author | Colin Watson <cjwatson@debian.org> | 2016-12-20 00:22:53 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2016-12-23 19:08:35 +0000 |
commit | ee52365e713e546dbd878d73d9590dbaccd760ba (patch) | |
tree | 841d0d9ae73e83070bcc3b46218ebdd18142dda3 /servconf.c | |
parent | 8a4a5c22e363ad6a110ad9b787170297f5da8f04 (diff) | |
parent | 2103d3e5566c54e08a59be750579a249e46747d7 (diff) |
New upstream release (7.4p1).
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 174 |
1 files changed, 57 insertions, 117 deletions
diff --git a/servconf.c b/servconf.c index a98b30938..1cee3d6c2 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.292 2016/06/23 05:17:51 djm Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.301 2016/11/30 03:00:05 djm Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -86,9 +86,7 @@ initialize_server_options(ServerOptions *options) | |||
86 | options->num_host_cert_files = 0; | 86 | options->num_host_cert_files = 0; |
87 | options->host_key_agent = NULL; | 87 | options->host_key_agent = NULL; |
88 | options->pid_file = NULL; | 88 | options->pid_file = NULL; |
89 | options->server_key_bits = -1; | ||
90 | options->login_grace_time = -1; | 89 | options->login_grace_time = -1; |
91 | options->key_regeneration_time = -1; | ||
92 | options->permit_root_login = PERMIT_NOT_SET; | 90 | options->permit_root_login = PERMIT_NOT_SET; |
93 | options->ignore_rhosts = -1; | 91 | options->ignore_rhosts = -1; |
94 | options->ignore_user_known_hosts = -1; | 92 | options->ignore_user_known_hosts = -1; |
@@ -104,12 +102,10 @@ initialize_server_options(ServerOptions *options) | |||
104 | options->tcp_keep_alive = -1; | 102 | options->tcp_keep_alive = -1; |
105 | options->log_facility = SYSLOG_FACILITY_NOT_SET; | 103 | options->log_facility = SYSLOG_FACILITY_NOT_SET; |
106 | options->log_level = SYSLOG_LEVEL_NOT_SET; | 104 | options->log_level = SYSLOG_LEVEL_NOT_SET; |
107 | options->rhosts_rsa_authentication = -1; | ||
108 | options->hostbased_authentication = -1; | 105 | options->hostbased_authentication = -1; |
109 | options->hostbased_uses_name_from_packet_only = -1; | 106 | options->hostbased_uses_name_from_packet_only = -1; |
110 | options->hostbased_key_types = NULL; | 107 | options->hostbased_key_types = NULL; |
111 | options->hostkeyalgorithms = NULL; | 108 | options->hostkeyalgorithms = NULL; |
112 | options->rsa_authentication = -1; | ||
113 | options->pubkey_authentication = -1; | 109 | options->pubkey_authentication = -1; |
114 | options->pubkey_key_types = NULL; | 110 | options->pubkey_key_types = NULL; |
115 | options->kerberos_authentication = -1; | 111 | options->kerberos_authentication = -1; |
@@ -126,7 +122,6 @@ initialize_server_options(ServerOptions *options) | |||
126 | options->challenge_response_authentication = -1; | 122 | options->challenge_response_authentication = -1; |
127 | options->permit_empty_passwd = -1; | 123 | options->permit_empty_passwd = -1; |
128 | options->permit_user_env = -1; | 124 | options->permit_user_env = -1; |
129 | options->use_login = -1; | ||
130 | options->compression = -1; | 125 | options->compression = -1; |
131 | options->rekey_limit = -1; | 126 | options->rekey_limit = -1; |
132 | options->rekey_interval = -1; | 127 | options->rekey_interval = -1; |
@@ -140,7 +135,6 @@ initialize_server_options(ServerOptions *options) | |||
140 | options->ciphers = NULL; | 135 | options->ciphers = NULL; |
141 | options->macs = NULL; | 136 | options->macs = NULL; |
142 | options->kex_algorithms = NULL; | 137 | options->kex_algorithms = NULL; |
143 | options->protocol = SSH_PROTO_UNKNOWN; | ||
144 | options->fwd_opts.gateway_ports = -1; | 138 | options->fwd_opts.gateway_ports = -1; |
145 | options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; | 139 | options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; |
146 | options->fwd_opts.streamlocal_bind_unlink = -1; | 140 | options->fwd_opts.streamlocal_bind_unlink = -1; |
@@ -171,6 +165,7 @@ initialize_server_options(ServerOptions *options) | |||
171 | options->ip_qos_bulk = -1; | 165 | options->ip_qos_bulk = -1; |
172 | options->version_addendum = NULL; | 166 | options->version_addendum = NULL; |
173 | options->fingerprint_hash = -1; | 167 | options->fingerprint_hash = -1; |
168 | options->disable_forwarding = -1; | ||
174 | options->debian_banner = -1; | 169 | options->debian_banner = -1; |
175 | } | 170 | } |
176 | 171 | ||
@@ -205,25 +200,18 @@ fill_default_server_options(ServerOptions *options) | |||
205 | options->use_pam = 0; | 200 | options->use_pam = 0; |
206 | 201 | ||
207 | /* Standard Options */ | 202 | /* Standard Options */ |
208 | if (options->protocol == SSH_PROTO_UNKNOWN) | ||
209 | options->protocol = SSH_PROTO_2; | ||
210 | if (options->num_host_key_files == 0) { | 203 | if (options->num_host_key_files == 0) { |
211 | /* fill default hostkeys for protocols */ | 204 | /* fill default hostkeys for protocols */ |
212 | if (options->protocol & SSH_PROTO_1) | 205 | options->host_key_files[options->num_host_key_files++] = |
213 | options->host_key_files[options->num_host_key_files++] = | 206 | _PATH_HOST_RSA_KEY_FILE; |
214 | _PATH_HOST_KEY_FILE; | 207 | options->host_key_files[options->num_host_key_files++] = |
215 | if (options->protocol & SSH_PROTO_2) { | 208 | _PATH_HOST_DSA_KEY_FILE; |
216 | options->host_key_files[options->num_host_key_files++] = | ||
217 | _PATH_HOST_RSA_KEY_FILE; | ||
218 | options->host_key_files[options->num_host_key_files++] = | ||
219 | _PATH_HOST_DSA_KEY_FILE; | ||
220 | #ifdef OPENSSL_HAS_ECC | 209 | #ifdef OPENSSL_HAS_ECC |
221 | options->host_key_files[options->num_host_key_files++] = | 210 | options->host_key_files[options->num_host_key_files++] = |
222 | _PATH_HOST_ECDSA_KEY_FILE; | 211 | _PATH_HOST_ECDSA_KEY_FILE; |
223 | #endif | 212 | #endif |
224 | options->host_key_files[options->num_host_key_files++] = | 213 | options->host_key_files[options->num_host_key_files++] = |
225 | _PATH_HOST_ED25519_KEY_FILE; | 214 | _PATH_HOST_ED25519_KEY_FILE; |
226 | } | ||
227 | } | 215 | } |
228 | /* No certificates by default */ | 216 | /* No certificates by default */ |
229 | if (options->num_ports == 0) | 217 | if (options->num_ports == 0) |
@@ -234,12 +222,8 @@ fill_default_server_options(ServerOptions *options) | |||
234 | add_listen_addr(options, NULL, 0); | 222 | add_listen_addr(options, NULL, 0); |
235 | if (options->pid_file == NULL) | 223 | if (options->pid_file == NULL) |
236 | options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE); | 224 | options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE); |
237 | if (options->server_key_bits == -1) | ||
238 | options->server_key_bits = 1024; | ||
239 | if (options->login_grace_time == -1) | 225 | if (options->login_grace_time == -1) |
240 | options->login_grace_time = 120; | 226 | options->login_grace_time = 120; |
241 | if (options->key_regeneration_time == -1) | ||
242 | options->key_regeneration_time = 3600; | ||
243 | if (options->permit_root_login == PERMIT_NOT_SET) | 227 | if (options->permit_root_login == PERMIT_NOT_SET) |
244 | options->permit_root_login = PERMIT_NO_PASSWD; | 228 | options->permit_root_login = PERMIT_NO_PASSWD; |
245 | if (options->ignore_rhosts == -1) | 229 | if (options->ignore_rhosts == -1) |
@@ -270,14 +254,10 @@ fill_default_server_options(ServerOptions *options) | |||
270 | options->log_facility = SYSLOG_FACILITY_AUTH; | 254 | options->log_facility = SYSLOG_FACILITY_AUTH; |
271 | if (options->log_level == SYSLOG_LEVEL_NOT_SET) | 255 | if (options->log_level == SYSLOG_LEVEL_NOT_SET) |
272 | options->log_level = SYSLOG_LEVEL_INFO; | 256 | options->log_level = SYSLOG_LEVEL_INFO; |
273 | if (options->rhosts_rsa_authentication == -1) | ||
274 | options->rhosts_rsa_authentication = 0; | ||
275 | if (options->hostbased_authentication == -1) | 257 | if (options->hostbased_authentication == -1) |
276 | options->hostbased_authentication = 0; | 258 | options->hostbased_authentication = 0; |
277 | if (options->hostbased_uses_name_from_packet_only == -1) | 259 | if (options->hostbased_uses_name_from_packet_only == -1) |
278 | options->hostbased_uses_name_from_packet_only = 0; | 260 | options->hostbased_uses_name_from_packet_only = 0; |
279 | if (options->rsa_authentication == -1) | ||
280 | options->rsa_authentication = 1; | ||
281 | if (options->pubkey_authentication == -1) | 261 | if (options->pubkey_authentication == -1) |
282 | options->pubkey_authentication = 1; | 262 | options->pubkey_authentication = 1; |
283 | if (options->kerberos_authentication == -1) | 263 | if (options->kerberos_authentication == -1) |
@@ -308,8 +288,6 @@ fill_default_server_options(ServerOptions *options) | |||
308 | options->permit_empty_passwd = 0; | 288 | options->permit_empty_passwd = 0; |
309 | if (options->permit_user_env == -1) | 289 | if (options->permit_user_env == -1) |
310 | options->permit_user_env = 0; | 290 | options->permit_user_env = 0; |
311 | if (options->use_login == -1) | ||
312 | options->use_login = 0; | ||
313 | if (options->compression == -1) | 291 | if (options->compression == -1) |
314 | options->compression = COMP_DELAYED; | 292 | options->compression = COMP_DELAYED; |
315 | if (options->rekey_limit == -1) | 293 | if (options->rekey_limit == -1) |
@@ -360,6 +338,8 @@ fill_default_server_options(ServerOptions *options) | |||
360 | options->fwd_opts.streamlocal_bind_unlink = 0; | 338 | options->fwd_opts.streamlocal_bind_unlink = 0; |
361 | if (options->fingerprint_hash == -1) | 339 | if (options->fingerprint_hash == -1) |
362 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; | 340 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
341 | if (options->disable_forwarding == -1) | ||
342 | options->disable_forwarding = 0; | ||
363 | if (options->debian_banner == -1) | 343 | if (options->debian_banner == -1) |
364 | options->debian_banner = 1; | 344 | options->debian_banner = 1; |
365 | 345 | ||
@@ -415,8 +395,8 @@ typedef enum { | |||
415 | /* Portable-specific options */ | 395 | /* Portable-specific options */ |
416 | sUsePAM, | 396 | sUsePAM, |
417 | /* Standard Options */ | 397 | /* Standard Options */ |
418 | sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, | 398 | sPort, sHostKeyFile, sLoginGraceTime, |
419 | sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, | 399 | sPermitRootLogin, sLogFacility, sLogLevel, |
420 | sRhostsRSAAuthentication, sRSAAuthentication, | 400 | sRhostsRSAAuthentication, sRSAAuthentication, |
421 | sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, | 401 | sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, |
422 | sKerberosGetAFSToken, | 402 | sKerberosGetAFSToken, |
@@ -426,9 +406,9 @@ typedef enum { | |||
426 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | 406 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
427 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 407 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
428 | sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, | 408 | sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, |
429 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 409 | sPermitUserEnvironment, sAllowTcpForwarding, sCompression, |
430 | sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 410 | sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
431 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 411 | sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, |
432 | sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, | 412 | sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, |
433 | sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, | 413 | sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, |
434 | sBanner, sUseDNS, sHostbasedAuthentication, | 414 | sBanner, sUseDNS, sHostbasedAuthentication, |
@@ -447,9 +427,9 @@ typedef enum { | |||
447 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, | 427 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, |
448 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, | 428 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, |
449 | sStreamLocalBindMask, sStreamLocalBindUnlink, | 429 | sStreamLocalBindMask, sStreamLocalBindUnlink, |
450 | sAllowStreamLocalForwarding, sFingerprintHash, | 430 | sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, |
451 | sDebianBanner, | 431 | sDebianBanner, |
452 | sDeprecated, sUnsupported | 432 | sDeprecated, sIgnore, sUnsupported |
453 | } ServerOpCodes; | 433 | } ServerOpCodes; |
454 | 434 | ||
455 | #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ | 435 | #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ |
@@ -475,19 +455,19 @@ static struct { | |||
475 | { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ | 455 | { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ |
476 | { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, | 456 | { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, |
477 | { "pidfile", sPidFile, SSHCFG_GLOBAL }, | 457 | { "pidfile", sPidFile, SSHCFG_GLOBAL }, |
478 | { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, | 458 | { "serverkeybits", sDeprecated, SSHCFG_GLOBAL }, |
479 | { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, | 459 | { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, |
480 | { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, | 460 | { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL }, |
481 | { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, | 461 | { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, |
482 | { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, | 462 | { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, |
483 | { "loglevel", sLogLevel, SSHCFG_GLOBAL }, | 463 | { "loglevel", sLogLevel, SSHCFG_GLOBAL }, |
484 | { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, | 464 | { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, |
485 | { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, | 465 | { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL }, |
486 | { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, | 466 | { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, |
487 | { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, | 467 | { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, |
488 | { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, | 468 | { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, |
489 | { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL }, | 469 | { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL }, |
490 | { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, | 470 | { "rsaauthentication", sDeprecated, SSHCFG_ALL }, |
491 | { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, | 471 | { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, |
492 | { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, | 472 | { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, |
493 | { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ | 473 | { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ |
@@ -548,7 +528,7 @@ static struct { | |||
548 | { "permitblacklistedkeys", sDeprecated, SSHCFG_GLOBAL }, | 528 | { "permitblacklistedkeys", sDeprecated, SSHCFG_GLOBAL }, |
549 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, | 529 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, |
550 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 530 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
551 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 531 | { "uselogin", sDeprecated, SSHCFG_GLOBAL }, |
552 | { "compression", sCompression, SSHCFG_GLOBAL }, | 532 | { "compression", sCompression, SSHCFG_GLOBAL }, |
553 | { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, | 533 | { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, |
554 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, | 534 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, |
@@ -561,7 +541,7 @@ static struct { | |||
561 | { "denygroups", sDenyGroups, SSHCFG_ALL }, | 541 | { "denygroups", sDenyGroups, SSHCFG_ALL }, |
562 | { "ciphers", sCiphers, SSHCFG_GLOBAL }, | 542 | { "ciphers", sCiphers, SSHCFG_GLOBAL }, |
563 | { "macs", sMacs, SSHCFG_GLOBAL }, | 543 | { "macs", sMacs, SSHCFG_GLOBAL }, |
564 | { "protocol", sProtocol, SSHCFG_GLOBAL }, | 544 | { "protocol", sIgnore, SSHCFG_GLOBAL }, |
565 | { "gatewayports", sGatewayPorts, SSHCFG_ALL }, | 545 | { "gatewayports", sGatewayPorts, SSHCFG_ALL }, |
566 | { "subsystem", sSubsystem, SSHCFG_GLOBAL }, | 546 | { "subsystem", sSubsystem, SSHCFG_GLOBAL }, |
567 | { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, | 547 | { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, |
@@ -571,8 +551,8 @@ static struct { | |||
571 | { "usedns", sUseDNS, SSHCFG_GLOBAL }, | 551 | { "usedns", sUseDNS, SSHCFG_GLOBAL }, |
572 | { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, | 552 | { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, |
573 | { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, | 553 | { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, |
574 | { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, | 554 | { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL }, |
575 | { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, | 555 | { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL }, |
576 | { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, | 556 | { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL }, |
577 | { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, | 557 | { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, |
578 | { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, | 558 | { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, |
@@ -600,6 +580,7 @@ static struct { | |||
600 | { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, | 580 | { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, |
601 | { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, | 581 | { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, |
602 | { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, | 582 | { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, |
583 | { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, | ||
603 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | 584 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, |
604 | { NULL, sBadOption, 0 } | 585 | { NULL, sBadOption, 0 } |
605 | }; | 586 | }; |
@@ -763,7 +744,7 @@ get_connection_info(int populate, int use_dns) | |||
763 | * options set are copied into the main server config. | 744 | * options set are copied into the main server config. |
764 | * | 745 | * |
765 | * Potential additions/improvements: | 746 | * Potential additions/improvements: |
766 | * - Add Match support for pre-kex directives, eg Protocol, Ciphers. | 747 | * - Add Match support for pre-kex directives, eg. Ciphers. |
767 | * | 748 | * |
768 | * - Add a Tag directive (idea from David Leonard) ala pf, eg: | 749 | * - Add a Tag directive (idea from David Leonard) ala pf, eg: |
769 | * Match Address 192.168.0.* | 750 | * Match Address 192.168.0.* |
@@ -964,8 +945,8 @@ static const struct multistate multistate_permitrootlogin[] = { | |||
964 | { NULL, -1 } | 945 | { NULL, -1 } |
965 | }; | 946 | }; |
966 | static const struct multistate multistate_compression[] = { | 947 | static const struct multistate multistate_compression[] = { |
948 | { "yes", COMP_DELAYED }, | ||
967 | { "delayed", COMP_DELAYED }, | 949 | { "delayed", COMP_DELAYED }, |
968 | { "yes", COMP_ZLIB }, | ||
969 | { "no", COMP_NONE }, | 950 | { "no", COMP_NONE }, |
970 | { NULL, -1 } | 951 | { NULL, -1 } |
971 | }; | 952 | }; |
@@ -1061,18 +1042,6 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1061 | filename, linenum); | 1042 | filename, linenum); |
1062 | break; | 1043 | break; |
1063 | 1044 | ||
1064 | case sServerKeyBits: | ||
1065 | intptr = &options->server_key_bits; | ||
1066 | parse_int: | ||
1067 | arg = strdelim(&cp); | ||
1068 | if (!arg || *arg == '\0') | ||
1069 | fatal("%s line %d: missing integer value.", | ||
1070 | filename, linenum); | ||
1071 | value = atoi(arg); | ||
1072 | if (*activep && *intptr == -1) | ||
1073 | *intptr = value; | ||
1074 | break; | ||
1075 | |||
1076 | case sLoginGraceTime: | 1045 | case sLoginGraceTime: |
1077 | intptr = &options->login_grace_time; | 1046 | intptr = &options->login_grace_time; |
1078 | parse_time: | 1047 | parse_time: |
@@ -1087,10 +1056,6 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1087 | *intptr = value; | 1056 | *intptr = value; |
1088 | break; | 1057 | break; |
1089 | 1058 | ||
1090 | case sKeyRegenerationTime: | ||
1091 | intptr = &options->key_regeneration_time; | ||
1092 | goto parse_time; | ||
1093 | |||
1094 | case sListenAddress: | 1059 | case sListenAddress: |
1095 | arg = strdelim(&cp); | 1060 | arg = strdelim(&cp); |
1096 | if (arg == NULL || *arg == '\0') | 1061 | if (arg == NULL || *arg == '\0') |
@@ -1176,7 +1141,6 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1176 | MAX_HOSTCERTS); | 1141 | MAX_HOSTCERTS); |
1177 | charptr = &options->host_cert_files[*intptr]; | 1142 | charptr = &options->host_cert_files[*intptr]; |
1178 | goto parse_filename; | 1143 | goto parse_filename; |
1179 | break; | ||
1180 | 1144 | ||
1181 | case sPidFile: | 1145 | case sPidFile: |
1182 | charptr = &options->pid_file; | 1146 | charptr = &options->pid_file; |
@@ -1210,10 +1174,6 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1210 | intptr = &options->ignore_user_known_hosts; | 1174 | intptr = &options->ignore_user_known_hosts; |
1211 | goto parse_flag; | 1175 | goto parse_flag; |
1212 | 1176 | ||
1213 | case sRhostsRSAAuthentication: | ||
1214 | intptr = &options->rhosts_rsa_authentication; | ||
1215 | goto parse_flag; | ||
1216 | |||
1217 | case sHostbasedAuthentication: | 1177 | case sHostbasedAuthentication: |
1218 | intptr = &options->hostbased_authentication; | 1178 | intptr = &options->hostbased_authentication; |
1219 | goto parse_flag; | 1179 | goto parse_flag; |
@@ -1240,10 +1200,6 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1240 | charptr = &options->hostkeyalgorithms; | 1200 | charptr = &options->hostkeyalgorithms; |
1241 | goto parse_keytypes; | 1201 | goto parse_keytypes; |
1242 | 1202 | ||
1243 | case sRSAAuthentication: | ||
1244 | intptr = &options->rsa_authentication; | ||
1245 | goto parse_flag; | ||
1246 | |||
1247 | case sPubkeyAuthentication: | 1203 | case sPubkeyAuthentication: |
1248 | intptr = &options->pubkey_authentication; | 1204 | intptr = &options->pubkey_authentication; |
1249 | goto parse_flag; | 1205 | goto parse_flag; |
@@ -1314,7 +1270,15 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1314 | 1270 | ||
1315 | case sX11DisplayOffset: | 1271 | case sX11DisplayOffset: |
1316 | intptr = &options->x11_display_offset; | 1272 | intptr = &options->x11_display_offset; |
1317 | goto parse_int; | 1273 | parse_int: |
1274 | arg = strdelim(&cp); | ||
1275 | if (!arg || *arg == '\0') | ||
1276 | fatal("%s line %d: missing integer value.", | ||
1277 | filename, linenum); | ||
1278 | value = atoi(arg); | ||
1279 | if (*activep && *intptr == -1) | ||
1280 | *intptr = value; | ||
1281 | break; | ||
1318 | 1282 | ||
1319 | case sX11UseLocalhost: | 1283 | case sX11UseLocalhost: |
1320 | intptr = &options->x11_use_localhost; | 1284 | intptr = &options->x11_use_localhost; |
@@ -1348,10 +1312,6 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1348 | intptr = &options->permit_user_env; | 1312 | intptr = &options->permit_user_env; |
1349 | goto parse_flag; | 1313 | goto parse_flag; |
1350 | 1314 | ||
1351 | case sUseLogin: | ||
1352 | intptr = &options->use_login; | ||
1353 | goto parse_flag; | ||
1354 | |||
1355 | case sCompression: | 1315 | case sCompression: |
1356 | intptr = &options->compression; | 1316 | intptr = &options->compression; |
1357 | multistate_ptr = multistate_compression; | 1317 | multistate_ptr = multistate_compression; |
@@ -1429,6 +1389,10 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1429 | intptr = &options->allow_agent_forwarding; | 1389 | intptr = &options->allow_agent_forwarding; |
1430 | goto parse_flag; | 1390 | goto parse_flag; |
1431 | 1391 | ||
1392 | case sDisableForwarding: | ||
1393 | intptr = &options->disable_forwarding; | ||
1394 | goto parse_flag; | ||
1395 | |||
1432 | case sUsePrivilegeSeparation: | 1396 | case sUsePrivilegeSeparation: |
1433 | intptr = &use_privsep; | 1397 | intptr = &use_privsep; |
1434 | multistate_ptr = multistate_privsep; | 1398 | multistate_ptr = multistate_privsep; |
@@ -1439,6 +1403,9 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1439 | if (options->num_allow_users >= MAX_ALLOW_USERS) | 1403 | if (options->num_allow_users >= MAX_ALLOW_USERS) |
1440 | fatal("%s line %d: too many allow users.", | 1404 | fatal("%s line %d: too many allow users.", |
1441 | filename, linenum); | 1405 | filename, linenum); |
1406 | if (match_user(NULL, NULL, NULL, arg) == -1) | ||
1407 | fatal("%s line %d: invalid AllowUsers pattern: " | ||
1408 | "\"%.100s\"", filename, linenum, arg); | ||
1442 | if (!*activep) | 1409 | if (!*activep) |
1443 | continue; | 1410 | continue; |
1444 | options->allow_users[options->num_allow_users++] = | 1411 | options->allow_users[options->num_allow_users++] = |
@@ -1451,6 +1418,9 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1451 | if (options->num_deny_users >= MAX_DENY_USERS) | 1418 | if (options->num_deny_users >= MAX_DENY_USERS) |
1452 | fatal("%s line %d: too many deny users.", | 1419 | fatal("%s line %d: too many deny users.", |
1453 | filename, linenum); | 1420 | filename, linenum); |
1421 | if (match_user(NULL, NULL, NULL, arg) == -1) | ||
1422 | fatal("%s line %d: invalid DenyUsers pattern: " | ||
1423 | "\"%.100s\"", filename, linenum, arg); | ||
1454 | if (!*activep) | 1424 | if (!*activep) |
1455 | continue; | 1425 | continue; |
1456 | options->deny_users[options->num_deny_users++] = | 1426 | options->deny_users[options->num_deny_users++] = |
@@ -1516,19 +1486,6 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1516 | options->kex_algorithms = xstrdup(arg); | 1486 | options->kex_algorithms = xstrdup(arg); |
1517 | break; | 1487 | break; |
1518 | 1488 | ||
1519 | case sProtocol: | ||
1520 | intptr = &options->protocol; | ||
1521 | arg = strdelim(&cp); | ||
1522 | if (!arg || *arg == '\0') | ||
1523 | fatal("%s line %d: Missing argument.", filename, linenum); | ||
1524 | value = proto_spec(arg); | ||
1525 | if (value == SSH_PROTO_UNKNOWN) | ||
1526 | fatal("%s line %d: Bad protocol spec '%s'.", | ||
1527 | filename, linenum, arg ? arg : "<NONE>"); | ||
1528 | if (*intptr == SSH_PROTO_UNKNOWN) | ||
1529 | *intptr = value; | ||
1530 | break; | ||
1531 | |||
1532 | case sSubsystem: | 1489 | case sSubsystem: |
1533 | if (options->num_subsystems >= MAX_SUBSYSTEMS) { | 1490 | if (options->num_subsystems >= MAX_SUBSYSTEMS) { |
1534 | fatal("%s line %d: too many subsystems defined.", | 1491 | fatal("%s line %d: too many subsystems defined.", |
@@ -1913,15 +1870,12 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1913 | goto parse_int; | 1870 | goto parse_int; |
1914 | 1871 | ||
1915 | case sDeprecated: | 1872 | case sDeprecated: |
1916 | logit("%s line %d: Deprecated option %s", | 1873 | case sIgnore: |
1917 | filename, linenum, arg); | ||
1918 | while (arg) | ||
1919 | arg = strdelim(&cp); | ||
1920 | break; | ||
1921 | |||
1922 | case sUnsupported: | 1874 | case sUnsupported: |
1923 | logit("%s line %d: Unsupported option %s", | 1875 | do_log2(opcode == sIgnore ? |
1924 | filename, linenum, arg); | 1876 | SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO, |
1877 | "%s line %d: %s option %s", filename, linenum, | ||
1878 | opcode == sUnsupported ? "Unsupported" : "Deprecated", arg); | ||
1925 | while (arg) | 1879 | while (arg) |
1926 | arg = strdelim(&cp); | 1880 | arg = strdelim(&cp); |
1927 | break; | 1881 | break; |
@@ -2041,7 +1995,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
2041 | 1995 | ||
2042 | M_CP_INTOPT(password_authentication); | 1996 | M_CP_INTOPT(password_authentication); |
2043 | M_CP_INTOPT(gss_authentication); | 1997 | M_CP_INTOPT(gss_authentication); |
2044 | M_CP_INTOPT(rsa_authentication); | ||
2045 | M_CP_INTOPT(pubkey_authentication); | 1998 | M_CP_INTOPT(pubkey_authentication); |
2046 | M_CP_INTOPT(kerberos_authentication); | 1999 | M_CP_INTOPT(kerberos_authentication); |
2047 | M_CP_INTOPT(hostbased_authentication); | 2000 | M_CP_INTOPT(hostbased_authentication); |
@@ -2053,6 +2006,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
2053 | M_CP_INTOPT(allow_tcp_forwarding); | 2006 | M_CP_INTOPT(allow_tcp_forwarding); |
2054 | M_CP_INTOPT(allow_streamlocal_forwarding); | 2007 | M_CP_INTOPT(allow_streamlocal_forwarding); |
2055 | M_CP_INTOPT(allow_agent_forwarding); | 2008 | M_CP_INTOPT(allow_agent_forwarding); |
2009 | M_CP_INTOPT(disable_forwarding); | ||
2056 | M_CP_INTOPT(permit_tun); | 2010 | M_CP_INTOPT(permit_tun); |
2057 | M_CP_INTOPT(fwd_opts.gateway_ports); | 2011 | M_CP_INTOPT(fwd_opts.gateway_ports); |
2058 | M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink); | 2012 | M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink); |
@@ -2063,6 +2017,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
2063 | M_CP_INTOPT(permit_user_rc); | 2017 | M_CP_INTOPT(permit_user_rc); |
2064 | M_CP_INTOPT(max_sessions); | 2018 | M_CP_INTOPT(max_sessions); |
2065 | M_CP_INTOPT(max_authtries); | 2019 | M_CP_INTOPT(max_authtries); |
2020 | M_CP_INTOPT(client_alive_count_max); | ||
2021 | M_CP_INTOPT(client_alive_interval); | ||
2066 | M_CP_INTOPT(ip_qos_interactive); | 2022 | M_CP_INTOPT(ip_qos_interactive); |
2067 | M_CP_INTOPT(ip_qos_bulk); | 2023 | M_CP_INTOPT(ip_qos_bulk); |
2068 | M_CP_INTOPT(rekey_limit); | 2024 | M_CP_INTOPT(rekey_limit); |
@@ -2181,17 +2137,6 @@ fmt_intarg(ServerOpCodes code, int val) | |||
2181 | return fmt_multistate_int(val, multistate_tcpfwd); | 2137 | return fmt_multistate_int(val, multistate_tcpfwd); |
2182 | case sFingerprintHash: | 2138 | case sFingerprintHash: |
2183 | return ssh_digest_alg_name(val); | 2139 | return ssh_digest_alg_name(val); |
2184 | case sProtocol: | ||
2185 | switch (val) { | ||
2186 | case SSH_PROTO_1: | ||
2187 | return "1"; | ||
2188 | case SSH_PROTO_2: | ||
2189 | return "2"; | ||
2190 | case (SSH_PROTO_1|SSH_PROTO_2): | ||
2191 | return "2,1"; | ||
2192 | default: | ||
2193 | return "UNKNOWN"; | ||
2194 | } | ||
2195 | default: | 2140 | default: |
2196 | switch (val) { | 2141 | switch (val) { |
2197 | case 0: | 2142 | case 0: |
@@ -2278,7 +2223,6 @@ dump_config(ServerOptions *o) | |||
2278 | /* these are usually at the top of the config */ | 2223 | /* these are usually at the top of the config */ |
2279 | for (i = 0; i < o->num_ports; i++) | 2224 | for (i = 0; i < o->num_ports; i++) |
2280 | printf("port %d\n", o->ports[i]); | 2225 | printf("port %d\n", o->ports[i]); |
2281 | dump_cfg_fmtint(sProtocol, o->protocol); | ||
2282 | dump_cfg_fmtint(sAddressFamily, o->address_family); | 2226 | dump_cfg_fmtint(sAddressFamily, o->address_family); |
2283 | 2227 | ||
2284 | /* | 2228 | /* |
@@ -2311,9 +2255,7 @@ dump_config(ServerOptions *o) | |||
2311 | #ifdef USE_PAM | 2255 | #ifdef USE_PAM |
2312 | dump_cfg_fmtint(sUsePAM, o->use_pam); | 2256 | dump_cfg_fmtint(sUsePAM, o->use_pam); |
2313 | #endif | 2257 | #endif |
2314 | dump_cfg_int(sServerKeyBits, o->server_key_bits); | ||
2315 | dump_cfg_int(sLoginGraceTime, o->login_grace_time); | 2258 | dump_cfg_int(sLoginGraceTime, o->login_grace_time); |
2316 | dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time); | ||
2317 | dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); | 2259 | dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); |
2318 | dump_cfg_int(sMaxAuthTries, o->max_authtries); | 2260 | dump_cfg_int(sMaxAuthTries, o->max_authtries); |
2319 | dump_cfg_int(sMaxSessions, o->max_sessions); | 2261 | dump_cfg_int(sMaxSessions, o->max_sessions); |
@@ -2325,11 +2267,9 @@ dump_config(ServerOptions *o) | |||
2325 | dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); | 2267 | dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); |
2326 | dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts); | 2268 | dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts); |
2327 | dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts); | 2269 | dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts); |
2328 | dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication); | ||
2329 | dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication); | 2270 | dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication); |
2330 | dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly, | 2271 | dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly, |
2331 | o->hostbased_uses_name_from_packet_only); | 2272 | o->hostbased_uses_name_from_packet_only); |
2332 | dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication); | ||
2333 | dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication); | 2273 | dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication); |
2334 | #ifdef KRB5 | 2274 | #ifdef KRB5 |
2335 | dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication); | 2275 | dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication); |
@@ -2363,12 +2303,12 @@ dump_config(ServerOptions *o) | |||
2363 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); | 2303 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); |
2364 | dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); | 2304 | dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); |
2365 | dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); | 2305 | dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); |
2366 | dump_cfg_fmtint(sUseLogin, o->use_login); | ||
2367 | dump_cfg_fmtint(sCompression, o->compression); | 2306 | dump_cfg_fmtint(sCompression, o->compression); |
2368 | dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); | 2307 | dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); |
2369 | dump_cfg_fmtint(sUseDNS, o->use_dns); | 2308 | dump_cfg_fmtint(sUseDNS, o->use_dns); |
2370 | dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); | 2309 | dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); |
2371 | dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); | 2310 | dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding); |
2311 | dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding); | ||
2372 | dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); | 2312 | dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); |
2373 | dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); | 2313 | dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); |
2374 | dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); | 2314 | dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); |