Decouple AllowStreamLocalForwarding and AllowTcpForwarding

Baptiste Daroussin bapt at nours.eu
Thu Oct 16 22:43:50 AEDT 2025


hello everyone,

I am trying to fix an issue we have at $work with the fact that the
AllowStreamLocalForwarding option is dependent on the AllowTcpForwarding option
(this issue has been reported multiple times by others in the past).

When looking at the code, I can see 2 approaches:
1/ the complete option would consist of removing FORWARD_LOCAL and
FORWARD_REMOTE and replacing them with TCP_FORWARD_LOCAL and TCP_FORWARD_REMOTE,
then introducing STREAMLOCAL_FORWARD_LOCAL and STREAMLOCAL_FORWARD_REMOTE and
duplicating all the code to deal with both cases.

2/ the lazy approach which is the one I took so far would be to apply the patch.

I am not very familiar with the ssh code, but it seems to work and not break the
testsuite. Still, I am pretty sure this is too naive; what do you think?

Best regards,
Bapt

---
 session.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/session.c b/session.c
index f265fdc3ed3..e35ff360ec9 100644
--- a/session.c
+++ b/session.c
@@ -323,11 +323,13 @@ do_authenticated(struct ssh *ssh, Authctxt *authctxt)
 		channel_disable_admin(ssh, FORWARD_LOCAL);
 		channel_disable_admin(ssh, FORWARD_REMOTE);
 	} else {
-		if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
+		if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0 &&
+		    (options.allow_streamlocal_forwarding & FORWARD_LOCAL) == 0)
 			channel_disable_admin(ssh, FORWARD_LOCAL);
 		else
 			channel_permit_all(ssh, FORWARD_LOCAL);
-		if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0)
+		if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 &&
+		    (options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0)
 			channel_disable_admin(ssh, FORWARD_REMOTE);
 		else
 			channel_permit_all(ssh, FORWARD_REMOTE);
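Review bot: with this change, when AllowTcpForwarding is off for a direction but AllowStreamLocalForwarding is on, the else branch now calls channel_permit_all() for that direction instead of channel_disable_admin(), so the admin-level block that previously refused every forwarding request of that direction (TCP and Unix-domain alike) is lifted for both kinds. That is only correct if the per-request checks that consult options.allow_tcp_forwarding when a direct-tcpip or tcpip-forward request actually arrives still refuse the TCP case on their own; the patch description should state that this has been verified, and the commit should add a regression test covering "AllowTcpForwarding no" plus "AllowStreamLocalForwarding yes" in each direction to show TCP forwards stay refused while socket forwards succeed. Two smaller points: the two new conditions can be written more compactly as `((options.allow_tcp_forwarding | options.allow_streamlocal_forwarding) & FORWARD_LOCAL) == 0` (and likewise for FORWARD_REMOTE), and sshd_config.5 should be updated so the AllowStreamLocalForwarding entry no longer implies a dependency on AllowTcpForwarding.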


More information about the openssh-unix-dev mailing list