*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.101 2002/02/04 12:15:25 markus Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.112 2002/06/23 09:46:51 deraadt Exp $");
-#if defined(KRB4) || defined(KRB5)
+#if defined(KRB4)
+#include <krb.h>
+#endif
+#if defined(KRB5)
+#ifdef HEIMDAL
#include <krb.h>
+#else
+/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
+ * keytab */
+#define KEYFILE "/etc/krb5.keytab"
+#endif
#endif
#ifdef AFS
#include <kafs.h>
/* AF_UNSPEC or AF_INET or AF_INET6 */
extern int IPv4or6;
+/* Use of privilege separation or not */
+extern int use_privsep;
/* Initializes the server options to their default values. */
options->challenge_response_authentication = -1;
options->permit_empty_passwd = -1;
options->use_login = -1;
+ options->compression = -1;
options->allow_tcp_forwarding = -1;
options->num_allow_users = 0;
options->num_deny_users = 0;
options->client_alive_count_max = -1;
options->authorized_keys_file = NULL;
options->authorized_keys_file2 = NULL;
+
+ /* Needs to be accessable in many places */
+ use_privsep = -1;
}
void
options->pubkey_authentication = 1;
#if defined(KRB4) || defined(KRB5)
if (options->kerberos_authentication == -1)
- options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
+ options->kerberos_authentication = 0;
if (options->kerberos_or_local_passwd == -1)
options->kerberos_or_local_passwd = 1;
if (options->kerberos_ticket_cleanup == -1)
#endif
#ifdef AFS
if (options->afs_token_passing == -1)
- options->afs_token_passing = k_hasafs();
+ options->afs_token_passing = 0;
#endif
if (options->password_authentication == -1)
options->password_authentication = 1;
options->permit_empty_passwd = 0;
if (options->use_login == -1)
options->use_login = 0;
+ if (options->compression == -1)
+ options->compression = 1;
if (options->allow_tcp_forwarding == -1)
options->allow_tcp_forwarding = 1;
if (options->gateway_ports == -1)
}
if (options->authorized_keys_file == NULL)
options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
+
+ /* Turn privilege separation on by default */
+ if (use_privsep == -1)
+ use_privsep = 1;
+
+#if !defined(HAVE_MMAP_ANON_SHARED)
+ if (use_privsep && options->compression == 1) {
+ error("This platform does not support both privilege "
+ "separation and compression");
+ error("Compression disabled");
+ options->compression = 0;
+ }
+#endif
+
}
/* Keyword tokens. */
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
sStrictModes, sEmptyPasswd, sKeepAlives,
- sUseLogin, sAllowTcpForwarding,
+ sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
+ sUsePrivilegeSeparation,
sDeprecated
} ServerOpCodes;
{ "strictmodes", sStrictModes },
{ "permitemptypasswords", sEmptyPasswd },
{ "uselogin", sUseLogin },
+ { "compression", sCompression },
{ "keepalive", sKeepAlives },
{ "allowtcpforwarding", sAllowTcpForwarding },
{ "allowusers", sAllowUsers },
{ "clientalivecountmax", sClientAliveCountMax },
{ "authorizedkeysfile", sAuthorizedKeysFile },
{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
+ { "useprivilegeseparation", sUsePrivilegeSeparation},
{ NULL, sBadOption }
};
hints.ai_family = IPv4or6;
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
- snprintf(strport, sizeof strport, "%d", port);
+ snprintf(strport, sizeof strport, "%u", port);
if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
fatal("bad addr or host: %s (%s)",
addr ? addr : "<NULL>",
const char *filename, int linenum)
{
char *cp, **charptr, *arg, *p;
- int *intptr, value;
+ int *intptr, value, i, n;
ServerOpCodes opcode;
- int i, n;
cp = line;
arg = strdelim(&cp);
intptr = &options->use_login;
goto parse_flag;
+ case sCompression:
+ intptr = &options->compression;
+ goto parse_flag;
+
case sGatewayPorts:
intptr = &options->gateway_ports;
goto parse_flag;
intptr = &options->allow_tcp_forwarding;
goto parse_flag;
+ case sUsePrivilegeSeparation:
+ intptr = &use_privsep;
+ goto parse_flag;
+
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
fatal("%s line %d: too many allow users.",
filename, linenum);
- options->allow_users[options->num_allow_users++] = xstrdup(arg);
+ options->allow_users[options->num_allow_users++] =
+ xstrdup(arg);
}
break;
if (options->num_deny_users >= MAX_DENY_USERS)
fatal( "%s line %d: too many deny users.",
filename, linenum);
- options->deny_users[options->num_deny_users++] = xstrdup(arg);
+ options->deny_users[options->num_deny_users++] =
+ xstrdup(arg);
}
break;
if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
fatal("%s line %d: too many allow groups.",
filename, linenum);
- options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
+ options->allow_groups[options->num_allow_groups++] =
+ xstrdup(arg);
}
break;
void
read_server_config(ServerOptions *options, const char *filename)
{
- FILE *f;
+ int linenum, bad_options = 0;
char line[1024];
- int linenum;
- int bad_options = 0;
+ FILE *f;
f = fopen(filename, "r");
if (!f) {
andersk / openssh.git / blobdiff