-/* $OpenBSD: readconf.c,v 1.159 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+ oVisualHostKey, oZeroKnowledgePasswordAuthentication,
+ oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
+ oHPNBufferSize,
oDeprecated, oUnsupported
} OpCodes;
{ "afstokenpassing", oUnsupported },
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
+ { "gssapikeyexchange", oGssKeyEx },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
+ { "gssapiclientidentity", oGssClientIdentity },
+ { "gssapirenewalforcesrekey", oGssRenewalRekey },
#else
{ "gssapiauthentication", oUnsupported },
+ { "gssapikeyexchange", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
+ { "gssapiclientidentity", oUnsupported },
+ { "gssapirenewalforcesrekey", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
{ "identityfile", oIdentityFile },
- { "identityfile2", oIdentityFile }, /* alias */
+ { "identityfile2", oIdentityFile }, /* obsolete */
{ "identitiesonly", oIdentitiesOnly },
{ "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias },
{ "host", oHost },
{ "escapechar", oEscapeChar },
{ "globalknownhostsfile", oGlobalKnownHostsFile },
- { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
- { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
+ { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */
+ { "userknownhostsfile", oUserKnownHostsFile },
{ "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
{ "connectionattempts", oConnectionAttempts },
{ "batchmode", oBatchMode },
{ "tunneldevice", oTunnelDevice },
{ "localcommand", oLocalCommand },
{ "permitlocalcommand", oPermitLocalCommand },
+ { "visualhostkey", oVisualHostKey },
+#ifdef JPAKE
+ { "zeroknowledgepasswordauthentication",
+ oZeroKnowledgePasswordAuthentication },
+#else
+ { "zeroknowledgepasswordauthentication", oUnsupported },
+#endif
+ { "noneenabled", oNoneEnabled },
+ { "tcprcvbufpoll", oTcpRcvBufPoll },
+ { "tcprcvbuf", oTcpRcvBuf },
+ { "noneswitch", oNoneSwitch },
+ { "hpndisabled", oHPNDisabled },
+ { "hpnbuffersize", oHPNBufferSize },
{ NULL, oBadOption }
};
fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
fwd = &options->local_forwards[options->num_local_forwards++];
- fwd->listen_host = (newfwd->listen_host == NULL) ?
- NULL : xstrdup(newfwd->listen_host);
+ fwd->listen_host = newfwd->listen_host;
fwd->listen_port = newfwd->listen_port;
- fwd->connect_host = xstrdup(newfwd->connect_host);
+ fwd->connect_host = newfwd->connect_host;
fwd->connect_port = newfwd->connect_port;
}
SSH_MAX_FORWARDS_PER_DIRECTION);
fwd = &options->remote_forwards[options->num_remote_forwards++];
- fwd->listen_host = (newfwd->listen_host == NULL) ?
- NULL : xstrdup(newfwd->listen_host);
+ fwd->listen_host = newfwd->listen_host;
fwd->listen_port = newfwd->listen_port;
- fwd->connect_host = xstrdup(newfwd->connect_host);
+ fwd->connect_host = newfwd->connect_host;
fwd->connect_port = newfwd->connect_port;
}
{
char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
int opcode, *intptr, value, value2, scale;
+ LogLevel *log_level_ptr;
long long orig, val64;
size_t len;
Forward fwd;
if ((value = convtime(arg)) == -1)
fatal("%s line %d: invalid time value.",
filename, linenum);
- if (*intptr == -1)
+ if (*activep && *intptr == -1)
*intptr = value;
break;
intptr = &options->password_authentication;
goto parse_flag;
+ case oZeroKnowledgePasswordAuthentication:
+ intptr = &options->zero_knowledge_password_authentication;
+ goto parse_flag;
+
case oKbdInteractiveAuthentication:
intptr = &options->kbd_interactive_authentication;
goto parse_flag;
intptr = &options->gss_authentication;
goto parse_flag;
+ case oGssKeyEx:
+ intptr = &options->gss_keyex;
+ goto parse_flag;
+
case oGssDelegateCreds:
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
+ case oGssClientIdentity:
+ charptr = &options->gss_client_identity;
+ goto parse_string;
+
+ case oGssRenewalRekey:
+ intptr = &options->gss_renewal_rekey;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
intptr = &options->check_host_ip;
goto parse_flag;
+ case oNoneEnabled:
+ intptr = &options->none_enabled;
+ goto parse_flag;
+
+ /* we check to see if the command comes from the */
+ /* command line or not. If it does then enable it */
+ /* otherwise fail. NONE should never be a default configuration */
+ case oNoneSwitch:
+ if(strcmp(filename,"command-line")==0)
+ {
+ intptr = &options->none_switch;
+ goto parse_flag;
+ } else {
+ error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
+ error("Continuing...");
+ debug("NoneSwitch directive found in %.200s.", filename);
+ return 0;
+ }
+
+ case oHPNDisabled:
+ intptr = &options->hpn_disabled;
+ goto parse_flag;
+
+ case oHPNBufferSize:
+ intptr = &options->hpn_buffer_size;
+ goto parse_int;
+
+ case oTcpRcvBufPoll:
+ intptr = &options->tcp_rcv_buf_poll;
+ goto parse_flag;
+
case oVerifyHostKeyDNS:
intptr = &options->verify_host_key_dns;
goto parse_yesnoask;
goto parse_int;
case oRekeyLimit:
- intptr = &options->rekey_limit;
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.", filename, linenum);
}
val64 *= scale;
/* detect integer wrap and too-large limits */
- if ((val64 / scale) != orig || val64 > INT_MAX)
+ if ((val64 / scale) != orig || val64 > UINT_MAX)
fatal("%.200s line %d: RekeyLimit too large",
filename, linenum);
if (val64 < 16)
fatal("%.200s line %d: RekeyLimit too small",
filename, linenum);
- if (*activep && *intptr == -1)
- *intptr = (int)val64;
+ if (*activep && options->rekey_limit == -1)
+ options->rekey_limit = (u_int32_t)val64;
break;
case oIdentityFile:
if (*intptr >= SSH_MAX_IDENTITY_FILES)
fatal("%.200s line %d: Too many identity files specified (max %d).",
filename, linenum, SSH_MAX_IDENTITY_FILES);
- charptr = &options->identity_files[*intptr];
+ charptr = &options->identity_files[*intptr];
*charptr = xstrdup(arg);
*intptr = *intptr + 1;
}
intptr = &options->connection_attempts;
goto parse_int;
+ case oTcpRcvBuf:
+ intptr = &options->tcp_rcv_buf;
+ goto parse_int;
+
case oCipher:
intptr = &options->cipher;
arg = strdelim(&s);
break;
case oLogLevel:
- intptr = (int *) &options->log_level;
+ log_level_ptr = &options->log_level;
arg = strdelim(&s);
value = log_level_number(arg);
if (value == SYSLOG_LEVEL_NOT_SET)
fatal("%.200s line %d: unsupported log level '%s'",
filename, linenum, arg ? arg : "<NONE>");
- if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
- *intptr = (LogLevel) value;
+ if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
+ *log_level_ptr = (LogLevel) value;
break;
case oLocalForward:
case oRemoteForward:
+ case oDynamicForward:
arg = strdelim(&s);
if (arg == NULL || *arg == '\0')
fatal("%.200s line %d: Missing port argument.",
filename, linenum);
- arg2 = strdelim(&s);
- if (arg2 == NULL || *arg2 == '\0')
- fatal("%.200s line %d: Missing target argument.",
- filename, linenum);
- /* construct a string for parse_forward */
- snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
+ if (opcode == oLocalForward ||
+ opcode == oRemoteForward) {
+ arg2 = strdelim(&s);
+ if (arg2 == NULL || *arg2 == '\0')
+ fatal("%.200s line %d: Missing target argument.",
+ filename, linenum);
- if (parse_forward(&fwd, fwdarg) == 0)
+ /* construct a string for parse_forward */
+ snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
+ } else if (opcode == oDynamicForward) {
+ strlcpy(fwdarg, arg, sizeof(fwdarg));
+ }
+
+ if (parse_forward(&fwd, fwdarg,
+ opcode == oDynamicForward ? 1 : 0,
+ opcode == oRemoteForward ? 1 : 0) == 0)
fatal("%.200s line %d: Bad forwarding specification.",
filename, linenum);
if (*activep) {
- if (opcode == oLocalForward)
+ if (opcode == oLocalForward ||
+ opcode == oDynamicForward)
add_local_forward(options, &fwd);
else if (opcode == oRemoteForward)
add_remote_forward(options, &fwd);
}
break;
- case oDynamicForward:
- arg = strdelim(&s);
- if (!arg || *arg == '\0')
- fatal("%.200s line %d: Missing port argument.",
- filename, linenum);
- memset(&fwd, '\0', sizeof(fwd));
- fwd.connect_host = "socks";
- fwd.listen_host = hpdelim(&arg);
- if (fwd.listen_host == NULL ||
- strlen(fwd.listen_host) >= NI_MAXHOST)
- fatal("%.200s line %d: Bad forwarding specification.",
- filename, linenum);
- if (arg) {
- fwd.listen_port = a2port(arg);
- fwd.listen_host = cleanhostname(fwd.listen_host);
- } else {
- fwd.listen_port = a2port(fwd.listen_host);
- fwd.listen_host = NULL;
- }
- if (fwd.listen_port == 0)
- fatal("%.200s line %d: Badly formatted port number.",
- filename, linenum);
- if (*activep)
- add_local_forward(options, &fwd);
- break;
-
case oClearAllForwardings:
intptr = &options->clear_forwardings;
goto parse_flag;
intptr = &options->permit_local_command;
goto parse_flag;
+ case oVisualHostKey:
+ intptr = &options->visual_host_key;
+ goto parse_flag;
+
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
int active, linenum;
int bad_options = 0;
- /* Open the file. */
if ((f = fopen(filename, "r")) == NULL)
return 0;
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
+ options->gss_keyex = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
+ options->gss_renewal_rekey = -1;
+ options->gss_client_identity = NULL;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
options->tun_remote = -1;
options->local_command = NULL;
options->permit_local_command = -1;
+ options->visual_host_key = -1;
+ options->zero_knowledge_password_authentication = -1;
+ options->none_switch = -1;
+ options->none_enabled = -1;
+ options->hpn_disabled = -1;
+ options->hpn_buffer_size = -1;
+ options->tcp_rcv_buf_poll = -1;
+ options->tcp_rcv_buf = -1;
}
/*
if (options->challenge_response_authentication == -1)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
- options->gss_authentication = 0;
+ options->gss_authentication = 1;
+ if (options->gss_keyex == -1)
+ options->gss_keyex = 1;
if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
+ options->gss_deleg_creds = 1;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 1;
+ if (options->gss_renewal_rekey == -1)
+ options->gss_renewal_rekey = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
+ if (options->none_switch == -1)
+ options->none_switch = 0;
+ if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
+ if (options->hpn_buffer_size > -1)
+ {
+ /* if a user tries to set the size to 0 set it to 1KB */
+ if (options->hpn_buffer_size == 0)
+ options->hpn_buffer_size = 1024;
+ /*limit the buffer to 64MB*/
+ if (options->hpn_buffer_size > 65536)
+ {
+ options->hpn_buffer_size = 65536*1024;
+ debug("User requested buffer larger than 64MB. Request reverted to 64MB");
+ }
+ debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
+ }
+ if (options->tcp_rcv_buf == 0)
+ options->tcp_rcv_buf = 1;
+ if (options->tcp_rcv_buf > -1)
+ options->tcp_rcv_buf *=1024;
+ if (options->tcp_rcv_buf_poll == -1)
+ options->tcp_rcv_buf_poll = 1;
if (options->control_master == -1)
options->control_master = 0;
if (options->hash_known_hosts == -1)
options->tun_remote = SSH_TUNID_ANY;
if (options->permit_local_command == -1)
options->permit_local_command = 0;
+ if (options->visual_host_key == -1)
+ options->visual_host_key = 0;
+ if (options->zero_knowledge_password_authentication == -1)
+ options->zero_knowledge_password_authentication = 0;
/* options->local_command should not be set by default */
/* options->proxy_command should not be set by default */
/* options->user will be set in the main program if appropriate */
/*
* parse_forward
* parses a string containing a port forwarding specification of the form:
+ * dynamicfwd == 0
* [listenhost:]listenport:connecthost:connectport
+ * dynamicfwd == 1
+ * [listenhost:]listenport
* returns number of arguments parsed or zero on error
*/
int
-parse_forward(Forward *fwd, const char *fwdspec)
+parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
{
int i;
char *p, *cp, *fwdarg[4];
cp = p = xstrdup(fwdspec);
/* skip leading spaces */
- while (*cp && isspace(*cp))
+ while (isspace(*cp))
cp++;
for (i = 0; i < 4; ++i)
if ((fwdarg[i] = hpdelim(&cp)) == NULL)
break;
- /* Check for trailing garbage in 4-arg case*/
+ /* Check for trailing garbage */
if (cp != NULL)
i = 0; /* failure */
switch (i) {
+ case 1:
+ fwd->listen_host = NULL;
+ fwd->listen_port = a2port(fwdarg[0]);
+ fwd->connect_host = xstrdup("socks");
+ break;
+
+ case 2:
+ fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
+ fwd->listen_port = a2port(fwdarg[1]);
+ fwd->connect_host = xstrdup("socks");
+ break;
+
case 3:
fwd->listen_host = NULL;
fwd->listen_port = a2port(fwdarg[0]);
xfree(p);
- if (fwd->listen_port == 0 && fwd->connect_port == 0)
+ if (dynamicfwd) {
+ if (!(i == 1 || i == 2))
+ goto fail_free;
+ } else {
+ if (!(i == 3 || i == 4))
+ goto fail_free;
+ if (fwd->connect_port <= 0)
+ goto fail_free;
+ }
+
+ if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
goto fail_free;
if (fwd->connect_host != NULL &&
strlen(fwd->connect_host) >= NI_MAXHOST)
goto fail_free;
+ if (fwd->listen_host != NULL &&
+ strlen(fwd->listen_host) >= NI_MAXHOST)
+ goto fail_free;
+
return (i);
fail_free:
- if (fwd->connect_host != NULL)
+ if (fwd->connect_host != NULL) {
xfree(fwd->connect_host);
- if (fwd->listen_host != NULL)
+ fwd->connect_host = NULL;
+ }
+ if (fwd->listen_host != NULL) {
xfree(fwd->listen_host);
+ fwd->listen_host = NULL;
+ }
return (0);
}