X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/cf851879472cd5d1338abaf8686301e989362a50..d837615aa540e1d403bd3eaff7b62027cb3097f6:/servconf.c diff --git a/servconf.c b/servconf.c index 4edc80ef..1a754517 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.162 2006/08/01 23:22:47 stevesk Exp $ */ +/* $OpenBSD: servconf.c,v 1.172 2007/04/23 10:15:39 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -16,23 +16,29 @@ #include #include +#include #include #include #include +#include #include +#include +#include "xmalloc.h" #include "ssh.h" #include "log.h" +#include "buffer.h" #include "servconf.h" -#include "xmalloc.h" #include "compat.h" #include "pathnames.h" #include "misc.h" #include "cipher.h" +#include "key.h" #include "kex.h" #include "mac.h" #include "match.h" #include "channels.h" +#include "groupaccess.h" static void add_listen_addr(ServerOptions *, char *, u_short); static void add_one_listen_addr(ServerOptions *, char *, u_short); @@ -319,14 +325,14 @@ static struct { { "syslogfacility", sLogFacility, SSHCFG_GLOBAL }, { "loglevel", sLogLevel, SSHCFG_GLOBAL }, { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL }, - { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL }, - { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_GLOBAL }, + { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL }, + { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL }, { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL }, - { "rsaauthentication", sRSAAuthentication, SSHCFG_GLOBAL }, - { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, + { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL }, + { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL }, { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */ #ifdef KRB5 - { "kerberosauthentication", sKerberosAuthentication, SSHCFG_GLOBAL }, + { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL }, { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL }, #ifdef USE_AFS @@ -335,7 +341,7 @@ static struct { { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif #else - { "kerberosauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "kerberosauthentication", sUnsupported, SSHCFG_ALL }, { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, @@ -343,14 +349,14 @@ static struct { { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, #ifdef GSSAPI - { "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL }, + { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, #else - { "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL }, + { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, #endif - { "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL }, - { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL }, + { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */ { "checkmail", sDeprecated, SSHCFG_GLOBAL }, @@ -383,7 +389,7 @@ static struct { { "subsystem", sSubsystem, SSHCFG_GLOBAL }, { "maxstartups", sMaxStartups, SSHCFG_GLOBAL }, { "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL }, - { "banner", sBanner, SSHCFG_GLOBAL }, + { "banner", sBanner, SSHCFG_ALL }, { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, @@ -492,6 +498,51 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port) * PermittedChannelRequests session,forwarded-tcpip */ +static int +match_cfg_line_group(const char *grps, int line, const char *user) +{ + int result = 0; + u_int ngrps = 0; + char *arg, *p, *cp, *grplist[MAX_MATCH_GROUPS]; + struct passwd *pw; + + /* + * Even if we do not have a user yet, we still need to check for + * valid syntax. + */ + arg = cp = xstrdup(grps); + while ((p = strsep(&cp, ",")) != NULL && *p != '\0') { + if (ngrps >= MAX_MATCH_GROUPS) { + error("line %d: too many groups in Match Group", line); + result = -1; + goto out; + } + grplist[ngrps++] = p; + } + + if (user == NULL) + goto out; + + if ((pw = getpwnam(user)) == NULL) { + debug("Can't match group at line %d because user %.100s does " + "not exist", line, user); + } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) { + debug("Can't Match group because user %.100s not in any group " + "at line %d", user, line); + } else if (ga_match(grplist, ngrps) != 1) { + debug("user %.100s does not match group %.100s at line %d", + user, arg, line); + } else { + debug("user %.100s matched group %.100s at line %d", user, + arg, line); + result = 1; + } +out: + ga_free(); + xfree(arg); + return result; +} + static int match_cfg_line(char **condition, int line, const char *user, const char *host, const char *address) @@ -523,6 +574,13 @@ match_cfg_line(char **condition, int line, const char *user, const char *host, else debug("user %.100s matched 'User %.100s' at " "line %d", user, arg, line); + } else if (strcasecmp(attrib, "group") == 0) { + switch (match_cfg_line_group(arg, line, user)) { + case -1: + return -1; + case 0: + result = 0; + } } else if (strcasecmp(attrib, "host") == 0) { if (!host) { result = 0; @@ -534,7 +592,6 @@ match_cfg_line(char **condition, int line, const char *user, const char *host, debug("connection from %.100s matched 'Host " "%.100s' at line %d", host, arg, line); } else if (strcasecmp(attrib, "address") == 0) { - debug("address '%s' arg '%s'", address, arg); if (!address) { result = 0; continue; @@ -910,7 +967,7 @@ parse_flag: else fatal("%s line %d: Bad yes/no/clientspecified " "argument: %s", filename, linenum, arg); - if (*intptr == -1) + if (*activep && *intptr == -1) *intptr = value; break; @@ -961,7 +1018,7 @@ parse_flag: case sDenyUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_deny_users >= MAX_DENY_USERS) - fatal( "%s line %d: too many deny users.", + fatal("%s line %d: too many deny users.", filename, linenum); options->deny_users[options->num_deny_users++] = xstrdup(arg); @@ -1096,7 +1153,7 @@ parse_flag: */ case sAuthorizedKeysFile: case sAuthorizedKeysFile2: - charptr = (opcode == sAuthorizedKeysFile ) ? + charptr = (opcode == sAuthorizedKeysFile) ? &options->authorized_keys_file : &options->authorized_keys_file2; goto parse_filename; @@ -1162,13 +1219,16 @@ parse_flag: if (!arg || *arg == '\0') fatal("%s line %d: missing PermitOpen specification", filename, linenum); + n = options->num_permitted_opens; /* modified later */ if (strcmp(arg, "any") == 0) { - if (*activep) { + if (*activep && n == -1) { channel_clear_adm_permitted_opens(); options->num_permitted_opens = 0; } break; } + if (*activep && n == -1) + channel_clear_adm_permitted_opens(); for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) { p = hpdelim(&arg); if (p == NULL) @@ -1178,11 +1238,9 @@ parse_flag: if (arg == NULL || (port = a2port(arg)) == 0) fatal("%s line %d: bad port number in " "PermitOpen", filename, linenum); - if (*activep && options->num_permitted_opens == -1) { - channel_clear_adm_permitted_opens(); + if (*activep && n == -1) options->num_permitted_opens = channel_add_adm_permitted_opens(p, port); - } } break; @@ -1258,30 +1316,55 @@ parse_server_match_config(ServerOptions *options, const char *user, initialize_server_options(&mo); parse_server_config(&mo, "reprocess config", &cfg, user, host, address); - copy_set_server_options(options, &mo); + copy_set_server_options(options, &mo, 0); } -/* Copy any (supported) values that are set */ +/* Helper macros */ +#define M_CP_INTOPT(n) do {\ + if (src->n != -1) \ + dst->n = src->n; \ +} while (0) +#define M_CP_STROPT(n) do {\ + if (src->n != NULL) { \ + if (dst->n != NULL) \ + xfree(dst->n); \ + dst->n = src->n; \ + } \ +} while(0) + +/* + * Copy any supported values that are set. + * + * If the preauth flag is set, we do not bother copying the the string or + * array values that are not used pre-authentication, because any that we + * do use must be explictly sent in mm_getpwnamallow(). + */ void -copy_set_server_options(ServerOptions *dst, ServerOptions *src) +copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) { - if (src->allow_tcp_forwarding != -1) - dst->allow_tcp_forwarding = src->allow_tcp_forwarding; - if (src->gateway_ports != -1) - dst->gateway_ports = src->gateway_ports; - if (src->adm_forced_command != NULL) { - if (dst->adm_forced_command != NULL) - xfree(dst->adm_forced_command); - dst->adm_forced_command = src->adm_forced_command; - } - if (src->x11_display_offset != -1) - dst->x11_display_offset = src->x11_display_offset; - if (src->x11_forwarding != -1) - dst->x11_forwarding = src->x11_forwarding; - if (src->x11_use_localhost != -1) - dst->x11_use_localhost = src->x11_use_localhost; + M_CP_INTOPT(password_authentication); + M_CP_INTOPT(gss_authentication); + M_CP_INTOPT(rsa_authentication); + M_CP_INTOPT(pubkey_authentication); + M_CP_INTOPT(kerberos_authentication); + M_CP_INTOPT(hostbased_authentication); + M_CP_INTOPT(kbd_interactive_authentication); + + M_CP_INTOPT(allow_tcp_forwarding); + M_CP_INTOPT(gateway_ports); + M_CP_INTOPT(x11_display_offset); + M_CP_INTOPT(x11_forwarding); + M_CP_INTOPT(x11_use_localhost); + + M_CP_STROPT(banner); + if (preauth) + return; + M_CP_STROPT(adm_forced_command); } +#undef M_CP_INTOPT +#undef M_CP_STROPT + void parse_server_config(ServerOptions *options, const char *filename, Buffer *conf, const char *user, const char *host, const char *address)