ping? On Fri, Sep 18, 2015 at 06:46:20PM +0300, Ossi Herrala wrote: > Hi everyone, > > The following patch makes it possible to build SSH layer 2 (and layer > 3) tunnels without using root permissions when connecting. > > This is achieved by root setting up everything beforehand so sshd > doesn't have to do it. However, the old functionality of sshd setting > things up with root permissions is preserved. > > What my patch does is: > > 1. Check the current value of network interface parameters > 2. If change is needed try to do it: > * Fail like it failed before if no permissions > * Or set the parameters and proceed like before > 3. If no changes needed just continue without fail. > > > After the patch is applied and sshd is rebuilt, installed and > restarted one can set up SSH layer 2 tunnel server as follows: > > * groupadd tunnel > * useradd -m -c "Test User" -G tunnel test > * chown :tunnel /dev/tun? && chmod g+rw /dev/tun? > * for i in 0 1 2 3; do printf "create\nlink0\nup\n" >/etc/hostname.tun$i; > done > * for i in 0 1 2 3; do sh /etc/netstart tun$i; done > > Now things should look like this: > > * ls -l /dev/tun0 > crw-rw---- 1 root tunnel 40, 0 Sep 18 14:52 /dev/tun0 > > * ifconfig tun0 > tun0: flags=9803<UP,BROADCAST,SIMPLEX,LINK0,MULTICAST> mtu 1500 > lladdr fe:e1:ba:d1:6b:94 > priority: 0 > groups: tun > status: no carrier > > Last, config sshd to allow tunnels: > > * echo "PermitTunnel ethernet" >>/etc/ssh/sshd_config > * kill -HUP `cat /var/run/sshd.pid` > > > And connect from client (client needs permissions, check yours): > > * ssh -w any -o Tunnel=ethernet [email protected] > > > Is this patch the correct way of achieving what's described above? > > Thanks, > Ossi Herrala > > > Index: usr.bin/ssh/misc.c > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/misc.c,v > retrieving revision 1.97 > diff -u -p -r1.97 misc.c > --- usr.bin/ssh/misc.c 24 Apr 2015 01:36:00 -0000 1.97 > +++ usr.bin/ssh/misc.c 18 Sep 2015 14:08:27 -0000 > @@ -664,19 +664,21 @@ tun_open(int tun, int mode) > if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) > goto failed; > > - /* Set interface mode */ > - ifr.ifr_flags &= ~IFF_UP; > - if (mode == SSH_TUNMODE_ETHERNET) > - ifr.ifr_flags |= IFF_LINK0; > - else > - ifr.ifr_flags &= ~IFF_LINK0; > - if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) > - goto failed; > + if (((mode == SSH_TUNMODE_ETHERNET) && !(ifr.ifr_flags & IFF_LINK0)) || > + ((mode != SSH_TUNMODE_ETHERNET) && ifr.ifr_flags & IFF_LINK0)) { > + /* Set interface mode */ > + ifr.ifr_flags &= ~IFF_UP; > + ifr.ifr_flags ^= IFF_LINK0; > + if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) > + goto failed; > + } > > - /* Bring interface up */ > - ifr.ifr_flags |= IFF_UP; > - if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) > - goto failed; > + if (!(ifr.ifr_flags & IFF_UP)) { > + /* Bring interface up */ > + ifr.ifr_flags |= IFF_UP; > + if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) > + goto failed; > + } > > close(sock); > return (fd); >
-- Ossi Herrala
