Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c67
1 files changed, 58 insertions, 9 deletions
diff --git a/servconf.c b/servconf.c
index 7ba65d51d..b7f329447 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.249 2014/01/29 06:18:35 djm Exp $ */ 2/* $OpenBSD: servconf.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -39,10 +39,10 @@
39#include "ssh.h" 39#include "ssh.h"
40#include "log.h" 40#include "log.h"
41#include "buffer.h" 41#include "buffer.h"
42#include "misc.h"
42#include "servconf.h" 43#include "servconf.h"
43#include "compat.h" 44#include "compat.h"
44#include "pathnames.h" 45#include "pathnames.h"
45#include "misc.h"
46#include "cipher.h" 46#include "cipher.h"
47#include "key.h" 47#include "key.h"
48#include "kex.h" 48#include "kex.h"
@@ -93,6 +93,7 @@ initialize_server_options(ServerOptions *options)
93 options->x11_display_offset = -1; 93 options->x11_display_offset = -1;
94 options->x11_use_localhost = -1; 94 options->x11_use_localhost = -1;
95 options->permit_tty = -1; 95 options->permit_tty = -1;
96 options->permit_user_rc = -1;
96 options->xauth_location = NULL; 97 options->xauth_location = NULL;
97 options->strict_modes = -1; 98 options->strict_modes = -1;
98 options->tcp_keep_alive = -1; 99 options->tcp_keep_alive = -1;
@@ -119,6 +120,7 @@ initialize_server_options(ServerOptions *options)
119 options->rekey_limit = -1; 120 options->rekey_limit = -1;
120 options->rekey_interval = -1; 121 options->rekey_interval = -1;
121 options->allow_tcp_forwarding = -1; 122 options->allow_tcp_forwarding = -1;
123 options->allow_streamlocal_forwarding = -1;
122 options->allow_agent_forwarding = -1; 124 options->allow_agent_forwarding = -1;
123 options->num_allow_users = 0; 125 options->num_allow_users = 0;
124 options->num_deny_users = 0; 126 options->num_deny_users = 0;
@@ -128,7 +130,9 @@ initialize_server_options(ServerOptions *options)
128 options->macs = NULL; 130 options->macs = NULL;
129 options->kex_algorithms = NULL; 131 options->kex_algorithms = NULL;
130 options->protocol = SSH_PROTO_UNKNOWN; 132 options->protocol = SSH_PROTO_UNKNOWN;
131 options->gateway_ports = -1; 133 options->fwd_opts.gateway_ports = -1;
134 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
135 options->fwd_opts.streamlocal_bind_unlink = -1;
132 options->num_subsystems = 0; 136 options->num_subsystems = 0;
133 options->max_startups_begin = -1; 137 options->max_startups_begin = -1;
134 options->max_startups_rate = -1; 138 options->max_startups_rate = -1;
@@ -216,6 +220,8 @@ fill_default_server_options(ServerOptions *options)
216 options->xauth_location = _PATH_XAUTH; 220 options->xauth_location = _PATH_XAUTH;
217 if (options->permit_tty == -1) 221 if (options->permit_tty == -1)
218 options->permit_tty = 1; 222 options->permit_tty = 1;
223 if (options->permit_user_rc == -1)
224 options->permit_user_rc = 1;
219 if (options->strict_modes == -1) 225 if (options->strict_modes == -1)
220 options->strict_modes = 1; 226 options->strict_modes = 1;
221 if (options->tcp_keep_alive == -1) 227 if (options->tcp_keep_alive == -1)
@@ -266,10 +272,12 @@ fill_default_server_options(ServerOptions *options)
266 options->rekey_interval = 0; 272 options->rekey_interval = 0;
267 if (options->allow_tcp_forwarding == -1) 273 if (options->allow_tcp_forwarding == -1)
268 options->allow_tcp_forwarding = FORWARD_ALLOW; 274 options->allow_tcp_forwarding = FORWARD_ALLOW;
275 if (options->allow_streamlocal_forwarding == -1)
276 options->allow_streamlocal_forwarding = FORWARD_ALLOW;
269 if (options->allow_agent_forwarding == -1) 277 if (options->allow_agent_forwarding == -1)
270 options->allow_agent_forwarding = 1; 278 options->allow_agent_forwarding = 1;
271 if (options->gateway_ports == -1) 279 if (options->fwd_opts.gateway_ports == -1)
272 options->gateway_ports = 0; 280 options->fwd_opts.gateway_ports = 0;
273 if (options->max_startups == -1) 281 if (options->max_startups == -1)
274 options->max_startups = 100; 282 options->max_startups = 100;
275 if (options->max_startups_rate == -1) 283 if (options->max_startups_rate == -1)
@@ -300,6 +308,10 @@ fill_default_server_options(ServerOptions *options)
300 options->ip_qos_bulk = IPTOS_THROUGHPUT; 308 options->ip_qos_bulk = IPTOS_THROUGHPUT;
301 if (options->version_addendum == NULL) 309 if (options->version_addendum == NULL)
302 options->version_addendum = xstrdup(""); 310 options->version_addendum = xstrdup("");
311 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
312 options->fwd_opts.streamlocal_bind_mask = 0177;
313 if (options->fwd_opts.streamlocal_bind_unlink == -1)
314 options->fwd_opts.streamlocal_bind_unlink = 0;
303 /* Turn privilege separation on by default */ 315 /* Turn privilege separation on by default */
304 if (use_privsep == -1) 316 if (use_privsep == -1)
305 use_privsep = PRIVSEP_NOSANDBOX; 317 use_privsep = PRIVSEP_NOSANDBOX;
@@ -347,7 +359,9 @@ typedef enum {
347 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, 359 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
348 sKexAlgorithms, sIPQoS, sVersionAddendum, 360 sKexAlgorithms, sIPQoS, sVersionAddendum,
349 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 361 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
350 sAuthenticationMethods, sHostKeyAgent, 362 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
363 sStreamLocalBindMask, sStreamLocalBindUnlink,
364 sAllowStreamLocalForwarding,
351 sDeprecated, sUnsupported 365 sDeprecated, sUnsupported
352} ServerOpCodes; 366} ServerOpCodes;
353 367
@@ -460,6 +474,7 @@ static struct {
460 { "acceptenv", sAcceptEnv, SSHCFG_ALL }, 474 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
461 { "permittunnel", sPermitTunnel, SSHCFG_ALL }, 475 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
462 { "permittty", sPermitTTY, SSHCFG_ALL }, 476 { "permittty", sPermitTTY, SSHCFG_ALL },
477 { "permituserrc", sPermitUserRC, SSHCFG_ALL },
463 { "match", sMatch, SSHCFG_ALL }, 478 { "match", sMatch, SSHCFG_ALL },
464 { "permitopen", sPermitOpen, SSHCFG_ALL }, 479 { "permitopen", sPermitOpen, SSHCFG_ALL },
465 { "forcecommand", sForceCommand, SSHCFG_ALL }, 480 { "forcecommand", sForceCommand, SSHCFG_ALL },
@@ -474,6 +489,9 @@ static struct {
474 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, 489 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
475 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 490 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
476 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, 491 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
492 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
493 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
494 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
477 { NULL, sBadOption, 0 } 495 { NULL, sBadOption, 0 }
478}; 496};
479 497
@@ -1130,6 +1148,10 @@ process_server_config_line(ServerOptions *options, char *line,
1130 intptr = &options->permit_tty; 1148 intptr = &options->permit_tty;
1131 goto parse_flag; 1149 goto parse_flag;
1132 1150
1151 case sPermitUserRC:
1152 intptr = &options->permit_user_rc;
1153 goto parse_flag;
1154
1133 case sStrictModes: 1155 case sStrictModes:
1134 intptr = &options->strict_modes; 1156 intptr = &options->strict_modes;
1135 goto parse_flag; 1157 goto parse_flag;
@@ -1187,7 +1209,7 @@ process_server_config_line(ServerOptions *options, char *line,
1187 break; 1209 break;
1188 1210
1189 case sGatewayPorts: 1211 case sGatewayPorts:
1190 intptr = &options->gateway_ports; 1212 intptr = &options->fwd_opts.gateway_ports;
1191 multistate_ptr = multistate_gatewayports; 1213 multistate_ptr = multistate_gatewayports;
1192 goto parse_multistate; 1214 goto parse_multistate;
1193 1215
@@ -1222,6 +1244,11 @@ process_server_config_line(ServerOptions *options, char *line,
1222 multistate_ptr = multistate_tcpfwd; 1244 multistate_ptr = multistate_tcpfwd;
1223 goto parse_multistate; 1245 goto parse_multistate;
1224 1246
1247 case sAllowStreamLocalForwarding:
1248 intptr = &options->allow_streamlocal_forwarding;
1249 multistate_ptr = multistate_tcpfwd;
1250 goto parse_multistate;
1251
1225 case sAllowAgentForwarding: 1252 case sAllowAgentForwarding:
1226 intptr = &options->allow_agent_forwarding; 1253 intptr = &options->allow_agent_forwarding;
1227 goto parse_flag; 1254 goto parse_flag;
@@ -1620,6 +1647,22 @@ process_server_config_line(ServerOptions *options, char *line,
1620 } 1647 }
1621 return 0; 1648 return 0;
1622 1649
1650 case sStreamLocalBindMask:
1651 arg = strdelim(&cp);
1652 if (!arg || *arg == '\0')
1653 fatal("%s line %d: missing StreamLocalBindMask argument.",
1654 filename, linenum);
1655 /* Parse mode in octal format */
1656 value = strtol(arg, &p, 8);
1657 if (arg == p || value < 0 || value > 0777)
1658 fatal("%s line %d: Bad mask.", filename, linenum);
1659 options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
1660 break;
1661
1662 case sStreamLocalBindUnlink:
1663 intptr = &options->fwd_opts.streamlocal_bind_unlink;
1664 goto parse_flag;
1665
1623 case sDeprecated: 1666 case sDeprecated:
1624 logit("%s line %d: Deprecated option %s", 1667 logit("%s line %d: Deprecated option %s",
1625 filename, linenum, arg); 1668 filename, linenum, arg);
@@ -1759,13 +1802,15 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1759 M_CP_INTOPT(permit_empty_passwd); 1802 M_CP_INTOPT(permit_empty_passwd);
1760 1803
1761 M_CP_INTOPT(allow_tcp_forwarding); 1804 M_CP_INTOPT(allow_tcp_forwarding);
1805 M_CP_INTOPT(allow_streamlocal_forwarding);
1762 M_CP_INTOPT(allow_agent_forwarding); 1806 M_CP_INTOPT(allow_agent_forwarding);
1763 M_CP_INTOPT(permit_tun); 1807 M_CP_INTOPT(permit_tun);
1764 M_CP_INTOPT(gateway_ports); 1808 M_CP_INTOPT(fwd_opts.gateway_ports);
1765 M_CP_INTOPT(x11_display_offset); 1809 M_CP_INTOPT(x11_display_offset);
1766 M_CP_INTOPT(x11_forwarding); 1810 M_CP_INTOPT(x11_forwarding);
1767 M_CP_INTOPT(x11_use_localhost); 1811 M_CP_INTOPT(x11_use_localhost);
1768 M_CP_INTOPT(permit_tty); 1812 M_CP_INTOPT(permit_tty);
1813 M_CP_INTOPT(permit_user_rc);
1769 M_CP_INTOPT(max_sessions); 1814 M_CP_INTOPT(max_sessions);
1770 M_CP_INTOPT(max_authtries); 1815 M_CP_INTOPT(max_authtries);
1771 M_CP_INTOPT(ip_qos_interactive); 1816 M_CP_INTOPT(ip_qos_interactive);
@@ -1858,6 +1903,8 @@ fmt_intarg(ServerOpCodes code, int val)
1858 return fmt_multistate_int(val, multistate_privsep); 1903 return fmt_multistate_int(val, multistate_privsep);
1859 case sAllowTcpForwarding: 1904 case sAllowTcpForwarding:
1860 return fmt_multistate_int(val, multistate_tcpfwd); 1905 return fmt_multistate_int(val, multistate_tcpfwd);
1906 case sAllowStreamLocalForwarding:
1907 return fmt_multistate_int(val, multistate_tcpfwd);
1861 case sProtocol: 1908 case sProtocol:
1862 switch (val) { 1909 switch (val) {
1863 case SSH_PROTO_1: 1910 case SSH_PROTO_1:
@@ -2007,15 +2054,17 @@ dump_config(ServerOptions *o)
2007 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); 2054 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2008 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 2055 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2009 dump_cfg_fmtint(sPermitTTY, o->permit_tty); 2056 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2057 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2010 dump_cfg_fmtint(sStrictModes, o->strict_modes); 2058 dump_cfg_fmtint(sStrictModes, o->strict_modes);
2011 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 2059 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2012 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 2060 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2013 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); 2061 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2014 dump_cfg_fmtint(sUseLogin, o->use_login); 2062 dump_cfg_fmtint(sUseLogin, o->use_login);
2015 dump_cfg_fmtint(sCompression, o->compression); 2063 dump_cfg_fmtint(sCompression, o->compression);
2016 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); 2064 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2017 dump_cfg_fmtint(sUseDNS, o->use_dns); 2065 dump_cfg_fmtint(sUseDNS, o->use_dns);
2018 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); 2066 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2067 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2019 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); 2068 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2020 2069
2021 /* string arguments */ 2070 /* string arguments */
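Review bot: The StreamLocalBindMask parser accepts trailing garbage, because the check after `strtol(arg, &p, 8)` only rejects an empty parse (`arg == p`) and out-of-range values, so an argument such as `0177x` is silently taken as `0177`; tighten it to `if (arg == p || *p != '\0' || value < 0 || value > 0777)`. The declaration of `value` is outside the hunk; if it is narrower than `long`, the range check runs on an already-truncated result, so parsing into a `long` and range-checking before the `(mode_t)` cast would be safer. Separately, `streamlocalbindmask` and `streamlocalbindunlink` are registered with SSHCFG_ALL, yet the copy_set_server_options hunk copies only `allow_streamlocal_forwarding` and `permit_user_rc`; unless the two fwd_opts fields are copied further down that function (outside the hunk), a Match block setting them would be silently ignored. process_server_config_line and copy_set_server_options both begin and end outside their hunks.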