- dtucker@cvs.openbsd.org 2008/01/01 09:27:33

[sshd_config.5 servconf.c] Allow PermitRootLogin in a Match block. Allows for, eg, permitting root only from the local network. ok markus@, man page bit ok jmc@
2024-11-24 10:53:24 +08:00 · 2008-01-01 20:36:56 +11:00 · 2008-01-01 20:36:56 +11:00 · 15f94271be
commit 15f94271be
parent 4629f93b12
3 changed files with 12 additions and 6 deletions
--- a/6
+++ b/6
@ -19,6 +19,10 @@
     If scp -p encounters a pre-epoch timestamp, use the epoch which is
     as close as we can get given that it's used unsigned.  Add a little
     debugging while there.  bz #828, ok djm@
+   - dtucker@cvs.openbsd.org 2008/01/01 09:27:33
+     [sshd_config.5 servconf.c]
+     Allow PermitRootLogin in a Match block.  Allows for, eg, permitting root
+     only from the local network.  ok markus@, man page bit ok jmc@

 20071231
 - (dtucker) [configure.ac openbsd-compat/glob.{c,h}] Bug #1407: force use of
@ -3509,4 +3513,4 @@
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@

-$Id: ChangeLog,v 1.4814 2008/01/01 09:36:25 dtucker Exp $
+$Id: ChangeLog,v 1.4815 2008/01/01 09:36:56 dtucker Exp $
--- a/servconf.c
+++ b/servconf.c
@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.174 2007/12/31 10:41:31 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.175 2008/01/01 09:27:33 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@ -321,7 +321,7 @@ static struct {
 	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
 	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
 	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
-	{ "permitrootlogin", sPermitRootLogin, SSHCFG_GLOBAL },
+	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
 	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
@ -806,7 +806,7 @@ parse_filename:
 			fatal("%s line %d: Bad yes/"
 			    "without-password/forced-commands-only/no "
 			    "argument: %s", filename, linenum, arg);
-		if (*intptr == -1)
+		if (*activep && *intptr == -1)
 			*intptr = value;
 		break;

@ -1351,6 +1351,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
 	M_CP_INTOPT(kbd_interactive_authentication);
+	M_CP_INTOPT(permit_root_login);

 	M_CP_INTOPT(allow_tcp_forwarding);
 	M_CP_INTOPT(gateway_ports);
--- a/sshd_config.5
+++ b/sshd_config.5
@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.78 2007/08/23 03:22:16 djm Exp $
-.Dd $Mdocdate: June 11 2007 $
+.\" $OpenBSD: sshd_config.5,v 1.79 2008/01/01 09:27:33 dtucker Exp $
+.Dd $Mdocdate: January 1 2008 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@ -524,6 +524,7 @@ Available keywords are
 .Cm KerberosAuthentication ,
 .Cm PasswordAuthentication ,
 .Cm PermitOpen ,
+.Cm PermitRootLogin ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
 .Cm X11DisplayOffset ,