authorColin Watson <cjwatson@debian.org>2011-09-06 14:56:29 +0100
committerColin Watson <cjwatson@debian.org>2011-09-06 14:56:29 +0100
commit978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch)
tree89400a44e42d84937deba7864e4964d6c7734da5 /readconf.c
parent87c685b8c6a49814fd782288097b3093f975aa72 (diff)
parent3a7e89697ca363de0f64e0d5704c57219294e41c (diff)
* New upstream release (http://www.openssh.org/txt/release-5.9).
- Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. - Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt. - The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot (closes: #75043, #429243, #599240). - ssh(1) now warns when a server refuses X11 forwarding (closes: #504757). - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace (closes: #76312). The authorized_keys2 fallback is deprecated but documented (closes: #560156). - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4 ToS/DSCP (closes: #498297). - ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key" (closes: #229124). - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691). - Say "required" rather than "recommended" in unprotected-private-key warning (LP: #663455).
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c119
1 files changed, 85 insertions, 34 deletions
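diff --git a/readconf.c b/readconf.c
index 656a2519f..7a26e923b 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.190 2010/11/13 23:27:50 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.193 2011/05/24 07:15:47 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -139,7 +139,7 @@ typedef enum {
 	oHashKnownHosts,
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
-	oKexAlgorithms, oIPQoS,
+	oKexAlgorithms, oIPQoS, oRequestTTY,
 	oProtocolKeepAlives, oSetupTimeOut,
 	oDeprecated, oUnsupported
 } OpCodes;
@@ -209,9 +209,9 @@ static struct {
 	{ "host", oHost },
 	{ "escapechar", oEscapeChar },
 	{ "globalknownhostsfile", oGlobalKnownHostsFile },
-	{ "globalknownhostsfile2", oGlobalKnownHostsFile2 },	/* obsolete */
+	{ "globalknownhostsfile2", oDeprecated },
 	{ "userknownhostsfile", oUserKnownHostsFile },
-	{ "userknownhostsfile2", oUserKnownHostsFile2 },	/* obsolete */
+	{ "userknownhostsfile2", oDeprecated },
 	{ "connectionattempts", oConnectionAttempts },
 	{ "batchmode", oBatchMode },
 	{ "checkhostip", oCheckHostIP },
@@ -261,6 +261,7 @@ static struct {
 #endif
 	{ "kexalgorithms", oKexAlgorithms },
 	{ "ipqos", oIPQoS },
+	{ "requesttty", oRequestTTY },
 	{ "protocolkeepalives", oProtocolKeepAlives },
 	{ "setuptimeout", oSetupTimeOut },
 
@@ -371,8 +372,10 @@ process_config_line(Options *options, const char *host,
     char *line, const char *filename, int linenum,
     int *activep)
 {
-	char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
-	int opcode, *intptr, value, value2, scale;
+	char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
+	char **cpptr, fwdarg[256];
+	u_int *uintptr, max_entries = 0;
+	int negated, opcode, *intptr, value, value2, scale;
 	LogLevel *log_level_ptr;
 	long long orig, val64;
 	size_t len;
@@ -639,26 +642,33 @@ parse_yesnoask:
 parse_string:
 	arg = strdelim(&s);
 	if (!arg || *arg == '\0')
-		fatal("%.200s line %d: Missing argument.", filename, linenum);
+		fatal("%.200s line %d: Missing argument.",
+		    filename, linenum);
 	if (*activep && *charptr == NULL)
 		*charptr = xstrdup(arg);
 	break;
 
 	case oGlobalKnownHostsFile:
-		charptr = &options->system_hostfile;
-		goto parse_string;
+		cpptr = (char **)&options->system_hostfiles;
+		uintptr = &options->num_system_hostfiles;
+		max_entries = SSH_MAX_HOSTS_FILES;
+parse_char_array:
+		if (*activep && *uintptr == 0) {
+			while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
+				if ((*uintptr) >= max_entries)
+					fatal("%s line %d: "
+					    "too many authorized keys files.",
+					    filename, linenum);
+				cpptr[(*uintptr)++] = xstrdup(arg);
+			}
+		}
+		return 0;
 
 	case oUserKnownHostsFile:
-		charptr = &options->user_hostfile;
-		goto parse_string;
-
-	case oGlobalKnownHostsFile2:
-		charptr = &options->system_hostfile2;
-		goto parse_string;
-
-	case oUserKnownHostsFile2:
-		charptr = &options->user_hostfile2;
-		goto parse_string;
+		cpptr = (char **)&options->user_hostfiles;
+		uintptr = &options->num_user_hostfiles;
+		max_entries = SSH_MAX_HOSTS_FILES;
+		goto parse_char_array;
 
 	case oHostName:
 		charptr = &options->hostname;
@@ -835,12 +845,28 @@ parse_int:
 
 	case oHost:
 		*activep = 0;
-		while ((arg = strdelim(&s)) != NULL && *arg != '\0')
+		arg2 = NULL;
+		while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
+			negated = *arg == '!';
+			if (negated)
+				arg++;
 			if (match_pattern(host, arg)) {
-				debug("Applying options for %.100s", arg);
+				if (negated) {
+					debug("%.200s line %d: Skipping Host "
+					    "block because of negated match "
+					    "for %.100s", filename, linenum,
+					    arg);
+					*activep = 0;
+					break;
+				}
+				if (!*activep)
+					arg2 = arg; /* logged below */
 				*activep = 1;
-				break;
 			}
+		}
+		if (*activep)
+			debug("%.200s line %d: Applying options for %.100s",
+			    filename, linenum, arg2);
 		/* Avoid garbage check below, as strdelim is done. */
 		return 0;
 
@@ -1041,6 +1067,26 @@ parse_int:
 		intptr = &options->use_roaming;
 		goto parse_flag;
 
+	case oRequestTTY:
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: missing argument.",
+			    filename, linenum);
+		intptr = &options->request_tty;
+		if (strcasecmp(arg, "yes") == 0)
+			value = REQUEST_TTY_YES;
+		else if (strcasecmp(arg, "no") == 0)
+			value = REQUEST_TTY_NO;
+		else if (strcasecmp(arg, "force") == 0)
+			value = REQUEST_TTY_FORCE;
+		else if (strcasecmp(arg, "auto") == 0)
+			value = REQUEST_TTY_AUTO;
+		else
+			fatal("Unsupported RequestTTY \"%s\"", arg);
+		if (*activep && *intptr == -1)
+			*intptr = value;
+		break;
+
 	case oDeprecated:
 		debug("%s line %d: Deprecated option \"%s\"",
 		    filename, linenum, keyword);
@@ -1170,10 +1216,8 @@ initialize_options(Options * options)
 	options->proxy_command = NULL;
 	options->user = NULL;
 	options->escape_char = -1;
-	options->system_hostfile = NULL;
-	options->user_hostfile = NULL;
-	options->system_hostfile2 = NULL;
-	options->user_hostfile2 = NULL;
+	options->num_system_hostfiles = 0;
+	options->num_user_hostfiles = 0;
 	options->local_forwards = NULL;
 	options->num_local_forwards = 0;
 	options->remote_forwards = NULL;
@@ -1206,6 +1250,7 @@ initialize_options(Options * options)
 	options->zero_knowledge_password_authentication = -1;
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
+	options->request_tty = -1;
 }
 
 /*
@@ -1320,14 +1365,18 @@ fill_default_options(Options * options)
 	}
 	if (options->escape_char == -1)
 		options->escape_char = '~';
-	if (options->system_hostfile == NULL)
-		options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
-	if (options->user_hostfile == NULL)
-		options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
-	if (options->system_hostfile2 == NULL)
-		options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
-	if (options->user_hostfile2 == NULL)
-		options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
+	if (options->num_system_hostfiles == 0) {
+		options->system_hostfiles[options->num_system_hostfiles++] =
+		    xstrdup(_PATH_SSH_SYSTEM_HOSTFILE);
+		options->system_hostfiles[options->num_system_hostfiles++] =
+		    xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2);
+	}
+	if (options->num_user_hostfiles == 0) {
+		options->user_hostfiles[options->num_user_hostfiles++] =
+		    xstrdup(_PATH_SSH_USER_HOSTFILE);
+		options->user_hostfiles[options->num_user_hostfiles++] =
+		    xstrdup(_PATH_SSH_USER_HOSTFILE2);
+	}
 	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
 		options->log_level = SYSLOG_LEVEL_INFO;
 	if (options->clear_forwardings == 1)
@@ -1377,6 +1426,8 @@ fill_default_options(Options * options)
 		options->ip_qos_interactive = IPTOS_LOWDELAY;
 	if (options->ip_qos_bulk == -1)
 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
+	if (options->request_tty == -1)
+		options->request_tty = REQUEST_TTY_AUTO;
 	/* options->local_command should not be set by default */
 	/* options->proxy_command should not be set by default */
 	/* options->user will be set in the main program if appropriate */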
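Review bot: The bound check in the new `parse_char_array` path reports the wrong option: `fatal("%s line %d: " "too many authorized keys files.", filename, linenum)` fires while parsing GlobalKnownHostsFile or UserKnownHostsFile, so a user who lists more than SSH_MAX_HOSTS_FILES paths is pointed at an option that does not exist in ssh_config. The wording looks carried over from the server-side AuthorizedKeysFile parser and should read `"too many known hosts files."`. The cap itself is sound, since `cpptr[(*uintptr)++] = xstrdup(arg);` is only reached after `(*uintptr) >= max_entries` has been rejected, so only the message text needs changing. process_config_line begins and ends outside this hunk.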