[PATCH]: Add tcp_wrappers protection to port forwarding

Corinna Vinschen vinschen at cygnus.com
Sun Oct 8 08:40:39 EST 2000


Hi,

attached is a patch by Chris Faylor <cgf at cygnus.com> relative to
2.2.0p1.

Description:

OpenSSH does not allow port gatewaying by default. This means that only
the local host can access forwarded ports. Adding "GatewayPorts yes" to
.ssh/config usually does this job.

Unfortunately, OpenSSH does not recognize the same hosts.allow/
hosts.deny options as ssh.com's sshd client, i.e., it doesn't recognize
the sshfwd settings in hosts.allow.

So adding "GatewayPorts" opens up all forwarded ports to outside
inspection, unless a firewall is used.

The patch uses basically the same method as ssh.com. A lookup is made
in hosts.allow/hosts.deny on sshfwd-<port number> (not port name --
this is different from ssh.com) and if the tcp_wrappers don't allow
the lookup then the connection is closed immediately.

ChangeLog:

20001007
  - Add tcp_wrappers protection to port forwarding.
  From <Christopher Faylor> cgf at cygnus.com.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                        mailto:cygwin at sources.redhat.com
Red Hat, Inc.
mailto:vinschen at cygnus.com
--- channels.c.orig	Tue Aug 22 20:46:24 2000
+++ channels.c	Mon Oct  2 22:49:22 2000
@@ -38,6 +38,11 @@ RCSID("$OpenBSD: channels.c,v 1.66 2000/
 #include "key.h"
 #include "authfd.h"
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+#endif /* LIBWRAP */
+
 /* Maximum number of fake X11 displays to try. */
 #define MAX_DISPLAYS  1000
 
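Review bot: the `#include <syslog.h>` added here is not used by anything in channels.c: the code added in the next hunk only calls request_init(), fromhost(), hosts_access() and eval_client(), all declared in `<tcpd.h>`, and the only LOG_* consumers in the patch are the allow_severity/deny_severity definitions in ssh.c. Suggest dropping the syslog.h line from this block so the LIBWRAP section here is just `#include <tcpd.h>`.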
@@ -581,6 +586,30 @@ channel_post_port_listener(Channel *c, f
 		}
 		remote_hostname = get_remote_hostname(newsock);
 		remote_port = get_peer_port(newsock);
+#ifdef LIBWRAP
+		{
+			char fwd[80];
+			void (*sigch) (int);
+			int res;
+			struct request_info req;
+
+			snprintf(fwd, sizeof(fwd), "sshdfwd-%d", c->host_port);
+			request_init(&req, RQ_DAEMON, fwd, RQ_FILE, newsock, NULL);
+			fromhost(&req);
+			sigch = signal(SIGCHLD, SIG_DFL);
+			res = hosts_access(&req);
+			signal(SIGCHLD, sigch);
+			if (!res) {
+				packet_send_debug("refused forwarded connection from %.500s to local port %d.",
+						  eval_client(&req), c->host_port);
+				error("forwarded connection from %.500s to local port %d refused.",
+				      eval_client(&req), c->host_port);
+				shutdown(newsock, SHUT_RDWR);
+				close(newsock);
+				return;
+			}
+		}
+#endif /* LIBWRAP */
 		snprintf(buf, sizeof buf,
 		    "listen port %d for %.100s port %d, "
 		    "connect from %.200s port %d",
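Review bot: the daemon name built for the lookup is `"sshdfwd-%d"`, but the cover mail says the lookup is made on `sshfwd-<port number>`; one of the two should be corrected, since a hosts.allow entry written from the description would never match what hosts_access() is asked about. Second, the refusal messages describe `c->host_port` as "local port", yet the existing log line immediately below distinguishes "listen port %d" from "%.100s port %d", so please confirm that `c->host_port` is the port this listener accepts on and not the destination port of the forward; if it is the latter, both the lookup key and the two messages name the wrong port. A short comment on the signal(SIGCHLD, SIG_DFL) save/restore around hosts_access() would also help, since the reason (libwrap may fork for spawn/twist options) is not obvious from the code.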
--- ssh.c.orig	Mon Aug 28 20:33:51 2000
+++ ssh.c	Mon Oct  2 22:50:29 2000
@@ -30,6 +30,11 @@ RCSID("$OpenBSD: ssh.c,v 1.63 2000/08/28
 #include "key.h"
 #include "authfd.h"
 #include "authfile.h"
+#ifdef LIBWRAP
+#include <syslog.h>
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_WARNING;
+#endif /* LIBWRAP */
 
 #ifdef HAVE___PROGNAME
 extern char *__progname;
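Review bot: providing allow_severity/deny_severity in ssh.c is right, since libwrap expects the linking program to define them, but the patch changes only channels.c and ssh.c and carries no configure or Makefile change: with LIBWRAP defined, the new request_init()/fromhost()/hosts_access() references in channels.c will fail to link into the ssh client unless the build already adds the libwrap library to ssh's link line. Please either include that build change or state in the ChangeLog that it is already handled. Minor style point: this block is placed directly after `#include "authfile.h"` with no separating blank line, unlike the matching block in channels.c.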
