Add native dynamic port forwarding
ci / test (push) Has been cancelled
ci / remote-bench (push) Has been cancelled

This commit is contained in:
DuProcess
2026-06-13 15:48:49 -04:00
parent 64b00783fd
commit 3642de71e4
4 changed files with 322 additions and 33 deletions
+32 -18
View File
@@ -395,28 +395,31 @@ impl AuthorizedKey {
if self.options.force_command.is_some() {
bail!("authorized key command= is not supported for native Dosh terminal login");
}
if self.options.no_port_forwarding
&& auth
.requested_forwardings
.iter()
.any(|forwarding| !matches!(forwarding.kind, ForwardingKind::Dynamic))
{
if self.options.no_port_forwarding && !auth.requested_forwardings.is_empty() {
bail!("authorized key forbids port forwarding");
}
if !self.options.permitopen.is_empty() {
for forwarding in &auth.requested_forwardings {
if matches!(forwarding.kind, ForwardingKind::Local)
&& let (Some(host), Some(port)) =
(forwarding.target_host.as_ref(), forwarding.target_port)
{
let target = format!("{host}:{port}");
if !self
.options
.permitopen
.iter()
.any(|permit| permit == &target)
{
bail!("authorized key does not permit opening {target}");
match forwarding.kind {
ForwardingKind::Local => {
if let (Some(host), Some(port)) =
(forwarding.target_host.as_ref(), forwarding.target_port)
{
let target = format!("{host}:{port}");
if !self
.options
.permitopen
.iter()
.any(|permit| permit == &target)
{
bail!("authorized key does not permit opening {target}");
}
}
}
ForwardingKind::Remote | ForwardingKind::Dynamic => {
bail!(
"authorized key permitopen= cannot authorize remote or dynamic forwarding"
);
}
}
}
@@ -1040,6 +1043,17 @@ mod tests {
))
.unwrap();
assert!(verify_native_user_auth(&client, &server, &auth, &denied).is_err());
let dynamic = ForwardingRequest {
kind: ForwardingKind::Dynamic,
bind_host: Some("127.0.0.1".to_string()),
listen_port: 1080,
target_host: None,
target_port: None,
};
let dynamic_auth = sign_user_auth(&user_signing, &client, &server, vec![dynamic]).unwrap();
assert!(verify_native_user_auth(&client, &server, &dynamic_auth, &no_forwarding).is_err());
assert!(verify_native_user_auth(&client, &server, &dynamic_auth, &permitted).is_err());
}
fn test_client_hello() -> NativeClientHello {