Bugzilla – Attachment 1240 Details for
Bug 1180
Add finer-grained controls to sshd_config
Add support for auth types to Match
openssh-4.5p1-match-auths.patch (text/plain), 10.08 KB, created by
Darren Tucker
on 2007-02-19 22:41:25 AEDT
Description:
Add support for auth types to Match
>Index: monitor.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh/monitor.c,v
>retrieving revision 1.121
>diff -u -p -r1.121 monitor.c
>--- monitor.c 7 Nov 2006 12:16:08 -0000 1.121
>+++ monitor.c 19 Feb 2007 11:36:18 -0000
>@@ -1,4 +1,4 @@
>-/* $OpenBSD: monitor.c,v 1.89 2006/11/07 10:31:31 markus Exp $ */
>+/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */
> /*
> * Copyright 2002 Niels Provos <provos@citi.umich.edu>
> * Copyright 2002 Markus Friedl <markus@openbsd.org>
>@@ -642,6 +642,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
> #endif
> buffer_put_cstring(m, pwent->pw_dir);
> buffer_put_cstring(m, pwent->pw_shell);
>+ buffer_put_string(m, &options, sizeof(options));
>+ if (options.banner != NULL)
>+ buffer_put_cstring(m, options.banner);
>
> out:
> debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
>Index: monitor_wrap.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh/monitor_wrap.c,v
>retrieving revision 1.70
>diff -u -p -r1.70 monitor_wrap.c
>--- monitor_wrap.c 1 Sep 2006 05:38:37 -0000 1.70
>+++ monitor_wrap.c 19 Feb 2007 11:36:18 -0000
>@@ -1,4 +1,4 @@
>-/* $OpenBSD: monitor_wrap.c,v 1.54 2006/08/12 20:46:46 miod Exp $ */
>+/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */
> /*
> * Copyright 2002 Niels Provos <provos@citi.umich.edu>
> * Copyright 2002 Markus Friedl <markus@openbsd.org>
>@@ -73,6 +73,7 @@
>
> #include "channels.h"
> #include "session.h"
>+#include "servconf.h"
>
> /* Imports */
> extern int compat20;
>@@ -207,7 +208,8 @@ mm_getpwnamallow(const char *username)
> {
> Buffer m;
> struct passwd *pw;
>- u_int pwlen;
>+ u_int len;
>+ ServerOptions *newopts;
>
> debug3("%s entering", __func__);
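Review bot: The new `buffer_put_string(m, &options, sizeof(options));` in mm_answer_pwnamallow ships the whole ServerOptions struct by value, so every pointer-valued member arrives in the child carrying a monitor-process address; only banner is followed by its actual string. That contract is described only in servconf.c, so a comment at the send side would help the next person who adds a string option: `/* Raw copy of options for the child: only the int members and the banner string that follows are valid on the other side; any further string option copied pre-auth must also be sent explicitly here. */`. The receiver decides whether to read the banner from the raw pointer value it finds in the struct, so the `options.banner != NULL` test here must stay exactly mirrored in mm_getpwnamallow. mm_answer_pwnamallow begins and ends outside this hunk.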
>
>@@ -223,8 +225,8 @@ mm_getpwnamallow(const char *username)
> buffer_free(&m);
> return (NULL);
> }
>- pw = buffer_get_string(&m, &pwlen);
>- if (pwlen != sizeof(struct passwd))
>+ pw = buffer_get_string(&m, &len);
>+ if (len != sizeof(struct passwd))
> fatal("%s: struct passwd size mismatch", __func__);
> pw->pw_name = buffer_get_string(&m, NULL);
> pw->pw_passwd = buffer_get_string(&m, NULL);
>@@ -234,6 +236,16 @@ mm_getpwnamallow(const char *username)
> #endif
> pw->pw_dir = buffer_get_string(&m, NULL);
> pw->pw_shell = buffer_get_string(&m, NULL);
>+
>+ /* copy options block as a Match directive may have changed some */
>+ newopts = buffer_get_string(&m, &len);
>+ if (len != sizeof(*newopts))
>+ fatal("%s: option block size mismatch", __func__);
>+ if (newopts->banner != NULL)
>+ newopts->banner = buffer_get_string(&m, NULL);
>+ copy_set_server_options(&options, newopts, 1);
>+ xfree(newopts);
>+
> buffer_free(&m);
>
> return (pw);
>Index: servconf.c
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh/servconf.c,v
>retrieving revision 1.156
>diff -u -p -r1.156 servconf.c
>--- servconf.c 18 Aug 2006 14:23:15 -0000 1.156
>+++ servconf.c 19 Feb 2007 11:36:18 -0000
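Review bot: In the @@ -234 hunk, `if (newopts->banner != NULL)` tests a pointer that was copied verbatim out of the monitor's address space and is meaningful here only as a presence flag; it is immediately replaced by the string read with `buffer_get_string`, but nothing in the code says that the other `char *` and array members of `newopts` are equally unusable in this process. A comment above the test would make the protocol explicit: `/* newopts is the monitor's struct byte-for-byte: its pointer members are not ours. banner != NULL only signals that a banner string follows on the wire. */`. The `len != sizeof(*newopts)` check with fatal() is the right guard for a layout mismatch and should stay. The closing brace of mm_getpwnamallow lies outside the hunk.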
>@@ -325,14 +325,14 @@ static struct {
> { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
> { "loglevel", sLogLevel, SSHCFG_GLOBAL },
> { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
>- { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL },
>- { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL },
>+ { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
>+ { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
> { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
>- { "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL },
>- { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },
>+ { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
>+ { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
> { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
> #ifdef KRB5
>- { "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL },
>+ { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
> { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
> { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
> #ifdef USE_AFS
>@@ -341,7 +341,7 @@ static struct {
> { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
> #endif
> #else
>- { "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL },
>+ { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
> { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
> { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
> { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
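Review bot: `{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */` is left global-only while the keyword it aliases, `pubkeyauthentication`, becomes SSHCFG_ALL two lines above, so `DSAAuthentication no` inside a Match block will be rejected even though it is parsed as the same option. Either give the alias the same scope, `{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_ALL }, /* alias */`, or extend the comment to say the alias is deliberately not accepted in Match blocks. Leaving `kerberosorlocalpasswd` and `kerberosticketcleanup` global looks intentional since they are not authentication-method switches, but a one-word comment saying so would stop the next reader from asking the same question.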
>@@ -349,15 +349,15 @@ static struct {
> { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
> { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
> #ifdef GSSAPI
>- { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
>+ { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
> { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
> #else
>- { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
>+ { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
> { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
> #endif
>- { "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
>- { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
>- { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
>+ { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
>+ { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
>+ { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_ALL },
> { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
> { "checkmail", sDeprecated, SSHCFG_GLOBAL },
> { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
>@@ -389,7 +389,7 @@ static struct {
> { "subsystem", sSubsystem, SSHCFG_GLOBAL },
> { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
> { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
>- { "banner", sBanner, SSHCFG_GLOBAL },
>+ { "banner", sBanner, SSHCFG_ALL },
> { "usedns", sUseDNS, SSHCFG_GLOBAL },
> { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
> { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
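Review bot: `{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */` stays global-only although `challengeresponseauthentication`, the keyword it aliases, is promoted to SSHCFG_ALL on the line directly above, so the alias is rejected inside a Match block while the canonical spelling is accepted. Give the alias the same flag, `{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_ALL }, /* alias */`, or document the asymmetry in the trailing comment so it does not read as an oversight.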
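Review bot: Making `banner` SSHCFG_ALL means the banner text is selected after the Match blocks have been evaluated against the claimed username (the reprocessing call in servconf.c takes `user`, `host` and `address`) yet is still sent before any authentication, so a per-user or per-group Banner lets an unauthenticated client distinguish existing accounts from non-existent ones. The patch neither mitigates nor documents this; a comment on the table entry, `/* per-Match banners are shown pre-auth: a Match User banner confirms the account exists */`, and a matching caveat in the sshd_config.5 Match section would at least warn administrators. The man-page hunk in this patch only adds the keyword to the list.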
>@@ -1316,30 +1316,56 @@ parse_server_match_config(ServerOptions
>
> initialize_server_options(&mo);
> parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
>- copy_set_server_options(options, &mo);
>+ copy_set_server_options(options, &mo, 0);
> }
>
>-/* Copy any (supported) values that are set */
>+/* Helper macros */
>+#define M_CP_INTOPT(n) do {\
>+ if (src->n != -1) \
>+ dst->n = src->n; \
>+} while (0)
>+#define M_CP_STROPT(n) do {\
>+ if (src->n != NULL) { \
>+ if (dst->n != NULL) \
>+ xfree(dst->n); \
>+ dst->n = src->n; \
>+ } \
>+} while(0)
>+
>+/*
>+ * Copy any supported values that are set.
>+ *
>+ * If the preauth flag is set, we do not bother copying the the string or
>+ * array values that are not used pre-authentication, because any that we
>+ * do use must be explictly sent in mm_getpwnamallow().
>+ */
> void
>-copy_set_server_options(ServerOptions *dst, ServerOptions *src)
>+copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
> {
>- if (src->allow_tcp_forwarding != -1)
>- dst->allow_tcp_forwarding = src->allow_tcp_forwarding;
>- if (src->gateway_ports != -1)
>- dst->gateway_ports = src->gateway_ports;
>- if (src->adm_forced_command != NULL) {
>- if (dst->adm_forced_command != NULL)
>- xfree(dst->adm_forced_command);
>- dst->adm_forced_command = src->adm_forced_command;
>- }
>- if (src->x11_display_offset != -1)
>- dst->x11_display_offset = src->x11_display_offset;
>- if (src->x11_forwarding != -1)
>- dst->x11_forwarding = src->x11_forwarding;
>- if (src->x11_use_localhost != -1)
>- dst->x11_use_localhost = src->x11_use_localhost;
>+ M_CP_INTOPT(password_authentication);
>+ M_CP_INTOPT(gss_authentication);
>+ M_CP_INTOPT(rsa_authentication);
>+ M_CP_INTOPT(pubkey_authentication);
>+ M_CP_INTOPT(kerberos_authentication);
>+ M_CP_INTOPT(hostbased_authentication);
>+ M_CP_INTOPT(kbd_interactive_authentication);
>+ M_CP_INTOPT(challenge_response_authentication);
>+
>+ M_CP_INTOPT(allow_tcp_forwarding);
>+ M_CP_INTOPT(gateway_ports);
>+ M_CP_INTOPT(x11_display_offset);
>+ M_CP_INTOPT(x11_forwarding);
>+ M_CP_INTOPT(x11_use_localhost);
>+
>+ M_CP_STROPT(banner);
>+ if (preauth)
>+ return;
>+ M_CP_STROPT(adm_forced_command);
> }
>
>+#undef M_CP_INTOPT
>+#undef M_CP_STROPT
>+
> void
> parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
> const char *user, const char *host, const char *address)
>Index: servconf.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh/servconf.h,v
>retrieving revision 1.71
>diff -u -p -r1.71 servconf.h
>--- servconf.h 18 Aug 2006 14:23:15 -0000 1.71
>+++ servconf.h 19 Feb 2007 11:36:18 -0000
>@@ -1,4 +1,4 @@
>-/* $OpenBSD: servconf.h,v 1.79 2006/08/14 12:40:25 dtucker Exp $ */
>+/* $OpenBSD: servconf.h,v 1.80 2007/02/19 10:45:58 dtucker Exp $ */
>
> /*
> * Author: Tatu Ylonen <ylo@cs.hut.fi>
>@@ -152,6 +152,6 @@ void parse_server_config(ServerOptions
> const char *, const char *, const char *);
> void parse_server_match_config(ServerOptions *, const char *, const char *,
> const char *);
>-void copy_set_server_options(ServerOptions *, ServerOptions *);
>+void copy_set_server_options(ServerOptions *, ServerOptions *, int);
>
> #endif /* SERVCONF_H */
>Index: sshd_config.5
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh/sshd_config.5,v
>retrieving revision 1.76
>diff -u -p -r1.76 sshd_config.5
>--- sshd_config.5 30 Aug 2006 01:06:34 -0000 1.76
>+++ sshd_config.5 19 Feb 2007 11:36:18 -0000
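Review bot: `M_CP_STROPT` moves ownership of `src->n` into `dst` but leaves `src->n` pointing at the same string, so any later per-member free of the source options would double-free it; mm_getpwnamallow is safe only because it frees the struct shell with `xfree(newopts)` and never its members. Nulling the source after the move makes the transfer explicit and cheap to keep safe: `dst->n = src->n; \` followed by `src->n = NULL; \` inside the macro. The new header comment also has two typos, `the the string` and `explictly`, and would be more useful if it stated the rule it implies directly: every `M_CP_STROPT` placed before the `if (preauth) return;` must have a matching explicit send in mm_answer_pwnamallow, as banner does. copy_set_server_options is complete within this hunk; parse_server_match_config is not.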
>@@ -514,9 +514,17 @@ Only a subset of keywords may be used on
> keyword.
> Available keywords are
> .Cm AllowTcpForwarding ,
>+.Cm Banner ,
>+.Cm ChallengeResponseAuthentication ,
> .Cm ForceCommand ,
> .Cm GatewayPorts ,
>+.Cm GSSApiAuthentication ,
>+.Cm KerberosAuthentication ,
>+.Cm KeyboardInteractiveAuthentication ,
>+.Cm PasswordAuthentication ,
> .Cm PermitOpen ,
>+.Cm RhostsRSAAuthentication ,
>+.Cm RSAAuthentication ,
> .Cm X11DisplayOffset ,
> .Cm X11Forwarding ,
> and