summaryrefslogtreecommitdiff
path: root/servconf.c
diff options
context:
space:
mode:
Diffstat (limited to 'servconf.c')
-rw-r--r--servconf.c66
1 files changed, 51 insertions, 15 deletions
diff --git a/servconf.c b/servconf.c
index 66ce39026..c1f2bc2af 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: servconf.c,v 1.186 2008/07/04 03:44:59 djm Exp $ */ 1/* $OpenBSD: servconf.c,v 1.194 2009/01/22 10:02:34 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -42,8 +42,8 @@
42#include "channels.h" 42#include "channels.h"
43#include "groupaccess.h" 43#include "groupaccess.h"
44 44
45static void add_listen_addr(ServerOptions *, char *, u_short); 45static void add_listen_addr(ServerOptions *, char *, int);
46static void add_one_listen_addr(ServerOptions *, char *, u_short); 46static void add_one_listen_addr(ServerOptions *, char *, int);
47 47
48/* Use of privilege separation or not */ 48/* Use of privilege separation or not */
49extern int use_privsep; 49extern int use_privsep;
@@ -95,6 +95,7 @@ initialize_server_options(ServerOptions *options)
95 options->gss_keyex = -1; 95 options->gss_keyex = -1;
96 options->gss_cleanup_creds = -1; 96 options->gss_cleanup_creds = -1;
97 options->gss_strict_acceptor = -1; 97 options->gss_strict_acceptor = -1;
98 options->gss_store_rekey = -1;
98 options->password_authentication = -1; 99 options->password_authentication = -1;
99 options->kbd_interactive_authentication = -1; 100 options->kbd_interactive_authentication = -1;
100 options->challenge_response_authentication = -1; 101 options->challenge_response_authentication = -1;
@@ -130,6 +131,7 @@ initialize_server_options(ServerOptions *options)
130 options->num_permitted_opens = -1; 131 options->num_permitted_opens = -1;
131 options->adm_forced_command = NULL; 132 options->adm_forced_command = NULL;
132 options->chroot_directory = NULL; 133 options->chroot_directory = NULL;
134 options->zero_knowledge_password_authentication = -1;
133} 135}
134 136
135void 137void
@@ -218,6 +220,8 @@ fill_default_server_options(ServerOptions *options)
218 options->gss_cleanup_creds = 1; 220 options->gss_cleanup_creds = 1;
219 if (options->gss_strict_acceptor == -1) 221 if (options->gss_strict_acceptor == -1)
220 options->gss_strict_acceptor = 1; 222 options->gss_strict_acceptor = 1;
223 if (options->gss_store_rekey == -1)
224 options->gss_store_rekey = 0;
221 if (options->password_authentication == -1) 225 if (options->password_authentication == -1)
222 options->password_authentication = 1; 226 options->password_authentication = 1;
223 if (options->kbd_interactive_authentication == -1) 227 if (options->kbd_interactive_authentication == -1)
@@ -267,6 +271,8 @@ fill_default_server_options(ServerOptions *options)
267 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; 271 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
268 if (options->permit_tun == -1) 272 if (options->permit_tun == -1)
269 options->permit_tun = SSH_TUNMODE_NO; 273 options->permit_tun = SSH_TUNMODE_NO;
274 if (options->zero_knowledge_password_authentication == -1)
275 options->zero_knowledge_password_authentication = 0;
270 276
271 /* Turn privilege separation on by default */ 277 /* Turn privilege separation on by default */
272 if (use_privsep == -1) 278 if (use_privsep == -1)
@@ -309,10 +315,11 @@ typedef enum {
309 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 315 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
310 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, 316 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
311 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 317 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
312 sGssKeyEx, 318 sGssKeyEx, sGssStoreRekey,
313 sAcceptEnv, sPermitTunnel, 319 sAcceptEnv, sPermitTunnel,
314 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 320 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
315 sUsePrivilegeSeparation, sAllowAgentForwarding, 321 sUsePrivilegeSeparation, sAllowAgentForwarding,
322 sZeroKnowledgePasswordAuthentication,
316 sDeprecated, sUnsupported 323 sDeprecated, sUnsupported
317} ServerOpCodes; 324} ServerOpCodes;
318 325
@@ -374,12 +381,14 @@ static struct {
374 { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, 381 { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
375 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, 382 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
376 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, 383 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
384 { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
377#else 385#else
378 { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, 386 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
379 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, 387 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
380 { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, 388 { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
381 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, 389 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
382 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, 390 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
391 { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
383#endif 392#endif
384 { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, 393 { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
385 { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, 394 { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -387,6 +396,11 @@ static struct {
387 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 396 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
388 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 397 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
389 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ 398 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
399#ifdef JPAKE
400 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
401#else
402 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
403#endif
390 { "checkmail", sDeprecated, SSHCFG_GLOBAL }, 404 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
391 { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, 405 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
392 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, 406 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
@@ -400,7 +414,7 @@ static struct {
400 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 414 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
401 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 415 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
402 { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL }, 416 { "permitblacklistedkeys", sPermitBlacklistedKeys, SSHCFG_GLOBAL },
403 { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL }, 417 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
404 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 418 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
405 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 419 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
406 { "compression", sCompression, SSHCFG_GLOBAL }, 420 { "compression", sCompression, SSHCFG_GLOBAL },
@@ -471,7 +485,7 @@ parse_token(const char *cp, const char *filename,
471} 485}
472 486
473static void 487static void
474add_listen_addr(ServerOptions *options, char *addr, u_short port) 488add_listen_addr(ServerOptions *options, char *addr, int port)
475{ 489{
476 u_int i; 490 u_int i;
477 491
@@ -487,7 +501,7 @@ add_listen_addr(ServerOptions *options, char *addr, u_short port)
487} 501}
488 502
489static void 503static void
490add_one_listen_addr(ServerOptions *options, char *addr, u_short port) 504add_one_listen_addr(ServerOptions *options, char *addr, int port)
491{ 505{
492 struct addrinfo hints, *ai, *aitop; 506 struct addrinfo hints, *ai, *aitop;
493 char strport[NI_MAXSERV]; 507 char strport[NI_MAXSERV];
@@ -497,7 +511,7 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
497 hints.ai_family = options->address_family; 511 hints.ai_family = options->address_family;
498 hints.ai_socktype = SOCK_STREAM; 512 hints.ai_socktype = SOCK_STREAM;
499 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; 513 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
500 snprintf(strport, sizeof strport, "%u", port); 514 snprintf(strport, sizeof strport, "%d", port);
501 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) 515 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
502 fatal("bad addr or host: %s (%s)", 516 fatal("bad addr or host: %s (%s)",
503 addr ? addr : "<NULL>", 517 addr ? addr : "<NULL>",
@@ -653,7 +667,7 @@ process_server_config_line(ServerOptions *options, char *line,
653 SyslogFacility *log_facility_ptr; 667 SyslogFacility *log_facility_ptr;
654 LogLevel *log_level_ptr; 668 LogLevel *log_level_ptr;
655 ServerOpCodes opcode; 669 ServerOpCodes opcode;
656 u_short port; 670 int port;
657 u_int i, flags = 0; 671 u_int i, flags = 0;
658 size_t len; 672 size_t len;
659 673
@@ -710,7 +724,7 @@ process_server_config_line(ServerOptions *options, char *line,
710 fatal("%s line %d: missing port number.", 724 fatal("%s line %d: missing port number.",
711 filename, linenum); 725 filename, linenum);
712 options->ports[options->num_ports++] = a2port(arg); 726 options->ports[options->num_ports++] = a2port(arg);
713 if (options->ports[options->num_ports-1] == 0) 727 if (options->ports[options->num_ports-1] <= 0)
714 fatal("%s line %d: Badly formatted port number.", 728 fatal("%s line %d: Badly formatted port number.",
715 filename, linenum); 729 filename, linenum);
716 break; 730 break;
@@ -763,7 +777,7 @@ process_server_config_line(ServerOptions *options, char *line,
763 p = cleanhostname(p); 777 p = cleanhostname(p);
764 if (arg == NULL) 778 if (arg == NULL)
765 port = 0; 779 port = 0;
766 else if ((port = a2port(arg)) == 0) 780 else if ((port = a2port(arg)) <= 0)
767 fatal("%s line %d: bad port number", filename, linenum); 781 fatal("%s line %d: bad port number", filename, linenum);
768 782
769 add_listen_addr(options, p, port); 783 add_listen_addr(options, p, port);
@@ -914,10 +928,18 @@ process_server_config_line(ServerOptions *options, char *line,
914 intptr = &options->gss_strict_acceptor; 928 intptr = &options->gss_strict_acceptor;
915 goto parse_flag; 929 goto parse_flag;
916 930
931 case sGssStoreRekey:
932 intptr = &options->gss_store_rekey;
933 goto parse_flag;
934
917 case sPasswordAuthentication: 935 case sPasswordAuthentication:
918 intptr = &options->password_authentication; 936 intptr = &options->password_authentication;
919 goto parse_flag; 937 goto parse_flag;
920 938
939 case sZeroKnowledgePasswordAuthentication:
940 intptr = &options->zero_knowledge_password_authentication;
941 goto parse_flag;
942
921 case sKbdInteractiveAuthentication: 943 case sKbdInteractiveAuthentication:
922 intptr = &options->kbd_interactive_authentication; 944 intptr = &options->kbd_interactive_authentication;
923 goto parse_flag; 945 goto parse_flag;
@@ -1284,7 +1306,7 @@ process_server_config_line(ServerOptions *options, char *line,
1284 fatal("%s line %d: missing host in PermitOpen", 1306 fatal("%s line %d: missing host in PermitOpen",
1285 filename, linenum); 1307 filename, linenum);
1286 p = cleanhostname(p); 1308 p = cleanhostname(p);
1287 if (arg == NULL || (port = a2port(arg)) == 0) 1309 if (arg == NULL || (port = a2port(arg)) <= 0)
1288 fatal("%s line %d: bad port number in " 1310 fatal("%s line %d: bad port number in "
1289 "PermitOpen", filename, linenum); 1311 "PermitOpen", filename, linenum);
1290 if (*activep && n == -1) 1312 if (*activep && n == -1)
@@ -1409,7 +1431,9 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1409 M_CP_INTOPT(kerberos_authentication); 1431 M_CP_INTOPT(kerberos_authentication);
1410 M_CP_INTOPT(hostbased_authentication); 1432 M_CP_INTOPT(hostbased_authentication);
1411 M_CP_INTOPT(kbd_interactive_authentication); 1433 M_CP_INTOPT(kbd_interactive_authentication);
1434 M_CP_INTOPT(zero_knowledge_password_authentication);
1412 M_CP_INTOPT(permit_root_login); 1435 M_CP_INTOPT(permit_root_login);
1436 M_CP_INTOPT(permit_empty_passwd);
1413 1437
1414 M_CP_INTOPT(allow_tcp_forwarding); 1438 M_CP_INTOPT(allow_tcp_forwarding);
1415 M_CP_INTOPT(allow_agent_forwarding); 1439 M_CP_INTOPT(allow_agent_forwarding);
@@ -1471,7 +1495,7 @@ fmt_intarg(ServerOpCodes code, int val)
1471 if (code == sPermitRootLogin) { 1495 if (code == sPermitRootLogin) {
1472 switch (val) { 1496 switch (val) {
1473 case PERMIT_NO_PASSWD: 1497 case PERMIT_NO_PASSWD:
1474 return "without-passord"; 1498 return "without-password";
1475 case PERMIT_FORCED_ONLY: 1499 case PERMIT_FORCED_ONLY:
1476 return "forced-commands-only"; 1500 return "forced-commands-only";
1477 case PERMIT_YES: 1501 case PERMIT_YES:
@@ -1576,11 +1600,15 @@ dump_config(ServerOptions *o)
1576 } 1600 }
1577 1601
1578 /* integer arguments */ 1602 /* integer arguments */
1603#ifdef USE_PAM
1604 dump_cfg_int(sUsePAM, o->use_pam);
1605#endif
1579 dump_cfg_int(sServerKeyBits, o->server_key_bits); 1606 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1580 dump_cfg_int(sLoginGraceTime, o->login_grace_time); 1607 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1581 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time); 1608 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1582 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset); 1609 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1583 dump_cfg_int(sMaxAuthTries, o->max_authtries); 1610 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1611 dump_cfg_int(sMaxSessions, o->max_sessions);
1584 dump_cfg_int(sClientAliveInterval, o->client_alive_interval); 1612 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1585 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); 1613 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1586 1614
@@ -1594,14 +1622,24 @@ dump_config(ServerOptions *o)
1594 o->hostbased_uses_name_from_packet_only); 1622 o->hostbased_uses_name_from_packet_only);
1595 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication); 1623 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1596 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication); 1624 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1625#ifdef KRB5
1597 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication); 1626 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1598 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd); 1627 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1599 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup); 1628 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1629# ifdef USE_AFS
1600 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); 1630 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1631# endif
1632#endif
1633#ifdef GSSAPI
1601 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 1634 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1602 dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); 1635 dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
1603 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); 1636 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1604 dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); 1637 dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
1638#endif
1639#ifdef JPAKE
1640 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1641 o->zero_knowledge_password_authentication);
1642#endif
1605 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 1643 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1606 dump_cfg_fmtint(sKbdInteractiveAuthentication, 1644 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1607 o->kbd_interactive_authentication); 1645 o->kbd_interactive_authentication);
@@ -1661,7 +1699,5 @@ dump_config(ServerOptions *o)
1661 } 1699 }
1662 dump_cfg_string(sPermitTunnel, s); 1700 dump_cfg_string(sPermitTunnel, s);
1663 1701
1664 printf("permitopen");
1665 channel_print_adm_permitted_opens(); 1702 channel_print_adm_permitted_opens();
1666 printf("\n");
1667} 1703}