Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c50
1 files changed, 45 insertions, 5 deletions
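diff --git a/readconf.c b/readconf.c
index b6abeed06..163244ed9 100644
--- a/readconf.c
+++ b/readconf.c
@@ -28,6 +28,8 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -123,6 +125,7 @@ typedef enum {
 	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
+	oUseBlacklistedKeys,
 	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -132,6 +135,7 @@ typedef enum {
 	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
+	oProtocolKeepAlives, oSetupTimeOut,
 	oDeprecated, oUnsupported
 } OpCodes;
 
@@ -152,6 +156,7 @@ static struct {
 	{ "passwordauthentication", oPasswordAuthentication },
 	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
 	{ "kbdinteractivedevices", oKbdInteractiveDevices },
+	{ "useblacklistedkeys", oUseBlacklistedKeys },
 	{ "rsaauthentication", oRSAAuthentication },
 	{ "pubkeyauthentication", oPubkeyAuthentication },
 	{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
@@ -244,6 +249,8 @@ static struct {
 #else
 	{ "zeroknowledgepasswordauthentication", oUnsupported },
 #endif
+	{ "protocolkeepalives", oProtocolKeepAlives },
+	{ "setuptimeout", oSetupTimeOut },
 
 	{ NULL, oBadOption }
 };
@@ -459,6 +466,10 @@ parse_flag:
 		intptr = &options->challenge_response_authentication;
 		goto parse_flag;
 
+	case oUseBlacklistedKeys:
+		intptr = &options->use_blacklisted_keys;
+		goto parse_flag;
+
 	case oGssAuthentication:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@@ -839,6 +850,8 @@ parse_int:
 		goto parse_flag;
 
 	case oServerAliveInterval:
+	case oProtocolKeepAlives: /* Debian-specific compatibility alias */
+	case oSetupTimeOut: /* Debian-specific compatibility alias */
 		intptr = &options->server_alive_interval;
 		goto parse_time;
 
@@ -987,11 +1000,30 @@ read_config_file(const char *filename, const char *host, Options *options,
 
 	if (checkperm) {
 		struct stat sb;
+		int bad_modes = 0;
 
 		if (fstat(fileno(f), &sb) == -1)
 			fatal("fstat %s: %s", filename, strerror(errno));
-		if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
-		    (sb.st_mode & 022) != 0))
+		if (sb.st_uid != 0 && sb.st_uid != getuid())
+			bad_modes = 1;
+		if ((sb.st_mode & 020) != 0) {
+			/* If the file is group-writable, the group in
+			 * question must have at most one member, namely the
+			 * file's owner.
+			 */
+			struct passwd *pw = getpwuid(sb.st_uid);
+			struct group *gr = getgrgid(sb.st_gid);
+			if (!pw || !gr)
+				bad_modes = 1;
+			else if (gr->gr_mem[0]) {
+				if (strcmp(pw->pw_name, gr->gr_mem[0]) ||
+				    gr->gr_mem[1])
+					bad_modes = 1;
+			}
+		}
+		if ((sb.st_mode & 002) != 0)
+			bad_modes = 1;
+		if (bad_modes)
 			fatal("Bad owner or permissions on %s", filename);
 	}
 
@@ -1048,6 +1080,7 @@ initialize_options(Options * options)
 	options->kbd_interactive_devices = NULL;
 	options->rhosts_rsa_authentication = -1;
 	options->hostbased_authentication = -1;
+	options->use_blacklisted_keys = -1;
 	options->batch_mode = -1;
 	options->check_host_ip = -1;
 	options->strict_host_key_checking = -1;
@@ -1117,7 +1150,7 @@ fill_default_options(Options * options)
 	if (options->forward_x11 == -1)
 		options->forward_x11 = 0;
 	if (options->forward_x11_trusted == -1)
-		options->forward_x11_trusted = 0;
+		options->forward_x11_trusted = 1;
 	if (options->exit_on_forward_failure == -1)
 		options->exit_on_forward_failure = 0;
 	if (options->xauth_location == NULL)
@@ -1150,6 +1183,8 @@ fill_default_options(Options * options)
 		options->rhosts_rsa_authentication = 0;
 	if (options->hostbased_authentication == -1)
 		options->hostbased_authentication = 0;
+	if (options->use_blacklisted_keys == -1)
+		options->use_blacklisted_keys = 0;
 	if (options->batch_mode == -1)
 		options->batch_mode = 0;
 	if (options->check_host_ip == -1)
@@ -1224,8 +1259,13 @@ fill_default_options(Options * options)
 		options->rekey_limit = 0;
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
-	if (options->server_alive_interval == -1)
-		options->server_alive_interval = 0;
+	if (options->server_alive_interval == -1) {
+		/* in batch mode, default is 5mins */
+		if (options->batch_mode == 1)
+			options->server_alive_interval = 300;
+		else
+			options->server_alive_interval = 0;
+	}
 	if (options->server_alive_count_max == -1)
 		options->server_alive_count_max = 3;
 	if (options->control_master == -1)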
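Review bot: The group-writable branch in read_config_file (new lines 1009–1023) only consults gr_mem, but an account whose primary group in passwd is the file's gid is not listed in gr_mem, so a group-writable config that such an account can modify still passes the "at most one member, namely the owner" check and the relaxed 020 test weakens the old 022 rule more than the comment states. The check should also reject the file when any other account has sb.st_gid as its primary group, which means enumerating passwd with setpwent/getpwent/endpwent; that enumeration can be slow with network-backed NSS, so it should only run when the file is actually group-writable, as below. Note too that getpwuid and getgrgid return pointers to static storage, so pw must not be relied on after any further passwd lookup (the proposed loop runs after the existing strcmp for that reason). The enclosing read_config_file body starts and ends outside the hunk.
```c
		if ((sb.st_mode & 020) != 0) {
			/* … unchanged: getpwuid/getgrgid lookup and gr_mem check … */
			/* Accounts whose primary group is the file's group are
			 * not listed in gr_mem; walk passwd to find them. */
			if (!bad_modes) {
				struct passwd *p;
				setpwent();
				while ((p = getpwent()) != NULL) {
					if (p->pw_gid == sb.st_gid &&
					    p->pw_uid != sb.st_uid) {
						bad_modes = 1;
						break;
					}
				}
				endpwent();
			}
		}
```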