Attachment #2469 for bug #2267




#include <string.h>
#include <unistd.h>
#include <util.h>
#include <vis.h>

#include "xmalloc.h"
#include "ssh.h"

#include "kex.h"
#include "mac.h"
#include "uidswap.h"
#include "myproposal.h"

/* Format of the configuration file:


	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
	oPubkeyAuthentication,
	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,

	{ "globalknownhostsfile", oGlobalKnownHostsFile },
	{ "globalknownhostsfile2", oDeprecated },
	{ "userknownhostsfile", oUserKnownHostsFile },
	{ "userknownhostsfile2", oDeprecated },
	{ "connectionattempts", oConnectionAttempts },
	{ "batchmode", oBatchMode },
	{ "checkhostip", oCheckHostIP },

	if (!WIFEXITED(status)) {
		error("command '%.100s' exited abnormally", cmd);
		return -1;
	}
	debug3("command returned status %d", WEXITSTATUS(status));
	return WEXITSTATUS(status);
}

 */
static int
match_cfg_line(Options *options, char **condition, struct passwd *pw,
    const char *host_arg, const char *original_host, int post_canon,
    const char *filename, int linenum)
{
	char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
	const char *ruser;
	int r, port, this_result, result = 1, attributes = 0, negate;
	size_t len;
	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];


	} else
		host = xstrdup(host_arg);

	debug2("checking match for '%s' host %s originally %s",
	    cp, host, original_host);
	while ((oattrib = attrib = strdelim(&cp)) && *attrib != '\0') {
		criteria = NULL;
		this_result = 1;
		if ((negate = attrib[0] == '!'))
			attrib++;
		/* criteria "all" and "canonical" have no argument */
		if (strcasecmp(attrib, "all") == 0) {
			if (attributes > 1 ||
			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
				error("%.200s line %d: '%s' cannot be combined "
				    "with other Match attributes",
				    filename, linenum, oattrib);
				result = -1;
				goto out;
			}
			if (result)
				result = negate ? 0 : 1;
			goto out;
		}
		attributes++;
		if (strcasecmp(attrib, "canonical") == 0) {
			r = !!post_canon;  /* force bitmask member to boolean */
			if (r == (negate ? 1 : 0))
				this_result = result = 0;
			debug3("%.200s line %d: %smatched '%s'",
			    filename, linenum,
			    this_result ? "" : "not ", oattrib);
			continue;
		}
		/* All other criteria require an argument */
		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
			error("Missing Match criteria for %s", attrib);
			result = -1;

		}
		len = strlen(arg);
		if (strcasecmp(attrib, "host") == 0) {
			criteria = xstrdup(host);
			r = match_hostname(host, arg, len) == 1;
			if (r == (negate ? 1 : 0))
				this_result = result = 0;
				    filename, linenum, host);
		} else if (strcasecmp(attrib, "originalhost") == 0) {
			criteria = xstrdup(original_host);
			r = match_hostname(original_host, arg, len) == 1;
			if (r == (negate ? 1 : 0))
				this_result = result = 0;
				    "'OriginalHost %.100s' ",
				    filename, linenum, host_arg);
		} else if (strcasecmp(attrib, "user") == 0) {
			criteria = xstrdup(ruser);
			r = match_pattern_list(ruser, arg, len, 0) == 1;
			if (r == (negate ? 1 : 0))
				this_result = result = 0;
				    filename, linenum, ruser);
		} else if (strcasecmp(attrib, "localuser") == 0) {
			criteria = xstrdup(pw->pw_name);
			r = match_pattern_list(pw->pw_name, arg, len, 0) == 1;
			if (r == (negate ? 1 : 0))
				this_result = result = 0;
				    "'LocalUser %.100s' ",
				    filename, linenum, pw->pw_name);
		} else if (strcasecmp(attrib, "exec") == 0) {
			if (gethostname(thishost, sizeof(thishost)) == -1)
				fatal("gethostname: %s", strerror(errno));

			    "d", pw->pw_dir,
			    "h", host,
			    "l", thishost,
			    "n", original_host,
			    "p", portstr,
			    "r", ruser,
			    "u", pw->pw_name,
			    (char *)NULL);
			if (result != 1) {
				/* skip execution if prior predicate failed */
				debug3("%.200s line %d: skipped exec "
				    "\"%.100s\"", filename, linenum, cmd);
				free(cmd);
				continue;
				if (r == -1) {
					fatal("%.200s line %d: match exec "
					    "'%.100s' error", filename,
					    linenum, cmd);
				} else if (r == 0) {
					debug("%.200s line %d: matched "
					    "'exec \"%.100s\"'", filename,
					    linenum, cmd);
				} else {
					debug("%.200s line %d: no match "
					    "'exec \"%.100s\"'", filename,
					    linenum, cmd);
					result = 0;
				}
			}
			r = execute_in_shell(cmd);
			if (r == -1) {
				fatal("%.200s line %d: match exec "
				    "'%.100s' error", filename,
				    linenum, cmd);
			}
			criteria = xstrdup(cmd);
			free(cmd);
			/* Force exit status to boolean */
			r = r == 0;
			if (r == (negate ? 1 : 0))
				this_result = result = 0;
		} else {
			error("Unsupported Match attribute %s", attrib);
			result = -1;
			goto out;
		}
		debug3("%.200s line %d: %smatched '%s \"%.100s\"' ",
		    filename, linenum, this_result ? "": "not ",
		    oattrib, criteria);
		free(criteria);
	}
	if (attributes == 0) {
		error("One or more attributes required for Match");
		result = -1;
		goto out;
	}
	debug3("match %sfound", result ? "" : "not ");
	*condition = cp;
 out:
	if (result != -1)
		debug2("match %sfound", result ? "" : "not ");
	*condition = cp;
	free(host);
	return result;
}

#define WHITESPACE " \t\r\n"
int
process_config_line(Options *options, struct passwd *pw, const char *host,
    const char *original_host, char *line, const char *filename,
    int linenum, int *activep, int flags)
{
	char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
	char **cpptr, fwdarg[256];

		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		if (strcmp(arg, "none") == 0)
			value = -1;
		else if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*activep && *intptr == -1)

	case oForwardX11Trusted:
		intptr = &options->forward_x11_trusted;
		goto parse_flag;

	case oForwardX11Timeout:
		intptr = &options->forward_x11_timeout;
		goto parse_time;

			if (*intptr >= SSH_MAX_IDENTITY_FILES)
				fatal("%.200s line %d: Too many identity files specified (max %d).",
				    filename, linenum, SSH_MAX_IDENTITY_FILES);
			add_identity_file(options, NULL,
			    arg, flags & SSHCONF_USERCONF);
		}
		break;


		if (cmdline)
			fatal("Host directive not supported as a command-line "
			    "option");
		value = match_cfg_line(options, &s, pw, host, original_host,
		    flags & SSHCONF_POSTCANON, filename, linenum);
		if (value < 0)
			fatal("%.200s line %d: Bad Match condition", filename,
			    linenum);

		return 0;

	default:
		fatal("%s: Unimplemented opcode %d", __func__, opcode);
	}

	/* Check that there is no garbage at end of line. */


int
read_config_file(const char *filename, struct passwd *pw, const char *host,
    const char *original_host, Options *options, int flags)
{
	FILE *f;
	char line[1024];

	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		if (process_config_line(options, pw, host, original_host,
		    line, filename, linenum, &active, flags) != 0)
			bad_options++;
	}
	fclose(f);

	fwd->listen_path = NULL;
	return (0);
}

/* XXX the following is a near-vebatim copy from servconf.c; refactor */
static const char *
fmt_multistate_int(int val, const struct multistate *m)
{
	u_int i;

	for (i = 0; m[i].key != NULL; i++) {
		if (m[i].value == val)
			return m[i].key;
	}
	return "UNKNOWN";
}

static const char *
fmt_intarg(OpCodes code, int val)
{
	if (val == -1)
		return "unset";
	switch (code) {
	case oAddressFamily:
		return fmt_multistate_int(val, multistate_addressfamily);
	case oVerifyHostKeyDNS:
	case oStrictHostKeyChecking:
		return fmt_multistate_int(val, multistate_yesnoask);
	case oControlMaster:
		return fmt_multistate_int(val, multistate_controlmaster);
	case oTunnel:
		return fmt_multistate_int(val, multistate_tunnel);
	case oRequestTTY:
		return fmt_multistate_int(val, multistate_requesttty);
	case oCanonicalizeHostname:
		return fmt_multistate_int(val, multistate_canonicalizehostname);
	case oProtocol:
		switch (val) {
		case SSH_PROTO_1:
			return "1";
		case SSH_PROTO_2:
			return "2";
		case (SSH_PROTO_1|SSH_PROTO_2):
			return "2,1";
		default:
			return "UNKNOWN";
		}
	default:
		switch (val) {
		case 0:
			return "no";
		case 1:
			return "yes";
		default:
			return "UNKNOWN";
		}
	}
}

static const char *
lookup_opcode_name(OpCodes code)
{
	u_int i;

	for (i = 0; keywords[i].name != NULL; i++)
		if (keywords[i].opcode == code)
			return(keywords[i].name);
	return "UNKNOWN";
}

static void
dump_cfg_int(OpCodes code, int val)
{
	printf("%s %d\n", lookup_opcode_name(code), val);
}

static void
dump_cfg_fmtint(OpCodes code, int val)
{
	printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
}

static void
dump_cfg_string(OpCodes code, const char *val)
{
	if (val == NULL)
		return;
	printf("%s %s\n", lookup_opcode_name(code), val);
}

static void
dump_cfg_strarray(OpCodes code, u_int count, char **vals)
{
	u_int i;

	for (i = 0; i < count; i++)
		printf("%s %s\n", lookup_opcode_name(code), vals[i]);
}

static void
dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
{
	u_int i;

	printf("%s", lookup_opcode_name(code));
	for (i = 0; i < count; i++)
		printf(" %s",  vals[i]);
	printf("\n");
}

static void
dump_cfg_forwards(OpCodes code, u_int count, const struct Forward *fwds)
{
	const struct Forward *fwd;
	u_int i;

	/* oDynamicForward */
	for (i = 0; i < count; i++) {
		fwd = &fwds[i];
		if (code == oDynamicForward &&
		    strcmp(fwd->connect_host, "socks") != 0)
			continue;
		if (code == oLocalForward &&
		    strcmp(fwd->connect_host, "socks") == 0)
			continue;
		printf("%s", lookup_opcode_name(code));
		if (fwd->listen_port == PORT_STREAMLOCAL)
			printf(" %s", fwd->listen_path);
		else if (fwd->listen_host == NULL)
			printf(" %d", fwd->listen_port);
		else {
			printf(" [%s]:%d",
			    fwd->listen_host, fwd->listen_port);
		}
		if (code != oDynamicForward) {
			if (fwd->connect_port == PORT_STREAMLOCAL)
				printf(" %s", fwd->connect_path);
			else if (fwd->connect_host == NULL)
				printf(" %d", fwd->connect_port);
			else {
				printf(" [%s]:%d",
				    fwd->connect_host, fwd->connect_port);
			}
		}
		printf("\n");
	}
}

void
dump_client_config(Options *o, const char *host)
{
	int i;
	char vbuf[5];

	/* Most interesting options first: user, host, port */
	dump_cfg_string(oUser, o->user);
	dump_cfg_string(oHostName, host);
	dump_cfg_int(oPort, o->port);

	/* Flag options */
	dump_cfg_fmtint(oAddressFamily, o->address_family);
	dump_cfg_fmtint(oBatchMode, o->batch_mode);
	dump_cfg_fmtint(oCanonicalizeFallbackLocal, o->canonicalize_fallback_local);
	dump_cfg_fmtint(oCanonicalizeHostname, o->canonicalize_hostname);
	dump_cfg_fmtint(oChallengeResponseAuthentication, o->challenge_response_authentication);
	dump_cfg_fmtint(oCheckHostIP, o->check_host_ip);
	dump_cfg_fmtint(oCompression, o->compression);
	dump_cfg_fmtint(oControlMaster, o->control_master);
	dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
	dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
	dump_cfg_fmtint(oForwardAgent, o->forward_agent);
	dump_cfg_fmtint(oForwardX11, o->forward_x11);
	dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
	dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
#ifdef GSSAPI
	dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
	dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds);
#endif /* GSSAPI */
	dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
	dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
	dump_cfg_fmtint(oIdentitiesOnly, o->identities_only);
	dump_cfg_fmtint(oKbdInteractiveAuthentication, o->kbd_interactive_authentication);
	dump_cfg_fmtint(oNoHostAuthenticationForLocalhost, o->no_host_authentication_for_localhost);
	dump_cfg_fmtint(oPasswordAuthentication, o->password_authentication);
	dump_cfg_fmtint(oPermitLocalCommand, o->permit_local_command);
	dump_cfg_fmtint(oProtocol, o->protocol);
	dump_cfg_fmtint(oProxyUseFdpass, o->proxy_use_fdpass);
	dump_cfg_fmtint(oPubkeyAuthentication, o->pubkey_authentication);
	dump_cfg_fmtint(oRequestTTY, o->request_tty);
	dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication);
	dump_cfg_fmtint(oRSAAuthentication, o->rsa_authentication);
	dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
	dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking);
	dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive);
	dump_cfg_fmtint(oTunnel, o->tun_open);
	dump_cfg_fmtint(oUsePrivilegedPort, o->use_privileged_port);
	dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns);
	dump_cfg_fmtint(oVisualHostKey, o->visual_host_key);

	/* Integer options */
	dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots);
	dump_cfg_int(oCompressionLevel, o->compression_level);
	dump_cfg_int(oConnectionAttempts, o->connection_attempts);
	dump_cfg_int(oForwardX11Timeout, o->forward_x11_timeout);
	dump_cfg_int(oNumberOfPasswordPrompts, o->number_of_password_prompts);
	dump_cfg_int(oServerAliveCountMax, o->server_alive_count_max);
	dump_cfg_int(oServerAliveInterval, o->server_alive_interval);

	/* String options */
	dump_cfg_string(oBindAddress, o->bind_address);
	dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
	dump_cfg_string(oControlPath, o->control_path);
	dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
	dump_cfg_string(oHostKeyAlias, o->host_key_alias);
	dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
	dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX);
	dump_cfg_string(oLocalCommand, o->local_command);
	dump_cfg_string(oLogLevel, log_level_name(o->log_level));
	dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);
	dump_cfg_string(oPKCS11Provider, o->pkcs11_provider);
	dump_cfg_string(oPreferredAuthentications, o->preferred_authentications);
	dump_cfg_string(oProxyCommand, o->proxy_command);
	dump_cfg_string(oXAuthLocation, o->xauth_location);

	dump_cfg_forwards(oDynamicForward, o->num_local_forwards, o->local_forwards);
	dump_cfg_forwards(oLocalForward, o->num_local_forwards, o->local_forwards);
	dump_cfg_forwards(oRemoteForward, o->num_remote_forwards, o->remote_forwards);

	/* String array options */
	dump_cfg_strarray(oIdentityFile, o->num_identity_files, o->identity_files);
	dump_cfg_strarray_oneline(oCanonicalDomains, o->num_canonical_domains, o->canonical_domains);
	dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
	dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
	dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);

	/* Special cases */

	/* oConnectTimeout */
	if (o->connection_timeout == -1)
		printf("connecttimeout none\n");
	else
		dump_cfg_int(oConnectTimeout, o->connection_timeout);

	/* oTunnelDevice */
	printf("tunneldevice");
	if (o->tun_local == SSH_TUNID_ANY)
		printf(" any");
	else
		printf(" %d", o->tun_local);
	if (o->tun_remote == SSH_TUNID_ANY)
		printf(":any");
	else
		printf(":%d", o->tun_remote);
	printf("\n");

	/* oCanonicalizePermittedCNAMEs */
	if ( o->num_permitted_cnames > 0) {
		printf("canonicalizePermittedcnames");
		for (i = 0; i < o->num_permitted_cnames; i++) {
			printf(" %s:%s", o->permitted_cnames[i].source_list,
			    o->permitted_cnames[i].target_list);
		}
		printf("\n");
	}

	/* oCipher */
	if (o->cipher != SSH_CIPHER_NOT_SET)
		printf("Cipher %s\n", cipher_name(o->cipher));

	/* oControlPersist */
	if (o->control_persist == 0 || o->control_persist_timeout == 0)
		dump_cfg_fmtint(oControlPersist, o->control_persist);
	else
		dump_cfg_int(oControlPersist, o->control_persist_timeout);

	/* oEscapeChar */
	if (o->escape_char == SSH_ESCAPECHAR_NONE)
		printf("escapechar none\n");
	else {
		vis(vbuf, o->escape_char, VIS_WHITE, 0);
		printf("escapechar %s\n", vbuf);
	}

	/* oIPQoS */
	printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
	printf("%s\n", iptos2str(o->ip_qos_bulk));

	/* oRekeyLimit */
	printf("rekeylimit %lld %d\n",
	    (long long)o->rekey_limit, o->rekey_interval);

	/* oStreamLocalBindMask */
	printf("streamlocalbindmask 0%o\n",
	    o->fwd_opts.streamlocal_bind_mask);
}





#define SSHCONF_CHECKPERM	1  /* check permissions on config file */
#define SSHCONF_USERCONF	2  /* user provided config file not system */
#define SSHCONF_POSTCANON	4  /* After hostname canonicalisation */

void     initialize_options(Options *);
void     fill_default_options(Options *);
void	 fill_default_options_for_canonicalization(Options *);
int	 process_config_line(Options *, struct passwd *, const char *,
    const char *, char *, const char *, int, int *, int);
int	 read_config_file(const char *, struct passwd *, const char *,
    const char *, Options *, int);
int	 parse_forward(struct Forward *, const char *, int, int);
int	 default_ssh_port(void);
int	 option_clear_or_none(const char *);
void	 dump_client_config(Options *o, const char *host);

void	 add_local_forward(Options *, const struct Forward *);
void	 add_remote_forward(Options *, const struct Forward *);

Lines 178-184 main(int argc, char **argv) Link Here

(-)ssh-keysign.c (-1 / +1 lines)
178		178
179	/* verify that ssh-keysign is enabled by the admin */	179	/* verify that ssh-keysign is enabled by the admin */
180	initialize_options(&options);	180	initialize_options(&options);
181	(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", &options, 0);	181	(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", &options, 0);
182	fill_default_options(&options);	182	fill_default_options(&options);
183	if (options.enable_ssh_keysign != 1)	183	if (options.enable_ssh_keysign != 1)
184	fatal("ssh-keysign not enabled in %s",	184	fatal("ssh-keysign not enabled in %s",




.Sh SYNOPSIS
.Nm ssh
.Bk -words
.Op Fl 1246AaCfgGKkMNnqsTtVvXxYy
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl D Oo Ar bind_address : Oc Ns Ar port

.Fl f
will wait for all remote port forwards to be successfully established
before placing itself in the background.
.It Fl G
Causes
.Nm
to print its configuration after evaluating
.Cm Host
and
.Cm Match
blocks and exit.
.It Fl g
Allows remote hosts to connect to local forwarded ports.
If used on a multiplexed connection, then this option must be specified




 * file if the user specifies a config file on the command line.
 */
static void
process_config_files(const char *host_arg, struct passwd *pw, int post_canon)
{
	char buf[MAXPATHLEN];
	int r;

	if (config != NULL) {
		if (strcasecmp(config, "none") != 0 &&
		    !read_config_file(config, pw, host, host_arg, &options,
		    SSHCONF_USERCONF | (post_canon ? SSHCONF_POSTCANON : 0)))
			fatal("Can't open user config file %.100s: "
			    "%.100s", config, strerror(errno));
	} else {
		r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
		    _PATH_SSH_USER_CONFFILE);
		if (r > 0 && (size_t)r < sizeof(buf))
			(void)read_config_file(buf, pw, host, host_arg,
			    &options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
			    (post_canon ? SSHCONF_POSTCANON : 0));

		/* Read systemwide configuration file after user config. */
		(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
		    host, host_arg, &options,
		    post_canon ? SSHCONF_POSTCANON : 0);
	}
}


int
main(int ac, char **av)
{
	int i, r, opt, exit_status, use_syslog, config_test = 0;
	char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg, *logfile;
	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
	char cname[NI_MAXHOST];


 again:
	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
	    "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
		switch (opt) {
		case '1':
			options.protocol = SSH_PROTO_1;

		case 'E':
			logfile = xstrdup(optarg);
			break;
		case 'G':
			config_test = 1;
			break;
		case 'Y':
			options.forward_x11 = 1;
			options.forward_x11_trusted = 1;

			break;
		case 'o':
			line = xstrdup(optarg);
			if (process_config_line(&options, pw,
			    host ? host : "", host ? host : "", line,
			    "command-line", 0, NULL, SSHCONF_USERCONF) != 0)
				exit(255);
			free(line);
			break;

		);

	/* Parse the configuration files */
	process_config_files(host_arg, pw, 0);

	/* Hostname canonicalisation needs a few options filled. */
	fill_default_options_for_canonicalization(&options);

		    "h", host, (char *)NULL);
		free(host);
		host = cp;
		free(options.hostname);
		options.hostname = xstrdup(host);
	}

	/* If canonicalization requested then try to apply it */

			check_follow_cname(&host, cname);
	}

	if (options.canonicalize_hostname != 0) {
		debug("Re-reading configuration");
		free(options.hostname);
		options.hostname = xstrdup(host);
		process_config_files(host_arg, pw, 1);
		debug("Hostname has changed; re-reading configuration");
		process_config_files(pw);
	}

	/* Fill configuration defaults. */

	}
	free(conn_hash_hex);

	if (config_test) {
		dump_client_config(&options, host);
		exit(0);
	}

	if (muxclient_command != 0 && options.control_path == NULL)
		fatal("No ControlPath specified for \"-O\" command");
	if (options.control_path != NULL)

Lines 65-71 The configuration files contain sections separated by Link Here

(-)ssh_config.5 (-11 / +46 lines)
65	.Dq Host	65	.Dq Host
66	specifications, and that section is only applied for hosts that	66	specifications, and that section is only applied for hosts that
67	match one of the patterns given in the specification.	67	match one of the patterns given in the specification.
68	The matched host name is the one given on the command line.	68	The matched host name is usually the one given on the command line
		69	(see the
		70	.Cm CanonicalizeHostname
		71	option for exceptions.)
69	.Pp	72	.Pp
70	Since the first obtained value for each parameter is used, more	73	Since the first obtained value for each parameter is used, more
71	host-specific declarations should be given near the beginning of the	74	host-specific declarations should be given near the beginning of the
Lines 109-118 A single Link Here
109	.Ql *	112	.Ql *
110	as a pattern can be used to provide global	113	as a pattern can be used to provide global
111	defaults for all hosts.	114	defaults for all hosts.
112	The host is the	115	The host is usually the
113	.Ar hostname	116	.Ar hostname
114	argument given on the command line (i.e. the name is not converted to	117	argument given on the command line
115	a canonicalized host name before matching).	118	(see the
		119	.Cm CanonicalizeHostname
		120	option for exceptions.)
116	.Pp	121	.Pp
117	A pattern entry may be negated by prefixing it with an exclamation mark	122	A pattern entry may be negated by prefixing it with an exclamation mark
118	.Pq Sq !\& .	123	.Pq Sq !\& .
Lines 134-152 or Link Here
134	keyword) to be used only when the conditions following the	139	keyword) to be used only when the conditions following the
135	.Cm Match	140	.Cm Match
136	keyword are satisfied.	141	keyword are satisfied.
137	Match conditions are specified using one or more keyword/criteria pairs	142	Match conditions are specified using one or more critera
138	or the single token	143	or the single token
139	.Cm all	144	.Cm all
140	which matches all criteria.	145	which always matches.
141	The available keywords are:	146	The available criteria keywords are:
		147	.Cm canonical ,
142	.Cm exec ,	148	.Cm exec ,
143	.Cm host ,	149	.Cm host ,
144	.Cm originalhost ,	150	.Cm originalhost ,
145	.Cm user ,	151	.Cm user ,
146	and	152	and
147	.Cm localuser .	153	.Cm localuser .
		154	The
		155	.Cm all
		156	criteria must appear alone or immediately after
		157	.Cm canonical.
		158	Other criteria may be combined arbitrarily.
		159	All criteria but
		160	.Cm all
		161	and
		162	.Cm canonical
		163	require an argument.
		164	Criteria may be negated by prepending an exclamation mark
		165	.Pq Sq !\& .
148	.Pp	166	.Pp
149	The	167	The
		168	.Cm canonical
		169	keywork matches only when the configuration file is being re-parsed
		170	after hostname canonicalization (see the
		171	.Cm CanonicalizeHostname
		172	option.)
		173	This may be useful to specify conditions that work with canonical host
		174	names only.
		175	The
150	.Cm exec	176	.Cm exec
151	keyword executes the specified command under the user's shell.	177	keyword executes the specified command under the user's shell.
152	If the command returns a zero exit status then the condition is considered true.	178	If the command returns a zero exit status then the condition is considered true.
Lines 179-185 The criteria for the Link Here
179	keyword are matched against the target hostname, after any substitution	205	keyword are matched against the target hostname, after any substitution
180	by the	206	by the
181	.Cm Hostname	207	.Cm Hostname
182	option.	208	or
		209	.Cm CanonicalizeHostname
		210	options.
183	The	211	The
184	.Cm originalhost	212	.Cm originalhost
185	keyword matches against the hostname as it was specified on the command-line.	213	keyword matches against the hostname as it was specified on the command-line.
Lines 264-273 is set to Link Here
264	.Dq always ,	292	.Dq always ,
265	then canonicalization is applied to proxied connections too.	293	then canonicalization is applied to proxied connections too.
266	.Pp	294	.Pp
267	If this option is enabled and canonicalisation results in the target hostname	295	If this option is enabled, then the configuration files are processed
268	changing, then the configuration files are processed again using the new	296	again using the new target name to pick up any new configuration in matching
269	target name to pick up any new configuration in matching
270	.Cm Host	297	.Cm Host
		298	and
		299	.Cm Match
271	stanzas.	300	stanzas.
272	.It Cm CanonicalizeMaxDots	301	.It Cm CanonicalizeMaxDots
273	Specifies the maximum number of dot characters in a hostname before	302	Specifies the maximum number of dot characters in a hostname before
Lines 775-780 The default is the name given on the command line. Link Here
775	Numeric IP addresses are also permitted (both on the command line and in	804	Numeric IP addresses are also permitted (both on the command line and in
776	.Cm HostName	805	.Cm HostName
777	specifications).	806	specifications).
		807	.Pp
		808	If this option is enabled and results in the target hostname
		809	changing, then the configuration files are processed again using the new
		810	target name to pick up any new configuration in matching
		811	.Cm Host
		812	stanzas.
778	.It Cm IdentitiesOnly	813	.It Cm IdentitiesOnly
779	Specifies that	814	Specifies that
780	.Xr ssh 1	815	.Xr ssh 1

Return to bug 2267

Lines 370-396 resolve_canonicalize(char **hostp, int port) Link Here

(-)ssh.c (-20 / +30 lines)
370	* file if the user specifies a config file on the command line.	370	* file if the user specifies a config file on the command line.
371	*/	371	*/
372	static void	372	static void
373	process_config_files(struct passwd *pw)	373	process_config_files(const char host_arg, struct passwd pw, int post_canon)
374	{	374	{
375	char buf[MAXPATHLEN];	375	char buf[MAXPATHLEN];
376	int r;	376	int r;
377		377
378	if (config != NULL) {	378	if (config != NULL) {
379	if (strcasecmp(config, "none") != 0 &&	379	if (strcasecmp(config, "none") != 0 &&
380	!read_config_file(config, pw, host, &options,	380	!read_config_file(config, pw, host, host_arg, &options,
381	SSHCONF_USERCONF))	381	SSHCONF_USERCONF \| (post_canon ? SSHCONF_POSTCANON : 0)))
382	fatal("Can't open user config file %.100s: "	382	fatal("Can't open user config file %.100s: "
383	"%.100s", config, strerror(errno));	383	"%.100s", config, strerror(errno));
384	} else {	384	} else {
385	r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,	385	r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
386	_PATH_SSH_USER_CONFFILE);	386	_PATH_SSH_USER_CONFFILE);
387	if (r > 0 && (size_t)r < sizeof(buf))	387	if (r > 0 && (size_t)r < sizeof(buf))
388	(void)read_config_file(buf, pw, host, &options,	388	(void)read_config_file(buf, pw, host, host_arg,
389	SSHCONF_CHECKPERM\|SSHCONF_USERCONF);	389	&options, SSHCONF_CHECKPERM \| SSHCONF_USERCONF \|
		390	(post_canon ? SSHCONF_POSTCANON : 0));
390		391
391	/* Read systemwide configuration file after user config. */	392	/* Read systemwide configuration file after user config. */
392	(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, host,	393	(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
393	&options, 0);	394	host, host_arg, &options,
		395	post_canon ? SSHCONF_POSTCANON : 0);
394	}	396	}
395	}	397	}
396		398
Lines 400-406 process_config_files(struct passwd *pw) Link Here
400	int	402	int
401	main(int ac, char **av)	403	main(int ac, char **av)
402	{	404	{
403	int i, r, opt, exit_status, use_syslog;	405	int i, r, opt, exit_status, use_syslog, config_test = 0;
404	char p, cp, line, argv0, buf[MAXPATHLEN], host_arg, logfile;	406	char p, cp, line, argv0, buf[MAXPATHLEN], host_arg, logfile;
405	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];	407	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
406	char cname[NI_MAXHOST];	408	char cname[NI_MAXHOST];
Lines 478-484 main(int ac, char **av) Link Here
478		480
479	again:	481	again:
480	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"	482	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
481	"ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {	483	"ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
482	switch (opt) {	484	switch (opt) {
483	case '1':	485	case '1':
484	options.protocol = SSH_PROTO_1;	486	options.protocol = SSH_PROTO_1;
Lines 511-516 main(int ac, char **av) Link Here
511	case 'E':	513	case 'E':
512	logfile = xstrdup(optarg);	514	logfile = xstrdup(optarg);
513	break;	515	break;
		516	case 'G':
		517	config_test = 1;
		518	break;
514	case 'Y':	519	case 'Y':
515	options.forward_x11 = 1;	520	options.forward_x11 = 1;
516	options.forward_x11_trusted = 1;	521	options.forward_x11_trusted = 1;
Lines 759-767 main(int ac, char **av) Link Here
759	break;	764	break;
760	case 'o':	765	case 'o':
761	line = xstrdup(optarg);	766	line = xstrdup(optarg);
762	if (process_config_line(&options, pw, host ? host : "",	767	if (process_config_line(&options, pw,
763	line, "command-line", 0, NULL, SSHCONF_USERCONF)	768	host ? host : "", host ? host : "", line,
764	!= 0)	769	"command-line", 0, NULL, SSHCONF_USERCONF) != 0)
765	exit(255);	770	exit(255);
766	free(line);	771	free(line);
767	break;	772	break;
Lines 870-876 main(int ac, char **av) Link Here
870	);	875	);
871		876
872	/* Parse the configuration files */	877	/* Parse the configuration files */
873	process_config_files(pw);	878	process_config_files(host_arg, pw, 0);
874		879
875	/* Hostname canonicalisation needs a few options filled. */	880	/* Hostname canonicalisation needs a few options filled. */
876	fill_default_options_for_canonicalization(&options);	881	fill_default_options_for_canonicalization(&options);
Lines 882-887 main(int ac, char **av) Link Here
882	"h", host, (char *)NULL);	887	"h", host, (char *)NULL);
883	free(host);	888	free(host);
884	host = cp;	889	host = cp;
		890	free(options.hostname);
		891	options.hostname = xstrdup(host);
885	}	892	}
886		893
887	/* If canonicalization requested then try to apply it */	894	/* If canonicalization requested then try to apply it */
Lines 915-927 main(int ac, char **av) Link Here
915	check_follow_cname(&host, cname);	922	check_follow_cname(&host, cname);
916	}	923	}
917		924
918	/*	925	if (options.canonicalize_hostname != 0) {
919	* If the target hostname has changed as a result of canonicalisation	926	debug("Re-reading configuration");
920	* then re-parse the configuration files as new stanzas may match.	927	free(options.hostname);
921	*/	928	options.hostname = xstrdup(host);
922	if (strcasecmp(host_arg, host) != 0) {	929	process_config_files(host_arg, pw, 1);
923	debug("Hostname has changed; re-reading configuration");
924	process_config_files(pw);
925	}	930	}
926		931
927	/* Fill configuration defaults. */	932	/* Fill configuration defaults. */
Lines 1019-1024 main(int ac, char **av) Link Here
1019	}	1024	}
1020	free(conn_hash_hex);	1025	free(conn_hash_hex);
1021		1026
		1027	if (config_test) {
		1028	dump_client_config(&options, host);
		1029	exit(0);
		1030	}
		1031
1022	if (muxclient_command != 0 && options.control_path == NULL)	1032	if (muxclient_command != 0 && options.control_path == NULL)
1023	fatal("No ControlPath specified for \"-O\" command");	1033	fatal("No ControlPath specified for \"-O\" command");
1024	if (options.control_path != NULL)	1034	if (options.control_path != NULL)

Lines 164-180 typedef struct { Link Here

(-)readconf.h (-3 / +5 lines)
164		164
165	#define SSHCONF_CHECKPERM 1 /* check permissions on config file */	165	#define SSHCONF_CHECKPERM 1 /* check permissions on config file */
166	#define SSHCONF_USERCONF 2 /* user provided config file not system */	166	#define SSHCONF_USERCONF 2 /* user provided config file not system */
		167	#define SSHCONF_POSTCANON 4 /* After hostname canonicalisation */
167		168
168	void initialize_options(Options *);	169	void initialize_options(Options *);
169	void fill_default_options(Options *);	170	void fill_default_options(Options *);
170	void fill_default_options_for_canonicalization(Options *);	171	void fill_default_options_for_canonicalization(Options *);
171	int process_config_line(Options , struct passwd , const char , char ,	172	int process_config_line(Options , struct passwd , const char *,
172	const char , int, int , int);	173	const char , char , const char , int, int , int);
173	int read_config_file(const char , struct passwd , const char *,	174	int read_config_file(const char , struct passwd , const char *,
174	Options *, int);	175	const char , Options , int);
175	int parse_forward(struct Forward , const char , int, int);	176	int parse_forward(struct Forward , const char , int, int);
176	int default_ssh_port(void);	177	int default_ssh_port(void);
177	int option_clear_or_none(const char *);	178	int option_clear_or_none(const char *);
		179	void dump_client_config(Options o, const char host);
178		180
179	void add_local_forward(Options , const struct Forward );	181	void add_local_forward(Options , const struct Forward );
180	void add_remote_forward(Options , const struct Forward );	182	void add_remote_forward(Options , const struct Forward );

Lines 43-49 Link Here

(-)ssh.1 (-1 / +9 lines)
43	.Sh SYNOPSIS	43	.Sh SYNOPSIS
44	.Nm ssh	44	.Nm ssh
45	.Bk -words	45	.Bk -words
46	.Op Fl 1246AaCfgKkMNnqsTtVvXxYy	46	.Op Fl 1246AaCfgGKkMNnqsTtVvXxYy
47	.Op Fl b Ar bind_address	47	.Op Fl b Ar bind_address
48	.Op Fl c Ar cipher_spec	48	.Op Fl c Ar cipher_spec
49	.Op Fl D Oo Ar bind_address : Oc Ns Ar port	49	.Op Fl D Oo Ar bind_address : Oc Ns Ar port
Lines 251-256 then a client started with Link Here
251	.Fl f	251	.Fl f
252	will wait for all remote port forwards to be successfully established	252	will wait for all remote port forwards to be successfully established
253	before placing itself in the background.	253	before placing itself in the background.
		254	.It Fl G
		255	Causes
		256	.Nm
		257	to print its configuration after evaluating
		258	.Cm Host
		259	and
		260	.Cm Match
		261	blocks and exit.
254	.It Fl g	262	.It Fl g
255	Allows remote hosts to connect to local forwarded ports.	263	Allows remote hosts to connect to local forwarded ports.
256	If used on a multiplexed connection, then this option must be specified	264	If used on a multiplexed connection, then this option must be specified