Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c70
1 files changed, 65 insertions, 5 deletions
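diff --git a/readconf.c b/readconf.c
index 73f6eb361..7ad5a8e18 100644
--- a/readconf.c
+++ b/readconf.c
@@ -28,6 +28,8 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -123,14 +125,18 @@ typedef enum {
 	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
+	oUseBlacklistedKeys,
 	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+	oGssKeyEx,
+	oGssTrustDns,
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 	oVisualHostKey,
+	oProtocolKeepAlives, oSetupTimeOut,
 	oDeprecated, oUnsupported
 } OpCodes;
 
@@ -151,6 +157,7 @@ static struct {
 	{ "passwordauthentication", oPasswordAuthentication },
 	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
 	{ "kbdinteractivedevices", oKbdInteractiveDevices },
+	{ "useblacklistedkeys", oUseBlacklistedKeys },
 	{ "rsaauthentication", oRSAAuthentication },
 	{ "pubkeyauthentication", oPubkeyAuthentication },
 	{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
@@ -164,10 +171,14 @@ static struct {
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
+	{ "gssapikeyexchange", oGssKeyEx },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
+	{ "gssapitrustdns", oGssTrustDns },
 #else
 	{ "gssapiauthentication", oUnsupported },
+	{ "gssapikeyexchange", oUnsupported },
 	{ "gssapidelegatecredentials", oUnsupported },
+	{ "gssapitrustdns", oUnsupported },
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
@@ -228,6 +239,8 @@ static struct {
 	{ "localcommand", oLocalCommand },
 	{ "permitlocalcommand", oPermitLocalCommand },
 	{ "visualhostkey", oVisualHostKey },
+	{ "protocolkeepalives", oProtocolKeepAlives },
+	{ "setuptimeout", oSetupTimeOut },
 	{ NULL, oBadOption }
 };
 
@@ -440,14 +453,26 @@ parse_flag:
 		intptr = &options->challenge_response_authentication;
 		goto parse_flag;
 
+	case oUseBlacklistedKeys:
+		intptr = &options->use_blacklisted_keys;
+		goto parse_flag;
+
 	case oGssAuthentication:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
 
+	case oGssKeyEx:
+		intptr = &options->gss_keyex;
+		goto parse_flag;
+
 	case oGssDelegateCreds:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
 
+	case oGssTrustDns:
+		intptr = &options->gss_trust_dns;
+		goto parse_flag;
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
@@ -820,6 +845,8 @@ parse_int:
 		goto parse_flag;
 
 	case oServerAliveInterval:
+	case oProtocolKeepAlives: /* Debian-specific compatibility alias */
+	case oSetupTimeOut: /* Debian-specific compatibility alias */
 		intptr = &options->server_alive_interval;
 		goto parse_time;
 
@@ -965,11 +992,30 @@ read_config_file(const char *filename, const char *host, Options *options,
 
 	if (checkperm) {
 		struct stat sb;
+		int bad_modes = 0;
 
 		if (fstat(fileno(f), &sb) == -1)
 			fatal("fstat %s: %s", filename, strerror(errno));
-		if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
-		    (sb.st_mode & 022) != 0))
+		if (sb.st_uid != 0 && sb.st_uid != getuid())
+			bad_modes = 1;
+		if ((sb.st_mode & 020) != 0) {
+			/* If the file is group-writable, the group in
+			 * question must have at most one member, namely the
+			 * file's owner.
+			 */
+			struct passwd *pw = getpwuid(sb.st_uid);
+			struct group *gr = getgrgid(sb.st_gid);
+			if (!pw || !gr)
+				bad_modes = 1;
+			else if (gr->gr_mem[0]) {
+				if (strcmp(pw->pw_name, gr->gr_mem[0]) ||
+				    gr->gr_mem[1])
+					bad_modes = 1;
+			}
+		}
+		if ((sb.st_mode & 002) != 0)
+			bad_modes = 1;
+		if (bad_modes)
 			fatal("Bad owner or permissions on %s", filename);
 	}
 
@@ -1016,12 +1062,15 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
+	options->gss_keyex = -1;
 	options->gss_deleg_creds = -1;
+	options->gss_trust_dns = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
 	options->rhosts_rsa_authentication = -1;
 	options->hostbased_authentication = -1;
+	options->use_blacklisted_keys = -1;
 	options->batch_mode = -1;
 	options->check_host_ip = -1;
 	options->strict_host_key_checking = -1;
@@ -1089,7 +1138,7 @@ fill_default_options(Options * options)
 	if (options->forward_x11 == -1)
 		options->forward_x11 = 0;
 	if (options->forward_x11_trusted == -1)
-		options->forward_x11_trusted = 0;
+		options->forward_x11_trusted = 1;
 	if (options->exit_on_forward_failure == -1)
 		options->exit_on_forward_failure = 0;
 	if (options->xauth_location == NULL)
@@ -1106,8 +1155,12 @@ fill_default_options(Options * options)
 		options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
+	if (options->gss_keyex == -1)
+		options->gss_keyex = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
+	if (options->gss_trust_dns == -1)
+		options->gss_trust_dns = 0;
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
@@ -1116,6 +1169,8 @@ fill_default_options(Options * options)
 		options->rhosts_rsa_authentication = 0;
 	if (options->hostbased_authentication == -1)
 		options->hostbased_authentication = 0;
+	if (options->use_blacklisted_keys == -1)
+		options->use_blacklisted_keys = 0;
 	if (options->batch_mode == -1)
 		options->batch_mode = 0;
 	if (options->check_host_ip == -1)
@@ -1190,8 +1245,13 @@ fill_default_options(Options * options)
 		options->rekey_limit = 0;
 	if (options->verify_host_key_dns == -1)
 		options->verify_host_key_dns = 0;
-	if (options->server_alive_interval == -1)
-		options->server_alive_interval = 0;
+	if (options->server_alive_interval == -1) {
+		/* in batch mode, default is 5mins */
+		if (options->batch_mode == 1)
+			options->server_alive_interval = 300;
+		else
+			options->server_alive_interval = 0;
+	}
 	if (options->server_alive_count_max == -1)
 		options->server_alive_count_max = 3;
 	if (options->control_master == -1)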
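Review bot: The group-writable branch in read_config_file accepts the file whenever getgrgid() returns an empty gr_mem list, but gr_mem holds only the supplementary members recorded in the group database, not accounts whose primary GID is that group, so a config whose group is a shared primary group with no explicit members passes as though the owner were its sole member. The check is sound only under the user-private-groups convention it silently assumes, and that assumption belongs in the comment, e.g. `/* Assumes user-private groups: gr_mem omits accounts whose primary GID is this group, so an empty member list alone does not prove the owner is the sole member. */`. If the Debian layout permits it, one cheap tightening is to also require the group to be the owner's own primary group, `else if (sb.st_gid != pw->pw_gid) bad_modes = 1;` ahead of the gr_mem test, though that would reject configs deliberately owned by another single-member group, so it needs confirming against the intended deployments. Separately, the hunk that changes the forward_x11_trusted default from 0 to 1 carries no comment on why trusted X11 forwarding is now the default; a one-line why-comment there would spare the next reader a trip through the changelog. read_config_file and fill_default_options both begin and end outside their hunks.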