diff --git a/ChangeLog b/ChangeLog
index b5fdc2e4a..369fcbfbf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@
  - markus@cvs.openbsd.org 2004/12/23 17:38:07
    [ssh-keygen.c]
    leak; from mpech
+ - djm@cvs.openbsd.org 2004/12/23 23:11:00
+   [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
+   bz #898: support AddressFamily in sshd_config. from
+   peak@argo.troja.mff.cuni.cz; ok deraadt@
 
 20050118
  - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
@@ -1978,4 +1982,4 @@
  - (djm) Trim deprecated options from INSTALL. Mention UsePAM
  - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3610 2005/01/19 23:56:31 dtucker Exp $
+$Id: ChangeLog,v 1.3611 2005/01/19 23:57:56 dtucker Exp $
diff --git a/servconf.c b/servconf.c
index fae3c658e..541a9c85b 100644
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.137 2004/08/13 11:09:24 dtucker Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.138 2004/12/23 23:11:00 djm Exp $");
 
 #include "ssh.h"
 #include "log.h"
@@ -26,8 +26,6 @@ RCSID("$OpenBSD: servconf.c,v 1.137 2004/08/13 11:09:24 dtucker Exp $");
 static void add_listen_addr(ServerOptions *, char *, u_short);
 static void add_one_listen_addr(ServerOptions *, char *, u_short);
 
-/* AF_UNSPEC or AF_INET or AF_INET6 */
-extern int IPv4or6;
 /* Use of privilege separation or not */
 extern int use_privsep;
 
@@ -45,6 +43,7 @@ initialize_server_options(ServerOptions *options)
 	options->num_ports = 0;
 	options->ports_from_cmdline = 0;
 	options->listen_addrs = NULL;
+	options->address_family = -1;
 	options->num_host_key_files = 0;
 	options->pid_file = NULL;
 	options->server_key_bits = -1;
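Review bot: The `-1` stored into `options->address_family` in initialize_server_options() is a distinct "not set" state beside AF_UNSPEC/AF_INET/AF_INET6, and nothing on that line records who is responsible for replacing it before the value reaches getaddrinfo(). From the other hunks in this commit the answer is -4/-6, the AddressFamily keyword, or add_listen_addr(), but a reader of this function alone cannot see that. Suggest documenting the sentinel where it is created: `options->address_family = -1;	/* unset: -4/-6, AddressFamily or add_listen_addr() will pick one */`. The body of initialize_server_options() continues outside the hunk.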
@@ -258,7 +257,8 @@ typedef enum {
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 	sKerberosGetAFSToken,
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
-	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
+	sPasswordAuthentication, sKbdInteractiveAuthentication,
+	sListenAddress, sAddressFamily,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
@@ -335,6 +335,7 @@ static struct {
 	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
 	{ "checkmail", sDeprecated },
 	{ "listenaddress", sListenAddress },
+	{ "addressfamily", sAddressFamily },
 	{ "printmotd", sPrintMotd },
 	{ "printlastlog", sPrintLastLog },
 	{ "ignorerhosts", sIgnoreRhosts },
@@ -401,6 +402,8 @@ add_listen_addr(ServerOptions *options, char *addr, u_short port)
 
 	if (options->num_ports == 0)
 		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
+	if (options->address_family == -1)
+		options->address_family = AF_UNSPEC;
 	if (port == 0)
 		for (i = 0; i < options->num_ports; i++)
 			add_one_listen_addr(options, addr, options->ports[i]);
@@ -416,7 +419,7 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
 	int gaierr;
 
 	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = IPv4or6;
+	hints.ai_family = options->address_family;
 	hints.ai_socktype = SOCK_STREAM;
 	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
 	snprintf(strport, sizeof strport, "%u", port);
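Review bot: The new `if (options->address_family == -1)` in add_listen_addr() pins the family to AF_UNSPEC as a side effect of adding a listen address, which is exactly what forces the parser's "AddressFamily before ListenAddress" rule, yet neither line says so. Suggest a comment above the check: `/* First ListenAddress fixes the family: whatever -4/-6 or AddressFamily did not choose becomes "any" */`. The next hunk feeds `options->address_family` straight into `hints.ai_family`, so any other caller of add_one_listen_addr() that skips this check would hand -1 to getaddrinfo(); stating the invariant here makes that easier to keep true. add_listen_addr() starts before this hunk.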
@@ -544,6 +547,25 @@ parse_time:
 			    filename, linenum);
 		break;
 
+	case sAddressFamily:
+		arg = strdelim(&cp);
+		intptr = &options->address_family;
+		if (options->listen_addrs != NULL)
+			fatal("%s line %d: address family must be specified before "
+			    "ListenAddress.", filename, linenum);
+		if (strcasecmp(arg, "inet") == 0)
+			value = AF_INET;
+		else if (strcasecmp(arg, "inet6") == 0)
+			value = AF_INET6;
+		else if (strcasecmp(arg, "any") == 0)
+			value = AF_UNSPEC;
+		else
+			fatal("%s line %d: unsupported address family \"%s\".",
+			    filename, linenum, arg);
+		if (*intptr == -1)
+			*intptr = value;
+		break;
+
 	case sHostKeyFile:
 		intptr = &options->num_host_key_files;
 		if (*intptr >= MAX_HOSTKEYS)
diff --git a/servconf.h b/servconf.h
index ebd056814..f7e56d521 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.70 2004/06/24 19:30:54 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.71 2004/12/23 23:11:00 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen
@@ -43,6 +43,7 @@ typedef struct {
 	u_short ports[MAX_PORTS];	/* Port number to listen on. */
 	char *listen_addr;		/* Address on which the server listens. */
 	struct addrinfo *listen_addrs;	/* Addresses on which the server listens. */
+	int address_family;		/* Address family used by the server. */
 	char *host_key_files[MAX_HOSTKEYS];	/* Files containing host keys. */
 	int num_host_key_files;     /* Number of files for host keys. */
 	char *pid_file;	/* Where to put our pid */
diff --git a/sshd.c b/sshd.c
index 92b1df10c..89f36a474 100644
--- a/sshd.c
+++ b/sshd.c
@@ -42,7 +42,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.304 2004/09/25 03:45:14 djm Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.305 2004/12/23 23:11:00 djm Exp $");
 
 #include
 #include
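Review bot: `arg = strdelim(&cp)` in the new sAddressFamily case is passed to `strcasecmp()` without a NULL/empty check, so a config line consisting of just `AddressFamily` (where strdelim() presumably hands back NULL once the line is exhausted, as for the other keywords) dereferences NULL in the parser instead of producing a diagnostic. Add the usual missing-argument guard before the comparisons: `if (!arg || *arg == '\0') fatal("%s line %d: missing address family.", filename, linenum);`. Separately, the `listen_addrs != NULL` fatal makes the keyword order-dependent, and the sshd_config.5 text added by this commit does not say that AddressFamily must precede any ListenAddress; one sentence there would spare administrators a fatal at startup. The enclosing switch starts and ends outside the hunk.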
@@ -111,12 +111,6 @@ ServerOptions options;
 /* Name of the server configuration file. */
 char *config_file_name = _PATH_SERVER_CONFIG_FILE;
 
-/*
- * Flag indicating whether IPv4 or IPv6. This can be set on the command line.
- * Default value is AF_UNSPEC means both IPv4 and IPv6.
- */
-int IPv4or6 = AF_UNSPEC;
-
 /*
  * Debug mode flag. This can be set on the command line. If debug
  * mode is enabled, extra debugging output will be sent to the system
@@ -920,10 +914,10 @@ main(int ac, char **av)
 	while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:dDeiqrtQR46")) != -1) {
 		switch (opt) {
 		case '4':
-			IPv4or6 = AF_INET;
+			options.address_family = AF_INET;
 			break;
 		case '6':
-			IPv4or6 = AF_INET6;
+			options.address_family = AF_INET6;
 			break;
 		case 'f':
 			config_file_name = optarg;
@@ -1024,7 +1018,6 @@ main(int ac, char **av)
 	closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
 
 	SSLeay_add_all_algorithms();
-	channel_set_af(IPv4or6);
 
 	/*
 	 * Force logging to stderr until we have loaded the private host
@@ -1074,6 +1067,9 @@ main(int ac, char **av)
 	/* Fill in default values for those options not explicitly set. */
 	fill_default_server_options(&options);
 
+	/* set default channel AF */
+	channel_set_af(options.address_family);
+
 	/* Check that there are no remaining arguments. */
 	if (optind < ac) {
 		fprintf(stderr, "Extra argument %s.\n", av[optind]);
diff --git a/sshd_config b/sshd_config
index 65e6f1c32..53ae9942e 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
+# $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -12,6 +12,7 @@
 
 #Port 22
 #Protocol 2,1
+#AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
diff --git a/sshd_config.5 b/sshd_config.5
index 50b9a89b1..07f91b6ed 100644
--- a/sshd_config.5
+++ b/sshd_config.5
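Review bot: `case '4'`/`case '6'` now write `options.address_family` during option parsing, and the config parser (servconf.c hunk in this commit) keeps that choice over an AddressFamily keyword only because it tests for the -1 sentinel; so the command line wins only if initialize_server_options() has already run before this getopt loop and nothing re-initializes `options` afterwards. That ordering is not visible in the hunk, so it deserves a comment at the first assignment: `/* options must already be initialized here; a non -1 value is what makes -4/-6 override AddressFamily */`. main() starts and ends outside the hunk.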
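Review bot: channel_set_af() is now called after fill_default_server_options(), and the value it receives is a real address family only if that function (outside the hunk) always ends up in add_listen_addr(), where -1 is replaced by AF_UNSPEC; should any path leave the family untouched, channel_set_af(-1) follows silently. The one-word comment `/* set default channel AF */` should say why the call sits here rather than where it was: `/* Must follow config loading: -4/-6, AddressFamily and the ListenAddress default all feed options.address_family */`. A defensive `if (options.address_family == -1) options.address_family = AF_UNSPEC;` in front of the call would make the assumption harmless. main() continues outside the hunk.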
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.36 2004/09/15 03:25:41 jaredy Exp $
+.\" $OpenBSD: sshd_config.5,v 1.37 2004/12/23 23:11:00 djm Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -83,6 +83,17 @@ Be warned that some environment variables could be used to bypass restricted
 user environments.
 For this reason, care should be taken in the use of this directive.
 The default is not to accept any environment variables.
+.It Cm AddressFamily
+Specifies which address family should be used by
+.Nm sshd .
+Valid arguments are
+.Dq any ,
+.Dq inet
+(use IPv4 only) or
+.Dq inet6
+(use IPv6 only).
+The default is
+.Dq any .
 .It Cm AllowGroups
 This keyword can be followed by a list of group name patterns,
 separated by spaces.