[PATCH] add more None-able options in match clause

Hello,

There are some options in the sshd configuration which can be
specified globally, and overridden in a Match clause with a value of
none that I don't think are correctly handled.

For example:

AuthorizedPrincipalsFile /etc/ssh/auth_principals/auth_principals_%u
Match Group users
  AuthorizedPrincipalsFile none

This would cause sshd to use ~/none for the authorized principals file
rather than store a NULL value for members of users.  According to the
manpage these keys can have a value of none.

I extended the scope of CLEAR_ON_NONE to handle these, and this could
additionally be used for dst->adm_forced_command and
dst->chroot_directory just below.

Url: https://git.io/JvRNI
---
diff --git a/servconf.c b/servconf.c
index 353bcc97..5e0a7f50 100644
--- a/servconf.c
+++ b/servconf.c
@@ -458,7 +458,6 @@ fill_default_server_options(ServerOptions *options)
                CLEAR_ON_NONE(options->host_key_files[i]);
        for (i = 0; i < options->num_host_cert_files; i++)
                CLEAR_ON_NONE(options->host_cert_files[i]);
-#undef CLEAR_ON_NONE

        /* Similar handling for AuthenticationMethods=any */
        if (options->num_auth_methods == 1 &&
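Review bot: dropping the `#undef CLEAR_ON_NONE` here leaves a macro that fill_default_server_options defines for its own body in effect for every function between this point and the new `#undef` after copy_set_server_options. That compiles, but it hides the dependency: a reader of copy_set_server_options cannot see where CLEAR_ON_NONE comes from, and any later local macro of the same name in between would collide. Define it once at file scope next to M_CP_INTOPT/M_CP_STROPT/M_CP_STRARRAYOPT (or re-define it at the top of copy_set_server_options) instead of relying on the leaked definition.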
@@ -2390,6 +2389,11 @@ copy_set_server_options(ServerOptions *dst,
ServerOptions *src, int preauth)
        /* See comment in servconf.h */
        COPY_MATCH_STRING_OPTS();

+       CLEAR_ON_NONE(dst->banner);
+       CLEAR_ON_NONE(dst->trusted_user_ca_keys);
+       CLEAR_ON_NONE(dst->revoked_keys_file);
+       CLEAR_ON_NONE(dst->authorized_principals_file);
+
        /* Arguments that accept '+...' need to be expanded */
        assemble_algorithms(dst);

@@ -2412,7 +2416,7 @@ copy_set_server_options(ServerOptions *dst,
ServerOptions *src, int preauth)
                dst->chroot_directory = NULL;
        }
 }
-
+#undef CLEAR_ON_NONE
 #undef M_CP_INTOPT
 #undef M_CP_STROPT
 #undef M_CP_STRARRAYOPT
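Review bot: the tail of copy_set_server_options (the block ending in `dst->chroot_directory = NULL;` above) still clears adm_forced_command and chroot_directory by hand, while the macro is now in scope there and the cover letter itself points this out; convert those two blocks in the same patch so the file has one idiom for "none" handling. Also keep the blank line between the closing brace and the `#undef` lines rather than replacing it with `#undef CLEAR_ON_NONE`, to match the layout the file already uses.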
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
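The scenario in the report, as an added example that is not OpenSSH code and not part of the original message: a toy model of a global option being overridden by a Match block, with the clear-on-none test applied only at the global level (the reported behaviour, where the literal string "none" survives the merge and is later treated as a file under the user's home) and then also after the Match merge (what the patch does). The struct, function names, the home-relative path rule and the omission of percent expansion are all assumptions of this model.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenSSH code. Only AuthorizedPrincipalsFile is modelled. */
struct opts {
    char *authorized_principals_file; /* NULL: option not set / disabled */
};

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL) { perror("malloc"); exit(1); }
    memcpy(p, s, n);
    return p;
}

/* Unset, empty, or "none" in any case disables the option. */
static int clear_or_none(const char *o)
{
    const char *n = "none";
    if (o == NULL || *o == '\0')
        return 1;
    for (; *o && *n; o++, n++)
        if (tolower((unsigned char)*o) != *n)
            return 0;
    return *o == '\0' && *n == '\0';
}

static void clear_if_none(char **v)
{
    if (clear_or_none(*v)) {
        free(*v);
        *v = NULL;
    }
}

/* Global section: a top-level "none" is cleared here (this already worked). */
static void fill_defaults(struct opts *o)
{
    clear_if_none(&o->authorized_principals_file);
}

/*
 * Match merge: the Match value replaces the global one when set.
 * clear_after_merge == 0 reproduces the reported behaviour (the literal
 * string "none" survives); 1 reproduces the patch (cleared to NULL).
 */
static void copy_match(struct opts *dst, const struct opts *src, int clear_after_merge)
{
    if (src->authorized_principals_file != NULL) {
        free(dst->authorized_principals_file);
        dst->authorized_principals_file = dup_str(src->authorized_principals_file);
    }
    if (clear_after_merge)
        clear_if_none(&dst->authorized_principals_file);
}

/*
 * Path the authentication code would open. Model assumption, as in the
 * report: a relative name is taken under the user's home. Percent expansion
 * (%u etc.) is left out. Returns a malloc'd path, or NULL when disabled.
 */
static char *resolve_for_user(const struct opts *o, const char *home)
{
    const char *f = o->authorized_principals_file;
    size_t n;
    char *p;

    if (f == NULL)
        return NULL;
    if (f[0] == '/')
        return dup_str(f);
    n = strlen(home) + 1 + strlen(f) + 1;
    p = malloc(n);
    if (p == NULL) { perror("malloc"); exit(1); }
    snprintf(p, n, "%s/%s", home, f);
    return p;
}

/* Constructed scenario from the report: global file set, "Match Group users" sets none. */
static char *effective_file(int clear_after_merge, const char *home)
{
    struct opts global = { dup_str("/etc/ssh/auth_principals/auth_principals_%u") };
    struct opts match  = { dup_str("none") };
    char *r;

    fill_defaults(&global);
    copy_match(&global, &match, clear_after_merge);
    r = resolve_for_user(&global, home);

    free(global.authorized_principals_file);
    free(match.authorized_principals_file);
    return r;
}

int main(void)
{
    char *before = effective_file(0, "/home/alice");
    char *after  = effective_file(1, "/home/alice");
    printf("clear only at global level: %s\n", before ? before : "(disabled)");
    printf("clear after Match merge:    %s\n", after ? after : "(disabled)");
    free(before);
    free(after);
    return 0;
}
```

The point the model makes is that clearing on "none" only in the defaults pass is not enough: a Match block is merged later, so the same test has to run on the merged value, which is where the patch places it.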