1 files changed, 45 insertions, 9 deletions

diff --git a/servconf.c b/servconf.c
index daed26a66..74710c41f 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.218 2011/05/20 03:25:45 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.219 2011/05/23 03:30:07 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -126,7 +126,7 @@ initialize_server_options(ServerOptions *options)
         options->use_dns = -1;
         options->client_alive_interval = -1;
         options->client_alive_count_max = -1;
-        options->authorized_keys_file = NULL;
+        options->num_authkeys_files = 0;
         options->num_accept_env = 0;
         options->permit_tun = -1;
         options->num_permitted_opens = -1;
@@ -263,8 +263,12 @@ fill_default_server_options(ServerOptions *options)
                 options->client_alive_interval = 0;
         if (options->client_alive_count_max == -1)
                 options->client_alive_count_max = 3;
-        if (options->authorized_keys_file == NULL)
-                options->authorized_keys_file = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
+        if (options->num_authkeys_files == 0) {
+                options->authorized_keys_files[options->num_authkeys_files++] =
+                    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
+                options->authorized_keys_files[options->num_authkeys_files++] =
+                    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
+        }
         if (options->permit_tun == -1)
                 options->permit_tun = SSH_TUNMODE_NO;
         if (options->zero_knowledge_password_authentication == -1)
@@ -430,6 +434,7 @@ static struct {
         { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
         { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
         { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
+        { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
         { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
         { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
         { "permittunnel", sPermitTunnel, SSHCFG_ALL },
@@ -1241,11 +1246,22 @@ process_server_config_line(ServerOptions *options, char *line,
          * AuthorizedKeysFile   /etc/ssh_keys/%u
          */
         case sAuthorizedKeysFile:
-                charptr = &options->authorized_keys_file;
-                goto parse_tilde_filename;
+                if (*activep && options->num_authkeys_files == 0) {
+                        while ((arg = strdelim(&cp)) && *arg != '\0') {
+                                if (options->num_authkeys_files >=
+                                    MAX_AUTHKEYS_FILES)
+                                        fatal("%s line %d: "
+                                            "too many authorized keys files.",
+                                            filename, linenum);
+                                options->authorized_keys_files[
+                                    options->num_authkeys_files++] =
+                                    tilde_expand_filename(arg, getuid());
+                        }
+                }
+                return 0;
+
         case sAuthorizedPrincipalsFile:
                 charptr = &options->authorized_principals_file;
- parse_tilde_filename:
                 arg = strdelim(&cp);
                 if (!arg || *arg == '\0')
                         fatal("%s line %d: missing file name.",
@@ -1464,6 +1480,12 @@ parse_server_match_config(ServerOptions *options, const char *user,
                 dst->n = src->n; \
         } \
 } while(0)
+#define M_CP_STRARRAYOPT(n, num_n) do {\
+        if (src->num_n != 0) { \
+                for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
+                        dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
+        } \
+} while(0)
 
 /*
  * Copy any supported values that are set.
@@ -1508,12 +1530,14 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
          */
         if (preauth)
                 return;
+
         M_CP_STROPT(adm_forced_command);
         M_CP_STROPT(chroot_directory);
 }
 
 #undef M_CP_INTOPT
 #undef M_CP_STROPT
+#undef M_CP_STRARRAYOPT
 
 void
 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
@@ -1627,7 +1651,18 @@ dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
         u_int i;
 
         for (i = 0; i < count; i++)
-                printf("%s %s\n", lookup_opcode_name(code),  vals[i]);
+                printf("%s %s\n", lookup_opcode_name(code), vals[i]);
+}
+
+static void
+dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
+{
+        u_int i;
+
+        printf("%s", lookup_opcode_name(code));
+        for (i = 0; i < count; i++)
+                printf(" %s",  vals[i]);
+        printf("\n");
 }
 
 void
@@ -1725,7 +1760,6 @@ dump_config(ServerOptions *o)
         dump_cfg_string(sCiphers, o->ciphers);
         dump_cfg_string(sMacs, o->macs);
         dump_cfg_string(sBanner, o->banner);
-        dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
         dump_cfg_string(sForceCommand, o->adm_forced_command);
         dump_cfg_string(sChrootDirectory, o->chroot_directory);
         dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
@@ -1738,6 +1772,8 @@ dump_config(ServerOptions *o)
         dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
 
         /* string array arguments */
+        dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
+            o->authorized_keys_files);
         dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
              o->host_key_files);
         dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,