3 files changed, 29 insertions, 22 deletions
diff --git a/ChangeLog b/ChangeLog
index 9f29954a0..410ae1b9e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -43,6 +43,11 @@
     [sftp-client.c]
     bz#2171: don't leak local_fd on error; from Loganaden Velvindron @
     AfriNIC
+   - djm@cvs.openbsd.org 2013/12/05 01:16:41
+     [servconf.c servconf.h]
+     bz#2161 - fix AuthorizedKeysCommand inside a Match block and
+     rearrange things so the same error is harder to make next time;
+     with and ok dtucker@
 - (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct
   -L location for libedit.  Patch from Serge van den Boom.
diff --git a/servconf.c b/servconf.c
index cb21bd229..6db89f7c1 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.246 2013/11/21 00:45:44 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.247 2013/12/05 01:16:41 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -1742,24 +1742,6 @@ int server_match_spec_complete(struct connection_info *ci)
        return 0;       /* partial */
 }
-/* Helper macros */
-#define M_CP_INTOPT(n) do {\
-        if (src->n != -1) \
-                dst->n = src->n; \
-} while (0)
-#define M_CP_STROPT(n) do {\
-        if (src->n != NULL) { \
-                free(dst->n); \
-                dst->n = src->n; \
-        } \
-} while(0)
-#define M_CP_STRARRAYOPT(n, num_n) do {\
-        if (src->num_n != 0) { \
-                for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
-                        dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
-        } \
-} while(0)
 /*
 * Copy any supported values that are set.
 *
@@ -1770,6 +1752,11 @@ int server_match_spec_complete(struct connection_info *ci)
 void
 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 {
+#define M_CP_INTOPT(n) do {\
+        if (src->n != -1) \
+                dst->n = src->n; \
+} while (0)
        M_CP_INTOPT(password_authentication);
        M_CP_INTOPT(gss_authentication);
        M_CP_INTOPT(rsa_authentication);
@@ -1779,8 +1766,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
        M_CP_INTOPT(hostbased_uses_name_from_packet_only);
        M_CP_INTOPT(kbd_interactive_authentication);
        M_CP_INTOPT(zero_knowledge_password_authentication);
-        M_CP_STROPT(authorized_keys_command);
-        M_CP_STROPT(authorized_keys_command_user);
        M_CP_INTOPT(permit_root_login);
        M_CP_INTOPT(permit_empty_passwd);
@@ -1799,6 +1784,20 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
        M_CP_INTOPT(rekey_limit);
        M_CP_INTOPT(rekey_interval);
+        /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
+#define M_CP_STROPT(n) do {\
+        if (src->n != NULL && dst->n != src->n) { \
+                free(dst->n); \
+                dst->n = src->n; \
+        } \
+} while(0)
+#define M_CP_STRARRAYOPT(n, num_n) do {\
+        if (src->num_n != 0) { \
+                for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
+                        dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
+        } \
+} while(0)
        /* See comment in servconf.h */
        COPY_MATCH_STRING_OPTS();
diff --git a/servconf.h b/servconf.h
index 2d4b6ecb4..8812c5aab 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.110 2013/10/29 09:48:02 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.111 2013/12/05 01:16:41 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -202,6 +202,9 @@ struct connection_info {
 * Match sub-config and the main config, and must be sent from the
 * privsep slave to the privsep master. We use a macro to ensure all
 * the options are copied and the copies are done in the correct order.
+ *
+ * NB. an option must appear in servconf.c:copy_set_server_options() or
+ * COPY_MATCH_STRING_OPTS here but never both.
 */
 #define COPY_MATCH_STRING_OPTS() do { \
                M_CP_STROPT(banner); \