From 846518269f65af1f02714c311eb33dfa4cb291b4 Mon Sep 17 00:00:00 2001 From: Alex Wilson Date: Mon, 24 Aug 2015 18:57:27 -0700 Subject: [PATCH 27/34] Set default sshd options based on /etc/default/login diff -wpruN --no-dereference '--exclude=*.orig' a~/pathnames.h a/pathnames.h --- a~/pathnames.h 1970-01-01 00:00:00 +++ a/pathnames.h 1970-01-01 00:00:00 @@ -42,6 +42,7 @@ #define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key" #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key" #define _PATH_DH_MODULI SSHDIR "/moduli" +#define _PATH_DEFAULT_LOGIN ETCDIR "/default/login" #ifndef _PATH_SSH_PROGRAM #define _PATH_SSH_PROGRAM "/usr/bin/ssh" diff -wpruN --no-dereference '--exclude=*.orig' a~/servconf.c a/servconf.c --- a~/servconf.c 1970-01-01 00:00:00 +++ a/servconf.c 1970-01-01 00:00:00 @@ -36,6 +36,7 @@ #include #include #include +#include #include #ifdef HAVE_UTIL_H #include @@ -236,6 +237,64 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } +/* + * Reads /etc/default/login and defaults several ServerOptions: + * + * PermitRootLogin + * PermitEmptyPasswords + * LoginGraceTime + * + * CONSOLE=* -> PermitRootLogin=without-password + * #CONSOLE=* -> PermitRootLogin=yes + * + * PASSREQ=YES -> PermitEmptyPasswords=no + * PASSREQ=NO -> PermitEmptyPasswords=yes + * #PASSREQ=* -> PermitEmptyPasswords=no + * + * TIMEOUT= -> LoginGraceTime= + * #TIMEOUT= -> LoginGraceTime=300 + */ +static void +deflt_fill_default_server_options(ServerOptions *options) +{ + int flags; + char *ptr; + + if (defopen(_PATH_DEFAULT_LOGIN)) + return; + + /* Ignore case */ + flags = defcntl(DC_GETFLAGS, 0); + TURNOFF(flags, DC_CASE); + (void) defcntl(DC_SETFLAGS, flags); + + if (options->permit_root_login == PERMIT_NOT_SET && + (ptr = defread("CONSOLE=")) != NULL) + options->permit_root_login = PERMIT_NO_PASSWD; + + if (options->permit_empty_passwd == -1 && + (ptr = defread("PASSREQ=")) != NULL) { + if (strcasecmp("YES", ptr) == 0) + options->permit_empty_passwd = 0; + else if (strcasecmp("NO", ptr) == 0) + options->permit_empty_passwd = 1; + } + + if (options->max_authtries == -1 && + (ptr = defread("RETRIES=")) != NULL) { + options->max_authtries = atoi(ptr); + } + + if (options->login_grace_time == -1) { + if ((ptr = defread("TIMEOUT=")) != NULL) + options->login_grace_time = (unsigned)atoi(ptr); + else + options->login_grace_time = 300; + } + + (void) defopen((char *)NULL); +} + static void assemble_algorithms(ServerOptions *o) { @@ -323,6 +382,8 @@ fill_default_server_options(ServerOption options->pam_service_name = xstrdup(SSHD_PAM_SERVICE); #endif + deflt_fill_default_server_options(options); + /* Standard Options */ if (options->num_host_key_files == 0) { /* fill default hostkeys for protocols */ diff -wpruN --no-dereference '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5 --- a~/sshd_config.5 1970-01-01 00:00:00 +++ a/sshd_config.5 1970-01-01 00:00:00 @@ -1345,7 +1345,14 @@ Specifies the maximum number of authenti connection. Once the number of failures reaches half this value, additional failures are logged. -The default is 6. +The default is 6, or the value given by +.Dq RETRIES= +in the file +.Pa /etc/default/login , +if available +.Po see +.Xr login 1 +.Pc . .It Cm MaxSessions Specifies the maximum number of open shell, login or subsystem (e.g. sftp) sessions permitted per network connection. @@ -1420,7 +1427,14 @@ The default is When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is -.Cm no . +.Cm no +unless +.Dq PASSREQ=YES +is present in +.Pa /etc/default/login +.Po see +.Xr login 1 +.Pc . .It Cm PermitListen Specifies the addresses/ports on which a remote TCP port forwarding may listen. The listen specification must be one of the following forms: