Add native dynamic port forwarding
This commit is contained in:
+32
-18
@@ -395,28 +395,31 @@ impl AuthorizedKey {
|
||||
if self.options.force_command.is_some() {
|
||||
bail!("authorized key command= is not supported for native Dosh terminal login");
|
||||
}
|
||||
if self.options.no_port_forwarding
|
||||
&& auth
|
||||
.requested_forwardings
|
||||
.iter()
|
||||
.any(|forwarding| !matches!(forwarding.kind, ForwardingKind::Dynamic))
|
||||
{
|
||||
if self.options.no_port_forwarding && !auth.requested_forwardings.is_empty() {
|
||||
bail!("authorized key forbids port forwarding");
|
||||
}
|
||||
if !self.options.permitopen.is_empty() {
|
||||
for forwarding in &auth.requested_forwardings {
|
||||
if matches!(forwarding.kind, ForwardingKind::Local)
|
||||
&& let (Some(host), Some(port)) =
|
||||
(forwarding.target_host.as_ref(), forwarding.target_port)
|
||||
{
|
||||
let target = format!("{host}:{port}");
|
||||
if !self
|
||||
.options
|
||||
.permitopen
|
||||
.iter()
|
||||
.any(|permit| permit == &target)
|
||||
{
|
||||
bail!("authorized key does not permit opening {target}");
|
||||
match forwarding.kind {
|
||||
ForwardingKind::Local => {
|
||||
if let (Some(host), Some(port)) =
|
||||
(forwarding.target_host.as_ref(), forwarding.target_port)
|
||||
{
|
||||
let target = format!("{host}:{port}");
|
||||
if !self
|
||||
.options
|
||||
.permitopen
|
||||
.iter()
|
||||
.any(|permit| permit == &target)
|
||||
{
|
||||
bail!("authorized key does not permit opening {target}");
|
||||
}
|
||||
}
|
||||
}
|
||||
ForwardingKind::Remote | ForwardingKind::Dynamic => {
|
||||
bail!(
|
||||
"authorized key permitopen= cannot authorize remote or dynamic forwarding"
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1040,6 +1043,17 @@ mod tests {
|
||||
))
|
||||
.unwrap();
|
||||
assert!(verify_native_user_auth(&client, &server, &auth, &denied).is_err());
|
||||
|
||||
let dynamic = ForwardingRequest {
|
||||
kind: ForwardingKind::Dynamic,
|
||||
bind_host: Some("127.0.0.1".to_string()),
|
||||
listen_port: 1080,
|
||||
target_host: None,
|
||||
target_port: None,
|
||||
};
|
||||
let dynamic_auth = sign_user_auth(&user_signing, &client, &server, vec![dynamic]).unwrap();
|
||||
assert!(verify_native_user_auth(&client, &server, &dynamic_auth, &no_forwarding).is_err());
|
||||
assert!(verify_native_user_auth(&client, &server, &dynamic_auth, &permitted).is_err());
|
||||
}
|
||||
|
||||
fn test_client_hello() -> NativeClientHello {
|
||||
|
||||
Reference in New Issue
Block a user