- dtucker@cvs.openbsd.org 2013/10/24 00:51:48

[readconf.c servconf.c ssh_config.5 sshd_config.5]
     Disallow empty Match statements and add "Match all" which matches
     everything.  ok djm, man page help jmc@

ChangeLog

@@ -14,6 +14,10 @@
      [moduli.c]
      Periodically print progress and, if possible, expected time to completion
      when screening moduli for DH groups.  ok deraadt djm
+   - dtucker@cvs.openbsd.org 2013/10/24 00:51:48
+     [readconf.c servconf.c ssh_config.5 sshd_config.5]
+     Disallow empty Match statements and add "Match all" which matches
+     everything.  ok djm, man page help jmc@
 
 20131023
  - (djm) OpenBSD CVS Sync

readconf.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.212 2013/10/23 03:05:19 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.213 2013/10/24 00:51:48 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -459,7 +459,7 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
 {
 	char *arg, *attrib, *cmd, *cp = *condition, *host;
 	const char *ruser;
-	int r, port, result = 1;
+	int r, port, result = 1, attributes = 0;
 	size_t len;
 	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
 
@@ -478,6 +478,19 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
 
 	debug3("checking match for '%s' host %s", cp, host);
 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
+		attributes++;
+		if (strcasecmp(attrib, "all") == 0) {
+			if (attributes != 1 ||
+			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
+				error("'all' cannot be combined with other "
+				    "Match attributes");
+				result = -1;
+				goto out;
+			}
+			*condition = cp;
+			result = 1;
+			goto out;
+		}
 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
 			error("Missing Match criteria for %s", attrib);
 			result = -1;
@@ -544,6 +557,11 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
 			goto out;
 		}
 	}
+	if (attributes == 0) {
+		error("One or more attributes required for Match");
+		result = -1;
+		goto out;
+	}
 	debug3("match %sfound", result ? "" : "not ");
 	*condition = cp;
  out:

servconf.c

@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.242 2013/10/23 05:40:58 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.243 2013/10/24 00:51:48 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -647,7 +647,7 @@ out:
 static int
 match_cfg_line(char **condition, int line, struct connection_info *ci)
 {
-	int result = 1, port;
+	int result = 1, attributes = 0, port;
 	char *arg, *attrib, *cp = *condition;
 	size_t len;
 
@@ -661,6 +661,17 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
 
 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
+		attributes++;
+		if (strcasecmp(attrib, "all") == 0) {
+			if (attributes != 1 ||
+			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
+				error("'all' cannot be combined with other "
+				    "Match attributes");
+				return -1;
+			}
+			*condition = cp;
+			return 1;
+		}
 		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
 			error("Missing Match criteria for %s", attrib);
 			return -1;
@@ -754,6 +765,10 @@ match_cfg_line(char **condition, int line, struct connection_info *ci)
 			return -1;
 		}
 	}
+	if (attributes == 0) {
+		error("One or more attributes required for Match");
+		return -1;
+	}
 	if (ci != NULL)
 		debug3("match %sfound", result ? "" : "not ");
 	*condition = cp;

ssh_config.5

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.177 2013/10/20 18:00:13 jmc Exp $
-.Dd $Mdocdate: October 20 2013 $
+.\" $OpenBSD: ssh_config.5,v 1.178 2013/10/24 00:51:48 dtucker Exp $
+.Dd $Mdocdate: October 24 2013 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -134,7 +134,10 @@ or
 keyword) to be used only when the conditions following the
 .Cm Match
 keyword are satisfied.
-Match conditions are specified using one or more keyword/criteria pairs.
+Match conditions are specified using one or more keyword/criteria pairs
+or the single token
+.Cm all
+which matches all criteria.
 The available keywords are:
 .Cm exec ,
 .Cm host ,

sshd_config.5

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.162 2013/07/19 07:37:48 markus Exp $
-.Dd $Mdocdate: July 19 2013 $
+.\" $OpenBSD: sshd_config.5,v 1.163 2013/10/24 00:51:48 dtucker Exp $
+.Dd $Mdocdate: October 24 2013 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -750,7 +750,9 @@ line or the end of the file.
 .Pp
 The arguments to
 .Cm Match
-are one or more criteria-pattern pairs.
+are one or more criteria-pattern pairs or the single token
+.Cm All
+which matches all criteria.
 The available criteria are
 .Cm User ,
 .Cm Group ,