search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
oops, that last commit was:
[openssh-git.git] / servconf.c
blob9e420a527d7b2d2bebb271837d38228eb5e2df9b
1 /*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12 #include "includes.h"
13 RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $");
14
15 #include "ssh.h"
16 #include "log.h"
17 #include "servconf.h"
18 #include "xmalloc.h"
19 #include "compat.h"
20 #include "pathnames.h"
21 #include "misc.h"
22 #include "cipher.h"
23 #include "kex.h"
24 #include "mac.h"
25
26 static void add_listen_addr(ServerOptions *, char *, u_short);
27 static void add_one_listen_addr(ServerOptions *, char *, u_short);
28
29 /* Use of privilege separation or not */
30 extern int use_privsep;
31
32 /* Initializes the server options to their default values. */
33
34 void
35 initialize_server_options(ServerOptions *options)
36 {
37 memset(options, 0, sizeof(*options));
38
39 /* Portable-specific options */
40 options->use_pam = -1;
41
42 /* Standard Options */
43 options->num_ports = 0;
44 options->ports_from_cmdline = 0;
45 options->listen_addrs = NULL;
46 options->address_family = -1;
47 options->num_host_key_files = 0;
48 options->pid_file = NULL;
49 options->server_key_bits = -1;
50 options->login_grace_time = -1;
51 options->key_regeneration_time = -1;
52 options->permit_root_login = PERMIT_NOT_SET;
53 options->ignore_rhosts = -1;
54 options->ignore_user_known_hosts = -1;
55 options->print_motd = -1;
56 options->print_lastlog = -1;
57 options->x11_forwarding = -1;
58 options->x11_display_offset = -1;
59 options->x11_use_localhost = -1;
60 options->xauth_location = NULL;
61 options->strict_modes = -1;
62 options->tcp_keep_alive = -1;
63 options->log_facility = SYSLOG_FACILITY_NOT_SET;
64 options->log_level = SYSLOG_LEVEL_NOT_SET;
65 options->rhosts_rsa_authentication = -1;
66 options->hostbased_authentication = -1;
67 options->hostbased_uses_name_from_packet_only = -1;
68 options->rsa_authentication = -1;
69 options->pubkey_authentication = -1;
70 options->kerberos_authentication = -1;
71 options->kerberos_or_local_passwd = -1;
72 options->kerberos_ticket_cleanup = -1;
73 options->kerberos_get_afs_token = -1;
74 options->gss_authentication=-1;
75 options->gss_cleanup_creds = -1;
76 options->password_authentication = -1;
77 options->kbd_interactive_authentication = -1;
78 options->challenge_response_authentication = -1;
79 options->permit_empty_passwd = -1;
80 options->permit_user_env = -1;
81 options->use_login = -1;
82 options->compression = -1;
83 options->allow_tcp_forwarding = -1;
84 options->num_allow_users = 0;
85 options->num_deny_users = 0;
86 options->num_allow_groups = 0;
87 options->num_deny_groups = 0;
88 options->ciphers = NULL;
89 options->macs = NULL;
90 options->protocol = SSH_PROTO_UNKNOWN;
91 options->gateway_ports = -1;
92 options->num_subsystems = 0;
93 options->max_startups_begin = -1;
94 options->max_startups_rate = -1;
95 options->max_startups = -1;
96 options->max_authtries = -1;
97 options->banner = NULL;
98 options->use_dns = -1;
99 options->client_alive_interval = -1;
100 options->client_alive_count_max = -1;
101 options->authorized_keys_file = NULL;
102 options->authorized_keys_file2 = NULL;
103 options->num_accept_env = 0;
104
105 /* Needs to be accessable in many places */
106 use_privsep = -1;
107 }
108
109 void
110 fill_default_server_options(ServerOptions *options)
111 {
112 /* Portable-specific options */
113 if (options->use_pam == -1)
114 options->use_pam = 0;
115
116 /* Standard Options */
117 if (options->protocol == SSH_PROTO_UNKNOWN)
118 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
119 if (options->num_host_key_files == 0) {
120 /* fill default hostkeys for protocols */
121 if (options->protocol & SSH_PROTO_1)
122 options->host_key_files[options->num_host_key_files++] =
123 _PATH_HOST_KEY_FILE;
124 if (options->protocol & SSH_PROTO_2) {
125 options->host_key_files[options->num_host_key_files++] =
126 _PATH_HOST_RSA_KEY_FILE;
127 options->host_key_files[options->num_host_key_files++] =
128 _PATH_HOST_DSA_KEY_FILE;
129 }
130 }
131 if (options->num_ports == 0)
132 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
133 if (options->listen_addrs == NULL)
134 add_listen_addr(options, NULL, 0);
135 if (options->pid_file == NULL)
136 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
137 if (options->server_key_bits == -1)
138 options->server_key_bits = 768;
139 if (options->login_grace_time == -1)
140 options->login_grace_time = 120;
141 if (options->key_regeneration_time == -1)
142 options->key_regeneration_time = 3600;
143 if (options->permit_root_login == PERMIT_NOT_SET)
144 options->permit_root_login = PERMIT_YES;
145 if (options->ignore_rhosts == -1)
146 options->ignore_rhosts = 1;
147 if (options->ignore_user_known_hosts == -1)
148 options->ignore_user_known_hosts = 0;
149 if (options->print_motd == -1)
150 options->print_motd = 1;
151 if (options->print_lastlog == -1)
152 options->print_lastlog = 1;
153 if (options->x11_forwarding == -1)
154 options->x11_forwarding = 0;
155 if (options->x11_display_offset == -1)
156 options->x11_display_offset = 10;
157 if (options->x11_use_localhost == -1)
158 options->x11_use_localhost = 1;
159 if (options->xauth_location == NULL)
160 options->xauth_location = _PATH_XAUTH;
161 if (options->strict_modes == -1)
162 options->strict_modes = 1;
163 if (options->tcp_keep_alive == -1)
164 options->tcp_keep_alive = 1;
165 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
166 options->log_facility = SYSLOG_FACILITY_AUTH;
167 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
168 options->log_level = SYSLOG_LEVEL_INFO;
169 if (options->rhosts_rsa_authentication == -1)
170 options->rhosts_rsa_authentication = 0;
171 if (options->hostbased_authentication == -1)
172 options->hostbased_authentication = 0;
173 if (options->hostbased_uses_name_from_packet_only == -1)
174 options->hostbased_uses_name_from_packet_only = 0;
175 if (options->rsa_authentication == -1)
176 options->rsa_authentication = 1;
177 if (options->pubkey_authentication == -1)
178 options->pubkey_authentication = 1;
179 if (options->kerberos_authentication == -1)
180 options->kerberos_authentication = 0;
181 if (options->kerberos_or_local_passwd == -1)
182 options->kerberos_or_local_passwd = 1;
183 if (options->kerberos_ticket_cleanup == -1)
184 options->kerberos_ticket_cleanup = 1;
185 if (options->kerberos_get_afs_token == -1)
186 options->kerberos_get_afs_token = 0;
187 if (options->gss_authentication == -1)
188 options->gss_authentication = 0;
189 if (options->gss_cleanup_creds == -1)
190 options->gss_cleanup_creds = 1;
191 if (options->password_authentication == -1)
192 options->password_authentication = 1;
193 if (options->kbd_interactive_authentication == -1)
194 options->kbd_interactive_authentication = 0;
195 if (options->challenge_response_authentication == -1)
196 options->challenge_response_authentication = 1;
197 if (options->permit_empty_passwd == -1)
198 options->permit_empty_passwd = 0;
199 if (options->permit_user_env == -1)
200 options->permit_user_env = 0;
201 if (options->use_login == -1)
202 options->use_login = 0;
203 if (options->compression == -1)
204 options->compression = COMP_DELAYED;
205 if (options->allow_tcp_forwarding == -1)
206 options->allow_tcp_forwarding = 1;
207 if (options->gateway_ports == -1)
208 options->gateway_ports = 0;
209 if (options->max_startups == -1)
210 options->max_startups = 10;
211 if (options->max_startups_rate == -1)
212 options->max_startups_rate = 100; /* 100% */
213 if (options->max_startups_begin == -1)
214 options->max_startups_begin = options->max_startups;
215 if (options->max_authtries == -1)
216 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
217 if (options->use_dns == -1)
218 options->use_dns = 1;
219 if (options->client_alive_interval == -1)
220 options->client_alive_interval = 0;
221 if (options->client_alive_count_max == -1)
222 options->client_alive_count_max = 3;
223 if (options->authorized_keys_file2 == NULL) {
224 /* authorized_keys_file2 falls back to authorized_keys_file */
225 if (options->authorized_keys_file != NULL)
226 options->authorized_keys_file2 = options->authorized_keys_file;
227 else
228 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
229 }
230 if (options->authorized_keys_file == NULL)
231 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
232
233 /* Turn privilege separation on by default */
234 if (use_privsep == -1)
235 use_privsep = 1;
236
237 #ifndef HAVE_MMAP
238 if (use_privsep && options->compression == 1) {
239 error("This platform does not support both privilege "
240 "separation and compression");
241 error("Compression disabled");
242 options->compression = 0;
243 }
244 #endif
245
246 }
247
248 /* Keyword tokens. */
249 typedef enum {
250 sBadOption, /* == unknown option */
251 /* Portable-specific options */
252 sUsePAM,
253 /* Standard Options */
254 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
255 sPermitRootLogin, sLogFacility, sLogLevel,
256 sRhostsRSAAuthentication, sRSAAuthentication,
257 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
258 sKerberosGetAFSToken,
259 sKerberosTgtPassing, sChallengeResponseAuthentication,
260 sPasswordAuthentication, sKbdInteractiveAuthentication,
261 sListenAddress, sAddressFamily,
262 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
263 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
264 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
265 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
266 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
267 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
268 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
269 sMaxStartups, sMaxAuthTries,
270 sBanner, sUseDNS, sHostbasedAuthentication,
271 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
272 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
273 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
274 sUsePrivilegeSeparation,
275 sDeprecated, sUnsupported
276 } ServerOpCodes;
277
278 /* Textual representation of the tokens. */
279 static struct {
280 const char *name;
281 ServerOpCodes opcode;
282 } keywords[] = {
283 /* Portable-specific options */
284 #ifdef USE_PAM
285 { "usepam", sUsePAM },
286 #else
287 { "usepam", sUnsupported },
288 #endif
289 { "pamauthenticationviakbdint", sDeprecated },
290 /* Standard Options */
291 { "port", sPort },
292 { "hostkey", sHostKeyFile },
293 { "hostdsakey", sHostKeyFile }, /* alias */
294 { "pidfile", sPidFile },
295 { "serverkeybits", sServerKeyBits },
296 { "logingracetime", sLoginGraceTime },
297 { "keyregenerationinterval", sKeyRegenerationTime },
298 { "permitrootlogin", sPermitRootLogin },
299 { "syslogfacility", sLogFacility },
300 { "loglevel", sLogLevel },
301 { "rhostsauthentication", sDeprecated },
302 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
303 { "hostbasedauthentication", sHostbasedAuthentication },
304 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
305 { "rsaauthentication", sRSAAuthentication },
306 { "pubkeyauthentication", sPubkeyAuthentication },
307 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
308 #ifdef KRB5
309 { "kerberosauthentication", sKerberosAuthentication },
310 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
311 { "kerberosticketcleanup", sKerberosTicketCleanup },
312 #ifdef USE_AFS
313 { "kerberosgetafstoken", sKerberosGetAFSToken },
314 #else
315 { "kerberosgetafstoken", sUnsupported },
316 #endif
317 #else
318 { "kerberosauthentication", sUnsupported },
319 { "kerberosorlocalpasswd", sUnsupported },
320 { "kerberosticketcleanup", sUnsupported },
321 { "kerberosgetafstoken", sUnsupported },
322 #endif
323 { "kerberostgtpassing", sUnsupported },
324 { "afstokenpassing", sUnsupported },
325 #ifdef GSSAPI
326 { "gssapiauthentication", sGssAuthentication },
327 { "gssapicleanupcredentials", sGssCleanupCreds },
328 #else
329 { "gssapiauthentication", sUnsupported },
330 { "gssapicleanupcredentials", sUnsupported },
331 #endif
332 { "passwordauthentication", sPasswordAuthentication },
333 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
334 { "challengeresponseauthentication", sChallengeResponseAuthentication },
335 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
336 { "checkmail", sDeprecated },
337 { "listenaddress", sListenAddress },
338 { "addressfamily", sAddressFamily },
339 { "printmotd", sPrintMotd },
340 { "printlastlog", sPrintLastLog },
341 { "ignorerhosts", sIgnoreRhosts },
342 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
343 { "x11forwarding", sX11Forwarding },
344 { "x11displayoffset", sX11DisplayOffset },
345 { "x11uselocalhost", sX11UseLocalhost },
346 { "xauthlocation", sXAuthLocation },
347 { "strictmodes", sStrictModes },
348 { "permitemptypasswords", sEmptyPasswd },
349 { "permituserenvironment", sPermitUserEnvironment },
350 { "uselogin", sUseLogin },
351 { "compression", sCompression },
352 { "tcpkeepalive", sTCPKeepAlive },
353 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
354 { "allowtcpforwarding", sAllowTcpForwarding },
355 { "allowusers", sAllowUsers },
356 { "denyusers", sDenyUsers },
357 { "allowgroups", sAllowGroups },
358 { "denygroups", sDenyGroups },
359 { "ciphers", sCiphers },
360 { "macs", sMacs },
361 { "protocol", sProtocol },
362 { "gatewayports", sGatewayPorts },
363 { "subsystem", sSubsystem },
364 { "maxstartups", sMaxStartups },
365 { "maxauthtries", sMaxAuthTries },
366 { "banner", sBanner },
367 { "usedns", sUseDNS },
368 { "verifyreversemapping", sDeprecated },
369 { "reversemappingcheck", sDeprecated },
370 { "clientaliveinterval", sClientAliveInterval },
371 { "clientalivecountmax", sClientAliveCountMax },
372 { "authorizedkeysfile", sAuthorizedKeysFile },
373 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
374 { "useprivilegeseparation", sUsePrivilegeSeparation},
375 { "acceptenv", sAcceptEnv },
376 { NULL, sBadOption }
377 };
378
379 /*
380 * Returns the number of the token pointed to by cp or sBadOption.
381 */
382
383 static ServerOpCodes
384 parse_token(const char *cp, const char *filename,
385 int linenum)
386 {
387 u_int i;
388
389 for (i = 0; keywords[i].name; i++)
390 if (strcasecmp(cp, keywords[i].name) == 0)
391 return keywords[i].opcode;
392
393 error("%s: line %d: Bad configuration option: %s",
394 filename, linenum, cp);
395 return sBadOption;
396 }
397
398 static void
399 add_listen_addr(ServerOptions *options, char *addr, u_short port)
400 {
401 u_int i;
402
403 if (options->num_ports == 0)
404 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
405 if (options->address_family == -1)
406 options->address_family = AF_UNSPEC;
407 if (port == 0)
408 for (i = 0; i < options->num_ports; i++)
409 add_one_listen_addr(options, addr, options->ports[i]);
410 else
411 add_one_listen_addr(options, addr, port);
412 }
413
414 static void
415 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
416 {
417 struct addrinfo hints, *ai, *aitop;
418 char strport[NI_MAXSERV];
419 int gaierr;
420
421 memset(&hints, 0, sizeof(hints));
422 hints.ai_family = options->address_family;
423 hints.ai_socktype = SOCK_STREAM;
424 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
425 snprintf(strport, sizeof strport, "%u", port);
426 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
427 fatal("bad addr or host: %s (%s)",
428 addr ? addr : "<NULL>",
429 gai_strerror(gaierr));
430 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
431 ;
432 ai->ai_next = options->listen_addrs;
433 options->listen_addrs = aitop;
434 }
435
436 int
437 process_server_config_line(ServerOptions *options, char *line,
438 const char *filename, int linenum)
439 {
440 char *cp, **charptr, *arg, *p;
441 int *intptr, value, n;
442 ServerOpCodes opcode;
443 u_short port;
444 u_int i;
445
446 cp = line;
447 arg = strdelim(&cp);
448 /* Ignore leading whitespace */
449 if (*arg == '\0')
450 arg = strdelim(&cp);
451 if (!arg || !*arg || *arg == '#')
452 return 0;
453 intptr = NULL;
454 charptr = NULL;
455 opcode = parse_token(arg, filename, linenum);
456 switch (opcode) {
457 /* Portable-specific options */
458 case sUsePAM:
459 intptr = &options->use_pam;
460 goto parse_flag;
461
462 /* Standard Options */
463 case sBadOption:
464 return -1;
465 case sPort:
466 /* ignore ports from configfile if cmdline specifies ports */
467 if (options->ports_from_cmdline)
468 return 0;
469 if (options->listen_addrs != NULL)
470 fatal("%s line %d: ports must be specified before "
471 "ListenAddress.", filename, linenum);
472 if (options->num_ports >= MAX_PORTS)
473 fatal("%s line %d: too many ports.",
474 filename, linenum);
475 arg = strdelim(&cp);
476 if (!arg || *arg == '\0')
477 fatal("%s line %d: missing port number.",
478 filename, linenum);
479 options->ports[options->num_ports++] = a2port(arg);
480 if (options->ports[options->num_ports-1] == 0)
481 fatal("%s line %d: Badly formatted port number.",
482 filename, linenum);
483 break;
484
485 case sServerKeyBits:
486 intptr = &options->server_key_bits;
487 parse_int:
488 arg = strdelim(&cp);
489 if (!arg || *arg == '\0')
490 fatal("%s line %d: missing integer value.",
491 filename, linenum);
492 value = atoi(arg);
493 if (*intptr == -1)
494 *intptr = value;
495 break;
496
497 case sLoginGraceTime:
498 intptr = &options->login_grace_time;
499 parse_time:
500 arg = strdelim(&cp);
501 if (!arg || *arg == '\0')
502 fatal("%s line %d: missing time value.",
503 filename, linenum);
504 if ((value = convtime(arg)) == -1)
505 fatal("%s line %d: invalid time value.",
506 filename, linenum);
507 if (*intptr == -1)
508 *intptr = value;
509 break;
510
511 case sKeyRegenerationTime:
512 intptr = &options->key_regeneration_time;
513 goto parse_time;
514
515 case sListenAddress:
516 arg = strdelim(&cp);
517 if (arg == NULL || *arg == '\0')
518 fatal("%s line %d: missing address",
519 filename, linenum);
520 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
521 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
522 && strchr(p+1, ':') != NULL) {
523 add_listen_addr(options, arg, 0);
524 break;
525 }
526 p = hpdelim(&arg);
527 if (p == NULL)
528 fatal("%s line %d: bad address:port usage",
529 filename, linenum);
530 p = cleanhostname(p);
531 if (arg == NULL)
532 port = 0;
533 else if ((port = a2port(arg)) == 0)
534 fatal("%s line %d: bad port number", filename, linenum);
535
536 add_listen_addr(options, p, port);
537
538 break;
539
540 case sAddressFamily:
541 arg = strdelim(&cp);
542 if (!arg || *arg == '\0')
543 fatal("%s line %d: missing address family.",
544 filename, linenum);
545 intptr = &options->address_family;
546 if (options->listen_addrs != NULL)
547 fatal("%s line %d: address family must be specified before "
548 "ListenAddress.", filename, linenum);
549 if (strcasecmp(arg, "inet") == 0)
550 value = AF_INET;
551 else if (strcasecmp(arg, "inet6") == 0)
552 value = AF_INET6;
553 else if (strcasecmp(arg, "any") == 0)
554 value = AF_UNSPEC;
555 else
556 fatal("%s line %d: unsupported address family \"%s\".",
557 filename, linenum, arg);
558 if (*intptr == -1)
559 *intptr = value;
560 break;
561
562 case sHostKeyFile:
563 intptr = &options->num_host_key_files;
564 if (*intptr >= MAX_HOSTKEYS)
565 fatal("%s line %d: too many host keys specified (max %d).",
566 filename, linenum, MAX_HOSTKEYS);
567 charptr = &options->host_key_files[*intptr];
568 parse_filename:
569 arg = strdelim(&cp);
570 if (!arg || *arg == '\0')
571 fatal("%s line %d: missing file name.",
572 filename, linenum);
573 if (*charptr == NULL) {
574 *charptr = tilde_expand_filename(arg, getuid());
575 /* increase optional counter */
576 if (intptr != NULL)
577 *intptr = *intptr + 1;
578 }
579 break;
580
581 case sPidFile:
582 charptr = &options->pid_file;
583 goto parse_filename;
584
585 case sPermitRootLogin:
586 intptr = &options->permit_root_login;
587 arg = strdelim(&cp);
588 if (!arg || *arg == '\0')
589 fatal("%s line %d: missing yes/"
590 "without-password/forced-commands-only/no "
591 "argument.", filename, linenum);
592 value = 0; /* silence compiler */
593 if (strcmp(arg, "without-password") == 0)
594 value = PERMIT_NO_PASSWD;
595 else if (strcmp(arg, "forced-commands-only") == 0)
596 value = PERMIT_FORCED_ONLY;
597 else if (strcmp(arg, "yes") == 0)
598 value = PERMIT_YES;
599 else if (strcmp(arg, "no") == 0)
600 value = PERMIT_NO;
601 else
602 fatal("%s line %d: Bad yes/"
603 "without-password/forced-commands-only/no "
604 "argument: %s", filename, linenum, arg);
605 if (*intptr == -1)
606 *intptr = value;
607 break;
608
609 case sIgnoreRhosts:
610 intptr = &options->ignore_rhosts;
611 parse_flag:
612 arg = strdelim(&cp);
613 if (!arg || *arg == '\0')
614 fatal("%s line %d: missing yes/no argument.",
615 filename, linenum);
616 value = 0; /* silence compiler */
617 if (strcmp(arg, "yes") == 0)
618 value = 1;
619 else if (strcmp(arg, "no") == 0)
620 value = 0;
621 else
622 fatal("%s line %d: Bad yes/no argument: %s",
623 filename, linenum, arg);
624 if (*intptr == -1)
625 *intptr = value;
626 break;
627
628 case sIgnoreUserKnownHosts:
629 intptr = &options->ignore_user_known_hosts;
630 goto parse_flag;
631
632 case sRhostsRSAAuthentication:
633 intptr = &options->rhosts_rsa_authentication;
634 goto parse_flag;
635
636 case sHostbasedAuthentication:
637 intptr = &options->hostbased_authentication;
638 goto parse_flag;
639
640 case sHostbasedUsesNameFromPacketOnly:
641 intptr = &options->hostbased_uses_name_from_packet_only;
642 goto parse_flag;
643
644 case sRSAAuthentication:
645 intptr = &options->rsa_authentication;
646 goto parse_flag;
647
648 case sPubkeyAuthentication:
649 intptr = &options->pubkey_authentication;
650 goto parse_flag;
651
652 case sKerberosAuthentication:
653 intptr = &options->kerberos_authentication;
654 goto parse_flag;
655
656 case sKerberosOrLocalPasswd:
657 intptr = &options->kerberos_or_local_passwd;
658 goto parse_flag;
659
660 case sKerberosTicketCleanup:
661 intptr = &options->kerberos_ticket_cleanup;
662 goto parse_flag;
663
664 case sKerberosGetAFSToken:
665 intptr = &options->kerberos_get_afs_token;
666 goto parse_flag;
667
668 case sGssAuthentication:
669 intptr = &options->gss_authentication;
670 goto parse_flag;
671
672 case sGssCleanupCreds:
673 intptr = &options->gss_cleanup_creds;
674 goto parse_flag;
675
676 case sPasswordAuthentication:
677 intptr = &options->password_authentication;
678 goto parse_flag;
679
680 case sKbdInteractiveAuthentication:
681 intptr = &options->kbd_interactive_authentication;
682 goto parse_flag;
683
684 case sChallengeResponseAuthentication:
685 intptr = &options->challenge_response_authentication;
686 goto parse_flag;
687
688 case sPrintMotd:
689 intptr = &options->print_motd;
690 goto parse_flag;
691
692 case sPrintLastLog:
693 intptr = &options->print_lastlog;
694 goto parse_flag;
695
696 case sX11Forwarding:
697 intptr = &options->x11_forwarding;
698 goto parse_flag;
699
700 case sX11DisplayOffset:
701 intptr = &options->x11_display_offset;
702 goto parse_int;
703
704 case sX11UseLocalhost:
705 intptr = &options->x11_use_localhost;
706 goto parse_flag;
707
708 case sXAuthLocation:
709 charptr = &options->xauth_location;
710 goto parse_filename;
711
712 case sStrictModes:
713 intptr = &options->strict_modes;
714 goto parse_flag;
715
716 case sTCPKeepAlive:
717 intptr = &options->tcp_keep_alive;
718 goto parse_flag;
719
720 case sEmptyPasswd:
721 intptr = &options->permit_empty_passwd;
722 goto parse_flag;
723
724 case sPermitUserEnvironment:
725 intptr = &options->permit_user_env;
726 goto parse_flag;
727
728 case sUseLogin:
729 intptr = &options->use_login;
730 goto parse_flag;
731
732 case sCompression:
733 intptr = &options->compression;
734 arg = strdelim(&cp);
735 if (!arg || *arg == '\0')
736 fatal("%s line %d: missing yes/no/delayed "
737 "argument.", filename, linenum);
738 value = 0; /* silence compiler */
739 if (strcmp(arg, "delayed") == 0)
740 value = COMP_DELAYED;
741 else if (strcmp(arg, "yes") == 0)
742 value = COMP_ZLIB;
743 else if (strcmp(arg, "no") == 0)
744 value = COMP_NONE;
745 else
746 fatal("%s line %d: Bad yes/no/delayed "
747 "argument: %s", filename, linenum, arg);
748 if (*intptr == -1)
749 *intptr = value;
750 break;
751
752 case sGatewayPorts:
753 intptr = &options->gateway_ports;
754 arg = strdelim(&cp);
755 if (!arg || *arg == '\0')
756 fatal("%s line %d: missing yes/no/clientspecified "
757 "argument.", filename, linenum);
758 value = 0; /* silence compiler */
759 if (strcmp(arg, "clientspecified") == 0)
760 value = 2;
761 else if (strcmp(arg, "yes") == 0)
762 value = 1;
763 else if (strcmp(arg, "no") == 0)
764 value = 0;
765 else
766 fatal("%s line %d: Bad yes/no/clientspecified "
767 "argument: %s", filename, linenum, arg);
768 if (*intptr == -1)
769 *intptr = value;
770 break;
771
772 case sUseDNS:
773 intptr = &options->use_dns;
774 goto parse_flag;
775
776 case sLogFacility:
777 intptr = (int *) &options->log_facility;
778 arg = strdelim(&cp);
779 value = log_facility_number(arg);
780 if (value == SYSLOG_FACILITY_NOT_SET)
781 fatal("%.200s line %d: unsupported log facility '%s'",
782 filename, linenum, arg ? arg : "<NONE>");
783 if (*intptr == -1)
784 *intptr = (SyslogFacility) value;
785 break;
786
787 case sLogLevel:
788 intptr = (int *) &options->log_level;
789 arg = strdelim(&cp);
790 value = log_level_number(arg);
791 if (value == SYSLOG_LEVEL_NOT_SET)
792 fatal("%.200s line %d: unsupported log level '%s'",
793 filename, linenum, arg ? arg : "<NONE>");
794 if (*intptr == -1)
795 *intptr = (LogLevel) value;
796 break;
797
798 case sAllowTcpForwarding:
799 intptr = &options->allow_tcp_forwarding;
800 goto parse_flag;
801
802 case sUsePrivilegeSeparation:
803 intptr = &use_privsep;
804 goto parse_flag;
805
806 case sAllowUsers:
807 while ((arg = strdelim(&cp)) && *arg != '\0') {
808 if (options->num_allow_users >= MAX_ALLOW_USERS)
809 fatal("%s line %d: too many allow users.",
810 filename, linenum);
811 options->allow_users[options->num_allow_users++] =
812 xstrdup(arg);
813 }
814 break;
815
816 case sDenyUsers:
817 while ((arg = strdelim(&cp)) && *arg != '\0') {
818 if (options->num_deny_users >= MAX_DENY_USERS)
819 fatal( "%s line %d: too many deny users.",
820 filename, linenum);
821 options->deny_users[options->num_deny_users++] =
822 xstrdup(arg);
823 }
824 break;
825
826 case sAllowGroups:
827 while ((arg = strdelim(&cp)) && *arg != '\0') {
828 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
829 fatal("%s line %d: too many allow groups.",
830 filename, linenum);
831 options->allow_groups[options->num_allow_groups++] =
832 xstrdup(arg);
833 }
834 break;
835
836 case sDenyGroups:
837 while ((arg = strdelim(&cp)) && *arg != '\0') {
838 if (options->num_deny_groups >= MAX_DENY_GROUPS)
839 fatal("%s line %d: too many deny groups.",
840 filename, linenum);
841 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
842 }
843 break;
844
845 case sCiphers:
846 arg = strdelim(&cp);
847 if (!arg || *arg == '\0')
848 fatal("%s line %d: Missing argument.", filename, linenum);
849 if (!ciphers_valid(arg))
850 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
851 filename, linenum, arg ? arg : "<NONE>");
852 if (options->ciphers == NULL)
853 options->ciphers = xstrdup(arg);
854 break;
855
856 case sMacs:
857 arg = strdelim(&cp);
858 if (!arg || *arg == '\0')
859 fatal("%s line %d: Missing argument.", filename, linenum);
860 if (!mac_valid(arg))
861 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
862 filename, linenum, arg ? arg : "<NONE>");
863 if (options->macs == NULL)
864 options->macs = xstrdup(arg);
865 break;
866
867 case sProtocol:
868 intptr = &options->protocol;
869 arg = strdelim(&cp);
870 if (!arg || *arg == '\0')
871 fatal("%s line %d: Missing argument.", filename, linenum);
872 value = proto_spec(arg);
873 if (value == SSH_PROTO_UNKNOWN)
874 fatal("%s line %d: Bad protocol spec '%s'.",
875 filename, linenum, arg ? arg : "<NONE>");
876 if (*intptr == SSH_PROTO_UNKNOWN)
877 *intptr = value;
878 break;
879
880 case sSubsystem:
881 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
882 fatal("%s line %d: too many subsystems defined.",
883 filename, linenum);
884 }
885 arg = strdelim(&cp);
886 if (!arg || *arg == '\0')
887 fatal("%s line %d: Missing subsystem name.",
888 filename, linenum);
889 for (i = 0; i < options->num_subsystems; i++)
890 if (strcmp(arg, options->subsystem_name[i]) == 0)
891 fatal("%s line %d: Subsystem '%s' already defined.",
892 filename, linenum, arg);
893 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
894 arg = strdelim(&cp);
895 if (!arg || *arg == '\0')
896 fatal("%s line %d: Missing subsystem command.",
897 filename, linenum);
898 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
899 options->num_subsystems++;
900 break;
901
902 case sMaxStartups:
903 arg = strdelim(&cp);
904 if (!arg || *arg == '\0')
905 fatal("%s line %d: Missing MaxStartups spec.",
906 filename, linenum);
907 if ((n = sscanf(arg, "%d:%d:%d",
908 &options->max_startups_begin,
909 &options->max_startups_rate,
910 &options->max_startups)) == 3) {
911 if (options->max_startups_begin >
912 options->max_startups ||
913 options->max_startups_rate > 100 ||
914 options->max_startups_rate < 1)
915 fatal("%s line %d: Illegal MaxStartups spec.",
916 filename, linenum);
917 } else if (n != 1)
918 fatal("%s line %d: Illegal MaxStartups spec.",
919 filename, linenum);
920 else
921 options->max_startups = options->max_startups_begin;
922 break;
923
924 case sMaxAuthTries:
925 intptr = &options->max_authtries;
926 goto parse_int;
927
928 case sBanner:
929 charptr = &options->banner;
930 goto parse_filename;
931 /*
932 * These options can contain %X options expanded at
933 * connect time, so that you can specify paths like:
934 *
935 * AuthorizedKeysFile /etc/ssh_keys/%u
936 */
937 case sAuthorizedKeysFile:
938 case sAuthorizedKeysFile2:
939 charptr = (opcode == sAuthorizedKeysFile ) ?
940 &options->authorized_keys_file :
941 &options->authorized_keys_file2;
942 goto parse_filename;
943
944 case sClientAliveInterval:
945 intptr = &options->client_alive_interval;
946 goto parse_time;
947
948 case sClientAliveCountMax:
949 intptr = &options->client_alive_count_max;
950 goto parse_int;
951
952 case sAcceptEnv:
953 while ((arg = strdelim(&cp)) && *arg != '\0') {
954 if (strchr(arg, '=') != NULL)
955 fatal("%s line %d: Invalid environment name.",
956 filename, linenum);
957 if (options->num_accept_env >= MAX_ACCEPT_ENV)
958 fatal("%s line %d: too many allow env.",
959 filename, linenum);
960 options->accept_env[options->num_accept_env++] =
961 xstrdup(arg);
962 }
963 break;
964
965 case sDeprecated:
966 logit("%s line %d: Deprecated option %s",
967 filename, linenum, arg);
968 while (arg)
969 arg = strdelim(&cp);
970 break;
971
972 case sUnsupported:
973 logit("%s line %d: Unsupported option %s",
974 filename, linenum, arg);
975 while (arg)
976 arg = strdelim(&cp);
977 break;
978
979 default:
980 fatal("%s line %d: Missing handler for opcode %s (%d)",
981 filename, linenum, arg, opcode);
982 }
983 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
984 fatal("%s line %d: garbage at end of line; \"%.200s\".",
985 filename, linenum, arg);
986 return 0;
987 }
988
989 /* Reads the server configuration file. */
990
991 void
992 load_server_config(const char *filename, Buffer *conf)
993 {
994 char line[1024], *cp;
995 FILE *f;
996
997 debug2("%s: filename %s", __func__, filename);
998 if ((f = fopen(filename, "r")) == NULL) {
999 perror(filename);
1000 exit(1);
1001 }
1002 buffer_clear(conf);
1003 while (fgets(line, sizeof(line), f)) {
1004 /*
1005 * Trim out comments and strip whitespace
1006 * NB - preserve newlines, they are needed to reproduce
1007 * line numbers later for error messages
1008 */
1009 if ((cp = strchr(line, '#')) != NULL)
1010 memcpy(cp, "\n", 2);
1011 cp = line + strspn(line, " \t\r");
1012
1013 buffer_append(conf, cp, strlen(cp));
1014 }
1015 buffer_append(conf, "\0", 1);
1016 fclose(f);
1017 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1018 }
1019
1020 void
1021 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1022 {
1023 int linenum, bad_options = 0;
1024 char *cp, *obuf, *cbuf;
1025
1026 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1027
1028 obuf = cbuf = xstrdup(buffer_ptr(conf));
1029 linenum = 1;
1030 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1031 if (process_server_config_line(options, cp, filename,
1032 linenum++) != 0)
1033 bad_options++;
1034 }
1035 xfree(obuf);
1036 if (bad_options > 0)
1037 fatal("%s: terminating, %d bad configuration options",
1038 filename, bad_options);
1039 }
A clone of openssh git repository