authorDamien Miller <djm@mindrot.org>2012-06-20 21:53:58 +1000
committerDamien Miller <djm@mindrot.org>2012-06-20 21:53:58 +1000
commitc24da77015900e4e416a9f3ac5f51001abb0fd20 (patch)
tree50fb132941472dc6a4c1cbad695cec091eb96138
parent36378c64134c9fee2258e0fc8f1cff1bfccdfecd (diff)
- markus@cvs.openbsd.org 2012/06/19 18:25:28
[servconf.c servconf.h sshd_config.5] sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}; this allows 'Match LocalPort 1022' combined with 'AllowUsers bauer'. ok djm@ (back in March)
-rw-r--r--ChangeLog5
-rw-r--r--servconf.c25
-rw-r--r--servconf.h7
-rw-r--r--sshd_config.513
4 files changed, 37 insertions, 13 deletions
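--- a/ChangeLog
+++ b/ChangeLog
@@ -42,6 +42,11 @@
  [ssh.1]
  Clarify description of -W. Noted by Steve.McClellan at radisys com,
  ok jmc
+ - markus@cvs.openbsd.org 2012/06/19 18:25:28
+ [servconf.c servconf.h sshd_config.5]
+ sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
+ this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
+ ok djm@ (back in March)
 
 20120519
  - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch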
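--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.226 2012/05/13 01:42:32 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.227 2012/06/19 18:25:27 markus Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -420,10 +420,10 @@ static struct {
  { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
  { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
  { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
- { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
- { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
- { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
- { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
+ { "allowusers", sAllowUsers, SSHCFG_ALL },
+ { "denyusers", sDenyUsers, SSHCFG_ALL },
+ { "allowgroups", sAllowGroups, SSHCFG_ALL },
+ { "denygroups", sDenyGroups, SSHCFG_ALL },
  { "ciphers", sCiphers, SSHCFG_GLOBAL },
  { "macs", sMacs, SSHCFG_GLOBAL },
  { "protocol", sProtocol, SSHCFG_GLOBAL },
@@ -441,7 +441,7 @@ static struct {
  { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
  { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
  { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
- { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
+ { "acceptenv", sAcceptEnv, SSHCFG_ALL },
  { "permittunnel", sPermitTunnel, SSHCFG_ALL },
  { "match", sMatch, SSHCFG_ALL },
  { "permitopen", sPermitOpen, SSHCFG_ALL },
@@ -1148,6 +1148,8 @@ process_server_config_line(ServerOptions *options, char *line,
  if (options->num_allow_users >= MAX_ALLOW_USERS)
  fatal("%s line %d: too many allow users.",
  filename, linenum);
+ if (!*activep)
+ continue;
  options->allow_users[options->num_allow_users++] =
  xstrdup(arg);
  }
@@ -1158,6 +1160,8 @@ process_server_config_line(ServerOptions *options, char *line,
  if (options->num_deny_users >= MAX_DENY_USERS)
  fatal("%s line %d: too many deny users.",
  filename, linenum);
+ if (!*activep)
+ continue;
  options->deny_users[options->num_deny_users++] =
  xstrdup(arg);
  }
@@ -1168,6 +1172,8 @@ process_server_config_line(ServerOptions *options, char *line,
  if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
  fatal("%s line %d: too many allow groups.",
  filename, linenum);
+ if (!*activep)
+ continue;
  options->allow_groups[options->num_allow_groups++] =
  xstrdup(arg);
  }
@@ -1178,7 +1184,10 @@ process_server_config_line(ServerOptions *options, char *line,
  if (options->num_deny_groups >= MAX_DENY_GROUPS)
  fatal("%s line %d: too many deny groups.",
  filename, linenum);
- options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
+ if (!*activep)
+ continue;
+ options->deny_groups[options->num_deny_groups++] =
+ xstrdup(arg);
  }
  break;
 
@@ -1352,7 +1361,7 @@ process_server_config_line(ServerOptions *options, char *line,
  fatal("%s line %d: too many allow env.",
  filename, linenum);
  if (!*activep)
- break;
+ continue;
  options->accept_env[options->num_accept_env++] =
  xstrdup(arg);
  }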
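Review bot: In the four new AllowUsers/DenyUsers/AllowGroups/DenyGroups guards (new lines 1151, 1163, 1175 and 1187) the `if (!*activep) continue;` test sits after the MAX_* bound check, so a directive inside a Match block that does not apply to the current connection can still abort sshd with "too many allow users" once the active list is already full, even though nothing is appended for it. This mirrors the pre-existing AcceptEnv handler at new line 1363, so it may be deliberate; if it is, a one-line comment above the first guard such as `/* the list bound is enforced even for Match blocks that do not apply */` would make that visible, and if it is not, swapping the two checks so `if (!*activep) continue;` comes first avoids the spurious fatal. The `break` to `continue` change at 1364 also makes AcceptEnv keep consuming its remaining arguments in an inactive block, which is consistent with the new handlers. process_server_config_line starts and ends outside these hunks.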
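--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.101 2012/05/13 01:42:32 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.102 2012/06/19 18:25:28 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -192,6 +192,11 @@ struct connection_info {
  M_CP_STROPT(revoked_keys_file); \
  M_CP_STROPT(authorized_principals_file); \
  M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
+ M_CP_STRARRAYOPT(allow_users, num_allow_users); \
+ M_CP_STRARRAYOPT(deny_users, num_deny_users); \
+ M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \
+ M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \
+ M_CP_STRARRAYOPT(accept_env, num_accept_env); \
  } while (0)
 
 struct connection_info *get_connection_info(int, int);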
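Review bot: The new M_CP_STRARRAYOPT entries for allow_users, deny_users, allow_groups and deny_groups (new lines 195-198) make the access-control lists part of what a matching Match block copies over the global options, but nothing in the hunk records whether that copy replaces or extends the global list. M_CP_STRARRAYOPT is defined above this hunk; if it follows the pattern used for the other string-array options and overwrites the destination wholesale, then an `AllowUsers` inside a Match block widens access relative to the global `AllowUsers`/`DenyUsers` instead of narrowing it, which is exactly the assumption an administrator is likely to get wrong. Once confirmed, a comment beside these lines such as `/* Match-level access lists replace the global lists, they do not intersect with them */`, and the same sentence in the Match description of sshd_config.5, would prevent that misconfiguration. The copy macro this hunk extends begins before the hunk.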
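--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.140 2012/05/19 06:30:30 dtucker Exp $
-.Dd $Mdocdate: May 19 2012 $
+.\" $OpenBSD: sshd_config.5,v 1.141 2012/06/19 18:25:28 markus Exp $
+.Dd $Mdocdate: June 19 2012 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -707,15 +707,20 @@ Only a subset of keywords may be used on the lines following a
 .Cm Match
 keyword.
 Available keywords are
+.Cm AcceptEnv
 .Cm AllowAgentForwarding ,
+.Cm AllowGroups .
 .Cm AllowTcpForwarding ,
+.Cm AllowUsers ,
 .Cm AuthorizedKeysFile ,
 .Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
+.Cm DenyGroups ,
+.Cm DenyUsers ,
 .Cm ForceCommand ,
-.Cm GatewayPorts ,
 .Cm GSSAPIAuthentication ,
+.Cm GatewayPorts ,
 .Cm HostbasedAuthentication ,
 .Cm HostbasedUsesNameFromPacketOnly ,
 .Cm KbdInteractiveAuthentication ,
@@ -728,8 +733,8 @@ Available keywords are
 .Cm PermitRootLogin ,
 .Cm PermitTunnel ,
 .Cm PubkeyAuthentication ,
-.Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
+.Cm RhostsRSAAuthentication ,
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding
 and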