summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/addrmatch.c11
-rw-r--r--usr.bin/ssh/auth-options.c25
-rw-r--r--usr.bin/ssh/match.c12
-rw-r--r--usr.bin/ssh/servconf.c5
-rw-r--r--usr.bin/ssh/sshd.830
5 files changed, 51 insertions, 32 deletions
diff --git a/usr.bin/ssh/addrmatch.c b/usr.bin/ssh/addrmatch.c
index bc267834583..9917d562bf6 100644
--- a/usr.bin/ssh/addrmatch.c
+++ b/usr.bin/ssh/addrmatch.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: addrmatch.c,v 1.2 2008/06/10 05:22:45 djm Exp $ */
+/* $OpenBSD: addrmatch.c,v 1.3 2008/06/10 23:06:19 djm Exp $ */
/*
* Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
@@ -364,7 +364,8 @@ addr_netmatch(const struct xaddr *host, const struct xaddr *net, u_int masklen)
*
* Returns 1 on match found (never returned when addr == NULL).
* Returns 0 on if no match found, or no errors found when addr == NULL.
- * Returns -1 on invalid list entry.
+ * Returns -1 on negated match found (never returned when addr == NULL).
+ * Returns -2 on invalid list entry.
*/
int
addr_match_list(const char *addr, const char *_list)
@@ -385,7 +386,7 @@ addr_match_list(const char *addr, const char *_list)
if (neg)
cp++;
if (*cp == '\0') {
- ret = -1;
+ ret = -2;
break;
}
/* Prefer CIDR address matching */
@@ -393,14 +394,14 @@ addr_match_list(const char *addr, const char *_list)
if (r == -2) {
error("Inconsistent mask length for "
"network \"%.100s\"", cp);
- ret = -1;
+ ret = -2;
break;
} else if (r == 0) {
if (addr != NULL && addr_netmatch(&try_addr,
&match_addr, masklen) == 0) {
foundit:
if (neg) {
- ret = 0;
+ ret = -1;
break;
}
ret = 1;
diff --git a/usr.bin/ssh/auth-options.c b/usr.bin/ssh/auth-options.c
index 8e95efcc35f..ccfcc9298b4 100644
--- a/usr.bin/ssh/auth-options.c
+++ b/usr.bin/ssh/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.42 2008/05/08 12:02:23 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.43 2008/06/10 23:06:19 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -224,8 +224,19 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
}
patterns[i] = '\0';
opts++;
- if (match_host_and_ip(remote_host, remote_ip,
- patterns) != 1) {
+ switch (match_host_and_ip(remote_host, remote_ip,
+ patterns)) {
+ case 1:
+ xfree(patterns);
+ /* Host name matches. */
+ goto next_option;
+ case -1:
+ debug("%.100s, line %lu: invalid criteria",
+ file, linenum);
+ auth_debug_add("%.100s, line %lu: "
+ "invalid criteria", file, linenum);
+ /* FALLTHROUGH */
+ case 0:
xfree(patterns);
logit("Authentication tried for %.100s with "
"correct key but not from a permitted "
@@ -234,12 +245,10 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
auth_debug_add("Your host '%.200s' is not "
"permitted to use this key for login.",
remote_host);
- /* deny access */
- return 0;
+ break;
}
- xfree(patterns);
- /* Host name matches. */
- goto next_option;
+ /* deny access */
+ return 0;
}
cp = "permitopen=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
diff --git a/usr.bin/ssh/match.c b/usr.bin/ssh/match.c
index e8fcdc3f17c..499f7475790 100644
--- a/usr.bin/ssh/match.c
+++ b/usr.bin/ssh/match.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.c,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: match.c,v 1.27 2008/06/10 23:06:19 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -181,7 +181,8 @@ match_hostname(const char *host, const char *pattern, u_int len)
/*
* returns 0 if we get a negative match for the hostname or the ip
- * or if we get no match at all. returns 1 otherwise.
+ * or if we get no match at all. returns -1 on error, or 1 on
+ * successful match.
*/
int
match_host_and_ip(const char *host, const char *ipaddr,
@@ -189,9 +190,12 @@ match_host_and_ip(const char *host, const char *ipaddr,
{
int mhost, mip;
- /* negative ipaddr match */
- if ((mip = match_hostname(ipaddr, patterns, strlen(patterns))) == -1)
+ /* error in ipaddr match */
+ if ((mip = addr_match_list(ipaddr, patterns)) == -2)
+ return -1;
+ else if (mip == -1) /* negative ip address match */
return 0;
+
/* negative hostname match */
if ((mhost = match_hostname(host, patterns, strlen(patterns))) == -1)
return 0;
diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c
index 5a4778efd75..47bf1f53103 100644
--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.182 2008/06/10 04:50:25 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.183 2008/06/10 23:06:19 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -584,9 +584,10 @@ match_cfg_line(char **condition, int line, const char *user, const char *host,
"%.100s' at line %d", address, arg, line);
break;
case 0:
+ case -1:
result = 0;
break;
- case -1:
+ case -2:
return -1;
}
} else {
diff --git a/usr.bin/ssh/sshd.8 b/usr.bin/ssh/sshd.8
index 7b1533cacd4..0c557bd28a2 100644
--- a/usr.bin/ssh/sshd.8
+++ b/usr.bin/ssh/sshd.8
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.243 2008/06/10 08:17:40 jmc Exp $
+.\" $OpenBSD: sshd.8,v 1.244 2008/06/10 23:06:19 djm Exp $
.Dd $Mdocdate: June 10 2008 $
.Dt SSHD 8
.Os
@@ -504,23 +504,27 @@ This option is automatically disabled if
.Cm UseLogin
is enabled.
.It Cm from="pattern-list"
-Specifies that in addition to public key authentication, the canonical name
-of the remote host must be present in the comma-separated list of
-patterns.
-The purpose
-of this option is to optionally increase security: public key authentication
-by itself does not trust the network or name servers or anything (but
-the key); however, if somebody somehow steals the key, the key
-permits an intruder to log in from anywhere in the world.
-This additional option makes using a stolen key more difficult (name
-servers and/or routers would have to be compromised in addition to
-just the key).
-.Pp
+Specifies that in addition to public key authentication, either the canonical
+name of the remote host or its IP address must be present in the
+comma-separated list of patterns.
See
.Sx PATTERNS
in
.Xr ssh_config 5
for more information on patterns.
+.Pp
+In addition to the wildcard matching that may be applied to hostnames or
+addresses, a
+.Cm from
+stanza may match IP addressess using CIDR address/masklen notation.
+.Pp
+The purpose of this option is to optionally increase security: public key
+authentication by itself does not trust the network or name servers or
+anything (but the key); however, if somebody somehow steals the key, the key
+permits an intruder to log in from anywhere in the world.
+This additional option makes using a stolen key more difficult (name
+servers and/or routers would have to be compromised in addition to
+just the key).
.It Cm no-agent-forwarding
Forbids authentication agent forwarding when this key is used for
authentication.