Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 147 |
1 files changed, 61 insertions, 86 deletions
diff --git a/servconf.c b/servconf.c index 2510659ee..71e28b3cb 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -10,23 +10,7 @@ | |||
10 | */ | 10 | */ |
11 | 11 | ||
12 | #include "includes.h" | 12 | #include "includes.h" |
13 | RCSID("$OpenBSD: servconf.c,v 1.116 2003/02/21 09:05:53 markus Exp $"); | 13 | RCSID("$OpenBSD: servconf.c,v 1.127 2003/09/01 18:15:50 markus Exp $"); |
14 | |||
15 | #if defined(KRB4) | ||
16 | #include <krb.h> | ||
17 | #endif | ||
18 | #if defined(KRB5) | ||
19 | #ifdef HEIMDAL | ||
20 | #include <krb.h> | ||
21 | #else | ||
22 | /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V | ||
23 | * keytab */ | ||
24 | #define KEYFILE "/etc/krb5.keytab" | ||
25 | #endif | ||
26 | #endif | ||
27 | #ifdef AFS | ||
28 | #include <kafs.h> | ||
29 | #endif | ||
30 | 14 | ||
31 | #include "ssh.h" | 15 | #include "ssh.h" |
32 | #include "log.h" | 16 | #include "log.h" |
@@ -56,7 +40,7 @@ initialize_server_options(ServerOptions *options) | |||
56 | memset(options, 0, sizeof(*options)); | 40 | memset(options, 0, sizeof(*options)); |
57 | 41 | ||
58 | /* Portable-specific options */ | 42 | /* Portable-specific options */ |
59 | options->pam_authentication_via_kbd_int = -1; | 43 | options->use_pam = -1; |
60 | 44 | ||
61 | /* Standard Options */ | 45 | /* Standard Options */ |
62 | options->num_ports = 0; | 46 | options->num_ports = 0; |
@@ -80,23 +64,16 @@ initialize_server_options(ServerOptions *options) | |||
80 | options->keepalives = -1; | 64 | options->keepalives = -1; |
81 | options->log_facility = SYSLOG_FACILITY_NOT_SET; | 65 | options->log_facility = SYSLOG_FACILITY_NOT_SET; |
82 | options->log_level = SYSLOG_LEVEL_NOT_SET; | 66 | options->log_level = SYSLOG_LEVEL_NOT_SET; |
83 | options->rhosts_authentication = -1; | ||
84 | options->rhosts_rsa_authentication = -1; | 67 | options->rhosts_rsa_authentication = -1; |
85 | options->hostbased_authentication = -1; | 68 | options->hostbased_authentication = -1; |
86 | options->hostbased_uses_name_from_packet_only = -1; | 69 | options->hostbased_uses_name_from_packet_only = -1; |
87 | options->rsa_authentication = -1; | 70 | options->rsa_authentication = -1; |
88 | options->pubkey_authentication = -1; | 71 | options->pubkey_authentication = -1; |
89 | #if defined(KRB4) || defined(KRB5) | ||
90 | options->kerberos_authentication = -1; | 72 | options->kerberos_authentication = -1; |
91 | options->kerberos_or_local_passwd = -1; | 73 | options->kerberos_or_local_passwd = -1; |
92 | options->kerberos_ticket_cleanup = -1; | 74 | options->kerberos_ticket_cleanup = -1; |
93 | #endif | 75 | options->gss_authentication=-1; |
94 | #if defined(AFS) || defined(KRB5) | 76 | options->gss_cleanup_creds = -1; |
95 | options->kerberos_tgt_passing = -1; | ||
96 | #endif | ||
97 | #ifdef AFS | ||
98 | options->afs_token_passing = -1; | ||
99 | #endif | ||
100 | options->password_authentication = -1; | 77 | options->password_authentication = -1; |
101 | options->kbd_interactive_authentication = -1; | 78 | options->kbd_interactive_authentication = -1; |
102 | options->challenge_response_authentication = -1; | 79 | options->challenge_response_authentication = -1; |
@@ -118,7 +95,7 @@ initialize_server_options(ServerOptions *options) | |||
118 | options->max_startups_rate = -1; | 95 | options->max_startups_rate = -1; |
119 | options->max_startups = -1; | 96 | options->max_startups = -1; |
120 | options->banner = NULL; | 97 | options->banner = NULL; |
121 | options->verify_reverse_mapping = -1; | 98 | options->use_dns = -1; |
122 | options->client_alive_interval = -1; | 99 | options->client_alive_interval = -1; |
123 | options->client_alive_count_max = -1; | 100 | options->client_alive_count_max = -1; |
124 | options->authorized_keys_file = NULL; | 101 | options->authorized_keys_file = NULL; |
@@ -132,8 +109,8 @@ void | |||
132 | fill_default_server_options(ServerOptions *options) | 109 | fill_default_server_options(ServerOptions *options) |
133 | { | 110 | { |
134 | /* Portable-specific options */ | 111 | /* Portable-specific options */ |
135 | if (options->pam_authentication_via_kbd_int == -1) | 112 | if (options->use_pam == -1) |
136 | options->pam_authentication_via_kbd_int = 0; | 113 | options->use_pam = 1; |
137 | 114 | ||
138 | /* Standard Options */ | 115 | /* Standard Options */ |
139 | if (options->protocol == SSH_PROTO_UNKNOWN) | 116 | if (options->protocol == SSH_PROTO_UNKNOWN) |
@@ -188,8 +165,6 @@ fill_default_server_options(ServerOptions *options) | |||
188 | options->log_facility = SYSLOG_FACILITY_AUTH; | 165 | options->log_facility = SYSLOG_FACILITY_AUTH; |
189 | if (options->log_level == SYSLOG_LEVEL_NOT_SET) | 166 | if (options->log_level == SYSLOG_LEVEL_NOT_SET) |
190 | options->log_level = SYSLOG_LEVEL_INFO; | 167 | options->log_level = SYSLOG_LEVEL_INFO; |
191 | if (options->rhosts_authentication == -1) | ||
192 | options->rhosts_authentication = 0; | ||
193 | if (options->rhosts_rsa_authentication == -1) | 168 | if (options->rhosts_rsa_authentication == -1) |
194 | options->rhosts_rsa_authentication = 0; | 169 | options->rhosts_rsa_authentication = 0; |
195 | if (options->hostbased_authentication == -1) | 170 | if (options->hostbased_authentication == -1) |
@@ -200,22 +175,16 @@ fill_default_server_options(ServerOptions *options) | |||
200 | options->rsa_authentication = 1; | 175 | options->rsa_authentication = 1; |
201 | if (options->pubkey_authentication == -1) | 176 | if (options->pubkey_authentication == -1) |
202 | options->pubkey_authentication = 1; | 177 | options->pubkey_authentication = 1; |
203 | #if defined(KRB4) || defined(KRB5) | ||
204 | if (options->kerberos_authentication == -1) | 178 | if (options->kerberos_authentication == -1) |
205 | options->kerberos_authentication = 0; | 179 | options->kerberos_authentication = 0; |
206 | if (options->kerberos_or_local_passwd == -1) | 180 | if (options->kerberos_or_local_passwd == -1) |
207 | options->kerberos_or_local_passwd = 1; | 181 | options->kerberos_or_local_passwd = 1; |
208 | if (options->kerberos_ticket_cleanup == -1) | 182 | if (options->kerberos_ticket_cleanup == -1) |
209 | options->kerberos_ticket_cleanup = 1; | 183 | options->kerberos_ticket_cleanup = 1; |
210 | #endif | 184 | if (options->gss_authentication == -1) |
211 | #if defined(AFS) || defined(KRB5) | 185 | options->gss_authentication = 0; |
212 | if (options->kerberos_tgt_passing == -1) | 186 | if (options->gss_cleanup_creds == -1) |
213 | options->kerberos_tgt_passing = 0; | 187 | options->gss_cleanup_creds = 1; |
214 | #endif | ||
215 | #ifdef AFS | ||
216 | if (options->afs_token_passing == -1) | ||
217 | options->afs_token_passing = 0; | ||
218 | #endif | ||
219 | if (options->password_authentication == -1) | 188 | if (options->password_authentication == -1) |
220 | options->password_authentication = 1; | 189 | options->password_authentication = 1; |
221 | if (options->kbd_interactive_authentication == -1) | 190 | if (options->kbd_interactive_authentication == -1) |
@@ -240,8 +209,8 @@ fill_default_server_options(ServerOptions *options) | |||
240 | options->max_startups_rate = 100; /* 100% */ | 209 | options->max_startups_rate = 100; /* 100% */ |
241 | if (options->max_startups_begin == -1) | 210 | if (options->max_startups_begin == -1) |
242 | options->max_startups_begin = options->max_startups; | 211 | options->max_startups_begin = options->max_startups; |
243 | if (options->verify_reverse_mapping == -1) | 212 | if (options->use_dns == -1) |
244 | options->verify_reverse_mapping = 0; | 213 | options->use_dns = 1; |
245 | if (options->client_alive_interval == -1) | 214 | if (options->client_alive_interval == -1) |
246 | options->client_alive_interval = 0; | 215 | options->client_alive_interval = 0; |
247 | if (options->client_alive_count_max == -1) | 216 | if (options->client_alive_count_max == -1) |
@@ -275,21 +244,13 @@ fill_default_server_options(ServerOptions *options) | |||
275 | typedef enum { | 244 | typedef enum { |
276 | sBadOption, /* == unknown option */ | 245 | sBadOption, /* == unknown option */ |
277 | /* Portable-specific options */ | 246 | /* Portable-specific options */ |
278 | sPAMAuthenticationViaKbdInt, | 247 | sUsePAM, |
279 | /* Standard Options */ | 248 | /* Standard Options */ |
280 | sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, | 249 | sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, |
281 | sPermitRootLogin, sLogFacility, sLogLevel, | 250 | sPermitRootLogin, sLogFacility, sLogLevel, |
282 | sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, | 251 | sRhostsRSAAuthentication, sRSAAuthentication, |
283 | #if defined(KRB4) || defined(KRB5) | ||
284 | sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, | 252 | sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, |
285 | #endif | 253 | sKerberosTgtPassing, sChallengeResponseAuthentication, |
286 | #if defined(AFS) || defined(KRB5) | ||
287 | sKerberosTgtPassing, | ||
288 | #endif | ||
289 | #ifdef AFS | ||
290 | sAFSTokenPassing, | ||
291 | #endif | ||
292 | sChallengeResponseAuthentication, | ||
293 | sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, | 254 | sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, |
294 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | 255 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
295 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 256 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
@@ -298,11 +259,12 @@ typedef enum { | |||
298 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 259 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
299 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 260 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
300 | sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, | 261 | sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, |
301 | sBanner, sVerifyReverseMapping, sHostbasedAuthentication, | 262 | sBanner, sUseDNS, sHostbasedAuthentication, |
302 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 263 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
303 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, | 264 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, |
265 | sGssAuthentication, sGssCleanupCreds, | ||
304 | sUsePrivilegeSeparation, | 266 | sUsePrivilegeSeparation, |
305 | sDeprecated | 267 | sDeprecated, sUnsupported |
306 | } ServerOpCodes; | 268 | } ServerOpCodes; |
307 | 269 | ||
308 | /* Textual representation of the tokens. */ | 270 | /* Textual representation of the tokens. */ |
@@ -311,7 +273,12 @@ static struct { | |||
311 | ServerOpCodes opcode; | 273 | ServerOpCodes opcode; |
312 | } keywords[] = { | 274 | } keywords[] = { |
313 | /* Portable-specific options */ | 275 | /* Portable-specific options */ |
314 | { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, | 276 | #ifdef USE_PAM |
277 | { "usepam", sUsePAM }, | ||
278 | #else | ||
279 | { "usepam", sUnsupported }, | ||
280 | #endif | ||
281 | { "pamauthenticationviakbdint", sDeprecated }, | ||
315 | /* Standard Options */ | 282 | /* Standard Options */ |
316 | { "port", sPort }, | 283 | { "port", sPort }, |
317 | { "hostkey", sHostKeyFile }, | 284 | { "hostkey", sHostKeyFile }, |
@@ -323,23 +290,30 @@ static struct { | |||
323 | { "permitrootlogin", sPermitRootLogin }, | 290 | { "permitrootlogin", sPermitRootLogin }, |
324 | { "syslogfacility", sLogFacility }, | 291 | { "syslogfacility", sLogFacility }, |
325 | { "loglevel", sLogLevel }, | 292 | { "loglevel", sLogLevel }, |
326 | { "rhostsauthentication", sRhostsAuthentication }, | 293 | { "rhostsauthentication", sDeprecated }, |
327 | { "rhostsrsaauthentication", sRhostsRSAAuthentication }, | 294 | { "rhostsrsaauthentication", sRhostsRSAAuthentication }, |
328 | { "hostbasedauthentication", sHostbasedAuthentication }, | 295 | { "hostbasedauthentication", sHostbasedAuthentication }, |
329 | { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, | 296 | { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, |
330 | { "rsaauthentication", sRSAAuthentication }, | 297 | { "rsaauthentication", sRSAAuthentication }, |
331 | { "pubkeyauthentication", sPubkeyAuthentication }, | 298 | { "pubkeyauthentication", sPubkeyAuthentication }, |
332 | { "dsaauthentication", sPubkeyAuthentication }, /* alias */ | 299 | { "dsaauthentication", sPubkeyAuthentication }, /* alias */ |
333 | #if defined(KRB4) || defined(KRB5) | 300 | #ifdef KRB5 |
334 | { "kerberosauthentication", sKerberosAuthentication }, | 301 | { "kerberosauthentication", sKerberosAuthentication }, |
335 | { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, | 302 | { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, |
336 | { "kerberosticketcleanup", sKerberosTicketCleanup }, | 303 | { "kerberosticketcleanup", sKerberosTicketCleanup }, |
304 | #else | ||
305 | { "kerberosauthentication", sUnsupported }, | ||
306 | { "kerberosorlocalpasswd", sUnsupported }, | ||
307 | { "kerberosticketcleanup", sUnsupported }, | ||
337 | #endif | 308 | #endif |
338 | #if defined(AFS) || defined(KRB5) | 309 | { "kerberostgtpassing", sUnsupported }, |
339 | { "kerberostgtpassing", sKerberosTgtPassing }, | 310 | { "afstokenpassing", sUnsupported }, |
340 | #endif | 311 | #ifdef GSSAPI |
341 | #ifdef AFS | 312 | { "gssapiauthentication", sGssAuthentication }, |
342 | { "afstokenpassing", sAFSTokenPassing }, | 313 | { "gssapicleanupcreds", sGssCleanupCreds }, |
314 | #else | ||
315 | { "gssapiauthentication", sUnsupported }, | ||
316 | { "gssapicleanupcreds", sUnsupported }, | ||
343 | #endif | 317 | #endif |
344 | { "passwordauthentication", sPasswordAuthentication }, | 318 | { "passwordauthentication", sPasswordAuthentication }, |
345 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, | 319 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, |
@@ -373,8 +347,9 @@ static struct { | |||
373 | { "subsystem", sSubsystem }, | 347 | { "subsystem", sSubsystem }, |
374 | { "maxstartups", sMaxStartups }, | 348 | { "maxstartups", sMaxStartups }, |
375 | { "banner", sBanner }, | 349 | { "banner", sBanner }, |
376 | { "verifyreversemapping", sVerifyReverseMapping }, | 350 | { "usedns", sUseDNS }, |
377 | { "reversemappingcheck", sVerifyReverseMapping }, | 351 | { "verifyreversemapping", sDeprecated }, |
352 | { "reversemappingcheck", sDeprecated }, | ||
378 | { "clientaliveinterval", sClientAliveInterval }, | 353 | { "clientaliveinterval", sClientAliveInterval }, |
379 | { "clientalivecountmax", sClientAliveCountMax }, | 354 | { "clientalivecountmax", sClientAliveCountMax }, |
380 | { "authorizedkeysfile", sAuthorizedKeysFile }, | 355 | { "authorizedkeysfile", sAuthorizedKeysFile }, |
@@ -458,8 +433,8 @@ process_server_config_line(ServerOptions *options, char *line, | |||
458 | opcode = parse_token(arg, filename, linenum); | 433 | opcode = parse_token(arg, filename, linenum); |
459 | switch (opcode) { | 434 | switch (opcode) { |
460 | /* Portable-specific options */ | 435 | /* Portable-specific options */ |
461 | case sPAMAuthenticationViaKbdInt: | 436 | case sUsePAM: |
462 | intptr = &options->pam_authentication_via_kbd_int; | 437 | intptr = &options->use_pam; |
463 | goto parse_flag; | 438 | goto parse_flag; |
464 | 439 | ||
465 | /* Standard Options */ | 440 | /* Standard Options */ |
@@ -622,10 +597,6 @@ parse_flag: | |||
622 | intptr = &options->ignore_user_known_hosts; | 597 | intptr = &options->ignore_user_known_hosts; |
623 | goto parse_flag; | 598 | goto parse_flag; |
624 | 599 | ||
625 | case sRhostsAuthentication: | ||
626 | intptr = &options->rhosts_authentication; | ||
627 | goto parse_flag; | ||
628 | |||
629 | case sRhostsRSAAuthentication: | 600 | case sRhostsRSAAuthentication: |
630 | intptr = &options->rhosts_rsa_authentication; | 601 | intptr = &options->rhosts_rsa_authentication; |
631 | goto parse_flag; | 602 | goto parse_flag; |
@@ -645,7 +616,7 @@ parse_flag: | |||
645 | case sPubkeyAuthentication: | 616 | case sPubkeyAuthentication: |
646 | intptr = &options->pubkey_authentication; | 617 | intptr = &options->pubkey_authentication; |
647 | goto parse_flag; | 618 | goto parse_flag; |
648 | #if defined(KRB4) || defined(KRB5) | 619 | |
649 | case sKerberosAuthentication: | 620 | case sKerberosAuthentication: |
650 | intptr = &options->kerberos_authentication; | 621 | intptr = &options->kerberos_authentication; |
651 | goto parse_flag; | 622 | goto parse_flag; |
@@ -657,17 +628,14 @@ parse_flag: | |||
657 | case sKerberosTicketCleanup: | 628 | case sKerberosTicketCleanup: |
658 | intptr = &options->kerberos_ticket_cleanup; | 629 | intptr = &options->kerberos_ticket_cleanup; |
659 | goto parse_flag; | 630 | goto parse_flag; |
660 | #endif | 631 | |
661 | #if defined(AFS) || defined(KRB5) | 632 | case sGssAuthentication: |
662 | case sKerberosTgtPassing: | 633 | intptr = &options->gss_authentication; |
663 | intptr = &options->kerberos_tgt_passing; | ||
664 | goto parse_flag; | 634 | goto parse_flag; |
665 | #endif | 635 | |
666 | #ifdef AFS | 636 | case sGssCleanupCreds: |
667 | case sAFSTokenPassing: | 637 | intptr = &options->gss_cleanup_creds; |
668 | intptr = &options->afs_token_passing; | ||
669 | goto parse_flag; | 638 | goto parse_flag; |
670 | #endif | ||
671 | 639 | ||
672 | case sPasswordAuthentication: | 640 | case sPasswordAuthentication: |
673 | intptr = &options->password_authentication; | 641 | intptr = &options->password_authentication; |
@@ -733,8 +701,8 @@ parse_flag: | |||
733 | intptr = &options->gateway_ports; | 701 | intptr = &options->gateway_ports; |
734 | goto parse_flag; | 702 | goto parse_flag; |
735 | 703 | ||
736 | case sVerifyReverseMapping: | 704 | case sUseDNS: |
737 | intptr = &options->verify_reverse_mapping; | 705 | intptr = &options->use_dns; |
738 | goto parse_flag; | 706 | goto parse_flag; |
739 | 707 | ||
740 | case sLogFacility: | 708 | case sLogFacility: |
@@ -910,7 +878,14 @@ parse_flag: | |||
910 | goto parse_int; | 878 | goto parse_int; |
911 | 879 | ||
912 | case sDeprecated: | 880 | case sDeprecated: |
913 | log("%s line %d: Deprecated option %s", | 881 | logit("%s line %d: Deprecated option %s", |
882 | filename, linenum, arg); | ||
883 | while (arg) | ||
884 | arg = strdelim(&cp); | ||
885 | break; | ||
886 | |||
887 | case sUnsupported: | ||
888 | logit("%s line %d: Unsupported option %s", | ||
914 | filename, linenum, arg); | 889 | filename, linenum, arg); |
915 | while (arg) | 890 | while (arg) |
916 | arg = strdelim(&cp); | 891 | arg = strdelim(&cp); |
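Review bot: The new sUnsupported case at the end of this hunk only logs and then swallows the rest of the line, so a security control named in sshd_config can be quietly absent at runtime: with the keyword table in this commit, `UsePAM yes` on a build without USE_PAM is mapped to sUnsupported, produces a single "Unsupported option" line at info level, and sshd starts without the PAM account/session checks the operator asked for. For keywords that switch a control on, that is fail-open from the administrator's point of view; I would either treat sUnsupported like sBadOption and `fatal()` out, or at minimum make the consequence explicit in the message, `logit("%s line %d: Unsupported option %s (ignored)", filename, linenum, arg);`. The sDeprecated and sUnsupported branches are otherwise byte-identical and could be folded into one case that picks the message from `opcode`. Separately, `fill_default_server_options` now sets `use_pam = 1` unconditionally even in builds where the keyword is unsupported, so any reader of `options->use_pam` outside a USE_PAM guard (not visible here) would see PAM as enabled; worth confirming.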