authorflorian <florian@openbsd.org>2019-05-10 18:55:17 +0000
committerflorian <florian@openbsd.org>2019-05-10 18:55:17 +0000
commitf0bd690d60ce997ef1c670475a9ee3979fcb75f8 (patch)
tree6973244f5bef9caf05958d8c9de76efef45c2d45
parentReduce number of timehands from to just two. (diff)
For PermitOpen violations add the remote host and port to
be able to find out from where the request was coming. Add the same logging for PermitListen violations which were not logged at all. Pointed out by Robert Kisteleki (robert AT ripe.net) input markus OK deraadt
-rw-r--r--usr.bin/ssh/channels.c24
1 files changed, 21 insertions, 3 deletions
diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c
index e8bb75028df..69836ed0a76 100644
--- a/usr.bin/ssh/channels.c
+++ b/usr.bin/ssh/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.390 2019/05/03 04:11:00 dtucker Exp $ */
+/* $OpenBSD: channels.c,v 1.391 2019/05/10 18:55:17 florian Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3782,6 +3782,23 @@ channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd,
{
if (!check_rfwd_permission(ssh, fwd)) {
ssh_packet_send_debug(ssh, "port forwarding refused");
+ if (fwd->listen_path != NULL)
+ /* XXX always allowed, see remote_open_match() */
+ logit("Received request from %.100s port %d to "
+ "remote forward to path \"%.100s\", "
+ "but the request was denied.",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ fwd->listen_path);
+ else if(fwd->listen_host != NULL)
+ logit("Received request from %.100s port %d to "
+ "remote forward to host %.100s port %d, "
+ "but the request was denied.",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+ fwd->listen_host, fwd->listen_port );
+ else
+ logit("Received request from %.100s port %d to remote "
+ "forward, but the request was denied.",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
return 0;
}
if (fwd->listen_path != NULL) {
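Review bot: The new messages that print `fwd->listen_path` and `fwd->listen_host` write peer-chosen strings into the log, so it is worth confirming that `logit()` escapes control characters before they reach the log sink; that is not visible in this hunk, and `%.100s` only bounds the length. The same applies to `host` in the `channel_connect_to_port` hunk, which was already logged before this change. The `XXX` comment suggests the path branch is not reached today, and a fuller comment such as `/* XXX not reached today: path listeners are always permitted, see remote_open_match() */` would make that explicit. Two spacing nits: `else if(` should read `else if (`, and `fwd->listen_port );` should read `fwd->listen_port);`. The body of `channel_setup_remote_fwd_listener` continues outside the hunk.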
@@ -4377,8 +4394,9 @@ channel_connect_to_port(struct ssh *ssh, const char *host, u_short port,
}
if (!permit || !permit_adm) {
- logit("Received request to connect to host %.100s port %d, "
- "but the request was denied.", host, port);
+ logit("Received request from %.100s port %d to connect to "
+ "host %.100s port %d, but the request was denied.",
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), host, port);
if (reason != NULL)
*reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
return NULL;