diff options
| author | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2011-09-06 14:56:29 +0100 |
| commit | 978e62d6f14c60747bddef2cc72d66a9c8b83b54 (patch) | |
| tree | 89400a44e42d84937deba7864e4964d6c7734da5 /readconf.c | |
| parent | 87c685b8c6a49814fd782288097b3093f975aa72 (diff) | |
| parent | 3a7e89697ca363de0f64e0d5704c57219294e41c (diff) | |
* New upstream release (http://www.openssh.org/txt/release-5.9).
- Introduce sandboxing of the pre-auth privsep child using an optional
sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
mandatory restrictions on the syscalls the privsep child can perform.
- Add new SHA256-based HMAC transport integrity modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
- The pre-authentication sshd(8) privilege separation slave process now
logs via a socket shared with the master process, avoiding the need to
maintain /dev/log inside the chroot (closes: #75043, #429243,
#599240).
- ssh(1) now warns when a server refuses X11 forwarding (closes:
#504757).
- sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace (closes: #76312). The authorized_keys2
fallback is deprecated but documented (closes: #560156).
- ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
ToS/DSCP (closes: #498297).
- ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add
- < /path/to/key" (closes: #229124).
- Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
- Say "required" rather than "recommended" in unprotected-private-key
warning (LP: #663455).
Diffstat (limited to 'readconf.c')
| -rw-r--r-- | readconf.c | 119 |
1 files changed, 85 insertions, 34 deletions
diff --git a/readconf.c b/readconf.c index 656a2519f..7a26e923b 100644 --- a/readconf.c +++ b/readconf.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: readconf.c,v 1.190 2010/11/13 23:27:50 djm Exp $ */ | 1 | /* $OpenBSD: readconf.c,v 1.193 2011/05/24 07:15:47 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -139,7 +139,7 @@ typedef enum { | |||
| 139 | oHashKnownHosts, | 139 | oHashKnownHosts, |
| 140 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, | 140 | oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, |
| 141 | oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, | 141 | oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, |
| 142 | oKexAlgorithms, oIPQoS, | 142 | oKexAlgorithms, oIPQoS, oRequestTTY, |
| 143 | oProtocolKeepAlives, oSetupTimeOut, | 143 | oProtocolKeepAlives, oSetupTimeOut, |
| 144 | oDeprecated, oUnsupported | 144 | oDeprecated, oUnsupported |
| 145 | } OpCodes; | 145 | } OpCodes; |
| @@ -209,9 +209,9 @@ static struct { | |||
| 209 | { "host", oHost }, | 209 | { "host", oHost }, |
| 210 | { "escapechar", oEscapeChar }, | 210 | { "escapechar", oEscapeChar }, |
| 211 | { "globalknownhostsfile", oGlobalKnownHostsFile }, | 211 | { "globalknownhostsfile", oGlobalKnownHostsFile }, |
| 212 | { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */ | 212 | { "globalknownhostsfile2", oDeprecated }, |
| 213 | { "userknownhostsfile", oUserKnownHostsFile }, | 213 | { "userknownhostsfile", oUserKnownHostsFile }, |
| 214 | { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */ | 214 | { "userknownhostsfile2", oDeprecated }, |
| 215 | { "connectionattempts", oConnectionAttempts }, | 215 | { "connectionattempts", oConnectionAttempts }, |
| 216 | { "batchmode", oBatchMode }, | 216 | { "batchmode", oBatchMode }, |
| 217 | { "checkhostip", oCheckHostIP }, | 217 | { "checkhostip", oCheckHostIP }, |
| @@ -261,6 +261,7 @@ static struct { | |||
| 261 | #endif | 261 | #endif |
| 262 | { "kexalgorithms", oKexAlgorithms }, | 262 | { "kexalgorithms", oKexAlgorithms }, |
| 263 | { "ipqos", oIPQoS }, | 263 | { "ipqos", oIPQoS }, |
| 264 | { "requesttty", oRequestTTY }, | ||
| 264 | { "protocolkeepalives", oProtocolKeepAlives }, | 265 | { "protocolkeepalives", oProtocolKeepAlives }, |
| 265 | { "setuptimeout", oSetupTimeOut }, | 266 | { "setuptimeout", oSetupTimeOut }, |
| 266 | 267 | ||
| @@ -371,8 +372,10 @@ process_config_line(Options *options, const char *host, | |||
| 371 | char *line, const char *filename, int linenum, | 372 | char *line, const char *filename, int linenum, |
| 372 | int *activep) | 373 | int *activep) |
| 373 | { | 374 | { |
| 374 | char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256]; | 375 | char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; |
| 375 | int opcode, *intptr, value, value2, scale; | 376 | char **cpptr, fwdarg[256]; |
| 377 | u_int *uintptr, max_entries = 0; | ||
| 378 | int negated, opcode, *intptr, value, value2, scale; | ||
| 376 | LogLevel *log_level_ptr; | 379 | LogLevel *log_level_ptr; |
| 377 | long long orig, val64; | 380 | long long orig, val64; |
| 378 | size_t len; | 381 | size_t len; |
| @@ -639,26 +642,33 @@ parse_yesnoask: | |||
| 639 | parse_string: | 642 | parse_string: |
| 640 | arg = strdelim(&s); | 643 | arg = strdelim(&s); |
| 641 | if (!arg || *arg == '\0') | 644 | if (!arg || *arg == '\0') |
| 642 | fatal("%.200s line %d: Missing argument.", filename, linenum); | 645 | fatal("%.200s line %d: Missing argument.", |
| 646 | filename, linenum); | ||
| 643 | if (*activep && *charptr == NULL) | 647 | if (*activep && *charptr == NULL) |
| 644 | *charptr = xstrdup(arg); | 648 | *charptr = xstrdup(arg); |
| 645 | break; | 649 | break; |
| 646 | 650 | ||
| 647 | case oGlobalKnownHostsFile: | 651 | case oGlobalKnownHostsFile: |
| 648 | charptr = &options->system_hostfile; | 652 | cpptr = (char **)&options->system_hostfiles; |
| 649 | goto parse_string; | 653 | uintptr = &options->num_system_hostfiles; |
| 654 | max_entries = SSH_MAX_HOSTS_FILES; | ||
| 655 | parse_char_array: | ||
| 656 | if (*activep && *uintptr == 0) { | ||
| 657 | while ((arg = strdelim(&s)) != NULL && *arg != '\0') { | ||
| 658 | if ((*uintptr) >= max_entries) | ||
| 659 | fatal("%s line %d: " | ||
| 660 | "too many authorized keys files.", | ||
| 661 | filename, linenum); | ||
| 662 | cpptr[(*uintptr)++] = xstrdup(arg); | ||
| 663 | } | ||
| 664 | } | ||
| 665 | return 0; | ||
| 650 | 666 | ||
| 651 | case oUserKnownHostsFile: | 667 | case oUserKnownHostsFile: |
| 652 | charptr = &options->user_hostfile; | 668 | cpptr = (char **)&options->user_hostfiles; |
| 653 | goto parse_string; | 669 | uintptr = &options->num_user_hostfiles; |
| 654 | 670 | max_entries = SSH_MAX_HOSTS_FILES; | |
| 655 | case oGlobalKnownHostsFile2: | 671 | goto parse_char_array; |
| 656 | charptr = &options->system_hostfile2; | ||
| 657 | goto parse_string; | ||
| 658 | |||
| 659 | case oUserKnownHostsFile2: | ||
| 660 | charptr = &options->user_hostfile2; | ||
| 661 | goto parse_string; | ||
| 662 | 672 | ||
| 663 | case oHostName: | 673 | case oHostName: |
| 664 | charptr = &options->hostname; | 674 | charptr = &options->hostname; |
| @@ -835,12 +845,28 @@ parse_int: | |||
| 835 | 845 | ||
| 836 | case oHost: | 846 | case oHost: |
| 837 | *activep = 0; | 847 | *activep = 0; |
| 838 | while ((arg = strdelim(&s)) != NULL && *arg != '\0') | 848 | arg2 = NULL; |
| 849 | while ((arg = strdelim(&s)) != NULL && *arg != '\0') { | ||
| 850 | negated = *arg == '!'; | ||
| 851 | if (negated) | ||
| 852 | arg++; | ||
| 839 | if (match_pattern(host, arg)) { | 853 | if (match_pattern(host, arg)) { |
| 840 | debug("Applying options for %.100s", arg); | 854 | if (negated) { |
| 855 | debug("%.200s line %d: Skipping Host " | ||
| 856 | "block because of negated match " | ||
| 857 | "for %.100s", filename, linenum, | ||
| 858 | arg); | ||
| 859 | *activep = 0; | ||
| 860 | break; | ||
| 861 | } | ||
| 862 | if (!*activep) | ||
| 863 | arg2 = arg; /* logged below */ | ||
| 841 | *activep = 1; | 864 | *activep = 1; |
| 842 | break; | ||
| 843 | } | 865 | } |
| 866 | } | ||
| 867 | if (*activep) | ||
| 868 | debug("%.200s line %d: Applying options for %.100s", | ||
| 869 | filename, linenum, arg2); | ||
| 844 | /* Avoid garbage check below, as strdelim is done. */ | 870 | /* Avoid garbage check below, as strdelim is done. */ |
| 845 | return 0; | 871 | return 0; |
| 846 | 872 | ||
| @@ -1041,6 +1067,26 @@ parse_int: | |||
| 1041 | intptr = &options->use_roaming; | 1067 | intptr = &options->use_roaming; |
| 1042 | goto parse_flag; | 1068 | goto parse_flag; |
| 1043 | 1069 | ||
| 1070 | case oRequestTTY: | ||
| 1071 | arg = strdelim(&s); | ||
| 1072 | if (!arg || *arg == '\0') | ||
| 1073 | fatal("%s line %d: missing argument.", | ||
| 1074 | filename, linenum); | ||
| 1075 | intptr = &options->request_tty; | ||
| 1076 | if (strcasecmp(arg, "yes") == 0) | ||
| 1077 | value = REQUEST_TTY_YES; | ||
| 1078 | else if (strcasecmp(arg, "no") == 0) | ||
| 1079 | value = REQUEST_TTY_NO; | ||
| 1080 | else if (strcasecmp(arg, "force") == 0) | ||
| 1081 | value = REQUEST_TTY_FORCE; | ||
| 1082 | else if (strcasecmp(arg, "auto") == 0) | ||
| 1083 | value = REQUEST_TTY_AUTO; | ||
| 1084 | else | ||
| 1085 | fatal("Unsupported RequestTTY \"%s\"", arg); | ||
| 1086 | if (*activep && *intptr == -1) | ||
| 1087 | *intptr = value; | ||
| 1088 | break; | ||
| 1089 | |||
| 1044 | case oDeprecated: | 1090 | case oDeprecated: |
| 1045 | debug("%s line %d: Deprecated option \"%s\"", | 1091 | debug("%s line %d: Deprecated option \"%s\"", |
| 1046 | filename, linenum, keyword); | 1092 | filename, linenum, keyword); |
| @@ -1170,10 +1216,8 @@ initialize_options(Options * options) | |||
| 1170 | options->proxy_command = NULL; | 1216 | options->proxy_command = NULL; |
| 1171 | options->user = NULL; | 1217 | options->user = NULL; |
| 1172 | options->escape_char = -1; | 1218 | options->escape_char = -1; |
| 1173 | options->system_hostfile = NULL; | 1219 | options->num_system_hostfiles = 0; |
| 1174 | options->user_hostfile = NULL; | 1220 | options->num_user_hostfiles = 0; |
| 1175 | options->system_hostfile2 = NULL; | ||
| 1176 | options->user_hostfile2 = NULL; | ||
| 1177 | options->local_forwards = NULL; | 1221 | options->local_forwards = NULL; |
| 1178 | options->num_local_forwards = 0; | 1222 | options->num_local_forwards = 0; |
| 1179 | options->remote_forwards = NULL; | 1223 | options->remote_forwards = NULL; |
| @@ -1206,6 +1250,7 @@ initialize_options(Options * options) | |||
| 1206 | options->zero_knowledge_password_authentication = -1; | 1250 | options->zero_knowledge_password_authentication = -1; |
| 1207 | options->ip_qos_interactive = -1; | 1251 | options->ip_qos_interactive = -1; |
| 1208 | options->ip_qos_bulk = -1; | 1252 | options->ip_qos_bulk = -1; |
| 1253 | options->request_tty = -1; | ||
| 1209 | } | 1254 | } |
| 1210 | 1255 | ||
| 1211 | /* | 1256 | /* |
| @@ -1320,14 +1365,18 @@ fill_default_options(Options * options) | |||
| 1320 | } | 1365 | } |
| 1321 | if (options->escape_char == -1) | 1366 | if (options->escape_char == -1) |
| 1322 | options->escape_char = '~'; | 1367 | options->escape_char = '~'; |
| 1323 | if (options->system_hostfile == NULL) | 1368 | if (options->num_system_hostfiles == 0) { |
| 1324 | options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE; | 1369 | options->system_hostfiles[options->num_system_hostfiles++] = |
| 1325 | if (options->user_hostfile == NULL) | 1370 | xstrdup(_PATH_SSH_SYSTEM_HOSTFILE); |
| 1326 | options->user_hostfile = _PATH_SSH_USER_HOSTFILE; | 1371 | options->system_hostfiles[options->num_system_hostfiles++] = |
| 1327 | if (options->system_hostfile2 == NULL) | 1372 | xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2); |
| 1328 | options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2; | 1373 | } |
| 1329 | if (options->user_hostfile2 == NULL) | 1374 | if (options->num_user_hostfiles == 0) { |
| 1330 | options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2; | 1375 | options->user_hostfiles[options->num_user_hostfiles++] = |
| 1376 | xstrdup(_PATH_SSH_USER_HOSTFILE); | ||
| 1377 | options->user_hostfiles[options->num_user_hostfiles++] = | ||
| 1378 | xstrdup(_PATH_SSH_USER_HOSTFILE2); | ||
| 1379 | } | ||
| 1331 | if (options->log_level == SYSLOG_LEVEL_NOT_SET) | 1380 | if (options->log_level == SYSLOG_LEVEL_NOT_SET) |
| 1332 | options->log_level = SYSLOG_LEVEL_INFO; | 1381 | options->log_level = SYSLOG_LEVEL_INFO; |
| 1333 | if (options->clear_forwardings == 1) | 1382 | if (options->clear_forwardings == 1) |
| @@ -1377,6 +1426,8 @@ fill_default_options(Options * options) | |||
| 1377 | options->ip_qos_interactive = IPTOS_LOWDELAY; | 1426 | options->ip_qos_interactive = IPTOS_LOWDELAY; |
| 1378 | if (options->ip_qos_bulk == -1) | 1427 | if (options->ip_qos_bulk == -1) |
| 1379 | options->ip_qos_bulk = IPTOS_THROUGHPUT; | 1428 | options->ip_qos_bulk = IPTOS_THROUGHPUT; |
| 1429 | if (options->request_tty == -1) | ||
| 1430 | options->request_tty = REQUEST_TTY_AUTO; | ||
| 1380 | /* options->local_command should not be set by default */ | 1431 | /* options->local_command should not be set by default */ |
| 1381 | /* options->proxy_command should not be set by default */ | 1432 | /* options->proxy_command should not be set by default */ |
| 1382 | /* options->user will be set in the main program if appropriate */ | 1433 | /* options->user will be set in the main program if appropriate */ |