options->gss_authentication=-1;
options->gss_keyex = -1;
options->gss_cleanup_creds = -1;
+ options->gss_strict_acceptor = -1;
options->gsi_allow_limited_proxy = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->permit_tun = -1;
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
-
- options->none_enabled = -1;
- options->tcp_rcv_buf_poll = -1;
- options->hpn_disabled = -1;
- options->hpn_buffer_size = -1;
+ options->none_enabled = -1;
+ options->tcp_rcv_buf_poll = -1;
+ options->hpn_disabled = -1;
+ options->hpn_buffer_size = -1;
}
void
fill_default_server_options(ServerOptions *options)
{
+ int sock;
+ int socksize;
+ int socksizelen = sizeof(int);
/* Portable-specific options */
if (options->use_pam == -1)
options->gss_keyex = 1;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
+ if (options->gss_strict_acceptor == -1)
+ options->gss_strict_acceptor = 1;
if (options->gsi_allow_limited_proxy == -1)
options->gsi_allow_limited_proxy = 0;
if (options->password_authentication == -1)
if (options->hpn_disabled == -1)
options->hpn_disabled = 0;
- if (options->hpn_buffer_size == -1)
- options->hpn_buffer_size = 2*1024*1024;
- else {
- if (options->hpn_buffer_size == 0)
- options->hpn_buffer_size = 1;
- /* limit the maximum buffer to 7MB */
- if (options->hpn_buffer_size > 7168)
- options->hpn_buffer_size = 7168;
- options->hpn_buffer_size *=1024;
+ if (options->hpn_buffer_size == -1)
+ {
+ /* option not explicitly set. Now we have to figure out */
+ /* what value to use */
+ if (options->hpn_disabled == 1)
+ {
+ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
+ }
+ else
+ {
+ /* get the current RCV size and set it to that */
+ /*create a socket but don't connect it */
+ /* we use that the get the rcv socket size */
+ sock = socket(AF_INET, SOCK_STREAM, 0);
+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+ &socksize, &socksizelen);
+ close(sock);
+ options->hpn_buffer_size = socksize;
+ debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
+
+ }
+ }
+ else
+ {
+ /* we have to do this incase the user sets both values in a contradictory */
+ /* manner. hpn_disabled overrrides hpn_buffer_size*/
+ if (options->hpn_disabled <= 0)
+ {
+ if (options->hpn_buffer_size == 0)
+ options->hpn_buffer_size = 1;
+ /* limit the maximum buffer to 64MB */
+ if (options->hpn_buffer_size > 64*1024)
+ options->hpn_buffer_size = 64*1024;
+ options->hpn_buffer_size *=1024;
+ }
+ else
+ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
}
/* Turn privilege separation on by default */
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
sGssKeyEx,
+ sGssCredsPath,
sGsiAllowLimitedProxy,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand,
- sUsePrivilegeSeparation,
- sNoneEnabled, sTcpRcvBufPoll,
- sHPNDisabled, sHPNBufferSize,
+ sUsePrivilegeSeparation, sNoneEnabled, sTcpRcvBufPoll,
+ sHPNDisabled, sHPNBufferSize,
sDeprecated, sUnsupported
} ServerOpCodes;
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
- { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapicredentialspath", sGssCredsPath, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
#ifdef GSI
{ "gsiallowlimitedproxy", sGsiAllowLimitedProxy, SSHCFG_GLOBAL },
#endif
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
- { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapicredentialspath", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+#ifdef GSI
+ { "gsiallowlimitedproxy", sUnsupported, SSHCFG_GLOBAL },
+#endif
#endif
#ifdef SESSION_HOOKS
{ "allowsessionhooks", sAllowSessionHooks, SSHCFG_GLOBAL },
{ "match", sMatch, SSHCFG_ALL },
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
+ { "noneenabled", sNoneEnabled },
+ { "hpndisabled", sHPNDisabled },
+ { "hpnbuffersize", sHPNBufferSize },
+ { "tcprcvbufpoll", sTcpRcvBufPoll },
{ NULL, sBadOption, 0 }
};
for (i = 0; keywords[i].name; i++)
if (strcasecmp(cp, keywords[i].name) == 0) {
+ debug ("Config token is %s", keywords[i].name);
*flags = keywords[i].flags;
return keywords[i].opcode;
}
intptr = &options->gss_cleanup_creds;
goto parse_flag;
+ case sGssStrictAcceptor:
+ intptr = &options->gss_strict_acceptor;
+ goto parse_flag;
+
+ case sGssCredsPath:
+ charptr = &options->gss_creds_path;
+ goto parse_filename;
+
case sGsiAllowLimitedProxy:
intptr = &options->gsi_allow_limited_proxy;
goto parse_flag;