Posted to commits@mina.apache.org by sp...@apache.org on 2009/12/15 21:24:16 UTC

svn commit: r890974 - in /mina/sshd/trunk/sshd-core/src: main/java/org/apache/sshd/ main/java/org/apache/sshd/client/channel/ main/java/org/apache/sshd/server/ main/java/org/apache/sshd/server/channel/ main/java/org/apache/sshd/server/session/ test/jav...

Author: spearce
Date: Tue Dec 15 20:24:15 2009
New Revision: 890974

URL: http://svn.apache.org/viewvc?rev=890974&view=rev
Log:
Filter agent and X11 port forwarding requests

Some server embeddings might not want to permit agent or X11 port
forwarding from clients, as they could consume limited server
resources like listen sockets that will never receive an inbound
connection.  Although less risky to the host server than TCP/IP
port forwarding, some embedders still don't want a client to be
able to request and consume these resources.

Rename the TcpIpForwardFilter to just ForwardingFilter and add
methods to validate permission to forward the agent and X11.

Added:
    mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/ForwardingFilter.java
      - copied, changed from r890868, mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/TcpIpForwardFilter.java
    mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/util/BogusForwardingFilter.java
      - copied, changed from r890868, mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/util/BogusTcpIpForwardFilter.java
Removed:
    mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/TcpIpForwardFilter.java
    mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/util/BogusTcpIpForwardFilter.java
Modified:
    mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/SshServer.java
    mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/client/channel/ChannelAgentForwarding.java
    mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/ServerFactoryManager.java
    mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelDirectTcpip.java
    mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelSession.java
    mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/session/AgentForwardSupport.java
    mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/session/TcpipForwardSupport.java
    mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/PortForwardingTest.java

Modified: mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/SshServer.java
URL: http://svn.apache.org/viewvc/mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/SshServer.java?rev=890974&r1=890973&r2=890974&view=diff
==============================================================================
--- mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/SshServer.java (original)
+++ mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/SshServer.java Tue Dec 15 20:24:15 2009
@@ -68,7 +68,7 @@
 import org.apache.sshd.server.PasswordAuthenticator;
 import org.apache.sshd.server.PublickeyAuthenticator;
 import org.apache.sshd.server.ServerFactoryManager;
-import org.apache.sshd.server.TcpIpForwardFilter;
+import org.apache.sshd.server.ForwardingFilter;
 import org.apache.sshd.server.UserAuth;
 import org.apache.sshd.server.auth.UserAuthPassword;
 import org.apache.sshd.server.auth.UserAuthPublicKey;
@@ -120,7 +120,7 @@
     protected List<NamedFactory<Command>> subsystemFactories;
     protected PasswordAuthenticator passwordAuthenticator;
     protected PublickeyAuthenticator publickeyAuthenticator;
-    protected TcpIpForwardFilter tcpIpForwardFilter;
+    protected ForwardingFilter forwardingFilter;
 
     public SshServer() {
     }
@@ -226,12 +226,12 @@
         this.publickeyAuthenticator = publickeyAuthenticator;
     }
 
-    public TcpIpForwardFilter getTcpIpForwardFilter() {
-        return tcpIpForwardFilter;
+    public ForwardingFilter getForwardingFilter() {
+        return forwardingFilter;
     }
 
-    public void setTcpIpForwardFilter(TcpIpForwardFilter tcpIpForwardFilter) {
-        this.tcpIpForwardFilter = tcpIpForwardFilter;
+    public void setForwardingFilter(ForwardingFilter forwardingFilter) {
+        this.forwardingFilter = forwardingFilter;
     }
 
     protected void checkConfig() {
@@ -457,7 +457,15 @@
                 return true;
             }
         });
-        sshd.setTcpIpForwardFilter(new TcpIpForwardFilter() {
+        sshd.setForwardingFilter(new ForwardingFilter() {
+            public boolean canForwardAgent(ServerSession session) {
+                return true;
+            }
+
+            public boolean canForwardX11(ServerSession session) {
+                return true;
+            }
+
             public boolean canListen(InetSocketAddress address, ServerSession session) {
                 return true;
             }
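Review bot: The anonymous ForwardingFilter installed here answers true for canForwardAgent and canForwardX11 without any comment, so the reader cannot tell whether the permissive policy is deliberate for this standalone launcher or an oversight to revisit. Since ServerFactoryManager documents that a missing filter rejects everything, this is the one place in the commit where the restrictive default is overridden, and it deserves a line saying so, e.g. `// Standalone launcher: permit all forwarding; embedders should install their own ForwardingFilter.` placed above `sshd.setForwardingFilter(...)`. The enclosing method and the anonymous class both continue outside this hunk.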

Modified: mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/client/channel/ChannelAgentForwarding.java
URL: http://svn.apache.org/viewvc/mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/client/channel/ChannelAgentForwarding.java?rev=890974&r1=890973&r2=890974&view=diff
==============================================================================
--- mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/client/channel/ChannelAgentForwarding.java (original)
+++ mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/client/channel/ChannelAgentForwarding.java Tue Dec 15 20:24:15 2009
@@ -42,7 +42,7 @@
 import org.apache.sshd.common.future.SshFutureListener;
 import org.apache.sshd.common.util.Buffer;
 import org.apache.sshd.common.util.BufferUtils;
-import org.apache.sshd.server.TcpIpForwardFilter;
+import org.apache.sshd.server.ForwardingFilter;
 import org.apache.sshd.server.channel.AbstractServerChannel;
 import org.apache.sshd.server.channel.OpenChannelException;
 import org.apache.sshd.server.session.ServerSession;

Copied: mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/ForwardingFilter.java (from r890868, mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/TcpIpForwardFilter.java)
URL: http://svn.apache.org/viewvc/mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/ForwardingFilter.java?p2=mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/ForwardingFilter.java&p1=mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/TcpIpForwardFilter.java&r1=890868&r2=890974&rev=890974&view=diff
==============================================================================
--- mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/TcpIpForwardFilter.java (original)
+++ mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/ForwardingFilter.java Tue Dec 15 20:24:15 2009
@@ -18,16 +18,41 @@
  */
 package org.apache.sshd.server;
 
+import org.apache.sshd.SshAgent;
 import org.apache.sshd.server.session.ServerSession;
 
 import java.net.InetSocketAddress;
 
 /**
- * Determines if a TCP/IP forwarding will be permitted.
+ * Determines if a forwarding request will be permitted.
  *
  * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
  */
-public interface TcpIpForwardFilter {
+public interface ForwardingFilter {
+    /**
+     * Determine if the session may arrange for agent forwarding.
+     * <p>
+     * This server process will open a new listen socket locally and export
+     * the address in the {@link SshAgent#SSH_AUTHSOCKET_ENV_NAME} environment
+     * variable.
+     *
+     * @param session session requesting permission to forward the agent.
+     * @return true if the agent forwarding is permitted, false if denied.
+     */
+    boolean canForwardAgent(ServerSession session);
+
+    /**
+     * Determine if the session may arrange for X11 forwarding.
+     * <p>
+     * This server process will open a new listen socket locally and export
+     * the address in the environment so X11 clients can be tunneled to the
+     * user's X11 display server.
+     *
+     * @param session session requesting permission to forward X11 connections.
+     * @return true if the X11 forwarding is permitted, false if denied.
+     */
+    boolean canForwardX11(ServerSession session);
+
     /**
      * Determine if the session may listen for inbound connections.
      * <p>
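Review bot: The interface Javadoc says only that it "determines if a forwarding request will be permitted"; it should also state the contract that implementors and embedders rely on: that no filter configured (a null return from ServerFactoryManager.getForwardingFilter) rejects every request, and what a false result produces on the wire. From the other hunks in this commit a denied agent or X11 request is answered with SSH_MSG_CHANNEL_FAILURE when the client asked for a reply, while a denied tcpip listen request is answered with SSH_MSG_REQUEST_FAILURE; a short paragraph on the interface saying so would let an implementor predict client behaviour without reading ChannelSession and TcpipForwardSupport. A note on the two new methods that the session is only passed for identification (the address of the listen socket is chosen by the server, unlike canListen/canConnect) would also help, since the asymmetry in parameters is otherwise unexplained.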

Modified: mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/ServerFactoryManager.java
URL: http://svn.apache.org/viewvc/mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/ServerFactoryManager.java?rev=890974&r1=890973&r2=890974&view=diff
==============================================================================
--- mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/ServerFactoryManager.java (original)
+++ mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/ServerFactoryManager.java Tue Dec 15 20:24:15 2009
@@ -60,13 +60,13 @@
     PasswordAuthenticator getPasswordAuthenticator();
 
     /**
-     * Retrieve the <code>TcpIpForwardFilter</code> to be used by the SSH server.
+     * Retrieve the <code>ForwardingFilter</code> to be used by the SSH server.
      * If no filter has been configured (i.e. this method returns
      * <code>null</code>), then all forwarding requests will be rejected.
      *
-     * @return the <code>TcpIpForwardFilter</code> or <code>null</code>
+     * @return the <code>ForwardingFilter</code> or <code>null</code>
      */
-    TcpIpForwardFilter getTcpIpForwardFilter();
+    ForwardingFilter getForwardingFilter();
 
     /**
      * Retrieve the <code>ShellFactory</code> object to be used to create shells.

Modified: mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelDirectTcpip.java
URL: http://svn.apache.org/viewvc/mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelDirectTcpip.java?rev=890974&r1=890973&r2=890974&view=diff
==============================================================================
--- mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelDirectTcpip.java (original)
+++ mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelDirectTcpip.java Tue Dec 15 20:24:15 2009
@@ -42,7 +42,7 @@
 import org.apache.sshd.common.future.SshFuture;
 import org.apache.sshd.common.future.SshFutureListener;
 import org.apache.sshd.common.util.Buffer;
-import org.apache.sshd.server.TcpIpForwardFilter;
+import org.apache.sshd.server.ForwardingFilter;
 import org.apache.sshd.server.session.ServerSession;
 
 /**
@@ -83,7 +83,7 @@
         }
 
         final ServerSession serverSession = (ServerSession)getSession();
-        final TcpIpForwardFilter filter = serverSession.getServerFactoryManager().getTcpIpForwardFilter();
+        final ForwardingFilter filter = serverSession.getServerFactoryManager().getForwardingFilter();
         if (address == null || filter == null || !filter.canConnect(address, serverSession)) {
             super.close(true);
             f.setException(new OpenChannelException(SshConstants.SSH_OPEN_ADMINISTRATIVELY_PROHIBITED, "connect denied"));

Modified: mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelSession.java
URL: http://svn.apache.org/viewvc/mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelSession.java?rev=890974&r1=890973&r2=890974&view=diff
==============================================================================
--- mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelSession.java (original)
+++ mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelSession.java Tue Dec 15 20:24:15 2009
@@ -45,6 +45,7 @@
 import org.apache.sshd.server.Command;
 import org.apache.sshd.server.Environment;
 import org.apache.sshd.server.ExitCallback;
+import org.apache.sshd.server.ForwardingFilter;
 import org.apache.sshd.server.SessionAware;
 import org.apache.sshd.server.Signal;
 import org.apache.sshd.server.SignalListener;
@@ -458,7 +459,18 @@
     protected boolean handleAgentForwarding(Buffer buffer) throws IOException {
         boolean wantReply = buffer.getBoolean();
 
-        int authSocket = ((ServerSession) session).initAgentForward();
+        final ServerSession server = (ServerSession) session;
+        final ForwardingFilter filter = server.getServerFactoryManager().getForwardingFilter();
+        if (filter == null || !filter.canForwardAgent(server)) {
+            if (wantReply) {
+                buffer = session.createBuffer(SshConstants.Message.SSH_MSG_CHANNEL_FAILURE, 0);
+                buffer.putInt(recipient);
+                session.writePacket(buffer);
+            }
+            return true;
+        }
+
+        int authSocket = server.initAgentForward();
         addEnvVariable(SshAgent.SSH_AUTHSOCKET_ENV_NAME, Integer.toString(authSocket));
 
         if (wantReply) {
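Review bot: The denial block added in handleAgentForwarding (filter lookup, SSH_MSG_CHANNEL_FAILURE reply, `return true`) is repeated verbatim in handleX11Forwarding in the next hunk, and the existing tcpip path in TcpipForwardSupport has a third copy of the same reply pattern; a small private helper in ChannelSession would keep the two channel-request handlers from drifting apart the next time the reply format changes. The helper below preserves the behaviour of both hunks, including reusing the method's `buffer` only for reading wantReply and always returning true so the request is treated as consumed. If ChannelSession has a logger (not visible in the hunk), the denial is also a natural place for a debug-level line naming the request type, since a silently rejected request is otherwise invisible to the operator.

```java
protected boolean handleAgentForwarding(Buffer buffer) throws IOException {
    boolean wantReply = buffer.getBoolean();

    final ServerSession server = (ServerSession) session;
    final ForwardingFilter filter = server.getServerFactoryManager().getForwardingFilter();
    if (filter == null || !filter.canForwardAgent(server)) {
        return rejectRequest(wantReply);
    }
    // … unchanged: initAgentForward, env variable, success reply …
}

/**
 * Answers a denied channel request with SSH_MSG_CHANNEL_FAILURE when the client
 * asked for a reply. Always returns true: the request was handled, just refused.
 */
private boolean rejectRequest(boolean wantReply) throws IOException {
    if (wantReply) {
        Buffer reply = session.createBuffer(SshConstants.Message.SSH_MSG_CHANNEL_FAILURE, 0);
        reply.putInt(recipient);
        session.writePacket(reply);
    }
    return true;
}
```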
@@ -471,6 +483,18 @@
 
     protected boolean handleX11Forwarding(Buffer buffer) throws IOException {
         boolean wantReply = buffer.getBoolean();
+
+        final ServerSession server = (ServerSession) session;
+        final ForwardingFilter filter = server.getServerFactoryManager().getForwardingFilter();
+        if (filter == null || !filter.canForwardX11(server)) {
+            if (wantReply) {
+                buffer = session.createBuffer(SshConstants.Message.SSH_MSG_CHANNEL_FAILURE, 0);
+                buffer.putInt(recipient);
+                session.writePacket(buffer);
+            }
+            return true;
+        }
+
         // TODO: start x11 forwarding
         if (wantReply) {
             buffer = session.createBuffer(SshConstants.Message.SSH_MSG_CHANNEL_SUCCESS, 0);
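Review bot: The new permission check guards a feature the surrounding context shows is not implemented yet (`// TODO: start x11 forwarding` is still followed by an unconditional SSH_MSG_CHANNEL_SUCCESS), so a client whose filter allows X11 receives a success reply even though no listener or DISPLAY variable is set up. That mismatch predates this commit, but adding the filter makes it easy to assume X11 now works end to end; a comment such as `// NOTE: permission is checked, but the forwarding itself is not yet set up (see TODO below)` above the filter block, or replying with failure until the TODO is resolved, would keep the behaviour honest. The method's closing lines are outside the hunk.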

Modified: mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/session/AgentForwardSupport.java
URL: http://svn.apache.org/viewvc/mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/session/AgentForwardSupport.java?rev=890974&r1=890973&r2=890974&view=diff
==============================================================================
--- mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/session/AgentForwardSupport.java (original)
+++ mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/session/AgentForwardSupport.java Tue Dec 15 20:24:15 2009
@@ -32,7 +32,7 @@
 import org.apache.sshd.common.SshException;
 import org.apache.sshd.common.channel.ChannelOutputStream;
 import org.apache.sshd.common.util.Buffer;
-import org.apache.sshd.server.TcpIpForwardFilter;
+import org.apache.sshd.server.ForwardingFilter;
 
 import java.io.IOException;
 import java.net.InetSocketAddress;

Modified: mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/session/TcpipForwardSupport.java
URL: http://svn.apache.org/viewvc/mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/session/TcpipForwardSupport.java?rev=890974&r1=890973&r2=890974&view=diff
==============================================================================
--- mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/session/TcpipForwardSupport.java (original)
+++ mina/sshd/trunk/sshd-core/src/main/java/org/apache/sshd/server/session/TcpipForwardSupport.java Tue Dec 15 20:24:15 2009
@@ -38,7 +38,7 @@
 import org.apache.sshd.common.SshException;
 import org.apache.sshd.common.channel.ChannelOutputStream;
 import org.apache.sshd.common.util.Buffer;
-import org.apache.sshd.server.TcpIpForwardFilter;
+import org.apache.sshd.server.ForwardingFilter;
 
 /**
  * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
@@ -80,7 +80,7 @@
             addr = null;
         }
 
-        final TcpIpForwardFilter filter = session.getServerFactoryManager().getTcpIpForwardFilter();
+        final ForwardingFilter filter = session.getServerFactoryManager().getForwardingFilter();
         if (addr == null || filter == null || !filter.canListen(addr, session)) {
             if (wantReply) {
                 buffer = session.createBuffer(SshConstants.Message.SSH_MSG_REQUEST_FAILURE, 0);

Modified: mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/PortForwardingTest.java
URL: http://svn.apache.org/viewvc/mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/PortForwardingTest.java?rev=890974&r1=890973&r2=890974&view=diff
==============================================================================
--- mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/PortForwardingTest.java (original)
+++ mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/PortForwardingTest.java Tue Dec 15 20:24:15 2009
@@ -37,7 +37,7 @@
 import org.apache.mina.transport.socket.nio.NioSocketAcceptor;
 import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
 import org.apache.sshd.util.BogusPasswordAuthenticator;
-import org.apache.sshd.util.BogusTcpIpForwardFilter;
+import org.apache.sshd.util.BogusForwardingFilter;
 import org.apache.sshd.util.EchoShellFactory;
 import org.junit.After;
 import org.junit.Before;
@@ -76,7 +76,7 @@
         sshd.setKeyPairProvider(new FileKeyPairProvider(new String[] { "src/test/resources/hostkey.pem" }));
         sshd.setShellFactory(new EchoShellFactory());
         sshd.setPasswordAuthenticator(new BogusPasswordAuthenticator());
-        sshd.setTcpIpForwardFilter(new BogusTcpIpForwardFilter());
+        sshd.setForwardingFilter(new BogusForwardingFilter());
         sshd.start();
 
         NioSocketAcceptor acceptor = new NioSocketAcceptor();
@@ -198,7 +198,7 @@
         final int nbDownloads = 2;
         final int nbLoops = 2;
 
-        final int port = getFreePort(); 
+        final int port = getFreePort();
         StringBuilder resp = new StringBuilder();
         resp.append("<html><body>\n");
         for (int i = 0; i < 1000; i++) {

Copied: mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/util/BogusForwardingFilter.java (from r890868, mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/util/BogusTcpIpForwardFilter.java)
URL: http://svn.apache.org/viewvc/mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/util/BogusForwardingFilter.java?p2=mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/util/BogusForwardingFilter.java&p1=mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/util/BogusTcpIpForwardFilter.java&r1=890868&r2=890974&rev=890974&view=diff
==============================================================================
--- mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/util/BogusTcpIpForwardFilter.java (original)
+++ mina/sshd/trunk/sshd-core/src/test/java/org/apache/sshd/util/BogusForwardingFilter.java Tue Dec 15 20:24:15 2009
@@ -18,7 +18,7 @@
  */
 package org.apache.sshd.util;
 
-import org.apache.sshd.server.TcpIpForwardFilter;
+import org.apache.sshd.server.ForwardingFilter;
 import org.apache.sshd.server.session.ServerSession;
 
 import java.net.InetSocketAddress;
@@ -28,7 +28,15 @@
  *
  * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
  */
-public class BogusTcpIpForwardFilter implements TcpIpForwardFilter {
+public class BogusForwardingFilter implements ForwardingFilter {
+    public boolean canForwardAgent(ServerSession session) {
+        return true;
+    }
+
+    public boolean canForwardX11(ServerSession session) {
+        return true;
+    }
+
     public boolean canConnect(InetSocketAddress address, ServerSession session) {
         return true;
     }
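Review bot: The fixture answers true for both new methods, and the PortForwardingTest hunks in this commit only rename the filter, so nothing exercises the new deny path in ChannelSession (filter null, or canForwardAgent/canForwardX11 returning false, producing SSH_MSG_CHANNEL_FAILURE). Since the commit's purpose is the ability to refuse these requests, a second fixture or a small configurable flag on this stub, e.g. `private final boolean allowAgent;` with a constructor argument, would let a test assert the refusal without touching the existing permissive tests. Whether an existing test already covers the null-filter case cannot be told from the hunks shown.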