Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c50
1 files changed, 45 insertions, 5 deletions
diff --git a/readconf.c b/readconf.c
index 484db3e5f..be27e75bc 100644
--- a/readconf.c
+++ b/readconf.c
@@ -28,6 +28,8 @@
28#include <stdio.h> 28#include <stdio.h>
29#include <string.h> 29#include <string.h>
30#include <unistd.h> 30#include <unistd.h>
31#include <pwd.h>
32#include <grp.h>
31 33
32#include "xmalloc.h" 34#include "xmalloc.h"
33#include "ssh.h" 35#include "ssh.h"
@@ -123,6 +125,7 @@ typedef enum {
123 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, 125 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
124 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, 126 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
125 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, 127 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
128 oUseBlacklistedKeys,
126 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, 129 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
127 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 130 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 131 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -132,6 +135,7 @@ typedef enum {
132 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts, 135 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
133 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 136 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
134 oVisualHostKey, oZeroKnowledgePasswordAuthentication, 137 oVisualHostKey, oZeroKnowledgePasswordAuthentication,
138 oProtocolKeepAlives, oSetupTimeOut,
135 oDeprecated, oUnsupported 139 oDeprecated, oUnsupported
136} OpCodes; 140} OpCodes;
137 141
@@ -152,6 +156,7 @@ static struct {
152 { "passwordauthentication", oPasswordAuthentication }, 156 { "passwordauthentication", oPasswordAuthentication },
153 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 157 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
154 { "kbdinteractivedevices", oKbdInteractiveDevices }, 158 { "kbdinteractivedevices", oKbdInteractiveDevices },
159 { "useblacklistedkeys", oUseBlacklistedKeys },
155 { "rsaauthentication", oRSAAuthentication }, 160 { "rsaauthentication", oRSAAuthentication },
156 { "pubkeyauthentication", oPubkeyAuthentication }, 161 { "pubkeyauthentication", oPubkeyAuthentication },
157 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 162 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
@@ -243,6 +248,8 @@ static struct {
243#else 248#else
244 { "zeroknowledgepasswordauthentication", oUnsupported }, 249 { "zeroknowledgepasswordauthentication", oUnsupported },
245#endif 250#endif
251 { "protocolkeepalives", oProtocolKeepAlives },
252 { "setuptimeout", oSetupTimeOut },
246 253
247 { NULL, oBadOption } 254 { NULL, oBadOption }
248}; 255};
@@ -458,6 +465,10 @@ parse_flag:
458 intptr = &options->challenge_response_authentication; 465 intptr = &options->challenge_response_authentication;
459 goto parse_flag; 466 goto parse_flag;
460 467
468 case oUseBlacklistedKeys:
469 intptr = &options->use_blacklisted_keys;
470 goto parse_flag;
471
461 case oGssAuthentication: 472 case oGssAuthentication:
462 intptr = &options->gss_authentication; 473 intptr = &options->gss_authentication;
463 goto parse_flag; 474 goto parse_flag;
@@ -838,6 +849,8 @@ parse_int:
838 goto parse_flag; 849 goto parse_flag;
839 850
840 case oServerAliveInterval: 851 case oServerAliveInterval:
852 case oProtocolKeepAlives: /* Debian-specific compatibility alias */
853 case oSetupTimeOut: /* Debian-specific compatibility alias */
841 intptr = &options->server_alive_interval; 854 intptr = &options->server_alive_interval;
842 goto parse_time; 855 goto parse_time;
843 856
@@ -982,11 +995,30 @@ read_config_file(const char *filename, const char *host, Options *options,
982 995
983 if (checkperm) { 996 if (checkperm) {
984 struct stat sb; 997 struct stat sb;
998 int bad_modes = 0;
985 999
986 if (fstat(fileno(f), &sb) == -1) 1000 if (fstat(fileno(f), &sb) == -1)
987 fatal("fstat %s: %s", filename, strerror(errno)); 1001 fatal("fstat %s: %s", filename, strerror(errno));
988 if (((sb.st_uid != 0 && sb.st_uid != getuid()) || 1002 if (sb.st_uid != 0 && sb.st_uid != getuid())
989 (sb.st_mode & 022) != 0)) 1003 bad_modes = 1;
1004 if ((sb.st_mode & 020) != 0) {
1005 /* If the file is group-writable, the group in
1006 * question must have at most one member, namely the
1007 * file's owner.
1008 */
1009 struct passwd *pw = getpwuid(sb.st_uid);
1010 struct group *gr = getgrgid(sb.st_gid);
1011 if (!pw || !gr)
1012 bad_modes = 1;
1013 else if (gr->gr_mem[0]) {
1014 if (strcmp(pw->pw_name, gr->gr_mem[0]) ||
1015 gr->gr_mem[1])
1016 bad_modes = 1;
1017 }
1018 }
1019 if ((sb.st_mode & 002) != 0)
1020 bad_modes = 1;
1021 if (bad_modes)
990 fatal("Bad owner or permissions on %s", filename); 1022 fatal("Bad owner or permissions on %s", filename);
991 } 1023 }
992 1024
@@ -1043,6 +1075,7 @@ initialize_options(Options * options)
1043 options->kbd_interactive_devices = NULL; 1075 options->kbd_interactive_devices = NULL;
1044 options->rhosts_rsa_authentication = -1; 1076 options->rhosts_rsa_authentication = -1;
1045 options->hostbased_authentication = -1; 1077 options->hostbased_authentication = -1;
1078 options->use_blacklisted_keys = -1;
1046 options->batch_mode = -1; 1079 options->batch_mode = -1;
1047 options->check_host_ip = -1; 1080 options->check_host_ip = -1;
1048 options->strict_host_key_checking = -1; 1081 options->strict_host_key_checking = -1;
@@ -1111,7 +1144,7 @@ fill_default_options(Options * options)
1111 if (options->forward_x11 == -1) 1144 if (options->forward_x11 == -1)
1112 options->forward_x11 = 0; 1145 options->forward_x11 = 0;
1113 if (options->forward_x11_trusted == -1) 1146 if (options->forward_x11_trusted == -1)
1114 options->forward_x11_trusted = 0; 1147 options->forward_x11_trusted = 1;
1115 if (options->exit_on_forward_failure == -1) 1148 if (options->exit_on_forward_failure == -1)
1116 options->exit_on_forward_failure = 0; 1149 options->exit_on_forward_failure = 0;
1117 if (options->xauth_location == NULL) 1150 if (options->xauth_location == NULL)
@@ -1144,6 +1177,8 @@ fill_default_options(Options * options)
1144 options->rhosts_rsa_authentication = 0; 1177 options->rhosts_rsa_authentication = 0;
1145 if (options->hostbased_authentication == -1) 1178 if (options->hostbased_authentication == -1)
1146 options->hostbased_authentication = 0; 1179 options->hostbased_authentication = 0;
1180 if (options->use_blacklisted_keys == -1)
1181 options->use_blacklisted_keys = 0;
1147 if (options->batch_mode == -1) 1182 if (options->batch_mode == -1)
1148 options->batch_mode = 0; 1183 options->batch_mode = 0;
1149 if (options->check_host_ip == -1) 1184 if (options->check_host_ip == -1)
@@ -1218,8 +1253,13 @@ fill_default_options(Options * options)
1218 options->rekey_limit = 0; 1253 options->rekey_limit = 0;
1219 if (options->verify_host_key_dns == -1) 1254 if (options->verify_host_key_dns == -1)
1220 options->verify_host_key_dns = 0; 1255 options->verify_host_key_dns = 0;
1221 if (options->server_alive_interval == -1) 1256 if (options->server_alive_interval == -1) {
1222 options->server_alive_interval = 0; 1257 /* in batch mode, default is 5mins */
1258 if (options->batch_mode == 1)
1259 options->server_alive_interval = 300;
1260 else
1261 options->server_alive_interval = 0;
1262 }
1223 if (options->server_alive_count_max == -1) 1263 if (options->server_alive_count_max == -1)
1224 options->server_alive_count_max = 3; 1264 options->server_alive_count_max = 3;
1225 if (options->control_master == -1) 1265 if (options->control_master == -1)
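Review bot: The relaxed group-writable check in read_config_file (new lines 1004–1018) decides from gr->gr_mem alone, but getgrgid() only reports the supplementary members listed in the group database; an account whose primary GID (its passwd pw_gid) equals sb.st_gid does not appear in gr_mem, so a group-writable config whose group is shared that way is accepted with bad_modes still 0. The code silently relies on the user-private-group convention without verifying it; at minimum require the group to be the owner's primary group, `if (!pw || !gr || sb.st_gid != pw->pw_gid)` followed by `bad_modes = 1;`, and extend the block comment to state that gr_mem does not include primary-group members, so the check is a heuristic rather than a complete membership test. The enclosing function starts and ends outside this hunk. Separately, the fill_default_options hunk changes the forward_x11_trusted default from 0 to 1 with no comment; a one-line comment saying this intentionally diverges from the upstream default would keep a later merge from reverting it unnoticed.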