=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/servconf.c,v retrieving revision 1.78 retrieving revision 1.78.2.2 diff -u -r1.78 -r1.78.2.2 --- src/usr.bin/ssh/servconf.c 2001/04/15 21:28:35 1.78 +++ src/usr.bin/ssh/servconf.c 2001/11/15 22:51:15 1.78.2.2 @@ -10,9 +10,9 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.78 2001/04/15 21:28:35 stevesk Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.78.2.2 2001/11/15 22:51:15 miod Exp $"); -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) #include #endif #ifdef AFS @@ -31,8 +31,8 @@ #include "kex.h" #include "mac.h" -void add_listen_addr(ServerOptions *options, char *addr, u_short port); -void add_one_listen_addr(ServerOptions *options, char *addr, u_short port); +static void add_listen_addr(ServerOptions *, char *, u_short); +static void add_one_listen_addr(ServerOptions *, char *, u_short); /* AF_UNSPEC or AF_INET or AF_INET6 */ extern int IPv4or6; @@ -56,7 +56,6 @@ options->ignore_user_known_hosts = -1; options->print_motd = -1; options->print_lastlog = -1; - options->check_mail = -1; options->x11_forwarding = -1; options->x11_display_offset = -1; options->xauth_location = NULL; @@ -70,18 +69,20 @@ options->hostbased_uses_name_from_packet_only = -1; options->rsa_authentication = -1; options->pubkey_authentication = -1; -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) options->kerberos_authentication = -1; options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; #endif -#ifdef AFS +#if defined(AFS) || defined(KRB5) options->kerberos_tgt_passing = -1; +#endif +#ifdef AFS options->afs_token_passing = -1; #endif options->password_authentication = -1; options->kbd_interactive_authentication = -1; - options->challenge_reponse_authentication = -1; + options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; options->use_login = -1; options->allow_tcp_forwarding = -1; @@ -101,6 +102,8 @@ options->reverse_mapping_check = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; + options->authorized_keys_file = NULL; + options->authorized_keys_file2 = NULL; } void @@ -133,8 +136,6 @@ options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) options->ignore_user_known_hosts = 0; - if (options->check_mail == -1) - options->check_mail = 0; if (options->print_motd == -1) options->print_motd = 1; if (options->print_lastlog == -1) @@ -143,10 +144,10 @@ options->x11_forwarding = 0; if (options->x11_display_offset == -1) options->x11_display_offset = 10; -#ifdef XAUTH_PATH +#ifdef _PATH_XAUTH if (options->xauth_location == NULL) - options->xauth_location = XAUTH_PATH; -#endif /* XAUTH_PATH */ + options->xauth_location = _PATH_XAUTH; +#endif if (options->strict_modes == -1) options->strict_modes = 1; if (options->keepalives == -1) @@ -167,26 +168,28 @@ options->rsa_authentication = 1; if (options->pubkey_authentication == -1) options->pubkey_authentication = 1; -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) if (options->kerberos_authentication == -1) options->kerberos_authentication = (access(KEYFILE, R_OK) == 0); if (options->kerberos_or_local_passwd == -1) options->kerberos_or_local_passwd = 1; if (options->kerberos_ticket_cleanup == -1) options->kerberos_ticket_cleanup = 1; -#endif /* KRB4 */ -#ifdef AFS +#endif +#if defined(AFS) || defined(KRB5) if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 0; +#endif +#ifdef AFS if (options->afs_token_passing == -1) options->afs_token_passing = k_hasafs(); -#endif /* AFS */ +#endif if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; - if (options->challenge_reponse_authentication == -1) - options->challenge_reponse_authentication = 1; + if (options->challenge_response_authentication == -1) + options->challenge_response_authentication = 1; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; if (options->use_login == -1) @@ -207,6 +210,15 @@ options->client_alive_interval = 0; if (options->client_alive_count_max == -1) options->client_alive_count_max = 3; + if (options->authorized_keys_file2 == NULL) { + /* authorized_keys_file2 falls back to authorized_keys_file */ + if (options->authorized_keys_file != NULL) + options->authorized_keys_file2 = options->authorized_keys_file; + else + options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2; + } + if (options->authorized_keys_file == NULL) + options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; } /* Keyword tokens. */ @@ -215,24 +227,28 @@ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, #endif +#if defined(AFS) || defined(KRB5) + sKerberosTgtPassing, +#endif #ifdef AFS - sKerberosTgtPassing, sAFSTokenPassing, + sAFSTokenPassing, #endif sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, - sStrictModes, sEmptyPasswd, sKeepAlives, sCheckMail, + sStrictModes, sEmptyPasswd, sKeepAlives, sUseLogin, sAllowTcpForwarding, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sReverseMappingCheck, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax + sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, + sDeprecated } ServerOpCodes; /* Textual representation of the tokens. */ @@ -257,20 +273,22 @@ { "rsaauthentication", sRSAAuthentication }, { "pubkeyauthentication", sPubkeyAuthentication }, { "dsaauthentication", sPubkeyAuthentication }, /* alias */ -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) { "kerberosauthentication", sKerberosAuthentication }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, { "kerberosticketcleanup", sKerberosTicketCleanup }, #endif -#ifdef AFS +#if defined(AFS) || defined(KRB5) { "kerberostgtpassing", sKerberosTgtPassing }, +#endif +#ifdef AFS { "afstokenpassing", sAFSTokenPassing }, #endif { "passwordauthentication", sPasswordAuthentication }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, { "challengeresponseauthentication", sChallengeResponseAuthentication }, { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ - { "checkmail", sCheckMail }, + { "checkmail", sDeprecated }, { "listenaddress", sListenAddress }, { "printmotd", sPrintMotd }, { "printlastlog", sPrintLastLog }, @@ -298,6 +316,8 @@ { "reversemappingcheck", sReverseMappingCheck }, { "clientaliveinterval", sClientAliveInterval }, { "clientalivecountmax", sClientAliveCountMax }, + { "authorizedkeysfile", sAuthorizedKeysFile }, + { "authorizedkeysfile2", sAuthorizedKeysFile2 }, { NULL, 0 } }; @@ -320,7 +340,7 @@ return sBadOption; } -void +static void add_listen_addr(ServerOptions *options, char *addr, u_short port) { int i; @@ -334,7 +354,7 @@ add_one_listen_addr(options, addr, port); } -void +static void add_one_listen_addr(ServerOptions *options, char *addr, u_short port) { struct addrinfo hints, *ai, *aitop; @@ -367,7 +387,7 @@ int linenum, *intptr, value; int bad_options = 0; ServerOpCodes opcode; - int i; + int i, n; f = fopen(filename, "r"); if (!f) { @@ -397,7 +417,7 @@ continue; if (options->listen_addrs != NULL) fatal("%s line %d: ports must be specified before " - "ListenAdress.\n", filename, linenum); + "ListenAdress.", filename, linenum); if (options->num_ports >= MAX_PORTS) fatal("%s line %d: too many ports.", filename, linenum); @@ -425,11 +445,21 @@ case sLoginGraceTime: intptr = &options->login_grace_time; - goto parse_int; +parse_time: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing time value.", + filename, linenum); + if ((value = convtime(arg)) == -1) + fatal("%s line %d: invalid time value.", + filename, linenum); + if (*intptr == -1) + *intptr = value; + break; case sKeyRegenerationTime: intptr = &options->key_regeneration_time; - goto parse_int; + goto parse_time; case sListenAddress: arg = strdelim(&cp); @@ -561,8 +591,7 @@ case sPubkeyAuthentication: intptr = &options->pubkey_authentication; goto parse_flag; - -#ifdef KRB4 +#if defined(KRB4) || defined(KRB5) case sKerberosAuthentication: intptr = &options->kerberos_authentication; goto parse_flag; @@ -575,12 +604,12 @@ intptr = &options->kerberos_ticket_cleanup; goto parse_flag; #endif - -#ifdef AFS +#if defined(AFS) || defined(KRB5) case sKerberosTgtPassing: intptr = &options->kerberos_tgt_passing; goto parse_flag; - +#endif +#ifdef AFS case sAFSTokenPassing: intptr = &options->afs_token_passing; goto parse_flag; @@ -594,12 +623,8 @@ intptr = &options->kbd_interactive_authentication; goto parse_flag; - case sCheckMail: - intptr = &options->check_mail; - goto parse_flag; - case sChallengeResponseAuthentication: - intptr = &options->challenge_reponse_authentication; + intptr = &options->challenge_response_authentication; goto parse_flag; case sPrintMotd: @@ -770,30 +795,54 @@ if (!arg || *arg == '\0') fatal("%s line %d: Missing MaxStartups spec.", filename, linenum); - if (sscanf(arg, "%d:%d:%d", + if ((n = sscanf(arg, "%d:%d:%d", &options->max_startups_begin, &options->max_startups_rate, - &options->max_startups) == 3) { + &options->max_startups)) == 3) { if (options->max_startups_begin > options->max_startups || options->max_startups_rate > 100 || options->max_startups_rate < 1) + fatal("%s line %d: Illegal MaxStartups spec.", + filename, linenum); + } else if (n != 1) fatal("%s line %d: Illegal MaxStartups spec.", - filename, linenum); - break; - } - intptr = &options->max_startups; - goto parse_int; + filename, linenum); + else + options->max_startups = options->max_startups_begin; + break; case sBanner: charptr = &options->banner; goto parse_filename; + /* + * These options can contain %X options expanded at + * connect time, so that you can specify paths like: + * + * AuthorizedKeysFile /etc/ssh_keys/%u + */ + case sAuthorizedKeysFile: + case sAuthorizedKeysFile2: + charptr = (opcode == sAuthorizedKeysFile ) ? + &options->authorized_keys_file : + &options->authorized_keys_file2; + goto parse_filename; + case sClientAliveInterval: intptr = &options->client_alive_interval; - goto parse_int; + goto parse_time; + case sClientAliveCountMax: intptr = &options->client_alive_count_max; goto parse_int; + + case sDeprecated: + log("%s line %d: Deprecated option %s", + filename, linenum, arg); + while(arg) + arg = strdelim(&cp); + break; + default: fatal("%s line %d: Missing handler for opcode %s (%d)", filename, linenum, arg, opcode);