diff options
Diffstat (limited to 'servconf.c')
| -rw-r--r-- | servconf.c | 61 |
1 files changed, 56 insertions, 5 deletions
diff --git a/servconf.c b/servconf.c index c843c97c5..11a69f819 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: servconf.c,v 1.209 2010/06/22 04:22:59 djm Exp $ */ | 1 | /* $OpenBSD: servconf.c,v 1.213 2010/11/13 23:27:50 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 4 | * All rights reserved | 4 | * All rights reserved |
| @@ -15,6 +15,10 @@ | |||
| 15 | #include <sys/types.h> | 15 | #include <sys/types.h> |
| 16 | #include <sys/socket.h> | 16 | #include <sys/socket.h> |
| 17 | 17 | ||
| 18 | #include <netinet/in.h> | ||
| 19 | #include <netinet/in_systm.h> | ||
| 20 | #include <netinet/ip.h> | ||
| 21 | |||
| 18 | #include <netdb.h> | 22 | #include <netdb.h> |
| 19 | #include <pwd.h> | 23 | #include <pwd.h> |
| 20 | #include <stdio.h> | 24 | #include <stdio.h> |
| @@ -113,6 +117,7 @@ initialize_server_options(ServerOptions *options) | |||
| 113 | options->num_deny_groups = 0; | 117 | options->num_deny_groups = 0; |
| 114 | options->ciphers = NULL; | 118 | options->ciphers = NULL; |
| 115 | options->macs = NULL; | 119 | options->macs = NULL; |
| 120 | options->kex_algorithms = NULL; | ||
| 116 | options->protocol = SSH_PROTO_UNKNOWN; | 121 | options->protocol = SSH_PROTO_UNKNOWN; |
| 117 | options->gateway_ports = -1; | 122 | options->gateway_ports = -1; |
| 118 | options->num_subsystems = 0; | 123 | options->num_subsystems = 0; |
| @@ -136,6 +141,8 @@ initialize_server_options(ServerOptions *options) | |||
| 136 | options->revoked_keys_file = NULL; | 141 | options->revoked_keys_file = NULL; |
| 137 | options->trusted_user_ca_keys = NULL; | 142 | options->trusted_user_ca_keys = NULL; |
| 138 | options->authorized_principals_file = NULL; | 143 | options->authorized_principals_file = NULL; |
| 144 | options->ip_qos_interactive = -1; | ||
| 145 | options->ip_qos_bulk = -1; | ||
| 139 | options->debian_banner = -1; | 146 | options->debian_banner = -1; |
| 140 | } | 147 | } |
| 141 | 148 | ||
| @@ -159,6 +166,10 @@ fill_default_server_options(ServerOptions *options) | |||
| 159 | _PATH_HOST_RSA_KEY_FILE; | 166 | _PATH_HOST_RSA_KEY_FILE; |
| 160 | options->host_key_files[options->num_host_key_files++] = | 167 | options->host_key_files[options->num_host_key_files++] = |
| 161 | _PATH_HOST_DSA_KEY_FILE; | 168 | _PATH_HOST_DSA_KEY_FILE; |
| 169 | #ifdef OPENSSL_HAS_ECC | ||
| 170 | options->host_key_files[options->num_host_key_files++] = | ||
| 171 | _PATH_HOST_ECDSA_KEY_FILE; | ||
| 172 | #endif | ||
| 162 | } | 173 | } |
| 163 | } | 174 | } |
| 164 | /* No certificates by default */ | 175 | /* No certificates by default */ |
| @@ -269,16 +280,20 @@ fill_default_server_options(ServerOptions *options) | |||
| 269 | if (options->authorized_keys_file2 == NULL) { | 280 | if (options->authorized_keys_file2 == NULL) { |
| 270 | /* authorized_keys_file2 falls back to authorized_keys_file */ | 281 | /* authorized_keys_file2 falls back to authorized_keys_file */ |
| 271 | if (options->authorized_keys_file != NULL) | 282 | if (options->authorized_keys_file != NULL) |
| 272 | options->authorized_keys_file2 = options->authorized_keys_file; | 283 | options->authorized_keys_file2 = xstrdup(options->authorized_keys_file); |
| 273 | else | 284 | else |
| 274 | options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; | 285 | options->authorized_keys_file2 = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2); |
| 275 | } | 286 | } |
| 276 | if (options->authorized_keys_file == NULL) | 287 | if (options->authorized_keys_file == NULL) |
| 277 | options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; | 288 | options->authorized_keys_file = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS); |
| 278 | if (options->permit_tun == -1) | 289 | if (options->permit_tun == -1) |
| 279 | options->permit_tun = SSH_TUNMODE_NO; | 290 | options->permit_tun = SSH_TUNMODE_NO; |
| 280 | if (options->zero_knowledge_password_authentication == -1) | 291 | if (options->zero_knowledge_password_authentication == -1) |
| 281 | options->zero_knowledge_password_authentication = 0; | 292 | options->zero_knowledge_password_authentication = 0; |
| 293 | if (options->ip_qos_interactive == -1) | ||
| 294 | options->ip_qos_interactive = IPTOS_LOWDELAY; | ||
| 295 | if (options->ip_qos_bulk == -1) | ||
| 296 | options->ip_qos_bulk = IPTOS_THROUGHPUT; | ||
| 282 | if (options->debian_banner == -1) | 297 | if (options->debian_banner == -1) |
| 283 | options->debian_banner = 1; | 298 | options->debian_banner = 1; |
| 284 | 299 | ||
| @@ -329,6 +344,7 @@ typedef enum { | |||
| 329 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 344 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
| 330 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 345 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
| 331 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, | 346 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
| 347 | sKexAlgorithms, sIPQoS, | ||
| 332 | sDebianBanner, | 348 | sDebianBanner, |
| 333 | sDeprecated, sUnsupported | 349 | sDeprecated, sUnsupported |
| 334 | } ServerOpCodes; | 350 | } ServerOpCodes; |
| @@ -463,6 +479,8 @@ static struct { | |||
| 463 | { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, | 479 | { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, |
| 464 | { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, | 480 | { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, |
| 465 | { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, | 481 | { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
| 482 | { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, | ||
| 483 | { "ipqos", sIPQoS, SSHCFG_ALL }, | ||
| 466 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | 484 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, |
| 467 | { NULL, sBadOption, 0 } | 485 | { NULL, sBadOption, 0 } |
| 468 | }; | 486 | }; |
| @@ -693,7 +711,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 693 | const char *host, const char *address) | 711 | const char *host, const char *address) |
| 694 | { | 712 | { |
| 695 | char *cp, **charptr, *arg, *p; | 713 | char *cp, **charptr, *arg, *p; |
| 696 | int cmdline = 0, *intptr, value, n; | 714 | int cmdline = 0, *intptr, value, value2, n; |
| 697 | SyslogFacility *log_facility_ptr; | 715 | SyslogFacility *log_facility_ptr; |
| 698 | LogLevel *log_level_ptr; | 716 | LogLevel *log_level_ptr; |
| 699 | ServerOpCodes opcode; | 717 | ServerOpCodes opcode; |
| @@ -1175,6 +1193,18 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1175 | options->macs = xstrdup(arg); | 1193 | options->macs = xstrdup(arg); |
| 1176 | break; | 1194 | break; |
| 1177 | 1195 | ||
| 1196 | case sKexAlgorithms: | ||
| 1197 | arg = strdelim(&cp); | ||
| 1198 | if (!arg || *arg == '\0') | ||
| 1199 | fatal("%s line %d: Missing argument.", | ||
| 1200 | filename, linenum); | ||
| 1201 | if (!kex_names_valid(arg)) | ||
| 1202 | fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", | ||
| 1203 | filename, linenum, arg ? arg : "<NONE>"); | ||
| 1204 | if (options->kex_algorithms == NULL) | ||
| 1205 | options->kex_algorithms = xstrdup(arg); | ||
| 1206 | break; | ||
| 1207 | |||
| 1178 | case sProtocol: | 1208 | case sProtocol: |
| 1179 | intptr = &options->protocol; | 1209 | intptr = &options->protocol; |
| 1180 | arg = strdelim(&cp); | 1210 | arg = strdelim(&cp); |
| @@ -1397,6 +1427,23 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1397 | charptr = &options->revoked_keys_file; | 1427 | charptr = &options->revoked_keys_file; |
| 1398 | goto parse_filename; | 1428 | goto parse_filename; |
| 1399 | 1429 | ||
| 1430 | case sIPQoS: | ||
| 1431 | arg = strdelim(&cp); | ||
| 1432 | if ((value = parse_ipqos(arg)) == -1) | ||
| 1433 | fatal("%s line %d: Bad IPQoS value: %s", | ||
| 1434 | filename, linenum, arg); | ||
| 1435 | arg = strdelim(&cp); | ||
| 1436 | if (arg == NULL) | ||
| 1437 | value2 = value; | ||
| 1438 | else if ((value2 = parse_ipqos(arg)) == -1) | ||
| 1439 | fatal("%s line %d: Bad IPQoS value: %s", | ||
| 1440 | filename, linenum, arg); | ||
| 1441 | if (*activep) { | ||
| 1442 | options->ip_qos_interactive = value; | ||
| 1443 | options->ip_qos_bulk = value2; | ||
| 1444 | } | ||
| 1445 | break; | ||
| 1446 | |||
| 1400 | case sDebianBanner: | 1447 | case sDebianBanner: |
| 1401 | intptr = &options->debian_banner; | 1448 | intptr = &options->debian_banner; |
| 1402 | goto parse_int; | 1449 | goto parse_int; |
| @@ -1511,6 +1558,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
| 1511 | M_CP_INTOPT(x11_use_localhost); | 1558 | M_CP_INTOPT(x11_use_localhost); |
| 1512 | M_CP_INTOPT(max_sessions); | 1559 | M_CP_INTOPT(max_sessions); |
| 1513 | M_CP_INTOPT(max_authtries); | 1560 | M_CP_INTOPT(max_authtries); |
| 1561 | M_CP_INTOPT(ip_qos_interactive); | ||
| 1562 | M_CP_INTOPT(ip_qos_bulk); | ||
| 1514 | 1563 | ||
| 1515 | M_CP_STROPT(banner); | 1564 | M_CP_STROPT(banner); |
| 1516 | if (preauth) | 1565 | if (preauth) |
| @@ -1780,5 +1829,7 @@ dump_config(ServerOptions *o) | |||
| 1780 | } | 1829 | } |
| 1781 | dump_cfg_string(sPermitTunnel, s); | 1830 | dump_cfg_string(sPermitTunnel, s); |
| 1782 | 1831 | ||
| 1832 | printf("ipqos 0x%02x 0x%02x\n", o->ip_qos_interactive, o->ip_qos_bulk); | ||
| 1833 | |||
| 1783 | channel_print_adm_permitted_opens(); | 1834 | channel_print_adm_permitted_opens(); |
| 1784 | } | 1835 | } |