Diffstat (limited to 'servconf.c')
-rw-r--r-- | servconf.c | 67 |
1 files changed, 58 insertions, 9 deletions
diff --git a/servconf.c b/servconf.c index 37fd2de6d..6c7741ab2 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.249 2014/01/29 06:18:35 djm Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -39,10 +39,10 @@ | |||
39 | #include "ssh.h" | 39 | #include "ssh.h" |
40 | #include "log.h" | 40 | #include "log.h" |
41 | #include "buffer.h" | 41 | #include "buffer.h" |
42 | #include "misc.h" | ||
42 | #include "servconf.h" | 43 | #include "servconf.h" |
43 | #include "compat.h" | 44 | #include "compat.h" |
44 | #include "pathnames.h" | 45 | #include "pathnames.h" |
45 | #include "misc.h" | ||
46 | #include "cipher.h" | 46 | #include "cipher.h" |
47 | #include "key.h" | 47 | #include "key.h" |
48 | #include "kex.h" | 48 | #include "kex.h" |
@@ -93,6 +93,7 @@ initialize_server_options(ServerOptions *options) | |||
93 | options->x11_display_offset = -1; | 93 | options->x11_display_offset = -1; |
94 | options->x11_use_localhost = -1; | 94 | options->x11_use_localhost = -1; |
95 | options->permit_tty = -1; | 95 | options->permit_tty = -1; |
96 | options->permit_user_rc = -1; | ||
96 | options->xauth_location = NULL; | 97 | options->xauth_location = NULL; |
97 | options->strict_modes = -1; | 98 | options->strict_modes = -1; |
98 | options->tcp_keep_alive = -1; | 99 | options->tcp_keep_alive = -1; |
@@ -122,6 +123,7 @@ initialize_server_options(ServerOptions *options) | |||
122 | options->rekey_limit = -1; | 123 | options->rekey_limit = -1; |
123 | options->rekey_interval = -1; | 124 | options->rekey_interval = -1; |
124 | options->allow_tcp_forwarding = -1; | 125 | options->allow_tcp_forwarding = -1; |
126 | options->allow_streamlocal_forwarding = -1; | ||
125 | options->allow_agent_forwarding = -1; | 127 | options->allow_agent_forwarding = -1; |
126 | options->num_allow_users = 0; | 128 | options->num_allow_users = 0; |
127 | options->num_deny_users = 0; | 129 | options->num_deny_users = 0; |
@@ -131,7 +133,9 @@ initialize_server_options(ServerOptions *options) | |||
131 | options->macs = NULL; | 133 | options->macs = NULL; |
132 | options->kex_algorithms = NULL; | 134 | options->kex_algorithms = NULL; |
133 | options->protocol = SSH_PROTO_UNKNOWN; | 135 | options->protocol = SSH_PROTO_UNKNOWN; |
134 | options->gateway_ports = -1; | 136 | options->fwd_opts.gateway_ports = -1; |
137 | options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; | ||
138 | options->fwd_opts.streamlocal_bind_unlink = -1; | ||
135 | options->num_subsystems = 0; | 139 | options->num_subsystems = 0; |
136 | options->max_startups_begin = -1; | 140 | options->max_startups_begin = -1; |
137 | options->max_startups_rate = -1; | 141 | options->max_startups_rate = -1; |
@@ -220,6 +224,8 @@ fill_default_server_options(ServerOptions *options) | |||
220 | options->xauth_location = _PATH_XAUTH; | 224 | options->xauth_location = _PATH_XAUTH; |
221 | if (options->permit_tty == -1) | 225 | if (options->permit_tty == -1) |
222 | options->permit_tty = 1; | 226 | options->permit_tty = 1; |
227 | if (options->permit_user_rc == -1) | ||
228 | options->permit_user_rc = 1; | ||
223 | if (options->strict_modes == -1) | 229 | if (options->strict_modes == -1) |
224 | options->strict_modes = 1; | 230 | options->strict_modes = 1; |
225 | if (options->tcp_keep_alive == -1) | 231 | if (options->tcp_keep_alive == -1) |
@@ -276,10 +282,12 @@ fill_default_server_options(ServerOptions *options) | |||
276 | options->rekey_interval = 0; | 282 | options->rekey_interval = 0; |
277 | if (options->allow_tcp_forwarding == -1) | 283 | if (options->allow_tcp_forwarding == -1) |
278 | options->allow_tcp_forwarding = FORWARD_ALLOW; | 284 | options->allow_tcp_forwarding = FORWARD_ALLOW; |
285 | if (options->allow_streamlocal_forwarding == -1) | ||
286 | options->allow_streamlocal_forwarding = FORWARD_ALLOW; | ||
279 | if (options->allow_agent_forwarding == -1) | 287 | if (options->allow_agent_forwarding == -1) |
280 | options->allow_agent_forwarding = 1; | 288 | options->allow_agent_forwarding = 1; |
281 | if (options->gateway_ports == -1) | 289 | if (options->fwd_opts.gateway_ports == -1) |
282 | options->gateway_ports = 0; | 290 | options->fwd_opts.gateway_ports = 0; |
283 | if (options->max_startups == -1) | 291 | if (options->max_startups == -1) |
284 | options->max_startups = 100; | 292 | options->max_startups = 100; |
285 | if (options->max_startups_rate == -1) | 293 | if (options->max_startups_rate == -1) |
@@ -310,6 +318,10 @@ fill_default_server_options(ServerOptions *options) | |||
310 | options->ip_qos_bulk = IPTOS_THROUGHPUT; | 318 | options->ip_qos_bulk = IPTOS_THROUGHPUT; |
311 | if (options->version_addendum == NULL) | 319 | if (options->version_addendum == NULL) |
312 | options->version_addendum = xstrdup(""); | 320 | options->version_addendum = xstrdup(""); |
321 | if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) | ||
322 | options->fwd_opts.streamlocal_bind_mask = 0177; | ||
323 | if (options->fwd_opts.streamlocal_bind_unlink == -1) | ||
324 | options->fwd_opts.streamlocal_bind_unlink = 0; | ||
313 | if (options->debian_banner == -1) | 325 | if (options->debian_banner == -1) |
314 | options->debian_banner = 1; | 326 | options->debian_banner = 1; |
315 | /* Turn privilege separation on by default */ | 327 | /* Turn privilege separation on by default */ |
@@ -361,7 +373,9 @@ typedef enum { | |||
361 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, | 373 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
362 | sKexAlgorithms, sIPQoS, sVersionAddendum, | 374 | sKexAlgorithms, sIPQoS, sVersionAddendum, |
363 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, | 375 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, |
364 | sAuthenticationMethods, sHostKeyAgent, | 376 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, |
377 | sStreamLocalBindMask, sStreamLocalBindUnlink, | ||
378 | sAllowStreamLocalForwarding, | ||
365 | sDebianBanner, | 379 | sDebianBanner, |
366 | sDeprecated, sUnsupported | 380 | sDeprecated, sUnsupported |
367 | } ServerOpCodes; | 381 | } ServerOpCodes; |
@@ -486,6 +500,7 @@ static struct { | |||
486 | { "acceptenv", sAcceptEnv, SSHCFG_ALL }, | 500 | { "acceptenv", sAcceptEnv, SSHCFG_ALL }, |
487 | { "permittunnel", sPermitTunnel, SSHCFG_ALL }, | 501 | { "permittunnel", sPermitTunnel, SSHCFG_ALL }, |
488 | { "permittty", sPermitTTY, SSHCFG_ALL }, | 502 | { "permittty", sPermitTTY, SSHCFG_ALL }, |
503 | { "permituserrc", sPermitUserRC, SSHCFG_ALL }, | ||
489 | { "match", sMatch, SSHCFG_ALL }, | 504 | { "match", sMatch, SSHCFG_ALL }, |
490 | { "permitopen", sPermitOpen, SSHCFG_ALL }, | 505 | { "permitopen", sPermitOpen, SSHCFG_ALL }, |
491 | { "forcecommand", sForceCommand, SSHCFG_ALL }, | 506 | { "forcecommand", sForceCommand, SSHCFG_ALL }, |
@@ -500,6 +515,9 @@ static struct { | |||
500 | { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, | 515 | { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, |
501 | { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, | 516 | { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, |
502 | { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, | 517 | { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, |
518 | { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, | ||
519 | { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, | ||
520 | { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, | ||
503 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | 521 | { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, |
504 | { NULL, sBadOption, 0 } | 522 | { NULL, sBadOption, 0 } |
505 | }; | 523 | }; |
@@ -1169,6 +1187,10 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1169 | intptr = &options->permit_tty; | 1187 | intptr = &options->permit_tty; |
1170 | goto parse_flag; | 1188 | goto parse_flag; |
1171 | 1189 | ||
1190 | case sPermitUserRC: | ||
1191 | intptr = &options->permit_user_rc; | ||
1192 | goto parse_flag; | ||
1193 | |||
1172 | case sStrictModes: | 1194 | case sStrictModes: |
1173 | intptr = &options->strict_modes; | 1195 | intptr = &options->strict_modes; |
1174 | goto parse_flag; | 1196 | goto parse_flag; |
@@ -1226,7 +1248,7 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1226 | break; | 1248 | break; |
1227 | 1249 | ||
1228 | case sGatewayPorts: | 1250 | case sGatewayPorts: |
1229 | intptr = &options->gateway_ports; | 1251 | intptr = &options->fwd_opts.gateway_ports; |
1230 | multistate_ptr = multistate_gatewayports; | 1252 | multistate_ptr = multistate_gatewayports; |
1231 | goto parse_multistate; | 1253 | goto parse_multistate; |
1232 | 1254 | ||
@@ -1261,6 +1283,11 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1261 | multistate_ptr = multistate_tcpfwd; | 1283 | multistate_ptr = multistate_tcpfwd; |
1262 | goto parse_multistate; | 1284 | goto parse_multistate; |
1263 | 1285 | ||
1286 | case sAllowStreamLocalForwarding: | ||
1287 | intptr = &options->allow_streamlocal_forwarding; | ||
1288 | multistate_ptr = multistate_tcpfwd; | ||
1289 | goto parse_multistate; | ||
1290 | |||
1264 | case sAllowAgentForwarding: | 1291 | case sAllowAgentForwarding: |
1265 | intptr = &options->allow_agent_forwarding; | 1292 | intptr = &options->allow_agent_forwarding; |
1266 | goto parse_flag; | 1293 | goto parse_flag; |
@@ -1659,6 +1686,22 @@ process_server_config_line(ServerOptions *options, char *line, | |||
1659 | } | 1686 | } |
1660 | return 0; | 1687 | return 0; |
1661 | 1688 | ||
1689 | case sStreamLocalBindMask: | ||
1690 | arg = strdelim(&cp); | ||
1691 | if (!arg || *arg == '\0') | ||
1692 | fatal("%s line %d: missing StreamLocalBindMask argument.", | ||
1693 | filename, linenum); | ||
1694 | /* Parse mode in octal format */ | ||
1695 | value = strtol(arg, &p, 8); | ||
1696 | if (arg == p || value < 0 || value > 0777) | ||
1697 | fatal("%s line %d: Bad mask.", filename, linenum); | ||
1698 | options->fwd_opts.streamlocal_bind_mask = (mode_t)value; | ||
1699 | break; | ||
1700 | |||
1701 | case sStreamLocalBindUnlink: | ||
1702 | intptr = &options->fwd_opts.streamlocal_bind_unlink; | ||
1703 | goto parse_flag; | ||
1704 | |||
1662 | case sDebianBanner: | 1705 | case sDebianBanner: |
1663 | intptr = &options->debian_banner; | 1706 | intptr = &options->debian_banner; |
1664 | goto parse_int; | 1707 | goto parse_int; |
@@ -1802,13 +1845,15 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) | |||
1802 | M_CP_INTOPT(permit_empty_passwd); | 1845 | M_CP_INTOPT(permit_empty_passwd); |
1803 | 1846 | ||
1804 | M_CP_INTOPT(allow_tcp_forwarding); | 1847 | M_CP_INTOPT(allow_tcp_forwarding); |
1848 | M_CP_INTOPT(allow_streamlocal_forwarding); | ||
1805 | M_CP_INTOPT(allow_agent_forwarding); | 1849 | M_CP_INTOPT(allow_agent_forwarding); |
1806 | M_CP_INTOPT(permit_tun); | 1850 | M_CP_INTOPT(permit_tun); |
1807 | M_CP_INTOPT(gateway_ports); | 1851 | M_CP_INTOPT(fwd_opts.gateway_ports); |
1808 | M_CP_INTOPT(x11_display_offset); | 1852 | M_CP_INTOPT(x11_display_offset); |
1809 | M_CP_INTOPT(x11_forwarding); | 1853 | M_CP_INTOPT(x11_forwarding); |
1810 | M_CP_INTOPT(x11_use_localhost); | 1854 | M_CP_INTOPT(x11_use_localhost); |
1811 | M_CP_INTOPT(permit_tty); | 1855 | M_CP_INTOPT(permit_tty); |
1856 | M_CP_INTOPT(permit_user_rc); | ||
1812 | M_CP_INTOPT(max_sessions); | 1857 | M_CP_INTOPT(max_sessions); |
1813 | M_CP_INTOPT(max_authtries); | 1858 | M_CP_INTOPT(max_authtries); |
1814 | M_CP_INTOPT(ip_qos_interactive); | 1859 | M_CP_INTOPT(ip_qos_interactive); |
@@ -1901,6 +1946,8 @@ fmt_intarg(ServerOpCodes code, int val) | |||
1901 | return fmt_multistate_int(val, multistate_privsep); | 1946 | return fmt_multistate_int(val, multistate_privsep); |
1902 | case sAllowTcpForwarding: | 1947 | case sAllowTcpForwarding: |
1903 | return fmt_multistate_int(val, multistate_tcpfwd); | 1948 | return fmt_multistate_int(val, multistate_tcpfwd); |
1949 | case sAllowStreamLocalForwarding: | ||
1950 | return fmt_multistate_int(val, multistate_tcpfwd); | ||
1904 | case sProtocol: | 1951 | case sProtocol: |
1905 | switch (val) { | 1952 | switch (val) { |
1906 | case SSH_PROTO_1: | 1953 | case SSH_PROTO_1: |
@@ -2053,15 +2100,17 @@ dump_config(ServerOptions *o) | |||
2053 | dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); | 2100 | dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding); |
2054 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); | 2101 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); |
2055 | dump_cfg_fmtint(sPermitTTY, o->permit_tty); | 2102 | dump_cfg_fmtint(sPermitTTY, o->permit_tty); |
2103 | dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc); | ||
2056 | dump_cfg_fmtint(sStrictModes, o->strict_modes); | 2104 | dump_cfg_fmtint(sStrictModes, o->strict_modes); |
2057 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); | 2105 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); |
2058 | dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); | 2106 | dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); |
2059 | dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); | 2107 | dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); |
2060 | dump_cfg_fmtint(sUseLogin, o->use_login); | 2108 | dump_cfg_fmtint(sUseLogin, o->use_login); |
2061 | dump_cfg_fmtint(sCompression, o->compression); | 2109 | dump_cfg_fmtint(sCompression, o->compression); |
2062 | dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); | 2110 | dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); |
2063 | dump_cfg_fmtint(sUseDNS, o->use_dns); | 2111 | dump_cfg_fmtint(sUseDNS, o->use_dns); |
2064 | dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); | 2112 | dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); |
2113 | dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); | ||
2065 | dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); | 2114 | dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); |
2066 | 2115 | ||
2067 | /* string arguments */ | 2116 | /* string arguments */ |
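Review bot: StreamLocalBindMask and StreamLocalBindUnlink are registered as SSHCFG_ALL (new lines 518–519), so they are accepted inside Match blocks, yet the copy_set_server_options hunk (new lines 1847–1856) copies only allow_streamlocal_forwarding, fwd_opts.gateway_ports and permit_user_rc; unless the mask and unlink fields are copied elsewhere in that function (its body extends beyond the hunk), a Match-scoped `StreamLocalBindMask 0177` or `StreamLocalBindUnlink yes` is parsed and then silently dropped, a security-relevant gap between what the config says and what sshd enforces. I would add `M_CP_INTOPT(fwd_opts.streamlocal_bind_mask);` and `M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);` next to the gateway_ports copy, or mark the two keywords SSHCFG_GLOBAL until they are honoured in Match. Since streamlocal_bind_mask is a mode_t initialised to `(mode_t)-1` (new line 137), if M_CP_INTOPT compares the source against -1 as its name suggests, that comparison is signed/unsigned and deserves an explicit cast. Separately, the sStreamLocalBindMask parser (new lines 1695–1697) never checks `*p` after strtol, so trailing characters are accepted; `if (arg == p || *p != '\0' || value < 0 || value > 0777)` would reject `0177x` instead of silently using 0177.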