diff options
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 77 |
1 files changed, 68 insertions, 9 deletions
diff --git a/servconf.c b/servconf.c index 1700d5aa6..a2928ff57 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -20,6 +20,7 @@ | |||
20 | #include <netinet/in_systm.h> | 20 | #include <netinet/in_systm.h> |
21 | #include <netinet/ip.h> | 21 | #include <netinet/ip.h> |
22 | 22 | ||
23 | #include <ctype.h> | ||
23 | #include <netdb.h> | 24 | #include <netdb.h> |
24 | #include <pwd.h> | 25 | #include <pwd.h> |
25 | #include <stdio.h> | 26 | #include <stdio.h> |
@@ -29,6 +30,9 @@ | |||
29 | #include <unistd.h> | 30 | #include <unistd.h> |
30 | #include <stdarg.h> | 31 | #include <stdarg.h> |
31 | #include <errno.h> | 32 | #include <errno.h> |
33 | #ifdef HAVE_UTIL_H | ||
34 | #include <util.h> | ||
35 | #endif | ||
32 | 36 | ||
33 | #include "openbsd-compat/sys-queue.h" | 37 | #include "openbsd-compat/sys-queue.h" |
34 | #include "xmalloc.h" | 38 | #include "xmalloc.h" |
@@ -75,6 +79,7 @@ initialize_server_options(ServerOptions *options) | |||
75 | options->address_family = -1; | 79 | options->address_family = -1; |
76 | options->num_host_key_files = 0; | 80 | options->num_host_key_files = 0; |
77 | options->num_host_cert_files = 0; | 81 | options->num_host_cert_files = 0; |
82 | options->host_key_agent = NULL; | ||
78 | options->pid_file = NULL; | 83 | options->pid_file = NULL; |
79 | options->server_key_bits = -1; | 84 | options->server_key_bits = -1; |
80 | options->login_grace_time = -1; | 85 | options->login_grace_time = -1; |
@@ -114,6 +119,8 @@ initialize_server_options(ServerOptions *options) | |||
114 | options->permit_user_env = -1; | 119 | options->permit_user_env = -1; |
115 | options->use_login = -1; | 120 | options->use_login = -1; |
116 | options->compression = -1; | 121 | options->compression = -1; |
122 | options->rekey_limit = -1; | ||
123 | options->rekey_interval = -1; | ||
117 | options->allow_tcp_forwarding = -1; | 124 | options->allow_tcp_forwarding = -1; |
118 | options->allow_agent_forwarding = -1; | 125 | options->allow_agent_forwarding = -1; |
119 | options->num_allow_users = 0; | 126 | options->num_allow_users = 0; |
@@ -262,6 +269,10 @@ fill_default_server_options(ServerOptions *options) | |||
262 | options->use_login = 0; | 269 | options->use_login = 0; |
263 | if (options->compression == -1) | 270 | if (options->compression == -1) |
264 | options->compression = COMP_DELAYED; | 271 | options->compression = COMP_DELAYED; |
272 | if (options->rekey_limit == -1) | ||
273 | options->rekey_limit = 0; | ||
274 | if (options->rekey_interval == -1) | ||
275 | options->rekey_interval = 0; | ||
265 | if (options->allow_tcp_forwarding == -1) | 276 | if (options->allow_tcp_forwarding == -1) |
266 | options->allow_tcp_forwarding = FORWARD_ALLOW; | 277 | options->allow_tcp_forwarding = FORWARD_ALLOW; |
267 | if (options->allow_agent_forwarding == -1) | 278 | if (options->allow_agent_forwarding == -1) |
@@ -335,7 +346,7 @@ typedef enum { | |||
335 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 346 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
336 | sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive, | 347 | sStrictModes, sPermitBlacklistedKeys, sEmptyPasswd, sTCPKeepAlive, |
337 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 348 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
338 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 349 | sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
339 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 350 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
340 | sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, | 351 | sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, |
341 | sMaxStartups, sMaxAuthTries, sMaxSessions, | 352 | sMaxStartups, sMaxAuthTries, sMaxSessions, |
@@ -351,7 +362,7 @@ typedef enum { | |||
351 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, | 362 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
352 | sKexAlgorithms, sIPQoS, sVersionAddendum, | 363 | sKexAlgorithms, sIPQoS, sVersionAddendum, |
353 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, | 364 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, |
354 | sAuthenticationMethods, | 365 | sAuthenticationMethods, sHostKeyAgent, |
355 | sDebianBanner, | 366 | sDebianBanner, |
356 | sDeprecated, sUnsupported | 367 | sDeprecated, sUnsupported |
357 | } ServerOpCodes; | 368 | } ServerOpCodes; |
@@ -377,6 +388,7 @@ static struct { | |||
377 | { "port", sPort, SSHCFG_GLOBAL }, | 388 | { "port", sPort, SSHCFG_GLOBAL }, |
378 | { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, | 389 | { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, |
379 | { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ | 390 | { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ |
391 | { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, | ||
380 | { "pidfile", sPidFile, SSHCFG_GLOBAL }, | 392 | { "pidfile", sPidFile, SSHCFG_GLOBAL }, |
381 | { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, | 393 | { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, |
382 | { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, | 394 | { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, |
@@ -451,6 +463,7 @@ static struct { | |||
451 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 463 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
452 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 464 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
453 | { "compression", sCompression, SSHCFG_GLOBAL }, | 465 | { "compression", sCompression, SSHCFG_GLOBAL }, |
466 | { "rekeylimit", sRekeyLimit, SSHCFG_ALL }, | ||
454 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, | 467 | { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, |
455 | { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ | 468 | { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ |
456 | { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, | 469 | { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, |
@@ -539,7 +552,7 @@ derelativise_path(const char *path) | |||
539 | if (getcwd(cwd, sizeof(cwd)) == NULL) | 552 | if (getcwd(cwd, sizeof(cwd)) == NULL) |
540 | fatal("%s: getcwd: %s", __func__, strerror(errno)); | 553 | fatal("%s: getcwd: %s", __func__, strerror(errno)); |
541 | xasprintf(&ret, "%s/%s", cwd, expanded); | 554 | xasprintf(&ret, "%s/%s", cwd, expanded); |
542 | xfree(expanded); | 555 | free(expanded); |
543 | return ret; | 556 | return ret; |
544 | } | 557 | } |
545 | 558 | ||
@@ -831,13 +844,13 @@ process_server_config_line(ServerOptions *options, char *line, | |||
831 | struct connection_info *connectinfo) | 844 | struct connection_info *connectinfo) |
832 | { | 845 | { |
833 | char *cp, **charptr, *arg, *p; | 846 | char *cp, **charptr, *arg, *p; |
834 | int cmdline = 0, *intptr, value, value2, n; | 847 | int cmdline = 0, *intptr, value, value2, n, port; |
835 | SyslogFacility *log_facility_ptr; | 848 | SyslogFacility *log_facility_ptr; |
836 | LogLevel *log_level_ptr; | 849 | LogLevel *log_level_ptr; |
837 | ServerOpCodes opcode; | 850 | ServerOpCodes opcode; |
838 | int port; | ||
839 | u_int i, flags = 0; | 851 | u_int i, flags = 0; |
840 | size_t len; | 852 | size_t len; |
853 | long long val64; | ||
841 | const struct multistate *multistate_ptr; | 854 | const struct multistate *multistate_ptr; |
842 | 855 | ||
843 | cp = line; | 856 | cp = line; |
@@ -997,6 +1010,17 @@ process_server_config_line(ServerOptions *options, char *line, | |||
997 | } | 1010 | } |
998 | break; | 1011 | break; |
999 | 1012 | ||
1013 | case sHostKeyAgent: | ||
1014 | charptr = &options->host_key_agent; | ||
1015 | arg = strdelim(&cp); | ||
1016 | if (!arg || *arg == '\0') | ||
1017 | fatal("%s line %d: missing socket name.", | ||
1018 | filename, linenum); | ||
1019 | if (*activep && *charptr == NULL) | ||
1020 | *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ? | ||
1021 | xstrdup(arg) : derelativise_path(arg); | ||
1022 | break; | ||
1023 | |||
1000 | case sHostCertificate: | 1024 | case sHostCertificate: |
1001 | intptr = &options->num_host_cert_files; | 1025 | intptr = &options->num_host_cert_files; |
1002 | if (*intptr >= MAX_HOSTKEYS) | 1026 | if (*intptr >= MAX_HOSTKEYS) |
@@ -1164,6 +1188,37 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1164 | multistate_ptr = multistate_compression; | 1188 | multistate_ptr = multistate_compression; |
1165 | goto parse_multistate; | 1189 | goto parse_multistate; |
1166 | 1190 | ||
1191 | case sRekeyLimit: | ||
1192 | arg = strdelim(&cp); | ||
1193 | if (!arg || *arg == '\0') | ||
1194 | fatal("%.200s line %d: Missing argument.", filename, | ||
1195 | linenum); | ||
1196 | if (strcmp(arg, "default") == 0) { | ||
1197 | val64 = 0; | ||
1198 | } else { | ||
1199 | if (scan_scaled(arg, &val64) == -1) | ||
1200 | fatal("%.200s line %d: Bad number '%s': %s", | ||
1201 | filename, linenum, arg, strerror(errno)); | ||
1202 | /* check for too-large or too-small limits */ | ||
1203 | if (val64 > UINT_MAX) | ||
1204 | fatal("%.200s line %d: RekeyLimit too large", | ||
1205 | filename, linenum); | ||
1206 | if (val64 != 0 && val64 < 16) | ||
1207 | fatal("%.200s line %d: RekeyLimit too small", | ||
1208 | filename, linenum); | ||
1209 | } | ||
1210 | if (*activep && options->rekey_limit == -1) | ||
1211 | options->rekey_limit = (u_int32_t)val64; | ||
1212 | if (cp != NULL) { /* optional rekey interval present */ | ||
1213 | if (strcmp(cp, "none") == 0) { | ||
1214 | (void)strdelim(&cp); /* discard */ | ||
1215 | break; | ||
1216 | } | ||
1217 | intptr = &options->rekey_interval; | ||
1218 | goto parse_time; | ||
1219 | } | ||
1220 | break; | ||
1221 | |||
1167 | case sGatewayPorts: | 1222 | case sGatewayPorts: |
1168 | intptr = &options->gateway_ports; | 1223 | intptr = &options->gateway_ports; |
1169 | multistate_ptr = multistate_gatewayports; | 1224 | multistate_ptr = multistate_gatewayports; |
@@ -1721,8 +1776,7 @@ int server_match_spec_complete(struct connection_info *ci) | |||
1721 | } while (0) | 1776 | } while (0) |
1722 | #define M_CP_STROPT(n) do {\ | 1777 | #define M_CP_STROPT(n) do {\ |
1723 | if (src->n != NULL) { \ | 1778 | if (src->n != NULL) { \ |
1724 | if (dst->n != NULL) \ | 1779 | free(dst->n); \ |
1725 | xfree(dst->n); \ | ||
1726 | dst->n = src->n; \ | 1780 | dst->n = src->n; \ |
1727 | } \ | 1781 | } \ |
1728 | } while(0) | 1782 | } while(0) |
@@ -1768,6 +1822,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
1768 | M_CP_INTOPT(max_authtries); | 1822 | M_CP_INTOPT(max_authtries); |
1769 | M_CP_INTOPT(ip_qos_interactive); | 1823 | M_CP_INTOPT(ip_qos_interactive); |
1770 | M_CP_INTOPT(ip_qos_bulk); | 1824 | M_CP_INTOPT(ip_qos_bulk); |
1825 | M_CP_INTOPT(rekey_limit); | ||
1826 | M_CP_INTOPT(rekey_interval); | ||
1771 | 1827 | ||
1772 | /* See comment in servconf.h */ | 1828 | /* See comment in servconf.h */ |
1773 | COPY_MATCH_STRING_OPTS(); | 1829 | COPY_MATCH_STRING_OPTS(); |
@@ -1804,7 +1860,7 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, | |||
1804 | linenum++, &active, connectinfo) != 0) | 1860 | linenum++, &active, connectinfo) != 0) |
1805 | bad_options++; | 1861 | bad_options++; |
1806 | } | 1862 | } |
1807 | xfree(obuf); | 1863 | free(obuf); |
1808 | if (bad_options > 0) | 1864 | if (bad_options > 0) |
1809 | fatal("%s: terminating, %d bad configuration options", | 1865 | fatal("%s: terminating, %d bad configuration options", |
1810 | filename, bad_options); | 1866 | filename, bad_options); |
@@ -2022,6 +2078,7 @@ dump_config(ServerOptions *o) | |||
2022 | dump_cfg_string(sVersionAddendum, o->version_addendum); | 2078 | dump_cfg_string(sVersionAddendum, o->version_addendum); |
2023 | dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); | 2079 | dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); |
2024 | dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); | 2080 | dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); |
2081 | dump_cfg_string(sHostKeyAgent, o->host_key_agent); | ||
2025 | 2082 | ||
2026 | /* string arguments requiring a lookup */ | 2083 | /* string arguments requiring a lookup */ |
2027 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); | 2084 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); |
@@ -2060,5 +2117,7 @@ dump_config(ServerOptions *o) | |||
2060 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); | 2117 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); |
2061 | printf("%s\n", iptos2str(o->ip_qos_bulk)); | 2118 | printf("%s\n", iptos2str(o->ip_qos_bulk)); |
2062 | 2119 | ||
2120 | printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval); | ||
2121 | |||
2063 | channel_print_adm_permitted_opens(); | 2122 | channel_print_adm_permitted_opens(); |
2064 | } | 2123 | } |