From a4904f7bf19fb091b9fcf8059dedd5c5198fc039 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 23 Feb 2006 21:35:30 +1100 Subject: - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current reality. Pointed out by tryponraj at gmail.com. --- sshd_config.5 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'sshd_config.5') diff --git a/sshd_config.5 b/sshd_config.5 index 71a293ffb..6e2de10d7 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -677,7 +677,10 @@ If set to .Dq yes this will enable PAM authentication using .Cm ChallengeResponseAuthentication -and PAM account and session module processing for all authentication types. +and +.Cm PasswordAuthentication +in addition to PAM account and session module processing for all +authentication types. .Pp Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable either -- cgit v1.2.3 From 0c2079d81f6244c6bfdc0d091dc575c820af08f1 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:54:21 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/24 10:33:54 [sshd_config.5] signpost to PATTERNS; --- ChangeLog | 5 ++++- sshd_config.5 | 45 +++++++++++++++++++++++++-------------------- 2 files changed, 29 insertions(+), 21 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 7f34f310f..4d289aa4c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -154,6 +154,9 @@ [ssh_config.5] add section on patterns; from dtucker + myself + - jmc@cvs.openbsd.org 2006/02/24 10:33:54 + [sshd_config.5] + signpost to PATTERNS; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4055,4 +4058,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4182 2006/03/15 00:54:05 djm Exp $ +$Id: ChangeLog,v 1.4183 2006/03/15 00:54:21 djm Exp $ 
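Review bot: in the UsePAM hunk of sshd_config.5 (@@ -677,7 +677,10 @@) the rewritten sentence now routes both `.Cm ChallengeResponseAuthentication` and `.Cm PasswordAuthentication` through PAM in one clause joined by "in addition to", which is hard to parse on first read; consider splitting it, e.g. "this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication. It also enables PAM account and session module processing for all authentication types." The trailing context ("you should disable either") still matches the new behaviour, since the reason to disable one of the two is the double prompt, but re-read that paragraph after the change to confirm it does not now read as if only one of them is PAM-backed.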
diff --git a/sshd_config.5 b/sshd_config.5 index 6e2de10d7..e0768230e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.48 2006/01/02 17:09:49 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.49 2006/02/24 10:33:54 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -99,13 +99,14 @@ This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. -.Ql \&* -and -.Ql \&? -can be used as -wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. +.Pp +See +.Sx PATTERNS +in +.Xr ssh_config 5 +for more information on patterns. .It Cm AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is @@ -118,16 +119,17 @@ This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. -.Ql \&* -and -.Ql \&? -can be used as -wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. +.Pp +See +.Sx PATTERNS +in +.Xr ssh_config 5 +for more information on patterns. .It Cm AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. 
@@ -231,26 +233,29 @@ This keyword can be followed by a list of group name patterns, separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. -.Ql \&* -and -.Ql \&? -can be used as -wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. +.Pp +See +.Sx PATTERNS +in +.Xr ssh_config 5 +for more information on patterns. .It Cm DenyUsers This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns. -.Ql \&* -and -.Ql \&? -can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. +.Pp +See +.Sx PATTERNS +in +.Xr ssh_config 5 +for more information on patterns. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. -- cgit v1.2.3 From 1faa7133233075776c83a71b427d19e35790280e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:55:31 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/24 20:22:16 [ssh-keysign.8 ssh_config.5 sshd_config.5] some consistency fixes; --- ChangeLog | 5 ++++- ssh-keysign.8 | 10 +++++----- ssh_config.5 | 4 ++-- sshd_config.5 | 6 +++--- 4 files changed, 14 insertions(+), 11 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index b5f623a8e..730634ce7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -163,6 +163,9 @@ - jmc@cvs.openbsd.org 2006/02/24 10:39:52 [sshd.8] signpost to PATTERNS section; + - jmc@cvs.openbsd.org 2006/02/24 20:22:16 + [ssh-keysign.8 ssh_config.5 sshd_config.5] + some consistency fixes; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) 
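Review bot: the four "See .Sx PATTERNS in .Xr ssh_config 5" signposts (AllowGroups, AllowUsers, DenyGroups, DenyUsers) use `.Sx`, which in mdoc names a section of the current manual page, while PATTERNS lives in ssh_config(5); it renders correctly as text but will not resolve as a same-page section reference, so either accept that or keep the `.Xr ssh_config 5` as the primary cross-reference and drop the `.Sx`. The ChangeLog context confirms the PATTERNS section was added to ssh_config.5 earlier ("add section on patterns"), so the target exists; the removal of the "* and ? can be used as wildcards" sentences is safe only because that section documents the same wildcards, which is worth stating in the commit message.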
@@ -4064,4 +4067,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4185 2006/03/15 00:55:08 djm Exp $ +$Id: ChangeLog,v 1.4186 2006/03/15 00:55:31 djm Exp $ diff --git a/ssh-keysign.8 b/ssh-keysign.8 index a17e8d5cf..4cdcb7a43 100644 --- a/ssh-keysign.8 +++ b/ssh-keysign.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keysign.8,v 1.7 2003/06/10 09:12:11 jmc Exp $ +.\" $OpenBSD: ssh-keysign.8,v 1.8 2006/02/24 20:22:16 jmc Exp $ .\" .\" Copyright (c) 2002 Markus Friedl. All rights reserved. .\" @@ -27,7 +27,7 @@ .Os .Sh NAME .Nm ssh-keysign -.Nd ssh helper program for hostbased authentication +.Nd ssh helper program for host-based authentication .Sh SYNOPSIS .Nm .Sh DESCRIPTION @@ -35,7 +35,7 @@ is used by .Xr ssh 1 to access the local host keys and generate the digital signature -required during hostbased authentication with SSH protocol version 2. +required during host-based authentication with SSH protocol version 2. .Pp .Nm is disabled by default and can only be enabled in the @@ -53,7 +53,7 @@ See .Xr ssh 1 and .Xr sshd 8 -for more information about hostbased authentication. +for more information about host-based authentication. .Sh FILES .Bl -tag -width Ds .It Pa /etc/ssh/ssh_config @@ -67,7 +67,7 @@ They should be owned by root, readable only by root, and not accessible to others. Since they are readable only by root, .Nm -must be set-uid root if hostbased authentication is used. +must be set-uid root if host-based authentication is used. .El .Sh SEE ALSO .Xr ssh 1 , diff --git a/ssh_config.5 b/ssh_config.5 index a334e57dc..5905d4c90 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.81 2006/02/24 10:37:07 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.82 2006/02/24 20:22:16 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -178,7 +178,7 @@ Note that this option does not work if is set to .Dq yes . .It Cm ChallengeResponseAuthentication -Specifies whether to use challenge response authentication. +Specifies whether to use challenge-response authentication. The argument to this keyword must be .Dq yes or diff --git a/sshd_config.5 b/sshd_config.5 index e0768230e..caeddf603 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.49 2006/02/24 10:33:54 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.50 2006/02/24 20:22:16 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -153,7 +153,7 @@ authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed. .It Cm ChallengeResponseAuthentication -Specifies whether challenge response authentication is allowed. +Specifies whether challenge-response authentication is allowed. All authentication styles from .Xr login.conf 5 are supported. @@ -291,7 +291,7 @@ Note that this option applies to protocol version 2 only. .It Cm HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed -(hostbased authentication). +(host-based authentication). This option is similar to .Cm RhostsRSAAuthentication and applies to protocol version 2 only. -- cgit v1.2.3 From 208f1ed6f180cc0cfd3ab59d0b1c33796cc4c641 Mon Sep 17 00:00:00 2001 
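Review bot: the hyphenation change in the HostbasedAuthentication hunk of sshd_config.5 (@@ -291,7 +291,7 @@) correctly leaves the keyword `.Cm HostbasedAuthentication` untouched and only rewrites the prose "(host-based authentication)"; the same care applies to the ssh-keysign.8 hunks, where every changed occurrence is prose, not a config keyword. One thing to double-check before committing is that no other page in the set (ssh.1, sshd.8) still uses "hostbased" in prose, since this commit is titled "consistency fixes" but only touches three files.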
From: Damien Miller Date: Wed, 15 Mar 2006 11:56:03 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/24 20:31:31 [ssh.1 ssh_config.5 sshd.8 sshd_config.5] more consistency fixes; --- ChangeLog | 5 ++++- ssh.1 | 6 +++--- ssh_config.5 | 6 +++--- sshd.8 | 8 ++++---- sshd_config.5 | 8 ++++---- 5 files changed, 18 insertions(+), 15 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 730634ce7..b24ca1887 100644 --- a/ChangeLog +++ b/ChangeLog @@ -166,6 +166,9 @@ - jmc@cvs.openbsd.org 2006/02/24 20:22:16 [ssh-keysign.8 ssh_config.5 sshd_config.5] some consistency fixes; + - jmc@cvs.openbsd.org 2006/02/24 20:31:31 + [ssh.1 ssh_config.5 sshd.8 sshd_config.5] + more consistency fixes; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4067,4 +4070,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4186 2006/03/15 00:55:31 djm Exp $ +$Id: ChangeLog,v 1.4187 2006/03/15 00:56:03 djm Exp $ diff --git a/ssh.1 b/ssh.1 index b9bbe0bd6..e66ad9e88 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.256 2006/02/15 16:53:20 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.257 2006/02/24 20:31:30 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -569,7 +569,7 @@ Disable pseudo-tty allocation. Force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, -e.g., when implementing menu services. +e.g. when implementing menu services. Multiple .Fl t options force tty allocation, even if 
@@ -1178,7 +1178,7 @@ If the current session has no tty, this variable is not set. .It Ev TZ This variable is set to indicate the present time zone if it -was set when the daemon was started (i.e., the daemon passes the value +was set when the daemon was started (i.e. the daemon passes the value on to new connections). .It Ev USER Set to the name of the user logging in. diff --git a/ssh_config.5 b/ssh_config.5 index 5905d4c90..66c9ed3f5 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.82 2006/02/24 20:22:16 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.83 2006/02/24 20:31:31 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -138,12 +138,12 @@ Restricts the following declarations (up to the next keyword) to be only for those hosts that match one of the patterns given after the keyword. A single -.Ql \&* +.Ql * as a pattern can be used to provide global defaults for all hosts. The host is the .Ar hostname -argument given on the command line (i.e., the name is not converted to +argument given on the command line (i.e. the name is not converted to a canonicalized host name before matching). .Pp See diff --git a/sshd.8 b/sshd.8 index d09dc4e99..0bfd68505 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.229 2006/02/24 10:39:52 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.230 2006/02/24 20:31:31 jmc Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os 
@@ -81,7 +81,7 @@ configuration file. .Nm rereads its configuration file when it receives a hangup signal, .Dv SIGHUP , -by executing itself with the name and options it was started with, e.g., +by executing itself with the name and options it was started with, e.g.\& .Pa /usr/sbin/sshd . .Pp The options are as follows: @@ -154,7 +154,7 @@ is normally not run from inetd because it needs to generate the server key before it can respond to the client, and this may take tens of seconds. Clients would have to wait too long if the key was regenerated every time. -However, with small key sizes (e.g., 512) using +However, with small key sizes (e.g. 512) using .Nm from inetd may be feasible. @@ -519,7 +519,7 @@ authentication. .It Cm no-port-forwarding Forbids TCP forwarding when this key is used for authentication. Any port forward requests by the client will return an error. -This might be used, e.g., in connection with the +This might be used, e.g. in connection with the .Cm command option. .It Cm no-pty diff --git a/sshd_config.5 b/sshd_config.5 index caeddf603..642e1fa29 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.50 2006/02/24 20:22:16 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.51 2006/02/24 20:31:31 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -72,7 +72,7 @@ in for how to configure the client. Note that environment passing is only supported for protocol 2. Variables are specified by name, which may contain the wildcard characters -.Ql \&* +.Ql * and .Ql \&? . Multiple environment variables may be separated by whitespace or spread 
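Review bot: the AcceptEnv hunk of sshd_config.5 (@@ -72,7 +72,7 @@) drops the `\&` escape from `.Ql \&*` but the very next context line keeps `.Ql \&? .`; if the escape is unnecessary for `*` it is equally unnecessary for `?`, so change both or neither. The `e.g.\&` form in the sshd.8 SIGHUP hunk is the right one for an abbreviation that ends a line (it stops mdoc treating the period as end of sentence), whereas the other "e.g.," to "e.g." changes are mid-line and need no escape, so that asymmetry is fine.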
@@ -456,7 +456,7 @@ The default is 10. Alternatively, random early drop can be enabled by specifying the three colon separated values .Dq start:rate:full -(e.g., "10:30:60"). +(e.g. "10:30:60"). .Nm sshd will refuse connection attempts with a probability of .Dq rate/100 @@ -612,7 +612,7 @@ directory or files world-writable. The default is .Dq yes . .It Cm Subsystem -Configures an external subsystem (e.g., file transfer daemon). +Configures an external subsystem (e.g. file transfer daemon). Arguments should be a subsystem name and a command to execute upon subsystem request. The command -- cgit v1.2.3 From 5b0d63f8943dc7f9029ba5171b2a23acfa97f7aa Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:56:56 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/24 23:43:57 [sshd_config.5] some grammar/wording fixes; --- ChangeLog | 5 ++- sshd_config.5 | 107 +++++++++++++++++++++++++++------------------------------- 2 files changed, 54 insertions(+), 58 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index a24b2d025..18298750c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -172,6 +172,9 @@ - jmc@cvs.openbsd.org 2006/02/24 23:20:07 [ssh_config.5] some grammar/wording fixes; + - jmc@cvs.openbsd.org 2006/02/24 23:43:57 + [sshd_config.5] + some grammar/wording fixes; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4073,4 +4076,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4188 2006/03/15 00:56:18 djm Exp $ +$Id: ChangeLog,v 1.4189 2006/03/15 00:56:56 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 642e1fa29..6f60d7e84 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.51 2006/02/24 20:31:31 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.52 2006/02/24 23:43:57 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -89,7 +89,7 @@ Specifies which address family should be used by Valid arguments are .Dq any , .Dq inet -(use IPv4 only) or +(use IPv4 only), or .Dq inet6 (use IPv6 only). The default is @@ -135,9 +135,9 @@ Specifies the file that contains the public keys that can be used for user authentication. .Cm AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection -set-up. +setup. The following tokens are defined: %% is replaced by a literal '%', -%h is replaced by the home directory of the user being authenticated and +%h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. After expansion, .Cm AuthorizedKeysFile @@ -176,20 +176,19 @@ The supported ciphers are .Dq blowfish-cbc , and .Dq cast128-cbc . -The default is -.Bd -literal - ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, - arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, - aes192-ctr,aes256-ctr'' +The default is: +.Bd -literal -offset 3n +aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, +arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, +aes192-ctr,aes256-ctr .Ed .It Cm ClientAliveCountMax Sets the number of client alive messages (see below) which may be sent without -.Nm sshd +.Xr sshd 8 receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, -.Nm sshd -will disconnect the client, terminating the session. +sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from .Cm TCPKeepAlive 
@@ -207,12 +206,12 @@ If .Cm ClientAliveInterval (see below) is set to 15, and .Cm ClientAliveCountMax -is left at the default, unresponsive ssh clients +is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. .It Cm ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, -.Nm sshd +.Xr sshd 8 will send a message through the encrypted channel to request a response from the client. The default @@ -260,12 +259,11 @@ for more information on patterns. Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, -.Nm sshd +.Xr sshd 8 binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. .Cm GatewayPorts -can be used to specify that -.Nm sshd +can be used to specify that sshd should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be @@ -308,7 +306,7 @@ and .Pa /etc/ssh/ssh_host_dsa_key for protocol version 2. Note that -.Nm sshd +.Xr sshd 8 will refuse to use a file if it is group/world-accessible. It is possible to have multiple host key files. .Dq rsa1 @@ -335,7 +333,7 @@ The default is .Dq yes . .It Cm IgnoreUserKnownHosts Specifies whether -.Nm sshd +.Xr sshd 8 should ignore the user's .Pa ~/.ssh/known_hosts during 
@@ -350,24 +348,24 @@ Specifies whether the password provided by the user for will be validated through the Kerberos KDC. To use this option, the server needs a Kerberos servtab which allows the verification of the KDC's identity. -Default is +The default is .Dq no . .It Cm KerberosGetAFSToken If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire an AFS token before accessing the user's home directory. -Default is +The default is .Dq no . .It Cm KerberosOrLocalPasswd -If set then if password authentication through Kerberos fails then +If password authentication through Kerberos fails then the password will be validated via any additional local mechanism such as .Pa /etc/passwd . -Default is +The default is .Dq yes . .It Cm KerberosTicketCleanup Specifies whether to automatically destroy the user's ticket cache file on logout. -Default is +The default is .Dq yes . .It Cm KeyRegenerationInterval In protocol version 1, the ephemeral server key is automatically regenerated @@ -380,7 +378,7 @@ If the value is 0, the key is never regenerated. The default is 3600 (seconds). .It Cm ListenAddress Specifies the local addresses -.Nm sshd +.Xr sshd 8 should listen on. The following forms may be used: .Pp @@ -406,8 +404,7 @@ The following forms may be used: If .Ar port is not specified, -.Nm sshd -will listen on the address and all prior +sshd will listen on the address and all prior .Cm Port options specified. The default is to listen on all local addresses. @@ -416,7 +413,7 @@ Multiple options are permitted. Additionally, any .Cm Port -options must precede this option for non port qualified addresses. +options must precede this option for non-port qualified addresses. .It Cm LoginGraceTime The server disconnects after this time if the user has not successfully logged in. 
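Review bot: in the ListenAddress hunk (@@ -416,7 +413,7 @@) "non port qualified addresses" becomes "non-port qualified addresses", which reads as "non-port" modifying "qualified addresses"; the intended meaning is "non-port-qualified addresses" (addresses given without a port), so hyphenate both joins. The Kerberos hunk's change of "If set then if password authentication through Kerberos fails then" to "If password authentication through Kerberos fails then" is a clear improvement and keeps the documented default.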
@@ -426,7 +423,7 @@ The default is 120 seconds. Gives the verbosity level that is used when logging messages from .Nm sshd . The possible values are: -QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. +QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. @@ -436,7 +433,7 @@ Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. -The default is +The default is: .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . .It Cm MaxAuthTries Specifies the maximum number of authentication attempts permitted per @@ -446,8 +443,7 @@ additional failures are logged. The default is 6. .It Cm MaxStartups Specifies the maximum number of concurrent unauthenticated connections to the -.Nm sshd -daemon. +SSH daemon. Additional connections will be dropped until authentication succeeds or the .Cm LoginGraceTime expires for a connection. @@ -484,18 +480,18 @@ Specifies whether root can log in using The argument must be .Dq yes , .Dq without-password , -.Dq forced-commands-only +.Dq forced-commands-only , or .Dq no . The default is .Dq yes . .Pp If this option is set to -.Dq without-password +.Dq without-password , password authentication is disabled for root. .Pp If this option is set to -.Dq forced-commands-only +.Dq forced-commands-only , root login with public key authentication will be allowed, but only if the .Ar command @@ -505,7 +501,7 @@ normally not allowed). All other authentication methods are disabled for root. .Pp If this option is set to -.Dq no +.Dq no , root is not allowed to log in. .It Cm PermitTunnel Specifies whether 
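Review bot: the LogLevel hunk (@@ -426,7 +423,7 @@) leaves `.Nm sshd .` in its context line while the rest of this patch converts first mentions to `.Xr sshd 8`; convert it here too rather than in a follow-up. The MaxStartups hunk's replacement of "the .Nm sshd daemon" with "the SSH daemon" is fine, but the LogLevel list change ("DEBUG2, and DEBUG3") introduces a serial comma, so check that the SyslogFacility list a few entries later ("LOCAL6, LOCAL7") gets the same treatment for consistency.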
@@ -514,7 +510,7 @@ device forwarding is allowed. The argument must be .Dq yes , .Dq point-to-point , -.Dq ethernet +.Dq ethernet , or .Dq no . The default is @@ -527,7 +523,7 @@ and options in .Pa ~/.ssh/authorized_keys are processed by -.Nm sshd . +.Xr sshd 8 . The default is .Dq no . Enabling environment processing may enable users to bypass access @@ -541,7 +537,7 @@ The default is .Pa /var/run/sshd.pid . .It Cm Port Specifies the port number that -.Nm sshd +.Xr sshd 8 listens on. The default is 22. Multiple options of this type are permitted. @@ -549,14 +545,14 @@ See also .Cm ListenAddress . .It Cm PrintLastLog Specifies whether -.Nm sshd +.Xr sshd 8 should print the date and time of the last user login when a user logs in interactively. The default is .Dq yes . .It Cm PrintMotd Specifies whether -.Nm sshd +.Xr sshd 8 should print .Pa /etc/motd when a user logs in interactively. @@ -567,12 +563,12 @@ The default is .Dq yes . .It Cm Protocol Specifies the protocol versions -.Nm sshd +.Xr sshd 8 supports. The possible values are -.Dq 1 +.Sq 1 and -.Dq 2 . +.Sq 2 . Multiple versions must be comma-separated. The default is .Dq 2,1 . @@ -604,7 +600,7 @@ Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 768. .It Cm StrictModes Specifies whether -.Nm sshd +.Xr sshd 8 should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their @@ -651,7 +647,7 @@ To disable TCP keepalive messages, the value should be set to .Dq no . .It Cm UseDNS Specifies whether -.Nm sshd +.Xr sshd 8 should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. 
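Review bot: the Protocol hunk (@@ -567,12 +563,12 @@) switches the version values to `.Sq 1` and `.Sq 2` but the default two lines later stays `.Dq 2,1 .`, so the same keyword's values are now quoted two different ways; pick one. The PermitRootLogin and PermitTunnel hunks only add the missing serial commas and trailing-comma punctuation after `.Dq` arguments, which is correct mdoc usage.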
@@ -702,7 +698,7 @@ The default is .Dq no . .It Cm UsePrivilegeSeparation Specifies whether -.Nm sshd +.Xr sshd 8 separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has @@ -713,11 +709,9 @@ The default is .Dq yes . .It Cm X11DisplayOffset Specifies the first display number available for -.Nm sshd Ns 's +.Xr sshd 8 Ns 's X11 forwarding. -This prevents -.Nm sshd -from interfering with real X11 servers. +This prevents sshd from interfering with real X11 servers. The default is 10. .It Cm X11Forwarding Specifies whether X11 forwarding is permitted. @@ -730,14 +724,14 @@ The default is .Pp When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the -.Nm sshd +.Xr sshd 8 proxy display is configured to listen on the wildcard address (see .Cm X11UseLocalhost -below), however this is not the default. +below), though this is not the default. Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of using X11 forwarding is that the client's X11 -display server may be exposed to attack when the ssh client requests +display server may be exposed to attack when the SSH client requests forwarding (see the warnings for .Cm ForwardX11 in @@ -755,12 +749,11 @@ X11 forwarding is automatically disabled if is enabled. .It Cm X11UseLocalhost Specifies whether -.Nm sshd +.Xr sshd 8 should bind the X11 forwarding server to the loopback address or to the wildcard address. By default, -.Nm sshd -binds the forwarding server to the loopback address and sets the +sshd binds the forwarding server to the loopback address and sets the hostname part of the .Ev DISPLAY environment variable to -- cgit v1.2.3 From f4f22b54c0e2a454d3ac093d99f845db4da98a81 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Wed, 15 Mar 2006 11:57:25 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/24 23:51:17 [sshd_config.5] oops - bits i missed; --- ChangeLog | 5 ++++- sshd_config.5 | 19 +++++++++---------- 2 files changed, 13 insertions(+), 11 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 18298750c..4d21aae76 100644 --- a/ChangeLog +++ b/ChangeLog @@ -175,6 +175,9 @@ - jmc@cvs.openbsd.org 2006/02/24 23:43:57 [sshd_config.5] some grammar/wording fixes; + - jmc@cvs.openbsd.org 2006/02/24 23:51:17 + [sshd_config.5] + oops - bits i missed; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4076,4 +4079,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4189 2006/03/15 00:56:56 djm Exp $ +$Id: ChangeLog,v 1.4190 2006/03/15 00:57:25 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 6f60d7e84..8c714444b 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.52 2006/02/24 23:43:57 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.53 2006/02/24 23:51:17 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -46,7 +46,7 @@ .It Pa /etc/ssh/sshd_config .El .Sh DESCRIPTION -.Nm sshd +.Xr sshd 8 reads configuration data from .Pa /etc/ssh/sshd_config (or the file specified with @@ -85,7 +85,7 @@ For this reason, care should be taken in the use of this directive. The default is not to accept any environment variables. .It Cm AddressFamily Specifies which address family should be used by -.Nm sshd . +.Xr sshd 8 . Valid arguments are .Dq any , .Dq inet 
@@ -421,7 +421,7 @@ If the value is 0, there is no time limit. The default is 120 seconds. .It Cm LogLevel Gives the verbosity level that is used when logging messages from -.Nm sshd . +.Xr sshd 8 . The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. @@ -453,7 +453,7 @@ Alternatively, random early drop can be enabled by specifying the three colon separated values .Dq start:rate:full (e.g. "10:30:60"). -.Nm sshd +.Xr sshd 8 will refuse connection attempts with a probability of .Dq rate/100 (30%) @@ -531,8 +531,7 @@ restrictions in some configurations using mechanisms such as .Ev LD_PRELOAD . .It Cm PidFile Specifies the file that contains the process ID of the -.Nm sshd -daemon. +SSH daemon. The default is .Pa /var/run/sshd.pid . .It Cm Port @@ -620,7 +619,7 @@ By default no subsystems are defined. Note that this option applies to protocol version 2 only. .It Cm SyslogFacility Gives the facility code that is used when logging messages from -.Nm sshd . +.Xr sshd 8 . The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. @@ -780,7 +779,7 @@ The default is .Pa /usr/X11R6/bin/xauth . .El .Ss Time Formats -.Nm sshd +.Xr sshd 8 command-line arguments and configuration file options that specify time may be expressed using a sequence of the form: .Sm off @@ -824,7 +823,7 @@ Time format examples: .Bl -tag -width Ds .It Pa /etc/ssh/sshd_config Contains configuration data for -.Nm sshd . +.Xr sshd 8 . This file should be writable by root only, but it is recommended (though not necessary) that it be world-readable. .El -- cgit v1.2.3 From ac73e5139072c444ade00fadc7817451a531788d Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Wed, 15 Mar 2006 11:58:49 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/25 12:28:34 [sshd_config.5] document the order in which allow/deny directives are processed; help/ok dtucker --- ChangeLog | 6 +++++- sshd_config.5 | 26 +++++++++++++++++++++++++- 2 files changed, 30 insertions(+), 2 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 9f07c8cf4..bdfb7520b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -182,6 +182,10 @@ [ssh_config.5] document the possible values for KbdInteractiveDevices; help/ok dtucker + - jmc@cvs.openbsd.org 2006/02/25 12:28:34 + [sshd_config.5] + document the order in which allow/deny directives are processed; + help/ok dtucker 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4083,4 +4087,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4192 2006/03/15 00:58:25 djm Exp $ +$Id: ChangeLog,v 1.4193 2006/03/15 00:58:49 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 8c714444b..2fc2d057e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.53 2006/02/24 23:51:17 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.54 2006/02/25 12:28:34 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -101,6 +101,12 @@ If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. +The allow/deny directives are processed in the following order: +.Cm DenyUsers , +.Cm AllowUsers , +.Cm DenyGroups , +and finally +.Cm AllowGroups . .Pp See .Sx PATTERNS 
@@ -124,6 +130,12 @@ By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. +The allow/deny directives are processed in the following order: +.Cm DenyUsers , +.Cm AllowUsers , +.Cm DenyGroups , +and finally +.Cm AllowGroups . .Pp See .Sx PATTERNS @@ -234,6 +246,12 @@ Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. +The allow/deny directives are processed in the following order: +.Cm DenyUsers , +.Cm AllowUsers , +.Cm DenyGroups , +and finally +.Cm AllowGroups . .Pp See .Sx PATTERNS @@ -249,6 +267,12 @@ By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. +The allow/deny directives are processed in the following order: +.Cm DenyUsers , +.Cm AllowUsers , +.Cm DenyGroups , +and finally +.Cm AllowGroups . .Pp See .Sx PATTERNS -- cgit v1.2.3 From e3beba231af4aa4364171c6828b0481067293ab5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 11:59:25 +1100 Subject: - jmc@cvs.openbsd.org 2006/02/26 18:01:13 [sshd_config.5] subsection is pointless here; --- ChangeLog | 5 ++++- sshd_config.5 | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index dbfb130a6..ac7af857c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -189,6 +189,9 @@ - jmc@cvs.openbsd.org 2006/02/26 17:17:18 [ssh_config.5] move PATTERNS to the end of the main body; requested by dtucker + - jmc@cvs.openbsd.org 2006/02/26 18:01:13 + [sshd_config.5] + subsection is pointless here; 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) 
@@ -4090,4 +4093,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4194 2006/03/15 00:59:08 djm Exp $ +$Id: ChangeLog,v 1.4195 2006/03/15 00:59:25 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 2fc2d057e..446e59afd 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.54 2006/02/25 12:28:34 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.55 2006/02/26 18:01:13 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -802,7 +802,7 @@ program. The default is .Pa /usr/X11R6/bin/xauth . .El -.Ss Time Formats +.Sh TIME FORMATS .Xr sshd 8 command-line arguments and configuration file options that specify time may be expressed using a sequence of the form: -- cgit v1.2.3 From 306d118f72670f0da447f28b7eec576dcb4a6e38 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 12:05:59 +1100 Subject: - dtucker@cvs.openbsd.org 2006/03/13 10:14:29 [misc.c ssh_config.5 sshd_config.5] Allow config directives to contain whitespace by surrounding them by double quotes. mindrot #482, man page help from jmc@, ok djm@ --- ChangeLog | 6 +++++- misc.c | 17 +++++++++++++++-- ssh_config.5 | 5 ++++- sshd_config.5 | 5 ++++- 4 files changed, 28 insertions(+), 5 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 74ece7805..c72eeed41 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -220,6 +220,10 @@ Make ssh-keygen handle CR and CRLF line termination when converting IETF format keys, in adition to vanilla LF. mindrot #1157, tested by Chris Pepper, ok djm@ + - dtucker@cvs.openbsd.org 2006/03/13 10:14:29 + [misc.c ssh_config.5 sshd_config.5] + Allow config directives to contain whitespace by surrounding them by double + quotes. mindrot #482, man page help from jmc@, ok djm@ 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4121,4 +4125,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4202 2006/03/15 01:05:40 djm Exp $ +$Id: ChangeLog,v 1.4203 2006/03/15 01:05:59 djm Exp $ diff --git a/misc.c b/misc.c index e1da651ef..662480e9e 100644 --- a/misc.c +++ b/misc.c @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.45 2006/02/10 00:27:13 stevesk Exp $"); +RCSID("$OpenBSD: misc.c,v 1.46 2006/03/13 10:14:29 dtucker Exp $"); #include #include @@ -128,6 +128,7 @@ set_nodelay(int fd) /* Characters considered whitespace in strsep calls. */ #define WHITESPACE " \t\r\n" +#define QUOTE "\"" /* return next token in configuration line */ char * @@ -141,15 +142,27 @@ strdelim(char **s) old = *s; - *s = strpbrk(*s, WHITESPACE "="); + *s = strpbrk(*s, WHITESPACE QUOTE "="); if (*s == NULL) return (old); + if (*s[0] == '\"') { + memmove(*s, *s + 1, strlen(*s)); /* move nul too */ + /* Find matching quote */ + if ((*s = strpbrk(*s, QUOTE)) == NULL) { + return (NULL); /* no matching quote */ + } else { + *s[0] = '\0'; + return (old); + } + } + /* Allow only one '=' to be skipped */ if (*s[0] == '=') wspace = 1; *s[0] = '\0'; + /* Skip any extra whitespace after first token */ *s += strspn(*s + 1, WHITESPACE) + 1; if (*s[0] == '=' && !wspace) *s += strspn(*s + 1, WHITESPACE) + 1; diff --git a/ssh_config.5 b/ssh_config.5 index ba8926e8e..f7c9f7145 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
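Review bot: in the new quote branch of strdelim() in misc.c, after `*s[0] = '\0';` is written over the closing quote the cursor `*s` is left pointing at that NUL instead of being advanced past it and the following whitespace, so the next call on the same line sees an empty string and any token written after a quoted argument is unreachable; mirror the unquoted path with `*s += strspn(*s + 1, WHITESPACE) + 1;` before `return (old);`. Two smaller points on the same hunk: `strpbrk(*s, WHITESPACE QUOTE "=")` finds a double quote anywhere in the token, not only at its start, so an input like `foo"bar baz"` is silently rewritten rather than rejected, and because the closing quote is located with a plain strpbrk() there is no way to put a literal double quote inside an argument. Both behaviours should either be errors or be spelled out in the ssh_config.5 and sshd_config.5 wording in this commit, which only says arguments "may optionally be enclosed in double quotes".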
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.87 2006/02/26 18:03:10 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.88 2006/03/13 10:14:29 dtucker Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -92,6 +92,9 @@ and .Nm sftp .Fl o option. +Arguments may optionally be enclosed in double quotes +.Pq \&" +in order to represent arguments containing spaces. .Pp The possible keywords and their meanings are as follows (note that diff --git a/sshd_config.5 b/sshd_config.5 index 446e59afd..1bd3a624f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.55 2006/02/26 18:01:13 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.56 2006/03/13 10:14:29 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -56,6 +56,9 @@ The file contains keyword-argument pairs, one per line. Lines starting with .Ql # and empty lines are interpreted as comments. +Arguments may optionally be enclosed in double quotes +.Pq \&" +in order to represent arguments containing spaces. .Pp The possible keywords and their meanings are as follows (note that -- cgit v1.2.3 From cc3e8ba3c24357b912dd7071ba34ab863de593bd Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 15 Mar 2006 12:06:55 +1100 Subject: - markus@cvs.openbsd.org 2006/03/14 16:32:48 [ssh_config.5 sshd_config.5] *AliveCountMax applies to protcol v2 only; ok dtucker, djm --- ChangeLog | 5 ++++- ssh_config.5 | 3 ++- sshd_config.5 | 3 ++- 3 files changed, 8 insertions(+), 3 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 57c97c85e..3064b306d 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -233,6 +233,9 @@ [canohost.c] log the originating address and not just the name when a reverse mapping check fails, requested by linux AT linuon.com + - markus@cvs.openbsd.org 2006/03/14 16:32:48 + [ssh_config.5 sshd_config.5] + *AliveCountMax applies to protcol v2 only; ok dtucker, djm 20060313 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) @@ -4134,4 +4137,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4205 2006/03/15 01:06:41 djm Exp $ +$Id: ChangeLog,v 1.4206 2006/03/15 01:06:55 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index f7c9f7145..5b02ef821 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.88 2006/03/13 10:14:29 dtucker Exp $ +.\" $OpenBSD: ssh_config.5,v 1.89 2006/03/14 16:32:48 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -845,6 +845,7 @@ If, for example, .Cm ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect after approximately 45 seconds. +This option applies to protocol version 2 only. .It Cm ServerAliveInterval Sets a timeout interval in seconds after which if no data has been received from the server, diff --git a/sshd_config.5 b/sshd_config.5 index 1bd3a624f..aad28f4c8 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.56 2006/03/13 10:14:29 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.57 2006/03/14 16:32:48 markus Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os 
@@ -223,6 +223,7 @@ If .Cm ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. +This option applies to protocol version 2 only. .It Cm ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, -- cgit v1.2.3 From 991dba43e17f7e4c8706158ecee32f2bfd18cac4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 10 Jul 2006 20:16:27 +1000 Subject: - stevesk@cvs.openbsd.org 2006/07/02 17:12:58 [ssh.1 ssh.c ssh_config.5 sshd_config.5] more details and clarity for tun(4) device forwarding; ok and help jmc@ --- ChangeLog | 6 +++++- ssh.1 | 38 +++++++++++++++++++++++++------------- ssh.c | 4 ++-- ssh_config.5 | 38 +++++++++++++++++++++++++++++--------- sshd_config.5 | 15 +++++++++++---- 5 files changed, 72 insertions(+), 29 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 4a3ee6670..f31d44bcd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,10 @@ [clientloop.c] mention optional bind_address in runtime port forwarding setup command-line help. patch from santhi.amirta AT gmail.com + - stevesk@cvs.openbsd.org 2006/07/02 17:12:58 + [ssh.1 ssh.c ssh_config.5 sshd_config.5] + more details and clarity for tun(4) device forwarding; ok and help + jmc@ 20060706 - (dtucker) [configure.ac] Try AIX blibpath test in different order when @@ -4741,4 +4745,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4361 2006/07/10 10:16:12 djm Exp $ +$Id: ChangeLog,v 1.4362 2006/07/10 10:16:27 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 874a5d2fe..4067a9362 100644 --- a/ssh.1 +++ b/ssh.1 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.260 2006/05/29 16:13:23 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.261 2006/07/02 17:12:58 stevesk Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -78,7 +78,8 @@ .Oc .Op Fl S Ar ctl_path .Bk -words -.Op Fl w Ar tunnel : Ns Ar tunnel +.Oo Fl w Ar local_tun Ns +.Op : Ns Ar remote_tun Oc .Oo Ar user Ns @ Oc Ns Ar hostname .Op Ar command .Ek @@ -588,24 +589,35 @@ Multiple .Fl v options increase the verbosity. The maximum is 3. -.It Fl w Ar tunnel : Ns Ar tunnel -Requests a +.It Fl w Xo +.Ar local_tun Ns Op : Ns Ar remote_tun +.Xc +Requests +tunnel +device forwarding with the specified .Xr tun 4 -device on the client -(first -.Ar tunnel -arg) -and server -(second -.Ar tunnel -arg). +devices between the client +.Pq Ar local_tun +and the server +.Pq Ar remote_tun . +.Pp The devices may be specified by numerical ID or the keyword .Dq any , which uses the next available tunnel device. +If +.Ar remote_tun +is not specified, it defaults to +.Dq any . See also the .Cm Tunnel -directive in +and +.Cm TunnelDevice +directives in .Xr ssh_config 5 . +If the +.Cm Tunnel +directive is unset, it is set to the default tunnel mode, which is +.Dq point-to-point . .It Fl X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file. diff --git a/ssh.c b/ssh.c index 01303dc97..9d50e42fd 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.276 2006/04/25 08:02:27 dtucker Exp $ */ +/* $OpenBSD: ssh.c,v 1.277 2006/07/02 17:12:58 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -176,7 +176,7 @@ usage(void) " [-i identity_file] [-L [bind_address:]port:host:hostport]\n" " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" " [-R [bind_address:]port:host:hostport] [-S ctl_path]\n" -" [-w tunnel:tunnel] [user@]hostname [command]\n" +" [-w local_tun[:remote_tun]] [user@]hostname [command]\n" ); exit(255); } diff --git a/ssh_config.5 b/ssh_config.5 index 0d40fd63e..68ec311b2 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.94 2006/05/29 16:10:03 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.95 2006/07/02 17:12:58 stevesk Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
@@ -931,24 +931,44 @@ This is important in scripts, and many users want it too. To disable TCP keepalive messages, the value should be set to .Dq no . .It Cm Tunnel -Request starting +Request .Xr tun 4 device forwarding between the client and the server. -This option also allows requesting layer 2 (ethernet) -instead of layer 3 (point-to-point) tunneling from the server. The argument must be .Dq yes , -.Dq point-to-point , -.Dq ethernet , +.Dq point-to-point +(layer 3), +.Dq ethernet +(layer 2), or .Dq no . +Specifying +.Dq yes +requests the default tunnel mode, which is +.Dq point-to-point . The default is .Dq no . .It Cm TunnelDevice -Force a specified +Specifies the .Xr tun 4 -device on the client. -Without this option, the next available device will be used. +devices to open on the client +.Pq Ar local_tun +and the server +.Pq Ar remote_tun . +.Pp +The argument must be +.Sm off +.Ar local_tun Op : Ar remote_tun . +.Sm on +The devices may be specified by numerical ID or the keyword +.Dq any , +which uses the next available tunnel device. +If +.Ar remote_tun +is not specified, it defaults to +.Dq any . +The default is +.Dq any:any . .It Cm UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be diff --git a/sshd_config.5 b/sshd_config.5 index aad28f4c8..836add94f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.57 2006/03/14 16:32:48 markus Exp $ +.\" $OpenBSD: sshd_config.5,v 1.58 2006/07/02 17:12:58 stevesk Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os 
@@ -537,10 +537,17 @@ Specifies whether device forwarding is allowed. The argument must be .Dq yes , -.Dq point-to-point , -.Dq ethernet , -or +.Dq point-to-point +(layer 3), +.Dq ethernet +(layer 2), or .Dq no . +Specifying +.Dq yes +permits both +.Dq point-to-point +and +.Dq ethernet . The default is .Dq no . .It Cm PermitUserEnvironment -- cgit v1.2.3 From 917f9b6b6eb560e205a787bd8f38d4b9741c9a9f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 10 Jul 2006 20:36:47 +1000 Subject: - djm@cvs.openbsd.org 2006/07/06 10:47:05 [servconf.c servconf.h session.c sshd_config.5] support arguments to Subsystem commands; ok markus@ --- ChangeLog | 5 ++++- servconf.c | 14 +++++++++++++- servconf.h | 3 ++- session.c | 11 ++++++----- sshd_config.5 | 6 +++--- 5 files changed, 28 insertions(+), 11 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 70f96ef77..2e45ea652 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,9 @@ [serverloop.c sshconnect.c uuencode.c] move #include out of includes.h; ok deraadt@ (also ssh-rand-helper.c logintest.c loginrec.c) + - djm@cvs.openbsd.org 2006/07/06 10:47:05 + [servconf.c servconf.h session.c sshd_config.5] + support arguments to Subsystem commands; ok markus@ 20060706 - (dtucker) [configure.ac] Try AIX blibpath test in different order when @@ -4768,4 +4771,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4368 2006/07/10 10:35:38 djm Exp $ +$Id: ChangeLog,v 1.4369 2006/07/10 10:36:47 djm Exp $ diff --git a/servconf.c b/servconf.c index 43372e20f..af0ad1a35 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.150 2006/03/25 13:17:02 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.151 2006/07/06 10:47:05 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -446,6 +446,7 @@ process_server_config_line(ServerOptions *options, char *line, ServerOpCodes opcode; u_short port; u_int i; + size_t len; cp = line; if ((arg = strdelim(&cp)) == NULL) @@ -901,6 +902,17 @@ parse_flag: fatal("%s line %d: Missing subsystem command.", filename, linenum); options->subsystem_command[options->num_subsystems] = xstrdup(arg); + + /* Collect arguments (separate to executable) */ + p = xstrdup(arg); + len = strlen(p) + 1; + while ((arg = strdelim(&cp)) != NULL && *arg != '\0') { + len += 1 + strlen(arg); + p = xrealloc(p, 1, len); + strlcat(p, " ", len); + strlcat(p, arg, len); + } + options->subsystem_args[options->num_subsystems] = p; options->num_subsystems++; break; diff --git a/servconf.h b/servconf.h index 73604a98e..671050e4c 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.73 2006/03/25 22:22:43 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.74 2006/07/06 10:47:05 djm Exp $ */ /* * Author: Tatu Ylonen @@ -111,6 +111,7 @@ typedef struct { u_int num_subsystems; char *subsystem_name[MAX_SUBSYSTEMS]; char *subsystem_command[MAX_SUBSYSTEMS]; + char *subsystem_args[MAX_SUBSYSTEMS]; u_int num_accept_env; char *accept_env[MAX_ACCEPT_ENV]; diff --git a/session.c b/session.c index cb0e8267c..899c3a16b 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.204 2006/07/02 22:45:59 stevesk Exp $ */ +/* $OpenBSD: session.c,v 1.205 2006/07/06 10:47:05 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1841,7 +1841,7 @@ session_subsystem_req(Session *s) struct stat st; u_int len; int success = 0; - char *cmd, *subsys = packet_get_string(&len); + char *prog, *cmd, *subsys = packet_get_string(&len); u_int i; packet_check_eom(); 
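Review bot: the argument-collection loop added to process_server_config_line() re-joins the tokens returned by strdelim() with single spaces, and strdelim() (see the quoting change to misc.c earlier on this page) has already removed any double quotes, so a quoted argument such as `"two words"` is stored in subsystem_args as `two words` with nothing marking the original boundary, and the quoting that the earlier commit introduced is lost for exactly the option it would be most useful for; either re-quote tokens that contain whitespace when appending them, or document that Subsystem arguments cannot contain spaces. Also, the name `subsystem_args` is misleading because the string begins with the executable itself (it is initialised from `p = xstrdup(arg)` before the loop and session.c below uses it as the full command); a comment next to the new field in servconf.h, or a name such as subsystem_cmdline, would spare the next reader a trip to session.c.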
@@ -1849,9 +1849,10 @@ session_subsystem_req(Session *s) for (i = 0; i < options.num_subsystems; i++) { if (strcmp(subsys, options.subsystem_name[i]) == 0) { - cmd = options.subsystem_command[i]; - if (stat(cmd, &st) < 0) { - error("subsystem: cannot stat %s: %s", cmd, + prog = options.subsystem_command[i]; + cmd = options.subsystem_args[i]; + if (stat(prog, &st) < 0) { + error("subsystem: cannot stat %s: %s", prog, strerror(errno)); break; } diff --git a/sshd_config.5 b/sshd_config.5 index 836add94f..3b639b17d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.58 2006/07/02 17:12:58 stevesk Exp $ +.\" $OpenBSD: sshd_config.5,v 1.59 2006/07/06 10:47:05 djm Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -643,8 +643,8 @@ The default is .Dq yes . .It Cm Subsystem Configures an external subsystem (e.g. file transfer daemon). -Arguments should be a subsystem name and a command to execute upon subsystem -request. +Arguments should be a subsystem name and a command (with optional arguments) +to execute upon subsystem request. The command .Xr sftp-server 8 implements the -- cgit v1.2.3 From 4515047e47f26377a46f480ed5929e8ccfa18720 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Wed, 12 Jul 2006 22:34:17 +1000 Subject: - dtucker@cvs.openbsd.org 2006/07/12 11:34:58 [sshd.c servconf.h servconf.c sshd_config.5 auth.c] Add support for conditional directives to sshd_config via a "Match" keyword, which works similarly to the "Host" directive in ssh_config. Lines after a Match line override the default set in the main section if the condition on the Match line is true, eg AllowTcpForwarding yes Match User anoncvs AllowTcpForwarding no will allow port forwarding by all users except "anoncvs". Currently only a very small subset of directives are supported. ok djm@ --- ChangeLog | 14 ++- auth.c | 5 +- servconf.c | 356 ++++++++++++++++++++++++++++++++++++++++++---------------- servconf.h | 11 +- sshd.c | 17 ++- sshd_config.5 | 23 +++- 6 files changed, 314 insertions(+), 112 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 2710249f2..5d86e4451 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,18 @@ - stevesk@cvs.openbsd.org 2006/07/11 20:27:56 [authfile.c ssh.c] need here also (it's also included in ) + - dtucker@cvs.openbsd.org 2006/07/12 11:34:58 + [sshd.c servconf.h servconf.c sshd_config.5 auth.c] + Add support for conditional directives to sshd_config via a "Match" + keyword, which works similarly to the "Host" directive in ssh_config. + Lines after a Match line override the default set in the main section + if the condition on the Match line is true, eg + AllowTcpForwarding yes + Match User anoncvs + AllowTcpForwarding no + will allow port forwarding by all users except "anoncvs". + Currently only a very small subset of directives are supported. + ok djm@ 20060711 - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c 
@@ -4892,4 +4904,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4399 2006/07/12 12:24:22 dtucker Exp $ +$Id: ChangeLog,v 1.4400 2006/07/12 12:34:17 dtucker Exp $ diff --git a/auth.c b/auth.c index e5ddc79da..3bca8dc21 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.70 2006/07/11 20:07:25 stevesk Exp $ */ +/* $OpenBSD: auth.c,v 1.71 2006/07/12 11:34:58 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -467,6 +467,9 @@ getpwnamallow(const char *user) #endif struct passwd *pw; + parse_server_match_config(&options, user, + get_canonical_hostname(options.use_dns), get_remote_ipaddr()); + pw = getpwnam(user); if (pw == NULL) { logit("Invalid user %.100s from %.100s", diff --git a/servconf.c b/servconf.c index c5b933ab9..42ec340f3 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.152 2006/07/08 21:47:12 stevesk Exp $ */ +/* $OpenBSD: servconf.c,v 1.153 2006/07/12 11:34:58 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -25,12 +25,14 @@ #include "cipher.h" #include "kex.h" #include "mac.h" +#include "match.h" static void add_listen_addr(ServerOptions *, char *, u_short); static void add_one_listen_addr(ServerOptions *, char *, u_short); /* Use of privilege separation or not */ extern int use_privsep; +extern Buffer cfg; /* Initializes the server options to their default values. */ @@ -105,9 +107,6 @@ initialize_server_options(ServerOptions *options) options->authorized_keys_file2 = NULL; options->num_accept_env = 0; options->permit_tun = -1; - - /* Needs to be accessable in many places */ - use_privsep = -1; } void 
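Review bot: the parse_server_match_config() call added to getpwnamallow() in auth.c runs before getpwnam(), on the user name exactly as the client supplied it, and the host handed to the matcher comes from get_canonical_hostname(options.use_dns); both facts deserve a sentence in sshd_config.5, since "Match User" criteria are evaluated against an unvalidated and possibly non-existent name, and "Match Host" only sees a DNS name when UseDNS is enabled (otherwise it is compared against the address string). Separately, the servconf.c hunk drops `use_privsep = -1;` from initialize_server_options() with no replacement visible in this sshd_config.5-limited view of the commit; please confirm the initialisation moved to sshd.c rather than disappearing, because privilege separation defaulting to an uninitialised value would be a regression.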
@@ -277,110 +276,116 @@ typedef enum { sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, + sMatch, sUsePrivilegeSeparation, sDeprecated, sUnsupported } ServerOpCodes; +#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ +#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ +#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) + /* Textual representation of the tokens. */ static struct { const char *name; ServerOpCodes opcode; + u_int flags; } keywords[] = { /* Portable-specific options */ #ifdef USE_PAM - { "usepam", sUsePAM }, + { "usepam", sUsePAM, SSHCFG_GLOBAL }, #else - { "usepam", sUnsupported }, + { "usepam", sUnsupported, SSHCFG_GLOBAL }, #endif - { "pamauthenticationviakbdint", sDeprecated }, + { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ - { "port", sPort }, - { "hostkey", sHostKeyFile }, - { "hostdsakey", sHostKeyFile }, /* alias */ - { "pidfile", sPidFile }, - { "serverkeybits", sServerKeyBits }, - { "logingracetime", sLoginGraceTime }, - { "keyregenerationinterval", sKeyRegenerationTime }, - { "permitrootlogin", sPermitRootLogin }, - { "syslogfacility", sLogFacility }, - { "loglevel", sLogLevel }, - { "rhostsauthentication", sDeprecated }, - { "rhostsrsaauthentication", sRhostsRSAAuthentication }, - { "hostbasedauthentication", sHostbasedAuthentication }, - { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly }, - { "rsaauthentication", sRSAAuthentication }, - { "pubkeyauthentication", sPubkeyAuthentication }, - { "dsaauthentication", sPubkeyAuthentication }, /* alias */ + { "port", sPort, SSHCFG_GLOBAL }, + { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, + { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ + { "pidfile", sPidFile, SSHCFG_GLOBAL }, + { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL }, + { "logingracetime", 
sLoginGraceTime, SSHCFG_GLOBAL }, + { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL }, + { "permitrootlogin", sPermitRootLogin, SSHCFG_GLOBAL }, + { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, + { "loglevel", sLogLevel, SSHCFG_GLOBAL }, + { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, + { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL }, + { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL }, + { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL }, + { "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL }, + { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, + { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ #ifdef KRB5 - { "kerberosauthentication", sKerberosAuthentication }, - { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, - { "kerberosticketcleanup", sKerberosTicketCleanup }, + { "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL }, + { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, + { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, #ifdef USE_AFS - { "kerberosgetafstoken", sKerberosGetAFSToken }, + { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL }, #else - { "kerberosgetafstoken", sUnsupported }, + { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif #else - { "kerberosauthentication", sUnsupported }, - { "kerberosorlocalpasswd", sUnsupported }, - { "kerberosticketcleanup", sUnsupported }, - { "kerberosgetafstoken", sUnsupported }, + { "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, + { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, + { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif - { "kerberostgtpassing", sUnsupported }, - { "afstokenpassing", sUnsupported }, + { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, + { "afstokenpassing", 
sUnsupported, SSHCFG_GLOBAL }, #ifdef GSSAPI - { "gssapiauthentication", sGssAuthentication }, - { "gssapicleanupcredentials", sGssCleanupCreds }, + { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL }, + { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, #else - { "gssapiauthentication", sUnsupported }, - { "gssapicleanupcredentials", sUnsupported }, + { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, #endif - { "passwordauthentication", sPasswordAuthentication }, - { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, - { "challengeresponseauthentication", sChallengeResponseAuthentication }, - { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ - { "checkmail", sDeprecated }, - { "listenaddress", sListenAddress }, - { "addressfamily", sAddressFamily }, - { "printmotd", sPrintMotd }, - { "printlastlog", sPrintLastLog }, - { "ignorerhosts", sIgnoreRhosts }, - { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, - { "x11forwarding", sX11Forwarding }, - { "x11displayoffset", sX11DisplayOffset }, - { "x11uselocalhost", sX11UseLocalhost }, - { "xauthlocation", sXAuthLocation }, - { "strictmodes", sStrictModes }, - { "permitemptypasswords", sEmptyPasswd }, - { "permituserenvironment", sPermitUserEnvironment }, - { "uselogin", sUseLogin }, - { "compression", sCompression }, - { "tcpkeepalive", sTCPKeepAlive }, - { "keepalive", sTCPKeepAlive }, /* obsolete alias */ - { "allowtcpforwarding", sAllowTcpForwarding }, - { "allowusers", sAllowUsers }, - { "denyusers", sDenyUsers }, - { "allowgroups", sAllowGroups }, - { "denygroups", sDenyGroups }, - { "ciphers", sCiphers }, - { "macs", sMacs }, - { "protocol", sProtocol }, - { "gatewayports", sGatewayPorts }, - { "subsystem", sSubsystem }, - { "maxstartups", sMaxStartups }, - { "maxauthtries", sMaxAuthTries }, - { "banner", sBanner }, - { "usedns", sUseDNS }, - { "verifyreversemapping", sDeprecated }, - { 
"reversemappingcheck", sDeprecated }, - { "clientaliveinterval", sClientAliveInterval }, - { "clientalivecountmax", sClientAliveCountMax }, - { "authorizedkeysfile", sAuthorizedKeysFile }, - { "authorizedkeysfile2", sAuthorizedKeysFile2 }, - { "useprivilegeseparation", sUsePrivilegeSeparation}, - { "acceptenv", sAcceptEnv }, - { "permittunnel", sPermitTunnel }, - { NULL, sBadOption } + { "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL }, + { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, + { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ + { "checkmail", sDeprecated, SSHCFG_GLOBAL }, + { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, + { "addressfamily", sAddressFamily, SSHCFG_GLOBAL }, + { "printmotd", sPrintMotd, SSHCFG_GLOBAL }, + { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, + { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, + { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, + { "x11forwarding", sX11Forwarding, SSHCFG_GLOBAL }, + { "x11displayoffset", sX11DisplayOffset, SSHCFG_GLOBAL }, + { "x11uselocalhost", sX11UseLocalhost, SSHCFG_GLOBAL }, + { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, + { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, + { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL }, + { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, + { "uselogin", sUseLogin, SSHCFG_GLOBAL }, + { "compression", sCompression, SSHCFG_GLOBAL }, + { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, + { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */ + { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL }, + { "allowusers", sAllowUsers, SSHCFG_GLOBAL }, + { "denyusers", sDenyUsers, SSHCFG_GLOBAL }, + { "allowgroups", sAllowGroups, SSHCFG_GLOBAL }, + { "denygroups", sDenyGroups, SSHCFG_GLOBAL }, + { "ciphers", sCiphers, 
SSHCFG_GLOBAL }, + { "macs", sMacs, SSHCFG_GLOBAL }, + { "protocol", sProtocol, SSHCFG_GLOBAL }, + { "gatewayports", sGatewayPorts, SSHCFG_ALL }, + { "subsystem", sSubsystem, SSHCFG_GLOBAL }, + { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, + { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, + { "banner", sBanner, SSHCFG_GLOBAL }, + { "usedns", sUseDNS, SSHCFG_GLOBAL }, + { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, + { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, + { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL }, + { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL }, + { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL }, + { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL }, + { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL }, + { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL }, + { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL }, + { NULL, sBadOption, 0 } }; /* @@ -389,13 +394,15 @@ static struct { static ServerOpCodes parse_token(const char *cp, const char *filename, - int linenum) + int linenum, u_int *flags) { u_int i; for (i = 0; keywords[i].name; i++) - if (strcasecmp(cp, keywords[i].name) == 0) + if (strcasecmp(cp, keywords[i].name) == 0) { + *flags = keywords[i].flags; return keywords[i].opcode; + } error("%s: line %d: Bad configuration option: %s", filename, linenum, cp); 
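Review bot: parse_token() writes `*flags` only when a keyword matches, so on the "Bad configuration option" path the caller's variable keeps whatever it held; process_server_config_line() happens to initialise `flags = 0`, but assigning `*flags = 0` at the top of parse_token() would keep that contract local to the function. In the keywords[] table only allowtcpforwarding and gatewayports carry SSHCFG_ALL, which matches the commit message ("only a very small subset of directives are supported"), but that restriction is what keeps the feature safe to ship, so a comment above the table saying that SSHCFG_GLOBAL entries are meant to be rejected inside a Match block, and that pre-kex options such as Protocol and Ciphers must stay global (as the strategy comment further down already hints), would guide future additions. Minor style: the hostbasedusesnamefrompacketonly, kbdinteractiveauthentication and challengeresponseauthentication entries now exceed 80 columns; wrap them as the rest of the table does.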
@@ -440,15 +447,112 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port) options->listen_addrs = aitop; } +/* + * The strategy for the Match blocks is that the config file is parsed twice. + * + * The first time is at startup. activep is initialized to 1 and the + * directives in the global context are processed and acted on. Hitting a + * Match directive unsets activep and the directives inside the block are + * checked for syntax only. + * + * The second time is after a connection has been established but before + * authentication. activep is initialized to 2 and global config directives + * are ignored since they have already been processed. If the criteria in a + * Match block is met, activep is set and the subsequent directives + * processed and actioned until EOF or another Match block unsets it. Any + * options set are copied into the main server config. + * + * Potential additions/improvements: + * - Add Match support for pre-kex directives, eg Protocol, Ciphers. + * + * - Add a Tag directive (idea from David Leonard) ala pf, eg: + * Match Address 192.168.0.* + * Tag trusted + * Match Group wheel + * Tag trusted + * Match Tag trusted + * AllowTcpForwarding yes + * GatewayPorts clientspecified + * [...] + * + * - Add a PermittedChannelRequests directive + * Match Group shell + * PermittedChannelRequests session,forwarded-tcpip + */ + +static int +match_cfg_line(char **condition, int line, const char *user, const char *host, + const char *address) +{ + int result = 1; + char *arg, *attrib, *cp = *condition; + size_t len; + + if (user == NULL) + debug3("checking syntax for 'Match %s'", cp); + else + debug3("checking match for '%s' user %s host %s addr %s", cp, + user ? user : "(null)", host ? host : "(null)", + address ? 
address : "(null)"); + + while ((attrib = strdelim(&cp)) && *attrib != '\0') { + if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { + error("Missing Match criteria for %s", attrib); + return -1; + } + len = strlen(arg); + if (strcasecmp(attrib, "user") == 0) { + if (!user) { + result = 0; + continue; + } + if (match_pattern_list(user, arg, len, 0) != 1) + result = 0; + else + debug("user %.100s matched 'User %.100s' at " + "line %d", user, arg, line); + } else if (strcasecmp(attrib, "host") == 0) { + if (!host) { + result = 0; + continue; + } + if (match_hostname(host, arg, len) != 1) + result = 0; + else + debug("connection from %.100s matched 'Host " + "%.100s' at line %d", host, arg, line); + } else if (strcasecmp(attrib, "address") == 0) { + debug("address '%s' arg '%s'", address, arg); + if (!address) { + result = 0; + continue; + } + if (match_hostname(address, arg, len) != 1) + result = 0; + else + debug("connection from %.100s matched 'Address " + "%.100s' at line %d", address, arg, line); + } else { + error("Unsupported Match attribute %s", attrib); + return -1; + } + } + if (user != NULL) + debug3("match %sfound", result ? "" : "not "); + *condition = cp; + return result; +} + int process_server_config_line(ServerOptions *options, char *line, - const char *filename, int linenum) + const char *filename, int linenum, int *activep, const char *user, + const char *host, const char *address) { char *cp, **charptr, *arg, *p; - int *intptr, value, n; + int cmdline = 0, *intptr, value, n; ServerOpCodes opcode; u_short port; - u_int i; + u_int i, flags = 0; size_t len; cp = line; 
@@ -461,7 +565,25 @@ process_server_config_line(ServerOptions *options, char *line, return 0; intptr = NULL; charptr = NULL; - opcode = parse_token(arg, filename, linenum); + opcode = parse_token(arg, filename, linenum, &flags); + + if (activep == NULL) { /* We are processing a command line directive */ + cmdline = 1; + activep = &cmdline; + } + if (*activep && opcode != sMatch) + debug3("%s:%d setting %s %s", filename, linenum, arg, cp); + if (*activep == 0 && !(flags & SSHCFG_MATCH)) { + if (user == NULL) { + fatal("%s line %d: Directive '%s' is not allowed " + "within a Match block", filename, linenum, arg); + } else { /* this is a directive we have already processed */ + while (arg) + arg = strdelim(&cp); + return 0; + } + } + switch (opcode) { /* Portable-specific options */ case sUsePAM: @@ -499,7 +621,7 @@ parse_int: fatal("%s line %d: missing integer value.", filename, linenum); value = atoi(arg); - if (*intptr == -1) + if (*activep && *intptr == -1) *intptr = value; break; @@ -579,7 +701,7 @@ parse_filename: if (!arg || *arg == '\0') fatal("%s line %d: missing file name.", filename, linenum); - if (*charptr == NULL) { + if (*activep && *charptr == NULL) { *charptr = tilde_expand_filename(arg, getuid()); /* increase optional counter */ if (intptr != NULL) @@ -630,7 +752,7 @@ parse_flag: else fatal("%s line %d: Bad yes/no argument: %s", filename, linenum, arg); - if (*intptr == -1) + if (*activep && *intptr == -1) *intptr = value; break; @@ -895,6 +1017,10 @@ parse_flag: if (!arg || *arg == '\0') fatal("%s line %d: Missing subsystem name.", filename, linenum); + if (!*activep) { + arg = strdelim(&cp); + break; + } for (i = 0; i < options->num_subsystems; i++) if (strcmp(arg, options->subsystem_name[i]) == 0) fatal("%s line %d: Subsystem '%s' already defined.", 
@@ -977,6 +1103,8 @@ parse_flag: if (options->num_accept_env >= MAX_ACCEPT_ENV) fatal("%s line %d: too many allow env.", filename, linenum); + if (!*activep) + break; options->accept_env[options->num_accept_env++] = xstrdup(arg); } @@ -1004,6 +1132,17 @@ parse_flag: *intptr = value; break; + case sMatch: + if (cmdline) + fatal("Match directive not supported as a command-line " + "option"); + value = match_cfg_line(&cp, linenum, user, host, address); + if (value < 0) + fatal("%s line %d: Bad Match condition", filename, + linenum); + *activep = value; + break; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); @@ -1060,18 +1199,41 @@ load_server_config(const char *filename, Buffer *conf) } void -parse_server_config(ServerOptions *options, const char *filename, Buffer *conf) +parse_server_match_config(ServerOptions *options, const char *user, + const char *host, const char *address) +{ + ServerOptions mo; + + initialize_server_options(&mo); + parse_server_config(&mo, "reprocess config", &cfg, user, host, address); + copy_set_server_options(options, &mo); +} + +/* Copy any (supported) values that are set */ +void +copy_set_server_options(ServerOptions *dst, ServerOptions *src) +{ + if (src->allow_tcp_forwarding != -1) + dst->allow_tcp_forwarding = src->allow_tcp_forwarding; + if (src->gateway_ports != -1) + dst->gateway_ports = src->gateway_ports; +} + +void +parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, + const char *user, const char *host, const char *address) { - int linenum, bad_options = 0; + int active, linenum, bad_options = 0; char *cp, *obuf, *cbuf; debug2("%s: config %s len %d", __func__, filename, buffer_len(conf)); obuf = cbuf = xstrdup(buffer_ptr(conf)); + active = user ? 0 : 1; linenum = 1; while ((cp = strsep(&cbuf, "\n")) != NULL) { if (process_server_config_line(options, cp, filename, - linenum++) != 0) + linenum++, &active, user, host, address) != 0) bad_options++; } xfree(obuf); 
diff --git a/servconf.h b/servconf.h index 671050e4c..a74716e6f 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.74 2006/07/06 10:47:05 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.75 2006/07/12 11:34:58 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -142,8 +142,13 @@ typedef struct { void initialize_server_options(ServerOptions *); void fill_default_server_options(ServerOptions *); -int process_server_config_line(ServerOptions *, char *, const char *, int); +int process_server_config_line(ServerOptions *, char *, const char *, int, + int *, const char *, const char *, const char *); void load_server_config(const char *, Buffer *); -void parse_server_config(ServerOptions *, const char *, Buffer *); +void parse_server_config(ServerOptions *, const char *, Buffer *, + const char *, const char *, const char *); +void parse_server_match_config(ServerOptions *, const char *, const char *, + const char *); +void copy_set_server_options(ServerOptions *, ServerOptions *); #endif /* SERVCONF_H */ diff --git a/sshd.c b/sshd.c index f3fe9d184..497525df8 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.336 2006/07/11 20:07:25 stevesk Exp $ */ +/* $OpenBSD: sshd.c,v 1.337 2006/07/12 11:34:58 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -219,12 +219,15 @@ int *startup_pipes = NULL; int startup_pipe; /* in child */ /* variables used for privilege separation */ -int use_privsep; +int use_privsep = -1; struct monitor *pmonitor = NULL; /* global authentication context */ Authctxt *the_authctxt = NULL; +/* sshd_config buffer */ +Buffer cfg; + /* message to be displayed after login */ Buffer loginmsg; @@ -916,7 +919,6 @@ main(int ac, char **av) Key *key; Authctxt *authctxt; int ret, key_used = 0; - Buffer cfg; #ifdef HAVE_SECUREWARE (void)set_auth_parameters(ac, av); 
@@ -1036,7 +1038,7 @@ main(int ac, char **av) case 'o': line = xstrdup(optarg); if (process_server_config_line(&options, line, - "command-line", 0) != 0) + "command-line", 0, NULL, NULL, NULL, NULL) != 0) exit(1); xfree(line); break; @@ -1094,11 +1096,8 @@ main(int ac, char **av) else load_server_config(config_file_name, &cfg); - parse_server_config(&options, - rexeced_flag ? "rexec" : config_file_name, &cfg); - - if (!rexec_flag) - buffer_free(&cfg); + parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, + &cfg, NULL, NULL, NULL); seed_rng(); diff --git a/sshd_config.5 b/sshd_config.5 index 3b639b17d..0b2646027 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.59 2006/07/06 10:47:05 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.60 2006/07/12 11:34:58 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -463,6 +463,27 @@ for data integrity protection. Multiple algorithms must be comma-separated. The default is: .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . +.It Cm Match +Introduces a conditional block. Keywords on lines following a +.Cm Match +block are only applied if all of the criteria on the +.Cm Match +are satisfied. +The the arguments to +.Cm Match +block are one or more criteria-pattern pairs. +The available criteria are +.Cm User , +.Cm Host , +and +.Cm Address . +Only a subset of keywords may be used on the lines following a +.Cm Match +keyword. +Available keywords are +.Cm AllowTcpForwarding , +and +.Cm GatewayPorts . .It Cm MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection. -- cgit v1.2.3 From d04f357ac24a6d40176cd53e58d0256b5130d98e Mon Sep 17 00:00:00 2001 
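Review bot: the keyword table in the servconf.c hunk gains a flags column, but in the portion shown (from `passwordauthentication` down to the `{ NULL, sBadOption, 0 }` sentinel) there is no entry mapping the `match` keyword to `sMatch`, and the later servconf.c hunk in this series adds `{ "match", sMatch, SSHCFG_ALL },` as a new line, which suggests it is missing here; without it `parse_token()` can never return `sMatch` and the new `case sMatch:` is unreachable from a config file. Whatever flag value is used for it must include the SSHCFG_MATCH bit, otherwise a second `Match` line inside an inactive block is rejected by the `*activep == 0 && !(flags & SSHCFG_MATCH)` check instead of starting a new block.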
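Review bot: in the `address` branch of `match_cfg_line()` the line `debug("address '%s' arg '%s'", address, arg);` runs before the `if (!address)` check, so on the startup syntax-check pass (where user, host and address are all NULL) it formats a NULL pointer with `%s`, and it logs unconditionally at debug level 1 while the `user` and `host` branches only log on a match; drop it, or move it after the NULL check as a `debug3()` like the "checking match" message. The sshd_config.5 hunk should also say that `Address` is matched with the same `match_hostname()` wildcard matcher as `Host`, i.e. as a textual pattern such as the `192.168.0.*` in the strategy comment, not as an address/netmask.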
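Review bot: `copy_set_server_options()` in the servconf.c hunk copies only `allow_tcp_forwarding` and `gateway_ports`, so the set of keywords flagged SSHCFG_ALL in the keyword table and the set copied here have to be kept in sync by hand; a keyword given SSHCFG_ALL later without a matching copy would be accepted inside a `Match` block and then silently have no effect. A comment at each site pointing at the other would help, and `parse_server_match_config()` should note that `mo` is expected to hold only scalar options, since nothing frees strings that a `parse_filename`-style setter would allocate into it.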
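Review bot: the new `Match` entry in the sshd_config.5 hunk has a doubled word in `The the arguments to` and a stray comma in the two-item list `.Cm AllowTcpForwarding ,` / `and` / `.Cm GatewayPorts .`; beyond that it does not say what form the pattern for each criterion takes, that a `Match` line also ends the block started by a previous one, or what happens when more than one block matches a connection, all of which an admin needs in order to write a restrictive config safely.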
From: Damien Miller Date: Mon, 24 Jul 2006 13:46:50 +1000 Subject: - jmc@cvs.openbsd.org 2006/07/12 13:39:55 [sshd_config.5] - new sentence, new line - s/The the/The/ - kill a bad comma --- ChangeLog | 10 +++++++++- sshd_config.5 | 9 +++++---- 2 files changed, 14 insertions(+), 5 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 1945b8cd4..4f75fe5b1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +20060724 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2006/07/12 13:39:55 + [sshd_config.5] + - new sentence, new line + - s/The the/The/ + - kill a bad comma + 20060713 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h @@ -4915,4 +4923,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4407 2006/07/12 22:45:14 dtucker Exp $ +$Id: ChangeLog,v 1.4408 2006/07/24 03:46:50 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 0b2646027..4db92814c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.60 2006/07/12 11:34:58 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.61 2006/07/12 13:39:55 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -464,12 +464,13 @@ Multiple algorithms must be comma-separated. The default is: .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . .It Cm Match -Introduces a conditional block. Keywords on lines following a +Introduces a conditional block. +Keywords on lines following a .Cm Match block are only applied if all of the criteria on the .Cm Match are satisfied. -The the arguments to +The arguments to .Cm Match block are one or more criteria-pattern pairs. The available criteria are 
@@ -481,7 +482,7 @@ Only a subset of keywords may be used on the lines following a .Cm Match keyword. Available keywords are -.Cm AllowTcpForwarding , +.Cm AllowTcpForwarding and .Cm GatewayPorts . .It Cm MaxAuthTries -- cgit v1.2.3 From 9b439df18a9d56683584811ce38dcf72acd4cb20 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 24 Jul 2006 14:04:00 +1000 Subject: - dtucker@cvs.openbsd.org 2006/07/17 12:06:00 [channels.c channels.h servconf.c sshd_config.5] Add PermitOpen directive to sshd_config which is equivalent to the "permitopen" key option. Allows server admin to allow TCP port forwarding only two specific host/port pairs. Useful when combined with Match. If permitopen is used in both sshd_config and a key option, both must allow a given connection before it will be permitted. Note that users can still use external forwarders such as netcat, so to be those must be controlled too for the limits to be effective. Feedback & ok djm@, man page corrections & ok jmc@. --- ChangeLog | 13 ++++++++++++- channels.c | 50 +++++++++++++++++++++++++++++++++++++++++++++----- channels.h | 4 +++- servconf.c | 29 +++++++++++++++++++++++++++-- sshd_config.5 | 36 +++++++++++++++++++++++++++++++++--- 5 files changed, 120 insertions(+), 12 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index c3069df12..2e28a43f8 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -26,6 +26,17 @@ - dtucker@cvs.openbsd.org 2006/07/17 12:02:24 [auth-options.c] Use '\0' rather than 0 to terminates strings; ok djm@ + - dtucker@cvs.openbsd.org 2006/07/17 12:06:00 + [channels.c channels.h servconf.c sshd_config.5] + Add PermitOpen directive to sshd_config which is equivalent to the + "permitopen" key option. Allows server admin to allow TCP port + forwarding only two specific host/port pairs. Useful when combined + with Match. + If permitopen is used in both sshd_config and a key option, both + must allow a given connection before it will be permitted. + Note that users can still use external forwarders such as netcat, + so to be those must be controlled too for the limits to be effective. + Feedback & ok djm@, man page corrections & ok jmc@. 20060713 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h @@ -4944,4 +4955,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4414 2006/07/24 04:01:43 djm Exp $ +$Id: ChangeLog,v 1.4415 2006/07/24 04:04:00 djm Exp $ diff --git a/channels.c b/channels.c index fbbae9ed7..9aaf7e9d7 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.256 2006/07/17 01:31:09 stevesk Exp $ */ +/* $OpenBSD: channels.c,v 1.257 2006/07/17 12:06:00 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -106,11 +106,18 @@ typedef struct { u_short listen_port; /* Remote side should listen port number. */ } ForwardPermission; -/* List of all permitted host/port pairs to connect. */ +/* List of all permitted host/port pairs to connect by the user. */ static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; -/* Number of permitted host/port pairs in the array. */ +/* List of all permitted host/port pairs to connect by the admin. */ +static ForwardPermission permitted_adm_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; + +/* Number of permitted host/port pairs in the array permitted by the user. */ static int num_permitted_opens = 0; + +/* Number of permitted host/port pair in the array permitted by the admin. */ +static int num_adm_permitted_opens = 0; + /* * If this is true, all opens are permitted. This is the case on the server * on which we have to trust the client anyway, and the user could do @@ -2646,6 +2653,19 @@ channel_add_permitted_opens(char *host, int port) all_opens_permitted = 0; } +void +channel_add_adm_permitted_opens(char *host, int port) +{ + if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) + fatal("channel_add_adm_permitted_opens: too many forwards"); + debug("allow port forwarding to host %s port %d", host, port); + + permitted_adm_opens[num_adm_permitted_opens].host_to_connect + = xstrdup(host); + permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port; + num_adm_permitted_opens++; +} + void channel_clear_permitted_opens(void) { @@ -2655,7 +2675,17 @@ channel_clear_permitted_opens(void) if (permitted_opens[i].host_to_connect != NULL) xfree(permitted_opens[i].host_to_connect); num_permitted_opens = 0; +} + +void +channel_clear_adm_permitted_opens(void) +{ + int i; + for (i = 0; i < num_adm_permitted_opens; i++) + if (permitted_adm_opens[i].host_to_connect != NULL) + xfree(permitted_adm_opens[i].host_to_connect); + num_adm_permitted_opens = 0; } /* return socket to remote host, port */ 
@@ -2734,7 +2764,7 @@ channel_connect_by_listen_address(u_short listen_port) int channel_connect_to(const char *host, u_short port) { - int i, permit; + int i, permit, permit_adm = 1; permit = all_opens_permitted; if (!permit) { @@ -2743,9 +2773,19 @@ channel_connect_to(const char *host, u_short port) permitted_opens[i].port_to_connect == port && strcmp(permitted_opens[i].host_to_connect, host) == 0) permit = 1; + } + if (num_adm_permitted_opens > 0) { + permit_adm = 0; + for (i = 0; i < num_adm_permitted_opens; i++) + if (permitted_adm_opens[i].host_to_connect != NULL && + permitted_adm_opens[i].port_to_connect == port && + strcmp(permitted_adm_opens[i].host_to_connect, host) + == 0) + permit_adm = 1; } - if (!permit) { + + if (!permit || !permit_adm) { logit("Received request to connect to host %.100s port %d, " "but the request was denied.", host, port); return -1; diff --git a/channels.h b/channels.h index d21319a2b..c473b730c 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.85 2006/07/11 18:50:47 markus Exp $ */ +/* $OpenBSD: channels.h,v 1.86 2006/07/17 12:06:00 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -207,7 +207,9 @@ int channel_find_open(void); void channel_set_af(int af); void channel_permit_all_opens(void); void channel_add_permitted_opens(char *, int); +void channel_add_adm_permitted_opens(char *, int); void channel_clear_permitted_opens(void); +void channel_clear_adm_permitted_opens(void); int channel_input_port_forward_request(int, int); int channel_connect_to(const char *, u_short); int channel_connect_by_listen_address(u_short); diff --git a/servconf.c b/servconf.c index 330e79143..4f5cb19db 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.155 2006/07/17 01:31:09 stevesk Exp $ */ +/* $OpenBSD: servconf.c,v 1.156 2006/07/17 12:06:00 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -31,6 +31,7 @@ #include "kex.h" #include "mac.h" #include "match.h" +#include "channels.h" static void add_listen_addr(ServerOptions *, char *, u_short); static void add_one_listen_addr(ServerOptions *, char *, u_short); @@ -281,7 +282,7 @@ typedef enum { sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, - sMatch, + sMatch, sPermitOpen, sUsePrivilegeSeparation, sDeprecated, sUnsupported } ServerOpCodes; @@ -390,6 +391,8 @@ static struct { { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL }, { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL }, { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL }, + { "match", sMatch, SSHCFG_ALL }, + { "permitopen", sPermitOpen, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; @@ -1148,6 +1151,28 @@ parse_flag: *activep = value; break; + case sPermitOpen: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing PermitOpen specification", + filename, linenum); + if (strcmp(arg, "any") == 0) { + if (*activep) + channel_clear_adm_permitted_opens(); + break; + } + p = hpdelim(&arg); + if (p == NULL) + fatal("%s line %d: missing host in PermitOpen", + filename, linenum); + p = cleanhostname(p); + if (arg == NULL || (port = a2port(arg)) == 0) + fatal("%s line %d: bad port number in PermitOpen", + filename, linenum); + if (*activep) + channel_add_adm_permitted_opens(p, port); + break; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); diff --git a/sshd_config.5 b/sshd_config.5 index 4db92814c..c9515234d 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.61 2006/07/12 13:39:55 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.62 2006/07/17 12:06:00 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -482,9 +482,10 @@ Only a subset of keywords may be used on the lines following a .Cm Match keyword. Available keywords are -.Cm AllowTcpForwarding +.Cm AllowTcpForwarding , +.Cm GatewayPorts , and -.Cm GatewayPorts . +.Cm PermitOpen . .It Cm MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection. @@ -524,6 +525,35 @@ When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is .Dq no . +.It Cm PermitOpen +Specifies the destinations to which TCP port forwarding is permitted. +The forwarding specification must be one of the following forms: +.Pp +.Bl -item -offset indent -compact +.It +.Cm PermitOpen +.Sm off +.Ar host : port +.Sm on +.It +.Cm PermitOpen +.Sm off +.Ar IPv4_addr : port +.Sm on +.It +.Cm PermitOpen +.Sm off +.Ar \&[ IPv6_addr \&] : port +.Sm on +.El +.Pp +Multiple instances of +.Cm PermitOpen +are permitted. +An argument of +.Dq any +can be used to remove all restrictions and permit any forwarding requests. +By default all port forward requests are permitted. .It Cm PermitRootLogin Specifies whether root can log in using .Xr ssh 1 . -- cgit v1.2.3 From 65bc2c402871ef0603b1f99afb323da953212232 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 24 Jul 2006 14:04:16 +1000 Subject: - jmc@cvs.openbsd.org 2006/07/18 07:50:40 [sshd_config.5] tweak; ok dtucker --- ChangeLog | 5 ++++- sshd_config.5 | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 2e28a43f8..bde3e3843 100644 --- a/ChangeLog +++ b/ChangeLog 
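Review bot: in the `channel_connect_to()` hunk the admin list is matched with `strcmp(permitted_adm_opens[i].host_to_connect, host) == 0`, an exact textual comparison against the host string the client requested, so `PermitOpen localhost:80` does not cover a request for `127.0.0.1:80` and vice versa; the sshd_config.5 hunk should state that the host is compared literally. The combined denial `if (!permit || !permit_adm)` also reuses the single "request was denied" log message, so an admin cannot tell from the log whether the key option or `PermitOpen` rejected the request; logging which check failed would make the new directive much easier to troubleshoot.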
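Review bot: in the `case sPermitOpen:` hunk the directive acts directly on channels.c state through `channel_add_adm_permitted_opens(p, port)` instead of recording the value in `ServerOptions`, so it bypasses `copy_set_server_options()`, and because that function appends, `PermitOpen` lines inside a `Match` block add to the global list rather than replacing it; only `PermitOpen any` resets it, via `channel_clear_adm_permitted_opens()`, and it clears the global entries too. That differs from how the other Match-capable keywords behave and should be spelled out in the man page entry rather than left to be discovered.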
@@ -37,6 +37,9 @@ Note that users can still use external forwarders such as netcat, so to be those must be controlled too for the limits to be effective. Feedback & ok djm@, man page corrections & ok jmc@. + - jmc@cvs.openbsd.org 2006/07/18 07:50:40 + [sshd_config.5] + tweak; ok dtucker 20060713 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h @@ -4955,4 +4958,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4415 2006/07/24 04:04:00 djm Exp $ +$Id: ChangeLog,v 1.4416 2006/07/24 04:04:16 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index c9515234d..5f14f2017 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.62 2006/07/17 12:06:00 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.63 2006/07/18 07:50:40 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -553,7 +553,7 @@ are permitted. An argument of .Dq any can be used to remove all restrictions and permit any forwarding requests. -By default all port forward requests are permitted. +By default all port forwarding requests are permitted. .It Cm PermitRootLogin Specifies whether root can log in using .Xr ssh 1 . -- cgit v1.2.3 From 393821ad720050c014ef2dc62c519f66684c099c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 24 Jul 2006 14:04:53 +1000 Subject: - jmc@cvs.openbsd.org 2006/07/18 08:03:09 [ssh-agent.1 sshd_config.5] mark up angle brackets; --- ChangeLog | 5 ++++- ssh-agent.1 | 6 +++--- sshd_config.5 | 4 ++-- 3 files changed, 9 insertions(+), 6 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index f29eace14..9bd2a7cbd 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -43,6 +43,9 @@ - jmc@cvs.openbsd.org 2006/07/18 07:56:28 [scp.1] replace DIAGNOSTICS with .Ex; + - jmc@cvs.openbsd.org 2006/07/18 08:03:09 + [ssh-agent.1 sshd_config.5] + mark up angle brackets; 20060713 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h @@ -4961,4 +4964,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4417 2006/07/24 04:04:36 djm Exp $ +$Id: ChangeLog,v 1.4418 2006/07/24 04:04:53 djm Exp $ diff --git a/ssh-agent.1 b/ssh-agent.1 index fd6bd3f6c..f1b877790 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.43 2005/11/28 06:02:56 dtucker Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.44 2006/07/18 08:03:09 jmc Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -70,7 +70,7 @@ The options are as follows: Bind the agent to the unix-domain socket .Ar bind_address . The default is -.Pa /tmp/ssh-XXXXXXXXXX/agent. . +.Pa /tmp/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt . .It Fl c Generate C-shell commands on .Dv stdout . @@ -185,7 +185,7 @@ Contains the protocol version 1 RSA authentication identity of the user. Contains the protocol version 2 DSA authentication identity of the user. .It Pa ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. -.It Pa /tmp/ssh-XXXXXXXXXX/agent. +.It Pa /tmp/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt Unix-domain sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. diff --git a/sshd_config.5 b/sshd_config.5 index 5f14f2017..cbc2176ff 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.63 2006/07/18 07:50:40 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.64 2006/07/18 08:03:09 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -879,7 +879,7 @@ is a positive integer value and is one of the following: .Pp .Bl -tag -width Ds -compact -offset indent -.It Cm +.It Aq Cm none seconds .It Cm s | Cm S seconds -- cgit v1.2.3 From 8c23403b5141b2cc570a8b55805855eea93d875a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 24 Jul 2006 14:05:08 +1000 Subject: - dtucker@cvs.openbsd.org 2006/07/18 08:22:23 [sshd_config.5] Clarify description of Match, with minor correction from jmc@ --- ChangeLog | 5 ++++- sshd_config.5 | 11 ++++++----- 2 files changed, 10 insertions(+), 6 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 9bd2a7cbd..6eda0ee69 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,9 @@ - jmc@cvs.openbsd.org 2006/07/18 08:03:09 [ssh-agent.1 sshd_config.5] mark up angle brackets; + - dtucker@cvs.openbsd.org 2006/07/18 08:22:23 + [sshd_config.5] + Clarify description of Match, with minor correction from jmc@ 20060713 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h @@ -4964,4 +4967,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4418 2006/07/24 04:04:53 djm Exp $ +$Id: ChangeLog,v 1.4419 2006/07/24 04:05:08 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index cbc2176ff..02996a2ed 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.64 2006/07/18 08:03:09 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.65 2006/07/18 08:22:23 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -465,14 +465,15 @@ The default is: .Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 . .It Cm Match Introduces a conditional block. -Keywords on lines following a +If all of the criteria on the .Cm Match -block are only applied if all of the criteria on the +line are satisfied, the keywords on the following lines override those +set in the global section of the config file, until either another .Cm Match -are satisfied. +line or the end of the file. The arguments to .Cm Match -block are one or more criteria-pattern pairs. +are one or more criteria-pattern pairs. The available criteria are .Cm User , .Cm Host , -- cgit v1.2.3 From d1de9950e5ae91584aa955a4f85c9c7579aa76af Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 24 Jul 2006 14:05:48 +1000 Subject: - dtucker@cvs.openbsd.org 2006/07/19 08:56:41 [servconf.c sshd_config.5] Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to Match. ok djm@ --- ChangeLog | 6 +++++- servconf.c | 14 ++++++++++---- sshd_config.5 | 7 +++++-- 3 files changed, 20 insertions(+), 7 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 11e218d4b..e42f8a786 100644 --- a/ChangeLog +++ b/ChangeLog @@ -52,6 +52,10 @@ - stevesk@cvs.openbsd.org 2006/07/18 22:27:55 [dh.c] remove unneeded includes; ok djm@ + - dtucker@cvs.openbsd.org 2006/07/19 08:56:41 + [servconf.c sshd_config.5] + Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to + Match. ok djm@ 20060713 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h 
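Review bot: the new wording in the sshd_config.5 hunk, `the keywords on the following lines override those set in the global section`, is right for a single matching block but leaves open what happens when several `Match` blocks match the same connection; because the setters only assign while the value is still unset (`if (*activep && *intptr == -1)` in the earlier servconf.c hunk, into a freshly initialised `ServerOptions`), the first matching block wins for each keyword and later matching blocks cannot change it. Suggest adding a sentence to that effect so admins place the most specific `Match` first.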
@@ -4970,4 +4974,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4420 2006/07/24 04:05:24 djm Exp $ +$Id: ChangeLog,v 1.4421 2006/07/24 04:05:48 djm Exp $ diff --git a/servconf.c b/servconf.c index 4f5cb19db..bc457eebe 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.156 2006/07/17 12:06:00 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.157 2006/07/19 08:56:41 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -357,9 +357,9 @@ static struct { { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL }, { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL }, { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL }, - { "x11forwarding", sX11Forwarding, SSHCFG_GLOBAL }, - { "x11displayoffset", sX11DisplayOffset, SSHCFG_GLOBAL }, - { "x11uselocalhost", sX11UseLocalhost, SSHCFG_GLOBAL }, + { "x11forwarding", sX11Forwarding, SSHCFG_ALL }, + { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL }, + { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL }, @@ -1247,6 +1247,12 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src) dst->allow_tcp_forwarding = src->allow_tcp_forwarding; if (src->gateway_ports != -1) dst->gateway_ports = src->gateway_ports; + if (src->x11_display_offset != -1) + dst->x11_display_offset = src->x11_display_offset; + if (src->x11_forwarding != -1) + dst->x11_forwarding = src->x11_forwarding; + if (src->x11_use_localhost != -1) + dst->x11_use_localhost = src->x11_use_localhost; } void diff --git a/sshd_config.5 b/sshd_config.5 index 02996a2ed..9196b761e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.65 2006/07/18 08:22:23 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.66 2006/07/19 08:56:41 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -485,8 +485,11 @@ keyword. Available keywords are .Cm AllowTcpForwarding , .Cm GatewayPorts , +.Cm PermitOpen , +.Cm X11DisplayOffset , +.Cm X11Forwarding , and -.Cm PermitOpen . +.Cm X11UseLocalHost . .It Cm MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection. -- cgit v1.2.3 From e275443f66aab6d46356d6940b8a8b291cab4f9e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 24 Jul 2006 14:06:47 +1000 Subject: - dtucker@cvs.openbsd.org 2006/07/19 13:07:10 [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] Add ForceCommand keyword to sshd_config, equivalent to the "command=" key option, man page entry and example in sshd_config. Feedback & ok djm@, man page corrections & ok jmc@ --- ChangeLog | 7 ++++++- servconf.c | 22 ++++++++++++++++++++-- servconf.h | 4 +++- session.c | 10 +++++++--- sshd.8 | 5 ++++- sshd_config | 8 +++++++- sshd_config.5 | 15 ++++++++++++++- 7 files changed, 61 insertions(+), 10 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index e42f8a786..0ae5d3f6c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -56,6 +56,11 @@ [servconf.c sshd_config.5] Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to Match. ok djm@ + - dtucker@cvs.openbsd.org 2006/07/19 13:07:10 + [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] + Add ForceCommand keyword to sshd_config, equivalent to the "command=" + key option, man page entry and example in sshd_config. + Feedback & ok djm@, man page corrections & ok jmc@ 20060713 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h 
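Review bot: the new Match keyword list in sshd_config.5 spells its last entry `X11UseLocalHost`, while the servconf.c table registers `x11uselocalhost` and the ChangeLog entry writes `X11UseLocalhost`; the parser is case-insensitive so the text is not wrong, but the man page should use one spelling for the option so the Match list and the option's own entry stay searchable as the same word.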
@@ -4974,4 +4979,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4421 2006/07/24 04:05:48 djm Exp $ +$Id: ChangeLog,v 1.4422 2006/07/24 04:06:47 djm Exp $ diff --git a/servconf.c b/servconf.c index bc457eebe..e2c1d4458 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.157 2006/07/19 08:56:41 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -113,6 +113,7 @@ initialize_server_options(ServerOptions *options) options->authorized_keys_file2 = NULL; options->num_accept_env = 0; options->permit_tun = -1; + options->adm_forced_command = NULL; } void @@ -282,7 +283,7 @@ typedef enum { sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, - sMatch, sPermitOpen, + sMatch, sPermitOpen, sForceCommand, sUsePrivilegeSeparation, sDeprecated, sUnsupported } ServerOpCodes; @@ -393,6 +394,7 @@ static struct { { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL }, { "match", sMatch, SSHCFG_ALL }, { "permitopen", sPermitOpen, SSHCFG_ALL }, + { "forcecommand", sForceCommand, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; @@ -551,6 +553,8 @@ match_cfg_line(char **condition, int line, const char *user, const char *host, return result; } +#define WHITESPACE " \t\r\n" + int process_server_config_line(ServerOptions *options, char *line, const char *filename, int linenum, int *activep, const char *user, 
@@ -1173,6 +1177,15 @@ parse_flag: channel_add_adm_permitted_opens(p, port); break; + case sForceCommand: + if (cp == NULL) + fatal("%.200s line %d: Missing argument.", filename, + linenum); + len = strspn(cp, WHITESPACE); + if (*activep && options->adm_forced_command == NULL) + options->adm_forced_command = xstrdup(cp + len); + return 0; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); @@ -1247,6 +1260,11 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src) dst->allow_tcp_forwarding = src->allow_tcp_forwarding; if (src->gateway_ports != -1) dst->gateway_ports = src->gateway_ports; + if (src->adm_forced_command != NULL) { + if (dst->adm_forced_command != NULL) + xfree(dst->adm_forced_command); + dst->adm_forced_command = src->adm_forced_command; + } if (src->x11_display_offset != -1) dst->x11_display_offset = src->x11_display_offset; if (src->x11_forwarding != -1) diff --git a/servconf.h b/servconf.h index a74716e6f..41dce7686 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.75 2006/07/12 11:34:58 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -135,6 +135,8 @@ typedef struct { char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; + char *adm_forced_command; + int use_pam; /* Enable auth via PAM */ int permit_tun; diff --git a/session.c b/session.c index 5441a4762..e189acdf2 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.209 2006/07/11 20:07:25 stevesk Exp $ */ +/* $OpenBSD: session.c,v 1.210 2006/07/19 13:07:10 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
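Review bot: in the `sForceCommand` case the early `return 0` is deliberate (the remainder of the line is the command, so the trailing-argument check at the end of the function must be skipped), but it should carry a one-line comment, because every other case reaches that check via `break` and the next reader will assume the `return` is a mistake. In the `copy_set_server_options` hunk the string is handed from `src` to `dst` without clearing `src->adm_forced_command`; that is safe only because the `mo` block in `parse_server_match_config` is never freed, so either add `src->adm_forced_command = NULL;` after the assignment or state in a comment that ownership moves.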
@@ -672,10 +672,14 @@ do_pre_login(Session *s) void do_exec(Session *s, const char *command) { - if (forced_command) { + if (options.adm_forced_command) { + original_command = command; + command = options.adm_forced_command; + debug("Forced command (config) '%.900s'", command); + } else if (forced_command) { original_command = command; command = forced_command; - debug("Forced command '%.900s'", command); + debug("Forced command (key option) '%.900s'", command); } #ifdef SSH_AUDIT_EVENTS diff --git a/sshd.8 b/sshd.8 index 48be5a760..778ea906b 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.232 2006/07/10 16:04:21 jmc Exp $ +.\" $OpenBSD: sshd.8,v 1.233 2006/07/19 13:07:10 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -481,6 +481,9 @@ to restrict certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. +The command originally supplied by the client is available in the +.Ev SSH_ORIGINAL_COMMAND +environment variable. Note that this option applies to shell, command or subsystem execution. .It Cm environment="NAME=value" Specifies that the string is to be added to the environment when diff --git a/sshd_config b/sshd_config index 57f9a17bb..6a3cad886 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ +# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. 
@@ -104,3 +104,9 @@ # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server diff --git a/sshd_config.5 b/sshd_config.5 index 9196b761e..26c895f7a 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.66 2006/07/19 08:56:41 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -283,6 +283,18 @@ See in .Xr ssh_config 5 for more information on patterns. +.It Cm ForceCommand +Forces the execution of the command specified by +.Cm ForceCommand , +ignoring any command supplied by the client. +The command is invoked by using the user's login shell with the -c option. +This applies to shell, command, or subsystem execution. +It is most useful inside a +.Cm Match +block. +The command originally supplied by the client is available in the +.Ev SSH_ORIGINAL_COMMAND +environment variable. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. @@ -484,6 +496,7 @@ Only a subset of keywords may be used on the lines following a keyword. Available keywords are .Cm AllowTcpForwarding , +.Cm ForceCommand , .Cm GatewayPorts , .Cm PermitOpen , .Cm X11DisplayOffset , -- cgit v1.2.3 From a765cf4b66ba116626c317204ac317607fe0c848 Mon Sep 17 00:00:00 2001 
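Review bot: the sshd_config.5 `ForceCommand` entry says the client's command is ignored but not how the option interacts with a `command=` option on the key; the `do_exec` change in session.c makes the configured command win over the key option, and an administrator auditing who can run what needs that precedence stated here and in the sshd.8 `command=` entry. The `Match User anoncvs` example in sshd_config is a good illustration of pairing `ForceCommand` with forwarding switched off; consider pointing at it from the man page entry.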
From: Damien Miller Date: Mon, 24 Jul 2006 14:08:13 +1000 Subject: - dtucker@cvs.openbsd.org 2006/07/21 12:43:36 [channels.c channels.h servconf.c servconf.h sshd_config.5] Make PermitOpen take a list of permitted ports and act more like most other keywords (ie the first match is the effective setting). This also makes it easier to override a previously set PermitOpen. ok djm@ --- ChangeLog | 7 ++++++- channels.c | 8 ++++---- channels.h | 4 ++-- servconf.c | 32 ++++++++++++++++++++------------ servconf.h | 4 +++- sshd_config.5 | 6 ++---- 6 files changed, 37 insertions(+), 24 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 50937e3b3..04fa8c25a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -65,6 +65,11 @@ [auth1.c serverloop.c session.c sshconnect2.c] missed some needed #include when KERBEROS5=no; issue from massimo@cedoc.mo.it + - dtucker@cvs.openbsd.org 2006/07/21 12:43:36 + [channels.c channels.h servconf.c servconf.h sshd_config.5] + Make PermitOpen take a list of permitted ports and act more like most + other keywords (ie the first match is the effective setting). This + also makes it easier to override a previously set PermitOpen. ok djm@ 20060713 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h @@ -4983,4 +4988,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4423 2006/07/24 04:07:35 djm Exp $ +$Id: ChangeLog,v 1.4424 2006/07/24 04:08:13 djm Exp $ diff --git a/channels.c b/channels.c index 9aaf7e9d7..c6c5c8899 100644 --- a/channels.c +++ b/channels.c @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.c,v 1.257 2006/07/17 12:06:00 dtucker Exp $ */ +/* $OpenBSD: channels.c,v 1.258 2006/07/21 12:43:36 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -2653,17 +2653,17 @@ channel_add_permitted_opens(char *host, int port) all_opens_permitted = 0; } -void +int channel_add_adm_permitted_opens(char *host, int port) { if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("channel_add_adm_permitted_opens: too many forwards"); - debug("allow port forwarding to host %s port %d", host, port); + debug("config allows port forwarding to host %s port %d", host, port); permitted_adm_opens[num_adm_permitted_opens].host_to_connect = xstrdup(host); permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port; - num_adm_permitted_opens++; + return ++num_adm_permitted_opens; } void diff --git a/channels.h b/channels.h index c473b730c..ed719f724 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.86 2006/07/17 12:06:00 dtucker Exp $ */ +/* $OpenBSD: channels.h,v 1.87 2006/07/21 12:43:36 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -207,7 +207,7 @@ int channel_find_open(void); void channel_set_af(int af); void channel_permit_all_opens(void); void channel_add_permitted_opens(char *, int); -void channel_add_adm_permitted_opens(char *, int); +int channel_add_adm_permitted_opens(char *, int); void channel_clear_permitted_opens(void); void channel_clear_adm_permitted_opens(void); int channel_input_port_forward_request(int, int); diff --git a/servconf.c b/servconf.c index e2c1d4458..46558b690 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.158 2006/07/19 13:07:10 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.159 2006/07/21 12:43:36 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -113,6 +113,7 @@ initialize_server_options(ServerOptions *options) options->authorized_keys_file2 = NULL; options->num_accept_env = 0; options->permit_tun = -1; + options->num_permitted_opens = -1; options->adm_forced_command = NULL; } 
@@ -1161,20 +1162,27 @@ parse_flag: fatal("%s line %d: missing PermitOpen specification", filename, linenum); if (strcmp(arg, "any") == 0) { - if (*activep) + if (*activep) { channel_clear_adm_permitted_opens(); + options->num_permitted_opens = 0; + } break; } - p = hpdelim(&arg); - if (p == NULL) - fatal("%s line %d: missing host in PermitOpen", - filename, linenum); - p = cleanhostname(p); - if (arg == NULL || (port = a2port(arg)) == 0) - fatal("%s line %d: bad port number in PermitOpen", - filename, linenum); - if (*activep) - channel_add_adm_permitted_opens(p, port); + for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { + p = hpdelim(&arg); + if (p == NULL) + fatal("%s line %d: missing host in PermitOpen", + filename, linenum); + p = cleanhostname(p); + if (arg == NULL || (port = a2port(arg)) == 0) + fatal("%s line %d: bad port number in " + "PermitOpen", filename, linenum); + if (*activep && options->num_permitted_opens == -1) { + channel_clear_adm_permitted_opens(); + options->num_permitted_opens = + channel_add_adm_permitted_opens(p, port); + } + } break; case sForceCommand: diff --git a/servconf.h b/servconf.h index 41dce7686..0add6518d 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.76 2006/07/19 13:07:10 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.77 2006/07/21 12:43:36 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -140,6 +140,8 @@ typedef struct { int use_pam; /* Enable auth via PAM */ int permit_tun; + + int num_permitted_opens; } ServerOptions; void initialize_server_options(ServerOptions *); diff --git a/sshd_config.5 b/sshd_config.5 index 26c895f7a..ff5457dff 100644 --- a/sshd_config.5 +++ b/sshd_config.5 
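Review bot: the `for` loop in the `sPermitOpen` case records only the first forward of a list: `channel_add_adm_permitted_opens()` returns the new count, so `options->num_permitted_opens` becomes 1 after the first iteration and the `== -1` test fails for every later entry, silently reducing `PermitOpen host1:22 host2:22` to `host1:22`. Snapshot the state before the loop (for example `n = options->num_permitted_opens;` and test `n == -1` inside it), and apply the same first-match test to the `any` branch, which as written overrides an earlier `PermitOpen` in the same block, contrary to the first-match semantics the commit message describes.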
@@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.67 2006/07/19 13:07:10 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.68 2006/07/21 12:43:36 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -564,9 +564,7 @@ The forwarding specification must be one of the following forms: .Sm on .El .Pp -Multiple instances of -.Cm PermitOpen -are permitted. +Multiple forwards may be specified by separating them with whitespace. An argument of .Dq any can be used to remove all restrictions and permit any forwarding requests. -- cgit v1.2.3 From 565ca3f60058f22d083572930833aaff2292ac20 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 19 Aug 2006 00:23:15 +1000 Subject: - dtucker@cvs.openbsd.org 2006/08/14 12:40:25 [servconf.c servconf.h sshd_config.5] Add ability to match groups to Match keyword in sshd_config. Feedback djm@, stevesk@, ok stevesk@. --- ChangeLog | 6 +++++- servconf.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++++- servconf.h | 3 ++- sshd_config.5 | 3 ++- 4 files changed, 64 insertions(+), 4 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 674d2b9e3..328f0c116 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,10 @@ Revert previous include file ordering change, for ssh to compile under gcc2 (or until openssl include files are cleaned of parameter names in function prototypes) + - dtucker@cvs.openbsd.org 2006/08/14 12:40:25 + [servconf.c servconf.h sshd_config.5] + Add ability to match groups to Match keyword in sshd_config. Feedback + djm@, stevesk@, ok stevesk@. 20060817 - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c] 
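Review bot: the sshd_config.5 hunk drops "Multiple instances of PermitOpen are permitted" in favour of the whitespace-separated form, but does not say that only the first `PermitOpen` line now takes effect, which is the first-match behaviour this commit introduces in servconf.c; readers used to the old text will expect several lines to accumulate, so add a sentence stating that later `PermitOpen` lines in the same section are ignored.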
@@ -5235,4 +5239,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4488 2006/08/18 14:22:40 djm Exp $ +$Id: ChangeLog,v 1.4489 2006/08/18 14:23:15 djm Exp $ diff --git a/servconf.c b/servconf.c index 5884b95be..1f80de22d 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.164 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -16,6 +16,7 @@ #include #include +#include #include #include #include @@ -37,6 +38,7 @@ #include "mac.h" #include "match.h" #include "channels.h" +#include "groupaccess.h" static void add_listen_addr(ServerOptions *, char *, u_short); static void add_one_listen_addr(ServerOptions *, char *, u_short); 
@@ -496,6 +498,51 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port) * PermittedChannelRequests session,forwarded-tcpip */ +static int +match_cfg_line_group(const char *grps, int line, const char *user) +{ + int result = 0; + u_int ngrps = 0; + char *arg, *p, *cp, *grplist[MAX_MATCH_GROUPS]; + struct passwd *pw; + + /* + * Even if we do not have a user yet, we still need to check for + * valid syntax. + */ + arg = cp = xstrdup(grps); + while ((p = strsep(&cp, ",")) != NULL && *p != '\0') { + if (ngrps >= MAX_MATCH_GROUPS) { + error("line %d: too many groups in Match Group", line); + result = -1; + goto out; + } + grplist[ngrps++] = p; + } + + if (user == NULL) + goto out; + + if ((pw = getpwnam(user)) == NULL) { + debug("Can't match group at line %d because user %.100s does " + "not exist", line, user); + } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { + debug("Can't Match group because user %.100s not in any group " + "at line %d", user, line); + } else if (ga_match(grplist, ngrps) != 1) { + debug("user %.100s does not match group %.100s at line %d", + user, arg, line); + } else { + debug("user %.100s matched group %.100s at line %d", user, + arg, line); + result = 1; + } +out: + ga_free(); + xfree(arg); + return result; +} + static int match_cfg_line(char **condition, int line, const char *user, const char *host, const char *address) @@ -527,6 +574,13 @@ match_cfg_line(char **condition, int line, const char *user, const char *host, else debug("user %.100s matched 'User %.100s' at " "line %d", user, arg, line); + } else if (strcasecmp(attrib, "group") == 0) { + switch (match_cfg_line_group(arg, line, user)) { + case -1: + return -1; + case 0: + result = 0; + } } else if (strcasecmp(attrib, "host") == 0) { if (!host) { result = 0; diff --git a/servconf.h b/servconf.h index 2593b1cd1..ad496f64b 100644 --- a/servconf.h +++ b/servconf.h 
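Review bot: in `match_cfg_line_group()` the `while` condition stops at the first empty element, so a list such as `wheel,,admin` silently drops `admin` instead of rejecting the line; treat an empty group name as a syntax error in the same way as the too-many-groups case, since a typo that quietly widens or narrows a `Match Group` block is hard to spot in a config review. The comment at the top says syntax is checked even without a user, which is the right property for `sshd -t`; it would help to also state that a 0 result means "does not match" (including for an unknown user), so callers never read it as "undecided".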
@@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.78 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -25,6 +25,7 @@ #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ #define MAX_HOSTKEYS 256 /* Max # hostkeys. */ #define MAX_ACCEPT_ENV 256 /* Max # of env vars. */ +#define MAX_MATCH_GROUPS 256 /* Max # of groups for Match. */ /* permit_root_login */ #define PERMIT_NOT_SET -1 diff --git a/sshd_config.5 b/sshd_config.5 index ff5457dff..3c20c1faa 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.68 2006/07/21 12:43:36 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.69 2006/08/14 12:40:25 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -488,6 +488,7 @@ The arguments to are one or more criteria-pattern pairs. The available criteria are .Cm User , +.Cm Group , .Cm Host , and .Cm Address . -- cgit v1.2.3 From b594f38bae891e5149e3c0a7e6d7b4d501b50c01 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 30 Aug 2006 11:06:34 +1000 Subject: - (djm) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2006/08/21 08:14:01 [sshd_config.5] Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@, ok jmc@ djm@ --- ChangeLog | 9 ++++++++- sshd_config.5 | 19 ++++++++++++++++++- 2 files changed, 26 insertions(+), 2 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index de6dce270..62fef2fc0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20060830 + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2006/08/21 08:14:01 + [sshd_config.5] + Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@, + ok jmc@ djm@ + 20060824 - (dtucker) [openbsd-compat/basename.c] Include errno.h. - (dtucker) [openbsd-compat/bsd-misc.c] Add includes needed for select(2) on 
@@ -5299,4 +5306,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4510 2006/08/24 09:55:41 dtucker Exp $ +$Id: ChangeLog,v 1.4511 2006/08/30 01:06:34 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 3c20c1faa..2bcaf2245 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.69 2006/08/14 12:40:25 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.70 2006/08/21 08:14:01 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -335,6 +335,23 @@ This option is similar to and applies to protocol version 2 only. The default is .Dq no . +.It Cm HostbasedUsesNameFromPacketOnly +Specifies whether or not the server will attempt to perform a reverse +name lookup when matching the name in the +.Pa ~/.shosts , +.Pa ~/.rhosts , +and +.Pa /etc/hosts.equiv +files during +.Cm HostbasedAuthentication . +A setting of +.Dq yes +means that +.Xr sshd 8 +uses the name supplied by the client rather than +attempting to resolve the name from the TCP connection itself. +The default is +.Dq no . .It Cm HostKey Specifies a file containing a private host key used by SSH. -- cgit v1.2.3 From d94fc72bcdd7d9f5a4f02c165c34ed3ffc12ed2b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 5 Jan 2007 16:29:30 +1100 Subject: - jmc@cvs.openbsd.org 2007/01/02 09:57:25 [sshd_config.5] do not use lists for SYNOPSIS; from eric s. raymond via brad --- ChangeLog | 6 +++++- sshd_config.5 | 6 ++---- 2 files changed, 7 insertions(+), 5 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 1c893a1d7..1c090460c 100644 --- a/ChangeLog +++ b/ChangeLog 
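Review bot: the new `HostbasedUsesNameFromPacketOnly` entry in sshd_config.5 describes the mechanism but not its trust consequence: with `yes`, the name compared against `~/.shosts`, `~/.rhosts` and `/etc/hosts.equiv` is the one the client supplied, and the only thing binding that name to the connection is the host key check that `HostbasedAuthentication` performs for it. One sentence saying so would let an administrator judge when skipping the reverse lookup is acceptable.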
@@ -25,6 +25,10 @@ [servconf.c] Make "PermitOpen all" first-match within a block to match the way other options work. ok markus@ djm@ + - jmc@cvs.openbsd.org 2007/01/02 09:57:25 + [sshd_config.5] + do not use lists for SYNOPSIS; + from eric s. raymond via brad 20061205 - (djm) [auth.c] Fix NULL pointer dereference in fakepw(). Crash would @@ -2645,4 +2649,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4597 2007/01/05 05:29:02 djm Exp $ +$Id: ChangeLog,v 1.4598 2007/01/05 05:29:30 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 2bcaf2245..53207fd84 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.70 2006/08/21 08:14:01 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.71 2007/01/02 09:57:25 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -42,9 +42,7 @@ .Nm sshd_config .Nd OpenSSH SSH daemon configuration file .Sh SYNOPSIS -.Bl -tag -width Ds -compact -.It Pa /etc/ssh/sshd_config -.El +.Nm /etc/ssh/sshd_config .Sh DESCRIPTION .Xr sshd 8 reads configuration data from -- cgit v1.2.3 From 1629c07c0725fd5cc533c9664b8e8add27a81c69 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Mon, 19 Feb 2007 22:25:37 +1100 Subject: - dtucker@cvs.openbsd.org 2007/02/19 10:45:58 [monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5] Teach Match how handle config directives that are used before authentication. This allows configurations such as permitting password authentication from the local net only while requiring pubkey from offsite. ok djm@, man page bits ok jmc@ --- ChangeLog | 8 +++++- monitor.c | 5 +++- monitor_wrap.c | 20 ++++++++++--- servconf.c | 88 +++++++++++++++++++++++++++++++++++++--------------------- servconf.h | 4 +-- sshd_config.5 | 10 ++++++- 6 files changed, 95 insertions(+), 40 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index c2a22bd1a..ec16391eb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,12 @@ - stevesk@cvs.openbsd.org 2007/02/14 14:32:00 [bufbn.c] typos in comments; ok jmc@ + - dtucker@cvs.openbsd.org 2007/02/19 10:45:58 + [monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5] + Teach Match how handle config directives that are used before + authentication. This allows configurations such as permitting password + authentication from the local net only while requiring pubkey from + offsite. ok djm@, man page bits ok jmc@ 20070128 - (djm) [channels.c serverloop.c] Fix so-called "hang on exit" (bz #52) @@ -2730,4 +2736,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4616 2007/02/19 11:17:28 dtucker Exp $ +$Id: ChangeLog,v 1.4617 2007/02/19 11:25:37 dtucker Exp $ diff --git a/monitor.c b/monitor.c index 48ae46ccc..02f2dc869 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.89 2006/11/07 10:31:31 markus Exp $ */ +/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl 
@@ -642,6 +642,9 @@ mm_answer_pwnamallow(int sock, Buffer *m) #endif buffer_put_cstring(m, pwent->pw_dir); buffer_put_cstring(m, pwent->pw_shell); + buffer_put_string(m, &options, sizeof(options)); + if (options.banner != NULL) + buffer_put_cstring(m, options.banner); out: debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); diff --git a/monitor_wrap.c b/monitor_wrap.c index 3865539df..27cc1c5f1 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.c,v 1.54 2006/08/12 20:46:46 miod Exp $ */ +/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -73,6 +73,7 @@ #include "channels.h" #include "session.h" +#include "servconf.h" /* Imports */ extern int compat20; @@ -207,7 +208,8 @@ mm_getpwnamallow(const char *username) { Buffer m; struct passwd *pw; - u_int pwlen; + u_int len; + ServerOptions *newopts; debug3("%s entering", __func__); @@ -223,8 +225,8 @@ mm_getpwnamallow(const char *username) buffer_free(&m); return (NULL); } - pw = buffer_get_string(&m, &pwlen); - if (pwlen != sizeof(struct passwd)) + pw = buffer_get_string(&m, &len); + if (len != sizeof(struct passwd)) fatal("%s: struct passwd size mismatch", __func__); pw->pw_name = buffer_get_string(&m, NULL); pw->pw_passwd = buffer_get_string(&m, NULL); @@ -234,6 +236,16 @@ mm_getpwnamallow(const char *username) #endif pw->pw_dir = buffer_get_string(&m, NULL); pw->pw_shell = buffer_get_string(&m, NULL); + + /* copy options block as a Match directive may have changed some */ + newopts = buffer_get_string(&m, &len); + if (len != sizeof(*newopts)) + fatal("%s: option block size mismatch", __func__); + if (newopts->banner != NULL) + newopts->banner = buffer_get_string(&m, NULL); + copy_set_server_options(&options, newopts, 1); + xfree(newopts); + buffer_free(&m); return (pw); diff --git a/servconf.c b/servconf.c index 872ff4a87..86949c33f 100644 --- a/servconf.c +++ b/servconf.c 
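Review bot: `mm_answer_pwnamallow()` now sends the whole `ServerOptions` struct by value to the unprivileged child, including every heap pointer it holds, and `mm_getpwnamallow()` re-sends only `banner`; all other pointer members of `newopts` are therefore dangling monitor addresses that `copy_set_server_options(..., 1)` must never dereference. That invariant is enforced only by the `preauth` early return in servconf.c, so add a comment at both ends, and preferably clear the pointer fields that are not re-sent before `buffer_put_string`, so that a future `M_CP_STROPT` placed above the return cannot pick up a monitor pointer and the monitor's heap layout is not handed to the child needlessly.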
@@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.167 2006/12/14 10:01:14 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.168 2007/02/19 10:45:58 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -325,14 +325,14 @@ static struct { { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, { "loglevel", sLogLevel, SSHCFG_GLOBAL }, { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, - { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL }, - { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL }, + { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, + { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL }, - { "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL }, - { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, + { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, + { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ #ifdef KRB5 - { "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL }, + { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, #ifdef USE_AFS @@ -341,7 +341,7 @@ static struct { { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif #else - { "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, 
@@ -349,15 +349,15 @@ static struct { { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, #ifdef GSSAPI - { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL }, + { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, #else - { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, #endif - { "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL }, - { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL }, - { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, + { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, + { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL }, { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ { "checkmail", sDeprecated, SSHCFG_GLOBAL }, { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, @@ -389,7 +389,7 @@ static struct { { "subsystem", sSubsystem, SSHCFG_GLOBAL }, { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, - { "banner", sBanner, SSHCFG_GLOBAL }, + { "banner", sBanner, SSHCFG_ALL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, 
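Review bot: the two keyword-table hunks flip the canonical authentication options to `SSHCFG_ALL` but leave their aliases at `SSHCFG_GLOBAL`: `dsaauthentication` still differs from `pubkeyauthentication`, and `skeyauthentication` from `challengeresponseauthentication`, so the same setting is accepted or rejected inside a `Match` block depending on which spelling the administrator uses. Either move the aliases to `SSHCFG_ALL` as well or note in the table that aliases are intentionally global-only.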
@@ -1317,30 +1317,56 @@ parse_server_match_config(ServerOptions *options, const char *user, initialize_server_options(&mo); parse_server_config(&mo, "reprocess config", &cfg, user, host, address); - copy_set_server_options(options, &mo); + copy_set_server_options(options, &mo, 0); } -/* Copy any (supported) values that are set */ +/* Helper macros */ +#define M_CP_INTOPT(n) do {\ + if (src->n != -1) \ + dst->n = src->n; \ +} while (0) +#define M_CP_STROPT(n) do {\ + if (src->n != NULL) { \ + if (dst->n != NULL) \ + xfree(dst->n); \ + dst->n = src->n; \ + } \ +} while(0) + +/* + * Copy any supported values that are set. + * + * If the preauth flag is set, we do not bother copying the the string or + * array values that are not used pre-authentication, because any that we + * do use must be explictly sent in mm_getpwnamallow(). + */ void -copy_set_server_options(ServerOptions *dst, ServerOptions *src) +copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) { - if (src->allow_tcp_forwarding != -1) - dst->allow_tcp_forwarding = src->allow_tcp_forwarding; - if (src->gateway_ports != -1) - dst->gateway_ports = src->gateway_ports; - if (src->adm_forced_command != NULL) { - if (dst->adm_forced_command != NULL) - xfree(dst->adm_forced_command); - dst->adm_forced_command = src->adm_forced_command; - } - if (src->x11_display_offset != -1) - dst->x11_display_offset = src->x11_display_offset; - if (src->x11_forwarding != -1) - dst->x11_forwarding = src->x11_forwarding; - if (src->x11_use_localhost != -1) - dst->x11_use_localhost = src->x11_use_localhost; + M_CP_INTOPT(password_authentication); + M_CP_INTOPT(gss_authentication); + M_CP_INTOPT(rsa_authentication); + M_CP_INTOPT(pubkey_authentication); + M_CP_INTOPT(kerberos_authentication); + M_CP_INTOPT(hostbased_authentication); + M_CP_INTOPT(kbd_interactive_authentication); + M_CP_INTOPT(challenge_response_authentication); + + M_CP_INTOPT(allow_tcp_forwarding); + M_CP_INTOPT(gateway_ports); + 
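Review bot: `M_CP_STROPT` moves the heap string from `src` to `dst` without nulling `src->n`, so whichever options block is freed first leaves the other holding a dangling pointer; add `src->n = NULL;` inside the macro. `M_CP_INTOPT` depends on every int option it is applied to being initialised to -1 in `initialize_server_options()`, which holds for the options listed here but should be stated in the comment, since an option initialised to 0 would be silently mis-copied. The comment above the function also has two typos, "the the" and "explictly".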
M_CP_INTOPT(x11_display_offset); + M_CP_INTOPT(x11_forwarding); + M_CP_INTOPT(x11_use_localhost); + + M_CP_STROPT(banner); + if (preauth) + return; + M_CP_STROPT(adm_forced_command); } +#undef M_CP_INTOPT +#undef M_CP_STROPT + void parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, const char *user, const char *host, const char *address) diff --git a/servconf.h b/servconf.h index ad496f64b..8a5b950ea 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */ +/* $OpenBSD: servconf.h,v 1.80 2007/02/19 10:45:58 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -152,6 +152,6 @@ void parse_server_config(ServerOptions *, const char *, Buffer *, const char *, const char *, const char *); void parse_server_match_config(ServerOptions *, const char *, const char *, const char *); -void copy_set_server_options(ServerOptions *, ServerOptions *); +void copy_set_server_options(ServerOptions *, ServerOptions *, int); #endif /* SERVCONF_H */ diff --git a/sshd_config.5 b/sshd_config.5 index 53207fd84..54231d562 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.71 2007/01/02 09:57:25 jmc Exp $ +.\" $OpenBSD: sshd_config.5,v 1.72 2007/02/19 10:45:58 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -512,9 +512,17 @@ Only a subset of keywords may be used on the lines following a keyword. Available keywords are .Cm AllowTcpForwarding , +.Cm Banner , +.Cm ChallengeResponseAuthentication , .Cm ForceCommand , .Cm GatewayPorts , +.Cm GSSApiAuthentication , +.Cm KerberosAuthentication , +.Cm KeyboardInteractiveAuthentication , +.Cm PasswordAuthentication , .Cm PermitOpen , +.Cm RhostsRSAAuthentication , +.Cm RSAAuthentication , .Cm X11DisplayOffset , .Cm X11Forwarding , and -- cgit v1.2.3 
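Review bot: M_CP_STROPT transfers ownership instead of copying: after `dst->n = src->n;` both ServerOptions hold the same pointer and `src->n` is never cleared, so whoever later frees the source (the `mo` local in parse_server_match_config, which this patch leaves unfreed) would double-free `banner` and `adm_forced_command`. Suggest either `dst->n = xstrdup(src->n);` or adding `src->n = NULL;` inside the macro, plus a comment saying the copy steals the pointer. Minor: the comment block reads "copying the the string" and "explictly", and the two macros spell `while (0)` and `while(0)` differently.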
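Review bot: the `if (preauth) return;` placed between `M_CP_STROPT(banner)` and `M_CP_STROPT(adm_forced_command)` is load-bearing but unmarked: any option added below that line is silently skipped for the pre-authentication copy, and moving `banner` below it would break Banner inside Match without a compile-time hint. A comment at the return ("everything below is post-auth only") would protect this. The new comment also promises that every value used pre-authentication is sent explicitly in mm_getpwnamallow(), but the monitor side is not part of this diff; please confirm that all the integer flags copied here (the eight authentication switches, the forwarding and X11 settings) are in fact transmitted, otherwise a Match block could be enforced by the monitor but not reflected in the unprivileged child.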
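Review bot: the sshd_config.5 hunk and the code disagree about which keywords Match supports. copy_set_server_options copies `pubkey_authentication` and `hostbased_authentication`, yet PubkeyAuthentication and HostbasedAuthentication are not in the manual's list, while RhostsRSAAuthentication and RSAAuthentication are listed although no servconf.c table hunk shown here moves those entries to SSHCFG_ALL. Two spelling points in the same list: the servconf.c table registers "kbdinteractiveauthentication", so the manual should say KbdInteractiveAuthentication rather than KeyboardInteractiveAuthentication, and `GSSApiAuthentication` should be written GSSAPIAuthentication, matching the acronym. The list is also not in alphabetical order (KerberosAuthentication precedes KeyboardInteractiveAuthentication).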
From 1d75f22c5d99ce1a4c7a87c7ae042a33fbeefefb Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 1 Mar 2007 21:31:28 +1100 Subject: - dtucker@cvs.openbsd.org 2007/03/01 10:28:02 [auth2.c sshd_config.5 servconf.c] Remove ChallengeResponseAuthentication support inside a Match block as its interaction with KbdInteractive makes it difficult to support. Also, relocate the CR/kbdint option special-case code into servconf. "please commit" djm@, ok markus@ for the relocation. --- ChangeLog | 11 ++++++++++- auth2.c | 6 +----- servconf.c | 9 ++++++--- sshd_config.5 | 5 ++--- 4 files changed, 19 insertions(+), 12 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 79658c520..feee3ff98 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +20070301 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2007/03/01 10:28:02 + [auth2.c sshd_config.5 servconf.c] + Remove ChallengeResponseAuthentication support inside a Match + block as its interaction with KbdInteractive makes it difficult to + support. Also, relocate the CR/kbdint option special-case code into + servconf. "please commit" djm@, ok markus@ for the relocation. + 20070228 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2007/02/28 00:55:30 @@ -2773,4 +2782,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4624 2007/02/28 10:19:58 dtucker Exp $ +$Id: ChangeLog,v 1.4625 2007/03/01 10:31:28 dtucker Exp $ diff --git a/auth2.c b/auth2.c index 2d880b57c..b1a4e3635 100644 --- a/auth2.c +++ b/auth2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2.c,v 1.113 2006/08/03 03:34:41 deraadt Exp $ */ +/* $OpenBSD: auth2.c,v 1.114 2007/03/01 10:28:02 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
@@ -96,10 +96,6 @@ int user_key_allowed(struct passwd *, Key *); void do_authentication2(Authctxt *authctxt) { - /* challenge-response is implemented via keyboard interactive */ - if (options.challenge_response_authentication) - options.kbd_interactive_authentication = 1; - dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); diff --git a/servconf.c b/servconf.c index c6a8043de..1e3c213a5 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.169 2007/02/22 12:58:40 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -357,7 +357,7 @@ static struct { #endif { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, - { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL }, + { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ { "checkmail", sDeprecated, SSHCFG_GLOBAL }, { "listenaddress", sListenAddress, SSHCFG_GLOBAL }, @@ -1350,7 +1350,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(kerberos_authentication); M_CP_INTOPT(hostbased_authentication); M_CP_INTOPT(kbd_interactive_authentication); - M_CP_INTOPT(challenge_response_authentication); M_CP_INTOPT(allow_tcp_forwarding); M_CP_INTOPT(gateway_ports); 
@@ -1388,4 +1387,8 @@ parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, if (bad_options > 0) fatal("%s: terminating, %d bad configuration options", filename, bad_options); + + /* challenge-response is implemented via keyboard interactive */ + if (options->challenge_response_authentication == 1) + options->kbd_interactive_authentication = 1; } diff --git a/sshd_config.5 b/sshd_config.5 index 54231d562..bcd0435e8 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.72 2007/02/19 10:45:58 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.73 2007/03/01 10:28:02 dtucker Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -513,12 +513,11 @@ keyword. Available keywords are .Cm AllowTcpForwarding , .Cm Banner , -.Cm ChallengeResponseAuthentication , .Cm ForceCommand , .Cm GatewayPorts , .Cm GSSApiAuthentication , .Cm KerberosAuthentication , -.Cm KeyboardInteractiveAuthentication , +.Cm KbdInteractiveAuthentication , .Cm PasswordAuthentication , .Cm PermitOpen , .Cm RhostsRSAAuthentication , -- cgit v1.2.3 From 5737e363c5b8d74ba8caddbcc2458a2c858cf72f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 6 Mar 2007 21:21:18 +1100 Subject: - OpenBSD CVS Sync - jmc@cvs.openbsd.org 2007/03/01 16:19:33 [sshd_config.5] sort the `match' keywords; --- ChangeLog | 8 +++++++- sshd_config.5 | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) (limited to 'sshd_config.5') diff --git a/ChangeLog b/ChangeLog index 188d04293..0fec02c7b 100644 --- a/ChangeLog +++ b/ChangeLog 
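Review bot: relocating the challenge-response special case changes when it runs, not just where it lives. The removed auth2.c code tested `options.challenge_response_authentication` at authentication time, after the options had been finalised; the new check at the end of parse_server_config sees the raw parsed value and compares it to 1 exactly. If ChallengeResponseAuthentication does not appear in sshd_config the field is still the -1 sentinel at this point (the same sentinel the `!= -1` tests in copy_set_server_options rely on), so an implicit default of "yes" will no longer switch keyboard-interactive on the way the old code did. Either confirm that the default is applied before this line, or run the check once after defaults are filled in (for example in sshd.c after fill_default_server_options). Note also that parse_server_config is the entry point for the Match re-parse ("reprocess config"), so the check now runs on the temporary options as well; harmless now that the keyword is back to SSHCFG_GLOBAL, but a comment would prevent someone re-adding it to the Match list without revisiting this.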
@@ -1,3 +1,9 @@ +20070306 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2007/03/01 16:19:33 + [sshd_config.5] + sort the `match' keywords; + 20070304 - (djm) [configure.ac] add a --without-openssl-header-check option to configure, as some platforms (OS X) ship OpenSSL headers whose version @@ -2803,4 +2809,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4631 2007/03/05 07:25:20 dtucker Exp $ +$Id: ChangeLog,v 1.4632 2007/03/06 10:21:18 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index bcd0435e8..af1221445 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.73 2007/03/01 10:28:02 dtucker Exp $ +.\" $OpenBSD: sshd_config.5,v 1.74 2007/03/01 16:19:33 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -516,8 +516,8 @@ Available keywords are .Cm ForceCommand , .Cm GatewayPorts , .Cm GSSApiAuthentication , -.Cm KerberosAuthentication , .Cm KbdInteractiveAuthentication , +.Cm KerberosAuthentication , .Cm PasswordAuthentication , .Cm PermitOpen , .Cm RhostsRSAAuthentication , -- cgit v1.2.3
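Review bot: the swap puts KbdInteractiveAuthentication ahead of KerberosAuthentication, which is the correct alphabetical order, but `GSSApiAuthentication` two lines above still carries the odd capitalisation of the GSSAPI acronym; since this commit already touches the list, writing it GSSAPIAuthentication in the same change would save a follow-up.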