1 From 4e36108ba3e42eb1c4d84b6e31d21a5ca77f33a1 Mon Sep 17 00:00:00 2001
2 From: Alex Wilson <alex.wilson@joyent.com>
3 Date: Mon, 24 Aug 2015 18:57:27 -0700
4 Subject: [PATCH 30/36] Set default sshd options based on /etc/default/login
5
6 ---
7 pathnames.h | 1 +
8 servconf.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
9 sshd_config.4 | 17 +++++++++++++++--
10 3 files changed, 77 insertions(+), 2 deletions(-)
11
12 diff --git a/pathnames.h b/pathnames.h
13 index 0b2281b..11c9bf6 100644
14 --- a/pathnames.h
15 +++ b/pathnames.h
16 @@ -46,6 +46,7 @@
17 #define _PATH_HOST_ED25519_KEY_FILE SSHKEYDIR "/ssh_host_ed25519_key"
18 #define _PATH_HOST_RSA_KEY_FILE SSHKEYDIR "/ssh_host_rsa_key"
19 #define _PATH_DH_MODULI SSHKEYDIR "/moduli"
20 +#define _PATH_DEFAULT_LOGIN ETCDIR "/default/login"
21 /* Backwards compatibility */
22 #define _PATH_DH_PRIMES SSHDIR "/primes"
23
24 diff --git a/servconf.c b/servconf.c
25 index a0edff2..f8122aa 100644
26 --- a/servconf.c
27 +++ b/servconf.c
28 @@ -30,6 +30,7 @@
29 #include <unistd.h>
30 #include <limits.h>
31 #include <stdarg.h>
32 +#include <deflt.h>
33 #include <errno.h>
34 #ifdef HAVE_UTIL_H
35 #include <util.h>
36 @@ -192,6 +193,64 @@ option_clear_or_none(const char *o)
37 return o == NULL || strcasecmp(o, "none") == 0;
38 }
39
40 +/*
41 + * Reads /etc/default/login and defaults several ServerOptions:
42 + *
43 + * PermitRootLogin
44 + * PermitEmptyPasswords
45 + * LoginGraceTime
46 + *
47 + * CONSOLE=* -> PermitRootLogin=without-password
48 + * #CONSOLE=* -> PermitRootLogin=yes
49 + *
50 + * PASSREQ=YES -> PermitEmptyPasswords=no
51 + * PASSREQ=NO -> PermitEmptyPasswords=yes
52 + * #PASSREQ=* -> PermitEmptyPasswords=no
53 + *
54 + * TIMEOUT=<secs> -> LoginGraceTime=<secs>
55 + * #TIMEOUT=<secs> -> LoginGraceTime=300
56 + */
57 +static void
58 +deflt_fill_default_server_options(ServerOptions *options)
59 +{
60 + int flags;
61 + char *ptr;
62 +
63 + if (defopen(_PATH_DEFAULT_LOGIN))
64 + return;
65 +
66 + /* Ignore case */
67 + flags = defcntl(DC_GETFLAGS, 0);
68 + TURNOFF(flags, DC_CASE);
69 + (void) defcntl(DC_SETFLAGS, flags);
70 +
71 + if (options->permit_root_login == PERMIT_NOT_SET &&
72 + (ptr = defread("CONSOLE=")) != NULL)
73 + options->permit_root_login = PERMIT_NO_PASSWD;
74 +
75 + if (options->permit_empty_passwd == -1 &&
76 + (ptr = defread("PASSREQ=")) != NULL) {
77 + if (strcasecmp("YES", ptr) == 0)
78 + options->permit_empty_passwd = 0;
79 + else if (strcasecmp("NO", ptr) == 0)
80 + options->permit_empty_passwd = 1;
81 + }
82 +
83 + if (options->max_authtries == -1 &&
84 + (ptr = defread("RETRIES=")) != NULL) {
85 + options->max_authtries = atoi(ptr);
86 + }
87 +
88 + if (options->login_grace_time == -1) {
89 + if ((ptr = defread("TIMEOUT=")) != NULL)
90 + options->login_grace_time = (unsigned)atoi(ptr);
91 + else
92 + options->login_grace_time = 300;
93 + }
94 +
95 + (void) defopen((char *)NULL);
96 +}
97 +
98 void
99 fill_default_server_options(ServerOptions *options)
100 {
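Review bot: The `RETRIES=` and `TIMEOUT=` values in deflt_fill_default_server_options go through `atoi()` with no validation, so a non-numeric or empty value becomes 0 and a negative one is stored as is. sshd_config documents a LoginGraceTime of 0 as "no time limit", so a typo in /etc/default/login would silently remove the grace-time limit; what a zero or negative max_authtries does depends on authentication code outside this patch. A range-checked conversion that falls back to the built-in default on error avoids both, and the sketch below uses strtonum, which OpenSSH's compat layer provides. The header comment is also out of step with the body: it omits RETRIES -> MaxAuthTries and lists `#CONSOLE=* -> PermitRootLogin=yes`, which this function never sets. The sshd_config.4 text in this patch says the PermitEmptyPasswords default is no "unless `PASSREQ=YES` is present", whereas the code enables empty passwords on `PASSREQ=NO`, so the man page reads inverted.

```c
	const char *errstr;
	long long val;

	/* … unchanged: defopen, DC_CASE flags, CONSOLE and PASSREQ handling … */

	if (options->max_authtries == -1 &&
	    (ptr = defread("RETRIES=")) != NULL) {
		/* Unparsable or non-positive: leave unset so the built-in default applies. */
		val = strtonum(ptr, 1, INT_MAX, &errstr);
		if (errstr == NULL)
			options->max_authtries = (int)val;
	}

	if (options->login_grace_time == -1) {
		options->login_grace_time = 300;
		if ((ptr = defread("TIMEOUT=")) != NULL) {
			/* A non-numeric value must not collapse to 0 (no limit). */
			val = strtonum(ptr, 0, INT_MAX, &errstr);
			if (errstr == NULL)
				options->login_grace_time = (int)val;
		}
	}

	/* … unchanged: closing defopen(NULL) … */
```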
101 @@ -206,6 +265,8 @@ fill_default_server_options(ServerOptions *options)
102 options->use_pam = 0;
103 #endif
104
105 + deflt_fill_default_server_options(options);
106 +
107 /* Standard Options */
108 if (options->protocol == SSH_PROTO_UNKNOWN)
109 options->protocol = SSH_PROTO_2;
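Review bot: The new call has no comment explaining why it sits ahead of the "Standard Options" block, and the ordering is what makes it safe: the helper only fills fields still at their unset value, so it has to run before the built-in defaults. I would add `/* Fill still-unset options from /etc/default/login before the built-in defaults below. */` above the call. That comment, or the man page, should also state that a local-login policy file now changes network-facing behaviour, since `PASSREQ=NO` there turns on PermitEmptyPasswords for sshd unless sshd_config sets it explicitly. fill_default_server_options starts in the previous hunk and continues past the end of this one.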
110 diff --git a/sshd_config.4 b/sshd_config.4
111 index 0c07fd1..cce3a5a 100644
112 --- a/sshd_config.4
113 +++ b/sshd_config.4
114 @@ -1138,7 +1138,13 @@ Specifies the maximum number of authentication attempts permitted per
115 connection.
116 Once the number of failures reaches half this value,
117 additional failures are logged.
118 -The default is 6.
119 +The default is 6, or the value given by
120 +.Dq RETRIES=
121 +in the file
122 +.Dq /etc/default/login ,
123 +if available (see
124 +.Xr login 1
125 +).
126 .It Cm MaxSessions
127 Specifies the maximum number of open sessions permitted per network connection.
128 The default is 10.
129 @@ -1189,7 +1195,14 @@ The default is
130 When password authentication is allowed, it specifies whether the
131 server allows login to accounts with empty password strings.
132 The default is
133 -.Dq no .
134 +.Dq no
135 +unless
136 +.Dq PASSREQ=YES
137 +is present in
138 +.Dq /etc/default/login
139 +(see
140 +.Xr login 1
141 +).
142 .It Cm PermitOpen
143 Specifies the destinations to which TCP port forwarding is permitted.
144 The forwarding specification must be one of the following forms:
145 --
146 2.5.4 (Apple Git-61)
147