From 87ddd676da0f3abd08b778b12b53b91b670dc93c Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Tue, 19 Jun 2018 02:59:41 +0000
Subject: upstream: allow bare port numbers to appear in PermitListen directives, e.g. PermitListen 2222 8080 is equivalent to: PermitListen *:2222 *:8080 Some bonus manpage improvements, mostly from markus@ "looks fine" markus@
OpenBSD-Commit-ID: 6546b0cc5aab7f53d65ad0a348ca0ae591d6dd24
---
 auth-options.c | 22 +++++++++++++++++-----
 servconf.c | 26 +++++++++++++++++---------
 sshd.8 | 19 +++++++++++++++----
 sshd_config.5 | 22 +++++++++++++---------
 4 files changed, 62 insertions(+), 27 deletions(-)

diff --git a/auth-options.c b/auth-options.c
index 151b16ece..27c0eb05e 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.82 2018/06/07 09:26:42 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.83 2018/06/19 02:59:41 djm Exp $ */
 /*
 * Copyright (c) 2018 Damien Miller
 *
@@ -313,8 +313,8 @@ sshauthopt_new_with_keys_defaults(void)
 * Return 0 on success. Return -1 on failure and sets *errstrp to error reason.
 */
 static int
-handle_permit(const char **optsp, char ***permitsp, size_t *npermitsp,
- const char **errstrp)
+handle_permit(const char **optsp, int allow_bare_port,
+ char ***permitsp, size_t *npermitsp, const char **errstrp)
 {
 char *opt, *tmp, *cp, *host, **permits = *permitsp;
 size_t npermits = *npermitsp;
@@ -327,6 +327,18 @@ handle_permit(const char **optsp, char ***permitsp, size_t *npermitsp,
 if ((opt = opt_dequote(optsp, &errstr)) == NULL) {
 return -1;
 }
+ if (allow_bare_port && strchr(opt, ':') == NULL) {
+ /*
+ * Allow a bare port number in permitlisten to indicate a
+ * listen_host wildcard.
+ */
+ if (asprintf(&tmp, "*:%s", opt) < 0) {
+ *errstrp = "memory allocation failed";
+ return -1;
+ }
+ free(opt);
+ opt = tmp;
+ }
 if ((tmp = strdup(opt)) == NULL) {
 free(opt);
 *errstrp = "memory allocation failed";
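Review bot: The new `allow_bare_port` parameter is not described in the comment block that ends just above the signature (the block whose last lines are `Return 0 on success. Return -1 on failure and sets *errstrp to error reason.`), so a reader has to go to the call sites to learn what passing 0 or 1 means. Suggest adding one sentence to that comment, e.g. `If allow_bare_port is non-zero, an argument containing no ':' is taken as a port with a wildcard host and rewritten to "*:port".` The comment block starts, and handle_permit's body continues, outside this hunk.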
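Review bot: On the `asprintf` failure path inside the new bare-port block, `opt` (returned by `opt_dequote` and owned by this function) is not released before `return -1;`, whereas the `strdup` failure path directly below it does `free(opt);` first; add `free(opt);` before that `return -1;` so both allocation-failure paths clean up the same way. The `strchr(opt, ':') == NULL` test only detects the absence of a colon, so a bare hostname such as `foo` is rewritten to `*:foo` and will presumably be rejected later as a bad port rather than as a missing host; that is acceptable, but the resulting error text is less specific than before. handle_permit's body continues beyond this hunk, so the later validation is not visible here.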
@@ -474,11 +486,11 @@ sshauthopt_parse(const char *opts, const char **errstrp)
 }
 ret->env[ret->nenv++] = opt;
 } else if (opt_match(&opts, "permitopen")) {
- if (handle_permit(&opts, &ret->permitopen,
+ if (handle_permit(&opts, 0, &ret->permitopen,
 &ret->npermitopen, &errstr) != 0)
 goto fail;
 } else if (opt_match(&opts, "permitlisten")) {
- if (handle_permit(&opts, &ret->permitlisten,
+ if (handle_permit(&opts, 1, &ret->permitlisten,
 &ret->npermitlisten, &errstr) != 0)
 goto fail;
 } else if (opt_match(&opts, "tunnel")) {
diff --git a/servconf.c b/servconf.c
index 6e70e6312..cb5786583 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.332 2018/06/09 03:03:10 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.333 2018/06/19 02:59:41 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
 * All rights reserved
@@ -1870,15 +1870,23 @@ process_server_config_line(ServerOptions *options, char *line,
 break;
 }
 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
- arg2 = xstrdup(arg);
- p = hpdelim(&arg);
- /* XXX support bare port number for PermitListen */
- if (p == NULL) {
- fatal("%s line %d: missing host in %s",
- filename, linenum,
- lookup_opcode_name(opcode));
+ if (opcode == sPermitListen &&
+ strchr(arg, ':') == NULL) {
+ /*
+ * Allow bare port number for PermitListen
+ * to indicate a wildcard listen host.
+ */
+ xasprintf(&arg2, "*:%s", arg);
+ } else {
+ arg2 = xstrdup(arg);
+ p = hpdelim(&arg);
+ if (p == NULL) {
+ fatal("%s line %d: missing host in %s",
+ filename, linenum,
+ lookup_opcode_name(opcode));
+ }
+ p = cleanhostname(p);
 }
- p = cleanhostname(p);
 if (arg == NULL ||
 ((port = permitopen_port(arg)) < 0)) {
 fatal("%s line %d: bad port number in %s",
diff --git a/sshd.8 b/sshd.8
index 6127bb576..c05bbe65c 100644
--- a/sshd.8
+++ b/sshd.8
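Review bot: In the new bare-port branch of the `for` loop `p` is left unassigned for that iteration, while the `else` branch assigns it twice and then appears to discard the `cleanhostname(p)` result; if anything later in this loop body (outside the hunk) reads `p`, the bare-port path would hand it a stale value from a previous iteration, so it is worth confirming that `p` serves only as a validation side effect here. The same rewrite (`strchr(arg, ':') == NULL` followed by `"*:%s"`) now exists independently in `handle_permit` in auth-options.c; a small shared helper would keep the authorized_keys and sshd_config interpretations of a bare PermitListen argument from drifting apart. Note also that for PermitListen any argument without a colon is now treated as a port, so a bare hostname fails with `bad port number` instead of the former `missing host` message. process_server_config_line begins and ends outside this hunk.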
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.301 2018/06/07 11:26:14 jmc Exp $
-.Dd $Mdocdate: June 7 2018 $
+.\" $OpenBSD: sshd.8,v 1.302 2018/06/19 02:59:41 djm Exp $
+.Dd $Mdocdate: June 19 2018 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -554,11 +554,11 @@ Disables execution of
 .It Cm no-X11-forwarding
 Forbids X11 forwarding when this key is used for authentication.
 Any X11 forward requests by the client will return an error.
-.It Cm permitlisten="host:port"
+.It Cm permitlisten="[host:]port"
 Limit remote port forwarding with the
 .Xr ssh 1
 .Fl R
 option such that it may only listen on the specified host and port.
+option such that it may only listen on the specified host (optional) and port.
 IPv6 addresses can be specified by enclosing the address in square brackets.
 Multiple
 .Cm permitlisten
@@ -571,6 +571,15 @@ matches any port.
 Note that the
 .Cm GatewayPorts
 may further restrict listen addresses.
+Note that
+.Xr ssh 1
+will send a hostname of
+.Dq localhost
+if a listen host was not specified when the forwarding was requested, and
+that his name is treated differently to the explicit localhost addresses
+.Dq 127.0.0.1
+and
+.Dq ::1 .
 .It Cm permitopen="host:port"
 Limit local port forwarding with the
 .Xr ssh 1
@@ -639,6 +648,8 @@ command="dump /home",no-pty,no-port-forwarding ssh-dss
 AAAAC3...51R== example.net
 permitopen="192.0.2.1:80",permitopen="192.0.2.2:25" ssh-dss
 AAAAB5...21S==
+permitlisten="localhost:8080",permitopen="localhost:22000" ssh-dss
+AAAAB5...21S==
 tunnel="0",command="sh /etc/netstart tun0" ssh-rsa AAAA...==
 jane@example.net
 restrict,command="uptime" ssh-rsa AAAA1C8...32Tv==
diff --git a/sshd_config.5 b/sshd_config.5
index 14ebafd7b..c0683d4a1 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.275 2018/06/09 03:18:11 djm Exp $
-.Dd $Mdocdate: June 9 2018 $
+.\" $OpenBSD: sshd_config.5,v 1.276 2018/06/19 02:59:41 djm Exp $
+.Dd $Mdocdate: June 19 2018 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1196,17 +1196,12 @@ The listen specification must be one of the following forms:
 .It
 .Cm PermitListen
 .Sm off
-.Ar host : port
-.Sm on
-.It
-.Cm PermitListen
-.Sm off
-.Ar IPv4_addr : port
+.Ar port
 .Sm on
 .It
 .Cm PermitListen
 .Sm off
-.Ar \&[ IPv6_addr \&] : port
+.Ar host : port
 .Sm on
 .El
 .Pp
@@ -1226,6 +1221,15 @@ By default all port forwarding listen requests are permitted.
 Note that the
 .Cm GatewayPorts
 option may further restrict which addresses may be listened on.
+Note also that
+.Xr ssh 1
+will request a listen host of
+.Dq localhost
+if no listen host was specifically requested, and this this name is
+treated differently to explict localhost addresses of
+.Dq 127.0.0.1
+and
+.Dq ::1 .
 .It Cm PermitOpen
 Specifies the destinations to which TCP port forwarding is permitted.
 The forwarding specification must be one of the following forms:
-- cgit v1.2.3