Restricting users using one port
djm at mindrot.org
Mon Oct 17 08:06:57 EST 2011
On Mon, 17 Oct 2011, Darren Tucker wrote:
> It's feasible. The initial Match processing is done just after the
> client sends the username so both the local address and port are known
> and there should be no additional hooks needed.
> I'd suggest calling them LocalAddress and LocalPort (or ServerAddress
> and ServerPort) though.
> Attached are two patches: openssh-match-struct.patch
> which moves the items that are checked to a struct, and
> openssh-match-localaddrport.patch which implements the requested
> functionality. (You only need the latter to try it, the former is just
> for review).
I like this, but I prefer LocalAddress/LocalPort over
ListenAddress/ListenPort. Instead of adding another global, perhaps you
could add a canohost.c function that returns a (cached) ConnectionInfo?
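
An added configuration sketch, not part of the original message or the attached patches, showing what the thread's goal (restricting users by the port they connected to) could look like. It assumes the LocalPort keyword name preferred above and an sshd build that supports it; the port numbers and the account name are placeholders.

```sshd_config
# Constructed example: two listeners on the same sshd instance.
Port 22
Port 2222

# Connections that arrived on the second listener:
# a single account, key authentication only, no forwarding.
Match LocalPort 2222
    AllowUsers backup
    PasswordAuthentication no
    AllowTcpForwarding no
    X11Forwarding no

# Connections that arrived on the default listener:
# every account except the one reserved for port 2222.
Match LocalPort 22
    DenyUsers backup
```

On a build that supports it, `sshd -T -C user=backup,host=client.example,addr=192.0.2.10,lport=2222` prints the effective settings for such a connection, which lets the Match blocks be checked before sshd is reloaded.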