1 files changed, 75 insertions, 46 deletions
diff --git a/readconf.c b/readconf.c
index d1091cbda..4d92d174b 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.262 2016/10/25 04:08:13 jsg Exp $ */
+/* $OpenBSD: readconf.c,v 1.270 2017/03/10 04:27:32 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -93,7 +93,7 @@
   Host books.com
     RemoteForward 9999 shadows.cs.hut.fi:9999
-     Cipher 3des
+     Ciphers 3des-cbc
   Host fascist.blob.com
     Port 23123
@@ -108,7 +108,7 @@
     PublicKeyAuthentication no
   Host *.su
-     Cipher none
+     Ciphers aes128-ctr
     PasswordAuthentication no
   Host vpn.fake.com
@@ -183,30 +183,21 @@ static struct {
        const char *name;
        OpCodes opcode;
 } keywords[] = {
-        { "forwardagent", oForwardAgent },
+        /* Deprecated options */
-        { "forwardx11", oForwardX11 },
+        { "fallbacktorsh", oDeprecated },
-        { "forwardx11trusted", oForwardX11Trusted },
+        { "globalknownhostsfile2", oDeprecated },
-        { "forwardx11timeout", oForwardX11Timeout },
-        { "exitonforwardfailure", oExitOnForwardFailure },
-        { "xauthlocation", oXAuthLocation },
-        { "gatewayports", oGatewayPorts },
-        { "useprivilegedport", oUsePrivilegedPort },
        { "rhostsauthentication", oDeprecated },
-        { "passwordauthentication", oPasswordAuthentication },
-        { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
-        { "kbdinteractivedevices", oKbdInteractiveDevices },
        { "useblacklistedkeys", oDeprecated },
-        { "rsaauthentication", oRSAAuthentication },
+        { "userknownhostsfile2", oDeprecated },
-        { "pubkeyauthentication", oPubkeyAuthentication },
+        { "useroaming", oDeprecated },
-        { "dsaauthentication", oPubkeyAuthentication },             /* alias */
+        { "usersh", oDeprecated },
-        { "rhostsrsaauthentication", oRhostsRSAAuthentication },
-        { "hostbasedauthentication", oHostbasedAuthentication },
+        /* Unsupported options */
-        { "challengeresponseauthentication", oChallengeResponseAuthentication },
+        { "afstokenpassing", oUnsupported },
-        { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
-        { "tisauthentication", oChallengeResponseAuthentication },  /* alias */
        { "kerberosauthentication", oUnsupported },
        { "kerberostgtpassing", oUnsupported },
-        { "afstokenpassing", oUnsupported },
+        /* Sometimes-unsupported options */
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
        { "gssapikeyexchange", oGssKeyEx },
@@ -215,16 +206,49 @@ static struct {
        { "gssapiclientidentity", oGssClientIdentity },
        { "gssapiserveridentity", oGssServerIdentity },
        { "gssapirenewalforcesrekey", oGssRenewalRekey },
-#else
+# else
        { "gssapiauthentication", oUnsupported },
        { "gssapikeyexchange", oUnsupported },
        { "gssapidelegatecredentials", oUnsupported },
        { "gssapitrustdns", oUnsupported },
        { "gssapiclientidentity", oUnsupported },
+        { "gssapiserveridentity", oUnsupported },
        { "gssapirenewalforcesrekey", oUnsupported },
 #endif
-        { "fallbacktorsh", oDeprecated },
+#ifdef ENABLE_PKCS11
-        { "usersh", oDeprecated },
+        { "smartcarddevice", oPKCS11Provider },
+        { "pkcs11provider", oPKCS11Provider },
+# else
+        { "smartcarddevice", oUnsupported },
+        { "pkcs11provider", oUnsupported },
+#endif
+#ifdef WITH_SSH1
+        { "rsaauthentication", oRSAAuthentication },
+        { "rhostsrsaauthentication", oRhostsRSAAuthentication },
+        { "compressionlevel", oCompressionLevel },
+# else
+        { "rsaauthentication", oUnsupported },
+        { "rhostsrsaauthentication", oUnsupported },
+        { "compressionlevel", oUnsupported },
+#endif
+        { "forwardagent", oForwardAgent },
+        { "forwardx11", oForwardX11 },
+        { "forwardx11trusted", oForwardX11Trusted },
+        { "forwardx11timeout", oForwardX11Timeout },
+        { "exitonforwardfailure", oExitOnForwardFailure },
+        { "xauthlocation", oXAuthLocation },
+        { "gatewayports", oGatewayPorts },
+        { "useprivilegedport", oUsePrivilegedPort },
+        { "passwordauthentication", oPasswordAuthentication },
+        { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
+        { "kbdinteractivedevices", oKbdInteractiveDevices },
+        { "pubkeyauthentication", oPubkeyAuthentication },
+        { "dsaauthentication", oPubkeyAuthentication },             /* alias */
+        { "hostbasedauthentication", oHostbasedAuthentication },
+        { "challengeresponseauthentication", oChallengeResponseAuthentication },
+        { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
+        { "tisauthentication", oChallengeResponseAuthentication },  /* alias */
        { "identityfile", oIdentityFile },
        { "identityfile2", oIdentityFile },                     /* obsolete */
        { "identitiesonly", oIdentitiesOnly },
@@ -246,15 +270,12 @@ static struct {
        { "match", oMatch },
        { "escapechar", oEscapeChar },
        { "globalknownhostsfile", oGlobalKnownHostsFile },
-        { "globalknownhostsfile2", oDeprecated },
        { "userknownhostsfile", oUserKnownHostsFile },
-        { "userknownhostsfile2", oDeprecated },
        { "connectionattempts", oConnectionAttempts },
        { "batchmode", oBatchMode },
        { "checkhostip", oCheckHostIP },
        { "stricthostkeychecking", oStrictHostKeyChecking },
        { "compression", oCompression },
-        { "compressionlevel", oCompressionLevel },
        { "tcpkeepalive", oTCPKeepAlive },
        { "keepalive", oTCPKeepAlive },                         /* obsolete */
        { "numberofpasswordprompts", oNumberOfPasswordPrompts },
@@ -263,13 +284,6 @@ static struct {
        { "preferredauthentications", oPreferredAuthentications },
        { "hostkeyalgorithms", oHostKeyAlgorithms },
        { "bindaddress", oBindAddress },
-#ifdef ENABLE_PKCS11
-        { "smartcarddevice", oPKCS11Provider },
-        { "pkcs11provider", oPKCS11Provider },
-#else
-        { "smartcarddevice", oUnsupported },
-        { "pkcs11provider", oUnsupported },
-#endif
        { "clearallforwardings", oClearAllForwardings },
        { "enablesshkeysign", oEnableSSHKeysign },
        { "verifyhostkeydns", oVerifyHostKeyDNS },
@@ -290,7 +304,6 @@ static struct {
        { "localcommand", oLocalCommand },
        { "permitlocalcommand", oPermitLocalCommand },
        { "visualhostkey", oVisualHostKey },
-        { "useroaming", oDeprecated },
        { "kexalgorithms", oKexAlgorithms },
        { "ipqos", oIPQoS },
        { "requesttty", oRequestTTY },
@@ -845,11 +858,11 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
                activep = &cmdline;
        }
-        /* Strip trailing whitespace */
+        /* Strip trailing whitespace. Allow \f (form feed) at EOL only */
        if ((len = strlen(line)) == 0)
                return 0;
        for (len--; len > 0; len--) {
-                if (strchr(WHITESPACE, line[len]) == NULL)
+                if (strchr(WHITESPACE "\f", line[len]) == NULL)
                        break;
                line[len] = '\0';
        }
@@ -1217,7 +1230,7 @@ parse_int:
                arg = strdelim(&s);
                if (!arg || *arg == '\0')
                        fatal("%.200s line %d: Missing argument.", filename, linenum);
-                if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
+                if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
                        fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (*activep && options->ciphers == NULL)
@@ -1228,7 +1241,7 @@ parse_int:
                arg = strdelim(&s);
                if (!arg || *arg == '\0')
                        fatal("%.200s line %d: Missing argument.", filename, linenum);
-                if (!mac_valid(*arg == '+' ? arg + 1 : arg))
+                if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
                        fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (*activep && options->macs == NULL)
@@ -1240,7 +1253,8 @@ parse_int:
                if (!arg || *arg == '\0')
                        fatal("%.200s line %d: Missing argument.",
                            filename, linenum);
-                if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
+                if (*arg != '-' &&
+                    !kex_names_valid(*arg == '+' ? arg + 1 : arg))
                        fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
                            filename, linenum, arg ? arg : "<NONE>");
                if (*activep && options->kex_algorithms == NULL)
@@ -1254,7 +1268,8 @@ parse_keytypes:
                if (!arg || *arg == '\0')
                        fatal("%.200s line %d: Missing argument.",
                            filename, linenum);
-                if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+                if (*arg != '-' &&
+                    !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
                        fatal("%s line %d: Bad key types '%s'.",
                                filename, linenum, arg ? arg : "<NONE>");
                if (*activep && *charptr == NULL)
@@ -1523,6 +1538,7 @@ parse_keytypes:
                        if (r == GLOB_NOMATCH) {
                                debug("%.200s line %d: include %s matched no "
                                    "files",filename, linenum, arg2);
+                                free(arg2);
                                continue;
                        } else if (r != 0 || gl.gl_pathc < 0)
                                fatal("%.200s line %d: glob failed for %s.",
@@ -1539,6 +1555,11 @@ parse_keytypes:
                                    flags | SSHCONF_CHECKPERM |
                                    (oactive ? 0 : SSHCONF_NEVERMATCH),
                                    activep, depth + 1);
+                                if (r != 1 && errno != ENOENT) {
+                                        fatal("Can't open user config file "
+                                            "%.100s: %.100s", gl.gl_pathv[i],
+                                            strerror(errno));
+                                }
                                /*
                                 * don't let Match in includes clobber the
                                 * containing file's Match state.
@@ -1737,7 +1758,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
    int flags, int *activep, int depth)
 {
        FILE *f;
-        char line[1024];
+        char line[4096];
        int linenum;
        int bad_options = 0;
@@ -1766,6 +1787,8 @@ read_config_file_depth(const char *filename, struct passwd *pw,
        while (fgets(line, sizeof(line), f)) {
                /* Update line number counter. */
                linenum++;
+                if (strlen(line) == sizeof(line) - 1)
+                        fatal("%s line %d too long", filename, linenum);
                if (process_config_line_depth(options, pw, host, original_host,
                    line, filename, linenum, activep, flags, depth) != 0)
                        bad_options++;
@@ -2498,10 +2521,10 @@ dump_cfg_forwards(OpCodes code, u_int count, const struct Forward *fwds)
        /* oDynamicForward */
        for (i = 0; i < count; i++) {
                fwd = &fwds[i];
-                if (code == oDynamicForward &&
+                if (code == oDynamicForward && fwd->connect_host != NULL &&
                    strcmp(fwd->connect_host, "socks") != 0)
                        continue;
-                if (code == oLocalForward &&
+                if (code == oLocalForward && fwd->connect_host != NULL &&
                    strcmp(fwd->connect_host, "socks") == 0)
                        continue;
                printf("%s", lookup_opcode_name(code));
@@ -2574,8 +2597,10 @@ dump_client_config(Options *o, const char *host)
        dump_cfg_fmtint(oProxyUseFdpass, o->proxy_use_fdpass);
        dump_cfg_fmtint(oPubkeyAuthentication, o->pubkey_authentication);
        dump_cfg_fmtint(oRequestTTY, o->request_tty);
+#ifdef WITH_RSA1
        dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication);
        dump_cfg_fmtint(oRSAAuthentication, o->rsa_authentication);
+#endif
        dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
        dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);
        dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive);
@@ -2587,7 +2612,9 @@ dump_client_config(Options *o, const char *host)
        /* Integer options */
        dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots);
+#ifdef WITH_SSH1
        dump_cfg_int(oCompressionLevel, o->compression_level);
+#endif
        dump_cfg_int(oConnectionAttempts, o->connection_attempts);
        dump_cfg_int(oForwardX11Timeout, o->forward_x11_timeout);
        dump_cfg_int(oNumberOfPasswordPrompts, o->number_of_password_prompts);
@@ -2607,7 +2634,9 @@ dump_client_config(Options *o, const char *host)
        dump_cfg_string(oLocalCommand, o->local_command);
        dump_cfg_string(oLogLevel, log_level_name(o->log_level));
        dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);
+#ifdef ENABLE_PKCS11
        dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
+#endif
        dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);
        dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
        dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);

diff --git a/readconf.c b/readconf.c index d1091cbda..4d92d174b 100644 --- a/readconf.c +++ b/readconf.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: readconf.c,v 1.262 2016/10/25 04:08:13 jsg Exp $ */	1	/* $OpenBSD: readconf.c,v 1.270 2017/03/10 04:27:32 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -93,7 +93,7 @@
93		93
94	Host books.com	94	Host books.com
95	RemoteForward 9999 shadows.cs.hut.fi:9999	95	RemoteForward 9999 shadows.cs.hut.fi:9999
96	Cipher 3des	96	Ciphers 3des-cbc
97		97
98	Host fascist.blob.com	98	Host fascist.blob.com
99	Port 23123	99	Port 23123
@@ -108,7 +108,7 @@
108	PublicKeyAuthentication no	108	PublicKeyAuthentication no
109		109
110	Host *.su	110	Host *.su
111	Cipher none	111	Ciphers aes128-ctr
112	PasswordAuthentication no	112	PasswordAuthentication no
113		113
114	Host vpn.fake.com	114	Host vpn.fake.com
@@ -183,30 +183,21 @@ static struct {
183	const char *name;	183	const char *name;
184	OpCodes opcode;	184	OpCodes opcode;
185	} keywords[] = {	185	} keywords[] = {
186	{ "forwardagent", oForwardAgent },	186	/* Deprecated options */
187	{ "forwardx11", oForwardX11 },	187	{ "fallbacktorsh", oDeprecated },
188	{ "forwardx11trusted", oForwardX11Trusted },	188	{ "globalknownhostsfile2", oDeprecated },
189	{ "forwardx11timeout", oForwardX11Timeout },
190	{ "exitonforwardfailure", oExitOnForwardFailure },
191	{ "xauthlocation", oXAuthLocation },
192	{ "gatewayports", oGatewayPorts },
193	{ "useprivilegedport", oUsePrivilegedPort },
194	{ "rhostsauthentication", oDeprecated },	189	{ "rhostsauthentication", oDeprecated },
195	{ "passwordauthentication", oPasswordAuthentication },
196	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
197	{ "kbdinteractivedevices", oKbdInteractiveDevices },
198	{ "useblacklistedkeys", oDeprecated },	190	{ "useblacklistedkeys", oDeprecated },
199	{ "rsaauthentication", oRSAAuthentication },	191	{ "userknownhostsfile2", oDeprecated },
200	{ "pubkeyauthentication", oPubkeyAuthentication },	192	{ "useroaming", oDeprecated },
201	{ "dsaauthentication", oPubkeyAuthentication }, /* alias */	193	{ "usersh", oDeprecated },
202	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },	194
203	{ "hostbasedauthentication", oHostbasedAuthentication },	195	/* Unsupported options */
204	{ "challengeresponseauthentication", oChallengeResponseAuthentication },	196	{ "afstokenpassing", oUnsupported },
205	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
206	{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
207	{ "kerberosauthentication", oUnsupported },	197	{ "kerberosauthentication", oUnsupported },
208	{ "kerberostgtpassing", oUnsupported },	198	{ "kerberostgtpassing", oUnsupported },
209	{ "afstokenpassing", oUnsupported },	199
		200	/* Sometimes-unsupported options */
210	#if defined(GSSAPI)	201	#if defined(GSSAPI)
211	{ "gssapiauthentication", oGssAuthentication },	202	{ "gssapiauthentication", oGssAuthentication },
212	{ "gssapikeyexchange", oGssKeyEx },	203	{ "gssapikeyexchange", oGssKeyEx },
@@ -215,16 +206,49 @@ static struct {
215	{ "gssapiclientidentity", oGssClientIdentity },	206	{ "gssapiclientidentity", oGssClientIdentity },
216	{ "gssapiserveridentity", oGssServerIdentity },	207	{ "gssapiserveridentity", oGssServerIdentity },
217	{ "gssapirenewalforcesrekey", oGssRenewalRekey },	208	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
218	#else	209	# else
219	{ "gssapiauthentication", oUnsupported },	210	{ "gssapiauthentication", oUnsupported },
220	{ "gssapikeyexchange", oUnsupported },	211	{ "gssapikeyexchange", oUnsupported },
221	{ "gssapidelegatecredentials", oUnsupported },	212	{ "gssapidelegatecredentials", oUnsupported },
222	{ "gssapitrustdns", oUnsupported },	213	{ "gssapitrustdns", oUnsupported },
223	{ "gssapiclientidentity", oUnsupported },	214	{ "gssapiclientidentity", oUnsupported },
		215	{ "gssapiserveridentity", oUnsupported },
224	{ "gssapirenewalforcesrekey", oUnsupported },	216	{ "gssapirenewalforcesrekey", oUnsupported },
225	#endif	217	#endif
226	{ "fallbacktorsh", oDeprecated },	218	#ifdef ENABLE_PKCS11
227	{ "usersh", oDeprecated },	219	{ "smartcarddevice", oPKCS11Provider },
		220	{ "pkcs11provider", oPKCS11Provider },
		221	# else
		222	{ "smartcarddevice", oUnsupported },
		223	{ "pkcs11provider", oUnsupported },
		224	#endif
		225	#ifdef WITH_SSH1
		226	{ "rsaauthentication", oRSAAuthentication },
		227	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
		228	{ "compressionlevel", oCompressionLevel },
		229	# else
		230	{ "rsaauthentication", oUnsupported },
		231	{ "rhostsrsaauthentication", oUnsupported },
		232	{ "compressionlevel", oUnsupported },
		233	#endif
		234
		235	{ "forwardagent", oForwardAgent },
		236	{ "forwardx11", oForwardX11 },
		237	{ "forwardx11trusted", oForwardX11Trusted },
		238	{ "forwardx11timeout", oForwardX11Timeout },
		239	{ "exitonforwardfailure", oExitOnForwardFailure },
		240	{ "xauthlocation", oXAuthLocation },
		241	{ "gatewayports", oGatewayPorts },
		242	{ "useprivilegedport", oUsePrivilegedPort },
		243	{ "passwordauthentication", oPasswordAuthentication },
		244	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
		245	{ "kbdinteractivedevices", oKbdInteractiveDevices },
		246	{ "pubkeyauthentication", oPubkeyAuthentication },
		247	{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
		248	{ "hostbasedauthentication", oHostbasedAuthentication },
		249	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
		250	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
		251	{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
228	{ "identityfile", oIdentityFile },	252	{ "identityfile", oIdentityFile },
229	{ "identityfile2", oIdentityFile }, /* obsolete */	253	{ "identityfile2", oIdentityFile }, /* obsolete */
230	{ "identitiesonly", oIdentitiesOnly },	254	{ "identitiesonly", oIdentitiesOnly },
@@ -246,15 +270,12 @@ static struct {
246	{ "match", oMatch },	270	{ "match", oMatch },
247	{ "escapechar", oEscapeChar },	271	{ "escapechar", oEscapeChar },
248	{ "globalknownhostsfile", oGlobalKnownHostsFile },	272	{ "globalknownhostsfile", oGlobalKnownHostsFile },
249	{ "globalknownhostsfile2", oDeprecated },
250	{ "userknownhostsfile", oUserKnownHostsFile },	273	{ "userknownhostsfile", oUserKnownHostsFile },
251	{ "userknownhostsfile2", oDeprecated },
252	{ "connectionattempts", oConnectionAttempts },	274	{ "connectionattempts", oConnectionAttempts },
253	{ "batchmode", oBatchMode },	275	{ "batchmode", oBatchMode },
254	{ "checkhostip", oCheckHostIP },	276	{ "checkhostip", oCheckHostIP },
255	{ "stricthostkeychecking", oStrictHostKeyChecking },	277	{ "stricthostkeychecking", oStrictHostKeyChecking },
256	{ "compression", oCompression },	278	{ "compression", oCompression },
257	{ "compressionlevel", oCompressionLevel },
258	{ "tcpkeepalive", oTCPKeepAlive },	279	{ "tcpkeepalive", oTCPKeepAlive },
259	{ "keepalive", oTCPKeepAlive }, /* obsolete */	280	{ "keepalive", oTCPKeepAlive }, /* obsolete */
260	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },	281	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
@@ -263,13 +284,6 @@ static struct {
263	{ "preferredauthentications", oPreferredAuthentications },	284	{ "preferredauthentications", oPreferredAuthentications },
264	{ "hostkeyalgorithms", oHostKeyAlgorithms },	285	{ "hostkeyalgorithms", oHostKeyAlgorithms },
265	{ "bindaddress", oBindAddress },	286	{ "bindaddress", oBindAddress },
266	#ifdef ENABLE_PKCS11
267	{ "smartcarddevice", oPKCS11Provider },
268	{ "pkcs11provider", oPKCS11Provider },
269	#else
270	{ "smartcarddevice", oUnsupported },
271	{ "pkcs11provider", oUnsupported },
272	#endif
273	{ "clearallforwardings", oClearAllForwardings },	287	{ "clearallforwardings", oClearAllForwardings },
274	{ "enablesshkeysign", oEnableSSHKeysign },	288	{ "enablesshkeysign", oEnableSSHKeysign },
275	{ "verifyhostkeydns", oVerifyHostKeyDNS },	289	{ "verifyhostkeydns", oVerifyHostKeyDNS },
@@ -290,7 +304,6 @@ static struct {
290	{ "localcommand", oLocalCommand },	304	{ "localcommand", oLocalCommand },
291	{ "permitlocalcommand", oPermitLocalCommand },	305	{ "permitlocalcommand", oPermitLocalCommand },
292	{ "visualhostkey", oVisualHostKey },	306	{ "visualhostkey", oVisualHostKey },
293	{ "useroaming", oDeprecated },
294	{ "kexalgorithms", oKexAlgorithms },	307	{ "kexalgorithms", oKexAlgorithms },
295	{ "ipqos", oIPQoS },	308	{ "ipqos", oIPQoS },
296	{ "requesttty", oRequestTTY },	309	{ "requesttty", oRequestTTY },
@@ -845,11 +858,11 @@ process_config_line_depth(Options options, struct passwd pw, const char *host,
845	activep = &cmdline;	858	activep = &cmdline;
846	}	859	}
847		860
848	/* Strip trailing whitespace */	861	/* Strip trailing whitespace. Allow \f (form feed) at EOL only */
849	if ((len = strlen(line)) == 0)	862	if ((len = strlen(line)) == 0)
850	return 0;	863	return 0;
851	for (len--; len > 0; len--) {	864	for (len--; len > 0; len--) {
852	if (strchr(WHITESPACE, line[len]) == NULL)	865	if (strchr(WHITESPACE "\f", line[len]) == NULL)
853	break;	866	break;
854	line[len] = '\0';	867	line[len] = '\0';
855	}	868	}
@@ -1217,7 +1230,7 @@ parse_int:
1217	arg = strdelim(&s);	1230	arg = strdelim(&s);
1218	if (!arg \|\| *arg == '\0')	1231	if (!arg \|\| *arg == '\0')
1219	fatal("%.200s line %d: Missing argument.", filename, linenum);	1232	fatal("%.200s line %d: Missing argument.", filename, linenum);
1220	if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))	1233	if (arg != '-' && !ciphers_valid(arg == '+' ? arg + 1 : arg))
1221	fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",	1234	fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
1222	filename, linenum, arg ? arg : "<NONE>");	1235	filename, linenum, arg ? arg : "<NONE>");
1223	if (*activep && options->ciphers == NULL)	1236	if (*activep && options->ciphers == NULL)
@@ -1228,7 +1241,7 @@ parse_int:
1228	arg = strdelim(&s);	1241	arg = strdelim(&s);
1229	if (!arg \|\| *arg == '\0')	1242	if (!arg \|\| *arg == '\0')
1230	fatal("%.200s line %d: Missing argument.", filename, linenum);	1243	fatal("%.200s line %d: Missing argument.", filename, linenum);
1231	if (!mac_valid(*arg == '+' ? arg + 1 : arg))	1244	if (arg != '-' && !mac_valid(arg == '+' ? arg + 1 : arg))
1232	fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",	1245	fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
1233	filename, linenum, arg ? arg : "<NONE>");	1246	filename, linenum, arg ? arg : "<NONE>");
1234	if (*activep && options->macs == NULL)	1247	if (*activep && options->macs == NULL)
@@ -1240,7 +1253,8 @@ parse_int:
1240	if (!arg \|\| *arg == '\0')	1253	if (!arg \|\| *arg == '\0')
1241	fatal("%.200s line %d: Missing argument.",	1254	fatal("%.200s line %d: Missing argument.",
1242	filename, linenum);	1255	filename, linenum);
1243	if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))	1256	if (*arg != '-' &&
		1257	!kex_names_valid(*arg == '+' ? arg + 1 : arg))
1244	fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",	1258	fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
1245	filename, linenum, arg ? arg : "<NONE>");	1259	filename, linenum, arg ? arg : "<NONE>");
1246	if (*activep && options->kex_algorithms == NULL)	1260	if (*activep && options->kex_algorithms == NULL)
@@ -1254,7 +1268,8 @@ parse_keytypes:
1254	if (!arg \|\| *arg == '\0')	1268	if (!arg \|\| *arg == '\0')
1255	fatal("%.200s line %d: Missing argument.",	1269	fatal("%.200s line %d: Missing argument.",
1256	filename, linenum);	1270	filename, linenum);
1257	if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))	1271	if (*arg != '-' &&
		1272	!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1258	fatal("%s line %d: Bad key types '%s'.",	1273	fatal("%s line %d: Bad key types '%s'.",
1259	filename, linenum, arg ? arg : "<NONE>");	1274	filename, linenum, arg ? arg : "<NONE>");
1260	if (activep && charptr == NULL)	1275	if (activep && charptr == NULL)
@@ -1523,6 +1538,7 @@ parse_keytypes:
1523	if (r == GLOB_NOMATCH) {	1538	if (r == GLOB_NOMATCH) {
1524	debug("%.200s line %d: include %s matched no "	1539	debug("%.200s line %d: include %s matched no "
1525	"files",filename, linenum, arg2);	1540	"files",filename, linenum, arg2);
		1541	free(arg2);
1526	continue;	1542	continue;
1527	} else if (r != 0 \|\| gl.gl_pathc < 0)	1543	} else if (r != 0 \|\| gl.gl_pathc < 0)
1528	fatal("%.200s line %d: glob failed for %s.",	1544	fatal("%.200s line %d: glob failed for %s.",
@@ -1539,6 +1555,11 @@ parse_keytypes:
1539	flags \| SSHCONF_CHECKPERM \|	1555	flags \| SSHCONF_CHECKPERM \|
1540	(oactive ? 0 : SSHCONF_NEVERMATCH),	1556	(oactive ? 0 : SSHCONF_NEVERMATCH),
1541	activep, depth + 1);	1557	activep, depth + 1);
		1558	if (r != 1 && errno != ENOENT) {
		1559	fatal("Can't open user config file "
		1560	"%.100s: %.100s", gl.gl_pathv[i],
		1561	strerror(errno));
		1562	}
1542	/*	1563	/*
1543	* don't let Match in includes clobber the	1564	* don't let Match in includes clobber the
1544	* containing file's Match state.	1565	* containing file's Match state.
@@ -1737,7 +1758,7 @@ read_config_file_depth(const char filename, struct passwd pw,
1737	int flags, int *activep, int depth)	1758	int flags, int *activep, int depth)
1738	{	1759	{
1739	FILE *f;	1760	FILE *f;
1740	char line[1024];	1761	char line[4096];
1741	int linenum;	1762	int linenum;
1742	int bad_options = 0;	1763	int bad_options = 0;
1743		1764
@@ -1766,6 +1787,8 @@ read_config_file_depth(const char filename, struct passwd pw,
1766	while (fgets(line, sizeof(line), f)) {	1787	while (fgets(line, sizeof(line), f)) {
1767	/* Update line number counter. */	1788	/* Update line number counter. */
1768	linenum++;	1789	linenum++;
		1790	if (strlen(line) == sizeof(line) - 1)
		1791	fatal("%s line %d too long", filename, linenum);
1769	if (process_config_line_depth(options, pw, host, original_host,	1792	if (process_config_line_depth(options, pw, host, original_host,
1770	line, filename, linenum, activep, flags, depth) != 0)	1793	line, filename, linenum, activep, flags, depth) != 0)
1771	bad_options++;	1794	bad_options++;
@@ -2498,10 +2521,10 @@ dump_cfg_forwards(OpCodes code, u_int count, const struct Forward *fwds)
2498	/* oDynamicForward */	2521	/* oDynamicForward */
2499	for (i = 0; i < count; i++) {	2522	for (i = 0; i < count; i++) {
2500	fwd = &fwds[i];	2523	fwd = &fwds[i];
2501	if (code == oDynamicForward &&	2524	if (code == oDynamicForward && fwd->connect_host != NULL &&
2502	strcmp(fwd->connect_host, "socks") != 0)	2525	strcmp(fwd->connect_host, "socks") != 0)
2503	continue;	2526	continue;
2504	if (code == oLocalForward &&	2527	if (code == oLocalForward && fwd->connect_host != NULL &&
2505	strcmp(fwd->connect_host, "socks") == 0)	2528	strcmp(fwd->connect_host, "socks") == 0)
2506	continue;	2529	continue;
2507	printf("%s", lookup_opcode_name(code));	2530	printf("%s", lookup_opcode_name(code));
@@ -2574,8 +2597,10 @@ dump_client_config(Options o, const char host)
2574	dump_cfg_fmtint(oProxyUseFdpass, o->proxy_use_fdpass);	2597	dump_cfg_fmtint(oProxyUseFdpass, o->proxy_use_fdpass);
2575	dump_cfg_fmtint(oPubkeyAuthentication, o->pubkey_authentication);	2598	dump_cfg_fmtint(oPubkeyAuthentication, o->pubkey_authentication);
2576	dump_cfg_fmtint(oRequestTTY, o->request_tty);	2599	dump_cfg_fmtint(oRequestTTY, o->request_tty);
		2600	#ifdef WITH_RSA1
2577	dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication);	2601	dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2578	dump_cfg_fmtint(oRSAAuthentication, o->rsa_authentication);	2602	dump_cfg_fmtint(oRSAAuthentication, o->rsa_authentication);
		2603	#endif
2579	dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);	2604	dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
2580	dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);	2605	dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);
2581	dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive);	2606	dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive);
@@ -2587,7 +2612,9 @@ dump_client_config(Options o, const char host)
2587		2612
2588	/* Integer options */	2613	/* Integer options */
2589	dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots);	2614	dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots);
		2615	#ifdef WITH_SSH1
2590	dump_cfg_int(oCompressionLevel, o->compression_level);	2616	dump_cfg_int(oCompressionLevel, o->compression_level);
		2617	#endif
2591	dump_cfg_int(oConnectionAttempts, o->connection_attempts);	2618	dump_cfg_int(oConnectionAttempts, o->connection_attempts);
2592	dump_cfg_int(oForwardX11Timeout, o->forward_x11_timeout);	2619	dump_cfg_int(oForwardX11Timeout, o->forward_x11_timeout);
2593	dump_cfg_int(oNumberOfPasswordPrompts, o->number_of_password_prompts);	2620	dump_cfg_int(oNumberOfPasswordPrompts, o->number_of_password_prompts);
@@ -2607,7 +2634,9 @@ dump_client_config(Options o, const char host)
2607	dump_cfg_string(oLocalCommand, o->local_command);	2634	dump_cfg_string(oLocalCommand, o->local_command);
2608	dump_cfg_string(oLogLevel, log_level_name(o->log_level));	2635	dump_cfg_string(oLogLevel, log_level_name(o->log_level));
2609	dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);	2636	dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);
		2637	#ifdef ENABLE_PKCS11
2610	dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);	2638	dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
		2639	#endif
2611	dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);	2640	dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);
2612	dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);	2641	dump_cfg_string(oPubkeyAcceptedKeyTypes, o->pubkey_key_types);
2613	dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);	2642	dump_cfg_string(oRevokedHostKeys, o->revoked_host_keys);