Diffstat (limited to 'readconf.c')
-rw-r--r-- | readconf.c | 30 |
1 files changed, 25 insertions, 5 deletions
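diff --git a/readconf.c b/readconf.c
index 60befde59..7a26e923b 100644
--- a/readconf.c
+++ b/readconf.c
@@ -30,6 +30,8 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -125,6 +127,7 @@ typedef enum {
 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
+oUseBlacklistedKeys,
 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -137,6 +140,7 @@ typedef enum {
 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
 oKexAlgorithms, oIPQoS, oRequestTTY,
+oProtocolKeepAlives, oSetupTimeOut,
 oDeprecated, oUnsupported
 } OpCodes;
 
@@ -158,6 +162,7 @@ static struct {
 { "passwordauthentication", oPasswordAuthentication },
 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
 { "kbdinteractivedevices", oKbdInteractiveDevices },
+{ "useblacklistedkeys", oUseBlacklistedKeys },
 { "rsaauthentication", oRSAAuthentication },
 { "pubkeyauthentication", oPubkeyAuthentication },
 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
@@ -257,6 +262,8 @@ static struct {
 { "kexalgorithms", oKexAlgorithms },
 { "ipqos", oIPQoS },
 { "requesttty", oRequestTTY },
+{ "protocolkeepalives", oProtocolKeepAlives },
+{ "setuptimeout", oSetupTimeOut },
 
 { NULL, oBadOption }
 };
@@ -489,6 +496,10 @@ parse_flag:
 intptr = &options->challenge_response_authentication;
 goto parse_flag;
 
+case oUseBlacklistedKeys:
+intptr = &options->use_blacklisted_keys;
+goto parse_flag;
+
 case oGssAuthentication:
 intptr = &options->gss_authentication;
 goto parse_flag;
@@ -908,6 +919,8 @@ parse_int:
 goto parse_flag;
 
 case oServerAliveInterval:
+case oProtocolKeepAlives: /* Debian-specific compatibility alias */
+case oSetupTimeOut: /* Debian-specific compatibility alias */
 intptr = &options->server_alive_interval;
 goto parse_time;
 
@@ -1120,8 +1133,7 @@ read_config_file(const char *filename, const char *host, Options *options,
 
 if (fstat(fileno(f), &sb) == -1)
 fatal("fstat %s: %s", filename, strerror(errno));
-if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
-(sb.st_mode & 022) != 0))
+if (!secure_permissions(&sb, getuid()))
 fatal("Bad owner or permissions on %s", filename);
 }
 
@@ -1180,6 +1192,7 @@ initialize_options(Options * options)
 options->kbd_interactive_devices = NULL;
 options->rhosts_rsa_authentication = -1;
 options->hostbased_authentication = -1;
+options->use_blacklisted_keys = -1;
 options->batch_mode = -1;
 options->check_host_ip = -1;
 options->strict_host_key_checking = -1;
@@ -1255,7 +1268,7 @@ fill_default_options(Options * options)
 if (options->forward_x11 == -1)
 options->forward_x11 = 0;
 if (options->forward_x11_trusted == -1)
-options->forward_x11_trusted = 0;
+options->forward_x11_trusted = 1;
 if (options->forward_x11_timeout == -1)
 options->forward_x11_timeout = 1200;
 if (options->exit_on_forward_failure == -1)
@@ -1290,6 +1303,8 @@ fill_default_options(Options * options)
 options->rhosts_rsa_authentication = 0;
 if (options->hostbased_authentication == -1)
 options->hostbased_authentication = 0;
+if (options->use_blacklisted_keys == -1)
+options->use_blacklisted_keys = 0;
 if (options->batch_mode == -1)
 options->batch_mode = 0;
 if (options->check_host_ip == -1)
@@ -1376,8 +1391,13 @@ fill_default_options(Options * options)
 options->rekey_limit = 0;
 if (options->verify_host_key_dns == -1)
 options->verify_host_key_dns = 0;
-if (options->server_alive_interval == -1)
-options->server_alive_interval = 0;
+if (options->server_alive_interval == -1) {
+/* in batch mode, default is 5mins */
+if (options->batch_mode == 1)
+options->server_alive_interval = 300;
+else
+options->server_alive_interval = 0;
+}
 if (options->server_alive_count_max == -1)
 options->server_alive_count_max = 3;
 if (options->control_master == -1)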