafd7..c0683d4a 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.275 2018/06/09 03:18:11 djm Exp $
-.Dd $Mdocdate: June 9 2018 $
+.\" $OpenBSD: sshd_config.5,v 1.276 2018/06/19 02:59:41 djm Exp $
+.Dd $Mdocdate: June 19 2018 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1196,18 +1196,13 @@ The listen specification must be one of the following forms:
 .It
 .Cm PermitListen
 .Sm off
+.Ar port
+.Sm on
+.It
+.Cm PermitListen
+.Sm off
 .Ar host : port
 .Sm on
-.It
-.Cm PermitListen
-.Sm off
-.Ar IPv4_addr : port
-.Sm on
-.It
-.Cm PermitListen
-.Sm off
-.Ar \&[ IPv6_addr \&] : port
-.Sm on
 .El
 .Pp
 Multiple permissions may be specified by separating them with whitespace.
@@ -1226,6 +1221,15 @@ By default all port forwarding listen requests are permitted.
 Note that the
 .Cm GatewayPorts
 option may further restrict which addresses may be listened on.
+Note also that
+.Xr ssh 1
+will request a listen host of
+.Dq localhost
+if no listen host was specifically requested, and this this name is
+treated differently to explict localhost addresses of
+.Dq 127.0.0.1
+and
+.Dq ::1 .
 .It Cm PermitOpen
 Specifies the destinations to which TCP port forwarding is permitted.
 The forwarding specification must be one of the following forms:
