[openssh-commits] [openssh] branch master updated: upstream: allow the "Include" directive to expand the same set of
git+noreply at mindrot.org
git+noreply at mindrot.org
Tue Sep 3 15:42:56 AEST 2024
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
The following commit(s) were added to refs/heads/master by this push:
new 8c4d6a62 upstream: allow the "Include" directive to expand the same set of
8c4d6a62 is described below
commit 8c4d6a628051e318bae2f283e8dc38b896400862
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Tue Sep 3 05:29:55 2024 +0000
upstream: allow the "Include" directive to expand the same set of
%-tokens that "Match Exec" and environment variables.
ok dtucker@
OpenBSD-Commit-ID: 12ef521eaa966a9241e684258564f52f1f3c5d37
---
readconf.c | 129 +++++++++++++++++++++++++++++++++++++++--------------------
ssh_config.5 | 13 ++++--
2 files changed, 95 insertions(+), 47 deletions(-)
diff --git a/readconf.c b/readconf.c
index 1d0ba0e7..ec63c42b 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.388 2024/08/23 04:51:00 deraadt Exp $ */
+/* $OpenBSD: readconf.c,v 1.389 2024/09/03 05:29:55 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -645,6 +645,63 @@ check_match_ifaddrs(const char *addrlist)
#endif /* HAVE_IFADDRS_H */
}
+/*
+ * Expand a "match exec" command or an Include path, caller must free returned
+ * value.
+ */
+static char *
+expand_match_exec_or_include_path(const char *path, Options *options,
+ struct passwd *pw, const char *host_arg, const char *original_host,
+ int final_pass, int is_include_path)
+{
+ char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
+ char uidstr[32], *conn_hash_hex, *keyalias, *jmphost, *ruser;
+ char *host, *ret;
+ int port;
+
+ port = options->port <= 0 ? default_ssh_port() : options->port;
+ ruser = options->user == NULL ? pw->pw_name : options->user;
+ if (final_pass) {
+ host = xstrdup(options->hostname);
+ } else if (options->hostname != NULL) {
+ /* NB. Please keep in sync with ssh.c:main() */
+ host = percent_expand(options->hostname,
+ "h", host_arg, (char *)NULL);
+ } else {
+ host = xstrdup(host_arg);
+ }
+ if (gethostname(thishost, sizeof(thishost)) == -1)
+ fatal("gethostname: %s", strerror(errno));
+ jmphost = option_clear_or_none(options->jump_host) ?
+ "" : options->jump_host;
+ strlcpy(shorthost, thishost, sizeof(shorthost));
+ shorthost[strcspn(thishost, ".")] = '\0';
+ snprintf(portstr, sizeof(portstr), "%d", port);
+ snprintf(uidstr, sizeof(uidstr), "%llu",
+ (unsigned long long)pw->pw_uid);
+ conn_hash_hex = ssh_connection_hash(thishost, host,
+ portstr, ruser, jmphost);
+ keyalias = options->host_key_alias ? options->host_key_alias : host;
+
+ ret = (is_include_path ? percent_dollar_expand : percent_expand)(path,
+ "C", conn_hash_hex,
+ "L", shorthost,
+ "d", pw->pw_dir,
+ "h", host,
+ "k", keyalias,
+ "l", thishost,
+ "n", original_host,
+ "p", portstr,
+ "r", ruser,
+ "u", pw->pw_name,
+ "i", uidstr,
+ "j", jmphost,
+ (char *)NULL);
+ free(host);
+ free(conn_hash_hex);
+ return ret;
+}
+
/*
* Parse and execute a Match directive.
*/
@@ -655,15 +712,12 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
{
char *arg, *oattrib, *attrib, *cmd, *cp = *condition, *host, *criteria;
const char *ruser;
- int r, port, this_result, result = 1, attributes = 0, negate;
- char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
- char uidstr[32];
+ int r, this_result, result = 1, attributes = 0, negate;
/*
* Configuration is likely to be incomplete at this point so we
* must be prepared to use default values.
*/
- port = options->port <= 0 ? default_ssh_port() : options->port;
ruser = options->user == NULL ? pw->pw_name : options->user;
if (final_pass) {
host = xstrdup(options->hostname);
@@ -765,37 +819,12 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
if (r == (negate ? 1 : 0))
this_result = result = 0;
} else if (strcasecmp(attrib, "exec") == 0) {
- char *conn_hash_hex, *keyalias, *jmphost;
-
- if (gethostname(thishost, sizeof(thishost)) == -1)
- fatal("gethostname: %s", strerror(errno));
- jmphost = option_clear_or_none(options->jump_host) ?
- "" : options->jump_host;
- strlcpy(shorthost, thishost, sizeof(shorthost));
- shorthost[strcspn(thishost, ".")] = '\0';
- snprintf(portstr, sizeof(portstr), "%d", port);
- snprintf(uidstr, sizeof(uidstr), "%llu",
- (unsigned long long)pw->pw_uid);
- conn_hash_hex = ssh_connection_hash(thishost, host,
- portstr, ruser, jmphost);
- keyalias = options->host_key_alias ?
- options->host_key_alias : host;
-
- cmd = percent_expand(arg,
- "C", conn_hash_hex,
- "L", shorthost,
- "d", pw->pw_dir,
- "h", host,
- "k", keyalias,
- "l", thishost,
- "n", original_host,
- "p", portstr,
- "r", ruser,
- "u", pw->pw_name,
- "i", uidstr,
- "j", jmphost,
- (char *)NULL);
- free(conn_hash_hex);
+ if ((cmd = expand_match_exec_or_include_path(arg,
+ options, pw, host_arg, original_host,
+ final_pass, 0)) == NULL) {
+ fatal("%.200s line %d: failed to expand match "
+ "exec '%.100s'", filename, linenum, arg);
+ }
if (result != 1) {
/* skip execution if prior predicate failed */
debug3("%.200s line %d: skipped exec "
@@ -1990,6 +2019,15 @@ parse_pubkey_algos:
filename, linenum, keyword);
goto out;
}
+ /* Expand %tokens and environment variables */
+ if ((p = expand_match_exec_or_include_path(arg,
+ options, pw, host, original_host,
+ flags & SSHCONF_FINAL, 1)) == NULL) {
+ error("%.200s line %d: Unable to expand user "
+ "config file '%.100s'",
+ filename, linenum, arg);
+ continue;
+ }
/*
* Ensure all paths are anchored. User configuration
* files may begin with '~/' but system configurations
@@ -1997,17 +2035,19 @@ parse_pubkey_algos:
* as living in ~/.ssh for user configurations or
* /etc/ssh for system ones.
*/
- if (*arg == '~' && (flags & SSHCONF_USERCONF) == 0) {
+ if (*p == '~' && (flags & SSHCONF_USERCONF) == 0) {
error("%.200s line %d: bad include path %s.",
- filename, linenum, arg);
+ filename, linenum, p);
goto out;
}
- if (!path_absolute(arg) && *arg != '~') {
+ if (!path_absolute(p) && *p != '~') {
xasprintf(&arg2, "%s/%s",
(flags & SSHCONF_USERCONF) ?
- "~/" _PATH_SSH_USER_DIR : SSHDIR, arg);
- } else
- arg2 = xstrdup(arg);
+ "~/" _PATH_SSH_USER_DIR : SSHDIR, p);
+ } else {
+ arg2 = xstrdup(p);
+ }
+ free(p);
memset(&gl, 0, sizeof(gl));
r = glob(arg2, GLOB_TILDE, NULL, &gl);
if (r == GLOB_NOMATCH) {
@@ -2033,8 +2073,9 @@ parse_pubkey_algos:
(oactive ? 0 : SSHCONF_NEVERMATCH),
activep, want_final_pass, depth + 1);
if (r != 1 && errno != ENOENT) {
- error("Can't open user config file "
- "%.100s: %.100s", gl.gl_pathv[i],
+ error("%.200s line %d: Can't open user "
+ "config file %.100s: %.100s",
+ filename, linenum, gl.gl_pathv[i],
strerror(errno));
globfree(&gl);
goto out;
diff --git a/ssh_config.5 b/ssh_config.5
index 6a688a1b..cab00b04 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.399 2024/08/22 23:11:30 djm Exp $
-.Dd $Mdocdate: August 22 2024 $
+.\" $OpenBSD: ssh_config.5,v 1.400 2024/09/03 05:29:56 djm Exp $
+.Dd $Mdocdate: September 3 2024 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -1182,7 +1182,12 @@ to unknown options that appear before it.
Include the specified configuration file(s).
Multiple pathnames may be specified and each pathname may contain
.Xr glob 7
-wildcards and, for user configurations, shell-like
+wildcards,
+tokens as described in the
+.Sx TOKENS
+section, envrionment variables as described in the
+.Sx ENVIRONMENT VARIABLES
+section and, for user configurations, shell-like
.Sq ~
references to user home directories.
Wildcards will be expanded and processed in lexical order.
@@ -2270,6 +2275,7 @@ The local username.
.Cm ControlPath ,
.Cm IdentityAgent ,
.Cm IdentityFile ,
+.Cm Include ,
.Cm KnownHostsCommand ,
.Cm LocalForward ,
.Cm Match exec ,
@@ -2318,6 +2324,7 @@ The keywords
.Cm ControlPath ,
.Cm IdentityAgent ,
.Cm IdentityFile ,
+.Cm Include ,
.Cm KnownHostsCommand ,
and
.Cm UserKnownHostsFile
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list