X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/73fbf63712ecc6757ec1c772dd382070463e7f3b..38501509ae30e4b85edb935261a9accfe7d43623:/servconf.c

diff --git a/servconf.c b/servconf.c
index 72d75cc9..f311ae48 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,10 +10,19 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.103 2002/03/18 23:52:51 stevesk Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.112 2002/06/23 09:46:51 deraadt Exp $");
 
-#if defined(KRB4) || defined(KRB5)
+#if defined(KRB4)
+#include <krb.h>
+#endif
+#if defined(KRB5)
+#ifdef HEIMDAL
 #include <krb.h>
+#else
+/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
+ * keytab */
+#define KEYFILE "/etc/krb5.keytab"
+#endif
 #endif
 #ifdef AFS
 #include <kafs.h>
@@ -93,6 +102,7 @@ initialize_server_options(ServerOptions *options)
 	options->challenge_response_authentication = -1;
 	options->permit_empty_passwd = -1;
 	options->use_login = -1;
+	options->compression = -1;
 	options->allow_tcp_forwarding = -1;
 	options->num_allow_users = 0;
 	options->num_deny_users = 0;
@@ -113,10 +123,6 @@ initialize_server_options(ServerOptions *options)
 	options->authorized_keys_file = NULL;
 	options->authorized_keys_file2 = NULL;
 
-	options->unprivileged_user = -1;
-	options->unprivileged_group = -1;
-	options->unprivileged_dir = NULL;
-
 	/* Needs to be accessable in many places */
 	use_privsep = -1;
 }
@@ -195,7 +201,7 @@ fill_default_server_options(ServerOptions *options)
 		options->pubkey_authentication = 1;
 #if defined(KRB4) || defined(KRB5)
 	if (options->kerberos_authentication == -1)
-		options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
+		options->kerberos_authentication = 0;
 	if (options->kerberos_or_local_passwd == -1)
 		options->kerberos_or_local_passwd = 1;
 	if (options->kerberos_ticket_cleanup == -1)
@@ -207,7 +213,7 @@ fill_default_server_options(ServerOptions *options)
 #endif
 #ifdef AFS
 	if (options->afs_token_passing == -1)
-		options->afs_token_passing = k_hasafs();
+		options->afs_token_passing = 0;
 #endif
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
@@ -219,6 +225,8 @@ fill_default_server_options(ServerOptions *options)
 		options->permit_empty_passwd = 0;
 	if (options->use_login == -1)
 		options->use_login = 0;
+	if (options->compression == -1)
+		options->compression = 1;
 	if (options->allow_tcp_forwarding == -1)
 		options->allow_tcp_forwarding = 1;
 	if (options->gateway_ports == -1)
@@ -245,15 +253,19 @@ fill_default_server_options(ServerOptions *options)
 	if (options->authorized_keys_file == NULL)
 		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
 
-	/* Turn privilege separation _off_ by default */
+	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
-		use_privsep = 0;
-	if (options->unprivileged_user == -1)
-		options->unprivileged_user = 32767;
-	if (options->unprivileged_group == -1)
-		options->unprivileged_group = 32767;
-	if (options->unprivileged_dir == NULL)
-		options->unprivileged_dir = "/var/empty";
+		use_privsep = 1;
+
+#if !defined(HAVE_MMAP_ANON_SHARED)
+	if (use_privsep && options->compression == 1) {
+		error("This platform does not support both privilege "
+		    "separation and compression");
+		error("Compression disabled");
+		options->compression = 0;
+	}
+#endif
+
 }
 
 /* Keyword tokens. */
@@ -279,14 +291,14 @@ typedef enum {
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 	sStrictModes, sEmptyPasswd, sKeepAlives,
-	sUseLogin, sAllowTcpForwarding,
+	sUseLogin, sAllowTcpForwarding, sCompression,
 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
 	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
-	sUsePrivilegeSeparation, sUnprivUser, sUnprivGroup, sUnprivDir,
+	sUsePrivilegeSeparation,
 	sDeprecated
 } ServerOpCodes;
 
@@ -343,6 +355,7 @@ static struct {
 	{ "strictmodes", sStrictModes },
 	{ "permitemptypasswords", sEmptyPasswd },
 	{ "uselogin", sUseLogin },
+	{ "compression", sCompression },
 	{ "keepalive", sKeepAlives },
 	{ "allowtcpforwarding", sAllowTcpForwarding },
 	{ "allowusers", sAllowUsers },
@@ -363,9 +376,6 @@ static struct {
 	{ "authorizedkeysfile", sAuthorizedKeysFile },
 	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
 	{ "useprivilegeseparation", sUsePrivilegeSeparation},
-	{ "unprivuser", sUnprivUser},
-	{ "unprivgroup", sUnprivGroup},
-	{ "unprivdir", sUnprivDir},
 	{ NULL, sBadOption }
 };
 
@@ -413,7 +423,7 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
 	hints.ai_family = IPv4or6;
 	hints.ai_socktype = SOCK_STREAM;
 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
-	snprintf(strport, sizeof strport, "%d", port);
+	snprintf(strport, sizeof strport, "%u", port);
 	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
 		fatal("bad addr or host: %s (%s)",
 		    addr ? addr : "<NULL>",
@@ -429,9 +439,8 @@ process_server_config_line(ServerOptions *options, char *line,
     const char *filename, int linenum)
 {
 	char *cp, **charptr, *arg, *p;
-	int *intptr, value;
+	int *intptr, value, i, n;
 	ServerOpCodes opcode;
-	int i, n;
 
 	cp = line;
 	arg = strdelim(&cp);
@@ -708,6 +717,10 @@ parse_flag:
 		intptr = &options->use_login;
 		goto parse_flag;
 
+	case sCompression:
+		intptr = &options->compression;
+		goto parse_flag;
+
 	case sGatewayPorts:
 		intptr = &options->gateway_ports;
 		goto parse_flag;
@@ -746,24 +759,13 @@ parse_flag:
 		intptr = &use_privsep;
 		goto parse_flag;
 
-	case sUnprivUser:
-		intptr = &options->unprivileged_user;
-		goto parse_int;
-
-	case sUnprivGroup:
-		intptr = &options->unprivileged_group;
-		goto parse_int;
-
-	case sUnprivDir:
-		charptr = &options->unprivileged_dir;
-		goto parse_filename;
-
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
 			if (options->num_allow_users >= MAX_ALLOW_USERS)
 				fatal("%s line %d: too many allow users.",
 				    filename, linenum);
-			options->allow_users[options->num_allow_users++] = xstrdup(arg);
+			options->allow_users[options->num_allow_users++] =
+			    xstrdup(arg);
 		}
 		break;
 
@@ -772,7 +774,8 @@ parse_flag:
 			if (options->num_deny_users >= MAX_DENY_USERS)
 				fatal( "%s line %d: too many deny users.",
 				    filename, linenum);
-			options->deny_users[options->num_deny_users++] = xstrdup(arg);
+			options->deny_users[options->num_deny_users++] =
+			    xstrdup(arg);
 		}
 		break;
 
@@ -781,7 +784,8 @@ parse_flag:
 			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
 				fatal("%s line %d: too many allow groups.",
 				    filename, linenum);
-			options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
+			options->allow_groups[options->num_allow_groups++] =
+			    xstrdup(arg);
 		}
 		break;
 
@@ -919,10 +923,9 @@ parse_flag:
 void
 read_server_config(ServerOptions *options, const char *filename)
 {
-	FILE *f;
+	int linenum, bad_options = 0;
 	char line[1024];
-	int linenum;
-	int bad_options = 0;
+	FILE *f;
 
 	f = fopen(filename, "r");
 	if (!f) {