diff options
| author | Damien Miller <djm@mindrot.org> | 2013-10-24 21:02:56 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2013-10-24 21:02:56 +1100 |
| commit | cf31f3863425453ffcda540fbefa9df80088c8d1 (patch) | |
| tree | 5d85b4557e5e5196fe52556a24a209a3f0d719e8 | |
| parent | 4bedd4032a09ce87322ae5ea80f193f109e5c607 (diff) | |
- dtucker@cvs.openbsd.org 2013/10/24 00:51:48
[readconf.c servconf.c ssh_config.5 sshd_config.5]
Disallow empty Match statements and add "Match all" which matches
everything. ok djm, man page help jmc@
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | readconf.c | 22 | ||||
| -rw-r--r-- | servconf.c | 19 | ||||
| -rw-r--r-- | ssh_config.5 | 9 | ||||
| -rw-r--r-- | sshd_config.5 | 8 |
5 files changed, 52 insertions, 10 deletions
| @@ -14,6 +14,10 @@ | |||
| 14 | [moduli.c] | 14 | [moduli.c] |
| 15 | Periodically print progress and, if possible, expected time to completion | 15 | Periodically print progress and, if possible, expected time to completion |
| 16 | when screening moduli for DH groups. ok deraadt djm | 16 | when screening moduli for DH groups. ok deraadt djm |
| 17 | - dtucker@cvs.openbsd.org 2013/10/24 00:51:48 | ||
| 18 | [readconf.c servconf.c ssh_config.5 sshd_config.5] | ||
| 19 | Disallow empty Match statements and add "Match all" which matches | ||
| 20 | everything. ok djm, man page help jmc@ | ||
| 17 | 21 | ||
| 18 | 20131023 | 22 | 20131023 |
| 19 | - (djm) OpenBSD CVS Sync | 23 | - (djm) OpenBSD CVS Sync |
diff --git a/readconf.c b/readconf.c index f18666786..63c0ba196 100644 --- a/readconf.c +++ b/readconf.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: readconf.c,v 1.212 2013/10/23 03:05:19 djm Exp $ */ | 1 | /* $OpenBSD: readconf.c,v 1.213 2013/10/24 00:51:48 dtucker Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -459,7 +459,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, | |||
| 459 | { | 459 | { |
| 460 | char *arg, *attrib, *cmd, *cp = *condition, *host; | 460 | char *arg, *attrib, *cmd, *cp = *condition, *host; |
| 461 | const char *ruser; | 461 | const char *ruser; |
| 462 | int r, port, result = 1; | 462 | int r, port, result = 1, attributes = 0; |
| 463 | size_t len; | 463 | size_t len; |
| 464 | char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; | 464 | char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; |
| 465 | 465 | ||
| @@ -478,6 +478,19 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, | |||
| 478 | 478 | ||
| 479 | debug3("checking match for '%s' host %s", cp, host); | 479 | debug3("checking match for '%s' host %s", cp, host); |
| 480 | while ((attrib = strdelim(&cp)) && *attrib != '\0') { | 480 | while ((attrib = strdelim(&cp)) && *attrib != '\0') { |
| 481 | attributes++; | ||
| 482 | if (strcasecmp(attrib, "all") == 0) { | ||
| 483 | if (attributes != 1 || | ||
| 484 | ((arg = strdelim(&cp)) != NULL && *arg != '\0')) { | ||
| 485 | error("'all' cannot be combined with other " | ||
| 486 | "Match attributes"); | ||
| 487 | result = -1; | ||
| 488 | goto out; | ||
| 489 | } | ||
| 490 | *condition = cp; | ||
| 491 | result = 1; | ||
| 492 | goto out; | ||
| 493 | } | ||
| 481 | if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { | 494 | if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { |
| 482 | error("Missing Match criteria for %s", attrib); | 495 | error("Missing Match criteria for %s", attrib); |
| 483 | result = -1; | 496 | result = -1; |
| @@ -544,6 +557,11 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, | |||
| 544 | goto out; | 557 | goto out; |
| 545 | } | 558 | } |
| 546 | } | 559 | } |
| 560 | if (attributes == 0) { | ||
| 561 | error("One or more attributes required for Match"); | ||
| 562 | result = -1; | ||
| 563 | goto out; | ||
| 564 | } | ||
| 547 | debug3("match %sfound", result ? "" : "not "); | 565 | debug3("match %sfound", result ? "" : "not "); |
| 548 | *condition = cp; | 566 | *condition = cp; |
| 549 | out: | 567 | out: |
diff --git a/servconf.c b/servconf.c index 100d38d9b..82146723f 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ||
| 2 | /* $OpenBSD: servconf.c,v 1.242 2013/10/23 05:40:58 dtucker Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.243 2013/10/24 00:51:48 dtucker Exp $ */ |
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved | 5 | * All rights reserved |
| @@ -647,7 +647,7 @@ out: | |||
| 647 | static int | 647 | static int |
| 648 | match_cfg_line(char **condition, int line, struct connection_info *ci) | 648 | match_cfg_line(char **condition, int line, struct connection_info *ci) |
| 649 | { | 649 | { |
| 650 | int result = 1, port; | 650 | int result = 1, attributes = 0, port; |
| 651 | char *arg, *attrib, *cp = *condition; | 651 | char *arg, *attrib, *cp = *condition; |
| 652 | size_t len; | 652 | size_t len; |
| 653 | 653 | ||
| @@ -661,6 +661,17 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) | |||
| 661 | ci->laddress ? ci->laddress : "(null)", ci->lport); | 661 | ci->laddress ? ci->laddress : "(null)", ci->lport); |
| 662 | 662 | ||
| 663 | while ((attrib = strdelim(&cp)) && *attrib != '\0') { | 663 | while ((attrib = strdelim(&cp)) && *attrib != '\0') { |
| 664 | attributes++; | ||
| 665 | if (strcasecmp(attrib, "all") == 0) { | ||
| 666 | if (attributes != 1 || | ||
| 667 | ((arg = strdelim(&cp)) != NULL && *arg != '\0')) { | ||
| 668 | error("'all' cannot be combined with other " | ||
| 669 | "Match attributes"); | ||
| 670 | return -1; | ||
| 671 | } | ||
| 672 | *condition = cp; | ||
| 673 | return 1; | ||
| 674 | } | ||
| 664 | if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { | 675 | if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { |
| 665 | error("Missing Match criteria for %s", attrib); | 676 | error("Missing Match criteria for %s", attrib); |
| 666 | return -1; | 677 | return -1; |
| @@ -754,6 +765,10 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) | |||
| 754 | return -1; | 765 | return -1; |
| 755 | } | 766 | } |
| 756 | } | 767 | } |
| 768 | if (attributes == 0) { | ||
| 769 | error("One or more attributes required for Match"); | ||
| 770 | return -1; | ||
| 771 | } | ||
| 757 | if (ci != NULL) | 772 | if (ci != NULL) |
| 758 | debug3("match %sfound", result ? "" : "not "); | 773 | debug3("match %sfound", result ? "" : "not "); |
| 759 | *condition = cp; | 774 | *condition = cp; |
diff --git a/ssh_config.5 b/ssh_config.5 index 4161a6624..3ef494618 100644 --- a/ssh_config.5 +++ b/ssh_config.5 | |||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: ssh_config.5,v 1.177 2013/10/20 18:00:13 jmc Exp $ | 36 | .\" $OpenBSD: ssh_config.5,v 1.178 2013/10/24 00:51:48 dtucker Exp $ |
| 37 | .Dd $Mdocdate: October 20 2013 $ | 37 | .Dd $Mdocdate: October 24 2013 $ |
| 38 | .Dt SSH_CONFIG 5 | 38 | .Dt SSH_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -134,7 +134,10 @@ or | |||
| 134 | keyword) to be used only when the conditions following the | 134 | keyword) to be used only when the conditions following the |
| 135 | .Cm Match | 135 | .Cm Match |
| 136 | keyword are satisfied. | 136 | keyword are satisfied. |
| 137 | Match conditions are specified using one or more keyword/criteria pairs. | 137 | Match conditions are specified using one or more keyword/criteria pairs |
| 138 | or the single token | ||
| 139 | .Cm all | ||
| 140 | which matches all criteria. | ||
| 138 | The available keywords are: | 141 | The available keywords are: |
| 139 | .Cm exec , | 142 | .Cm exec , |
| 140 | .Cm host , | 143 | .Cm host , |
diff --git a/sshd_config.5 b/sshd_config.5 index 3abac6c10..0536cc3c6 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -33,8 +33,8 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.163 2013/10/24 00:51:48 dtucker Exp $ |
| 37 | .Dd $Mdocdate: July 19 2013 $ | 37 | .Dd $Mdocdate: October 24 2013 $ |
| 38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| 40 | .Sh NAME | 40 | .Sh NAME |
| @@ -750,7 +750,9 @@ line or the end of the file. | |||
| 750 | .Pp | 750 | .Pp |
| 751 | The arguments to | 751 | The arguments to |
| 752 | .Cm Match | 752 | .Cm Match |
| 753 | are one or more criteria-pattern pairs. | 753 | are one or more criteria-pattern pairs or the single token |
| 754 | .Cm All | ||
| 755 | which matches all criteria. | ||
| 754 | The available criteria are | 756 | The available criteria are |
| 755 | .Cm User , | 757 | .Cm User , |
| 756 | .Cm Group , | 758 | .Cm Group , |