1 files changed, 57 insertions, 31 deletions
diff --git a/servconf.c b/servconf.c
index 872ff4a87..86949c33f 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.167 2006/12/14 10:01:14 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.168 2007/02/19 10:45:58 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -325,14 +325,14 @@ static struct {
        { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
        { "loglevel", sLogLevel, SSHCFG_GLOBAL },
        { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
-        { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL },
+        { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
-        { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL },
+        { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
        { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
-        { "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL },
+        { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
-        { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },
+        { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
        { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },  /* alias */
 #ifdef KRB5
-        { "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL },
+        { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
        { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
        { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
 #ifdef USE_AFS
@@ -341,7 +341,7 @@ static struct {
        { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
 #else
-        { "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL },
+        { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
        { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
        { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
        { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
@@ -349,15 +349,15 @@ static struct {
        { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
        { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
 #ifdef GSSAPI
-        { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
+        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 #else
-        { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
        { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 #endif
-        { "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
+        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
-        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
+        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
+        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL },
        { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
        { "checkmail", sDeprecated, SSHCFG_GLOBAL },
        { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
@@ -389,7 +389,7 @@ static struct {
        { "subsystem", sSubsystem, SSHCFG_GLOBAL },
        { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
        { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
-        { "banner", sBanner, SSHCFG_GLOBAL },
+        { "banner", sBanner, SSHCFG_ALL },
        { "usedns", sUseDNS, SSHCFG_GLOBAL },
        { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
        { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1317,30 +1317,56 @@ parse_server_match_config(ServerOptions *options, const char *user,
        initialize_server_options(&mo);
        parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
-        copy_set_server_options(options, &mo);
+        copy_set_server_options(options, &mo, 0);
 }
-/* Copy any (supported) values that are set */
+/* Helper macros */
+#define M_CP_INTOPT(n) do {\
+        if (src->n != -1) \
+                dst->n = src->n; \
+} while (0)
+#define M_CP_STROPT(n) do {\
+        if (src->n != NULL) { \
+                if (dst->n != NULL) \
+                        xfree(dst->n); \
+                dst->n = src->n; \
+        } \
+} while(0)
+/*
+ * Copy any supported values that are set.
+ *
+ * If the preauth flag is set, we do not bother copying the the string or
+ * array values that are not used pre-authentication, because any that we
+ * do use must be explictly sent in mm_getpwnamallow().
+ */
 void
-copy_set_server_options(ServerOptions *dst, ServerOptions *src)
+copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 {
-        if (src->allow_tcp_forwarding != -1)
+        M_CP_INTOPT(password_authentication);
-                dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
+        M_CP_INTOPT(gss_authentication);
-        if (src->gateway_ports != -1)
+        M_CP_INTOPT(rsa_authentication);
-                dst->gateway_ports = src->gateway_ports;
+        M_CP_INTOPT(pubkey_authentication);
-        if (src->adm_forced_command != NULL) {
+        M_CP_INTOPT(kerberos_authentication);
-                if (dst->adm_forced_command != NULL)
+        M_CP_INTOPT(hostbased_authentication);
-                        xfree(dst->adm_forced_command);
+        M_CP_INTOPT(kbd_interactive_authentication);
-                dst->adm_forced_command = src->adm_forced_command;
+        M_CP_INTOPT(challenge_response_authentication);
-        }
-        if (src->x11_display_offset != -1)
+        M_CP_INTOPT(allow_tcp_forwarding);
-                dst->x11_display_offset = src->x11_display_offset;
+        M_CP_INTOPT(gateway_ports);
-        if (src->x11_forwarding != -1)
+        M_CP_INTOPT(x11_display_offset);
-                dst->x11_forwarding = src->x11_forwarding;
+        M_CP_INTOPT(x11_forwarding);
-        if (src->x11_use_localhost != -1)
+        M_CP_INTOPT(x11_use_localhost);
-                dst->x11_use_localhost = src->x11_use_localhost;
+        M_CP_STROPT(banner);
+        if (preauth)
+                return;
+        M_CP_STROPT(adm_forced_command);
 }
+#undef M_CP_INTOPT
+#undef M_CP_STROPT
 void
 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
    const char *user, const char *host, const char *address)

diff --git a/servconf.c b/servconf.c index 872ff4a87..86949c33f 100644 --- a/servconf.c +++ b/servconf.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: servconf.c,v 1.167 2006/12/14 10:01:14 dtucker Exp $ */	1	/* $OpenBSD: servconf.c,v 1.168 2007/02/19 10:45:58 dtucker Exp $ */
2	/*	2	/*
3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4	* All rights reserved	4	* All rights reserved
@@ -325,14 +325,14 @@ static struct {
325	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },	325	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
326	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },	326	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
327	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },	327	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
328	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL },	328	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
329	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL },	329	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
330	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },	330	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
331	{ "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL },	331	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
332	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },	332	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
333	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */	333	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
334	#ifdef KRB5	334	#ifdef KRB5
335	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL },	335	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
336	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },	336	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
337	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },	337	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
338	#ifdef USE_AFS	338	#ifdef USE_AFS
@@ -341,7 +341,7 @@ static struct {
341	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },	341	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
342	#endif	342	#endif
343	#else	343	#else
344	{ "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL },	344	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
345	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },	345	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
346	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },	346	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
347	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },	347	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
@@ -349,15 +349,15 @@ static struct {
349	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },	349	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
350	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },	350	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
351	#ifdef GSSAPI	351	#ifdef GSSAPI
352	{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },	352	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
353	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },	353	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
354	#else	354	#else
355	{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },	355	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
356	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },	356	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
357	#endif	357	#endif
358	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },	358	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
359	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },	359	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
360	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },	360	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL },
361	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */	361	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
362	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },	362	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
363	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },	363	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
@@ -389,7 +389,7 @@ static struct {
389	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },	389	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
390	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },	390	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
391	{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },	391	{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
392	{ "banner", sBanner, SSHCFG_GLOBAL },	392	{ "banner", sBanner, SSHCFG_ALL },
393	{ "usedns", sUseDNS, SSHCFG_GLOBAL },	393	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
394	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },	394	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
395	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },	395	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1317,30 +1317,56 @@ parse_server_match_config(ServerOptions options, const char user,
1317		1317
1318	initialize_server_options(&mo);	1318	initialize_server_options(&mo);
1319	parse_server_config(&mo, "reprocess config", &cfg, user, host, address);	1319	parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1320	copy_set_server_options(options, &mo);	1320	copy_set_server_options(options, &mo, 0);
1321	}	1321	}
1322		1322
1323	/* Copy any (supported) values that are set */	1323	/* Helper macros */
		1324	#define M_CP_INTOPT(n) do {\
		1325	if (src->n != -1) \
		1326	dst->n = src->n; \
		1327	} while (0)
		1328	#define M_CP_STROPT(n) do {\
		1329	if (src->n != NULL) { \
		1330	if (dst->n != NULL) \
		1331	xfree(dst->n); \
		1332	dst->n = src->n; \
		1333	} \
		1334	} while(0)
		1335
		1336	/*
		1337	* Copy any supported values that are set.
		1338	*
		1339	* If the preauth flag is set, we do not bother copying the the string or
		1340	* array values that are not used pre-authentication, because any that we
		1341	* do use must be explictly sent in mm_getpwnamallow().
		1342	*/
1324	void	1343	void
1325	copy_set_server_options(ServerOptions dst, ServerOptions src)	1344	copy_set_server_options(ServerOptions dst, ServerOptions src, int preauth)
1326	{	1345	{
1327	if (src->allow_tcp_forwarding != -1)	1346	M_CP_INTOPT(password_authentication);
1328	dst->allow_tcp_forwarding = src->allow_tcp_forwarding;	1347	M_CP_INTOPT(gss_authentication);
1329	if (src->gateway_ports != -1)	1348	M_CP_INTOPT(rsa_authentication);
1330	dst->gateway_ports = src->gateway_ports;	1349	M_CP_INTOPT(pubkey_authentication);
1331	if (src->adm_forced_command != NULL) {	1350	M_CP_INTOPT(kerberos_authentication);
1332	if (dst->adm_forced_command != NULL)	1351	M_CP_INTOPT(hostbased_authentication);
1333	xfree(dst->adm_forced_command);	1352	M_CP_INTOPT(kbd_interactive_authentication);
1334	dst->adm_forced_command = src->adm_forced_command;	1353	M_CP_INTOPT(challenge_response_authentication);
1335	}	1354
1336	if (src->x11_display_offset != -1)	1355	M_CP_INTOPT(allow_tcp_forwarding);
1337	dst->x11_display_offset = src->x11_display_offset;	1356	M_CP_INTOPT(gateway_ports);
1338	if (src->x11_forwarding != -1)	1357	M_CP_INTOPT(x11_display_offset);
1339	dst->x11_forwarding = src->x11_forwarding;	1358	M_CP_INTOPT(x11_forwarding);
1340	if (src->x11_use_localhost != -1)	1359	M_CP_INTOPT(x11_use_localhost);
1341	dst->x11_use_localhost = src->x11_use_localhost;	1360
		1361	M_CP_STROPT(banner);
		1362	if (preauth)
		1363	return;
		1364	M_CP_STROPT(adm_forced_command);
1342	}	1365	}
1343		1366
		1367	#undef M_CP_INTOPT
		1368	#undef M_CP_STROPT
		1369
1344	void	1370	void
1345	parse_server_config(ServerOptions options, const char filename, Buffer *conf,	1371	parse_server_config(ServerOptions options, const char filename, Buffer *conf,
1346	const char user, const char host, const char *address)	1372	const char user, const char host, const char *address)