authorDarren Tucker <dtucker@cvs.openbsd.org>2017-11-03 03:18:54 +0000
committerDarren Tucker <dtucker@cvs.openbsd.org>2017-11-03 03:18:54 +0000
commita597fff09493e4e550bdc1ae5ff1b8069f6a754a (patch)
tree8d664f353599d757824abab300ee83a6a23063f3 /usr.bin
parent3dac79f18f32618c72c89e7b455b01cebf8e9171 (diff)
When doing a config test with sshd -T, only require the attributes
that are actually used in Match criteria rather than (an incomplete list of) all criteria. ok djm@, man page help jmc@
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/servconf.c47
-rw-r--r--usr.bin/ssh/sshd.823
-rw-r--r--usr.bin/ssh/sshd.c18
3 files changed, 46 insertions, 42 deletions
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index cb55d7760b3..7c3b74c8b6f 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.318 2017/10/25 02:10:39 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.319 2017/11/03 03:18:53 dtucker Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -870,6 +870,13 @@ out:
return result;
}
+static void
+match_test_missing_fatal(const char *criteria, const char *attrib)
+{
+ fatal("'Match %s' in configuration but '%s' not in connection "
+ "test specification.", criteria, attrib);
+}
+
/*
* All of the attributes on a single Match line are ANDed together, so we need
* to check every attribute and set the result to zero if any attribute does
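Review bot: match_test_missing_fatal has no comment saying when it is expected to fire, and its message presumes the caller is evaluating a `-C` connection test specification even though, as far as these hunks show, match_cfg_line has no way to tell test mode from a live server. A short header comment would make the contract explicit, e.g. `/* Abort a config test (sshd -T) whose -C spec lacks an attribute that a Match line needs. Must only be reached for a test-mode connection_info. */`. It would also help to state that the helper never returns (fatal() presumably does not return), since the callers fall straight through to dereferencing the very field that was just found to be NULL.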
@@ -907,20 +914,24 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
return -1;
}
if (strcasecmp(attrib, "user") == 0) {
- if (ci == NULL || ci->user == NULL) {
+ if (ci == NULL) {
result = 0;
continue;
}
+ if (ci->user == NULL)
+ match_test_missing_fatal("User", "user");
if (match_pattern_list(ci->user, arg, 0) != 1)
result = 0;
else
debug("user %.100s matched 'User %.100s' at "
"line %d", ci->user, arg, line);
} else if (strcasecmp(attrib, "group") == 0) {
- if (ci == NULL || ci->user == NULL) {
+ if (ci == NULL) {
result = 0;
continue;
}
+ if (ci->user == NULL)
+ match_test_missing_fatal("Group", "user");
switch (match_cfg_line_group(arg, line, ci->user)) {
case -1:
return -1;
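Review bot: The new `ci->user == NULL` check at the User and Group branches turns a condition the old code merely treated as "no match" into a fatal() exit, but nothing in the hunk restricts it to test mode. If match_cfg_line is ever reached in the live server with a populated connection_info before the user name is known, a `Match User` or `Match Group` line would now terminate sshd instead of being skipped; whether such a call path exists cannot be seen from this diff and should be confirmed. The same pattern is applied to Host and Address in the next hunk and to LocalAddress and LocalPort in the two after it, so if a guard is needed it belongs in all of them, e.g. keeping `ci->user == NULL` in the skip condition unless the connection_info is marked as a test specification. match_cfg_line begins and ends outside this hunk.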
@@ -928,20 +939,24 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
result = 0;
}
} else if (strcasecmp(attrib, "host") == 0) {
- if (ci == NULL || ci->host == NULL) {
+ if (ci == NULL) {
result = 0;
continue;
}
+ if (ci->host == NULL)
+ match_test_missing_fatal("Host", "host");
if (match_hostname(ci->host, arg) != 1)
result = 0;
else
debug("connection from %.100s matched 'Host "
"%.100s' at line %d", ci->host, arg, line);
} else if (strcasecmp(attrib, "address") == 0) {
- if (ci == NULL || ci->address == NULL) {
+ if (ci == NULL) {
result = 0;
continue;
}
+ if (ci->address == NULL)
+ match_test_missing_fatal("Address", "addr");
switch (addr_match_list(ci->address, arg)) {
case 1:
debug("connection from %.100s matched 'Address "
@@ -955,10 +970,13 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
return -1;
}
} else if (strcasecmp(attrib, "localaddress") == 0){
- if (ci == NULL || ci->laddress == NULL) {
+ if (ci == NULL) {
result = 0;
continue;
}
+ if (ci->laddress == NULL)
+ match_test_missing_fatal("LocalAddress",
+ "laddr");
switch (addr_match_list(ci->laddress, arg)) {
case 1:
debug("connection from %.100s matched "
@@ -978,10 +996,12 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
arg);
return -1;
}
- if (ci == NULL || ci->lport == 0) {
+ if (ci == NULL) {
result = 0;
continue;
}
+ if (ci->lport == 0)
+ match_test_missing_fatal("LocalPort", "lport");
/* TODO support port lists */
if (port == ci->lport)
debug("connection from %.100s matched "
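Review bot: The per-attribute missing-fatal treatment is added for User, Group, Host, Address, LocalAddress and LocalPort, but no hunk touches the RDomain criterion even though the sshd.8 change in this commit lists `rdomain` as a `-C` keyword alongside the others. If the rdomain branch still uses the old combined `ci == NULL || ci->rdomain == NULL` skip, a `Match RDomain` line tested with a spec that omits rdomain silently evaluates as no-match rather than producing the new error; that branch is outside the visible hunks, so this should be checked. Also note that LocalPort uses `ci->lport == 0` as its "not supplied" sentinel, so it is worth confirming that parse_server_match_testspec rejects an explicit `lport=0` rather than letting it read as missing. match_cfg_line continues beyond this hunk.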
@@ -2054,19 +2074,6 @@ int parse_server_match_testspec(struct connection_info *ci, char *spec)
}
/*
- * returns 1 for a complete spec, 0 for partial spec and -1 for an
- * empty spec.
- */
-int server_match_spec_complete(struct connection_info *ci)
-{
- if (ci->user && ci->host && ci->address)
- return 1; /* complete */
- if (!ci->user && !ci->host && !ci->address)
- return -1; /* empty */
- return 0; /* partial */
-}
-
-/*
* Copy any supported values that are set.
*
* If the preauth flag is set, we do not bother copying the string or
diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index 7335c6ff995..da08a7911e8 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.292 2017/10/25 00:19:47 djm Exp $
-.Dd $Mdocdate: October 25 2017 $
+.\" $OpenBSD: sshd.8,v 1.293 2017/11/03 03:18:53 dtucker Exp $
+.Dd $Mdocdate: November 3 2017 $
.Dt SSHD 8
.Os
.Sh NAME
@@ -100,21 +100,22 @@ Specify the connection parameters to use for the
extended test mode.
If provided, any
.Cm Match
-directives in the configuration file
-that would apply to the specified user, host, and address will be set before
-the configuration is written to standard output.
-The connection parameters are supplied as keyword=value pairs.
+directives in the configuration file that would apply are applied before the
+configuration is written to standard output.
+The connection parameters are supplied as keyword=value pairs and may be
+supplied in any order, either with multiple
+.Fl C
+options or as a comma-separated list.
The keywords are
+.Dq addr,
.Dq user ,
.Dq host ,
.Dq laddr ,
.Dq lport ,
-.Dq rdomain
and
-.Dq addr .
-All are required and may be supplied in any order, either with multiple
-.Fl C
-options or as a comma-separated list.
+.Dq rdomain
+and correspond to source address, user, resolved source host name,
+local address, local port number and routing domain respectively.
.It Fl c Ar host_certificate_file
Specifies a path to a certificate file to identify
.Nm
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index e3a86d69421..b00c9ccb090 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.497 2017/10/27 00:18:41 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.498 2017/11/03 03:18:53 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1338,7 +1338,7 @@ main(int ac, char **av)
struct sshkey *pubkey;
int keytype;
Authctxt *authctxt;
- struct connection_info *connection_info = get_connection_info(0, 0);
+ struct connection_info *connection_info = NULL;
ssh_malloc_init(); /* must be called before any mallocs */
/* Save argv. */
@@ -1435,6 +1435,7 @@ main(int ac, char **av)
test_flag = 2;
break;
case 'C':
+ connection_info = get_connection_info(0, 0);
if (parse_server_match_testspec(connection_info,
optarg) == -1)
exit(1);
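Review bot: `connection_info = get_connection_info(0, 0)` is now executed once per `-C` option, and the man page change in this commit promises that several `-C` options may be combined. That only works if get_connection_info(0, 0) returns the same object on every call without resetting its fields; the function is not in the diff, so this is an assumption to confirm, and a comment at the assignment would document it, e.g. `/* Same (static) connection_info on every -C; keywords accumulate. */`. main continues outside this hunk.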
@@ -1489,14 +1490,10 @@ main(int ac, char **av)
sensitive_data.have_ssh2_key = 0;
/*
- * If we're doing an extended config test, make sure we have all of
- * the parameters we need. If we're not doing an extended test,
- * do not silently ignore connection test params.
+ * If we're not doing an extended test do not silently ignore connection
+ * test params.
*/
- if (test_flag >= 2 && server_match_spec_complete(connection_info) == 0)
- fatal("user, host and addr are all required when testing "
- "Match configs");
- if (test_flag < 2 && server_match_spec_complete(connection_info) >= 0)
+ if (test_flag < 2 && connection_info != NULL)
fatal("Config test connection parameter (-C) provided without "
"test mode (-T)");
@@ -1682,8 +1679,7 @@ main(int ac, char **av)
}
if (test_flag > 1) {
- if (server_match_spec_complete(connection_info) == 1)
- parse_server_match_config(&options, connection_info);
+ parse_server_match_config(&options, connection_info);
dump_config(&options);
}
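Review bot: parse_server_match_config is now called unconditionally under `test_flag > 1`, so with `-T` and no `-C` it receives a NULL connection_info. The intended result, judging by the servconf.c hunks, is that every Match criterion yields no match via the `ci == NULL` branch, but that relies on parse_server_match_config itself tolerating NULL, which cannot be seen here. A one-line comment would record the intent for the next reader, e.g. `/* connection_info is NULL without -C: no Match block can apply. */`. main continues outside this hunk.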