-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | monitor.c | 5 | ||||
-rw-r--r-- | monitor_wrap.c | 20 | ||||
-rw-r--r-- | servconf.c | 88 | ||||
-rw-r--r-- | servconf.h | 4 | ||||
-rw-r--r-- | sshd_config.5 | 10 |
6 files changed, 95 insertions, 40 deletions
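--- a/ChangeLog
+++ b/ChangeLog
@@ -35,6 +35,12 @@
  - stevesk@cvs.openbsd.org 2007/02/14 14:32:00
    [bufbn.c]
    typos in comments; ok jmc@
+ - dtucker@cvs.openbsd.org 2007/02/19 10:45:58
+   [monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
+   Teach Match how handle config directives that are used before
+   authentication. This allows configurations such as permitting password
+   authentication from the local net only while requiring pubkey from
+   offsite. ok djm@, man page bits ok jmc@
 
 20070128
  - (djm) [channels.c serverloop.c] Fix so-called "hang on exit" (bz #52)
@@ -2730,4 +2736,4 @@
 OpenServer 6 and add osr5bigcrypt support so when someone migrates
 passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4616 2007/02/19 11:17:28 dtucker Exp $
+$Id: ChangeLog,v 1.4617 2007/02/19 11:25:37 dtucker Exp $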
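--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.89 2006/11/07 10:31:31 markus Exp $ */
+/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -642,6 +642,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
 #endif
 	buffer_put_cstring(m, pwent->pw_dir);
 	buffer_put_cstring(m, pwent->pw_shell);
+	buffer_put_string(m, &options, sizeof(options));
+	if (options.banner != NULL)
+		buffer_put_cstring(m, options.banner);
 
 out:
 	debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);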
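Review bot: `buffer_put_string(m, &options, sizeof(options))` at 645 ships the whole ServerOptions struct, raw pointer members included, from the privileged monitor to the unprivileged child, and only `banner` is then re-sent as a real string; every other pointer in that blob is a monitor address that is meaningless on the receiving side and must never be dereferenced or freed there. That contract is invisible at this call site and deserves a comment above 645, e.g. `/* Raw copy of options for the pre-auth child: only the int fields and banner are usable on the other side, see copy_set_server_options(preauth=1) */`. The banner's presence is also signalled by the pointer value itself rather than an explicit flag; a `buffer_put_char(m, options.banner != NULL)` ahead of the string would make the message self-describing instead of relying on both sides agreeing on struct layout. Note the send sits before `out:`, so a disallowed user gets no options block, which matches the early `return (NULL)` on the wrap side. mm_answer_pwnamallow begins outside this hunk.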
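--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.54 2006/08/12 20:46:46 miod Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -73,6 +73,7 @@
 
 #include "channels.h"
 #include "session.h"
+#include "servconf.h"
 
 /* Imports */
 extern int compat20;
@@ -207,7 +208,8 @@ mm_getpwnamallow(const char *username)
 {
 	Buffer m;
 	struct passwd *pw;
-	u_int pwlen;
+	u_int len;
+	ServerOptions *newopts;
 
 	debug3("%s entering", __func__);
 
@@ -223,8 +225,8 @@ mm_getpwnamallow(const char *username)
 		buffer_free(&m);
 		return (NULL);
 	}
-	pw = buffer_get_string(&m, &pwlen);
-	if (pwlen != sizeof(struct passwd))
+	pw = buffer_get_string(&m, &len);
+	if (len != sizeof(struct passwd))
 		fatal("%s: struct passwd size mismatch", __func__);
 	pw->pw_name = buffer_get_string(&m, NULL);
 	pw->pw_passwd = buffer_get_string(&m, NULL);
@@ -234,6 +236,16 @@ mm_getpwnamallow(const char *username)
 #endif
 	pw->pw_dir = buffer_get_string(&m, NULL);
 	pw->pw_shell = buffer_get_string(&m, NULL);
+
+	/* copy options block as a Match directive may have changed some */
+	newopts = buffer_get_string(&m, &len);
+	if (len != sizeof(*newopts))
+		fatal("%s: option block size mismatch", __func__);
+	if (newopts->banner != NULL)
+		newopts->banner = buffer_get_string(&m, NULL);
+	copy_set_server_options(&options, newopts, 1);
+	xfree(newopts);
+
 	buffer_free(&m);
 
 	return (pw);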
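Review bot: At 244 the child tests `newopts->banner != NULL` on a pointer copied verbatim out of the monitor's address space; it works only as a presence flag for the string read on the next line, and every other pointer field inside `newopts` is equally foreign and must not be dereferenced or freed here, yet nothing in the hunk says so. Suggest replacing the comment at 240 with something like `/* Raw options block from the monitor: int fields are valid, pointer fields are monitor addresses. The banner pointer only flags that a banner string follows; copy_set_server_options(..., 1) copies nothing else that is pointer-valued. */`. The `fatal()` on a size mismatch at 242-243 is the right response to a malformed reply from the other side of the privsep boundary, and `xfree(newopts)` at 247 correctly frees only the blob, because the freshly read banner string has been moved into `options` by that point. The start of mm_getpwnamallow and the check guarding the early `return (NULL)` lie outside this hunk.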
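--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.167 2006/12/14 10:01:14 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.168 2007/02/19 10:45:58 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -325,14 +325,14 @@ static struct {
 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
 	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
-	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL },
-	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL },
+	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
+	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
-	{ "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL },
-	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },
+	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
+	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
 #ifdef KRB5
-	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL },
+	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
 #ifdef USE_AFS
@@ -341,7 +341,7 @@ static struct {
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
 #else
-	{ "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL },
+	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
@@ -349,15 +349,15 @@ static struct {
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
 #ifdef GSSAPI
-	{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
+	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 #else
-	{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 #endif
-	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
-	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
-	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
+	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL },
 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
@@ -389,7 +389,7 @@ static struct {
 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
-	{ "banner", sBanner, SSHCFG_GLOBAL },
+	{ "banner", sBanner, SSHCFG_ALL },
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1317,30 +1317,56 @@ parse_server_match_config(ServerOptions *options, const char *user,
 
 	initialize_server_options(&mo);
 	parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
-	copy_set_server_options(options, &mo);
+	copy_set_server_options(options, &mo, 0);
 }
 
-/* Copy any (supported) values that are set */
+/* Helper macros */
+#define M_CP_INTOPT(n) do {\
+	if (src->n != -1) \
+		dst->n = src->n; \
+} while (0)
+#define M_CP_STROPT(n) do {\
+	if (src->n != NULL) { \
+		if (dst->n != NULL) \
+			xfree(dst->n); \
+		dst->n = src->n; \
+	} \
+} while(0)
+
+/*
+ * Copy any supported values that are set.
+ *
+ * If the preauth flag is set, we do not bother copying the the string or
+ * array values that are not used pre-authentication, because any that we
+ * do use must be explictly sent in mm_getpwnamallow().
+ */
 void
-copy_set_server_options(ServerOptions *dst, ServerOptions *src)
+copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 {
-	if (src->allow_tcp_forwarding != -1)
-		dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
-	if (src->gateway_ports != -1)
-		dst->gateway_ports = src->gateway_ports;
-	if (src->adm_forced_command != NULL) {
-		if (dst->adm_forced_command != NULL)
-			xfree(dst->adm_forced_command);
-		dst->adm_forced_command = src->adm_forced_command;
-	}
-	if (src->x11_display_offset != -1)
-		dst->x11_display_offset = src->x11_display_offset;
-	if (src->x11_forwarding != -1)
-		dst->x11_forwarding = src->x11_forwarding;
-	if (src->x11_use_localhost != -1)
-		dst->x11_use_localhost = src->x11_use_localhost;
+	M_CP_INTOPT(password_authentication);
+	M_CP_INTOPT(gss_authentication);
+	M_CP_INTOPT(rsa_authentication);
+	M_CP_INTOPT(pubkey_authentication);
+	M_CP_INTOPT(kerberos_authentication);
+	M_CP_INTOPT(hostbased_authentication);
+	M_CP_INTOPT(kbd_interactive_authentication);
+	M_CP_INTOPT(challenge_response_authentication);
+
+	M_CP_INTOPT(allow_tcp_forwarding);
+	M_CP_INTOPT(gateway_ports);
+	M_CP_INTOPT(x11_display_offset);
+	M_CP_INTOPT(x11_forwarding);
+	M_CP_INTOPT(x11_use_localhost);
+
+	M_CP_STROPT(banner);
+	if (preauth)
+		return;
+	M_CP_STROPT(adm_forced_command);
 }
 
+#undef M_CP_INTOPT
+#undef M_CP_STROPT
+
 void
 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
     const char *user, const char *host, const char *address)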
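Review bot: `M_CP_STROPT` (1328-1334) moves the pointer rather than duplicating the string, so after `copy_set_server_options()` returns `dst->n` and `src->n` alias one heap block and `src` must be discarded without freeing its fields — which `parse_server_match_config` does with its stack `mo` and mm_getpwnamallow does with `xfree(newopts)`, but nothing states the rule; suggest a comment on the macro such as `/* Transfer ownership of src->n to dst, freeing dst's old value; the caller must not free src->n afterwards. */`. The `if (preauth) return;` at 1362 is load-bearing in the same way: in the pre-auth call `src` is the raw block copied from the monitor, so any `M_CP_STROPT` placed above that line would hand a monitor-address pointer to `xfree()`/the caller unless the monitor serialises that string too; the block comment at 1339-1341 says this, but a one-line reminder at the gate itself (`/* below here: strings that mm_answer_pwnamallow does not send */`) would keep a future edit from slipping between the two. Separately, `dsaauthentication` (333) and `skeyauthentication` (361) are left SSHCFG_GLOBAL although the directives they alias were changed to SSHCFG_ALL, so the alias spellings will be rejected inside a Match block while the canonical ones are accepted; they should carry the same flag as their targets.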
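--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.80 2007/02/19 10:45:58 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -152,6 +152,6 @@ void parse_server_config(ServerOptions *, const char *, Buffer *,
     const char *, const char *, const char *);
 void parse_server_match_config(ServerOptions *, const char *, const char *,
     const char *);
-void copy_set_server_options(ServerOptions *, ServerOptions *);
+void copy_set_server_options(ServerOptions *, ServerOptions *, int);
 
 #endif /* SERVCONF_H */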
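--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.71 2007/01/02 09:57:25 jmc Exp $
+.\" $OpenBSD: sshd_config.5,v 1.72 2007/02/19 10:45:58 dtucker Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -512,9 +512,17 @@ Only a subset of keywords may be used on the lines following a
 keyword.
 Available keywords are
 .Cm AllowTcpForwarding ,
+.Cm Banner ,
+.Cm ChallengeResponseAuthentication ,
 .Cm ForceCommand ,
 .Cm GatewayPorts ,
+.Cm GSSApiAuthentication ,
+.Cm KerberosAuthentication ,
+.Cm KeyboardInteractiveAuthentication ,
+.Cm PasswordAuthentication ,
 .Cm PermitOpen ,
+.Cm RhostsRSAAuthentication ,
+.Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding ,
 and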