Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 60 |
1 files changed, 52 insertions, 8 deletions
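diff --git a/servconf.c b/servconf.c
index 8ca9695a2..a98b30938 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.285 2016/02/17 05:29:04 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.292 2016/06/23 05:17:51 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -390,6 +390,14 @@ fill_default_server_options(ServerOptions *options)
 CLEAR_ON_NONE(options->host_cert_files[i]);
 #undef CLEAR_ON_NONE
 
+/* Similar handling for AuthenticationMethods=any */
+if (options->num_auth_methods == 1 &&
+strcmp(options->auth_methods[0], "any") == 0) {
+free(options->auth_methods[0]);
+options->auth_methods[0] = NULL;
+options->num_auth_methods = 0;
+}
+
 #ifndef HAVE_MMAP
 if (use_privsep && options->compression == 1) {
 error("This platform does not support both privilege "
@@ -727,14 +735,15 @@ process_queued_listen_addrs(ServerOptions *options)
 struct connection_info *
 get_connection_info(int populate, int use_dns)
 {
+struct ssh *ssh = active_state; /* XXX */
 static struct connection_info ci;
 
 if (!populate)
 return &ci;
-ci.host = get_canonical_hostname(use_dns);
-ci.address = get_remote_ipaddr();
-ci.laddress = get_local_ipaddr(packet_get_connection_in());
-ci.lport = get_local_port();
+ci.host = auth_get_canonical_hostname(ssh, use_dns);
+ci.address = ssh_remote_ipaddr(ssh);
+ci.laddress = ssh_local_ipaddr(ssh);
+ci.lport = ssh_local_port(ssh);
 return &ci;
 }
 
@@ -1832,21 +1841,41 @@ process_server_config_line(ServerOptions *options, char *line,
 
 case sAuthenticationMethods:
 if (options->num_auth_methods == 0) {
+value = 0; /* seen "any" pseudo-method */
+value2 = 0; /* sucessfully parsed any method */
 while ((arg = strdelim(&cp)) && *arg != '\0') {
 if (options->num_auth_methods >=
 MAX_AUTH_METHODS)
 fatal("%s line %d: "
 "too many authentication methods.",
 filename, linenum);
-if (auth2_methods_valid(arg, 0) != 0)
+if (strcmp(arg, "any") == 0) {
+if (options->num_auth_methods > 0) {
+fatal("%s line %d: \"any\" "
+"must appear alone in "
+"AuthenticationMethods",
+filename, linenum);
+}
+value = 1;
+} else if (value) {
+fatal("%s line %d: \"any\" must appear "
+"alone in AuthenticationMethods",
+filename, linenum);
+} else if (auth2_methods_valid(arg, 0) != 0) {
 fatal("%s line %d: invalid "
 "authentication method list.",
 filename, linenum);
+}
+value2 = 1;
 if (!*activep)
 continue;
 options->auth_methods[
 options->num_auth_methods++] = xstrdup(arg);
 }
+if (value2 == 0) {
+fatal("%s line %d: no AuthenticationMethods "
+"specified", filename, linenum);
+}
 }
 return 0;
 
@@ -2026,6 +2055,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 M_CP_INTOPT(allow_agent_forwarding);
 M_CP_INTOPT(permit_tun);
 M_CP_INTOPT(fwd_opts.gateway_ports);
+M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
 M_CP_INTOPT(x11_display_offset);
 M_CP_INTOPT(x11_forwarding);
 M_CP_INTOPT(x11_use_localhost);
@@ -2038,6 +2068,16 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 M_CP_INTOPT(rekey_limit);
 M_CP_INTOPT(rekey_interval);
 
+/*
+* The bind_mask is a mode_t that may be unsigned, so we can't use
+* M_CP_INTOPT - it does a signed comparison that causes compiler
+* warnings.
+*/
+if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
+dst->fwd_opts.streamlocal_bind_mask =
+src->fwd_opts.streamlocal_bind_mask;
+}
+
 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
 #define M_CP_STROPT(n) do {\
 if (src->n != NULL && dst->n != src->n) { \
@@ -2091,7 +2131,8 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
 
 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
 
-obuf = cbuf = xstrdup(buffer_ptr(conf));
+if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
+fatal("%s: sshbuf_dup_string failed", __func__);
 active = connectinfo ? 0 : 1;
 linenum = 1;
 while ((cp = strsep(&cbuf, "\n")) != NULL) {
@@ -2215,11 +2256,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
 {
 u_int i;
 
-if (count <= 0)
+if (count <= 0 && code != sAuthenticationMethods)
 return;
 printf("%s", lookup_opcode_name(code));
 for (i = 0; i < count; i++)
 printf(" %s", vals[i]);
+if (code == sAuthenticationMethods && count == 0)
+printf(" any");
 printf("\n");
 }
 
@@ -2327,6 +2370,7 @@ dump_config(ServerOptions *o)
 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
+dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 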
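Review bot: The "any" pseudo-method is only normalised back to an empty list in fill_default_server_options (the @@ -390 hunk, which checks `num_auth_methods == 1 && strcmp(options->auth_methods[0], "any") == 0`); in the sAuthenticationMethods hunk of process_server_config_line the literal string "any" is still stored through `xstrdup(arg)`, and nothing in this diff shows that list being normalised when it is set in a Match block and later copied by copy_set_server_options, so it is worth confirming that the Match case is either handled elsewhere or explicitly rejected. If it is not, a copied single-entry "any" list would presumably be interpreted as a method name rather than as "reset to the default", which is the opposite of what the administrator configured. Separately, the new comment on the `value2` initialiser has a typo and should read `value2 = 0; /* successfully parsed any method */`. process_server_config_line begins and ends outside this hunk.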