author | 2015-11-13 04:38:06 +0000 | |
---|---|---|
committer | 2015-11-13 04:38:06 +0000 | |
commit | e0eb783bda94e1e77764c0b430bab9dd8655b43f (patch) | |
tree | 73d65a310cbe6a92319915705371906bb9a93ee8 | |
parent | support multiple certificates (one per line) and reading from (diff) | |
Support "none" as an argument for sshd_config ForceCommand and
ChrootDirectory. Useful inside Match blocks to override a global
default. bz#2486 ok dtucker@
-rw-r--r-- | usr.bin/ssh/servconf.c | 13 | ||||
-rw-r--r-- | usr.bin/ssh/sshd_config.5 | 8 |
2 files changed, 18 insertions, 3 deletions
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 4f05b5727d9..1457ddd206f 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.282 2015/10/29 08:05:01 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.283 2015/11/13 04:38:06 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -356,6 +356,8 @@ fill_default_server_options(ServerOptions *options)
 CLEAR_ON_NONE(options->trusted_user_ca_keys);
 CLEAR_ON_NONE(options->revoked_keys_file);
 CLEAR_ON_NONE(options->authorized_principals_file);
+ CLEAR_ON_NONE(options->adm_forced_command);
+ CLEAR_ON_NONE(options->chroot_directory);
 for (i = 0; i < options->num_host_key_files; i++)
 CLEAR_ON_NONE(options->host_key_files[i]);
 for (i = 0; i < options->num_host_cert_files; i++)
@@ -1982,8 +1984,17 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 if (preauth)
 return;
+ /* These options may be "none" to clear a global setting */
 M_CP_STROPT(adm_forced_command);
+ if (option_clear_or_none(dst->adm_forced_command)) {
+ free(dst->adm_forced_command);
+ dst->adm_forced_command = NULL;
+ }
 M_CP_STROPT(chroot_directory);
+ if (option_clear_or_none(dst->chroot_directory)) {
+ free(dst->chroot_directory);
+ dst->chroot_directory = NULL;
+ }
 }
 #undef M_CP_INTOPT
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5
index 9dc20bace1a..8e73fb80dce 100644
--- a/usr.bin/ssh/sshd_config.5
+++ b/usr.bin/ssh/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.214 2015/11/13 02:57:46 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.215 2015/11/13 04:38:06 djm Exp $
 .Dd $Mdocdate: November 13 2015 $
 .Dt SSHD_CONFIG 5
 .Os
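Review bot: The two added `if (option_clear_or_none(dst->...))` blocks in copy_set_server_options free the string that M_CP_STROPT has just stored in dst; if that macro (defined outside this hunk) assigns src's pointer rather than copying it, src is left holding a freed pointer, which turns into a use-after-free or double free should any caller later read or release src. Clearing the matching src field before the free, and folding the repeated copy-then-clear sequence into one helper macro, removes both the hazard and the duplication; the helper would need its own `#undef` next to `#undef M_CP_INTOPT`. Because a Match block can now lift a global ForceCommand or ChrootDirectory, the comment above these lines could say so directly, e.g. `/* "none" in a Match block removes the global restriction for that connection */`. The function body starts outside the hunk.

```c
/* Copy a string option; a value of "none" clears it instead of being stored. */
#define M_CP_STROPT_NONE(n) do { \
	M_CP_STROPT(n); \
	if (option_clear_or_none(dst->n)) { \
		if (src->n == dst->n) \
			src->n = NULL;	/* keep src from pointing at freed memory */ \
		free(dst->n); \
		dst->n = NULL; \
	} \
} while (0)

	/* ... unchanged: preauth early return ... */
	M_CP_STROPT_NONE(adm_forced_command);
	M_CP_STROPT_NONE(chroot_directory);
```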
@@ -433,7 +433,9 @@ Misconfiguration can lead to unsafe environments which .Xr sshd 8 cannot detect. .Pp -The default is not to +The default is +.Dq none , +indicating not to .Xr chroot 2 . .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. @@ -600,6 +602,8 @@ Specifying a command of will force the use of an in-process sftp server that requires no support files when used with .Cm ChrootDirectory . +The default is +.Dq none . .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to ports forwarded for the client. |