author | Colin Watson <cjwatson@debian.org> | 2007-06-12 16:16:35 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2007-06-12 16:16:35 +0000 |
commit | b7e40fa9da0b5491534a429dadb321eab5a77558 (patch) | |
tree | bed1da11e9f829925797aa093e379fc0b5868ecd /readconf.c | |
parent | 4f84beedf1005e44ff33c854abd6b711ffc0adb7 (diff) | |
parent | 086ea76990b1e6287c24b6db74adffd4605eb3b0 (diff) |
* New upstream release (closes: #395507, #397961, #420035). Important
changes not previously backported to 4.3p2:
- 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
+ On portable OpenSSH, fix a GSSAPI authentication abort that could be
used to determine the validity of usernames on some platforms.
+ Implemented conditional configuration in sshd_config(5) using the
"Match" directive. This allows some configuration options to be
selectively overridden if specific criteria (based on user, group,
hostname and/or address) are met. So far a useful subset of
post-authentication options are supported and more are expected to
be added in future releases.
+ Add support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256.
+ Added a "ForceCommand" directive to sshd_config(5). Similar to the
command="..." option accepted in ~/.ssh/authorized_keys, this forces
the execution of the specified command regardless of what the user
requested. This is very useful in conjunction with the new "Match"
option.
+ Add a "PermitOpen" directive to sshd_config(5). This mirrors the
permitopen="..." authorized_keys option, allowing fine-grained
control over the port-forwardings that a user is allowed to
establish.
+ Add optional logging of transactions to sftp-server(8).
+ ssh(1) will now record port numbers for hosts stored in
~/.ssh/known_hosts when a non-standard port has been requested
(closes: #50612).
+ Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
non-zero exit code) when requested port forwardings could not be
established.
+ Extend sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments.
+ Replacement of all integer overflow susceptible invocations of
malloc(3) and realloc(3) with overflow-checking equivalents.
+ Many manpage fixes and improvements.
+ Add optional support for OpenSSL hardware accelerators (engines),
enabled using the --with-ssl-engine configure option.
+ Tokens in configuration files may be double-quoted in order to
contain spaces (closes: #319639).
+ Move a debug() call out of a SIGCHLD handler, fixing a hang when the
session exits very quickly (closes: #307890).
+ Fix some incorrect buffer allocation calculations (closes: #410599).
+ ssh-add doesn't ask for a passphrase if key file permissions are too
liberal (closes: #103677).
+ Likewise, ssh doesn't ask either (closes: #99675).
- 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
+ sshd now allows the enabling and disabling of authentication methods
on a per user, group, host and network basis via the Match directive
in sshd_config.
+ Fixed an inconsistent check for a terminal when displaying scp
progress meter (closes: #257524).
+ Fix "hang on exit" when background processes are running at the time
of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
install ChangeLog.gssapi.
Diffstat (limited to 'readconf.c')
-rw-r--r-- | readconf.c | 74 |
1 files changed, 63 insertions, 11 deletions
diff --git a/readconf.c b/readconf.c index b3e14b9d2..6a0ffd634 100644 --- a/readconf.c +++ b/readconf.c | |||
@@ -1,3 +1,4 @@ | |||
1 | /* $OpenBSD: readconf.c,v 1.161 2007/01/21 01:45:35 stevesk Exp $ */ | ||
1 | /* | 2 | /* |
2 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -12,17 +13,33 @@ | |||
12 | */ | 13 | */ |
13 | 14 | ||
14 | #include "includes.h" | 15 | #include "includes.h" |
15 | RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $"); | ||
16 | 16 | ||
17 | #include "ssh.h" | 17 | #include <sys/types.h> |
18 | #include <sys/stat.h> | ||
19 | #include <sys/socket.h> | ||
20 | |||
21 | #include <netinet/in.h> | ||
22 | |||
23 | #include <ctype.h> | ||
24 | #include <errno.h> | ||
25 | #include <netdb.h> | ||
26 | #include <signal.h> | ||
27 | #include <stdarg.h> | ||
28 | #include <stdio.h> | ||
29 | #include <string.h> | ||
30 | #include <unistd.h> | ||
31 | |||
18 | #include "xmalloc.h" | 32 | #include "xmalloc.h" |
33 | #include "ssh.h" | ||
19 | #include "compat.h" | 34 | #include "compat.h" |
20 | #include "cipher.h" | 35 | #include "cipher.h" |
21 | #include "pathnames.h" | 36 | #include "pathnames.h" |
22 | #include "log.h" | 37 | #include "log.h" |
38 | #include "key.h" | ||
23 | #include "readconf.h" | 39 | #include "readconf.h" |
24 | #include "match.h" | 40 | #include "match.h" |
25 | #include "misc.h" | 41 | #include "misc.h" |
42 | #include "buffer.h" | ||
26 | #include "kex.h" | 43 | #include "kex.h" |
27 | #include "mac.h" | 44 | #include "mac.h" |
28 | 45 | ||
@@ -94,6 +111,7 @@ RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $"); | |||
94 | typedef enum { | 111 | typedef enum { |
95 | oBadOption, | 112 | oBadOption, |
96 | oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts, | 113 | oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts, |
114 | oExitOnForwardFailure, | ||
97 | oPasswordAuthentication, oRSAAuthentication, | 115 | oPasswordAuthentication, oRSAAuthentication, |
98 | oChallengeResponseAuthentication, oXAuthLocation, | 116 | oChallengeResponseAuthentication, oXAuthLocation, |
99 | oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, | 117 | oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, |
@@ -109,6 +127,7 @@ typedef enum { | |||
109 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 127 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
110 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 128 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
111 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | 129 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
130 | oGssKeyEx, | ||
112 | oGssTrustDns, | 131 | oGssTrustDns, |
113 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 132 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
114 | oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, | 133 | oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, |
@@ -126,6 +145,7 @@ static struct { | |||
126 | { "forwardagent", oForwardAgent }, | 145 | { "forwardagent", oForwardAgent }, |
127 | { "forwardx11", oForwardX11 }, | 146 | { "forwardx11", oForwardX11 }, |
128 | { "forwardx11trusted", oForwardX11Trusted }, | 147 | { "forwardx11trusted", oForwardX11Trusted }, |
148 | { "exitonforwardfailure", oExitOnForwardFailure }, | ||
129 | { "xauthlocation", oXAuthLocation }, | 149 | { "xauthlocation", oXAuthLocation }, |
130 | { "gatewayports", oGatewayPorts }, | 150 | { "gatewayports", oGatewayPorts }, |
131 | { "useprivilegedport", oUsePrivilegedPort }, | 151 | { "useprivilegedport", oUsePrivilegedPort }, |
@@ -146,10 +166,12 @@ static struct { | |||
146 | { "afstokenpassing", oUnsupported }, | 166 | { "afstokenpassing", oUnsupported }, |
147 | #if defined(GSSAPI) | 167 | #if defined(GSSAPI) |
148 | { "gssapiauthentication", oGssAuthentication }, | 168 | { "gssapiauthentication", oGssAuthentication }, |
169 | { "gssapikeyexchange", oGssKeyEx }, | ||
149 | { "gssapidelegatecredentials", oGssDelegateCreds }, | 170 | { "gssapidelegatecredentials", oGssDelegateCreds }, |
150 | { "gssapitrustdns", oGssTrustDns }, | 171 | { "gssapitrustdns", oGssTrustDns }, |
151 | #else | 172 | #else |
152 | { "gssapiauthentication", oUnsupported }, | 173 | { "gssapiauthentication", oUnsupported }, |
174 | { "gssapikeyexchange", oUnsupported }, | ||
153 | { "gssapidelegatecredentials", oUnsupported }, | 175 | { "gssapidelegatecredentials", oUnsupported }, |
154 | { "gssapitrustdns", oUnsupported }, | 176 | { "gssapitrustdns", oUnsupported }, |
155 | #endif | 177 | #endif |
@@ -312,7 +334,8 @@ process_config_line(Options *options, const char *host, | |||
312 | int *activep) | 334 | int *activep) |
313 | { | 335 | { |
314 | char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256]; | 336 | char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256]; |
315 | int opcode, *intptr, value, value2; | 337 | int opcode, *intptr, value, value2, scale; |
338 | long long orig, val64; | ||
316 | size_t len; | 339 | size_t len; |
317 | Forward fwd; | 340 | Forward fwd; |
318 | 341 | ||
@@ -325,7 +348,8 @@ process_config_line(Options *options, const char *host, | |||
325 | 348 | ||
326 | s = line; | 349 | s = line; |
327 | /* Get the keyword. (Each line is supposed to begin with a keyword). */ | 350 | /* Get the keyword. (Each line is supposed to begin with a keyword). */ |
328 | keyword = strdelim(&s); | 351 | if ((keyword = strdelim(&s)) == NULL) |
352 | return 0; | ||
329 | /* Ignore leading whitespace. */ | 353 | /* Ignore leading whitespace. */ |
330 | if (*keyword == '\0') | 354 | if (*keyword == '\0') |
331 | keyword = strdelim(&s); | 355 | keyword = strdelim(&s); |
@@ -349,7 +373,7 @@ parse_time: | |||
349 | if ((value = convtime(arg)) == -1) | 373 | if ((value = convtime(arg)) == -1) |
350 | fatal("%s line %d: invalid time value.", | 374 | fatal("%s line %d: invalid time value.", |
351 | filename, linenum); | 375 | filename, linenum); |
352 | if (*intptr == -1) | 376 | if (*activep && *intptr == -1) |
353 | *intptr = value; | 377 | *intptr = value; |
354 | break; | 378 | break; |
355 | 379 | ||
@@ -382,6 +406,10 @@ parse_flag: | |||
382 | intptr = &options->gateway_ports; | 406 | intptr = &options->gateway_ports; |
383 | goto parse_flag; | 407 | goto parse_flag; |
384 | 408 | ||
409 | case oExitOnForwardFailure: | ||
410 | intptr = &options->exit_on_forward_failure; | ||
411 | goto parse_flag; | ||
412 | |||
385 | case oUsePrivilegedPort: | 413 | case oUsePrivilegedPort: |
386 | intptr = &options->use_privileged_port; | 414 | intptr = &options->use_privileged_port; |
387 | goto parse_flag; | 415 | goto parse_flag; |
@@ -422,6 +450,10 @@ parse_flag: | |||
422 | intptr = &options->gss_authentication; | 450 | intptr = &options->gss_authentication; |
423 | goto parse_flag; | 451 | goto parse_flag; |
424 | 452 | ||
453 | case oGssKeyEx: | ||
454 | intptr = &options->gss_keyex; | ||
455 | goto parse_flag; | ||
456 | |||
425 | case oGssDelegateCreds: | 457 | case oGssDelegateCreds: |
426 | intptr = &options->gss_deleg_creds; | 458 | intptr = &options->gss_deleg_creds; |
427 | goto parse_flag; | 459 | goto parse_flag; |
@@ -489,22 +521,36 @@ parse_yesnoask: | |||
489 | fatal("%.200s line %d: Missing argument.", filename, linenum); | 521 | fatal("%.200s line %d: Missing argument.", filename, linenum); |
490 | if (arg[0] < '0' || arg[0] > '9') | 522 | if (arg[0] < '0' || arg[0] > '9') |
491 | fatal("%.200s line %d: Bad number.", filename, linenum); | 523 | fatal("%.200s line %d: Bad number.", filename, linenum); |
492 | value = strtol(arg, &endofnumber, 10); | 524 | orig = val64 = strtoll(arg, &endofnumber, 10); |
493 | if (arg == endofnumber) | 525 | if (arg == endofnumber) |
494 | fatal("%.200s line %d: Bad number.", filename, linenum); | 526 | fatal("%.200s line %d: Bad number.", filename, linenum); |
495 | switch (toupper(*endofnumber)) { | 527 | switch (toupper(*endofnumber)) { |
528 | case '\0': | ||
529 | scale = 1; | ||
530 | break; | ||
496 | case 'K': | 531 | case 'K': |
497 | value *= 1<<10; | 532 | scale = 1<<10; |
498 | break; | 533 | break; |
499 | case 'M': | 534 | case 'M': |
500 | value *= 1<<20; | 535 | scale = 1<<20; |
501 | break; | 536 | break; |
502 | case 'G': | 537 | case 'G': |
503 | value *= 1<<30; | 538 | scale = 1<<30; |
504 | break; | 539 | break; |
540 | default: | ||
541 | fatal("%.200s line %d: Invalid RekeyLimit suffix", | ||
542 | filename, linenum); | ||
505 | } | 543 | } |
544 | val64 *= scale; | ||
545 | /* detect integer wrap and too-large limits */ | ||
546 | if ((val64 / scale) != orig || val64 > INT_MAX) | ||
547 | fatal("%.200s line %d: RekeyLimit too large", | ||
548 | filename, linenum); | ||
549 | if (val64 < 16) | ||
550 | fatal("%.200s line %d: RekeyLimit too small", | ||
551 | filename, linenum); | ||
506 | if (*activep && *intptr == -1) | 552 | if (*activep && *intptr == -1) |
507 | *intptr = value; | 553 | *intptr = (int)val64; |
508 | break; | 554 | break; |
509 | 555 | ||
510 | case oIdentityFile: | 556 | case oIdentityFile: |
@@ -516,7 +562,7 @@ parse_yesnoask: | |||
516 | if (*intptr >= SSH_MAX_IDENTITY_FILES) | 562 | if (*intptr >= SSH_MAX_IDENTITY_FILES) |
517 | fatal("%.200s line %d: Too many identity files specified (max %d).", | 563 | fatal("%.200s line %d: Too many identity files specified (max %d).", |
518 | filename, linenum, SSH_MAX_IDENTITY_FILES); | 564 | filename, linenum, SSH_MAX_IDENTITY_FILES); |
519 | charptr = &options->identity_files[*intptr]; | 565 | charptr = &options->identity_files[*intptr]; |
520 | *charptr = xstrdup(arg); | 566 | *charptr = xstrdup(arg); |
521 | *intptr = *intptr + 1; | 567 | *intptr = *intptr + 1; |
522 | } | 568 | } |
@@ -997,6 +1043,7 @@ initialize_options(Options * options) | |||
997 | options->forward_agent = -1; | 1043 | options->forward_agent = -1; |
998 | options->forward_x11 = -1; | 1044 | options->forward_x11 = -1; |
999 | options->forward_x11_trusted = -1; | 1045 | options->forward_x11_trusted = -1; |
1046 | options->exit_on_forward_failure = -1; | ||
1000 | options->xauth_location = NULL; | 1047 | options->xauth_location = NULL; |
1001 | options->gateway_ports = -1; | 1048 | options->gateway_ports = -1; |
1002 | options->use_privileged_port = -1; | 1049 | options->use_privileged_port = -1; |
@@ -1004,6 +1051,7 @@ initialize_options(Options * options) | |||
1004 | options->pubkey_authentication = -1; | 1051 | options->pubkey_authentication = -1; |
1005 | options->challenge_response_authentication = -1; | 1052 | options->challenge_response_authentication = -1; |
1006 | options->gss_authentication = -1; | 1053 | options->gss_authentication = -1; |
1054 | options->gss_keyex = -1; | ||
1007 | options->gss_deleg_creds = -1; | 1055 | options->gss_deleg_creds = -1; |
1008 | options->gss_trust_dns = -1; | 1056 | options->gss_trust_dns = -1; |
1009 | options->password_authentication = -1; | 1057 | options->password_authentication = -1; |
@@ -1079,6 +1127,8 @@ fill_default_options(Options * options) | |||
1079 | options->forward_x11 = 0; | 1127 | options->forward_x11 = 0; |
1080 | if (options->forward_x11_trusted == -1) | 1128 | if (options->forward_x11_trusted == -1) |
1081 | options->forward_x11_trusted = 1; | 1129 | options->forward_x11_trusted = 1; |
1130 | if (options->exit_on_forward_failure == -1) | ||
1131 | options->exit_on_forward_failure = 0; | ||
1082 | if (options->xauth_location == NULL) | 1132 | if (options->xauth_location == NULL) |
1083 | options->xauth_location = _PATH_XAUTH; | 1133 | options->xauth_location = _PATH_XAUTH; |
1084 | if (options->gateway_ports == -1) | 1134 | if (options->gateway_ports == -1) |
@@ -1093,6 +1143,8 @@ fill_default_options(Options * options) | |||
1093 | options->challenge_response_authentication = 1; | 1143 | options->challenge_response_authentication = 1; |
1094 | if (options->gss_authentication == -1) | 1144 | if (options->gss_authentication == -1) |
1095 | options->gss_authentication = 0; | 1145 | options->gss_authentication = 0; |
1146 | if (options->gss_keyex == -1) | ||
1147 | options->gss_keyex = 0; | ||
1096 | if (options->gss_deleg_creds == -1) | 1148 | if (options->gss_deleg_creds == -1) |
1097 | options->gss_deleg_creds = 0; | 1149 | options->gss_deleg_creds = 0; |
1098 | if (options->gss_trust_dns == -1) | 1150 | if (options->gss_trust_dns == -1) |
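Review bot: In the RekeyLimit hunk (new lines 544-548) `val64 *= scale;` runs before the wrap check `(val64 / scale) != orig`, so the overflow the check is meant to detect has already occurred as signed arithmetic, which is undefined behaviour in C and a pattern compilers may legitimately fold away; it is reachable from a line such as `RekeyLimit 99999999999999999999K`, where strtoll saturates at LLONG_MAX (ERANGE is never examined) and the multiply by 1024 overflows. Check the bound before multiplying instead: `if (orig > INT_MAX / scale) fatal("%.200s line %d: RekeyLimit too large", filename, linenum);` then `val64 = orig * scale;`, which also makes the separate `val64 > INT_MAX` test redundant. A smaller gap in the same hunk is that the suffix switch inspects only `*endofnumber`, so `RekeyLimit 10Kjunk` is accepted silently; a guard such as `if (*endofnumber != '\0' && endofnumber[1] != '\0') fatal("%.200s line %d: Invalid RekeyLimit suffix", filename, linenum);` before the switch rejects trailing text. process_config_line's body begins and ends outside this hunk, and `<limits.h>` (for INT_MAX) is not among the headers added in the first hunk, so presumably it arrives via includes.h — worth confirming.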