- djm@cvs.openbsd.org 2010/06/22 04:22:59
     [servconf.c sshd_config.5]
     expose some more sshd_config options inside Match blocks:
       AuthorizedKeysFile AuthorizedPrincipalsFile
       HostbasedUsesNameFromPacketOnly PermitTunnel
     bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@
diff --git a/ChangeLog b/ChangeLog
index 6563597..6ca101a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,12 @@
      [sftp-client.c]
      fix memory leak in do_realpath() error path; bz#1771, patch from
      anicka AT suse.cz
+   - djm@cvs.openbsd.org 2010/06/22 04:22:59
+     [servconf.c sshd_config.5]
+     expose some more sshd_config options inside Match blocks:
+       AuthorizedKeysFile AuthorizedPrincipalsFile
+       HostbasedUsesNameFromPacketOnly PermitTunnel
+     bz#1764; feedback from imorgan AT nas.nasa.gov; ok dtucker@
 
 20100622
  - (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512
diff --git a/servconf.c b/servconf.c
index c556986..986a5b9 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.208 2010/05/07 11:30:29 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.209 2010/06/22 04:22:59 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -346,7 +346,7 @@
 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
 	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
-	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
+	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
 	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
 	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
 	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
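Review bot: Nothing at the keyword table records that an entry flagged `SSHCFG_ALL` also needs its field in the `M_CP_INTOPT`/`M_CP_STROPT` list further down this file. Judging by how this commit pairs every flag change with a copy line, a flag flipped without that line would presumably be accepted inside a Match block and then have no effect. The entries changed here and in the two following table hunks (`authorizedkeysfile`, `authorizedkeysfile2`, `permittunnel`, `authorizedprincipalsfile`) all have their copy line in this commit, so this is a documentation point only. I would add a comment above the table such as `/* SSHCFG_ALL keywords must also appear in the M_CP_* copy list, or a Match override is parsed but never applied */`. The table starts and ends outside this hunk.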
@@ -421,11 +421,11 @@
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
 	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
 	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
-	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
-	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
+	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
+	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_ALL },
 	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
 	{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
-	{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
+	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
 	{ "match", sMatch, SSHCFG_ALL },
 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
@@ -433,7 +433,7 @@
 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
-	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_GLOBAL },
+	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1446,6 +1446,7 @@
 	M_CP_INTOPT(pubkey_authentication);
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
+	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
 	M_CP_INTOPT(kbd_interactive_authentication);
 	M_CP_INTOPT(zero_knowledge_password_authentication);
 	M_CP_INTOPT(permit_root_login);
@@ -1453,6 +1454,7 @@
 
 	M_CP_INTOPT(allow_tcp_forwarding);
 	M_CP_INTOPT(allow_agent_forwarding);
+	M_CP_INTOPT(permit_tun);
 	M_CP_INTOPT(gateway_ports);
 	M_CP_INTOPT(x11_display_offset);
 	M_CP_INTOPT(x11_forwarding);
@@ -1467,6 +1469,9 @@
 	M_CP_STROPT(chroot_directory);
 	M_CP_STROPT(trusted_user_ca_keys);
 	M_CP_STROPT(revoked_keys_file);
+	M_CP_STROPT(authorized_keys_file);
+	M_CP_STROPT(authorized_keys_file2);
+	M_CP_STROPT(authorized_principals_file);
 }
 
 #undef M_CP_INTOPT
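Review bot: The three added `M_CP_STROPT` lines let a Match block replace the paths that decide which keys and principals are trusted, but the macro body is outside this hunk, so its ownership rules for the old and new strings cannot be checked from here. If it releases the destination's previous value before taking the source pointer, the defaults for `authorized_keys_file`, `authorized_keys_file2` and `authorized_principals_file` must be heap-allocated and must not share one pointer. `authorized_keys_file2` is the one to confirm, in case its default can fall back to the `authorized_keys_file` string. I would record the requirement beside these lines, e.g. `/* strings copied here must be separately allocated; see M_CP_STROPT */`. The enclosing function begins before the hunk.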
diff --git a/sshd_config.5 b/sshd_config.5
index f9814f9..acaf809 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.122 2010/05/07 12:49:17 jmc Exp $
-.Dd $Mdocdate: May 7 2010 $
+.\" $OpenBSD: sshd_config.5,v 1.123 2010/06/22 04:22:59 djm Exp $
+.Dd $Mdocdate: June 22 2010 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -644,12 +644,15 @@
 Available keywords are
 .Cm AllowAgentForwarding ,
 .Cm AllowTcpForwarding ,
+.Cm AuthorizedKeysFile ,
+.Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
 .Cm ForceCommand ,
 .Cm GatewayPorts ,
 .Cm GSSAPIAuthentication ,
 .Cm HostbasedAuthentication ,
+.Cm HostbasedUsesNameFromPacketOnly ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
 .Cm MaxAuthTries ,
@@ -658,6 +661,7 @@
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
+.Cm PermitTunnel ,
 .Cm PubkeyAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,