[Bug 1513] CIDR address/masklen matching support for permitopen=

bugzilla-daemon at bugzilla.mindrot.org
Tue Mar 29 08:49:02 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=1513

--- Comment #3 from RyanC <kvhwyucjkp at snkmail.com> 2011-03-29 08:49:02 EST ---
Created attachment 2025
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2025
Feature enhancement patch for permitopen - needs code
review/testing/cleanup

This patch changes permitopen to use the same access logic as is
available for 'from='

That is:

* CIDR matches - 192.168.0.0/16
* Wildcard matches - *.example.com
* Negated matches - !10.0.0.0/8

Support for port ranges has been added, e.g.

127.0.0.1:* or 127.0.0.1:1-65535

The checking logic has been moved to a function which is called from
connect_next, which happens after DNS resolution but before the actual
connect call.  This is in order to allow a permitopen to
www.example.com to still work when the forwarding request is made using
the IP address and vice versa.

Negations take precedence over other matches, so one can do something
like this:
PermitOpen 0.0.0.0/0:*
PermitOpen !127.0.0.0/8:*

Other things:

Get rid of permitopen any?

NOTES:

I've only tested this with PermitOpen in the config file; it should
work with permitopen= from an authorized_keys file, but I haven't
verified.

I'm not great with C, and someone needs to double-check my work to
ensure that I haven't introduced any possible buffer overflows.  I
understand the gotchas in general regarding buffer overflows and I
think I've done everything correctly, but I lack enough experience to
be confident.

Some minor changes have been made to return codes given by functions in
match.c and code referencing these functions has been updated.  Stuff
relying on those functions should be tested.

channel_connect_to has been changed to simply call connect_to.  It
could probably be aliased with a #define but I'm not quite clear on
static vs non-static functions in C.

I've attempted to follow coding style, but in a few cases this has led
me to do things which seem weird.  In particular, multi-purposing
variables seems questionable to me.

I've used hpdelim to split out CIDR/port mappings, but it doesn't
distinguish : from /, so if you permitopen 192.168.0.0/16 it will be
parsed as 192.168.0.0, port 16, which is a bit dubious.

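The semantics the comment describes (CIDR, wildcard and negated host patterns, port ranges with `*` and `lo-hi`, negations taking precedence over positive matches, matching against the resolved address as well as the requested name, and the host/port split that must not mistake the `/masklen` for a port delimiter) modelled in Python as an added example. This is not the attached patch and not OpenSSH's match.c or hpdelim; the function names (`naive_hpdelim`, `parse_permitopen`, `host_matches`, `permitted`), the bracket handling for IPv6 literals, the choice to check wildcard patterns against both the requested name and the address text, and the TEST-NET / documentation addresses used as input are all assumptions constructed for the illustration.

```python
"""Model of the permitopen matching rules described in the bug comment.

Added example; not OpenSSH code.  Rules look like 'host:port' where host is
a CIDR block, a wildcard pattern or an exact address, optionally negated with
a leading '!', and port is N, lo-hi or '*'.
"""
import fnmatch
import ipaddress


def naive_hpdelim(spec):
    """Mimic the hpdelim problem the comment mentions: the FIRST ':' or '/'
    is taken as the host/port delimiter, so '192.168.0.0/16' is split into
    host '192.168.0.0' and port '16'.  Kept only to show the pitfall."""
    for i, ch in enumerate(spec):
        if ch in ":/":
            return spec[:i], spec[i + 1:]
    return spec, None


def parse_permitopen(spec):
    """Parse one entry into (negated, host_pattern, (lo, hi)).

    The port is split off at the LAST ':' so a '/masklen' in the host part and
    bare IPv6 literals survive.  '[v6]' brackets are stripped (assumption).
    """
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if ":" not in spec:
        raise ValueError("permitopen entry needs host:port: %r" % spec)
    host, port = spec.rsplit(":", 1)
    if host.startswith("["):
        host = host[1:].replace("]", "", 1)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = map(int, port.split("-", 1))
    else:
        lo = hi = int(port)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("bad port range in %r" % spec)
    return negated, host, (lo, hi)


def host_matches(pattern, name, addr):
    """Check one host pattern against a forwarding target.

    name is the host the client asked for, addr the address it resolved to
    (the comment runs the check after DNS resolution).  CIDR patterns are
    tested against addr; an exact address pattern is compared numerically;
    anything else is a case-insensitive wildcard tested against name and
    against the address text, so 'www.example.com' still permits a request
    made by IP and vice versa.
    """
    target = ipaddress.ip_address(addr)
    if "/" in pattern:
        # Mixed address families never match (ipaddress returns False).
        return target in ipaddress.ip_network(pattern, strict=False)
    try:
        return ipaddress.ip_address(pattern) == target
    except ValueError:
        pass  # not an address literal: treat as wildcard pattern
    return (fnmatch.fnmatchcase(name.lower(), pattern.lower())
            or fnmatch.fnmatchcase(addr.lower(), pattern.lower()))


def permitted(rules, name, addr, port):
    """Apply the precedence the comment describes: a matching negated rule
    denies regardless of order, otherwise any matching positive rule allows,
    otherwise the forward is refused."""
    allowed = False
    for negated, pattern, (lo, hi) in map(parse_permitopen, rules):
        if not lo <= port <= hi or not host_matches(pattern, name, addr):
            continue
        if negated:
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed sample policy: everything except loopback, plus a
    # name-based rule and a CIDR rule restricted to one port.
    policy = ["0.0.0.0/0:*", "!127.0.0.0/8:*"]
    print(permitted(policy, "localhost", "127.0.0.1", 80))        # False
    print(permitted(policy, "example.org", "198.51.100.7", 443))  # True
    print(naive_hpdelim("192.168.0.0/16"))     # ('192.168.0.0', '16')
    print(parse_permitopen("192.168.0.0/16:*"))  # mask kept, port 1-65535
```

The `naive_hpdelim` function reproduces the parsing caveat from the comment so that the difference from `parse_permitopen` (split at the last `:`) is visible side by side; the precedence loop returns as soon as a negated rule matches, so rule order does not matter.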