diff options
Diffstat (limited to 'servconf.c')
| -rw-r--r-- | servconf.c | 59 |
1 files changed, 40 insertions, 19 deletions
diff --git a/servconf.c b/servconf.c index a778f44e9..8ca9695a2 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ||
| 2 | /* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.285 2016/02/17 05:29:04 djm Exp $ */ |
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved | 5 | * All rights reserved |
| @@ -181,6 +181,20 @@ option_clear_or_none(const char *o) | |||
| 181 | return o == NULL || strcasecmp(o, "none") == 0; | 181 | return o == NULL || strcasecmp(o, "none") == 0; |
| 182 | } | 182 | } |
| 183 | 183 | ||
| 184 | static void | ||
| 185 | assemble_algorithms(ServerOptions *o) | ||
| 186 | { | ||
| 187 | if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 || | ||
| 188 | kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 || | ||
| 189 | kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 || | ||
| 190 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | ||
| 191 | &o->hostkeyalgorithms) != 0 || | ||
| 192 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | ||
| 193 | &o->hostbased_key_types) != 0 || | ||
| 194 | kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0) | ||
| 195 | fatal("kex_assemble_names failed"); | ||
| 196 | } | ||
| 197 | |||
| 184 | void | 198 | void |
| 185 | fill_default_server_options(ServerOptions *options) | 199 | fill_default_server_options(ServerOptions *options) |
| 186 | { | 200 | { |
| @@ -262,8 +276,6 @@ fill_default_server_options(ServerOptions *options) | |||
| 262 | options->hostbased_authentication = 0; | 276 | options->hostbased_authentication = 0; |
| 263 | if (options->hostbased_uses_name_from_packet_only == -1) | 277 | if (options->hostbased_uses_name_from_packet_only == -1) |
| 264 | options->hostbased_uses_name_from_packet_only = 0; | 278 | options->hostbased_uses_name_from_packet_only = 0; |
| 265 | if (options->hostkeyalgorithms == NULL) | ||
| 266 | options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG); | ||
| 267 | if (options->rsa_authentication == -1) | 279 | if (options->rsa_authentication == -1) |
| 268 | options->rsa_authentication = 1; | 280 | options->rsa_authentication = 1; |
| 269 | if (options->pubkey_authentication == -1) | 281 | if (options->pubkey_authentication == -1) |
| @@ -351,18 +363,11 @@ fill_default_server_options(ServerOptions *options) | |||
| 351 | if (options->debian_banner == -1) | 363 | if (options->debian_banner == -1) |
| 352 | options->debian_banner = 1; | 364 | options->debian_banner = 1; |
| 353 | 365 | ||
| 354 | if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || | 366 | assemble_algorithms(options); |
| 355 | kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 || | ||
| 356 | kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 || | ||
| 357 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | ||
| 358 | &options->hostbased_key_types) != 0 || | ||
| 359 | kex_assemble_names(KEX_DEFAULT_PK_ALG, | ||
| 360 | &options->pubkey_key_types) != 0) | ||
| 361 | fatal("%s: kex_assemble_names failed", __func__); | ||
| 362 | 367 | ||
| 363 | /* Turn privilege separation on by default */ | 368 | /* Turn privilege separation and sandboxing on by default */ |
| 364 | if (use_privsep == -1) | 369 | if (use_privsep == -1) |
| 365 | use_privsep = PRIVSEP_NOSANDBOX; | 370 | use_privsep = PRIVSEP_ON; |
| 366 | 371 | ||
| 367 | #define CLEAR_ON_NONE(v) \ | 372 | #define CLEAR_ON_NONE(v) \ |
| 368 | do { \ | 373 | do { \ |
| @@ -377,6 +382,8 @@ fill_default_server_options(ServerOptions *options) | |||
| 377 | CLEAR_ON_NONE(options->trusted_user_ca_keys); | 382 | CLEAR_ON_NONE(options->trusted_user_ca_keys); |
| 378 | CLEAR_ON_NONE(options->revoked_keys_file); | 383 | CLEAR_ON_NONE(options->revoked_keys_file); |
| 379 | CLEAR_ON_NONE(options->authorized_principals_file); | 384 | CLEAR_ON_NONE(options->authorized_principals_file); |
| 385 | CLEAR_ON_NONE(options->adm_forced_command); | ||
| 386 | CLEAR_ON_NONE(options->chroot_directory); | ||
| 380 | for (i = 0; i < options->num_host_key_files; i++) | 387 | for (i = 0; i < options->num_host_key_files; i++) |
| 381 | CLEAR_ON_NONE(options->host_key_files[i]); | 388 | CLEAR_ON_NONE(options->host_key_files[i]); |
| 382 | for (i = 0; i < options->num_host_cert_files; i++) | 389 | for (i = 0; i < options->num_host_cert_files; i++) |
| @@ -518,7 +525,11 @@ static struct { | |||
| 518 | { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, | 525 | { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, |
| 519 | { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, | 526 | { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, |
| 520 | { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, | 527 | { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, |
| 528 | #ifdef DISABLE_LASTLOG | ||
| 529 | { "printlastlog", sUnsupported, SSHCFG_GLOBAL }, | ||
| 530 | #else | ||
| 521 | { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, | 531 | { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, |
| 532 | #endif | ||
| 522 | { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, | 533 | { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, |
| 523 | { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, | 534 | { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, |
| 524 | { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, | 535 | { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, |
| @@ -1348,16 +1359,12 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1348 | if (scan_scaled(arg, &val64) == -1) | 1359 | if (scan_scaled(arg, &val64) == -1) |
| 1349 | fatal("%.200s line %d: Bad number '%s': %s", | 1360 | fatal("%.200s line %d: Bad number '%s': %s", |
| 1350 | filename, linenum, arg, strerror(errno)); | 1361 | filename, linenum, arg, strerror(errno)); |
| 1351 | /* check for too-large or too-small limits */ | ||
| 1352 | if (val64 > UINT_MAX) | ||
| 1353 | fatal("%.200s line %d: RekeyLimit too large", | ||
| 1354 | filename, linenum); | ||
| 1355 | if (val64 != 0 && val64 < 16) | 1362 | if (val64 != 0 && val64 < 16) |
| 1356 | fatal("%.200s line %d: RekeyLimit too small", | 1363 | fatal("%.200s line %d: RekeyLimit too small", |
| 1357 | filename, linenum); | 1364 | filename, linenum); |
| 1358 | } | 1365 | } |
| 1359 | if (*activep && options->rekey_limit == -1) | 1366 | if (*activep && options->rekey_limit == -1) |
| 1360 | options->rekey_limit = (u_int32_t)val64; | 1367 | options->rekey_limit = val64; |
| 1361 | if (cp != NULL) { /* optional rekey interval present */ | 1368 | if (cp != NULL) { /* optional rekey interval present */ |
| 1362 | if (strcmp(cp, "none") == 0) { | 1369 | if (strcmp(cp, "none") == 0) { |
| 1363 | (void)strdelim(&cp); /* discard */ | 1370 | (void)strdelim(&cp); /* discard */ |
| @@ -2048,6 +2055,9 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
| 2048 | /* See comment in servconf.h */ | 2055 | /* See comment in servconf.h */ |
| 2049 | COPY_MATCH_STRING_OPTS(); | 2056 | COPY_MATCH_STRING_OPTS(); |
| 2050 | 2057 | ||
| 2058 | /* Arguments that accept '+...' need to be expanded */ | ||
| 2059 | assemble_algorithms(dst); | ||
| 2060 | |||
| 2051 | /* | 2061 | /* |
| 2052 | * The only things that should be below this point are string options | 2062 | * The only things that should be below this point are string options |
| 2053 | * which are only used after authentication. | 2063 | * which are only used after authentication. |
| @@ -2055,8 +2065,17 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
| 2055 | if (preauth) | 2065 | if (preauth) |
| 2056 | return; | 2066 | return; |
| 2057 | 2067 | ||
| 2068 | /* These options may be "none" to clear a global setting */ | ||
| 2058 | M_CP_STROPT(adm_forced_command); | 2069 | M_CP_STROPT(adm_forced_command); |
| 2070 | if (option_clear_or_none(dst->adm_forced_command)) { | ||
| 2071 | free(dst->adm_forced_command); | ||
| 2072 | dst->adm_forced_command = NULL; | ||
| 2073 | } | ||
| 2059 | M_CP_STROPT(chroot_directory); | 2074 | M_CP_STROPT(chroot_directory); |
| 2075 | if (option_clear_or_none(dst->chroot_directory)) { | ||
| 2076 | free(dst->chroot_directory); | ||
| 2077 | dst->chroot_directory = NULL; | ||
| 2078 | } | ||
| 2060 | } | 2079 | } |
| 2061 | 2080 | ||
| 2062 | #undef M_CP_INTOPT | 2081 | #undef M_CP_INTOPT |
| @@ -2290,7 +2309,9 @@ dump_config(ServerOptions *o) | |||
| 2290 | dump_cfg_fmtint(sChallengeResponseAuthentication, | 2309 | dump_cfg_fmtint(sChallengeResponseAuthentication, |
| 2291 | o->challenge_response_authentication); | 2310 | o->challenge_response_authentication); |
| 2292 | dump_cfg_fmtint(sPrintMotd, o->print_motd); | 2311 | dump_cfg_fmtint(sPrintMotd, o->print_motd); |
| 2312 | #ifndef DISABLE_LASTLOG | ||
| 2293 | dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); | 2313 | dump_cfg_fmtint(sPrintLastLog, o->print_lastlog); |
| 2314 | #endif | ||
| 2294 | dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); | 2315 | dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); |
| 2295 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); | 2316 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); |
| 2296 | dump_cfg_fmtint(sPermitTTY, o->permit_tty); | 2317 | dump_cfg_fmtint(sPermitTTY, o->permit_tty); |
| @@ -2374,7 +2395,7 @@ dump_config(ServerOptions *o) | |||
| 2374 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); | 2395 | printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); |
| 2375 | printf("%s\n", iptos2str(o->ip_qos_bulk)); | 2396 | printf("%s\n", iptos2str(o->ip_qos_bulk)); |
| 2376 | 2397 | ||
| 2377 | printf("rekeylimit %lld %d\n", (long long)o->rekey_limit, | 2398 | printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit, |
| 2378 | o->rekey_interval); | 2399 | o->rekey_interval); |
| 2379 | 2400 | ||
| 2380 | channel_print_adm_permitted_opens(); | 2401 | channel_print_adm_permitted_opens(); |