diff options
Diffstat (limited to 'servconf.c')
| -rw-r--r-- | servconf.c | 87 |
1 files changed, 66 insertions, 21 deletions
diff --git a/servconf.c b/servconf.c index ed1fc71cf..e0e43c3dd 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ||
| 2 | /* $OpenBSD: servconf.c,v 1.309 2017/06/24 06:34:38 djm Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.310 2017/09/12 06:32:07 djm Exp $ */ |
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved | 5 | * All rights reserved |
| @@ -149,7 +149,7 @@ initialize_server_options(ServerOptions *options) | |||
| 149 | options->num_authkeys_files = 0; | 149 | options->num_authkeys_files = 0; |
| 150 | options->num_accept_env = 0; | 150 | options->num_accept_env = 0; |
| 151 | options->permit_tun = -1; | 151 | options->permit_tun = -1; |
| 152 | options->num_permitted_opens = -1; | 152 | options->permitted_opens = NULL; |
| 153 | options->adm_forced_command = NULL; | 153 | options->adm_forced_command = NULL; |
| 154 | options->chroot_directory = NULL; | 154 | options->chroot_directory = NULL; |
| 155 | options->authorized_keys_command = NULL; | 155 | options->authorized_keys_command = NULL; |
| @@ -697,6 +697,44 @@ process_queued_listen_addrs(ServerOptions *options) | |||
| 697 | options->num_queued_listens = 0; | 697 | options->num_queued_listens = 0; |
| 698 | } | 698 | } |
| 699 | 699 | ||
| 700 | /* | ||
| 701 | * Inform channels layer of permitopen options from configuration. | ||
| 702 | */ | ||
| 703 | void | ||
| 704 | process_permitopen(struct ssh *ssh, ServerOptions *options) | ||
| 705 | { | ||
| 706 | u_int i; | ||
| 707 | int port; | ||
| 708 | char *host, *arg, *oarg; | ||
| 709 | |||
| 710 | channel_clear_adm_permitted_opens(ssh); | ||
| 711 | if (options->num_permitted_opens == 0) | ||
| 712 | return; /* permit any */ | ||
| 713 | |||
| 714 | /* handle keywords: "any" / "none" */ | ||
| 715 | if (options->num_permitted_opens == 1 && | ||
| 716 | strcmp(options->permitted_opens[0], "any") == 0) | ||
| 717 | return; | ||
| 718 | if (options->num_permitted_opens == 1 && | ||
| 719 | strcmp(options->permitted_opens[0], "none") == 0) { | ||
| 720 | channel_disable_adm_local_opens(ssh); | ||
| 721 | return; | ||
| 722 | } | ||
| 723 | /* Otherwise treat it as a list of permitted host:port */ | ||
| 724 | for (i = 0; i < options->num_permitted_opens; i++) { | ||
| 725 | oarg = arg = xstrdup(options->permitted_opens[i]); | ||
| 726 | host = hpdelim(&arg); | ||
| 727 | if (host == NULL) | ||
| 728 | fatal("%s: missing host in PermitOpen", __func__); | ||
| 729 | host = cleanhostname(host); | ||
| 730 | if (arg == NULL || ((port = permitopen_port(arg)) < 0)) | ||
| 731 | fatal("%s: bad port number in PermitOpen", __func__); | ||
| 732 | /* Send it to channels layer */ | ||
| 733 | channel_add_adm_permitted_opens(ssh, host, port); | ||
| 734 | free(oarg); | ||
| 735 | } | ||
| 736 | } | ||
| 737 | |||
| 700 | struct connection_info * | 738 | struct connection_info * |
| 701 | get_connection_info(int populate, int use_dns) | 739 | get_connection_info(int populate, int use_dns) |
| 702 | { | 740 | { |
| @@ -954,7 +992,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 954 | const char *filename, int linenum, int *activep, | 992 | const char *filename, int linenum, int *activep, |
| 955 | struct connection_info *connectinfo) | 993 | struct connection_info *connectinfo) |
| 956 | { | 994 | { |
| 957 | char *cp, **charptr, *arg, *p; | 995 | char *cp, **charptr, *arg, *arg2, *p; |
| 958 | int cmdline = 0, *intptr, value, value2, n, port; | 996 | int cmdline = 0, *intptr, value, value2, n, port; |
| 959 | SyslogFacility *log_facility_ptr; | 997 | SyslogFacility *log_facility_ptr; |
| 960 | LogLevel *log_level_ptr; | 998 | LogLevel *log_level_ptr; |
| @@ -1625,24 +1663,17 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1625 | if (!arg || *arg == '\0') | 1663 | if (!arg || *arg == '\0') |
| 1626 | fatal("%s line %d: missing PermitOpen specification", | 1664 | fatal("%s line %d: missing PermitOpen specification", |
| 1627 | filename, linenum); | 1665 | filename, linenum); |
| 1628 | n = options->num_permitted_opens; /* modified later */ | 1666 | i = options->num_permitted_opens; /* modified later */ |
| 1629 | if (strcmp(arg, "any") == 0) { | 1667 | if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) { |
| 1630 | if (*activep && n == -1) { | 1668 | if (*activep && i == 0) |
| 1631 | channel_clear_adm_permitted_opens(); | ||
| 1632 | options->num_permitted_opens = 0; | ||
| 1633 | } | ||
| 1634 | break; | ||
| 1635 | } | ||
| 1636 | if (strcmp(arg, "none") == 0) { | ||
| 1637 | if (*activep && n == -1) { | ||
| 1638 | options->num_permitted_opens = 1; | 1669 | options->num_permitted_opens = 1; |
| 1639 | channel_disable_adm_local_opens(); | 1670 | options->permitted_opens = xcalloc(1, |
| 1640 | } | 1671 | sizeof(*options->permitted_opens)); |
| 1672 | options->permitted_opens[0] = xstrdup(arg); | ||
| 1641 | break; | 1673 | break; |
| 1642 | } | 1674 | } |
| 1643 | if (*activep && n == -1) | ||
| 1644 | channel_clear_adm_permitted_opens(); | ||
| 1645 | for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { | 1675 | for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { |
| 1676 | arg2 = xstrdup(arg); | ||
| 1646 | p = hpdelim(&arg); | 1677 | p = hpdelim(&arg); |
| 1647 | if (p == NULL) | 1678 | if (p == NULL) |
| 1648 | fatal("%s line %d: missing host in PermitOpen", | 1679 | fatal("%s line %d: missing host in PermitOpen", |
| @@ -1651,9 +1682,16 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1651 | if (arg == NULL || ((port = permitopen_port(arg)) < 0)) | 1682 | if (arg == NULL || ((port = permitopen_port(arg)) < 0)) |
| 1652 | fatal("%s line %d: bad port number in " | 1683 | fatal("%s line %d: bad port number in " |
| 1653 | "PermitOpen", filename, linenum); | 1684 | "PermitOpen", filename, linenum); |
| 1654 | if (*activep && n == -1) | 1685 | if (*activep && i == 0) { |
| 1655 | options->num_permitted_opens = | 1686 | options->permitted_opens = xrecallocarray( |
| 1656 | channel_add_adm_permitted_opens(p, port); | 1687 | options->permitted_opens, |
| 1688 | options->num_permitted_opens, | ||
| 1689 | options->num_permitted_opens + 1, | ||
| 1690 | sizeof(*options->permitted_opens)); | ||
| 1691 | i = options->num_permitted_opens++; | ||
| 1692 | options->permitted_opens[i] = arg2; | ||
| 1693 | } else | ||
| 1694 | free(arg2); | ||
| 1657 | } | 1695 | } |
| 1658 | break; | 1696 | break; |
| 1659 | 1697 | ||
| @@ -2352,5 +2390,12 @@ dump_config(ServerOptions *o) | |||
| 2352 | printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit, | 2390 | printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit, |
| 2353 | o->rekey_interval); | 2391 | o->rekey_interval); |
| 2354 | 2392 | ||
| 2355 | channel_print_adm_permitted_opens(); | 2393 | printf("permitopen"); |
| 2394 | if (o->num_permitted_opens == 0) | ||
| 2395 | printf(" any"); | ||
| 2396 | else { | ||
| 2397 | for (i = 0; i < o->num_permitted_opens; i++) | ||
| 2398 | printf(" %s", o->permitted_opens[i]); | ||
| 2399 | } | ||
| 2400 | printf("\n"); | ||
| 2356 | } | 2401 | } |