Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c81
1 files changed, 72 insertions, 9 deletions
diff --git a/servconf.c b/servconf.c
index 5be0c7bbf..cdc029308 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.229 2012/07/13 01:35:21 dtucker Exp $ */ 2/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -48,6 +48,8 @@
48#include "groupaccess.h" 48#include "groupaccess.h"
49#include "canohost.h" 49#include "canohost.h"
50#include "packet.h" 50#include "packet.h"
51#include "hostfile.h"
52#include "auth.h"
51 53
52static void add_listen_addr(ServerOptions *, char *, int); 54static void add_listen_addr(ServerOptions *, char *, int);
53static void add_one_listen_addr(ServerOptions *, char *, int); 55static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -138,6 +140,8 @@ initialize_server_options(ServerOptions *options)
138 options->num_permitted_opens = -1; 140 options->num_permitted_opens = -1;
139 options->adm_forced_command = NULL; 141 options->adm_forced_command = NULL;
140 options->chroot_directory = NULL; 142 options->chroot_directory = NULL;
143 options->authorized_keys_command = NULL;
144 options->authorized_keys_command_user = NULL;
141 options->zero_knowledge_password_authentication = -1; 145 options->zero_knowledge_password_authentication = -1;
142 options->revoked_keys_file = NULL; 146 options->revoked_keys_file = NULL;
143 options->trusted_user_ca_keys = NULL; 147 options->trusted_user_ca_keys = NULL;
@@ -255,17 +259,17 @@ fill_default_server_options(ServerOptions *options)
255 if (options->compression == -1) 259 if (options->compression == -1)
256 options->compression = COMP_DELAYED; 260 options->compression = COMP_DELAYED;
257 if (options->allow_tcp_forwarding == -1) 261 if (options->allow_tcp_forwarding == -1)
258 options->allow_tcp_forwarding = 1; 262 options->allow_tcp_forwarding = FORWARD_ALLOW;
259 if (options->allow_agent_forwarding == -1) 263 if (options->allow_agent_forwarding == -1)
260 options->allow_agent_forwarding = 1; 264 options->allow_agent_forwarding = 1;
261 if (options->gateway_ports == -1) 265 if (options->gateway_ports == -1)
262 options->gateway_ports = 0; 266 options->gateway_ports = 0;
263 if (options->max_startups == -1) 267 if (options->max_startups == -1)
264 options->max_startups = 10; 268 options->max_startups = 100;
265 if (options->max_startups_rate == -1) 269 if (options->max_startups_rate == -1)
266 options->max_startups_rate = 100; /* 100% */ 270 options->max_startups_rate = 30; /* 30% */
267 if (options->max_startups_begin == -1) 271 if (options->max_startups_begin == -1)
268 options->max_startups_begin = options->max_startups; 272 options->max_startups_begin = 10;
269 if (options->max_authtries == -1) 273 if (options->max_authtries == -1)
270 options->max_authtries = DEFAULT_AUTH_FAIL_MAX; 274 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
271 if (options->max_sessions == -1) 275 if (options->max_sessions == -1)
@@ -340,6 +344,8 @@ typedef enum {
340 sZeroKnowledgePasswordAuthentication, sHostCertificate, 344 sZeroKnowledgePasswordAuthentication, sHostCertificate,
341 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 345 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
342 sKexAlgorithms, sIPQoS, sVersionAddendum, 346 sKexAlgorithms, sIPQoS, sVersionAddendum,
347 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
348 sAuthenticationMethods,
343 sDeprecated, sUnsupported 349 sDeprecated, sUnsupported
344} ServerOpCodes; 350} ServerOpCodes;
345 351
@@ -474,7 +480,10 @@ static struct {
474 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, 480 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
475 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, 481 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
476 { "ipqos", sIPQoS, SSHCFG_ALL }, 482 { "ipqos", sIPQoS, SSHCFG_ALL },
483 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
484 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
477 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 485 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
486 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
478 { NULL, sBadOption, 0 } 487 { NULL, sBadOption, 0 }
479}; 488};
480 489
@@ -639,8 +648,9 @@ out:
639} 648}
640 649
641/* 650/*
642 * All of the attributes on a single Match line are ANDed together, so we need to check every 651 * All of the attributes on a single Match line are ANDed together, so we need
643 * attribute and set the result to zero if any attribute does not match. 652 * to check every * attribute and set the result to zero if any attribute does
653 * not match.
644 */ 654 */
645static int 655static int
646match_cfg_line(char **condition, int line, struct connection_info *ci) 656match_cfg_line(char **condition, int line, struct connection_info *ci)
@@ -797,6 +807,14 @@ static const struct multistate multistate_privsep[] = {
797 { "no", PRIVSEP_OFF }, 807 { "no", PRIVSEP_OFF },
798 { NULL, -1 } 808 { NULL, -1 }
799}; 809};
810static const struct multistate multistate_tcpfwd[] = {
811 { "yes", FORWARD_ALLOW },
812 { "all", FORWARD_ALLOW },
813 { "no", FORWARD_DENY },
814 { "remote", FORWARD_REMOTE },
815 { "local", FORWARD_LOCAL },
816 { NULL, -1 }
817};
800 818
801int 819int
802process_server_config_line(ServerOptions *options, char *line, 820process_server_config_line(ServerOptions *options, char *line,
@@ -1166,7 +1184,8 @@ process_server_config_line(ServerOptions *options, char *line,
1166 1184
1167 case sAllowTcpForwarding: 1185 case sAllowTcpForwarding:
1168 intptr = &options->allow_tcp_forwarding; 1186 intptr = &options->allow_tcp_forwarding;
1169 goto parse_flag; 1187 multistate_ptr = multistate_tcpfwd;
1188 goto parse_multistate;
1170 1189
1171 case sAllowAgentForwarding: 1190 case sAllowAgentForwarding:
1172 intptr = &options->allow_agent_forwarding; 1191 intptr = &options->allow_agent_forwarding;
@@ -1446,7 +1465,6 @@ process_server_config_line(ServerOptions *options, char *line,
1446 } 1465 }
1447 if (strcmp(arg, "none") == 0) { 1466 if (strcmp(arg, "none") == 0) {
1448 if (*activep && n == -1) { 1467 if (*activep && n == -1) {
1449 channel_clear_adm_permitted_opens();
1450 options->num_permitted_opens = 1; 1468 options->num_permitted_opens = 1;
1451 channel_disable_adm_local_opens(); 1469 channel_disable_adm_local_opens();
1452 } 1470 }
@@ -1530,6 +1548,43 @@ process_server_config_line(ServerOptions *options, char *line,
1530 } 1548 }
1531 return 0; 1549 return 0;
1532 1550
1551 case sAuthorizedKeysCommand:
1552 len = strspn(cp, WHITESPACE);
1553 if (*activep && options->authorized_keys_command == NULL) {
1554 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1555 fatal("%.200s line %d: AuthorizedKeysCommand "
1556 "must be an absolute path",
1557 filename, linenum);
1558 options->authorized_keys_command = xstrdup(cp + len);
1559 }
1560 return 0;
1561
1562 case sAuthorizedKeysCommandUser:
1563 charptr = &options->authorized_keys_command_user;
1564
1565 arg = strdelim(&cp);
1566 if (*activep && *charptr == NULL)
1567 *charptr = xstrdup(arg);
1568 break;
1569
1570 case sAuthenticationMethods:
1571 if (*activep && options->num_auth_methods == 0) {
1572 while ((arg = strdelim(&cp)) && *arg != '\0') {
1573 if (options->num_auth_methods >=
1574 MAX_AUTH_METHODS)
1575 fatal("%s line %d: "
1576 "too many authentication methods.",
1577 filename, linenum);
1578 if (auth2_methods_valid(arg, 0) != 0)
1579 fatal("%s line %d: invalid "
1580 "authentication method list.",
1581 filename, linenum);
1582 options->auth_methods[
1583 options->num_auth_methods++] = xstrdup(arg);
1584 }
1585 }
1586 return 0;
1587
1533 case sDeprecated: 1588 case sDeprecated:
1534 logit("%s line %d: Deprecated option %s", 1589 logit("%s line %d: Deprecated option %s",
1535 filename, linenum, arg); 1590 filename, linenum, arg);
@@ -1680,6 +1735,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1680 M_CP_INTOPT(hostbased_uses_name_from_packet_only); 1735 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1681 M_CP_INTOPT(kbd_interactive_authentication); 1736 M_CP_INTOPT(kbd_interactive_authentication);
1682 M_CP_INTOPT(zero_knowledge_password_authentication); 1737 M_CP_INTOPT(zero_knowledge_password_authentication);
1738 M_CP_STROPT(authorized_keys_command);
1739 M_CP_STROPT(authorized_keys_command_user);
1683 M_CP_INTOPT(permit_root_login); 1740 M_CP_INTOPT(permit_root_login);
1684 M_CP_INTOPT(permit_empty_passwd); 1741 M_CP_INTOPT(permit_empty_passwd);
1685 1742
@@ -1764,6 +1821,8 @@ fmt_intarg(ServerOpCodes code, int val)
1764 return fmt_multistate_int(val, multistate_compression); 1821 return fmt_multistate_int(val, multistate_compression);
1765 case sUsePrivilegeSeparation: 1822 case sUsePrivilegeSeparation:
1766 return fmt_multistate_int(val, multistate_privsep); 1823 return fmt_multistate_int(val, multistate_privsep);
1824 case sAllowTcpForwarding:
1825 return fmt_multistate_int(val, multistate_tcpfwd);
1767 case sProtocol: 1826 case sProtocol:
1768 switch (val) { 1827 switch (val) {
1769 case SSH_PROTO_1: 1828 case SSH_PROTO_1:
@@ -1943,6 +2002,8 @@ dump_config(ServerOptions *o)
1943 dump_cfg_string(sAuthorizedPrincipalsFile, 2002 dump_cfg_string(sAuthorizedPrincipalsFile,
1944 o->authorized_principals_file); 2003 o->authorized_principals_file);
1945 dump_cfg_string(sVersionAddendum, o->version_addendum); 2004 dump_cfg_string(sVersionAddendum, o->version_addendum);
2005 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2006 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
1946 2007
1947 /* string arguments requiring a lookup */ 2008 /* string arguments requiring a lookup */
1948 dump_cfg_string(sLogLevel, log_level_name(o->log_level)); 2009 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -1960,6 +2021,8 @@ dump_config(ServerOptions *o)
1960 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); 2021 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1961 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); 2022 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1962 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); 2023 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2024 dump_cfg_strarray_oneline(sAuthenticationMethods,
2025 o->num_auth_methods, o->auth_methods);
1963 2026
1964 /* other arguments */ 2027 /* other arguments */
1965 for (i = 0; i < o->num_subsystems; i++) 2028 for (i = 0; i < o->num_subsystems; i++)
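Review bot: The new sAuthorizedKeysCommandUser case (new lines 1562-1568) hands the result of strdelim() straight to xstrdup() with no `if (!arg || *arg == '\0') fatal(...)` guard, so a bare `AuthorizedKeysCommandUser` line in sshd_config — after which strdelim() has already left cp NULL, going by its definition outside this hunk — dereferences NULL inside xstrdup() instead of failing with a config error. The sAuthorizedKeysCommand case (new line 1552) has the same gap one step earlier: `strspn(cp, WHITESPACE)` runs before anything checks that cp is non-NULL, and the "must be an absolute path" check only catches an argument that is present but wrong. Because sshd_config is parsed at startup and on reload this is a crash with a poor diagnostic rather than anything remotely triggerable, but a typo should not take the daemon down, and both fixes are a single guard each, shown below. process_server_config_line begins and ends outside this hunk. Separately, the rewrapped comment at new line 652 picked up a stray `*` in `every * attribute`.

```c
	case sAuthorizedKeysCommand:
		if (cp == NULL)
			fatal("%.200s line %d: missing argument.",
			    filename, linenum);
		len = strspn(cp, WHITESPACE);
		/* … unchanged: absolute-path / "none" check and xstrdup … */
		return 0;

	case sAuthorizedKeysCommandUser:
		charptr = &options->authorized_keys_command_user;

		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing AuthorizedKeysCommandUser "
			    "argument.", filename, linenum);
		if (*activep && *charptr == NULL)
			*charptr = xstrdup(arg);
		break;
```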