permitopen for -R connections?

John P. Rouillard rouilj at cs.umb.edu
Thu Dec 6 08:37:02 EST 2001


It looks like there is good support for limiting connections on the
server side when the client uses the -L flag. What about support for
server side connections (listens) when the client uses the -R flag?

I am looking for an equivalent to permitopen that says what ports are
valid for the remote host when using the -R flag. As it sits now, an
unscrupulous ssh user can bind to any port above 1024 (on a unix box)
or bind to any port on a windows box.

Does anybody have any ideas? I am working from the 3.0.2p1 release of
the code. It seems like channels.c is the proper place to put this
code if I can develop it. Is there any roadmap to how the code in
connect.c is used or is this a case of UTSL? I just took a cursory
glance through the code and I fail to see any functions in channels.c
that are intended for setting up the reverse forwarded connections.

I assume I will have to add a new check function in:

 serverloop.c:server_input_global_request

at:

        /* check permissions */
        if (!options.allow_tcp_forwarding ||
            no_port_forwarding_flag ||
            (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) {
                success = 0;
                packet_send_debug("Server has disabled port forwarding."

I assumed I could implement a parallel mechanism to the -L port
checking, but I am having trouble figuring out how restriction of the
-L ports is implemented.

Any assistance welcome.

				-- rouilj
John Rouillard
===============================================================================
My employers don't acknowledge my existence much less my opinions.
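One way to build the "parallel mechanism" the post asks about, as an added illustration for this page and not code from OpenSSH or from the poster: an allow-list for reverse (-R) listens in the style of permitopen, evaluated after the existing gate quoted above from server_input_global_request. The spec format ("host:port" entries separated by commas, "*" as a wildcard for either side, a bare port meaning any host) is an assumption modelled on permitopen, and the names parse_permitlisten, remote_forward_permitted, listen_policy and listen_rule are hypothetical. Bracketed IPv6 addresses in the spec are not handled, and the tcpip-forward request's empty listen address ("all interfaces") is only matched by a "*" host rule.

```c
/* Added example, not OpenSSH code: a permitopen-style allow-list for -R
 * listens.  Spec format (assumed): "host:port[,host:port...]", "*" wildcards
 * either field, a bare "port" means any host.  Names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define IPPORT_RESERVED 1024
#define MAX_RULES 32

struct listen_rule { char host[256]; int port; int wild_port; };
struct listen_policy { struct listen_rule rules[MAX_RULES]; int n; int any; };

/* Parse the spec into pol.  NULL spec means "no restriction configured".
 * Returns 0 on success, -1 on a malformed or oversized spec. */
int parse_permitlisten(const char *spec, struct listen_policy *pol)
{
    char buf[1024], *save, *tok;

    memset(pol, 0, sizeof *pol);
    if (spec == NULL) { pol->any = 1; return 0; }
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);

    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        struct listen_rule *r;
        char *colon = strrchr(tok, ':');   /* bracketed IPv6 not handled */
        if (pol->n >= MAX_RULES) return -1;
        r = &pol->rules[pol->n];
        if (colon == NULL) {
            strcpy(r->host, "*");          /* bare port: any host */
        } else {
            *colon = '\0';
            if (tok[0] == '\0' || strlen(tok) >= sizeof r->host) return -1;
            strcpy(r->host, tok);
            tok = colon + 1;
        }
        if (strcmp(tok, "*") == 0) {
            r->wild_port = 1;
        } else {
            char *end;
            long p = strtol(tok, &end, 10);
            if (*tok == '\0' || *end != '\0' || p < 1 || p > 65535) return -1;
            r->port = (int)p;
        }
        pol->n++;
    }
    return pol->n > 0 ? 0 : -1;
}

/* Same gate as the quoted serverloop.c check, followed by the allow-list.
 * Returns 1 if the client may bind listen_host:listen_port, else 0. */
int remote_forward_permitted(const struct listen_policy *pol,
                             int allow_tcp_forwarding, int no_port_forwarding_flag,
                             unsigned uid, const char *listen_host, int listen_port)
{
    int i;

    if (!allow_tcp_forwarding || no_port_forwarding_flag)
        return 0;
    if (listen_port < IPPORT_RESERVED && uid != 0)
        return 0;                          /* existing privileged-port rule */
    if (pol->any)
        return 1;                          /* no permitlisten configured */
    for (i = 0; i < pol->n; i++) {
        const struct listen_rule *r = &pol->rules[i];
        if (strcmp(r->host, "*") != 0 && strcasecmp(r->host, listen_host) != 0)
            continue;
        if (!r->wild_port && r->port != listen_port)
            continue;
        return 1;
    }
    return 0;                              /* default deny */
}

int main(void)
{
    struct listen_policy pol;
    if (parse_permitlisten("localhost:8080,*:9000", &pol) != 0) return 1;
    printf("localhost:8080 -> %d\n", remote_forward_permitted(&pol, 1, 0, 1000, "localhost", 8080));
    printf("localhost:8081 -> %d\n", remote_forward_permitted(&pol, 1, 0, 1000, "localhost", 8081));
    printf("0.0.0.0:9000   -> %d\n", remote_forward_permitted(&pol, 1, 0, 1000, "0.0.0.0", 9000));
    printf("localhost:22   -> %d\n", remote_forward_permitted(&pol, 1, 0, 1000, "localhost", 22));
    return 0;
}
```

The policy is default-deny once a spec is configured, so a client asking for a port or address outside the list gets the same refusal path the quoted code already takes for disabled forwarding. For what it is worth, later OpenSSH releases added exactly this control as the permitlisten authorized_keys option and the PermitListen sshd_config directive (OpenSSH 7.8), so current deployments need no local patch.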



More information about the openssh-unix-dev mailing list