From cf31f3863425453ffcda540fbefa9df80088c8d1 Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Thu, 24 Oct 2013 21:02:56 +1100
Subject: - dtucker@cvs.openbsd.org 2013/10/24 00:51:48 [readconf.c servconf.c ssh_config.5 sshd_config.5] Disallow empty Match statements and add "Match all" which matches everything. ok djm, man page help jmc@

---
 ChangeLog     |  4 ++++
 readconf.c    | 22 ++++++++++++++++++++--
 servconf.c    | 19 +++++++++++++++++--
 ssh_config.5  |  9 ++++++---
 sshd_config.5 |  8 +++++---
 5 files changed, 52 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 95040392f..8dcff45d3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,10 @@
    [moduli.c]
    Periodically print progress and, if possible, expected time to
    completion when screening moduli for DH groups. ok deraadt djm
+ - dtucker@cvs.openbsd.org 2013/10/24 00:51:48
+   [readconf.c servconf.c ssh_config.5 sshd_config.5]
+   Disallow empty Match statements and add "Match all" which matches
+   everything. ok djm, man page help jmc@
 
 20131023
  - (djm) OpenBSD CVS Sync
diff --git a/readconf.c b/readconf.c
index f18666786..63c0ba196 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.212 2013/10/23 03:05:19 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.213 2013/10/24 00:51:48 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -459,7 +459,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
 {
 	char *arg, *attrib, *cmd, *cp = *condition, *host;
 	const char *ruser;
-	int r, port, result = 1;
+	int r, port, result = 1, attributes = 0;
 	size_t len;
 	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
 
@@ -478,6 +478,19 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
 	debug3("checking match for '%s' host %s", cp, host);
 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
+		attributes++;
+		if (strcasecmp(attrib, "all") == 0) {
+			if (attributes != 1 ||
+			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
+				error("'all' cannot be combined with other "
+				    "Match attributes");
+				result = -1;
+				goto out;
+			}
+			*condition = cp;
+			result = 1;
+			goto out;
+		}
 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
 			error("Missing Match criteria for %s", attrib);
 			result = -1;
@@ -544,6 +557,11 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
 			goto out;
 		}
 	}
+	if (attributes == 0) {
+		error("One or more attributes required for Match");
+		result = -1;
+		goto out;
+	}
 	debug3("match %sfound", result ? "" : "not ");
 	*condition = cp;
 out:
diff --git a/servconf.c b/servconf.c
index 100d38d9b..82146723f 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.242 2013/10/23 05:40:58 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.243 2013/10/24 00:51:48 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
  * All rights reserved
@@ -647,7 +647,7 @@ out:
 static int
 match_cfg_line(char **condition, int line, struct connection_info *ci)
 {
-	int result = 1, port;
+	int result = 1, attributes = 0, port;
 	char *arg, *attrib, *cp = *condition;
 	size_t len;
 
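Review bot: The new `all` branch in readconf.c's match_cfg_line carries no comment explaining the two conditions it enforces, and the same lines are repeated verbatim in servconf.c's match_cfg_line (the @@ -661 hunk); a comment above `if (strcasecmp(attrib, "all") == 0) {` such as `/* "all" must be the only token on the Match line: no criteria before it and nothing after it */` would make the intent clear in both copies. The message `'all' cannot be combined with other Match attributes` is also emitted when `all` is followed by a stray argument (`Match all foo` makes the `*arg != '\0'` test true), which is not a combination with another attribute; a message saying the token takes no argument would tell the user what to fix. The comparison is case-insensitive, so ssh_config.5's `.Cm all` and sshd_config.5's `.Cm All` are both accepted, but the two man pages should agree on one spelling. match_cfg_line continues past the hunk in both files.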
@@ -661,6 +661,17 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
+		attributes++;
+		if (strcasecmp(attrib, "all") == 0) {
+			if (attributes != 1 ||
+			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
+				error("'all' cannot be combined with other "
+				    "Match attributes");
+				return -1;
+			}
+			*condition = cp;
+			return 1;
+		}
 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
 			error("Missing Match criteria for %s", attrib);
 			return -1;
@@ -754,6 +765,10 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 			return -1;
 		}
 	}
+	if (attributes == 0) {
+		error("One or more attributes required for Match");
+		return -1;
+	}
 	if (ci != NULL)
 		debug3("match %sfound", result ? "" : "not ");
 	*condition = cp;
diff --git a/ssh_config.5 b/ssh_config.5
index 4161a6624..3ef494618 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.177 2013/10/20 18:00:13 jmc Exp $
-.Dd $Mdocdate: October 20 2013 $
+.\" $OpenBSD: ssh_config.5,v 1.178 2013/10/24 00:51:48 dtucker Exp $
+.Dd $Mdocdate: October 24 2013 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -134,7 +134,10 @@ or
 keyword) to be used only when the conditions following the
 .Cm Match
 keyword are satisfied.
-Match conditions are specified using one or more keyword/criteria pairs.
+Match conditions are specified using one or more keyword/criteria pairs
+or the single token
+.Cm all
+which matches all criteria.
 The available keywords are:
 .Cm exec ,
 .Cm host ,
diff --git a/sshd_config.5 b/sshd_config.5
index 3abac6c10..0536cc3c6 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $
-.Dd $Mdocdate: July 19 2013 $
+.\" $OpenBSD: sshd_config.5,v 1.163 2013/10/24 00:51:48 dtucker Exp $
+.Dd $Mdocdate: October 24 2013 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -750,7 +750,9 @@ line or the end of the file.
 .Pp
 The arguments to
 .Cm Match
-are one or more criteria-pattern pairs.
+are one or more criteria-pattern pairs or the single token
+.Cm All
+which matches all criteria.
 The available criteria are
 .Cm User ,
 .Cm Group ,
-- 
cgit v1.2.3