* New upstream release (http://www.openssh.org/txt/release-5.9).

  - Introduce sandboxing of the pre-auth privsep child using an optional
    sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
    mandatory restrictions on the syscalls the privsep child can perform.
  - Add new SHA256-based HMAC transport integrity modes from
    http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
  - The pre-authentication sshd(8) privilege separation slave process now
    logs via a socket shared with the master process, avoiding the need to
    maintain /dev/log inside the chroot (closes: #75043, #429243,
    #599240).
  - ssh(1) now warns when a server refuses X11 forwarding (closes:
    #504757).
  - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
    separated by whitespace (closes: #76312).  The authorized_keys2
    fallback is deprecated but documented (closes: #560156).
  - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
    ToS/DSCP (closes: #498297).
  - ssh-add(1) now accepts keys piped from standard input.  E.g. "ssh-add
    - < /path/to/key" (closes: #229124).
  - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
  - Say "required" rather than "recommended" in unprotected-private-key
    warning (LP: #663455).

1 files changed, 23 insertions, 3 deletions

diff --git a/servconf.h b/servconf.h
index be3be0be3..0be15f09a 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.95 2010/11/13 23:27:50 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.99 2011/06/22 21:57:01 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -27,6 +27,7 @@
 #define MAX_HOSTCERTS           256     /* Max # host certificates. */
 #define MAX_ACCEPT_ENV          256     /* Max # of env vars. */
 #define MAX_MATCH_GROUPS        256     /* Max # of groups for Match. */
+#define MAX_AUTHKEYS_FILES      256     /* Max # of authorized_keys files. */
 
 /* permit_root_login */
 #define PERMIT_NOT_SET          -1
@@ -35,6 +36,11 @@
 #define PERMIT_NO_PASSWD        2
 #define PERMIT_YES              3
 
+/* use_privsep */
+#define PRIVSEP_OFF             0
+#define PRIVSEP_ON              1
+#define PRIVSEP_SANDBOX         2
+
 #define DEFAULT_AUTH_FAIL_MAX   6       /* Default for MaxAuthTries */
 #define DEFAULT_SESSIONS_MAX    10      /* Default for MaxSessions */
 
@@ -149,8 +155,8 @@ typedef struct {
                                          * disconnect the session
                                          */
 
-        char   *authorized_keys_file;   /* File containing public keys */
-        char   *authorized_keys_file2;
+        u_int num_authkeys_files;       /* Files containing public keys */
+        char   *authorized_keys_files[MAX_AUTHKEYS_FILES];
 
         char   *adm_forced_command;
 
@@ -168,6 +174,20 @@ typedef struct {
         char   *authorized_principals_file;
 }       ServerOptions;
 
+/*
+ * These are string config options that must be copied between the
+ * Match sub-config and the main config, and must be sent from the
+ * privsep slave to the privsep master. We use a macro to ensure all
+ * the options are copied and the copies are done in the correct order.
+ */
+#define COPY_MATCH_STRING_OPTS() do { \
+                M_CP_STROPT(banner); \
+                M_CP_STROPT(trusted_user_ca_keys); \
+                M_CP_STROPT(revoked_keys_file); \
+                M_CP_STROPT(authorized_principals_file); \
+                M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
+        } while (0)
+
 void     initialize_server_options(ServerOptions *);
 void     fill_default_server_options(ServerOptions *);
 int      process_server_config_line(ServerOptions *, char *, const char *, int,