Bugzilla – Attachment 3150 Details for
Bug 2858
sshd -T requires -C when "Match" is used in sshd_config
[patch]
Fix sshd -T w/out -C
openbsd-sshd-T.patch (text/plain), 6.43 KB, created by
Darren Tucker
on 2018-05-11 19:41:25 AEST
Description:
Fix sshd -T w/out -C
>Index: usr.bin/ssh/servconf.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
>retrieving revision 1.328
>diff -u -p -r1.328 servconf.c
>--- usr.bin/ssh/servconf.c 10 Apr 2018 00:10:49 -0000 1.328
>+++ usr.bin/ssh/servconf.c 11 May 2018 09:40:22 -0000
>@@ -879,6 +879,26 @@ match_test_missing_fatal(const char *cri
> }
> 
> /*
>+ * Return a connection_info structure that can never match, which is used
>+ * for sshd -T test mode. We can't use NULL since that's already used
>+ * for "not provided".
>+ */
>+static const char *param_nevermatch = "this can never match";
>+struct connection_info *
>+nevermatch_connection_info(void)
>+{
>+ struct connection_info *ci = get_connection_info(0,0);
>+
>+ ci->user = param_nevermatch;
>+ ci->host = param_nevermatch;
>+ ci->address = param_nevermatch;
>+ ci->laddress = param_nevermatch;
>+ ci->rdomain = param_nevermatch;
>+ ci->lport = -1;
>+ return ci;
>+}
>+
>+/*
> * All of the attributes on a single Match line are ANDed together, so we need
> * to check every attribute and set the result to zero if any attribute does
> * not match.
>@@ -915,7 +935,7 @@ match_cfg_line(char **condition, int lin
> return -1;
> }
> if (strcasecmp(attrib, "user") == 0) {
>- if (ci == NULL) {
>+ if (ci == NULL || ci->user == param_nevermatch) {
> result = 0;
> continue;
> }
>@@ -927,7 +947,7 @@ match_cfg_line(char **condition, int lin
> debug("user %.100s matched 'User %.100s' at "
> "line %d", ci->user, arg, line);
> } else if (strcasecmp(attrib, "group") == 0) {
>- if (ci == NULL) {
>+ if (ci == NULL || ci->user == param_nevermatch) {
> result = 0;
> continue;
> }
>@@ -940,7 +960,7 @@ match_cfg_line(char **condition, int lin
> result = 0;
> }
> } else if (strcasecmp(attrib, "host") == 0) {
>- if (ci == NULL) {
>+ if (ci == NULL || ci->host == param_nevermatch) {
> result = 0;
> continue;
> }
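Review bot: The group branch in the `-927,7 +947,7` hunk tests `ci->user == param_nevermatch` rather than a group-specific field, which is right only because group membership is resolved from the user, but nothing on that line says so; a comment such as `/* group membership is derived from ci->user, so the user sentinel applies here too */` would stop a later reader from "correcting" it to something that does not exist. The whole scheme rests on pointer identity against the file-static `param_nevermatch`, so it holds only while every sentinel comparison lives in servconf.c and no code path copies these fields (a strdup'd copy would silently stop matching the sentinel); that constraint belongs in the comment above `nevermatch_connection_info`. Minor style: `get_connection_info(0,0)` is the one call in the hunk without a space after the comma. match_cfg_line starts and ends outside these hunks.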
>@@ -952,7 +972,7 @@ match_cfg_line(char **condition, int lin
> debug("connection from %.100s matched 'Host "
> "%.100s' at line %d", ci->host, arg, line);
> } else if (strcasecmp(attrib, "address") == 0) {
>- if (ci == NULL) {
>+ if (ci == NULL || ci->address == param_nevermatch) {
> result = 0;
> continue;
> }
>@@ -971,7 +991,7 @@ match_cfg_line(char **condition, int lin
> return -1;
> }
> } else if (strcasecmp(attrib, "localaddress") == 0){
>- if (ci == NULL) {
>+ if (ci == NULL || ci->laddress == param_nevermatch) {
> result = 0;
> continue;
> }
>@@ -997,7 +1017,7 @@ match_cfg_line(char **condition, int lin
> arg);
> return -1;
> }
>- if (ci == NULL) {
>+ if (ci == NULL || ci->lport == -1) {
> result = 0;
> continue;
> }
>@@ -1011,10 +1031,12 @@ match_cfg_line(char **condition, int lin
> else
> result = 0;
> } else if (strcasecmp(attrib, "rdomain") == 0) {
>- if (ci == NULL || ci->rdomain == NULL) {
>+ if (ci == NULL || ci->rdomain == param_nevermatch) {
> result = 0;
> continue;
> }
>+ if (ci->rdomain == NULL)
>+ match_test_missing_fatal("RDomain", "rdomain");
> if (match_pattern_list(ci->rdomain, arg, 0) != 1)
> result = 0;
> else
>Index: usr.bin/ssh/servconf.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
>retrieving revision 1.131
>diff -u -p -r1.131 servconf.h
>--- usr.bin/ssh/servconf.h 13 Apr 2018 03:57:26 -0000 1.131
>+++ usr.bin/ssh/servconf.h 11 May 2018 09:40:22 -0000
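Review bot: In the `-1011,10 +1031,12` hunk the meaning of a NULL rdomain changes: the removed line treated `ci->rdomain == NULL` as a quiet non-match, while the new code lets it fall through to `match_test_missing_fatal("RDomain", "rdomain")`, which by its name presumably terminates sshd. If `ci->rdomain` can be NULL on a live connection (a socket or platform with no routing domain), a `Match RDomain` block would now be fatal at connection time rather than simply not matching, and the patch gives no reason the old tolerance was wrong. If the fatal is meant only for `-T -C` specs that omit `rdomain=`, the code needs a way to tell test mode from a live connection other than the NULL pointer, and the non-match for NULL should be kept for the live path. The other hunks here (`address`, `localaddress`, port) only add the sentinel comparison and look consistent with the `user`/`host` ones. match_cfg_line begins and ends outside these hunks.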
>@@ -271,5 +271,6 @@ void servconf_add_hostkey(const char *,
> ServerOptions *, const char *path);
> void servconf_add_hostcert(const char *, const int,
> ServerOptions *, const char *path);
>+struct connection_info * nevermatch_connection_info(void);
> 
> #endif /* SERVCONF_H */
>Index: usr.bin/ssh/sshd.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/sshd.c,v
>retrieving revision 1.508
>diff -u -p -r1.508 sshd.c
>--- usr.bin/ssh/sshd.c 13 Apr 2018 03:57:26 -0000 1.508
>+++ usr.bin/ssh/sshd.c 11 May 2018 09:40:22 -0000
>@@ -1731,7 +1731,7 @@ main(int ac, char **av)
> * use a blank one that will cause no predicate to match.
> */
> if (connection_info == NULL)
>- connection_info = get_connection_info(0, 0);
>+ connection_info = nevermatch_connection_info();
> parse_server_match_config(&options, connection_info);
> dump_config(&options);
> }
>Index: regress/usr.bin/ssh/cfgmatch.sh
>===================================================================
>RCS file: /cvs/src/regress/usr.bin/ssh/cfgmatch.sh,v
>retrieving revision 1.11
>diff -u -p -r1.11 cfgmatch.sh
>--- regress/usr.bin/ssh/cfgmatch.sh 4 Oct 2017 18:50:23 -0000 1.11
>+++ regress/usr.bin/ssh/cfgmatch.sh 11 May 2018 09:40:22 -0000
>@@ -51,9 +51,10 @@ echo "AuthorizedKeysFile /dev/null $OBJ/
> echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
> echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
> 
>-start_sshd
>+${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
>+ fail "config w/match fails config test"
> 
>-#set -x
>+start_sshd
> 
> # Test Match + PermitOpen in sshd_config. This should be permitted
> trace "match permitopen localhost"
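Review bot: The new prototype `struct connection_info * nevermatch_connection_info(void);` separates the `*` from the declarator, unlike the neighbouring prototypes in this header (`const char *,`) and the definition in servconf.c; write `struct connection_info *nevermatch_connection_info(void);`. The prototype also exports a symbol whose contract (an object no Match predicate can match, meant for sshd -T) is documented only in the .c file; a one-line comment above it in the header would tell callers when it is appropriate.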
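Review bot: In the sshd.c hunk the comment directly above the changed line still reads "use a blank one that will cause no predicate to match", but the object returned by `nevermatch_connection_info()` is no longer blank, it is filled with sentinel values; the wording should follow, e.g. `* use a sentinel one that no Match predicate can match.` The first line of that comment and the rest of main() lie outside the hunk.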
>@@ -113,3 +114,46 @@ start_client -F $OBJ/ssh_proxy
> ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
> fail "nomatch override permitopen"
> stop_client
>+
>+# Test parsing of available Match criteria (with the exception of Group which
>+# requires knowing actual group memberships.
>+params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \
>+ localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1"
>+cp $OBJ/sshd_proxy_bak $OBJ/sshd_config
>+echo 'Banner /nomatch' >>$OBJ/sshd_config
>+for i in $params; do
>+ config=`echo $i | cut -f1 -d:`
>+ criteria=`echo $i | cut -f2 -d:`
>+ value=`echo $i | cut -f3 -d:`
>+ cat >>$OBJ/sshd_config <<EOD
>+ Match $config $value
>+ Banner /$value
>+EOD
>+done
>+
>+${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
>+ fail "validate config for w/out spec"
>+
>+# Test matching each criteria.
>+for i in $params; do
>+ testcriteria=`echo $i | cut -f2 -d:`
>+ expected=/`echo $i | cut -f3 -d:`
>+ spec=""
>+ for j in $params; do
>+ config=`echo $j | cut -f1 -d:`
>+ criteria=`echo $j | cut -f2 -d:`
>+ value=`echo $j | cut -f3 -d:`
>+ if [ "$criteria" = "$testcriteria" ]; then
>+ spec="$criteria=$value,$spec"
>+ else
>+ spec="$criteria=1$value,$spec"
>+ fi
>+ done
>+ trace "test spec $spec"
>+ result=`${SSHD} -f $OBJ/sshd_config -T -C "$spec" | \
>+ awk '$1=="banner"{print $2}'`
>+ if [ "$result" != "$expected" ]; then
>+ fail "match $config expected $expected got $result"
>+ fi
>+done
>+
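Review bot: The failure message in the second loop, `fail "match $config expected $expected got $result"`, reports `$config`, which at that point holds whatever the inner `for j` loop assigned last (the final entry of `$params`), not the criterion under test, so a failing case is misnamed; use `fail "match $testcriteria expected $expected got $result"`. The comment opening the block is missing its closing parenthesis: `# requires knowing actual group memberships).` The spec is built as `$criteria=$value,$spec`, leaving a trailing comma, which is fine only if the `-C` parser accepts an empty trailing element; if it does, a short comment saying so would save the next reader a check. Everything this hunk adds is new, and the surrounding script is outside it.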