diff options
-rw-r--r-- | usr.bin/ssh/sftp-server.c | 32 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-agent.1 | 18 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-agent.c | 24 |
3 files changed, 37 insertions, 37 deletions
diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c index 10e43bf06bf..9ce13ab90f1 100644 --- a/usr.bin/ssh/sftp-server.c +++ b/usr.bin/ssh/sftp-server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-server.c,v 1.117 2019/07/05 04:55:40 djm Exp $ */ +/* $OpenBSD: sftp-server.c,v 1.118 2020/06/22 05:52:05 djm Exp $ */ /* * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * @@ -66,7 +66,7 @@ static int init_done; static int readonly; /* Requests that are allowed/denied */ -static char *request_whitelist, *request_blacklist; +static char *request_allowlist, *request_denylist; /* portable attributes, etc. */ typedef struct Stat Stat; @@ -156,20 +156,20 @@ request_permitted(const struct sftp_handler *h) verbose("Refusing %s request in read-only mode", h->name); return 0; } - if (request_blacklist != NULL && - ((result = match_list(h->name, request_blacklist, NULL))) != NULL) { + if (request_denylist != NULL && + ((result = match_list(h->name, request_denylist, NULL))) != NULL) { free(result); - verbose("Refusing blacklisted %s request", h->name); + verbose("Refusing denylisted %s request", h->name); return 0; } - if (request_whitelist != NULL && - ((result = match_list(h->name, request_whitelist, NULL))) != NULL) { + if (request_allowlist != NULL && + ((result = match_list(h->name, request_allowlist, NULL))) != NULL) { free(result); - debug2("Permitting whitelisted %s request", h->name); + debug2("Permitting allowlisted %s request", h->name); return 1; } - if (request_whitelist != NULL) { - verbose("Refusing non-whitelisted %s request", h->name); + if (request_allowlist != NULL) { + verbose("Refusing non-allowlisted %s request", h->name); return 0; } return 1; @@ -1529,8 +1529,8 @@ sftp_server_usage(void) fprintf(stderr, "usage: %s [-ehR] [-d start_directory] [-f log_facility] " - "[-l log_level]\n\t[-P blacklisted_requests] " - "[-p whitelisted_requests] [-u umask]\n" + "[-l log_level]\n\t[-P denied_requests] " + "[-p allowed_requests] [-u umask]\n" " %s -Q protocol_feature\n", __progname, __progname); exit(1); @@ -1599,14 +1599,14 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) free(cp); break; case 'p': - if (request_whitelist != NULL) + if (request_allowlist != NULL) fatal("Permitted requests already set"); - request_whitelist = xstrdup(optarg); + request_allowlist = xstrdup(optarg); break; case 'P': - if (request_blacklist != NULL) + if (request_denylist != NULL) fatal("Refused requests already set"); - request_blacklist = xstrdup(optarg); + request_denylist = xstrdup(optarg); break; case 'u': errno = 0; diff --git a/usr.bin/ssh/ssh-agent.1 b/usr.bin/ssh/ssh-agent.1 index 8e9295e9d7c..2cf46160bf7 100644 --- a/usr.bin/ssh/ssh-agent.1 +++ b/usr.bin/ssh/ssh-agent.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.71 2020/06/19 07:21:42 dtucker Exp $ +.\" $OpenBSD: ssh-agent.1,v 1.72 2020/06/22 05:52:05 djm Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 19 2020 $ +.Dd $Mdocdate: June 22 2020 $ .Dt SSH-AGENT 1 .Os .Sh NAME @@ -46,12 +46,12 @@ .Op Fl \&Dd .Op Fl a Ar bind_address .Op Fl E Ar fingerprint_hash -.Op Fl P Ar provider_whitelist +.Op Fl P Ar allowed_providers .Op Fl t Ar life .Nm ssh-agent .Op Fl a Ar bind_address .Op Fl E Ar fingerprint_hash -.Op Fl P Ar provider_whitelist +.Op Fl P Ar allowed_providers .Op Fl t Ar life .Ar command Op Ar arg ... .Nm ssh-agent @@ -102,19 +102,19 @@ The default is Kill the current agent (given by the .Ev SSH_AGENT_PID environment variable). -.It Fl P Ar provider_whitelist -Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator -shared libraries that may be used with the +.It Fl P Ar allowed_providers +Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO +authenticator middleware shared libraries that may be used with the .Fl S or .Fl s options to .Xr ssh-add 1 . -Libraries that do not match the whitelist will be refused. +Libraries that do not match the pattern list will be refused. See PATTERNS in .Xr ssh_config 5 for a description of pattern-list syntax. -The default whitelist is +The default list is .Dq /usr/lib/*,/usr/local/lib/* . .It Fl s Generate Bourne shell commands on diff --git a/usr.bin/ssh/ssh-agent.c b/usr.bin/ssh/ssh-agent.c index db7e093f044..44aa240c843 100644 --- a/usr.bin/ssh/ssh-agent.c +++ b/usr.bin/ssh/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.259 2020/06/19 07:21:42 dtucker Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.260 2020/06/22 05:52:05 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -136,8 +136,8 @@ pid_t cleanup_pid = 0; char socket_name[PATH_MAX]; char socket_dir[PATH_MAX]; -/* PKCS#11/Security key path whitelist */ -static char *provider_whitelist; +/* Pattern-list of allowed PKCS#11/Security key paths */ +static char *allowed_providers; /* locking */ #define LOCK_SIZE 32 @@ -598,9 +598,9 @@ process_add_identity(SocketEntry *e) free(sk_provider); sk_provider = xstrdup(canonical_provider); if (match_pattern_list(sk_provider, - provider_whitelist, 0) != 1) { + allowed_providers, 0) != 1) { error("Refusing add key: " - "provider %s not whitelisted", sk_provider); + "provider %s not allowed", sk_provider); free(sk_provider); goto send; } @@ -755,9 +755,9 @@ process_add_smartcard_key(SocketEntry *e) provider, strerror(errno)); goto send; } - if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) { + if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) { verbose("refusing PKCS#11 add of \"%.100s\": " - "provider not whitelisted", canonical_provider); + "provider not allowed", canonical_provider); goto send; } debug("%s: add %.100s", __func__, canonical_provider); @@ -1241,7 +1241,7 @@ usage(void) fprintf(stderr, "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n" " [-P provider_whitelist] [-t life]\n" - " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P provider_whitelist]\n" + " ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers]\n" " [-t life] command [arg ...]\n" " ssh-agent [-c | -s] -k\n"); exit(1); @@ -1301,9 +1301,9 @@ main(int ac, char **av) fatal("Unknown -O option"); break; case 'P': - if (provider_whitelist != NULL) + if (allowed_providers != NULL) fatal("-P option already specified"); - provider_whitelist = xstrdup(optarg); + allowed_providers = xstrdup(optarg); break; case 's': if (c_flag) @@ -1339,8 +1339,8 @@ main(int ac, char **av) if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag)) usage(); - if (provider_whitelist == NULL) - provider_whitelist = xstrdup(DEFAULT_PROVIDER_WHITELIST); + if (allowed_providers == NULL) + allowed_providers = xstrdup(DEFAULT_PROVIDER_WHITELIST); if (ac == 0 && !c_flag && !s_flag) { shell = getenv("SHELL"); |