600 channels.c
View file

Large diffs are not rendered by default.

28 channels.h
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: channels.h,v 1.114 2014/06/27 16:41:56 markus Exp $ */
/* $OpenBSD: channels.h,v 1.115 2014/07/15 15:54:14 millert Exp $ */

/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -56,7 +56,9 @@
#define SSH_CHANNEL_MUX_LISTENER 15 /* Listener for mux conn. */
#define SSH_CHANNEL_MUX_CLIENT 16 /* Conn. to mux slave */
#define SSH_CHANNEL_ABANDONED 17 /* Abandoned session, eg mux */
#define SSH_CHANNEL_MAX_TYPE 18
#define SSH_CHANNEL_UNIX_LISTENER 18 /* Listening on a domain socket. */
#define SSH_CHANNEL_RUNIX_LISTENER 19 /* Listening to a R-style domain socket. */
#define SSH_CHANNEL_MAX_TYPE 20

#define CHANNEL_CANCEL_PORT_STATIC -1

@@ -254,6 +256,8 @@ char *channel_open_message(void);
int channel_find_open(void);

/* tcp forwarding */
struct Forward;
struct ForwardOptions;
void channel_set_af(int af);
void channel_permit_all_opens(void);
void channel_add_permitted_opens(char *, int);
@@ -263,19 +267,19 @@ void channel_update_permitted_opens(int, int);
void channel_clear_permitted_opens(void);
void channel_clear_adm_permitted_opens(void);
void channel_print_adm_permitted_opens(void);
int channel_input_port_forward_request(int, int);
Channel *channel_connect_to(const char *, u_short, char *, char *);
int channel_input_port_forward_request(int, struct ForwardOptions *);
Channel *channel_connect_to_port(const char *, u_short, char *, char *);
Channel *channel_connect_to_path(const char *, char *, char *);
Channel *channel_connect_stdio_fwd(const char*, u_short, int, int);
Channel *channel_connect_by_listen_address(const char *, u_short,
char *, char *);
int channel_request_remote_forwarding(const char *, u_short,
const char *, u_short);
int channel_setup_local_fwd_listener(const char *, u_short,
const char *, u_short, int);
int channel_request_rforward_cancel(const char *host, u_short port);
int channel_setup_remote_fwd_listener(const char *, u_short, int *, int);
int channel_cancel_rport_listener(const char *, u_short);
int channel_cancel_lport_listener(const char *, u_short, int, int);
Channel *channel_connect_by_listen_path(const char *, char *, char *);
int channel_request_remote_forwarding(struct Forward *);
int channel_setup_local_fwd_listener(struct Forward *, struct ForwardOptions *);
int channel_request_rforward_cancel(struct Forward *);
int channel_setup_remote_fwd_listener(struct Forward *, int *, struct ForwardOptions *);
int channel_cancel_rport_listener(struct Forward *);
int channel_cancel_lport_listener(struct Forward *, int, struct ForwardOptions *);
int permitopen_port(const char *);

/* x11 forwarding */
78 clientloop.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.260 2014/06/27 16:41:56 markus Exp $ */
/* $OpenBSD: clientloop.c,v 1.261 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -100,13 +100,13 @@
#include "cipher.h"
#include "kex.h"
#include "log.h"
#include "misc.h"
#include "readconf.h"
#include "clientloop.h"
#include "sshconnect.h"
#include "authfd.h"
#include "atomicio.h"
#include "sshpty.h"
#include "misc.h"
#include "match.h"
#include "msg.h"
#include "roaming.h"
@@ -871,13 +871,11 @@ static void
process_cmdline(void)
{
void (*handler)(int);
char *s, *cmd, *cancel_host;
int delete = 0, local = 0, remote = 0, dynamic = 0;
int cancel_port, ok;
Forward fwd;
char *s, *cmd;
int ok, delete = 0, local = 0, remote = 0, dynamic = 0;
struct Forward fwd;

memset(&fwd, 0, sizeof(fwd));
fwd.listen_host = fwd.connect_host = NULL;

leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
handler = signal(SIGINT, SIG_IGN);
@@ -943,29 +941,20 @@ process_cmdline(void)

/* XXX update list of forwards in options */
if (delete) {
cancel_port = 0;
cancel_host = hpdelim(&s); /* may be NULL */
if (s != NULL) {
cancel_port = a2port(s);
cancel_host = cleanhostname(cancel_host);
} else {
cancel_port = a2port(cancel_host);
cancel_host = NULL;
}
if (cancel_port <= 0) {
logit("Bad forwarding close port");
/* We pass 1 for dynamicfwd to restrict to 1 or 2 fields. */
if (!parse_forward(&fwd, s, 1, 0)) {
logit("Bad forwarding close specification.");
goto out;
}
if (remote)
ok = channel_request_rforward_cancel(cancel_host,
cancel_port) == 0;
ok = channel_request_rforward_cancel(&fwd) == 0;
else if (dynamic)
ok = channel_cancel_lport_listener(cancel_host,
cancel_port, 0, options.gateway_ports) > 0;
ok = channel_cancel_lport_listener(&fwd,
0, &options.fwd_opts) > 0;
else
ok = channel_cancel_lport_listener(cancel_host,
cancel_port, CHANNEL_CANCEL_PORT_STATIC,
options.gateway_ports) > 0;
ok = channel_cancel_lport_listener(&fwd,
CHANNEL_CANCEL_PORT_STATIC,
&options.fwd_opts) > 0;
if (!ok) {
logit("Unkown port forwarding.");
goto out;
@@ -977,16 +966,13 @@ process_cmdline(void)
goto out;
}
if (local || dynamic) {
if (!channel_setup_local_fwd_listener(fwd.listen_host,
fwd.listen_port, fwd.connect_host,
fwd.connect_port, options.gateway_ports)) {
if (!channel_setup_local_fwd_listener(&fwd,
&options.fwd_opts)) {
logit("Port forwarding failed.");
goto out;
}
} else {
if (channel_request_remote_forwarding(fwd.listen_host,
fwd.listen_port, fwd.connect_host,
fwd.connect_port) < 0) {
if (channel_request_remote_forwarding(&fwd) < 0) {
logit("Port forwarding failed.");
goto out;
}
@@ -999,7 +985,9 @@ process_cmdline(void)
enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
free(cmd);
free(fwd.listen_host);
free(fwd.listen_path);
free(fwd.connect_host);
free(fwd.connect_path);
}

/* reasons to suppress output of an escape command in help output */
@@ -1845,9 +1833,8 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
originator_port = packet_get_int();
packet_check_eom();

debug("client_request_forwarded_tcpip: listen %s port %d, "
"originator %s port %d", listen_address, listen_port,
originator_address, originator_port);
debug("%s: listen %s port %d, originator %s port %d", __func__,
listen_address, listen_port, originator_address, originator_port);

c = channel_connect_by_listen_address(listen_address, listen_port,
"forwarded-tcpip", originator_address);
@@ -1857,6 +1844,27 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
return c;
}

static Channel *
client_request_forwarded_streamlocal(const char *request_type, int rchan)
{
Channel *c = NULL;
char *listen_path;

/* Get the remote path. */
listen_path = packet_get_string(NULL);
/* XXX: Skip reserved field for now. */
if (packet_get_string_ptr(NULL) == NULL)
fatal("%s: packet_get_string_ptr failed", __func__);
packet_check_eom();

debug("%s: %s", __func__, listen_path);

c = channel_connect_by_listen_path(listen_path,
"forwarded-streamlocal@openssh.com", "forwarded-streamlocal");
free(listen_path);
return c;
}

static Channel *
client_request_x11(const char *request_type, int rchan)
{
@@ -1984,6 +1992,8 @@ client_input_channel_open(int type, u_int32_t seq, void *ctxt)

if (strcmp(ctype, "forwarded-tcpip") == 0) {
c = client_request_forwarded_tcpip(ctype, rchan);
} else if (strcmp(ctype, "forwarded-streamlocal@openssh.com") == 0) {
c = client_request_forwarded_streamlocal(ctype, rchan);
} else if (strcmp(ctype, "x11") == 0) {
c = client_request_x11(ctype, rchan);
} else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
49 misc.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: misc.c,v 1.93 2014/04/20 02:30:25 djm Exp $ */
/* $OpenBSD: misc.c,v 1.94 2014/07/15 15:54:14 millert Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005,2006 Damien Miller. All rights reserved.
@@ -29,6 +29,7 @@
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/param.h>

#include <stdarg.h>
@@ -1056,6 +1057,52 @@ lowercase(char *s)
for (; *s; s++)
*s = tolower((u_char)*s);
}

int
unix_listener(const char *path, int backlog, int unlink_first)
{
struct sockaddr_un sunaddr;
int saved_errno, sock;

memset(&sunaddr, 0, sizeof(sunaddr));
sunaddr.sun_family = AF_UNIX;
if (strlcpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path)) >= sizeof(sunaddr.sun_path)) {
error("%s: \"%s\" too long for Unix domain socket", __func__,
path);
errno = ENAMETOOLONG;
return -1;
}

sock = socket(PF_UNIX, SOCK_STREAM, 0);
if (sock < 0) {
saved_errno = errno;
error("socket: %.100s", strerror(errno));
errno = saved_errno;
return -1;
}
if (unlink_first == 1) {
if (unlink(path) != 0 && errno != ENOENT)
error("unlink(%s): %.100s", path, strerror(errno));
}
if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
saved_errno = errno;
error("bind: %.100s", strerror(errno));
close(sock);
error("%s: cannot bind to path: %s", __func__, path);
errno = saved_errno;
return -1;
}
if (listen(sock, backlog) < 0) {
saved_errno = errno;
error("listen: %.100s", strerror(errno));
close(sock);
unlink(path);
error("%s: cannot listen on path: %s", __func__, path);
errno = saved_errno;
return -1;
}
return sock;
}
void
sock_set_v6only(int s)
{
25 misc.h
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: misc.h,v 1.53 2014/05/02 03:27:54 djm Exp $ */
/* $OpenBSD: misc.h,v 1.54 2014/07/15 15:54:14 millert Exp $ */

/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -15,6 +15,25 @@
#ifndef _MISC_H
#define _MISC_H

/* Data structure for representing a forwarding request. */
struct Forward {
char *listen_host; /* Host (address) to listen on. */
int listen_port; /* Port to forward. */
char *listen_path; /* Path to bind domain socket. */
char *connect_host; /* Host to connect. */
int connect_port; /* Port to connect on connect_host. */
char *connect_path; /* Path to connect domain socket. */
int allocated_port; /* Dynamically allocated listen port */
int handle; /* Handle for dynamic listen ports */
};

/* Common server and client forwarding options. */
struct ForwardOptions {
int gateway_ports; /* Allow remote connects to forwarded ports. */
mode_t streamlocal_bind_mask; /* umask for streamlocal binds */
int streamlocal_bind_unlink; /* unlink socket before bind */
};

/* misc.c */

char *chop(char *);
@@ -37,6 +56,7 @@ void ms_subtract_diff(struct timeval *, int *);
void ms_to_timeval(struct timeval *, int);
time_t monotime(void);
void lowercase(char *s);
int unix_listener(const char *, int, int);

void sock_set_v6only(int);

@@ -68,6 +88,9 @@ int tun_open(int, int);
#define SSH_TUNID_ERR (SSH_TUNID_ANY - 1)
#define SSH_TUNID_MAX (SSH_TUNID_ANY - 2)

/* Fake port to indicate that host field is really a path. */
#define PORT_STREAMLOCAL -2

/* Functions to extract or store big-endian words of various sizes */
u_int64_t get_u64(const void *)
__attribute__((__bounded__( __minbytes__, 1, 8)));
4 monitor.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.134 2014/06/24 01:13:21 djm Exp $ */
/* $OpenBSD: monitor.c,v 1.135 2014/07/15 15:54:14 millert Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -87,6 +87,7 @@
#include "sshlogin.h"
#include "canohost.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "monitor.h"
#include "monitor_mm.h"
@@ -95,7 +96,6 @@
#endif
#include "monitor_wrap.h"
#include "monitor_fdpass.h"
#include "misc.h"
#include "compat.h"
#include "ssh2.h"
#include "roaming.h"
203 mux.c
View file

Large diffs are not rendered by default.

4 packet.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: packet.c,v 1.197 2014/06/24 01:13:21 djm Exp $ */
/* $OpenBSD: packet.c,v 1.198 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -66,7 +66,6 @@
#include "crc32.h"
#include "compress.h"
#include "deattack.h"
#include "channels.h"
#include "compat.h"
#include "ssh1.h"
#include "ssh2.h"
@@ -77,6 +76,7 @@
#include "log.h"
#include "canohost.h"
#include "misc.h"
#include "channels.h"
#include "ssh.h"
#include "ssherr.h"
#include "roaming.h"
3 platform.c
View file
@@ -1,4 +1,4 @@
/* $Id: platform.c,v 1.21 2014/01/21 01:59:29 tim Exp $ */
/* $Id: platform.c,v 1.22 2014/07/18 04:11:26 djm Exp $ */

/*
* Copyright (c) 2006 Darren Tucker. All rights reserved.
@@ -25,6 +25,7 @@

#include "log.h"
#include "buffer.h"
#include "misc.h"
#include "servconf.h"
#include "key.h"
#include "hostfile.h"
224 readconf.c
View file

Large diffs are not rendered by default.

25 readconf.h
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: readconf.h,v 1.101 2014/02/23 20:11:36 djm Exp $ */
/* $OpenBSD: readconf.h,v 1.102 2014/07/15 15:54:14 millert Exp $ */

/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -16,21 +16,12 @@
#ifndef READCONF_H
#define READCONF_H

/* Data structure for representing a forwarding request. */

typedef struct {
char *listen_host; /* Host (address) to listen on. */
int listen_port; /* Port to forward. */
char *connect_host; /* Host to connect. */
int connect_port; /* Port to connect on connect_host. */
int allocated_port; /* Dynamically allocated listen port */
int handle; /* Handle for dynamic listen ports */
} Forward;
/* Data structure for representing option data. */

#define MAX_SEND_ENV 256
#define SSH_MAX_HOSTS_FILES 32
#define MAX_CANON_DOMAINS 32
#define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path)

struct allowed_cname {
char *source_list;
@@ -44,7 +35,7 @@ typedef struct {
int forward_x11_trusted; /* Trust Forward X11 display. */
int exit_on_forward_failure; /* Exit if bind(2) fails for -L/-R */
char *xauth_location; /* Location for xauth program */
int gateway_ports; /* Allow remote connects to forwarded ports. */
struct ForwardOptions fwd_opts; /* forwarding options */
int use_privileged_port; /* Don't use privileged port if false. */
int rhosts_rsa_authentication; /* Try rhosts with RSA
* authentication. */
@@ -106,11 +97,11 @@ typedef struct {

/* Local TCP/IP forward requests. */
int num_local_forwards;
Forward *local_forwards;
struct Forward *local_forwards;

/* Remote TCP/IP forward requests. */
int num_remote_forwards;
Forward *remote_forwards;
struct Forward *remote_forwards;
int clear_forwardings;

int enable_ssh_keysign;
@@ -181,12 +172,12 @@ int process_config_line(Options *, struct passwd *, const char *, char *,
const char *, int, int *, int);
int read_config_file(const char *, struct passwd *, const char *,
Options *, int);
int parse_forward(Forward *, const char *, int, int);
int parse_forward(struct Forward *, const char *, int, int);
int default_ssh_port(void);
int option_clear_or_none(const char *);

void add_local_forward(Options *, const Forward *);
void add_remote_forward(Options *, const Forward *);
void add_local_forward(Options *, const struct Forward *);
void add_remote_forward(Options *, const struct Forward *);
void add_identity_file(Options *, const char *, const char *, int);

#endif /* READCONF_H */
2 sandbox-systrace.c
View file
@@ -60,7 +60,7 @@ static const struct sandbox_policy preauth_policy[] = {
{ SYS___sysctl, SYSTR_POLICY_PERMIT },
#endif

{ SYS_sendsyslog, SYSTR_POLICY_PERMIT },
// { SYS_sendsyslog, SYSTR_POLICY_PERMIT },
{ SYS_close, SYSTR_POLICY_PERMIT },
{ SYS_exit, SYSTR_POLICY_PERMIT },
{ SYS_getpid, SYSTR_POLICY_PERMIT },
55 servconf.c
View file
@@ -1,5 +1,5 @@

/* $OpenBSD: servconf.c,v 1.250 2014/07/03 22:40:43 djm Exp $ */
/* $OpenBSD: servconf.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -39,10 +39,10 @@
#include "ssh.h"
#include "log.h"
#include "buffer.h"
#include "misc.h"
#include "servconf.h"
#include "compat.h"
#include "pathnames.h"
#include "misc.h"
#include "cipher.h"
#include "key.h"
#include "kex.h"
@@ -120,6 +120,7 @@ initialize_server_options(ServerOptions *options)
options->rekey_limit = -1;
options->rekey_interval = -1;
options->allow_tcp_forwarding = -1;
options->allow_streamlocal_forwarding = -1;
options->allow_agent_forwarding = -1;
options->num_allow_users = 0;
options->num_deny_users = 0;
@@ -129,7 +130,9 @@ initialize_server_options(ServerOptions *options)
options->macs = NULL;
options->kex_algorithms = NULL;
options->protocol = SSH_PROTO_UNKNOWN;
options->gateway_ports = -1;
options->fwd_opts.gateway_ports = -1;
options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
options->fwd_opts.streamlocal_bind_unlink = -1;
options->num_subsystems = 0;
options->max_startups_begin = -1;
options->max_startups_rate = -1;
@@ -269,10 +272,12 @@ fill_default_server_options(ServerOptions *options)
options->rekey_interval = 0;
if (options->allow_tcp_forwarding == -1)
options->allow_tcp_forwarding = FORWARD_ALLOW;
if (options->allow_streamlocal_forwarding == -1)
options->allow_streamlocal_forwarding = FORWARD_ALLOW;
if (options->allow_agent_forwarding == -1)
options->allow_agent_forwarding = 1;
if (options->gateway_ports == -1)
options->gateway_ports = 0;
if (options->fwd_opts.gateway_ports == -1)
options->fwd_opts.gateway_ports = 0;
if (options->max_startups == -1)
options->max_startups = 100;
if (options->max_startups_rate == -1)
@@ -303,6 +308,10 @@ fill_default_server_options(ServerOptions *options)
options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
options->fwd_opts.streamlocal_bind_unlink = 0;
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = PRIVSEP_NOSANDBOX;
@@ -351,6 +360,8 @@ typedef enum {
sKexAlgorithms, sIPQoS, sVersionAddendum,
sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding,
sDeprecated, sUnsupported
} ServerOpCodes;

@@ -478,6 +489,9 @@ static struct {
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};

@@ -1195,7 +1209,7 @@ process_server_config_line(ServerOptions *options, char *line,
break;

case sGatewayPorts:
intptr = &options->gateway_ports;
intptr = &options->fwd_opts.gateway_ports;
multistate_ptr = multistate_gatewayports;
goto parse_multistate;

@@ -1230,6 +1244,11 @@ process_server_config_line(ServerOptions *options, char *line,
multistate_ptr = multistate_tcpfwd;
goto parse_multistate;

case sAllowStreamLocalForwarding:
intptr = &options->allow_streamlocal_forwarding;
multistate_ptr = multistate_tcpfwd;
goto parse_multistate;

case sAllowAgentForwarding:
intptr = &options->allow_agent_forwarding;
goto parse_flag;
@@ -1628,6 +1647,22 @@ process_server_config_line(ServerOptions *options, char *line,
}
return 0;

case sStreamLocalBindMask:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: missing StreamLocalBindMask argument.",
filename, linenum);
/* Parse mode in octal format */
value = strtol(arg, &p, 8);
if (arg == p || value < 0 || value > 0777)
fatal("%s line %d: Bad mask.", filename, linenum);
options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
break;

case sStreamLocalBindUnlink:
intptr = &options->fwd_opts.streamlocal_bind_unlink;
goto parse_flag;

case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
@@ -1767,9 +1802,10 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(permit_empty_passwd);

M_CP_INTOPT(allow_tcp_forwarding);
M_CP_INTOPT(allow_streamlocal_forwarding);
M_CP_INTOPT(allow_agent_forwarding);
M_CP_INTOPT(permit_tun);
M_CP_INTOPT(gateway_ports);
M_CP_INTOPT(fwd_opts.gateway_ports);
M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding);
M_CP_INTOPT(x11_use_localhost);
@@ -1867,6 +1903,8 @@ fmt_intarg(ServerOpCodes code, int val)
return fmt_multistate_int(val, multistate_privsep);
case sAllowTcpForwarding:
return fmt_multistate_int(val, multistate_tcpfwd);
case sAllowStreamLocalForwarding:
return fmt_multistate_int(val, multistate_tcpfwd);
case sProtocol:
switch (val) {
case SSH_PROTO_1:
@@ -2023,9 +2061,10 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);

/* string arguments */
5 servconf.h
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.113 2014/07/03 22:40:43 djm Exp $ */
/* $OpenBSD: servconf.h,v 1.114 2014/07/15 15:54:14 millert Exp $ */

/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -92,7 +92,7 @@ typedef struct {
char *macs; /* Supported SSH2 macs. */
char *kex_algorithms; /* SSH2 kex methods in order of preference. */
int protocol; /* Supported protocol versions. */
int gateway_ports; /* If true, allow remote connects to forwarded ports. */
struct ForwardOptions fwd_opts; /* forwarding options */
SyslogFacility log_facility; /* Facility for system logging. */
LogLevel log_level; /* Level for system logging. */
int rhosts_rsa_authentication; /* If true, permit rhosts RSA
@@ -124,6 +124,7 @@ typedef struct {
int use_login; /* If true, login(1) is used */
int compression; /* If true, compression is allowed */
int allow_tcp_forwarding; /* One of FORWARD_* */
int allow_streamlocal_forwarding; /* One of FORWARD_* */
int allow_agent_forwarding;
u_int num_allow_users;
char *allow_users[MAX_ALLOW_USERS];
107 serverloop.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: serverloop.c,v 1.171 2014/04/29 13:10:30 djm Exp $ */
/* $OpenBSD: serverloop.c,v 1.172 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -61,6 +61,7 @@
#include "packet.h"
#include "buffer.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "canohost.h"
#include "sshpty.h"
@@ -77,7 +78,6 @@
#include "dispatch.h"
#include "auth-options.h"
#include "serverloop.h"
#include "misc.h"
#include "roaming.h"

extern ServerOptions options;
@@ -970,7 +970,7 @@ server_request_direct_tcpip(void)
/* XXX fine grained permissions */
if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
!no_port_forwarding_flag) {
c = channel_connect_to(target, target_port,
c = channel_connect_to_port(target, target_port,
"direct-tcpip", "direct-tcpip");
} else {
logit("refused local port forward: "
@@ -984,6 +984,38 @@ server_request_direct_tcpip(void)
return c;
}

static Channel *
server_request_direct_streamlocal(void)
{
Channel *c = NULL;
char *target, *originator;
u_short originator_port;

target = packet_get_string(NULL);
originator = packet_get_string(NULL);
originator_port = packet_get_int();
packet_check_eom();

debug("server_request_direct_streamlocal: originator %s port %d, target %s",
originator, originator_port, target);

/* XXX fine grained permissions */
if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
!no_port_forwarding_flag) {
c = channel_connect_to_path(target,
"direct-streamlocal@openssh.com", "direct-streamlocal");
} else {
logit("refused streamlocal port forward: "
"originator %s port %d, target %s",
originator, originator_port, target);
}

free(originator);
free(target);

return c;
}

static Channel *
server_request_tun(void)
{
@@ -1081,6 +1113,8 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
c = server_request_session();
} else if (strcmp(ctype, "direct-tcpip") == 0) {
c = server_request_direct_tcpip();
} else if (strcmp(ctype, "direct-streamlocal@openssh.com") == 0) {
c = server_request_direct_streamlocal();
} else if (strcmp(ctype, "tun@openssh.com") == 0) {
c = server_request_tun();
}
@@ -1125,47 +1159,74 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
/* -R style forwarding */
if (strcmp(rtype, "tcpip-forward") == 0) {
struct passwd *pw;
char *listen_address;
u_short listen_port;
struct Forward fwd;

pw = the_authctxt->pw;
if (pw == NULL || !the_authctxt->valid)
fatal("server_input_global_request: no/invalid user");
listen_address = packet_get_string(NULL);
listen_port = (u_short)packet_get_int();
memset(&fwd, 0, sizeof(fwd));
fwd.listen_host = packet_get_string(NULL);
fwd.listen_port = (u_short)packet_get_int();
debug("server_input_global_request: tcpip-forward listen %s port %d",
listen_address, listen_port);
fwd.listen_host, fwd.listen_port);

/* check permissions */
if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
no_port_forwarding_flag ||
(!want_reply && listen_port == 0)
(!want_reply && fwd.listen_port == 0) ||
#ifndef NO_IPPORT_RESERVED_CONCEPT
|| (listen_port != 0 && listen_port < IPPORT_RESERVED &&
pw->pw_uid != 0)
(fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED &&
pw->pw_uid != 0)
#endif
) {
success = 0;
packet_send_debug("Server has disabled port forwarding.");
} else {
/* Start listening on the port */
success = channel_setup_remote_fwd_listener(
listen_address, listen_port,
&allocated_listen_port, options.gateway_ports);
success = channel_setup_remote_fwd_listener(&fwd,
&allocated_listen_port, &options.fwd_opts);
}
free(listen_address);
free(fwd.listen_host);
} else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {
char *cancel_address;
u_short cancel_port;
struct Forward fwd;

cancel_address = packet_get_string(NULL);
cancel_port = (u_short)packet_get_int();
memset(&fwd, 0, sizeof(fwd));
fwd.listen_host = packet_get_string(NULL);
fwd.listen_port = (u_short)packet_get_int();
debug("%s: cancel-tcpip-forward addr %s port %d", __func__,
cancel_address, cancel_port);
fwd.listen_host, fwd.listen_port);

success = channel_cancel_rport_listener(&fwd);
free(fwd.listen_host);
} else if (strcmp(rtype, "streamlocal-forward@openssh.com") == 0) {
struct Forward fwd;

memset(&fwd, 0, sizeof(fwd));
fwd.listen_path = packet_get_string(NULL);
debug("server_input_global_request: streamlocal-forward listen path %s",
fwd.listen_path);

/* check permissions */
if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
|| no_port_forwarding_flag) {
success = 0;
packet_send_debug("Server has disabled port forwarding.");
} else {
/* Start listening on the socket */
success = channel_setup_remote_fwd_listener(
&fwd, NULL, &options.fwd_opts);
}
free(fwd.listen_path);
} else if (strcmp(rtype, "cancel-streamlocal-forward@openssh.com") == 0) {
struct Forward fwd;

memset(&fwd, 0, sizeof(fwd));
fwd.listen_path = packet_get_string(NULL);
debug("%s: cancel-streamlocal-forward path %s", __func__,
fwd.listen_path);

success = channel_cancel_rport_listener(cancel_address,
cancel_port);
free(cancel_address);
success = channel_cancel_rport_listener(&fwd);
free(fwd.listen_path);
} else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) {
no_more_sessions = 1;
success = 1;
34 session.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: session.c,v 1.273 2014/07/03 22:40:43 djm Exp $ */
/* $OpenBSD: session.c,v 1.274 2014/07/15 15:54:14 millert Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -84,11 +84,11 @@
#include "authfd.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "sshlogin.h"
#include "serverloop.h"
#include "canohost.h"
#include "misc.h"
#include "session.h"
#include "kex.h"
#include "monitor_wrap.h"
@@ -183,7 +183,6 @@ auth_input_request_forwarding(struct passwd * pw)
{
Channel *nc;
int sock = -1;
struct sockaddr_un sunaddr;

if (auth_sock_name != NULL) {
error("authentication forwarding requested twice.");
@@ -209,33 +208,15 @@ auth_input_request_forwarding(struct passwd * pw)
xasprintf(&auth_sock_name, "%s/agent.%ld",
auth_sock_dir, (long) getpid());

/* Create the socket. */
sock = socket(AF_UNIX, SOCK_STREAM, 0);
if (sock < 0) {
error("socket: %.100s", strerror(errno));
restore_uid();
goto authsock_err;
}

/* Bind it to the name. */
memset(&sunaddr, 0, sizeof(sunaddr));
sunaddr.sun_family = AF_UNIX;
strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path));

if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
error("bind: %.100s", strerror(errno));
restore_uid();
goto authsock_err;
}
/* Start a Unix listener on auth_sock_name. */
sock = unix_listener(auth_sock_name, SSH_LISTEN_BACKLOG, 0);

/* Restore the privileged uid. */
restore_uid();

/* Start listening on the socket. */
if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
error("listen: %.100s", strerror(errno));
/* Check for socket/bind/listen failure. */
if (sock < 0)
goto authsock_err;
}

/* Allocate a channel for the authentication agent socket. */
nc = channel_new("auth socket",
@@ -274,6 +255,7 @@ do_authenticated(Authctxt *authctxt)
setproctitle("%s", authctxt->pw->pw_name);

/* setup the channel layer */
/* XXX - streamlocal? */
if (no_port_forwarding_flag ||
(options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
channel_disable_adm_local_opens();
@@ -393,7 +375,7 @@ do_authenticated1(Authctxt *authctxt)
}
debug("Received TCP/IP port forwarding request.");
if (channel_input_port_forward_request(s->pw->pw_uid == 0,
options.gateway_ports) < 0) {
&options.fwd_opts) < 0) {
debug("Port forwarding failed.");
break;
}
23 ssh-agent.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: ssh-agent.c,v 1.187 2014/07/03 03:11:03 djm Exp $ */
/* $OpenBSD: ssh-agent.c,v 1.188 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1038,11 +1038,9 @@ main(int ac, char **av)
u_int nalloc;
char *shell, *format, *pidstr, *agentsocket = NULL;
fd_set *readsetp = NULL, *writesetp = NULL;
struct sockaddr_un sunaddr;
#ifdef HAVE_SETRLIMIT
struct rlimit rlim;
#endif
int prev_mask;
extern int optind;
extern char *optarg;
pid_t pid;
@@ -1161,25 +1159,10 @@ main(int ac, char **av)
* Create socket early so it will exist before command gets run from
* the parent.
*/
sock = socket(AF_UNIX, SOCK_STREAM, 0);
sock = unix_listener(socket_name, SSH_LISTEN_BACKLOG, 0);
if (sock < 0) {
perror("socket");
*socket_name = '\0'; /* Don't unlink any existing file */
cleanup_exit(1);
}
memset(&sunaddr, 0, sizeof(sunaddr));
sunaddr.sun_family = AF_UNIX;
strlcpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path));
prev_mask = umask(0177);
if (bind(sock, (struct sockaddr *) &sunaddr, sizeof(sunaddr)) < 0) {
perror("bind");
/* XXX - unix_listener() calls error() not perror() */
*socket_name = '\0'; /* Don't unlink any existing file */
umask(prev_mask);
cleanup_exit(1);
}
umask(prev_mask);
if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
perror("listen");
cleanup_exit(1);
}

62 ssh.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.405 2014/07/03 06:39:19 djm Exp $ */
/* $OpenBSD: ssh.c,v 1.406 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -96,9 +96,9 @@
#include "dispatch.h"
#include "clientloop.h"
#include "log.h"
#include "misc.h"
#include "readconf.h"
#include "sshconnect.h"
#include "misc.h"
#include "kex.h"
#include "mac.h"
#include "sshpty.h"
@@ -423,7 +423,7 @@ main(int ac, char **av)
int timeout_ms;
extern int optind, optreset;
extern char *optarg;
Forward fwd;
struct Forward fwd;
struct addrinfo *addrs = NULL;
struct ssh_digest_ctx *md;
u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
@@ -545,7 +545,7 @@ main(int ac, char **av)
options.forward_x11_trusted = 1;
break;
case 'g':
options.gateway_ports = 1;
options.fwd_opts.gateway_ports = 1;
break;
case 'O':
if (stdio_forward_host != NULL)
@@ -1305,15 +1305,17 @@ fork_postauth(void)
static void
ssh_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
{
Forward *rfwd = (Forward *)ctxt;
struct Forward *rfwd = (struct Forward *)ctxt;

/* XXX verbose() on failure? */
debug("remote forward %s for: listen %s%s%d, connect %s:%d",
type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
rfwd->listen_host == NULL ? "" : rfwd->listen_host,
rfwd->listen_host == NULL ? "" : ":",
rfwd->listen_port, rfwd->connect_host, rfwd->connect_port);
if (rfwd->listen_port == 0) {
rfwd->listen_path ? rfwd->listen_path :
rfwd->listen_host ? rfwd->listen_host : "",
(rfwd->listen_path || rfwd->listen_host) ? ":" : "",
rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path :
rfwd->connect_host, rfwd->connect_port);
if (rfwd->listen_path == NULL && rfwd->listen_port == 0) {
if (type == SSH2_MSG_REQUEST_SUCCESS) {
rfwd->allocated_port = packet_get_int();
logit("Allocated port %u for remote forward to %s:%d",
@@ -1327,12 +1329,21 @@ ssh_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
}

if (type == SSH2_MSG_REQUEST_FAILURE) {
if (options.exit_on_forward_failure)
fatal("Error: remote port forwarding failed for "
"listen port %d", rfwd->listen_port);
else
logit("Warning: remote port forwarding failed for "
"listen port %d", rfwd->listen_port);
if (options.exit_on_forward_failure) {
if (rfwd->listen_path != NULL)
fatal("Error: remote port forwarding failed "
"for listen path %s", rfwd->listen_path);
else
fatal("Error: remote port forwarding failed "
"for listen port %d", rfwd->listen_port);
} else {
if (rfwd->listen_path != NULL)
logit("Warning: remote port forwarding failed "
"for listen path %s", rfwd->listen_path);
else
logit("Warning: remote port forwarding failed "
"for listen port %d", rfwd->listen_port);
}
}
if (++remote_forward_confirms_received == options.num_remote_forwards) {
debug("All remote forwarding requests processed");
@@ -1380,18 +1391,18 @@ ssh_init_forwarding(void)
for (i = 0; i < options.num_local_forwards; i++) {
debug("Local connections to %.200s:%d forwarded to remote "
"address %.200s:%d",
(options.local_forwards[i].listen_path != NULL) ?
options.local_forwards[i].listen_path :
(options.local_forwards[i].listen_host == NULL) ?
(options.gateway_ports ? "*" : "LOCALHOST") :
(options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
options.local_forwards[i].listen_host,
options.local_forwards[i].listen_port,
(options.local_forwards[i].connect_path != NULL) ?
options.local_forwards[i].connect_path :
options.local_forwards[i].connect_host,
options.local_forwards[i].connect_port);
success += channel_setup_local_fwd_listener(
options.local_forwards[i].listen_host,
options.local_forwards[i].listen_port,
options.local_forwards[i].connect_host,
options.local_forwards[i].connect_port,
options.gateway_ports);
&options.local_forwards[i], &options.fwd_opts);
}
if (i > 0 && success != i && options.exit_on_forward_failure)
fatal("Could not request local forwarding.");
@@ -1402,17 +1413,18 @@ ssh_init_forwarding(void)
for (i = 0; i < options.num_remote_forwards; i++) {
debug("Remote connections from %.200s:%d forwarded to "
"local address %.200s:%d",
(options.remote_forwards[i].listen_path != NULL) ?
options.remote_forwards[i].listen_path :
(options.remote_forwards[i].listen_host == NULL) ?
"LOCALHOST" : options.remote_forwards[i].listen_host,
options.remote_forwards[i].listen_port,
(options.remote_forwards[i].connect_path != NULL) ?
options.remote_forwards[i].connect_path :
options.remote_forwards[i].connect_host,
options.remote_forwards[i].connect_port);
options.remote_forwards[i].handle =
channel_request_remote_forwarding(
options.remote_forwards[i].listen_host,
options.remote_forwards[i].listen_port,
options.remote_forwards[i].connect_host,
options.remote_forwards[i].connect_port);
&options.remote_forwards[i]);
if (options.remote_forwards[i].handle < 0) {
if (options.exit_on_forward_failure)
fatal("Could not request remote forwarding.");
31 ssh_config.5
View file
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: ssh_config.5,v 1.190 2014/07/07 08:19:12 djm Exp $
.Dd $Mdocdate: July 7 2014 $
.\" $OpenBSD: ssh_config.5,v 1.191 2014/07/15 15:54:14 millert Exp $
.Dd $Mdocdate: July 15 2014 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -1303,6 +1303,33 @@ channel to request a response from the server.
The default
is 0, indicating that these messages will not be sent to the server.
This option applies to protocol version 2 only.
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask
.Pq umask
used when creating a Unix-domain socket file for local or remote
port forwarding.
This option is only used for port forwarding to a Unix-domain socket file.
.Pp
The default value is 0177, which creates a Unix-domain socket file that is
readable and writable only by the owner.
Note that not all operating systems honor the file mode on Unix-domain
socket files.
.It Cm StreamLocalBindUnlink
Specifies whether to remove an existing Unix-domain socket file for local
or remote port forwarding before creating a new one.
If the socket file already exists and
.Cm StreamLocalBindUnlink
is not enabled,
.Nm ssh
will be unable to forward the port to the Unix-domain socket file.
This option is only used for port forwarding to a Unix-domain socket file.
.Pp
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq no .
.It Cm StrictHostKeyChecking
If this flag is set to
.Dq yes ,
4 sshconnect.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.c,v 1.250 2014/07/03 22:23:46 djm Exp $ */
/* $OpenBSD: sshconnect.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -54,9 +54,9 @@
#include "sshconnect.h"
#include "hostfile.h"
#include "log.h"
#include "misc.h"
#include "readconf.h"
#include "atomicio.h"
#include "misc.h"
#include "dns.h"
#include "roaming.h"
#include "monitor_fdpass.h"
4 sshconnect1.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect1.c,v 1.75 2014/06/24 01:13:21 djm Exp $ */
/* $OpenBSD: sshconnect1.c,v 1.76 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -38,11 +38,11 @@
#include "kex.h"
#include "uidswap.h"
#include "log.h"
#include "misc.h"
#include "readconf.h"
#include "authfd.h"
#include "sshconnect.h"
#include "authfile.h"
#include "misc.h"
#include "canohost.h"
#include "hostfile.h"
#include "auth.h"
4 sshconnect2.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect2.c,v 1.209 2014/06/24 01:13:21 djm Exp $ */
/* $OpenBSD: sshconnect2.c,v 1.210 2014/07/15 15:54:14 millert Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -61,8 +61,8 @@
#include "dh.h"
#include "authfd.h"
#include "log.h"
#include "readconf.h"
#include "misc.h"
#include "readconf.h"
#include "match.h"
#include "dispatch.h"
#include "canohost.h"
4 sshd.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.427 2014/06/24 01:13:21 djm Exp $ */
/* $OpenBSD: sshd.c,v 1.428 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -93,6 +93,7 @@
#include "packet.h"
#include "log.h"
#include "buffer.h"
#include "misc.h"
#include "servconf.h"
#include "uidswap.h"
#include "compat.h"
@@ -108,7 +109,6 @@
#include "hostfile.h"
#include "auth.h"
#include "authfd.h"
#include "misc.h"
#include "msg.h"
#include "dispatch.h"
#include "channels.h"
51 sshd_config.5
View file
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.174 2014/07/03 22:40:43 djm Exp $
.Dd $Mdocdate: July 3 2014 $
.\" $OpenBSD: sshd_config.5,v 1.175 2014/07/15 15:54:14 millert Exp $
.Dd $Mdocdate: July 15 2014 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@@ -140,6 +140,26 @@ The default is
Note that disabling TCP forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.It Cm AllowStreamLocalForwarding
Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
The available options are
.Dq yes
or
.Dq all
to allow StreamLocal forwarding,
.Dq no
to prevent all StreamLocal forwarding,
.Dq local
to allow local (from the perspective of
.Xr ssh 1 )
forwarding only or
.Dq remote
to allow remote forwarding only.
The default is
.Dq yes .
Note that disabling StreamLocal forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.It Cm AllowUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
@@ -1171,6 +1191,33 @@ This option applies to protocol version 1 only.
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024.
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask
.Pq umask
used when creating a Unix-domain socket file for local or remote
port forwarding.
This option is only used for port forwarding to a Unix-domain socket file.
.Pp
The default value is 0177, which creates a Unix-domain socket file that is
readable and writable only by the owner.
Note that not all operating systems honor the file mode on Unix-domain
socket files.
.It Cm StreamLocalBindUnlink
Specifies whether to remove an existing Unix-domain socket file for local
or remote port forwarding before creating a new one.
If the socket file already exists and
.Cm StreamLocalBindUnlink
is not enabled,
.Nm sshd
will be unable to forward the port to the Unix-domain socket file.
This option is only used for port forwarding to a Unix-domain socket file.
.Pp
The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq no .
.It Cm StrictModes
Specifies whether
.Xr sshd 8
3 sshlogin.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: sshlogin.c,v 1.28 2014/01/31 16:39:19 tedu Exp $ */
/* $OpenBSD: sshlogin.c,v 1.29 2014/07/15 15:54:14 millert Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -58,6 +58,7 @@
#include "loginrec.h"
#include "log.h"
#include "buffer.h"
#include "misc.h"
#include "servconf.h"

extern Buffer loginmsg;