Diffstat (limited to 'readconf.c')
-rw-r--r-- | readconf.c | 70 |
1 files changed, 65 insertions, 5 deletions
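--- a/readconf.c
+++ b/readconf.c
@@ -28,6 +28,8 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -123,14 +125,18 @@ typedef enum {
 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
+oUseBlacklistedKeys,
 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+oGssKeyEx,
+oGssTrustDns,
 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 oVisualHostKey,
+oProtocolKeepAlives, oSetupTimeOut,
 oDeprecated, oUnsupported
 } OpCodes;
 
@@ -151,6 +157,7 @@ static struct {
 { "passwordauthentication", oPasswordAuthentication },
 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
 { "kbdinteractivedevices", oKbdInteractiveDevices },
+{ "useblacklistedkeys", oUseBlacklistedKeys },
 { "rsaauthentication", oRSAAuthentication },
 { "pubkeyauthentication", oPubkeyAuthentication },
 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
@@ -164,10 +171,14 @@ static struct {
 { "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 { "gssapiauthentication", oGssAuthentication },
+{ "gssapikeyexchange", oGssKeyEx },
 { "gssapidelegatecredentials", oGssDelegateCreds },
+{ "gssapitrustdns", oGssTrustDns },
 #else
 { "gssapiauthentication", oUnsupported },
+{ "gssapikeyexchange", oUnsupported },
 { "gssapidelegatecredentials", oUnsupported },
+{ "gssapitrustdns", oUnsupported },
 #endif
 { "fallbacktorsh", oDeprecated },
 { "usersh", oDeprecated },
@@ -228,6 +239,8 @@ static struct {
 { "localcommand", oLocalCommand },
 { "permitlocalcommand", oPermitLocalCommand },
 { "visualhostkey", oVisualHostKey },
+{ "protocolkeepalives", oProtocolKeepAlives },
+{ "setuptimeout", oSetupTimeOut },
 { NULL, oBadOption }
 };
 
@@ -440,14 +453,26 @@ parse_flag:
 intptr = &options->challenge_response_authentication;
 goto parse_flag;
 
+case oUseBlacklistedKeys:
+intptr = &options->use_blacklisted_keys;
+goto parse_flag;
+
 case oGssAuthentication:
 intptr = &options->gss_authentication;
 goto parse_flag;
 
+case oGssKeyEx:
+intptr = &options->gss_keyex;
+goto parse_flag;
+
 case oGssDelegateCreds:
 intptr = &options->gss_deleg_creds;
 goto parse_flag;
 
+case oGssTrustDns:
+intptr = &options->gss_trust_dns;
+goto parse_flag;
+
 case oBatchMode:
 intptr = &options->batch_mode;
 goto parse_flag;
@@ -820,6 +845,8 @@ parse_int:
 goto parse_flag;
 
 case oServerAliveInterval:
+case oProtocolKeepAlives: /* Debian-specific compatibility alias */
+case oSetupTimeOut: /* Debian-specific compatibility alias */
 intptr = &options->server_alive_interval;
 goto parse_time;
 
@@ -965,11 +992,30 @@ read_config_file(const char *filename, const char *host, Options *options,
 
 if (checkperm) {
 struct stat sb;
+int bad_modes = 0;
 
 if (fstat(fileno(f), &sb) == -1)
 fatal("fstat %s: %s", filename, strerror(errno));
-if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
-(sb.st_mode & 022) != 0))
+if (sb.st_uid != 0 && sb.st_uid != getuid())
+bad_modes = 1;
+if ((sb.st_mode & 020) != 0) {
+/* If the file is group-writable, the group in
+* question must have at most one member, namely the
+* file's owner.
+*/
+struct passwd *pw = getpwuid(sb.st_uid);
+struct group *gr = getgrgid(sb.st_gid);
+if (!pw || !gr)
+bad_modes = 1;
+else if (gr->gr_mem[0]) {
+if (strcmp(pw->pw_name, gr->gr_mem[0]) ||
+gr->gr_mem[1])
+bad_modes = 1;
+}
+}
+if ((sb.st_mode & 002) != 0)
+bad_modes = 1;
+if (bad_modes)
 fatal("Bad owner or permissions on %s", filename);
 }
 
@@ -1016,12 +1062,15 @@ initialize_options(Options * options)
 options->pubkey_authentication = -1;
 options->challenge_response_authentication = -1;
 options->gss_authentication = -1;
+options->gss_keyex = -1;
 options->gss_deleg_creds = -1;
+options->gss_trust_dns = -1;
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
 options->kbd_interactive_devices = NULL;
 options->rhosts_rsa_authentication = -1;
 options->hostbased_authentication = -1;
+options->use_blacklisted_keys = -1;
 options->batch_mode = -1;
 options->check_host_ip = -1;
 options->strict_host_key_checking = -1;
@@ -1089,7 +1138,7 @@ fill_default_options(Options * options)
 if (options->forward_x11 == -1)
 options->forward_x11 = 0;
 if (options->forward_x11_trusted == -1)
-options->forward_x11_trusted = 0;
+options->forward_x11_trusted = 1;
 if (options->exit_on_forward_failure == -1)
 options->exit_on_forward_failure = 0;
 if (options->xauth_location == NULL)
@@ -1106,8 +1155,12 @@ fill_default_options(Options * options)
 options->challenge_response_authentication = 1;
 if (options->gss_authentication == -1)
 options->gss_authentication = 0;
+if (options->gss_keyex == -1)
+options->gss_keyex = 0;
 if (options->gss_deleg_creds == -1)
 options->gss_deleg_creds = 0;
+if (options->gss_trust_dns == -1)
+options->gss_trust_dns = 0;
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)
@@ -1116,6 +1169,8 @@ fill_default_options(Options * options)
 options->rhosts_rsa_authentication = 0;
 if (options->hostbased_authentication == -1)
 options->hostbased_authentication = 0;
+if (options->use_blacklisted_keys == -1)
+options->use_blacklisted_keys = 0;
 if (options->batch_mode == -1)
 options->batch_mode = 0;
 if (options->check_host_ip == -1)
@@ -1190,8 +1245,13 @@ fill_default_options(Options * options)
 options->rekey_limit = 0;
 if (options->verify_host_key_dns == -1)
 options->verify_host_key_dns = 0;
-if (options->server_alive_interval == -1)
-options->server_alive_interval = 0;
+if (options->server_alive_interval == -1) {
+/* in batch mode, default is 5mins */
+if (options->batch_mode == 1)
+options->server_alive_interval = 300;
+else
+options->server_alive_interval = 0;
+}
 if (options->server_alive_count_max == -1)
 options->server_alive_count_max = 3;
 if (options->control_master == -1)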