Bugzilla – Attachment 2469 Details for
Bug 2267
Host matching uses modified hostname as well as original
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Attempt #4
canon3.diff (text/plain), 29.36 KB, created by
Damien Miller
on 2014-09-05 12:51:48 AEST
(
hide
)
Description:
Attempt #4
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2014-09-05 12:51:48 AEST
Size:
29.36 KB
patch
obsolete
>diff --git readconf.c readconf.c >index 8c5195b..51d3f02 100644 >--- readconf.c >+++ readconf.c >@@ -33,6 +33,7 @@ > #include <string.h> > #include <unistd.h> > #include <util.h> >+#include <vis.h> > > #include "xmalloc.h" > #include "ssh.h" >@@ -48,6 +49,7 @@ > #include "kex.h" > #include "mac.h" > #include "uidswap.h" >+#include "myproposal.h" > > /* Format of the configuration file: > >@@ -127,7 +129,7 @@ typedef enum { > oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, > oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, > oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, >- oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, >+ oPubkeyAuthentication, > oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, > oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, > oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, >@@ -204,7 +206,7 @@ static struct { > { "globalknownhostsfile", oGlobalKnownHostsFile }, > { "globalknownhostsfile2", oDeprecated }, > { "userknownhostsfile", oUserKnownHostsFile }, >- { "userknownhostsfile2", oDeprecated }, >+ { "userknownhostsfile2", oDeprecated }, > { "connectionattempts", oConnectionAttempts }, > { "batchmode", oBatchMode }, > { "checkhostip", oCheckHostIP }, >@@ -457,7 +459,7 @@ execute_in_shell(const char *cmd) > if (!WIFEXITED(status)) { > error("command '%.100s' exited abnormally", cmd); > return -1; >- } >+ } > debug3("command returned status %d", WEXITSTATUS(status)); > return WEXITSTATUS(status); > } >@@ -467,11 +469,12 @@ execute_in_shell(const char *cmd) > */ > static int > match_cfg_line(Options *options, char **condition, struct passwd *pw, >- const char *host_arg, const char *filename, int linenum) >+ const char *host_arg, const char *original_host, int post_canon, >+ const char *filename, int linenum) > { >- char *arg, *attrib, *cmd, *cp = *condition, *host; >+ char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria; > const char *ruser; >- int r, port, result = 1, attributes = 0; >+ int r, port, this_result, result = 1, attributes = 0, negate; > size_t len; > char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; > >@@ -488,21 +491,38 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, > } else > host = xstrdup(host_arg); > >- debug3("checking match for '%s' host %s", cp, host); >- while ((attrib = strdelim(&cp)) && *attrib != '\0') { >- attributes++; >+ debug2("checking match for '%s' host %s originally %s", >+ cp, host, original_host); >+ while ((oattrib = attrib = strdelim(&cp)) && *attrib != '\0') { >+ criteria = NULL; >+ this_result = 1; >+ if ((negate = attrib[0] == '!')) >+ attrib++; >+ /* criteria "all" and "canonical" have no argument */ > if (strcasecmp(attrib, "all") == 0) { >- if (attributes != 1 || >+ if (attributes > 1 || > ((arg = strdelim(&cp)) != NULL && *arg != '\0')) { >- error("'all' cannot be combined with other " >- "Match attributes"); >+ error("%.200s line %d: '%s' cannot be combined " >+ "with other Match attributes", >+ filename, linenum, oattrib); > result = -1; > goto out; > } >- *condition = cp; >- result = 1; >+ if (result) >+ result = negate ? 0 : 1; > goto out; > } >+ attributes++; >+ if (strcasecmp(attrib, "canonical") == 0) { >+ r = !!post_canon; /* force bitmask member to boolean */ >+ if (r == (negate ? 1 : 0)) >+ this_result = result = 0; >+ debug3("%.200s line %d: %smatched '%s'", >+ filename, linenum, >+ this_result ? "" : "not ", oattrib); >+ continue; >+ } >+ /* All other criteria require an argument */ > if ((arg = strdelim(&cp)) == NULL || *arg == '\0') { > error("Missing Match criteria for %s", attrib); > result = -1; >@@ -510,31 +530,25 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, > } > len = strlen(arg); > if (strcasecmp(attrib, "host") == 0) { >- if (match_hostname(host, arg, len) != 1) >- result = 0; >- else >- debug("%.200s line %d: matched 'Host %.100s' ", >- filename, linenum, host); >+ criteria = xstrdup(host); >+ r = match_hostname(host, arg, len) == 1; >+ if (r == (negate ? 1 : 0)) >+ this_result = result = 0; > } else if (strcasecmp(attrib, "originalhost") == 0) { >- if (match_hostname(host_arg, arg, len) != 1) >- result = 0; >- else >- debug("%.200s line %d: matched " >- "'OriginalHost %.100s' ", >- filename, linenum, host_arg); >+ criteria = xstrdup(original_host); >+ r = match_hostname(original_host, arg, len) == 1; >+ if (r == (negate ? 1 : 0)) >+ this_result = result = 0; > } else if (strcasecmp(attrib, "user") == 0) { >- if (match_pattern_list(ruser, arg, len, 0) != 1) >- result = 0; >- else >- debug("%.200s line %d: matched 'User %.100s' ", >- filename, linenum, ruser); >+ criteria = xstrdup(ruser); >+ r = match_pattern_list(ruser, arg, len, 0) == 1; >+ if (r == (negate ? 1 : 0)) >+ this_result = result = 0; > } else if (strcasecmp(attrib, "localuser") == 0) { >- if (match_pattern_list(pw->pw_name, arg, len, 0) != 1) >- result = 0; >- else >- debug("%.200s line %d: matched " >- "'LocalUser %.100s' ", >- filename, linenum, pw->pw_name); >+ criteria = xstrdup(pw->pw_name); >+ r = match_pattern_list(pw->pw_name, arg, len, 0) == 1; >+ if (r == (negate ? 1 : 0)) >+ this_result = result = 0; > } else if (strcasecmp(attrib, "exec") == 0) { > if (gethostname(thishost, sizeof(thishost)) == -1) > fatal("gethostname: %s", strerror(errno)); >@@ -547,47 +561,49 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw, > "d", pw->pw_dir, > "h", host, > "l", thishost, >- "n", host_arg, >+ "n", original_host, > "p", portstr, > "r", ruser, > "u", pw->pw_name, > (char *)NULL); > if (result != 1) { > /* skip execution if prior predicate failed */ >- debug("%.200s line %d: skipped exec \"%.100s\"", >- filename, linenum, cmd); >- } else { >- r = execute_in_shell(cmd); >- if (r == -1) { >- fatal("%.200s line %d: match exec " >- "'%.100s' error", filename, >- linenum, cmd); >- } else if (r == 0) { >- debug("%.200s line %d: matched " >- "'exec \"%.100s\"'", filename, >- linenum, cmd); >- } else { >- debug("%.200s line %d: no match " >- "'exec \"%.100s\"'", filename, >- linenum, cmd); >- result = 0; >- } >+ debug3("%.200s line %d: skipped exec " >+ "\"%.100s\"", filename, linenum, cmd); >+ free(cmd); >+ continue; > } >+ r = execute_in_shell(cmd); >+ if (r == -1) { >+ fatal("%.200s line %d: match exec " >+ "'%.100s' error", filename, >+ linenum, cmd); >+ } >+ criteria = xstrdup(cmd); > free(cmd); >+ /* Force exit status to boolean */ >+ r = r == 0; >+ if (r == (negate ? 1 : 0)) >+ this_result = result = 0; > } else { > error("Unsupported Match attribute %s", attrib); > result = -1; > goto out; > } >+ debug3("%.200s line %d: %smatched '%s \"%.100s\"' ", >+ filename, linenum, this_result ? "": "not ", >+ oattrib, criteria); >+ free(criteria); > } > if (attributes == 0) { > error("One or more attributes required for Match"); > result = -1; > goto out; > } >- debug3("match %sfound", result ? "" : "not "); >- *condition = cp; > out: >+ if (result != -1) >+ debug2("match %sfound", result ? "" : "not "); >+ *condition = cp; > free(host); > return result; > } >@@ -710,7 +726,8 @@ static const struct multistate multistate_canonicalizehostname[] = { > #define WHITESPACE " \t\r\n" > int > process_config_line(Options *options, struct passwd *pw, const char *host, >- char *line, const char *filename, int linenum, int *activep, int userconfig) >+ const char *original_host, char *line, const char *filename, >+ int linenum, int *activep, int flags) > { > char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; > char **cpptr, fwdarg[256]; >@@ -766,7 +783,9 @@ parse_time: > if (!arg || *arg == '\0') > fatal("%s line %d: missing time value.", > filename, linenum); >- if ((value = convtime(arg)) == -1) >+ if (strcmp(arg, "none") == 0) >+ value = -1; >+ else if ((value = convtime(arg)) == -1) > fatal("%s line %d: invalid time value.", > filename, linenum); > if (*activep && *intptr == -1) >@@ -803,7 +822,7 @@ parse_time: > case oForwardX11Trusted: > intptr = &options->forward_x11_trusted; > goto parse_flag; >- >+ > case oForwardX11Timeout: > intptr = &options->forward_x11_timeout; > goto parse_time; >@@ -938,7 +957,8 @@ parse_time: > if (*intptr >= SSH_MAX_IDENTITY_FILES) > fatal("%.200s line %d: Too many identity files specified (max %d).", > filename, linenum, SSH_MAX_IDENTITY_FILES); >- add_identity_file(options, NULL, arg, userconfig); >+ add_identity_file(options, NULL, >+ arg, flags & SSHCONF_USERCONF); > } > break; > >@@ -1186,8 +1206,8 @@ parse_int: > if (cmdline) > fatal("Host directive not supported as a command-line " > "option"); >- value = match_cfg_line(options, &s, pw, host, >- filename, linenum); >+ value = match_cfg_line(options, &s, pw, host, original_host, >+ flags & SSHCONF_POSTCANON, filename, linenum); > if (value < 0) > fatal("%.200s line %d: Bad Match condition", filename, > linenum); >@@ -1435,7 +1455,7 @@ parse_int: > return 0; > > default: >- fatal("process_config_line: Unimplemented opcode %d", opcode); >+ fatal("%s: Unimplemented opcode %d", __func__, opcode); > } > > /* Check that there is no garbage at end of line. */ >@@ -1455,7 +1475,7 @@ parse_int: > > int > read_config_file(const char *filename, struct passwd *pw, const char *host, >- Options *options, int flags) >+ const char *original_host, Options *options, int flags) > { > FILE *f; > char line[1024]; >@@ -1486,8 +1506,8 @@ read_config_file(const char *filename, struct passwd *pw, const char *host, > while (fgets(line, sizeof(line), f)) { > /* Update line number counter. */ > linenum++; >- if (process_config_line(options, pw, host, line, filename, >- linenum, &active, flags & SSHCONF_USERCONF) != 0) >+ if (process_config_line(options, pw, host, original_host, >+ line, filename, linenum, &active, flags) != 0) > bad_options++; > } > fclose(f); >@@ -1998,3 +2018,295 @@ parse_forward(struct Forward *fwd, const char *fwdspec, int dynamicfwd, int remo > fwd->listen_path = NULL; > return (0); > } >+ >+/* XXX the following is a near-vebatim copy from servconf.c; refactor */ >+static const char * >+fmt_multistate_int(int val, const struct multistate *m) >+{ >+ u_int i; >+ >+ for (i = 0; m[i].key != NULL; i++) { >+ if (m[i].value == val) >+ return m[i].key; >+ } >+ return "UNKNOWN"; >+} >+ >+static const char * >+fmt_intarg(OpCodes code, int val) >+{ >+ if (val == -1) >+ return "unset"; >+ switch (code) { >+ case oAddressFamily: >+ return fmt_multistate_int(val, multistate_addressfamily); >+ case oVerifyHostKeyDNS: >+ case oStrictHostKeyChecking: >+ return fmt_multistate_int(val, multistate_yesnoask); >+ case oControlMaster: >+ return fmt_multistate_int(val, multistate_controlmaster); >+ case oTunnel: >+ return fmt_multistate_int(val, multistate_tunnel); >+ case oRequestTTY: >+ return fmt_multistate_int(val, multistate_requesttty); >+ case oCanonicalizeHostname: >+ return fmt_multistate_int(val, multistate_canonicalizehostname); >+ case oProtocol: >+ switch (val) { >+ case SSH_PROTO_1: >+ return "1"; >+ case SSH_PROTO_2: >+ return "2"; >+ case (SSH_PROTO_1|SSH_PROTO_2): >+ return "2,1"; >+ default: >+ return "UNKNOWN"; >+ } >+ default: >+ switch (val) { >+ case 0: >+ return "no"; >+ case 1: >+ return "yes"; >+ default: >+ return "UNKNOWN"; >+ } >+ } >+} >+ >+static const char * >+lookup_opcode_name(OpCodes code) >+{ >+ u_int i; >+ >+ for (i = 0; keywords[i].name != NULL; i++) >+ if (keywords[i].opcode == code) >+ return(keywords[i].name); >+ return "UNKNOWN"; >+} >+ >+static void >+dump_cfg_int(OpCodes code, int val) >+{ >+ printf("%s %d\n", lookup_opcode_name(code), val); >+} >+ >+static void >+dump_cfg_fmtint(OpCodes code, int val) >+{ >+ printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val)); >+} >+ >+static void >+dump_cfg_string(OpCodes code, const char *val) >+{ >+ if (val == NULL) >+ return; >+ printf("%s %s\n", lookup_opcode_name(code), val); >+} >+ >+static void >+dump_cfg_strarray(OpCodes code, u_int count, char **vals) >+{ >+ u_int i; >+ >+ for (i = 0; i < count; i++) >+ printf("%s %s\n", lookup_opcode_name(code), vals[i]); >+} >+ >+static void >+dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals) >+{ >+ u_int i; >+ >+ printf("%s", lookup_opcode_name(code)); >+ for (i = 0; i < count; i++) >+ printf(" %s", vals[i]); >+ printf("\n"); >+} >+ >+static void >+dump_cfg_forwards(OpCodes code, u_int count, const struct Forward *fwds) >+{ >+ const struct Forward *fwd; >+ u_int i; >+ >+ /* oDynamicForward */ >+ for (i = 0; i < count; i++) { >+ fwd = &fwds[i]; >+ if (code == oDynamicForward && >+ strcmp(fwd->connect_host, "socks") != 0) >+ continue; >+ if (code == oLocalForward && >+ strcmp(fwd->connect_host, "socks") == 0) >+ continue; >+ printf("%s", lookup_opcode_name(code)); >+ if (fwd->listen_port == PORT_STREAMLOCAL) >+ printf(" %s", fwd->listen_path); >+ else if (fwd->listen_host == NULL) >+ printf(" %d", fwd->listen_port); >+ else { >+ printf(" [%s]:%d", >+ fwd->listen_host, fwd->listen_port); >+ } >+ if (code != oDynamicForward) { >+ if (fwd->connect_port == PORT_STREAMLOCAL) >+ printf(" %s", fwd->connect_path); >+ else if (fwd->connect_host == NULL) >+ printf(" %d", fwd->connect_port); >+ else { >+ printf(" [%s]:%d", >+ fwd->connect_host, fwd->connect_port); >+ } >+ } >+ printf("\n"); >+ } >+} >+ >+void >+dump_client_config(Options *o, const char *host) >+{ >+ int i; >+ char vbuf[5]; >+ >+ /* Most interesting options first: user, host, port */ >+ dump_cfg_string(oUser, o->user); >+ dump_cfg_string(oHostName, host); >+ dump_cfg_int(oPort, o->port); >+ >+ /* Flag options */ >+ dump_cfg_fmtint(oAddressFamily, o->address_family); >+ dump_cfg_fmtint(oBatchMode, o->batch_mode); >+ dump_cfg_fmtint(oCanonicalizeFallbackLocal, o->canonicalize_fallback_local); >+ dump_cfg_fmtint(oCanonicalizeHostname, o->canonicalize_hostname); >+ dump_cfg_fmtint(oChallengeResponseAuthentication, o->challenge_response_authentication); >+ dump_cfg_fmtint(oCheckHostIP, o->check_host_ip); >+ dump_cfg_fmtint(oCompression, o->compression); >+ dump_cfg_fmtint(oControlMaster, o->control_master); >+ dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign); >+ dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure); >+ dump_cfg_fmtint(oForwardAgent, o->forward_agent); >+ dump_cfg_fmtint(oForwardX11, o->forward_x11); >+ dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted); >+ dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); >+#ifdef GSSAPI >+ dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); >+ dump_cfg_fmtint(oGssDelegateCreds, o->gss_deleg_creds); >+#endif /* GSSAPI */ >+ dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); >+ dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); >+ dump_cfg_fmtint(oIdentitiesOnly, o->identities_only); >+ dump_cfg_fmtint(oKbdInteractiveAuthentication, o->kbd_interactive_authentication); >+ dump_cfg_fmtint(oNoHostAuthenticationForLocalhost, o->no_host_authentication_for_localhost); >+ dump_cfg_fmtint(oPasswordAuthentication, o->password_authentication); >+ dump_cfg_fmtint(oPermitLocalCommand, o->permit_local_command); >+ dump_cfg_fmtint(oProtocol, o->protocol); >+ dump_cfg_fmtint(oProxyUseFdpass, o->proxy_use_fdpass); >+ dump_cfg_fmtint(oPubkeyAuthentication, o->pubkey_authentication); >+ dump_cfg_fmtint(oRequestTTY, o->request_tty); >+ dump_cfg_fmtint(oRhostsRSAAuthentication, o->rhosts_rsa_authentication); >+ dump_cfg_fmtint(oRSAAuthentication, o->rsa_authentication); >+ dump_cfg_fmtint(oStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); >+ dump_cfg_fmtint(oStrictHostKeyChecking, o->strict_host_key_checking); >+ dump_cfg_fmtint(oTCPKeepAlive, o->tcp_keep_alive); >+ dump_cfg_fmtint(oTunnel, o->tun_open); >+ dump_cfg_fmtint(oUsePrivilegedPort, o->use_privileged_port); >+ dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns); >+ dump_cfg_fmtint(oVisualHostKey, o->visual_host_key); >+ >+ /* Integer options */ >+ dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots); >+ dump_cfg_int(oCompressionLevel, o->compression_level); >+ dump_cfg_int(oConnectionAttempts, o->connection_attempts); >+ dump_cfg_int(oForwardX11Timeout, o->forward_x11_timeout); >+ dump_cfg_int(oNumberOfPasswordPrompts, o->number_of_password_prompts); >+ dump_cfg_int(oServerAliveCountMax, o->server_alive_count_max); >+ dump_cfg_int(oServerAliveInterval, o->server_alive_interval); >+ >+ /* String options */ >+ dump_cfg_string(oBindAddress, o->bind_address); >+ dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT); >+ dump_cfg_string(oControlPath, o->control_path); >+ dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); >+ dump_cfg_string(oHostKeyAlias, o->host_key_alias); >+ dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); >+ dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX); >+ dump_cfg_string(oLocalCommand, o->local_command); >+ dump_cfg_string(oLogLevel, log_level_name(o->log_level)); >+ dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC); >+ dump_cfg_string(oPKCS11Provider, o->pkcs11_provider); >+ dump_cfg_string(oPreferredAuthentications, o->preferred_authentications); >+ dump_cfg_string(oProxyCommand, o->proxy_command); >+ dump_cfg_string(oXAuthLocation, o->xauth_location); >+ >+ dump_cfg_forwards(oDynamicForward, o->num_local_forwards, o->local_forwards); >+ dump_cfg_forwards(oLocalForward, o->num_local_forwards, o->local_forwards); >+ dump_cfg_forwards(oRemoteForward, o->num_remote_forwards, o->remote_forwards); >+ >+ /* String array options */ >+ dump_cfg_strarray(oIdentityFile, o->num_identity_files, o->identity_files); >+ dump_cfg_strarray_oneline(oCanonicalDomains, o->num_canonical_domains, o->canonical_domains); >+ dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles); >+ dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles); >+ dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env); >+ >+ /* Special cases */ >+ >+ /* oConnectTimeout */ >+ if (o->connection_timeout == -1) >+ printf("connecttimeout none\n"); >+ else >+ dump_cfg_int(oConnectTimeout, o->connection_timeout); >+ >+ /* oTunnelDevice */ >+ printf("tunneldevice"); >+ if (o->tun_local == SSH_TUNID_ANY) >+ printf(" any"); >+ else >+ printf(" %d", o->tun_local); >+ if (o->tun_remote == SSH_TUNID_ANY) >+ printf(":any"); >+ else >+ printf(":%d", o->tun_remote); >+ printf("\n"); >+ >+ /* oCanonicalizePermittedCNAMEs */ >+ if ( o->num_permitted_cnames > 0) { >+ printf("canonicalizePermittedcnames"); >+ for (i = 0; i < o->num_permitted_cnames; i++) { >+ printf(" %s:%s", o->permitted_cnames[i].source_list, >+ o->permitted_cnames[i].target_list); >+ } >+ printf("\n"); >+ } >+ >+ /* oCipher */ >+ if (o->cipher != SSH_CIPHER_NOT_SET) >+ printf("Cipher %s\n", cipher_name(o->cipher)); >+ >+ /* oControlPersist */ >+ if (o->control_persist == 0 || o->control_persist_timeout == 0) >+ dump_cfg_fmtint(oControlPersist, o->control_persist); >+ else >+ dump_cfg_int(oControlPersist, o->control_persist_timeout); >+ >+ /* oEscapeChar */ >+ if (o->escape_char == SSH_ESCAPECHAR_NONE) >+ printf("escapechar none\n"); >+ else { >+ vis(vbuf, o->escape_char, VIS_WHITE, 0); >+ printf("escapechar %s\n", vbuf); >+ } >+ >+ /* oIPQoS */ >+ printf("ipqos %s ", iptos2str(o->ip_qos_interactive)); >+ printf("%s\n", iptos2str(o->ip_qos_bulk)); >+ >+ /* oRekeyLimit */ >+ printf("rekeylimit %lld %d\n", >+ (long long)o->rekey_limit, o->rekey_interval); >+ >+ /* oStreamLocalBindMask */ >+ printf("streamlocalbindmask 0%o\n", >+ o->fwd_opts.streamlocal_bind_mask); >+} >diff --git readconf.h readconf.h >index 0b9cb77..f0041bd 100644 >--- readconf.h >+++ readconf.h >@@ -164,17 +164,19 @@ typedef struct { > > #define SSHCONF_CHECKPERM 1 /* check permissions on config file */ > #define SSHCONF_USERCONF 2 /* user provided config file not system */ >+#define SSHCONF_POSTCANON 4 /* After hostname canonicalisation */ > > void initialize_options(Options *); > void fill_default_options(Options *); > void fill_default_options_for_canonicalization(Options *); >-int process_config_line(Options *, struct passwd *, const char *, char *, >- const char *, int, int *, int); >+int process_config_line(Options *, struct passwd *, const char *, >+ const char *, char *, const char *, int, int *, int); > int read_config_file(const char *, struct passwd *, const char *, >- Options *, int); >+ const char *, Options *, int); > int parse_forward(struct Forward *, const char *, int, int); > int default_ssh_port(void); > int option_clear_or_none(const char *); >+void dump_client_config(Options *o, const char *host); > > void add_local_forward(Options *, const struct Forward *); > void add_remote_forward(Options *, const struct Forward *); >diff --git ssh-keysign.c ssh-keysign.c >index 1da6eb7..0ed2c0f 100644 >--- ssh-keysign.c >+++ ssh-keysign.c >@@ -178,7 +178,7 @@ main(int argc, char **argv) > > /* verify that ssh-keysign is enabled by the admin */ > initialize_options(&options); >- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", &options, 0); >+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", &options, 0); > fill_default_options(&options); > if (options.enable_ssh_keysign != 1) > fatal("ssh-keysign not enabled in %s", >diff --git ssh.1 ssh.1 >index 1c889b6..e16eba5 100644 >--- ssh.1 >+++ ssh.1 >@@ -43,7 +43,7 @@ > .Sh SYNOPSIS > .Nm ssh > .Bk -words >-.Op Fl 1246AaCfgKkMNnqsTtVvXxYy >+.Op Fl 1246AaCfgGKkMNnqsTtVvXxYy > .Op Fl b Ar bind_address > .Op Fl c Ar cipher_spec > .Op Fl D Oo Ar bind_address : Oc Ns Ar port >@@ -251,6 +251,14 @@ then a client started with > .Fl f > will wait for all remote port forwards to be successfully established > before placing itself in the background. >+.It Fl G >+Causes >+.Nm >+to print its configuration after evaluating >+.Cm Host >+and >+.Cm Match >+blocks and exit. > .It Fl g > Allows remote hosts to connect to local forwarded ports. > If used on a multiplexed connection, then this option must be specified >diff --git ssh.c ssh.c >index d83b023..806c299 100644 >--- ssh.c >+++ ssh.c >@@ -370,27 +370,29 @@ resolve_canonicalize(char **hostp, int port) > * file if the user specifies a config file on the command line. > */ > static void >-process_config_files(struct passwd *pw) >+process_config_files(const char *host_arg, struct passwd *pw, int post_canon) > { > char buf[MAXPATHLEN]; > int r; > > if (config != NULL) { > if (strcasecmp(config, "none") != 0 && >- !read_config_file(config, pw, host, &options, >- SSHCONF_USERCONF)) >+ !read_config_file(config, pw, host, host_arg, &options, >+ SSHCONF_USERCONF | (post_canon ? SSHCONF_POSTCANON : 0))) > fatal("Can't open user config file %.100s: " > "%.100s", config, strerror(errno)); > } else { > r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, > _PATH_SSH_USER_CONFFILE); > if (r > 0 && (size_t)r < sizeof(buf)) >- (void)read_config_file(buf, pw, host, &options, >- SSHCONF_CHECKPERM|SSHCONF_USERCONF); >+ (void)read_config_file(buf, pw, host, host_arg, >+ &options, SSHCONF_CHECKPERM | SSHCONF_USERCONF | >+ (post_canon ? SSHCONF_POSTCANON : 0)); > > /* Read systemwide configuration file after user config. */ >- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, host, >- &options, 0); >+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, >+ host, host_arg, &options, >+ post_canon ? SSHCONF_POSTCANON : 0); > } > } > >@@ -400,7 +402,7 @@ process_config_files(struct passwd *pw) > int > main(int ac, char **av) > { >- int i, r, opt, exit_status, use_syslog; >+ int i, r, opt, exit_status, use_syslog, config_test = 0; > char *p, *cp, *line, *argv0, buf[MAXPATHLEN], *host_arg, *logfile; > char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV]; > char cname[NI_MAXHOST]; >@@ -478,7 +480,7 @@ main(int ac, char **av) > > again: > while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" >- "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { >+ "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { > switch (opt) { > case '1': > options.protocol = SSH_PROTO_1; >@@ -511,6 +513,9 @@ main(int ac, char **av) > case 'E': > logfile = xstrdup(optarg); > break; >+ case 'G': >+ config_test = 1; >+ break; > case 'Y': > options.forward_x11 = 1; > options.forward_x11_trusted = 1; >@@ -759,9 +764,9 @@ main(int ac, char **av) > break; > case 'o': > line = xstrdup(optarg); >- if (process_config_line(&options, pw, host ? host : "", >- line, "command-line", 0, NULL, SSHCONF_USERCONF) >- != 0) >+ if (process_config_line(&options, pw, >+ host ? host : "", host ? host : "", line, >+ "command-line", 0, NULL, SSHCONF_USERCONF) != 0) > exit(255); > free(line); > break; >@@ -870,7 +875,7 @@ main(int ac, char **av) > ); > > /* Parse the configuration files */ >- process_config_files(pw); >+ process_config_files(host_arg, pw, 0); > > /* Hostname canonicalisation needs a few options filled. */ > fill_default_options_for_canonicalization(&options); >@@ -882,6 +887,8 @@ main(int ac, char **av) > "h", host, (char *)NULL); > free(host); > host = cp; >+ free(options.hostname); >+ options.hostname = xstrdup(host); > } > > /* If canonicalization requested then try to apply it */ >@@ -915,13 +922,11 @@ main(int ac, char **av) > check_follow_cname(&host, cname); > } > >- /* >- * If the target hostname has changed as a result of canonicalisation >- * then re-parse the configuration files as new stanzas may match. >- */ >- if (strcasecmp(host_arg, host) != 0) { >- debug("Hostname has changed; re-reading configuration"); >- process_config_files(pw); >+ if (options.canonicalize_hostname != 0) { >+ debug("Re-reading configuration"); >+ free(options.hostname); >+ options.hostname = xstrdup(host); >+ process_config_files(host_arg, pw, 1); > } > > /* Fill configuration defaults. */ >@@ -1019,6 +1024,11 @@ main(int ac, char **av) > } > free(conn_hash_hex); > >+ if (config_test) { >+ dump_client_config(&options, host); >+ exit(0); >+ } >+ > if (muxclient_command != 0 && options.control_path == NULL) > fatal("No ControlPath specified for \"-O\" command"); > if (options.control_path != NULL) >diff --git ssh_config.5 ssh_config.5 >index 4396aa9..dfdb484 100644 >--- ssh_config.5 >+++ ssh_config.5 >@@ -65,7 +65,10 @@ The configuration files contain sections separated by > .Dq Host > specifications, and that section is only applied for hosts that > match one of the patterns given in the specification. >-The matched host name is the one given on the command line. >+The matched host name is usually the one given on the command line >+(see the >+.Cm CanonicalizeHostname >+option for exceptions.) > .Pp > Since the first obtained value for each parameter is used, more > host-specific declarations should be given near the beginning of the >@@ -109,10 +112,12 @@ A single > .Ql * > as a pattern can be used to provide global > defaults for all hosts. >-The host is the >+The host is usually the > .Ar hostname >-argument given on the command line (i.e. the name is not converted to >-a canonicalized host name before matching). >+argument given on the command line >+(see the >+.Cm CanonicalizeHostname >+option for exceptions.) > .Pp > A pattern entry may be negated by prefixing it with an exclamation mark > .Pq Sq !\& . >@@ -134,19 +139,40 @@ or > keyword) to be used only when the conditions following the > .Cm Match > keyword are satisfied. >-Match conditions are specified using one or more keyword/criteria pairs >+Match conditions are specified using one or more critera > or the single token > .Cm all >-which matches all criteria. >-The available keywords are: >+which always matches. >+The available criteria keywords are: >+.Cm canonical , > .Cm exec , > .Cm host , > .Cm originalhost , > .Cm user , > and > .Cm localuser . >+The >+.Cm all >+criteria must appear alone or immediately after >+.Cm canonical. >+Other criteria may be combined arbitrarily. >+All criteria but >+.Cm all >+and >+.Cm canonical >+require an argument. >+Criteria may be negated by prepending an exclamation mark >+.Pq Sq !\& . > .Pp > The >+.Cm canonical >+keywork matches only when the configuration file is being re-parsed >+after hostname canonicalization (see the >+.Cm CanonicalizeHostname >+option.) >+This may be useful to specify conditions that work with canonical host >+names only. >+The > .Cm exec > keyword executes the specified command under the user's shell. > If the command returns a zero exit status then the condition is considered true. >@@ -179,7 +205,9 @@ The criteria for the > keyword are matched against the target hostname, after any substitution > by the > .Cm Hostname >-option. >+or >+.Cm CanonicalizeHostname >+options. > The > .Cm originalhost > keyword matches against the hostname as it was specified on the command-line. >@@ -264,10 +292,11 @@ is set to > .Dq always , > then canonicalization is applied to proxied connections too. > .Pp >-If this option is enabled and canonicalisation results in the target hostname >-changing, then the configuration files are processed again using the new >-target name to pick up any new configuration in matching >+If this option is enabled, then the configuration files are processed >+again using the new target name to pick up any new configuration in matching > .Cm Host >+and >+.Cm Match > stanzas. > .It Cm CanonicalizeMaxDots > Specifies the maximum number of dot characters in a hostname before >@@ -775,6 +804,12 @@ The default is the name given on the command line. > Numeric IP addresses are also permitted (both on the command line and in > .Cm HostName > specifications). >+.Pp >+If this option is enabled and results in the target hostname >+changing, then the configuration files are processed again using the new >+target name to pick up any new configuration in matching >+.Cm Host >+stanzas. > .It Cm IdentitiesOnly > Specifies that > .Xr ssh 1
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=2469">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 2267
:
2465
|
2466
|
2467
| 2469 |
2470