diff options
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 39 |
1 files changed, 29 insertions, 10 deletions
diff --git a/servconf.c b/servconf.c index df93fc450..6c7a91e6b 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,4 +1,5 @@ | |||
1 | /* $OpenBSD: servconf.c,v 1.274 2015/07/01 02:32:17 djm Exp $ */ | 1 | |
2 | /* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */ | ||
2 | /* | 3 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 5 | * All rights reserved |
@@ -107,6 +108,7 @@ initialize_server_options(ServerOptions *options) | |||
107 | options->hostbased_authentication = -1; | 108 | options->hostbased_authentication = -1; |
108 | options->hostbased_uses_name_from_packet_only = -1; | 109 | options->hostbased_uses_name_from_packet_only = -1; |
109 | options->hostbased_key_types = NULL; | 110 | options->hostbased_key_types = NULL; |
111 | options->hostkeyalgorithms = NULL; | ||
110 | options->rsa_authentication = -1; | 112 | options->rsa_authentication = -1; |
111 | options->pubkey_authentication = -1; | 113 | options->pubkey_authentication = -1; |
112 | options->pubkey_key_types = NULL; | 114 | options->pubkey_key_types = NULL; |
@@ -222,7 +224,7 @@ fill_default_server_options(ServerOptions *options) | |||
222 | if (options->key_regeneration_time == -1) | 224 | if (options->key_regeneration_time == -1) |
223 | options->key_regeneration_time = 3600; | 225 | options->key_regeneration_time = 3600; |
224 | if (options->permit_root_login == PERMIT_NOT_SET) | 226 | if (options->permit_root_login == PERMIT_NOT_SET) |
225 | options->permit_root_login = PERMIT_YES; | 227 | options->permit_root_login = PERMIT_NO_PASSWD; |
226 | if (options->ignore_rhosts == -1) | 228 | if (options->ignore_rhosts == -1) |
227 | options->ignore_rhosts = 1; | 229 | options->ignore_rhosts = 1; |
228 | if (options->ignore_user_known_hosts == -1) | 230 | if (options->ignore_user_known_hosts == -1) |
@@ -257,14 +259,12 @@ fill_default_server_options(ServerOptions *options) | |||
257 | options->hostbased_authentication = 0; | 259 | options->hostbased_authentication = 0; |
258 | if (options->hostbased_uses_name_from_packet_only == -1) | 260 | if (options->hostbased_uses_name_from_packet_only == -1) |
259 | options->hostbased_uses_name_from_packet_only = 0; | 261 | options->hostbased_uses_name_from_packet_only = 0; |
260 | if (options->hostbased_key_types == NULL) | 262 | if (options->hostkeyalgorithms == NULL) |
261 | options->hostbased_key_types = xstrdup("*"); | 263 | options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); |
262 | if (options->rsa_authentication == -1) | 264 | if (options->rsa_authentication == -1) |
263 | options->rsa_authentication = 1; | 265 | options->rsa_authentication = 1; |
264 | if (options->pubkey_authentication == -1) | 266 | if (options->pubkey_authentication == -1) |
265 | options->pubkey_authentication = 1; | 267 | options->pubkey_authentication = 1; |
266 | if (options->pubkey_key_types == NULL) | ||
267 | options->pubkey_key_types = xstrdup("*"); | ||
268 | if (options->kerberos_authentication == -1) | 268 | if (options->kerberos_authentication == -1) |
269 | options->kerberos_authentication = 0; | 269 | options->kerberos_authentication = 0; |
270 | if (options->kerberos_or_local_passwd == -1) | 270 | if (options->kerberos_or_local_passwd == -1) |
@@ -341,6 +341,16 @@ fill_default_server_options(ServerOptions *options) | |||
341 | options->fwd_opts.streamlocal_bind_unlink = 0; | 341 | options->fwd_opts.streamlocal_bind_unlink = 0; |
342 | if (options->fingerprint_hash == -1) | 342 | if (options->fingerprint_hash == -1) |
343 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; | 343 | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
344 | |||
345 | if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || | ||
346 | kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 || | ||
347 | kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 || | ||
348 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | ||
349 | &options->hostbased_key_types) != 0 || | ||
350 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | ||
351 | &options->pubkey_key_types) != 0) | ||
352 | fatal("%s: kex_assemble_names failed", __func__); | ||
353 | |||
344 | /* Turn privilege separation on by default */ | 354 | /* Turn privilege separation on by default */ |
345 | if (use_privsep == -1) | 355 | if (use_privsep == -1) |
346 | use_privsep = PRIVSEP_NOSANDBOX; | 356 | use_privsep = PRIVSEP_NOSANDBOX; |
@@ -399,6 +409,7 @@ typedef enum { | |||
399 | sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, | 409 | sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, |
400 | sBanner, sUseDNS, sHostbasedAuthentication, | 410 | sBanner, sUseDNS, sHostbasedAuthentication, |
401 | sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, | 411 | sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, |
412 | sHostKeyAlgorithms, | ||
402 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 413 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
403 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 414 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
404 | sAcceptEnv, sPermitTunnel, | 415 | sAcceptEnv, sPermitTunnel, |
@@ -449,6 +460,7 @@ static struct { | |||
449 | { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, | 460 | { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, |
450 | { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, | 461 | { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL }, |
451 | { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, | 462 | { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL }, |
463 | { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL }, | ||
452 | { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, | 464 | { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, |
453 | { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, | 465 | { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, |
454 | { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, | 466 | { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL }, |
@@ -904,6 +916,7 @@ static const struct multistate multistate_addressfamily[] = { | |||
904 | }; | 916 | }; |
905 | static const struct multistate multistate_permitrootlogin[] = { | 917 | static const struct multistate multistate_permitrootlogin[] = { |
906 | { "without-password", PERMIT_NO_PASSWD }, | 918 | { "without-password", PERMIT_NO_PASSWD }, |
919 | { "prohibit-password", PERMIT_NO_PASSWD }, | ||
907 | { "forced-commands-only", PERMIT_FORCED_ONLY }, | 920 | { "forced-commands-only", PERMIT_FORCED_ONLY }, |
908 | { "yes", PERMIT_YES }, | 921 | { "yes", PERMIT_YES }, |
909 | { "no", PERMIT_NO }, | 922 | { "no", PERMIT_NO }, |
@@ -1175,13 +1188,17 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1175 | if (!arg || *arg == '\0') | 1188 | if (!arg || *arg == '\0') |
1176 | fatal("%s line %d: Missing argument.", | 1189 | fatal("%s line %d: Missing argument.", |
1177 | filename, linenum); | 1190 | filename, linenum); |
1178 | if (!sshkey_names_valid2(arg, 1)) | 1191 | if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) |
1179 | fatal("%s line %d: Bad key types '%s'.", | 1192 | fatal("%s line %d: Bad key types '%s'.", |
1180 | filename, linenum, arg ? arg : "<NONE>"); | 1193 | filename, linenum, arg ? arg : "<NONE>"); |
1181 | if (*activep && *charptr == NULL) | 1194 | if (*activep && *charptr == NULL) |
1182 | *charptr = xstrdup(arg); | 1195 | *charptr = xstrdup(arg); |
1183 | break; | 1196 | break; |
1184 | 1197 | ||
1198 | case sHostKeyAlgorithms: | ||
1199 | charptr = &options->hostkeyalgorithms; | ||
1200 | goto parse_keytypes; | ||
1201 | |||
1185 | case sRSAAuthentication: | 1202 | case sRSAAuthentication: |
1186 | intptr = &options->rsa_authentication; | 1203 | intptr = &options->rsa_authentication; |
1187 | goto parse_flag; | 1204 | goto parse_flag; |
@@ -1424,7 +1441,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1424 | arg = strdelim(&cp); | 1441 | arg = strdelim(&cp); |
1425 | if (!arg || *arg == '\0') | 1442 | if (!arg || *arg == '\0') |
1426 | fatal("%s line %d: Missing argument.", filename, linenum); | 1443 | fatal("%s line %d: Missing argument.", filename, linenum); |
1427 | if (!ciphers_valid(arg)) | 1444 | if (!ciphers_valid(*arg == '+' ? arg + 1 : arg)) |
1428 | fatal("%s line %d: Bad SSH2 cipher spec '%s'.", | 1445 | fatal("%s line %d: Bad SSH2 cipher spec '%s'.", |
1429 | filename, linenum, arg ? arg : "<NONE>"); | 1446 | filename, linenum, arg ? arg : "<NONE>"); |
1430 | if (options->ciphers == NULL) | 1447 | if (options->ciphers == NULL) |
@@ -1435,7 +1452,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1435 | arg = strdelim(&cp); | 1452 | arg = strdelim(&cp); |
1436 | if (!arg || *arg == '\0') | 1453 | if (!arg || *arg == '\0') |
1437 | fatal("%s line %d: Missing argument.", filename, linenum); | 1454 | fatal("%s line %d: Missing argument.", filename, linenum); |
1438 | if (!mac_valid(arg)) | 1455 | if (!mac_valid(*arg == '+' ? arg + 1 : arg)) |
1439 | fatal("%s line %d: Bad SSH2 mac spec '%s'.", | 1456 | fatal("%s line %d: Bad SSH2 mac spec '%s'.", |
1440 | filename, linenum, arg ? arg : "<NONE>"); | 1457 | filename, linenum, arg ? arg : "<NONE>"); |
1441 | if (options->macs == NULL) | 1458 | if (options->macs == NULL) |
@@ -1447,7 +1464,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1447 | if (!arg || *arg == '\0') | 1464 | if (!arg || *arg == '\0') |
1448 | fatal("%s line %d: Missing argument.", | 1465 | fatal("%s line %d: Missing argument.", |
1449 | filename, linenum); | 1466 | filename, linenum); |
1450 | if (!kex_names_valid(arg)) | 1467 | if (!kex_names_valid(*arg == '+' ? arg + 1 : arg)) |
1451 | fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", | 1468 | fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", |
1452 | filename, linenum, arg ? arg : "<NONE>"); | 1469 | filename, linenum, arg ? arg : "<NONE>"); |
1453 | if (options->kex_algorithms == NULL) | 1470 | if (options->kex_algorithms == NULL) |
@@ -2279,6 +2296,8 @@ dump_config(ServerOptions *o) | |||
2279 | o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); | 2296 | o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); |
2280 | dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? | 2297 | dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? |
2281 | o->hostbased_key_types : KEX_DEFAULT_PK_ALG); | 2298 | o->hostbased_key_types : KEX_DEFAULT_PK_ALG); |
2299 | dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? | ||
2300 | o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); | ||
2282 | dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? | 2301 | dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? |
2283 | o->pubkey_key_types : KEX_DEFAULT_PK_ALG); | 2302 | o->pubkey_key_types : KEX_DEFAULT_PK_ALG); |
2284 | 2303 | ||