author | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-03-08 11:51:22 +0000 |
commit | 46961f5704f8e86cea3e99253faad55aef4d8f35 (patch) | |
tree | 0dd97fa4fb649a62b4639fe2674380872b1f3e98 /servconf.c | |
parent | c753fe267efb1b027424fa8706cf0385fc3d14c1 (diff) | |
parent | 85e40e87a75fb80a0bf893ac05a417d6c353537d (diff) |
New upstream release (7.2).
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 59 |
1 files changed, 40 insertions, 19 deletions
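--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */
+/* $OpenBSD: servconf.c,v 1.285 2016/02/17 05:29:04 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -181,6 +181,20 @@ option_clear_or_none(const char *o)
 return o == NULL || strcasecmp(o, "none") == 0;
 }
 
+static void
+assemble_algorithms(ServerOptions *o)
+{
+if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
+kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
+kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
+kex_assemble_names(KEX_DEFAULT_PK_ALG,
+&o->hostkeyalgorithms) != 0 ||
+kex_assemble_names(KEX_DEFAULT_PK_ALG,
+&o->hostbased_key_types) != 0 ||
+kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
+fatal("kex_assemble_names failed");
+}
+
 void
 fill_default_server_options(ServerOptions *options)
 {
@@ -262,8 +276,6 @@ fill_default_server_options(ServerOptions *options)
 options->hostbased_authentication = 0;
 if (options->hostbased_uses_name_from_packet_only == -1)
 options->hostbased_uses_name_from_packet_only = 0;
-if (options->hostkeyalgorithms == NULL)
-options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
 if (options->rsa_authentication == -1)
 options->rsa_authentication = 1;
 if (options->pubkey_authentication == -1)
@@ -351,18 +363,11 @@ fill_default_server_options(ServerOptions *options)
 if (options->debian_banner == -1)
 options->debian_banner = 1;
 
-if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
-kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
-kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
-kex_assemble_names(KEX_DEFAULT_PK_ALG,
-&options->hostbased_key_types) != 0 ||
-kex_assemble_names(KEX_DEFAULT_PK_ALG,
-&options->pubkey_key_types) != 0)
-fatal("%s: kex_assemble_names failed", __func__);
+assemble_algorithms(options);
 
-/* Turn privilege separation on by default */
+/* Turn privilege separation and sandboxing on by default */
 if (use_privsep == -1)
-use_privsep = PRIVSEP_NOSANDBOX;
+use_privsep = PRIVSEP_ON;
 
 #define CLEAR_ON_NONE(v) \
 do { \
@@ -377,6 +382,8 @@ fill_default_server_options(ServerOptions *options)
 CLEAR_ON_NONE(options->trusted_user_ca_keys);
 CLEAR_ON_NONE(options->revoked_keys_file);
 CLEAR_ON_NONE(options->authorized_principals_file);
+CLEAR_ON_NONE(options->adm_forced_command);
+CLEAR_ON_NONE(options->chroot_directory);
 for (i = 0; i < options->num_host_key_files; i++)
 CLEAR_ON_NONE(options->host_key_files[i]);
 for (i = 0; i < options->num_host_cert_files; i++)
@@ -518,7 +525,11 @@ static struct {
 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
+#ifdef DISABLE_LASTLOG
+{ "printlastlog", sUnsupported, SSHCFG_GLOBAL },
+#else
 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
+#endif
 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
@@ -1348,16 +1359,12 @@ process_server_config_line(ServerOptions *options, char *line,
 if (scan_scaled(arg, &val64) == -1)
 fatal("%.200s line %d: Bad number '%s': %s",
 filename, linenum, arg, strerror(errno));
-/* check for too-large or too-small limits */
-if (val64 > UINT_MAX)
-fatal("%.200s line %d: RekeyLimit too large",
-filename, linenum);
 if (val64 != 0 && val64 < 16)
 fatal("%.200s line %d: RekeyLimit too small",
 filename, linenum);
 }
 if (*activep && options->rekey_limit == -1)
-options->rekey_limit = (u_int32_t)val64;
+options->rekey_limit = val64;
 if (cp != NULL) { /* optional rekey interval present */
 if (strcmp(cp, "none") == 0) {
 (void)strdelim(&cp); /* discard */
@@ -2048,6 +2055,9 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 /* See comment in servconf.h */
 COPY_MATCH_STRING_OPTS();
 
+/* Arguments that accept '+...' need to be expanded */
+assemble_algorithms(dst);
+
 /*
 * The only things that should be below this point are string options
 * which are only used after authentication.
@@ -2055,8 +2065,17 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 if (preauth)
 return;
 
+/* These options may be "none" to clear a global setting */
 M_CP_STROPT(adm_forced_command);
+if (option_clear_or_none(dst->adm_forced_command)) {
+free(dst->adm_forced_command);
+dst->adm_forced_command = NULL;
+}
 M_CP_STROPT(chroot_directory);
+if (option_clear_or_none(dst->chroot_directory)) {
+free(dst->chroot_directory);
+dst->chroot_directory = NULL;
+}
 }
 
 #undef M_CP_INTOPT
@@ -2290,7 +2309,9 @@ dump_config(ServerOptions *o)
 dump_cfg_fmtint(sChallengeResponseAuthentication,
 o->challenge_response_authentication);
 dump_cfg_fmtint(sPrintMotd, o->print_motd);
+#ifndef DISABLE_LASTLOG
 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
+#endif
 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
@@ -2374,7 +2395,7 @@ dump_config(ServerOptions *o)
 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
 printf("%s\n", iptos2str(o->ip_qos_bulk));
 
-printf("rekeylimit %lld %d\n", (long long)o->rekey_limit,
+printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
 o->rekey_interval);
 
 channel_print_adm_permitted_opens();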
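Review bot: The fatal message in the new assemble_algorithms() (new lines 184-196) lost the `__func__` prefix that the removed block in fill_default_server_options() carried, and the helper is now reached from two callers, fill_default_server_options() and copy_set_server_options(). An operator who sees only `kex_assemble_names failed` cannot tell which of the six lists was rejected. Nor can they tell whether the bad value came from the global configuration or, as the second call site suggests, from options copied for a Match block. I would check each list on its own and name the field in the message, as sketched below. The field names and default macros are the ones already used in the hunk.

```c
static void
assemble_algorithms(ServerOptions *o)
{
	/* Report which list failed to expand, not just that one did */
#define ASSEMBLE(field, defaults) \
	do { \
		if (kex_assemble_names(defaults, &o->field) != 0) \
			fatal("%s: kex_assemble_names failed for %s", \
			    __func__, #field); \
	} while (0)
	ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT);
	ASSEMBLE(macs, KEX_SERVER_MAC);
	ASSEMBLE(kex_algorithms, KEX_SERVER_KEX);
	ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG);
	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG);
	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG);
#undef ASSEMBLE
}
```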