summaryrefslogtreecommitdiff
path: root/readconf.c
diff options
context:
space:
mode:
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c72
1 files changed, 67 insertions, 5 deletions
diff --git a/readconf.c b/readconf.c
index d57d4551d..0999f28e3 100644
--- a/readconf.c
+++ b/readconf.c
@@ -28,6 +28,8 @@
28#include <stdio.h> 28#include <stdio.h>
29#include <string.h> 29#include <string.h>
30#include <unistd.h> 30#include <unistd.h>
31#include <pwd.h>
32#include <grp.h>
31 33
32#include "xmalloc.h" 34#include "xmalloc.h"
33#include "ssh.h" 35#include "ssh.h"
@@ -127,9 +129,12 @@ typedef enum {
127 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 129 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 130 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
129 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 131 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
132 oGssKeyEx,
133 oGssTrustDns,
130 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 134 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
131 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, 135 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
132 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 136 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
137 oProtocolKeepAlives, oSetupTimeOut,
133 oDeprecated, oUnsupported 138 oDeprecated, oUnsupported
134} OpCodes; 139} OpCodes;
135 140
@@ -163,10 +168,14 @@ static struct {
163 { "afstokenpassing", oUnsupported }, 168 { "afstokenpassing", oUnsupported },
164#if defined(GSSAPI) 169#if defined(GSSAPI)
165 { "gssapiauthentication", oGssAuthentication }, 170 { "gssapiauthentication", oGssAuthentication },
171 { "gssapikeyexchange", oGssKeyEx },
166 { "gssapidelegatecredentials", oGssDelegateCreds }, 172 { "gssapidelegatecredentials", oGssDelegateCreds },
173 { "gssapitrustdns", oGssTrustDns },
167#else 174#else
168 { "gssapiauthentication", oUnsupported }, 175 { "gssapiauthentication", oUnsupported },
176 { "gssapikeyexchange", oUnsupported },
169 { "gssapidelegatecredentials", oUnsupported }, 177 { "gssapidelegatecredentials", oUnsupported },
178 { "gssapitrustdns", oUnsupported },
170#endif 179#endif
171 { "fallbacktorsh", oDeprecated }, 180 { "fallbacktorsh", oDeprecated },
172 { "usersh", oDeprecated }, 181 { "usersh", oDeprecated },
@@ -226,6 +235,8 @@ static struct {
226 { "tunneldevice", oTunnelDevice }, 235 { "tunneldevice", oTunnelDevice },
227 { "localcommand", oLocalCommand }, 236 { "localcommand", oLocalCommand },
228 { "permitlocalcommand", oPermitLocalCommand }, 237 { "permitlocalcommand", oPermitLocalCommand },
238 { "protocolkeepalives", oProtocolKeepAlives },
239 { "setuptimeout", oSetupTimeOut },
229 { NULL, oBadOption } 240 { NULL, oBadOption }
230}; 241};
231 242
@@ -441,10 +452,18 @@ parse_flag:
441 intptr = &options->gss_authentication; 452 intptr = &options->gss_authentication;
442 goto parse_flag; 453 goto parse_flag;
443 454
455 case oGssKeyEx:
456 intptr = &options->gss_keyex;
457 goto parse_flag;
458
444 case oGssDelegateCreds: 459 case oGssDelegateCreds:
445 intptr = &options->gss_deleg_creds; 460 intptr = &options->gss_deleg_creds;
446 goto parse_flag; 461 goto parse_flag;
447 462
463 case oGssTrustDns:
464 intptr = &options->gss_trust_dns;
465 goto parse_flag;
466
448 case oBatchMode: 467 case oBatchMode:
449 intptr = &options->batch_mode; 468 intptr = &options->batch_mode;
450 goto parse_flag; 469 goto parse_flag;
@@ -818,6 +837,7 @@ parse_int:
818 goto parse_flag; 837 goto parse_flag;
819 838
820 case oServerAliveInterval: 839 case oServerAliveInterval:
840 case oProtocolKeepAlives: /* Debian-specific compatibility alias */
821 intptr = &options->server_alive_interval; 841 intptr = &options->server_alive_interval;
822 goto parse_time; 842 goto parse_time;
823 843
@@ -915,6 +935,10 @@ parse_int:
915 intptr = &options->permit_local_command; 935 intptr = &options->permit_local_command;
916 goto parse_flag; 936 goto parse_flag;
917 937
938 case oSetupTimeOut:
939 intptr = &options->setuptimeout;
940 goto parse_int;
941
918 case oDeprecated: 942 case oDeprecated:
919 debug("%s line %d: Deprecated option \"%s\"", 943 debug("%s line %d: Deprecated option \"%s\"",
920 filename, linenum, keyword); 944 filename, linenum, keyword);
@@ -959,11 +983,30 @@ read_config_file(const char *filename, const char *host, Options *options,
959 983
960 if (checkperm) { 984 if (checkperm) {
961 struct stat sb; 985 struct stat sb;
986 int bad_modes = 0;
962 987
963 if (fstat(fileno(f), &sb) == -1) 988 if (fstat(fileno(f), &sb) == -1)
964 fatal("fstat %s: %s", filename, strerror(errno)); 989 fatal("fstat %s: %s", filename, strerror(errno));
965 if (((sb.st_uid != 0 && sb.st_uid != getuid()) || 990 if (sb.st_uid != 0 && sb.st_uid != getuid())
966 (sb.st_mode & 022) != 0)) 991 bad_modes = 1;
992 if ((sb.st_mode & 020) != 0) {
993 /* If the file is group-writable, the group in
994 * question must have at most one member, namely the
995 * file's owner.
996 */
997 struct passwd *pw = getpwuid(sb.st_uid);
998 struct group *gr = getgrgid(sb.st_gid);
999 if (!pw || !gr)
1000 bad_modes = 1;
1001 else if (gr->gr_mem[0]) {
1002 if (strcmp(pw->pw_name, gr->gr_mem[0]) ||
1003 gr->gr_mem[1])
1004 bad_modes = 1;
1005 }
1006 }
1007 if ((sb.st_mode & 002) != 0)
1008 bad_modes = 1;
1009 if (bad_modes)
967 fatal("Bad owner or permissions on %s", filename); 1010 fatal("Bad owner or permissions on %s", filename);
968 } 1011 }
969 1012
@@ -1010,7 +1053,9 @@ initialize_options(Options * options)
1010 options->pubkey_authentication = -1; 1053 options->pubkey_authentication = -1;
1011 options->challenge_response_authentication = -1; 1054 options->challenge_response_authentication = -1;
1012 options->gss_authentication = -1; 1055 options->gss_authentication = -1;
1056 options->gss_keyex = -1;
1013 options->gss_deleg_creds = -1; 1057 options->gss_deleg_creds = -1;
1058 options->gss_trust_dns = -1;
1014 options->password_authentication = -1; 1059 options->password_authentication = -1;
1015 options->kbd_interactive_authentication = -1; 1060 options->kbd_interactive_authentication = -1;
1016 options->kbd_interactive_devices = NULL; 1061 options->kbd_interactive_devices = NULL;
@@ -1021,6 +1066,7 @@ initialize_options(Options * options)
1021 options->strict_host_key_checking = -1; 1066 options->strict_host_key_checking = -1;
1022 options->compression = -1; 1067 options->compression = -1;
1023 options->tcp_keep_alive = -1; 1068 options->tcp_keep_alive = -1;
1069 options->setuptimeout = -1;
1024 options->compression_level = -1; 1070 options->compression_level = -1;
1025 options->port = -1; 1071 options->port = -1;
1026 options->address_family = -1; 1072 options->address_family = -1;
@@ -1082,7 +1128,7 @@ fill_default_options(Options * options)
1082 if (options->forward_x11 == -1) 1128 if (options->forward_x11 == -1)
1083 options->forward_x11 = 0; 1129 options->forward_x11 = 0;
1084 if (options->forward_x11_trusted == -1) 1130 if (options->forward_x11_trusted == -1)
1085 options->forward_x11_trusted = 0; 1131 options->forward_x11_trusted = 1;
1086 if (options->exit_on_forward_failure == -1) 1132 if (options->exit_on_forward_failure == -1)
1087 options->exit_on_forward_failure = 0; 1133 options->exit_on_forward_failure = 0;
1088 if (options->xauth_location == NULL) 1134 if (options->xauth_location == NULL)
@@ -1099,8 +1145,12 @@ fill_default_options(Options * options)
1099 options->challenge_response_authentication = 1; 1145 options->challenge_response_authentication = 1;
1100 if (options->gss_authentication == -1) 1146 if (options->gss_authentication == -1)
1101 options->gss_authentication = 0; 1147 options->gss_authentication = 0;
1148 if (options->gss_keyex == -1)
1149 options->gss_keyex = 0;
1102 if (options->gss_deleg_creds == -1) 1150 if (options->gss_deleg_creds == -1)
1103 options->gss_deleg_creds = 0; 1151 options->gss_deleg_creds = 0;
1152 if (options->gss_trust_dns == -1)
1153 options->gss_trust_dns = 0;
1104 if (options->password_authentication == -1) 1154 if (options->password_authentication == -1)
1105 options->password_authentication = 1; 1155 options->password_authentication = 1;
1106 if (options->kbd_interactive_authentication == -1) 1156 if (options->kbd_interactive_authentication == -1)
@@ -1183,8 +1233,13 @@ fill_default_options(Options * options)
1183 options->rekey_limit = 0; 1233 options->rekey_limit = 0;
1184 if (options->verify_host_key_dns == -1) 1234 if (options->verify_host_key_dns == -1)
1185 options->verify_host_key_dns = 0; 1235 options->verify_host_key_dns = 0;
1186 if (options->server_alive_interval == -1) 1236 if (options->server_alive_interval == -1) {
1187 options->server_alive_interval = 0; 1237 /* in batch mode, default is 5mins */
1238 if (options->batch_mode == 1)
1239 options->server_alive_interval = 300;
1240 else
1241 options->server_alive_interval = 0;
1242 }
1188 if (options->server_alive_count_max == -1) 1243 if (options->server_alive_count_max == -1)
1189 options->server_alive_count_max = 3; 1244 options->server_alive_count_max = 3;
1190 if (options->control_master == -1) 1245 if (options->control_master == -1)
@@ -1199,6 +1254,13 @@ fill_default_options(Options * options)
1199 options->tun_remote = SSH_TUNID_ANY; 1254 options->tun_remote = SSH_TUNID_ANY;
1200 if (options->permit_local_command == -1) 1255 if (options->permit_local_command == -1)
1201 options->permit_local_command = 0; 1256 options->permit_local_command = 0;
1257 if (options->setuptimeout == -1) {
1258 /* in batch mode, default is 5mins */
1259 if (options->batch_mode == 1)
1260 options->setuptimeout = 300;
1261 else
1262 options->setuptimeout = 0;
1263 }
1202 /* options->local_command should not be set by default */ 1264 /* options->local_command should not be set by default */
1203 /* options->proxy_command should not be set by default */ 1265 /* options->proxy_command should not be set by default */
1204 /* options->user will be set in the main program if appropriate */ 1266 /* options->user will be set in the main program if appropriate */
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-13 08:11:17 +0000