-/* $OpenBSD: servconf.c,v 1.194 2009/01/22 10:02:34 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.195 2009/04/14 21:10:54 jj Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
/* Portable-specific options */
options->use_pam = -1;
+ options->permit_pam_user_change = -1;
/* Standard Options */
options->num_ports = 0;
options->kerberos_authentication = -1;
options->kerberos_or_local_passwd = -1;
options->kerberos_ticket_cleanup = -1;
+#ifdef SESSION_HOOKS
+ options->session_hooks_allow = -1;
+ options->session_hooks_startup_cmd = NULL;
+ options->session_hooks_shutdown_cmd = NULL;
+#endif
options->kerberos_get_afs_token = -1;
- options->gss_authentication=-1;
+ options->gss_authentication = -1;
+ options->gss_deleg_creds = -1;
+ options->gss_keyex = -1;
options->gss_cleanup_creds = -1;
+ options->gss_strict_acceptor = -1;
+ options->gsi_allow_limited_proxy = -1;
+ options->gss_store_rekey = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
options->zero_knowledge_password_authentication = -1;
+ options->none_enabled = -1;
+ options->tcp_rcv_buf_poll = -1;
+ options->hpn_disabled = -1;
+ options->hpn_buffer_size = -1;
}
void
fill_default_server_options(ServerOptions *options)
{
+ /* needed for hpn socket tests */
+ int sock;
+ int socksize;
+ int socksizelen = sizeof(int);
+
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
+ if (options->permit_pam_user_change == -1)
+ options->permit_pam_user_change = 0;
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
- options->gss_authentication = 0;
+ options->gss_authentication = 1;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 1;
+ if (options->gss_keyex == -1)
+ options->gss_keyex = 1;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
+ if (options->gss_strict_acceptor == -1)
+ options->gss_strict_acceptor = 1;
+ if (options->gsi_allow_limited_proxy == -1)
+ options->gsi_allow_limited_proxy = 0;
+ if (options->gss_store_rekey == -1)
+ options->gss_store_rekey = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
if (options->zero_knowledge_password_authentication == -1)
options->zero_knowledge_password_authentication = 0;
+ if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
+
+ if (options->hpn_buffer_size == -1) {
+ /* option not explicitly set. Now we have to figure out */
+ /* what value to use */
+ if (options->hpn_disabled == 1) {
+ options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
+ } else {
+ /* get the current RCV size and set it to that */
+ /*create a socket but don't connect it */
+ /* we use that the get the rcv socket size */
+ sock = socket(AF_INET, SOCK_STREAM, 0);
+ getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+ &socksize, &socksizelen);
+ close(sock);
+ options->hpn_buffer_size = socksize;
+ debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
+
+ }
+ } else {
+ /* we have to do this incase the user sets both values in a contradictory */
+ /* manner. hpn_disabled overrrides hpn_buffer_size*/
+ if (options->hpn_disabled <= 0) {
+ if (options->hpn_buffer_size == 0)
+ options->hpn_buffer_size = 1;
+ /* limit the maximum buffer to 64MB */
+ if (options->hpn_buffer_size > 64*1024) {
+ options->hpn_buffer_size = 64*1024*1024;
+ } else {
+ options->hpn_buffer_size *= 1024;
+ }
+ } else
+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ }
+
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = 1;
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
- sUsePAM,
+ sUsePAM, sPermitPAMUserChange,
/* Standard Options */
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
sPermitRootLogin, sLogFacility, sLogLevel,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
sKerberosGetAFSToken,
sKerberosTgtPassing, sChallengeResponseAuthentication,
+#ifdef SESSION_HOOKS
+ sAllowSessionHooks, sSessionHookStartupCmd, sSessionHookShutdownCmd,
+#endif
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sGssDelegateCreds,
+ sGssCredsPath,
+ sGsiAllowLimitedProxy,
+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssKeyEx, sGssStoreRekey,
+ sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication,
+ sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
sDeprecated, sUnsupported
} ServerOpCodes;
/* Portable-specific options */
#ifdef USE_PAM
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
+ { "permitpamuserchange", sPermitPAMUserChange, SSHCFG_GLOBAL },
#else
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
+ { "permitpamuserchange", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
- { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
+ { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
#ifdef KRB5
{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+ { "gssapidelegatecredentials", sGssDelegateCreds, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapicredentialspath", sGssCredsPath, SSHCFG_GLOBAL },
+#ifdef GSI
+ { "gsiallowlimitedproxy", sGsiAllowLimitedProxy, SSHCFG_GLOBAL },
+#endif
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ { "gssapidelegatecredentials", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapicredentialspath", sUnsupported, SSHCFG_GLOBAL },
+#ifdef GSI
+ { "gsiallowlimitedproxy", sUnsupported, SSHCFG_GLOBAL },
+#endif
+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
#endif
+#ifdef SESSION_HOOKS
+ { "allowsessionhooks", sAllowSessionHooks, SSHCFG_GLOBAL },
+ { "sessionhookstartupcmd", sSessionHookStartupCmd, SSHCFG_GLOBAL },
+ { "sessionhookshutdowncmd", sSessionHookShutdownCmd, SSHCFG_GLOBAL },
+#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
- { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
+ { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
- { "match", sMatch, SSHCFG_ALL },
+ { "match", sMatch, SSHCFG_ALL },
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
+ { "noneenabled", sNoneEnabled },
+ { "hpndisabled", sHPNDisabled },
+ { "hpnbuffersize", sHPNBufferSize },
+ { "tcprcvbufpoll", sTcpRcvBufPoll },
{ NULL, sBadOption, 0 }
};
for (i = 0; keywords[i].name; i++)
if (strcasecmp(cp, keywords[i].name) == 0) {
+ debug ("Config token is %s", keywords[i].name);
*flags = keywords[i].flags;
return keywords[i].opcode;
}
intptr = &options->use_pam;
goto parse_flag;
+ case sPermitPAMUserChange:
+ intptr = &options->permit_pam_user_change;
+ goto parse_flag;
+
/* Standard Options */
case sBadOption:
return -1;
*intptr = value;
break;
+ case sNoneEnabled:
+ intptr = &options->none_enabled;
+ goto parse_flag;
+
+ case sTcpRcvBufPoll:
+ intptr = &options->tcp_rcv_buf_poll;
+ goto parse_flag;
+
+ case sHPNDisabled:
+ intptr = &options->hpn_disabled;
+ goto parse_flag;
+
+ case sHPNBufferSize:
+ intptr = &options->hpn_buffer_size;
+ goto parse_int;
+
case sIgnoreUserKnownHosts:
intptr = &options->ignore_user_known_hosts;
goto parse_flag;
intptr = &options->gss_authentication;
goto parse_flag;
+ case sGssDelegateCreds:
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+
+ case sGssKeyEx:
+ intptr = &options->gss_keyex;
+ goto parse_flag;
+
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
+ case sGssCredsPath:
+ charptr = &options->gss_creds_path;
+ goto parse_filename;
+
+ case sGssStrictAcceptor:
+ intptr = &options->gss_strict_acceptor;
+ goto parse_flag;
+
+ case sGssStoreRekey:
+ intptr = &options->gss_store_rekey;
+ goto parse_flag;
+
+#ifdef GSI
+ case sGsiAllowLimitedProxy:
+ intptr = &options->gsi_allow_limited_proxy;
+ goto parse_flag;
+#endif
+
+#ifdef SESSION_HOOKS
+ case sAllowSessionHooks:
+ intptr = &options->session_hooks_allow;
+ goto parse_flag;
+ case sSessionHookStartupCmd:
+ case sSessionHookShutdownCmd:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: empty session hook command",
+ filename, linenum);
+ if (opcode==sSessionHookStartupCmd)
+ options->session_hooks_startup_cmd = strdup(arg);
+ else
+ options->session_hooks_shutdown_cmd = strdup(arg);
+ break;
+#endif
+
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
/*
* Copy any supported values that are set.
*
- * If the preauth flag is set, we do not bother copying the the string or
+ * If the preauth flag is set, we do not bother copying the string or
* array values that are not used pre-authentication, because any that we
* do use must be explictly sent in mm_getpwnamallow().
*/
{
M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication);
+ M_CP_INTOPT(gss_deleg_creds);
M_CP_INTOPT(rsa_authentication);
M_CP_INTOPT(pubkey_authentication);
M_CP_INTOPT(kerberos_authentication);