|
|
d7ff6e |
diff -up openssh-8.0p1/auth.c.sshdinclude openssh-8.0p1/auth.c
|
|
|
d7ff6e |
--- openssh-8.0p1/auth.c.sshdinclude 2021-10-20 15:18:49.740331098 +0200
|
|
|
d7ff6e |
+++ openssh-8.0p1/auth.c 2021-10-20 15:19:41.324781344 +0200
|
|
|
d7ff6e |
@@ -80,6 +80,7 @@
|
|
|
d7ff6e |
|
|
|
d7ff6e |
/* import */
|
|
|
d7ff6e |
extern ServerOptions options;
|
|
|
d7ff6e |
+extern struct include_list includes;
|
|
|
d7ff6e |
extern int use_privsep;
|
|
|
d7ff6e |
extern struct sshbuf *loginmsg;
|
|
|
d7ff6e |
extern struct passwd *privsep_pw;
|
|
|
d7ff6e |
@@ -573,7 +574,7 @@ getpwnamallow(struct ssh *ssh, const cha
|
|
|
d7ff6e |
|
|
|
d7ff6e |
ci = get_connection_info(ssh, 1, options.use_dns);
|
|
|
d7ff6e |
ci->user = user;
|
|
|
d7ff6e |
- parse_server_match_config(&options, ci);
|
|
|
d7ff6e |
+ parse_server_match_config(&options, &includes, ci);
|
|
|
d7ff6e |
log_change_level(options.log_level);
|
|
|
d7ff6e |
process_permitopen(ssh, &options);
|
|
|
d7ff6e |
|
|
|
d7ff6e |
diff -up openssh-8.0p1/readconf.c.sshdinclude openssh-8.0p1/readconf.c
|
|
|
d7ff6e |
--- openssh-8.0p1/readconf.c.sshdinclude 2021-10-20 15:21:43.541848103 +0200
|
|
|
d7ff6e |
+++ openssh-8.0p1/readconf.c 2021-10-20 15:22:06.302046768 +0200
|
|
|
d7ff6e |
@@ -711,7 +711,7 @@ match_cfg_line(Options *options, char **
|
|
|
d7ff6e |
static void
|
|
|
d7ff6e |
rm_env(Options *options, const char *arg, const char *filename, int linenum)
|
|
|
d7ff6e |
{
|
|
|
d7ff6e |
- int i, j;
|
|
|
d7ff6e |
+ int i, j, onum_send_env = options->num_send_env;
|
|
|
d7ff6e |
char *cp;
|
|
|
d7ff6e |
|
|
|
d7ff6e |
/* Remove an environment variable */
|
|
|
d7ff6e |
@@ -734,6 +734,11 @@ rm_env(Options *options, const char *arg
|
|
|
d7ff6e |
options->num_send_env--;
|
|
|
d7ff6e |
/* NB. don't increment i */
|
|
|
d7ff6e |
}
|
|
|
d7ff6e |
+ if (onum_send_env != options->num_send_env) {
|
|
|
d7ff6e |
+ options->send_env = xrecallocarray(options->send_env,
|
|
|
d7ff6e |
+ onum_send_env, options->num_send_env,
|
|
|
d7ff6e |
+ sizeof(*options->send_env));
|
|
|
d7ff6e |
+ }
|
|
|
d7ff6e |
}
|
|
|
d7ff6e |
|
|
|
d7ff6e |
/*
|
|
|
d7ff6e |
diff -up openssh-8.0p1/regress/Makefile.sshdinclude openssh-8.0p1/regress/Makefile
|
|
|
d7ff6e |
--- openssh-8.0p1/regress/Makefile.sshdinclude 2021-10-20 15:18:49.742331115 +0200
|
|
|
d7ff6e |
+++ openssh-8.0p1/regress/Makefile 2021-10-20 15:19:41.324781344 +0200
|
|
|
d7ff6e |
@@ -82,6 +82,7 @@ LTESTS= connect \
|
|
|
d7ff6e |
principals-command \
|
|
|
d7ff6e |
cert-file \
|
|
|
d7ff6e |
cfginclude \
|
|
|
d7ff6e |
+ servcfginclude \
|
|
|
d7ff6e |
allow-deny-users \
|
|
|
d7ff6e |
authinfo
|
|
|
d7ff6e |
|
|
|
d7ff6e |
@@ -118,7 +119,7 @@ CLEANFILES= *.core actual agent-key.* au
|
|
|
d7ff6e |
sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
|
|
|
d7ff6e |
ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
|
|
|
d7ff6e |
ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
|
|
|
d7ff6e |
- sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \
|
|
|
d7ff6e |
+ sshd_config.* sshd_proxy sshd_proxy.* sshd_proxy_bak \
|
|
|
d7ff6e |
sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \
|
|
|
d7ff6e |
t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \
|
|
|
d7ff6e |
t8.out t8.out.pub t9.out t9.out.pub testdata \
|
|
|
d7ff6e |
diff -up openssh-8.0p1/regress/servcfginclude.sh.sshdinclude openssh-8.0p1/regress/servcfginclude.sh
|
|
|
d7ff6e |
--- openssh-8.0p1/regress/servcfginclude.sh.sshdinclude 2021-10-20 15:18:49.744331132 +0200
|
|
|
d7ff6e |
+++ openssh-8.0p1/regress/servcfginclude.sh 2021-10-20 15:22:06.303046777 +0200
|
|
|
d7ff6e |
@@ -0,0 +1,188 @@
|
|
|
d7ff6e |
+# Placed in the Public Domain.
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+tid="server config include"
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+cat > $OBJ/sshd_config.i << _EOF
|
|
|
d7ff6e |
+HostKey $OBJ/host.ssh-ed25519
|
|
|
d7ff6e |
+Match host a
|
|
|
d7ff6e |
+ Banner /aa
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match host b
|
|
|
d7ff6e |
+ Banner /bb
|
|
|
d7ff6e |
+ Include $OBJ/sshd_config.i.*
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match host c
|
|
|
d7ff6e |
+ Include $OBJ/sshd_config.i.*
|
|
|
d7ff6e |
+ Banner /cc
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match host m
|
|
|
d7ff6e |
+ Include $OBJ/sshd_config.i.*
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match Host d
|
|
|
d7ff6e |
+ Banner /dd
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match Host e
|
|
|
d7ff6e |
+ Banner /ee
|
|
|
d7ff6e |
+ Include $OBJ/sshd_config.i.*
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match Host f
|
|
|
d7ff6e |
+ Include $OBJ/sshd_config.i.*
|
|
|
d7ff6e |
+ Banner /ff
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match Host n
|
|
|
d7ff6e |
+ Include $OBJ/sshd_config.i.*
|
|
|
d7ff6e |
+_EOF
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+cat > $OBJ/sshd_config.i.0 << _EOF
|
|
|
d7ff6e |
+Match host xxxxxx
|
|
|
d7ff6e |
+_EOF
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+cat > $OBJ/sshd_config.i.1 << _EOF
|
|
|
d7ff6e |
+Match host a
|
|
|
d7ff6e |
+ Banner /aaa
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match host b
|
|
|
d7ff6e |
+ Banner /bbb
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match host c
|
|
|
d7ff6e |
+ Banner /ccc
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match Host d
|
|
|
d7ff6e |
+ Banner /ddd
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match Host e
|
|
|
d7ff6e |
+ Banner /eee
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match Host f
|
|
|
d7ff6e |
+ Banner /fff
|
|
|
d7ff6e |
+_EOF
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+cat > $OBJ/sshd_config.i.2 << _EOF
|
|
|
d7ff6e |
+Match host a
|
|
|
d7ff6e |
+ Banner /aaaa
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match host b
|
|
|
d7ff6e |
+ Banner /bbbb
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match host c
|
|
|
d7ff6e |
+ Banner /cccc
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match Host d
|
|
|
d7ff6e |
+ Banner /dddd
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match Host e
|
|
|
d7ff6e |
+ Banner /eeee
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match Host f
|
|
|
d7ff6e |
+ Banner /ffff
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+Match all
|
|
|
d7ff6e |
+ Banner /xxxx
|
|
|
d7ff6e |
+_EOF
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+trial() {
|
|
|
d7ff6e |
+ _host="$1"
|
|
|
d7ff6e |
+ _exp="$2"
|
|
|
d7ff6e |
+ _desc="$3"
|
|
|
d7ff6e |
+ test -z "$_desc" && _desc="test match"
|
|
|
d7ff6e |
+ trace "$_desc host=$_host expect=$_exp"
|
|
|
d7ff6e |
+ ${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \
|
|
|
d7ff6e |
+ -C "host=$_host,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out ||
|
|
|
d7ff6e |
+ fatal "ssh config parse failed: $_desc host=$_host expect=$_exp"
|
|
|
d7ff6e |
+ _got=`grep -i '^banner ' $OBJ/sshd_config.out | awk '{print $2}'`
|
|
|
d7ff6e |
+ if test "x$_exp" != "x$_got" ; then
|
|
|
d7ff6e |
+ fail "$desc_ host $_host include fail: expected $_exp got $_got"
|
|
|
d7ff6e |
+ fi
|
|
|
d7ff6e |
+}
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+trial a /aa
|
|
|
d7ff6e |
+trial b /bb
|
|
|
d7ff6e |
+trial c /ccc
|
|
|
d7ff6e |
+trial d /dd
|
|
|
d7ff6e |
+trial e /ee
|
|
|
d7ff6e |
+trial f /fff
|
|
|
d7ff6e |
+trial m /xxxx
|
|
|
d7ff6e |
+trial n /xxxx
|
|
|
d7ff6e |
+trial x none
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+# Prepare an included config with an error.
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+cat > $OBJ/sshd_config.i.3 << _EOF
|
|
|
d7ff6e |
+Banner xxxx
|
|
|
d7ff6e |
+ Junk
|
|
|
d7ff6e |
+_EOF
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+trace "disallow invalid config host=a"
|
|
|
d7ff6e |
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i \
|
|
|
d7ff6e |
+ -C "host=a,user=test,addr=127.0.0.1" 2>/dev/null && \
|
|
|
d7ff6e |
+ fail "sshd include allowed invalid config"
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+trace "disallow invalid config host=x"
|
|
|
d7ff6e |
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i \
|
|
|
d7ff6e |
+ -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
|
|
|
d7ff6e |
+ fail "sshd include allowed invalid config"
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+rm -f $OBJ/sshd_config.i.*
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+# Ensure that a missing include is not fatal.
|
|
|
d7ff6e |
+cat > $OBJ/sshd_config.i << _EOF
|
|
|
d7ff6e |
+HostKey $OBJ/host.ssh-ed25519
|
|
|
d7ff6e |
+Include $OBJ/sshd_config.i.*
|
|
|
d7ff6e |
+Banner /aa
|
|
|
d7ff6e |
+_EOF
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+trial a /aa "missing include non-fatal"
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+# Ensure that Match/Host in an included config does not affect parent.
|
|
|
d7ff6e |
+cat > $OBJ/sshd_config.i.x << _EOF
|
|
|
d7ff6e |
+Match host x
|
|
|
d7ff6e |
+_EOF
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+trial a /aa "included file does not affect match state"
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+# Ensure the empty include directive is not accepted
|
|
|
d7ff6e |
+cat > $OBJ/sshd_config.i.x << _EOF
|
|
|
d7ff6e |
+Include
|
|
|
d7ff6e |
+_EOF
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+trace "disallow invalid with no argument"
|
|
|
d7ff6e |
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x -T \
|
|
|
d7ff6e |
+ -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
|
|
|
d7ff6e |
+ fail "sshd allowed Include with no argument"
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+# Ensure the Include before any Match block works as expected (bug #3122)
|
|
|
d7ff6e |
+cat > $OBJ/sshd_config.i << _EOF
|
|
|
d7ff6e |
+Banner /xx
|
|
|
d7ff6e |
+HostKey $OBJ/host.ssh-ed25519
|
|
|
d7ff6e |
+Include $OBJ/sshd_config.i.2
|
|
|
d7ff6e |
+Match host a
|
|
|
d7ff6e |
+ Banner /aaaa
|
|
|
d7ff6e |
+_EOF
|
|
|
d7ff6e |
+cat > $OBJ/sshd_config.i.2 << _EOF
|
|
|
d7ff6e |
+Match host a
|
|
|
d7ff6e |
+ Banner /aa
|
|
|
d7ff6e |
+_EOF
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+trace "Include before match blocks"
|
|
|
d7ff6e |
+trial a /aa "included file before match blocks is properly evaluated"
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+# Port in included file is correctly interpretted (bug #3169)
|
|
|
d7ff6e |
+cat > $OBJ/sshd_config.i << _EOF
|
|
|
d7ff6e |
+Include $OBJ/sshd_config.i.2
|
|
|
d7ff6e |
+Port 7722
|
|
|
d7ff6e |
+_EOF
|
|
|
d7ff6e |
+cat > $OBJ/sshd_config.i.2 << _EOF
|
|
|
d7ff6e |
+HostKey $OBJ/host.ssh-ed25519
|
|
|
d7ff6e |
+_EOF
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+trace "Port after included files"
|
|
|
d7ff6e |
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \
|
|
|
d7ff6e |
+ -C "host=x,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out || \
|
|
|
d7ff6e |
+ fail "failed to parse Port after included files"
|
|
|
d7ff6e |
+_port=`grep -i '^port ' $OBJ/sshd_config.out | awk '{print $2}'`
|
|
|
d7ff6e |
+if test "x7722" != "x$_port" ; then
|
|
|
d7ff6e |
+ fail "The Port in included file was intertepretted wrongly. Expected 7722, got $_port"
|
|
|
d7ff6e |
+fi
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+# cleanup
|
|
|
d7ff6e |
+rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
|
|
|
d7ff6e |
diff -up openssh-8.0p1/regress/test-exec.sh.sshdinclude openssh-8.0p1/regress/test-exec.sh
|
|
|
d7ff6e |
--- openssh-8.0p1/regress/test-exec.sh.sshdinclude 2021-10-20 15:18:49.746331150 +0200
|
|
|
d7ff6e |
+++ openssh-8.0p1/regress/test-exec.sh 2021-10-20 15:19:41.324781344 +0200
|
|
|
d7ff6e |
@@ -220,6 +220,7 @@ echo "exec ${SSH} -E${TEST_SSH_LOGFILE}
|
|
|
d7ff6e |
|
|
|
d7ff6e |
chmod a+rx $OBJ/ssh-log-wrapper.sh
|
|
|
d7ff6e |
REAL_SSH="$SSH"
|
|
|
d7ff6e |
+REAL_SSHD="$SSHD"
|
|
|
d7ff6e |
SSH="$SSHLOGWRAP"
|
|
|
d7ff6e |
|
|
|
d7ff6e |
# Some test data. We make a copy because some tests will overwrite it.
|
|
|
d7ff6e |
diff -up openssh-8.0p1/servconf.c.sshdinclude openssh-8.0p1/servconf.c
|
|
|
d7ff6e |
--- openssh-8.0p1/servconf.c.sshdinclude 2021-10-20 15:18:49.748331167 +0200
|
|
|
d7ff6e |
+++ openssh-8.0p1/servconf.c 2021-10-20 15:22:06.303046777 +0200
|
|
|
d7ff6e |
@@ -40,6 +40,11 @@
|
|
|
d7ff6e |
#ifdef HAVE_UTIL_H
|
|
|
d7ff6e |
#include <util.h>
|
|
|
d7ff6e |
#endif
|
|
|
d7ff6e |
+#ifdef USE_SYSTEM_GLOB
|
|
|
d7ff6e |
+# include <glob.h>
|
|
|
d7ff6e |
+#else
|
|
|
d7ff6e |
+# include "openbsd-compat/glob.h"
|
|
|
d7ff6e |
+#endif
|
|
|
d7ff6e |
|
|
|
d7ff6e |
#include "openbsd-compat/sys-queue.h"
|
|
|
d7ff6e |
#include "xmalloc.h"
|
|
|
d7ff6e |
@@ -70,6 +75,9 @@ static void add_listen_addr(ServerOption
|
|
|
d7ff6e |
const char *, int);
|
|
|
d7ff6e |
static void add_one_listen_addr(ServerOptions *, const char *,
|
|
|
d7ff6e |
const char *, int);
|
|
|
d7ff6e |
+static void parse_server_config_depth(ServerOptions *options,
|
|
|
d7ff6e |
+ const char *filename, struct sshbuf *conf, struct include_list *includes,
|
|
|
d7ff6e |
+ struct connection_info *connectinfo, int flags, int *activep, int depth);
|
|
|
d7ff6e |
|
|
|
d7ff6e |
/* Use of privilege separation or not */
|
|
|
d7ff6e |
extern int use_privsep;
|
|
|
d7ff6e |
@@ -528,7 +536,7 @@ typedef enum {
|
|
|
d7ff6e |
sAcceptEnv, sSetEnv, sPermitTunnel,
|
|
|
d7ff6e |
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
|
|
d7ff6e |
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
|
|
d7ff6e |
- sHostCertificate,
|
|
|
d7ff6e |
+ sHostCertificate, sInclude,
|
|
|
d7ff6e |
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
|
|
d7ff6e |
sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
|
|
|
d7ff6e |
sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
|
|
|
d7ff6e |
@@ -540,9 +548,11 @@ typedef enum {
|
|
|
d7ff6e |
sDeprecated, sIgnore, sUnsupported
|
|
|
d7ff6e |
} ServerOpCodes;
|
|
|
d7ff6e |
|
|
|
d7ff6e |
-#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
|
|
|
d7ff6e |
-#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
|
|
|
d7ff6e |
-#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
|
|
|
d7ff6e |
+#define SSHCFG_GLOBAL 0x01 /* allowed in main section of config */
|
|
|
d7ff6e |
+#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
|
|
|
d7ff6e |
+#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
|
|
|
d7ff6e |
+#define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */
|
|
|
d7ff6e |
+#define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */
|
|
|
d7ff6e |
|
|
|
d7ff6e |
/* Textual representation of the tokens. */
|
|
|
d7ff6e |
static struct {
|
|
|
d7ff6e |
@@ -687,6 +697,7 @@ static struct {
|
|
|
d7ff6e |
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
|
|
d7ff6e |
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
|
|
d7ff6e |
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
|
|
d7ff6e |
+ { "include", sInclude, SSHCFG_ALL },
|
|
|
d7ff6e |
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
|
|
d7ff6e |
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
|
|
d7ff6e |
{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
|
|
|
d7ff6e |
@@ -1259,13 +1270,14 @@ static const struct multistate multistat
|
|
|
d7ff6e |
{ NULL, -1 }
|
|
|
d7ff6e |
};
|
|
|
d7ff6e |
|
|
|
d7ff6e |
-int
|
|
|
d7ff6e |
-process_server_config_line(ServerOptions *options, char *line,
|
|
|
d7ff6e |
+static int
|
|
|
d7ff6e |
+process_server_config_line_depth(ServerOptions *options, char *line,
|
|
|
d7ff6e |
const char *filename, int linenum, int *activep,
|
|
|
d7ff6e |
- struct connection_info *connectinfo)
|
|
|
d7ff6e |
+ struct connection_info *connectinfo, int *inc_flags, int depth,
|
|
|
d7ff6e |
+ struct include_list *includes)
|
|
|
d7ff6e |
{
|
|
|
d7ff6e |
char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
|
|
|
d7ff6e |
- int cmdline = 0, *intptr, value, value2, n, port;
|
|
|
d7ff6e |
+ int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found;
|
|
|
d7ff6e |
SyslogFacility *log_facility_ptr;
|
|
|
d7ff6e |
LogLevel *log_level_ptr;
|
|
|
d7ff6e |
ServerOpCodes opcode;
|
|
|
d7ff6e |
@@ -1274,6 +1286,8 @@ process_server_config_line(ServerOptions
|
|
|
d7ff6e |
long long val64;
|
|
|
d7ff6e |
const struct multistate *multistate_ptr;
|
|
|
d7ff6e |
const char *errstr;
|
|
|
d7ff6e |
+ struct include_item *item;
|
|
|
d7ff6e |
+ glob_t gbuf;
|
|
|
d7ff6e |
|
|
|
d7ff6e |
/* Strip trailing whitespace. Allow \f (form feed) at EOL only */
|
|
|
d7ff6e |
if ((len = strlen(line)) == 0)
|
|
|
d7ff6e |
@@ -1300,7 +1314,7 @@ process_server_config_line(ServerOptions
|
|
|
d7ff6e |
cmdline = 1;
|
|
|
d7ff6e |
activep = &cmdline;
|
|
|
d7ff6e |
}
|
|
|
d7ff6e |
- if (*activep && opcode != sMatch)
|
|
|
d7ff6e |
+ if (*activep && opcode != sMatch && opcode != sInclude)
|
|
|
d7ff6e |
debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
|
|
|
d7ff6e |
if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
|
|
|
d7ff6e |
if (connectinfo == NULL) {
|
|
|
d7ff6e |
@@ -1980,15 +1994,112 @@ process_server_config_line(ServerOptions
|
|
|
d7ff6e |
*intptr = value;
|
|
|
d7ff6e |
break;
|
|
|
d7ff6e |
|
|
|
d7ff6e |
+ case sInclude:
|
|
|
d7ff6e |
+ if (cmdline) {
|
|
|
d7ff6e |
+ fatal("Include directive not supported as a "
|
|
|
d7ff6e |
+ "command-line option");
|
|
|
d7ff6e |
+ }
|
|
|
d7ff6e |
+ value = 0;
|
|
|
d7ff6e |
+ while ((arg2 = strdelim(&cp)) != NULL && *arg2 != '\0') {
|
|
|
d7ff6e |
+ value++;
|
|
|
d7ff6e |
+ found = 0;
|
|
|
d7ff6e |
+ if (*arg2 != '/' && *arg2 != '~') {
|
|
|
d7ff6e |
+ xasprintf(&arg, "%s/%s", SSHDIR, arg2);
|
|
|
d7ff6e |
+ } else
|
|
|
d7ff6e |
+ arg = xstrdup(arg2);
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+ /*
|
|
|
d7ff6e |
+ * Don't let included files clobber the containing
|
|
|
d7ff6e |
+ * file's Match state.
|
|
|
d7ff6e |
+ */
|
|
|
d7ff6e |
+ oactive = *activep;
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+ /* consult cache of include files */
|
|
|
d7ff6e |
+ TAILQ_FOREACH(item, includes, entry) {
|
|
|
d7ff6e |
+ if (strcmp(item->selector, arg) != 0)
|
|
|
d7ff6e |
+ continue;
|
|
|
d7ff6e |
+ if (item->filename != NULL) {
|
|
|
d7ff6e |
+ parse_server_config_depth(options,
|
|
|
d7ff6e |
+ item->filename, item->contents,
|
|
|
d7ff6e |
+ includes, connectinfo,
|
|
|
d7ff6e |
+ (*inc_flags & SSHCFG_MATCH_ONLY
|
|
|
d7ff6e |
+ ? SSHCFG_MATCH_ONLY : (oactive
|
|
|
d7ff6e |
+ ? 0 : SSHCFG_NEVERMATCH)),
|
|
|
d7ff6e |
+ activep, depth + 1);
|
|
|
d7ff6e |
+ }
|
|
|
d7ff6e |
+ found = 1;
|
|
|
d7ff6e |
+ *activep = oactive;
|
|
|
d7ff6e |
+ }
|
|
|
d7ff6e |
+ if (found != 0) {
|
|
|
d7ff6e |
+ free(arg);
|
|
|
d7ff6e |
+ continue;
|
|
|
d7ff6e |
+ }
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+ /* requested glob was not in cache */
|
|
|
d7ff6e |
+ debug2("%s line %d: new include %s",
|
|
|
d7ff6e |
+ filename, linenum, arg);
|
|
|
d7ff6e |
+ if ((r = glob(arg, 0, NULL, &gbuf)) != 0) {
|
|
|
d7ff6e |
+ if (r != GLOB_NOMATCH) {
|
|
|
d7ff6e |
+ fatal("%s line %d: include \"%s\" "
|
|
|
d7ff6e |
+ "glob failed", filename,
|
|
|
d7ff6e |
+ linenum, arg);
|
|
|
d7ff6e |
+ }
|
|
|
d7ff6e |
+ /*
|
|
|
d7ff6e |
+ * If no entry matched then record a
|
|
|
d7ff6e |
+ * placeholder to skip later glob calls.
|
|
|
d7ff6e |
+ */
|
|
|
d7ff6e |
+ debug2("%s line %d: no match for %s",
|
|
|
d7ff6e |
+ filename, linenum, arg);
|
|
|
d7ff6e |
+ item = xcalloc(1, sizeof(*item));
|
|
|
d7ff6e |
+ item->selector = strdup(arg);
|
|
|
d7ff6e |
+ TAILQ_INSERT_TAIL(includes,
|
|
|
d7ff6e |
+ item, entry);
|
|
|
d7ff6e |
+ }
|
|
|
d7ff6e |
+ if (gbuf.gl_pathc > INT_MAX)
|
|
|
d7ff6e |
+ fatal("%s: too many glob results", __func__);
|
|
|
d7ff6e |
+ for (n = 0; n < (int)gbuf.gl_pathc; n++) {
|
|
|
d7ff6e |
+ debug2("%s line %d: including %s",
|
|
|
d7ff6e |
+ filename, linenum, gbuf.gl_pathv[n]);
|
|
|
d7ff6e |
+ item = xcalloc(1, sizeof(*item));
|
|
|
d7ff6e |
+ item->selector = strdup(arg);
|
|
|
d7ff6e |
+ item->filename = strdup(gbuf.gl_pathv[n]);
|
|
|
d7ff6e |
+ if ((item->contents = sshbuf_new()) == NULL) {
|
|
|
d7ff6e |
+ fatal("%s: sshbuf_new failed",
|
|
|
d7ff6e |
+ __func__);
|
|
|
d7ff6e |
+ }
|
|
|
d7ff6e |
+ load_server_config(item->filename,
|
|
|
d7ff6e |
+ item->contents);
|
|
|
d7ff6e |
+ parse_server_config_depth(options,
|
|
|
d7ff6e |
+ item->filename, item->contents,
|
|
|
d7ff6e |
+ includes, connectinfo,
|
|
|
d7ff6e |
+ (*inc_flags & SSHCFG_MATCH_ONLY
|
|
|
d7ff6e |
+ ? SSHCFG_MATCH_ONLY : (oactive
|
|
|
d7ff6e |
+ ? 0 : SSHCFG_NEVERMATCH)),
|
|
|
d7ff6e |
+ activep, depth + 1);
|
|
|
d7ff6e |
+ *activep = oactive;
|
|
|
d7ff6e |
+ TAILQ_INSERT_TAIL(includes, item, entry);
|
|
|
d7ff6e |
+ }
|
|
|
d7ff6e |
+ globfree(&gbuf);
|
|
|
d7ff6e |
+ free(arg);
|
|
|
d7ff6e |
+ }
|
|
|
d7ff6e |
+ if (value == 0) {
|
|
|
d7ff6e |
+ fatal("%s line %d: Include missing filename argument",
|
|
|
d7ff6e |
+ filename, linenum);
|
|
|
d7ff6e |
+ }
|
|
|
d7ff6e |
+ break;
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
case sMatch:
|
|
|
d7ff6e |
if (cmdline)
|
|
|
d7ff6e |
fatal("Match directive not supported as a command-line "
|
|
|
d7ff6e |
"option");
|
|
|
d7ff6e |
- value = match_cfg_line(&cp, linenum, connectinfo);
|
|
|
d7ff6e |
+ value = match_cfg_line(&cp, linenum,
|
|
|
d7ff6e |
+ (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
|
|
|
d7ff6e |
if (value < 0)
|
|
|
d7ff6e |
fatal("%s line %d: Bad Match condition", filename,
|
|
|
d7ff6e |
linenum);
|
|
|
d7ff6e |
- *activep = value;
|
|
|
d7ff6e |
+ *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
|
|
|
d7ff6e |
+ /* The MATCH_ONLY is applicable only until the first match block */
|
|
|
d7ff6e |
+ *inc_flags &= ~SSHCFG_MATCH_ONLY;
|
|
|
d7ff6e |
break;
|
|
|
d7ff6e |
|
|
|
d7ff6e |
case sKerberosUseKuserok:
|
|
|
d7ff6e |
@@ -2275,6 +2386,18 @@ process_server_config_line(ServerOptions
|
|
|
d7ff6e |
return 0;
|
|
|
d7ff6e |
}
|
|
|
d7ff6e |
|
|
|
d7ff6e |
+int
|
|
|
d7ff6e |
+process_server_config_line(ServerOptions *options, char *line,
|
|
|
d7ff6e |
+ const char *filename, int linenum, int *activep,
|
|
|
d7ff6e |
+ struct connection_info *connectinfo, struct include_list *includes)
|
|
|
d7ff6e |
+{
|
|
|
d7ff6e |
+ int inc_flags = 0;
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+ return process_server_config_line_depth(options, line, filename,
|
|
|
d7ff6e |
+ linenum, activep, connectinfo, &inc_flags, 0, includes);
|
|
|
d7ff6e |
+}
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
/* Reads the server configuration file. */
|
|
|
d7ff6e |
|
|
|
d7ff6e |
void
|
|
|
d7ff6e |
@@ -2313,12 +2436,13 @@ load_server_config(const char *filename,
|
|
|
d7ff6e |
|
|
|
d7ff6e |
void
|
|
|
d7ff6e |
parse_server_match_config(ServerOptions *options,
|
|
|
d7ff6e |
- struct connection_info *connectinfo)
|
|
|
d7ff6e |
+ struct include_list *includes, struct connection_info *connectinfo)
|
|
|
d7ff6e |
{
|
|
|
d7ff6e |
ServerOptions mo;
|
|
|
d7ff6e |
|
|
|
d7ff6e |
initialize_server_options(&mo);
|
|
|
d7ff6e |
- parse_server_config(&mo, "reprocess config", cfg, connectinfo);
|
|
|
d7ff6e |
+ parse_server_config(&mo, "reprocess config", cfg, includes,
|
|
|
d7ff6e |
+ connectinfo);
|
|
|
d7ff6e |
copy_set_server_options(options, &mo, 0);
|
|
|
d7ff6e |
}
|
|
|
d7ff6e |
|
|
|
d7ff6e |
@@ -2464,28 +2588,44 @@ copy_set_server_options(ServerOptions *d
|
|
|
d7ff6e |
#undef M_CP_STROPT
|
|
|
d7ff6e |
#undef M_CP_STRARRAYOPT
|
|
|
d7ff6e |
|
|
|
d7ff6e |
-void
|
|
|
d7ff6e |
-parse_server_config(ServerOptions *options, const char *filename,
|
|
|
d7ff6e |
- struct sshbuf *conf, struct connection_info *connectinfo)
|
|
|
d7ff6e |
+#define SERVCONF_MAX_DEPTH 16
|
|
|
d7ff6e |
+static void
|
|
|
d7ff6e |
+parse_server_config_depth(ServerOptions *options, const char *filename,
|
|
|
d7ff6e |
+ struct sshbuf *conf, struct include_list *includes,
|
|
|
d7ff6e |
+ struct connection_info *connectinfo, int flags, int *activep, int depth)
|
|
|
d7ff6e |
{
|
|
|
d7ff6e |
- int active, linenum, bad_options = 0;
|
|
|
d7ff6e |
+ int linenum, bad_options = 0;
|
|
|
d7ff6e |
char *cp, *obuf, *cbuf;
|
|
|
d7ff6e |
|
|
|
d7ff6e |
- debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
|
|
|
d7ff6e |
+ if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
|
|
|
d7ff6e |
+ fatal("Too many recursive configuration includes");
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+ debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
|
|
|
d7ff6e |
+ (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
|
|
|
d7ff6e |
|
|
|
d7ff6e |
if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
|
|
|
d7ff6e |
fatal("%s: sshbuf_dup_string failed", __func__);
|
|
|
d7ff6e |
- active = connectinfo ? 0 : 1;
|
|
|
d7ff6e |
linenum = 1;
|
|
|
d7ff6e |
while ((cp = strsep(&cbuf, "\n")) != NULL) {
|
|
|
d7ff6e |
- if (process_server_config_line(options, cp, filename,
|
|
|
d7ff6e |
- linenum++, &active, connectinfo) != 0)
|
|
|
d7ff6e |
+ if (process_server_config_line_depth(options, cp,
|
|
|
d7ff6e |
+ filename, linenum++, activep, connectinfo, &flags,
|
|
|
d7ff6e |
+ depth, includes) != 0)
|
|
|
d7ff6e |
bad_options++;
|
|
|
d7ff6e |
}
|
|
|
d7ff6e |
free(obuf);
|
|
|
d7ff6e |
if (bad_options > 0)
|
|
|
d7ff6e |
fatal("%s: terminating, %d bad configuration options",
|
|
|
d7ff6e |
filename, bad_options);
|
|
|
d7ff6e |
+}
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+void
|
|
|
d7ff6e |
+parse_server_config(ServerOptions *options, const char *filename,
|
|
|
d7ff6e |
+ struct sshbuf *conf, struct include_list *includes,
|
|
|
d7ff6e |
+ struct connection_info *connectinfo)
|
|
|
d7ff6e |
+{
|
|
|
d7ff6e |
+ int active = connectinfo ? 0 : 1;
|
|
|
d7ff6e |
+ parse_server_config_depth(options, filename, conf, includes,
|
|
|
d7ff6e |
+ connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
|
|
|
d7ff6e |
process_queued_listen_addrs(options);
|
|
|
d7ff6e |
}
|
|
|
d7ff6e |
|
|
|
d7ff6e |
diff -up openssh-8.0p1/servconf.h.sshdinclude openssh-8.0p1/servconf.h
|
|
|
d7ff6e |
--- openssh-8.0p1/servconf.h.sshdinclude 2021-10-20 15:18:49.750331185 +0200
|
|
|
d7ff6e |
+++ openssh-8.0p1/servconf.h 2021-10-20 15:19:41.325781353 +0200
|
|
|
d7ff6e |
@@ -16,6 +16,8 @@
|
|
|
d7ff6e |
#ifndef SERVCONF_H
|
|
|
d7ff6e |
#define SERVCONF_H
|
|
|
d7ff6e |
|
|
|
d7ff6e |
+#include <sys/queue.h>
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
#define MAX_PORTS 256 /* Max # ports. */
|
|
|
d7ff6e |
|
|
|
d7ff6e |
#define MAX_SUBSYSTEMS 256 /* Max # subsystems. */
|
|
|
d7ff6e |
@@ -234,6 +236,15 @@ struct connection_info {
|
|
|
d7ff6e |
* unspecified */
|
|
|
d7ff6e |
};
|
|
|
d7ff6e |
|
|
|
d7ff6e |
+/* List of included files for re-exec from the parsed configuration */
|
|
|
d7ff6e |
+struct include_item {
|
|
|
d7ff6e |
+ char *selector;
|
|
|
d7ff6e |
+ char *filename;
|
|
|
d7ff6e |
+ struct sshbuf *contents;
|
|
|
d7ff6e |
+ TAILQ_ENTRY(include_item) entry;
|
|
|
d7ff6e |
+};
|
|
|
d7ff6e |
+TAILQ_HEAD(include_list, include_item);
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
|
|
|
d7ff6e |
/*
|
|
|
d7ff6e |
* These are string config options that must be copied between the
|
|
|
d7ff6e |
@@ -273,12 +284,13 @@ struct connection_info *get_connection_i
|
|
|
d7ff6e |
void initialize_server_options(ServerOptions *);
|
|
|
d7ff6e |
void fill_default_server_options(ServerOptions *);
|
|
|
d7ff6e |
int process_server_config_line(ServerOptions *, char *, const char *, int,
|
|
|
d7ff6e |
- int *, struct connection_info *);
|
|
|
d7ff6e |
+ int *, struct connection_info *, struct include_list *includes);
|
|
|
d7ff6e |
void process_permitopen(struct ssh *ssh, ServerOptions *options);
|
|
|
d7ff6e |
void load_server_config(const char *, struct sshbuf *);
|
|
|
d7ff6e |
void parse_server_config(ServerOptions *, const char *, struct sshbuf *,
|
|
|
d7ff6e |
- struct connection_info *);
|
|
|
d7ff6e |
-void parse_server_match_config(ServerOptions *, struct connection_info *);
|
|
|
d7ff6e |
+ struct include_list *includes, struct connection_info *);
|
|
|
d7ff6e |
+void parse_server_match_config(ServerOptions *,
|
|
|
d7ff6e |
+ struct include_list *includes, struct connection_info *);
|
|
|
d7ff6e |
int parse_server_match_testspec(struct connection_info *, char *);
|
|
|
d7ff6e |
int server_match_spec_complete(struct connection_info *);
|
|
|
d7ff6e |
void copy_set_server_options(ServerOptions *, ServerOptions *, int);
|
|
|
d7ff6e |
diff -up openssh-8.0p1/sshd_config.5.sshdinclude openssh-8.0p1/sshd_config.5
|
|
|
d7ff6e |
--- openssh-8.0p1/sshd_config.5.sshdinclude 2021-10-20 15:18:49.754331220 +0200
|
|
|
d7ff6e |
+++ openssh-8.0p1/sshd_config.5 2021-10-20 15:19:41.325781353 +0200
|
|
|
d7ff6e |
@@ -825,7 +825,20 @@ during
|
|
|
d7ff6e |
and use only the system-wide known hosts file
|
|
|
d7ff6e |
.Pa /etc/ssh/known_hosts .
|
|
|
d7ff6e |
The default is
|
|
|
d7ff6e |
-.Cm no .
|
|
|
d7ff6e |
+.Dq no .
|
|
|
d7ff6e |
+.It Cm Include
|
|
|
d7ff6e |
+Include the specified configuration file(s).
|
|
|
d7ff6e |
+Multiple path names may be specified and each pathname may contain
|
|
|
d7ff6e |
+.Xr glob 7
|
|
|
d7ff6e |
+wildcards.
|
|
|
d7ff6e |
+Files without absolute paths are assumed to be in
|
|
|
d7ff6e |
+.Pa /etc/ssh .
|
|
|
d7ff6e |
+A
|
|
|
d7ff6e |
+.Cm Include
|
|
|
d7ff6e |
+directive may appear inside a
|
|
|
d7ff6e |
+.Cm Match
|
|
|
d7ff6e |
+block
|
|
|
d7ff6e |
+to perform conditional inclusion.
|
|
|
d7ff6e |
.It Cm IPQoS
|
|
|
d7ff6e |
Specifies the IPv4 type-of-service or DSCP class for the connection.
|
|
|
d7ff6e |
Accepted values are
|
|
|
d7ff6e |
diff -up openssh-8.0p1/sshd.c.sshdinclude openssh-8.0p1/sshd.c
|
|
|
d7ff6e |
--- openssh-8.0p1/sshd.c.sshdinclude 2021-10-20 15:18:49.752331202 +0200
|
|
|
d7ff6e |
+++ openssh-8.0p1/sshd.c 2021-10-20 15:19:41.325781353 +0200
|
|
|
d7ff6e |
@@ -257,6 +257,9 @@ struct sshauthopt *auth_opts = NULL;
|
|
|
d7ff6e |
/* sshd_config buffer */
|
|
|
d7ff6e |
struct sshbuf *cfg;
|
|
|
d7ff6e |
|
|
|
d7ff6e |
+/* Included files from the configuration file */
|
|
|
d7ff6e |
+struct include_list includes = TAILQ_HEAD_INITIALIZER(includes);
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
/* message to be displayed after login */
|
|
|
d7ff6e |
struct sshbuf *loginmsg;
|
|
|
d7ff6e |
|
|
|
d7ff6e |
@@ -927,30 +930,45 @@ usage(void)
|
|
|
d7ff6e |
static void
|
|
|
d7ff6e |
send_rexec_state(int fd, struct sshbuf *conf)
|
|
|
d7ff6e |
{
|
|
|
d7ff6e |
- struct sshbuf *m;
|
|
|
d7ff6e |
+ struct sshbuf *m = NULL, *inc = NULL;
|
|
|
d7ff6e |
+ struct include_item *item = NULL;
|
|
|
d7ff6e |
int r;
|
|
|
d7ff6e |
|
|
|
d7ff6e |
debug3("%s: entering fd = %d config len %zu", __func__, fd,
|
|
|
d7ff6e |
sshbuf_len(conf));
|
|
|
d7ff6e |
|
|
|
d7ff6e |
+ if ((m = sshbuf_new()) == NULL || (inc = sshbuf_new()) == NULL)
|
|
|
d7ff6e |
+ fatal("%s: sshbuf_new failed", __func__);
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+ /* pack includes into a string */
|
|
|
d7ff6e |
+ TAILQ_FOREACH(item, &includes, entry) {
|
|
|
d7ff6e |
+ if ((r = sshbuf_put_cstring(inc, item->selector)) != 0 ||
|
|
|
d7ff6e |
+ (r = sshbuf_put_cstring(inc, item->filename)) != 0 ||
|
|
|
d7ff6e |
+ (r = sshbuf_put_stringb(inc, item->contents)) != 0)
|
|
|
d7ff6e |
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
|
d7ff6e |
+ }
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
/*
|
|
|
d7ff6e |
* Protocol from reexec master to child:
|
|
|
d7ff6e |
* string configuration
|
|
|
d7ff6e |
- * string rngseed (only if OpenSSL is not self-seeded)
|
|
|
d7ff6e |
+ * string included_files[] {
|
|
|
d7ff6e |
+ * string selector
|
|
|
d7ff6e |
+ * string filename
|
|
|
d7ff6e |
+ * string contents
|
|
|
d7ff6e |
+ * }
|
|
|
d7ff6e |
+ * string rng_seed (if required)
|
|
|
d7ff6e |
*/
|
|
|
d7ff6e |
- if ((m = sshbuf_new()) == NULL)
|
|
|
d7ff6e |
- fatal("%s: sshbuf_new failed", __func__);
|
|
|
d7ff6e |
- if ((r = sshbuf_put_stringb(m, conf)) != 0)
|
|
|
d7ff6e |
+ if ((r = sshbuf_put_stringb(m, conf)) != 0 ||
|
|
|
d7ff6e |
+ (r = sshbuf_put_stringb(m, inc)) != 0)
|
|
|
d7ff6e |
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
|
d7ff6e |
-
|
|
|
d7ff6e |
#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
|
|
|
d7ff6e |
rexec_send_rng_seed(m);
|
|
|
d7ff6e |
#endif
|
|
|
d7ff6e |
-
|
|
|
d7ff6e |
if (ssh_msg_send(fd, 0, m) == -1)
|
|
|
d7ff6e |
fatal("%s: ssh_msg_send failed", __func__);
|
|
|
d7ff6e |
|
|
|
d7ff6e |
sshbuf_free(m);
|
|
|
d7ff6e |
+ sshbuf_free(inc);
|
|
|
d7ff6e |
|
|
|
d7ff6e |
debug3("%s: done", __func__);
|
|
|
d7ff6e |
}
|
|
|
d7ff6e |
@@ -958,14 +976,15 @@ send_rexec_state(int fd, struct sshbuf *
|
|
|
d7ff6e |
static void
|
|
|
d7ff6e |
recv_rexec_state(int fd, struct sshbuf *conf)
|
|
|
d7ff6e |
{
|
|
|
d7ff6e |
- struct sshbuf *m;
|
|
|
d7ff6e |
+ struct sshbuf *m, *inc;
|
|
|
d7ff6e |
u_char *cp, ver;
|
|
|
d7ff6e |
size_t len;
|
|
|
d7ff6e |
int r;
|
|
|
d7ff6e |
+ struct include_item *item;
|
|
|
d7ff6e |
|
|
|
d7ff6e |
debug3("%s: entering fd = %d", __func__, fd);
|
|
|
d7ff6e |
|
|
|
d7ff6e |
- if ((m = sshbuf_new()) == NULL)
|
|
|
d7ff6e |
+ if ((m = sshbuf_new()) == NULL || (inc = sshbuf_new()) == NULL)
|
|
|
d7ff6e |
fatal("%s: sshbuf_new failed", __func__);
|
|
|
d7ff6e |
if (ssh_msg_recv(fd, m) == -1)
|
|
|
d7ff6e |
fatal("%s: ssh_msg_recv failed", __func__);
|
|
|
d7ff6e |
@@ -973,14 +992,28 @@ recv_rexec_state(int fd, struct sshbuf *
|
|
|
d7ff6e |
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
|
d7ff6e |
if (ver != 0)
|
|
|
d7ff6e |
fatal("%s: rexec version mismatch", __func__);
|
|
|
d7ff6e |
- if ((r = sshbuf_get_string(m, &cp, &len)) != 0)
|
|
|
d7ff6e |
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
|
d7ff6e |
- if (conf != NULL && (r = sshbuf_put(conf, cp, len)))
|
|
|
d7ff6e |
+ if ((r = sshbuf_get_string(m, &cp, &len)) != 0 ||
|
|
|
d7ff6e |
+ (r = sshbuf_get_stringb(m, inc)) != 0)
|
|
|
d7ff6e |
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
|
|
|
d7ff6e |
rexec_recv_rng_seed(m);
|
|
|
d7ff6e |
#endif
|
|
|
d7ff6e |
|
|
|
d7ff6e |
+ if (conf != NULL && (r = sshbuf_put(conf, cp, len)))
|
|
|
d7ff6e |
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
+ while (sshbuf_len(inc) != 0) {
|
|
|
d7ff6e |
+ item = xcalloc(1, sizeof(*item));
|
|
|
d7ff6e |
+ if ((item->contents = sshbuf_new()) == NULL)
|
|
|
d7ff6e |
+ fatal("%s: sshbuf_new failed", __func__);
|
|
|
d7ff6e |
+ if ((r = sshbuf_get_cstring(inc, &item->selector, NULL)) != 0 ||
|
|
|
d7ff6e |
+ (r = sshbuf_get_cstring(inc, &item->filename, NULL)) != 0 ||
|
|
|
d7ff6e |
+ (r = sshbuf_get_stringb(inc, item->contents)) != 0)
|
|
|
d7ff6e |
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
|
d7ff6e |
+ TAILQ_INSERT_TAIL(&includes, item, entry);
|
|
|
d7ff6e |
+ }
|
|
|
d7ff6e |
+
|
|
|
d7ff6e |
free(cp);
|
|
|
d7ff6e |
sshbuf_free(m);
|
|
|
d7ff6e |
|
|
|
d7ff6e |
@@ -1661,7 +1694,7 @@ main(int ac, char **av)
|
|
|
d7ff6e |
case 'o':
|
|
|
d7ff6e |
line = xstrdup(optarg);
|
|
|
d7ff6e |
if (process_server_config_line(&options, line,
|
|
|
d7ff6e |
- "command-line", 0, NULL, NULL) != 0)
|
|
|
d7ff6e |
+ "command-line", 0, NULL, NULL, &includes) != 0)
|
|
|
d7ff6e |
exit(1);
|
|
|
d7ff6e |
free(line);
|
|
|
d7ff6e |
break;
|
|
|
d7ff6e |
@@ -1692,7 +1725,7 @@ main(int ac, char **av)
|
|
|
d7ff6e |
SYSLOG_LEVEL_INFO : options.log_level,
|
|
|
d7ff6e |
options.log_facility == SYSLOG_FACILITY_NOT_SET ?
|
|
|
d7ff6e |
SYSLOG_FACILITY_AUTH : options.log_facility,
|
|
|
d7ff6e |
- log_stderr || !inetd_flag);
|
|
|
d7ff6e |
+ log_stderr || !inetd_flag || debug_flag);
|
|
|
d7ff6e |
|
|
|
d7ff6e |
/*
|
|
|
d7ff6e |
* Unset KRB5CCNAME, otherwise the user's session may inherit it from
|
|
|
d7ff6e |
@@ -1725,12 +1758,11 @@ main(int ac, char **av)
|
|
|
d7ff6e |
*/
|
|
|
d7ff6e |
(void)atomicio(vwrite, startup_pipe, "\0", 1);
|
|
|
d7ff6e |
}
|
|
|
d7ff6e |
- }
|
|
|
d7ff6e |
- else if (strcasecmp(config_file_name, "none") != 0)
|
|
|
d7ff6e |
+ } else if (strcasecmp(config_file_name, "none") != 0)
|
|
|
d7ff6e |
load_server_config(config_file_name, cfg);
|
|
|
d7ff6e |
|
|
|
d7ff6e |
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
|
|
d7ff6e |
- cfg, NULL);
|
|
|
d7ff6e |
+ cfg, &includes, NULL);
|
|
|
d7ff6e |
|
|
|
58886c |
/* 'UsePAM no' is not supported in RHEL */
|
|
|
d7ff6e |
if (! options.use_pam)
|
|
|
d7ff6e |
@@ -1946,7 +1978,7 @@ main(int ac, char **av)
|
|
|
d7ff6e |
if (connection_info == NULL)
|
|
|
d7ff6e |
connection_info = get_connection_info(ssh, 0, 0);
|
|
|
d7ff6e |
connection_info->test = 1;
|
|
|
d7ff6e |
- parse_server_match_config(&options, connection_info);
|
|
|
d7ff6e |
+ parse_server_match_config(&options, &includes, connection_info);
|
|
|
d7ff6e |
dump_config(&options);
|
|
|
d7ff6e |
}
|
|
|
d7ff6e |
|
|
|
b3b6ef |
diff -up openssh-8.0p1/sshbuf-getput-basic.c.stringb openssh-8.0p1/sshbuf-getput-basic.c
|
|
|
b3b6ef |
--- openssh-8.0p1/sshbuf-getput-basic.c.stringb 2022-12-21 12:18:43.274799163 +0100
|
|
|
b3b6ef |
+++ openssh-8.0p1/sshbuf-getput-basic.c 2022-12-21 12:19:19.758081516 +0100
|
|
|
b3b6ef |
@@ -371,6 +371,9 @@ sshbuf_put_cstring(struct sshbuf *buf, c
|
|
|
b3b6ef |
int
|
|
|
b3b6ef |
sshbuf_put_stringb(struct sshbuf *buf, const struct sshbuf *v)
|
|
|
b3b6ef |
{
|
|
|
b3b6ef |
+ if (v == NULL)
|
|
|
b3b6ef |
+ return sshbuf_put_string(buf, NULL, 0);
|
|
|
b3b6ef |
+
|
|
|
b3b6ef |
return sshbuf_put_string(buf, sshbuf_ptr(v), sshbuf_len(v));
|
|
|
b3b6ef |
}
|
|
|
b3b6ef |
|