summaryrefslogtreecommitdiff
path: root/servconf.c
diff options
context:
space:
mode:
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c77
1 files changed, 68 insertions, 9 deletions
diff --git a/servconf.c b/servconf.c
index 1700d5aa6..a2928ff57 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ 2/* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -20,6 +20,7 @@
20#include <netinet/in_systm.h> 20#include <netinet/in_systm.h>
21#include <netinet/ip.h> 21#include <netinet/ip.h>
22 22
23#include <ctype.h>
23#include <netdb.h> 24#include <netdb.h>
24#include <pwd.h> 25#include <pwd.h>
25#include <stdio.h> 26#include <stdio.h>
@@ -29,6 +30,9 @@
29#include <unistd.h> 30#include <unistd.h>
30#include <stdarg.h> 31#include <stdarg.h>
31#include <errno.h> 32#include <errno.h>
33#ifdef HAVE_UTIL_H
34#include <util.h>
35#endif
32 36
33#include "openbsd-compat/sys-queue.h" 37#include "openbsd-compat/sys-queue.h"
34#include "xmalloc.h" 38#include "xmalloc.h"
@@ -75,6 +79,7 @@ initialize_server_options(ServerOptions *options)
75 options->address_family = -1; 79 options->address_family = -1;
76 options->num_host_key_files = 0; 80 options->num_host_key_files = 0;
77 options->num_host_cert_files = 0; 81 options->num_host_cert_files = 0;
82 options->host_key_agent = NULL;
78 options->pid_file = NULL; 83 options->pid_file = NULL;
79 options->server_key_bits = -1; 84 options->server_key_bits = -1;
80 options->login_grace_time = -1; 85 options->login_grace_time = -1;
@@ -114,6 +119,8 @@ initialize_server_options(ServerOptions *options)
114 options->permit_user_env = -1; 119 options->permit_user_env = -1;
115 options->use_login = -1; 120 options->use_login = -1;
116 options->compression = -1; 121 options->compression = -1;
122 options->rekey_limit = -1;
123 options->rekey_interval = -1;
117 options->allow_tcp_forwarding = -1; 124 options->allow_tcp_forwarding = -1;
118 options->allow_agent_forwarding = -1; 125 options->allow_agent_forwarding = -1;
119 options->num_allow_users = 0; 126 options->num_allow_users = 0;
@@ -262,6 +269,10 @@ fill_default_server_options(ServerOptions *options)
262 options->use_login = 0; 269 options->use_login = 0;
263 if (options->compression == -1) 270 if (options->compression == -1)
264 options->compression = COMP_DELAYED; 271 options->compression = COMP_DELAYED;
272 if (options->rekey_limit == -1)
273 options->rekey_limit = 0;
274 if (options->rekey_interval == -1)
275 options->rekey_interval = 0;
265 if (options->allow_tcp_forwarding == -1) 276 if (options->allow_tcp_forwarding == -1)
266 options->allow_tcp_forwarding = FORWARD_ALLOW; 277 options->allow_tcp_forwarding = FORWARD_ALLOW;
267 if (options->allow_agent_forwarding == -1) 278 if (options->allow_agent_forwarding == -1)
@@ -335,7 +346,7 @@ typedef enum {
335 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 346 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
336 sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive, 347 sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive,
337 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 348 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
338 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 349 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
339 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 350 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
340 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, 351 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
341 sMaxStartups, sMaxAuthTries, sMaxSessions, 352 sMaxStartups, sMaxAuthTries, sMaxSessions,
@@ -351,7 +362,7 @@ typedef enum {
351 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 362 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
352 sKexAlgorithms, sIPQoS, sVersionAddendum, 363 sKexAlgorithms, sIPQoS, sVersionAddendum,
353 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 364 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
354 sAuthenticationMethods, 365 sAuthenticationMethods, sHostKeyAgent,
355 sDebianBanner, 366 sDebianBanner,
356 sDeprecated, sUnsupported 367 sDeprecated, sUnsupported
357} ServerOpCodes; 368} ServerOpCodes;
@@ -377,6 +388,7 @@ static struct {
377 { "port", sPort, SSHCFG_GLOBAL }, 388 { "port", sPort, SSHCFG_GLOBAL },
378 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, 389 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
379 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ 390 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
391 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
380 { "pidfile", sPidFile, SSHCFG_GLOBAL }, 392 { "pidfile", sPidFile, SSHCFG_GLOBAL },
381 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, 393 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
382 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, 394 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
@@ -451,6 +463,7 @@ static struct {
451 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 463 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
452 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 464 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
453 { "compression", sCompression, SSHCFG_GLOBAL }, 465 { "compression", sCompression, SSHCFG_GLOBAL },
466 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
454 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, 467 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
455 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ 468 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
456 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, 469 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
@@ -539,7 +552,7 @@ derelativise_path(const char *path)
539 if (getcwd(cwd, sizeof(cwd)) == NULL) 552 if (getcwd(cwd, sizeof(cwd)) == NULL)
540 fatal("%s: getcwd: %s", __func__, strerror(errno)); 553 fatal("%s: getcwd: %s", __func__, strerror(errno));
541 xasprintf(&ret, "%s/%s", cwd, expanded); 554 xasprintf(&ret, "%s/%s", cwd, expanded);
542 xfree(expanded); 555 free(expanded);
543 return ret; 556 return ret;
544} 557}
545 558
@@ -831,13 +844,13 @@ process_server_config_line(ServerOptions *options, char *line,
831 struct connection_info *connectinfo) 844 struct connection_info *connectinfo)
832{ 845{
833 char *cp, **charptr, *arg, *p; 846 char *cp, **charptr, *arg, *p;
834 int cmdline = 0, *intptr, value, value2, n; 847 int cmdline = 0, *intptr, value, value2, n, port;
835 SyslogFacility *log_facility_ptr; 848 SyslogFacility *log_facility_ptr;
836 LogLevel *log_level_ptr; 849 LogLevel *log_level_ptr;
837 ServerOpCodes opcode; 850 ServerOpCodes opcode;
838 int port;
839 u_int i, flags = 0; 851 u_int i, flags = 0;
840 size_t len; 852 size_t len;
853 long long val64;
841 const struct multistate *multistate_ptr; 854 const struct multistate *multistate_ptr;
842 855
843 cp = line; 856 cp = line;
@@ -997,6 +1010,17 @@ process_server_config_line(ServerOptions *options, char *line,
997 } 1010 }
998 break; 1011 break;
999 1012
1013 case sHostKeyAgent:
1014 charptr = &options->host_key_agent;
1015 arg = strdelim(&cp);
1016 if (!arg || *arg == '\0')
1017 fatal("%s line %d: missing socket name.",
1018 filename, linenum);
1019 if (*activep && *charptr == NULL)
1020 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1021 xstrdup(arg) : derelativise_path(arg);
1022 break;
1023
1000 case sHostCertificate: 1024 case sHostCertificate:
1001 intptr = &options->num_host_cert_files; 1025 intptr = &options->num_host_cert_files;
1002 if (*intptr >= MAX_HOSTKEYS) 1026 if (*intptr >= MAX_HOSTKEYS)
@@ -1164,6 +1188,37 @@ process_server_config_line(ServerOptions *options, char *line,
1164 multistate_ptr = multistate_compression; 1188 multistate_ptr = multistate_compression;
1165 goto parse_multistate; 1189 goto parse_multistate;
1166 1190
1191 case sRekeyLimit:
1192 arg = strdelim(&cp);
1193 if (!arg || *arg == '\0')
1194 fatal("%.200s line %d: Missing argument.", filename,
1195 linenum);
1196 if (strcmp(arg, "default") == 0) {
1197 val64 = 0;
1198 } else {
1199 if (scan_scaled(arg, &val64) == -1)
1200 fatal("%.200s line %d: Bad number '%s': %s",
1201 filename, linenum, arg, strerror(errno));
1202 /* check for too-large or too-small limits */
1203 if (val64 > UINT_MAX)
1204 fatal("%.200s line %d: RekeyLimit too large",
1205 filename, linenum);
1206 if (val64 != 0 && val64 < 16)
1207 fatal("%.200s line %d: RekeyLimit too small",
1208 filename, linenum);
1209 }
1210 if (*activep && options->rekey_limit == -1)
1211 options->rekey_limit = (u_int32_t)val64;
1212 if (cp != NULL) { /* optional rekey interval present */
1213 if (strcmp(cp, "none") == 0) {
1214 (void)strdelim(&cp); /* discard */
1215 break;
1216 }
1217 intptr = &options->rekey_interval;
1218 goto parse_time;
1219 }
1220 break;
1221
1167 case sGatewayPorts: 1222 case sGatewayPorts:
1168 intptr = &options->gateway_ports; 1223 intptr = &options->gateway_ports;
1169 multistate_ptr = multistate_gatewayports; 1224 multistate_ptr = multistate_gatewayports;
@@ -1721,8 +1776,7 @@ int server_match_spec_complete(struct connection_info *ci)
1721} while (0) 1776} while (0)
1722#define M_CP_STROPT(n) do {\ 1777#define M_CP_STROPT(n) do {\
1723 if (src->n != NULL) { \ 1778 if (src->n != NULL) { \
1724 if (dst->n != NULL) \ 1779 free(dst->n); \
1725 xfree(dst->n); \
1726 dst->n = src->n; \ 1780 dst->n = src->n; \
1727 } \ 1781 } \
1728} while(0) 1782} while(0)
@@ -1768,6 +1822,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1768 M_CP_INTOPT(max_authtries); 1822 M_CP_INTOPT(max_authtries);
1769 M_CP_INTOPT(ip_qos_interactive); 1823 M_CP_INTOPT(ip_qos_interactive);
1770 M_CP_INTOPT(ip_qos_bulk); 1824 M_CP_INTOPT(ip_qos_bulk);
1825 M_CP_INTOPT(rekey_limit);
1826 M_CP_INTOPT(rekey_interval);
1771 1827
1772 /* See comment in servconf.h */ 1828 /* See comment in servconf.h */
1773 COPY_MATCH_STRING_OPTS(); 1829 COPY_MATCH_STRING_OPTS();
@@ -1804,7 +1860,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1804 linenum++, &active, connectinfo) != 0) 1860 linenum++, &active, connectinfo) != 0)
1805 bad_options++; 1861 bad_options++;
1806 } 1862 }
1807 xfree(obuf); 1863 free(obuf);
1808 if (bad_options > 0) 1864 if (bad_options > 0)
1809 fatal("%s: terminating, %d bad configuration options", 1865 fatal("%s: terminating, %d bad configuration options",
1810 filename, bad_options); 1866 filename, bad_options);
@@ -2022,6 +2078,7 @@ dump_config(ServerOptions *o)
2022 dump_cfg_string(sVersionAddendum, o->version_addendum); 2078 dump_cfg_string(sVersionAddendum, o->version_addendum);
2023 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); 2079 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2024 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); 2080 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2081 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2025 2082
2026 /* string arguments requiring a lookup */ 2083 /* string arguments requiring a lookup */
2027 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2084 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -2060,5 +2117,7 @@ dump_config(ServerOptions *o)
2060 printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); 2117 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2061 printf("%s\n", iptos2str(o->ip_qos_bulk)); 2118 printf("%s\n", iptos2str(o->ip_qos_bulk));
2062 2119
2120 printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval);
2121
2063 channel_print_adm_permitted_opens(); 2122 channel_print_adm_permitted_opens();
2064} 2123}
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-19 05:21:03 +0000