diff options
author | Colin Watson <cjwatson@debian.org> | 2017-10-04 11:23:58 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2017-10-04 11:23:58 +0100 |
commit | 62f54f20bf351468e0124f63cc2902ee40d9b0e9 (patch) | |
tree | 3e090f2711b94ca5029d3fa3e8047b1ed1448b1f /servconf.c | |
parent | 6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 (diff) | |
parent | 66bf74a92131b7effe49fb0eefe5225151869dc5 (diff) |
Import openssh_7.6p1.orig.tar.gz
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 117 |
1 files changed, 88 insertions, 29 deletions
diff --git a/servconf.c b/servconf.c index 56b831652..2c321a4ad 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.306 2017/03/14 07:19:07 djm Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -149,7 +149,7 @@ initialize_server_options(ServerOptions *options) | |||
149 | options->num_authkeys_files = 0; | 149 | options->num_authkeys_files = 0; |
150 | options->num_accept_env = 0; | 150 | options->num_accept_env = 0; |
151 | options->permit_tun = -1; | 151 | options->permit_tun = -1; |
152 | options->num_permitted_opens = -1; | 152 | options->permitted_opens = NULL; |
153 | options->adm_forced_command = NULL; | 153 | options->adm_forced_command = NULL; |
154 | options->chroot_directory = NULL; | 154 | options->chroot_directory = NULL; |
155 | options->authorized_keys_command = NULL; | 155 | options->authorized_keys_command = NULL; |
@@ -164,6 +164,7 @@ initialize_server_options(ServerOptions *options) | |||
164 | options->version_addendum = NULL; | 164 | options->version_addendum = NULL; |
165 | options->fingerprint_hash = -1; | 165 | options->fingerprint_hash = -1; |
166 | options->disable_forwarding = -1; | 166 | options->disable_forwarding = -1; |
167 | options->expose_userauth_info = -1; | ||
167 | } | 168 | } |
168 | 169 | ||
169 | /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ | 170 | /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
@@ -333,6 +334,8 @@ fill_default_server_options(ServerOptions *options) | |||
333 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; | 334 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
334 | if (options->disable_forwarding == -1) | 335 | if (options->disable_forwarding == -1) |
335 | options->disable_forwarding = 0; | 336 | options->disable_forwarding = 0; |
337 | if (options->expose_userauth_info == -1) | ||
338 | options->expose_userauth_info = 0; | ||
336 | 339 | ||
337 | assemble_algorithms(options); | 340 | assemble_algorithms(options); |
338 | 341 | ||
@@ -418,6 +421,7 @@ typedef enum { | |||
418 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, | 421 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, |
419 | sStreamLocalBindMask, sStreamLocalBindUnlink, | 422 | sStreamLocalBindMask, sStreamLocalBindUnlink, |
420 | sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, | 423 | sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, |
424 | sExposeAuthInfo, | ||
421 | sDeprecated, sIgnore, sUnsupported | 425 | sDeprecated, sIgnore, sUnsupported |
422 | } ServerOpCodes; | 426 | } ServerOpCodes; |
423 | 427 | ||
@@ -449,7 +453,7 @@ static struct { | |||
449 | { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL }, | 453 | { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL }, |
450 | { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, | 454 | { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, |
451 | { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, | 455 | { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, |
452 | { "loglevel", sLogLevel, SSHCFG_GLOBAL }, | 456 | { "loglevel", sLogLevel, SSHCFG_ALL }, |
453 | { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, | 457 | { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, |
454 | { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL }, | 458 | { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL }, |
455 | { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, | 459 | { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, |
@@ -561,6 +565,7 @@ static struct { | |||
561 | { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, | 565 | { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, |
562 | { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, | 566 | { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, |
563 | { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, | 567 | { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, |
568 | { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, | ||
564 | { NULL, sBadOption, 0 } | 569 | { NULL, sBadOption, 0 } |
565 | }; | 570 | }; |
566 | 571 | ||
@@ -692,6 +697,44 @@ process_queued_listen_addrs(ServerOptions *options) | |||
692 | options->num_queued_listens = 0; | 697 | options->num_queued_listens = 0; |
693 | } | 698 | } |
694 | 699 | ||
700 | /* | ||
701 | * Inform channels layer of permitopen options from configuration. | ||
702 | */ | ||
703 | void | ||
704 | process_permitopen(struct ssh *ssh, ServerOptions *options) | ||
705 | { | ||
706 | u_int i; | ||
707 | int port; | ||
708 | char *host, *arg, *oarg; | ||
709 | |||
710 | channel_clear_adm_permitted_opens(ssh); | ||
711 | if (options->num_permitted_opens == 0) | ||
712 | return; /* permit any */ | ||
713 | |||
714 | /* handle keywords: "any" / "none" */ | ||
715 | if (options->num_permitted_opens == 1 && | ||
716 | strcmp(options->permitted_opens[0], "any") == 0) | ||
717 | return; | ||
718 | if (options->num_permitted_opens == 1 && | ||
719 | strcmp(options->permitted_opens[0], "none") == 0) { | ||
720 | channel_disable_adm_local_opens(ssh); | ||
721 | return; | ||
722 | } | ||
723 | /* Otherwise treat it as a list of permitted host:port */ | ||
724 | for (i = 0; i < options->num_permitted_opens; i++) { | ||
725 | oarg = arg = xstrdup(options->permitted_opens[i]); | ||
726 | host = hpdelim(&arg); | ||
727 | if (host == NULL) | ||
728 | fatal("%s: missing host in PermitOpen", __func__); | ||
729 | host = cleanhostname(host); | ||
730 | if (arg == NULL || ((port = permitopen_port(arg)) < 0)) | ||
731 | fatal("%s: bad port number in PermitOpen", __func__); | ||
732 | /* Send it to channels layer */ | ||
733 | channel_add_adm_permitted_opens(ssh, host, port); | ||
734 | free(oarg); | ||
735 | } | ||
736 | } | ||
737 | |||
695 | struct connection_info * | 738 | struct connection_info * |
696 | get_connection_info(int populate, int use_dns) | 739 | get_connection_info(int populate, int use_dns) |
697 | { | 740 | { |
@@ -935,13 +978,6 @@ static const struct multistate multistate_gatewayports[] = { | |||
935 | { "no", 0 }, | 978 | { "no", 0 }, |
936 | { NULL, -1 } | 979 | { NULL, -1 } |
937 | }; | 980 | }; |
938 | static const struct multistate multistate_privsep[] = { | ||
939 | { "yes", PRIVSEP_NOSANDBOX }, | ||
940 | { "sandbox", PRIVSEP_ON }, | ||
941 | { "nosandbox", PRIVSEP_NOSANDBOX }, | ||
942 | { "no", PRIVSEP_OFF }, | ||
943 | { NULL, -1 } | ||
944 | }; | ||
945 | static const struct multistate multistate_tcpfwd[] = { | 981 | static const struct multistate multistate_tcpfwd[] = { |
946 | { "yes", FORWARD_ALLOW }, | 982 | { "yes", FORWARD_ALLOW }, |
947 | { "all", FORWARD_ALLOW }, | 983 | { "all", FORWARD_ALLOW }, |
@@ -956,7 +992,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
956 | const char *filename, int linenum, int *activep, | 992 | const char *filename, int linenum, int *activep, |
957 | struct connection_info *connectinfo) | 993 | struct connection_info *connectinfo) |
958 | { | 994 | { |
959 | char *cp, **charptr, *arg, *p; | 995 | char *cp, **charptr, *arg, *arg2, *p; |
960 | int cmdline = 0, *intptr, value, value2, n, port; | 996 | int cmdline = 0, *intptr, value, value2, n, port; |
961 | SyslogFacility *log_facility_ptr; | 997 | SyslogFacility *log_facility_ptr; |
962 | LogLevel *log_level_ptr; | 998 | LogLevel *log_level_ptr; |
@@ -1352,7 +1388,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1352 | if (value == SYSLOG_LEVEL_NOT_SET) | 1388 | if (value == SYSLOG_LEVEL_NOT_SET) |
1353 | fatal("%.200s line %d: unsupported log level '%s'", | 1389 | fatal("%.200s line %d: unsupported log level '%s'", |
1354 | filename, linenum, arg ? arg : "<NONE>"); | 1390 | filename, linenum, arg ? arg : "<NONE>"); |
1355 | if (*log_level_ptr == -1) | 1391 | if (*activep && *log_level_ptr == -1) |
1356 | *log_level_ptr = (LogLevel) value; | 1392 | *log_level_ptr = (LogLevel) value; |
1357 | break; | 1393 | break; |
1358 | 1394 | ||
@@ -1627,24 +1663,18 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1627 | if (!arg || *arg == '\0') | 1663 | if (!arg || *arg == '\0') |
1628 | fatal("%s line %d: missing PermitOpen specification", | 1664 | fatal("%s line %d: missing PermitOpen specification", |
1629 | filename, linenum); | 1665 | filename, linenum); |
1630 | n = options->num_permitted_opens; /* modified later */ | 1666 | i = options->num_permitted_opens; /* modified later */ |
1631 | if (strcmp(arg, "any") == 0) { | 1667 | if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) { |
1632 | if (*activep && n == -1) { | 1668 | if (*activep && i == 0) { |
1633 | channel_clear_adm_permitted_opens(); | ||
1634 | options->num_permitted_opens = 0; | ||
1635 | } | ||
1636 | break; | ||
1637 | } | ||
1638 | if (strcmp(arg, "none") == 0) { | ||
1639 | if (*activep && n == -1) { | ||
1640 | options->num_permitted_opens = 1; | 1669 | options->num_permitted_opens = 1; |
1641 | channel_disable_adm_local_opens(); | 1670 | options->permitted_opens = xcalloc(1, |
1671 | sizeof(*options->permitted_opens)); | ||
1672 | options->permitted_opens[0] = xstrdup(arg); | ||
1642 | } | 1673 | } |
1643 | break; | 1674 | break; |
1644 | } | 1675 | } |
1645 | if (*activep && n == -1) | ||
1646 | channel_clear_adm_permitted_opens(); | ||
1647 | for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { | 1676 | for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { |
1677 | arg2 = xstrdup(arg); | ||
1648 | p = hpdelim(&arg); | 1678 | p = hpdelim(&arg); |
1649 | if (p == NULL) | 1679 | if (p == NULL) |
1650 | fatal("%s line %d: missing host in PermitOpen", | 1680 | fatal("%s line %d: missing host in PermitOpen", |
@@ -1653,9 +1683,16 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1653 | if (arg == NULL || ((port = permitopen_port(arg)) < 0)) | 1683 | if (arg == NULL || ((port = permitopen_port(arg)) < 0)) |
1654 | fatal("%s line %d: bad port number in " | 1684 | fatal("%s line %d: bad port number in " |
1655 | "PermitOpen", filename, linenum); | 1685 | "PermitOpen", filename, linenum); |
1656 | if (*activep && n == -1) | 1686 | if (*activep && i == 0) { |
1657 | options->num_permitted_opens = | 1687 | options->permitted_opens = xrecallocarray( |
1658 | channel_add_adm_permitted_opens(p, port); | 1688 | options->permitted_opens, |
1689 | options->num_permitted_opens, | ||
1690 | options->num_permitted_opens + 1, | ||
1691 | sizeof(*options->permitted_opens)); | ||
1692 | i = options->num_permitted_opens++; | ||
1693 | options->permitted_opens[i] = arg2; | ||
1694 | } else | ||
1695 | free(arg2); | ||
1659 | } | 1696 | } |
1660 | break; | 1697 | break; |
1661 | 1698 | ||
@@ -1842,6 +1879,10 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1842 | options->fingerprint_hash = value; | 1879 | options->fingerprint_hash = value; |
1843 | break; | 1880 | break; |
1844 | 1881 | ||
1882 | case sExposeAuthInfo: | ||
1883 | intptr = &options->expose_userauth_info; | ||
1884 | goto parse_flag; | ||
1885 | |||
1845 | case sDeprecated: | 1886 | case sDeprecated: |
1846 | case sIgnore: | 1887 | case sIgnore: |
1847 | case sUnsupported: | 1888 | case sUnsupported: |
@@ -1980,6 +2021,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
1980 | M_CP_INTOPT(allow_streamlocal_forwarding); | 2021 | M_CP_INTOPT(allow_streamlocal_forwarding); |
1981 | M_CP_INTOPT(allow_agent_forwarding); | 2022 | M_CP_INTOPT(allow_agent_forwarding); |
1982 | M_CP_INTOPT(disable_forwarding); | 2023 | M_CP_INTOPT(disable_forwarding); |
2024 | M_CP_INTOPT(expose_userauth_info); | ||
1983 | M_CP_INTOPT(permit_tun); | 2025 | M_CP_INTOPT(permit_tun); |
1984 | M_CP_INTOPT(fwd_opts.gateway_ports); | 2026 | M_CP_INTOPT(fwd_opts.gateway_ports); |
1985 | M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink); | 2027 | M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink); |
@@ -1996,6 +2038,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
1996 | M_CP_INTOPT(ip_qos_bulk); | 2038 | M_CP_INTOPT(ip_qos_bulk); |
1997 | M_CP_INTOPT(rekey_limit); | 2039 | M_CP_INTOPT(rekey_limit); |
1998 | M_CP_INTOPT(rekey_interval); | 2040 | M_CP_INTOPT(rekey_interval); |
2041 | M_CP_INTOPT(log_level); | ||
1999 | 2042 | ||
2000 | /* | 2043 | /* |
2001 | * The bind_mask is a mode_t that may be unsigned, so we can't use | 2044 | * The bind_mask is a mode_t that may be unsigned, so we can't use |
@@ -2020,6 +2063,13 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
2020 | dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ | 2063 | dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ |
2021 | } \ | 2064 | } \ |
2022 | } while(0) | 2065 | } while(0) |
2066 | #define M_CP_STRARRAYOPT_ALLOC(n, num_n) do { \ | ||
2067 | if (src->num_n != 0) { \ | ||
2068 | dst->n = xcalloc(src->num_n, sizeof(*dst->n)); \ | ||
2069 | M_CP_STRARRAYOPT(n, num_n); \ | ||
2070 | dst->num_n = src->num_n; \ | ||
2071 | } \ | ||
2072 | } while(0) | ||
2023 | 2073 | ||
2024 | /* See comment in servconf.h */ | 2074 | /* See comment in servconf.h */ |
2025 | COPY_MATCH_STRING_OPTS(); | 2075 | COPY_MATCH_STRING_OPTS(); |
@@ -2050,6 +2100,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
2050 | #undef M_CP_INTOPT | 2100 | #undef M_CP_INTOPT |
2051 | #undef M_CP_STROPT | 2101 | #undef M_CP_STROPT |
2052 | #undef M_CP_STRARRAYOPT | 2102 | #undef M_CP_STRARRAYOPT |
2103 | #undef M_CP_STRARRAYOPT_ALLOC | ||
2053 | 2104 | ||
2054 | void | 2105 | void |
2055 | parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, | 2106 | parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, |
@@ -2278,6 +2329,7 @@ dump_config(ServerOptions *o) | |||
2278 | dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); | 2329 | dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); |
2279 | dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); | 2330 | dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); |
2280 | dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); | 2331 | dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); |
2332 | dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info); | ||
2281 | 2333 | ||
2282 | /* string arguments */ | 2334 | /* string arguments */ |
2283 | dump_cfg_string(sPidFile, o->pid_file); | 2335 | dump_cfg_string(sPidFile, o->pid_file); |
@@ -2347,5 +2399,12 @@ dump_config(ServerOptions *o) | |||
2347 | printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit, | 2399 | printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit, |
2348 | o->rekey_interval); | 2400 | o->rekey_interval); |
2349 | 2401 | ||
2350 | channel_print_adm_permitted_opens(); | 2402 | printf("permitopen"); |
2403 | if (o->num_permitted_opens == 0) | ||
2404 | printf(" any"); | ||
2405 | else { | ||
2406 | for (i = 0; i < o->num_permitted_opens; i++) | ||
2407 | printf(" %s", o->permitted_opens[i]); | ||
2408 | } | ||
2409 | printf("\n"); | ||
2351 | } | 2410 | } |