From 18938d11a90b74d63c20b2d3c965d5bd64786ab1 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 10 Feb 2023 04:47:19 +0000 Subject: upstream: add a `sshd -G` option that parses and prints the effective configuration without attempting to load private keys and perform other checks. This allows usage of the option before keys have been generated. bz3460 feedback/ok dtucker@ OpenBSD-Commit-ID: 774504f629023fc25a559ab1d95401adb3a7fb29 --- sshd.c | 44 ++++++++++++++++++++++++++++---------------- 1 file changed, 28 insertions(+), 16 deletions(-) (limited to 'sshd.c') diff --git a/sshd.c b/sshd.c index 6321936c0..ce48602d7 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.596 2023/01/18 01:50:21 millert Exp $ */ +/* $OpenBSD: sshd.c,v 1.597 2023/02/10 04:47:19 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -901,7 +901,7 @@ usage(void) { fprintf(stderr, "%s, %s\n", SSH_RELEASE, SSH_OPENSSL_VERSION); fprintf(stderr, -"usage: sshd [-46DdeiqTtV] [-C connection_spec] [-c host_cert_file]\n" +"usage: sshd [-46DdeGiqTtV] [-C connection_spec] [-c host_cert_file]\n" " [-E log_file] [-f config_file] [-g login_grace_time]\n" " [-h host_key_file] [-o option] [-p port] [-u len]\n" ); @@ -1524,6 +1524,21 @@ prepare_proctitle(int ac, char **av) return ret; } +static void +print_config(struct ssh *ssh, struct connection_info *connection_info) +{ + /* + * If no connection info was provided by -C then use + * use a blank one that will cause no predicate to match. + */ + if (connection_info == NULL) + connection_info = get_connection_info(ssh, 0, 0); + connection_info->test = 1; + parse_server_match_config(&options, &includes, connection_info); + dump_config(&options); + exit(0); +} + /* * Main program for the daemon. */ @@ -1533,7 +1548,7 @@ main(int ac, char **av) struct ssh *ssh = NULL; extern char *optarg; extern int optind; - int r, opt, on = 1, already_daemon, remote_port; + int r, opt, on = 1, do_dump_cfg = 0, already_daemon, remote_port; int sock_in = -1, sock_out = -1, newsock = -1; const char *remote_ip, *rdomain; char *fp, *line, *laddr, *logfile = NULL; @@ -1581,7 +1596,7 @@ main(int ac, char **av) /* Parse command-line arguments. */ while ((opt = getopt(ac, av, - "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrtV")) != -1) { + "C:E:b:c:f:g:h:k:o:p:u:46DGQRTdeiqrtV")) != -1) { switch (opt) { case '4': options.address_family = AF_INET; @@ -1606,6 +1621,9 @@ main(int ac, char **av) case 'D': no_daemon_flag = 1; break; + case 'G': + do_dump_cfg = 1; + break; case 'E': logfile = optarg; /* FALLTHROUGH */ @@ -1693,7 +1711,7 @@ main(int ac, char **av) } if (rexeced_flag || inetd_flag) rexec_flag = 0; - if (!test_flag && rexec_flag && !path_absolute(av[0])) + if (!test_flag && !do_dump_cfg && rexec_flag && !path_absolute(av[0])) fatal("sshd re-exec requires execution with an absolute path"); if (rexeced_flag) closefrom(REEXEC_MIN_FREE_FD); @@ -1799,6 +1817,9 @@ main(int ac, char **av) debug("sshd version %s, %s", SSH_VERSION, SSH_OPENSSL_VERSION); + if (do_dump_cfg) + print_config(ssh, connection_info); + /* Store privilege separation user for later use if required. */ privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0); if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { @@ -1981,17 +2002,8 @@ main(int ac, char **av) "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); } - if (test_flag > 1) { - /* - * If no connection info was provided by -C then use - * use a blank one that will cause no predicate to match. - */ - if (connection_info == NULL) - connection_info = get_connection_info(ssh, 0, 0); - connection_info->test = 1; - parse_server_match_config(&options, &includes, connection_info); - dump_config(&options); - } + if (test_flag > 1) + print_config(ssh, connection_info); /* Configuration looks good, so exit if in test mode. */ if (test_flag) -- cgit v1.2.3