diff options
author | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-02-29 12:15:15 +0000 |
commit | c52a95cc4754e6630c96fe65ae0c65eb41d2c590 (patch) | |
tree | 793395934013923b7b2426382c0676edcd4be3d4 /servconf.c | |
parent | eeff4de96f5d7365750dc56912c2c62b5c28db6b (diff) | |
parent | 72b061d4ba0f909501c595d709ea76e06b01e5c9 (diff) |
Import openssh_7.2p1.orig.tar.gz
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 59 |
1 files changed, 40 insertions, 19 deletions
diff --git a/servconf.c b/servconf.c index 6c7a91e6b..b19d30e18 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.285 2016/02/17 05:29:04 djm Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -178,6 +178,20 @@ option_clear_or_none(const char *o) | |||
178 | return o == NULL || strcasecmp(o, "none") == 0; | 178 | return o == NULL || strcasecmp(o, "none") == 0; |
179 | } | 179 | } |
180 | 180 | ||
181 | static void | ||
182 | assemble_algorithms(ServerOptions *o) | ||
183 | { | ||
184 | if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 || | ||
185 | kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 || | ||
186 | kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 || | ||
187 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | ||
188 | &o->hostkeyalgorithms) != 0 || | ||
189 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | ||
190 | &o->hostbased_key_types) != 0 || | ||
191 | kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0) | ||
192 | fatal("kex_assemble_names failed"); | ||
193 | } | ||
194 | |||
181 | void | 195 | void |
182 | fill_default_server_options(ServerOptions *options) | 196 | fill_default_server_options(ServerOptions *options) |
183 | { | 197 | { |
@@ -259,8 +273,6 @@ fill_default_server_options(ServerOptions *options) | |||
259 | options->hostbased_authentication = 0; | 273 | options->hostbased_authentication = 0; |
260 | if (options->hostbased_uses_name_from_packet_only == -1) | 274 | if (options->hostbased_uses_name_from_packet_only == -1) |
261 | options->hostbased_uses_name_from_packet_only = 0; | 275 | options->hostbased_uses_name_from_packet_only = 0; |
262 | if (options->hostkeyalgorithms == NULL) | ||
263 | options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); | ||
264 | if (options->rsa_authentication == -1) | 276 | if (options->rsa_authentication == -1) |
265 | options->rsa_authentication = 1; | 277 | options->rsa_authentication = 1; |
266 | if (options->pubkey_authentication == -1) | 278 | if (options->pubkey_authentication == -1) |
@@ -342,18 +354,11 @@ fill_default_server_options(ServerOptions *options) | |||
342 | if (options->fingerprint_hash == -1) | 354 | if (options->fingerprint_hash == -1) |
343 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; | 355 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
344 | 356 | ||
345 | if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || | 357 | assemble_algorithms(options); |
346 | kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 || | ||
347 | kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 || | ||
348 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | ||
349 | &options->hostbased_key_types) != 0 || | ||
350 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | ||
351 | &options->pubkey_key_types) != 0) | ||
352 | fatal("%s: kex_assemble_names failed", __func__); | ||
353 | 358 | ||
354 | /* Turn privilege separation on by default */ | 359 | /* Turn privilege separation and sandboxing on by default */ |
355 | if (use_privsep == -1) | 360 | if (use_privsep == -1) |
356 | use_privsep = PRIVSEP_NOSANDBOX; | 361 | use_privsep = PRIVSEP_ON; |
357 | 362 | ||
358 | #define CLEAR_ON_NONE(v) \ | 363 | #define CLEAR_ON_NONE(v) \ |
359 | do { \ | 364 | do { \ |
@@ -368,6 +373,8 @@ fill_default_server_options(ServerOptions *options) | |||
368 | CLEAR_ON_NONE(options->trusted_user_ca_keys); | 373 | CLEAR_ON_NONE(options->trusted_user_ca_keys); |
369 | CLEAR_ON_NONE(options->revoked_keys_file); | 374 | CLEAR_ON_NONE(options->revoked_keys_file); |
370 | CLEAR_ON_NONE(options->authorized_principals_file); | 375 | CLEAR_ON_NONE(options->authorized_principals_file); |
376 | CLEAR_ON_NONE(options->adm_forced_command); | ||
377 | CLEAR_ON_NONE(options->chroot_directory); | ||
371 | for (i = 0; i < options->num_host_key_files; i++) | 378 | for (i = 0; i < options->num_host_key_files; i++) |
372 | CLEAR_ON_NONE(options->host_key_files[i]); | 379 | CLEAR_ON_NONE(options->host_key_files[i]); |
373 | for (i = 0; i < options->num_host_cert_files; i++) | 380 | for (i = 0; i < options->num_host_cert_files; i++) |
@@ -499,7 +506,11 @@ static struct { | |||
499 | { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, | 506 | { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, |
500 | { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, | 507 | { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, |
501 | { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, | 508 | { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, |
509 | #ifdef DISABLE_LASTLOG | ||
510 | { "printlastlog", sUnsupported, SSHCFG_GLOBAL }, | ||
511 | #else | ||
502 | { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, | 512 | { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, |
513 | #endif | ||
503 | { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, | 514 | { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, |
504 | { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, | 515 | { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, |
505 | { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, | 516 | { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, |
@@ -1319,16 +1330,12 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1319 | if (scan_scaled(arg, &val64) == -1) | 1330 | if (scan_scaled(arg, &val64) == -1) |
1320 | fatal("%.200s line %d: Bad number '%s': %s", | 1331 | fatal("%.200s line %d: Bad number '%s': %s", |
1321 | filename, linenum, arg, strerror(errno)); | 1332 | filename, linenum, arg, strerror(errno)); |
1322 | /* check for too-large or too-small limits */ | ||
1323 | if (val64 > UINT_MAX) | ||
1324 | fatal("%.200s line %d: RekeyLimit too large", | ||
1325 | filename, linenum); | ||
1326 | if (val64 != 0 && val64 < 16) | 1333 | if (val64 != 0 && val64 < 16) |
1327 | fatal("%.200s line %d: RekeyLimit too small", | 1334 | fatal("%.200s line %d: RekeyLimit too small", |
1328 | filename, linenum); | 1335 | filename, linenum); |
1329 | } | 1336 | } |
1330 | if (*activep && options->rekey_limit == -1) | 1337 | if (*activep && options->rekey_limit == -1) |
1331 | options->rekey_limit = (u_int32_t)val64; | 1338 | options->rekey_limit = val64; |
1332 | if (cp != NULL) { /* optional rekey interval present */ | 1339 | if (cp != NULL) { /* optional rekey interval present */ |
1333 | if (strcmp(cp, "none") == 0) { | 1340 | if (strcmp(cp, "none") == 0) { |
1334 | (void)strdelim(&cp); /* discard */ | 1341 | (void)strdelim(&cp); /* discard */ |
@@ -2015,6 +2022,9 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
2015 | /* See comment in servconf.h */ | 2022 | /* See comment in servconf.h */ |
2016 | COPY_MATCH_STRING_OPTS(); | 2023 | COPY_MATCH_STRING_OPTS(); |
2017 | 2024 | ||
2025 | /* Arguments that accept '+...' need to be expanded */ | ||
2026 | assemble_algorithms(dst); | ||
2027 | |||
2018 | /* | 2028 | /* |
2019 | * The only things that should be below this point are string options | 2029 | * The only things that should be below this point are string options |
2020 | * which are only used after authentication. | 2030 | * which are only used after authentication. |
@@ -2022,8 +2032,17 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
2022 | if (preauth) | 2032 | if (preauth) |
2023 | return; | 2033 | return; |
2024 | 2034 | ||
2035 | /* These options may be "none" to clear a global setting */ | ||
2025 | M_CP_STROPT(adm_forced_command); | 2036 | M_CP_STROPT(adm_forced_command); |
2037 | if (option_clear_or_none(dst->adm_forced_command)) { | ||
2038 | free(dst->adm_forced_command); | ||
2039 | dst->adm_forced_command = NULL; | ||
2040 | } | ||
2026 | M_CP_STROPT(chroot_directory); | 2041 | M_CP_STROPT(chroot_directory); |
2042 | if (option_clear_or_none(dst->chroot_directory)) { | ||
2043 | free(dst->chroot_directory); | ||
2044 | dst->chroot_directory = NULL; | ||
2045 | } | ||
2027 | } | 2046 | } |
2028 | 2047 | ||
2029 | #undef M_CP_INTOPT | 2048 | #undef M_CP_INTOPT |
@@ -2254,7 +2273,9 @@ dump_config(ServerOptions *o) | |||
2254 | dump_cfg_fmtint(sChallengeResponseAuthentication, | 2273 | dump_cfg_fmtint(sChallengeResponseAuthentication, |
2255 | o->challenge_response_authentication); | 2274 | o->challenge_response_authentication); |
2256 | dump_cfg_fmtint(sPrintMotd, o->print_motd); | 2275 | dump_cfg_fmtint(sPrintMotd, o->print_motd); |
2276 | #ifndef DISABLE_LASTLOG | ||
2257 | dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); | 2277 | dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); |
2278 | #endif | ||
2258 | dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); | 2279 | dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); |
2259 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); | 2280 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); |
2260 | dump_cfg_fmtint(sPermitTTY, o->permit_tty); | 2281 | dump_cfg_fmtint(sPermitTTY, o->permit_tty); |
@@ -2338,7 +2359,7 @@ dump_config(ServerOptions *o) | |||
2338 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); | 2359 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); |
2339 | printf("%s\n", iptos2str(o->ip_qos_bulk)); | 2360 | printf("%s\n", iptos2str(o->ip_qos_bulk)); |
2340 | 2361 | ||
2341 | printf("rekeylimit %lld %d\n", (long long)o->rekey_limit, | 2362 | printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit, |
2342 | o->rekey_interval); | 2363 | o->rekey_interval); |
2343 | 2364 | ||
2344 | channel_print_adm_permitted_opens(); | 2365 | channel_print_adm_permitted_opens(); |