[openssh-commits] [openssh] 01/04: upstream: "Match command ..." support for ssh_config to allow
git+noreply at mindrot.org
git+noreply at mindrot.org
Sat Feb 15 13:16:43 AEDT 2025
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit caa3c0c77082888236b0b0c4feb3e6879731b3ba
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Sat Feb 15 01:48:30 2025 +0000
upstream: "Match command ..." support for ssh_config to allow
matching on the remote command specified on the commandline.
Also relaxes matching rules for `Match tagged` to allow
`Match tagged ""` to match an empty tag value. This also works
for command.
ok markus@
OpenBSD-Commit-ID: 00dcfea425bf58d824bf5e3464cfc2409121b60d
---
readconf.c | 69 ++++++++++++++++++++++++++++++++++++++---------------------
readconf.h | 6 +++---
ssh-keysign.c | 4 ++--
ssh.c | 20 ++++++++++-------
ssh_config.5 | 17 +++++++++++++--
5 files changed, 77 insertions(+), 39 deletions(-)
diff --git a/readconf.c b/readconf.c
index aa646588..72392d01 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.394 2024/12/06 16:21:48 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.395 2025/02/15 01:48:30 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -133,11 +133,11 @@
*/
static int read_config_file_depth(const char *filename, struct passwd *pw,
- const char *host, const char *original_host, Options *options,
- int flags, int *activep, int *want_final_pass, int depth);
+ const char *host, const char *original_host, const char *remote_command,
+ Options *options, int flags, int *activep, int *want_final_pass, int depth);
static int process_config_line_depth(Options *options, struct passwd *pw,
- const char *host, const char *original_host, char *line,
- const char *filename, int linenum, int *activep, int flags,
+ const char *host, const char *original_host, const char *remote_command,
+ char *line, const char *filename, int linenum, int *activep, int flags,
int *want_final_pass, int depth);
/* Keyword tokens. */
@@ -710,7 +710,8 @@ expand_match_exec_or_include_path(const char *path, Options *options,
static int
match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
struct passwd *pw, const char *host_arg, const char *original_host,
- int final_pass, int *want_final_pass, const char *filename, int linenum)
+ const char *remote_command, int final_pass, int *want_final_pass,
+ const char *filename, int linenum)
{
char *arg, *oattrib = NULL, *attrib = NULL, *cmd, *host, *criteria;
const char *ruser;
@@ -788,6 +789,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
strprefix(attrib, "localuser=", 1) != NULL ||
strprefix(attrib, "localnetwork=", 1) != NULL ||
strprefix(attrib, "tagged=", 1) != NULL ||
+ strprefix(attrib, "command=", 1) != NULL ||
strprefix(attrib, "exec=", 1) != NULL) {
arg = strchr(attrib, '=');
*(arg++) = '\0';
@@ -795,8 +797,16 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
arg = argv_next(acp, avp);
}
- /* All other criteria require an argument */
- if (arg == NULL || *arg == '\0' || *arg == '#') {
+ /*
+ * All other criteria require an argument, though it may
+ * be the empty string for the "tagged" and "command"
+ * options.
+ */
+ if (*arg == '\0' &&
+ strcasecmp(attrib, "tagged") != 0 &&
+ strcasecmp(attrib, "command") != 0)
+ arg = NULL;
+ if (arg == NULL || *arg == '#') {
error("Missing Match criteria for %s", attrib);
result = -1;
goto out;
@@ -833,7 +843,17 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
} else if (strcasecmp(attrib, "tagged") == 0) {
criteria = xstrdup(options->tag == NULL ? "" :
options->tag);
- r = match_pattern_list(criteria, arg, 0) == 1;
+ /* Special case: empty criteria matches empty arg */
+ r = (*criteria == '\0') ? *arg == '\0' :
+ match_pattern_list(criteria, arg, 0) == 1;
+ if (r == (negate ? 1 : 0))
+ this_result = result = 0;
+ } else if (strcasecmp(attrib, "command") == 0) {
+ criteria = xstrdup(remote_command == NULL ?
+ "" : remote_command);
+ /* Special case: empty criteria matches empty arg */
+ r = (*criteria == '\0') ? *arg == '\0' :
+ match_pattern_list(criteria, arg, 0) == 1;
if (r == (negate ? 1 : 0))
this_result = result = 0;
} else if (strcasecmp(attrib, "exec") == 0) {
@@ -1080,18 +1100,19 @@ parse_multistate_value(const char *arg, const char *filename, int linenum,
*/
int
process_config_line(Options *options, struct passwd *pw, const char *host,
- const char *original_host, char *line, const char *filename,
- int linenum, int *activep, int flags)
+ const char *original_host, const char *remote_command, char *line,
+ const char *filename, int linenum, int *activep, int flags)
{
return process_config_line_depth(options, pw, host, original_host,
- line, filename, linenum, activep, flags, NULL, 0);
+ remote_command, line, filename, linenum, activep, flags, NULL, 0);
}
#define WHITESPACE " \t\r\n"
static int
process_config_line_depth(Options *options, struct passwd *pw, const char *host,
- const char *original_host, char *line, const char *filename,
- int linenum, int *activep, int flags, int *want_final_pass, int depth)
+ const char *original_host, const char *remote_command, char *line,
+ const char *filename, int linenum, int *activep, int flags,
+ int *want_final_pass, int depth)
{
char *str, **charptr, *endofnumber, *keyword, *arg, *arg2, *p;
char **cpptr, ***cppptr, fwdarg[256];
@@ -1828,8 +1849,8 @@ parse_pubkey_algos:
goto out;
}
value = match_cfg_line(options, str, &ac, &av, pw, host,
- original_host, flags & SSHCONF_FINAL, want_final_pass,
- filename, linenum);
+ original_host, remote_command, flags & SSHCONF_FINAL,
+ want_final_pass, filename, linenum);
if (value < 0) {
error("%.200s line %d: Bad Match condition", filename,
linenum);
@@ -2081,8 +2102,8 @@ parse_pubkey_algos:
gl.gl_pathv[i], depth,
oactive ? "" : " (parse only)");
r = read_config_file_depth(gl.gl_pathv[i],
- pw, host, original_host, options,
- flags | SSHCONF_CHECKPERM |
+ pw, host, original_host, remote_command,
+ options, flags | SSHCONF_CHECKPERM |
(oactive ? 0 : SSHCONF_NEVERMATCH),
activep, want_final_pass, depth + 1);
if (r != 1 && errno != ENOENT) {
@@ -2505,20 +2526,20 @@ parse_pubkey_algos:
*/
int
read_config_file(const char *filename, struct passwd *pw, const char *host,
- const char *original_host, Options *options, int flags,
+ const char *original_host, const char *remote_command, Options *options, int flags,
int *want_final_pass)
{
int active = 1;
return read_config_file_depth(filename, pw, host, original_host,
- options, flags, &active, want_final_pass, 0);
+ remote_command, options, flags, &active, want_final_pass, 0);
}
#define READCONF_MAX_DEPTH 16
static int
read_config_file_depth(const char *filename, struct passwd *pw,
- const char *host, const char *original_host, Options *options,
- int flags, int *activep, int *want_final_pass, int depth)
+ const char *host, const char *original_host, const char *remote_command,
+ Options *options, int flags, int *activep, int *want_final_pass, int depth)
{
FILE *f;
char *line = NULL;
@@ -2558,8 +2579,8 @@ read_config_file_depth(const char *filename, struct passwd *pw,
* line numbers later for error messages.
*/
if (process_config_line_depth(options, pw, host, original_host,
- line, filename, linenum, activep, flags, want_final_pass,
- depth) != 0)
+ remote_command, line, filename, linenum, activep, flags,
+ want_final_pass, depth) != 0)
bad_options++;
}
free(line);
diff --git a/readconf.h b/readconf.h
index 2922dcb2..cd49139b 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.158 2024/12/06 16:21:48 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.159 2025/02/15 01:48:30 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -240,9 +240,9 @@ int fill_default_options(Options *);
void fill_default_options_for_canonicalization(Options *);
void free_options(Options *o);
int process_config_line(Options *, struct passwd *, const char *,
- const char *, char *, const char *, int, int *, int);
+ const char *, const char *, char *, const char *, int, int *, int);
int read_config_file(const char *, struct passwd *, const char *,
- const char *, Options *, int, int *);
+ const char *, const char *, Options *, int, int *);
int parse_forward(struct Forward *, const char *, int, int);
int parse_jump(const char *, Options *, int);
int parse_ssh_uri(const char *, char **, char **, int *);
diff --git a/ssh-keysign.c b/ssh-keysign.c
index 968344e7..955f7b0a 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keysign.c,v 1.74 2024/04/30 05:53:03 djm Exp $ */
+/* $OpenBSD: ssh-keysign.c,v 1.75 2025/02/15 01:48:30 djm Exp $ */
/*
* Copyright (c) 2002 Markus Friedl. All rights reserved.
*
@@ -222,7 +222,7 @@ main(int argc, char **argv)
/* verify that ssh-keysign is enabled by the admin */
initialize_options(&options);
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "",
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, "", "", "",
&options, 0, NULL);
(void)fill_default_options(&options);
if (options.enable_ssh_keysign != 1)
diff --git a/ssh.c b/ssh.c
index d82f2fb8..d4e872c4 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.603 2025/02/10 23:19:26 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.604 2025/02/15 01:48:30 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -559,15 +559,18 @@ check_load(int r, struct sshkey **k, const char *path, const char *message)
* file if the user specifies a config file on the command line.
*/
static void
-process_config_files(const char *host_name, struct passwd *pw, int final_pass,
- int *want_final_pass)
+process_config_files(const char *host_name, struct passwd *pw,
+ int final_pass, int *want_final_pass)
{
- char buf[PATH_MAX];
+ char *cmd, buf[PATH_MAX];
int r;
+ if ((cmd = sshbuf_dup_string(command)) == NULL)
+ fatal_f("sshbuf_dup_string failed");
if (config != NULL) {
if (strcasecmp(config, "none") != 0 &&
- !read_config_file(config, pw, host, host_name, &options,
+ !read_config_file(config, pw, host, host_name, cmd,
+ &options,
SSHCONF_USERCONF | (final_pass ? SSHCONF_FINAL : 0),
want_final_pass))
fatal("Can't open user config file %.100s: "
@@ -576,15 +579,16 @@ process_config_files(const char *host_name, struct passwd *pw, int final_pass,
r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
_PATH_SSH_USER_CONFFILE);
if (r > 0 && (size_t)r < sizeof(buf))
- (void)read_config_file(buf, pw, host, host_name,
+ (void)read_config_file(buf, pw, host, host_name, cmd,
&options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
(final_pass ? SSHCONF_FINAL : 0), want_final_pass);
/* Read systemwide configuration file after user config. */
(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
- host, host_name, &options,
+ host, host_name, cmd, &options,
final_pass ? SSHCONF_FINAL : 0, want_final_pass);
}
+ free(cmd);
}
/* Rewrite the port number in an addrinfo list of addresses */
@@ -1078,7 +1082,7 @@ main(int ac, char **av)
case 'o':
line = xstrdup(optarg);
if (process_config_line(&options, pw,
- host ? host : "", host ? host : "", line,
+ host ? host : "", host ? host : "", "", line,
"command-line", 0, NULL, SSHCONF_USERCONF) != 0)
exit(255);
free(line);
diff --git a/ssh_config.5 b/ssh_config.5
index 570bf651..857cabbe 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.407 2024/12/06 16:21:48 djm Exp $
-.Dd $Mdocdate: December 6 2024 $
+.\" $OpenBSD: ssh_config.5,v 1.408 2025/02/15 01:48:30 djm Exp $
+.Dd $Mdocdate: February 15 2025 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -145,6 +145,7 @@ The available criteria keywords are:
.Cm host ,
.Cm originalhost ,
.Cm tagged ,
+.Cm command ,
.Cm user ,
and
.Cm localuser .
@@ -212,6 +213,7 @@ The other keywords' criteria must be single entries or comma-separated
lists and may use the wildcard and negation operators described in the
.Sx PATTERNS
section.
+.Pp
The criteria for the
.Cm host
keyword are matched against the target hostname, after any substitution
@@ -223,6 +225,7 @@ options.
The
.Cm originalhost
keyword matches against the hostname as it was specified on the command-line.
+.Pp
The
.Cm tagged
keyword matches a tag name specified by a prior
@@ -233,6 +236,16 @@ command-line using the
.Fl P
flag.
The
+.Cm command
+keyword matches the remote command that has been requested, or the subsystem
+name that is being invoked (e.g.
+.Oq sftp
+for an SFTP session).
+The empty string will match the case where a command or tag has not been
+specified, i.e.
+.Sq Match tag \&"\&"
+.Pp
+The
.Cm user
keyword matches against the target username on the remote host.
The
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list