From deca5d5d1362214807714582c6e970f23f451a50 Mon Sep 17 00:00:00 2001
From: "Merlijn B. W. Wajer"
Date: Thu, 27 Apr 2017 12:37:37 +0200
Subject: [PATCH] Remove address limitation for direct-tcpip for now

---
 TODO | 4 ++++
 sshd.go | 14 ++++++++------
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/TODO b/TODO
index 8fe9e70..f79556e 100644
--- a/TODO
+++ b/TODO
@@ -1,4 +1,8 @@
 * Make sure to not run this as root (setuid doesn't work well), so use NET capabilities
+* Allow limiting the hosts that one can connect to use direct-tcpip (right now
+ all hosts are allowed)
+* Allow lifting restrictions on what clients can bind on with forwarded-tcpip
+
 * Check assertions and TODOs.
 * Look if/where we want to set deadlines on open sockets
 * Go through all log.Println calls, and make sure they are unique(?) and
diff --git a/sshd.go b/sshd.go
index 7957d18..d71609f 100644
--- a/sshd.go
+++ b/sshd.go
@@ -206,12 +206,14 @@ func handleDirect(client *sshClient, newChannel ssh.NewChannel) {
 		return
 	}
 
-	// XXX: Is this sensible?
-	if payload.Addr != "localhost" && payload.Addr != "::1" && payload.Addr != "127.0.0.1" {
-		log.Printf("[%s] Tried to connect to prohibited host: %s", client.Name, payload.Addr)
-		newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Bad addr"))
-		return
-	}
+	/*
+		// XXX: Is this sensible?
+		if payload.Addr != "localhost" && payload.Addr != "::1" && payload.Addr != "127.0.0.1" {
+			log.Printf("[%s] Tried to connect to prohibited host: %s", client.Name, payload.Addr)
+			newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Bad addr"))
+			return
+		}
+	*/
 
 	if !portPermitted(payload.Port, client.AllowedLocalPorts) {
 		newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Bad port"))
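Review bot: With the address check commented out, the only gate left before the outbound connect in handleDirect is `portPermitted(payload.Port, client.AllowedLocalPorts)`, so any authenticated client can now open a direct-tcpip channel to any host reachable from the server on a permitted port — the daemon becomes a TCP proxy into whatever network it sits on (internal services, link-local metadata endpoints), which the new TODO entry acknowledges but nothing in the code guards against. If the restriction has to go for now, I would at least log the requested target so the exposure is visible, e.g. `log.Printf("[%s] direct-tcpip to %s:%d", client.Name, payload.Addr, payload.Port)` placed before the port check, and track a per-client host allow-list alongside `AllowedLocalPorts` rather than an all-or-nothing switch. When the host check returns it should compare parsed addresses (net.ParseIP / IsLoopback) rather than strings, since the old `"localhost"`/`"127.0.0.1"`/`"::1"` comparison would not have caught other loopback forms such as `127.0.0.2` or `::ffff:127.0.0.1`. Deleting the old block is preferable to parking it in a `/* */` comment, as the history is already in git. handleDirect's body begins before and continues after this hunk.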