summaryrefslogtreecommitdiff
path: root/servconf.c
diff options
context:
space:
mode:
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c77
1 files changed, 68 insertions, 9 deletions
diff --git a/servconf.c b/servconf.c
index b2a60fd6c..747edde6c 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ 2/* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -20,6 +20,7 @@
20#include <netinet/in_systm.h> 20#include <netinet/in_systm.h>
21#include <netinet/ip.h> 21#include <netinet/ip.h>
22 22
23#include <ctype.h>
23#include <netdb.h> 24#include <netdb.h>
24#include <pwd.h> 25#include <pwd.h>
25#include <stdio.h> 26#include <stdio.h>
@@ -29,6 +30,9 @@
29#include <unistd.h> 30#include <unistd.h>
30#include <stdarg.h> 31#include <stdarg.h>
31#include <errno.h> 32#include <errno.h>
33#ifdef HAVE_UTIL_H
34#include <util.h>
35#endif
32 36
33#include "openbsd-compat/sys-queue.h" 37#include "openbsd-compat/sys-queue.h"
34#include "xmalloc.h" 38#include "xmalloc.h"
@@ -75,6 +79,7 @@ initialize_server_options(ServerOptions *options)
75 options->address_family = -1; 79 options->address_family = -1;
76 options->num_host_key_files = 0; 80 options->num_host_key_files = 0;
77 options->num_host_cert_files = 0; 81 options->num_host_cert_files = 0;
82 options->host_key_agent = NULL;
78 options->pid_file = NULL; 83 options->pid_file = NULL;
79 options->server_key_bits = -1; 84 options->server_key_bits = -1;
80 options->login_grace_time = -1; 85 options->login_grace_time = -1;
@@ -110,6 +115,8 @@ initialize_server_options(ServerOptions *options)
110 options->permit_user_env = -1; 115 options->permit_user_env = -1;
111 options->use_login = -1; 116 options->use_login = -1;
112 options->compression = -1; 117 options->compression = -1;
118 options->rekey_limit = -1;
119 options->rekey_interval = -1;
113 options->allow_tcp_forwarding = -1; 120 options->allow_tcp_forwarding = -1;
114 options->allow_agent_forwarding = -1; 121 options->allow_agent_forwarding = -1;
115 options->num_allow_users = 0; 122 options->num_allow_users = 0;
@@ -249,6 +256,10 @@ fill_default_server_options(ServerOptions *options)
249 options->use_login = 0; 256 options->use_login = 0;
250 if (options->compression == -1) 257 if (options->compression == -1)
251 options->compression = COMP_DELAYED; 258 options->compression = COMP_DELAYED;
259 if (options->rekey_limit == -1)
260 options->rekey_limit = 0;
261 if (options->rekey_interval == -1)
262 options->rekey_interval = 0;
252 if (options->allow_tcp_forwarding == -1) 263 if (options->allow_tcp_forwarding == -1)
253 options->allow_tcp_forwarding = FORWARD_ALLOW; 264 options->allow_tcp_forwarding = FORWARD_ALLOW;
254 if (options->allow_agent_forwarding == -1) 265 if (options->allow_agent_forwarding == -1)
@@ -320,7 +331,7 @@ typedef enum {
320 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 331 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
321 sStrictModes, sEmptyPasswd, sTCPKeepAlive, 332 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
322 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 333 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
323 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 334 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
324 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 335 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
325 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, 336 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
326 sMaxStartups, sMaxAuthTries, sMaxSessions, 337 sMaxStartups, sMaxAuthTries, sMaxSessions,
@@ -334,7 +345,7 @@ typedef enum {
334 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 345 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
335 sKexAlgorithms, sIPQoS, sVersionAddendum, 346 sKexAlgorithms, sIPQoS, sVersionAddendum,
336 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 347 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
337 sAuthenticationMethods, 348 sAuthenticationMethods, sHostKeyAgent,
338 sDeprecated, sUnsupported 349 sDeprecated, sUnsupported
339} ServerOpCodes; 350} ServerOpCodes;
340 351
@@ -359,6 +370,7 @@ static struct {
359 { "port", sPort, SSHCFG_GLOBAL }, 370 { "port", sPort, SSHCFG_GLOBAL },
360 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 371 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
361 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 372 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
373 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
362 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 374 { "pidfile", sPidFile, SSHCFG_GLOBAL },
363 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 375 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
364 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 376 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
@@ -422,6 +434,7 @@ static struct {
422 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 434 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
423 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 435 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
424 { "compression", sCompression, SSHCFG_GLOBAL }, 436 { "compression", sCompression, SSHCFG_GLOBAL },
437 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
425 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 438 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
426 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 439 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
427 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 440 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
@@ -509,7 +522,7 @@ derelativise_path(const char *path)
509 if (getcwd(cwd, sizeof(cwd)) == NULL) 522 if (getcwd(cwd, sizeof(cwd)) == NULL)
510 fatal("%s: getcwd: %s", __func__, strerror(errno)); 523 fatal("%s: getcwd: %s", __func__, strerror(errno));
511 xasprintf(&ret, "%s/%s", cwd, expanded); 524 xasprintf(&ret, "%s/%s", cwd, expanded);
512 xfree(expanded); 525 free(expanded);
513 return ret; 526 return ret;
514} 527}
515 528
@@ -801,13 +814,13 @@ process_server_config_line(ServerOptions *options, char *line,
801 struct connection_info *connectinfo) 814 struct connection_info *connectinfo)
802{ 815{
803 char *cp, **charptr, *arg, *p; 816 char *cp, **charptr, *arg, *p;
804 int cmdline = 0, *intptr, value, value2, n; 817 int cmdline = 0, *intptr, value, value2, n, port;
805 SyslogFacility *log_facility_ptr; 818 SyslogFacility *log_facility_ptr;
806 LogLevel *log_level_ptr; 819 LogLevel *log_level_ptr;
807 ServerOpCodes opcode; 820 ServerOpCodes opcode;
808 int port;
809 u_int i, flags = 0; 821 u_int i, flags = 0;
810 size_t len; 822 size_t len;
823 long long val64;
811 const struct multistate *multistate_ptr; 824 const struct multistate *multistate_ptr;
812 825
813 cp = line; 826 cp = line;
@@ -967,6 +980,17 @@ process_server_config_line(ServerOptions *options, char *line,
967 } 980 }
968 break; 981 break;
969 982
983 case sHostKeyAgent:
984 charptr = &options->host_key_agent;
985 arg = strdelim(&cp);
986 if (!arg || *arg == '\0')
987 fatal("%s line %d: missing socket name.",
988 filename, linenum);
989 if (*activep && *charptr == NULL)
990 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
991 xstrdup(arg) : derelativise_path(arg);
992 break;
993
970 case sHostCertificate: 994 case sHostCertificate:
971 intptr = &options->num_host_cert_files; 995 intptr = &options->num_host_cert_files;
972 if (*intptr >= MAX_HOSTKEYS) 996 if (*intptr >= MAX_HOSTKEYS)
@@ -1118,6 +1142,37 @@ process_server_config_line(ServerOptions *options, char *line,
1118 multistate_ptr = multistate_compression; 1142 multistate_ptr = multistate_compression;
1119 goto parse_multistate; 1143 goto parse_multistate;
1120 1144
1145 case sRekeyLimit:
1146 arg = strdelim(&cp);
1147 if (!arg || *arg == '\0')
1148 fatal("%.200s line %d: Missing argument.", filename,
1149 linenum);
1150 if (strcmp(arg, "default") == 0) {
1151 val64 = 0;
1152 } else {
1153 if (scan_scaled(arg, &val64) == -1)
1154 fatal("%.200s line %d: Bad number '%s': %s",
1155 filename, linenum, arg, strerror(errno));
1156 /* check for too-large or too-small limits */
1157 if (val64 > UINT_MAX)
1158 fatal("%.200s line %d: RekeyLimit too large",
1159 filename, linenum);
1160 if (val64 != 0 && val64 < 16)
1161 fatal("%.200s line %d: RekeyLimit too small",
1162 filename, linenum);
1163 }
1164 if (*activep && options->rekey_limit == -1)
1165 options->rekey_limit = (u_int32_t)val64;
1166 if (cp != NULL) { /* optional rekey interval present */
1167 if (strcmp(cp, "none") == 0) {
1168 (void)strdelim(&cp); /* discard */
1169 break;
1170 }
1171 intptr = &options->rekey_interval;
1172 goto parse_time;
1173 }
1174 break;
1175
1121 case sGatewayPorts: 1176 case sGatewayPorts:
1122 intptr = &options->gateway_ports; 1177 intptr = &options->gateway_ports;
1123 multistate_ptr = multistate_gatewayports; 1178 multistate_ptr = multistate_gatewayports;
@@ -1671,8 +1726,7 @@ int server_match_spec_complete(struct connection_info *ci)
1671} while (0) 1726} while (0)
1672#define M_CP_STROPT(n) do {\ 1727#define M_CP_STROPT(n) do {\
1673 if (src->n != NULL) { \ 1728 if (src->n != NULL) { \
1674 if (dst->n != NULL) \ 1729 free(dst->n); \
1675 xfree(dst->n); \
1676 dst->n = src->n; \ 1730 dst->n = src->n; \
1677 } \ 1731 } \
1678} while(0) 1732} while(0)
@@ -1718,6 +1772,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1718 M_CP_INTOPT(max_authtries); 1772 M_CP_INTOPT(max_authtries);
1719 M_CP_INTOPT(ip_qos_interactive); 1773 M_CP_INTOPT(ip_qos_interactive);
1720 M_CP_INTOPT(ip_qos_bulk); 1774 M_CP_INTOPT(ip_qos_bulk);
1775 M_CP_INTOPT(rekey_limit);
1776 M_CP_INTOPT(rekey_interval);
1721 1777
1722 /* See comment in servconf.h */ 1778 /* See comment in servconf.h */
1723 COPY_MATCH_STRING_OPTS(); 1779 COPY_MATCH_STRING_OPTS();
@@ -1754,7 +1810,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1754 linenum++, &active, connectinfo) != 0) 1810 linenum++, &active, connectinfo) != 0)
1755 bad_options++; 1811 bad_options++;
1756 } 1812 }
1757 xfree(obuf); 1813 free(obuf);
1758 if (bad_options > 0) 1814 if (bad_options > 0)
1759 fatal("%s: terminating, %d bad configuration options", 1815 fatal("%s: terminating, %d bad configuration options",
1760 filename, bad_options); 1816 filename, bad_options);
@@ -1968,6 +2024,7 @@ dump_config(ServerOptions *o)
1968 dump_cfg_string(sVersionAddendum, o->version_addendum); 2024 dump_cfg_string(sVersionAddendum, o->version_addendum);
1969 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); 2025 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
1970 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); 2026 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2027 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
1971 2028
1972 /* string arguments requiring a lookup */ 2029 /* string arguments requiring a lookup */
1973 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2030 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -2006,5 +2063,7 @@ dump_config(ServerOptions *o)
2006 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2063 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2007 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2064 printf("%s\n", iptos2str(o->ip_qos_bulk));
2008 2065
2066 printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval);
2067
2009 channel_print_adm_permitted_opens(); 2068 channel_print_adm_permitted_opens();
2010} 2069}
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-21 17:42:02 +0000