[PATCH] add more None-able options in match clause

Richard Scothern richard.scothern at gmail.com
Sat Feb 22 10:31:43 AEDT 2020


There are some options in the sshd configuration which can be
specified globally, and overridden in a Match clause with a value of
none that I don't think are correctly handled.

For example:

AuthorizedPrincipalsFile /etc/ssh/auth_principals/auth_principals_%u
Match Group users
  AuthorizedPrincipalsFile none

This would cause sshd to use ~/none for the authorized principals file
rather than store a NULL value for members of users.  According to the
manpage this keys can have a value of none.

I extended the scope of CLEAR_ON_NONE to handle these, and this could
additionally be used for dst->adm_forced_command and
dst->chroot_directory just below.

Url: https://git.io/JvRNI
diff --git a/servconf.c b/servconf.c
index 353bcc97..5e0a7f50 100644
--- a/servconf.c
+++ b/servconf.c
@@ -458,7 +458,6 @@ fill_default_server_options(ServerOptions *options)
        for (i = 0; i < options->num_host_cert_files; i++)

        /* Similar handling for AuthenticationMethods=any */
        if (options->num_auth_methods == 1 &&
@@ -2390,6 +2389,11 @@ copy_set_server_options(ServerOptions *dst,
ServerOptions *src, int preauth)
        /* See comment in servconf.h */

+       CLEAR_ON_NONE(dst->banner);
+       CLEAR_ON_NONE(dst->trusted_user_ca_keys);
+       CLEAR_ON_NONE(dst->revoked_keys_file);
+       CLEAR_ON_NONE(dst->authorized_principals_file);
        /* Arguments that accept '+...' need to be expanded */

@@ -2412,7 +2416,7 @@ copy_set_server_options(ServerOptions *dst,
ServerOptions *src, int preauth)
                dst->chroot_directory = NULL;
 #undef M_CP_INTOPT
 #undef M_CP_STROPT

More information about the openssh-unix-dev mailing list