[servconf.c servconf.h sshd_config.5]
     sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
     this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
     ok djm@ (back in March)
Damien Miller 2012-06-20 21:53:58 +10:00
parent 36378c6413
commit c24da77015
4 changed files with 37 additions and 13 deletions


@ -42,6 +42,11 @@
[ssh.1]
Clarify description of -W. Noted by Steve.McClellan at radisys com,
ok jmc
- markus@cvs.openbsd.org 2012/06/19 18:25:28
[servconf.c servconf.h sshd_config.5]
sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
ok djm@ (back in March)
20120519
- (dtucker) [configure.ac] bz#2010: fix non-portable shell construct. Patch


@ -1,5 +1,5 @@
/* $OpenBSD: servconf.c,v 1.226 2012/05/13 01:42:32 dtucker Exp $ */
/* $OpenBSD: servconf.c,v 1.227 2012/06/19 18:25:27 markus Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@ -420,10 +420,10 @@ static struct {
{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
{ "allowusers", sAllowUsers, SSHCFG_ALL },
{ "denyusers", sDenyUsers, SSHCFG_ALL },
{ "allowgroups", sAllowGroups, SSHCFG_ALL },
{ "denygroups", sDenyGroups, SSHCFG_ALL },
{ "ciphers", sCiphers, SSHCFG_GLOBAL },
{ "macs", sMacs, SSHCFG_GLOBAL },
{ "protocol", sProtocol, SSHCFG_GLOBAL },
@ -441,7 +441,7 @@ static struct {
{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
{ "match", sMatch, SSHCFG_ALL },
{ "permitopen", sPermitOpen, SSHCFG_ALL },
@ -1148,6 +1148,8 @@ process_server_config_line(ServerOptions *options, char *line,
if (options->num_allow_users >= MAX_ALLOW_USERS)
fatal("%s line %d: too many allow users.",
filename, linenum);
if (!*activep)
continue;
options->allow_users[options->num_allow_users++] =
xstrdup(arg);
}
@ -1158,6 +1160,8 @@ process_server_config_line(ServerOptions *options, char *line,
if (options->num_deny_users >= MAX_DENY_USERS)
fatal("%s line %d: too many deny users.",
filename, linenum);
if (!*activep)
continue;
options->deny_users[options->num_deny_users++] =
xstrdup(arg);
}
@ -1168,6 +1172,8 @@ process_server_config_line(ServerOptions *options, char *line,
if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
fatal("%s line %d: too many allow groups.",
filename, linenum);
if (!*activep)
continue;
options->allow_groups[options->num_allow_groups++] =
xstrdup(arg);
}
@ -1178,7 +1184,10 @@ process_server_config_line(ServerOptions *options, char *line,
if (options->num_deny_groups >= MAX_DENY_GROUPS)
fatal("%s line %d: too many deny groups.",
filename, linenum);
options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
if (!*activep)
continue;
options->deny_groups[options->num_deny_groups++] =
xstrdup(arg);
}
break;
@ -1352,7 +1361,7 @@ process_server_config_line(ServerOptions *options, char *line,
fatal("%s line %d: too many allow env.",
filename, linenum);
if (!*activep)
break;
continue;
options->accept_env[options->num_accept_env++] =
xstrdup(arg);
}
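Review bot: In the AllowUsers, DenyUsers, AllowGroups and DenyGroups loops, and in the AcceptEnv loop of the last hunk, the `too many ...` limit is tested against a counter that only advances on the active path, so a list longer than the MAX_* limit inside a Match block that is inactive during parsing is skipped without complaint. If Match blocks are inactive when the configuration is first checked, which these hunks do not show, the overflow would only reach `fatal()` later, when a connection activates the block; a mistake in an access-control list is better rejected at startup. Consider counting the arguments seen on the line in a local variable for the limit check, and document the skip with a comment such as `/* inactive Match block: consume the arguments, store nothing */`. process_server_config_line begins and ends outside these hunks.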


@ -1,4 +1,4 @@
/* $OpenBSD: servconf.h,v 1.101 2012/05/13 01:42:32 dtucker Exp $ */
/* $OpenBSD: servconf.h,v 1.102 2012/06/19 18:25:28 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -192,6 +192,11 @@ struct connection_info {
M_CP_STROPT(revoked_keys_file); \
M_CP_STROPT(authorized_principals_file); \
M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
M_CP_STRARRAYOPT(allow_users, num_allow_users); \
M_CP_STRARRAYOPT(deny_users, num_deny_users); \
M_CP_STRARRAYOPT(allow_groups, num_allow_groups); \
M_CP_STRARRAYOPT(deny_groups, num_deny_groups); \
M_CP_STRARRAYOPT(accept_env, num_accept_env); \
} while (0)
struct connection_info *get_connection_info(int, int);
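Review bot: Nothing at the five new `M_CP_STRARRAYOPT` lines says whether an allow, deny or AcceptEnv list set in a Match block replaces the global list or is merged with it, and for the deny lists that difference decides who can log in. The definition of `M_CP_STRARRAYOPT` is outside this hunk; if it overwrites the destination whenever the source list is non-empty, a `DenyUsers` line inside a Match block would drop the global DenyUsers entries for matching connections, which an administrator may well read the other way. Once the behaviour is confirmed, state it in a comment above the macro, for example `/* string arrays set in a Match block replace the global list; they are not merged */`, and repeat the rule in sshd_config.5. The enclosing macro starts above the hunk.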


@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.140 2012/05/19 06:30:30 dtucker Exp $
.Dd $Mdocdate: May 19 2012 $
.\" $OpenBSD: sshd_config.5,v 1.141 2012/06/19 18:25:28 markus Exp $
.Dd $Mdocdate: June 19 2012 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
@ -707,15 +707,20 @@ Only a subset of keywords may be used on the lines following a
.Cm Match
keyword.
Available keywords are
.Cm AcceptEnv
.Cm AllowAgentForwarding ,
.Cm AllowGroups .
.Cm AllowTcpForwarding ,
.Cm AllowUsers ,
.Cm AuthorizedKeysFile ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
.Cm DenyGroups ,
.Cm DenyUsers ,
.Cm ForceCommand ,
.Cm GatewayPorts ,
.Cm GSSAPIAuthentication ,
.Cm GatewayPorts ,
.Cm HostbasedAuthentication ,
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
@ -728,8 +733,8 @@ Available keywords are
.Cm PermitRootLogin ,
.Cm PermitTunnel ,
.Cm PubkeyAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm X11DisplayOffset ,
.Cm X11Forwarding
and