diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-03-03 03:15:51 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-03-03 14:37:16 +1100 |
| commit | 7c856857607112a3dfe6414696bf4c7ab7fb0cb3 (patch) | |
| tree | 48c837fc9c9e11d64862d4f54c1a886b54d8721c /serverloop.c | |
| parent | 90c4bec8b5f9ec4c003ae4abdf13fc7766f00c8b (diff) | |
upstream: switch over to the new authorized_keys options API and
remove the legacy one.
Includes a fairly big refactor of auth2-pubkey.c to retain less state
between key file lines.
feedback and ok markus@
OpenBSD-Commit-ID: dece6cae0f47751b9892080eb13d6625599573df
Diffstat (limited to 'serverloop.c')
| -rw-r--r-- | serverloop.c | 33 |
1 files changed, 18 insertions, 15 deletions
diff --git a/serverloop.c b/serverloop.c index 7e2abd52f..d6fe24cc1 100644 --- a/serverloop.c +++ b/serverloop.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: serverloop.c,v 1.204 2018/02/11 21:16:56 dtucker Exp $ */ | 1 | /* $OpenBSD: serverloop.c,v 1.205 2018/03/03 03:15:51 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -82,6 +82,7 @@ extern ServerOptions options; | |||
| 82 | 82 | ||
| 83 | /* XXX */ | 83 | /* XXX */ |
| 84 | extern Authctxt *the_authctxt; | 84 | extern Authctxt *the_authctxt; |
| 85 | extern struct sshauthopt *auth_opts; | ||
| 85 | extern int use_privsep; | 86 | extern int use_privsep; |
| 86 | 87 | ||
| 87 | static int no_more_sessions = 0; /* Disallow further sessions. */ | 88 | static int no_more_sessions = 0; /* Disallow further sessions. */ |
| @@ -456,12 +457,13 @@ server_request_direct_tcpip(struct ssh *ssh, int *reason, const char **errmsg) | |||
| 456 | originator_port = packet_get_int(); | 457 | originator_port = packet_get_int(); |
| 457 | packet_check_eom(); | 458 | packet_check_eom(); |
| 458 | 459 | ||
| 459 | debug("server_request_direct_tcpip: originator %s port %d, target %s " | 460 | debug("%s: originator %s port %d, target %s port %d", __func__, |
| 460 | "port %d", originator, originator_port, target, target_port); | 461 | originator, originator_port, target, target_port); |
| 461 | 462 | ||
| 462 | /* XXX fine grained permissions */ | 463 | /* XXX fine grained permissions */ |
| 463 | if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 && | 464 | if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 && |
| 464 | !no_port_forwarding_flag && !options.disable_forwarding) { | 465 | auth_opts->permit_port_forwarding_flag && |
| 466 | !options.disable_forwarding) { | ||
| 465 | c = channel_connect_to_port(ssh, target, target_port, | 467 | c = channel_connect_to_port(ssh, target, target_port, |
| 466 | "direct-tcpip", "direct-tcpip", reason, errmsg); | 468 | "direct-tcpip", "direct-tcpip", reason, errmsg); |
| 467 | } else { | 469 | } else { |
| @@ -487,20 +489,20 @@ server_request_direct_streamlocal(struct ssh *ssh) | |||
| 487 | struct passwd *pw = the_authctxt->pw; | 489 | struct passwd *pw = the_authctxt->pw; |
| 488 | 490 | ||
| 489 | if (pw == NULL || !the_authctxt->valid) | 491 | if (pw == NULL || !the_authctxt->valid) |
| 490 | fatal("server_input_global_request: no/invalid user"); | 492 | fatal("%s: no/invalid user", __func__); |
| 491 | 493 | ||
| 492 | target = packet_get_string(NULL); | 494 | target = packet_get_string(NULL); |
| 493 | originator = packet_get_string(NULL); | 495 | originator = packet_get_string(NULL); |
| 494 | originator_port = packet_get_int(); | 496 | originator_port = packet_get_int(); |
| 495 | packet_check_eom(); | 497 | packet_check_eom(); |
| 496 | 498 | ||
| 497 | debug("server_request_direct_streamlocal: originator %s port %d, target %s", | 499 | debug("%s: originator %s port %d, target %s", __func__, |
| 498 | originator, originator_port, target); | 500 | originator, originator_port, target); |
| 499 | 501 | ||
| 500 | /* XXX fine grained permissions */ | 502 | /* XXX fine grained permissions */ |
| 501 | if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && | 503 | if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 && |
| 502 | !no_port_forwarding_flag && !options.disable_forwarding && | 504 | auth_opts->permit_port_forwarding_flag && |
| 503 | (pw->pw_uid == 0 || use_privsep)) { | 505 | !options.disable_forwarding && (pw->pw_uid == 0 || use_privsep)) { |
| 504 | c = channel_connect_to_path(ssh, target, | 506 | c = channel_connect_to_path(ssh, target, |
| 505 | "direct-streamlocal@openssh.com", "direct-streamlocal"); | 507 | "direct-streamlocal@openssh.com", "direct-streamlocal"); |
| 506 | } else { | 508 | } else { |
| @@ -519,8 +521,7 @@ static Channel * | |||
| 519 | server_request_tun(struct ssh *ssh) | 521 | server_request_tun(struct ssh *ssh) |
| 520 | { | 522 | { |
| 521 | Channel *c = NULL; | 523 | Channel *c = NULL; |
| 522 | int mode, tun; | 524 | int mode, tun, sock; |
| 523 | int sock; | ||
| 524 | char *tmp, *ifname = NULL; | 525 | char *tmp, *ifname = NULL; |
| 525 | 526 | ||
| 526 | mode = packet_get_int(); | 527 | mode = packet_get_int(); |
| @@ -539,10 +540,10 @@ server_request_tun(struct ssh *ssh) | |||
| 539 | } | 540 | } |
| 540 | 541 | ||
| 541 | tun = packet_get_int(); | 542 | tun = packet_get_int(); |
| 542 | if (forced_tun_device != -1) { | 543 | if (auth_opts->force_tun_device != -1) { |
| 543 | if (tun != SSH_TUNID_ANY && forced_tun_device != tun) | 544 | if (tun != SSH_TUNID_ANY && auth_opts->force_tun_device != tun) |
| 544 | goto done; | 545 | goto done; |
| 545 | tun = forced_tun_device; | 546 | tun = auth_opts->force_tun_device; |
| 546 | } | 547 | } |
| 547 | sock = tun_open(tun, mode, &ifname); | 548 | sock = tun_open(tun, mode, &ifname); |
| 548 | if (sock < 0) | 549 | if (sock < 0) |
| @@ -767,7 +768,8 @@ server_input_global_request(int type, u_int32_t seq, struct ssh *ssh) | |||
| 767 | 768 | ||
| 768 | /* check permissions */ | 769 | /* check permissions */ |
| 769 | if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 || | 770 | if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 || |
| 770 | no_port_forwarding_flag || options.disable_forwarding || | 771 | !auth_opts->permit_port_forwarding_flag || |
| 772 | options.disable_forwarding || | ||
| 771 | (!want_reply && fwd.listen_port == 0) || | 773 | (!want_reply && fwd.listen_port == 0) || |
| 772 | (fwd.listen_port != 0 && | 774 | (fwd.listen_port != 0 && |
| 773 | !bind_permitted(fwd.listen_port, pw->pw_uid))) { | 775 | !bind_permitted(fwd.listen_port, pw->pw_uid))) { |
| @@ -805,7 +807,8 @@ server_input_global_request(int type, u_int32_t seq, struct ssh *ssh) | |||
| 805 | 807 | ||
| 806 | /* check permissions */ | 808 | /* check permissions */ |
| 807 | if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 | 809 | if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0 |
| 808 | || no_port_forwarding_flag || options.disable_forwarding || | 810 | || !auth_opts->permit_port_forwarding_flag || |
| 811 | options.disable_forwarding || | ||
| 809 | (pw->pw_uid != 0 && !use_privsep)) { | 812 | (pw->pw_uid != 0 && !use_privsep)) { |
| 810 | success = 0; | 813 | success = 0; |
| 811 | packet_send_debug("Server has disabled " | 814 | packet_send_debug("Server has disabled " |