search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
- dtucker@cvs.openbsd.org 2009/06/22 05:39:28
[openssh-git.git] / readconf.c
blob53fc6c7ba598c0fe5a0f4e0581320fca05b876e7
1 /* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */
2 /*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved
6 * Functions for reading the configuration files.
7 *
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
13 */
14
15 #include "includes.h"
16
17 #include <sys/types.h>
18 #include <sys/stat.h>
19 #include <sys/socket.h>
20
21 #include <netinet/in.h>
22
23 #include <ctype.h>
24 #include <errno.h>
25 #include <netdb.h>
26 #include <signal.h>
27 #include <stdarg.h>
28 #include <stdio.h>
29 #include <string.h>
30 #include <unistd.h>
31
32 #include "xmalloc.h"
33 #include "ssh.h"
34 #include "compat.h"
35 #include "cipher.h"
36 #include "pathnames.h"
37 #include "log.h"
38 #include "key.h"
39 #include "readconf.h"
40 #include "match.h"
41 #include "misc.h"
42 #include "buffer.h"
43 #include "kex.h"
44 #include "mac.h"
45
46 /* Format of the configuration file:
47
48 # Configuration data is parsed as follows:
49 # 1. command line options
50 # 2. user-specific file
51 # 3. system-wide file
52 # Any configuration value is only changed the first time it is set.
53 # Thus, host-specific definitions should be at the beginning of the
54 # configuration file, and defaults at the end.
55
56 # Host-specific declarations. These may override anything above. A single
57 # host may match multiple declarations; these are processed in the order
58 # that they are given in.
59
60 Host *.ngs.fi ngs.fi
61 User foo
62
63 Host fake.com
64 HostName another.host.name.real.org
65 User blaah
66 Port 34289
67 ForwardX11 no
68 ForwardAgent no
69
70 Host books.com
71 RemoteForward 9999 shadows.cs.hut.fi:9999
72 Cipher 3des
73
74 Host fascist.blob.com
75 Port 23123
76 User tylonen
77 PasswordAuthentication no
78
79 Host puukko.hut.fi
80 User t35124p
81 ProxyCommand ssh-proxy %h %p
82
83 Host *.fr
84 PublicKeyAuthentication no
85
86 Host *.su
87 Cipher none
88 PasswordAuthentication no
89
90 Host vpn.fake.com
91 Tunnel yes
92 TunnelDevice 3
93
94 # Defaults for various options
95 Host *
96 ForwardAgent no
97 ForwardX11 no
98 PasswordAuthentication yes
99 RSAAuthentication yes
100 RhostsRSAAuthentication yes
101 StrictHostKeyChecking yes
102 TcpKeepAlive no
103 IdentityFile ~/.ssh/identity
104 Port 22
105 EscapeChar ~
106
107 */
108
109 /* Keyword tokens. */
110
111 typedef enum {
112 oBadOption,
113 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
114 oExitOnForwardFailure,
115 oPasswordAuthentication, oRSAAuthentication,
116 oChallengeResponseAuthentication, oXAuthLocation,
117 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
118 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
119 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
120 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
121 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
122 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
123 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
124 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
125 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
126 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
127 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
129 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
130 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
131 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
132 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
133 oVisualHostKey, oZeroKnowledgePasswordAuthentication,
134 oDeprecated, oUnsupported
135 } OpCodes;
136
137 /* Textual representations of the tokens. */
138
139 static struct {
140 const char *name;
141 OpCodes opcode;
142 } keywords[] = {
143 { "forwardagent", oForwardAgent },
144 { "forwardx11", oForwardX11 },
145 { "forwardx11trusted", oForwardX11Trusted },
146 { "exitonforwardfailure", oExitOnForwardFailure },
147 { "xauthlocation", oXAuthLocation },
148 { "gatewayports", oGatewayPorts },
149 { "useprivilegedport", oUsePrivilegedPort },
150 { "rhostsauthentication", oDeprecated },
151 { "passwordauthentication", oPasswordAuthentication },
152 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
153 { "kbdinteractivedevices", oKbdInteractiveDevices },
154 { "rsaauthentication", oRSAAuthentication },
155 { "pubkeyauthentication", oPubkeyAuthentication },
156 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
157 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
158 { "hostbasedauthentication", oHostbasedAuthentication },
159 { "challengeresponseauthentication", oChallengeResponseAuthentication },
160 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
161 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
162 { "kerberosauthentication", oUnsupported },
163 { "kerberostgtpassing", oUnsupported },
164 { "afstokenpassing", oUnsupported },
165 #if defined(GSSAPI)
166 { "gssapiauthentication", oGssAuthentication },
167 { "gssapidelegatecredentials", oGssDelegateCreds },
168 #else
169 { "gssapiauthentication", oUnsupported },
170 { "gssapidelegatecredentials", oUnsupported },
171 #endif
172 { "fallbacktorsh", oDeprecated },
173 { "usersh", oDeprecated },
174 { "identityfile", oIdentityFile },
175 { "identityfile2", oIdentityFile }, /* obsolete */
176 { "identitiesonly", oIdentitiesOnly },
177 { "hostname", oHostName },
178 { "hostkeyalias", oHostKeyAlias },
179 { "proxycommand", oProxyCommand },
180 { "port", oPort },
181 { "cipher", oCipher },
182 { "ciphers", oCiphers },
183 { "macs", oMacs },
184 { "protocol", oProtocol },
185 { "remoteforward", oRemoteForward },
186 { "localforward", oLocalForward },
187 { "user", oUser },
188 { "host", oHost },
189 { "escapechar", oEscapeChar },
190 { "globalknownhostsfile", oGlobalKnownHostsFile },
191 { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */
192 { "userknownhostsfile", oUserKnownHostsFile },
193 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
194 { "connectionattempts", oConnectionAttempts },
195 { "batchmode", oBatchMode },
196 { "checkhostip", oCheckHostIP },
197 { "stricthostkeychecking", oStrictHostKeyChecking },
198 { "compression", oCompression },
199 { "compressionlevel", oCompressionLevel },
200 { "tcpkeepalive", oTCPKeepAlive },
201 { "keepalive", oTCPKeepAlive }, /* obsolete */
202 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
203 { "loglevel", oLogLevel },
204 { "dynamicforward", oDynamicForward },
205 { "preferredauthentications", oPreferredAuthentications },
206 { "hostkeyalgorithms", oHostKeyAlgorithms },
207 { "bindaddress", oBindAddress },
208 #ifdef SMARTCARD
209 { "smartcarddevice", oSmartcardDevice },
210 #else
211 { "smartcarddevice", oUnsupported },
212 #endif
213 { "clearallforwardings", oClearAllForwardings },
214 { "enablesshkeysign", oEnableSSHKeysign },
215 { "verifyhostkeydns", oVerifyHostKeyDNS },
216 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
217 { "rekeylimit", oRekeyLimit },
218 { "connecttimeout", oConnectTimeout },
219 { "addressfamily", oAddressFamily },
220 { "serveraliveinterval", oServerAliveInterval },
221 { "serveralivecountmax", oServerAliveCountMax },
222 { "sendenv", oSendEnv },
223 { "controlpath", oControlPath },
224 { "controlmaster", oControlMaster },
225 { "hashknownhosts", oHashKnownHosts },
226 { "tunnel", oTunnel },
227 { "tunneldevice", oTunnelDevice },
228 { "localcommand", oLocalCommand },
229 { "permitlocalcommand", oPermitLocalCommand },
230 { "visualhostkey", oVisualHostKey },
231 #ifdef JPAKE
232 { "zeroknowledgepasswordauthentication",
233 oZeroKnowledgePasswordAuthentication },
234 #else
235 { "zeroknowledgepasswordauthentication", oUnsupported },
236 #endif
237
238 { NULL, oBadOption }
239 };
240
241 /*
242 * Adds a local TCP/IP port forward to options. Never returns if there is an
243 * error.
244 */
245
246 void
247 add_local_forward(Options *options, const Forward *newfwd)
248 {
249 Forward *fwd;
250 #ifndef NO_IPPORT_RESERVED_CONCEPT
251 extern uid_t original_real_uid;
252 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
253 fatal("Privileged ports can only be forwarded by root.");
254 #endif
255 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
256 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
257 fwd = &options->local_forwards[options->num_local_forwards++];
258
259 fwd->listen_host = newfwd->listen_host;
260 fwd->listen_port = newfwd->listen_port;
261 fwd->connect_host = newfwd->connect_host;
262 fwd->connect_port = newfwd->connect_port;
263 }
264
265 /*
266 * Adds a remote TCP/IP port forward to options. Never returns if there is
267 * an error.
268 */
269
270 void
271 add_remote_forward(Options *options, const Forward *newfwd)
272 {
273 Forward *fwd;
274 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
275 fatal("Too many remote forwards (max %d).",
276 SSH_MAX_FORWARDS_PER_DIRECTION);
277 fwd = &options->remote_forwards[options->num_remote_forwards++];
278
279 fwd->listen_host = newfwd->listen_host;
280 fwd->listen_port = newfwd->listen_port;
281 fwd->connect_host = newfwd->connect_host;
282 fwd->connect_port = newfwd->connect_port;
283 }
284
285 static void
286 clear_forwardings(Options *options)
287 {
288 int i;
289
290 for (i = 0; i < options->num_local_forwards; i++) {
291 if (options->local_forwards[i].listen_host != NULL)
292 xfree(options->local_forwards[i].listen_host);
293 xfree(options->local_forwards[i].connect_host);
294 }
295 options->num_local_forwards = 0;
296 for (i = 0; i < options->num_remote_forwards; i++) {
297 if (options->remote_forwards[i].listen_host != NULL)
298 xfree(options->remote_forwards[i].listen_host);
299 xfree(options->remote_forwards[i].connect_host);
300 }
301 options->num_remote_forwards = 0;
302 options->tun_open = SSH_TUNMODE_NO;
303 }
304
305 /*
306 * Returns the number of the token pointed to by cp or oBadOption.
307 */
308
309 static OpCodes
310 parse_token(const char *cp, const char *filename, int linenum)
311 {
312 u_int i;
313
314 for (i = 0; keywords[i].name; i++)
315 if (strcasecmp(cp, keywords[i].name) == 0)
316 return keywords[i].opcode;
317
318 error("%s: line %d: Bad configuration option: %s",
319 filename, linenum, cp);
320 return oBadOption;
321 }
322
323 /*
324 * Processes a single option line as used in the configuration files. This
325 * only sets those values that have not already been set.
326 */
327 #define WHITESPACE " \t\r\n"
328
329 int
330 process_config_line(Options *options, const char *host,
331 char *line, const char *filename, int linenum,
332 int *activep)
333 {
334 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
335 int opcode, *intptr, value, value2, scale;
336 LogLevel *log_level_ptr;
337 long long orig, val64;
338 size_t len;
339 Forward fwd;
340
341 /* Strip trailing whitespace */
342 for (len = strlen(line) - 1; len > 0; len--) {
343 if (strchr(WHITESPACE, line[len]) == NULL)
344 break;
345 line[len] = '\0';
346 }
347
348 s = line;
349 /* Get the keyword. (Each line is supposed to begin with a keyword). */
350 if ((keyword = strdelim(&s)) == NULL)
351 return 0;
352 /* Ignore leading whitespace. */
353 if (*keyword == '\0')
354 keyword = strdelim(&s);
355 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
356 return 0;
357
358 opcode = parse_token(keyword, filename, linenum);
359
360 switch (opcode) {
361 case oBadOption:
362 /* don't panic, but count bad options */
363 return -1;
364 /* NOTREACHED */
365 case oConnectTimeout:
366 intptr = &options->connection_timeout;
367 parse_time:
368 arg = strdelim(&s);
369 if (!arg || *arg == '\0')
370 fatal("%s line %d: missing time value.",
371 filename, linenum);
372 if ((value = convtime(arg)) == -1)
373 fatal("%s line %d: invalid time value.",
374 filename, linenum);
375 if (*activep && *intptr == -1)
376 *intptr = value;
377 break;
378
379 case oForwardAgent:
380 intptr = &options->forward_agent;
381 parse_flag:
382 arg = strdelim(&s);
383 if (!arg || *arg == '\0')
384 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
385 value = 0; /* To avoid compiler warning... */
386 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
387 value = 1;
388 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
389 value = 0;
390 else
391 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
392 if (*activep && *intptr == -1)
393 *intptr = value;
394 break;
395
396 case oForwardX11:
397 intptr = &options->forward_x11;
398 goto parse_flag;
399
400 case oForwardX11Trusted:
401 intptr = &options->forward_x11_trusted;
402 goto parse_flag;
403
404 case oGatewayPorts:
405 intptr = &options->gateway_ports;
406 goto parse_flag;
407
408 case oExitOnForwardFailure:
409 intptr = &options->exit_on_forward_failure;
410 goto parse_flag;
411
412 case oUsePrivilegedPort:
413 intptr = &options->use_privileged_port;
414 goto parse_flag;
415
416 case oPasswordAuthentication:
417 intptr = &options->password_authentication;
418 goto parse_flag;
419
420 case oZeroKnowledgePasswordAuthentication:
421 intptr = &options->zero_knowledge_password_authentication;
422 goto parse_flag;
423
424 case oKbdInteractiveAuthentication:
425 intptr = &options->kbd_interactive_authentication;
426 goto parse_flag;
427
428 case oKbdInteractiveDevices:
429 charptr = &options->kbd_interactive_devices;
430 goto parse_string;
431
432 case oPubkeyAuthentication:
433 intptr = &options->pubkey_authentication;
434 goto parse_flag;
435
436 case oRSAAuthentication:
437 intptr = &options->rsa_authentication;
438 goto parse_flag;
439
440 case oRhostsRSAAuthentication:
441 intptr = &options->rhosts_rsa_authentication;
442 goto parse_flag;
443
444 case oHostbasedAuthentication:
445 intptr = &options->hostbased_authentication;
446 goto parse_flag;
447
448 case oChallengeResponseAuthentication:
449 intptr = &options->challenge_response_authentication;
450 goto parse_flag;
451
452 case oGssAuthentication:
453 intptr = &options->gss_authentication;
454 goto parse_flag;
455
456 case oGssDelegateCreds:
457 intptr = &options->gss_deleg_creds;
458 goto parse_flag;
459
460 case oBatchMode:
461 intptr = &options->batch_mode;
462 goto parse_flag;
463
464 case oCheckHostIP:
465 intptr = &options->check_host_ip;
466 goto parse_flag;
467
468 case oVerifyHostKeyDNS:
469 intptr = &options->verify_host_key_dns;
470 goto parse_yesnoask;
471
472 case oStrictHostKeyChecking:
473 intptr = &options->strict_host_key_checking;
474 parse_yesnoask:
475 arg = strdelim(&s);
476 if (!arg || *arg == '\0')
477 fatal("%.200s line %d: Missing yes/no/ask argument.",
478 filename, linenum);
479 value = 0; /* To avoid compiler warning... */
480 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
481 value = 1;
482 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
483 value = 0;
484 else if (strcmp(arg, "ask") == 0)
485 value = 2;
486 else
487 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
488 if (*activep && *intptr == -1)
489 *intptr = value;
490 break;
491
492 case oCompression:
493 intptr = &options->compression;
494 goto parse_flag;
495
496 case oTCPKeepAlive:
497 intptr = &options->tcp_keep_alive;
498 goto parse_flag;
499
500 case oNoHostAuthenticationForLocalhost:
501 intptr = &options->no_host_authentication_for_localhost;
502 goto parse_flag;
503
504 case oNumberOfPasswordPrompts:
505 intptr = &options->number_of_password_prompts;
506 goto parse_int;
507
508 case oCompressionLevel:
509 intptr = &options->compression_level;
510 goto parse_int;
511
512 case oRekeyLimit:
513 arg = strdelim(&s);
514 if (!arg || *arg == '\0')
515 fatal("%.200s line %d: Missing argument.", filename, linenum);
516 if (arg[0] < '0' || arg[0] > '9')
517 fatal("%.200s line %d: Bad number.", filename, linenum);
518 orig = val64 = strtoll(arg, &endofnumber, 10);
519 if (arg == endofnumber)
520 fatal("%.200s line %d: Bad number.", filename, linenum);
521 switch (toupper(*endofnumber)) {
522 case '\0':
523 scale = 1;
524 break;
525 case 'K':
526 scale = 1<<10;
527 break;
528 case 'M':
529 scale = 1<<20;
530 break;
531 case 'G':
532 scale = 1<<30;
533 break;
534 default:
535 fatal("%.200s line %d: Invalid RekeyLimit suffix",
536 filename, linenum);
537 }
538 val64 *= scale;
539 /* detect integer wrap and too-large limits */
540 if ((val64 / scale) != orig || val64 > UINT_MAX)
541 fatal("%.200s line %d: RekeyLimit too large",
542 filename, linenum);
543 if (val64 < 16)
544 fatal("%.200s line %d: RekeyLimit too small",
545 filename, linenum);
546 if (*activep && options->rekey_limit == -1)
547 options->rekey_limit = (u_int32_t)val64;
548 break;
549
550 case oIdentityFile:
551 arg = strdelim(&s);
552 if (!arg || *arg == '\0')
553 fatal("%.200s line %d: Missing argument.", filename, linenum);
554 if (*activep) {
555 intptr = &options->num_identity_files;
556 if (*intptr >= SSH_MAX_IDENTITY_FILES)
557 fatal("%.200s line %d: Too many identity files specified (max %d).",
558 filename, linenum, SSH_MAX_IDENTITY_FILES);
559 charptr = &options->identity_files[*intptr];
560 *charptr = xstrdup(arg);
561 *intptr = *intptr + 1;
562 }
563 break;
564
565 case oXAuthLocation:
566 charptr=&options->xauth_location;
567 goto parse_string;
568
569 case oUser:
570 charptr = &options->user;
571 parse_string:
572 arg = strdelim(&s);
573 if (!arg || *arg == '\0')
574 fatal("%.200s line %d: Missing argument.", filename, linenum);
575 if (*activep && *charptr == NULL)
576 *charptr = xstrdup(arg);
577 break;
578
579 case oGlobalKnownHostsFile:
580 charptr = &options->system_hostfile;
581 goto parse_string;
582
583 case oUserKnownHostsFile:
584 charptr = &options->user_hostfile;
585 goto parse_string;
586
587 case oGlobalKnownHostsFile2:
588 charptr = &options->system_hostfile2;
589 goto parse_string;
590
591 case oUserKnownHostsFile2:
592 charptr = &options->user_hostfile2;
593 goto parse_string;
594
595 case oHostName:
596 charptr = &options->hostname;
597 goto parse_string;
598
599 case oHostKeyAlias:
600 charptr = &options->host_key_alias;
601 goto parse_string;
602
603 case oPreferredAuthentications:
604 charptr = &options->preferred_authentications;
605 goto parse_string;
606
607 case oBindAddress:
608 charptr = &options->bind_address;
609 goto parse_string;
610
611 case oSmartcardDevice:
612 charptr = &options->smartcard_device;
613 goto parse_string;
614
615 case oProxyCommand:
616 charptr = &options->proxy_command;
617 parse_command:
618 if (s == NULL)
619 fatal("%.200s line %d: Missing argument.", filename, linenum);
620 len = strspn(s, WHITESPACE "=");
621 if (*activep && *charptr == NULL)
622 *charptr = xstrdup(s + len);
623 return 0;
624
625 case oPort:
626 intptr = &options->port;
627 parse_int:
628 arg = strdelim(&s);
629 if (!arg || *arg == '\0')
630 fatal("%.200s line %d: Missing argument.", filename, linenum);
631 if (arg[0] < '0' || arg[0] > '9')
632 fatal("%.200s line %d: Bad number.", filename, linenum);
633
634 /* Octal, decimal, or hex format? */
635 value = strtol(arg, &endofnumber, 0);
636 if (arg == endofnumber)
637 fatal("%.200s line %d: Bad number.", filename, linenum);
638 if (*activep && *intptr == -1)
639 *intptr = value;
640 break;
641
642 case oConnectionAttempts:
643 intptr = &options->connection_attempts;
644 goto parse_int;
645
646 case oCipher:
647 intptr = &options->cipher;
648 arg = strdelim(&s);
649 if (!arg || *arg == '\0')
650 fatal("%.200s line %d: Missing argument.", filename, linenum);
651 value = cipher_number(arg);
652 if (value == -1)
653 fatal("%.200s line %d: Bad cipher '%s'.",
654 filename, linenum, arg ? arg : "<NONE>");
655 if (*activep && *intptr == -1)
656 *intptr = value;
657 break;
658
659 case oCiphers:
660 arg = strdelim(&s);
661 if (!arg || *arg == '\0')
662 fatal("%.200s line %d: Missing argument.", filename, linenum);
663 if (!ciphers_valid(arg))
664 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
665 filename, linenum, arg ? arg : "<NONE>");
666 if (*activep && options->ciphers == NULL)
667 options->ciphers = xstrdup(arg);
668 break;
669
670 case oMacs:
671 arg = strdelim(&s);
672 if (!arg || *arg == '\0')
673 fatal("%.200s line %d: Missing argument.", filename, linenum);
674 if (!mac_valid(arg))
675 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
676 filename, linenum, arg ? arg : "<NONE>");
677 if (*activep && options->macs == NULL)
678 options->macs = xstrdup(arg);
679 break;
680
681 case oHostKeyAlgorithms:
682 arg = strdelim(&s);
683 if (!arg || *arg == '\0')
684 fatal("%.200s line %d: Missing argument.", filename, linenum);
685 if (!key_names_valid2(arg))
686 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
687 filename, linenum, arg ? arg : "<NONE>");
688 if (*activep && options->hostkeyalgorithms == NULL)
689 options->hostkeyalgorithms = xstrdup(arg);
690 break;
691
692 case oProtocol:
693 intptr = &options->protocol;
694 arg = strdelim(&s);
695 if (!arg || *arg == '\0')
696 fatal("%.200s line %d: Missing argument.", filename, linenum);
697 value = proto_spec(arg);
698 if (value == SSH_PROTO_UNKNOWN)
699 fatal("%.200s line %d: Bad protocol spec '%s'.",
700 filename, linenum, arg ? arg : "<NONE>");
701 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
702 *intptr = value;
703 break;
704
705 case oLogLevel:
706 log_level_ptr = &options->log_level;
707 arg = strdelim(&s);
708 value = log_level_number(arg);
709 if (value == SYSLOG_LEVEL_NOT_SET)
710 fatal("%.200s line %d: unsupported log level '%s'",
711 filename, linenum, arg ? arg : "<NONE>");
712 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
713 *log_level_ptr = (LogLevel) value;
714 break;
715
716 case oLocalForward:
717 case oRemoteForward:
718 case oDynamicForward:
719 arg = strdelim(&s);
720 if (arg == NULL || *arg == '\0')
721 fatal("%.200s line %d: Missing port argument.",
722 filename, linenum);
723
724 if (opcode == oLocalForward ||
725 opcode == oRemoteForward) {
726 arg2 = strdelim(&s);
727 if (arg2 == NULL || *arg2 == '\0')
728 fatal("%.200s line %d: Missing target argument.",
729 filename, linenum);
730
731 /* construct a string for parse_forward */
732 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
733 } else if (opcode == oDynamicForward) {
734 strlcpy(fwdarg, arg, sizeof(fwdarg));
735 }
736
737 if (parse_forward(&fwd, fwdarg,
738 opcode == oDynamicForward ? 1 : 0,
739 opcode == oRemoteForward ? 1 : 0) == 0)
740 fatal("%.200s line %d: Bad forwarding specification.",
741 filename, linenum);
742
743 if (*activep) {
744 if (opcode == oLocalForward ||
745 opcode == oDynamicForward)
746 add_local_forward(options, &fwd);
747 else if (opcode == oRemoteForward)
748 add_remote_forward(options, &fwd);
749 }
750 break;
751
752 case oClearAllForwardings:
753 intptr = &options->clear_forwardings;
754 goto parse_flag;
755
756 case oHost:
757 *activep = 0;
758 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
759 if (match_pattern(host, arg)) {
760 debug("Applying options for %.100s", arg);
761 *activep = 1;
762 break;
763 }
764 /* Avoid garbage check below, as strdelim is done. */
765 return 0;
766
767 case oEscapeChar:
768 intptr = &options->escape_char;
769 arg = strdelim(&s);
770 if (!arg || *arg == '\0')
771 fatal("%.200s line %d: Missing argument.", filename, linenum);
772 if (arg[0] == '^' && arg[2] == 0 &&
773 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
774 value = (u_char) arg[1] & 31;
775 else if (strlen(arg) == 1)
776 value = (u_char) arg[0];
777 else if (strcmp(arg, "none") == 0)
778 value = SSH_ESCAPECHAR_NONE;
779 else {
780 fatal("%.200s line %d: Bad escape character.",
781 filename, linenum);
782 /* NOTREACHED */
783 value = 0; /* Avoid compiler warning. */
784 }
785 if (*activep && *intptr == -1)
786 *intptr = value;
787 break;
788
789 case oAddressFamily:
790 arg = strdelim(&s);
791 if (!arg || *arg == '\0')
792 fatal("%s line %d: missing address family.",
793 filename, linenum);
794 intptr = &options->address_family;
795 if (strcasecmp(arg, "inet") == 0)
796 value = AF_INET;
797 else if (strcasecmp(arg, "inet6") == 0)
798 value = AF_INET6;
799 else if (strcasecmp(arg, "any") == 0)
800 value = AF_UNSPEC;
801 else
802 fatal("Unsupported AddressFamily \"%s\"", arg);
803 if (*activep && *intptr == -1)
804 *intptr = value;
805 break;
806
807 case oEnableSSHKeysign:
808 intptr = &options->enable_ssh_keysign;
809 goto parse_flag;
810
811 case oIdentitiesOnly:
812 intptr = &options->identities_only;
813 goto parse_flag;
814
815 case oServerAliveInterval:
816 intptr = &options->server_alive_interval;
817 goto parse_time;
818
819 case oServerAliveCountMax:
820 intptr = &options->server_alive_count_max;
821 goto parse_int;
822
823 case oSendEnv:
824 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
825 if (strchr(arg, '=') != NULL)
826 fatal("%s line %d: Invalid environment name.",
827 filename, linenum);
828 if (!*activep)
829 continue;
830 if (options->num_send_env >= MAX_SEND_ENV)
831 fatal("%s line %d: too many send env.",
832 filename, linenum);
833 options->send_env[options->num_send_env++] =
834 xstrdup(arg);
835 }
836 break;
837
838 case oControlPath:
839 charptr = &options->control_path;
840 goto parse_string;
841
842 case oControlMaster:
843 intptr = &options->control_master;
844 arg = strdelim(&s);
845 if (!arg || *arg == '\0')
846 fatal("%.200s line %d: Missing ControlMaster argument.",
847 filename, linenum);
848 value = 0; /* To avoid compiler warning... */
849 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
850 value = SSHCTL_MASTER_YES;
851 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
852 value = SSHCTL_MASTER_NO;
853 else if (strcmp(arg, "auto") == 0)
854 value = SSHCTL_MASTER_AUTO;
855 else if (strcmp(arg, "ask") == 0)
856 value = SSHCTL_MASTER_ASK;
857 else if (strcmp(arg, "autoask") == 0)
858 value = SSHCTL_MASTER_AUTO_ASK;
859 else
860 fatal("%.200s line %d: Bad ControlMaster argument.",
861 filename, linenum);
862 if (*activep && *intptr == -1)
863 *intptr = value;
864 break;
865
866 case oHashKnownHosts:
867 intptr = &options->hash_known_hosts;
868 goto parse_flag;
869
870 case oTunnel:
871 intptr = &options->tun_open;
872 arg = strdelim(&s);
873 if (!arg || *arg == '\0')
874 fatal("%s line %d: Missing yes/point-to-point/"
875 "ethernet/no argument.", filename, linenum);
876 value = 0; /* silence compiler */
877 if (strcasecmp(arg, "ethernet") == 0)
878 value = SSH_TUNMODE_ETHERNET;
879 else if (strcasecmp(arg, "point-to-point") == 0)
880 value = SSH_TUNMODE_POINTOPOINT;
881 else if (strcasecmp(arg, "yes") == 0)
882 value = SSH_TUNMODE_DEFAULT;
883 else if (strcasecmp(arg, "no") == 0)
884 value = SSH_TUNMODE_NO;
885 else
886 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
887 "no argument: %s", filename, linenum, arg);
888 if (*activep)
889 *intptr = value;
890 break;
891
892 case oTunnelDevice:
893 arg = strdelim(&s);
894 if (!arg || *arg == '\0')
895 fatal("%.200s line %d: Missing argument.", filename, linenum);
896 value = a2tun(arg, &value2);
897 if (value == SSH_TUNID_ERR)
898 fatal("%.200s line %d: Bad tun device.", filename, linenum);
899 if (*activep) {
900 options->tun_local = value;
901 options->tun_remote = value2;
902 }
903 break;
904
905 case oLocalCommand:
906 charptr = &options->local_command;
907 goto parse_command;
908
909 case oPermitLocalCommand:
910 intptr = &options->permit_local_command;
911 goto parse_flag;
912
913 case oVisualHostKey:
914 intptr = &options->visual_host_key;
915 goto parse_flag;
916
917 case oDeprecated:
918 debug("%s line %d: Deprecated option \"%s\"",
919 filename, linenum, keyword);
920 return 0;
921
922 case oUnsupported:
923 error("%s line %d: Unsupported option \"%s\"",
924 filename, linenum, keyword);
925 return 0;
926
927 default:
928 fatal("process_config_line: Unimplemented opcode %d", opcode);
929 }
930
931 /* Check that there is no garbage at end of line. */
932 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
933 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
934 filename, linenum, arg);
935 }
936 return 0;
937 }
938
939
940 /*
941 * Reads the config file and modifies the options accordingly. Options
942 * should already be initialized before this call. This never returns if
943 * there is an error. If the file does not exist, this returns 0.
944 */
945
946 int
947 read_config_file(const char *filename, const char *host, Options *options,
948 int checkperm)
949 {
950 FILE *f;
951 char line[1024];
952 int active, linenum;
953 int bad_options = 0;
954
955 if ((f = fopen(filename, "r")) == NULL)
956 return 0;
957
958 if (checkperm) {
959 struct stat sb;
960
961 if (fstat(fileno(f), &sb) == -1)
962 fatal("fstat %s: %s", filename, strerror(errno));
963 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
964 (sb.st_mode & 022) != 0))
965 fatal("Bad owner or permissions on %s", filename);
966 }
967
968 debug("Reading configuration data %.200s", filename);
969
970 /*
971 * Mark that we are now processing the options. This flag is turned
972 * on/off by Host specifications.
973 */
974 active = 1;
975 linenum = 0;
976 while (fgets(line, sizeof(line), f)) {
977 /* Update line number counter. */
978 linenum++;
979 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
980 bad_options++;
981 }
982 fclose(f);
983 if (bad_options > 0)
984 fatal("%s: terminating, %d bad configuration options",
985 filename, bad_options);
986 return 1;
987 }
988
989 /*
990 * Initializes options to special values that indicate that they have not yet
991 * been set. Read_config_file will only set options with this value. Options
992 * are processed in the following order: command line, user config file,
993 * system config file. Last, fill_default_options is called.
994 */
995
996 void
997 initialize_options(Options * options)
998 {
999 memset(options, 'X', sizeof(*options));
1000 options->forward_agent = -1;
1001 options->forward_x11 = -1;
1002 options->forward_x11_trusted = -1;
1003 options->exit_on_forward_failure = -1;
1004 options->xauth_location = NULL;
1005 options->gateway_ports = -1;
1006 options->use_privileged_port = -1;
1007 options->rsa_authentication = -1;
1008 options->pubkey_authentication = -1;
1009 options->challenge_response_authentication = -1;
1010 options->gss_authentication = -1;
1011 options->gss_deleg_creds = -1;
1012 options->password_authentication = -1;
1013 options->kbd_interactive_authentication = -1;
1014 options->kbd_interactive_devices = NULL;
1015 options->rhosts_rsa_authentication = -1;
1016 options->hostbased_authentication = -1;
1017 options->batch_mode = -1;
1018 options->check_host_ip = -1;
1019 options->strict_host_key_checking = -1;
1020 options->compression = -1;
1021 options->tcp_keep_alive = -1;
1022 options->compression_level = -1;
1023 options->port = -1;
1024 options->address_family = -1;
1025 options->connection_attempts = -1;
1026 options->connection_timeout = -1;
1027 options->number_of_password_prompts = -1;
1028 options->cipher = -1;
1029 options->ciphers = NULL;
1030 options->macs = NULL;
1031 options->hostkeyalgorithms = NULL;
1032 options->protocol = SSH_PROTO_UNKNOWN;
1033 options->num_identity_files = 0;
1034 options->hostname = NULL;
1035 options->host_key_alias = NULL;
1036 options->proxy_command = NULL;
1037 options->user = NULL;
1038 options->escape_char = -1;
1039 options->system_hostfile = NULL;
1040 options->user_hostfile = NULL;
1041 options->system_hostfile2 = NULL;
1042 options->user_hostfile2 = NULL;
1043 options->num_local_forwards = 0;
1044 options->num_remote_forwards = 0;
1045 options->clear_forwardings = -1;
1046 options->log_level = SYSLOG_LEVEL_NOT_SET;
1047 options->preferred_authentications = NULL;
1048 options->bind_address = NULL;
1049 options->smartcard_device = NULL;
1050 options->enable_ssh_keysign = - 1;
1051 options->no_host_authentication_for_localhost = - 1;
1052 options->identities_only = - 1;
1053 options->rekey_limit = - 1;
1054 options->verify_host_key_dns = -1;
1055 options->server_alive_interval = -1;
1056 options->server_alive_count_max = -1;
1057 options->num_send_env = 0;
1058 options->control_path = NULL;
1059 options->control_master = -1;
1060 options->hash_known_hosts = -1;
1061 options->tun_open = -1;
1062 options->tun_local = -1;
1063 options->tun_remote = -1;
1064 options->local_command = NULL;
1065 options->permit_local_command = -1;
1066 options->visual_host_key = -1;
1067 options->zero_knowledge_password_authentication = -1;
1068 }
1069
1070 /*
1071 * Called after processing other sources of option data, this fills those
1072 * options for which no value has been specified with their default values.
1073 */
1074
1075 void
1076 fill_default_options(Options * options)
1077 {
1078 int len;
1079
1080 if (options->forward_agent == -1)
1081 options->forward_agent = 0;
1082 if (options->forward_x11 == -1)
1083 options->forward_x11 = 0;
1084 if (options->forward_x11_trusted == -1)
1085 options->forward_x11_trusted = 0;
1086 if (options->exit_on_forward_failure == -1)
1087 options->exit_on_forward_failure = 0;
1088 if (options->xauth_location == NULL)
1089 options->xauth_location = _PATH_XAUTH;
1090 if (options->gateway_ports == -1)
1091 options->gateway_ports = 0;
1092 if (options->use_privileged_port == -1)
1093 options->use_privileged_port = 0;
1094 if (options->rsa_authentication == -1)
1095 options->rsa_authentication = 1;
1096 if (options->pubkey_authentication == -1)
1097 options->pubkey_authentication = 1;
1098 if (options->challenge_response_authentication == -1)
1099 options->challenge_response_authentication = 1;
1100 if (options->gss_authentication == -1)
1101 options->gss_authentication = 0;
1102 if (options->gss_deleg_creds == -1)
1103 options->gss_deleg_creds = 0;
1104 if (options->password_authentication == -1)
1105 options->password_authentication = 1;
1106 if (options->kbd_interactive_authentication == -1)
1107 options->kbd_interactive_authentication = 1;
1108 if (options->rhosts_rsa_authentication == -1)
1109 options->rhosts_rsa_authentication = 0;
1110 if (options->hostbased_authentication == -1)
1111 options->hostbased_authentication = 0;
1112 if (options->batch_mode == -1)
1113 options->batch_mode = 0;
1114 if (options->check_host_ip == -1)
1115 options->check_host_ip = 1;
1116 if (options->strict_host_key_checking == -1)
1117 options->strict_host_key_checking = 2; /* 2 is default */
1118 if (options->compression == -1)
1119 options->compression = 0;
1120 if (options->tcp_keep_alive == -1)
1121 options->tcp_keep_alive = 1;
1122 if (options->compression_level == -1)
1123 options->compression_level = 6;
1124 if (options->port == -1)
1125 options->port = 0; /* Filled in ssh_connect. */
1126 if (options->address_family == -1)
1127 options->address_family = AF_UNSPEC;
1128 if (options->connection_attempts == -1)
1129 options->connection_attempts = 1;
1130 if (options->number_of_password_prompts == -1)
1131 options->number_of_password_prompts = 3;
1132 /* Selected in ssh_login(). */
1133 if (options->cipher == -1)
1134 options->cipher = SSH_CIPHER_NOT_SET;
1135 /* options->ciphers, default set in myproposals.h */
1136 /* options->macs, default set in myproposals.h */
1137 /* options->hostkeyalgorithms, default set in myproposals.h */
1138 if (options->protocol == SSH_PROTO_UNKNOWN)
1139 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
1140 if (options->num_identity_files == 0) {
1141 if (options->protocol & SSH_PROTO_1) {
1142 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1143 options->identity_files[options->num_identity_files] =
1144 xmalloc(len);
1145 snprintf(options->identity_files[options->num_identity_files++],
1146 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1147 }
1148 if (options->protocol & SSH_PROTO_2) {
1149 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1150 options->identity_files[options->num_identity_files] =
1151 xmalloc(len);
1152 snprintf(options->identity_files[options->num_identity_files++],
1153 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1154
1155 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1156 options->identity_files[options->num_identity_files] =
1157 xmalloc(len);
1158 snprintf(options->identity_files[options->num_identity_files++],
1159 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1160 }
1161 }
1162 if (options->escape_char == -1)
1163 options->escape_char = '~';
1164 if (options->system_hostfile == NULL)
1165 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1166 if (options->user_hostfile == NULL)
1167 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1168 if (options->system_hostfile2 == NULL)
1169 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1170 if (options->user_hostfile2 == NULL)
1171 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1172 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1173 options->log_level = SYSLOG_LEVEL_INFO;
1174 if (options->clear_forwardings == 1)
1175 clear_forwardings(options);
1176 if (options->no_host_authentication_for_localhost == - 1)
1177 options->no_host_authentication_for_localhost = 0;
1178 if (options->identities_only == -1)
1179 options->identities_only = 0;
1180 if (options->enable_ssh_keysign == -1)
1181 options->enable_ssh_keysign = 0;
1182 if (options->rekey_limit == -1)
1183 options->rekey_limit = 0;
1184 if (options->verify_host_key_dns == -1)
1185 options->verify_host_key_dns = 0;
1186 if (options->server_alive_interval == -1)
1187 options->server_alive_interval = 0;
1188 if (options->server_alive_count_max == -1)
1189 options->server_alive_count_max = 3;
1190 if (options->control_master == -1)
1191 options->control_master = 0;
1192 if (options->hash_known_hosts == -1)
1193 options->hash_known_hosts = 0;
1194 if (options->tun_open == -1)
1195 options->tun_open = SSH_TUNMODE_NO;
1196 if (options->tun_local == -1)
1197 options->tun_local = SSH_TUNID_ANY;
1198 if (options->tun_remote == -1)
1199 options->tun_remote = SSH_TUNID_ANY;
1200 if (options->permit_local_command == -1)
1201 options->permit_local_command = 0;
1202 if (options->visual_host_key == -1)
1203 options->visual_host_key = 0;
1204 if (options->zero_knowledge_password_authentication == -1)
1205 options->zero_knowledge_password_authentication = 0;
1206 /* options->local_command should not be set by default */
1207 /* options->proxy_command should not be set by default */
1208 /* options->user will be set in the main program if appropriate */
1209 /* options->hostname will be set in the main program if appropriate */
1210 /* options->host_key_alias should not be set by default */
1211 /* options->preferred_authentications will be set in ssh */
1212 }
1213
1214 /*
1215 * parse_forward
1216 * parses a string containing a port forwarding specification of the form:
1217 * dynamicfwd == 0
1218 * [listenhost:]listenport:connecthost:connectport
1219 * dynamicfwd == 1
1220 * [listenhost:]listenport
1221 * returns number of arguments parsed or zero on error
1222 */
1223 int
1224 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1225 {
1226 int i;
1227 char *p, *cp, *fwdarg[4];
1228
1229 memset(fwd, '\0', sizeof(*fwd));
1230
1231 cp = p = xstrdup(fwdspec);
1232
1233 /* skip leading spaces */
1234 while (isspace(*cp))
1235 cp++;
1236
1237 for (i = 0; i < 4; ++i)
1238 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1239 break;
1240
1241 /* Check for trailing garbage */
1242 if (cp != NULL)
1243 i = 0; /* failure */
1244
1245 switch (i) {
1246 case 1:
1247 fwd->listen_host = NULL;
1248 fwd->listen_port = a2port(fwdarg[0]);
1249 fwd->connect_host = xstrdup("socks");
1250 break;
1251
1252 case 2:
1253 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1254 fwd->listen_port = a2port(fwdarg[1]);
1255 fwd->connect_host = xstrdup("socks");
1256 break;
1257
1258 case 3:
1259 fwd->listen_host = NULL;
1260 fwd->listen_port = a2port(fwdarg[0]);
1261 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1262 fwd->connect_port = a2port(fwdarg[2]);
1263 break;
1264
1265 case 4:
1266 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1267 fwd->listen_port = a2port(fwdarg[1]);
1268 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1269 fwd->connect_port = a2port(fwdarg[3]);
1270 break;
1271 default:
1272 i = 0; /* failure */
1273 }
1274
1275 xfree(p);
1276
1277 if (dynamicfwd) {
1278 if (!(i == 1 || i == 2))
1279 goto fail_free;
1280 } else {
1281 if (!(i == 3 || i == 4))
1282 goto fail_free;
1283 if (fwd->connect_port <= 0)
1284 goto fail_free;
1285 }
1286
1287 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
1288 goto fail_free;
1289
1290 if (fwd->connect_host != NULL &&
1291 strlen(fwd->connect_host) >= NI_MAXHOST)
1292 goto fail_free;
1293 if (fwd->listen_host != NULL &&
1294 strlen(fwd->listen_host) >= NI_MAXHOST)
1295 goto fail_free;
1296
1297
1298 return (i);
1299
1300 fail_free:
1301 if (fwd->connect_host != NULL) {
1302 xfree(fwd->connect_host);
1303 fwd->connect_host = NULL;
1304 }
1305 if (fwd->listen_host != NULL) {
1306 xfree(fwd->listen_host);
1307 fwd->listen_host = NULL;
1308 }
1309 return (0);
1310 }
A clone of openssh git repository