1 files changed, 51 insertions, 15 deletions

diff --git a/servconf.c b/servconf.c
index 66ce39026..c1f2bc2af 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.186 2008/07/04 03:44:59 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.194 2009/01/22 10:02:34 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -42,8 +42,8 @@
 #include "channels.h"
 #include "groupaccess.h"
 
-static void add_listen_addr(ServerOptions *, char *, u_short);
-static void add_one_listen_addr(ServerOptions *, char *, u_short);
+static void add_listen_addr(ServerOptions *, char *, int);
+static void add_one_listen_addr(ServerOptions *, char *, int);
 
 /* Use of privilege separation or not */
 extern int use_privsep;
@@ -95,6 +95,7 @@ initialize_server_options(ServerOptions *options)
         options->gss_keyex = -1;
         options->gss_cleanup_creds = -1;
         options->gss_strict_acceptor = -1;
+        options->gss_store_rekey = -1;
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->challenge_response_authentication = -1;
@@ -130,6 +131,7 @@ initialize_server_options(ServerOptions *options)
         options->num_permitted_opens = -1;
         options->adm_forced_command = NULL;
         options->chroot_directory = NULL;
+        options->zero_knowledge_password_authentication = -1;
 }
 
 void
@@ -218,6 +220,8 @@ fill_default_server_options(ServerOptions *options)
                 options->gss_cleanup_creds = 1;
         if (options->gss_strict_acceptor == -1)
                 options->gss_strict_acceptor = 1;
+        if (options->gss_store_rekey == -1)
+                options->gss_store_rekey = 0;
         if (options->password_authentication == -1)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
@@ -267,6 +271,8 @@ fill_default_server_options(ServerOptions *options)
                 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
         if (options->permit_tun == -1)
                 options->permit_tun = SSH_TUNMODE_NO;
+        if (options->zero_knowledge_password_authentication == -1)
+                options->zero_knowledge_password_authentication = 0;
 
         /* Turn privilege separation on by default */
         if (use_privsep == -1)
@@ -309,10 +315,11 @@ typedef enum {
         sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
         sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
         sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-        sGssKeyEx,
+        sGssKeyEx, sGssStoreRekey,
         sAcceptEnv, sPermitTunnel,
         sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
         sUsePrivilegeSeparation, sAllowAgentForwarding,
+        sZeroKnowledgePasswordAuthentication,
         sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -374,12 +381,14 @@ static struct {
         { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
         { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
         { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+        { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
 #else
         { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
         { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
         { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
         { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
         { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
 #endif
         { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
         { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -387,6 +396,11 @@ static struct {
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
         { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
+#ifdef JPAKE
+        { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
+#else
+        { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
+#endif
         { "checkmail", sDeprecated, SSHCFG_GLOBAL },
         { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
         { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
@@ -400,7 +414,7 @@ static struct {
         { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
         { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
         { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
-        { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
+        { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
         { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
         { "uselogin", sUseLogin, SSHCFG_GLOBAL },
         { "compression", sCompression, SSHCFG_GLOBAL },
@@ -471,7 +485,7 @@ parse_token(const char *cp, const char *filename,
 }
 
 static void
-add_listen_addr(ServerOptions *options, char *addr, u_short port)
+add_listen_addr(ServerOptions *options, char *addr, int port)
 {
         u_int i;
 
@@ -487,7 +501,7 @@ add_listen_addr(ServerOptions *options, char *addr, u_short port)
 }
 
 static void
-add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
+add_one_listen_addr(ServerOptions *options, char *addr, int port)
 {
         struct addrinfo hints, *ai, *aitop;
         char strport[NI_MAXSERV];
@@ -497,7 +511,7 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
         hints.ai_family = options->address_family;
         hints.ai_socktype = SOCK_STREAM;
         hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
-        snprintf(strport, sizeof strport, "%u", port);
+        snprintf(strport, sizeof strport, "%d", port);
         if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
                 fatal("bad addr or host: %s (%s)",
                     addr ? addr : "<NULL>",
@@ -653,7 +667,7 @@ process_server_config_line(ServerOptions *options, char *line,
         SyslogFacility *log_facility_ptr;
         LogLevel *log_level_ptr;
         ServerOpCodes opcode;
-        u_short port;
+        int port;
         u_int i, flags = 0;
         size_t len;
 
@@ -710,7 +724,7 @@ process_server_config_line(ServerOptions *options, char *line,
                         fatal("%s line %d: missing port number.",
                             filename, linenum);
                 options->ports[options->num_ports++] = a2port(arg);
-                if (options->ports[options->num_ports-1] == 0)
+                if (options->ports[options->num_ports-1] <= 0)
                         fatal("%s line %d: Badly formatted port number.",
                             filename, linenum);
                 break;
@@ -763,7 +777,7 @@ process_server_config_line(ServerOptions *options, char *line,
                 p = cleanhostname(p);
                 if (arg == NULL)
                         port = 0;
-                else if ((port = a2port(arg)) == 0)
+                else if ((port = a2port(arg)) <= 0)
                         fatal("%s line %d: bad port number", filename, linenum);
 
                 add_listen_addr(options, p, port);
@@ -914,10 +928,18 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->gss_strict_acceptor;
                 goto parse_flag;
 
+        case sGssStoreRekey:
+                intptr = &options->gss_store_rekey;
+                goto parse_flag;
+
         case sPasswordAuthentication:
                 intptr = &options->password_authentication;
                 goto parse_flag;
 
+        case sZeroKnowledgePasswordAuthentication:
+                intptr = &options->zero_knowledge_password_authentication;
+                goto parse_flag;
+
         case sKbdInteractiveAuthentication:
                 intptr = &options->kbd_interactive_authentication;
                 goto parse_flag;
@@ -1284,7 +1306,7 @@ process_server_config_line(ServerOptions *options, char *line,
                                 fatal("%s line %d: missing host in PermitOpen",
                                     filename, linenum);
                         p = cleanhostname(p);
-                        if (arg == NULL || (port = a2port(arg)) == 0)
+                        if (arg == NULL || (port = a2port(arg)) <= 0)
                                 fatal("%s line %d: bad port number in "
                                     "PermitOpen", filename, linenum);
                         if (*activep && n == -1)
@@ -1409,7 +1431,9 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
         M_CP_INTOPT(kerberos_authentication);
         M_CP_INTOPT(hostbased_authentication);
         M_CP_INTOPT(kbd_interactive_authentication);
+        M_CP_INTOPT(zero_knowledge_password_authentication);
         M_CP_INTOPT(permit_root_login);
+        M_CP_INTOPT(permit_empty_passwd);
 
         M_CP_INTOPT(allow_tcp_forwarding);
         M_CP_INTOPT(allow_agent_forwarding);
@@ -1471,7 +1495,7 @@ fmt_intarg(ServerOpCodes code, int val)
         if (code == sPermitRootLogin) {
                 switch (val) {
                 case PERMIT_NO_PASSWD:
-                        return "without-passord";
+                        return "without-password";
                 case PERMIT_FORCED_ONLY:
                         return "forced-commands-only";
                 case PERMIT_YES:
@@ -1576,11 +1600,15 @@ dump_config(ServerOptions *o)
         }
 
         /* integer arguments */
+#ifdef USE_PAM
+        dump_cfg_int(sUsePAM, o->use_pam);
+#endif
         dump_cfg_int(sServerKeyBits, o->server_key_bits);
         dump_cfg_int(sLoginGraceTime, o->login_grace_time);
         dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
         dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
         dump_cfg_int(sMaxAuthTries, o->max_authtries);
+        dump_cfg_int(sMaxSessions, o->max_sessions);
         dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
         dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
 
@@ -1594,14 +1622,24 @@ dump_config(ServerOptions *o)
             o->hostbased_uses_name_from_packet_only);
         dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
         dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
+#ifdef KRB5
         dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
         dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
         dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
+# ifdef USE_AFS
         dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
+# endif
+#endif
+#ifdef GSSAPI
         dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
         dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
         dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
         dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+#endif
+#ifdef JPAKE
+        dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
+            o->zero_knowledge_password_authentication);
+#endif
         dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
         dump_cfg_fmtint(sKbdInteractiveAuthentication,
             o->kbd_interactive_authentication);
@@ -1661,7 +1699,5 @@ dump_config(ServerOptions *o)
                 }
         dump_cfg_string(sPermitTunnel, s);
 
-        printf("permitopen");
         channel_print_adm_permitted_opens();
-        printf("\n");
 }