Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c30
1 files changed, 25 insertions, 5 deletions
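--- a/readconf.c
+++ b/readconf.c
@@ -30,6 +30,8 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -125,6 +127,7 @@ typedef enum {
 	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
+	oUseBlacklistedKeys,
 	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -137,6 +140,7 @@ typedef enum {
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
 	oKexAlgorithms, oIPQoS, oRequestTTY,
+	oProtocolKeepAlives, oSetupTimeOut,
 	oDeprecated, oUnsupported
 } OpCodes;
 
@@ -158,6 +162,7 @@ static struct {
 	{ "passwordauthentication", oPasswordAuthentication },
 	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
 	{ "kbdinteractivedevices", oKbdInteractiveDevices },
+	{ "useblacklistedkeys", oUseBlacklistedKeys },
 	{ "rsaauthentication", oRSAAuthentication },
 	{ "pubkeyauthentication", oPubkeyAuthentication },
 	{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
@@ -257,6 +262,8 @@ static struct {
 	{ "kexalgorithms", oKexAlgorithms },
 	{ "ipqos", oIPQoS },
 	{ "requesttty", oRequestTTY },
+	{ "protocolkeepalives", oProtocolKeepAlives },
+	{ "setuptimeout", oSetupTimeOut },
 
 	{ NULL, oBadOption }
 };
@@ -489,6 +496,10 @@ parse_flag:
 		intptr = &options->challenge_response_authentication;
 		goto parse_flag;
 
+	case oUseBlacklistedKeys:
+		intptr = &options->use_blacklisted_keys;
+		goto parse_flag;
+
 	case oGssAuthentication:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@@ -908,6 +919,8 @@ parse_int:
 		goto parse_flag;
 
 	case oServerAliveInterval:
+	case oProtocolKeepAlives: /* Debian-specific compatibility alias */
+	case oSetupTimeOut: /* Debian-specific compatibility alias */
 		intptr = &options->server_alive_interval;
 		goto parse_time;
 
@@ -1120,8 +1133,7 @@ read_config_file(const char *filename, const char *host, Options *options,
 
 		if (fstat(fileno(f), &sb) == -1)
 			fatal("fstat %s: %s", filename, strerror(errno));
-		if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
-		    (sb.st_mode & 022) != 0))
+		if (!secure_permissions(&sb, getuid()))
 			fatal("Bad owner or permissions on %s", filename);
 	}
 
@@ -1180,6 +1192,7 @@ initialize_options(Options * options)
 	options->kbd_interactive_devices = NULL;
 	options->rhosts_rsa_authentication = -1;
 	options->hostbased_authentication = -1;
+	options->use_blacklisted_keys = -1;
 	options->batch_mode = -1;
 	options->check_host_ip = -1;
 	options->strict_host_key_checking = -1;
@@ -1255,7 +1268,7 @@ fill_default_options(Options * options)
 	if (options->forward_x11 == -1)
 		options->forward_x11 = 0;
 	if (options->forward_x11_trusted == -1)
-		options->forward_x11_trusted = 0;
+		options->forward_x11_trusted = 1;
 	if (options->forward_x11_timeout == -1)
 		options->forward_x11_timeout = 1200;
 	if (options->exit_on_forward_failure == -1)
@@ -1290,6 +1303,8 @@ fill_default_options(Options * options)
 		options->rhosts_rsa_authentication = 0;
 	if (options->hostbased_authentication == -1)
 		options->hostbased_authentication = 0;
+	if (options->use_blacklisted_keys == -1)
+		options->use_blacklisted_keys = 0;
 	if (options->batch_mode == -1)
 		options->batch_mode = 0;
 	if (options->check_host_ip == -1)
@@ -1376,8 +1391,13 @@ fill_default_options(Options * options)
 		options->rekey_limit = 0;
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
-	if (options->server_alive_interval == -1)
-		options->server_alive_interval = 0;
+	if (options->server_alive_interval == -1) {
+		/* in batch mode, default is 5mins */
+		if (options->batch_mode == 1)
+			options->server_alive_interval = 300;
+		else
+			options->server_alive_interval = 0;
+	}
 	if (options->server_alive_count_max == -1)
 		options->server_alive_count_max = 3;
 	if (options->control_master == -1)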
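Review bot: The default flipped in the `@@ -1255` hunk, `options->forward_x11_trusted = 1;` where upstream has `0`, is the most consequential line in this commit and carries no comment: a trusted X11 forward gives the remote session a connection to the local X server without the X SECURITY extension restrictions that the untrusted mode keeps, so a maintainer reading only this hunk cannot tell the change is deliberate. Add a why-comment at the assignment, e.g. `/* Debian: ForwardX11Trusted defaults to yes (upstream default is 0); see the packaging changelog */`, so it is not "corrected" back during a merge. In the `@@ -1120` hunk the new `secure_permissions(&sb, getuid())` call replaces a visible owner/mode test with an opaque helper whose declaration is not in this diff; it is presumably provided by a header already included, and the hunk would read better with a one-line comment stating what the helper accepts beyond the old uid-0/own-uid and 022 test, since the added `<pwd.h>` and `<grp.h>` includes hint at a group-based relaxation. `read_config_file` and `fill_default_options` both start outside their hunks.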