author | Darren Tucker <dtucker@zip.com.au> | 2007-02-19 22:25:37 +1100 |
committer | Darren Tucker <dtucker@zip.com.au> | 2007-02-19 22:25:37 +1100 |
commit | 1629c07c0725fd5cc533c9664b8e8add27a81c69 (patch) | |
tree | 2954f5aba367319421509ea0100b76ab710260b5 /servconf.c | |
parent | 591322ae3897bef0b19236ec0c2a6053e8466e71 (diff) |
- dtucker@cvs.openbsd.org 2007/02/19 10:45:58
[monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
Teach Match how to handle config directives that are used before
authentication. This allows configurations such as permitting password
authentication from the local net only while requiring pubkey from
offsite. ok djm@, man page bits ok jmc@
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 88 |
1 files changed, 57 insertions, 31 deletions
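--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.167 2006/12/14 10:01:14 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.168 2007/02/19 10:45:58 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -325,14 +325,14 @@ static struct {
 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
-{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL },
-{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL },
+{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
+{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
-{ "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL },
-{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },
+{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
+{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
 #ifdef KRB5
-{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL },
+{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
 #ifdef USE_AFS
@@ -341,7 +341,7 @@ static struct {
 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
 #else
-{ "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL },
+{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
@@ -349,15 +349,15 @@ static struct {
 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
 #ifdef GSSAPI
-{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
+{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 #else
-{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
+{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 #endif
-{ "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
-{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
-{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
+{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL },
 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
@@ -389,7 +389,7 @@ static struct {
 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
 { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
-{ "banner", sBanner, SSHCFG_GLOBAL },
+{ "banner", sBanner, SSHCFG_ALL },
 { "usedns", sUseDNS, SSHCFG_GLOBAL },
 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1317,30 +1317,56 @@ parse_server_match_config(ServerOptions *options, const char *user,
 
 initialize_server_options(&mo);
 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
-copy_set_server_options(options, &mo);
+copy_set_server_options(options, &mo, 0);
 }
 
-/* Copy any (supported) values that are set */
+/* Helper macros */
+#define M_CP_INTOPT(n) do {\
+if (src->n != -1) \
+dst->n = src->n; \
+} while (0)
+#define M_CP_STROPT(n) do {\
+if (src->n != NULL) { \
+if (dst->n != NULL) \
+xfree(dst->n); \
+dst->n = src->n; \
+} \
+} while(0)
+
+/*
+ * Copy any supported values that are set.
+ *
+ * If the preauth flag is set, we do not bother copying the the string or
+ * array values that are not used pre-authentication, because any that we
+ * do use must be explictly sent in mm_getpwnamallow().
+ */
 void
-copy_set_server_options(ServerOptions *dst, ServerOptions *src)
+copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 {
-if (src->allow_tcp_forwarding != -1)
-dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
-if (src->gateway_ports != -1)
-dst->gateway_ports = src->gateway_ports;
-if (src->adm_forced_command != NULL) {
-if (dst->adm_forced_command != NULL)
-xfree(dst->adm_forced_command);
-dst->adm_forced_command = src->adm_forced_command;
-}
-if (src->x11_display_offset != -1)
-dst->x11_display_offset = src->x11_display_offset;
-if (src->x11_forwarding != -1)
-dst->x11_forwarding = src->x11_forwarding;
-if (src->x11_use_localhost != -1)
-dst->x11_use_localhost = src->x11_use_localhost;
+M_CP_INTOPT(password_authentication);
+M_CP_INTOPT(gss_authentication);
+M_CP_INTOPT(rsa_authentication);
+M_CP_INTOPT(pubkey_authentication);
+M_CP_INTOPT(kerberos_authentication);
+M_CP_INTOPT(hostbased_authentication);
+M_CP_INTOPT(kbd_interactive_authentication);
+M_CP_INTOPT(challenge_response_authentication);
+
+M_CP_INTOPT(allow_tcp_forwarding);
+M_CP_INTOPT(gateway_ports);
+M_CP_INTOPT(x11_display_offset);
+M_CP_INTOPT(x11_forwarding);
+M_CP_INTOPT(x11_use_localhost);
+
+M_CP_STROPT(banner);
+if (preauth)
+return;
+M_CP_STROPT(adm_forced_command);
 }
 
+#undef M_CP_INTOPT
+#undef M_CP_STROPT
+
 void
 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
 const char *user, const char *host, const char *address)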
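Review bot: `M_CP_STROPT` (new lines 1328-1334) moves the string into `dst` but leaves `src->n` pointing at the same allocation, so ownership is ambiguous: a second `copy_set_server_options()` call with the same `src` would `xfree(dst->n)` and then re-assign the just-freed pointer, and any later teardown of `src` would free it a second time. The only caller visible here (`parse_server_match_config`, new line 1320, whose body starts outside the hunk) passes a stack-local `mo` that is never freed, so nothing is broken today, but the transfer should be made explicit by following `dst->n = src->n; \` with `src->n = NULL; \`. The block comment above the function also has two typos, `the the string` and `explictly`. Separately, the keyword-table hunks leave the aliases `dsaauthentication` (line 333) and `skeyauthentication` (line 361) at `SSHCFG_GLOBAL` while the directives they alias became `SSHCFG_ALL`, so the same option is accepted or rejected inside a Match block depending on which spelling is used; either make them match or note the asymmetry in the `/* alias */` comments.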