authordtucker@openbsd.org <dtucker@openbsd.org>2020-04-03 02:27:12 +0000
committerDamien Miller <djm@mindrot.org>2020-04-03 13:33:37 +1100
commited833da176611a39d3376d62154eb88eb440d31c (patch)
treef9fe72b08478c0ad599538f9dbfb94e582e93a93 /readconf.c
parent6ec7457171468da2bbd908b8cd63d298b0e049ea (diff)
upstream: Make which percent_expansions config keywords support more consistent.
- %C is moved into its own function and added to Match Exec. - move the common (global) options into a macro. This is ugly but it's the least-ugly way I could come up with. - move IdentityAgent and ForwardAgent percent expansion to before the config dump to make it regression-testable. - document all of the above ok jmc@ for man page bits, "makes things less terrible" djm@ for the rest. OpenBSD-Commit-ID: 4b65664bd6d8ae2a9afaf1a2438ddd1b614b1d75
Diffstat (limited to 'readconf.c')
-rw-r--r--readconf.c26
1 files changed, 25 insertions, 1 deletions
diff --git a/readconf.c b/readconf.c
index f3cac6b3..1a3b2db2 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.326 2020/02/06 22:46:31 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.327 2020/04/03 02:27:12 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -324,6 +324,24 @@ kex_default_pk_alg(void)
return kex_default_pk_alg_filtered;
}
+char *
+ssh_connection_hash(const char *thishost, const char *host, const char *portstr,
+ const char *user)
+{
+ struct ssh_digest_ctx *md;
+ u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
+
+ if ((md = ssh_digest_start(SSH_DIGEST_SHA1)) == NULL ||
+ ssh_digest_update(md, thishost, strlen(thishost)) < 0 ||
+ ssh_digest_update(md, host, strlen(host)) < 0 ||
+ ssh_digest_update(md, portstr, strlen(portstr)) < 0 ||
+ ssh_digest_update(md, user, strlen(user)) < 0 ||
+ ssh_digest_final(md, conn_hash, sizeof(conn_hash)) < 0)
+ fatal("%s: mux digest failed", __func__);
+ ssh_digest_free(md);
+ return tohex(conn_hash, ssh_digest_bytes(SSH_DIGEST_SHA1));
+}
+
/*
* Adds a local TCP/IP port forward to options. Never returns if there is an
* error.
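Review bot: ssh_connection_hash digests the four strings back-to-back with no separator or length prefix, so the input is ambiguous (`thishost="ab", host="c"` and `thishost="a", host="bc"` hash identically) and the value is a uniqueness token rather than a security boundary; since %C is presumably what existing ControlPath socket names are built from, the encoding has to stay exactly as it is, and a header comment should say so rather than leaving it to be "cleaned up" later. Suggest documenting the contract above the function, e.g. `/* SHA1 of thishost+host+port+user, unseparated; encoding must stay stable (existing %C paths depend on it). Returns malloc'd hex string, caller frees. */`. The error text `"%s: mux digest failed"` now also fires from Match exec, so `"%s: digest failed"` would describe the failure accurately in both callers.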
@@ -646,6 +664,8 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
if (r == (negate ? 1 : 0))
this_result = result = 0;
} else if (strcasecmp(attrib, "exec") == 0) {
+ char *conn_hash_hex;
+
if (gethostname(thishost, sizeof(thishost)) == -1)
fatal("gethostname: %s", strerror(errno));
strlcpy(shorthost, thishost, sizeof(shorthost));
@@ -653,8 +673,11 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
snprintf(portstr, sizeof(portstr), "%d", port);
snprintf(uidstr, sizeof(uidstr), "%llu",
(unsigned long long)pw->pw_uid);
+ conn_hash_hex = ssh_connection_hash(thishost, host,
+ portstr, pw->pw_name);
cmd = percent_expand(arg,
+ "C", conn_hash_hex,
"L", shorthost,
"d", pw->pw_dir,
"h", host,
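Review bot: The user passed to ssh_connection_hash is `pw->pw_name`, the local login name, while %C is documented as a hash that includes %r, the remote user; if the rest of this percent_expand list (cut off below this hunk) binds `"r"` to the remote username as the other expansions do, then %C inside a Match exec predicate will differ from the %C used elsewhere whenever the remote user is not the local one, which defeats using %C in exec to locate the mux socket for that connection. Suggest hashing the same value %r expands to, e.g. `conn_hash_hex = ssh_connection_hash(thishost, host, portstr, ruser);` if that variable is in scope here, or else stating the deliberate difference in the man page. match_cfg_line begins and ends outside this hunk.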
@@ -665,6 +688,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
"u", pw->pw_name,
"i", uidstr,
(char *)NULL);
+ free(conn_hash_hex);
if (result != 1) {
/* skip execution if prior predicate failed */
debug3("%.200s line %d: skipped exec "