author | Damien Miller <djm@mindrot.org> | 2012-06-20 21:53:58 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2012-06-20 21:53:58 +1000 |
commit | c24da77015900e4e416a9f3ac5f51001abb0fd20 (patch) | |
tree | 50fb132941472dc6a4c1cbad695cec091eb96138 | |
parent | 36378c64134c9fee2258e0fc8f1cff1bfccdfecd (diff) |
- markus@cvs.openbsd.org 2012/06/19 18:25:28
[servconf.c servconf.h sshd_config.5]
sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUsers bauer'
ok djm@ (back in March)
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | servconf.c | 25 | ||||
-rw-r--r-- | servconf.h | 7 | ||||
-rw-r--r-- | sshd_config.5 | 13 |
4 files changed, 37 insertions, 13 deletions
@@ -42,6 +42,11 @@ | |||
42 | [ssh.1] | 42 | [ssh.1] |
43 | Clarify description of -W. Noted by Steve.McClellan at radisys com, | 43 | Clarify description of -W. Noted by Steve.McClellan at radisys com, |
44 | ok jmc | 44 | ok jmc |
45 | - markus@cvs.openbsd.org 2012/06/19 18:25:28 | ||
46 | [servconf.c servconf.h sshd_config.5] | ||
47 | sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups} | ||
48 | this allows 'Match LocalPort 1022' combined with 'AllowUser bauer' | ||
49 | ok djm@ (back in March) | ||
45 | 50 | ||
46 | 20120519 | 51 | 20120519 |
47 | - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch | 52 | - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch |
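--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.226 2012/05/13 01:42:32 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.227 2012/06/19 18:25:27 markus Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -420,10 +420,10 @@ static struct {
 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
-{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
-{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
-{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
-{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
+{ "allowusers", sAllowUsers, SSHCFG_ALL },
+{ "denyusers", sDenyUsers, SSHCFG_ALL },
+{ "allowgroups", sAllowGroups, SSHCFG_ALL },
+{ "denygroups", sDenyGroups, SSHCFG_ALL },
 { "ciphers", sCiphers, SSHCFG_GLOBAL },
 { "macs", sMacs, SSHCFG_GLOBAL },
 { "protocol", sProtocol, SSHCFG_GLOBAL },
@@ -441,7 +441,7 @@ static struct {
 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
-{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
+{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
 { "match", sMatch, SSHCFG_ALL },
 { "permitopen", sPermitOpen, SSHCFG_ALL },
@@ -1148,6 +1148,8 @@ process_server_config_line(ServerOptions *options, char *line,
 if (options->num_allow_users >= MAX_ALLOW_USERS)
 fatal("%s line %d: too many allow users.",
 filename, linenum);
+if (!*activep)
+continue;
 options->allow_users[options->num_allow_users++] =
 xstrdup(arg);
 }
@@ -1158,6 +1160,8 @@ process_server_config_line(ServerOptions *options, char *line,
 if (options->num_deny_users >= MAX_DENY_USERS)
 fatal("%s line %d: too many deny users.",
 filename, linenum);
+if (!*activep)
+continue;
 options->deny_users[options->num_deny_users++] =
 xstrdup(arg);
 }
@@ -1168,6 +1172,8 @@ process_server_config_line(ServerOptions *options, char *line,
 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
 fatal("%s line %d: too many allow groups.",
 filename, linenum);
+if (!*activep)
+continue;
 options->allow_groups[options->num_allow_groups++] =
 xstrdup(arg);
 }
@@ -1178,7 +1184,10 @@ process_server_config_line(ServerOptions *options, char *line,
 if (options->num_deny_groups >= MAX_DENY_GROUPS)
 fatal("%s line %d: too many deny groups.",
 filename, linenum);
-options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
+if (!*activep)
+continue;
+options->deny_groups[options->num_deny_groups++] =
+xstrdup(arg);
 }
 break;
 
@@ -1352,7 +1361,7 @@ process_server_config_line(ServerOptions *options, char *line,
 fatal("%s line %d: too many allow env.",
 filename, linenum);
 if (!*activep)
-break;
+continue;
 options->accept_env[options->num_accept_env++] =
 xstrdup(arg);
 }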
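Review bot: Marking allowusers/denyusers/allowgroups/denygroups SSHCFG_ALL only restricts logins correctly if the allowed_user() check runs after parse_server_match_config() has applied the matching block to the live options; that call order is outside this hunk and should be confirmed, because a check made against the global lists alone would silently ignore whatever a Match block sets. In the new `if (!*activep) continue;` guards of the sAllowUsers, sDenyUsers, sAllowGroups and sDenyGroups cases the MAX_* limit check deliberately stays ahead of the active test, so an oversize list in a non-matching block still fails at parse time; a comment such as `/* limit check first: inactive Match blocks must still parse cleanly */` would make that intent explicit for the next reader. Note also that, given the per-array copy added to servconf.h, a Match-block list appears to supersede the global list for that connection rather than narrow it, so a Match-block `DenyUsers` that omits a globally denied name would re-admit that name on matching connections — worth a warning comment at the keyword-table entries. process_server_config_line starts and ends outside the hunk.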
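--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.101 2012/05/13 01:42:32 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.102 2012/06/19 18:25:28 markus Exp $ */
 
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -192,6 +192,11 @@ struct connection_info {
 M_CP_STROPT(revoked_keys_file); \
 M_CP_STROPT(authorized_principals_file); \
 M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
+M_CP_STRARRAYOPT(allow_users, num_allow_users); \
+M_CP_STRARRAYOPT(deny_users, num_deny_users); \
+M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \
+M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \
+M_CP_STRARRAYOPT(accept_env, num_accept_env); \
 } while (0)
 
 struct connection_info *get_connection_info(int, int);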
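Review bot: The five new M_CP_STRARRAYOPT lines copy whole arrays, so a list set in a Match block replaces the global list instead of being merged with it, and if the macro (defined outside this hunk) copies only when the source count is non-zero — as its existing authorized_keys_files use suggests — a Match block also cannot clear a global list. Both properties decide who may log in on a given port or address, so they belong in a comment next to these lines, e.g. `/* Match-block Allow/Deny lists replace the global list; they are not merged, and an empty list does not clear it */`. Whether the copy releases the global strings it overwrites is not visible here; it is per-connection state, so at worst a small leak, but worth a look. The enclosing do { … } while (0) macro begins outside the hunk.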
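--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.140 2012/05/19 06:30:30 dtucker Exp $
-.Dd $Mdocdate: May 19 2012 $
+.\" $OpenBSD: sshd_config.5,v 1.141 2012/06/19 18:25:28 markus Exp $
+.Dd $Mdocdate: June 19 2012 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -707,15 +707,20 @@ Only a subset of keywords may be used on the lines following a
 .Cm Match
 keyword.
 Available keywords are
+.Cm AcceptEnv
 .Cm AllowAgentForwarding ,
+.Cm AllowGroups .
 .Cm AllowTcpForwarding ,
+.Cm AllowUsers ,
 .Cm AuthorizedKeysFile ,
 .Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
+.Cm DenyGroups ,
+.Cm DenyUsers ,
 .Cm ForceCommand ,
-.Cm GatewayPorts ,
 .Cm GSSAPIAuthentication ,
+.Cm GatewayPorts ,
 .Cm HostbasedAuthentication ,
 .Cm HostbasedUsesNameFromPacketOnly ,
 .Cm KbdInteractiveAuthentication ,
@@ -728,8 +733,8 @@ Available keywords are
 .Cm PermitRootLogin ,
 .Cm PermitTunnel ,
 .Cm PubkeyAuthentication ,
-.Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
+.Cm RhostsRSAAuthentication ,
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding
 and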