authorColin Watson <cjwatson@debian.org>2007-06-12 16:16:35 +0000
committerColin Watson <cjwatson@debian.org>2007-06-12 16:16:35 +0000
commitb7e40fa9da0b5491534a429dadb321eab5a77558 (patch)
treebed1da11e9f829925797aa093e379fc0b5868ecd /readconf.c
parent4f84beedf1005e44ff33c854abd6b711ffc0adb7 (diff)
parent086ea76990b1e6287c24b6db74adffd4605eb3b0 (diff)
* New upstream release (closes: #395507, #397961, #420035). Important
changes not previously backported to 4.3p2: - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4): + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases. + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. + Add optional logging of transactions to sftp-server(8). + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612). + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. + Many manpage fixes and improvements. + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option. + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639). 
+ Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890). + Fix some incorrect buffer allocation calculations (closes: #410599). + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677). + Likewise, ssh doesn't ask either (closes: #99675). - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6): + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config. + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524). + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337). * Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c74
1 files changed, 63 insertions, 11 deletions
diff --git a/readconf.c b/readconf.c
index b3e14b9d2..6a0ffd634 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,3 +1,4 @@
1/* $OpenBSD: readconf.c,v 1.161 2007/01/21 01:45:35 stevesk Exp $ */
1/* 2/*
2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -12,17 +13,33 @@
12 */ 13 */
13 14
14#include "includes.h" 15#include "includes.h"
15RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $");
16 16
17#include "ssh.h" 17#include <sys/types.h>
18#include <sys/stat.h>
19#include <sys/socket.h>
20
21#include <netinet/in.h>
22
23#include <ctype.h>
24#include <errno.h>
25#include <netdb.h>
26#include <signal.h>
27#include <stdarg.h>
28#include <stdio.h>
29#include <string.h>
30#include <unistd.h>
31
18#include "xmalloc.h" 32#include "xmalloc.h"
33#include "ssh.h"
19#include "compat.h" 34#include "compat.h"
20#include "cipher.h" 35#include "cipher.h"
21#include "pathnames.h" 36#include "pathnames.h"
22#include "log.h" 37#include "log.h"
38#include "key.h"
23#include "readconf.h" 39#include "readconf.h"
24#include "match.h" 40#include "match.h"
25#include "misc.h" 41#include "misc.h"
42#include "buffer.h"
26#include "kex.h" 43#include "kex.h"
27#include "mac.h" 44#include "mac.h"
28 45
@@ -94,6 +111,7 @@ RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $");
94typedef enum { 111typedef enum {
95 oBadOption, 112 oBadOption,
96 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts, 113 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
114 oExitOnForwardFailure,
97 oPasswordAuthentication, oRSAAuthentication, 115 oPasswordAuthentication, oRSAAuthentication,
98 oChallengeResponseAuthentication, oXAuthLocation, 116 oChallengeResponseAuthentication, oXAuthLocation,
99 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, 117 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
@@ -109,6 +127,7 @@ typedef enum {
109 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 127 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
110 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
111 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 129 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
130 oGssKeyEx,
112 oGssTrustDns, 131 oGssTrustDns,
113 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 132 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
114 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, 133 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
@@ -126,6 +145,7 @@ static struct {
126 { "forwardagent", oForwardAgent }, 145 { "forwardagent", oForwardAgent },
127 { "forwardx11", oForwardX11 }, 146 { "forwardx11", oForwardX11 },
128 { "forwardx11trusted", oForwardX11Trusted }, 147 { "forwardx11trusted", oForwardX11Trusted },
148 { "exitonforwardfailure", oExitOnForwardFailure },
129 { "xauthlocation", oXAuthLocation }, 149 { "xauthlocation", oXAuthLocation },
130 { "gatewayports", oGatewayPorts }, 150 { "gatewayports", oGatewayPorts },
131 { "useprivilegedport", oUsePrivilegedPort }, 151 { "useprivilegedport", oUsePrivilegedPort },
@@ -146,10 +166,12 @@ static struct {
146 { "afstokenpassing", oUnsupported }, 166 { "afstokenpassing", oUnsupported },
147#if defined(GSSAPI) 167#if defined(GSSAPI)
148 { "gssapiauthentication", oGssAuthentication }, 168 { "gssapiauthentication", oGssAuthentication },
169 { "gssapikeyexchange", oGssKeyEx },
149 { "gssapidelegatecredentials", oGssDelegateCreds }, 170 { "gssapidelegatecredentials", oGssDelegateCreds },
150 { "gssapitrustdns", oGssTrustDns }, 171 { "gssapitrustdns", oGssTrustDns },
151#else 172#else
152 { "gssapiauthentication", oUnsupported }, 173 { "gssapiauthentication", oUnsupported },
174 { "gssapikeyexchange", oUnsupported },
153 { "gssapidelegatecredentials", oUnsupported }, 175 { "gssapidelegatecredentials", oUnsupported },
154 { "gssapitrustdns", oUnsupported }, 176 { "gssapitrustdns", oUnsupported },
155#endif 177#endif
@@ -312,7 +334,8 @@ process_config_line(Options *options, const char *host,
312 int *activep) 334 int *activep)
313{ 335{
314 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256]; 336 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
315 int opcode, *intptr, value, value2; 337 int opcode, *intptr, value, value2, scale;
338 long long orig, val64;
316 size_t len; 339 size_t len;
317 Forward fwd; 340 Forward fwd;
318 341
@@ -325,7 +348,8 @@ process_config_line(Options *options, const char *host,
325 348
326 s = line; 349 s = line;
327 /* Get the keyword. (Each line is supposed to begin with a keyword). */ 350 /* Get the keyword. (Each line is supposed to begin with a keyword). */
328 keyword = strdelim(&s); 351 if ((keyword = strdelim(&s)) == NULL)
352 return 0;
329 /* Ignore leading whitespace. */ 353 /* Ignore leading whitespace. */
330 if (*keyword == '\0') 354 if (*keyword == '\0')
331 keyword = strdelim(&s); 355 keyword = strdelim(&s);
@@ -349,7 +373,7 @@ parse_time:
349 if ((value = convtime(arg)) == -1) 373 if ((value = convtime(arg)) == -1)
350 fatal("%s line %d: invalid time value.", 374 fatal("%s line %d: invalid time value.",
351 filename, linenum); 375 filename, linenum);
352 if (*intptr == -1) 376 if (*activep && *intptr == -1)
353 *intptr = value; 377 *intptr = value;
354 break; 378 break;
355 379
@@ -382,6 +406,10 @@ parse_flag:
382 intptr = &options->gateway_ports; 406 intptr = &options->gateway_ports;
383 goto parse_flag; 407 goto parse_flag;
384 408
409 case oExitOnForwardFailure:
410 intptr = &options->exit_on_forward_failure;
411 goto parse_flag;
412
385 case oUsePrivilegedPort: 413 case oUsePrivilegedPort:
386 intptr = &options->use_privileged_port; 414 intptr = &options->use_privileged_port;
387 goto parse_flag; 415 goto parse_flag;
@@ -422,6 +450,10 @@ parse_flag:
422 intptr = &options->gss_authentication; 450 intptr = &options->gss_authentication;
423 goto parse_flag; 451 goto parse_flag;
424 452
453 case oGssKeyEx:
454 intptr = &options->gss_keyex;
455 goto parse_flag;
456
425 case oGssDelegateCreds: 457 case oGssDelegateCreds:
426 intptr = &options->gss_deleg_creds; 458 intptr = &options->gss_deleg_creds;
427 goto parse_flag; 459 goto parse_flag;
@@ -489,22 +521,36 @@ parse_yesnoask:
489 fatal("%.200s line %d: Missing argument.", filename, linenum); 521 fatal("%.200s line %d: Missing argument.", filename, linenum);
490 if (arg[0] < '0' || arg[0] > '9') 522 if (arg[0] < '0' || arg[0] > '9')
491 fatal("%.200s line %d: Bad number.", filename, linenum); 523 fatal("%.200s line %d: Bad number.", filename, linenum);
492 value = strtol(arg, &endofnumber, 10); 524 orig = val64 = strtoll(arg, &endofnumber, 10);
493 if (arg == endofnumber) 525 if (arg == endofnumber)
494 fatal("%.200s line %d: Bad number.", filename, linenum); 526 fatal("%.200s line %d: Bad number.", filename, linenum);
495 switch (toupper(*endofnumber)) { 527 switch (toupper(*endofnumber)) {
528 case '\0':
529 scale = 1;
530 break;
496 case 'K': 531 case 'K':
497 value *= 1<<10; 532 scale = 1<<10;
498 break; 533 break;
499 case 'M': 534 case 'M':
500 value *= 1<<20; 535 scale = 1<<20;
501 break; 536 break;
502 case 'G': 537 case 'G':
503 value *= 1<<30; 538 scale = 1<<30;
504 break; 539 break;
540 default:
541 fatal("%.200s line %d: Invalid RekeyLimit suffix",
542 filename, linenum);
505 } 543 }
544 val64 *= scale;
545 /* detect integer wrap and too-large limits */
546 if ((val64 / scale) != orig || val64 > INT_MAX)
547 fatal("%.200s line %d: RekeyLimit too large",
548 filename, linenum);
549 if (val64 < 16)
550 fatal("%.200s line %d: RekeyLimit too small",
551 filename, linenum);
506 if (*activep && *intptr == -1) 552 if (*activep && *intptr == -1)
507 *intptr = value; 553 *intptr = (int)val64;
508 break; 554 break;
509 555
510 case oIdentityFile: 556 case oIdentityFile:
@@ -516,7 +562,7 @@ parse_yesnoask:
516 if (*intptr >= SSH_MAX_IDENTITY_FILES) 562 if (*intptr >= SSH_MAX_IDENTITY_FILES)
517 fatal("%.200s line %d: Too many identity files specified (max %d).", 563 fatal("%.200s line %d: Too many identity files specified (max %d).",
518 filename, linenum, SSH_MAX_IDENTITY_FILES); 564 filename, linenum, SSH_MAX_IDENTITY_FILES);
519 charptr = &options->identity_files[*intptr]; 565 charptr = &options->identity_files[*intptr];
520 *charptr = xstrdup(arg); 566 *charptr = xstrdup(arg);
521 *intptr = *intptr + 1; 567 *intptr = *intptr + 1;
522 } 568 }
@@ -997,6 +1043,7 @@ initialize_options(Options * options)
997 options->forward_agent = -1; 1043 options->forward_agent = -1;
998 options->forward_x11 = -1; 1044 options->forward_x11 = -1;
999 options->forward_x11_trusted = -1; 1045 options->forward_x11_trusted = -1;
1046 options->exit_on_forward_failure = -1;
1000 options->xauth_location = NULL; 1047 options->xauth_location = NULL;
1001 options->gateway_ports = -1; 1048 options->gateway_ports = -1;
1002 options->use_privileged_port = -1; 1049 options->use_privileged_port = -1;
@@ -1004,6 +1051,7 @@ initialize_options(Options * options)
1004 options->pubkey_authentication = -1; 1051 options->pubkey_authentication = -1;
1005 options->challenge_response_authentication = -1; 1052 options->challenge_response_authentication = -1;
1006 options->gss_authentication = -1; 1053 options->gss_authentication = -1;
1054 options->gss_keyex = -1;
1007 options->gss_deleg_creds = -1; 1055 options->gss_deleg_creds = -1;
1008 options->gss_trust_dns = -1; 1056 options->gss_trust_dns = -1;
1009 options->password_authentication = -1; 1057 options->password_authentication = -1;
@@ -1079,6 +1127,8 @@ fill_default_options(Options * options)
1079 options->forward_x11 = 0; 1127 options->forward_x11 = 0;
1080 if (options->forward_x11_trusted == -1) 1128 if (options->forward_x11_trusted == -1)
1081 options->forward_x11_trusted = 1; 1129 options->forward_x11_trusted = 1;
1130 if (options->exit_on_forward_failure == -1)
1131 options->exit_on_forward_failure = 0;
1082 if (options->xauth_location == NULL) 1132 if (options->xauth_location == NULL)
1083 options->xauth_location = _PATH_XAUTH; 1133 options->xauth_location = _PATH_XAUTH;
1084 if (options->gateway_ports == -1) 1134 if (options->gateway_ports == -1)
@@ -1093,6 +1143,8 @@ fill_default_options(Options * options)
1093 options->challenge_response_authentication = 1; 1143 options->challenge_response_authentication = 1;
1094 if (options->gss_authentication == -1) 1144 if (options->gss_authentication == -1)
1095 options->gss_authentication = 0; 1145 options->gss_authentication = 0;
1146 if (options->gss_keyex == -1)
1147 options->gss_keyex = 0;
1096 if (options->gss_deleg_creds == -1) 1148 if (options->gss_deleg_creds == -1)
1097 options->gss_deleg_creds = 0; 1149 options->gss_deleg_creds = 0;
1098 if (options->gss_trust_dns == -1) 1150 if (options->gss_trust_dns == -1)
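Review bot: In the RekeyLimit hunk of process_config_line (`@@ -489,22 +521,36 @@`), `val64 *= scale;` runs before the wrap check, so for a suffixed value where `orig * scale` exceeds LLONG_MAX (for instance a 19-digit number with a G suffix, or when strtoll has already saturated to LLONG_MAX on ERANGE, which is not checked) the multiplication is signed overflow — undefined behaviour in C — and `(val64 / scale) != orig` only catches it if the compiler happens to wrap. Checking the bound before multiplying avoids the overflow entirely and also covers the ERANGE case, since LLONG_MAX exceeds INT_MAX / scale for every scale used here: `if (orig > INT_MAX / scale) fatal("%.200s line %d: RekeyLimit too large", filename, linenum);` followed by `val64 = orig * scale;`, after which the `val64 > INT_MAX` test is redundant. The check also uses INT_MAX while <limits.h> is not among the headers added in the include hunk; presumably includes.h provides it, but that is worth confirming. process_config_line begins and ends outside the hunk.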