Decouple AllowStreamLocalForwarding and AllowTcpForwarding
Baptiste Daroussin
bapt at nours.eu
Tue Oct 28 17:47:14 AEDT 2025
On Thu 16 Oct 13:43, Baptiste Daroussin wrote:
> hello everyone,
Hello,
Anything I should do on my side to make this progress?
Best regards,
Bapt
>
> I am trying to fix an issue we have at $work with the fact that the
> AllowStreamLocalForwarding option is dependent on the AllowTcpForwarding option
> (this issue has been reported multiple times by others in the past).
>
> When looking at the code, I can see 2 approaches:
> 1/ the complete option would consist in removing FORWARD_LOCAL and
> FORWARD_REMOTE and replacing them with TCP_FORWARD_LOCAL and TCP_FORWARD_REMOTE,
> then introducing STREAMLOCAL_FORWARD_LOCAL and STREAMLOCAL_FORWARD_REMOTE and
> duplicating all the code to deal with both cases.
>
> 2/ the lazy approach which is the one I took so far would be to apply the patch.
>
> I am not very familiar with the ssh code, but it seems to work and not break the
> testsuite. Still I am pretty sure this is too naive, what do you think?
>
> Best regards,
> Bapt
>
> ---
> session.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/session.c b/session.c
> index f265fdc3ed3..e35ff360ec9 100644
> --- a/session.c
> +++ b/session.c
> @@ -323,11 +323,13 @@ do_authenticated(struct ssh *ssh, Authctxt *authctxt)
> channel_disable_admin(ssh, FORWARD_LOCAL);
> channel_disable_admin(ssh, FORWARD_REMOTE);
> } else {
> - if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
> + if ((options.allow_tcp_forwarding & FORWARD_LOCAL) == 0 &&
> + (options.allow_streamlocal_forwarding & FORWARD_LOCAL) == 0)
> channel_disable_admin(ssh, FORWARD_LOCAL);
> else
> channel_permit_all(ssh, FORWARD_LOCAL);
> - if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0)
> + if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 &&
> + (options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0)
> channel_disable_admin(ssh, FORWARD_REMOTE);
> else
> channel_permit_all(ssh, FORWARD_REMOTE);
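Review bot: with the widened conditions, channel_permit_all(ssh, FORWARD_LOCAL) and channel_permit_all(ssh, FORWARD_REMOTE) now run whenever either option allows that direction, so for a configuration such as AllowTcpForwarding no with AllowStreamLocalForwarding yes the channel-level admin permission set in this hunk no longer refuses TCP forwarding on its own (and likewise for the reverse combination). The commit message, or a short comment above the two `if` statements, should state that the per-transport refusal now rests entirely on the option checks done where each forwarding request is handled, outside this hunk, and that those checks were confirmed for both the local and the remote direction; a regression test exercising the mixed yes/no combinations in both directions would make that guarantee explicit rather than relying on the existing testsuite still passing.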
More information about the openssh-unix-dev mailing list