authorColin Watson <cjwatson@debian.org>2014-10-07 13:33:15 +0100
committerColin Watson <cjwatson@debian.org>2014-10-07 14:27:30 +0100
commitf0b009aea83e9ff3a50be30f51012099a5143c16 (patch)
tree3825e6f7e3b7ea4481d06ed89aba9a7a95150df5 /servconf.c
parent47f0bad4330b16ec3bad870fcf9839c196e42c12 (diff)
parent762c062828f5a8f6ed189ed6e44ad38fd92f8b36 (diff)
Merge 6.7p1.
* New upstream release (http://www.openssh.com/txt/release-6.7): - sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options. - ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket (closes: #236718). - ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types. - sftp(1): Allow resumption of interrupted uploads. - ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange. - sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family. - sshd(8): Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option. - ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifier based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths. - sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages. - Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is available. It considers time spent suspended, thereby ensuring timeouts (e.g. for expiring agent keys) fire correctly (closes: #734553). - Use prctl() to prevent sftp-server from accessing /proc/self/{mem,maps}. * Restore TCP wrappers support, removed upstream in 6.7. It is true that dropping this reduces preauth attack surface in sshd. 
On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. * Replace patch to disable OpenSSL version check with an updated version of Kurt Roeckx's patch from #732940 to just avoid checking the status field.
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c67
1 files changed, 58 insertions, 9 deletions
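--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.249 2014/01/29 06:18:35 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -39,10 +39,10 @@
 #include "ssh.h"
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 #include "compat.h"
 #include "pathnames.h"
-#include "misc.h"
 #include "cipher.h"
 #include "key.h"
 #include "kex.h"
@@ -93,6 +93,7 @@ initialize_server_options(ServerOptions *options)
 	options->x11_display_offset = -1;
 	options->x11_use_localhost = -1;
 	options->permit_tty = -1;
+	options->permit_user_rc = -1;
 	options->xauth_location = NULL;
 	options->strict_modes = -1;
 	options->tcp_keep_alive = -1;
@@ -122,6 +123,7 @@ initialize_server_options(ServerOptions *options)
 	options->rekey_limit = -1;
 	options->rekey_interval = -1;
 	options->allow_tcp_forwarding = -1;
+	options->allow_streamlocal_forwarding = -1;
 	options->allow_agent_forwarding = -1;
 	options->num_allow_users = 0;
 	options->num_deny_users = 0;
@@ -131,7 +133,9 @@ initialize_server_options(ServerOptions *options)
 	options->macs = NULL;
 	options->kex_algorithms = NULL;
 	options->protocol = SSH_PROTO_UNKNOWN;
-	options->gateway_ports = -1;
+	options->fwd_opts.gateway_ports = -1;
+	options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
+	options->fwd_opts.streamlocal_bind_unlink = -1;
 	options->num_subsystems = 0;
 	options->max_startups_begin = -1;
 	options->max_startups_rate = -1;
@@ -220,6 +224,8 @@ fill_default_server_options(ServerOptions *options)
 		options->xauth_location = _PATH_XAUTH;
 	if (options->permit_tty == -1)
 		options->permit_tty = 1;
+	if (options->permit_user_rc == -1)
+		options->permit_user_rc = 1;
 	if (options->strict_modes == -1)
 		options->strict_modes = 1;
 	if (options->tcp_keep_alive == -1)
@@ -276,10 +282,12 @@ fill_default_server_options(ServerOptions *options)
 		options->rekey_interval = 0;
 	if (options->allow_tcp_forwarding == -1)
 		options->allow_tcp_forwarding = FORWARD_ALLOW;
+	if (options->allow_streamlocal_forwarding == -1)
+		options->allow_streamlocal_forwarding = FORWARD_ALLOW;
 	if (options->allow_agent_forwarding == -1)
 		options->allow_agent_forwarding = 1;
-	if (options->gateway_ports == -1)
-		options->gateway_ports = 0;
+	if (options->fwd_opts.gateway_ports == -1)
+		options->fwd_opts.gateway_ports = 0;
 	if (options->max_startups == -1)
 		options->max_startups = 100;
 	if (options->max_startups_rate == -1)
@@ -310,6 +318,10 @@ fill_default_server_options(ServerOptions *options)
 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
 	if (options->version_addendum == NULL)
 		options->version_addendum = xstrdup("");
+	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+		options->fwd_opts.streamlocal_bind_mask = 0177;
+	if (options->fwd_opts.streamlocal_bind_unlink == -1)
+		options->fwd_opts.streamlocal_bind_unlink = 0;
 	if (options->debian_banner == -1)
 		options->debian_banner = 1;
 	/* Turn privilege separation on by default */
@@ -361,7 +373,9 @@ typedef enum {
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sKexAlgorithms, sIPQoS, sVersionAddendum,
 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-	sAuthenticationMethods, sHostKeyAgent,
+	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
+	sStreamLocalBindMask, sStreamLocalBindUnlink,
+	sAllowStreamLocalForwarding,
 	sDebianBanner,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
@@ -486,6 +500,7 @@ static struct {
 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
 	{ "permittty", sPermitTTY, SSHCFG_ALL },
+	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
 	{ "match", sMatch, SSHCFG_ALL },
 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
@@ -500,6 +515,9 @@ static struct {
 	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
 	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
 	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
+	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
+	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
 	{ "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
 	{ NULL, sBadOption, 0 }
 };
@@ -1169,6 +1187,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		intptr = &options->permit_tty;
 		goto parse_flag;
 
+	case sPermitUserRC:
+		intptr = &options->permit_user_rc;
+		goto parse_flag;
+
 	case sStrictModes:
 		intptr = &options->strict_modes;
 		goto parse_flag;
@@ -1226,7 +1248,7 @@ process_server_config_line(ServerOptions *options, char *line,
 		break;
 
 	case sGatewayPorts:
-		intptr = &options->gateway_ports;
+		intptr = &options->fwd_opts.gateway_ports;
 		multistate_ptr = multistate_gatewayports;
 		goto parse_multistate;
 
@@ -1261,6 +1283,11 @@ process_server_config_line(ServerOptions *options, char *line,
 		multistate_ptr = multistate_tcpfwd;
 		goto parse_multistate;
 
+	case sAllowStreamLocalForwarding:
+		intptr = &options->allow_streamlocal_forwarding;
+		multistate_ptr = multistate_tcpfwd;
+		goto parse_multistate;
+
 	case sAllowAgentForwarding:
 		intptr = &options->allow_agent_forwarding;
 		goto parse_flag;
@@ -1659,6 +1686,22 @@ process_server_config_line(ServerOptions *options, char *line,
 		}
 		return 0;
 
+	case sStreamLocalBindMask:
+		arg = strdelim(&cp);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: missing StreamLocalBindMask argument.",
+			    filename, linenum);
+		/* Parse mode in octal format */
+		value = strtol(arg, &p, 8);
+		if (arg == p || value < 0 || value > 0777)
+			fatal("%s line %d: Bad mask.", filename, linenum);
+		options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
+		break;
+
+	case sStreamLocalBindUnlink:
+		intptr = &options->fwd_opts.streamlocal_bind_unlink;
+		goto parse_flag;
+
 	case sDebianBanner:
 		intptr = &options->debian_banner;
 		goto parse_int;
@@ -1802,13 +1845,15 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(permit_empty_passwd);
 
 	M_CP_INTOPT(allow_tcp_forwarding);
+	M_CP_INTOPT(allow_streamlocal_forwarding);
 	M_CP_INTOPT(allow_agent_forwarding);
 	M_CP_INTOPT(permit_tun);
-	M_CP_INTOPT(gateway_ports);
+	M_CP_INTOPT(fwd_opts.gateway_ports);
 	M_CP_INTOPT(x11_display_offset);
 	M_CP_INTOPT(x11_forwarding);
 	M_CP_INTOPT(x11_use_localhost);
 	M_CP_INTOPT(permit_tty);
+	M_CP_INTOPT(permit_user_rc);
 	M_CP_INTOPT(max_sessions);
 	M_CP_INTOPT(max_authtries);
 	M_CP_INTOPT(ip_qos_interactive);
@@ -1901,6 +1946,8 @@ fmt_intarg(ServerOpCodes code, int val)
 		return fmt_multistate_int(val, multistate_privsep);
 	case sAllowTcpForwarding:
 		return fmt_multistate_int(val, multistate_tcpfwd);
+	case sAllowStreamLocalForwarding:
+		return fmt_multistate_int(val, multistate_tcpfwd);
 	case sProtocol:
 		switch (val) {
 		case SSH_PROTO_1:
@@ -2053,15 +2100,17 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
 	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
+	dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
 	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
 	dump_cfg_fmtint(sUseLogin, o->use_login);
 	dump_cfg_fmtint(sCompression, o->compression);
-	dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
+	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 
 	/* string arguments */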
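Review bot: The new sStreamLocalBindMask case in process_server_config_line (hunk @@ -1659,6 +1686,22 @@) never checks that strtol consumed the whole token, so a value with trailing characters after the octal digits appears to be accepted with only its numeric prefix used, whereas the adjacent missing-argument and range checks are strict. Since arg comes from strdelim and is already whitespace-delimited, the end-pointer check can be added to the existing condition: `if (arg == p || *p != '\0' || value < 0 || value > 0777)`. This matters because the mask decides the permissions of the forwarded Unix-domain socket, and a silently mis-parsed mask is harder to notice than a fatal() at config load; the 0777 upper bound already rules out ERANGE, so no errno check is needed. process_server_config_line begins and ends outside this hunk.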