summaryrefslogtreecommitdiff
path: root/servconf.c
diff options
context:
space:
mode:
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c84
1 files changed, 57 insertions, 27 deletions
diff --git a/servconf.c b/servconf.c
index 802db1d79..63ff4ffbc 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */ 2/* $OpenBSD: servconf.c,v 1.248 2013/12/06 13:39:49 markus Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions *options)
92 options->x11_forwarding = -1; 92 options->x11_forwarding = -1;
93 options->x11_display_offset = -1; 93 options->x11_display_offset = -1;
94 options->x11_use_localhost = -1; 94 options->x11_use_localhost = -1;
95 options->permit_tty = -1;
95 options->xauth_location = NULL; 96 options->xauth_location = NULL;
96 options->strict_modes = -1; 97 options->strict_modes = -1;
97 options->tcp_keep_alive = -1; 98 options->tcp_keep_alive = -1;
@@ -183,6 +184,8 @@ fill_default_server_options(ServerOptions *options)
183 options->host_key_files[options->num_host_key_files++] = 184 options->host_key_files[options->num_host_key_files++] =
184 _PATH_HOST_ECDSA_KEY_FILE; 185 _PATH_HOST_ECDSA_KEY_FILE;
185#endif 186#endif
187 options->host_key_files[options->num_host_key_files++] =
188 _PATH_HOST_ED25519_KEY_FILE;
186 } 189 }
187 } 190 }
188 /* No certificates by default */ 191 /* No certificates by default */
@@ -216,6 +219,8 @@ fill_default_server_options(ServerOptions *options)
216 options->x11_use_localhost = 1; 219 options->x11_use_localhost = 1;
217 if (options->xauth_location == NULL) 220 if (options->xauth_location == NULL)
218 options->xauth_location = _PATH_XAUTH; 221 options->xauth_location = _PATH_XAUTH;
222 if (options->permit_tty == -1)
223 options->permit_tty = 1;
219 if (options->strict_modes == -1) 224 if (options->strict_modes == -1)
220 options->strict_modes = 1; 225 options->strict_modes = 1;
221 if (options->tcp_keep_alive == -1) 226 if (options->tcp_keep_alive == -1)
@@ -341,7 +346,7 @@ typedef enum {
341 sListenAddress, sAddressFamily, 346 sListenAddress, sAddressFamily,
342 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 347 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
343 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 348 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
344 sStrictModes, sEmptyPasswd, sTCPKeepAlive, 349 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
345 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 350 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
346 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 351 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
347 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 352 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@@ -488,6 +493,7 @@ static struct {
488 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, 493 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
489 { "acceptenv", sAcceptEnv, SSHCFG_ALL }, 494 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
490 { "permittunnel", sPermitTunnel, SSHCFG_ALL }, 495 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
496 { "permittty", sPermitTTY, SSHCFG_ALL },
491 { "match", sMatch, SSHCFG_ALL }, 497 { "match", sMatch, SSHCFG_ALL },
492 { "permitopen", sPermitOpen, SSHCFG_ALL }, 498 { "permitopen", sPermitOpen, SSHCFG_ALL },
493 { "forcecommand", sForceCommand, SSHCFG_ALL }, 499 { "forcecommand", sForceCommand, SSHCFG_ALL },
@@ -668,13 +674,13 @@ out:
668 674
669/* 675/*
670 * All of the attributes on a single Match line are ANDed together, so we need 676 * All of the attributes on a single Match line are ANDed together, so we need
671 * to check every * attribute and set the result to zero if any attribute does 677 * to check every attribute and set the result to zero if any attribute does
672 * not match. 678 * not match.
673 */ 679 */
674static int 680static int
675match_cfg_line(char **condition, int line, struct connection_info *ci) 681match_cfg_line(char **condition, int line, struct connection_info *ci)
676{ 682{
677 int result = 1, port; 683 int result = 1, attributes = 0, port;
678 char *arg, *attrib, *cp = *condition; 684 char *arg, *attrib, *cp = *condition;
679 size_t len; 685 size_t len;
680 686
@@ -688,6 +694,17 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
688 ci->laddress ? ci->laddress : "(null)", ci->lport); 694 ci->laddress ? ci->laddress : "(null)", ci->lport);
689 695
690 while ((attrib = strdelim(&cp)) && *attrib != '\0') { 696 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
697 attributes++;
698 if (strcasecmp(attrib, "all") == 0) {
699 if (attributes != 1 ||
700 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
701 error("'all' cannot be combined with other "
702 "Match attributes");
703 return -1;
704 }
705 *condition = cp;
706 return 1;
707 }
691 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { 708 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
692 error("Missing Match criteria for %s", attrib); 709 error("Missing Match criteria for %s", attrib);
693 return -1; 710 return -1;
@@ -781,6 +798,10 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
781 return -1; 798 return -1;
782 } 799 }
783 } 800 }
801 if (attributes == 0) {
802 error("One or more attributes required for Match");
803 return -1;
804 }
784 if (ci != NULL) 805 if (ci != NULL)
785 debug3("match %sfound", result ? "" : "not "); 806 debug3("match %sfound", result ? "" : "not ");
786 *condition = cp; 807 *condition = cp;
@@ -1156,6 +1177,10 @@ process_server_config_line(ServerOptions *options, char *line,
1156 charptr = &options->xauth_location; 1177 charptr = &options->xauth_location;
1157 goto parse_filename; 1178 goto parse_filename;
1158 1179
1180 case sPermitTTY:
1181 intptr = &options->permit_tty;
1182 goto parse_flag;
1183
1159 case sStrictModes: 1184 case sStrictModes:
1160 intptr = &options->strict_modes; 1185 intptr = &options->strict_modes;
1161 goto parse_flag; 1186 goto parse_flag;
@@ -1762,24 +1787,6 @@ int server_match_spec_complete(struct connection_info *ci)
1762 return 0; /* partial */ 1787 return 0; /* partial */
1763} 1788}
1764 1789
1765/* Helper macros */
1766#define M_CP_INTOPT(n) do {\
1767 if (src->n != -1) \
1768 dst->n = src->n; \
1769} while (0)
1770#define M_CP_STROPT(n) do {\
1771 if (src->n != NULL) { \
1772 free(dst->n); \
1773 dst->n = src->n; \
1774 } \
1775} while(0)
1776#define M_CP_STRARRAYOPT(n, num_n) do {\
1777 if (src->num_n != 0) { \
1778 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1779 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1780 } \
1781} while(0)
1782
1783/* 1790/*
1784 * Copy any supported values that are set. 1791 * Copy any supported values that are set.
1785 * 1792 *
@@ -1790,6 +1797,11 @@ int server_match_spec_complete(struct connection_info *ci)
1790void 1797void
1791copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) 1798copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1792{ 1799{
1800#define M_CP_INTOPT(n) do {\
1801 if (src->n != -1) \
1802 dst->n = src->n; \
1803} while (0)
1804
1793 M_CP_INTOPT(password_authentication); 1805 M_CP_INTOPT(password_authentication);
1794 M_CP_INTOPT(gss_authentication); 1806 M_CP_INTOPT(gss_authentication);
1795 M_CP_INTOPT(rsa_authentication); 1807 M_CP_INTOPT(rsa_authentication);
@@ -1799,8 +1811,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1799 M_CP_INTOPT(hostbased_uses_name_from_packet_only); 1811 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1800 M_CP_INTOPT(kbd_interactive_authentication); 1812 M_CP_INTOPT(kbd_interactive_authentication);
1801 M_CP_INTOPT(zero_knowledge_password_authentication); 1813 M_CP_INTOPT(zero_knowledge_password_authentication);
1802 M_CP_STROPT(authorized_keys_command);
1803 M_CP_STROPT(authorized_keys_command_user);
1804 M_CP_INTOPT(permit_root_login); 1814 M_CP_INTOPT(permit_root_login);
1805 M_CP_INTOPT(permit_empty_passwd); 1815 M_CP_INTOPT(permit_empty_passwd);
1806 1816
@@ -1811,6 +1821,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1811 M_CP_INTOPT(x11_display_offset); 1821 M_CP_INTOPT(x11_display_offset);
1812 M_CP_INTOPT(x11_forwarding); 1822 M_CP_INTOPT(x11_forwarding);
1813 M_CP_INTOPT(x11_use_localhost); 1823 M_CP_INTOPT(x11_use_localhost);
1824 M_CP_INTOPT(permit_tty);
1814 M_CP_INTOPT(max_sessions); 1825 M_CP_INTOPT(max_sessions);
1815 M_CP_INTOPT(max_authtries); 1826 M_CP_INTOPT(max_authtries);
1816 M_CP_INTOPT(ip_qos_interactive); 1827 M_CP_INTOPT(ip_qos_interactive);
@@ -1818,6 +1829,20 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1818 M_CP_INTOPT(rekey_limit); 1829 M_CP_INTOPT(rekey_limit);
1819 M_CP_INTOPT(rekey_interval); 1830 M_CP_INTOPT(rekey_interval);
1820 1831
1832 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
1833#define M_CP_STROPT(n) do {\
1834 if (src->n != NULL && dst->n != src->n) { \
1835 free(dst->n); \
1836 dst->n = src->n; \
1837 } \
1838} while(0)
1839#define M_CP_STRARRAYOPT(n, num_n) do {\
1840 if (src->num_n != 0) { \
1841 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1842 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1843 } \
1844} while(0)
1845
1821 /* See comment in servconf.h */ 1846 /* See comment in servconf.h */
1822 COPY_MATCH_STRING_OPTS(); 1847 COPY_MATCH_STRING_OPTS();
1823 1848
@@ -2044,6 +2069,7 @@ dump_config(ServerOptions *o)
2044 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); 2069 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2045 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); 2070 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2046 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 2071 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2072 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2047 dump_cfg_fmtint(sStrictModes, o->strict_modes); 2073 dump_cfg_fmtint(sStrictModes, o->strict_modes);
2048 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 2074 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2049 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 2075 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
@@ -2058,8 +2084,9 @@ dump_config(ServerOptions *o)
2058 /* string arguments */ 2084 /* string arguments */
2059 dump_cfg_string(sPidFile, o->pid_file); 2085 dump_cfg_string(sPidFile, o->pid_file);
2060 dump_cfg_string(sXAuthLocation, o->xauth_location); 2086 dump_cfg_string(sXAuthLocation, o->xauth_location);
2061 dump_cfg_string(sCiphers, o->ciphers); 2087 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
2062 dump_cfg_string(sMacs, o->macs); 2088 cipher_alg_list(',', 0));
2089 dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(','));
2063 dump_cfg_string(sBanner, o->banner); 2090 dump_cfg_string(sBanner, o->banner);
2064 dump_cfg_string(sForceCommand, o->adm_forced_command); 2091 dump_cfg_string(sForceCommand, o->adm_forced_command);
2065 dump_cfg_string(sChrootDirectory, o->chroot_directory); 2092 dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2071,6 +2098,8 @@ dump_config(ServerOptions *o)
2071 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); 2098 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2072 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); 2099 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2073 dump_cfg_string(sHostKeyAgent, o->host_key_agent); 2100 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2101 dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
2102 kex_alg_list(','));
2074 2103
2075 /* string arguments requiring a lookup */ 2104 /* string arguments requiring a lookup */
2076 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2105 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -2109,7 +2138,8 @@ dump_config(ServerOptions *o)
2109 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2138 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2110 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2139 printf("%s\n", iptos2str(o->ip_qos_bulk));
2111 2140
2112 printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval); 2141 printf("rekeylimit %lld %d\n", (long long)o->rekey_limit,
2142 o->rekey_interval);
2113 2143
2114 channel_print_adm_permitted_opens(); 2144 channel_print_adm_permitted_opens();
2115} 2145}