StreamLocal forwarding

Damien Miller djm at mindrot.org
Wed May 4 01:23:40 AEST 2016


On Tue, 3 May 2016, Rogan Dawes wrote:

> Hi Damien,
> Thanks for the response!
> 
> I tried moving the StreamLocalBindUnlink directive outside of the Match
> rule, and it worked. But that doesn't explain why the Match was not
> correctly setting the directive:
> 
> This is running on an alternate port with -ddd:
> 
> debug3: checking match for 'User sshvpn' user sshvpn host 196.209.244.243 addr 196.209.244.243 laddr 176.9.9.247 lport 52221
> debug1: user sshvpn matched 'User sshvpn' at line 91
> debug3: match found
> debug3: reprocess config:92 setting ChrootDirectory /var/sshvpn/
> debug3: reprocess config:93 setting AllowTCPForwarding no
> debug3: reprocess config:94 setting AllowStreamLocalForwarding yes
> debug3: reprocess config:95 setting StreamLocalBindUnlink yes
> 
> And, surprisingly, even having set the directive outside the Match block,
> the following command still doesn't show streamlocalbindunlink set:
> 
> sshd -T -C "user=sshvpn,host=196.209.244.243,addr=196.209.244.243" | grep -i stream
> streamlocalbindmask 0177
> allowstreamlocalforwarding yes

Oh, that's a bug in the config dump support.

diff --git a/servconf.c b/servconf.c
index 6111c5a..2094c48 100644
--- a/servconf.c
+++ b/servconf.c
@@ -2293,6 +2293,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
+	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 
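Review bot: the Match-block case from the report is still open after the added dump_cfg_fmtint(sStreamLocalBindUnlink, ...) line in dump_config(). The quoted -ddd output shows "reprocess config:95 setting StreamLocalBindUnlink yes", yet the directive only took effect once it was moved outside the Match rule, and this hunk changes only what sshd -T prints. It would help to say in the commit message that this is a dump-only fix, and to check separately whether o->fwd_opts.streamlocal_bind_unlink set during Match reprocessing reaches the options the session actually uses. Once this line is in, re-running the reporter's sshd -T -C command with the directive inside the Match block would show whether the parsed value is being kept.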


More information about the openssh-unix-dev mailing list