diff options
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 77 |
1 files changed, 68 insertions, 9 deletions
diff --git a/servconf.c b/servconf.c index b2a60fd6c..747edde6c 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -20,6 +20,7 @@ | |||
20 | #include <netinet/in_systm.h> | 20 | #include <netinet/in_systm.h> |
21 | #include <netinet/ip.h> | 21 | #include <netinet/ip.h> |
22 | 22 | ||
23 | #include <ctype.h> | ||
23 | #include <netdb.h> | 24 | #include <netdb.h> |
24 | #include <pwd.h> | 25 | #include <pwd.h> |
25 | #include <stdio.h> | 26 | #include <stdio.h> |
@@ -29,6 +30,9 @@ | |||
29 | #include <unistd.h> | 30 | #include <unistd.h> |
30 | #include <stdarg.h> | 31 | #include <stdarg.h> |
31 | #include <errno.h> | 32 | #include <errno.h> |
33 | #ifdef HAVE_UTIL_H | ||
34 | #include <util.h> | ||
35 | #endif | ||
32 | 36 | ||
33 | #include "openbsd-compat/sys-queue.h" | 37 | #include "openbsd-compat/sys-queue.h" |
34 | #include "xmalloc.h" | 38 | #include "xmalloc.h" |
@@ -75,6 +79,7 @@ initialize_server_options(ServerOptions *options) | |||
75 | options->address_family = -1; | 79 | options->address_family = -1; |
76 | options->num_host_key_files = 0; | 80 | options->num_host_key_files = 0; |
77 | options->num_host_cert_files = 0; | 81 | options->num_host_cert_files = 0; |
82 | options->host_key_agent = NULL; | ||
78 | options->pid_file = NULL; | 83 | options->pid_file = NULL; |
79 | options->server_key_bits = -1; | 84 | options->server_key_bits = -1; |
80 | options->login_grace_time = -1; | 85 | options->login_grace_time = -1; |
@@ -110,6 +115,8 @@ initialize_server_options(ServerOptions *options) | |||
110 | options->permit_user_env = -1; | 115 | options->permit_user_env = -1; |
111 | options->use_login = -1; | 116 | options->use_login = -1; |
112 | options->compression = -1; | 117 | options->compression = -1; |
118 | options->rekey_limit = -1; | ||
119 | options->rekey_interval = -1; | ||
113 | options->allow_tcp_forwarding = -1; | 120 | options->allow_tcp_forwarding = -1; |
114 | options->allow_agent_forwarding = -1; | 121 | options->allow_agent_forwarding = -1; |
115 | options->num_allow_users = 0; | 122 | options->num_allow_users = 0; |
@@ -249,6 +256,10 @@ fill_default_server_options(ServerOptions *options) | |||
249 | options->use_login = 0; | 256 | options->use_login = 0; |
250 | if (options->compression == -1) | 257 | if (options->compression == -1) |
251 | options->compression = COMP_DELAYED; | 258 | options->compression = COMP_DELAYED; |
259 | if (options->rekey_limit == -1) | ||
260 | options->rekey_limit = 0; | ||
261 | if (options->rekey_interval == -1) | ||
262 | options->rekey_interval = 0; | ||
252 | if (options->allow_tcp_forwarding == -1) | 263 | if (options->allow_tcp_forwarding == -1) |
253 | options->allow_tcp_forwarding = FORWARD_ALLOW; | 264 | options->allow_tcp_forwarding = FORWARD_ALLOW; |
254 | if (options->allow_agent_forwarding == -1) | 265 | if (options->allow_agent_forwarding == -1) |
@@ -320,7 +331,7 @@ typedef enum { | |||
320 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 331 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
321 | sStrictModes, sEmptyPasswd, sTCPKeepAlive, | 332 | sStrictModes, sEmptyPasswd, sTCPKeepAlive, |
322 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 333 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
323 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 334 | sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
324 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 335 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
325 | sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, | 336 | sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, |
326 | sMaxStartups, sMaxAuthTries, sMaxSessions, | 337 | sMaxStartups, sMaxAuthTries, sMaxSessions, |
@@ -334,7 +345,7 @@ typedef enum { | |||
334 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, | 345 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
335 | sKexAlgorithms, sIPQoS, sVersionAddendum, | 346 | sKexAlgorithms, sIPQoS, sVersionAddendum, |
336 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, | 347 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, |
337 | sAuthenticationMethods, | 348 | sAuthenticationMethods, sHostKeyAgent, |
338 | sDeprecated, sUnsupported | 349 | sDeprecated, sUnsupported |
339 | } ServerOpCodes; | 350 | } ServerOpCodes; |
340 | 351 | ||
@@ -359,6 +370,7 @@ static struct { | |||
359 | { "port", sPort, SSHCFG_GLOBAL }, | 370 | { "port", sPort, SSHCFG_GLOBAL }, |
360 | { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, | 371 | { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, |
361 | { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ | 372 | { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ |
373 | { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, | ||
362 | { "pidfile", sPidFile, SSHCFG_GLOBAL }, | 374 | { "pidfile", sPidFile, SSHCFG_GLOBAL }, |
363 | { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, | 375 | { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, |
364 | { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, | 376 | { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, |
@@ -422,6 +434,7 @@ static struct { | |||
422 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 434 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
423 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 435 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
424 | { "compression", sCompression, SSHCFG_GLOBAL }, | 436 | { "compression", sCompression, SSHCFG_GLOBAL }, |
437 | { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, | ||
425 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, | 438 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, |
426 | { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ | 439 | { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ |
427 | { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, | 440 | { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, |
@@ -509,7 +522,7 @@ derelativise_path(const char *path) | |||
509 | if (getcwd(cwd, sizeof(cwd)) == NULL) | 522 | if (getcwd(cwd, sizeof(cwd)) == NULL) |
510 | fatal("%s: getcwd: %s", __func__, strerror(errno)); | 523 | fatal("%s: getcwd: %s", __func__, strerror(errno)); |
511 | xasprintf(&ret, "%s/%s", cwd, expanded); | 524 | xasprintf(&ret, "%s/%s", cwd, expanded); |
512 | xfree(expanded); | 525 | free(expanded); |
513 | return ret; | 526 | return ret; |
514 | } | 527 | } |
515 | 528 | ||
@@ -801,13 +814,13 @@ process_server_config_line(ServerOptions *options, char *line, | |||
801 | struct connection_info *connectinfo) | 814 | struct connection_info *connectinfo) |
802 | { | 815 | { |
803 | char *cp, **charptr, *arg, *p; | 816 | char *cp, **charptr, *arg, *p; |
804 | int cmdline = 0, *intptr, value, value2, n; | 817 | int cmdline = 0, *intptr, value, value2, n, port; |
805 | SyslogFacility *log_facility_ptr; | 818 | SyslogFacility *log_facility_ptr; |
806 | LogLevel *log_level_ptr; | 819 | LogLevel *log_level_ptr; |
807 | ServerOpCodes opcode; | 820 | ServerOpCodes opcode; |
808 | int port; | ||
809 | u_int i, flags = 0; | 821 | u_int i, flags = 0; |
810 | size_t len; | 822 | size_t len; |
823 | long long val64; | ||
811 | const struct multistate *multistate_ptr; | 824 | const struct multistate *multistate_ptr; |
812 | 825 | ||
813 | cp = line; | 826 | cp = line; |
@@ -967,6 +980,17 @@ process_server_config_line(ServerOptions *options, char *line, | |||
967 | } | 980 | } |
968 | break; | 981 | break; |
969 | 982 | ||
983 | case sHostKeyAgent: | ||
984 | charptr = &options->host_key_agent; | ||
985 | arg = strdelim(&cp); | ||
986 | if (!arg || *arg == '\0') | ||
987 | fatal("%s line %d: missing socket name.", | ||
988 | filename, linenum); | ||
989 | if (*activep && *charptr == NULL) | ||
990 | *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ? | ||
991 | xstrdup(arg) : derelativise_path(arg); | ||
992 | break; | ||
993 | |||
970 | case sHostCertificate: | 994 | case sHostCertificate: |
971 | intptr = &options->num_host_cert_files; | 995 | intptr = &options->num_host_cert_files; |
972 | if (*intptr >= MAX_HOSTKEYS) | 996 | if (*intptr >= MAX_HOSTKEYS) |
@@ -1118,6 +1142,37 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1118 | multistate_ptr = multistate_compression; | 1142 | multistate_ptr = multistate_compression; |
1119 | goto parse_multistate; | 1143 | goto parse_multistate; |
1120 | 1144 | ||
1145 | case sRekeyLimit: | ||
1146 | arg = strdelim(&cp); | ||
1147 | if (!arg || *arg == '\0') | ||
1148 | fatal("%.200s line %d: Missing argument.", filename, | ||
1149 | linenum); | ||
1150 | if (strcmp(arg, "default") == 0) { | ||
1151 | val64 = 0; | ||
1152 | } else { | ||
1153 | if (scan_scaled(arg, &val64) == -1) | ||
1154 | fatal("%.200s line %d: Bad number '%s': %s", | ||
1155 | filename, linenum, arg, strerror(errno)); | ||
1156 | /* check for too-large or too-small limits */ | ||
1157 | if (val64 > UINT_MAX) | ||
1158 | fatal("%.200s line %d: RekeyLimit too large", | ||
1159 | filename, linenum); | ||
1160 | if (val64 != 0 && val64 < 16) | ||
1161 | fatal("%.200s line %d: RekeyLimit too small", | ||
1162 | filename, linenum); | ||
1163 | } | ||
1164 | if (*activep && options->rekey_limit == -1) | ||
1165 | options->rekey_limit = (u_int32_t)val64; | ||
1166 | if (cp != NULL) { /* optional rekey interval present */ | ||
1167 | if (strcmp(cp, "none") == 0) { | ||
1168 | (void)strdelim(&cp); /* discard */ | ||
1169 | break; | ||
1170 | } | ||
1171 | intptr = &options->rekey_interval; | ||
1172 | goto parse_time; | ||
1173 | } | ||
1174 | break; | ||
1175 | |||
1121 | case sGatewayPorts: | 1176 | case sGatewayPorts: |
1122 | intptr = &options->gateway_ports; | 1177 | intptr = &options->gateway_ports; |
1123 | multistate_ptr = multistate_gatewayports; | 1178 | multistate_ptr = multistate_gatewayports; |
@@ -1671,8 +1726,7 @@ int server_match_spec_complete(struct connection_info *ci) | |||
1671 | } while (0) | 1726 | } while (0) |
1672 | #define M_CP_STROPT(n) do {\ | 1727 | #define M_CP_STROPT(n) do {\ |
1673 | if (src->n != NULL) { \ | 1728 | if (src->n != NULL) { \ |
1674 | if (dst->n != NULL) \ | 1729 | free(dst->n); \ |
1675 | xfree(dst->n); \ | ||
1676 | dst->n = src->n; \ | 1730 | dst->n = src->n; \ |
1677 | } \ | 1731 | } \ |
1678 | } while(0) | 1732 | } while(0) |
@@ -1718,6 +1772,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
1718 | M_CP_INTOPT(max_authtries); | 1772 | M_CP_INTOPT(max_authtries); |
1719 | M_CP_INTOPT(ip_qos_interactive); | 1773 | M_CP_INTOPT(ip_qos_interactive); |
1720 | M_CP_INTOPT(ip_qos_bulk); | 1774 | M_CP_INTOPT(ip_qos_bulk); |
1775 | M_CP_INTOPT(rekey_limit); | ||
1776 | M_CP_INTOPT(rekey_interval); | ||
1721 | 1777 | ||
1722 | /* See comment in servconf.h */ | 1778 | /* See comment in servconf.h */ |
1723 | COPY_MATCH_STRING_OPTS(); | 1779 | COPY_MATCH_STRING_OPTS(); |
@@ -1754,7 +1810,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, | |||
1754 | linenum++, &active, connectinfo) != 0) | 1810 | linenum++, &active, connectinfo) != 0) |
1755 | bad_options++; | 1811 | bad_options++; |
1756 | } | 1812 | } |
1757 | xfree(obuf); | 1813 | free(obuf); |
1758 | if (bad_options > 0) | 1814 | if (bad_options > 0) |
1759 | fatal("%s: terminating, %d bad configuration options", | 1815 | fatal("%s: terminating, %d bad configuration options", |
1760 | filename, bad_options); | 1816 | filename, bad_options); |
@@ -1968,6 +2024,7 @@ dump_config(ServerOptions *o) | |||
1968 | dump_cfg_string(sVersionAddendum, o->version_addendum); | 2024 | dump_cfg_string(sVersionAddendum, o->version_addendum); |
1969 | dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); | 2025 | dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); |
1970 | dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); | 2026 | dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); |
2027 | dump_cfg_string(sHostKeyAgent, o->host_key_agent); | ||
1971 | 2028 | ||
1972 | /* string arguments requiring a lookup */ | 2029 | /* string arguments requiring a lookup */ |
1973 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); | 2030 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); |
@@ -2006,5 +2063,7 @@ dump_config(ServerOptions *o) | |||
2006 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); | 2063 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); |
2007 | printf("%s\n", iptos2str(o->ip_qos_bulk)); | 2064 | printf("%s\n", iptos2str(o->ip_qos_bulk)); |
2008 | 2065 | ||
2066 | printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval); | ||
2067 | |||
2009 | channel_print_adm_permitted_opens(); | 2068 | channel_print_adm_permitted_opens(); |
2010 | } | 2069 | } |