Attachment #1118 for bug #1180

Lines 81-87 SSHDOBJS=sshd.o auth-rhosts.o auth-passw Link Here

(-)Makefile.in (-1 / +1 lines)
81	auth.o auth1.o auth2.o auth-options.o session.o \	81	auth.o auth1.o auth2.o auth-options.o session.o \
82	auth-chall.o auth2-chall.o groupaccess.o \	82	auth-chall.o auth2-chall.o groupaccess.o \
83	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \	83	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
84	auth2-none.o auth2-passwd.o auth2-pubkey.o \	84	auth2-none.o auth2-passwd.o auth2-pubkey.o cfgmatch.o \
85	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \	85	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
86	auth-krb5.o \	86	auth-krb5.o \
87	auth2-gss.o gss-serv.o gss-serv-krb5.o \	87	auth2-gss.o gss-serv.o gss-serv-krb5.o \

Lines 492-497 getpwnamallow(const char *user) Link Here

(-)auth.c (+3 lines)
492	#endif	492	#endif
493	struct passwd *pw;	493	struct passwd *pw;
494		494
		495	parse_server_match_config(&options, user,
		496	get_canonical_hostname(options.use_dns), get_remote_ipaddr());
		497
495	pw = getpwnam(user);	498	pw = getpwnam(user);
496	if (pw == NULL) {	499	if (pw == NULL) {
497	logit("Invalid user %.100s from %.100s",	500	logit("Invalid user %.100s from %.100s",




/*
 * Copyright (c) 2006 Darren Tucker.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#include "match.h"
#include "log.h"
#include "misc.h"
#include "canohost.h"
#include "groupaccess.h"

int
match_cfg_line(char **condition, int line, const char *user, const char *host,
    const char *address)
{
	int result = 1;
	char *arg, *attrib, *cp = *condition, *grplist[1];
	size_t len;
	struct passwd *pw;

	if (user == NULL)
		debug3("checking syntax for 'Match %s'", cp);
	else
		debug3("checking match for '%s'", cp);

	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
			error("Missing Match criteria for %s", attrib);
			return -1;
		}
		len = strlen(arg);
		if (strcasecmp(attrib, "user") == 0) {
			if (!user) {
				result = 0;
				continue;
			}
			if (match_pattern_list(user, arg, len, 0) != 1)
				/* XXX what about negative match? */
				result = 0;
			else
				debug("user %.100s matched 'User %.100s' at "
				    "line %d", user, arg, line);
		} else if (strcasecmp(attrib, "group") == 0) {
			if (!user) {
				result = 0;
				continue;
			}
			grplist[0] = arg; /* XXX split on comma */
			if ((pw = getpwnam(user)) == NULL) {
				debug("Can't match group at line %d because "
				    "user %.100s does not exist", line, user);
				result = 0;
			} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
				debug("Can't Match group because user %.100s "
				    "not in any group at line %d", user,
				    line);
				result = 0;
			} else if (ga_match(grplist, 1) != 1) {
				debug("User %.100s does not match group "
				    "%.100s at line %d", user, arg,
				    line);
				result = 0;
			} else {
				debug("User %.100s matched Group %.100s at "
				    "line %d", user, arg, line);
			}
		} else if (strcasecmp(attrib, "host") == 0) {
			if (!host) {
				result = 0;
				continue;
			}
			if (match_hostname(host, arg, len) != 1)
				result = 0;
			else
				debug("connection from %.100s matched 'Host "
				    "%.100s' at line %d", host, arg, line);
		} else if (strcasecmp(attrib, "address") == 0) {
			if (!address) {
				result = 0;
				continue;
			}
			if (match_hostname(address, arg, len) != 1)
				result = 0;
			else
				debug("connection from %.100s matched 'Address "
				    "%.100s' at line %d", address, arg, line);
		} else {
			error("Unsupported Match attribute %s", attrib);
			return -1;
		}
	}
	*condition = cp;
	debug3("match_cfg_line: returning %d", result);
	return result;
}

Lines 20-24 int match_hostname(const char *, const Link Here

(-)match.h (+1 lines)
20	int match_host_and_ip(const char , const char , const char *);	20	int match_host_and_ip(const char , const char , const char *);
21	int match_user(const char , const char , const char , const char );	21	int match_user(const char , const char , const char , const char );
22	char match_list(const char , const char , u_int );	22	char match_list(const char , const char , u_int );
		23	int match_cfg_line(char *, int, const char , const char , const char );
23		24
24	#endif	25	#endif

Lines 612-617 mm_answer_pwnamallow(int sock, Buffer *m Link Here

(-)monitor.c (+1 lines)
612	#endif	612	#endif
613	buffer_put_cstring(m, pwent->pw_dir);	613	buffer_put_cstring(m, pwent->pw_dir);
614	buffer_put_cstring(m, pwent->pw_shell);	614	buffer_put_cstring(m, pwent->pw_shell);
		615	buffer_put_string(m, &options, sizeof(options));
615		616
616	out:	617	out:
617	debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);	618	debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);




{
	Buffer m;
	struct passwd *pw;
	u_int len;
	void *p;

	debug3("%s entering", __func__);


		buffer_free(&m);
		return (NULL);
	}
	pw = buffer_get_string(&m, &len);
	if (len != sizeof(struct passwd))
		fatal("%s: struct passwd size mismatch", __func__);
	pw->pw_name = buffer_get_string(&m, NULL);
	pw->pw_passwd = buffer_get_string(&m, NULL);

#endif
	pw->pw_dir = buffer_get_string(&m, NULL);
	pw->pw_shell = buffer_get_string(&m, NULL);
	p = buffer_get_string(&m, &len);
	if (len != sizeof(options))
		fatal("%s: option block size mismatch", __func__);
	memcpy(&options, p, len);
	buffer_free(&m);

	/* we don't use these options, so zero for safety */
	options.num_ports = 0;
	options.ports_from_cmdline = 0;
	options.pid_file = NULL;
	options.xauth_location = NULL;
	options.ciphers = NULL;
	options.num_allow_users = 0;
	options.num_deny_users = 0;
	options.num_allow_groups = 0;
	options.num_deny_groups = 0;
	options.macs = NULL;
	options.num_subsystems = 0;
	options.banner = NULL;
	options.authorized_keys_file = NULL;
	options.authorized_keys_file2 = NULL;
	options.num_accept_env = 0;

	return (pw);
}




#include "cipher.h"
#include "kex.h"
#include "mac.h"
#include "match.h"

static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* Use of privilege separation or not */
extern int use_privsep;
extern Buffer cfg;

/* Initializes the server options to their default values. */


	options->authorized_keys_file2 = NULL;
	options->num_accept_env = 0;
	options->permit_tun = -1;

	/* Needs to be accessable in many places */
	use_privsep = -1;
}

void

	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
	sMatch,
	sUsePrivilegeSeparation,
	sDeprecated, sUnsupported
} ServerOpCodes;

#define SSHCFG_GLOBAL	0x01
#define SSHCFG_MATCH	0x02
#define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)

/* Textual representation of the tokens. */
static struct {
	const char *name;
	ServerOpCodes opcode;
	u_int flags;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "usepam", sUsePAM, SSHCFG_ALL },
#else
	{ "usepam", sUnsupported, SSHCFG_ALL },
#endif
	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
	/* Standard Options */
	{ "port", sPort, SSHCFG_GLOBAL },
	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
	{ "logingracetime", sLoginGraceTime, SSHCFG_ALL },
	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
	{ "syslogfacility", sLogFacility, SSHCFG_ALL },
	{ "loglevel", sLogLevel, SSHCFG_ALL },
	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_ALL }, /* alias */
#ifdef KRB5
	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_ALL },
	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_ALL },
#ifdef USE_AFS
	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_ALL },
#else
	{ "kerberosgetafstoken", sUnsupported, SSHCFG_ALL },
#endif
#else
	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_ALL },
	{ "kerberosticketcleanup", sUnsupported, SSHCFG_ALL },
	{ "kerberosgetafstoken", sUnsupported, SSHCFG_ALL },
#endif
	{ "kerberostgtpassing", sUnsupported, SSHCFG_ALL },
	{ "afstokenpassing", sUnsupported, SSHCFG_ALL },
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_ALL },
#else
	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_ALL },
#endif
	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL },
	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_ALL }, /* alias */
	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
	{ "printmotd", sPrintMotd, SSHCFG_ALL },
	{ "printlastlog", sPrintLastLog, SSHCFG_ALL },
	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_ALL },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_ALL },
	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
	{ "xauthlocation", sXAuthLocation, SSHCFG_ALL },
	{ "strictmodes", sStrictModes, SSHCFG_ALL },
	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_ALL },
	{ "uselogin", sUseLogin, SSHCFG_ALL },
	{ "compression", sCompression, SSHCFG_GLOBAL },
	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
	{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
	{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
	{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
	{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
	{ "macs", sMacs, SSHCFG_GLOBAL },
	{ "protocol", sProtocol, SSHCFG_GLOBAL },
	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
	{ "subsystem", sSubsystem, SSHCFG_ALL },
	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
	{ "banner", sBanner, SSHCFG_ALL },
	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_ALL },
	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
	{ "match", sMatch, SSHCFG_ALL },
	{ NULL, sBadOption, 0 }
};

/*


static ServerOpCodes
parse_token(const char *cp, const char *filename,
	    int linenum, u_int *flags)
{
	u_int i;

	for (i = 0; keywords[i].name; i++)
		if (strcasecmp(cp, keywords[i].name) == 0) {
			*flags = keywords[i].flags;
			return keywords[i].opcode;
		}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);

	options->listen_addrs = aitop;
}

/*
 * The strategy for the Match blocks is that the config file is parsed twice.
 *
 * The first time is at startup.  activep is initialized to 1 and the
 * directives in the global context are processed and acted on.  Hitting a
 * Match directive unsets activep and the directives inside the block are
 * checked for syntax only.
 *
 * The second time is after a connection has been established but before
 * authentication.  activep is initialized to 2 and global config directives
 * are ignored since they have already been processed.  If the criteria in a
 * Match block is met, activep is set and the subsequent directives
 * processed and actioned until EOF or another Match block unsets it.  Any
 * options set are copied into the main server config.
 *
 * Potential additions/improvements:
 *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
 *
 *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
 *	Match Address 192.168.0.*
 *		Tag trusted
 *	Match Group wheel
 *		Tag trusted
 *	Match Tag trusted
 *		AllowTcpForwarding yes
 *		GatewayPorts clientspecified
 *		[...]
 *
 *  - Add a PermittedChannelRequests directive
 *	Match Group shell
 *		PermittedChannelRequests session,forwarded-tcpip
 */

int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum, int *activep, const char *user,
    const char *host, const char *address)
{
	char *cp, **charptr, *arg, *p;
	int cmdline = 0, *intptr, value, n;
	ServerOpCodes opcode;
	u_short port;
	u_int i, flags = 0;

	cp = line;
	arg = strdelim(&cp);

		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum, &flags);

	if (activep == NULL) { /* We are processing a command line directive */
		cmdline = 1;
		activep = &cmdline;
	}
	debug3("match: line %s active %d flags %d", line, *activep, flags);
	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
		if (user == NULL) {
			fatal("%s line %d: Directive '%s' is not allowed "
			    "within a Match block", filename, linenum, arg);
		} else { /* this is a directive we have already processed */
			while (arg)
				arg = strdelim(&cp);
			return 0;
		}
	}

	switch (opcode) {
	/* Portable-specific options */
	case sUsePAM:

			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		value = atoi(arg);
		if (*activep && *intptr == -1)
			*intptr = value;
		break;


		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*activep && *charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)

		else
			fatal("%s line %d: Bad yes/no argument: %s",
				filename, linenum, arg);
		if (*activep && *intptr == -1)
			*intptr = value;
		break;


		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		if (!*activep) {
			arg = strdelim(&cp);
			break;
		}
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",

			if (options->num_accept_env >= MAX_ACCEPT_ENV)
				fatal("%s line %d: too many allow env.",
				    filename, linenum);
			if (!*activep)
				break;
			options->accept_env[options->num_accept_env++] =
			    xstrdup(arg);
		}

			*intptr = value;
		break;

	case sMatch:
		if (cmdline)
			fatal("Match directive not supported as a command-line "
			   "option");
		value = match_cfg_line(&cp, linenum, user, host, address);
		if (value < 0)
			fatal("%s line %d: Bad Match condition", filename,
			    linenum);
		*activep = value;
		break;

	case sDeprecated:
		logit("%s line %d: Deprecated option %s",
		    filename, linenum, arg);

}

void
parse_server_match_config(ServerOptions *options, const char *user,
    const char *host, const char *address)
{
	u_int i;
	ServerOptions mo;

	initialize_server_options(&mo);
	parse_server_config(&mo, "reprocess config", &cfg, user, host, address);

	/* now copy any (supported) values set */
	if (mo.use_pam != -1)
		options->use_pam = mo.use_pam;
	if (mo.num_accept_env > 0) {
		for (i = 0; i < options->num_accept_env; i++)
			xfree(options->accept_env[i]);
		options->num_accept_env = 0;
		for (i = 0; i < mo.num_accept_env; i++) {
			if (options->num_accept_env >= MAX_ACCEPT_ENV)
				fatal("Too many allow env in Match block.");
			options->accept_env[options->num_accept_env++] =
			    mo.accept_env[i];
		}
	}
	if (mo.allow_tcp_forwarding != -1)
		options->allow_tcp_forwarding = mo.allow_tcp_forwarding;
	if (mo.authorized_keys_file != NULL) {
		if (options->authorized_keys_file != NULL)
			xfree(options->authorized_keys_file);
		options->authorized_keys_file = mo.authorized_keys_file;
	}
	if (mo.authorized_keys_file2 != NULL) {
		if (options->authorized_keys_file2 != NULL)
			xfree(options->authorized_keys_file2);
		options->authorized_keys_file2 = mo.authorized_keys_file2;
	}
	if (mo.banner != NULL) {
		if (options->banner != NULL)
			xfree(options->banner);
		options->banner = mo.banner;
	}
	if (mo.password_authentication != -1)
		options->password_authentication = mo.password_authentication;
	if (mo.challenge_response_authentication != -1)
		options->challenge_response_authentication =
		    mo.challenge_response_authentication;
	if (mo.client_alive_count_max != -1)
		options->client_alive_count_max = mo.client_alive_count_max;
	if (mo.client_alive_interval != -1)
		options->client_alive_interval = mo.client_alive_interval;
	if (mo.gateway_ports != -1)
		options->gateway_ports = mo.gateway_ports;
	if (mo.gss_authentication != -1)
		options->gss_authentication = mo.gss_authentication;
	if (mo.hostbased_authentication != -1)
		options->hostbased_authentication = mo.hostbased_authentication;
	if (mo.hostbased_uses_name_from_packet_only != -1)
		options->hostbased_uses_name_from_packet_only =
		    mo.hostbased_uses_name_from_packet_only;
	if (mo.kerberos_authentication != -1)
		options->kerberos_authentication = mo.kerberos_authentication;
	if (mo.kerberos_or_local_passwd != -1)
		options->kerberos_or_local_passwd = mo.kerberos_or_local_passwd;
	if (mo.kerberos_ticket_cleanup != -1)
		options->kerberos_ticket_cleanup = mo.kerberos_ticket_cleanup;
	if (mo.kerberos_get_afs_token != -1)
		options->kerberos_get_afs_token = mo.kerberos_get_afs_token;
	if (mo.login_grace_time != -1)
		options->login_grace_time = mo.login_grace_time;
	if (mo.log_facility != -1)
		options->log_facility = mo.log_facility;
	if (mo.log_level != -1)
		options->log_level = mo.log_level;
	if (mo.permit_root_login != -1)
		options->permit_root_login = mo.permit_root_login;
	if (mo.max_authtries != -1)
		options->max_authtries = mo.max_authtries;
	if (mo.permit_empty_passwd != -1)
		options->permit_empty_passwd = mo.permit_empty_passwd;
	if (mo.permit_tun != -1)
		options->permit_tun = mo.permit_tun;
	if (mo.permit_user_env != -1)
		options->permit_user_env = mo.permit_user_env;
	if (mo.print_motd != -1)
		options->print_motd = mo.print_motd;
	if (mo.pubkey_authentication != -1)
		options->pubkey_authentication = mo.pubkey_authentication;
	if (mo.rsa_authentication != -1)
		options->rsa_authentication = mo.rsa_authentication;
	if (mo.strict_modes != -1)
		options->strict_modes = mo.strict_modes;
	if (mo.num_subsystems != 0) {  /* Not currently used */
		for (i = 0; i < options->num_subsystems; i++) {
			xfree(options->subsystem_name[i]);
			xfree(options->subsystem_command[i]);
		}
		options->num_subsystems = 0;
		for (i = 0; i < mo.num_subsystems; i++) {
			options->subsystem_name[options->num_subsystems] =
			    mo.subsystem_name[i];
			options->subsystem_command[options->num_subsystems] =
			    mo.subsystem_command[i];
			options->num_subsystems++;
		}
	}
	if (mo.use_login != -1)
		options->use_login = mo.use_login;
	if (mo.xauth_location != NULL) {
		if (options->xauth_location != NULL)
			xfree(options->xauth_location);
		options->xauth_location = mo.xauth_location;
	}
	if (mo.x11_display_offset != -1)
		options->x11_display_offset = mo.x11_display_offset;
	if (mo.x11_forwarding != -1)
		options->x11_forwarding = mo.x11_forwarding;
	if (mo.x11_use_localhost != -1)
		options->x11_use_localhost = mo.x11_use_localhost;
}

void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
    const char *user, const char *host, const char *address)
{
	int active, linenum, bad_options = 0;
	char *cp, *obuf, *cbuf;

	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));

	obuf = cbuf = xstrdup(buffer_ptr(conf));
	active = user ? 0 : 1;
	linenum = 1;
	while ((cp = strsep(&cbuf, "\n")) != NULL) {
		if (process_server_config_line(options, cp, filename,
		    linenum++, &active, user, host, address) != 0)
			bad_options++;
	}
	xfree(obuf);

Lines 141-148 typedef struct { Link Here

(-)servconf.h (-2 / +6 lines)
141		141
142	void initialize_server_options(ServerOptions *);	142	void initialize_server_options(ServerOptions *);
143	void fill_default_server_options(ServerOptions *);	143	void fill_default_server_options(ServerOptions *);
144	int process_server_config_line(ServerOptions , char , const char *, int);	144	int process_server_config_line(ServerOptions , char , const char *, int,
		145	int , const char , const char , const char );
145	void load_server_config(const char , Buffer );	146	void load_server_config(const char , Buffer );
146	void parse_server_config(ServerOptions , const char , Buffer *);	147	void parse_server_config(ServerOptions , const char , Buffer *,
		148	const char , const char , const char *);
		149	void parse_server_match_config(ServerOptions , const char , const char *,
		150	const char *);
147		151
148	#endif /* SERVCONF_H */	152	#endif /* SERVCONF_H */

Lines 201-212 int *startup_pipes = NULL; Link Here

(-)sshd.c (-8 / +7 lines)
201	int startup_pipe; /* in child */	201	int startup_pipe; /* in child */
202		202
203	/* variables used for privilege separation */	203	/* variables used for privilege separation */
204	int use_privsep;	204	int use_privsep = -1; /* Needs to be accessable in many places */
205	struct monitor *pmonitor = NULL;	205	struct monitor *pmonitor = NULL;
206		206
207	/* global authentication context */	207	/* global authentication context */
208	Authctxt *the_authctxt = NULL;	208	Authctxt *the_authctxt = NULL;
209		209
		210	/* sshd_config buffer */
		211	Buffer cfg;
		212
210	/* message to be displayed after login */	213	/* message to be displayed after login */
211	Buffer loginmsg;	214	Buffer loginmsg;
212		215
Lines 892-898 main(int ac, char **av) Link Here
892	Key *key;	895	Key *key;
893	Authctxt *authctxt;	896	Authctxt *authctxt;
894	int ret, key_used = 0;	897	int ret, key_used = 0;
895	Buffer cfg;
896		898
897	#ifdef HAVE_SECUREWARE	899	#ifdef HAVE_SECUREWARE
898	(void)set_auth_parameters(ac, av);	900	(void)set_auth_parameters(ac, av);
Lines 1011-1017 main(int ac, char **av) Link Here
1011	case 'o':	1013	case 'o':
1012	line = xstrdup(optarg);	1014	line = xstrdup(optarg);
1013	if (process_server_config_line(&options, line,	1015	if (process_server_config_line(&options, line,
1014	"command-line", 0) != 0)	1016	"command-line", 0, NULL, NULL, NULL, NULL) != 0)
1015	exit(1);	1017	exit(1);
1016	xfree(line);	1018	xfree(line);
1017	break;	1019	break;
Lines 1069-1079 main(int ac, char **av) Link Here
1069	else	1071	else
1070	load_server_config(config_file_name, &cfg);	1072	load_server_config(config_file_name, &cfg);
1071		1073
1072	parse_server_config(&options,	1074	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
1073	rexeced_flag ? "rexec" : config_file_name, &cfg);	1075	&cfg, NULL, NULL, NULL);
1074
1075	if (!rexec_flag)
1076	buffer_free(&cfg);
1077		1076
1078	seed_rng();	1077	seed_rng();
1079		1078




Multiple algorithms must be comma-separated.
The default is
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
.It Cm Match
Introduces a conditional block.  Keywords on lines following a
.Cm Match
block are only applied if the criteria on the
.Cm Match
are satisfied.
The the arguments to
.Cm Match
block are one or more criteria-pattern pairs.
The available criteria are
.Cm User ,
.Cm Group ,
.Cm Host ,
and
.Cm Address .
Only a subset of keywords may be used on the lines following a
.Cm Match
keyword.
Available keywords are
.Cm AcceptEnv ,
.Cm AllowTcpForwarding ,
.Cm AuthorizedKeysFile ,
.Cm AuthorizedKeysFile2 ,
.Cm Banner ,
.Cm ChallengeResponseAuthentication ,
.Cm ChallengeResponseAuthentication ,
.Cm ClientAliveCountMax ,
.Cm ClientAliveInterval ,
.Cm GatewayPorts ,
.Cm GssAuthentication ,
.Cm GssCleanupCreds ,
.Cm HostbasedAuthentication ,
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm IgnoreRhosts ,
.Cm IgnoreUserKnownHosts ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
.Cm KerberosGetAFSToken ,
.Cm KerberosOrLocalPasswd ,
.Cm KerberosTicketCleanup ,
.Cm LogFacility ,
.Cm LogLevel ,
.Cm LoginGraceTime ,
.Cm MaxAuthTries ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswd ,
.Cm PermitRootLogin ,
.Cm PermitTunnel ,
.Cm PermitUserEnvironment ,
.Cm PrintLastLog ,
.Cm PrintMotd ,
.Cm PubkeyAuthentication ,
.Cm PubkeyAuthentication ,
.Cm RSAAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm StrictModes ,
.Cm Subsystem ,
.Cm UseLogin ,
.Cm UsePAM ,
.Cm X11DisplayOffset ,
.Cm X11Forwarding ,
.Cm X11UseLocalhost ,
and
.Cm XAuthLocation .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.

This file should be writable by root only, but it is recommended
(though not necessary) that it be world-readable.
.El
.Sh EXAMPLES
To allow
.Cm PasswordAuthentication
only from the local private network:
.Bd -literal -offset indent
PasswordAuthentication no
Match Address 192.168.0.*
	PasswordAuthentication yes
.Ed
.Bl -tag -width Ds
.Bl -tag -width Ds
.Sh SEE ALSO
.Xr sshd 8
.Sh AUTHORS

Return to bug 1180

Added Link Here

(-)cfgmatch.c (+116 lines)
1	/*
2	* Copyright (c) 2006 Darren Tucker. All rights reserved.
3	*
4	* Redistribution and use in source and binary forms, with or without
5	* modification, are permitted provided that the following conditions
6	* are met:
7	* 1. Redistributions of source code must retain the above copyright
8	* notice, this list of conditions and the following disclaimer.
9	* 2. Redistributions in binary form must reproduce the above copyright
10	* notice, this list of conditions and the following disclaimer in the
11	* documentation and/or other materials provided with the distribution.
12	*
13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23	*/
24
25	#include "includes.h"
26
27	#include "match.h"
28	#include "log.h"
29	#include "misc.h"
30	#include "canohost.h"
31	#include "groupaccess.h"
32
33	int
34	match_cfg_line(char *condition, int line, const char user, const char *host,
35	const char *address)
36	{
37	int result = 1;
38	char arg, attrib, cp = condition, *grplist[1];
39	size_t len;
40	struct passwd *pw;
41
42	if (user == NULL)
43	debug3("checking syntax for 'Match %s'", cp);
44	else
45	debug3("checking match for '%s'", cp);
46
47	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
48	if ((arg = strdelim(&cp)) == NULL \|\| *arg == '\0') {
49	error("Missing Match criteria for %s", attrib);
50	return -1;
51	}
52	len = strlen(arg);
53	if (strcasecmp(attrib, "user") == 0) {
54	if (!user) {
55	result = 0;
56	continue;
57	}
58	if (match_pattern_list(user, arg, len, 0) != 1)
59	/* XXX what about negative match? */
60	result = 0;
61	else
62	debug("user %.100s matched 'User %.100s' at "
63	"line %d", user, arg, line);
64	} else if (strcasecmp(attrib, "group") == 0) {
65	if (!user) {
66	result = 0;
67	continue;
68	}
69	grplist[0] = arg; /* XXX split on comma */
70	if ((pw = getpwnam(user)) == NULL) {
71	debug("Can't match group at line %d because "
72	"user %.100s does not exist", line, user);
73	result = 0;
74	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
75	debug("Can't Match group because user %.100s "
76	"not in any group at line %d", user,
77	line);
78	result = 0;
79	} else if (ga_match(grplist, 1) != 1) {
80	debug("User %.100s does not match group "
81	"%.100s at line %d", user, arg,
82	line);
83	result = 0;
84	} else {
85	debug("User %.100s matched Group %.100s at "
86	"line %d", user, arg, line);
87	}
88	} else if (strcasecmp(attrib, "host") == 0) {
89	if (!host) {
90	result = 0;
91	continue;
92	}
93	if (match_hostname(host, arg, len) != 1)
94	result = 0;
95	else
96	debug("connection from %.100s matched 'Host "
97	"%.100s' at line %d", host, arg, line);
98	} else if (strcasecmp(attrib, "address") == 0) {
99	if (!address) {
100	result = 0;
101	continue;
102	}
103	if (match_hostname(address, arg, len) != 1)
104	result = 0;
105	else
106	debug("connection from %.100s matched 'Address "
107	"%.100s' at line %d", address, arg, line);
108	} else {
109	error("Unsupported Match attribute %s", attrib);
110	return -1;
111	}
112	}
113	*condition = cp;
114	debug3("match_cfg_line: returning %d", result);
115	return result;
116	}

Lines 196-202 mm_getpwnamallow(const char *username) Link Here

(-)monitor_wrap.c (-4 / +26 lines)
196	{	196	{
197	Buffer m;	197	Buffer m;
198	struct passwd *pw;	198	struct passwd *pw;
199	u_int pwlen;	199	u_int len;
		200	void *p;
200		201
201	debug3("%s entering", __func__);	202	debug3("%s entering", __func__);
202		203
Lines 212-219 mm_getpwnamallow(const char *username) Link Here
212	buffer_free(&m);	213	buffer_free(&m);
213	return (NULL);	214	return (NULL);
214	}	215	}
215	pw = buffer_get_string(&m, &pwlen);	216	pw = buffer_get_string(&m, &len);
216	if (pwlen != sizeof(struct passwd))	217	if (len != sizeof(struct passwd))
217	fatal("%s: struct passwd size mismatch", __func__);	218	fatal("%s: struct passwd size mismatch", __func__);
218	pw->pw_name = buffer_get_string(&m, NULL);	219	pw->pw_name = buffer_get_string(&m, NULL);
219	pw->pw_passwd = buffer_get_string(&m, NULL);	220	pw->pw_passwd = buffer_get_string(&m, NULL);
Lines 223-229 mm_getpwnamallow(const char *username) Link Here
223	#endif	224	#endif
224	pw->pw_dir = buffer_get_string(&m, NULL);	225	pw->pw_dir = buffer_get_string(&m, NULL);
225	pw->pw_shell = buffer_get_string(&m, NULL);	226	pw->pw_shell = buffer_get_string(&m, NULL);
226	buffer_free(&m);	227	p = buffer_get_string(&m, &len);
		228	if (len != sizeof(options))
		229	fatal("%s: option block size mismatch", __func__);
		230	memcpy(&options, p, len);
		231	buffer_free(&m);
		232
		233	/* we don't use these options, so zero for safety */
		234	options.num_ports = 0;
		235	options.ports_from_cmdline = 0;
		236	options.pid_file = NULL;
		237	options.xauth_location = NULL;
		238	options.ciphers = NULL;
		239	options.num_allow_users = 0;
		240	options.num_deny_users = 0;
		241	options.num_allow_groups = 0;
		242	options.num_deny_groups = 0;
		243	options.macs = NULL;
		244	options.num_subsystems = 0;
		245	options.banner = NULL;
		246	options.authorized_keys_file = NULL;
		247	options.authorized_keys_file2 = NULL;
		248	options.num_accept_env = 0;
227		249
228	return (pw);	250	return (pw);
229	}	251	}

Lines 433-438 for data integrity protection. Link Here

(-)sshd_config.5 (+75 lines)
433	Multiple algorithms must be comma-separated.	433	Multiple algorithms must be comma-separated.
434	The default is	434	The default is
435	.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .	435	.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
		436	.It Cm Match
		437	Introduces a conditional block. Keywords on lines following a
		438	.Cm Match
		439	block are only applied if the criteria on the
		440	.Cm Match
		441	are satisfied.
		442	The the arguments to
		443	.Cm Match
		444	block are one or more criteria-pattern pairs.
		445	The available criteria are
		446	.Cm User ,
		447	.Cm Group ,
		448	.Cm Host ,
		449	and
		450	.Cm Address .
		451	Only a subset of keywords may be used on the lines following a
		452	.Cm Match
		453	keyword.
		454	Available keywords are
		455	.Cm AcceptEnv ,
		456	.Cm AllowTcpForwarding ,
		457	.Cm AuthorizedKeysFile ,
		458	.Cm AuthorizedKeysFile2 ,
		459	.Cm Banner ,
		460	.Cm ChallengeResponseAuthentication ,
		461	.Cm ChallengeResponseAuthentication ,
		462	.Cm ClientAliveCountMax ,
		463	.Cm ClientAliveInterval ,
		464	.Cm GatewayPorts ,
		465	.Cm GssAuthentication ,
		466	.Cm GssCleanupCreds ,
		467	.Cm HostbasedAuthentication ,
		468	.Cm HostbasedUsesNameFromPacketOnly ,
		469	.Cm IgnoreRhosts ,
		470	.Cm IgnoreUserKnownHosts ,
		471	.Cm KbdInteractiveAuthentication ,
		472	.Cm KerberosAuthentication ,
		473	.Cm KerberosGetAFSToken ,
		474	.Cm KerberosOrLocalPasswd ,
		475	.Cm KerberosTicketCleanup ,
		476	.Cm LogFacility ,
		477	.Cm LogLevel ,
		478	.Cm LoginGraceTime ,
		479	.Cm MaxAuthTries ,
		480	.Cm PasswordAuthentication ,
		481	.Cm PermitEmptyPasswd ,
		482	.Cm PermitRootLogin ,
		483	.Cm PermitTunnel ,
		484	.Cm PermitUserEnvironment ,
		485	.Cm PrintLastLog ,
		486	.Cm PrintMotd ,
		487	.Cm PubkeyAuthentication ,
		488	.Cm PubkeyAuthentication ,
		489	.Cm RSAAuthentication ,
		490	.Cm RhostsRSAAuthentication ,
		491	.Cm StrictModes ,
		492	.Cm Subsystem ,
		493	.Cm UseLogin ,
		494	.Cm UsePAM ,
		495	.Cm X11DisplayOffset ,
		496	.Cm X11Forwarding ,
		497	.Cm X11UseLocalhost ,
		498	and
		499	.Cm XAuthLocation .
436	.It Cm MaxAuthTries	500	.It Cm MaxAuthTries
437	Specifies the maximum number of authentication attempts permitted per	501	Specifies the maximum number of authentication attempts permitted per
438	connection.	502	connection.
Lines 827-832 Contains configuration data for Link Here
827	This file should be writable by root only, but it is recommended	891	This file should be writable by root only, but it is recommended
828	(though not necessary) that it be world-readable.	892	(though not necessary) that it be world-readable.
829	.El	893	.El
		894	.Sh EXAMPLES
		895	To allow
		896	.Cm PasswordAuthentication
		897	only from the local private network:
		898	.Bd -literal -offset indent
		899	PasswordAuthentication no
		900	Match Address 192.168.0.*
		901	PasswordAuthentication yes
		902	.Ed
		903	.Bl -tag -width Ds
		904	.Bl -tag -width Ds
830	.Sh SEE ALSO	905	.Sh SEE ALSO
831	.Xr sshd 8	906	.Xr sshd 8
832	.Sh AUTHORS	907	.Sh AUTHORS