]> andersk Git - openssh.git/blobdiff - servconf.c
- deraadt@cvs.openbsd.org 2002/05/22 23:18:25
index 3b6b55e93f154dec8d58de4237fb07a43a8567d5..7a776ac8e8a797a7a5134a72e62eaac42dfa6833 100644 (file)
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.102 2002/03/18 17:50:31 provos Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.110 2002/05/15 21:56:38 markus Exp $");
 
-#if defined(KRB4) || defined(KRB5)
+#if defined(KRB4)
+#include <krb.h>
+#endif
+#if defined(KRB5)
+#ifdef HEIMDAL
 #include <krb.h>
+#else
+/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
+ * keytab */
+#define KEYFILE "/etc/krb5.keytab"
+#endif
 #endif
 #ifdef AFS
 #include <kafs.h>
@@ -113,10 +122,6 @@ initialize_server_options(ServerOptions *options)
        options->authorized_keys_file = NULL;
        options->authorized_keys_file2 = NULL;
 
-       options->unprivileged_user = -1;
-       options->unprivileged_group = -1;
-       options->unprivileged_dir = NULL;
-
        /* Needs to be accessable in many places */
        use_privsep = -1;
 }
@@ -195,7 +200,7 @@ fill_default_server_options(ServerOptions *options)
                options->pubkey_authentication = 1;
 #if defined(KRB4) || defined(KRB5)
        if (options->kerberos_authentication == -1)
-               options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
+               options->kerberos_authentication = 0;
        if (options->kerberos_or_local_passwd == -1)
                options->kerberos_or_local_passwd = 1;
        if (options->kerberos_ticket_cleanup == -1)
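Review bot: The new default `options->kerberos_authentication = 0;` silently disables Kerberos authentication on servers that previously got it implicitly from a readable keytab, and nothing at the assignment says this is deliberate. A short comment such as `/* Off unless enabled explicitly; no longer inferred from a readable KEYFILE */` would record the intent, and the same applies to `options->afs_token_passing = 0;` in the next hunk. With the `access(KEYFILE, R_OK)` call removed, the `#define KEYFILE "/etc/krb5.keytab"` added in the first hunk has no use left in the lines shown; check whether another file still needs it before keeping the "bodge". fill_default_server_options starts and ends outside this hunk.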
@@ -207,7 +212,7 @@ fill_default_server_options(ServerOptions *options)
 #endif
 #ifdef AFS
        if (options->afs_token_passing == -1)
-               options->afs_token_passing = k_hasafs();
+               options->afs_token_passing = 0;
 #endif
        if (options->password_authentication == -1)
                options->password_authentication = 1;
@@ -245,15 +250,9 @@ fill_default_server_options(ServerOptions *options)
        if (options->authorized_keys_file == NULL)
                options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
 
-       /* Turn privilege separation _off_ by default */
+       /* Turn privilege separation on by default */
        if (use_privsep == -1)
-               use_privsep = 0;
-       if (options->unprivileged_user == -1)
-               options->unprivileged_user = 32767;
-       if (options->unprivileged_group == -1)
-               options->unprivileged_group = 32767;
-       if (options->unprivileged_dir == NULL)
-               options->unprivileged_dir = "/var/empty";
+               use_privsep = 1;
 }
 
 /* Keyword tokens. */
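Review bot: With `use_privsep = 1;` as the default and the `unprivileged_user`/`unprivileged_group`/`unprivileged_dir` fallbacks removed, nothing in this function says which account and directory the unprivileged child now uses. They presumably come from a build-time setting outside this diff, so a comment at the assignment naming that source would help, e.g. `/* unprivileged user and chroot dir are fixed at build time, see <header> */`. Because the default is now on, it is also worth confirming that startup fails with a clear error when that account or directory is missing. Separately, the later hunks drop `unprivuser`, `unprivgroup` and `unprivdir` from the keyword table, so any existing sshd_config that sets them will likely be rejected as a bad option. If these keywords ever shipped, mapping them to the existing `sDeprecated` opcode, e.g. `{ "unprivuser", sDeprecated },`, would keep such configs loading.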
@@ -286,7 +285,7 @@ typedef enum {
        sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
        sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
-       sUsePrivilegeSeparation, sUnprivUser, sUnprivGroup, sUnprivDir,
+       sUsePrivilegeSeparation,
        sDeprecated
 } ServerOpCodes;
 
@@ -363,9 +362,6 @@ static struct {
        { "authorizedkeysfile", sAuthorizedKeysFile },
        { "authorizedkeysfile2", sAuthorizedKeysFile2 },
        { "useprivilegeseparation", sUsePrivilegeSeparation},
-       { "unprivuser", sUnprivUser},
-       { "unprivgroup", sUnprivGroup},
-       { "unprivdir", sUnprivDir},
        { NULL, sBadOption }
 };
 
@@ -746,18 +742,6 @@ parse_flag:
                intptr = &use_privsep;
                goto parse_flag;
 
-       case sUnprivUser:
-               intptr = &options->unprivileged_user;
-               goto parse_flag;
-
-       case sUnprivGroup:
-               intptr = &options->unprivileged_group;
-               goto parse_flag;
-
-       case sUnprivDir:
-               charptr = &options->unprivileged_dir;
-               goto parse_filename;
-
        case sAllowUsers:
                while ((arg = strdelim(&cp)) && *arg != '\0') {
                        if (options->num_allow_users >= MAX_ALLOW_USERS)