Attachment #1127 for bug #1180

Lines 82-88 SSHDOBJS=sshd.o auth-rhosts.o auth-passw Link Here

(-)Makefile.in (-1 / +1 lines)
82	auth.o auth1.o auth2.o auth-options.o session.o \	82	auth.o auth1.o auth2.o auth-options.o session.o \
83	auth-chall.o auth2-chall.o groupaccess.o \	83	auth-chall.o auth2-chall.o groupaccess.o \
84	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \	84	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
85	auth2-none.o auth2-passwd.o auth2-pubkey.o \	85	auth2-none.o auth2-passwd.o auth2-pubkey.o cfgmatch.o \
86	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \	86	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
87	auth-krb5.o \	87	auth-krb5.o \
88	auth2-gss.o gss-serv.o gss-serv-krb5.o \	88	auth2-gss.o gss-serv.o gss-serv-krb5.o \

Lines 499-504 getpwnamallow(const char *user) Link Here

(-)auth.c (+3 lines)
499	#endif	499	#endif
500	struct passwd *pw;	500	struct passwd *pw;
501		501
		502	parse_server_match_config(&options, user,
		503	get_canonical_hostname(options.use_dns), get_remote_ipaddr());
		504
502	pw = getpwnam(user);	505	pw = getpwnam(user);
503	if (pw == NULL) {	506	if (pw == NULL) {
504	logit("Invalid user %.100s from %.100s",	507	logit("Invalid user %.100s from %.100s",




/*
 * Copyright (c) 2006 Darren Tucker.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#include "match.h"
#include "log.h"
#include "misc.h"
#include "canohost.h"
#include "servconf.h"
#include "groupaccess.h"
#include "xmalloc.h"

static int
match_cfg_line_group(const char *grps, int line, const char *user)
{
	int result = 0;
	u_int ngrps = 0;
	char *arg, *p, *cp, *grplist[MAX_MATCH_GROUPS];
	struct passwd *pw;

	arg = cp = xstrdup(grps);
	while ((p = strsep(&cp, ",")) != NULL && *p != '\0') {
		if (ngrps >= MAX_MATCH_GROUPS) {
			error("line %d: too many groups in Match Group", line);
			result = -1;
			goto out;
		}
		grplist[ngrps++] = p;
	}

	if (user == NULL)
		goto out;

	if ((pw = getpwnam(user)) == NULL) {
		debug("Can't match group at line %d because "
		    "user %.100s does not exist", line, user);
	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
		debug("Can't Match group because user %.100s "
		    "not in any group at line %d", user, line);
	} else if (ga_match(grplist, ngrps) != 1) {
		debug("user %.100s does not match group "
		    "%.100s at line %d", user, arg, line);
	} else {
		debug("user %.100s matched group %.100s at "
		    "line %d", user, arg, line);
		result = 1;
	}
out:
	xfree(arg);
	return result;
}


int
match_cfg_line(char **condition, int line, const char *user, const char *host,
    const char *address)
{
	int r, result = 1;
	char *arg, *attrib, *cp = *condition;
	size_t len;

	if (user == NULL)
		debug3("checking syntax for 'Match %s'", cp);
	else
		debug3("checking match for '%s'", cp);

	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
			error("Missing Match criteria for %s", attrib);
			return -1;
		}
		len = strlen(arg);
		if (strcasecmp(attrib, "user") == 0) {
			if (!user) {
				result = 0;
				continue;
			}
			if (match_pattern_list(user, arg, len, 0) != 1)
				/* XXX what about negative match? */
				result = 0;
			else
				debug("user %.100s matched 'User %.100s' at "
				    "line %d", user, arg, line);
		} else if (strcasecmp(attrib, "group") == 0) {
			if ((r = match_cfg_line_group(arg, line, user)) < 0)
				return -1;
			if (r == 0)
				result = 0;
		} else if (strcasecmp(attrib, "host") == 0) {
			if (!host) {
				result = 0;
				continue;
			}
			if (match_hostname(host, arg, len) != 1)
				result = 0;
			else
				debug("connection from %.100s matched 'Host "
				    "%.100s' at line %d", host, arg, line);
		} else if (strcasecmp(attrib, "address") == 0) {
			if (!address) {
				result = 0;
				continue;
			}
			if (match_hostname(address, arg, len) != 1)
				result = 0;
			else
				debug("connection from %.100s matched 'Address "
				    "%.100s' at line %d", address, arg, line);
		} else {
			error("Unsupported Match attribute %s", attrib);
			return -1;
		}
	}
	if (user != NULL)
		debug3("match %sfound", result ? "" : "not ");
	*condition = cp;
	return result;
}

Lines 32-37 Link Here

(-)groupaccess.c (-1 / +12 lines)
32		32
33	static int ngroups;	33	static int ngroups;
34	static char **groups_byname;	34	static char **groups_byname;
		35	static char *saved_user;
		36	static gid_t saved_gid;
35		37
36	/*	38	/*
37	* Initialize group access list for user with primary (base) and	39	* Initialize group access list for user with primary (base) and
Lines 44-57 ga_init(const char *user, gid_t base) Link Here
44	int i, j;	46	int i, j;
45	struct group *gr;	47	struct group *gr;
46		48
47	if (ngroups > 0)	49	if (saved_user != NULL && strcmp(saved_user, user) == 0 &&
		50	saved_gid == base)
		51	return ngroups;
		52
		53	if (ngroups > 0) {
48	ga_free();	54	ga_free();
		55	xfree(saved_user);
		56	saved_user = NULL;
		57	}
49		58
50	ngroups = NGROUPS_MAX;	59	ngroups = NGROUPS_MAX;
51	#if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX)	60	#if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX)
52	ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));	61	ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
53	#endif	62	#endif
54		63
		64	saved_user = xstrdup(user);
		65	saved_gid = base;
55	groups_bygid = xmalloc(ngroups * sizeof(*groups_bygid));	66	groups_bygid = xmalloc(ngroups * sizeof(*groups_bygid));
56	groups_byname = xmalloc(ngroups * sizeof(*groups_byname));	67	groups_byname = xmalloc(ngroups * sizeof(*groups_byname));
57		68

Lines 20-24 int match_hostname(const char *, const Link Here

(-)match.h (+1 lines)
20	int match_host_and_ip(const char , const char , const char *);	20	int match_host_and_ip(const char , const char , const char *);
21	int match_user(const char , const char , const char , const char );	21	int match_user(const char , const char , const char , const char );
22	char match_list(const char , const char , u_int );	22	char match_list(const char , const char , u_int );
		23	int match_cfg_line(char *, int, const char , const char , const char );
23		24
24	#endif	25	#endif

Lines 628-633 mm_answer_pwnamallow(int sock, Buffer *m Link Here

(-)monitor.c (+6 lines)
628	#endif	628	#endif
629	buffer_put_cstring(m, pwent->pw_dir);	629	buffer_put_cstring(m, pwent->pw_dir);
630	buffer_put_cstring(m, pwent->pw_shell);	630	buffer_put_cstring(m, pwent->pw_shell);
		631	buffer_put_string(m, &options, sizeof(options));
		632	if (options.banner != NULL) {
		633	buffer_put_int(m, 1);
		634	buffer_put_cstring(m, options.banner);
		635	} else
		636	buffer_put_int(m, 0);
631		637
632	out:	638	out:
633	debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);	639	debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);

Lines 196-202 mm_getpwnamallow(const char *username) Link Here

(-)monitor_wrap.c (-3 / +31 lines)
196	{	196	{
197	Buffer m;	197	Buffer m;
198	struct passwd *pw;	198	struct passwd *pw;
199	u_int pwlen;	199	u_int len;
		200	void *p;
		201	ServerOptions newopts;
200		202
201	debug3("%s entering", __func__);	203	debug3("%s entering", __func__);
202		204
Lines 212-219 mm_getpwnamallow(const char *username) Link Here
212	buffer_free(&m);	214	buffer_free(&m);
213	return (NULL);	215	return (NULL);
214	}	216	}
215	pw = buffer_get_string(&m, &pwlen);	217	pw = buffer_get_string(&m, &len);
216	if (pwlen != sizeof(struct passwd))	218	if (len != sizeof(struct passwd))
217	fatal("%s: struct passwd size mismatch", __func__);	219	fatal("%s: struct passwd size mismatch", __func__);
218	pw->pw_name = buffer_get_string(&m, NULL);	220	pw->pw_name = buffer_get_string(&m, NULL);
219	pw->pw_passwd = buffer_get_string(&m, NULL);	221	pw->pw_passwd = buffer_get_string(&m, NULL);
Lines 223-228 mm_getpwnamallow(const char *username) Link Here
223	#endif	225	#endif
224	pw->pw_dir = buffer_get_string(&m, NULL);	226	pw->pw_dir = buffer_get_string(&m, NULL);
225	pw->pw_shell = buffer_get_string(&m, NULL);	227	pw->pw_shell = buffer_get_string(&m, NULL);
		228
		229	/* copy options block as a Match directive may have changed some */
		230	p = buffer_get_string(&m, &len);
		231	if (len != sizeof(newopts))
		232	fatal("%s: option block size mismatch", __func__);
		233	memcpy(&newopts, p, sizeof(newopts));
		234	newopts.banner = NULL;
		235	if (buffer_get_int(&m) == 1)
		236	newopts.banner = buffer_get_string(&m, NULL);
		237	/* unset the string/array options not used in the slave */
		238	newopts.num_ports = 0;
		239	newopts.ports_from_cmdline = 0;
		240	newopts.pid_file = NULL;
		241	newopts.xauth_location = NULL;
		242	newopts.ciphers = NULL;
		243	newopts.num_allow_users = 0;
		244	newopts.num_deny_users = 0;
		245	newopts.num_allow_groups = 0;
		246	newopts.num_deny_groups = 0;
		247	newopts.macs = NULL;
		248	newopts.num_subsystems = 0;
		249	newopts.authorized_keys_file = NULL;
		250	newopts.authorized_keys_file2 = NULL;
		251	newopts.num_accept_env = 0;
		252	copy_set_server_options(&options, &newopts);
		253
226	buffer_free(&m);	254	buffer_free(&m);
227		255
228	return (pw);	256	return (pw);




#include "cipher.h"
#include "kex.h"
#include "mac.h"
#include "match.h"

static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* Use of privilege separation or not */
extern int use_privsep;
extern Buffer cfg;

/* Initializes the server options to their default values. */


	options->authorized_keys_file2 = NULL;
	options->num_accept_env = 0;
	options->permit_tun = -1;

	/* Needs to be accessable in many places */
	use_privsep = -1;
}

void

	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
	sMatch,
	sUsePrivilegeSeparation,
	sDeprecated, sUnsupported
} ServerOpCodes;

#define SSHCFG_GLOBAL	0x01
#define SSHCFG_MATCH	0x02
#define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)

/* Textual representation of the tokens. */
static struct {
	const char *name;
	ServerOpCodes opcode;
	u_int flags;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "usepam", sUsePAM, SSHCFG_ALL },
#else
	{ "usepam", sUnsupported, SSHCFG_ALL },
#endif
	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
	/* Standard Options */
	{ "port", sPort, SSHCFG_GLOBAL },
	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
	{ "logingracetime", sLoginGraceTime, SSHCFG_ALL },
	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
	{ "syslogfacility", sLogFacility, SSHCFG_ALL },
	{ "loglevel", sLogLevel, SSHCFG_ALL },
	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_ALL }, /* alias */
#ifdef KRB5
	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_ALL },
	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_ALL },
#ifdef USE_AFS
	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_ALL },
#else
	{ "kerberosgetafstoken", sUnsupported, SSHCFG_ALL },
#endif
#else
	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_ALL },
	{ "kerberosticketcleanup", sUnsupported, SSHCFG_ALL },
	{ "kerberosgetafstoken", sUnsupported, SSHCFG_ALL },
#endif
	{ "kerberostgtpassing", sUnsupported, SSHCFG_ALL },
	{ "afstokenpassing", sUnsupported, SSHCFG_ALL },
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_ALL },
#else
	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_ALL },
#endif
	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL },
	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_ALL }, /* alias */
	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
	{ "printmotd", sPrintMotd, SSHCFG_ALL },
	{ "printlastlog", sPrintLastLog, SSHCFG_ALL },
	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_ALL },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_ALL },
	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
	{ "xauthlocation", sXAuthLocation, SSHCFG_ALL },
	{ "strictmodes", sStrictModes, SSHCFG_ALL },
	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_ALL },
	{ "uselogin", sUseLogin, SSHCFG_ALL },
	{ "compression", sCompression, SSHCFG_GLOBAL },
	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
	{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
	{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
	{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
	{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
	{ "macs", sMacs, SSHCFG_GLOBAL },
	{ "protocol", sProtocol, SSHCFG_GLOBAL },
	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
	{ "subsystem", sSubsystem, SSHCFG_ALL },
	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
	{ "banner", sBanner, SSHCFG_ALL },
	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_ALL },
	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
	{ "match", sMatch, SSHCFG_ALL },
	{ NULL, sBadOption, 0 }
};

/*


static ServerOpCodes
parse_token(const char *cp, const char *filename,
	    int linenum, u_int *flags)
{
	u_int i;

	for (i = 0; keywords[i].name; i++)
		if (strcasecmp(cp, keywords[i].name) == 0) {
			*flags = keywords[i].flags;
			return keywords[i].opcode;
		}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);

	options->listen_addrs = aitop;
}

/*
 * The strategy for the Match blocks is that the config file is parsed twice.
 *
 * The first time is at startup.  activep is initialized to 1 and the
 * directives in the global context are processed and acted on.  Hitting a
 * Match directive unsets activep and the directives inside the block are
 * checked for syntax only.
 *
 * The second time is after a connection has been established but before
 * authentication.  activep is initialized to 2 and global config directives
 * are ignored since they have already been processed.  If the criteria in a
 * Match block is met, activep is set and the subsequent directives
 * processed and actioned until EOF or another Match block unsets it.  Any
 * options set are copied into the main server config.
 *
 * Potential additions/improvements:
 *  - Add Match support for pre-kex directives, eg Protocol, Ciphers.
 *
 *  - Add a Tag directive (idea from David Leonard) ala pf, eg:
 *	Match Address 192.168.0.*
 *		Tag trusted
 *	Match Group wheel
 *		Tag trusted
 *	Match Tag trusted
 *		AllowTcpForwarding yes
 *		GatewayPorts clientspecified
 *		[...]
 *
 *  - Add a PermittedChannelRequests directive
 *	Match Group shell
 *		PermittedChannelRequests session,forwarded-tcpip
 */

int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum, int *activep, const char *user,
    const char *host, const char *address)
{
	char *cp, **charptr, *arg, *p;
	int cmdline = 0, *intptr, value, n;
	ServerOpCodes opcode;
	u_short port;
	u_int i, flags = 0;

	cp = line;
	if ((arg = strdelim(&cp)) == NULL)

		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum, &flags);

	if (activep == NULL) { /* We are processing a command line directive */
		cmdline = 1;
		activep = &cmdline;
	}
	if (*activep && opcode != sMatch)
		debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
	if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
		if (user == NULL) {
			fatal("%s line %d: Directive '%s' is not allowed "
			    "within a Match block", filename, linenum, arg);
		} else { /* this is a directive we have already processed */
			while (arg)
				arg = strdelim(&cp);
			return 0;
		}
	}

	switch (opcode) {
	/* Portable-specific options */
	case sUsePAM:

			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		value = atoi(arg);
		if (*activep && *intptr == -1)
			*intptr = value;
		break;


		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*activep && *charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)

		else
			fatal("%s line %d: Bad yes/no argument: %s",
				filename, linenum, arg);
		if (*activep && *intptr == -1)
			*intptr = value;
		break;


		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		if (!*activep) {
			arg = strdelim(&cp);
			break;
		}
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",

			if (options->num_accept_env >= MAX_ACCEPT_ENV)
				fatal("%s line %d: too many allow env.",
				    filename, linenum);
			if (!*activep)
				break;
			options->accept_env[options->num_accept_env++] =
			    xstrdup(arg);
		}

			*intptr = value;
		break;

	case sMatch:
		if (cmdline)
			fatal("Match directive not supported as a command-line "
			   "option");
		value = match_cfg_line(&cp, linenum, user, host, address);
		if (value < 0)
			fatal("%s line %d: Bad Match condition", filename,
			    linenum);
		*activep = value;
		break;

	case sDeprecated:
		logit("%s line %d: Deprecated option %s",
		    filename, linenum, arg);

}

void
parse_server_match_config(ServerOptions *options, const char *user,
    const char *host, const char *address)
{
	ServerOptions mo;

	initialize_server_options(&mo);
	parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
	copy_set_server_options(options, &mo);
}

/* Copy any (supported) values that are set */
void
copy_set_server_options(ServerOptions *dst, ServerOptions *src)
{
	u_int i;

	if (src->use_pam != -1)
		dst->use_pam = src->use_pam;
	if (src->num_accept_env > 0) {
		for (i = 0; i < dst->num_accept_env; i++)
			xfree(dst->accept_env[i]);
		dst->num_accept_env = 0;
		for (i = 0; i < src->num_accept_env; i++) {
			if (dst->num_accept_env >= MAX_ACCEPT_ENV)
				fatal("Too many allow env in Match block.");
			dst->accept_env[dst->num_accept_env++] =
			    src->accept_env[i];
		}
	}
	if (src->allow_tcp_forwarding != -1)
		dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
	if (src->authorized_keys_file != NULL) {
		if (dst->authorized_keys_file != NULL)
			xfree(dst->authorized_keys_file);
		dst->authorized_keys_file = src->authorized_keys_file;
	}
	if (src->authorized_keys_file2 != NULL) {
		if (dst->authorized_keys_file2 != NULL)
			xfree(dst->authorized_keys_file2);
		dst->authorized_keys_file2 = src->authorized_keys_file2;
	}
	if (src->banner != NULL) {
		if (dst->banner != NULL)
			xfree(dst->banner);
		dst->banner = src->banner;
	}
	if (src->password_authentication != -1)
		dst->password_authentication = src->password_authentication;
	if (src->challenge_response_authentication != -1)
		dst->challenge_response_authentication =
		    src->challenge_response_authentication;
	if (src->client_alive_count_max != -1)
		dst->client_alive_count_max = src->client_alive_count_max;
	if (src->client_alive_interval != -1)
		dst->client_alive_interval = src->client_alive_interval;
	if (src->gateway_ports != -1)
		dst->gateway_ports = src->gateway_ports;
	if (src->gss_authentication != -1)
		dst->gss_authentication = src->gss_authentication;
	if (src->hostbased_authentication != -1)
		dst->hostbased_authentication = src->hostbased_authentication;
	if (src->hostbased_uses_name_from_packet_only != -1)
		dst->hostbased_uses_name_from_packet_only =
		    src->hostbased_uses_name_from_packet_only;
	if (src->kerberos_authentication != -1)
		dst->kerberos_authentication = src->kerberos_authentication;
	if (src->kerberos_or_local_passwd != -1)
		dst->kerberos_or_local_passwd = src->kerberos_or_local_passwd;
	if (src->kerberos_ticket_cleanup != -1)
		dst->kerberos_ticket_cleanup = src->kerberos_ticket_cleanup;
	if (src->kerberos_get_afs_token != -1)
		dst->kerberos_get_afs_token = src->kerberos_get_afs_token;
	if (src->login_grace_time != -1)
		dst->login_grace_time = src->login_grace_time;
	if (src->log_facility != -1)
		dst->log_facility = src->log_facility;
	if (src->log_level != -1)
		dst->log_level = src->log_level;
	if (src->permit_root_login != -1)
		dst->permit_root_login = src->permit_root_login;
	if (src->max_authtries != -1)
		dst->max_authtries = src->max_authtries;
	if (src->permit_empty_passwd != -1)
		dst->permit_empty_passwd = src->permit_empty_passwd;
	if (src->permit_tun != -1)
		dst->permit_tun = src->permit_tun;
	if (src->permit_user_env != -1)
		dst->permit_user_env = src->permit_user_env;
	if (src->print_motd != -1)
		dst->print_motd = src->print_motd;
	if (src->pubkey_authentication != -1)
		dst->pubkey_authentication = src->pubkey_authentication;
	if (src->rsa_authentication != -1)
		dst->rsa_authentication = src->rsa_authentication;
	if (src->strict_modes != -1)
		dst->strict_modes = src->strict_modes;
	if (src->num_subsystems != 0) {  /* Not currently used */
		for (i = 0; i < dst->num_subsystems; i++) {
			xfree(dst->subsystem_name[i]);
			xfree(dst->subsystem_command[i]);
		}
		dst->num_subsystems = 0;
		for (i = 0; i < src->num_subsystems; i++) {
			dst->subsystem_name[dst->num_subsystems] =
			    src->subsystem_name[i];
			dst->subsystem_command[dst->num_subsystems] =
			    src->subsystem_command[i];
			dst->num_subsystems++;
		}
	}
	if (src->use_login != -1)
		dst->use_login = src->use_login;
	if (src->xauth_location != NULL) {
		if (dst->xauth_location != NULL)
			xfree(dst->xauth_location);
		dst->xauth_location = src->xauth_location;
	}
	if (src->x11_display_offset != -1)
		dst->x11_display_offset = src->x11_display_offset;
	if (src->x11_forwarding != -1)
		dst->x11_forwarding = src->x11_forwarding;
	if (src->x11_use_localhost != -1)
		dst->x11_use_localhost = src->x11_use_localhost;
}

void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
    const char *user, const char *host, const char *address)
{
	int active, linenum, bad_options = 0;
	char *cp, *obuf, *cbuf;

	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));

	obuf = cbuf = xstrdup(buffer_ptr(conf));
	active = user ? 0 : 1;
	linenum = 1;
	while ((cp = strsep(&cbuf, "\n")) != NULL) {
		if (process_server_config_line(options, cp, filename,
		    linenum++, &active, user, host, address) != 0)
			bad_options++;
	}
	xfree(obuf);

Lines 27-32 Link Here

(-)servconf.h (-2 / +8 lines)
27	#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */	27	#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
28	#define MAX_HOSTKEYS 256 /* Max # hostkeys. */	28	#define MAX_HOSTKEYS 256 /* Max # hostkeys. */
29	#define MAX_ACCEPT_ENV 256 /* Max # of env vars. */	29	#define MAX_ACCEPT_ENV 256 /* Max # of env vars. */
		30	#define MAX_MATCH_GROUPS 256 /* Max # of groups for Match Group */
30		31
31	/* permit_root_login */	32	/* permit_root_login */
32	#define PERMIT_NOT_SET -1	33	#define PERMIT_NOT_SET -1
Lines 141-148 typedef struct { Link Here
141		142
142	void initialize_server_options(ServerOptions *);	143	void initialize_server_options(ServerOptions *);
143	void fill_default_server_options(ServerOptions *);	144	void fill_default_server_options(ServerOptions *);
144	int process_server_config_line(ServerOptions , char , const char *, int);	145	int process_server_config_line(ServerOptions , char , const char *, int,
		146	int , const char , const char , const char );
145	void load_server_config(const char , Buffer );	147	void load_server_config(const char , Buffer );
146	void parse_server_config(ServerOptions , const char , Buffer *);	148	void parse_server_config(ServerOptions , const char , Buffer *,
		149	const char , const char , const char *);
		150	void parse_server_match_config(ServerOptions , const char , const char *,
		151	const char *);
		152	void copy_set_server_options(ServerOptions , ServerOptions );
147		153
148	#endif /* SERVCONF_H */	154	#endif /* SERVCONF_H */

Lines 213-224 int *startup_pipes = NULL; Link Here

(-)sshd.c (-8 / +7 lines)
213	int startup_pipe; /* in child */	213	int startup_pipe; /* in child */
214		214
215	/* variables used for privilege separation */	215	/* variables used for privilege separation */
216	int use_privsep;	216	int use_privsep = -1; /* Needs to be accessable in many places */
217	struct monitor *pmonitor = NULL;	217	struct monitor *pmonitor = NULL;
218		218
219	/* global authentication context */	219	/* global authentication context */
220	Authctxt *the_authctxt = NULL;	220	Authctxt *the_authctxt = NULL;
221		221
		222	/* sshd_config buffer */
		223	Buffer cfg;
		224
222	/* message to be displayed after login */	225	/* message to be displayed after login */
223	Buffer loginmsg;	226	Buffer loginmsg;
224		227
Lines 910-916 main(int ac, char **av) Link Here
910	Key *key;	913	Key *key;
911	Authctxt *authctxt;	914	Authctxt *authctxt;
912	int ret, key_used = 0;	915	int ret, key_used = 0;
913	Buffer cfg;
914		916
915	#ifdef HAVE_SECUREWARE	917	#ifdef HAVE_SECUREWARE
916	(void)set_auth_parameters(ac, av);	918	(void)set_auth_parameters(ac, av);
Lines 1030-1036 main(int ac, char **av) Link Here
1030	case 'o':	1032	case 'o':
1031	line = xstrdup(optarg);	1033	line = xstrdup(optarg);
1032	if (process_server_config_line(&options, line,	1034	if (process_server_config_line(&options, line,
1033	"command-line", 0) != 0)	1035	"command-line", 0, NULL, NULL, NULL, NULL) != 0)
1034	exit(1);	1036	exit(1);
1035	xfree(line);	1037	xfree(line);
1036	break;	1038	break;
Lines 1088-1098 main(int ac, char **av) Link Here
1088	else	1090	else
1089	load_server_config(config_file_name, &cfg);	1091	load_server_config(config_file_name, &cfg);
1090		1092
1091	parse_server_config(&options,	1093	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
1092	rexeced_flag ? "rexec" : config_file_name, &cfg);	1094	&cfg, NULL, NULL, NULL);
1093
1094	if (!rexec_flag)
1095	buffer_free(&cfg);
1096		1095
1097	seed_rng();	1096	seed_rng();
1098		1097




Multiple algorithms must be comma-separated.
The default is:
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
.It Cm Match
Introduces a conditional block.  Keywords on lines following a
.Cm Match
block are only applied if the criteria on the
.Cm Match
are satisfied.
The the arguments to
.Cm Match
block are one or more criteria-pattern pairs.
The available criteria are
.Cm User ,
.Cm Group ,
.Cm Host ,
and
.Cm Address .
Only a subset of keywords may be used on the lines following a
.Cm Match
keyword.
Available keywords are
.Cm AcceptEnv ,
.Cm AllowTcpForwarding ,
.Cm AuthorizedKeysFile ,
.Cm AuthorizedKeysFile2 ,
.Cm Banner ,
.Cm ChallengeResponseAuthentication ,
.Cm ChallengeResponseAuthentication ,
.Cm ClientAliveCountMax ,
.Cm ClientAliveInterval ,
.Cm GatewayPorts ,
.Cm GssAuthentication ,
.Cm GssCleanupCreds ,
.Cm HostbasedAuthentication ,
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm IgnoreRhosts ,
.Cm IgnoreUserKnownHosts ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
.Cm KerberosGetAFSToken ,
.Cm KerberosOrLocalPasswd ,
.Cm KerberosTicketCleanup ,
.Cm LogFacility ,
.Cm LogLevel ,
.Cm LoginGraceTime ,
.Cm MaxAuthTries ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswd ,
.Cm PermitRootLogin ,
.Cm PermitTunnel ,
.Cm PermitUserEnvironment ,
.Cm PrintLastLog ,
.Cm PrintMotd ,
.Cm PubkeyAuthentication ,
.Cm PubkeyAuthentication ,
.Cm RSAAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm StrictModes ,
.Cm Subsystem ,
.Cm UseLogin ,
.Cm UsePAM ,
.Cm X11DisplayOffset ,
.Cm X11Forwarding ,
.Cm X11UseLocalhost ,
and
.Cm XAuthLocation .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.

This file should be writable by root only, but it is recommended
(though not necessary) that it be world-readable.
.El
.Sh EXAMPLES
To allow
.Cm PasswordAuthentication
only from the local private network:
.Bd -literal -offset indent
PasswordAuthentication no
Match Address 192.168.0.*
	PasswordAuthentication yes
.Ed
.Bl -tag -width Ds
.Bl -tag -width Ds
.Sh SEE ALSO
.Xr sshd 8
.Sh AUTHORS

Return to bug 1180

Added Link Here

(-)cfgmatch.c (+140 lines)
1	/*
2	* Copyright (c) 2006 Darren Tucker. All rights reserved.
3	*
4	* Redistribution and use in source and binary forms, with or without
5	* modification, are permitted provided that the following conditions
6	* are met:
7	* 1. Redistributions of source code must retain the above copyright
8	* notice, this list of conditions and the following disclaimer.
9	* 2. Redistributions in binary form must reproduce the above copyright
10	* notice, this list of conditions and the following disclaimer in the
11	* documentation and/or other materials provided with the distribution.
12	*
13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23	*/
24
25	#include "includes.h"
26
27	#include "match.h"
28	#include "log.h"
29	#include "misc.h"
30	#include "canohost.h"
31	#include "servconf.h"
32	#include "groupaccess.h"
33	#include "xmalloc.h"
34
35	static int
36	match_cfg_line_group(const char grps, int line, const char user)
37	{
38	int result = 0;
39	u_int ngrps = 0;
40	char arg, p, cp, grplist[MAX_MATCH_GROUPS];
41	struct passwd *pw;
42
43	arg = cp = xstrdup(grps);
44	while ((p = strsep(&cp, ",")) != NULL && *p != '\0') {
45	if (ngrps >= MAX_MATCH_GROUPS) {
46	error("line %d: too many groups in Match Group", line);
47	result = -1;
48	goto out;
49	}
50	grplist[ngrps++] = p;
51	}
52
53	if (user == NULL)
54	goto out;
55
56	if ((pw = getpwnam(user)) == NULL) {
57	debug("Can't match group at line %d because "
58	"user %.100s does not exist", line, user);
59	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
60	debug("Can't Match group because user %.100s "
61	"not in any group at line %d", user, line);
62	} else if (ga_match(grplist, ngrps) != 1) {
63	debug("user %.100s does not match group "
64	"%.100s at line %d", user, arg, line);
65	} else {
66	debug("user %.100s matched group %.100s at "
67	"line %d", user, arg, line);
68	result = 1;
69	}
70	out:
71	xfree(arg);
72	return result;
73	}
74
75
76	int
77	match_cfg_line(char *condition, int line, const char user, const char *host,
78	const char *address)
79	{
80	int r, result = 1;
81	char arg, attrib, cp = condition;
82	size_t len;
83
84	if (user == NULL)
85	debug3("checking syntax for 'Match %s'", cp);
86	else
87	debug3("checking match for '%s'", cp);
88
89	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
90	if ((arg = strdelim(&cp)) == NULL \|\| *arg == '\0') {
91	error("Missing Match criteria for %s", attrib);
92	return -1;
93	}
94	len = strlen(arg);
95	if (strcasecmp(attrib, "user") == 0) {
96	if (!user) {
97	result = 0;
98	continue;
99	}
100	if (match_pattern_list(user, arg, len, 0) != 1)
101	/* XXX what about negative match? */
102	result = 0;
103	else
104	debug("user %.100s matched 'User %.100s' at "
105	"line %d", user, arg, line);
106	} else if (strcasecmp(attrib, "group") == 0) {
107	if ((r = match_cfg_line_group(arg, line, user)) < 0)
108	return -1;
109	if (r == 0)
110	result = 0;
111	} else if (strcasecmp(attrib, "host") == 0) {
112	if (!host) {
113	result = 0;
114	continue;
115	}
116	if (match_hostname(host, arg, len) != 1)
117	result = 0;
118	else
119	debug("connection from %.100s matched 'Host "
120	"%.100s' at line %d", host, arg, line);
121	} else if (strcasecmp(attrib, "address") == 0) {
122	if (!address) {
123	result = 0;
124	continue;
125	}
126	if (match_hostname(address, arg, len) != 1)
127	result = 0;
128	else
129	debug("connection from %.100s matched 'Address "
130	"%.100s' at line %d", address, arg, line);
131	} else {
132	error("Unsupported Match attribute %s", attrib);
133	return -1;
134	}
135	}
136	if (user != NULL)
137	debug3("match %sfound", result ? "" : "not ");
138	*condition = cp;
139	return result;
140	}

Lines 463-468 for data integrity protection. Link Here

(-)sshd_config.5 (+75 lines)
463	Multiple algorithms must be comma-separated.	463	Multiple algorithms must be comma-separated.
464	The default is:	464	The default is:
465	.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .	465	.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
		466	.It Cm Match
		467	Introduces a conditional block. Keywords on lines following a
		468	.Cm Match
		469	block are only applied if the criteria on the
		470	.Cm Match
		471	are satisfied.
		472	The the arguments to
		473	.Cm Match
		474	block are one or more criteria-pattern pairs.
		475	The available criteria are
		476	.Cm User ,
		477	.Cm Group ,
		478	.Cm Host ,
		479	and
		480	.Cm Address .
		481	Only a subset of keywords may be used on the lines following a
		482	.Cm Match
		483	keyword.
		484	Available keywords are
		485	.Cm AcceptEnv ,
		486	.Cm AllowTcpForwarding ,
		487	.Cm AuthorizedKeysFile ,
		488	.Cm AuthorizedKeysFile2 ,
		489	.Cm Banner ,
		490	.Cm ChallengeResponseAuthentication ,
		491	.Cm ChallengeResponseAuthentication ,
		492	.Cm ClientAliveCountMax ,
		493	.Cm ClientAliveInterval ,
		494	.Cm GatewayPorts ,
		495	.Cm GssAuthentication ,
		496	.Cm GssCleanupCreds ,
		497	.Cm HostbasedAuthentication ,
		498	.Cm HostbasedUsesNameFromPacketOnly ,
		499	.Cm IgnoreRhosts ,
		500	.Cm IgnoreUserKnownHosts ,
		501	.Cm KbdInteractiveAuthentication ,
		502	.Cm KerberosAuthentication ,
		503	.Cm KerberosGetAFSToken ,
		504	.Cm KerberosOrLocalPasswd ,
		505	.Cm KerberosTicketCleanup ,
		506	.Cm LogFacility ,
		507	.Cm LogLevel ,
		508	.Cm LoginGraceTime ,
		509	.Cm MaxAuthTries ,
		510	.Cm PasswordAuthentication ,
		511	.Cm PermitEmptyPasswd ,
		512	.Cm PermitRootLogin ,
		513	.Cm PermitTunnel ,
		514	.Cm PermitUserEnvironment ,
		515	.Cm PrintLastLog ,
		516	.Cm PrintMotd ,
		517	.Cm PubkeyAuthentication ,
		518	.Cm PubkeyAuthentication ,
		519	.Cm RSAAuthentication ,
		520	.Cm RhostsRSAAuthentication ,
		521	.Cm StrictModes ,
		522	.Cm Subsystem ,
		523	.Cm UseLogin ,
		524	.Cm UsePAM ,
		525	.Cm X11DisplayOffset ,
		526	.Cm X11Forwarding ,
		527	.Cm X11UseLocalhost ,
		528	and
		529	.Cm XAuthLocation .
466	.It Cm MaxAuthTries	530	.It Cm MaxAuthTries
467	Specifies the maximum number of authentication attempts permitted per	531	Specifies the maximum number of authentication attempts permitted per
468	connection.	532	connection.
Lines 855-860 Contains configuration data for Link Here
855	This file should be writable by root only, but it is recommended	919	This file should be writable by root only, but it is recommended
856	(though not necessary) that it be world-readable.	920	(though not necessary) that it be world-readable.
857	.El	921	.El
		922	.Sh EXAMPLES
		923	To allow
		924	.Cm PasswordAuthentication
		925	only from the local private network:
		926	.Bd -literal -offset indent
		927	PasswordAuthentication no
		928	Match Address 192.168.0.*
		929	PasswordAuthentication yes
		930	.Ed
		931	.Bl -tag -width Ds
		932	.Bl -tag -width Ds
858	.Sh SEE ALSO	933	.Sh SEE ALSO
859	.Xr sshd 8	934	.Xr sshd 8
860	.Sh AUTHORS	935	.Sh AUTHORS