Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c121
1 files changed, 75 insertions, 46 deletions
diff --git a/readconf.c b/readconf.c
index d1091cbda..4d92d174b 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: readconf.c,v 1.262 2016/10/25 04:08:13 jsg Exp $ */ 1/* $OpenBSD: readconf.c,v 1.270 2017/03/10 04:27:32 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -93,7 +93,7 @@
93 93
94 Host books.com 94 Host books.com
95 RemoteForward 9999 shadows.cs.hut.fi:9999 95 RemoteForward 9999 shadows.cs.hut.fi:9999
96 Cipher 3des 96 Ciphers 3des-cbc
97 97
98 Host fascist.blob.com 98 Host fascist.blob.com
99 Port 23123 99 Port 23123
@@ -108,7 +108,7 @@
108 PublicKeyAuthentication no 108 PublicKeyAuthentication no
109 109
110 Host *.su 110 Host *.su
111 Cipher none 111 Ciphers aes128-ctr
112 PasswordAuthentication no 112 PasswordAuthentication no
113 113
114 Host vpn.fake.com 114 Host vpn.fake.com
@@ -183,30 +183,21 @@ static struct {
183 const char *name; 183 const char *name;
184 OpCodes opcode; 184 OpCodes opcode;
185} keywords[] = { 185} keywords[] = {
186 { "forwardagent", oForwardAgent }, 186 /* Deprecated options */
187 { "forwardx11", oForwardX11 }, 187 { "fallbacktorsh", oDeprecated },
188 { "forwardx11trusted", oForwardX11Trusted }, 188 { "globalknownhostsfile2", oDeprecated },
189 { "forwardx11timeout", oForwardX11Timeout },
190 { "exitonforwardfailure", oExitOnForwardFailure },
191 { "xauthlocation", oXAuthLocation },
192 { "gatewayports", oGatewayPorts },
193 { "useprivilegedport", oUsePrivilegedPort },
194 { "rhostsauthentication", oDeprecated }, 189 { "rhostsauthentication", oDeprecated },
195 { "passwordauthentication", oPasswordAuthentication },
196 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
197 { "kbdinteractivedevices", oKbdInteractiveDevices },
198 { "useblacklistedkeys", oDeprecated }, 190 { "useblacklistedkeys", oDeprecated },
199 { "rsaauthentication", oRSAAuthentication }, 191 { "userknownhostsfile2", oDeprecated },
200 { "pubkeyauthentication", oPubkeyAuthentication }, 192 { "useroaming", oDeprecated },
201 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 193 { "usersh", oDeprecated },
202 { "rhostsrsaauthentication", oRhostsRSAAuthentication }, 194
203 { "hostbasedauthentication", oHostbasedAuthentication }, 195 /* Unsupported options */
204 { "challengeresponseauthentication", oChallengeResponseAuthentication }, 196 { "afstokenpassing", oUnsupported },
205 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
206 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
207 { "kerberosauthentication", oUnsupported }, 197 { "kerberosauthentication", oUnsupported },
208 { "kerberostgtpassing", oUnsupported }, 198 { "kerberostgtpassing", oUnsupported },
209 { "afstokenpassing", oUnsupported }, 199
200 /* Sometimes-unsupported options */
210#if defined(GSSAPI) 201#if defined(GSSAPI)
211 { "gssapiauthentication", oGssAuthentication }, 202 { "gssapiauthentication", oGssAuthentication },
212 { "gssapikeyexchange", oGssKeyEx }, 203 { "gssapikeyexchange", oGssKeyEx },
@@ -215,16 +206,49 @@ static struct {
215 { "gssapiclientidentity", oGssClientIdentity }, 206 { "gssapiclientidentity", oGssClientIdentity },
216 { "gssapiserveridentity", oGssServerIdentity }, 207 { "gssapiserveridentity", oGssServerIdentity },
217 { "gssapirenewalforcesrekey", oGssRenewalRekey }, 208 { "gssapirenewalforcesrekey", oGssRenewalRekey },
218#else 209# else
219 { "gssapiauthentication", oUnsupported }, 210 { "gssapiauthentication", oUnsupported },
220 { "gssapikeyexchange", oUnsupported }, 211 { "gssapikeyexchange", oUnsupported },
221 { "gssapidelegatecredentials", oUnsupported }, 212 { "gssapidelegatecredentials", oUnsupported },
222 { "gssapitrustdns", oUnsupported }, 213 { "gssapitrustdns", oUnsupported },
223 { "gssapiclientidentity", oUnsupported }, 214 { "gssapiclientidentity", oUnsupported },
215 { "gssapiserveridentity", oUnsupported },
224 { "gssapirenewalforcesrekey", oUnsupported }, 216 { "gssapirenewalforcesrekey", oUnsupported },
225#endif 217#endif
226 { "fallbacktorsh", oDeprecated }, 218#ifdef ENABLE_PKCS11
227 { "usersh", oDeprecated }, 219 { "smartcarddevice", oPKCS11Provider },
220 { "pkcs11provider", oPKCS11Provider },
221# else
222 { "smartcarddevice", oUnsupported },
223 { "pkcs11provider", oUnsupported },
224#endif
225#ifdef WITH_SSH1
226 { "rsaauthentication", oRSAAuthentication },
227 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
228 { "compressionlevel", oCompressionLevel },
229# else
230 { "rsaauthentication", oUnsupported },
231 { "rhostsrsaauthentication", oUnsupported },
232 { "compressionlevel", oUnsupported },
233#endif
234
235 { "forwardagent", oForwardAgent },
236 { "forwardx11", oForwardX11 },
237 { "forwardx11trusted", oForwardX11Trusted },
238 { "forwardx11timeout", oForwardX11Timeout },
239 { "exitonforwardfailure", oExitOnForwardFailure },
240 { "xauthlocation", oXAuthLocation },
241 { "gatewayports", oGatewayPorts },
242 { "useprivilegedport", oUsePrivilegedPort },
243 { "passwordauthentication", oPasswordAuthentication },
244 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
245 { "kbdinteractivedevices", oKbdInteractiveDevices },
246 { "pubkeyauthentication", oPubkeyAuthentication },
247 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
248 { "hostbasedauthentication", oHostbasedAuthentication },
249 { "challengeresponseauthentication", oChallengeResponseAuthentication },
250 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
251 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
228 { "identityfile", oIdentityFile }, 252 { "identityfile", oIdentityFile },
229 { "identityfile2", oIdentityFile }, /* obsolete */ 253 { "identityfile2", oIdentityFile }, /* obsolete */
230 { "identitiesonly", oIdentitiesOnly }, 254 { "identitiesonly", oIdentitiesOnly },
@@ -246,15 +270,12 @@ static struct {
246 { "match", oMatch }, 270 { "match", oMatch },
247 { "escapechar", oEscapeChar }, 271 { "escapechar", oEscapeChar },
248 { "globalknownhostsfile", oGlobalKnownHostsFile }, 272 { "globalknownhostsfile", oGlobalKnownHostsFile },
249 { "globalknownhostsfile2", oDeprecated },
250 { "userknownhostsfile", oUserKnownHostsFile }, 273 { "userknownhostsfile", oUserKnownHostsFile },
251 { "userknownhostsfile2", oDeprecated },
252 { "connectionattempts", oConnectionAttempts }, 274 { "connectionattempts", oConnectionAttempts },
253 { "batchmode", oBatchMode }, 275 { "batchmode", oBatchMode },
254 { "checkhostip", oCheckHostIP }, 276 { "checkhostip", oCheckHostIP },
255 { "stricthostkeychecking", oStrictHostKeyChecking }, 277 { "stricthostkeychecking", oStrictHostKeyChecking },
256 { "compression", oCompression }, 278 { "compression", oCompression },
257 { "compressionlevel", oCompressionLevel },
258 { "tcpkeepalive", oTCPKeepAlive }, 279 { "tcpkeepalive", oTCPKeepAlive },
259 { "keepalive", oTCPKeepAlive }, /* obsolete */ 280 { "keepalive", oTCPKeepAlive }, /* obsolete */
260 { "numberofpasswordprompts", oNumberOfPasswordPrompts }, 281 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
@@ -263,13 +284,6 @@ static struct {
263 { "preferredauthentications", oPreferredAuthentications }, 284 { "preferredauthentications", oPreferredAuthentications },
264 { "hostkeyalgorithms", oHostKeyAlgorithms }, 285 { "hostkeyalgorithms", oHostKeyAlgorithms },
265 { "bindaddress", oBindAddress }, 286 { "bindaddress", oBindAddress },
266#ifdef ENABLE_PKCS11
267 { "smartcarddevice", oPKCS11Provider },
268 { "pkcs11provider", oPKCS11Provider },
269#else
270 { "smartcarddevice", oUnsupported },
271 { "pkcs11provider", oUnsupported },
272#endif
273 { "clearallforwardings", oClearAllForwardings }, 287 { "clearallforwardings", oClearAllForwardings },
274 { "enablesshkeysign", oEnableSSHKeysign }, 288 { "enablesshkeysign", oEnableSSHKeysign },
275 { "verifyhostkeydns", oVerifyHostKeyDNS }, 289 { "verifyhostkeydns", oVerifyHostKeyDNS },
@@ -290,7 +304,6 @@ static struct {
290 { "localcommand", oLocalCommand }, 304 { "localcommand", oLocalCommand },
291 { "permitlocalcommand", oPermitLocalCommand }, 305 { "permitlocalcommand", oPermitLocalCommand },
292 { "visualhostkey", oVisualHostKey }, 306 { "visualhostkey", oVisualHostKey },
293 { "useroaming", oDeprecated },
294 { "kexalgorithms", oKexAlgorithms }, 307 { "kexalgorithms", oKexAlgorithms },
295 { "ipqos", oIPQoS }, 308 { "ipqos", oIPQoS },
296 { "requesttty", oRequestTTY }, 309 { "requesttty", oRequestTTY },
@@ -845,11 +858,11 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
845 activep = &cmdline; 858 activep = &cmdline;
846 } 859 }
847 860
848 /* Strip trailing whitespace */ 861 /* Strip trailing whitespace. Allow \f (form feed) at EOL only */
849 if ((len = strlen(line)) == 0) 862 if ((len = strlen(line)) == 0)
850 return 0; 863 return 0;
851 for (len--; len > 0; len--) { 864 for (len--; len > 0; len--) {
852 if (strchr(WHITESPACE, line[len]) == NULL) 865 if (strchr(WHITESPACE "\f", line[len]) == NULL)
853 break; 866 break;
854 line[len] = '\0'; 867 line[len] = '\0';
855 } 868 }
@@ -1217,7 +1230,7 @@ parse_int:
1217 arg = strdelim(&s); 1230 arg = strdelim(&s);
1218 if (!arg || *arg == '\0') 1231 if (!arg || *arg == '\0')
1219 fatal("%.200s line %d: Missing argument.", filename, linenum); 1232 fatal("%.200s line %d: Missing argument.", filename, linenum);
1220 if (!ciphers_valid(*arg == '+' ? arg + 1 : arg)) 1233 if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
1221 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.", 1234 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
1222 filename, linenum, arg ? arg : "<NONE>"); 1235 filename, linenum, arg ? arg : "<NONE>");
1223 if (*activep && options->ciphers == NULL) 1236 if (*activep && options->ciphers == NULL)
@@ -1228,7 +1241,7 @@ parse_int:
1228 arg = strdelim(&s); 1241 arg = strdelim(&s);
1229 if (!arg || *arg == '\0') 1242 if (!arg || *arg == '\0')
1230 fatal("%.200s line %d: Missing argument.", filename, linenum); 1243 fatal("%.200s line %d: Missing argument.", filename, linenum);
1231 if (!mac_valid(*arg == '+' ? arg + 1 : arg)) 1244 if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
1232 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.", 1245 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
1233 filename, linenum, arg ? arg : "<NONE>"); 1246 filename, linenum, arg ? arg : "<NONE>");
1234 if (*activep && options->macs == NULL) 1247 if (*activep && options->macs == NULL)
@@ -1240,7 +1253,8 @@ parse_int:
1240 if (!arg || *arg == '\0') 1253 if (!arg || *arg == '\0')
1241 fatal("%.200s line %d: Missing argument.", 1254 fatal("%.200s line %d: Missing argument.",
1242 filename, linenum); 1255 filename, linenum);
1243 if (!kex_names_valid(*arg == '+' ? arg + 1 : arg)) 1256 if (*arg != '-' &&
1257 !kex_names_valid(*arg == '+' ? arg + 1 : arg))
1244 fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", 1258 fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
1245 filename, linenum, arg ? arg : "<NONE>"); 1259 filename, linenum, arg ? arg : "<NONE>");
1246 if (*activep && options->kex_algorithms == NULL) 1260 if (*activep && options->kex_algorithms == NULL)
@@ -1254,7 +1268,8 @@ parse_keytypes:
1254 if (!arg || *arg == '\0') 1268 if (!arg || *arg == '\0')
1255 fatal("%.200s line %d: Missing argument.", 1269 fatal("%.200s line %d: Missing argument.",
1256 filename, linenum); 1270 filename, linenum);
1257 if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) 1271 if (*arg != '-' &&
1272 !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1258 fatal("%s line %d: Bad key types '%s'.", 1273 fatal("%s line %d: Bad key types '%s'.",
1259 filename, linenum, arg ? arg : "<NONE>"); 1274 filename, linenum, arg ? arg : "<NONE>");
1260 if (*activep && *charptr == NULL) 1275 if (*activep && *charptr == NULL)
@@ -1523,6 +1538,7 @@ parse_keytypes:
1523 if (r == GLOB_NOMATCH) { 1538 if (r == GLOB_NOMATCH) {
1524 debug("%.200s line %d: include %s matched no " 1539 debug("%.200s line %d: include %s matched no "
1525 "files",filename, linenum, arg2); 1540 "files",filename, linenum, arg2);
1541 free(arg2);
1526 continue; 1542 continue;
1527 } else if (r != 0 || gl.gl_pathc < 0) 1543 } else if (r != 0 || gl.gl_pathc < 0)
1528 fatal("%.200s line %d: glob failed for %s.", 1544 fatal("%.200s line %d: glob failed for %s.",
@@ -1539,6 +1555,11 @@ parse_keytypes:
1539 flags | SSHCONF_CHECKPERM | 1555 flags | SSHCONF_CHECKPERM |
1540 (oactive ? 0 : SSHCONF_NEVERMATCH), 1556 (oactive ? 0 : SSHCONF_NEVERMATCH),
1541 activep, depth + 1); 1557 activep, depth + 1);
1558 if (r != 1 && errno != ENOENT) {
1559 fatal("Can't open user config file "
1560 "%.100s: %.100s", gl.gl_pathv[i],
1561 strerror(errno));
1562 }
1542 /* 1563 /*
1543 * don't let Match in includes clobber the 1564 * don't let Match in includes clobber the
1544 * containing file's Match state. 1565 * containing file's Match state.
@@ -1737,7 +1758,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
1737 int flags, int *activep, int depth) 1758 int flags, int *activep, int depth)
1738{ 1759{
1739 FILE *f; 1760 FILE *f;
1740 char line[1024]; 1761 char line[4096];
1741 int linenum; 1762 int linenum;
1742 int bad_options = 0; 1763 int bad_options = 0;
1743 1764
@@ -1766,6 +1787,8 @@ read_config_file_depth(const char *filename, struct passwd *pw,
1766 while (fgets(line, sizeof(line), f)) { 1787 while (fgets(line, sizeof(line), f)) {
1767 /* Update line number counter. */ 1788 /* Update line number counter. */
1768 linenum++; 1789 linenum++;
1790 if (strlen(line) == sizeof(line) - 1)
1791 fatal("%s line %d too long", filename, linenum);
1769 if (process_config_line_depth(options, pw, host, original_host, 1792 if (process_config_line_depth(options, pw, host, original_host,
1770 line, filename, linenum, activep, flags, depth) != 0) 1793 line, filename, linenum, activep, flags, depth) != 0)
1771 bad_options++; 1794 bad_options++;
@@ -2498,10 +2521,10 @@ dump_cfg_forwards(OpCodes code, u_int count, const struct Forward *fwds)
2498 /* oDynamicForward */ 2521 /* oDynamicForward */
2499 for (i = 0; i < count; i++) { 2522 for (i = 0; i < count; i++) {
2500 fwd = &fwds[i]; 2523 fwd = &fwds[i];
2501 if (code == oDynamicForward && 2524 if (code == oDynamicForward && fwd->connect_host != NULL &&
2502 strcmp(fwd->connect_host, "socks") != 0) 2525 strcmp(fwd->connect_host, "socks") != 0)
2503 continue; 2526 continue;
2504 if (code == oLocalForward && 2527 if (code == oLocalForward && fwd->connect_host != NULL &&
2505 strcmp(fwd->connect_host, "socks") == 0) 2528 strcmp(fwd->connect_host, "socks") == 0)
2506 continue; 2529 continue;
2507 printf("%s", lookup_opcode_name(code)); 2530 printf("%s", lookup_opcode_name(code));
@@ -2574,8 +2597,10 @@ dump_client_config(Options *o, const char *host)
2574 dump_cfg_fmtint(oProxyUseFdpass, o->proxy_use_fdpass); 2597 dump_cfg_fmtint(oProxyUseFdpass, o->proxy_use_fdpass);
2575 dump_cfg_fmtint(oPubkeyAuthentication, o->pubkey_authentication); 2598 dump_cfg_fmtint(oPubkeyAuthentication, o->pubkey_authentication);
2576 dump_cfg_fmtint(oRequestTTY, o->request_tty); 2599 dump_cfg_fmtint(oRequestTTY, o->request_tty);
2600#ifdef WITH_RSA1
2577 dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication); 2601 dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2578 dump_cfg_fmtint(oRSAAuthentication, o->rsa_authentication); 2602 dump_cfg_fmtint(oRSAAuthentication, o->rsa_authentication);
2603#endif
2579 dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); 2604 dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
2580 dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking); 2605 dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);
2581 dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive); 2606 dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive);
@@ -2587,7 +2612,9 @@ dump_client_config(Options *o, const char *host)
2587 2612
2588 /* Integer options */ 2613 /* Integer options */
2589 dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots); 2614 dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots);
2615#ifdef WITH_SSH1
2590 dump_cfg_int(oCompressionLevel, o->compression_level); 2616 dump_cfg_int(oCompressionLevel, o->compression_level);
2617#endif
2591 dump_cfg_int(oConnectionAttempts, o->connection_attempts); 2618 dump_cfg_int(oConnectionAttempts, o->connection_attempts);
2592 dump_cfg_int(oForwardX11Timeout, o->forward_x11_timeout); 2619 dump_cfg_int(oForwardX11Timeout, o->forward_x11_timeout);
2593 dump_cfg_int(oNumberOfPasswordPrompts, o->number_of_password_prompts); 2620 dump_cfg_int(oNumberOfPasswordPrompts, o->number_of_password_prompts);
@@ -2607,7 +2634,9 @@ dump_client_config(Options *o, const char *host)
2607 dump_cfg_string(oLocalCommand, o->local_command); 2634 dump_cfg_string(oLocalCommand, o->local_command);
2608 dump_cfg_string(oLogLevel, log_level_name(o->log_level)); 2635 dump_cfg_string(oLogLevel, log_level_name(o->log_level));
2609 dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC); 2636 dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);
2637#ifdef ENABLE_PKCS11
2610 dump_cfg_string(oPKCS11Provider, o->pkcs11_provider); 2638 dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
2639#endif
2611 dump_cfg_string(oPreferredAuthentications, o->preferred_authentications); 2640 dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);
2612 dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types); 2641 dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
2613 dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys); 2642 dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);
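Review bot: The new `*arg != '-' &&` guard in the oCiphers hunk (new line 1233) bypasses validation of the removal form entirely, and the same pattern is repeated in the oMacs (1244), oKexAlgorithms (1256-1257) and parse_keytypes (1271-1272) hunks, so a misspelled entry such as a typo in `Ciphers -aes128-cbc` is accepted and silently removes nothing, which is the opposite of what the operator intended when hardening the algorithm list. If removal entries are meant to be patterns rather than exact names — presumably the reason the check is skipped, but that is not visible here — the intent should be recorded next to each guard, e.g. `/* '-' lists are not validated here: entries are removed by name/pattern match later, so a misspelt entry is a silent no-op */`; if they are exact names, validate them like '+' does with `if (!ciphers_valid(*arg == '+' || *arg == '-' ? arg + 1 : arg))` and the analogous change in the other three places. The enclosing process_config_line_depth() begins and ends outside these hunks.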