servconf.c (215116) servconf.c (221420)
1/* $OpenBSD: servconf.c,v 1.209 2010/06/22 04:22:59 djm Exp $ */
1/* $OpenBSD: servconf.c,v 1.213 2010/11/13 23:27:50 djm Exp $ */
2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
5 *
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
11 */
12
13#include "includes.h"
2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
5 *
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
11 */
12
13#include "includes.h"
14__RCSID("$FreeBSD: head/crypto/openssh/servconf.c 215116 2010-11-11 11:46:19Z des $");
14__RCSID("$FreeBSD: head/crypto/openssh/servconf.c 221420 2011-05-04 07:34:44Z des $");
15
16#include <sys/types.h>
17#include <sys/socket.h>
18
15
16#include <sys/types.h>
17#include <sys/socket.h>
18
19#include <netinet/in.h>
20#include <netinet/in_systm.h>
21#include <netinet/ip.h>
22
19#include <netdb.h>
20#include <pwd.h>
21#include <stdio.h>
22#include <stdlib.h>
23#include <string.h>
24#include <signal.h>
25#include <unistd.h>
26#include <stdarg.h>

--- 79 unchanged lines hidden (view full) ---

106 options->allow_tcp_forwarding = -1;
107 options->allow_agent_forwarding = -1;
108 options->num_allow_users = 0;
109 options->num_deny_users = 0;
110 options->num_allow_groups = 0;
111 options->num_deny_groups = 0;
112 options->ciphers = NULL;
113 options->macs = NULL;
23#include <netdb.h>
24#include <pwd.h>
25#include <stdio.h>
26#include <stdlib.h>
27#include <string.h>
28#include <signal.h>
29#include <unistd.h>
30#include <stdarg.h>

--- 79 unchanged lines hidden (view full) ---

110 options->allow_tcp_forwarding = -1;
111 options->allow_agent_forwarding = -1;
112 options->num_allow_users = 0;
113 options->num_deny_users = 0;
114 options->num_allow_groups = 0;
115 options->num_deny_groups = 0;
116 options->ciphers = NULL;
117 options->macs = NULL;
118 options->kex_algorithms = NULL;
114 options->protocol = SSH_PROTO_UNKNOWN;
115 options->gateway_ports = -1;
116 options->num_subsystems = 0;
117 options->max_startups_begin = -1;
118 options->max_startups_rate = -1;
119 options->max_startups = -1;
120 options->max_authtries = -1;
121 options->max_sessions = -1;

--- 7 unchanged lines hidden (view full) ---

129 options->permit_tun = -1;
130 options->num_permitted_opens = -1;
131 options->adm_forced_command = NULL;
132 options->chroot_directory = NULL;
133 options->zero_knowledge_password_authentication = -1;
134 options->revoked_keys_file = NULL;
135 options->trusted_user_ca_keys = NULL;
136 options->authorized_principals_file = NULL;
119 options->protocol = SSH_PROTO_UNKNOWN;
120 options->gateway_ports = -1;
121 options->num_subsystems = 0;
122 options->max_startups_begin = -1;
123 options->max_startups_rate = -1;
124 options->max_startups = -1;
125 options->max_authtries = -1;
126 options->max_sessions = -1;

--- 7 unchanged lines hidden (view full) ---

134 options->permit_tun = -1;
135 options->num_permitted_opens = -1;
136 options->adm_forced_command = NULL;
137 options->chroot_directory = NULL;
138 options->zero_knowledge_password_authentication = -1;
139 options->revoked_keys_file = NULL;
140 options->trusted_user_ca_keys = NULL;
141 options->authorized_principals_file = NULL;
142 options->ip_qos_interactive = -1;
143 options->ip_qos_bulk = -1;
137}
138
139void
140fill_default_server_options(ServerOptions *options)
141{
142 /* Portable-specific options */
143 if (options->use_pam == -1)
144 options->use_pam = 1;

--- 6 unchanged lines hidden (view full) ---

151 if (options->protocol & SSH_PROTO_1)
152 options->host_key_files[options->num_host_key_files++] =
153 _PATH_HOST_KEY_FILE;
154 if (options->protocol & SSH_PROTO_2) {
155 options->host_key_files[options->num_host_key_files++] =
156 _PATH_HOST_RSA_KEY_FILE;
157 options->host_key_files[options->num_host_key_files++] =
158 _PATH_HOST_DSA_KEY_FILE;
144}
145
146void
147fill_default_server_options(ServerOptions *options)
148{
149 /* Portable-specific options */
150 if (options->use_pam == -1)
151 options->use_pam = 1;

--- 6 unchanged lines hidden (view full) ---

158 if (options->protocol & SSH_PROTO_1)
159 options->host_key_files[options->num_host_key_files++] =
160 _PATH_HOST_KEY_FILE;
161 if (options->protocol & SSH_PROTO_2) {
162 options->host_key_files[options->num_host_key_files++] =
163 _PATH_HOST_RSA_KEY_FILE;
164 options->host_key_files[options->num_host_key_files++] =
165 _PATH_HOST_DSA_KEY_FILE;
166#ifdef OPENSSL_HAS_ECC
167 options->host_key_files[options->num_host_key_files++] =
168 _PATH_HOST_ECDSA_KEY_FILE;
169#endif
159 }
160 }
161 /* No certificates by default */
162 if (options->num_ports == 0)
163 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
164 if (options->listen_addrs == NULL)
165 add_listen_addr(options, NULL, 0);
166 if (options->pid_file == NULL)

--- 86 unchanged lines hidden (view full) ---

253 options->use_dns = 1;
254 if (options->client_alive_interval == -1)
255 options->client_alive_interval = 0;
256 if (options->client_alive_count_max == -1)
257 options->client_alive_count_max = 3;
258 if (options->authorized_keys_file2 == NULL) {
259 /* authorized_keys_file2 falls back to authorized_keys_file */
260 if (options->authorized_keys_file != NULL)
170 }
171 }
172 /* No certificates by default */
173 if (options->num_ports == 0)
174 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
175 if (options->listen_addrs == NULL)
176 add_listen_addr(options, NULL, 0);
177 if (options->pid_file == NULL)

--- 86 unchanged lines hidden (view full) ---

264 options->use_dns = 1;
265 if (options->client_alive_interval == -1)
266 options->client_alive_interval = 0;
267 if (options->client_alive_count_max == -1)
268 options->client_alive_count_max = 3;
269 if (options->authorized_keys_file2 == NULL) {
270 /* authorized_keys_file2 falls back to authorized_keys_file */
271 if (options->authorized_keys_file != NULL)
261 options->authorized_keys_file2 = options->authorized_keys_file;
272 options->authorized_keys_file2 = xstrdup(options->authorized_keys_file);
262 else
273 else
263 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
274 options->authorized_keys_file2 = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
264 }
265 if (options->authorized_keys_file == NULL)
275 }
276 if (options->authorized_keys_file == NULL)
266 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
277 options->authorized_keys_file = xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
267 if (options->permit_tun == -1)
268 options->permit_tun = SSH_TUNMODE_NO;
269 if (options->zero_knowledge_password_authentication == -1)
270 options->zero_knowledge_password_authentication = 0;
278 if (options->permit_tun == -1)
279 options->permit_tun = SSH_TUNMODE_NO;
280 if (options->zero_knowledge_password_authentication == -1)
281 options->zero_knowledge_password_authentication = 0;
282 if (options->ip_qos_interactive == -1)
283 options->ip_qos_interactive = IPTOS_LOWDELAY;
284 if (options->ip_qos_bulk == -1)
285 options->ip_qos_bulk = IPTOS_THROUGHPUT;
271
272 /* Turn privilege separation on by default */
273 if (use_privsep == -1)
274 use_privsep = 1;
275
276#ifndef HAVE_MMAP
277 if (use_privsep && options->compression == 1) {
278 error("This platform does not support both privilege "

--- 30 unchanged lines hidden (view full) ---

309 sBanner, sUseDNS, sHostbasedAuthentication,
310 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
311 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
312 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
313 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
314 sUsePrivilegeSeparation, sAllowAgentForwarding,
315 sZeroKnowledgePasswordAuthentication, sHostCertificate,
316 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
286
287 /* Turn privilege separation on by default */
288 if (use_privsep == -1)
289 use_privsep = 1;
290
291#ifndef HAVE_MMAP
292 if (use_privsep && options->compression == 1) {
293 error("This platform does not support both privilege "

--- 30 unchanged lines hidden (view full) ---

324 sBanner, sUseDNS, sHostbasedAuthentication,
325 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
326 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
327 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
328 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
329 sUsePrivilegeSeparation, sAllowAgentForwarding,
330 sZeroKnowledgePasswordAuthentication, sHostCertificate,
331 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
332 sKexAlgorithms, sIPQoS,
317 sVersionAddendum,
318 sDeprecated, sUnsupported
319} ServerOpCodes;
320
321#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
322#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
323#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
324

--- 107 unchanged lines hidden (view full) ---

432 { "match", sMatch, SSHCFG_ALL },
433 { "permitopen", sPermitOpen, SSHCFG_ALL },
434 { "forcecommand", sForceCommand, SSHCFG_ALL },
435 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
436 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
437 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
438 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
439 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
333 sVersionAddendum,
334 sDeprecated, sUnsupported
335} ServerOpCodes;
336
337#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
338#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
339#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
340

--- 107 unchanged lines hidden (view full) ---

448 { "match", sMatch, SSHCFG_ALL },
449 { "permitopen", sPermitOpen, SSHCFG_ALL },
450 { "forcecommand", sForceCommand, SSHCFG_ALL },
451 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
452 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
453 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
454 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
455 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
456 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
457 { "ipqos", sIPQoS, SSHCFG_ALL },
440 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
441 { NULL, sBadOption, 0 }
442};
443
444static struct {
445 int val;
446 char *text;
447} tunmode_desc[] = {

--- 214 unchanged lines hidden (view full) ---

662#define WHITESPACE " \t\r\n"
663
664int
665process_server_config_line(ServerOptions *options, char *line,
666 const char *filename, int linenum, int *activep, const char *user,
667 const char *host, const char *address)
668{
669 char *cp, **charptr, *arg, *p;
458 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
459 { NULL, sBadOption, 0 }
460};
461
462static struct {
463 int val;
464 char *text;
465} tunmode_desc[] = {

--- 214 unchanged lines hidden (view full) ---

680#define WHITESPACE " \t\r\n"
681
682int
683process_server_config_line(ServerOptions *options, char *line,
684 const char *filename, int linenum, int *activep, const char *user,
685 const char *host, const char *address)
686{
687 char *cp, **charptr, *arg, *p;
670 int cmdline = 0, *intptr, value, n;
688 int cmdline = 0, *intptr, value, value2, n;
671 SyslogFacility *log_facility_ptr;
672 LogLevel *log_level_ptr;
673 ServerOpCodes opcode;
674 int port;
675 u_int i, flags = 0;
676 size_t len;
677
678 cp = line;

--- 449 unchanged lines hidden (view full) ---

1128 fatal("%s line %d: Missing argument.", filename, linenum);
1129 if (!mac_valid(arg))
1130 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1131 filename, linenum, arg ? arg : "<NONE>");
1132 if (options->macs == NULL)
1133 options->macs = xstrdup(arg);
1134 break;
1135
689 SyslogFacility *log_facility_ptr;
690 LogLevel *log_level_ptr;
691 ServerOpCodes opcode;
692 int port;
693 u_int i, flags = 0;
694 size_t len;
695
696 cp = line;

--- 449 unchanged lines hidden (view full) ---

1146 fatal("%s line %d: Missing argument.", filename, linenum);
1147 if (!mac_valid(arg))
1148 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1149 filename, linenum, arg ? arg : "<NONE>");
1150 if (options->macs == NULL)
1151 options->macs = xstrdup(arg);
1152 break;
1153
1154 case sKexAlgorithms:
1155 arg = strdelim(&cp);
1156 if (!arg || *arg == '\0')
1157 fatal("%s line %d: Missing argument.",
1158 filename, linenum);
1159 if (!kex_names_valid(arg))
1160 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1161 filename, linenum, arg ? arg : "<NONE>");
1162 if (options->kex_algorithms == NULL)
1163 options->kex_algorithms = xstrdup(arg);
1164 break;
1165
1136 case sProtocol:
1137 intptr = &options->protocol;
1138 arg = strdelim(&cp);
1139 if (!arg || *arg == '\0')
1140 fatal("%s line %d: Missing argument.", filename, linenum);
1141 value = proto_spec(arg);
1142 if (value == SSH_PROTO_UNKNOWN)
1143 fatal("%s line %d: Bad protocol spec '%s'.",

--- 206 unchanged lines hidden (view full) ---

1350 case sTrustedUserCAKeys:
1351 charptr = &options->trusted_user_ca_keys;
1352 goto parse_filename;
1353
1354 case sRevokedKeys:
1355 charptr = &options->revoked_keys_file;
1356 goto parse_filename;
1357
1166 case sProtocol:
1167 intptr = &options->protocol;
1168 arg = strdelim(&cp);
1169 if (!arg || *arg == '\0')
1170 fatal("%s line %d: Missing argument.", filename, linenum);
1171 value = proto_spec(arg);
1172 if (value == SSH_PROTO_UNKNOWN)
1173 fatal("%s line %d: Bad protocol spec '%s'.",

--- 206 unchanged lines hidden (view full) ---

1380 case sTrustedUserCAKeys:
1381 charptr = &options->trusted_user_ca_keys;
1382 goto parse_filename;
1383
1384 case sRevokedKeys:
1385 charptr = &options->revoked_keys_file;
1386 goto parse_filename;
1387
1388 case sIPQoS:
1389 arg = strdelim(&cp);
1390 if ((value = parse_ipqos(arg)) == -1)
1391 fatal("%s line %d: Bad IPQoS value: %s",
1392 filename, linenum, arg);
1393 arg = strdelim(&cp);
1394 if (arg == NULL)
1395 value2 = value;
1396 else if ((value2 = parse_ipqos(arg)) == -1)
1397 fatal("%s line %d: Bad IPQoS value: %s",
1398 filename, linenum, arg);
1399 if (*activep) {
1400 options->ip_qos_interactive = value;
1401 options->ip_qos_bulk = value2;
1402 }
1403 break;
1404
1358 case sVersionAddendum:
1405 case sVersionAddendum:
1359 ssh_version_set_addendum(strtok(cp, "\n"));
1360 do {
1361 arg = strdelim(&cp);
1362 } while (arg != NULL && *arg != '\0');
1406 ssh_version_set_addendum(strtok(cp, "\n"));
1407 do {
1408 arg = strdelim(&cp);
1409 } while (arg != NULL && *arg != '\0');
1363 break;
1364
1365 case sDeprecated:
1366 logit("%s line %d: Deprecated option %s",
1367 filename, linenum, arg);
1368 while (arg)
1369 arg = strdelim(&cp);
1370 break;

--- 96 unchanged lines hidden (view full) ---

1467 M_CP_INTOPT(allow_agent_forwarding);
1468 M_CP_INTOPT(permit_tun);
1469 M_CP_INTOPT(gateway_ports);
1470 M_CP_INTOPT(x11_display_offset);
1471 M_CP_INTOPT(x11_forwarding);
1472 M_CP_INTOPT(x11_use_localhost);
1473 M_CP_INTOPT(max_sessions);
1474 M_CP_INTOPT(max_authtries);
1410 break;
1411
1412 case sDeprecated:
1413 logit("%s line %d: Deprecated option %s",
1414 filename, linenum, arg);
1415 while (arg)
1416 arg = strdelim(&cp);
1417 break;

--- 96 unchanged lines hidden (view full) ---

1514 M_CP_INTOPT(allow_agent_forwarding);
1515 M_CP_INTOPT(permit_tun);
1516 M_CP_INTOPT(gateway_ports);
1517 M_CP_INTOPT(x11_display_offset);
1518 M_CP_INTOPT(x11_forwarding);
1519 M_CP_INTOPT(x11_use_localhost);
1520 M_CP_INTOPT(max_sessions);
1521 M_CP_INTOPT(max_authtries);
1522 M_CP_INTOPT(ip_qos_interactive);
1523 M_CP_INTOPT(ip_qos_bulk);
1475
1476 M_CP_STROPT(banner);
1477 if (preauth)
1478 return;
1479 M_CP_STROPT(adm_forced_command);
1480 M_CP_STROPT(chroot_directory);
1481 M_CP_STROPT(trusted_user_ca_keys);
1482 M_CP_STROPT(revoked_keys_file);

--- 249 unchanged lines hidden (view full) ---

1732
1733 for (i = 0; tunmode_desc[i].val != -1; i++)
1734 if (tunmode_desc[i].val == o->permit_tun) {
1735 s = tunmode_desc[i].text;
1736 break;
1737 }
1738 dump_cfg_string(sPermitTunnel, s);
1739
1524
1525 M_CP_STROPT(banner);
1526 if (preauth)
1527 return;
1528 M_CP_STROPT(adm_forced_command);
1529 M_CP_STROPT(chroot_directory);
1530 M_CP_STROPT(trusted_user_ca_keys);
1531 M_CP_STROPT(revoked_keys_file);

--- 249 unchanged lines hidden (view full) ---

1781
1782 for (i = 0; tunmode_desc[i].val != -1; i++)
1783 if (tunmode_desc[i].val == o->permit_tun) {
1784 s = tunmode_desc[i].text;
1785 break;
1786 }
1787 dump_cfg_string(sPermitTunnel, s);
1788
1789 printf("ipqos 0x%02x 0x%02x\n", o->ip_qos_interactive, o->ip_qos_bulk);
1790
1740 channel_print_adm_permitted_opens();
1741}
1791 channel_print_adm_permitted_opens();
1792}
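Review bot: The new `sIPQoS` case (new lines 1388-1403) passes the first `strdelim()` result straight to `parse_ipqos()` and then to the `%s` in `fatal()`, without the missing-argument check that the neighbouring `sKexAlgorithms` and `sProtocol` cases use. An `IPQoS` line with no value therefore relies on `parse_ipqos()` tolerating NULL (its body is not visible here) and would then format a NULL pointer with `%s`. Adding `if (!arg || *arg == '\0') fatal("%s line %d: Missing argument.", filename, linenum);` before the first `parse_ipqos()` call avoids that and keeps the diagnostics consistent. The optional second value is skipped only when `arg == NULL`; if `strdelim()` can return an empty string for trailing whitespace, that would be reported as a bad value, so testing `*arg == '\0'` there as well may be worth considering. `process_server_config_line` begins and ends outside the visible hunks.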