- djm@cvs.openbsd.org 2004/12/23 23:11:00

     [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
     bz #898: support AddressFamily in sshd_config. from
     peak@argo.troja.mff.cuni.cz; ok deraadt@

diff --git a/ChangeLog b/ChangeLog
index 962a544c5888d8601b5500a4f068ac0408c30e47..eae4a3babc16a9ef6555f9aa59de4b216e969e78 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@
    - markus@cvs.openbsd.org 2004/12/23 17:38:07
      [ssh-keygen.c]
      leak; from mpech
+   - djm@cvs.openbsd.org 2004/12/23 23:11:00
+     [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
+     bz #898: support AddressFamily in sshd_config. from
+     peak@argo.troja.mff.cuni.cz; ok deraadt@
 
 20050118
  - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement

diff --git a/servconf.c b/servconf.c
index fae3c658e1d27968fb91adf3c261155f351a356f..541a9c85b0dfc27a8c21164cd9434b62ebd4756a 100644 (file)
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.137 2004/08/13 11:09:24 dtucker Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.138 2004/12/23 23:11:00 djm Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -26,8 +26,6 @@ RCSID("$OpenBSD: servconf.c,v 1.137 2004/08/13 11:09:24 dtucker Exp $");
 static void add_listen_addr(ServerOptions *, char *, u_short);
 static void add_one_listen_addr(ServerOptions *, char *, u_short);
 
-/* AF_UNSPEC or AF_INET or AF_INET6 */
-extern int IPv4or6;
 /* Use of privilege separation or not */
 extern int use_privsep;
 
@@ -45,6 +43,7 @@ initialize_server_options(ServerOptions *options)
        options->num_ports = 0;
        options->ports_from_cmdline = 0;
        options->listen_addrs = NULL;
+       options->address_family = -1;
        options->num_host_key_files = 0;
        options->pid_file = NULL;
        options->server_key_bits = -1;
@@ -258,7 +257,8 @@ typedef enum {
        sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
        sKerberosGetAFSToken,
        sKerberosTgtPassing, sChallengeResponseAuthentication,
-       sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
+       sPasswordAuthentication, sKbdInteractiveAuthentication,
+       sListenAddress, sAddressFamily,
        sPrintMotd, sPrintLastLog, sIgnoreRhosts,
        sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
        sStrictModes, sEmptyPasswd, sTCPKeepAlive,
@@ -335,6 +335,7 @@ static struct {
        { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
        { "checkmail", sDeprecated },
        { "listenaddress", sListenAddress },
+       { "addressfamily", sAddressFamily },
        { "printmotd", sPrintMotd },
        { "printlastlog", sPrintLastLog },
        { "ignorerhosts", sIgnoreRhosts },
@@ -401,6 +402,8 @@ add_listen_addr(ServerOptions *options, char *addr, u_short port)
 
        if (options->num_ports == 0)
                options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+       if (options->address_family == -1)
+               options->address_family = AF_UNSPEC;
        if (port == 0)
                for (i = 0; i < options->num_ports; i++)
                        add_one_listen_addr(options, addr, options->ports[i]);
@@ -416,7 +419,7 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
        int gaierr;
 
        memset(&hints, 0, sizeof(hints));
-       hints.ai_family = IPv4or6;
+       hints.ai_family = options->address_family;
        hints.ai_socktype = SOCK_STREAM;
        hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
        snprintf(strport, sizeof strport, "%u", port);
@@ -544,6 +547,25 @@ parse_time:
                            filename, linenum);
                break;
 
+       case sAddressFamily:
+               arg = strdelim(&cp);
+               intptr = &options->address_family;
+               if (options->listen_addrs != NULL)
+                       fatal("%s line %d: address family must be specified before "
+                           "ListenAddress.", filename, linenum);
+               if (strcasecmp(arg, "inet") == 0)
+                       value = AF_INET;
+               else if (strcasecmp(arg, "inet6") == 0)
+                       value = AF_INET6;
+               else if (strcasecmp(arg, "any") == 0)
+                       value = AF_UNSPEC;
+               else
+                       fatal("%s line %d: unsupported address family \"%s\".",
+                           filename, linenum, arg);
+               if (*intptr == -1)
+                       *intptr = value;
+               break;
+
        case sHostKeyFile:
                intptr = &options->num_host_key_files;
                if (*intptr >= MAX_HOSTKEYS)

diff --git a/servconf.h b/servconf.h
index ebd056814733acf2bf77126e276da51bf57e737d..f7e56d52105efc895ee8c1e0bd12efd051be91ec 100644 (file)
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: servconf.h,v 1.70 2004/06/24 19:30:54 djm Exp $       */
+/*     $OpenBSD: servconf.h,v 1.71 2004/12/23 23:11:00 djm Exp $       */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -43,6 +43,7 @@ typedef struct {
        u_short ports[MAX_PORTS];       /* Port number to listen on. */
        char   *listen_addr;            /* Address on which the server listens. */
        struct addrinfo *listen_addrs;  /* Addresses on which the server listens. */
+       int     address_family;         /* Address family used by the server. */
        char   *host_key_files[MAX_HOSTKEYS];   /* Files containing host keys. */
        int     num_host_key_files;     /* Number of files for host keys. */
        char   *pid_file;       /* Where to put our pid */

diff --git a/sshd.c b/sshd.c
index 92b1df10c3039462b9e6a8cb444d61529f46eee2..89f36a47436a5938050947726f3e8562a2713ad2 100644 (file)
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.304 2004/09/25 03:45:14 djm Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.305 2004/12/23 23:11:00 djm Exp $");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -111,12 +111,6 @@ ServerOptions options;
 /* Name of the server configuration file. */
 char *config_file_name = _PATH_SERVER_CONFIG_FILE;
 
-/*
- * Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
- * Default value is AF_UNSPEC means both IPv4 and IPv6.
- */
-int IPv4or6 = AF_UNSPEC;
-
 /*
  * Debug mode flag.  This can be set on the command line.  If debug
  * mode is enabled, extra debugging output will be sent to the system
@@ -920,10 +914,10 @@ main(int ac, char **av)
        while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:dDeiqrtQR46")) != -1) {
                switch (opt) {
                case '4':
-                       IPv4or6 = AF_INET;
+                       options.address_family = AF_INET;
                        break;
                case '6':
-                       IPv4or6 = AF_INET6;
+                       options.address_family = AF_INET6;
                        break;
                case 'f':
                        config_file_name = optarg;
@@ -1024,7 +1018,6 @@ main(int ac, char **av)
                closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
 
        SSLeay_add_all_algorithms();
-       channel_set_af(IPv4or6);
 
        /*
         * Force logging to stderr until we have loaded the private host
@@ -1074,6 +1067,9 @@ main(int ac, char **av)
        /* Fill in default values for those options not explicitly set. */
        fill_default_server_options(&options);
 
+       /* set default channel AF */
+       channel_set_af(options.address_family);
+
        /* Check that there are no remaining arguments. */
        if (optind < ac) {
                fprintf(stderr, "Extra argument %s.\n", av[optind]);

diff --git a/sshd_config b/sshd_config
index 65e6f1c32f26ead1c3fcdd16f90b73a45dea4c07..53ae9942e0cd0536f5a80468de562a5dd97786ea 100644 (file)
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#      $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
+#      $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -12,6 +12,7 @@
 
 #Port 22
 #Protocol 2,1
+#AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 

diff --git a/sshd_config.5 b/sshd_config.5
index 50b9a89b1058fc8a9dd88d538279128542701a26..07f91b6ed4bc003d7236e13b9236cee09f811214 100644 (file)
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.36 2004/09/15 03:25:41 jaredy Exp $
+.\" $OpenBSD: sshd_config.5,v 1.37 2004/12/23 23:11:00 djm Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -83,6 +83,17 @@ Be warned that some environment variables could be used to bypass restricted
 user environments.
 For this reason, care should be taken in the use of this directive.
 The default is not to accept any environment variables.
+.It Cm AddressFamily
+Specifies which address family should be used by
+.Nm sshd .
+Valid arguments are
+.Dq any ,
+.Dq inet
+(use IPv4 only) or
+.Dq inet6
+(use IPv6 only).
+The default is
+.Dq any .
 .It Cm AllowGroups
 This keyword can be followed by a list of group name patterns, separated
 by spaces.