diff options
author | Colin Watson <cjwatson@debian.org> | 2013-09-14 15:43:03 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2013-09-14 15:43:03 +0100 |
commit | 8faf8c84430cf3c19705b1d9f8889d256e7fd1fd (patch) | |
tree | e6cb74192adb00fda5e4d1457547851d7e0d86af /servconf.c | |
parent | 328b60656f29db6306994d7498dede386ec2d1c3 (diff) | |
parent | c41345ad7ee5a22689e2c009595e85fa27b4b39a (diff) |
merge 6.3p1
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 77 |
1 files changed, 68 insertions, 9 deletions
diff --git a/servconf.c b/servconf.c index cdc029308..c938ae399 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -20,6 +20,7 @@ | |||
20 | #include <netinet/in_systm.h> | 20 | #include <netinet/in_systm.h> |
21 | #include <netinet/ip.h> | 21 | #include <netinet/ip.h> |
22 | 22 | ||
23 | #include <ctype.h> | ||
23 | #include <netdb.h> | 24 | #include <netdb.h> |
24 | #include <pwd.h> | 25 | #include <pwd.h> |
25 | #include <stdio.h> | 26 | #include <stdio.h> |
@@ -29,6 +30,9 @@ | |||
29 | #include <unistd.h> | 30 | #include <unistd.h> |
30 | #include <stdarg.h> | 31 | #include <stdarg.h> |
31 | #include <errno.h> | 32 | #include <errno.h> |
33 | #ifdef HAVE_UTIL_H | ||
34 | #include <util.h> | ||
35 | #endif | ||
32 | 36 | ||
33 | #include "openbsd-compat/sys-queue.h" | 37 | #include "openbsd-compat/sys-queue.h" |
34 | #include "xmalloc.h" | 38 | #include "xmalloc.h" |
@@ -75,6 +79,7 @@ initialize_server_options(ServerOptions *options) | |||
75 | options->address_family = -1; | 79 | options->address_family = -1; |
76 | options->num_host_key_files = 0; | 80 | options->num_host_key_files = 0; |
77 | options->num_host_cert_files = 0; | 81 | options->num_host_cert_files = 0; |
82 | options->host_key_agent = NULL; | ||
78 | options->pid_file = NULL; | 83 | options->pid_file = NULL; |
79 | options->server_key_bits = -1; | 84 | options->server_key_bits = -1; |
80 | options->login_grace_time = -1; | 85 | options->login_grace_time = -1; |
@@ -113,6 +118,8 @@ initialize_server_options(ServerOptions *options) | |||
113 | options->permit_user_env = -1; | 118 | options->permit_user_env = -1; |
114 | options->use_login = -1; | 119 | options->use_login = -1; |
115 | options->compression = -1; | 120 | options->compression = -1; |
121 | options->rekey_limit = -1; | ||
122 | options->rekey_interval = -1; | ||
116 | options->allow_tcp_forwarding = -1; | 123 | options->allow_tcp_forwarding = -1; |
117 | options->allow_agent_forwarding = -1; | 124 | options->allow_agent_forwarding = -1; |
118 | options->num_allow_users = 0; | 125 | options->num_allow_users = 0; |
@@ -258,6 +265,10 @@ fill_default_server_options(ServerOptions *options) | |||
258 | options->use_login = 0; | 265 | options->use_login = 0; |
259 | if (options->compression == -1) | 266 | if (options->compression == -1) |
260 | options->compression = COMP_DELAYED; | 267 | options->compression = COMP_DELAYED; |
268 | if (options->rekey_limit == -1) | ||
269 | options->rekey_limit = 0; | ||
270 | if (options->rekey_interval == -1) | ||
271 | options->rekey_interval = 0; | ||
261 | if (options->allow_tcp_forwarding == -1) | 272 | if (options->allow_tcp_forwarding == -1) |
262 | options->allow_tcp_forwarding = FORWARD_ALLOW; | 273 | options->allow_tcp_forwarding = FORWARD_ALLOW; |
263 | if (options->allow_agent_forwarding == -1) | 274 | if (options->allow_agent_forwarding == -1) |
@@ -329,7 +340,7 @@ typedef enum { | |||
329 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 340 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
330 | sStrictModes, sEmptyPasswd, sTCPKeepAlive, | 341 | sStrictModes, sEmptyPasswd, sTCPKeepAlive, |
331 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 342 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
332 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 343 | sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
333 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 344 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
334 | sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, | 345 | sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, |
335 | sMaxStartups, sMaxAuthTries, sMaxSessions, | 346 | sMaxStartups, sMaxAuthTries, sMaxSessions, |
@@ -345,7 +356,7 @@ typedef enum { | |||
345 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, | 356 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
346 | sKexAlgorithms, sIPQoS, sVersionAddendum, | 357 | sKexAlgorithms, sIPQoS, sVersionAddendum, |
347 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, | 358 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, |
348 | sAuthenticationMethods, | 359 | sAuthenticationMethods, sHostKeyAgent, |
349 | sDeprecated, sUnsupported | 360 | sDeprecated, sUnsupported |
350 | } ServerOpCodes; | 361 | } ServerOpCodes; |
351 | 362 | ||
@@ -370,6 +381,7 @@ static struct { | |||
370 | { "port", sPort, SSHCFG_GLOBAL }, | 381 | { "port", sPort, SSHCFG_GLOBAL }, |
371 | { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, | 382 | { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, |
372 | { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ | 383 | { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ |
384 | { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, | ||
373 | { "pidfile", sPidFile, SSHCFG_GLOBAL }, | 385 | { "pidfile", sPidFile, SSHCFG_GLOBAL }, |
374 | { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, | 386 | { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, |
375 | { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, | 387 | { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, |
@@ -443,6 +455,7 @@ static struct { | |||
443 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 455 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
444 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 456 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
445 | { "compression", sCompression, SSHCFG_GLOBAL }, | 457 | { "compression", sCompression, SSHCFG_GLOBAL }, |
458 | { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, | ||
446 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, | 459 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, |
447 | { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ | 460 | { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ |
448 | { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, | 461 | { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, |
@@ -530,7 +543,7 @@ derelativise_path(const char *path) | |||
530 | if (getcwd(cwd, sizeof(cwd)) == NULL) | 543 | if (getcwd(cwd, sizeof(cwd)) == NULL) |
531 | fatal("%s: getcwd: %s", __func__, strerror(errno)); | 544 | fatal("%s: getcwd: %s", __func__, strerror(errno)); |
532 | xasprintf(&ret, "%s/%s", cwd, expanded); | 545 | xasprintf(&ret, "%s/%s", cwd, expanded); |
533 | xfree(expanded); | 546 | free(expanded); |
534 | return ret; | 547 | return ret; |
535 | } | 548 | } |
536 | 549 | ||
@@ -822,13 +835,13 @@ process_server_config_line(ServerOptions *options, char *line, | |||
822 | struct connection_info *connectinfo) | 835 | struct connection_info *connectinfo) |
823 | { | 836 | { |
824 | char *cp, **charptr, *arg, *p; | 837 | char *cp, **charptr, *arg, *p; |
825 | int cmdline = 0, *intptr, value, value2, n; | 838 | int cmdline = 0, *intptr, value, value2, n, port; |
826 | SyslogFacility *log_facility_ptr; | 839 | SyslogFacility *log_facility_ptr; |
827 | LogLevel *log_level_ptr; | 840 | LogLevel *log_level_ptr; |
828 | ServerOpCodes opcode; | 841 | ServerOpCodes opcode; |
829 | int port; | ||
830 | u_int i, flags = 0; | 842 | u_int i, flags = 0; |
831 | size_t len; | 843 | size_t len; |
844 | long long val64; | ||
832 | const struct multistate *multistate_ptr; | 845 | const struct multistate *multistate_ptr; |
833 | 846 | ||
834 | cp = line; | 847 | cp = line; |
@@ -988,6 +1001,17 @@ process_server_config_line(ServerOptions *options, char *line, | |||
988 | } | 1001 | } |
989 | break; | 1002 | break; |
990 | 1003 | ||
1004 | case sHostKeyAgent: | ||
1005 | charptr = &options->host_key_agent; | ||
1006 | arg = strdelim(&cp); | ||
1007 | if (!arg || *arg == '\0') | ||
1008 | fatal("%s line %d: missing socket name.", | ||
1009 | filename, linenum); | ||
1010 | if (*activep && *charptr == NULL) | ||
1011 | *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ? | ||
1012 | xstrdup(arg) : derelativise_path(arg); | ||
1013 | break; | ||
1014 | |||
991 | case sHostCertificate: | 1015 | case sHostCertificate: |
992 | intptr = &options->num_host_cert_files; | 1016 | intptr = &options->num_host_cert_files; |
993 | if (*intptr >= MAX_HOSTKEYS) | 1017 | if (*intptr >= MAX_HOSTKEYS) |
@@ -1151,6 +1175,37 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1151 | multistate_ptr = multistate_compression; | 1175 | multistate_ptr = multistate_compression; |
1152 | goto parse_multistate; | 1176 | goto parse_multistate; |
1153 | 1177 | ||
1178 | case sRekeyLimit: | ||
1179 | arg = strdelim(&cp); | ||
1180 | if (!arg || *arg == '\0') | ||
1181 | fatal("%.200s line %d: Missing argument.", filename, | ||
1182 | linenum); | ||
1183 | if (strcmp(arg, "default") == 0) { | ||
1184 | val64 = 0; | ||
1185 | } else { | ||
1186 | if (scan_scaled(arg, &val64) == -1) | ||
1187 | fatal("%.200s line %d: Bad number '%s': %s", | ||
1188 | filename, linenum, arg, strerror(errno)); | ||
1189 | /* check for too-large or too-small limits */ | ||
1190 | if (val64 > UINT_MAX) | ||
1191 | fatal("%.200s line %d: RekeyLimit too large", | ||
1192 | filename, linenum); | ||
1193 | if (val64 != 0 && val64 < 16) | ||
1194 | fatal("%.200s line %d: RekeyLimit too small", | ||
1195 | filename, linenum); | ||
1196 | } | ||
1197 | if (*activep && options->rekey_limit == -1) | ||
1198 | options->rekey_limit = (u_int32_t)val64; | ||
1199 | if (cp != NULL) { /* optional rekey interval present */ | ||
1200 | if (strcmp(cp, "none") == 0) { | ||
1201 | (void)strdelim(&cp); /* discard */ | ||
1202 | break; | ||
1203 | } | ||
1204 | intptr = &options->rekey_interval; | ||
1205 | goto parse_time; | ||
1206 | } | ||
1207 | break; | ||
1208 | |||
1154 | case sGatewayPorts: | 1209 | case sGatewayPorts: |
1155 | intptr = &options->gateway_ports; | 1210 | intptr = &options->gateway_ports; |
1156 | multistate_ptr = multistate_gatewayports; | 1211 | multistate_ptr = multistate_gatewayports; |
@@ -1704,8 +1759,7 @@ int server_match_spec_complete(struct connection_info *ci) | |||
1704 | } while (0) | 1759 | } while (0) |
1705 | #define M_CP_STROPT(n) do {\ | 1760 | #define M_CP_STROPT(n) do {\ |
1706 | if (src->n != NULL) { \ | 1761 | if (src->n != NULL) { \ |
1707 | if (dst->n != NULL) \ | 1762 | free(dst->n); \ |
1708 | xfree(dst->n); \ | ||
1709 | dst->n = src->n; \ | 1763 | dst->n = src->n; \ |
1710 | } \ | 1764 | } \ |
1711 | } while(0) | 1765 | } while(0) |
@@ -1751,6 +1805,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
1751 | M_CP_INTOPT(max_authtries); | 1805 | M_CP_INTOPT(max_authtries); |
1752 | M_CP_INTOPT(ip_qos_interactive); | 1806 | M_CP_INTOPT(ip_qos_interactive); |
1753 | M_CP_INTOPT(ip_qos_bulk); | 1807 | M_CP_INTOPT(ip_qos_bulk); |
1808 | M_CP_INTOPT(rekey_limit); | ||
1809 | M_CP_INTOPT(rekey_interval); | ||
1754 | 1810 | ||
1755 | /* See comment in servconf.h */ | 1811 | /* See comment in servconf.h */ |
1756 | COPY_MATCH_STRING_OPTS(); | 1812 | COPY_MATCH_STRING_OPTS(); |
@@ -1787,7 +1843,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, | |||
1787 | linenum++, &active, connectinfo) != 0) | 1843 | linenum++, &active, connectinfo) != 0) |
1788 | bad_options++; | 1844 | bad_options++; |
1789 | } | 1845 | } |
1790 | xfree(obuf); | 1846 | free(obuf); |
1791 | if (bad_options > 0) | 1847 | if (bad_options > 0) |
1792 | fatal("%s: terminating, %d bad configuration options", | 1848 | fatal("%s: terminating, %d bad configuration options", |
1793 | filename, bad_options); | 1849 | filename, bad_options); |
@@ -2004,6 +2060,7 @@ dump_config(ServerOptions *o) | |||
2004 | dump_cfg_string(sVersionAddendum, o->version_addendum); | 2060 | dump_cfg_string(sVersionAddendum, o->version_addendum); |
2005 | dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); | 2061 | dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); |
2006 | dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); | 2062 | dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); |
2063 | dump_cfg_string(sHostKeyAgent, o->host_key_agent); | ||
2007 | 2064 | ||
2008 | /* string arguments requiring a lookup */ | 2065 | /* string arguments requiring a lookup */ |
2009 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); | 2066 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); |
@@ -2042,5 +2099,7 @@ dump_config(ServerOptions *o) | |||
2042 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); | 2099 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); |
2043 | printf("%s\n", iptos2str(o->ip_qos_bulk)); | 2100 | printf("%s\n", iptos2str(o->ip_qos_bulk)); |
2044 | 2101 | ||
2102 | printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval); | ||
2103 | |||
2045 | channel_print_adm_permitted_opens(); | 2104 | channel_print_adm_permitted_opens(); |
2046 | } | 2105 | } |