Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c60
1 files changed, 52 insertions, 8 deletions
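--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.285 2016/02/17 05:29:04 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.292 2016/06/23 05:17:51 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -390,6 +390,14 @@ fill_default_server_options(ServerOptions *options)
  CLEAR_ON_NONE(options->host_cert_files[i]);
 #undef CLEAR_ON_NONE
 
+ /* Similar handling for AuthenticationMethods=any */
+ if (options->num_auth_methods == 1 &&
+ strcmp(options->auth_methods[0], "any") == 0) {
+ free(options->auth_methods[0]);
+ options->auth_methods[0] = NULL;
+ options->num_auth_methods = 0;
+ }
+
 #ifndef HAVE_MMAP
  if (use_privsep && options->compression == 1) {
  error("This platform does not support both privilege "
@@ -727,14 +735,15 @@ process_queued_listen_addrs(ServerOptions *options)
 struct connection_info *
 get_connection_info(int populate, int use_dns)
 {
+ struct ssh *ssh = active_state; /* XXX */
  static struct connection_info ci;
 
  if (!populate)
  return &ci;
- ci.host = get_canonical_hostname(use_dns);
- ci.address = get_remote_ipaddr();
- ci.laddress = get_local_ipaddr(packet_get_connection_in());
- ci.lport = get_local_port();
+ ci.host = auth_get_canonical_hostname(ssh, use_dns);
+ ci.address = ssh_remote_ipaddr(ssh);
+ ci.laddress = ssh_local_ipaddr(ssh);
+ ci.lport = ssh_local_port(ssh);
  return &ci;
 }
 
@@ -1832,21 +1841,41 @@ process_server_config_line(ServerOptions *options, char *line,
 
  case sAuthenticationMethods:
  if (options->num_auth_methods == 0) {
+ value = 0; /* seen "any" pseudo-method */
+ value2 = 0; /* sucessfully parsed any method */
  while ((arg = strdelim(&cp)) && *arg != '\0') {
  if (options->num_auth_methods >=
  MAX_AUTH_METHODS)
  fatal("%s line %d: "
  "too many authentication methods.",
  filename, linenum);
- if (auth2_methods_valid(arg, 0) != 0)
+ if (strcmp(arg, "any") == 0) {
+ if (options->num_auth_methods > 0) {
+ fatal("%s line %d: \"any\" "
+ "must appear alone in "
+ "AuthenticationMethods",
+ filename, linenum);
+ }
+ value = 1;
+ } else if (value) {
+ fatal("%s line %d: \"any\" must appear "
+ "alone in AuthenticationMethods",
+ filename, linenum);
+ } else if (auth2_methods_valid(arg, 0) != 0) {
  fatal("%s line %d: invalid "
  "authentication method list.",
  filename, linenum);
+ }
+ value2 = 1;
  if (!*activep)
  continue;
  options->auth_methods[
  options->num_auth_methods++] = xstrdup(arg);
  }
+ if (value2 == 0) {
+ fatal("%s line %d: no AuthenticationMethods "
+ "specified", filename, linenum);
+ }
  }
  return 0;
 
@@ -2026,6 +2055,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
  M_CP_INTOPT(allow_agent_forwarding);
  M_CP_INTOPT(permit_tun);
  M_CP_INTOPT(fwd_opts.gateway_ports);
+ M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
  M_CP_INTOPT(x11_display_offset);
  M_CP_INTOPT(x11_forwarding);
  M_CP_INTOPT(x11_use_localhost);
@@ -2038,6 +2068,16 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
  M_CP_INTOPT(rekey_limit);
  M_CP_INTOPT(rekey_interval);
 
+ /*
+ * The bind_mask is a mode_t that may be unsigned, so we can't use
+ * M_CP_INTOPT - it does a signed comparison that causes compiler
+ * warnings.
+ */
+ if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
+ dst->fwd_opts.streamlocal_bind_mask =
+ src->fwd_opts.streamlocal_bind_mask;
+ }
+
  /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
 #define M_CP_STROPT(n) do {\
  if (src->n != NULL && dst->n != src->n) { \
@@ -2091,7 +2131,8 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
 
  debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
 
- obuf = cbuf = xstrdup(buffer_ptr(conf));
+ if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
+ fatal("%s: sshbuf_dup_string failed", __func__);
  active = connectinfo ? 0 : 1;
  linenum = 1;
  while ((cp = strsep(&cbuf, "\n")) != NULL) {
@@ -2215,11 +2256,13 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
 {
  u_int i;
 
- if (count <= 0)
+ if (count <= 0 && code != sAuthenticationMethods)
  return;
  printf("%s", lookup_opcode_name(code));
  for (i = 0; i < count; i++)
  printf(" %s", vals[i]);
+ if (code == sAuthenticationMethods && count == 0)
+ printf(" any");
  printf("\n");
 }
 
@@ -2327,6 +2370,7 @@ dump_config(ServerOptions *o)
  dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
  dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
  dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
+ dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
  dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
  dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 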