* New upstream release (http://www.openssh.com/txt/release-6.2).

- Add support for multiple required authentication in SSH protocol 2 via an AuthenticationMethods option (closes: #195716). - Fix Sophie Germain formula in moduli(5) (closes: #698612). - Update ssh-copy-id to Phil Hands' greatly revised version (closes: #99785, #322228, #620428; LP: #518883, #835901, #1074798).
author: Colin Watson <cjwatson@debian.org> 2013-05-07 11:47:26 +0100
committer: Colin Watson <cjwatson@debian.org> 2013-05-07 11:47:26 +0100
commit: 2ea3f720daeb1ca9f765365fce3a9546961fe624 (patch)
tree: c4fb7d1f51fa51e7677232de806aae150e29e2ac /servconf.c
parent: f5efcd3450bbf8261915e0c4a6f851229dddaa79 (diff)
parent: ecebda56da46a03dafff923d91c382f31faa9eec (diff)
1 files changed, 69 insertions, 6 deletions
diff --git a/servconf.c b/servconf.c
index 9a8822938..1700d5aa6 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.229 2012/07/13 01:35:21 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -48,6 +48,8 @@
 #include "groupaccess.h"
 #include "canohost.h"
 #include "packet.h"
+#include "hostfile.h"
+#include "auth.h"
 static void add_listen_addr(ServerOptions *, char *, int);
 static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -139,6 +141,8 @@ initialize_server_options(ServerOptions *options)
        options->num_permitted_opens = -1;
        options->adm_forced_command = NULL;
        options->chroot_directory = NULL;
+        options->authorized_keys_command = NULL;
+        options->authorized_keys_command_user = NULL;
        options->zero_knowledge_password_authentication = -1;
        options->revoked_keys_file = NULL;
        options->trusted_user_ca_keys = NULL;
@@ -259,7 +263,7 @@ fill_default_server_options(ServerOptions *options)
        if (options->compression == -1)
                options->compression = COMP_DELAYED;
        if (options->allow_tcp_forwarding == -1)
-                options->allow_tcp_forwarding = 1;
+                options->allow_tcp_forwarding = FORWARD_ALLOW;
        if (options->allow_agent_forwarding == -1)
                options->allow_agent_forwarding = 1;
        if (options->gateway_ports == -1)
@@ -346,6 +350,8 @@ typedef enum {
        sZeroKnowledgePasswordAuthentication, sHostCertificate,
        sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
        sKexAlgorithms, sIPQoS, sVersionAddendum,
+        sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+        sAuthenticationMethods,
        sDebianBanner,
        sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -482,7 +488,10 @@ static struct {
        { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
        { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
        { "ipqos", sIPQoS, SSHCFG_ALL },
+        { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
+        { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
        { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+        { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
        { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
        { NULL, sBadOption, 0 }
 };
@@ -648,8 +657,9 @@ out:
 }
 /*
- * All of the attributes on a single Match line are ANDed together, so we need to check every
+ * All of the attributes on a single Match line are ANDed together, so we need
- * attribute and set the result to zero if any attribute does not match.
+ * to check every * attribute and set the result to zero if any attribute does
+ * not match.
 */
 static int
 match_cfg_line(char **condition, int line, struct connection_info *ci)
@@ -806,6 +816,14 @@ static const struct multistate multistate_privsep[] = {
        { "no",                         PRIVSEP_OFF },
        { NULL, -1 }
 };
+static const struct multistate multistate_tcpfwd[] = {
+        { "yes",                        FORWARD_ALLOW },
+        { "all",                        FORWARD_ALLOW },
+        { "no",                         FORWARD_DENY },
+        { "remote",                     FORWARD_REMOTE },
+        { "local",                      FORWARD_LOCAL },
+        { NULL, -1 }
+};
 int
 process_server_config_line(ServerOptions *options, char *line,
@@ -1179,7 +1197,8 @@ process_server_config_line(ServerOptions *options, char *line,
        case sAllowTcpForwarding:
                intptr = &options->allow_tcp_forwarding;
-                goto parse_flag;
+                multistate_ptr = multistate_tcpfwd;
+                goto parse_multistate;
        case sAllowAgentForwarding:
                intptr = &options->allow_agent_forwarding;
@@ -1459,7 +1478,6 @@ process_server_config_line(ServerOptions *options, char *line,
                }
                if (strcmp(arg, "none") == 0) {
                        if (*activep && n == -1) {
-                                channel_clear_adm_permitted_opens();
                                options->num_permitted_opens = 1;
                                channel_disable_adm_local_opens();
                        }
@@ -1543,6 +1561,43 @@ process_server_config_line(ServerOptions *options, char *line,
                }
                return 0;
+        case sAuthorizedKeysCommand:
+                len = strspn(cp, WHITESPACE);
+                if (*activep && options->authorized_keys_command == NULL) {
+                        if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
+                                fatal("%.200s line %d: AuthorizedKeysCommand "
+                                    "must be an absolute path",
+                                    filename, linenum);
+                        options->authorized_keys_command = xstrdup(cp + len);
+                }
+                return 0;
+        case sAuthorizedKeysCommandUser:
+                charptr = &options->authorized_keys_command_user;
+                arg = strdelim(&cp);
+                if (*activep && *charptr == NULL)
+                        *charptr = xstrdup(arg);
+                break;
+        case sAuthenticationMethods:
+                if (*activep && options->num_auth_methods == 0) {
+                        while ((arg = strdelim(&cp)) && *arg != '\0') {
+                                if (options->num_auth_methods >=
+                                    MAX_AUTH_METHODS)
+                                        fatal("%s line %d: "
+                                            "too many authentication methods.",
+                                            filename, linenum);
+                                if (auth2_methods_valid(arg, 0) != 0)
+                                        fatal("%s line %d: invalid "
+                                            "authentication method list.",
+                                            filename, linenum);
+                                options->auth_methods[
+                                    options->num_auth_methods++] = xstrdup(arg);
+                        }
+                }
+                return 0;
        case sDebianBanner:
                intptr = &options->debian_banner;
                goto parse_int;
@@ -1697,6 +1752,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
        M_CP_INTOPT(hostbased_uses_name_from_packet_only);
        M_CP_INTOPT(kbd_interactive_authentication);
        M_CP_INTOPT(zero_knowledge_password_authentication);
+        M_CP_STROPT(authorized_keys_command);
+        M_CP_STROPT(authorized_keys_command_user);
        M_CP_INTOPT(permit_root_login);
        M_CP_INTOPT(permit_empty_passwd);
@@ -1781,6 +1838,8 @@ fmt_intarg(ServerOpCodes code, int val)
                return fmt_multistate_int(val, multistate_compression);
        case sUsePrivilegeSeparation:
                return fmt_multistate_int(val, multistate_privsep);
+        case sAllowTcpForwarding:
+                return fmt_multistate_int(val, multistate_tcpfwd);
        case sProtocol:
                switch (val) {
                case SSH_PROTO_1:
@@ -1961,6 +2020,8 @@ dump_config(ServerOptions *o)
        dump_cfg_string(sAuthorizedPrincipalsFile,
            o->authorized_principals_file);
        dump_cfg_string(sVersionAddendum, o->version_addendum);
+        dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
+        dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
        /* string arguments requiring a lookup */
        dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -1978,6 +2039,8 @@ dump_config(ServerOptions *o)
        dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
        dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
        dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
+        dump_cfg_strarray_oneline(sAuthenticationMethods,
+            o->num_auth_methods, o->auth_methods);
        /* other arguments */
        for (i = 0; i < o->num_subsystems; i++)
author	Colin Watson <cjwatson@debian.org>	2013-05-07 11:47:26 +0100
committer	Colin Watson <cjwatson@debian.org>	2013-05-07 11:47:26 +0100
commit	2ea3f720daeb1ca9f765365fce3a9546961fe624 (patch)
tree	c4fb7d1f51fa51e7677232de806aae150e29e2ac /servconf.c
parent	f5efcd3450bbf8261915e0c4a6f851229dddaa79 (diff)
parent	ecebda56da46a03dafff923d91c382f31faa9eec (diff)