Attachment #2467 for bug #2267

Lines 65-71 The configuration files contain sections Link Here

(-)ssh_config.5 (-7 / +59 lines)
65	.Dq Host	65	.Dq Host
66	specifications, and that section is only applied for hosts that	66	specifications, and that section is only applied for hosts that
67	match one of the patterns given in the specification.	67	match one of the patterns given in the specification.
68	The matched host name is the one given on the command line.	68	The matched host name is usually the one given on the command line
		69	(see the
		70	.Cm RereadConfig
		71	option for exceptions.)
69	.Pp	72	.Pp
70	Since the first obtained value for each parameter is used, more	73	Since the first obtained value for each parameter is used, more
71	host-specific declarations should be given near the beginning of the	74	host-specific declarations should be given near the beginning of the
Lines 109-118 A single Link Here
109	.Ql *	112	.Ql *
110	as a pattern can be used to provide global	113	as a pattern can be used to provide global
111	defaults for all hosts.	114	defaults for all hosts.
112	The host is the	115	The host is usually the
113	.Ar hostname	116	.Ar hostname
114	argument given on the command line (i.e. the name is not converted to	117	argument given on the command line
115	a canonicalized host name before matching).	118	(see the
		119	.Cm RereadConfig
		120	option for exceptions.)
116	.Pp	121	.Pp
117	A pattern entry may be negated by prefixing it with an exclamation mark	122	A pattern entry may be negated by prefixing it with an exclamation mark
118	.Pq Sq !\& .	123	.Pq Sq !\& .
Lines 134-152 or Link Here
134	keyword) to be used only when the conditions following the	139	keyword) to be used only when the conditions following the
135	.Cm Match	140	.Cm Match
136	keyword are satisfied.	141	keyword are satisfied.
137	Match conditions are specified using one or more keyword/criteria pairs	142	Match conditions are specified using one or more critera
138	or the single token	143	or the single token
139	.Cm all	144	.Cm all
140	which matches all criteria.	145	which always matches.
141	The available keywords are:	146	The available criteria keywords are:
		147	.Cm canonical ,
142	.Cm exec ,	148	.Cm exec ,
143	.Cm host ,	149	.Cm host ,
144	.Cm originalhost ,	150	.Cm originalhost ,
145	.Cm user ,	151	.Cm user ,
146	and	152	and
147	.Cm localuser .	153	.Cm localuser .
		154	The
		155	.Cm all
		156	criteria must appear alone.
		157	Other criteria may be combined arbitrarily.
		158	All criteria but
		159	.Cm all
		160	and
		161	.Cm canonical
		162	require an argument.
		163	Criteria may be negated by prepending an exclamation mark
		164	.Pq Sq !\& .
148	.Pp	165	.Pp
149	The	166	The
		167	.Cm canonical
		168	keywork matches only when the configuration file is being re-parsed
		169	after hostname canonicalization (see the
		170	.Cm CanonicalizeHostname
		171	option.)
		172	This may be useful to specify conditions that work with canonical host
		173	names only.
		174	The
150	.Cm exec	175	.Cm exec
151	keyword executes the specified command under the user's shell.	176	keyword executes the specified command under the user's shell.
152	If the command returns a zero exit status then the condition is considered true.	177	If the command returns a zero exit status then the condition is considered true.
Lines 775-780 The default is the name given on the com Link Here
775	Numeric IP addresses are also permitted (both on the command line and in	800	Numeric IP addresses are also permitted (both on the command line and in
776	.Cm HostName	801	.Cm HostName
777	specifications).	802	specifications).
		803	.Pp
		804	If this option is enabled and results in the target hostname
		805	changing, then the configuration files are processed again using the new
		806	target name to pick up any new configuration in matching
		807	.Cm Host
		808	stanzas.
778	.It Cm IdentitiesOnly	809	.It Cm IdentitiesOnly
779	Specifies that	810	Specifies that
780	.Xr ssh 1	811	.Xr ssh 1
Lines 1204-1209 will only succeed if the server's Link Here
1204	.Cm GatewayPorts	1235	.Cm GatewayPorts
1205	option is enabled (see	1236	option is enabled (see
1206	.Xr sshd_config 5 ) .	1237	.Xr sshd_config 5 ) .
		1238	.It Cm RereadConfig
		1239	Controls whether
		1240	.Xr ssh 1
		1241	re-reads its configuration files a second time.
		1242	Re-reading the configuration files may allow
		1243	.Cm Host
		1244	and
		1245	.Cm Match
		1246	blocks to pick up changes to the target host name caused by
		1247	hostname canonicalisation or
		1248	.Cm HostName
		1249	directives.
		1250	The argument may be one of
		1251	.Dq no
		1252	to indicate that the configuration should never be re-read,
		1253	.Dq yes
		1254	to always re-read the configuration, or
		1255	.Dq if-canon
		1256	to only re-read the configuration if hostname canonicalisation is enabled.
		1257	The default is
		1258	.Dq if-canon .
1207	.It Cm RequestTTY	1259	.It Cm RequestTTY
1208	Specifies whether to request a pseudo-tty for the session.	1260	Specifies whether to request a pseudo-tty for the session.
1209	The argument may be one of:	1261	The argument may be one of:




 * file if the user specifies a config file on the command line.
 */
static void
process_config_files(const char *host_arg, struct passwd *pw, int post_canon)
{
	char buf[MAXPATHLEN];
	int r;

	if (config != NULL) {
		if (strcasecmp(config, "none") != 0 &&
		    !read_config_file(config, pw, host, host_arg, &options,
		    SSHCONF_USERCONF | (post_canon ? SSHCONF_POSTCANON : 0)))
			fatal("Can't open user config file %.100s: "
			    "%.100s", config, strerror(errno));
	} else {
		r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
		    _PATH_SSH_USER_CONFFILE);
		if (r > 0 && (size_t)r < sizeof(buf))
			(void)read_config_file(buf, pw, host, host_arg,
			    &options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
			    (post_canon ? SSHCONF_POSTCANON : 0));

		/* Read systemwide configuration file after user config. */
		(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
		    host, host_arg, &options,
		    post_canon ? SSHCONF_POSTCANON : 0);
	}
}


			break;
		case 'o':
			line = xstrdup(optarg);
			if (process_config_line(&options, pw,
			    host ? host : "", host ? host : "", line,
			    "command-line", 0, NULL, SSHCONF_USERCONF) != 0)
				exit(255);
			free(line);
			break;

		);

	/* Parse the configuration files */
	process_config_files(host_arg, pw, 0);

	/* Hostname canonicalisation needs a few options filled. */
	fill_default_options_for_canonicalization(&options);

			check_follow_cname(&host, cname);
	}

	if (options.reread_config == 1 || (options.reread_config == 2 &&
	    options.canonicalize_hostname != 0)) {
		debug("Re-reading configuration");
		process_config_files(host_arg, pw, 1);
	if (strcasecmp(host_arg, host) != 0) {
		debug("Hostname has changed; re-reading configuration");
		process_config_files(pw);
	}

	/* Fill configuration defaults. */

Lines 144-149 typedef struct { Link Here

(-)readconf.h (-3 / +10 lines)
144	int num_permitted_cnames;	144	int num_permitted_cnames;
145	struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];	145	struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
146		146
		147	int reread_config;
		148
147	char ignored_unknown; / Pattern list of unknown tokens to ignore */	149	char ignored_unknown; / Pattern list of unknown tokens to ignore */
148	} Options;	150	} Options;
149		151
Lines 162-177 typedef struct { Link Here
162	#define REQUEST_TTY_YES 2	164	#define REQUEST_TTY_YES 2
163	#define REQUEST_TTY_FORCE 3	165	#define REQUEST_TTY_FORCE 3
164		166
		167	#define SSH_REREAD_NO 0
		168	#define SSH_REREAD_YES 1
		169	#define SSH_REREAD_CANON 2
		170
165	#define SSHCONF_CHECKPERM 1 /* check permissions on config file */	171	#define SSHCONF_CHECKPERM 1 /* check permissions on config file */
166	#define SSHCONF_USERCONF 2 /* user provided config file not system */	172	#define SSHCONF_USERCONF 2 /* user provided config file not system */
		173	#define SSHCONF_POSTCANON 4 /* After hostname canonicalisation */
167		174
168	void initialize_options(Options *);	175	void initialize_options(Options *);
169	void fill_default_options(Options *);	176	void fill_default_options(Options *);
170	void fill_default_options_for_canonicalization(Options *);	177	void fill_default_options_for_canonicalization(Options *);
171	int process_config_line(Options , struct passwd , const char , char ,	178	int process_config_line(Options , struct passwd , const char *,
172	const char , int, int , int);	179	const char , char , const char , int, int , int);
173	int read_config_file(const char , struct passwd , const char *,	180	int read_config_file(const char , struct passwd , const char *,
174	Options *, int);	181	const char , Options , int);
175	int parse_forward(struct Forward , const char , int, int);	182	int parse_forward(struct Forward , const char , int, int);
176	int default_ssh_port(void);	183	int default_ssh_port(void);
177	int option_clear_or_none(const char *);	184	int option_clear_or_none(const char *);




	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
	oStreamLocalBindMask, oStreamLocalBindUnlink, oRereadConfig,
	oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;


	{ "streamlocalbindmask", oStreamLocalBindMask },
	{ "streamlocalbindunlink", oStreamLocalBindUnlink },
	{ "ignoreunknown", oIgnoreUnknown },
	{ "rereadconfig", oRereadConfig },

	{ NULL, oBadOption }
};

 */
static int
match_cfg_line(Options *options, char **condition, struct passwd *pw,
    const char *host_arg, const char *original_host, int post_canon,
    const char *filename, int linenum)
{
	char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
	const char *ruser;
	int r, port, this_result, result = 1, attributes = 0, negate;
	size_t len;
	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];


	} else
		host = xstrdup(host_arg);

	debug2("checking match for '%s' host %s originally %s",
	    cp, host, original_host);
	while ((oattrib = attrib = strdelim(&cp)) && *attrib != '\0') {
		criteria = NULL;
		this_result = 1;
		attributes++;
		negate = attrib[0] == '!';
		if (negate)
			attrib++;
		/* criteria "all" and "canonical" have no argument */
		if (strcasecmp(attrib, "all") == 0) {
			if (attributes != 1 ||
			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
				error("%.200s line %d: '%s' cannot be combined "
				    "with other Match attributes",
				    filename, linenum, oattrib);
				result = -1;
				goto out;
			}
			*condition = cp;
			result = negate ? 0 : 1;
			goto out;
		} else if (strcasecmp(attrib, "canonical") == 0) {
			r = !!post_canon;  /* force bitmask member to boolean */
			if (r == (negate ? 1 : 0))
				this_result = result = 0;
			debug3("%.200s line %d: %smatched '%s'",
			    filename, linenum,
			    this_result ? "" : "not ", oattrib);
			continue;
		}
		/* All other criteria require an argument */
		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
			error("Missing Match criteria for %s", attrib);
			result = -1;

		}
		len = strlen(arg);
		if (strcasecmp(attrib, "host") == 0) {
			criteria = xstrdup(host);
			r = match_hostname(host, arg, len) == 1;
			if (r == (negate ? 1 : 0))
				this_result = result = 0;
				    filename, linenum, host);
		} else if (strcasecmp(attrib, "originalhost") == 0) {
			criteria = xstrdup(original_host);
			r = match_hostname(original_host, arg, len) == 1;
			if (r == (negate ? 1 : 0))
				this_result = result = 0;
				    "'OriginalHost %.100s' ",
				    filename, linenum, host_arg);
		} else if (strcasecmp(attrib, "user") == 0) {
			criteria = xstrdup(ruser);
			r = match_pattern_list(ruser, arg, len, 0) == 1;
			if (r == (negate ? 1 : 0))
				this_result = result = 0;
				    filename, linenum, ruser);
		} else if (strcasecmp(attrib, "localuser") == 0) {
			criteria = xstrdup(pw->pw_name);
			r = match_pattern_list(pw->pw_name, arg, len, 0) == 1;
			if (r == (negate ? 1 : 0))
				this_result = result = 0;
				    "'LocalUser %.100s' ",
				    filename, linenum, pw->pw_name);
		} else if (strcasecmp(attrib, "exec") == 0) {
			if (gethostname(thishost, sizeof(thishost)) == -1)
				fatal("gethostname: %s", strerror(errno));

			    "d", pw->pw_dir,
			    "h", host,
			    "l", thishost,
			    "n", original_host,
			    "p", portstr,
			    "r", ruser,
			    "u", pw->pw_name,
			    (char *)NULL);
			if (result != 1) {
				/* skip execution if prior predicate failed */
				debug3("%.200s line %d: skipped exec "
				    "\"%.100s\"", filename, linenum, cmd);
				free(cmd);
				continue;
				if (r == -1) {
					fatal("%.200s line %d: match exec "
					    "'%.100s' error", filename,
					    linenum, cmd);
				} else if (r == 0) {
					debug("%.200s line %d: matched "
					    "'exec \"%.100s\"'", filename,
					    linenum, cmd);
				} else {
					debug("%.200s line %d: no match "
					    "'exec \"%.100s\"'", filename,
					    linenum, cmd);
					result = 0;
				}
			}
			r = execute_in_shell(cmd);
			if (r == -1) {
				fatal("%.200s line %d: match exec "
				    "'%.100s' error", filename,
				    linenum, cmd);
			}
			criteria = xstrdup(cmd);
			free(cmd);
			/* Force exit status to boolean */
			r = r == 0;
			if (r == (negate ? 1 : 0))
				this_result = result = 0;
		} else {
			error("Unsupported Match attribute %s", attrib);
			result = -1;
			goto out;
		}
		debug3("%.200s line %d: %smatched '%s \"%.100s\"' ",
		    filename, linenum, this_result ? "": "not ",
		    oattrib, criteria);
		free(criteria);
	}
	if (attributes == 0) {
		error("One or more attributes required for Match");
		result = -1;
		goto out;
	}
	debug2("match %sfound", result ? "" : "not ");
	*condition = cp;
 out:
	free(host);

	{ "always",			SSH_CANONICALISE_ALWAYS },
	{ NULL, -1 }
};
static const struct multistate multistate_reread_config[] = {
	{ "true",			SSH_REREAD_YES },
	{ "false",			SSH_REREAD_NO },
	{ "yes",			SSH_REREAD_YES },
	{ "no",				SSH_REREAD_NO },
	{ "if-canon",			SSH_REREAD_CANON },
	{ NULL, -1 }
};

/*
 * Processes a single option line as used in the configuration files. This

#define WHITESPACE " \t\r\n"
int
process_config_line(Options *options, struct passwd *pw, const char *host,
    const char *original_host, char *line, const char *filename,
    int linenum, int *activep, int flags)
{
	char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
	char **cpptr, fwdarg[256];

			if (*intptr >= SSH_MAX_IDENTITY_FILES)
				fatal("%.200s line %d: Too many identity files specified (max %d).",
				    filename, linenum, SSH_MAX_IDENTITY_FILES);
			add_identity_file(options, NULL,
			    arg, flags & SSHCONF_USERCONF);
		}
		break;


		if (cmdline)
			fatal("Host directive not supported as a command-line "
			    "option");
		value = match_cfg_line(options, &s, pw, host, original_host,
		    flags & SSHCONF_POSTCANON, filename, linenum);
		if (value < 0)
			fatal("%.200s line %d: Bad Match condition", filename,
			    linenum);

		intptr = &options->fwd_opts.streamlocal_bind_unlink;
		goto parse_flag;

	case oRereadConfig:
		intptr = &options->reread_config;
		multistate_ptr = multistate_reread_config;
		goto parse_multistate;

	case oDeprecated:
		debug("%s line %d: Deprecated option \"%s\"",
		    filename, linenum, keyword);

		return 0;

	default:
		fatal("%s: Unimplemented opcode %d", __func__, opcode);
	}

	/* Check that there is no garbage at end of line. */


int
read_config_file(const char *filename, struct passwd *pw, const char *host,
    const char *original_host, Options *options, int flags)
{
	FILE *f;
	char line[1024];

	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		if (process_config_line(options, pw, host, original_host,
		    line, filename, linenum, &active, flags) != 0)
			bad_options++;
	}
	fclose(f);

	options->canonicalize_max_dots = -1;
	options->canonicalize_fallback_local = -1;
	options->canonicalize_hostname = -1;
	options->reread_config = -1;
}

/*

		options->canonicalize_fallback_local = 1;
	if (options->canonicalize_hostname == -1)
		options->canonicalize_hostname = SSH_CANONICALISE_NO;
	if (options->reread_config == -1)
		options->reread_config = SSH_REREAD_CANON;
#define CLEAR_ON_NONE(v) \
	do { \
		if (option_clear_or_none(v)) { \

Lines 187-193 main(int argc, char **argv) Link Here

(-)ssh-keysign.c (-1 / +1 lines)
187		187
188	/* verify that ssh-keysign is enabled by the admin */	188	/* verify that ssh-keysign is enabled by the admin */
189	initialize_options(&options);	189	initialize_options(&options);
190	(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", &options, 0);	190	(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", &options, 0);
191	fill_default_options(&options);	191	fill_default_options(&options);
192	if (options.enable_ssh_keysign != 1)	192	if (options.enable_ssh_keysign != 1)
193	fatal("ssh-keysign not enabled in %s",	193	fatal("ssh-keysign not enabled in %s",

Return to bug 2267

Lines 384-410 resolve_canonicalize(char **hostp, int p Link Here

(-)ssh.c (-18 / +17 lines)
384	* file if the user specifies a config file on the command line.	384	* file if the user specifies a config file on the command line.
385	*/	385	*/
386	static void	386	static void
387	process_config_files(struct passwd *pw)	387	process_config_files(const char host_arg, struct passwd pw, int post_canon)
388	{	388	{
389	char buf[MAXPATHLEN];	389	char buf[MAXPATHLEN];
390	int r;	390	int r;
391		391
392	if (config != NULL) {	392	if (config != NULL) {
393	if (strcasecmp(config, "none") != 0 &&	393	if (strcasecmp(config, "none") != 0 &&
394	!read_config_file(config, pw, host, &options,	394	!read_config_file(config, pw, host, host_arg, &options,
395	SSHCONF_USERCONF))	395	SSHCONF_USERCONF \| (post_canon ? SSHCONF_POSTCANON : 0)))
396	fatal("Can't open user config file %.100s: "	396	fatal("Can't open user config file %.100s: "
397	"%.100s", config, strerror(errno));	397	"%.100s", config, strerror(errno));
398	} else {	398	} else {
399	r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,	399	r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
400	_PATH_SSH_USER_CONFFILE);	400	_PATH_SSH_USER_CONFFILE);
401	if (r > 0 && (size_t)r < sizeof(buf))	401	if (r > 0 && (size_t)r < sizeof(buf))
402	(void)read_config_file(buf, pw, host, &options,	402	(void)read_config_file(buf, pw, host, host_arg,
403	SSHCONF_CHECKPERM\|SSHCONF_USERCONF);	403	&options, SSHCONF_CHECKPERM \| SSHCONF_USERCONF \|
		404	(post_canon ? SSHCONF_POSTCANON : 0));
404		405
405	/* Read systemwide configuration file after user config. */	406	/* Read systemwide configuration file after user config. */
406	(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, host,	407	(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
407	&options, 0);	408	host, host_arg, &options,
		409	post_canon ? SSHCONF_POSTCANON : 0);
408	}	410	}
409	}	411	}
410		412
Lines 788-796 main(int ac, char **av) Link Here
788	break;	790	break;
789	case 'o':	791	case 'o':
790	line = xstrdup(optarg);	792	line = xstrdup(optarg);
791	if (process_config_line(&options, pw, host ? host : "",	793	if (process_config_line(&options, pw,
792	line, "command-line", 0, NULL, SSHCONF_USERCONF)	794	host ? host : "", host ? host : "", line,
793	!= 0)	795	"command-line", 0, NULL, SSHCONF_USERCONF) != 0)
794	exit(255);	796	exit(255);
795	free(line);	797	free(line);
796	break;	798	break;
Lines 899-905 main(int ac, char **av) Link Here
899	);	901	);
900		902
901	/* Parse the configuration files */	903	/* Parse the configuration files */
902	process_config_files(pw);	904	process_config_files(host_arg, pw, 0);
903		905
904	/* Hostname canonicalisation needs a few options filled. */	906	/* Hostname canonicalisation needs a few options filled. */
905	fill_default_options_for_canonicalization(&options);	907	fill_default_options_for_canonicalization(&options);
Lines 944-956 main(int ac, char **av) Link Here
944	check_follow_cname(&host, cname);	946	check_follow_cname(&host, cname);
945	}	947	}
946		948
947	/*	949	if (options.reread_config == 1 \|\| (options.reread_config == 2 &&
948	* If the target hostname has changed as a result of canonicalisation	950	options.canonicalize_hostname != 0)) {
949	* then re-parse the configuration files as new stanzas may match.	951	debug("Re-reading configuration");
950	*/	952	process_config_files(host_arg, pw, 1);
951	if (strcasecmp(host_arg, host) != 0) {
952	debug("Hostname has changed; re-reading configuration");
953	process_config_files(pw);
954	}	953	}
955		954
956	/* Fill configuration defaults. */	955	/* Fill configuration defaults. */

Lines 150-156 typedef enum { Link Here

(-)readconf.c (-59 / +91 lines)
150	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,	150	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
151	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,	151	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
152	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,	152	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
153	oStreamLocalBindMask, oStreamLocalBindUnlink,	153	oStreamLocalBindMask, oStreamLocalBindUnlink, oRereadConfig,
154	oIgnoredUnknownOption, oDeprecated, oUnsupported	154	oIgnoredUnknownOption, oDeprecated, oUnsupported
155	} OpCodes;	155	} OpCodes;
156		156
Lines 266-271 static struct { Link Here
266	{ "streamlocalbindmask", oStreamLocalBindMask },	266	{ "streamlocalbindmask", oStreamLocalBindMask },
267	{ "streamlocalbindunlink", oStreamLocalBindUnlink },	267	{ "streamlocalbindunlink", oStreamLocalBindUnlink },
268	{ "ignoreunknown", oIgnoreUnknown },	268	{ "ignoreunknown", oIgnoreUnknown },
		269	{ "rereadconfig", oRereadConfig },
269		270
270	{ NULL, oBadOption }	271	{ NULL, oBadOption }
271	};	272	};
Lines 476-486 execute_in_shell(const char *cmd) Link Here
476	*/	477	*/
477	static int	478	static int
478	match_cfg_line(Options options, char condition, struct passwd pw,	479	match_cfg_line(Options options, char condition, struct passwd pw,
479	const char host_arg, const char filename, int linenum)	480	const char host_arg, const char original_host, int post_canon,
		481	const char *filename, int linenum)
480	{	482	{
481	char arg, attrib, cmd, cp = condition, host;	483	char arg, oattrib, attrib, cmd, cp = condition, host, criteria;
482	const char *ruser;	484	const char *ruser;
483	int r, port, result = 1, attributes = 0;	485	int r, port, this_result, result = 1, attributes = 0, negate;
484	size_t len;	486	size_t len;
485	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];	487	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
486		488
Lines 497-517 match_cfg_line(Options options, char * Link Here
497	} else	499	} else
498	host = xstrdup(host_arg);	500	host = xstrdup(host_arg);
499		501
500	debug3("checking match for '%s' host %s", cp, host);	502	debug2("checking match for '%s' host %s originally %s",
501	while ((attrib = strdelim(&cp)) && *attrib != '\0') {	503	cp, host, original_host);
		504	while ((oattrib = attrib = strdelim(&cp)) && *attrib != '\0') {
		505	criteria = NULL;
		506	this_result = 1;
502	attributes++;	507	attributes++;
		508	negate = attrib[0] == '!';
		509	if (negate)
		510	attrib++;
		511	/* criteria "all" and "canonical" have no argument */
503	if (strcasecmp(attrib, "all") == 0) {	512	if (strcasecmp(attrib, "all") == 0) {
504	if (attributes != 1 \|\|	513	if (attributes != 1 \|\|
505	((arg = strdelim(&cp)) != NULL && *arg != '\0')) {	514	((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
506	error("'all' cannot be combined with other "	515	error("%.200s line %d: '%s' cannot be combined "
507	"Match attributes");	516	"with other Match attributes",
		517	filename, linenum, oattrib);
508	result = -1;	518	result = -1;
509	goto out;	519	goto out;
510	}	520	}
511	*condition = cp;	521	*condition = cp;
512	result = 1;	522	result = negate ? 0 : 1;
513	goto out;	523	goto out;
		524	} else if (strcasecmp(attrib, "canonical") == 0) {
		525	r = !!post_canon; /* force bitmask member to boolean */
		526	if (r == (negate ? 1 : 0))
		527	this_result = result = 0;
		528	debug3("%.200s line %d: %smatched '%s'",
		529	filename, linenum,
		530	this_result ? "" : "not ", oattrib);
		531	continue;
514	}	532	}
		533	/* All other criteria require an argument */
515	if ((arg = strdelim(&cp)) == NULL \|\| *arg == '\0') {	534	if ((arg = strdelim(&cp)) == NULL \|\| *arg == '\0') {
516	error("Missing Match criteria for %s", attrib);	535	error("Missing Match criteria for %s", attrib);
517	result = -1;	536	result = -1;
Lines 519-549 match_cfg_line(Options options, char * Link Here
519	}	538	}
520	len = strlen(arg);	539	len = strlen(arg);
521	if (strcasecmp(attrib, "host") == 0) {	540	if (strcasecmp(attrib, "host") == 0) {
522	if (match_hostname(host, arg, len) != 1)	541	criteria = xstrdup(host);
523	result = 0;	542	r = match_hostname(host, arg, len) == 1;
524	else	543	if (r == (negate ? 1 : 0))
525	debug("%.200s line %d: matched 'Host %.100s' ",	544	this_result = result = 0;
526	filename, linenum, host);
527	} else if (strcasecmp(attrib, "originalhost") == 0) {	545	} else if (strcasecmp(attrib, "originalhost") == 0) {
528	if (match_hostname(host_arg, arg, len) != 1)	546	criteria = xstrdup(original_host);
529	result = 0;	547	r = match_hostname(original_host, arg, len) == 1;
530	else	548	if (r == (negate ? 1 : 0))
531	debug("%.200s line %d: matched "	549	this_result = result = 0;
532	"'OriginalHost %.100s' ",
533	filename, linenum, host_arg);
534	} else if (strcasecmp(attrib, "user") == 0) {	550	} else if (strcasecmp(attrib, "user") == 0) {
535	if (match_pattern_list(ruser, arg, len, 0) != 1)	551	criteria = xstrdup(ruser);
536	result = 0;	552	r = match_pattern_list(ruser, arg, len, 0) == 1;
537	else	553	if (r == (negate ? 1 : 0))
538	debug("%.200s line %d: matched 'User %.100s' ",	554	this_result = result = 0;
539	filename, linenum, ruser);
540	} else if (strcasecmp(attrib, "localuser") == 0) {	555	} else if (strcasecmp(attrib, "localuser") == 0) {
541	if (match_pattern_list(pw->pw_name, arg, len, 0) != 1)	556	criteria = xstrdup(pw->pw_name);
542	result = 0;	557	r = match_pattern_list(pw->pw_name, arg, len, 0) == 1;
543	else	558	if (r == (negate ? 1 : 0))
544	debug("%.200s line %d: matched "	559	this_result = result = 0;
545	"'LocalUser %.100s' ",
546	filename, linenum, pw->pw_name);
547	} else if (strcasecmp(attrib, "exec") == 0) {	560	} else if (strcasecmp(attrib, "exec") == 0) {
548	if (gethostname(thishost, sizeof(thishost)) == -1)	561	if (gethostname(thishost, sizeof(thishost)) == -1)
549	fatal("gethostname: %s", strerror(errno));	562	fatal("gethostname: %s", strerror(errno));
Lines 556-600 match_cfg_line(Options options, char * Link Here
556	"d", pw->pw_dir,	569	"d", pw->pw_dir,
557	"h", host,	570	"h", host,
558	"l", thishost,	571	"l", thishost,
559	"n", host_arg,	572	"n", original_host,
560	"p", portstr,	573	"p", portstr,
561	"r", ruser,	574	"r", ruser,
562	"u", pw->pw_name,	575	"u", pw->pw_name,
563	(char *)NULL);	576	(char *)NULL);
564	if (result != 1) {	577	if (result != 1) {
565	/* skip execution if prior predicate failed */	578	/* skip execution if prior predicate failed */
566	debug("%.200s line %d: skipped exec \"%.100s\"",	579	debug3("%.200s line %d: skipped exec "
567	filename, linenum, cmd);	580	"\"%.100s\"", filename, linenum, cmd);
568	} else {	581	free(cmd);
569	r = execute_in_shell(cmd);	582	continue;
570	if (r == -1) {
571	fatal("%.200s line %d: match exec "
572	"'%.100s' error", filename,
573	linenum, cmd);
574	} else if (r == 0) {
575	debug("%.200s line %d: matched "
576	"'exec \"%.100s\"'", filename,
577	linenum, cmd);
578	} else {
579	debug("%.200s line %d: no match "
580	"'exec \"%.100s\"'", filename,
581	linenum, cmd);
582	result = 0;
583	}
584	}	583	}
		584	r = execute_in_shell(cmd);
		585	if (r == -1) {
		586	fatal("%.200s line %d: match exec "
		587	"'%.100s' error", filename,
		588	linenum, cmd);
		589	}
		590	criteria = xstrdup(cmd);
585	free(cmd);	591	free(cmd);
		592	/* Force exit status to boolean */
		593	r = r == 0;
		594	if (r == (negate ? 1 : 0))
		595	this_result = result = 0;
586	} else {	596	} else {
587	error("Unsupported Match attribute %s", attrib);	597	error("Unsupported Match attribute %s", attrib);
588	result = -1;	598	result = -1;
589	goto out;	599	goto out;
590	}	600	}
		601	debug3("%.200s line %d: %smatched '%s \"%.100s\"' ",
		602	filename, linenum, this_result ? "": "not ",
		603	oattrib, criteria);
		604	free(criteria);
591	}	605	}
592	if (attributes == 0) {	606	if (attributes == 0) {
593	error("One or more attributes required for Match");	607	error("One or more attributes required for Match");
594	result = -1;	608	result = -1;
595	goto out;	609	goto out;
596	}	610	}
597	debug3("match %sfound", result ? "" : "not ");	611	debug2("match %sfound", result ? "" : "not ");
598	*condition = cp;	612	*condition = cp;
599	out:	613	out:
600	free(host);	614	free(host);
Lines 711-716 static const struct multistate multistat Link Here
711	{ "always", SSH_CANONICALISE_ALWAYS },	725	{ "always", SSH_CANONICALISE_ALWAYS },
712	{ NULL, -1 }	726	{ NULL, -1 }
713	};	727	};
		728	static const struct multistate multistate_reread_config[] = {
		729	{ "true", SSH_REREAD_YES },
		730	{ "false", SSH_REREAD_NO },
		731	{ "yes", SSH_REREAD_YES },
		732	{ "no", SSH_REREAD_NO },
		733	{ "if-canon", SSH_REREAD_CANON },
		734	{ NULL, -1 }
		735	};
714		736
715	/*	737	/*
716	* Processes a single option line as used in the configuration files. This	738	* Processes a single option line as used in the configuration files. This
Lines 719-725 static const struct multistate multistat Link Here
719	#define WHITESPACE " \t\r\n"	741	#define WHITESPACE " \t\r\n"
720	int	742	int
721	process_config_line(Options options, struct passwd pw, const char *host,	743	process_config_line(Options options, struct passwd pw, const char *host,
722	char line, const char filename, int linenum, int *activep, int userconfig)	744	const char original_host, char line, const char *filename,
		745	int linenum, int *activep, int flags)
723	{	746	{
724	char s, charptr, endofnumber, keyword, arg, *arg2;	747	char s, charptr, endofnumber, keyword, arg, *arg2;
725	char **cpptr, fwdarg[256];	748	char **cpptr, fwdarg[256];
Lines 947-953 parse_time: Link Here
947	if (*intptr >= SSH_MAX_IDENTITY_FILES)	970	if (*intptr >= SSH_MAX_IDENTITY_FILES)
948	fatal("%.200s line %d: Too many identity files specified (max %d).",	971	fatal("%.200s line %d: Too many identity files specified (max %d).",
949	filename, linenum, SSH_MAX_IDENTITY_FILES);	972	filename, linenum, SSH_MAX_IDENTITY_FILES);
950	add_identity_file(options, NULL, arg, userconfig);	973	add_identity_file(options, NULL,
		974	arg, flags & SSHCONF_USERCONF);
951	}	975	}
952	break;	976	break;
953		977
Lines 1195-1202 parse_int: Link Here
1195	if (cmdline)	1219	if (cmdline)
1196	fatal("Host directive not supported as a command-line "	1220	fatal("Host directive not supported as a command-line "
1197	"option");	1221	"option");
1198	value = match_cfg_line(options, &s, pw, host,	1222	value = match_cfg_line(options, &s, pw, host, original_host,
1199	filename, linenum);	1223	flags & SSHCONF_POSTCANON, filename, linenum);
1200	if (value < 0)	1224	if (value < 0)
1201	fatal("%.200s line %d: Bad Match condition", filename,	1225	fatal("%.200s line %d: Bad Match condition", filename,
1202	linenum);	1226	linenum);
Lines 1433-1438 parse_int: Link Here
1433	intptr = &options->fwd_opts.streamlocal_bind_unlink;	1457	intptr = &options->fwd_opts.streamlocal_bind_unlink;
1434	goto parse_flag;	1458	goto parse_flag;
1435		1459
		1460	case oRereadConfig:
		1461	intptr = &options->reread_config;
		1462	multistate_ptr = multistate_reread_config;
		1463	goto parse_multistate;
		1464
1436	case oDeprecated:	1465	case oDeprecated:
1437	debug("%s line %d: Deprecated option \"%s\"",	1466	debug("%s line %d: Deprecated option \"%s\"",
1438	filename, linenum, keyword);	1467	filename, linenum, keyword);
Lines 1444-1450 parse_int: Link Here
1444	return 0;	1473	return 0;
1445		1474
1446	default:	1475	default:
1447	fatal("process_config_line: Unimplemented opcode %d", opcode);	1476	fatal("%s: Unimplemented opcode %d", __func__, opcode);
1448	}	1477	}
1449		1478
1450	/* Check that there is no garbage at end of line. */	1479	/* Check that there is no garbage at end of line. */
Lines 1464-1470 parse_int: Link Here
1464		1493
1465	int	1494	int
1466	read_config_file(const char filename, struct passwd pw, const char *host,	1495	read_config_file(const char filename, struct passwd pw, const char *host,
1467	Options *options, int flags)	1496	const char original_host, Options options, int flags)
1468	{	1497	{
1469	FILE *f;	1498	FILE *f;
1470	char line[1024];	1499	char line[1024];
Lines 1495-1502 read_config_file(const char *filename, s Link Here
1495	while (fgets(line, sizeof(line), f)) {	1524	while (fgets(line, sizeof(line), f)) {
1496	/* Update line number counter. */	1525	/* Update line number counter. */
1497	linenum++;	1526	linenum++;
1498	if (process_config_line(options, pw, host, line, filename,	1527	if (process_config_line(options, pw, host, original_host,
1499	linenum, &active, flags & SSHCONF_USERCONF) != 0)	1528	line, filename, linenum, &active, flags) != 0)
1500	bad_options++;	1529	bad_options++;
1501	}	1530	}
1502	fclose(f);	1531	fclose(f);
Lines 1609-1614 initialize_options(Options * options) Link Here
1609	options->canonicalize_max_dots = -1;	1638	options->canonicalize_max_dots = -1;
1610	options->canonicalize_fallback_local = -1;	1639	options->canonicalize_fallback_local = -1;
1611	options->canonicalize_hostname = -1;	1640	options->canonicalize_hostname = -1;
		1641	options->reread_config = -1;
1612	}	1642	}
1613		1643
1614	/*	1644	/*
Lines 1786-1791 fill_default_options(Options * options) Link Here
1786	options->canonicalize_fallback_local = 1;	1816	options->canonicalize_fallback_local = 1;
1787	if (options->canonicalize_hostname == -1)	1817	if (options->canonicalize_hostname == -1)
1788	options->canonicalize_hostname = SSH_CANONICALISE_NO;	1818	options->canonicalize_hostname = SSH_CANONICALISE_NO;
		1819	if (options->reread_config == -1)
		1820	options->reread_config = SSH_REREAD_CANON;
1789	#define CLEAR_ON_NONE(v) \	1821	#define CLEAR_ON_NONE(v) \
1790	do { \	1822	do { \
1791	if (option_clear_or_none(v)) { \	1823	if (option_clear_or_none(v)) { \