Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c30
1 files changed, 25 insertions, 5 deletions
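diff --git a/readconf.c b/readconf.c
index 091029a19..656a2519f 100644
--- a/readconf.c
+++ b/readconf.c
@@ -30,6 +30,8 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -125,6 +127,7 @@ typedef enum {
  oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
  oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
  oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
+ oUseBlacklistedKeys,
  oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
  oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -137,6 +140,7 @@ typedef enum {
  oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
  oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
  oKexAlgorithms, oIPQoS,
+ oProtocolKeepAlives, oSetupTimeOut,
  oDeprecated, oUnsupported
 } OpCodes;
 
@@ -158,6 +162,7 @@ static struct {
  { "passwordauthentication", oPasswordAuthentication },
  { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
  { "kbdinteractivedevices", oKbdInteractiveDevices },
+ { "useblacklistedkeys", oUseBlacklistedKeys },
  { "rsaauthentication", oRSAAuthentication },
  { "pubkeyauthentication", oPubkeyAuthentication },
  { "dsaauthentication", oPubkeyAuthentication }, /* alias */
@@ -256,6 +261,8 @@ static struct {
 #endif
  { "kexalgorithms", oKexAlgorithms },
  { "ipqos", oIPQoS },
+ { "protocolkeepalives", oProtocolKeepAlives },
+ { "setuptimeout", oSetupTimeOut },
 
  { NULL, oBadOption }
 };
@@ -486,6 +493,10 @@ parse_flag:
  intptr = &options->challenge_response_authentication;
  goto parse_flag;
 
+ case oUseBlacklistedKeys:
+ intptr = &options->use_blacklisted_keys;
+ goto parse_flag;
+
  case oGssAuthentication:
  intptr = &options->gss_authentication;
  goto parse_flag;
@@ -882,6 +893,8 @@ parse_int:
  goto parse_flag;
 
  case oServerAliveInterval:
+ case oProtocolKeepAlives: /* Debian-specific compatibility alias */
+ case oSetupTimeOut: /* Debian-specific compatibility alias */
  intptr = &options->server_alive_interval;
  goto parse_time;
 
@@ -1074,8 +1087,7 @@ read_config_file(const char *filename, const char *host, Options *options,
 
  if (fstat(fileno(f), &sb) == -1)
  fatal("fstat %s: %s", filename, strerror(errno));
- if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
- (sb.st_mode & 022) != 0))
+ if (!secure_permissions(&sb, getuid()))
  fatal("Bad owner or permissions on %s", filename);
  }
 
@@ -1134,6 +1146,7 @@ initialize_options(Options * options)
  options->kbd_interactive_devices = NULL;
  options->rhosts_rsa_authentication = -1;
  options->hostbased_authentication = -1;
+ options->use_blacklisted_keys = -1;
  options->batch_mode = -1;
  options->check_host_ip = -1;
  options->strict_host_key_checking = -1;
@@ -1210,7 +1223,7 @@ fill_default_options(Options * options)
  if (options->forward_x11 == -1)
  options->forward_x11 = 0;
  if (options->forward_x11_trusted == -1)
- options->forward_x11_trusted = 0;
+ options->forward_x11_trusted = 1;
  if (options->forward_x11_timeout == -1)
  options->forward_x11_timeout = 1200;
  if (options->exit_on_forward_failure == -1)
@@ -1245,6 +1258,8 @@ fill_default_options(Options * options)
  options->rhosts_rsa_authentication = 0;
  if (options->hostbased_authentication == -1)
  options->hostbased_authentication = 0;
+ if (options->use_blacklisted_keys == -1)
+ options->use_blacklisted_keys = 0;
  if (options->batch_mode == -1)
  options->batch_mode = 0;
  if (options->check_host_ip == -1)
@@ -1327,8 +1342,13 @@ fill_default_options(Options * options)
  options->rekey_limit = 0;
  if (options->verify_host_key_dns == -1)
  options->verify_host_key_dns = 0;
- if (options->server_alive_interval == -1)
- options->server_alive_interval = 0;
+ if (options->server_alive_interval == -1) {
+ /* in batch mode, default is 5mins */
+ if (options->batch_mode == 1)
+ options->server_alive_interval = 300;
+ else
+ options->server_alive_interval = 0;
+ }
  if (options->server_alive_count_max == -1)
  options->server_alive_count_max = 3;
  if (options->control_master == -1)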