merge 6.2p1; reorder additions to monitor.h for easier merging in future

author: Colin Watson <cjwatson@debian.org> 2013-05-07 10:06:42 +0100
committer: Colin Watson <cjwatson@debian.org> 2013-05-07 10:06:42 +0100
commit: ecebda56da46a03dafff923d91c382f31faa9eec (patch)
tree: 449614b6c06a2622c74a609b31fcc46c60037c56 /servconf.c
parent: c6a2c0334e45419875687d250aed9bea78480f2e (diff)
parent: ffc06452028ba78cd693d4ed43df8b60a10d6163 (diff)
1 files changed, 72 insertions, 9 deletions
diff --git a/servconf.c b/servconf.c
index 5be0c7bbf..cdc029308 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.229 2012/07/13 01:35:21 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -48,6 +48,8 @@
 #include "groupaccess.h"
 #include "canohost.h"
 #include "packet.h"
+#include "hostfile.h"
+#include "auth.h"
 static void add_listen_addr(ServerOptions *, char *, int);
 static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -138,6 +140,8 @@ initialize_server_options(ServerOptions *options)
        options->num_permitted_opens = -1;
        options->adm_forced_command = NULL;
        options->chroot_directory = NULL;
+        options->authorized_keys_command = NULL;
+        options->authorized_keys_command_user = NULL;
        options->zero_knowledge_password_authentication = -1;
        options->revoked_keys_file = NULL;
        options->trusted_user_ca_keys = NULL;
@@ -255,17 +259,17 @@ fill_default_server_options(ServerOptions *options)
        if (options->compression == -1)
                options->compression = COMP_DELAYED;
        if (options->allow_tcp_forwarding == -1)
-                options->allow_tcp_forwarding = 1;
+                options->allow_tcp_forwarding = FORWARD_ALLOW;
        if (options->allow_agent_forwarding == -1)
                options->allow_agent_forwarding = 1;
        if (options->gateway_ports == -1)
                options->gateway_ports = 0;
        if (options->max_startups == -1)
-                options->max_startups = 10;
+                options->max_startups = 100;
        if (options->max_startups_rate == -1)
-                options->max_startups_rate = 100;               /* 100% */
+                options->max_startups_rate = 30;                /* 30% */
        if (options->max_startups_begin == -1)
-                options->max_startups_begin = options->max_startups;
+                options->max_startups_begin = 10;
        if (options->max_authtries == -1)
                options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
        if (options->max_sessions == -1)
@@ -340,6 +344,8 @@ typedef enum {
        sZeroKnowledgePasswordAuthentication, sHostCertificate,
        sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
        sKexAlgorithms, sIPQoS, sVersionAddendum,
+        sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+        sAuthenticationMethods,
        sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -474,7 +480,10 @@ static struct {
        { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
        { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
        { "ipqos", sIPQoS, SSHCFG_ALL },
+        { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
+        { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
        { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+        { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
        { NULL, sBadOption, 0 }
 };
@@ -639,8 +648,9 @@ out:
 }
 /*
- * All of the attributes on a single Match line are ANDed together, so we need to check every
+ * All of the attributes on a single Match line are ANDed together, so we need
- * attribute and set the result to zero if any attribute does not match.
+ * to check every * attribute and set the result to zero if any attribute does
+ * not match.
 */
 static int
 match_cfg_line(char **condition, int line, struct connection_info *ci)
@@ -797,6 +807,14 @@ static const struct multistate multistate_privsep[] = {
        { "no",                         PRIVSEP_OFF },
        { NULL, -1 }
 };
+static const struct multistate multistate_tcpfwd[] = {
+        { "yes",                        FORWARD_ALLOW },
+        { "all",                        FORWARD_ALLOW },
+        { "no",                         FORWARD_DENY },
+        { "remote",                     FORWARD_REMOTE },
+        { "local",                      FORWARD_LOCAL },
+        { NULL, -1 }
+};
 int
 process_server_config_line(ServerOptions *options, char *line,
@@ -1166,7 +1184,8 @@ process_server_config_line(ServerOptions *options, char *line,
        case sAllowTcpForwarding:
                intptr = &options->allow_tcp_forwarding;
-                goto parse_flag;
+                multistate_ptr = multistate_tcpfwd;
+                goto parse_multistate;
        case sAllowAgentForwarding:
                intptr = &options->allow_agent_forwarding;
@@ -1446,7 +1465,6 @@ process_server_config_line(ServerOptions *options, char *line,
                }
                if (strcmp(arg, "none") == 0) {
                        if (*activep && n == -1) {
-                                channel_clear_adm_permitted_opens();
                                options->num_permitted_opens = 1;
                                channel_disable_adm_local_opens();
                        }
@@ -1530,6 +1548,43 @@ process_server_config_line(ServerOptions *options, char *line,
                }
                return 0;
+        case sAuthorizedKeysCommand:
+                len = strspn(cp, WHITESPACE);
+                if (*activep && options->authorized_keys_command == NULL) {
+                        if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
+                                fatal("%.200s line %d: AuthorizedKeysCommand "
+                                    "must be an absolute path",
+                                    filename, linenum);
+                        options->authorized_keys_command = xstrdup(cp + len);
+                }
+                return 0;
+        case sAuthorizedKeysCommandUser:
+                charptr = &options->authorized_keys_command_user;
+                arg = strdelim(&cp);
+                if (*activep && *charptr == NULL)
+                        *charptr = xstrdup(arg);
+                break;
+        case sAuthenticationMethods:
+                if (*activep && options->num_auth_methods == 0) {
+                        while ((arg = strdelim(&cp)) && *arg != '\0') {
+                                if (options->num_auth_methods >=
+                                    MAX_AUTH_METHODS)
+                                        fatal("%s line %d: "
+                                            "too many authentication methods.",
+                                            filename, linenum);
+                                if (auth2_methods_valid(arg, 0) != 0)
+                                        fatal("%s line %d: invalid "
+                                            "authentication method list.",
+                                            filename, linenum);
+                                options->auth_methods[
+                                    options->num_auth_methods++] = xstrdup(arg);
+                        }
+                }
+                return 0;
        case sDeprecated:
                logit("%s line %d: Deprecated option %s",
                    filename, linenum, arg);
@@ -1680,6 +1735,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
        M_CP_INTOPT(hostbased_uses_name_from_packet_only);
        M_CP_INTOPT(kbd_interactive_authentication);
        M_CP_INTOPT(zero_knowledge_password_authentication);
+        M_CP_STROPT(authorized_keys_command);
+        M_CP_STROPT(authorized_keys_command_user);
        M_CP_INTOPT(permit_root_login);
        M_CP_INTOPT(permit_empty_passwd);
@@ -1764,6 +1821,8 @@ fmt_intarg(ServerOpCodes code, int val)
                return fmt_multistate_int(val, multistate_compression);
        case sUsePrivilegeSeparation:
                return fmt_multistate_int(val, multistate_privsep);
+        case sAllowTcpForwarding:
+                return fmt_multistate_int(val, multistate_tcpfwd);
        case sProtocol:
                switch (val) {
                case SSH_PROTO_1:
@@ -1943,6 +2002,8 @@ dump_config(ServerOptions *o)
        dump_cfg_string(sAuthorizedPrincipalsFile,
            o->authorized_principals_file);
        dump_cfg_string(sVersionAddendum, o->version_addendum);
+        dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
+        dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
        /* string arguments requiring a lookup */
        dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -1960,6 +2021,8 @@ dump_config(ServerOptions *o)
        dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
        dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
        dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
+        dump_cfg_strarray_oneline(sAuthenticationMethods,
+            o->num_auth_methods, o->auth_methods);
        /* other arguments */
        for (i = 0; i < o->num_subsystems; i++)
author	Colin Watson <cjwatson@debian.org>	2013-05-07 10:06:42 +0100
committer	Colin Watson <cjwatson@debian.org>	2013-05-07 10:06:42 +0100
commit	ecebda56da46a03dafff923d91c382f31faa9eec (patch)
tree	449614b6c06a2622c74a609b31fcc46c60037c56 /servconf.c
parent	c6a2c0334e45419875687d250aed9bea78480f2e (diff)
parent	ffc06452028ba78cd693d4ed43df8b60a10d6163 (diff)