upstream: add a `sshd -G` option that parses and prints the

effective configuration without attempting to load private keys and perform
other checks. This allows usage of the option before keys have been
generated.

bz3460 feedback/ok dtucker@

OpenBSD-Commit-ID: 774504f629023fc25a559ab1d95401adb3a7fb29

diff --git a/sshd.8 b/sshd.8
index bace97839b7a02de99abb22ebd447c3e28579b00..eb063c716adf098fd72bc4fe4dcf987c502ba04c 100644 (file)
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.322 2023/01/18 01:50:21 millert Exp $
-.Dd $Mdocdate: January 18 2023 $
+.\" $OpenBSD: sshd.8,v 1.323 2023/02/10 04:47:19 djm Exp $
+.Dd $Mdocdate: February 10 2023 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -43,7 +43,7 @@
 .Sh SYNOPSIS
 .Nm sshd
 .Bk -words
-.Op Fl 46DdeiqTtV
+.Op Fl 46DGdeiqTtV
 .Op Fl C Ar connection_spec
 .Op Fl c Ar host_certificate_file
 .Op Fl E Ar log_file
@@ -154,6 +154,15 @@ The default is
 .Pa /etc/ssh/sshd_config .
 .Nm
 refuses to start if there is no configuration file.
+.It Fl G
+Parse and print configuration file.
+Check the validity of the configuration file, output the effective configuration
+to stdout and then exit.
+Optionally,
+.Cm Match
+rules may be applied by specifying the connection parameters using one or more
+.Fl C
+options.
 .It Fl g Ar login_grace_time
 Gives the grace time for clients to authenticate themselves (default
 120 seconds).
@@ -208,6 +217,11 @@ Optionally,
 rules may be applied by specifying the connection parameters using one or more
 .Fl C
 options.
+This is similar to the
+.Fl G
+flag, but it includes the additional testing performed by the
+.Fl t
+flag.
 .It Fl t
 Test mode.
 Only check the validity of the configuration file and sanity of the keys.

diff --git a/sshd.c b/sshd.c
index 6321936c020869a8bd2a520284e10f01430b2e4e..ce48602d7be2b93a029c326a3d32a06cb7a578d3 100644 (file)
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.596 2023/01/18 01:50:21 millert Exp $ */
+/* $OpenBSD: sshd.c,v 1.597 2023/02/10 04:47:19 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -901,7 +901,7 @@ usage(void)
 {
        fprintf(stderr, "%s, %s\n", SSH_RELEASE, SSH_OPENSSL_VERSION);
        fprintf(stderr,
-"usage: sshd [-46DdeiqTtV] [-C connection_spec] [-c host_cert_file]\n"
+"usage: sshd [-46DdeGiqTtV] [-C connection_spec] [-c host_cert_file]\n"
 "            [-E log_file] [-f config_file] [-g login_grace_time]\n"
 "            [-h host_key_file] [-o option] [-p port] [-u len]\n"
        );
@@ -1524,6 +1524,21 @@ prepare_proctitle(int ac, char **av)
        return ret;
 }
 
+static void
+print_config(struct ssh *ssh, struct connection_info *connection_info)
+{
+       /*
+        * If no connection info was provided by -C then use
+        * use a blank one that will cause no predicate to match.
+        */
+       if (connection_info == NULL)
+               connection_info = get_connection_info(ssh, 0, 0);
+       connection_info->test = 1;
+       parse_server_match_config(&options, &includes, connection_info);
+       dump_config(&options);
+       exit(0);
+}
+
 /*
  * Main program for the daemon.
  */
@@ -1533,7 +1548,7 @@ main(int ac, char **av)
        struct ssh *ssh = NULL;
        extern char *optarg;
        extern int optind;
-       int r, opt, on = 1, already_daemon, remote_port;
+       int r, opt, on = 1, do_dump_cfg = 0, already_daemon, remote_port;
        int sock_in = -1, sock_out = -1, newsock = -1;
        const char *remote_ip, *rdomain;
        char *fp, *line, *laddr, *logfile = NULL;
@@ -1581,7 +1596,7 @@ main(int ac, char **av)
 
        /* Parse command-line arguments. */
        while ((opt = getopt(ac, av,
-           "C:E:b:c:f:g:h:k:o:p:u:46DQRTdeiqrtV")) != -1) {
+           "C:E:b:c:f:g:h:k:o:p:u:46DGQRTdeiqrtV")) != -1) {
                switch (opt) {
                case '4':
                        options.address_family = AF_INET;
@@ -1606,6 +1621,9 @@ main(int ac, char **av)
                case 'D':
                        no_daemon_flag = 1;
                        break;
+               case 'G':
+                       do_dump_cfg = 1;
+                       break;
                case 'E':
                        logfile = optarg;
                        /* FALLTHROUGH */
@@ -1693,7 +1711,7 @@ main(int ac, char **av)
        }
        if (rexeced_flag || inetd_flag)
                rexec_flag = 0;
-       if (!test_flag && rexec_flag && !path_absolute(av[0]))
+       if (!test_flag && !do_dump_cfg && rexec_flag && !path_absolute(av[0]))
                fatal("sshd re-exec requires execution with an absolute path");
        if (rexeced_flag)
                closefrom(REEXEC_MIN_FREE_FD);
@@ -1799,6 +1817,9 @@ main(int ac, char **av)
 
        debug("sshd version %s, %s", SSH_VERSION, SSH_OPENSSL_VERSION);
 
+       if (do_dump_cfg)
+               print_config(ssh, connection_info);
+
        /* Store privilege separation user for later use if required. */
        privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);
        if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
@@ -1981,17 +2002,8 @@ main(int ac, char **av)
                            "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
        }
 
-       if (test_flag > 1) {
-               /*
-                * If no connection info was provided by -C then use
-                * use a blank one that will cause no predicate to match.
-                */
-               if (connection_info == NULL)
-                       connection_info = get_connection_info(ssh, 0, 0);
-               connection_info->test = 1;
-               parse_server_match_config(&options, &includes, connection_info);
-               dump_config(&options);
-       }
+       if (test_flag > 1)
+               print_config(ssh, connection_info);
 
        /* Configuration looks good, so exit if in test mode. */
        if (test_flag)