diff options
Diffstat (limited to 'servconf.c')
| -rw-r--r-- | servconf.c | 57 |
1 files changed, 53 insertions, 4 deletions
diff --git a/servconf.c b/servconf.c index d9726c435..cbbb20052 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: servconf.c,v 1.195 2009/04/14 21:10:54 jj Exp $ */ | 1 | /* $OpenBSD: servconf.c,v 1.204 2010/03/04 10:36:03 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 4 | * All rights reserved | 4 | * All rights reserved |
| @@ -65,6 +65,7 @@ initialize_server_options(ServerOptions *options) | |||
| 65 | options->listen_addrs = NULL; | 65 | options->listen_addrs = NULL; |
| 66 | options->address_family = -1; | 66 | options->address_family = -1; |
| 67 | options->num_host_key_files = 0; | 67 | options->num_host_key_files = 0; |
| 68 | options->num_host_cert_files = 0; | ||
| 68 | options->pid_file = NULL; | 69 | options->pid_file = NULL; |
| 69 | options->server_key_bits = -1; | 70 | options->server_key_bits = -1; |
| 70 | options->login_grace_time = -1; | 71 | options->login_grace_time = -1; |
| @@ -131,6 +132,8 @@ initialize_server_options(ServerOptions *options) | |||
| 131 | options->adm_forced_command = NULL; | 132 | options->adm_forced_command = NULL; |
| 132 | options->chroot_directory = NULL; | 133 | options->chroot_directory = NULL; |
| 133 | options->zero_knowledge_password_authentication = -1; | 134 | options->zero_knowledge_password_authentication = -1; |
| 135 | options->revoked_keys_file = NULL; | ||
| 136 | options->trusted_user_ca_keys = NULL; | ||
| 134 | } | 137 | } |
| 135 | 138 | ||
| 136 | void | 139 | void |
| @@ -142,7 +145,7 @@ fill_default_server_options(ServerOptions *options) | |||
| 142 | 145 | ||
| 143 | /* Standard Options */ | 146 | /* Standard Options */ |
| 144 | if (options->protocol == SSH_PROTO_UNKNOWN) | 147 | if (options->protocol == SSH_PROTO_UNKNOWN) |
| 145 | options->protocol = SSH_PROTO_1|SSH_PROTO_2; | 148 | options->protocol = SSH_PROTO_2; |
| 146 | if (options->num_host_key_files == 0) { | 149 | if (options->num_host_key_files == 0) { |
| 147 | /* fill default hostkeys for protocols */ | 150 | /* fill default hostkeys for protocols */ |
| 148 | if (options->protocol & SSH_PROTO_1) | 151 | if (options->protocol & SSH_PROTO_1) |
| @@ -155,6 +158,7 @@ fill_default_server_options(ServerOptions *options) | |||
| 155 | _PATH_HOST_DSA_KEY_FILE; | 158 | _PATH_HOST_DSA_KEY_FILE; |
| 156 | } | 159 | } |
| 157 | } | 160 | } |
| 161 | /* No certificates by default */ | ||
| 158 | if (options->num_ports == 0) | 162 | if (options->num_ports == 0) |
| 159 | options->ports[options->num_ports++] = SSH_DEFAULT_PORT; | 163 | options->ports[options->num_ports++] = SSH_DEFAULT_PORT; |
| 160 | if (options->listen_addrs == NULL) | 164 | if (options->listen_addrs == NULL) |
| @@ -316,7 +320,8 @@ typedef enum { | |||
| 316 | sAcceptEnv, sPermitTunnel, | 320 | sAcceptEnv, sPermitTunnel, |
| 317 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 321 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
| 318 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 322 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
| 319 | sZeroKnowledgePasswordAuthentication, | 323 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
| 324 | sRevokedKeys, sTrustedUserCAKeys, | ||
| 320 | sDeprecated, sUnsupported | 325 | sDeprecated, sUnsupported |
| 321 | } ServerOpCodes; | 326 | } ServerOpCodes; |
| 322 | 327 | ||
| @@ -441,6 +446,9 @@ static struct { | |||
| 441 | { "permitopen", sPermitOpen, SSHCFG_ALL }, | 446 | { "permitopen", sPermitOpen, SSHCFG_ALL }, |
| 442 | { "forcecommand", sForceCommand, SSHCFG_ALL }, | 447 | { "forcecommand", sForceCommand, SSHCFG_ALL }, |
| 443 | { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, | 448 | { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, |
| 449 | { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, | ||
| 450 | { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, | ||
| 451 | { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, | ||
| 444 | { NULL, sBadOption, 0 } | 452 | { NULL, sBadOption, 0 } |
| 445 | }; | 453 | }; |
| 446 | 454 | ||
| @@ -476,6 +484,22 @@ parse_token(const char *cp, const char *filename, | |||
| 476 | return sBadOption; | 484 | return sBadOption; |
| 477 | } | 485 | } |
| 478 | 486 | ||
| 487 | char * | ||
| 488 | derelativise_path(const char *path) | ||
| 489 | { | ||
| 490 | char *expanded, *ret, *cwd; | ||
| 491 | |||
| 492 | expanded = tilde_expand_filename(path, getuid()); | ||
| 493 | if (*expanded == '/') | ||
| 494 | return expanded; | ||
| 495 | if ((cwd = getcwd(NULL, 0)) == NULL) | ||
| 496 | fatal("%s: getcwd: %s", __func__, strerror(errno)); | ||
| 497 | xasprintf(&ret, "%s/%s", cwd, expanded); | ||
| 498 | xfree(cwd); | ||
| 499 | xfree(expanded); | ||
| 500 | return ret; | ||
| 501 | } | ||
| 502 | |||
| 479 | static void | 503 | static void |
| 480 | add_listen_addr(ServerOptions *options, char *addr, int port) | 504 | add_listen_addr(ServerOptions *options, char *addr, int port) |
| 481 | { | 505 | { |
| @@ -810,13 +834,23 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 810 | fatal("%s line %d: missing file name.", | 834 | fatal("%s line %d: missing file name.", |
| 811 | filename, linenum); | 835 | filename, linenum); |
| 812 | if (*activep && *charptr == NULL) { | 836 | if (*activep && *charptr == NULL) { |
| 813 | *charptr = tilde_expand_filename(arg, getuid()); | 837 | *charptr = derelativise_path(arg); |
| 814 | /* increase optional counter */ | 838 | /* increase optional counter */ |
| 815 | if (intptr != NULL) | 839 | if (intptr != NULL) |
| 816 | *intptr = *intptr + 1; | 840 | *intptr = *intptr + 1; |
| 817 | } | 841 | } |
| 818 | break; | 842 | break; |
| 819 | 843 | ||
| 844 | case sHostCertificate: | ||
| 845 | intptr = &options->num_host_cert_files; | ||
| 846 | if (*intptr >= MAX_HOSTKEYS) | ||
| 847 | fatal("%s line %d: too many host certificates " | ||
| 848 | "specified (max %d).", filename, linenum, | ||
| 849 | MAX_HOSTCERTS); | ||
| 850 | charptr = &options->host_cert_files[*intptr]; | ||
| 851 | goto parse_filename; | ||
| 852 | break; | ||
| 853 | |||
| 820 | case sPidFile: | 854 | case sPidFile: |
| 821 | charptr = &options->pid_file; | 855 | charptr = &options->pid_file; |
| 822 | goto parse_filename; | 856 | goto parse_filename; |
| @@ -1323,6 +1357,14 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1323 | *charptr = xstrdup(arg); | 1357 | *charptr = xstrdup(arg); |
| 1324 | break; | 1358 | break; |
| 1325 | 1359 | ||
| 1360 | case sTrustedUserCAKeys: | ||
| 1361 | charptr = &options->trusted_user_ca_keys; | ||
| 1362 | goto parse_filename; | ||
| 1363 | |||
| 1364 | case sRevokedKeys: | ||
| 1365 | charptr = &options->revoked_keys_file; | ||
| 1366 | goto parse_filename; | ||
| 1367 | |||
| 1326 | case sDeprecated: | 1368 | case sDeprecated: |
| 1327 | logit("%s line %d: Deprecated option %s", | 1369 | logit("%s line %d: Deprecated option %s", |
| 1328 | filename, linenum, arg); | 1370 | filename, linenum, arg); |
| @@ -1437,6 +1479,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
| 1437 | return; | 1479 | return; |
| 1438 | M_CP_STROPT(adm_forced_command); | 1480 | M_CP_STROPT(adm_forced_command); |
| 1439 | M_CP_STROPT(chroot_directory); | 1481 | M_CP_STROPT(chroot_directory); |
| 1482 | M_CP_STROPT(trusted_user_ca_keys); | ||
| 1483 | M_CP_STROPT(revoked_keys_file); | ||
| 1440 | } | 1484 | } |
| 1441 | 1485 | ||
| 1442 | #undef M_CP_INTOPT | 1486 | #undef M_CP_INTOPT |
| @@ -1655,6 +1699,9 @@ dump_config(ServerOptions *o) | |||
| 1655 | dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file); | 1699 | dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file); |
| 1656 | dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2); | 1700 | dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2); |
| 1657 | dump_cfg_string(sForceCommand, o->adm_forced_command); | 1701 | dump_cfg_string(sForceCommand, o->adm_forced_command); |
| 1702 | dump_cfg_string(sChrootDirectory, o->chroot_directory); | ||
| 1703 | dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); | ||
| 1704 | dump_cfg_string(sRevokedKeys, o->revoked_keys_file); | ||
| 1658 | 1705 | ||
| 1659 | /* string arguments requiring a lookup */ | 1706 | /* string arguments requiring a lookup */ |
| 1660 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); | 1707 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); |
| @@ -1663,6 +1710,8 @@ dump_config(ServerOptions *o) | |||
| 1663 | /* string array arguments */ | 1710 | /* string array arguments */ |
| 1664 | dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, | 1711 | dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, |
| 1665 | o->host_key_files); | 1712 | o->host_key_files); |
| 1713 | dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files, | ||
| 1714 | o->host_cert_files); | ||
| 1666 | dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users); | 1715 | dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users); |
| 1667 | dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users); | 1716 | dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users); |
| 1668 | dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); | 1717 | dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); |