Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 55 |
1 files changed, 47 insertions, 8 deletions
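diff --git a/servconf.c b/servconf.c
index 331716c8f..b7f329447 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.250 2014/07/03 22:40:43 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -39,10 +39,10 @@
 #include "ssh.h"
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 #include "compat.h"
 #include "pathnames.h"
-#include "misc.h"
 #include "cipher.h"
 #include "key.h"
 #include "kex.h"
@@ -120,6 +120,7 @@ initialize_server_options(ServerOptions *options)
 options->rekey_limit = -1;
 options->rekey_interval = -1;
 options->allow_tcp_forwarding = -1;
+options->allow_streamlocal_forwarding = -1;
 options->allow_agent_forwarding = -1;
 options->num_allow_users = 0;
 options->num_deny_users = 0;
@@ -129,7 +130,9 @@ initialize_server_options(ServerOptions *options)
 options->macs = NULL;
 options->kex_algorithms = NULL;
 options->protocol = SSH_PROTO_UNKNOWN;
-options->gateway_ports = -1;
+options->fwd_opts.gateway_ports = -1;
+options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
+options->fwd_opts.streamlocal_bind_unlink = -1;
 options->num_subsystems = 0;
 options->max_startups_begin = -1;
 options->max_startups_rate = -1;
@@ -269,10 +272,12 @@ fill_default_server_options(ServerOptions *options)
 options->rekey_interval = 0;
 if (options->allow_tcp_forwarding == -1)
 options->allow_tcp_forwarding = FORWARD_ALLOW;
+if (options->allow_streamlocal_forwarding == -1)
+options->allow_streamlocal_forwarding = FORWARD_ALLOW;
 if (options->allow_agent_forwarding == -1)
 options->allow_agent_forwarding = 1;
-if (options->gateway_ports == -1)
-options->gateway_ports = 0;
+if (options->fwd_opts.gateway_ports == -1)
+options->fwd_opts.gateway_ports = 0;
 if (options->max_startups == -1)
 options->max_startups = 100;
 if (options->max_startups_rate == -1)
@@ -303,6 +308,10 @@ fill_default_server_options(ServerOptions *options)
 options->ip_qos_bulk = IPTOS_THROUGHPUT;
 if (options->version_addendum == NULL)
 options->version_addendum = xstrdup("");
+if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+options->fwd_opts.streamlocal_bind_mask = 0177;
+if (options->fwd_opts.streamlocal_bind_unlink == -1)
+options->fwd_opts.streamlocal_bind_unlink = 0;
 /* Turn privilege separation on by default */
 if (use_privsep == -1)
 use_privsep = PRIVSEP_NOSANDBOX;
@@ -351,6 +360,8 @@ typedef enum {
 sKexAlgorithms, sIPQoS, sVersionAddendum,
 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
+sStreamLocalBindMask, sStreamLocalBindUnlink,
+sAllowStreamLocalForwarding,
 sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -478,6 +489,9 @@ static struct {
 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
+{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
+{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
 { NULL, sBadOption, 0 }
 };
 
@@ -1195,7 +1209,7 @@ process_server_config_line(ServerOptions *options, char *line,
 break;
 
 case sGatewayPorts:
-intptr = &options->gateway_ports;
+intptr = &options->fwd_opts.gateway_ports;
 multistate_ptr = multistate_gatewayports;
 goto parse_multistate;
 
@@ -1230,6 +1244,11 @@ process_server_config_line(ServerOptions *options, char *line,
 multistate_ptr = multistate_tcpfwd;
 goto parse_multistate;
 
+case sAllowStreamLocalForwarding:
+intptr = &options->allow_streamlocal_forwarding;
+multistate_ptr = multistate_tcpfwd;
+goto parse_multistate;
+
 case sAllowAgentForwarding:
 intptr = &options->allow_agent_forwarding;
 goto parse_flag;
@@ -1628,6 +1647,22 @@ process_server_config_line(ServerOptions *options, char *line,
 }
 return 0;
 
+case sStreamLocalBindMask:
+arg = strdelim(&cp);
+if (!arg || *arg == '\0')
+fatal("%s line %d: missing StreamLocalBindMask argument.",
+filename, linenum);
+/* Parse mode in octal format */
+value = strtol(arg, &p, 8);
+if (arg == p || value < 0 || value > 0777)
+fatal("%s line %d: Bad mask.", filename, linenum);
+options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
+break;
+
+case sStreamLocalBindUnlink:
+intptr = &options->fwd_opts.streamlocal_bind_unlink;
+goto parse_flag;
+
 case sDeprecated:
 logit("%s line %d: Deprecated option %s",
 filename, linenum, arg);
@@ -1767,9 +1802,10 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 M_CP_INTOPT(permit_empty_passwd);
 
 M_CP_INTOPT(allow_tcp_forwarding);
+M_CP_INTOPT(allow_streamlocal_forwarding);
 M_CP_INTOPT(allow_agent_forwarding);
 M_CP_INTOPT(permit_tun);
-M_CP_INTOPT(gateway_ports);
+M_CP_INTOPT(fwd_opts.gateway_ports);
 M_CP_INTOPT(x11_display_offset);
 M_CP_INTOPT(x11_forwarding);
 M_CP_INTOPT(x11_use_localhost);
@@ -1867,6 +1903,8 @@ fmt_intarg(ServerOpCodes code, int val)
 return fmt_multistate_int(val, multistate_privsep);
 case sAllowTcpForwarding:
 return fmt_multistate_int(val, multistate_tcpfwd);
+case sAllowStreamLocalForwarding:
+return fmt_multistate_int(val, multistate_tcpfwd);
 case sProtocol:
 switch (val) {
 case SSH_PROTO_1:
@@ -2023,9 +2061,10 @@ dump_config(ServerOptions *o)
 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
 dump_cfg_fmtint(sUseLogin, o->use_login);
 dump_cfg_fmtint(sCompression, o->compression);
-dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
+dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
 dump_cfg_fmtint(sUseDNS, o->use_dns);
 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 
 /* string arguments */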
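Review bot: The StreamLocalBindMask parser in the hunk at @@ -1628 accepts trailing garbage after the octal digits, because it only checks that strtol consumed something (`arg == p`) and that the value lies in 0..0777, so an argument such as `0177x` is silently taken as 0177 instead of being rejected like every other malformed value. Requiring the whole token to be consumed is a one-line change: `if (arg == p || *p != '\0' || value < 0 || value > 0777)`. The existing range check already rejects the ERANGE saturation values, so no errno handling is needed there. Separately, all three new keywords are registered with SSHCFG_ALL, yet the copy_set_server_options hunk at @@ -1767 copies only allow_streamlocal_forwarding and fwd_opts.gateway_ports; unless fwd_opts.streamlocal_bind_mask and fwd_opts.streamlocal_bind_unlink are copied in the part of that function outside the hunk, a StreamLocalBindMask or StreamLocalBindUnlink set inside a Match block would be parsed but never applied. Both process_server_config_line and copy_set_server_options extend beyond the hunks shown.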