From 4890e539774ab8b57aa0ee733a5b07bdf9561af6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Sep 2007 11:57:38 +1000 Subject: - djm@cvs.openbsd.org 2007/08/23 03:22:16 [auth2-none.c sshd_config sshd_config.5] Support "Banner=none" to disable displaying of the pre-login banner; ok dtucker@ deraadt@ --- sshd_config.5 | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'sshd_config.5') diff --git a/sshd_config.5 b/sshd_config.5 index 2a283ea2d..3d4afb459 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.77 2007/06/08 07:48:09 jmc Exp $ -.Dd $Mdocdate: June 8 2007 $ +.\" $OpenBSD: sshd_config.5,v 1.78 2007/08/23 03:22:16 djm Exp $ +.Dd $Mdocdate: June 11 2007 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -159,10 +159,11 @@ directory. The default is .Dq .ssh/authorized_keys . .It Cm Banner -In some jurisdictions, sending a warning message before authentication -may be relevant for getting legal protection. The contents of the specified file are sent to the remote user before authentication is allowed. +If the argument is +.Dq none +then no banner is displayed. This option is only available for protocol version 2. By default, no banner is displayed. .It Cm ChallengeResponseAuthentication -- cgit v1.2.3 From 15f94271be59bc78e92992aae3a21ac6a9c42cfd Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 1 Jan 2008 20:36:56 +1100 Subject: - dtucker@cvs.openbsd.org 2008/01/01 09:27:33 [sshd_config.5 servconf.c] Allow PermitRootLogin in a Match block. Allows for, eg, permitting root only from the local network. ok markus@, man page bit ok jmc@ --- ChangeLog | 6 +++++- servconf.c | 7 ++++--- sshd_config.5 | 5 +++-- 3 files changed, 12 insertions(+), 6 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 2b7eb2aa8..5bd495c01 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,10 @@ If scp -p encounters a pre-epoch timestamp, use the epoch which is as close as we can get given that it's used unsigned. Add a little debugging while there. bz #828, ok djm@ + - dtucker@cvs.openbsd.org 2008/01/01 09:27:33 + [sshd_config.5 servconf.c] + Allow PermitRootLogin in a Match block. Allows for, eg, permitting root + only from the local network. ok markus@, man page bit ok jmc@ 20071231 - (dtucker) [configure.ac openbsd-compat/glob.{c,h}] Bug #1407: force use of @@ -3509,4 +3513,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4814 2008/01/01 09:36:25 dtucker Exp $ +$Id: ChangeLog,v 1.4815 2008/01/01 09:36:56 dtucker Exp $ diff --git a/servconf.c b/servconf.c index 4e3140fe3..19c286c18 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.174 2007/12/31 10:41:31 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.175 2008/01/01 09:27:33 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -321,7 +321,7 @@ static struct { { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL }, { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, - { "permitrootlogin", sPermitRootLogin, SSHCFG_GLOBAL }, + { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL }, { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, { "loglevel", sLogLevel, SSHCFG_GLOBAL }, { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, @@ -806,7 +806,7 @@ parse_filename: fatal("%s line %d: Bad yes/" "without-password/forced-commands-only/no " "argument: %s", filename, linenum, arg); - if (*intptr == -1) + if (*activep && *intptr == -1) *intptr = value; break; @@ -1351,6 +1351,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(kerberos_authentication); M_CP_INTOPT(hostbased_authentication); M_CP_INTOPT(kbd_interactive_authentication); + M_CP_INTOPT(permit_root_login); M_CP_INTOPT(allow_tcp_forwarding); M_CP_INTOPT(gateway_ports); diff --git a/sshd_config.5 b/sshd_config.5 index 3d4afb459..aa6720dc3 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.78 2007/08/23 03:22:16 djm Exp $ -.Dd $Mdocdate: June 11 2007 $ +.\" $OpenBSD: sshd_config.5,v 1.79 2008/01/01 09:27:33 dtucker Exp $ +.Dd $Mdocdate: January 1 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -524,6 +524,7 @@ Available keywords are .Cm KerberosAuthentication , .Cm PasswordAuthentication , .Cm PermitOpen , +.Cm PermitRootLogin , .Cm RhostsRSAAuthentication , .Cm RSAAuthentication , .Cm X11DisplayOffset , -- cgit v1.2.3 From d8cb1f184f9acaae02bb4d15ce1e00ffbeeeac88 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 10 Feb 2008 22:40:12 +1100 Subject: - djm@cvs.openbsd.org 2008/02/08 23:24:07 [servconf.c servconf.h session.c sftp-server.c sftp.h sshd_config] [sshd_config.5] add sshd_config ChrootDirectory option to chroot(2) users to a directory and tweak internal sftp server to work with it (no special files in chroot required). ok markus@ --- Makefile.in | 6 +-- servconf.c | 12 +++++- servconf.h | 4 +- session.c | 106 ++++++++++++++++++++++++++++++++++++++++++++++------- sftp-server-main.c | 50 +++++++++++++++++++++++++ sftp-server.c | 10 ++--- sftp.h | 6 ++- sshd_config | 3 +- sshd_config.5 | 54 ++++++++++++++++++++++++++- 9 files changed, 220 insertions(+), 31 deletions(-) create mode 100644 sftp-server-main.c (limited to 'sshd_config.5') diff --git a/Makefile.in b/Makefile.in index 2486edc95..1f78ea9cc 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.285 2007/06/11 04:01:42 djm Exp $ +# $Id: Makefile.in,v 1.286 2008/02/10 11:40:12 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -156,8 +156,8 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o - $(LD) -o $@ sftp-server.o sftp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o + $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) diff --git a/servconf.c b/servconf.c index 19c286c18..d38d0bfb1 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.175 2008/01/01 09:27:33 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.176 2008/02/08 23:24:08 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -122,6 +122,7 @@ initialize_server_options(ServerOptions *options) options->permit_tun = -1; options->num_permitted_opens = -1; options->adm_forced_command = NULL; + options->chroot_directory = NULL; } void @@ -291,7 +292,7 @@ typedef enum { sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, - sMatch, sPermitOpen, sForceCommand, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sDeprecated, sUnsupported } ServerOpCodes; @@ -403,6 +404,7 @@ static struct { { "match", sMatch, SSHCFG_ALL }, { "permitopen", sPermitOpen, SSHCFG_ALL }, { "forcecommand", sForceCommand, SSHCFG_ALL }, + { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; @@ -1147,6 +1149,7 @@ parse_flag: case sBanner: charptr = &options->banner; goto parse_filename; + /* * These options can contain %X options expanded at * connect time, so that you can specify paths like: @@ -1255,6 +1258,10 @@ parse_flag: options->adm_forced_command = xstrdup(cp + len); return 0; + case sChrootDirectory: + charptr = &options->chroot_directory; + goto parse_filename; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); @@ -1363,6 +1370,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) if (preauth) return; M_CP_STROPT(adm_forced_command); + M_CP_STROPT(chroot_directory); } #undef M_CP_INTOPT diff --git a/servconf.h b/servconf.h index 8a5b950ea..81a68be89 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.80 2007/02/19 10:45:58 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.81 2008/02/08 23:24:08 djm Exp $ */ /* * Author: Tatu Ylonen @@ -141,6 +141,8 @@ typedef struct { int permit_tun; int num_permitted_opens; + + char *chroot_directory; } ServerOptions; void initialize_server_options(ServerOptions *); diff --git a/session.c b/session.c index a1319b384..1768c8c2f 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.225 2008/02/04 21:53:00 markus Exp $ */ +/* $OpenBSD: session.c,v 1.226 2008/02/08 23:24:07 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -84,6 +84,7 @@ #include "sshlogin.h" #include "serverloop.h" #include "canohost.h" +#include "misc.h" #include "session.h" #include "kex.h" #include "monitor_wrap.h" @@ -93,6 +94,9 @@ #include #endif +/* Magic name for internal sftp-server */ +#define INTERNAL_SFTP_NAME "internal-sftp" + /* func */ Session *session_new(void); @@ -130,7 +134,7 @@ extern Buffer loginmsg; const char *original_command = NULL; /* data */ -#define MAX_SESSIONS 10 +#define MAX_SESSIONS 20 Session sessions[MAX_SESSIONS]; #define SUBSYSTEM_NONE 0 @@ -688,13 +692,17 @@ do_exec(Session *s, const char *command) if (options.adm_forced_command) { original_command = command; command = options.adm_forced_command; - if (s->is_subsystem) + if (strcmp(INTERNAL_SFTP_NAME, command) == 0) + s->is_subsystem = SUBSYSTEM_INT_SFTP; + else if (s->is_subsystem) s->is_subsystem = SUBSYSTEM_EXT; debug("Forced command (config) '%.900s'", command); } else if (forced_command) { original_command = command; command = forced_command; - if (s->is_subsystem) + if (strcmp(INTERNAL_SFTP_NAME, command) == 0) + s->is_subsystem = SUBSYSTEM_INT_SFTP; + else if (s->is_subsystem) s->is_subsystem = SUBSYSTEM_EXT; debug("Forced command (key option) '%.900s'", command); } @@ -710,7 +718,6 @@ do_exec(Session *s, const char *command) PRIVSEP(audit_run_command(shell)); } #endif - if (s->ttyfd != -1) do_exec_pty(s, command); else @@ -1293,6 +1300,61 @@ do_nologin(struct passwd *pw) } } +/* + * Chroot into a directory after checking it for safety: all path components + * must be root-owned directories with strict permissions. + */ +static void +safely_chroot(const char *path, uid_t uid) +{ + const char *cp; + char component[MAXPATHLEN]; + struct stat st; + + if (*path != '/') + fatal("chroot path does not begin at root"); + if (strlen(path) >= sizeof(component)) + fatal("chroot path too long"); + + /* + * Descend the path, checking that each component is a + * root-owned directory with strict permissions. + */ + for (cp = path; cp != NULL;) { + if ((cp = strchr(cp, '/')) == NULL) + strlcpy(component, path, sizeof(component)); + else { + cp++; + memcpy(component, path, cp - path); + component[cp - path] = '\0'; + } + + debug3("%s: checking '%s'", __func__, component); + + if (stat(component, &st) != 0) + fatal("%s: stat(\"%s\"): %s", __func__, + component, strerror(errno)); + if (st.st_uid != 0 || (st.st_mode & 022) != 0) + fatal("bad ownership or modes for chroot " + "directory %s\"%s\"", + cp == NULL ? "" : "component ", component); + if (!S_ISDIR(st.st_mode)) + fatal("chroot path %s\"%s\" is not a directory", + cp == NULL ? "" : "component ", component); + + } + + if (chdir(path) == -1) + fatal("Unable to chdir to chroot path \"%s\": " + "%s", path, strerror(errno)); + if (chroot(path) == -1) + fatal("chroot(\"%s\"): %s", path, strerror(errno)); + if (chdir("/") == -1) + fatal("%s: chdir(/) after chroot: %s", + __func__, strerror(errno)); + verbose("Changed root directory to \"%s\"", path); +} + /* Set login name, uid, gid, and groups. */ void do_setusercontext(struct passwd *pw) @@ -1324,7 +1386,7 @@ do_setusercontext(struct passwd *pw) } # endif /* USE_PAM */ if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { + (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { perror("unable to set user context"); exit(1); } @@ -1347,13 +1409,13 @@ do_setusercontext(struct passwd *pw) exit(1); } endgrent(); -#ifdef GSSAPI +# ifdef GSSAPI if (options.gss_authentication) { temporarily_use_uid(pw); ssh_gssapi_storecreds(); restore_uid(); } -#endif +# endif # ifdef USE_PAM /* * PAM credentials may take the form of supplementary groups. @@ -1367,15 +1429,33 @@ do_setusercontext(struct passwd *pw) # endif /* USE_PAM */ # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) irix_setusercontext(pw); -# endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ +# endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ # ifdef _AIX aix_usrinfo(pw); # endif /* _AIX */ -#ifdef USE_LIBIAF +# ifdef USE_LIBIAF if (set_id(pw->pw_name) != 0) { exit(1); } -#endif /* USE_LIBIAF */ +# endif /* USE_LIBIAF */ +#endif + + if (options.chroot_directory != NULL && + strcasecmp(options.chroot_directory, "none") != 0) { + char *chroot_path; + + chroot_path = percent_expand(options.chroot_directory, + "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL); + safely_chroot(chroot_path, pw->pw_uid); + free(chroot_path); + } + +#ifdef HAVE_LOGIN_CAP + if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) { + perror("unable to set user context (setuser)"); + exit(1); + } +#else /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif @@ -1625,7 +1705,7 @@ do_child(Session *s, const char *command) argv[i] = NULL; optind = optreset = 1; __progname = argv[0]; - exit(sftp_server_main(i, argv)); + exit(sftp_server_main(i, argv, s->pw)); } if (options.use_login) { @@ -1900,7 +1980,7 @@ session_subsystem_req(Session *s) if (strcmp(subsys, options.subsystem_name[i]) == 0) { prog = options.subsystem_command[i]; cmd = options.subsystem_args[i]; - if (!strcmp("internal-sftp", prog)) { + if (!strcmp(INTERNAL_SFTP_NAME, prog)) { s->is_subsystem = SUBSYSTEM_INT_SFTP; } else if (stat(prog, &st) < 0) { error("subsystem: cannot stat %s: %s", prog, diff --git a/sftp-server-main.c b/sftp-server-main.c new file mode 100644 index 000000000..1d2ea6220 --- /dev/null +++ b/sftp-server-main.c @@ -0,0 +1,50 @@ +/* $OpenBSD: */ +/* + * Copyright (c) 2008 Markus Friedl. All rights reserved. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#include +#include +#include +#include +#include + +#include "log.h" +#include "sftp.h" +#include "misc.h" + +void +cleanup_exit(int i) +{ + sftp_server_cleanup_exit(i); +} + +int +main(int argc, char **argv) +{ + struct passwd *user_pw; + + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ + sanitise_stdfd(); + + if ((user_pw = getpwuid(getuid())) == NULL) { + fprintf(stderr, "No user found for uid %lu", (u_long)getuid()); + return 1; + } + + return (sftp_server_main(argc, argv, user_pw)); +} diff --git a/sftp-server.c b/sftp-server.c index 373bd5eda..44ccefff8 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.76 2008/02/04 21:53:00 markus Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.77 2008/02/08 23:24:07 djm Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -1219,7 +1219,7 @@ sftp_server_usage(void) } int -sftp_server_main(int argc, char **argv) +sftp_server_main(int argc, char **argv, struct passwd *user_pw) { fd_set *rset, *wset; int in, out, max, ch, skipargs = 0, log_stderr = 0; @@ -1277,11 +1277,7 @@ sftp_server_main(int argc, char **argv) } else client_addr = xstrdup("UNKNOWN"); - if ((pw = getpwuid(getuid())) == NULL) { - error("No user found for uid %lu", (u_long)getuid()); - sftp_server_cleanup_exit(255); - } - pw = pwcopy(pw); + pw = pwcopy(user_pw); logit("session opened for local user %s from [%s]", pw->pw_name, client_addr); diff --git a/sftp.h b/sftp.h index 12b9cc056..0835da6ed 100644 --- a/sftp.h +++ b/sftp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.h,v 1.6 2008/02/04 21:53:00 markus Exp $ */ +/* $OpenBSD: sftp.h,v 1.7 2008/02/08 23:24:07 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -91,5 +91,7 @@ #define SSH2_FX_OP_UNSUPPORTED 8 #define SSH2_FX_MAX 8 -int sftp_server_main(int, char **); +struct passwd; + +int sftp_server_main(int, char **, struct passwd *); void sftp_server_cleanup_exit(int) __dead; diff --git a/sshd_config b/sshd_config index c7094e775..ddfbbe91e 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.76 2007/08/23 03:22:16 djm Exp $ +# $OpenBSD: sshd_config,v 1.77 2008/02/08 23:24:07 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -102,6 +102,7 @@ Protocol 2 #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no +#ChrootDirectory none # no default banner path #Banner none diff --git a/sshd_config.5 b/sshd_config.5 index aa6720dc3..2f83bf2e1 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.79 2008/01/01 09:27:33 dtucker Exp $ -.Dd $Mdocdate: January 1 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.80 2008/02/08 23:24:07 djm Exp $ +.Dd $Mdocdate: February 8 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -173,6 +173,45 @@ All authentication styles from are supported. The default is .Dq yes . +.It Cm ChrootDirectory +Specifies a path to +.Xr chroot 2 +to after authentication. +This path, and all its components, must be root-owned directories that are +not writable by any other user or group. +.Pp +The path may contain the following tokens that are expanded at runtime once +the connecting user has been authenticated: %% is replaced by a literal '%', +%h is replaced by the home directory of the user being authenticated, and +%u is replaced by the username of that user. +.Pp +The +.Cm ChrootDirectory +must contain the necessary files and directories to support the +users' session. +For an interactive session this requires at least a shell, typically +.Xr sh 1 , +and basic +.Pa /dev +nodes such as +.Xr null 4 , +.Xr zero 4 , +.Xr stdin 4 , +.Xr stdout 4 , +.Xr stderr 4 , +.Xr arandom 4 +and +.Xr tty 4 +devices. +For file transfer sessions using +.Dq sftp , +no additional configuration of the environment is necessary if the +in-process sftp server is used (see +.Cm Subsystem +for details. +.Pp +The default is not to +.Xr chroot 2 . .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. @@ -740,11 +779,22 @@ The default is Configures an external subsystem (e.g. file transfer daemon). Arguments should be a subsystem name and a command (with optional arguments) to execute upon subsystem request. +.Pp The command .Xr sftp-server 8 implements the .Dq sftp file transfer subsystem. +.Pp +Alternately the name +.Dq internal-sftp +implements an in-process +.Dq sftp +server. +This may simplify configurations using +.Cm ChrootDirectory +to force a different filesystem root on clients. +.Pp By default no subsystems are defined. Note that this option applies to protocol version 2 only. .It Cm SyslogFacility -- cgit v1.2.3 From 70433b5d7310b03a02424fecf7f40a756fee22ae Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 10 Feb 2008 22:45:13 +1100 Subject: - jmc@cvs.openbsd.org 2008/02/09 08:04:31 [sshd_config.5] missing `)'; --- sshd_config.5 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'sshd_config.5') diff --git a/sshd_config.5 b/sshd_config.5 index 2f83bf2e1..6fb93a078 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.80 2008/02/08 23:24:07 djm Exp $ -.Dd $Mdocdate: February 8 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.81 2008/02/09 08:04:31 jmc Exp $ +.Dd $Mdocdate: February 9 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -208,7 +208,7 @@ For file transfer sessions using no additional configuration of the environment is necessary if the in-process sftp server is used (see .Cm Subsystem -for details. +for details). .Pp The default is not to .Xr chroot 2 . -- cgit v1.2.3 From cdb6e65175fab4346be5b74b2527e4f28437e5fe Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 10 Feb 2008 22:47:24 +1100 Subject: - djm@cvs.openbsd.org 2008/02/10 09:55:37 [sshd_config.5] mantion that "internal-sftp" is useful with ForceCommand too --- ChangeLog | 5 ++++- sshd_config.5 | 9 +++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index c941fb892..eb10e1059 100644 --- a/ChangeLog +++ b/ChangeLog @@ -75,6 +75,9 @@ [ssh.1 sshd.8] Document the correct permissions for the ~/.ssh/ directory. ok jmc + - djm@cvs.openbsd.org 2008/02/10 09:55:37 + [sshd_config.5] + mantion that "internal-sftp" is useful with ForceCommand too 20080119 - (djm) Silence noice from expr in ssh-copy-id; patch from @@ -3603,4 +3606,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4835 2008/02/10 11:46:22 djm Exp $ +$Id: ChangeLog,v 1.4836 2008/02/10 11:47:24 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 6fb93a078..2d9126ee4 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.81 2008/02/09 08:04:31 jmc Exp $ -.Dd $Mdocdate: February 9 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.82 2008/02/10 09:55:37 djm Exp $ +.Dd $Mdocdate: February 10 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -333,6 +333,11 @@ block. The command originally supplied by the client is available in the .Ev SSH_ORIGINAL_COMMAND environment variable. +Specifying a command of +.Dq internal-sftp +will force the use of an in-process sftp server that requires no support +files when used with +.Cm ChrootDirectory . .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. -- cgit v1.2.3 From 5447eb2454961bdc1d01e6630a02bf844a799713 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 27 Mar 2008 10:50:21 +1100 Subject: - jmc@cvs.openbsd.org 2008/02/11 07:58:28 [ssh.1 sshd.8 sshd_config.5] bump Mdocdate for pages committed in "febuary", necessary because of a typo in rcs.c; --- ChangeLog | 7 ++++++- ssh.1 | 4 ++-- sshd.8 | 4 ++-- sshd_config.5 | 4 ++-- 4 files changed, 12 insertions(+), 7 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 4edfb8fa6..03635b5e3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,11 @@ but not enabled. Using it with selinux enabled will require some selinux support inside the chroot. "looks sane" djm@ - (djm) Fix RCS ident in sftp-server-main.c + - (djm) OpenBSD CVS sync: + - jmc@cvs.openbsd.org 2008/02/11 07:58:28 + [ssh.1 sshd.8 sshd_config.5] + bump Mdocdate for pages committed in "febuary", necessary because + of a typo in rcs.c; 20080315 - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are @@ -3772,4 +3777,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4881 2008/03/26 23:45:49 djm Exp $ +$Id: ChangeLog,v 1.4882 2008/03/26 23:50:21 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 35e29cc0c..e191bf04e 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.272 2008/02/09 12:15:43 mcbride Exp $ -.Dd $Mdocdate: February 9 2008 $ +.\" $OpenBSD: ssh.1,v 1.273 2008/02/11 07:58:28 jmc Exp $ +.Dd $Mdocdate: February 11 2008 $ .Dt SSH 1 .Os .Sh NAME diff --git a/sshd.8 b/sshd.8 index eff66eb0c..b91ca4fc7 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.238 2008/02/09 12:15:43 mcbride Exp $ -.Dd $Mdocdate: February 9 2008 $ +.\" $OpenBSD: sshd.8,v 1.239 2008/02/11 07:58:28 jmc Exp $ +.Dd $Mdocdate: February 11 2008 $ .Dt SSHD 8 .Os .Sh NAME diff --git a/sshd_config.5 b/sshd_config.5 index 2d9126ee4..a2f193470 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.82 2008/02/10 09:55:37 djm Exp $ -.Dd $Mdocdate: February 10 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.83 2008/02/11 07:58:28 jmc Exp $ +.Dd $Mdocdate: February 11 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME -- cgit v1.2.3 From a1b48ccf2d7383bc0cdc158324e400dd4f7ce87a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 27 Mar 2008 11:02:02 +1100 Subject: - djm@cvs.openbsd.org 2008/03/25 11:58:02 [session.c sshd_config.5] ignore ~/.ssh/rc if a sshd_config ForceCommand is specified; from dtucker@ ok deraadt@ djm@ --- ChangeLog | 6 +++++- session.c | 7 ++++--- sshd_config.5 | 8 +++++--- 3 files changed, 14 insertions(+), 7 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 876055383..993fe76c1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,10 @@ works now that kernel fd passing has been fixed to accept a bit of sloppiness because of this ABI repair. lots of discussion with kettenis + - djm@cvs.openbsd.org 2008/03/25 11:58:02 + [session.c sshd_config.5] + ignore ~/.ssh/rc if a sshd_config ForceCommand is specified; + from dtucker@ ok deraadt@ djm@ 20080315 - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are @@ -3801,4 +3805,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4886 2008/03/27 00:01:15 djm Exp $ +$Id: ChangeLog,v 1.4887 2008/03/27 00:02:02 djm Exp $ diff --git a/session.c b/session.c index 54621a4c0..3dcf222f5 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.230 2008/02/22 05:58:56 djm Exp $ */ +/* $OpenBSD: session.c,v 1.231 2008/03/25 11:58:02 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1202,8 +1202,9 @@ do_rc_files(Session *s, const char *shell) do_xauth = s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; - /* ignore _PATH_SSH_USER_RC for subsystems */ - if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) { + /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */ + if (!s->is_subsystem && options.adm_forced_command != NULL && + (stat(_PATH_SSH_USER_RC, &st) >= 0)) { snprintf(cmd, sizeof cmd, "%s -c '%s %s'", shell, _PATH_BSHELL, _PATH_SSH_USER_RC); if (debug_flag) diff --git a/sshd_config.5 b/sshd_config.5 index a2f193470..245ed946f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.83 2008/02/11 07:58:28 jmc Exp $ -.Dd $Mdocdate: February 11 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.84 2008/03/25 11:58:02 djm Exp $ +.Dd $Mdocdate: March 25 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -324,7 +324,9 @@ for more information on patterns. .It Cm ForceCommand Forces the execution of the command specified by .Cm ForceCommand , -ignoring any command supplied by the client. +ignoring any command supplied by the client and +.Pa ~/.ssh/rc +if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a -- cgit v1.2.3 From 797e3d117f8b4cfed5f066ef88f28826eb8f8b41 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 19 May 2008 14:27:42 +1000 Subject: - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2008/04/04 05:14:38 [sshd_config.5] ChrootDirectory is supported in Match blocks (in fact, it is most useful there). Spotted by Minstrel AT minstrel.org.uk --- ChangeLog | 9 ++++++++- sshd_config.5 | 38 ++++++++++++++++++++++++++++++++++++-- 2 files changed, 44 insertions(+), 3 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 91e6ff030..dd8602954 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20080518 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2008/04/04 05:14:38 + [sshd_config.5] + ChrootDirectory is supported in Match blocks (in fact, it is most useful + there). Spotted by Minstrel AT minstrel.org.uk + 20080403 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- time warnings on LynxOS. Patch from ops AT iki.fi @@ -3857,4 +3864,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4905 2008/05/16 00:01:54 djm Exp $ +$Id: ChangeLog,v 1.4906 2008/05/19 04:27:42 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 245ed946f..be3869713 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.84 2008/03/25 11:58:02 djm Exp $ -.Dd $Mdocdate: March 25 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.85 2008/04/04 05:14:38 djm Exp $ +.Dd $Mdocdate: April 4 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -210,6 +210,29 @@ in-process sftp server is used (see .Cm Subsystem for details). .Pp +Please note that there are many ways to misconfigure a chroot environment +in ways that compromise security. +These include: +.Pp +.Bl -dash -offset indent -compact +.It +Making unsafe setuid binaries available; +.It +Having missing or incorrect configuration files in the chroot's +.Pa /etc +directory; +.It +Hard-linking files between the chroot and outside; +.It +Leaving unnecessary +.Pa /dev +nodes accessible inside the chroot (especially those for physical drives); +.It +Executing scripts or binaries inside the chroot from outside, either +directly or through facilities such as +.Xr cron 8 . +.El +.Pp The default is not to .Xr chroot 2 . .It Cm Ciphers @@ -340,6 +363,11 @@ Specifying a command of will force the use of an in-process sftp server that requires no support files when used with .Cm ChrootDirectory . +Note that +.Dq internal-sftp +is only supported when +.Cm UsePrivilegeSeparation +is enabled. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. @@ -563,6 +591,7 @@ keyword. Available keywords are .Cm AllowTcpForwarding , .Cm Banner , +.Cm ChrootDirectory , .Cm ForceCommand , .Cm GatewayPorts , .Cm GSSApiAuthentication , @@ -801,6 +830,11 @@ server. This may simplify configurations using .Cm ChrootDirectory to force a different filesystem root on clients. +Note that +.Dq internal-sftp +is only supported when +.Cm UsePrivilegeSeparation +is enabled. .Pp By default no subsystems are defined. Note that this option applies to protocol version 2 only. -- cgit v1.2.3 From 56f41ddc5472ef04f20c59ec94a74825b8439898 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 19 May 2008 14:28:19 +1000 Subject: - djm@cvs.openbsd.org 2008/04/04 06:44:26 [sshd_config.5] oops, some unrelated stuff crept into that commit - backout. spotted by jmc@ --- ChangeLog | 6 +++++- sshd_config.5 | 37 ++----------------------------------- 2 files changed, 7 insertions(+), 36 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index dd8602954..f0ecbe21a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,10 @@ [sshd_config.5] ChrootDirectory is supported in Match blocks (in fact, it is most useful there). Spotted by Minstrel AT minstrel.org.uk + - djm@cvs.openbsd.org 2008/04/04 06:44:26 + [sshd_config.5] + oops, some unrelated stuff crept into that commit - backout. + spotted by jmc@ 20080403 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- @@ -3864,4 +3868,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4906 2008/05/19 04:27:42 djm Exp $ +$Id: ChangeLog,v 1.4907 2008/05/19 04:28:19 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index be3869713..601b56402 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.85 2008/04/04 05:14:38 djm Exp $ -.Dd $Mdocdate: April 4 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.86 2008/04/04 06:44:26 djm Exp $ +.Dd $Mdocdate: May 19 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -210,29 +210,6 @@ in-process sftp server is used (see .Cm Subsystem for details). .Pp -Please note that there are many ways to misconfigure a chroot environment -in ways that compromise security. -These include: -.Pp -.Bl -dash -offset indent -compact -.It -Making unsafe setuid binaries available; -.It -Having missing or incorrect configuration files in the chroot's -.Pa /etc -directory; -.It -Hard-linking files between the chroot and outside; -.It -Leaving unnecessary -.Pa /dev -nodes accessible inside the chroot (especially those for physical drives); -.It -Executing scripts or binaries inside the chroot from outside, either -directly or through facilities such as -.Xr cron 8 . -.El -.Pp The default is not to .Xr chroot 2 . .It Cm Ciphers @@ -363,11 +340,6 @@ Specifying a command of will force the use of an in-process sftp server that requires no support files when used with .Cm ChrootDirectory . -Note that -.Dq internal-sftp -is only supported when -.Cm UsePrivilegeSeparation -is enabled. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. @@ -830,11 +802,6 @@ server. This may simplify configurations using .Cm ChrootDirectory to force a different filesystem root on clients. -Note that -.Dq internal-sftp -is only supported when -.Cm UsePrivilegeSeparation -is enabled. .Pp By default no subsystems are defined. Note that this option applies to protocol version 2 only. -- cgit v1.2.3 From 25434de4606924a31016e42728c4acdf6de90cc7 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 19 May 2008 14:29:08 +1000 Subject: - djm@cvs.openbsd.org 2008/04/05 02:46:02 [sshd_config.5] HostbasedAuthentication is supported under Match too --- ChangeLog | 5 ++++- sshd_config.5 | 7 ++++--- 2 files changed, 8 insertions(+), 4 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index f0ecbe21a..f466f481e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,9 @@ [sshd_config.5] oops, some unrelated stuff crept into that commit - backout. spotted by jmc@ + - djm@cvs.openbsd.org 2008/04/05 02:46:02 + [sshd_config.5] + HostbasedAuthentication is supported under Match too 20080403 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- @@ -3868,4 +3871,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4907 2008/05/19 04:28:19 djm Exp $ +$Id: ChangeLog,v 1.4908 2008/05/19 04:29:08 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 601b56402..6edaa9260 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.86 2008/04/04 06:44:26 djm Exp $ -.Dd $Mdocdate: May 19 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.87 2008/04/05 02:46:02 djm Exp $ +.Dd $Mdocdate: April 5 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -566,7 +566,8 @@ Available keywords are .Cm ChrootDirectory , .Cm ForceCommand , .Cm GatewayPorts , -.Cm GSSApiAuthentication , +.Cm GSSAPIAuthentication , +.Cm HostbasedAuthentication , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , .Cm PasswordAuthentication , -- cgit v1.2.3 From 4f755cdc05f5c6dee7cb1894f8d3bcaee33443d0 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 19 May 2008 14:57:41 +1000 Subject: - pyr@cvs.openbsd.org 2008/05/07 05:49:37 [servconf.c servconf.h session.c sshd_config.5] Enable the AllowAgentForwarding option in sshd_config (global and match context), to specify if agents should be permitted on the server. As the man page states: ``Note that disabling Agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.'' ok djm@, ok and a mild frown markus@ --- ChangeLog | 11 ++++++++++- servconf.c | 13 +++++++++++-- servconf.h | 3 ++- session.c | 7 ++++--- sshd_config.5 | 13 +++++++++++-- 5 files changed, 38 insertions(+), 9 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index b7e6098e5..8ee0b0e55 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,15 @@ [ssh-keyscan.1 ssh-keyscan.c] default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by larsnooden AT openoffice.org + - pyr@cvs.openbsd.org 2008/05/07 05:49:37 + [servconf.c servconf.h session.c sshd_config.5] + Enable the AllowAgentForwarding option in sshd_config (global and match + context), to specify if agents should be permitted on the server. + As the man page states: + ``Note that disabling Agent forwarding does not improve security + unless users are also denied shell access, as they can always install + their own forwarders.'' + ok djm@, ok and a mild frown markus@ 20080403 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- @@ -3903,4 +3912,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4915 2008/05/19 04:56:33 djm Exp $ +$Id: ChangeLog,v 1.4916 2008/05/19 04:57:41 djm Exp $ diff --git a/servconf.c b/servconf.c index 9add96ca1..e6d49099b 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.177 2008/02/10 10:54:28 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.178 2008/05/07 05:49:37 pyr Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -99,6 +99,7 @@ initialize_server_options(ServerOptions *options) options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; + options->allow_agent_forwarding = -1; options->num_allow_users = 0; options->num_deny_users = 0; options->num_allow_groups = 0; @@ -223,6 +224,8 @@ fill_default_server_options(ServerOptions *options) options->compression = COMP_DELAYED; if (options->allow_tcp_forwarding == -1) options->allow_tcp_forwarding = 1; + if (options->allow_agent_forwarding == -1) + options->allow_agent_forwarding = 1; if (options->gateway_ports == -1) options->gateway_ports = 0; if (options->max_startups == -1) @@ -293,7 +296,7 @@ typedef enum { sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, - sUsePrivilegeSeparation, + sUsePrivilegeSeparation, sAllowAgentForwarding, sDeprecated, sUnsupported } ServerOpCodes; @@ -379,6 +382,7 @@ static struct { { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, + { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL }, { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, @@ -1005,6 +1009,10 @@ parse_flag: intptr = &options->allow_tcp_forwarding; goto parse_flag; + case sAllowAgentForwarding: + intptr = &options->allow_agent_forwarding; + goto parse_flag; + case sUsePrivilegeSeparation: intptr = &use_privsep; goto parse_flag; @@ -1368,6 +1376,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(permit_root_login); M_CP_INTOPT(allow_tcp_forwarding); + M_CP_INTOPT(allow_agent_forwarding); M_CP_INTOPT(gateway_ports); M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_forwarding); diff --git a/servconf.h b/servconf.h index 5b88067db..aaf87cd18 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.82 2008/02/13 22:38:17 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.83 2008/05/07 05:49:37 pyr Exp $ */ /* * Author: Tatu Ylonen @@ -101,6 +101,7 @@ typedef struct { int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ int allow_tcp_forwarding; + int allow_agent_forwarding; u_int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; u_int num_deny_users; diff --git a/session.c b/session.c index f2bcfd061..16e455588 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.234 2008/04/18 22:01:33 djm Exp $ */ +/* $OpenBSD: session.c,v 1.235 2008/05/07 05:49:37 pyr Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -335,7 +335,8 @@ do_authenticated1(Authctxt *authctxt) break; case SSH_CMSG_AGENT_REQUEST_FORWARDING: - if (no_agent_forwarding_flag || compat13) { + if (!options.allow_agent_forwarding || + no_agent_forwarding_flag || compat13) { debug("Authentication agent forwarding not permitted for this authentication."); break; } @@ -2081,7 +2082,7 @@ session_auth_agent_req(Session *s) { static int called = 0; packet_check_eom(); - if (no_agent_forwarding_flag) { + if (no_agent_forwarding_flag || !options.allow_agent_forwarding) { debug("session_auth_agent_req: no_agent_forwarding_flag"); return 0; } diff --git a/sshd_config.5 b/sshd_config.5 index 6edaa9260..b93c801e3 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.87 2008/04/05 02:46:02 djm Exp $ -.Dd $Mdocdate: April 5 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.88 2008/05/07 05:49:37 pyr Exp $ +.Dd $Mdocdate: May 7 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -114,6 +114,15 @@ See in .Xr ssh_config 5 for more information on patterns. +.It Cm AllowAgentForwarding +Specifies whether +.Xr ssh-agent 1 +forwarding is permitted. +The default is +.Dq yes . +Note that disabling Agent forwarding does not improve security +unless users are also denied shell access, as they can always install +their own forwarders. .It Cm AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is -- cgit v1.2.3 From e9890193032b4bba7afa40d4fc003bbf629afba2 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 19 May 2008 14:59:02 +1000 Subject: - jmc@cvs.openbsd.org 2008/05/07 08:00:14 [sshd_config.5] sort; --- ChangeLog | 5 ++++- sshd_config.5 | 22 +++++++++++----------- 2 files changed, 15 insertions(+), 12 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 01274c697..4ac32e57f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -55,6 +55,9 @@ - pyr@cvs.openbsd.org 2008/05/07 06:43:35 [sshd_config] push the sshd_config bits in, spotted by ajacoutot@ + - jmc@cvs.openbsd.org 2008/05/07 08:00:14 + [sshd_config.5] + sort; 20080403 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- @@ -3915,4 +3918,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4917 2008/05/19 04:58:22 djm Exp $ +$Id: ChangeLog,v 1.4918 2008/05/19 04:59:02 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index b93c801e3..99b5621e7 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.88 2008/05/07 05:49:37 pyr Exp $ -.Dd $Mdocdate: May 7 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.89 2008/05/07 08:00:14 jmc Exp $ +.Dd $Mdocdate: May 19 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -95,6 +95,15 @@ Valid arguments are (use IPv6 only). The default is .Dq any . +.It Cm AllowAgentForwarding +Specifies whether +.Xr ssh-agent 1 +forwarding is permitted. +The default is +.Dq yes . +Note that disabling agent forwarding does not improve security +unless users are also denied shell access, as they can always install +their own forwarders. .It Cm AllowGroups This keyword can be followed by a list of group name patterns, separated by spaces. @@ -114,15 +123,6 @@ See in .Xr ssh_config 5 for more information on patterns. -.It Cm AllowAgentForwarding -Specifies whether -.Xr ssh-agent 1 -forwarding is permitted. -The default is -.Dq yes . -Note that disabling Agent forwarding does not improve security -unless users are also denied shell access, as they can always install -their own forwarders. .It Cm AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is -- cgit v1.2.3 From 7207f64a23a49a719aad3083c068f50e5034ccb8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 19 May 2008 15:34:50 +1000 Subject: - djm@cvs.openbsd.org 2008/05/08 12:21:16 [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] [sshd_config sshd_config.5] Make the maximum number of sessions run-time controllable via a sshd_config MaxSessions knob. This is useful for disabling login/shell/subsystem access while leaving port-forwarding working (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or simply increasing the number of allows multiplexed sessions. Because some bozos are sure to configure MaxSessions in excess of the number of available file descriptors in sshd (which, at peak, might be as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds on error paths, and make it fail gracefully on out-of-fd conditions - sending channel errors instead of than exiting with fatal(). bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com ok markus@ --- ChangeLog | 17 ++- monitor.c | 4 +- monitor_wrap.c | 22 +++- servconf.c | 21 +++- servconf.h | 4 +- session.c | 382 +++++++++++++++++++++++++++++++++++++++------------------ session.h | 4 +- sshd_config | 3 +- sshd_config.5 | 7 +- 9 files changed, 326 insertions(+), 138 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 99dbdaf78..5ea4afcac 100644 --- a/ChangeLog +++ b/ChangeLog @@ -77,6 +77,21 @@ shouldn't happen in compliant implementations, but it could be abused to leak memory. ok markus@ (as part of a larger diff) + - djm@cvs.openbsd.org 2008/05/08 12:21:16 + [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] + [sshd_config sshd_config.5] + Make the maximum number of sessions run-time controllable via + a sshd_config MaxSessions knob. This is useful for disabling + login/shell/subsystem access while leaving port-forwarding working + (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or + simply increasing the number of allows multiplexed sessions. + Because some bozos are sure to configure MaxSessions in excess of the + number of available file descriptors in sshd (which, at peak, might be + as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds + on error paths, and make it fail gracefully on out-of-fd conditions - + sending channel errors instead of than exiting with fatal(). + bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com + ok markus@ 20080403 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- @@ -3937,4 +3952,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4922 2008/05/19 05:28:35 djm Exp $ +$Id: ChangeLog,v 1.4923 2008/05/19 05:34:50 djm Exp $ diff --git a/monitor.c b/monitor.c index 04f6924b6..f872edbb5 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.95 2008/05/08 12:02:23 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.96 2008/05/08 12:21:16 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1273,7 +1273,7 @@ mm_session_close(Session *s) debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); session_pty_cleanup2(s); } - s->used = 0; + session_unused(s->self); } int diff --git a/monitor_wrap.c b/monitor_wrap.c index 72fd5c83c..e65fb1279 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.61 2008/05/08 12:02:23 djm Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.62 2008/05/08 12:21:16 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -666,7 +666,20 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) { Buffer m; char *p, *msg; - int success = 0; + int success = 0, tmp1 = -1, tmp2 = -1; + + /* Kludge: ensure there are fds free to receive the pty/tty */ + if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || + (tmp2 = dup(pmonitor->m_recvfd)) == -1) { + error("%s: cannot allocate fds for pty", __func__); + if (tmp1 > 0) + close(tmp1); + if (tmp2 > 0) + close(tmp2); + return 0; + } + close(tmp1); + close(tmp2); buffer_init(&m); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTY, &m); @@ -711,8 +724,9 @@ mm_session_pty_cleanup2(Session *s) buffer_free(&m); /* closed dup'ed master */ - if (close(s->ptymaster) < 0) - error("close(s->ptymaster): %s", strerror(errno)); + if (s->ptymaster != -1 && close(s->ptymaster) < 0) + error("close(s->ptymaster/%d): %s", + s->ptymaster, strerror(errno)); /* unlink pty from session */ s->ttyfd = -1; diff --git a/servconf.c b/servconf.c index b8a968aa3..94dff1fd6 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.179 2008/05/08 12:02:23 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.180 2008/05/08 12:21:16 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -114,6 +114,7 @@ initialize_server_options(ServerOptions *options) options->max_startups_rate = -1; options->max_startups = -1; options->max_authtries = -1; + options->max_sessions = -1; options->banner = NULL; options->use_dns = -1; options->client_alive_interval = -1; @@ -237,6 +238,8 @@ fill_default_server_options(ServerOptions *options) options->max_startups_begin = options->max_startups; if (options->max_authtries == -1) options->max_authtries = DEFAULT_AUTH_FAIL_MAX; + if (options->max_sessions == -1) + options->max_sessions = DEFAULT_SESSIONS_MAX; if (options->use_dns == -1) options->use_dns = 1; if (options->client_alive_interval == -1) @@ -291,7 +294,7 @@ typedef enum { sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, - sMaxStartups, sMaxAuthTries, + sMaxStartups, sMaxAuthTries, sMaxSessions, sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -395,6 +398,7 @@ static struct { { "subsystem", sSubsystem, SSHCFG_GLOBAL }, { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, + { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, @@ -695,7 +699,7 @@ process_server_config_line(ServerOptions *options, char *line, case sServerKeyBits: intptr = &options->server_key_bits; -parse_int: + parse_int: arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: missing integer value.", @@ -707,7 +711,7 @@ parse_int: case sLoginGraceTime: intptr = &options->login_grace_time; -parse_time: + parse_time: arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: missing time value.", @@ -776,7 +780,7 @@ parse_time: fatal("%s line %d: too many host keys specified (max %d).", filename, linenum, MAX_HOSTKEYS); charptr = &options->host_key_files[*intptr]; -parse_filename: + parse_filename: arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: missing file name.", @@ -819,7 +823,7 @@ parse_filename: case sIgnoreRhosts: intptr = &options->ignore_rhosts; -parse_flag: + parse_flag: arg = strdelim(&cp); if (!arg || *arg == '\0') fatal("%s line %d: missing yes/no argument.", @@ -1155,6 +1159,10 @@ parse_flag: intptr = &options->max_authtries; goto parse_int; + case sMaxSessions: + intptr = &options->max_sessions; + goto parse_int; + case sBanner: charptr = &options->banner; goto parse_filename; @@ -1382,6 +1390,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(x11_display_offset); M_CP_INTOPT(x11_forwarding); M_CP_INTOPT(x11_use_localhost); + M_CP_INTOPT(max_sessions); M_CP_STROPT(banner); if (preauth) diff --git a/servconf.h b/servconf.h index aaf87cd18..819a028c8 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.83 2008/05/07 05:49:37 pyr Exp $ */ +/* $OpenBSD: servconf.h,v 1.84 2008/05/08 12:21:16 djm Exp $ */ /* * Author: Tatu Ylonen @@ -35,6 +35,7 @@ #define PERMIT_YES 3 #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ +#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ /* Magic name for internal sftp-server */ #define INTERNAL_SFTP_NAME "internal-sftp" @@ -123,6 +124,7 @@ typedef struct { int max_startups_rate; int max_startups; int max_authtries; + int max_sessions; char *banner; /* SSH-2 banner message */ int use_dns; int client_alive_interval; /* diff --git a/session.c b/session.c index ca04a4532..c8ed25234 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.236 2008/05/08 12:02:23 djm Exp $ */ +/* $OpenBSD: session.c,v 1.237 2008/05/08 12:21:16 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -102,9 +102,9 @@ void session_set_fds(Session *, int, int, int); void session_pty_cleanup(Session *); void session_proctitle(Session *); int session_setup_x11fwd(Session *); -void do_exec_pty(Session *, const char *); -void do_exec_no_pty(Session *, const char *); -void do_exec(Session *, const char *); +int do_exec_pty(Session *, const char *); +int do_exec_no_pty(Session *, const char *); +int do_exec(Session *, const char *); void do_login(Session *, const char *); #ifdef LOGIN_NEEDS_UTMPX static void do_pre_login(Session *s); @@ -132,8 +132,9 @@ extern Buffer loginmsg; const char *original_command = NULL; /* data */ -#define MAX_SESSIONS 20 -Session sessions[MAX_SESSIONS]; +static int sessions_first_unused = -1; +static int sessions_nalloc = 0; +static Session *sessions = NULL; #define SUBSYSTEM_NONE 0 #define SUBSYSTEM_EXT 1 @@ -167,7 +168,7 @@ static int auth_input_request_forwarding(struct passwd * pw) { Channel *nc; - int sock; + int sock = -1; struct sockaddr_un sunaddr; if (auth_sock_name != NULL) { @@ -179,43 +180,48 @@ auth_input_request_forwarding(struct passwd * pw) temporarily_use_uid(pw); /* Allocate a buffer for the socket name, and format the name. */ - auth_sock_name = xmalloc(MAXPATHLEN); - auth_sock_dir = xmalloc(MAXPATHLEN); - strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN); + auth_sock_dir = xstrdup("/tmp/ssh-XXXXXXXXXX"); /* Create private directory for socket */ if (mkdtemp(auth_sock_dir) == NULL) { packet_send_debug("Agent forwarding disabled: " "mkdtemp() failed: %.100s", strerror(errno)); restore_uid(); - xfree(auth_sock_name); xfree(auth_sock_dir); - auth_sock_name = NULL; auth_sock_dir = NULL; - return 0; + goto authsock_err; } - snprintf(auth_sock_name, MAXPATHLEN, "%s/agent.%ld", - auth_sock_dir, (long) getpid()); + + xasprintf(&auth_sock_name, "%s/agent.%ld", + auth_sock_dir, (long) getpid()); /* Create the socket. */ sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock < 0) - packet_disconnect("socket: %.100s", strerror(errno)); + if (sock < 0) { + error("socket: %.100s", strerror(errno)); + restore_uid(); + goto authsock_err; + } /* Bind it to the name. */ memset(&sunaddr, 0, sizeof(sunaddr)); sunaddr.sun_family = AF_UNIX; strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path)); - if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) - packet_disconnect("bind: %.100s", strerror(errno)); + if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) { + error("bind: %.100s", strerror(errno)); + restore_uid(); + goto authsock_err; + } /* Restore the privileged uid. */ restore_uid(); /* Start listening on the socket. */ - if (listen(sock, SSH_LISTEN_BACKLOG) < 0) - packet_disconnect("listen: %.100s", strerror(errno)); + if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { + error("listen: %.100s", strerror(errno)); + goto authsock_err; + } /* Allocate a channel for the authentication agent socket. */ nc = channel_new("auth socket", @@ -224,6 +230,19 @@ auth_input_request_forwarding(struct passwd * pw) 0, "auth socket", 1); strlcpy(nc->path, auth_sock_name, sizeof(nc->path)); return 1; + + authsock_err: + if (auth_sock_name != NULL) + xfree(auth_sock_name); + if (auth_sock_dir != NULL) { + rmdir(auth_sock_dir); + xfree(auth_sock_dir); + } + if (sock != -1) + close(sock); + auth_sock_name = NULL; + auth_sock_dir = NULL; + return 0; } static void @@ -373,10 +392,14 @@ do_authenticated1(Authctxt *authctxt) if (type == SSH_CMSG_EXEC_CMD) { command = packet_get_string(&dlen); debug("Exec command '%.500s'", command); - do_exec(s, command); + if (do_exec(s, command) != 0) + packet_disconnect( + "command execution failed"); xfree(command); } else { - do_exec(s, NULL); + if (do_exec(s, NULL) != 0) + packet_disconnect( + "shell execution failed"); } packet_check_eom(); session_close(s); @@ -401,41 +424,84 @@ do_authenticated1(Authctxt *authctxt) } } +#define USE_PIPES /* * This is called to fork and execute a command when we have no tty. This * will call do_child from the child, and server_loop from the parent after * setting up file descriptors and such. */ -void +int do_exec_no_pty(Session *s, const char *command) { pid_t pid; #ifdef USE_PIPES int pin[2], pout[2], perr[2]; + /* Allocate pipes for communicating with the program. */ - if (pipe(pin) < 0 || pipe(pout) < 0 || pipe(perr) < 0) - packet_disconnect("Could not create pipes: %.100s", - strerror(errno)); -#else /* USE_PIPES */ + if (pipe(pin) < 0) { + error("%s: pipe in: %.100s", __func__, strerror(errno)); + return -1; + } + if (pipe(pout) < 0) { + error("%s: pipe out: %.100s", __func__, strerror(errno)); + close(pin[0]); + close(pin[1]); + return -1; + } + if (pipe(perr) < 0) { + error("%s: pipe err: %.100s", __func__, strerror(errno)); + close(pin[0]); + close(pin[1]); + close(pout[0]); + close(pout[1]); + return -1; + } +#else int inout[2], err[2]; + /* Uses socket pairs to communicate with the program. */ - if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0 || - socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) - packet_disconnect("Could not create socket pairs: %.100s", - strerror(errno)); -#endif /* USE_PIPES */ + if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0) { + error("%s: socketpair #1: %.100s", __func__, strerror(errno)); + return -1; + } + if (socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0) { + error("%s: socketpair #2: %.100s", __func__, strerror(errno)); + close(inout[0]); + close(inout[1]); + return -1; + } +#endif + if (s == NULL) fatal("do_exec_no_pty: no session"); session_proctitle(s); /* Fork the child. */ - if ((pid = fork()) == 0) { + switch ((pid = fork())) { + case -1: + error("%s: fork: %.100s", __func__, strerror(errno)); +#ifdef USE_PIPES + close(pin[0]); + close(pin[1]); + close(pout[0]); + close(pout[1]); + close(perr[0]); + close(perr[1]); +#else + close(inout[0]); + close(inout[1]); + close(err[0]); + close(err[1]); +#endif + return -1; + case 0: is_child = 1; /* Child. Reinitialize the log since the pid has changed. */ - log_init(__progname, options.log_level, options.log_facility, log_stderr); + log_init(__progname, options.log_level, + options.log_facility, log_stderr); /* * Create a new session and process group since the 4.4BSD @@ -465,7 +531,7 @@ do_exec_no_pty(Session *s, const char *command) if (dup2(perr[1], 2) < 0) perror("dup2 stderr"); close(perr[1]); -#else /* USE_PIPES */ +#else /* * Redirect stdin, stdout, and stderr. Stdin and stdout will * use the same socket, as some programs (particularly rdist) @@ -475,11 +541,14 @@ do_exec_no_pty(Session *s, const char *command) close(err[1]); if (dup2(inout[0], 0) < 0) /* stdin */ perror("dup2 stdin"); - if (dup2(inout[0], 1) < 0) /* stdout. Note: same socket as stdin. */ + if (dup2(inout[0], 1) < 0) /* stdout (same as stdin) */ perror("dup2 stdout"); + close(inout[0]); if (dup2(err[0], 2) < 0) /* stderr */ perror("dup2 stderr"); -#endif /* USE_PIPES */ + close(err[0]); +#endif + #ifdef _UNICOS cray_init_job(s->pw); /* set up cray jid and tmpdir */ @@ -488,7 +557,10 @@ do_exec_no_pty(Session *s, const char *command) /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ + default: + break; } + #ifdef _UNICOS signal(WJSIGNAL, cray_job_termination_handler); #endif /* _UNICOS */ @@ -496,11 +568,18 @@ do_exec_no_pty(Session *s, const char *command) if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); #endif - if (pid < 0) - packet_disconnect("fork failed: %.100s", strerror(errno)); + s->pid = pid; /* Set interactive/non-interactive mode. */ packet_set_interactive(s->display != NULL); + + /* + * Clear loginmsg, since it's the child's responsibility to display + * it to the user, otherwise multiple sessions may accumulate + * multiple copies of the login messages. + */ + buffer_clear(&loginmsg); + #ifdef USE_PIPES /* We are the parent. Close the child sides of the pipes. */ close(pin[0]); @@ -518,29 +597,26 @@ do_exec_no_pty(Session *s, const char *command) server_loop(pid, pin[1], pout[0], perr[0]); /* server_loop has closed pin[1], pout[0], and perr[0]. */ } -#else /* USE_PIPES */ +#else /* We are the parent. Close the child sides of the socket pairs. */ close(inout[0]); close(err[0]); - /* - * Clear loginmsg, since it's the child's responsibility to display - * it to the user, otherwise multiple sessions may accumulate - * multiple copies of the login messages. - */ - buffer_clear(&loginmsg); - /* * Enter the interactive session. Note: server_loop must be able to * handle the case that fdin and fdout are the same. */ if (compat20) { - session_set_fds(s, inout[1], inout[1], s->is_subsystem ? -1 : err[1]); + session_set_fds(s, inout[1], inout[1], + s->is_subsystem ? -1 : err[1]); + if (s->is_subsystem) + close(err[1]); } else { server_loop(pid, inout[1], inout[1], err[1]); /* server_loop has closed inout[1] and err[1]. */ } -#endif /* USE_PIPES */ +#endif + return 0; } /* @@ -549,7 +625,7 @@ do_exec_no_pty(Session *s, const char *command) * setting up file descriptors, controlling tty, updating wtmp, utmp, * lastlog, and other such operations. */ -void +int do_exec_pty(Session *s, const char *command) { int fdout, ptyfd, ttyfd, ptymaster; @@ -560,12 +636,46 @@ do_exec_pty(Session *s, const char *command) ptyfd = s->ptyfd; ttyfd = s->ttyfd; + /* + * Create another descriptor of the pty master side for use as the + * standard input. We could use the original descriptor, but this + * simplifies code in server_loop. The descriptor is bidirectional. + * Do this before forking (and cleanup in the child) so as to + * detect and gracefully fail out-of-fd conditions. + */ + if ((fdout = dup(ptyfd)) < 0) { + error("%s: dup #1: %s", __func__, strerror(errno)); + close(ttyfd); + close(ptyfd); + return -1; + } + /* we keep a reference to the pty master */ + if ((ptymaster = dup(ptyfd)) < 0) { + error("%s: dup #2: %s", __func__, strerror(errno)); + close(ttyfd); + close(ptyfd); + close(fdout); + return -1; + } + /* Fork the child. */ - if ((pid = fork()) == 0) { + switch ((pid = fork())) { + case -1: + error("%s: fork: %.100s", __func__, strerror(errno)); + close(fdout); + close(ptymaster); + close(ttyfd); + close(ptyfd); + return -1; + case 0: is_child = 1; + close(fdout); + close(ptymaster); + /* Child. Reinitialize the log because the pid has changed. */ - log_init(__progname, options.log_level, options.log_facility, log_stderr); + log_init(__progname, options.log_level, + options.log_facility, log_stderr); /* Close the master side of the pseudo tty. */ close(ptyfd); @@ -596,11 +706,16 @@ do_exec_pty(Session *s, const char *command) do_pre_login(s); # endif #endif - - /* Do common processing for the child, such as execing the command. */ - do_child(s, command); - /* NOTREACHED */ + /* + * Do common processing for the child, such as execing + * the command. + */ + do_child(s, command); + /* NOTREACHED */ + default: + break; } + #ifdef _UNICOS signal(WJSIGNAL, cray_job_termination_handler); #endif /* _UNICOS */ @@ -608,29 +723,14 @@ do_exec_pty(Session *s, const char *command) if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); #endif - if (pid < 0) - packet_disconnect("fork failed: %.100s", strerror(errno)); + s->pid = pid; /* Parent. Close the slave side of the pseudo tty. */ close(ttyfd); - /* - * Create another descriptor of the pty master side for use as the - * standard input. We could use the original descriptor, but this - * simplifies code in server_loop. The descriptor is bidirectional. - */ - fdout = dup(ptyfd); - if (fdout < 0) - packet_disconnect("dup #1 failed: %.100s", strerror(errno)); - - /* we keep a reference to the pty master */ - ptymaster = dup(ptyfd); - if (ptymaster < 0) - packet_disconnect("dup #2 failed: %.100s", strerror(errno)); - s->ptymaster = ptymaster; - /* Enter interactive session. */ + s->ptymaster = ptymaster; packet_set_interactive(1); if (compat20) { session_set_fds(s, ptyfd, fdout, -1); @@ -638,6 +738,7 @@ do_exec_pty(Session *s, const char *command) server_loop(pid, ptyfd, fdout, -1); /* server_loop _has_ closed ptyfd and fdout. */ } + return 0; } #ifdef LOGIN_NEEDS_UTMPX @@ -672,9 +773,11 @@ do_pre_login(Session *s) * This is called to fork and execute a command. If another command is * to be forced, execute that instead. */ -void +int do_exec(Session *s, const char *command) { + int ret; + if (options.adm_forced_command) { original_command = command; command = options.adm_forced_command; @@ -705,9 +808,9 @@ do_exec(Session *s, const char *command) } #endif if (s->ttyfd != -1) - do_exec_pty(s, command); + ret = do_exec_pty(s, command); else - do_exec_no_pty(s, command); + ret = do_exec_no_pty(s, command); original_command = NULL; @@ -717,6 +820,8 @@ do_exec(Session *s, const char *command) * multiple copies of the login messages. */ buffer_clear(&loginmsg); + + return ret; } /* administrative, login(1)-like work */ @@ -1740,43 +1845,79 @@ do_child(Session *s, const char *command) exit(1); } +void +session_unused(int id) +{ + debug3("%s: session id %d unused", __func__, id); + if (id >= options.max_sessions || + id >= sessions_nalloc) { + fatal("%s: insane session id %d (max %d nalloc %d)", + __func__, id, options.max_sessions, sessions_nalloc); + } + bzero(&sessions[id], sizeof(*sessions)); + sessions[id].self = id; + sessions[id].used = 0; + sessions[id].chanid = -1; + sessions[id].ptyfd = -1; + sessions[id].ttyfd = -1; + sessions[id].ptymaster = -1; + sessions[id].x11_chanids = NULL; + sessions[id].next_unused = sessions_first_unused; + sessions_first_unused = id; +} + Session * session_new(void) { - int i; - static int did_init = 0; - if (!did_init) { - debug("session_new: init"); - for (i = 0; i < MAX_SESSIONS; i++) { - sessions[i].used = 0; + Session *s, *tmp; + + if (sessions_first_unused == -1) { + if (sessions_nalloc >= options.max_sessions) + return NULL; + debug2("%s: allocate (allocated %d max %d)", + __func__, sessions_nalloc, options.max_sessions); + tmp = xrealloc(sessions, sessions_nalloc + 1, + sizeof(*sessions)); + if (tmp == NULL) { + error("%s: cannot allocate %d sessions", + __func__, sessions_nalloc + 1); + return NULL; } - did_init = 1; + sessions = tmp; + session_unused(sessions_nalloc++); } - for (i = 0; i < MAX_SESSIONS; i++) { - Session *s = &sessions[i]; - if (! s->used) { - memset(s, 0, sizeof(*s)); - s->chanid = -1; - s->ptyfd = -1; - s->ttyfd = -1; - s->used = 1; - s->self = i; - s->x11_chanids = NULL; - debug("session_new: session %d", i); - return s; - } + + if (sessions_first_unused >= sessions_nalloc || + sessions_first_unused < 0) { + fatal("%s: insane first_unused %d max %d nalloc %d", + __func__, sessions_first_unused, options.max_sessions, + sessions_nalloc); } - return NULL; + + s = &sessions[sessions_first_unused]; + if (s->used) { + fatal("%s: session %d already used", + __func__, sessions_first_unused); + } + sessions_first_unused = s->next_unused; + s->used = 1; + s->next_unused = -1; + debug("session_new: session %d", s->self); + + return s; } static void session_dump(void) { int i; - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; - debug("dump: used %d session %d %p channel %d pid %ld", + + debug("dump: used %d next_unused %d session %d %p " + "channel %d pid %ld", s->used, + s->next_unused, s->self, s, s->chanid, @@ -1806,7 +1947,7 @@ Session * session_by_tty(char *tty) { int i; - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; if (s->used && s->ttyfd != -1 && strcmp(s->tty, tty) == 0) { debug("session_by_tty: session %d tty %s", i, tty); @@ -1822,10 +1963,11 @@ static Session * session_by_channel(int id) { int i; - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; if (s->used && s->chanid == id) { - debug("session_by_channel: session %d channel %d", i, id); + debug("session_by_channel: session %d channel %d", + i, id); return s; } } @@ -1839,7 +1981,7 @@ session_by_x11_channel(int id) { int i, j; - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; if (s->x11_chanids == NULL || !s->used) @@ -1862,7 +2004,7 @@ session_by_pid(pid_t pid) { int i; debug("session_by_pid: pid %ld", (long)pid); - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; if (s->used && s->pid == pid) return s; @@ -1918,7 +2060,8 @@ session_pty_req(Session *s) /* Allocate a pty and open it. */ debug("Allocating pty."); - if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)))) { + if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, + sizeof(s->tty)))) { if (s->term) xfree(s->term); s->term = NULL; @@ -1971,8 +2114,7 @@ session_subsystem_req(Session *s) s->is_subsystem = SUBSYSTEM_EXT; } debug("subsystem: exec() %s", cmd); - do_exec(s, cmd); - success = 1; + success = do_exec(s, cmd) == 0; break; } } @@ -2015,19 +2157,19 @@ static int session_shell_req(Session *s) { packet_check_eom(); - do_exec(s, NULL); - return 1; + return do_exec(s, NULL) == 0; } static int session_exec_req(Session *s) { - u_int len; + u_int len, success; + char *command = packet_get_string(&len); packet_check_eom(); - do_exec(s, command); + success = do_exec(s, command) == 0; xfree(command); - return 1; + return success; } static int @@ -2037,8 +2179,7 @@ session_break_req(Session *s) packet_get_int(); /* ignored */ packet_check_eom(); - if (s->ttyfd == -1 || - tcsendbreak(s->ttyfd, 0) < 0) + if (s->ttyfd == -1 || tcsendbreak(s->ttyfd, 0) < 0) return 0; return 1; } @@ -2185,8 +2326,9 @@ session_pty_cleanup2(Session *s) * the pty cleanup, so that another process doesn't get this pty * while we're still cleaning up. */ - if (close(s->ptymaster) < 0) - error("close(s->ptymaster/%d): %s", s->ptymaster, strerror(errno)); + if (s->ptymaster != -1 && close(s->ptymaster) < 0) + error("close(s->ptymaster/%d): %s", + s->ptymaster, strerror(errno)); /* unlink pty from session */ s->ttyfd = -1; @@ -2346,7 +2488,6 @@ session_close(Session *s) xfree(s->auth_data); if (s->auth_proto) xfree(s->auth_proto); - s->used = 0; if (s->env != NULL) { for (i = 0; i < s->num_env; i++) { xfree(s->env[i].name); @@ -2355,6 +2496,7 @@ session_close(Session *s) xfree(s->env); } session_proctitle(s); + session_unused(s->self); } void @@ -2418,7 +2560,7 @@ void session_destroy_all(void (*closefunc)(Session *)) { int i; - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; if (s->used) { if (closefunc != NULL) @@ -2437,7 +2579,7 @@ session_tty_list(void) char *cp; buf[0] = '\0'; - for (i = 0; i < MAX_SESSIONS; i++) { + for (i = 0; i < sessions_nalloc; i++) { Session *s = &sessions[i]; if (s->used && s->ttyfd != -1) { diff --git a/session.h b/session.h index ee9338e4f..cbb8e3a32 100644 --- a/session.h +++ b/session.h @@ -1,4 +1,4 @@ -/* $OpenBSD: session.h,v 1.29 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -31,6 +31,7 @@ typedef struct Session Session; struct Session { int used; int self; + int next_unused; struct passwd *pw; Authctxt *authctxt; pid_t pid; @@ -65,6 +66,7 @@ void do_authenticated(Authctxt *); void do_cleanup(Authctxt *); int session_open(Authctxt *, int); +void session_unused(int); int session_input_channel_req(Channel *, const char *); void session_close_by_pid(pid_t, int); void session_close_by_channel(int, void *); diff --git a/sshd_config b/sshd_config index 1f97a9dcc..c5ee7c8a4 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.78 2008/05/07 06:43:35 pyr Exp $ +# $OpenBSD: sshd_config,v 1.79 2008/05/08 12:21:16 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -41,6 +41,7 @@ Protocol 2 #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 +#MaxSessions 10 #RSAAuthentication yes #PubkeyAuthentication yes diff --git a/sshd_config.5 b/sshd_config.5 index 99b5621e7..0d8c140bf 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.89 2008/05/07 08:00:14 jmc Exp $ -.Dd $Mdocdate: May 19 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.90 2008/05/08 12:21:16 djm Exp $ +.Dd $Mdocdate: May 8 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -594,6 +594,9 @@ connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6. +.It Cm MaxSessions +Specifies the maximum number of open sessions permitted per network connection. +The default is 10. .It Cm MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. -- cgit v1.2.3 From 7a3935de2facb227ea1fc2ce2de046b569a2ebc7 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 Jun 2008 22:59:10 +1000 Subject: - (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2008/06/10 03:57:27 [servconf.c match.h sshd_config.5] support CIDR address matching in sshd_config "Match address" blocks, with full support for negation and fall-back to classic wildcard matching. For example: Match address 192.0.2.0/24,3ffe:ffff::/32,!10.* PasswordAuthentication yes addrmatch.c code mostly lifted from flowd's addr.c feedback and ok dtucker@ --- ChangeLog | 14 +- Makefile.in | 4 +- addrmatch.c | 420 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ match.h | 5 +- servconf.c | 18 +-- sshd_config.5 | 26 +++- 6 files changed, 473 insertions(+), 14 deletions(-) create mode 100644 addrmatch.c (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index d60967404..65f97df7f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +20080610 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2008/06/10 03:57:27 + [servconf.c match.h sshd_config.5] + support CIDR address matching in sshd_config "Match address" blocks, with + full support for negation and fall-back to classic wildcard matching. + For example: + Match address 192.0.2.0/24,3ffe:ffff::/32,!10.* + PasswordAuthentication yes + addrmatch.c code mostly lifted from flowd's addr.c + feedback and ok dtucker@ + 20080609 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2008/06/08 17:04:41 @@ -4083,4 +4095,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4948 2008/06/09 13:52:22 dtucker Exp $ +$Id: ChangeLog,v 1.4949 2008/06/10 12:59:10 dtucker Exp $ diff --git a/Makefile.in b/Makefile.in index b57b9b72d..5debe2533 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.290 2008/05/19 06:00:08 djm Exp $ +# $Id: Makefile.in,v 1.291 2008/06/10 12:59:10 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -83,7 +83,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \ - auth-krb5.o \ + auth-krb5.o addrmatch.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o diff --git a/addrmatch.c b/addrmatch.c new file mode 100644 index 000000000..a0559efa0 --- /dev/null +++ b/addrmatch.c @@ -0,0 +1,420 @@ +/* $OpenBSD: addrmatch.c,v 1.2 2008/06/10 05:22:45 djm Exp $ */ + +/* + * Copyright (c) 2004-2008 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include "match.h" +#include "log.h" + +struct xaddr { + sa_family_t af; + union { + struct in_addr v4; + struct in6_addr v6; + u_int8_t addr8[16]; + u_int32_t addr32[4]; + } xa; /* 128-bit address */ + u_int32_t scope_id; /* iface scope id for v6 */ +#define v4 xa.v4 +#define v6 xa.v6 +#define addr8 xa.addr8 +#define addr32 xa.addr32 +}; + +static int +addr_unicast_masklen(int af) +{ + switch (af) { + case AF_INET: + return 32; + case AF_INET6: + return 128; + default: + return -1; + } +} + +static inline int +masklen_valid(int af, u_int masklen) +{ + switch (af) { + case AF_INET: + return masklen <= 32 ? 0 : -1; + case AF_INET6: + return masklen <= 128 ? 0 : -1; + default: + return -1; + } +} + +/* + * Convert struct sockaddr to struct xaddr + * Returns 0 on success, -1 on failure. + */ +static int +addr_sa_to_xaddr(struct sockaddr *sa, socklen_t slen, struct xaddr *xa) +{ + struct sockaddr_in *in4 = (struct sockaddr_in *)sa; + struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)sa; + + memset(xa, '\0', sizeof(*xa)); + + switch (sa->sa_family) { + case AF_INET: + if (slen < sizeof(*in4)) + return -1; + xa->af = AF_INET; + memcpy(&xa->v4, &in4->sin_addr, sizeof(xa->v4)); + break; + case AF_INET6: + if (slen < sizeof(*in6)) + return -1; + xa->af = AF_INET6; + memcpy(&xa->v6, &in6->sin6_addr, sizeof(xa->v6)); + xa->scope_id = in6->sin6_scope_id; + break; + default: + return -1; + } + + return 0; +} + +/* + * Calculate a netmask of length 'l' for address family 'af' and + * store it in 'n'. + * Returns 0 on success, -1 on failure. + */ +static int +addr_netmask(int af, u_int l, struct xaddr *n) +{ + int i; + + if (masklen_valid(af, l) != 0 || n == NULL) + return -1; + + memset(n, '\0', sizeof(*n)); + switch (af) { + case AF_INET: + n->af = AF_INET; + n->v4.s_addr = htonl((0xffffffff << (32 - l)) & 0xffffffff); + return 0; + case AF_INET6: + n->af = AF_INET6; + for (i = 0; i < 4 && l >= 32; i++, l -= 32) + n->addr32[i] = 0xffffffffU; + if (i < 4 && l != 0) + n->addr32[i] = htonl((0xffffffff << (32 - l)) & + 0xffffffff); + return 0; + default: + return -1; + } +} + +/* + * Perform logical AND of addresses 'a' and 'b', storing result in 'dst'. + * Returns 0 on success, -1 on failure. + */ +static int +addr_and(struct xaddr *dst, const struct xaddr *a, const struct xaddr *b) +{ + int i; + + if (dst == NULL || a == NULL || b == NULL || a->af != b->af) + return -1; + + memcpy(dst, a, sizeof(*dst)); + switch (a->af) { + case AF_INET: + dst->v4.s_addr &= b->v4.s_addr; + return 0; + case AF_INET6: + dst->scope_id = a->scope_id; + for (i = 0; i < 4; i++) + dst->addr32[i] &= b->addr32[i]; + return 0; + default: + return -1; + } +} + +/* + * Compare addresses 'a' and 'b' + * Return 0 if addresses are identical, -1 if (a < b) or 1 if (a > b) + */ +static int +addr_cmp(const struct xaddr *a, const struct xaddr *b) +{ + int i; + + if (a->af != b->af) + return a->af == AF_INET6 ? 1 : -1; + + switch (a->af) { + case AF_INET: + if (a->v4.s_addr == b->v4.s_addr) + return 0; + return ntohl(a->v4.s_addr) > ntohl(b->v4.s_addr) ? 1 : -1; + case AF_INET6: + for (i = 0; i < 16; i++) + if (a->addr8[i] - b->addr8[i] != 0) + return a->addr8[i] > b->addr8[i] ? 1 : -1; + if (a->scope_id == b->scope_id) + return 0; + return a->scope_id > b->scope_id ? 1 : -1; + default: + return -1; + } +} + +/* + * Parse string address 'p' into 'n' + * Returns 0 on success, -1 on failure. + */ +static int +addr_pton(const char *p, struct xaddr *n) +{ + struct addrinfo hints, *ai; + + memset(&hints, '\0', sizeof(hints)); + hints.ai_flags = AI_NUMERICHOST; + + if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0) + return -1; + + if (ai == NULL || ai->ai_addr == NULL) + return -1; + + if (n != NULL && + addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen, n) == -1) { + freeaddrinfo(ai); + return -1; + } + + freeaddrinfo(ai); + return 0; +} + +/* + * Perform bitwise negation of address + * Returns 0 on success, -1 on failure. + */ +static int +addr_invert(struct xaddr *n) +{ + int i; + + if (n == NULL) + return (-1); + + switch (n->af) { + case AF_INET: + n->v4.s_addr = ~n->v4.s_addr; + return (0); + case AF_INET6: + for (i = 0; i < 4; i++) + n->addr32[i] = ~n->addr32[i]; + return (0); + default: + return (-1); + } +} + +/* + * Calculate a netmask of length 'l' for address family 'af' and + * store it in 'n'. + * Returns 0 on success, -1 on failure. + */ +static int +addr_hostmask(int af, u_int l, struct xaddr *n) +{ + if (addr_netmask(af, l, n) == -1 || addr_invert(n) == -1) + return (-1); + return (0); +} + +/* + * Test whether address 'a' is all zeros (i.e. 0.0.0.0 or ::) + * Returns 0 on if address is all-zeros, -1 if not all zeros or on failure. + */ +static int +addr_is_all0s(const struct xaddr *a) +{ + int i; + + switch (a->af) { + case AF_INET: + return (a->v4.s_addr == 0 ? 0 : -1); + case AF_INET6:; + for (i = 0; i < 4; i++) + if (a->addr32[i] != 0) + return (-1); + return (0); + default: + return (-1); + } +} + +/* + * Test whether host portion of address 'a', as determined by 'masklen' + * is all zeros. + * Returns 0 on if host portion of address is all-zeros, + * -1 if not all zeros or on failure. + */ +static int +addr_host_is_all0s(const struct xaddr *a, u_int masklen) +{ + struct xaddr tmp_addr, tmp_mask, tmp_result; + + memcpy(&tmp_addr, a, sizeof(tmp_addr)); + if (addr_hostmask(a->af, masklen, &tmp_mask) == -1) + return (-1); + if (addr_and(&tmp_result, &tmp_addr, &tmp_mask) == -1) + return (-1); + return (addr_is_all0s(&tmp_result)); +} + +/* + * Parse a CIDR address (x.x.x.x/y or xxxx:yyyy::/z). + * Return -1 on parse error, -2 on inconsistency or 0 on success. + */ +static int +addr_pton_cidr(const char *p, struct xaddr *n, u_int *l) +{ + struct xaddr tmp; + long unsigned int masklen = 999; + char addrbuf[64], *mp, *cp; + + /* Don't modify argument */ + if (p == NULL || strlcpy(addrbuf, p, sizeof(addrbuf)) > sizeof(addrbuf)) + return -1; + + if ((mp = strchr(addrbuf, '/')) != NULL) { + *mp = '\0'; + mp++; + masklen = strtoul(mp, &cp, 10); + if (*mp == '\0' || *cp != '\0' || masklen > 128) + return -1; + } + + if (addr_pton(addrbuf, &tmp) == -1) + return -1; + + if (mp == NULL) + masklen = addr_unicast_masklen(tmp.af); + if (masklen_valid(tmp.af, masklen) == -1) + return -2; + if (addr_host_is_all0s(&tmp, masklen) != 0) + return -2; + + if (n != NULL) + memcpy(n, &tmp, sizeof(*n)); + if (l != NULL) + *l = masklen; + + return 0; +} + +static int +addr_netmatch(const struct xaddr *host, const struct xaddr *net, u_int masklen) +{ + struct xaddr tmp_mask, tmp_result; + + if (host->af != net->af) + return -1; + + if (addr_netmask(host->af, masklen, &tmp_mask) == -1) + return -1; + if (addr_and(&tmp_result, host, &tmp_mask) == -1) + return -1; + return addr_cmp(&tmp_result, net); +} + +/* + * Match "addr" against list pattern list "_list", which may contain a + * mix of CIDR addresses and old-school wildcards. + * + * If addr is NULL, then no matching is performed, but _list is parsed + * and checked for well-formedness. + * + * Returns 1 on match found (never returned when addr == NULL). + * Returns 0 on if no match found, or no errors found when addr == NULL. + * Returns -1 on invalid list entry. + */ +int +addr_match_list(const char *addr, const char *_list) +{ + char *list, *cp, *o; + struct xaddr try_addr, match_addr; + u_int masklen, neg; + int ret = 0, r; + + if (addr != NULL && addr_pton(addr, &try_addr) != 0) { + debug2("%s: couldn't parse address %.100s", __func__, addr); + return 0; + } + if ((o = list = strdup(_list)) == NULL) + return -1; + while ((cp = strsep(&list, ",")) != NULL) { + neg = *cp == '!'; + if (neg) + cp++; + if (*cp == '\0') { + ret = -1; + break; + } + /* Prefer CIDR address matching */ + r = addr_pton_cidr(cp, &match_addr, &masklen); + if (r == -2) { + error("Inconsistent mask length for " + "network \"%.100s\"", cp); + ret = -1; + break; + } else if (r == 0) { + if (addr != NULL && addr_netmatch(&try_addr, + &match_addr, masklen) == 0) { + foundit: + if (neg) { + ret = 0; + break; + } + ret = 1; + } + continue; + } else { + /* If CIDR parse failed, try wildcard string match */ + if (addr != NULL && match_pattern(addr, cp) == 1) + goto foundit; + } + } + free(o); + + return ret; +} diff --git a/match.h b/match.h index d1d538654..18f683070 100644 --- a/match.h +++ b/match.h @@ -1,4 +1,4 @@ -/* $OpenBSD: match.h,v 1.13 2006/03/25 22:22:43 djm Exp $ */ +/* $OpenBSD: match.h,v 1.14 2008/06/10 03:57:27 djm Exp $ */ /* * Author: Tatu Ylonen @@ -21,4 +21,7 @@ int match_host_and_ip(const char *, const char *, const char *); int match_user(const char *, const char *, const char *, const char *); char *match_list(const char *, const char *, u_int *); +/* addrmatch.c */ +int addr_match_list(const char *, const char *); + #endif diff --git a/servconf.c b/servconf.c index 94dff1fd6..07a201034 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.180 2008/05/08 12:21:16 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.181 2008/06/10 03:57:27 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -603,15 +603,17 @@ match_cfg_line(char **condition, int line, const char *user, const char *host, debug("connection from %.100s matched 'Host " "%.100s' at line %d", host, arg, line); } else if (strcasecmp(attrib, "address") == 0) { - if (!address) { - result = 0; - continue; - } - if (match_hostname(address, arg, len) != 1) - result = 0; - else + switch (addr_match_list(address, arg)) { + case 1: debug("connection from %.100s matched 'Address " "%.100s' at line %d", address, arg, line); + break; + case 0: + result = 0; + break; + case -1: + return -1; + } } else { error("Unsupported Match attribute %s", attrib); return -1; diff --git a/sshd_config.5 b/sshd_config.5 index 0d8c140bf..dc42959e2 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.90 2008/05/08 12:21:16 djm Exp $ -.Dd $Mdocdate: May 8 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.91 2008/06/10 03:57:27 djm Exp $ +.Dd $Mdocdate: June 10 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -557,6 +557,7 @@ line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another .Cm Match line or the end of the file. +.Pp The arguments to .Cm Match are one or more criteria-pattern pairs. @@ -566,6 +567,27 @@ The available criteria are .Cm Host , and .Cm Address . +The match patterns may consist of single entries or comma-separated +lists and may use the wildcard and negation operators described in the +.Sx SSH_KNOWN_HOSTS FILE FORMAT +section of +.Xr sshd 8 . +.Pp +The patterns in an +.Cm Address +criteria may additionally contain addresses to match in CIDR +address/masklen format, e.g. +.Dq 192.0.2.0/24 +or +.Dq 3ffe:ffff::/32 . +Note that the mask length provided must be consistent with the address - +it is an error to specify a mask length that is too long for the address +or one with bits set in this host portion of the address. For example, +.Dq 192.0.2.0/33 +and +.Dq 192.0.2.0/8 +respectively. +.Pp Only a subset of keywords may be used on the lines following a .Cm Match keyword. -- cgit v1.2.3 From b06cc4abf8e2eb4d1e14f19911a7e0afde50ee95 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 Jun 2008 22:59:53 +1000 Subject: - djm@cvs.openbsd.org 2008/06/10 04:17:46 [sshd_config.5] better reference for pattern-list --- ChangeLog | 5 ++++- sshd_config.5 | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 65f97df7f..e16603175 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ PasswordAuthentication yes addrmatch.c code mostly lifted from flowd's addr.c feedback and ok dtucker@ + - djm@cvs.openbsd.org 2008/06/10 04:17:46 + [sshd_config.5] + better reference for pattern-list 20080609 - (dtucker) OpenBSD CVS Sync @@ -4095,4 +4098,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4949 2008/06/10 12:59:10 dtucker Exp $ +$Id: ChangeLog,v 1.4950 2008/06/10 12:59:53 dtucker Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index dc42959e2..43e5c8522 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.91 2008/06/10 03:57:27 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.92 2008/06/10 04:17:46 djm Exp $ .Dd $Mdocdate: June 10 2008 $ .Dt SSHD_CONFIG 5 .Os @@ -569,9 +569,9 @@ and .Cm Address . The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators described in the -.Sx SSH_KNOWN_HOSTS FILE FORMAT +.Sx PATTERNS section of -.Xr sshd 8 . +.Xr ssh_config 5 . .Pp The patterns in an .Cm Address -- cgit v1.2.3 From 6a2a400f7a64d0dee83a1a32e7022445548ff348 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 Jun 2008 23:03:04 +1000 Subject: - jmc@cvs.openbsd.org 2008/06/10 07:12:00 [sshd_config.5] tweak previous; --- ChangeLog | 5 ++++- sshd_config.5 | 9 +++++---- 2 files changed, 9 insertions(+), 5 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 3c2cc2168..c470c4002 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,9 @@ -T causes sshd to write its effective configuration to stdout and exit. -C causes any relevant Match rules to be applied before output. The combination allows tesing of the parser and config files. ok deraadt djm + - jmc@cvs.openbsd.org 2008/06/10 07:12:00 + [sshd_config.5] + tweak previous; 20080609 - (dtucker) OpenBSD CVS Sync @@ -4104,4 +4107,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4951 2008/06/10 13:01:51 dtucker Exp $ +$Id: ChangeLog,v 1.4952 2008/06/10 13:03:04 dtucker Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 43e5c8522..ea6523584 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.92 2008/06/10 04:17:46 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.93 2008/06/10 07:12:00 jmc Exp $ .Dd $Mdocdate: June 10 2008 $ .Dt SSHD_CONFIG 5 .Os @@ -576,16 +576,17 @@ section of The patterns in an .Cm Address criteria may additionally contain addresses to match in CIDR -address/masklen format, e.g. +address/masklen format, e.g.\& .Dq 192.0.2.0/24 or .Dq 3ffe:ffff::/32 . Note that the mask length provided must be consistent with the address - it is an error to specify a mask length that is too long for the address -or one with bits set in this host portion of the address. For example, +or one with bits set in this host portion of the address. +For example, .Dq 192.0.2.0/33 and -.Dq 192.0.2.0/8 +.Dq 192.0.2.0/8 respectively. .Pp Only a subset of keywords may be used on the lines following a -- cgit v1.2.3 From c62a5af29ab1515f6093d84588f86a398e696a9a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 16 Jun 2008 07:55:46 +1000 Subject: - dtucker@cvs.openbsd.org 2008/06/15 16:55:38 [sshd_config.5] MaxSessions is allowed in a Match block too --- ChangeLog | 5 ++++- sshd_config.5 | 5 +++-- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 3af392c02..5f5fcdec7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,9 @@ [scp.1] Mention that scp follows symlinks during -r. bz #1466, from nectar at apple + - dtucker@cvs.openbsd.org 2008/06/15 16:55:38 + [sshd_config.5] + MaxSessions is allowed in a Match block too 20080614 - (djm) [openbsd-compat/sigact.c] Avoid NULL derefs in ancient sigaction @@ -4387,4 +4390,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5016 2008/06/15 21:55:06 djm Exp $ +$Id: ChangeLog,v 1.5017 2008/06/15 21:55:46 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index ea6523584..5ec007f15 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.93 2008/06/10 07:12:00 jmc Exp $ -.Dd $Mdocdate: June 10 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.94 2008/06/15 16:55:38 dtucker Exp $ +.Dd $Mdocdate: June 15 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -602,6 +602,7 @@ Available keywords are .Cm HostbasedAuthentication , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , +.Cm MaxSessions , .Cm PasswordAuthentication , .Cm PermitOpen , .Cm PermitRootLogin , -- cgit v1.2.3 From 307c1d10a78218fc2a67c3b285f90e701415004b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 16 Jun 2008 07:56:20 +1000 Subject: - dtucker@cvs.openbsd.org 2008/06/15 16:58:40 [servconf.c sshd_config.5] Allow MaxAuthTries within a Match block. ok djm@ --- ChangeLog | 5 ++++- servconf.c | 5 +++-- sshd_config.5 | 3 ++- 3 files changed, 9 insertions(+), 4 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 5f5fcdec7..1a3b3b1a8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,9 @@ - dtucker@cvs.openbsd.org 2008/06/15 16:55:38 [sshd_config.5] MaxSessions is allowed in a Match block too + - dtucker@cvs.openbsd.org 2008/06/15 16:58:40 + [servconf.c sshd_config.5] + Allow MaxAuthTries within a Match block. ok djm@ 20080614 - (djm) [openbsd-compat/sigact.c] Avoid NULL derefs in ancient sigaction @@ -4390,4 +4393,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5017 2008/06/15 21:55:46 djm Exp $ +$Id: ChangeLog,v 1.5018 2008/06/15 21:56:20 djm Exp $ diff --git a/servconf.c b/servconf.c index 8f5ddbd33..67e7d7db3 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.183 2008/06/10 23:06:19 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.184 2008/06/15 16:58:40 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -398,7 +398,7 @@ static struct { { "gatewayports", sGatewayPorts, SSHCFG_ALL }, { "subsystem", sSubsystem, SSHCFG_GLOBAL }, { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, - { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, + { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, @@ -1403,6 +1403,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(x11_forwarding); M_CP_INTOPT(x11_use_localhost); M_CP_INTOPT(max_sessions); + M_CP_INTOPT(max_authtries); M_CP_STROPT(banner); if (preauth) diff --git a/sshd_config.5 b/sshd_config.5 index 5ec007f15..0d41edf98 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.94 2008/06/15 16:55:38 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.95 2008/06/15 16:58:40 dtucker Exp $ .Dd $Mdocdate: June 15 2008 $ .Dt SSHD_CONFIG 5 .Os @@ -602,6 +602,7 @@ Available keywords are .Cm HostbasedAuthentication , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , +.Cm MaxAuthTries , .Cm MaxSessions , .Cm PasswordAuthentication , .Cm PermitOpen , -- cgit v1.2.3 From 7499b0cca021f14c615cbfef170aba3e24cf8d4d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 2 Jul 2008 22:35:43 +1000 Subject: - djm@cvs.openbsd.org 2008/07/02 02:24:18 [sshd_config sshd_config.5 sshd.8 servconf.c] increase default size of ssh protocol 1 ephemeral key from 768 to 1024 bits; prodded by & ok dtucker@ ok deraadt@ --- ChangeLog | 6 +++++- servconf.c | 4 ++-- sshd.8 | 6 +++--- sshd_config | 4 ++-- sshd_config.5 | 6 +++--- 5 files changed, 15 insertions(+), 11 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index fadf27a7d..9e7326d85 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,10 @@ - stevesk@cvs.openbsd.org 2008/07/01 23:12:47 [PROTOCOL.agent] fix some typos; ok djm@ + - djm@cvs.openbsd.org 2008/07/02 02:24:18 + [sshd_config sshd_config.5 sshd.8 servconf.c] + increase default size of ssh protocol 1 ephemeral key from 768 to 1024 + bits; prodded by & ok dtucker@ ok deraadt@ 20080630 - (djm) OpenBSD CVS Sync @@ -4507,4 +4511,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5045 2008/07/02 12:35:00 dtucker Exp $ +$Id: ChangeLog,v 1.5046 2008/07/02 12:35:43 dtucker Exp $ diff --git a/servconf.c b/servconf.c index 67e7d7db3..9d9c9508e 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.184 2008/06/15 16:58:40 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.185 2008/07/02 02:24:18 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -158,7 +158,7 @@ fill_default_server_options(ServerOptions *options) if (options->pid_file == NULL) options->pid_file = _PATH_SSH_DAEMON_PID_FILE; if (options->server_key_bits == -1) - options->server_key_bits = 768; + options->server_key_bits = 1024; if (options->login_grace_time == -1) options->login_grace_time = 120; if (options->key_regeneration_time == -1) diff --git a/sshd.8 b/sshd.8 index fdbe7abfa..c4c4181fc 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.245 2008/06/11 07:30:37 jmc Exp $ -.Dd $Mdocdate: June 11 2008 $ +.\" $OpenBSD: sshd.8,v 1.246 2008/07/02 02:24:18 djm Exp $ +.Dd $Mdocdate: July 2 2008 $ .Dt SSHD 8 .Os .Sh NAME @@ -100,7 +100,7 @@ Forces to use IPv6 addresses only. .It Fl b Ar bits Specifies the number of bits in the ephemeral protocol version 1 -server key (default 768). +server key (default 1024). .It Fl C Ar connection_spec Specify the connection parameters to use for the .Fl T diff --git a/sshd_config b/sshd_config index c5ee7c8a4..1b53a0efb 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.79 2008/05/08 12:21:16 djm Exp $ +# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -28,7 +28,7 @@ Protocol 2 # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h -#ServerKeyBits 768 +#ServerKeyBits 1024 # Logging # obsoletes QuietMode and FascistLogging diff --git a/sshd_config.5 b/sshd_config.5 index 0d41edf98..7255b1c22 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.95 2008/06/15 16:58:40 dtucker Exp $ -.Dd $Mdocdate: June 15 2008 $ +.\" $OpenBSD: sshd_config.5,v 1.96 2008/07/02 02:24:18 djm Exp $ +.Dd $Mdocdate: July 2 2008 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -811,7 +811,7 @@ The default is This option applies to protocol version 1 only. .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. -The minimum value is 512, and the default is 768. +The minimum value is 512, and the default is 1024. .It Cm StrictModes Specifies whether .Xr sshd 8 -- cgit v1.2.3