
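--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.89 2006/11/07 10:31:31 markus Exp $ */
+/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -642,6 +642,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
 #endif
 	buffer_put_cstring(m, pwent->pw_dir);
 	buffer_put_cstring(m, pwent->pw_shell);
+	buffer_put_string(m, &options, sizeof(options));
+	if (options.banner != NULL)
+		buffer_put_cstring(m, options.banner);
 
  out:
 	debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);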
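Review bot: The options block is appended only on the fall-through path, immediately above the ` out:` label, so a reply that reaches ` out:` by a jump carries no options; the receiver in monitor_wrap.c mirrors this with its early `return (NULL)` ahead of the `newopts` read. If the unknown- or disallowed-user case takes that jump (the jump is outside the hunk, so this is inferred), the unprivileged child keeps its pre-Match `options` for those users, and a banner or authentication-method list changed by a Match block would then differ between valid and invalid names. Placing the three added lines after ` out:` and reading the block on both receiver paths would keep the two cases indistinguishable. Whatever the placement, a comment such as `/* order must match mm_getpwnamallow(): options block, then banner if set */` would document the wire coupling. mm_answer_pwnamallow begins and ends outside the hunk.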
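--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.54 2006/08/12 20:46:46 miod Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -73,6 +73,7 @@
 
 #include "channels.h"
 #include "session.h"
+#include "servconf.h"
 
 /* Imports */
 extern int compat20;
@@ -207,7 +208,8 @@ mm_getpwnamallow(const char *username)
 {
 	Buffer m;
 	struct passwd *pw;
-	u_int pwlen;
+	u_int len;
+	ServerOptions *newopts;
 
 	debug3("%s entering", __func__);
 
@@ -223,8 +225,8 @@ mm_getpwnamallow(const char *username)
 		buffer_free(&m);
 		return (NULL);
 	}
-	pw = buffer_get_string(&m, &pwlen);
-	if (pwlen != sizeof(struct passwd))
+	pw = buffer_get_string(&m, &len);
+	if (len != sizeof(struct passwd))
 		fatal("%s: struct passwd size mismatch", __func__);
 	pw->pw_name = buffer_get_string(&m, NULL);
 	pw->pw_passwd = buffer_get_string(&m, NULL);
@@ -234,6 +236,16 @@ mm_getpwnamallow(const char *username)
 #endif
 	pw->pw_dir = buffer_get_string(&m, NULL);
 	pw->pw_shell = buffer_get_string(&m, NULL);
+
+	/* copy options block as a Match directive may have changed some */
+	newopts = buffer_get_string(&m, &len);
+	if (len != sizeof(*newopts))
+		fatal("%s: option block size mismatch", __func__);
+	if (newopts->banner != NULL)
+		newopts->banner = buffer_get_string(&m, NULL);
+	copy_set_server_options(&options, newopts, 1);
+	xfree(newopts);
+
 	buffer_free(&m);
 
 	return (pw);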
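Review bot: After `newopts = buffer_get_string(&m, &len)` every pointer member of `*newopts` other than `banner` still holds the address the monitor had for it, and nothing at this call site marks those members as unusable. Only `banner` is re-read from the message, so the call is safe only while `copy_set_server_options(&options, newopts, 1)` copies no other pointer member before its `preauth` return. A comment above the call would make that dependency explicit, for example `/* only banner was re-sent; all other pointer members of newopts belong to the monitor and must not be copied */`. mm_getpwnamallow starts above the first of these hunks and its closing brace is not shown.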
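--- a/servconf.c
+++ b/servconf.c
@@ -325,14 +325,14 @@ static struct {
 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
 	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
-	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL },
-	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL },
+	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
+	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
 	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
-	{ "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL },
-	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },
+	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
+	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },	/* alias */
 #ifdef KRB5
-	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL },
+	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
 	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
 	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
 #ifdef USE_AFS
@@ -341,7 +341,7 @@ static struct {
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
 #else
-	{ "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL },
+	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
 	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
 	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
@@ -349,15 +349,15 @@ static struct {
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
 #ifdef GSSAPI
-	{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
+	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 #else
-	{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
+	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 #endif
-	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
-	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
-	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
+	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL },
 	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
 	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
 	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
@@ -389,7 +389,7 @@ static struct {
 	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
-	{ "banner", sBanner, SSHCFG_GLOBAL },
+	{ "banner", sBanner, SSHCFG_ALL },
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1316,30 +1316,56 @@ parse_server_match_config(ServerOptions
 
 	initialize_server_options(&mo);
 	parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
-	copy_set_server_options(options, &mo);
+	copy_set_server_options(options, &mo, 0);
 }
 
-/* Copy any (supported) values that are set */
+/* Helper macros */
+#define M_CP_INTOPT(n) do {\
+	if (src->n != -1) \
+		dst->n = src->n; \
+} while (0)
+#define M_CP_STROPT(n) do {\
+	if (src->n != NULL) { \
+		if (dst->n != NULL) \
+			xfree(dst->n); \
+		dst->n = src->n; \
+	} \
+} while(0)
+
+/*
+ * Copy any supported values that are set.
+ *
+ * If the preauth flag is set, we do not bother copying the the string or
+ * array values that are not used pre-authentication, because any that we
+ * do use must be explictly sent in mm_getpwnamallow().
+ */
 void
-copy_set_server_options(ServerOptions *dst, ServerOptions *src)
+copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 {
-	if (src->allow_tcp_forwarding != -1)
-		dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
-	if (src->gateway_ports != -1)
-		dst->gateway_ports = src->gateway_ports;
-	if (src->adm_forced_command != NULL) {
-		if (dst->adm_forced_command != NULL)
-			xfree(dst->adm_forced_command);
-		dst->adm_forced_command = src->adm_forced_command;
-	}
-	if (src->x11_display_offset != -1)
-		dst->x11_display_offset = src->x11_display_offset;
-	if (src->x11_forwarding != -1)
-		dst->x11_forwarding = src->x11_forwarding;
-	if (src->x11_use_localhost != -1)
-		dst->x11_use_localhost = src->x11_use_localhost;
+	M_CP_INTOPT(password_authentication);
+	M_CP_INTOPT(gss_authentication);
+	M_CP_INTOPT(rsa_authentication);
+	M_CP_INTOPT(pubkey_authentication);
+	M_CP_INTOPT(kerberos_authentication);
+	M_CP_INTOPT(hostbased_authentication);
+	M_CP_INTOPT(kbd_interactive_authentication);
+	M_CP_INTOPT(challenge_response_authentication);
+
+	M_CP_INTOPT(allow_tcp_forwarding);
+	M_CP_INTOPT(gateway_ports);
+	M_CP_INTOPT(x11_display_offset);
+	M_CP_INTOPT(x11_forwarding);
+	M_CP_INTOPT(x11_use_localhost);
+
+	M_CP_STROPT(banner);
+	if (preauth)
+		return;
+	M_CP_STROPT(adm_forced_command);
 }
 
+#undef M_CP_INTOPT
+#undef M_CP_STROPT
+
 void
 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
     const char *user, const char *host, const char *address)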
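Review bot: `rhostsrsaauthentication` is switched to `SSHCFG_ALL` in the keyword table, but `copy_set_server_options()` in the last hunk has no matching copy, so as far as these hunks show a value set inside a Match block is parsed into the temporary `mo` and then dropped. An administrator who disables the method for a matched set of connections would keep the global setting without any error. Adding `M_CP_INTOPT(rhosts_rsa_authentication);` to the authentication group would close the gap, assuming the member follows the naming of its neighbours. Separately, `hostbasedauthentication` and `pubkeyauthentication` become `SSHCFG_ALL` here but are absent from the keyword list this patch adds to sshd_config.5.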
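--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */
+/* $OpenBSD: servconf.h,v 1.80 2007/02/19 10:45:58 dtucker Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -152,6 +152,6 @@ void parse_server_config(ServerOptions
 	     const char *, const char *, const char *);
 void	 parse_server_match_config(ServerOptions *, const char *, const char *,
 	     const char *);
-void	 copy_set_server_options(ServerOptions *, ServerOptions *);
+void	 copy_set_server_options(ServerOptions *, ServerOptions *, int);
 
 #endif				/* SERVCONF_H */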
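--- a/sshd_config.5
+++ b/sshd_config.5
@@ -514,9 +514,17 @@ Only a subset of keywords may be used on
 keyword.
 Available keywords are
 .Cm AllowTcpForwarding ,
+.Cm Banner ,
+.Cm ChallengeResponseAuthentication ,
 .Cm ForceCommand ,
 .Cm GatewayPorts ,
+.Cm GSSApiAuthentication ,
+.Cm KerberosAuthentication ,
+.Cm KeyboardInteractiveAuthentication ,
+.Cm PasswordAuthentication ,
 .Cm PermitOpen ,
+.Cm RhostsRSAAuthentication ,
+.Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,
 .Cm X11Forwarding ,
 and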
