Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c57
1 files changed, 53 insertions, 4 deletions
diff --git a/servconf.c b/servconf.c
index d9726c435..cbbb20052 100644
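--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.195 2009/04/14 21:10:54 jj Exp $ */
+/* $OpenBSD: servconf.c,v 1.204 2010/03/04 10:36:03 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -65,6 +65,7 @@ initialize_server_options(ServerOptions *options)
  options->listen_addrs = NULL;
  options->address_family = -1;
  options->num_host_key_files = 0;
+ options->num_host_cert_files = 0;
  options->pid_file = NULL;
  options->server_key_bits = -1;
  options->login_grace_time = -1;
@@ -131,6 +132,8 @@ initialize_server_options(ServerOptions *options)
  options->adm_forced_command = NULL;
  options->chroot_directory = NULL;
  options->zero_knowledge_password_authentication = -1;
+ options->revoked_keys_file = NULL;
+ options->trusted_user_ca_keys = NULL;
 }
 
 void
@@ -142,7 +145,7 @@ fill_default_server_options(ServerOptions *options)
 
  /* Standard Options */
  if (options->protocol == SSH_PROTO_UNKNOWN)
- options->protocol = SSH_PROTO_1|SSH_PROTO_2;
+ options->protocol = SSH_PROTO_2;
  if (options->num_host_key_files == 0) {
  /* fill default hostkeys for protocols */
  if (options->protocol & SSH_PROTO_1)
@@ -155,6 +158,7 @@ fill_default_server_options(ServerOptions *options)
  _PATH_HOST_DSA_KEY_FILE;
  }
  }
+ /* No certificates by default */
  if (options->num_ports == 0)
  options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
  if (options->listen_addrs == NULL)
@@ -316,7 +320,8 @@ typedef enum {
  sAcceptEnv, sPermitTunnel,
  sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
  sUsePrivilegeSeparation, sAllowAgentForwarding,
- sZeroKnowledgePasswordAuthentication,
+ sZeroKnowledgePasswordAuthentication, sHostCertificate,
+ sRevokedKeys, sTrustedUserCAKeys,
  sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -441,6 +446,9 @@ static struct {
  { "permitopen", sPermitOpen, SSHCFG_ALL },
  { "forcecommand", sForceCommand, SSHCFG_ALL },
  { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
+ { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
+ { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
+ { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
  { NULL, sBadOption, 0 }
 };
 
@@ -476,6 +484,22 @@ parse_token(const char *cp, const char *filename,
  return sBadOption;
 }
 
+char *
+derelativise_path(const char *path)
+{
+ char *expanded, *ret, *cwd;
+
+ expanded = tilde_expand_filename(path, getuid());
+ if (*expanded == '/')
+ return expanded;
+ if ((cwd = getcwd(NULL, 0)) == NULL)
+ fatal("%s: getcwd: %s", __func__, strerror(errno));
+ xasprintf(&ret, "%s/%s", cwd, expanded);
+ xfree(cwd);
+ xfree(expanded);
+ return ret;
+}
+
 static void
 add_listen_addr(ServerOptions *options, char *addr, int port)
 {
@@ -810,13 +834,23 @@ process_server_config_line(ServerOptions *options, char *line,
  fatal("%s line %d: missing file name.",
  filename, linenum);
  if (*activep && *charptr == NULL) {
- *charptr = tilde_expand_filename(arg, getuid());
+ *charptr = derelativise_path(arg);
  /* increase optional counter */
  if (intptr != NULL)
  *intptr = *intptr + 1;
  }
  break;
 
+ case sHostCertificate:
+ intptr = &options->num_host_cert_files;
+ if (*intptr >= MAX_HOSTKEYS)
+ fatal("%s line %d: too many host certificates "
+ "specified (max %d).", filename, linenum,
+ MAX_HOSTCERTS);
+ charptr = &options->host_cert_files[*intptr];
+ goto parse_filename;
+ break;
+
  case sPidFile:
  charptr = &options->pid_file;
  goto parse_filename;
@@ -1323,6 +1357,14 @@ process_server_config_line(ServerOptions *options, char *line,
  *charptr = xstrdup(arg);
  break;
 
+ case sTrustedUserCAKeys:
+ charptr = &options->trusted_user_ca_keys;
+ goto parse_filename;
+
+ case sRevokedKeys:
+ charptr = &options->revoked_keys_file;
+ goto parse_filename;
+
  case sDeprecated:
  logit("%s line %d: Deprecated option %s",
  filename, linenum, arg);
@@ -1437,6 +1479,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
  return;
  M_CP_STROPT(adm_forced_command);
  M_CP_STROPT(chroot_directory);
+ M_CP_STROPT(trusted_user_ca_keys);
+ M_CP_STROPT(revoked_keys_file);
 }
 
 #undef M_CP_INTOPT
@@ -1655,6 +1699,9 @@ dump_config(ServerOptions *o)
  dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
  dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
  dump_cfg_string(sForceCommand, o->adm_forced_command);
+ dump_cfg_string(sChrootDirectory, o->chroot_directory);
+ dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
+ dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
 
  /* string arguments requiring a lookup */
  dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -1663,6 +1710,8 @@ dump_config(ServerOptions *o)
  /* string array arguments */
  dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
  o->host_key_files);
+ dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
+ o->host_cert_files);
  dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
  dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
  dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);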
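Review bot: In the new `sHostCertificate` case of process_server_config_line, the bound is tested against `MAX_HOSTKEYS` while the error message reports `MAX_HOSTCERTS` and the slot written is `options->host_cert_files[*intptr]`. The array's declaration is not visible on this page; if it is sized by `MAX_HOSTCERTS` and the two constants ever differ, enough HostCertificate lines in a config would index past the array, so the guard should read `if (*intptr >= MAX_HOSTCERTS)`. The `break;` after `goto parse_filename;` in that case is unreachable and can be dropped. Separately, the last dump_config hunk prints the certificate list under `sHostKeyFile`, so the configuration dump would label certificates as host keys; `dump_cfg_strarray(sHostCertificate, o->num_host_cert_files, o->host_cert_files);` looks like what was intended. Both functions start and end outside the hunks shown.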