diff options
Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 57 |
1 files changed, 53 insertions, 4 deletions
diff --git a/servconf.c b/servconf.c index 55b56e59e..62417def7 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: servconf.c,v 1.195 2009/04/14 21:10:54 jj Exp $ */ | 1 | /* $OpenBSD: servconf.c,v 1.204 2010/03/04 10:36:03 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
4 | * All rights reserved | 4 | * All rights reserved |
@@ -65,6 +65,7 @@ initialize_server_options(ServerOptions *options) | |||
65 | options->listen_addrs = NULL; | 65 | options->listen_addrs = NULL; |
66 | options->address_family = -1; | 66 | options->address_family = -1; |
67 | options->num_host_key_files = 0; | 67 | options->num_host_key_files = 0; |
68 | options->num_host_cert_files = 0; | ||
68 | options->pid_file = NULL; | 69 | options->pid_file = NULL; |
69 | options->server_key_bits = -1; | 70 | options->server_key_bits = -1; |
70 | options->login_grace_time = -1; | 71 | options->login_grace_time = -1; |
@@ -132,6 +133,8 @@ initialize_server_options(ServerOptions *options) | |||
132 | options->adm_forced_command = NULL; | 133 | options->adm_forced_command = NULL; |
133 | options->chroot_directory = NULL; | 134 | options->chroot_directory = NULL; |
134 | options->zero_knowledge_password_authentication = -1; | 135 | options->zero_knowledge_password_authentication = -1; |
136 | options->revoked_keys_file = NULL; | ||
137 | options->trusted_user_ca_keys = NULL; | ||
135 | options->debian_banner = -1; | 138 | options->debian_banner = -1; |
136 | } | 139 | } |
137 | 140 | ||
@@ -144,7 +147,7 @@ fill_default_server_options(ServerOptions *options) | |||
144 | 147 | ||
145 | /* Standard Options */ | 148 | /* Standard Options */ |
146 | if (options->protocol == SSH_PROTO_UNKNOWN) | 149 | if (options->protocol == SSH_PROTO_UNKNOWN) |
147 | options->protocol = SSH_PROTO_1|SSH_PROTO_2; | 150 | options->protocol = SSH_PROTO_2; |
148 | if (options->num_host_key_files == 0) { | 151 | if (options->num_host_key_files == 0) { |
149 | /* fill default hostkeys for protocols */ | 152 | /* fill default hostkeys for protocols */ |
150 | if (options->protocol & SSH_PROTO_1) | 153 | if (options->protocol & SSH_PROTO_1) |
@@ -157,6 +160,7 @@ fill_default_server_options(ServerOptions *options) | |||
157 | _PATH_HOST_DSA_KEY_FILE; | 160 | _PATH_HOST_DSA_KEY_FILE; |
158 | } | 161 | } |
159 | } | 162 | } |
163 | /* No certificates by default */ | ||
160 | if (options->num_ports == 0) | 164 | if (options->num_ports == 0) |
161 | options->ports[options->num_ports++] = SSH_DEFAULT_PORT; | 165 | options->ports[options->num_ports++] = SSH_DEFAULT_PORT; |
162 | if (options->listen_addrs == NULL) | 166 | if (options->listen_addrs == NULL) |
@@ -322,7 +326,8 @@ typedef enum { | |||
322 | sAcceptEnv, sPermitTunnel, | 326 | sAcceptEnv, sPermitTunnel, |
323 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 327 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
324 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 328 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
325 | sZeroKnowledgePasswordAuthentication, | 329 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
330 | sRevokedKeys, sTrustedUserCAKeys, | ||
326 | sDebianBanner, | 331 | sDebianBanner, |
327 | sDeprecated, sUnsupported | 332 | sDeprecated, sUnsupported |
328 | } ServerOpCodes; | 333 | } ServerOpCodes; |
@@ -453,6 +458,9 @@ static struct { | |||
453 | { "permitopen", sPermitOpen, SSHCFG_ALL }, | 458 | { "permitopen", sPermitOpen, SSHCFG_ALL }, |
454 | { "forcecommand", sForceCommand, SSHCFG_ALL }, | 459 | { "forcecommand", sForceCommand, SSHCFG_ALL }, |
455 | { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, | 460 | { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, |
461 | { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, | ||
462 | { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, | ||
463 | { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, | ||
456 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | 464 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, |
457 | { NULL, sBadOption, 0 } | 465 | { NULL, sBadOption, 0 } |
458 | }; | 466 | }; |
@@ -489,6 +497,22 @@ parse_token(const char *cp, const char *filename, | |||
489 | return sBadOption; | 497 | return sBadOption; |
490 | } | 498 | } |
491 | 499 | ||
500 | char * | ||
501 | derelativise_path(const char *path) | ||
502 | { | ||
503 | char *expanded, *ret, *cwd; | ||
504 | |||
505 | expanded = tilde_expand_filename(path, getuid()); | ||
506 | if (*expanded == '/') | ||
507 | return expanded; | ||
508 | if ((cwd = getcwd(NULL, 0)) == NULL) | ||
509 | fatal("%s: getcwd: %s", __func__, strerror(errno)); | ||
510 | xasprintf(&ret, "%s/%s", cwd, expanded); | ||
511 | xfree(cwd); | ||
512 | xfree(expanded); | ||
513 | return ret; | ||
514 | } | ||
515 | |||
492 | static void | 516 | static void |
493 | add_listen_addr(ServerOptions *options, char *addr, int port) | 517 | add_listen_addr(ServerOptions *options, char *addr, int port) |
494 | { | 518 | { |
@@ -823,13 +847,23 @@ process_server_config_line(ServerOptions *options, char *line, | |||
823 | fatal("%s line %d: missing file name.", | 847 | fatal("%s line %d: missing file name.", |
824 | filename, linenum); | 848 | filename, linenum); |
825 | if (*activep && *charptr == NULL) { | 849 | if (*activep && *charptr == NULL) { |
826 | *charptr = tilde_expand_filename(arg, getuid()); | 850 | *charptr = derelativise_path(arg); |
827 | /* increase optional counter */ | 851 | /* increase optional counter */ |
828 | if (intptr != NULL) | 852 | if (intptr != NULL) |
829 | *intptr = *intptr + 1; | 853 | *intptr = *intptr + 1; |
830 | } | 854 | } |
831 | break; | 855 | break; |
832 | 856 | ||
857 | case sHostCertificate: | ||
858 | intptr = &options->num_host_cert_files; | ||
859 | if (*intptr >= MAX_HOSTKEYS) | ||
860 | fatal("%s line %d: too many host certificates " | ||
861 | "specified (max %d).", filename, linenum, | ||
862 | MAX_HOSTCERTS); | ||
863 | charptr = &options->host_cert_files[*intptr]; | ||
864 | goto parse_filename; | ||
865 | break; | ||
866 | |||
833 | case sPidFile: | 867 | case sPidFile: |
834 | charptr = &options->pid_file; | 868 | charptr = &options->pid_file; |
835 | goto parse_filename; | 869 | goto parse_filename; |
@@ -1340,6 +1374,14 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1340 | *charptr = xstrdup(arg); | 1374 | *charptr = xstrdup(arg); |
1341 | break; | 1375 | break; |
1342 | 1376 | ||
1377 | case sTrustedUserCAKeys: | ||
1378 | charptr = &options->trusted_user_ca_keys; | ||
1379 | goto parse_filename; | ||
1380 | |||
1381 | case sRevokedKeys: | ||
1382 | charptr = &options->revoked_keys_file; | ||
1383 | goto parse_filename; | ||
1384 | |||
1343 | case sDebianBanner: | 1385 | case sDebianBanner: |
1344 | intptr = &options->debian_banner; | 1386 | intptr = &options->debian_banner; |
1345 | goto parse_int; | 1387 | goto parse_int; |
@@ -1458,6 +1500,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
1458 | return; | 1500 | return; |
1459 | M_CP_STROPT(adm_forced_command); | 1501 | M_CP_STROPT(adm_forced_command); |
1460 | M_CP_STROPT(chroot_directory); | 1502 | M_CP_STROPT(chroot_directory); |
1503 | M_CP_STROPT(trusted_user_ca_keys); | ||
1504 | M_CP_STROPT(revoked_keys_file); | ||
1461 | } | 1505 | } |
1462 | 1506 | ||
1463 | #undef M_CP_INTOPT | 1507 | #undef M_CP_INTOPT |
@@ -1680,6 +1724,9 @@ dump_config(ServerOptions *o) | |||
1680 | dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file); | 1724 | dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file); |
1681 | dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2); | 1725 | dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2); |
1682 | dump_cfg_string(sForceCommand, o->adm_forced_command); | 1726 | dump_cfg_string(sForceCommand, o->adm_forced_command); |
1727 | dump_cfg_string(sChrootDirectory, o->chroot_directory); | ||
1728 | dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); | ||
1729 | dump_cfg_string(sRevokedKeys, o->revoked_keys_file); | ||
1683 | 1730 | ||
1684 | /* string arguments requiring a lookup */ | 1731 | /* string arguments requiring a lookup */ |
1685 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); | 1732 | dump_cfg_string(sLogLevel, log_level_name(o->log_level)); |
@@ -1688,6 +1735,8 @@ dump_config(ServerOptions *o) | |||
1688 | /* string array arguments */ | 1735 | /* string array arguments */ |
1689 | dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, | 1736 | dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, |
1690 | o->host_key_files); | 1737 | o->host_key_files); |
1738 | dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files, | ||
1739 | o->host_cert_files); | ||
1691 | dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users); | 1740 | dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users); |
1692 | dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users); | 1741 | dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users); |
1693 | dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); | 1742 | dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); |