Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 66 |
1 files changed, 51 insertions, 15 deletions
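--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.186 2008/07/04 03:44:59 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.194 2009/01/22 10:02:34 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -42,8 +42,8 @@
 #include "channels.h"
 #include "groupaccess.h"
 
-static void add_listen_addr(ServerOptions *, char *, u_short);
-static void add_one_listen_addr(ServerOptions *, char *, u_short);
+static void add_listen_addr(ServerOptions *, char *, int);
+static void add_one_listen_addr(ServerOptions *, char *, int);
 
 /* Use of privilege separation or not */
 extern int use_privsep;
@@ -95,6 +95,7 @@ initialize_server_options(ServerOptions *options)
 options->gss_keyex = -1;
 options->gss_cleanup_creds = -1;
 options->gss_strict_acceptor = -1;
+options->gss_store_rekey = -1;
 options->password_authentication = -1;
 options->kbd_interactive_authentication = -1;
 options->challenge_response_authentication = -1;
@@ -129,6 +130,7 @@ initialize_server_options(ServerOptions *options)
 options->num_permitted_opens = -1;
 options->adm_forced_command = NULL;
 options->chroot_directory = NULL;
+options->zero_knowledge_password_authentication = -1;
 }
 
 void
@@ -217,6 +219,8 @@ fill_default_server_options(ServerOptions *options)
 options->gss_cleanup_creds = 1;
 if (options->gss_strict_acceptor == -1)
 options->gss_strict_acceptor = 1;
+if (options->gss_store_rekey == -1)
+options->gss_store_rekey = 0;
 if (options->password_authentication == -1)
 options->password_authentication = 1;
 if (options->kbd_interactive_authentication == -1)
@@ -264,6 +268,8 @@ fill_default_server_options(ServerOptions *options)
 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
 if (options->permit_tun == -1)
 options->permit_tun = SSH_TUNMODE_NO;
+if (options->zero_knowledge_password_authentication == -1)
+options->zero_knowledge_password_authentication = 0;
 
 /* Turn privilege separation on by default */
 if (use_privsep == -1)
@@ -306,10 +312,11 @@ typedef enum {
 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-sGssKeyEx,
+sGssKeyEx, sGssStoreRekey,
 sAcceptEnv, sPermitTunnel,
 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 sUsePrivilegeSeparation, sAllowAgentForwarding,
+sZeroKnowledgePasswordAuthentication,
 sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -370,16 +377,23 @@ static struct {
 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
 #else
 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
 #endif
 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+#ifdef JPAKE
+{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
+#else
+{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
+#endif
 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
@@ -392,7 +406,7 @@ static struct {
 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
-{ "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
+{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
 { "compression", sCompression, SSHCFG_GLOBAL },
@@ -463,7 +477,7 @@ parse_token(const char *cp, const char *filename,
 }
 
 static void
-add_listen_addr(ServerOptions *options, char *addr, u_short port)
+add_listen_addr(ServerOptions *options, char *addr, int port)
 {
 u_int i;
 
@@ -479,7 +493,7 @@ add_listen_addr(ServerOptions *options, char *addr, u_short port)
 }
 
 static void
-add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
+add_one_listen_addr(ServerOptions *options, char *addr, int port)
 {
 struct addrinfo hints, *ai, *aitop;
 char strport[NI_MAXSERV];
@@ -489,7 +503,7 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
 hints.ai_family = options->address_family;
 hints.ai_socktype = SOCK_STREAM;
 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
-snprintf(strport, sizeof strport, "%u", port);
+snprintf(strport, sizeof strport, "%d", port);
 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
 fatal("bad addr or host: %s (%s)",
 addr ? addr : "<NULL>",
@@ -645,7 +659,7 @@ process_server_config_line(ServerOptions *options, char *line,
 SyslogFacility *log_facility_ptr;
 LogLevel *log_level_ptr;
 ServerOpCodes opcode;
-u_short port;
+int port;
 u_int i, flags = 0;
 size_t len;
 
@@ -702,7 +716,7 @@ process_server_config_line(ServerOptions *options, char *line,
 fatal("%s line %d: missing port number.",
 filename, linenum);
 options->ports[options->num_ports++] = a2port(arg);
-if (options->ports[options->num_ports-1] == 0)
+if (options->ports[options->num_ports-1] <= 0)
 fatal("%s line %d: Badly formatted port number.",
 filename, linenum);
 break;
@@ -755,7 +769,7 @@ process_server_config_line(ServerOptions *options, char *line,
 p = cleanhostname(p);
 if (arg == NULL)
 port = 0;
-else if ((port = a2port(arg)) == 0)
+else if ((port = a2port(arg)) <= 0)
 fatal("%s line %d: bad port number", filename, linenum);
 
 add_listen_addr(options, p, port);
@@ -906,10 +920,18 @@ process_server_config_line(ServerOptions *options, char *line,
 intptr = &options->gss_strict_acceptor;
 goto parse_flag;
 
+case sGssStoreRekey:
+intptr = &options->gss_store_rekey;
+goto parse_flag;
+
 case sPasswordAuthentication:
 intptr = &options->password_authentication;
 goto parse_flag;
 
+case sZeroKnowledgePasswordAuthentication:
+intptr = &options->zero_knowledge_password_authentication;
+goto parse_flag;
+
 case sKbdInteractiveAuthentication:
 intptr = &options->kbd_interactive_authentication;
 goto parse_flag;
@@ -1272,7 +1294,7 @@ process_server_config_line(ServerOptions *options, char *line,
 fatal("%s line %d: missing host in PermitOpen",
 filename, linenum);
 p = cleanhostname(p);
-if (arg == NULL || (port = a2port(arg)) == 0)
+if (arg == NULL || (port = a2port(arg)) <= 0)
 fatal("%s line %d: bad port number in "
 "PermitOpen", filename, linenum);
 if (*activep && n == -1)
@@ -1397,7 +1419,9 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 M_CP_INTOPT(kerberos_authentication);
 M_CP_INTOPT(hostbased_authentication);
 M_CP_INTOPT(kbd_interactive_authentication);
+M_CP_INTOPT(zero_knowledge_password_authentication);
 M_CP_INTOPT(permit_root_login);
+M_CP_INTOPT(permit_empty_passwd);
 
 M_CP_INTOPT(allow_tcp_forwarding);
 M_CP_INTOPT(allow_agent_forwarding);
@@ -1459,7 +1483,7 @@ fmt_intarg(ServerOpCodes code, int val)
 if (code == sPermitRootLogin) {
 switch (val) {
 case PERMIT_NO_PASSWD:
-return "without-passord";
+return "without-password";
 case PERMIT_FORCED_ONLY:
 return "forced-commands-only";
 case PERMIT_YES:
@@ -1564,11 +1588,15 @@ dump_config(ServerOptions *o)
 }
 
 /* integer arguments */
+#ifdef USE_PAM
+dump_cfg_int(sUsePAM, o->use_pam);
+#endif
 dump_cfg_int(sServerKeyBits, o->server_key_bits);
 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
 dump_cfg_int(sMaxAuthTries, o->max_authtries);
+dump_cfg_int(sMaxSessions, o->max_sessions);
 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
 
@@ -1582,12 +1610,22 @@ dump_config(ServerOptions *o)
 o->hostbased_uses_name_from_packet_only);
 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
+#ifdef KRB5
 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
+# ifdef USE_AFS
 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
+# endif
+#endif
+#ifdef GSSAPI
 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+#endif
+#ifdef JPAKE
+dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
+o->zero_knowledge_password_authentication);
+#endif
 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
 dump_cfg_fmtint(sKbdInteractiveAuthentication,
 o->kbd_interactive_authentication);
@@ -1646,7 +1684,5 @@ dump_config(ServerOptions *o)
 }
 dump_cfg_string(sPermitTunnel, s);
 
-printf("permitopen");
 channel_print_adm_permitted_opens();
-printf("\n");
 }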
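Review bot: add_one_listen_addr now takes an `int` port and formats it with `%d` straight into the getaddrinfo() service string, but nothing in the function itself rejects a negative or out-of-range value; the only guards are the `a2port(arg) <= 0` checks in the Port, ListenAddress and PermitOpen hunks of process_server_config_line. That contract belongs at the definition, e.g. `/* port must be validated by the caller (a2port() > 0); 0 is only passed by ListenAddress without an explicit port */` above `add_one_listen_addr`, so the next caller does not bypass it. The three `<= 0` tests assume a2port() reports failure as a negative value, which is inferred from the change rather than visible here, so a one-line comment at the first site (the Port case) naming that return convention would make them self-explanatory. The `permitemptypasswords` flag change to SSHCFG_ALL together with `M_CP_INTOPT(permit_empty_passwd)` makes PermitEmptyPasswords settable per Match block; a short comment next to the M_CP_INTOPT line stating that Match scoping is intended would stop a later reader from treating it as an accidental widening. add_listen_addr, add_one_listen_addr and process_server_config_line all continue outside their hunks.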