diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-11-13 04:38:06 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-11-16 11:31:37 +1100 |
| commit | 9fd04681a1e9b0af21e08ff82eb674cf0a499bfc (patch) | |
| tree | 9a6b671943aa1f7bddf90a318631b82d102c9ea4 | |
| parent | 94bc0b72c29e511cbbc5772190d43282e5acfdfe (diff) | |
upstream commit
Support "none" as an argument for sshd_config
ForceCommand and ChrootDirectory. Useful inside Match blocks to override a
global default. bz#2486 ok dtucker@
Upstream-ID: 7ef478d6592bc7db5c7376fc33b4443e63dccfa5
| -rw-r--r-- | servconf.c | 13 | ||||
| -rw-r--r-- | sshd_config.5 | 8 |
2 files changed, 18 insertions, 3 deletions
diff --git a/servconf.c b/servconf.c index 17cb094c7..19c68e2d7 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ||
| 2 | /* $OpenBSD: servconf.c,v 1.282 2015/10/29 08:05:01 djm Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.283 2015/11/13 04:38:06 djm Exp $ */ |
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved | 5 | * All rights reserved |
| @@ -373,6 +373,8 @@ fill_default_server_options(ServerOptions *options) | |||
| 373 | CLEAR_ON_NONE(options->trusted_user_ca_keys); | 373 | CLEAR_ON_NONE(options->trusted_user_ca_keys); |
| 374 | CLEAR_ON_NONE(options->revoked_keys_file); | 374 | CLEAR_ON_NONE(options->revoked_keys_file); |
| 375 | CLEAR_ON_NONE(options->authorized_principals_file); | 375 | CLEAR_ON_NONE(options->authorized_principals_file); |
| 376 | CLEAR_ON_NONE(options->adm_forced_command); | ||
| 377 | CLEAR_ON_NONE(options->chroot_directory); | ||
| 376 | for (i = 0; i < options->num_host_key_files; i++) | 378 | for (i = 0; i < options->num_host_key_files; i++) |
| 377 | CLEAR_ON_NONE(options->host_key_files[i]); | 379 | CLEAR_ON_NONE(options->host_key_files[i]); |
| 378 | for (i = 0; i < options->num_host_cert_files; i++) | 380 | for (i = 0; i < options->num_host_cert_files; i++) |
| @@ -2034,8 +2036,17 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
| 2034 | if (preauth) | 2036 | if (preauth) |
| 2035 | return; | 2037 | return; |
| 2036 | 2038 | ||
| 2039 | /* These options may be "none" to clear a global setting */ | ||
| 2037 | M_CP_STROPT(adm_forced_command); | 2040 | M_CP_STROPT(adm_forced_command); |
| 2041 | if (option_clear_or_none(dst->adm_forced_command)) { | ||
| 2042 | free(dst->adm_forced_command); | ||
| 2043 | dst->adm_forced_command = NULL; | ||
| 2044 | } | ||
| 2038 | M_CP_STROPT(chroot_directory); | 2045 | M_CP_STROPT(chroot_directory); |
| 2046 | if (option_clear_or_none(dst->chroot_directory)) { | ||
| 2047 | free(dst->chroot_directory); | ||
| 2048 | dst->chroot_directory = NULL; | ||
| 2049 | } | ||
| 2039 | } | 2050 | } |
| 2040 | 2051 | ||
| 2041 | #undef M_CP_INTOPT | 2052 | #undef M_CP_INTOPT |
diff --git a/sshd_config.5 b/sshd_config.5 index 3eb1bb8e0..d94c5f5c0 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -33,7 +33,7 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: sshd_config.5,v 1.214 2015/11/13 02:57:46 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.215 2015/11/13 04:38:06 djm Exp $ |
| 37 | .Dd $Mdocdate: November 13 2015 $ | 37 | .Dd $Mdocdate: November 13 2015 $ |
| 38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| @@ -432,7 +432,9 @@ Misconfiguration can lead to unsafe environments which | |||
| 432 | .Xr sshd 8 | 432 | .Xr sshd 8 |
| 433 | cannot detect. | 433 | cannot detect. |
| 434 | .Pp | 434 | .Pp |
| 435 | The default is not to | 435 | The default is |
| 436 | .Dq none , | ||
| 437 | indicating not to | ||
| 436 | .Xr chroot 2 . | 438 | .Xr chroot 2 . |
| 437 | .It Cm Ciphers | 439 | .It Cm Ciphers |
| 438 | Specifies the ciphers allowed for protocol version 2. | 440 | Specifies the ciphers allowed for protocol version 2. |
| @@ -599,6 +601,8 @@ Specifying a command of | |||
| 599 | will force the use of an in-process sftp server that requires no support | 601 | will force the use of an in-process sftp server that requires no support |
| 600 | files when used with | 602 | files when used with |
| 601 | .Cm ChrootDirectory . | 603 | .Cm ChrootDirectory . |
| 604 | The default is | ||
| 605 | .Dq none . | ||
| 602 | .It Cm GatewayPorts | 606 | .It Cm GatewayPorts |
| 603 | Specifies whether remote hosts are allowed to connect to ports | 607 | Specifies whether remote hosts are allowed to connect to ports |
| 604 | forwarded for the client. | 608 | forwarded for the client. |