summaryrefslogtreecommitdiff
path: root/servconf.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2016-02-29 12:15:15 +0000
committerColin Watson <cjwatson@debian.org>2016-03-08 11:51:22 +0000
commit46961f5704f8e86cea3e99253faad55aef4d8f35 (patch)
tree0dd97fa4fb649a62b4639fe2674380872b1f3e98 /servconf.c
parentc753fe267efb1b027424fa8706cf0385fc3d14c1 (diff)
parent85e40e87a75fb80a0bf893ac05a417d6c353537d (diff)
New upstream release (7.2).
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c59
1 files changed, 40 insertions, 19 deletions
diff --git a/servconf.c b/servconf.c
index a778f44e9..8ca9695a2 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */ 2/* $OpenBSD: servconf.c,v 1.285 2016/02/17 05:29:04 djm Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -181,6 +181,20 @@ option_clear_or_none(const char *o)
181 return o == NULL || strcasecmp(o, "none") == 0; 181 return o == NULL || strcasecmp(o, "none") == 0;
182} 182}
183 183
184static void
185assemble_algorithms(ServerOptions *o)
186{
187 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
188 kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
189 kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
190 kex_assemble_names(KEX_DEFAULT_PK_ALG,
191 &o->hostkeyalgorithms) != 0 ||
192 kex_assemble_names(KEX_DEFAULT_PK_ALG,
193 &o->hostbased_key_types) != 0 ||
194 kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
195 fatal("kex_assemble_names failed");
196}
197
184void 198void
185fill_default_server_options(ServerOptions *options) 199fill_default_server_options(ServerOptions *options)
186{ 200{
@@ -262,8 +276,6 @@ fill_default_server_options(ServerOptions *options)
262 options->hostbased_authentication = 0; 276 options->hostbased_authentication = 0;
263 if (options->hostbased_uses_name_from_packet_only == -1) 277 if (options->hostbased_uses_name_from_packet_only == -1)
264 options->hostbased_uses_name_from_packet_only = 0; 278 options->hostbased_uses_name_from_packet_only = 0;
265 if (options->hostkeyalgorithms == NULL)
266 options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
267 if (options->rsa_authentication == -1) 279 if (options->rsa_authentication == -1)
268 options->rsa_authentication = 1; 280 options->rsa_authentication = 1;
269 if (options->pubkey_authentication == -1) 281 if (options->pubkey_authentication == -1)
@@ -351,18 +363,11 @@ fill_default_server_options(ServerOptions *options)
351 if (options->debian_banner == -1) 363 if (options->debian_banner == -1)
352 options->debian_banner = 1; 364 options->debian_banner = 1;
353 365
354 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || 366 assemble_algorithms(options);
355 kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
356 kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
357 kex_assemble_names(KEX_DEFAULT_PK_ALG,
358 &options->hostbased_key_types) != 0 ||
359 kex_assemble_names(KEX_DEFAULT_PK_ALG,
360 &options->pubkey_key_types) != 0)
361 fatal("%s: kex_assemble_names failed", __func__);
362 367
363 /* Turn privilege separation on by default */ 368 /* Turn privilege separation and sandboxing on by default */
364 if (use_privsep == -1) 369 if (use_privsep == -1)
365 use_privsep = PRIVSEP_NOSANDBOX; 370 use_privsep = PRIVSEP_ON;
366 371
367#define CLEAR_ON_NONE(v) \ 372#define CLEAR_ON_NONE(v) \
368 do { \ 373 do { \
@@ -377,6 +382,8 @@ fill_default_server_options(ServerOptions *options)
377 CLEAR_ON_NONE(options->trusted_user_ca_keys); 382 CLEAR_ON_NONE(options->trusted_user_ca_keys);
378 CLEAR_ON_NONE(options->revoked_keys_file); 383 CLEAR_ON_NONE(options->revoked_keys_file);
379 CLEAR_ON_NONE(options->authorized_principals_file); 384 CLEAR_ON_NONE(options->authorized_principals_file);
385 CLEAR_ON_NONE(options->adm_forced_command);
386 CLEAR_ON_NONE(options->chroot_directory);
380 for (i = 0; i < options->num_host_key_files; i++) 387 for (i = 0; i < options->num_host_key_files; i++)
381 CLEAR_ON_NONE(options->host_key_files[i]); 388 CLEAR_ON_NONE(options->host_key_files[i]);
382 for (i = 0; i < options->num_host_cert_files; i++) 389 for (i = 0; i < options->num_host_cert_files; i++)
@@ -518,7 +525,11 @@ static struct {
518 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 525 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
519 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, 526 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
520 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 527 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
528#ifdef DISABLE_LASTLOG
529 { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
530#else
521 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 531 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
532#endif
522 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 533 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
523 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 534 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
524 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 535 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
@@ -1348,16 +1359,12 @@ process_server_config_line(ServerOptions *options, char *line,
1348 if (scan_scaled(arg, &val64) == -1) 1359 if (scan_scaled(arg, &val64) == -1)
1349 fatal("%.200s line %d: Bad number '%s': %s", 1360 fatal("%.200s line %d: Bad number '%s': %s",
1350 filename, linenum, arg, strerror(errno)); 1361 filename, linenum, arg, strerror(errno));
1351 /* check for too-large or too-small limits */
1352 if (val64 > UINT_MAX)
1353 fatal("%.200s line %d: RekeyLimit too large",
1354 filename, linenum);
1355 if (val64 != 0 && val64 < 16) 1362 if (val64 != 0 && val64 < 16)
1356 fatal("%.200s line %d: RekeyLimit too small", 1363 fatal("%.200s line %d: RekeyLimit too small",
1357 filename, linenum); 1364 filename, linenum);
1358 } 1365 }
1359 if (*activep && options->rekey_limit == -1) 1366 if (*activep && options->rekey_limit == -1)
1360 options->rekey_limit = (u_int32_t)val64; 1367 options->rekey_limit = val64;
1361 if (cp != NULL) { /* optional rekey interval present */ 1368 if (cp != NULL) { /* optional rekey interval present */
1362 if (strcmp(cp, "none") == 0) { 1369 if (strcmp(cp, "none") == 0) {
1363 (void)strdelim(&cp); /* discard */ 1370 (void)strdelim(&cp); /* discard */
@@ -2048,6 +2055,9 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2048 /* See comment in servconf.h */ 2055 /* See comment in servconf.h */
2049 COPY_MATCH_STRING_OPTS(); 2056 COPY_MATCH_STRING_OPTS();
2050 2057
2058 /* Arguments that accept '+...' need to be expanded */
2059 assemble_algorithms(dst);
2060
2051 /* 2061 /*
2052 * The only things that should be below this point are string options 2062 * The only things that should be below this point are string options
2053 * which are only used after authentication. 2063 * which are only used after authentication.
@@ -2055,8 +2065,17 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2055 if (preauth) 2065 if (preauth)
2056 return; 2066 return;
2057 2067
2068 /* These options may be "none" to clear a global setting */
2058 M_CP_STROPT(adm_forced_command); 2069 M_CP_STROPT(adm_forced_command);
2070 if (option_clear_or_none(dst->adm_forced_command)) {
2071 free(dst->adm_forced_command);
2072 dst->adm_forced_command = NULL;
2073 }
2059 M_CP_STROPT(chroot_directory); 2074 M_CP_STROPT(chroot_directory);
2075 if (option_clear_or_none(dst->chroot_directory)) {
2076 free(dst->chroot_directory);
2077 dst->chroot_directory = NULL;
2078 }
2060} 2079}
2061 2080
2062#undef M_CP_INTOPT 2081#undef M_CP_INTOPT
@@ -2290,7 +2309,9 @@ dump_config(ServerOptions *o)
2290 dump_cfg_fmtint(sChallengeResponseAuthentication, 2309 dump_cfg_fmtint(sChallengeResponseAuthentication,
2291 o->challenge_response_authentication); 2310 o->challenge_response_authentication);
2292 dump_cfg_fmtint(sPrintMotd, o->print_motd); 2311 dump_cfg_fmtint(sPrintMotd, o->print_motd);
2312#ifndef DISABLE_LASTLOG
2293 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); 2313 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2314#endif
2294 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); 2315 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2295 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 2316 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2296 dump_cfg_fmtint(sPermitTTY, o->permit_tty); 2317 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
@@ -2374,7 +2395,7 @@ dump_config(ServerOptions *o)
2374 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2395 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2375 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2396 printf("%s\n", iptos2str(o->ip_qos_bulk));
2376 2397
2377 printf("rekeylimit %lld %d\n", (long long)o->rekey_limit, 2398 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
2378 o->rekey_interval); 2399 o->rekey_interval);
2379 2400
2380 channel_print_adm_permitted_opens(); 2401 channel_print_adm_permitted_opens();