summaryrefslogtreecommitdiff
path: root/servconf.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2016-02-29 12:15:15 +0000
committerColin Watson <cjwatson@debian.org>2016-02-29 12:15:15 +0000
commitc52a95cc4754e6630c96fe65ae0c65eb41d2c590 (patch)
tree793395934013923b7b2426382c0676edcd4be3d4 /servconf.c
parenteeff4de96f5d7365750dc56912c2c62b5c28db6b (diff)
parent72b061d4ba0f909501c595d709ea76e06b01e5c9 (diff)
Import openssh_7.2p1.orig.tar.gz
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c59
1 files changed, 40 insertions, 19 deletions
diff --git a/servconf.c b/servconf.c
index 6c7a91e6b..b19d30e18 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */ 2/* $OpenBSD: servconf.c,v 1.285 2016/02/17 05:29:04 djm Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -178,6 +178,20 @@ option_clear_or_none(const char *o)
178 return o == NULL || strcasecmp(o, "none") == 0; 178 return o == NULL || strcasecmp(o, "none") == 0;
179} 179}
180 180
181static void
182assemble_algorithms(ServerOptions *o)
183{
184 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
185 kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
186 kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
187 kex_assemble_names(KEX_DEFAULT_PK_ALG,
188 &o->hostkeyalgorithms) != 0 ||
189 kex_assemble_names(KEX_DEFAULT_PK_ALG,
190 &o->hostbased_key_types) != 0 ||
191 kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
192 fatal("kex_assemble_names failed");
193}
194
181void 195void
182fill_default_server_options(ServerOptions *options) 196fill_default_server_options(ServerOptions *options)
183{ 197{
@@ -259,8 +273,6 @@ fill_default_server_options(ServerOptions *options)
259 options->hostbased_authentication = 0; 273 options->hostbased_authentication = 0;
260 if (options->hostbased_uses_name_from_packet_only == -1) 274 if (options->hostbased_uses_name_from_packet_only == -1)
261 options->hostbased_uses_name_from_packet_only = 0; 275 options->hostbased_uses_name_from_packet_only = 0;
262 if (options->hostkeyalgorithms == NULL)
263 options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
264 if (options->rsa_authentication == -1) 276 if (options->rsa_authentication == -1)
265 options->rsa_authentication = 1; 277 options->rsa_authentication = 1;
266 if (options->pubkey_authentication == -1) 278 if (options->pubkey_authentication == -1)
@@ -342,18 +354,11 @@ fill_default_server_options(ServerOptions *options)
342 if (options->fingerprint_hash == -1) 354 if (options->fingerprint_hash == -1)
343 options->fingerprint_hash = SSH_FP_HASH_DEFAULT; 355 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
344 356
345 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || 357 assemble_algorithms(options);
346 kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
347 kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
348 kex_assemble_names(KEX_DEFAULT_PK_ALG,
349 &options->hostbased_key_types) != 0 ||
350 kex_assemble_names(KEX_DEFAULT_PK_ALG,
351 &options->pubkey_key_types) != 0)
352 fatal("%s: kex_assemble_names failed", __func__);
353 358
354 /* Turn privilege separation on by default */ 359 /* Turn privilege separation and sandboxing on by default */
355 if (use_privsep == -1) 360 if (use_privsep == -1)
356 use_privsep = PRIVSEP_NOSANDBOX; 361 use_privsep = PRIVSEP_ON;
357 362
358#define CLEAR_ON_NONE(v) \ 363#define CLEAR_ON_NONE(v) \
359 do { \ 364 do { \
@@ -368,6 +373,8 @@ fill_default_server_options(ServerOptions *options)
368 CLEAR_ON_NONE(options->trusted_user_ca_keys); 373 CLEAR_ON_NONE(options->trusted_user_ca_keys);
369 CLEAR_ON_NONE(options->revoked_keys_file); 374 CLEAR_ON_NONE(options->revoked_keys_file);
370 CLEAR_ON_NONE(options->authorized_principals_file); 375 CLEAR_ON_NONE(options->authorized_principals_file);
376 CLEAR_ON_NONE(options->adm_forced_command);
377 CLEAR_ON_NONE(options->chroot_directory);
371 for (i = 0; i < options->num_host_key_files; i++) 378 for (i = 0; i < options->num_host_key_files; i++)
372 CLEAR_ON_NONE(options->host_key_files[i]); 379 CLEAR_ON_NONE(options->host_key_files[i]);
373 for (i = 0; i < options->num_host_cert_files; i++) 380 for (i = 0; i < options->num_host_cert_files; i++)
@@ -499,7 +506,11 @@ static struct {
499 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 506 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
500 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, 507 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
501 { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, 508 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
509#ifdef DISABLE_LASTLOG
510 { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
511#else
502 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, 512 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
513#endif
503 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, 514 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
504 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, 515 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
505 { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, 516 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
@@ -1319,16 +1330,12 @@ process_server_config_line(ServerOptions *options, char *line,
1319 if (scan_scaled(arg, &val64) == -1) 1330 if (scan_scaled(arg, &val64) == -1)
1320 fatal("%.200s line %d: Bad number '%s': %s", 1331 fatal("%.200s line %d: Bad number '%s': %s",
1321 filename, linenum, arg, strerror(errno)); 1332 filename, linenum, arg, strerror(errno));
1322 /* check for too-large or too-small limits */
1323 if (val64 > UINT_MAX)
1324 fatal("%.200s line %d: RekeyLimit too large",
1325 filename, linenum);
1326 if (val64 != 0 && val64 < 16) 1333 if (val64 != 0 && val64 < 16)
1327 fatal("%.200s line %d: RekeyLimit too small", 1334 fatal("%.200s line %d: RekeyLimit too small",
1328 filename, linenum); 1335 filename, linenum);
1329 } 1336 }
1330 if (*activep && options->rekey_limit == -1) 1337 if (*activep && options->rekey_limit == -1)
1331 options->rekey_limit = (u_int32_t)val64; 1338 options->rekey_limit = val64;
1332 if (cp != NULL) { /* optional rekey interval present */ 1339 if (cp != NULL) { /* optional rekey interval present */
1333 if (strcmp(cp, "none") == 0) { 1340 if (strcmp(cp, "none") == 0) {
1334 (void)strdelim(&cp); /* discard */ 1341 (void)strdelim(&cp); /* discard */
@@ -2015,6 +2022,9 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2015 /* See comment in servconf.h */ 2022 /* See comment in servconf.h */
2016 COPY_MATCH_STRING_OPTS(); 2023 COPY_MATCH_STRING_OPTS();
2017 2024
2025 /* Arguments that accept '+...' need to be expanded */
2026 assemble_algorithms(dst);
2027
2018 /* 2028 /*
2019 * The only things that should be below this point are string options 2029 * The only things that should be below this point are string options
2020 * which are only used after authentication. 2030 * which are only used after authentication.
@@ -2022,8 +2032,17 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2022 if (preauth) 2032 if (preauth)
2023 return; 2033 return;
2024 2034
2035 /* These options may be "none" to clear a global setting */
2025 M_CP_STROPT(adm_forced_command); 2036 M_CP_STROPT(adm_forced_command);
2037 if (option_clear_or_none(dst->adm_forced_command)) {
2038 free(dst->adm_forced_command);
2039 dst->adm_forced_command = NULL;
2040 }
2026 M_CP_STROPT(chroot_directory); 2041 M_CP_STROPT(chroot_directory);
2042 if (option_clear_or_none(dst->chroot_directory)) {
2043 free(dst->chroot_directory);
2044 dst->chroot_directory = NULL;
2045 }
2027} 2046}
2028 2047
2029#undef M_CP_INTOPT 2048#undef M_CP_INTOPT
@@ -2254,7 +2273,9 @@ dump_config(ServerOptions *o)
2254 dump_cfg_fmtint(sChallengeResponseAuthentication, 2273 dump_cfg_fmtint(sChallengeResponseAuthentication,
2255 o->challenge_response_authentication); 2274 o->challenge_response_authentication);
2256 dump_cfg_fmtint(sPrintMotd, o->print_motd); 2275 dump_cfg_fmtint(sPrintMotd, o->print_motd);
2276#ifndef DISABLE_LASTLOG
2257 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); 2277 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2278#endif
2258 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); 2279 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2259 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 2280 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2260 dump_cfg_fmtint(sPermitTTY, o->permit_tty); 2281 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
@@ -2338,7 +2359,7 @@ dump_config(ServerOptions *o)
2338 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2359 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2339 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2360 printf("%s\n", iptos2str(o->ip_qos_bulk));
2340 2361
2341 printf("rekeylimit %lld %d\n", (long long)o->rekey_limit, 2362 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
2342 o->rekey_interval); 2363 o->rekey_interval);
2343 2364
2344 channel_print_adm_permitted_opens(); 2365 channel_print_adm_permitted_opens();