diff options
Diffstat (limited to 'crypto/openssh/servconf.c')
-rw-r--r-- | crypto/openssh/servconf.c | 82 |
1 files changed, 72 insertions, 10 deletions
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c index 2664880..ace75d3 100644 --- a/crypto/openssh/servconf.c +++ b/crypto/openssh/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.229 2012/07/13 01:35:21 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.234 2013/02/06 00:20:42 dtucker Exp $ */ /* $FreeBSD$ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -50,6 +50,8 @@ __RCSID("$FreeBSD$"); #include "groupaccess.h" #include "canohost.h" #include "packet.h" +#include "hostfile.h" +#include "auth.h" #include "version.h" static void add_listen_addr(ServerOptions *, char *, int); @@ -138,6 +140,8 @@ initialize_server_options(ServerOptions *options) options->num_permitted_opens = -1; options->adm_forced_command = NULL; options->chroot_directory = NULL; + options->authorized_keys_command = NULL; + options->authorized_keys_command_user = NULL; options->zero_knowledge_password_authentication = -1; options->revoked_keys_file = NULL; options->trusted_user_ca_keys = NULL; @@ -255,17 +259,17 @@ fill_default_server_options(ServerOptions *options) if (options->compression == -1) options->compression = COMP_DELAYED; if (options->allow_tcp_forwarding == -1) - options->allow_tcp_forwarding = 1; + options->allow_tcp_forwarding = FORWARD_ALLOW; if (options->allow_agent_forwarding == -1) options->allow_agent_forwarding = 1; if (options->gateway_ports == -1) options->gateway_ports = 0; if (options->max_startups == -1) - options->max_startups = 10; + options->max_startups = 100; if (options->max_startups_rate == -1) - options->max_startups_rate = 100; /* 100% */ + options->max_startups_rate = 30; /* 30% */ if (options->max_startups_begin == -1) - options->max_startups_begin = options->max_startups; + options->max_startups_begin = 10; if (options->max_authtries == -1) options->max_authtries = DEFAULT_AUTH_FAIL_MAX; if (options->max_sessions == -1) @@ -370,6 +374,8 @@ typedef enum { sZeroKnowledgePasswordAuthentication, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, + sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, + sAuthenticationMethods, sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll, #ifdef NONE_CIPHER_ENABLED sNoneEnabled, @@ -498,8 +504,10 @@ static struct { { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "ipqos", sIPQoS, SSHCFG_ALL }, + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, + { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, - { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, + { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, { "hpndisabled", sHPNDisabled, SSHCFG_ALL }, { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL }, { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL }, @@ -670,8 +678,9 @@ out: } /* - * All of the attributes on a single Match line are ANDed together, so we need to check every - * attribute and set the result to zero if any attribute does not match. + * All of the attributes on a single Match line are ANDed together, so we need + * to check every * attribute and set the result to zero if any attribute does + * not match. */ static int match_cfg_line(char **condition, int line, struct connection_info *ci) @@ -828,6 +837,14 @@ static const struct multistate multistate_privsep[] = { { "no", PRIVSEP_OFF }, { NULL, -1 } }; +static const struct multistate multistate_tcpfwd[] = { + { "yes", FORWARD_ALLOW }, + { "all", FORWARD_ALLOW }, + { "no", FORWARD_DENY }, + { "remote", FORWARD_REMOTE }, + { "local", FORWARD_LOCAL }, + { NULL, -1 } +}; int process_server_config_line(ServerOptions *options, char *line, @@ -1185,7 +1202,8 @@ process_server_config_line(ServerOptions *options, char *line, case sAllowTcpForwarding: intptr = &options->allow_tcp_forwarding; - goto parse_flag; + multistate_ptr = multistate_tcpfwd; + goto parse_multistate; case sAllowAgentForwarding: intptr = &options->allow_agent_forwarding; @@ -1465,7 +1483,6 @@ process_server_config_line(ServerOptions *options, char *line, } if (strcmp(arg, "none") == 0) { if (*activep && n == -1) { - channel_clear_adm_permitted_opens(); options->num_permitted_opens = 1; channel_disable_adm_local_opens(); } @@ -1549,6 +1566,43 @@ process_server_config_line(ServerOptions *options, char *line, } return 0; + case sAuthorizedKeysCommand: + len = strspn(cp, WHITESPACE); + if (*activep && options->authorized_keys_command == NULL) { + if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0) + fatal("%.200s line %d: AuthorizedKeysCommand " + "must be an absolute path", + filename, linenum); + options->authorized_keys_command = xstrdup(cp + len); + } + return 0; + + case sAuthorizedKeysCommandUser: + charptr = &options->authorized_keys_command_user; + + arg = strdelim(&cp); + if (*activep && *charptr == NULL) + *charptr = xstrdup(arg); + break; + + case sAuthenticationMethods: + if (*activep && options->num_auth_methods == 0) { + while ((arg = strdelim(&cp)) && *arg != '\0') { + if (options->num_auth_methods >= + MAX_AUTH_METHODS) + fatal("%s line %d: " + "too many authentication methods.", + filename, linenum); + if (auth2_methods_valid(arg, 0) != 0) + fatal("%s line %d: invalid " + "authentication method list.", + filename, linenum); + options->auth_methods[ + options->num_auth_methods++] = xstrdup(arg); + } + } + return 0; + case sHPNDisabled: intptr = &options->hpn_disabled; goto parse_flag; @@ -1717,6 +1771,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(hostbased_uses_name_from_packet_only); M_CP_INTOPT(kbd_interactive_authentication); M_CP_INTOPT(zero_knowledge_password_authentication); + M_CP_STROPT(authorized_keys_command); + M_CP_STROPT(authorized_keys_command_user); M_CP_INTOPT(permit_root_login); M_CP_INTOPT(permit_empty_passwd); @@ -1801,6 +1857,8 @@ fmt_intarg(ServerOpCodes code, int val) return fmt_multistate_int(val, multistate_compression); case sUsePrivilegeSeparation: return fmt_multistate_int(val, multistate_privsep); + case sAllowTcpForwarding: + return fmt_multistate_int(val, multistate_tcpfwd); case sProtocol: switch (val) { case SSH_PROTO_1: @@ -1977,6 +2035,8 @@ dump_config(ServerOptions *o) dump_cfg_string(sAuthorizedPrincipalsFile, o->authorized_principals_file); dump_cfg_string(sVersionAddendum, o->version_addendum); + dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); + dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); @@ -1994,6 +2054,8 @@ dump_config(ServerOptions *o) dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); + dump_cfg_strarray_oneline(sAuthenticationMethods, + o->num_auth_methods, o->auth_methods); /* other arguments */ for (i = 0; i < o->num_subsystems; i++) |