Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 84 |
1 files changed, 57 insertions, 27 deletions
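diff --git a/servconf.c b/servconf.c
index 747edde6c..9bcd05bf2 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */
+/* $OpenBSD: servconf.c,v 1.248 2013/12/06 13:39:49 markus Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions *options)
 	options->x11_forwarding = -1;
 	options->x11_display_offset = -1;
 	options->x11_use_localhost = -1;
+	options->permit_tty = -1;
 	options->xauth_location = NULL;
 	options->strict_modes = -1;
 	options->tcp_keep_alive = -1;
@@ -179,6 +180,8 @@ fill_default_server_options(ServerOptions *options)
 			options->host_key_files[options->num_host_key_files++] =
 			    _PATH_HOST_ECDSA_KEY_FILE;
 #endif
+			options->host_key_files[options->num_host_key_files++] =
+			    _PATH_HOST_ED25519_KEY_FILE;
 		}
 	}
 	/* No certificates by default */
@@ -212,6 +215,8 @@ fill_default_server_options(ServerOptions *options)
 		options->x11_use_localhost = 1;
 	if (options->xauth_location == NULL)
 		options->xauth_location = _PATH_XAUTH;
+	if (options->permit_tty == -1)
+		options->permit_tty = 1;
 	if (options->strict_modes == -1)
 		options->strict_modes = 1;
 	if (options->tcp_keep_alive == -1)
@@ -329,7 +334,7 @@ typedef enum {
 	sListenAddress, sAddressFamily,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
-	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
+	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
 	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
@@ -462,6 +467,7 @@ static struct {
 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
+	{ "permittty", sPermitTTY, SSHCFG_ALL },
 	{ "match", sMatch, SSHCFG_ALL },
 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
@@ -641,13 +647,13 @@ out:
 
 /*
  * All of the attributes on a single Match line are ANDed together, so we need
- * to check every * attribute and set the result to zero if any attribute does
+ * to check every attribute and set the result to zero if any attribute does
  * not match.
  */
 static int
 match_cfg_line(char **condition, int line, struct connection_info *ci)
 {
-	int result = 1, port;
+	int result = 1, attributes = 0, port;
 	char *arg, *attrib, *cp = *condition;
 	size_t len;
 
@@ -661,6 +667,17 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 	    ci->laddress ? ci->laddress : "(null)", ci->lport);
 
 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
+		attributes++;
+		if (strcasecmp(attrib, "all") == 0) {
+			if (attributes != 1 ||
+			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
+				error("'all' cannot be combined with other "
+				    "Match attributes");
+				return -1;
+			}
+			*condition = cp;
+			return 1;
+		}
 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
 			error("Missing Match criteria for %s", attrib);
 			return -1;
@@ -754,6 +771,10 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 			return -1;
 		}
 	}
+	if (attributes == 0) {
+		error("One or more attributes required for Match");
+		return -1;
+	}
 	if (ci != NULL)
 		debug3("match %sfound", result ? "" : "not ");
 	*condition = cp;
@@ -1117,6 +1138,10 @@ process_server_config_line(ServerOptions *options, char *line,
 		charptr = &options->xauth_location;
 		goto parse_filename;
 
+	case sPermitTTY:
+		intptr = &options->permit_tty;
+		goto parse_flag;
+
 	case sStrictModes:
 		intptr = &options->strict_modes;
 		goto parse_flag;
@@ -1719,24 +1744,6 @@ int server_match_spec_complete(struct connection_info *ci)
 	return 0; /* partial */
 }
 
-/* Helper macros */
-#define M_CP_INTOPT(n) do {\
-	if (src->n != -1) \
-		dst->n = src->n; \
-} while (0)
-#define M_CP_STROPT(n) do {\
-	if (src->n != NULL) { \
-		free(dst->n); \
-		dst->n = src->n; \
-	} \
-} while(0)
-#define M_CP_STRARRAYOPT(n, num_n) do {\
-	if (src->num_n != 0) { \
-		for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
-			dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
-	} \
-} while(0)
-
 /*
  * Copy any supported values that are set.
  *
@@ -1747,6 +1754,11 @@ int server_match_spec_complete(struct connection_info *ci)
 void
 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 {
+#define M_CP_INTOPT(n) do {\
+	if (src->n != -1) \
+		dst->n = src->n; \
+} while (0)
+
 	M_CP_INTOPT(password_authentication);
 	M_CP_INTOPT(gss_authentication);
 	M_CP_INTOPT(rsa_authentication);
@@ -1756,8 +1768,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
 	M_CP_INTOPT(kbd_interactive_authentication);
 	M_CP_INTOPT(zero_knowledge_password_authentication);
-	M_CP_STROPT(authorized_keys_command);
-	M_CP_STROPT(authorized_keys_command_user);
 	M_CP_INTOPT(permit_root_login);
 	M_CP_INTOPT(permit_empty_passwd);
 
@@ -1768,6 +1778,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(x11_display_offset);
 	M_CP_INTOPT(x11_forwarding);
 	M_CP_INTOPT(x11_use_localhost);
+	M_CP_INTOPT(permit_tty);
 	M_CP_INTOPT(max_sessions);
 	M_CP_INTOPT(max_authtries);
 	M_CP_INTOPT(ip_qos_interactive);
@@ -1775,6 +1786,20 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
 
+	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
+#define M_CP_STROPT(n) do {\
+	if (src->n != NULL && dst->n != src->n) { \
+		free(dst->n); \
+		dst->n = src->n; \
+	} \
+} while(0)
+#define M_CP_STRARRAYOPT(n, num_n) do {\
+	if (src->num_n != 0) { \
+		for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
+			dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
+	} \
+} while(0)
+
 	/* See comment in servconf.h */
 	COPY_MATCH_STRING_OPTS();
 
@@ -1998,6 +2023,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
 	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
+	dump_cfg_fmtint(sPermitTTY, o->permit_tty);
 	dump_cfg_fmtint(sStrictModes, o->strict_modes);
 	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
@@ -2012,8 +2038,9 @@ dump_config(ServerOptions *o)
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
 	dump_cfg_string(sXAuthLocation, o->xauth_location);
-	dump_cfg_string(sCiphers, o->ciphers);
-	dump_cfg_string(sMacs, o->macs);
+	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
+	    cipher_alg_list(',', 0));
+	dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(','));
 	dump_cfg_string(sBanner, o->banner);
 	dump_cfg_string(sForceCommand, o->adm_forced_command);
 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2025,6 +2052,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
+	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
+	    kex_alg_list(','));
 
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
@@ -2063,7 +2092,8 @@ dump_config(ServerOptions *o)
 	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
 	printf("%s\n", iptos2str(o->ip_qos_bulk));
 
-	printf("rekeylimit %lld %d\n", o->rekey_limit, o->rekey_interval);
+	printf("rekeylimit %lld %d\n", (long long)o->rekey_limit,
+	    o->rekey_interval);
 
 	channel_print_adm_permitted_opens();
 }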
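Review bot: The two string-copy macros re-introduced inside copy_set_server_options (hunk @@ -1775,6 +1786,20 @@) have asymmetric ownership and the array variant can leak: M_CP_STROPT aliases src's pointer into dst (`dst->n = src->n`, no xstrdup), so the new `dst->n != src->n` guard only protects a repeated copy from the same src and dst still dangles if src's string is ever freed separately, while M_CP_STRARRAYOPT xstrdup's each element but resets dst->num_n and overwrites dst->n[] without freeing whatever dst already held. Whether dst is populated before the copy depends on callers not in this diff, but if it is (for instance on a later Match reparse) the previous entries leak; inserting `while (dst->num_n > 0) free(dst->n[--dst->num_n]);` before the for loop would fix that, assuming dst's entries are heap-owned as the xstrdup suggests. The aliasing in M_CP_STROPT deserves a comment so a future caller does not free src's strings, e.g. `/* NB: aliases src's string into dst, no copy; src must not free it afterwards */`. The body of copy_set_server_options opens in an earlier hunk and continues past this one, so any preauth-dependent handling of these strings is not visible here.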