
(-)security/openssh-portable/files/patch-auth.c (-3 / +3 lines)
Lines 8-16 Link Here
8
8
9
PR:             37416
9
PR:             37416
10
10
11
--- auth.c.orig	2010-08-12 11:33:01.000000000 -0600
11
--- auth.c.orig	2017-10-02 19:34:26 UTC
12
+++ auth.c	2010-09-14 16:14:12.000000000 -0600
12
+++ auth.c
13
@@ -594,7 +594,7 @@
13
@@ -606,7 +606,7 @@ getpwnamallow(const char *user)
14
 	if (!allowed_user(pw))
14
 	if (!allowed_user(pw))
15
 		return (NULL);
15
 		return (NULL);
16
 #ifdef HAVE_LOGIN_CAP
16
 #ifdef HAVE_LOGIN_CAP
(-)security/openssh-portable/files/patch-auth2.c (-20 / +11 lines)
Lines 5-21 Link Here
5
5
6
Apply class-imposed login restrictions.
6
Apply class-imposed login restrictions.
7
7
8
--- auth2.c.orig	2017-03-19 19:39:27.000000000 -0700
8
--- auth2.c.orig	2017-10-02 19:34:26 UTC
9
+++ auth2.c	2017-03-20 11:52:27.960733000 -0700
9
+++ auth2.c
10
@@ -47,6 +47,7 @@
10
@@ -221,6 +221,11 @@ input_userauth_request(int type, u_int32
11
 #include "key.h"
12
 #include "hostfile.h"
13
 #include "auth.h"
14
+#include "canohost.h"
15
 #include "dispatch.h"
16
 #include "pathnames.h"
17
 #include "buffer.h"
18
@@ -217,6 +218,13 @@ input_userauth_request(int type, u_int32
19
 	Authmethod *m = NULL;
11
 	Authmethod *m = NULL;
20
 	char *user, *service, *method, *style = NULL;
12
 	char *user, *service, *method, *style = NULL;
21
 	int authenticated = 0;
13
 	int authenticated = 0;
Lines 23-44 Link Here
23
+	login_cap_t *lc;
15
+	login_cap_t *lc;
24
+	const char *from_host, *from_ip;
16
+	const char *from_host, *from_ip;
25
+
17
+
26
+	from_host = auth_get_canonical_hostname(ssh, options.use_dns);
27
+	from_ip = ssh_remote_ipaddr(ssh);
28
+#endif
18
+#endif
29
 
19
 
30
 	if (authctxt == NULL)
20
 	if (authctxt == NULL)
31
 		fatal("input_userauth_request: no authctxt");
21
 		fatal("input_userauth_request: no authctxt");
32
@@ -266,6 +274,27 @@ input_userauth_request(int type, u_int32
22
@@ -270,6 +275,28 @@ input_userauth_request(int type, u_int32
33
 		    "(%s,%s) -> (%s,%s)",
23
 		    "(%s,%s) -> (%s,%s)",
34
 		    authctxt->user, authctxt->service, user, service);
24
 		    authctxt->user, authctxt->service, user, service);
35
 	}
25
 	}
36
+
26
+
37
+#ifdef HAVE_LOGIN_CAP
27
+#ifdef HAVE_LOGIN_CAP
38
+	if (authctxt->pw != NULL) {
28
+	if (authctxt->pw != NULL &&
39
+		lc = login_getpwclass(authctxt->pw);
29
+	    (lc = login_getpwclass(authctxt->pw)) != NULL) {
40
+		if (lc == NULL)
30
+		logit("user %s login class %s", authctxt->pw->pw_name,
41
+			lc = login_getclassbyname(NULL, authctxt->pw);
31
+		    authctxt->pw->pw_class);
32
+		from_host = auth_get_canonical_hostname(ssh, options.use_dns);
33
+		from_ip = ssh_remote_ipaddr(ssh);
42
+		if (!auth_hostok(lc, from_host, from_ip)) {
34
+		if (!auth_hostok(lc, from_host, from_ip)) {
43
+			logit("Denied connection for %.200s from %.200s [%.200s].",
35
+			logit("Denied connection for %.200s from %.200s [%.200s].",
44
+			    authctxt->pw->pw_name, from_host, from_ip);
36
+			    authctxt->pw->pw_name, from_host, from_ip);
Lines 50-59 Link Here
50
+			packet_disconnect("Logins not available right now.");
42
+			packet_disconnect("Logins not available right now.");
51
+		}
43
+		}
52
+		login_close(lc);
44
+		login_close(lc);
53
+		lc = NULL;
54
+	}
45
+	}
55
+#endif  /* HAVE_LOGIN_CAP */
46
+#endif  /* HAVE_LOGIN_CAP */
56
+
47
+
57
 	/* reset state */
48
 	/* reset state */
58
 	auth2_challenge_stop(authctxt);
49
 	auth2_challenge_stop(ssh);
59
 
50
 
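Review bot: In the rewritten block (new patch lines 28-29) a NULL return from login_getpwclass() now skips the entire host-restriction check, whereas the removed lines fell back to login_getclassbyname(NULL, authctxt->pw); a failed class lookup therefore fails open silently instead of being noticed. If the fallback is deliberately dropped, make the failure visible and deny, e.g. `else if (authctxt->pw != NULL) fatal("login_getpwclass: lookup failed for %s", authctxt->pw->pw_name);` after the closing brace of the `if`, consistent with the deny path taken when auth_hostok() fails. Whether login_getpwclass() already substitutes the default class on its own is a libutil detail not visible here, so a one-line comment stating what a NULL result is expected to mean would help the next reader either way. input_userauth_request() begins and ends outside the hunk.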
(-)security/openssh-portable/files/patch-configure.ac (-11 lines)
Lines 1-11 Link Here
1
--- configure.ac.orig	2017-04-08 02:15:16 UTC
2
+++ configure.ac
3
@@ -1544,7 +1545,7 @@ AC_ARG_WITH([libedit],
4
 			LIBEDIT=`$PKGCONFIG --libs libedit`
5
 			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
6
 		else
7
-			LIBEDIT="-ledit -lcurses"
8
+			LIBEDIT="-ledit -lncurses"
9
 		fi
10
 		OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
11
 		AC_CHECK_LIB([edit], [el_init],
(-)security/openssh-portable/files/patch-misc.c (-17 / +24 lines)
Lines 9-17 Link Here
9
Submitted by:   delphij@
9
Submitted by:   delphij@
10
[rewritten for 7.4 by bdrewery@]
10
[rewritten for 7.4 by bdrewery@]
11
11
12
--- misc.c.orig	2017-01-12 11:54:41.058558000 -0800
12
--- misc.c.orig	2017-10-02 19:34:26 UTC
13
+++ misc.c	2017-01-12 11:55:16.531356000 -0800
13
+++ misc.c
14
@@ -56,6 +56,8 @@
14
@@ -63,6 +63,8 @@
15
 #include <net/if.h>
15
 #include <net/if.h>
16
 #endif
16
 #endif
17
 
17
 
Lines 20-43 Link Here
20
 #include "xmalloc.h"
20
 #include "xmalloc.h"
21
 #include "misc.h"
21
 #include "misc.h"
22
 #include "log.h"
22
 #include "log.h"
23
@@ -1253,7 +1255,19 @@ forward_equals(const struct Forward *a, 
23
@@ -1259,11 +1261,26 @@ forward_equals(const struct Forward *a, 
24
 	return 1;
25
 }
26
 
27
+static int
28
+ipport_reserved(void)
29
+{
30
+#if __FreeBSD__
31
+	int old, ret;
32
+	size_t len = sizeof(old);
33
+
34
+	ret = sysctlbyname("net.inet.ip.portrange.reservedhigh",
35
+	    &old, &len, NULL, 0);
36
+	if (ret == 0)
37
+		return (old + 1);
38
+#endif
39
+	return (IPPORT_RESERVED);
40
+}
41
+
42
 /* returns 1 if bind to specified port by specified user is permitted */
24
 int
43
 int
25
 bind_permitted(int port, uid_t uid)
44
 bind_permitted(int port, uid_t uid)
26
 {
45
 {
27
-	if (port < IPPORT_RESERVED && uid != 0)
46
-	if (port < IPPORT_RESERVED && uid != 0)
28
+	int ipport_reserved;
47
+	if (port < ipport_reserved() && uid != 0)
29
+#ifdef __FreeBSD__
30
+	size_t len_ipport_reserved = sizeof(ipport_reserved);
31
+
32
+	if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
33
+	    &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
34
+		ipport_reserved = IPPORT_RESERVED;
35
+	else
36
+		ipport_reserved++;
37
+#else
38
+	ipport_reserved = IPPORT_RESERVED;
39
+#endif
40
+	if (port < ipport_reserved && uid != 0)
41
 		return 0;
48
 		return 0;
42
 	return 1;
49
 	return 1;
43
 }
50
 }
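Review bot: ipport_reserved() (new patch lines 27-40) silently substitutes IPPORT_RESERVED when the sysctlbyname() lookup fails, so on FreeBSD a failed lookup changes which ports non-root users may bind without leaving any trace in the logs; a `debug("sysctlbyname net.inet.ip.portrange.reservedhigh: %s", strerror(errno));` before the fallback return would make that visible, and log.h is already included per the context lines. The `return (old + 1)` also deserves a comment, since it presumably reflects reservedhigh being an inclusive upper bound — `/* reservedhigh is the highest reserved port, inclusive */` — to be confirmed against the sysctl documentation. `#if __FreeBSD__` works, but the removed lines spelled it `#ifdef __FreeBSD__`; either is fine as long as the whole port uses one. The earlier hunk that adds the header includes is cut off, so I could not confirm where <sys/sysctl.h> is pulled in.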
(-)security/openssh-portable/files/patch-regress__test-exec.sh (-10 lines)
Lines 1-10 Link Here
1
--- regress/test-exec.sh.orig	2015-04-03 18:20:32.256126000 UTC
2
+++ regress/test-exec.sh	2015-04-03 18:20:41.599903000 -0500
3
@@ -408,6 +408,7 @@ cat << EOF > $OBJ/sshd_config
4
 	LogLevel		DEBUG3
5
 	AcceptEnv		_XXX_TEST_*
6
 	AcceptEnv		_XXX_TEST
7
+	PermitRootLogin		yes
8
 	Subsystem	sftp	$SFTPSERVER
9
 EOF
10
 
(-)security/openssh-portable/files/patch-session.c (-12 / +21 lines)
Lines 10-28 Link Here
10
Sponsored by:   DARPA, NAI Labs
10
Sponsored by:   DARPA, NAI Labs
11
11
12
12
13
--- session.c	2013-03-14 19:22:37 UTC
13
--- session.c.orig	2017-10-02 19:34:26 UTC
14
+++ session.c
14
+++ session.c
15
@@ -985,6 +985,9 @@ do_setup_env(Session *s, const char *she
15
@@ -966,6 +966,9 @@ do_setup_env(struct ssh *ssh, Session *s
16
 	struct passwd *pw = s->pw;
16
 	struct passwd *pw = s->pw;
17
 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
17
 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
18
 	char *path = NULL;
18
 	char *path = NULL;
19
+#else
19
+#else
20
+	extern char **environ;
20
+	extern char **environ;
21
+	char **senv, **var;
21
+	char **senv, **var, *val;
22
 #endif
22
 #endif
23
 
23
 
24
 	/* Initialize the environment. */
24
 	/* Initialize the environment. */
25
@@ -1006,6 +1009,9 @@ do_setup_env(Session *s, const char *she
25
@@ -987,6 +990,9 @@ do_setup_env(struct ssh *ssh, Session *s
26
 	}
26
 	}
27
 #endif
27
 #endif
28
 
28
 
Lines 32-38 Link Here
32
 #ifdef GSSAPI
32
 #ifdef GSSAPI
33
 	/* Allow any GSSAPI methods that we've used to alter
33
 	/* Allow any GSSAPI methods that we've used to alter
34
 	 * the childs environment as they see fit
34
 	 * the childs environment as they see fit
35
@@ -1023,11 +1029,21 @@ do_setup_env(Session *s, const char *she
35
@@ -1004,11 +1010,30 @@ do_setup_env(struct ssh *ssh, Session *s
36
 	child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
36
 	child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
37
 #endif
37
 #endif
38
 	child_set_env(&env, &envsize, "HOME", pw->pw_dir);
38
 	child_set_env(&env, &envsize, "HOME", pw->pw_dir);
Lines 45-64 Link Here
45
-		child_set_env(&env, &envsize, "PATH", getenv("PATH"));
45
-		child_set_env(&env, &envsize, "PATH", getenv("PATH"));
46
+	child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
46
+	child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
47
+	child_set_env(&env, &envsize, "TERM", "su");
47
+	child_set_env(&env, &envsize, "TERM", "su");
48
+	/*
49
+	 * Temporarily swap out our real environment with an empty one,
50
+	 * let setusercontext() apply any environment variables defined
51
+	 * for the user's login class, copy those variables to the child,
52
+	 * free the temporary environment, and restore the original.
53
+	 */
48
+	senv = environ;
54
+	senv = environ;
49
+	environ = xmalloc(sizeof(char *));
55
+	environ = xmalloc(sizeof(*environ));
50
+	*environ = NULL;
56
+	*environ = NULL;
51
+	(void) setusercontext(lc, pw, pw->pw_uid,
57
+	(void)setusercontext(lc, pw, pw->pw_uid, LOGIN_SETENV|LOGIN_SETPATH);
52
+	    LOGIN_SETENV|LOGIN_SETPATH);
58
+	for (var = environ; *var != NULL; ++var) {
53
+	copy_environment(environ, &env, &envsize);
59
+		if ((val = strchr(*var, '=')) != NULL) {
54
+	for (var = environ; *var != NULL; ++var)
60
+			*val++ = '\0';
61
+			child_set_env(&env, &envsize, *var, val);
62
+		}
55
+		free(*var);
63
+		free(*var);
64
+	}
56
+	free(environ);
65
+	free(environ);
57
+	environ = senv;
66
+	environ = senv;
58
 #else /* HAVE_LOGIN_CAP */
67
 #else /* HAVE_LOGIN_CAP */
59
 # ifndef HAVE_CYGWIN
68
 # ifndef HAVE_CYGWIN
60
 	/*
69
 	/*
61
@@ -1047,15 +1063,9 @@ do_setup_env(Session *s, const char *she
70
@@ -1028,15 +1053,9 @@ do_setup_env(struct ssh *ssh, Session *s
62
 # endif /* HAVE_CYGWIN */
71
 # endif /* HAVE_CYGWIN */
63
 #endif /* HAVE_LOGIN_CAP */
72
 #endif /* HAVE_LOGIN_CAP */
64
 
73
 
Lines 74-80 Link Here
74
 	/* Set custom environment options from RSA authentication. */
83
 	/* Set custom environment options from RSA authentication. */
75
 	while (custom_environment) {
84
 	while (custom_environment) {
76
 		struct envstring *ce = custom_environment;
85
 		struct envstring *ce = custom_environment;
77
@@ -1334,7 +1344,7 @@ do_setusercontext(struct passwd *pw)
86
@@ -1321,7 +1340,7 @@ do_setusercontext(struct passwd *pw)
78
 	if (platform_privileged_uidswap()) {
87
 	if (platform_privileged_uidswap()) {
79
 #ifdef HAVE_LOGIN_CAP
88
 #ifdef HAVE_LOGIN_CAP
80
 		if (setusercontext(lc, pw, pw->pw_uid,
89
 		if (setusercontext(lc, pw, pw->pw_uid,
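Review bot: The new loop at patch lines 58-64 frees every entry of the temporary environ and silently skips entries without an '=', and neither is stated in the comment block added just above it. Freeing *var is only correct if each entry is a separately allocated string that this code owns; whether setenv(3) on the target libc hands out ownership like that is not visible here, so it is worth confirming and recording with a comment such as `/* each entry was allocated by setusercontext()'s setenv(3); we own and free them */`, and a debug() on the skipped branch would make malformed login.conf values visible instead of vanishing. While environ points at the empty array, any getenv() performed by setusercontext() or by logging sees an empty environment, which looks intended but deserves a sentence in the comment. do_setup_env() starts and ends outside the hunk.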
(-)security/openssh-portable/files/patch-ssh__config.5 (-17 / +8 lines)
Lines 4-26 Link Here
4
Document the FreeBSD default for CheckHostIP, which was changed in
4
Document the FreeBSD default for CheckHostIP, which was changed in
5
rev 1.2 of readconf.c.
5
rev 1.2 of readconf.c.
6
6
7
--- ssh_config.5.orig	2010-08-04 21:03:13.000000000 -0600
7
--- ssh_config.5.orig	2017-10-02 19:34:26 UTC
8
+++ ssh_config.5	2010-09-14 16:14:13.000000000 -0600
8
+++ ssh_config.5
9
@@ -377,8 +377,7 @@ or
9
@@ -388,6 +388,8 @@ in the process, regardless of the settin
10
 .Cm no .
11
 .It Cm CheckHostIP
12
 If set to
13
-.Cm yes
14
-(the default),
15
+.Cm yes ,
16
 .Xr ssh 1
17
 will additionally check the host IP address in the
18
 .Pa known_hosts
19
@@ -390,6 +389,7 @@ in the process, regardless of the settin
20
 .Cm StrictHostKeyChecking .
21
 If the option is set to
10
 If the option is set to
22
 .Cm no ,
11
 .Cm no ,
23
+(the default),
24
 the check will not be executed.
12
 the check will not be executed.
25
 .It Cm Cipher
13
+The default is
26
 Specifies the cipher to use for encrypting the session
14
+.Cm no .
15
 .It Cm Ciphers
16
 Specifies the ciphers allowed and their order of preference.
17
 Multiple ciphers must be comma-separated.
(-)security/openssh-portable/files/patch-ssh_config (-17 lines)
Lines 1-17 Link Here
1
--- UTC
2
r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
3
4
Document the FreeBSD default for CheckHostIP, which was changed in
5
rev 1.2 of readconf.c.
6
7
--- ssh_config.orig	2010-01-12 01:40:27.000000000 -0700
8
+++ ssh_config	2010-09-14 16:14:13.000000000 -0600
9
@@ -27,7 +27,7 @@
10
 #   GSSAPIAuthentication no
11
 #   GSSAPIDelegateCredentials no
12
 #   BatchMode no
13
-#   CheckHostIP yes
14
+#   CheckHostIP no
15
 #   AddressFamily any
16
 #   ConnectTimeout 0
17
 #   StrictHostKeyChecking ask
(-)security/openssh-portable/files/patch-ssh_config.5 (-26 lines)
Lines 1-26 Link Here
1
--- UTC
2
r100678 | fanf | 2002-07-25 10:59:40 -0500 (Thu, 25 Jul 2002) | 5 lines
3
4
Document the FreeBSD default for CheckHostIP, which was changed in
5
rev 1.2 of readconf.c.
6
7
--- ssh_config.5.orig	2010-08-04 21:03:13.000000000 -0600
8
+++ ssh_config.5	2010-09-14 16:14:13.000000000 -0600
9
@@ -377,8 +377,7 @@ or
10
 .Cm no .
11
 .It Cm CheckHostIP
12
 If set to
13
-.Cm yes
14
-(the default),
15
+.Cm yes ,
16
 .Xr ssh 1
17
 will additionally check the host IP address in the
18
 .Pa known_hosts
19
@@ -390,6 +389,7 @@ in the process, regardless of the settin
20
 .Cm StrictHostKeyChecking .
21
 If the option is set to
22
 .Cm no ,
23
+(the default),
24
 the check will not be executed.
25
 .It Cm Cipher
26
 Specifies the cipher to use for encrypting the session
