*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.94 2001/12/06 13:30:05 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.105 2002/03/20 19:12:24 stevesk Exp $");
#if defined(KRB4) || defined(KRB5)
#include <krb.h>
/* AF_UNSPEC or AF_INET or AF_INET6 */
extern int IPv4or6;
+/* Use of privilege separation or not */
+extern int use_privsep;
/* Initializes the server options to their default values. */
options->print_lastlog = -1;
options->x11_forwarding = -1;
options->x11_display_offset = -1;
+ options->x11_use_localhost = -1;
options->xauth_location = NULL;
options->strict_modes = -1;
options->keepalives = -1;
- options->log_facility = (SyslogFacility) - 1;
- options->log_level = (LogLevel) - 1;
+ options->log_facility = SYSLOG_FACILITY_NOT_SET;
+ options->log_level = SYSLOG_LEVEL_NOT_SET;
options->rhosts_authentication = -1;
options->rhosts_rsa_authentication = -1;
options->hostbased_authentication = -1;
options->max_startups_rate = -1;
options->max_startups = -1;
options->banner = NULL;
- options->reverse_mapping_check = -1;
+ options->verify_reverse_mapping = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
options->authorized_keys_file = NULL;
options->authorized_keys_file2 = NULL;
+
+ /* Needs to be accessable in many places */
+ use_privsep = -1;
}
void
if (options->num_host_key_files == 0) {
/* fill default hostkeys for protocols */
if (options->protocol & SSH_PROTO_1)
- options->host_key_files[options->num_host_key_files++] = _PATH_HOST_KEY_FILE;
- if (options->protocol & SSH_PROTO_2)
- options->host_key_files[options->num_host_key_files++] = _PATH_HOST_DSA_KEY_FILE;
+ options->host_key_files[options->num_host_key_files++] =
+ _PATH_HOST_KEY_FILE;
+ if (options->protocol & SSH_PROTO_2) {
+ options->host_key_files[options->num_host_key_files++] =
+ _PATH_HOST_RSA_KEY_FILE;
+ options->host_key_files[options->num_host_key_files++] =
+ _PATH_HOST_DSA_KEY_FILE;
+ }
}
if (options->num_ports == 0)
options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
options->x11_forwarding = 0;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
-#ifdef _PATH_XAUTH
+ if (options->x11_use_localhost == -1)
+ options->x11_use_localhost = 1;
if (options->xauth_location == NULL)
options->xauth_location = _PATH_XAUTH;
-#endif
if (options->strict_modes == -1)
options->strict_modes = 1;
if (options->keepalives == -1)
options->keepalives = 1;
- if (options->log_facility == (SyslogFacility) (-1))
+ if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
options->log_facility = SYSLOG_FACILITY_AUTH;
- if (options->log_level == (LogLevel) (-1))
+ if (options->log_level == SYSLOG_LEVEL_NOT_SET)
options->log_level = SYSLOG_LEVEL_INFO;
if (options->rhosts_authentication == -1)
options->rhosts_authentication = 0;
if (options->kerberos_tgt_passing == -1)
options->kerberos_tgt_passing = 0;
#endif
-#ifdef AFS
+#ifdef AFS
if (options->afs_token_passing == -1)
options->afs_token_passing = k_hasafs();
#endif
options->max_startups_rate = 100; /* 100% */
if (options->max_startups_begin == -1)
options->max_startups_begin = options->max_startups;
- if (options->reverse_mapping_check == -1)
- options->reverse_mapping_check = 0;
+ if (options->verify_reverse_mapping == -1)
+ options->verify_reverse_mapping = 0;
if (options->client_alive_interval == -1)
- options->client_alive_interval = 0;
+ options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
options->client_alive_count_max = 3;
if (options->authorized_keys_file2 == NULL) {
}
if (options->authorized_keys_file == NULL)
options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
+
+ /* Turn privilege separation _off_ by default */
+ if (use_privsep == -1)
+ use_privsep = 0;
}
/* Keyword tokens. */
sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
- sX11Forwarding, sX11DisplayOffset,
+ sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
sStrictModes, sEmptyPasswd, sKeepAlives,
sUseLogin, sAllowTcpForwarding,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
- sBanner, sReverseMappingCheck, sHostbasedAuthentication,
- sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
+ sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
+ sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
+ sUsePrivilegeSeparation,
sDeprecated
} ServerOpCodes;
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
{ "x11forwarding", sX11Forwarding },
{ "x11displayoffset", sX11DisplayOffset },
+ { "x11uselocalhost", sX11UseLocalhost },
{ "xauthlocation", sXAuthLocation },
{ "strictmodes", sStrictModes },
{ "permitemptypasswords", sEmptyPasswd },
{ "subsystem", sSubsystem },
{ "maxstartups", sMaxStartups },
{ "banner", sBanner },
- { "reversemappingcheck", sReverseMappingCheck },
+ { "verifyreversemapping", sVerifyReverseMapping },
+ { "reversemappingcheck", sVerifyReverseMapping },
{ "clientaliveinterval", sClientAliveInterval },
{ "clientalivecountmax", sClientAliveCountMax },
{ "authorizedkeysfile", sAuthorizedKeysFile },
{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
+ { "useprivilegeseparation", sUsePrivilegeSeparation},
{ NULL, sBadOption }
};
return 0;
if (options->listen_addrs != NULL)
fatal("%s line %d: ports must be specified before "
- "ListenAdress.", filename, linenum);
+ "ListenAddress.", filename, linenum);
if (options->num_ports >= MAX_PORTS)
fatal("%s line %d: too many ports.",
filename, linenum);
intptr = &options->x11_display_offset;
goto parse_int;
+ case sX11UseLocalhost:
+ intptr = &options->x11_use_localhost;
+ goto parse_flag;
+
case sXAuthLocation:
charptr = &options->xauth_location;
goto parse_filename;
intptr = &options->gateway_ports;
goto parse_flag;
- case sReverseMappingCheck:
- intptr = &options->reverse_mapping_check;
+ case sVerifyReverseMapping:
+ intptr = &options->verify_reverse_mapping;
goto parse_flag;
case sLogFacility:
intptr = (int *) &options->log_facility;
arg = strdelim(&cp);
value = log_facility_number(arg);
- if (value == (SyslogFacility) - 1)
+ if (value == SYSLOG_FACILITY_NOT_SET)
fatal("%.200s line %d: unsupported log facility '%s'",
filename, linenum, arg ? arg : "<NONE>");
if (*intptr == -1)
intptr = (int *) &options->log_level;
arg = strdelim(&cp);
value = log_level_number(arg);
- if (value == (LogLevel) - 1)
+ if (value == SYSLOG_LEVEL_NOT_SET)
fatal("%.200s line %d: unsupported log level '%s'",
filename, linenum, arg ? arg : "<NONE>");
if (*intptr == -1)
intptr = &options->allow_tcp_forwarding;
goto parse_flag;
+ case sUsePrivilegeSeparation:
+ intptr = &use_privsep;
+ goto parse_flag;
+
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
value = proto_spec(arg);
if (value == SSH_PROTO_UNKNOWN)
fatal("%s line %d: Bad protocol spec '%s'.",
- filename, linenum, arg ? arg : "<NONE>");
+ filename, linenum, arg ? arg : "<NONE>");
if (*intptr == SSH_PROTO_UNKNOWN)
*intptr = value;
break;
case sSubsystem:
if (options->num_subsystems >= MAX_SUBSYSTEMS) {
fatal("%s line %d: too many subsystems defined.",
- filename, linenum);
+ filename, linenum);
}
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing subsystem name.",
- filename, linenum);
+ filename, linenum);
for (i = 0; i < options->num_subsystems; i++)
if (strcmp(arg, options->subsystem_name[i]) == 0)
fatal("%s line %d: Subsystem '%s' already defined.",
- filename, linenum, arg);
+ filename, linenum, arg);
options->subsystem_name[options->num_subsystems] = xstrdup(arg);
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing subsystem command.",
- filename, linenum);
+ filename, linenum);
options->subsystem_command[options->num_subsystems] = xstrdup(arg);
options->num_subsystems++;
break;
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing MaxStartups spec.",
- filename, linenum);
+ filename, linenum);
if ((n = sscanf(arg, "%d:%d:%d",
&options->max_startups_begin,
&options->max_startups_rate,