Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c50
1 files changed, 45 insertions, 5 deletions
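diff --git a/readconf.c b/readconf.c
index 9d1ee55fa..487c3399b 100644
--- a/readconf.c
+++ b/readconf.c
@@ -28,6 +28,8 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -123,6 +125,7 @@ typedef enum {
 	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
+	oUseBlacklistedKeys,
 	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -132,6 +135,7 @@ typedef enum {
 	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 	oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
+	oProtocolKeepAlives, oSetupTimeOut,
 	oDeprecated, oUnsupported
 } OpCodes;
 
@@ -152,6 +156,7 @@ static struct {
 	{ "passwordauthentication", oPasswordAuthentication },
 	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
 	{ "kbdinteractivedevices", oKbdInteractiveDevices },
+	{ "useblacklistedkeys", oUseBlacklistedKeys },
 	{ "rsaauthentication", oRSAAuthentication },
 	{ "pubkeyauthentication", oPubkeyAuthentication },
 	{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
@@ -246,6 +251,8 @@ static struct {
 #else
 	{ "zeroknowledgepasswordauthentication", oUnsupported },
 #endif
+	{ "protocolkeepalives", oProtocolKeepAlives },
+	{ "setuptimeout", oSetupTimeOut },
 
 	{ NULL, oBadOption }
 };
@@ -461,6 +468,10 @@ parse_flag:
 		intptr = &options->challenge_response_authentication;
 		goto parse_flag;
 
+	case oUseBlacklistedKeys:
+		intptr = &options->use_blacklisted_keys;
+		goto parse_flag;
+
 	case oGssAuthentication:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@@ -841,6 +852,8 @@ parse_int:
 		goto parse_flag;
 
 	case oServerAliveInterval:
+	case oProtocolKeepAlives: /* Debian-specific compatibility alias */
+	case oSetupTimeOut: /* Debian-specific compatibility alias */
 		intptr = &options->server_alive_interval;
 		goto parse_time;
 
@@ -989,11 +1002,30 @@ read_config_file(const char *filename, const char *host, Options *options,
 
 	if (checkperm) {
 		struct stat sb;
+		int bad_modes = 0;
 
 		if (fstat(fileno(f), &sb) == -1)
 			fatal("fstat %s: %s", filename, strerror(errno));
-		if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
-		    (sb.st_mode & 022) != 0))
+		if (sb.st_uid != 0 && sb.st_uid != getuid())
+			bad_modes = 1;
+		if ((sb.st_mode & 020) != 0) {
+			/* If the file is group-writable, the group in
+			 * question must have at most one member, namely the
+			 * file's owner.
+			 */
+			struct passwd *pw = getpwuid(sb.st_uid);
+			struct group *gr = getgrgid(sb.st_gid);
+			if (!pw || !gr)
+				bad_modes = 1;
+			else if (gr->gr_mem[0]) {
+				if (strcmp(pw->pw_name, gr->gr_mem[0]) ||
+				    gr->gr_mem[1])
+					bad_modes = 1;
+			}
+		}
+		if ((sb.st_mode & 002) != 0)
+			bad_modes = 1;
+		if (bad_modes)
 			fatal("Bad owner or permissions on %s", filename);
 	}
 
@@ -1050,6 +1082,7 @@ initialize_options(Options * options)
 	options->kbd_interactive_devices = NULL;
 	options->rhosts_rsa_authentication = -1;
 	options->hostbased_authentication = -1;
+	options->use_blacklisted_keys = -1;
 	options->batch_mode = -1;
 	options->check_host_ip = -1;
 	options->strict_host_key_checking = -1;
@@ -1119,7 +1152,7 @@ fill_default_options(Options * options)
 	if (options->forward_x11 == -1)
 		options->forward_x11 = 0;
 	if (options->forward_x11_trusted == -1)
-		options->forward_x11_trusted = 0;
+		options->forward_x11_trusted = 1;
 	if (options->exit_on_forward_failure == -1)
 		options->exit_on_forward_failure = 0;
 	if (options->xauth_location == NULL)
@@ -1152,6 +1185,8 @@ fill_default_options(Options * options)
 		options->rhosts_rsa_authentication = 0;
 	if (options->hostbased_authentication == -1)
 		options->hostbased_authentication = 0;
+	if (options->use_blacklisted_keys == -1)
+		options->use_blacklisted_keys = 0;
 	if (options->batch_mode == -1)
 		options->batch_mode = 0;
 	if (options->check_host_ip == -1)
@@ -1226,8 +1261,13 @@ fill_default_options(Options * options)
 		options->rekey_limit = 0;
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
-	if (options->server_alive_interval == -1)
-		options->server_alive_interval = 0;
+	if (options->server_alive_interval == -1) {
+		/* in batch mode, default is 5mins */
+		if (options->batch_mode == 1)
+			options->server_alive_interval = 300;
+		else
+			options->server_alive_interval = 0;
+	}
 	if (options->server_alive_count_max == -1)
 		options->server_alive_count_max = 3;
 	if (options->control_master == -1)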