--- hpn-ssh-hpn-18.4.2/pathnames.h.orig +++ hpn-ssh-hpn-18.4.2/pathnames.h @@ -42,6 +42,7 @@ #define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key" #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key" #define _PATH_DH_MODULI SSHDIR "/moduli" +#define _PATH_DEFAULT_LOGIN ETCDIR "/default/login" #ifndef _PATH_SSH_PROGRAM #define _PATH_SSH_PROGRAM "/usr/bin/hpnssh" --- hpn-ssh-hpn-18.4.2/servconf.c.orig +++ hpn-ssh-hpn-18.4.2/servconf.c @@ -36,6 +36,7 @@ #include #include #include +#include #include #ifdef HAVE_UTIL_H #include @@ -224,6 +225,64 @@ return o == NULL || strcasecmp(o, "none") == 0; } +/* + * Reads /etc/default/login and defaults several ServerOptions: + * + * PermitRootLogin + * PermitEmptyPasswords + * LoginGraceTime + * + * CONSOLE=* -> PermitRootLogin=without-password + * #CONSOLE=* -> PermitRootLogin=yes + * + * PASSREQ=YES -> PermitEmptyPasswords=no + * PASSREQ=NO -> PermitEmptyPasswords=yes + * #PASSREQ=* -> PermitEmptyPasswords=no + * + * TIMEOUT= -> LoginGraceTime= + * #TIMEOUT= -> LoginGraceTime=300 + */ +static void +deflt_fill_default_server_options(ServerOptions *options) +{ + int flags; + char *ptr; + + if (defopen(_PATH_DEFAULT_LOGIN)) + return; + + /* Ignore case */ + flags = defcntl(DC_GETFLAGS, 0); + TURNOFF(flags, DC_CASE); + (void) defcntl(DC_SETFLAGS, flags); + + if (options->permit_root_login == PERMIT_NOT_SET && + (ptr = defread("CONSOLE=")) != NULL) + options->permit_root_login = PERMIT_NO_PASSWD; + + if (options->permit_empty_passwd == -1 && + (ptr = defread("PASSREQ=")) != NULL) { + if (strcasecmp("YES", ptr) == 0) + options->permit_empty_passwd = 0; + else if (strcasecmp("NO", ptr) == 0) + options->permit_empty_passwd = 1; + } + + if (options->max_authtries == -1 && + (ptr = defread("RETRIES=")) != NULL) { + options->max_authtries = atoi(ptr); + } + + if (options->login_grace_time == -1) { + if ((ptr = defread("TIMEOUT=")) != NULL) + options->login_grace_time = (unsigned)atoi(ptr); + else + options->login_grace_time = 300; + } + + (void) defopen((char *)NULL); +} + static void assemble_algorithms(ServerOptions *o) { @@ -304,6 +363,8 @@ options->use_pam = 0; #endif + deflt_fill_default_server_options(options); + /* Standard Options */ if (options->num_host_key_files == 0) { /* fill default hostkeys for protocols */ --- hpn-ssh-hpn-18.4.2/hpnsshd_config.5.orig +++ hpn-ssh-hpn-18.4.2/hpnsshd_config.5 @@ -1349,7 +1349,14 @@ connection. Once the number of failures reaches half this value, additional failures are logged. -The default is 6. +The default is 6, or the value given by +.Dq RETRIES= +in the file +.Pa /etc/default/login , +if available +.Po see +.Xr login 1 +.Pc . .It Cm MaxSessions Specifies the maximum number of open shell, login or subsystem (e.g. sftp) sessions permitted per network connection. @@ -1437,7 +1444,14 @@ When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is -.Cm no . +.Cm no +unless +.Dq PASSREQ=YES +is present in +.Pa /etc/default/login +.Po see +.Xr login 1 +.Pc . .It Cm PermitListen Specifies the addresses/ports on which a remote TCP port forwarding may listen. The listen specification must be one of the following forms: