Remove address limitation for direct-tcpip for now

7 years ago · deca5d5d13
parent cba5592d42
commit deca5d5d13
2 changed files with 12 additions and 6 deletions
--- a/4
+++ b/4
@ -1,4 +1,8 @@
 * Make sure to not run this as root (setuid doesn't work well), so use NET capabilities
+* Allow limiting the hosts that one can connect to use direct-tcpip (right now
+  all hosts are allowed)
+* Allow lifting restrictions on what clients can bind on with forwarded-tcpip
+
 * Check assertions and TODOs.
 * Look if/where we want to set deadlines on open sockets
 * Go through all log.Println calls, and make sure they are unique(?) and
--- a/sshd.go
+++ b/sshd.go
@ -206,12 +206,14 @@ func handleDirect(client *sshClient, newChannel ssh.NewChannel) {
 		return
 	}

-	// XXX: Is this sensible?
-	if payload.Addr != "localhost" && payload.Addr != "::1" && payload.Addr != "127.0.0.1" {
-		log.Printf("[%s] Tried to connect to prohibited host: %s", client.Name, payload.Addr)
-		newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Bad addr"))
-		return
-	}
+	/*
+		// XXX: Is this sensible?
+		if payload.Addr != "localhost" && payload.Addr != "::1" && payload.Addr != "127.0.0.1" {
+			log.Printf("[%s] Tried to connect to prohibited host: %s", client.Name, payload.Addr)
+			newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Bad addr"))
+			return
+		}
+	*/

 	if !portPermitted(payload.Port, client.AllowedLocalPorts) {
 		newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Bad port"))