diff options
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 84 |
1 files changed, 57 insertions, 27 deletions
diff --git a/servconf.c b/servconf.c index 802db1d79..63ff4ffbc 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.248 2013/12/06 13:39:49 markus Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions *options) | |||
92 | options->x11_forwarding = -1; | 92 | options->x11_forwarding = -1; |
93 | options->x11_display_offset = -1; | 93 | options->x11_display_offset = -1; |
94 | options->x11_use_localhost = -1; | 94 | options->x11_use_localhost = -1; |
95 | options->permit_tty = -1; | ||
95 | options->xauth_location = NULL; | 96 | options->xauth_location = NULL; |
96 | options->strict_modes = -1; | 97 | options->strict_modes = -1; |
97 | options->tcp_keep_alive = -1; | 98 | options->tcp_keep_alive = -1; |
@@ -183,6 +184,8 @@ fill_default_server_options(ServerOptions *options) | |||
183 | options->host_key_files[options->num_host_key_files++] = | 184 | options->host_key_files[options->num_host_key_files++] = |
184 | _PATH_HOST_ECDSA_KEY_FILE; | 185 | _PATH_HOST_ECDSA_KEY_FILE; |
185 | #endif | 186 | #endif |
187 | options->host_key_files[options->num_host_key_files++] = | ||
188 | _PATH_HOST_ED25519_KEY_FILE; | ||
186 | } | 189 | } |
187 | } | 190 | } |
188 | /* No certificates by default */ | 191 | /* No certificates by default */ |
@@ -216,6 +219,8 @@ fill_default_server_options(ServerOptions *options) | |||
216 | options->x11_use_localhost = 1; | 219 | options->x11_use_localhost = 1; |
217 | if (options->xauth_location == NULL) | 220 | if (options->xauth_location == NULL) |
218 | options->xauth_location = _PATH_XAUTH; | 221 | options->xauth_location = _PATH_XAUTH; |
222 | if (options->permit_tty == -1) | ||
223 | options->permit_tty = 1; | ||
219 | if (options->strict_modes == -1) | 224 | if (options->strict_modes == -1) |
220 | options->strict_modes = 1; | 225 | options->strict_modes = 1; |
221 | if (options->tcp_keep_alive == -1) | 226 | if (options->tcp_keep_alive == -1) |
@@ -341,7 +346,7 @@ typedef enum { | |||
341 | sListenAddress, sAddressFamily, | 346 | sListenAddress, sAddressFamily, |
342 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | 347 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
343 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 348 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
344 | sStrictModes, sEmptyPasswd, sTCPKeepAlive, | 349 | sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive, |
345 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 350 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
346 | sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 351 | sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
347 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 352 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
@@ -488,6 +493,7 @@ static struct { | |||
488 | { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, | 493 | { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL}, |
489 | { "acceptenv", sAcceptEnv, SSHCFG_ALL }, | 494 | { "acceptenv", sAcceptEnv, SSHCFG_ALL }, |
490 | { "permittunnel", sPermitTunnel, SSHCFG_ALL }, | 495 | { "permittunnel", sPermitTunnel, SSHCFG_ALL }, |
496 | { "permittty", sPermitTTY, SSHCFG_ALL }, | ||
491 | { "match", sMatch, SSHCFG_ALL }, | 497 | { "match", sMatch, SSHCFG_ALL }, |
492 | { "permitopen", sPermitOpen, SSHCFG_ALL }, | 498 | { "permitopen", sPermitOpen, SSHCFG_ALL }, |
493 | { "forcecommand", sForceCommand, SSHCFG_ALL }, | 499 | { "forcecommand", sForceCommand, SSHCFG_ALL }, |
@@ -668,13 +674,13 @@ out: | |||
668 | 674 | ||
669 | /* | 675 | /* |
670 | * All of the attributes on a single Match line are ANDed together, so we need | 676 | * All of the attributes on a single Match line are ANDed together, so we need |
671 | * to check every * attribute and set the result to zero if any attribute does | 677 | * to check every attribute and set the result to zero if any attribute does |
672 | * not match. | 678 | * not match. |
673 | */ | 679 | */ |
674 | static int | 680 | static int |
675 | match_cfg_line(char **condition, int line, struct connection_info *ci) | 681 | match_cfg_line(char **condition, int line, struct connection_info *ci) |
676 | { | 682 | { |
677 | int result = 1, port; | 683 | int result = 1, attributes = 0, port; |
678 | char *arg, *attrib, *cp = *condition; | 684 | char *arg, *attrib, *cp = *condition; |
679 | size_t len; | 685 | size_t len; |
680 | 686 | ||
@@ -688,6 +694,17 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) | |||
688 | ci->laddress ? ci->laddress : "(null)", ci->lport); | 694 | ci->laddress ? ci->laddress : "(null)", ci->lport); |
689 | 695 | ||
690 | while ((attrib = strdelim(&cp)) && *attrib != '\0') { | 696 | while ((attrib = strdelim(&cp)) && *attrib != '\0') { |
697 | attributes++; | ||
698 | if (strcasecmp(attrib, "all") == 0) { | ||
699 | if (attributes != 1 || | ||
700 | ((arg = strdelim(&cp)) != NULL && *arg != '\0')) { | ||
701 | error("'all' cannot be combined with other " | ||
702 | "Match attributes"); | ||
703 | return -1; | ||
704 | } | ||
705 | *condition = cp; | ||
706 | return 1; | ||
707 | } | ||
691 | if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { | 708 | if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { |
692 | error("Missing Match criteria for %s", attrib); | 709 | error("Missing Match criteria for %s", attrib); |
693 | return -1; | 710 | return -1; |
@@ -781,6 +798,10 @@ match_cfg_line(char **condition, int line, struct connection_info *ci) | |||
781 | return -1; | 798 | return -1; |
782 | } | 799 | } |
783 | } | 800 | } |
801 | if (attributes == 0) { | ||
802 | error("One or more attributes required for Match"); | ||
803 | return -1; | ||
804 | } | ||
784 | if (ci != NULL) | 805 | if (ci != NULL) |
785 | debug3("match %sfound", result ? "" : "not "); | 806 | debug3("match %sfound", result ? "" : "not "); |
786 | *condition = cp; | 807 | *condition = cp; |
@@ -1156,6 +1177,10 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1156 | charptr = &options->xauth_location; | 1177 | charptr = &options->xauth_location; |
1157 | goto parse_filename; | 1178 | goto parse_filename; |
1158 | 1179 | ||
1180 | case sPermitTTY: | ||
1181 | intptr = &options->permit_tty; | ||
1182 | goto parse_flag; | ||
1183 | |||
1159 | case sStrictModes: | 1184 | case sStrictModes: |
1160 | intptr = &options->strict_modes; | 1185 | intptr = &options->strict_modes; |
1161 | goto parse_flag; | 1186 | goto parse_flag; |
@@ -1762,24 +1787,6 @@ int server_match_spec_complete(struct connection_info *ci) | |||
1762 | return 0; /* partial */ | 1787 | return 0; /* partial */ |
1763 | } | 1788 | } |
1764 | 1789 | ||
1765 | /* Helper macros */ | ||
1766 | #define M_CP_INTOPT(n) do {\ | ||
1767 | if (src->n != -1) \ | ||
1768 | dst->n = src->n; \ | ||
1769 | } while (0) | ||
1770 | #define M_CP_STROPT(n) do {\ | ||
1771 | if (src->n != NULL) { \ | ||
1772 | free(dst->n); \ | ||
1773 | dst->n = src->n; \ | ||
1774 | } \ | ||
1775 | } while(0) | ||
1776 | #define M_CP_STRARRAYOPT(n, num_n) do {\ | ||
1777 | if (src->num_n != 0) { \ | ||
1778 | for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ | ||
1779 | dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ | ||
1780 | } \ | ||
1781 | } while(0) | ||
1782 | |||
1783 | /* | 1790 | /* |
1784 | * Copy any supported values that are set. | 1791 | * Copy any supported values that are set. |
1785 | * | 1792 | * |
@@ -1790,6 +1797,11 @@ int server_match_spec_complete(struct connection_info *ci) | |||
1790 | void | 1797 | void |
1791 | copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | 1798 | copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) |
1792 | { | 1799 | { |
1800 | #define M_CP_INTOPT(n) do {\ | ||
1801 | if (src->n != -1) \ | ||
1802 | dst->n = src->n; \ | ||
1803 | } while (0) | ||
1804 | |||
1793 | M_CP_INTOPT(password_authentication); | 1805 | M_CP_INTOPT(password_authentication); |
1794 | M_CP_INTOPT(gss_authentication); | 1806 | M_CP_INTOPT(gss_authentication); |
1795 | M_CP_INTOPT(rsa_authentication); | 1807 | M_CP_INTOPT(rsa_authentication); |
@@ -1799,8 +1811,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
1799 | M_CP_INTOPT(hostbased_uses_name_from_packet_only); | 1811 | M_CP_INTOPT(hostbased_uses_name_from_packet_only); |
1800 | M_CP_INTOPT(kbd_interactive_authentication); | 1812 | M_CP_INTOPT(kbd_interactive_authentication); |
1801 | M_CP_INTOPT(zero_knowledge_password_authentication); | 1813 | M_CP_INTOPT(zero_knowledge_password_authentication); |
1802 | M_CP_STROPT(authorized_keys_command); | ||
1803 | M_CP_STROPT(authorized_keys_command_user); | ||
1804 | M_CP_INTOPT(permit_root_login); | 1814 | M_CP_INTOPT(permit_root_login); |
1805 | M_CP_INTOPT(permit_empty_passwd); | 1815 | M_CP_INTOPT(permit_empty_passwd); |
1806 | 1816 | ||
@@ -1811,6 +1821,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
1811 | M_CP_INTOPT(x11_display_offset); | 1821 | M_CP_INTOPT(x11_display_offset); |
1812 | M_CP_INTOPT(x11_forwarding); | 1822 | M_CP_INTOPT(x11_forwarding); |
1813 | M_CP_INTOPT(x11_use_localhost); | 1823 | M_CP_INTOPT(x11_use_localhost); |
1824 | M_CP_INTOPT(permit_tty); | ||
1814 | M_CP_INTOPT(max_sessions); | 1825 | M_CP_INTOPT(max_sessions); |
1815 | M_CP_INTOPT(max_authtries); | 1826 | M_CP_INTOPT(max_authtries); |
1816 | M_CP_INTOPT(ip_qos_interactive); | 1827 | M_CP_INTOPT(ip_qos_interactive); |
@@ -1818,6 +1829,20 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
1818 | M_CP_INTOPT(rekey_limit); | 1829 | M_CP_INTOPT(rekey_limit); |
1819 | M_CP_INTOPT(rekey_interval); | 1830 | M_CP_INTOPT(rekey_interval); |
1820 | 1831 | ||
1832 | /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */ | ||
1833 | #define M_CP_STROPT(n) do {\ | ||
1834 | if (src->n != NULL && dst->n != src->n) { \ | ||
1835 | free(dst->n); \ | ||
1836 | dst->n = src->n; \ | ||
1837 | } \ | ||
1838 | } while(0) | ||
1839 | #define M_CP_STRARRAYOPT(n, num_n) do {\ | ||
1840 | if (src->num_n != 0) { \ | ||
1841 | for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ | ||
1842 | dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ | ||
1843 | } \ | ||
1844 | } while(0) | ||
1845 | |||
1821 | /* See comment in servconf.h */ | 1846 | /* See comment in servconf.h */ |
1822 | COPY_MATCH_STRING_OPTS(); | 1847 | COPY_MATCH_STRING_OPTS(); |
1823 | 1848 | ||
@@ -2044,6 +2069,7 @@ dump_config(ServerOptions *o) | |||
2044 | dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); | 2069 | dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); |
2045 | dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); | 2070 | dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); |
2046 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); | 2071 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); |
2072 | dump_cfg_fmtint(sPermitTTY, o->permit_tty); | ||
2047 | dump_cfg_fmtint(sStrictModes, o->strict_modes); | 2073 | dump_cfg_fmtint(sStrictModes, o->strict_modes); |
2048 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); | 2074 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); |
2049 | dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); | 2075 | dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); |
@@ -2058,8 +2084,9 @@ dump_config(ServerOptions *o) | |||
2058 | /* string arguments */ | 2084 | /* string arguments */ |
2059 | dump_cfg_string(sPidFile, o->pid_file); | 2085 | dump_cfg_string(sPidFile, o->pid_file); |
2060 | dump_cfg_string(sXAuthLocation, o->xauth_location); | 2086 | dump_cfg_string(sXAuthLocation, o->xauth_location); |
2061 | dump_cfg_string(sCiphers, o->ciphers); | 2087 | dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : |
2062 | dump_cfg_string(sMacs, o->macs); | 2088 | cipher_alg_list(',', 0)); |
2089 | dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(',')); | ||
2063 | dump_cfg_string(sBanner, o->banner); | 2090 | dump_cfg_string(sBanner, o->banner); |
2064 | dump_cfg_string(sForceCommand, o->adm_forced_command); | 2091 | dump_cfg_string(sForceCommand, o->adm_forced_command); |
2065 | dump_cfg_string(sChrootDirectory, o->chroot_directory); | 2092 | dump_cfg_string(sChrootDirectory, o->chroot_directory); |
@@ -2071,6 +2098,8 @@ dump_config(ServerOptions *o) | |||
2071 | dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); | 2098 | dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); |
2072 | dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); | 2099 | dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); |
2073 | dump_cfg_string(sHostKeyAgent, o->host_key_agent); | 2100 | dump_cfg_string(sHostKeyAgent, o->host_key_agent); |
2101 | dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : | ||
2102 | kex_alg_list(',')); | ||
2074 | 2103 | ||
2075 | /* string arguments requiring a lookup */ | 2104 | /* string arguments requiring a lookup */ |
2076 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); | 2105 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); |
@@ -2109,7 +2138,8 @@ dump_config(ServerOptions *o) | |||
2109 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); | 2138 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); |
2110 | printf("%s\n", iptos2str(o->ip_qos_bulk)); | 2139 | printf("%s\n", iptos2str(o->ip_qos_bulk)); |
2111 | 2140 | ||
2112 | printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval); | 2141 | printf("rekeylimit %lld %d\n", (long long)o->rekey_limit, |
2142 | o->rekey_interval); | ||
2113 | 2143 | ||
2114 | channel_print_adm_permitted_opens(); | 2144 | channel_print_adm_permitted_opens(); |
2115 | } | 2145 | } |