Feature request: virtual servers
Darren Tucker
dtucker at zip.com.au
Thu Apr 26 13:50:42 EST 2012
On Thu, Apr 26, 2012 at 09:34:53AM +1000, Damien Miller wrote:
> On Wed, 25 Apr 2012, Philipp Marek wrote:
[...]
> > So I'd like to ask for the "Match" statements to allow matching the
> > accepting port number and/or IP address.
>
> I think Darren had a pending patch for this. Darren?
Here's the diff (I haven't looked at in a while, but it should apply
cleanly to 6.0. It still builds OK).
It adds "Match LocalAddress" and "Match LocalPort" which does pretty
much what it says on the tin.
Index: auth.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/auth.c,v
retrieving revision 1.150
diff -u -p -r1.150 auth.c
--- auth.c 22 Apr 2012 01:21:43 -0000 1.150
+++ auth.c 26 Apr 2012 03:37:07 -0000
@@ -545,9 +545,14 @@ getpwnamallow(const char *user)
#endif
#endif
struct passwd *pw;
+ extern ConnectionInfo connection_info;
- parse_server_match_config(&options, user,
- get_canonical_hostname(options.use_dns), get_remote_ipaddr());
+ connection_info.user = user;
+ connection_info.host = get_canonical_hostname(options.use_dns);
+ connection_info.address = get_remote_ipaddr();
+ connection_info.laddress = get_local_ipaddr(packet_get_connection_in());
+ connection_info.lport = get_local_port();
+ parse_server_match_config(&options, &connection_info);
#if defined(_AIX) && defined(HAVE_SETAUTHDB)
aix_setauthdb(user);
Index: servconf.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/servconf.c,v
retrieving revision 1.222
diff -u -p -r1.222 servconf.c
--- servconf.c 22 Apr 2012 01:24:44 -0000 1.222
+++ servconf.c 26 Apr 2012 03:37:07 -0000
@@ -601,19 +601,20 @@ out:
}
static int
-match_cfg_line(char **condition, int line, const char *user, const char *host,
- const char *address)
+match_cfg_line(char **condition, int line, ConnectionInfo *ci)
{
- int result = 1;
+ int result = 1, port;
char *arg, *attrib, *cp = *condition;
size_t len;
- if (user == NULL)
+ if (ci == NULL)
debug3("checking syntax for 'Match %s'", cp);
else
- debug3("checking match for '%s' user %s host %s addr %s", cp,
- user ? user : "(null)", host ? host : "(null)",
- address ? address : "(null)");
+ debug3("checking match for '%s' user %s host %s addr %s "
+ "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
+ ci->host ? ci->host : "(null)",
+ ci->address ? ci->address : "(null)",
+ ci->laddress ? ci->laddress : "(null)", ci->lport);
while ((attrib = strdelim(&cp)) && *attrib != '\0') {
if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
@@ -622,37 +623,45 @@ match_cfg_line(char **condition, int lin
}
len = strlen(arg);
if (strcasecmp(attrib, "user") == 0) {
- if (!user) {
+ if (ci == NULL || ci->user == NULL) {
result = 0;
continue;
}
- if (match_pattern_list(user, arg, len, 0) != 1)
+ if (match_pattern_list(ci->user, arg, len, 0) != 1)
result = 0;
else
debug("user %.100s matched 'User %.100s' at "
- "line %d", user, arg, line);
+ "line %d", ci->user, arg, line);
} else if (strcasecmp(attrib, "group") == 0) {
- switch (match_cfg_line_group(arg, line, user)) {
+ if (ci == NULL || ci->user == NULL) {
+ result = 0;
+ continue;
+ }
+ switch (match_cfg_line_group(arg, line, ci->user)) {
case -1:
return -1;
case 0:
result = 0;
}
} else if (strcasecmp(attrib, "host") == 0) {
- if (!host) {
+ if (ci == NULL || ci->host == NULL) {
result = 0;
continue;
}
- if (match_hostname(host, arg, len) != 1)
+ if (match_hostname(ci->host, arg, len) != 1)
result = 0;
else
debug("connection from %.100s matched 'Host "
- "%.100s' at line %d", host, arg, line);
+ "%.100s' at line %d", ci->host, arg, line);
} else if (strcasecmp(attrib, "address") == 0) {
- switch (addr_match_list(address, arg)) {
+ if (ci == NULL || ci->address == NULL) {
+ result = 0;
+ continue;
+ }
+ switch (addr_match_list(ci->address, arg)) {
case 1:
debug("connection from %.100s matched 'Address "
- "%.100s' at line %d", address, arg, line);
+ "%.100s' at line %d", ci->address, arg, line);
break;
case 0:
case -1:
@@ -661,12 +670,42 @@ match_cfg_line(char **condition, int lin
case -2:
return -1;
}
+ } else if (strcasecmp(attrib, "localaddress") == 0){
+ if (ci == NULL || ci->laddress == NULL) {
+ result = 0;
+ continue;
+ }
+ switch (addr_match_list(ci->laddress, arg)) {
+ case 1:
+ debug("connection from %.100s matched "
+ "'LocalAddress %.100s' at line %d",
+ ci->laddress, arg, line);
+ break;
+ case 0:
+ case -1:
+ result = 0;
+ break;
+ case -2:
+ return -1;
+ }
+ } else if (strcasecmp(attrib, "localport") == 0) {
+ if ((port = a2port(arg)) == -1) {
+ error("Invalid LocalPort '%s' on Match line",
+ arg);
+ return -1;
+ }
+ if (ci == NULL) {
+ result = 0;
+ continue;
+ }
+ if (a2port(arg) == ci->lport)
+ result = 1;
} else {
error("Unsupported Match attribute %s", attrib);
return -1;
}
}
- if (user != NULL)
+ if (ci != NULL)
debug3("match %sfound", result ? "" : "not ");
*condition = cp;
return result;
@@ -713,8 +752,8 @@ static const struct multistate multistat
int
process_server_config_line(ServerOptions *options, char *line,
- const char *filename, int linenum, int *activep, const char *user,
- const char *host, const char *address)
+ const char *filename, int linenum, int *activep,
+ ConnectionInfo *connectinfo)
{
char *cp, **charptr, *arg, *p;
int cmdline = 0, *intptr, value, value2, n;
@@ -745,7 +784,7 @@ process_server_config_line(ServerOptions
if (*activep && opcode != sMatch)
debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
- if (user == NULL) {
+ if (connectinfo == NULL) {
fatal("%s line %d: Directive '%s' is not allowed "
"within a Match block", filename, linenum, arg);
} else { /* this is a directive we have already processed */
@@ -1316,7 +1355,7 @@ process_server_config_line(ServerOptions
if (cmdline)
fatal("Match directive not supported as a command-line "
"option");
- value = match_cfg_line(&cp, linenum, user, host, address);
+ value = match_cfg_line(&cp, linenum, connectinfo);
if (value < 0)
fatal("%s line %d: Bad Match condition", filename,
linenum);
@@ -1478,16 +1517,57 @@ load_server_config(const char *filename,
}
void
-parse_server_match_config(ServerOptions *options, const char *user,
- const char *host, const char *address)
+parse_server_match_config(ServerOptions *options, ConnectionInfo *connectinfo)
{
ServerOptions mo;
initialize_server_options(&mo);
- parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
+ parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
copy_set_server_options(options, &mo, 0);
}
+int parse_server_match_testspec(ConnectionInfo *ci, char *spec)
+{
+ char *p;
+
+ while ((p = strsep(&spec, ",")) && *p != '\0') {
+ if (strncmp(p, "addr=", 5) == 0)
+ ci->address = xstrdup(p + 5);
+ else if (strncmp(p, "host=", 5) == 0)
+ ci->host = xstrdup(p + 5);
+ else if (strncmp(p, "user=", 5) == 0)
+ ci->user = xstrdup(p + 5);
+ else if (strncmp(p, "laddr=", 6) == 0)
+ ci->laddress = xstrdup(p + 6);
+ else if (strncmp(p, "lport=", 6) == 0)
+ ci->lport = a2port(p + 6);
+ if (ci->lport == -1) {
+ fprintf(stderr, "Invalid port '%s' in test mode"
+ " specification %s\n", p+6, p);
+ return -1;
+ }
+ else {
+ fprintf(stderr, "Invalid test mode specification %s\n",
+ p);
+ return -1;
+ }
+ }
+ return 0;
+}
+
+/*
+ * returns 1 for a complete spec, 0 for partial spec and -1 for an
+ * empty spec.
+ */
+int server_match_spec_complete(ConnectionInfo *ci)
+{
+ if (ci->user && ci->host && ci->address)
+ return 1; /* complete */
+ if (!ci->user && !ci->host && !ci->address)
+ return -1; /* empty */
+ return 0; /* partial */
+}
+
/* Helper macros */
#define M_CP_INTOPT(n) do {\
if (src->n != -1) \
@@ -1561,7 +1641,7 @@ copy_set_server_options(ServerOptions *d
void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
- const char *user, const char *host, const char *address)
+ ConnectionInfo *connectinfo)
{
int active, linenum, bad_options = 0;
char *cp, *obuf, *cbuf;
@@ -1569,11 +1649,11 @@ parse_server_config(ServerOptions *optio
debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
obuf = cbuf = xstrdup(buffer_ptr(conf));
- active = user ? 0 : 1;
+ active = connectinfo ? 0 : 1;
linenum = 1;
while ((cp = strsep(&cbuf, "\n")) != NULL) {
if (process_server_config_line(options, cp, filename,
- linenum++, &active, user, host, address) != 0)
+ linenum++, &active, connectinfo) != 0)
bad_options++;
}
xfree(obuf);
Index: servconf.h
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/servconf.h,v
retrieving revision 1.92
diff -u -p -r1.92 servconf.h
--- servconf.h 22 Apr 2012 01:24:44 -0000 1.92
+++ servconf.h 26 Apr 2012 03:37:07 -0000
@@ -170,6 +170,17 @@ typedef struct {
char *version_addendum; /* Appended to SSH banner */
} ServerOptions;
+
+/* Information about the incoming connection as used by Match */
+typedef struct {
+ const char *user;
+ const char *host; /* possibly resolved hostname */
+ const char *address; /* remote address */
+ const char *laddress; /* local address */
+ int lport; /* local port */
+} ConnectionInfo;
+
+
/*
* These are string config options that must be copied between the
* Match sub-config and the main config, and must be sent from the
@@ -187,12 +198,13 @@ typedef struct {
void initialize_server_options(ServerOptions *);
void fill_default_server_options(ServerOptions *);
int process_server_config_line(ServerOptions *, char *, const char *, int,
- int *, const char *, const char *, const char *);
+ int *, ConnectionInfo *);
void load_server_config(const char *, Buffer *);
void parse_server_config(ServerOptions *, const char *, Buffer *,
- const char *, const char *, const char *);
-void parse_server_match_config(ServerOptions *, const char *, const char *,
- const char *);
+ ConnectionInfo *);
+void parse_server_match_config(ServerOptions *, ConnectionInfo *);
+int parse_server_match_testspec(ConnectionInfo *, char *);
+int server_match_spec_complete(ConnectionInfo *);
void copy_set_server_options(ServerOptions *, ServerOptions *, int);
void dump_config(ServerOptions *);
char *derelativise_path(const char *);
Index: sshd.8
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/sshd.8,v
retrieving revision 1.225
diff -u -p -r1.225 sshd.8
--- sshd.8 2 Oct 2011 07:57:38 -0000 1.225
+++ sshd.8 10 Oct 2011 06:14:47 -0000
@@ -114,6 +114,8 @@ The connection parameters are supplied a
The keywords are
.Dq user ,
.Dq host ,
+.Dq laddr ,
+.Dq lport ,
and
.Dq addr .
All are required and may be supplied in any order, either with multiple
Index: sshd.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/sshd.c,v
retrieving revision 1.413
diff -u -p -r1.413 sshd.c
--- sshd.c 22 Apr 2012 01:24:44 -0000 1.413
+++ sshd.c 26 Apr 2012 03:37:07 -0000
@@ -143,6 +143,9 @@ extern char *__progname;
/* Server configuration options. */
ServerOptions options;
+/* Connection information used by Match */
+ConnectionInfo connection_info;
+
/* Name of the server configuration file. */
char *config_file_name = _PATH_SERVER_CONFIG_FILE;
@@ -1325,9 +1328,8 @@ main(int ac, char **av)
int opt, i, j, on = 1;
int sock_in = -1, sock_out = -1, newsock = -1;
const char *remote_ip;
- char *test_user = NULL, *test_host = NULL, *test_addr = NULL;
int remote_port;
- char *line, *p, *cp;
+ char *line;
int config_s[2] = { -1 , -1 };
u_int64_t ibytes, obytes;
mode_t new_umask;
@@ -1454,20 +1456,9 @@ main(int ac, char **av)
test_flag = 2;
break;
case 'C':
- cp = optarg;
- while ((p = strsep(&cp, ",")) && *p != '\0') {
- if (strncmp(p, "addr=", 5) == 0)
- test_addr = xstrdup(p + 5);
- else if (strncmp(p, "host=", 5) == 0)
- test_host = xstrdup(p + 5);
- else if (strncmp(p, "user=", 5) == 0)
- test_user = xstrdup(p + 5);
- else {
- fprintf(stderr, "Invalid test "
- "mode specification %s\n", p);
- exit(1);
- }
- }
+ if (parse_server_match_testspec(&connection_info,
+ optarg) == -1)
+ exit(1);
break;
case 'u':
utmp_len = (u_int)strtonum(optarg, 0, MAXHOSTNAMELEN+1, NULL);
@@ -1479,7 +1470,7 @@ main(int ac, char **av)
case 'o':
line = xstrdup(optarg);
if (process_server_config_line(&options, line,
- "command-line", 0, NULL, NULL, NULL, NULL) != 0)
+ "command-line", 0, NULL, NULL) != 0)
exit(1);
xfree(line);
break;
@@ -1535,13 +1526,10 @@ main(int ac, char **av)
* the parameters we need. If we're not doing an extended test,
* do not silently ignore connection test params.
*/
- if (test_flag >= 2 &&
- (test_user != NULL || test_host != NULL || test_addr != NULL)
- && (test_user == NULL || test_host == NULL || test_addr == NULL))
+ if (test_flag >= 2 && server_match_spec_complete(&connection_info) == 0)
fatal("user, host and addr are all required when testing "
"Match configs");
- if (test_flag < 2 && (test_user != NULL || test_host != NULL ||
- test_addr != NULL))
+ if (test_flag < 2 && server_match_spec_complete(&connection_info) >= 0)
fatal("Config test connection parameter (-C) provided without "
"test mode (-T)");
@@ -1553,7 +1541,7 @@ main(int ac, char **av)
load_server_config(config_file_name, &cfg);
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
- &cfg, NULL, NULL, NULL);
+ &cfg, NULL);
seed_rng();
@@ -1715,9 +1703,8 @@ main(int ac, char **av)
}
if (test_flag > 1) {
- if (test_user != NULL && test_addr != NULL && test_host != NULL)
- parse_server_match_config(&options, test_user,
- test_host, test_addr);
+ if (server_match_spec_complete(&connection_info) == 1)
+ parse_server_match_config(&options, &connection_info);
dump_config(&options);
}
Index: sshd_config.5
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/sshd_config.5,v
retrieving revision 1.145
diff -u -p -r1.145 sshd_config.5
--- sshd_config.5 22 Apr 2012 01:25:11 -0000 1.145
+++ sshd_config.5 26 Apr 2012 03:37:07 -0000
@@ -677,6 +677,8 @@ The available criteria are
.Cm User ,
.Cm Group ,
.Cm Host ,
+.Cm LocalAddress ,
+.Cm LocalPort ,
and
.Cm Address .
The match patterns may consist of single entries or comma-separated
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list