1 /* $OpenBSD: servconf.c,v 1.212 2010/09/30 11:04:51 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
28 #include "openbsd-compat/sys-queue.h"
35 #include "pathnames.h"
43 #include "groupaccess.h"
45 static void add_listen_addr(ServerOptions
*, char *, int);
46 static void add_one_listen_addr(ServerOptions
*, char *, int);
48 /* Use of privilege separation or not */
49 extern int use_privsep
;
52 /* Initializes the server options to their default values. */
55 initialize_server_options(ServerOptions
*options
)
57 memset(options
, 0, sizeof(*options
));
59 /* Portable-specific options */
60 options
->use_pam
= -1;
62 /* Standard Options */
63 options
->num_ports
= 0;
64 options
->ports_from_cmdline
= 0;
65 options
->listen_addrs
= NULL
;
66 options
->address_family
= -1;
67 options
->num_host_key_files
= 0;
68 options
->num_host_cert_files
= 0;
69 options
->pid_file
= NULL
;
70 options
->server_key_bits
= -1;
71 options
->login_grace_time
= -1;
72 options
->key_regeneration_time
= -1;
73 options
->permit_root_login
= PERMIT_NOT_SET
;
74 options
->ignore_rhosts
= -1;
75 options
->ignore_user_known_hosts
= -1;
76 options
->print_motd
= -1;
77 options
->print_lastlog
= -1;
78 options
->x11_forwarding
= -1;
79 options
->x11_display_offset
= -1;
80 options
->x11_use_localhost
= -1;
81 options
->xauth_location
= NULL
;
82 options
->strict_modes
= -1;
83 options
->tcp_keep_alive
= -1;
84 options
->log_facility
= SYSLOG_FACILITY_NOT_SET
;
85 options
->log_level
= SYSLOG_LEVEL_NOT_SET
;
86 options
->rhosts_rsa_authentication
= -1;
87 options
->hostbased_authentication
= -1;
88 options
->hostbased_uses_name_from_packet_only
= -1;
89 options
->rsa_authentication
= -1;
90 options
->pubkey_authentication
= -1;
91 options
->kerberos_authentication
= -1;
92 options
->kerberos_or_local_passwd
= -1;
93 options
->kerberos_ticket_cleanup
= -1;
94 options
->kerberos_get_afs_token
= -1;
95 options
->gss_authentication
=-1;
96 options
->gss_cleanup_creds
= -1;
97 options
->password_authentication
= -1;
98 options
->kbd_interactive_authentication
= -1;
99 options
->challenge_response_authentication
= -1;
100 options
->permit_empty_passwd
= -1;
101 options
->permit_user_env
= -1;
102 options
->use_login
= -1;
103 options
->compression
= -1;
104 options
->allow_tcp_forwarding
= -1;
105 options
->allow_agent_forwarding
= -1;
106 options
->num_allow_users
= 0;
107 options
->num_deny_users
= 0;
108 options
->num_allow_groups
= 0;
109 options
->num_deny_groups
= 0;
110 options
->ciphers
= NULL
;
111 options
->macs
= NULL
;
112 options
->kex_algorithms
= NULL
;
113 options
->protocol
= SSH_PROTO_UNKNOWN
;
114 options
->gateway_ports
= -1;
115 options
->num_subsystems
= 0;
116 options
->max_startups_begin
= -1;
117 options
->max_startups_rate
= -1;
118 options
->max_startups
= -1;
119 options
->max_authtries
= -1;
120 options
->max_sessions
= -1;
121 options
->banner
= NULL
;
122 options
->use_dns
= -1;
123 options
->client_alive_interval
= -1;
124 options
->client_alive_count_max
= -1;
125 options
->authorized_keys_file
= NULL
;
126 options
->authorized_keys_file2
= NULL
;
127 options
->num_accept_env
= 0;
128 options
->permit_tun
= -1;
129 options
->num_permitted_opens
= -1;
130 options
->adm_forced_command
= NULL
;
131 options
->chroot_directory
= NULL
;
132 options
->zero_knowledge_password_authentication
= -1;
133 options
->revoked_keys_file
= NULL
;
134 options
->trusted_user_ca_keys
= NULL
;
135 options
->authorized_principals_file
= NULL
;
139 fill_default_server_options(ServerOptions
*options
)
141 /* Portable-specific options */
142 if (options
->use_pam
== -1)
143 options
->use_pam
= 0;
145 /* Standard Options */
146 if (options
->protocol
== SSH_PROTO_UNKNOWN
)
147 options
->protocol
= SSH_PROTO_2
;
148 if (options
->num_host_key_files
== 0) {
149 /* fill default hostkeys for protocols */
150 if (options
->protocol
& SSH_PROTO_1
)
151 options
->host_key_files
[options
->num_host_key_files
++] =
153 if (options
->protocol
& SSH_PROTO_2
) {
154 options
->host_key_files
[options
->num_host_key_files
++] =
155 _PATH_HOST_RSA_KEY_FILE
;
156 options
->host_key_files
[options
->num_host_key_files
++] =
157 _PATH_HOST_DSA_KEY_FILE
;
158 options
->host_key_files
[options
->num_host_key_files
++] =
159 _PATH_HOST_ECDSA_KEY_FILE
;
162 /* No certificates by default */
163 if (options
->num_ports
== 0)
164 options
->ports
[options
->num_ports
++] = SSH_DEFAULT_PORT
;
165 if (options
->listen_addrs
== NULL
)
166 add_listen_addr(options
, NULL
, 0);
167 if (options
->pid_file
== NULL
)
168 options
->pid_file
= _PATH_SSH_DAEMON_PID_FILE
;
169 if (options
->server_key_bits
== -1)
170 options
->server_key_bits
= 1024;
171 if (options
->login_grace_time
== -1)
172 options
->login_grace_time
= 120;
173 if (options
->key_regeneration_time
== -1)
174 options
->key_regeneration_time
= 3600;
175 if (options
->permit_root_login
== PERMIT_NOT_SET
)
176 options
->permit_root_login
= PERMIT_YES
;
177 if (options
->ignore_rhosts
== -1)
178 options
->ignore_rhosts
= 1;
179 if (options
->ignore_user_known_hosts
== -1)
180 options
->ignore_user_known_hosts
= 0;
181 if (options
->print_motd
== -1)
182 options
->print_motd
= 1;
183 if (options
->print_lastlog
== -1)
184 options
->print_lastlog
= 1;
185 if (options
->x11_forwarding
== -1)
186 options
->x11_forwarding
= 0;
187 if (options
->x11_display_offset
== -1)
188 options
->x11_display_offset
= 10;
189 if (options
->x11_use_localhost
== -1)
190 options
->x11_use_localhost
= 1;
191 if (options
->xauth_location
== NULL
)
192 options
->xauth_location
= _PATH_XAUTH
;
193 if (options
->strict_modes
== -1)
194 options
->strict_modes
= 1;
195 if (options
->tcp_keep_alive
== -1)
196 options
->tcp_keep_alive
= 1;
197 if (options
->log_facility
== SYSLOG_FACILITY_NOT_SET
)
198 options
->log_facility
= SYSLOG_FACILITY_AUTH
;
199 if (options
->log_level
== SYSLOG_LEVEL_NOT_SET
)
200 options
->log_level
= SYSLOG_LEVEL_INFO
;
201 if (options
->rhosts_rsa_authentication
== -1)
202 options
->rhosts_rsa_authentication
= 0;
203 if (options
->hostbased_authentication
== -1)
204 options
->hostbased_authentication
= 0;
205 if (options
->hostbased_uses_name_from_packet_only
== -1)
206 options
->hostbased_uses_name_from_packet_only
= 0;
207 if (options
->rsa_authentication
== -1)
208 options
->rsa_authentication
= 1;
209 if (options
->pubkey_authentication
== -1)
210 options
->pubkey_authentication
= 1;
211 if (options
->kerberos_authentication
== -1)
212 options
->kerberos_authentication
= 0;
213 if (options
->kerberos_or_local_passwd
== -1)
214 options
->kerberos_or_local_passwd
= 1;
215 if (options
->kerberos_ticket_cleanup
== -1)
216 options
->kerberos_ticket_cleanup
= 1;
217 if (options
->kerberos_get_afs_token
== -1)
218 options
->kerberos_get_afs_token
= 0;
219 if (options
->gss_authentication
== -1)
220 options
->gss_authentication
= 0;
221 if (options
->gss_cleanup_creds
== -1)
222 options
->gss_cleanup_creds
= 1;
223 if (options
->password_authentication
== -1)
224 options
->password_authentication
= 1;
225 if (options
->kbd_interactive_authentication
== -1)
226 options
->kbd_interactive_authentication
= 0;
227 if (options
->challenge_response_authentication
== -1)
228 options
->challenge_response_authentication
= 1;
229 if (options
->permit_empty_passwd
== -1)
230 options
->permit_empty_passwd
= 0;
231 if (options
->permit_user_env
== -1)
232 options
->permit_user_env
= 0;
233 if (options
->use_login
== -1)
234 options
->use_login
= 0;
235 if (options
->compression
== -1)
236 options
->compression
= COMP_DELAYED
;
237 if (options
->allow_tcp_forwarding
== -1)
238 options
->allow_tcp_forwarding
= 1;
239 if (options
->allow_agent_forwarding
== -1)
240 options
->allow_agent_forwarding
= 1;
241 if (options
->gateway_ports
== -1)
242 options
->gateway_ports
= 0;
243 if (options
->max_startups
== -1)
244 options
->max_startups
= 10;
245 if (options
->max_startups_rate
== -1)
246 options
->max_startups_rate
= 100; /* 100% */
247 if (options
->max_startups_begin
== -1)
248 options
->max_startups_begin
= options
->max_startups
;
249 if (options
->max_authtries
== -1)
250 options
->max_authtries
= DEFAULT_AUTH_FAIL_MAX
;
251 if (options
->max_sessions
== -1)
252 options
->max_sessions
= DEFAULT_SESSIONS_MAX
;
253 if (options
->use_dns
== -1)
254 options
->use_dns
= 1;
255 if (options
->client_alive_interval
== -1)
256 options
->client_alive_interval
= 0;
257 if (options
->client_alive_count_max
== -1)
258 options
->client_alive_count_max
= 3;
259 if (options
->authorized_keys_file2
== NULL
) {
260 /* authorized_keys_file2 falls back to authorized_keys_file */
261 if (options
->authorized_keys_file
!= NULL
)
262 options
->authorized_keys_file2
= xstrdup(options
->authorized_keys_file
);
264 options
->authorized_keys_file2
= xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2
);
266 if (options
->authorized_keys_file
== NULL
)
267 options
->authorized_keys_file
= xstrdup(_PATH_SSH_USER_PERMITTED_KEYS
);
268 if (options
->permit_tun
== -1)
269 options
->permit_tun
= SSH_TUNMODE_NO
;
270 if (options
->zero_knowledge_password_authentication
== -1)
271 options
->zero_knowledge_password_authentication
= 0;
273 /* Turn privilege separation on by default */
274 if (use_privsep
== -1)
278 if (use_privsep
&& options
->compression
== 1) {
279 error("This platform does not support both privilege "
280 "separation and compression");
281 error("Compression disabled");
282 options
->compression
= 0;
288 /* Keyword tokens. */
290 sBadOption
, /* == unknown option */
291 /* Portable-specific options */
293 /* Standard Options */
294 sPort
, sHostKeyFile
, sServerKeyBits
, sLoginGraceTime
, sKeyRegenerationTime
,
295 sPermitRootLogin
, sLogFacility
, sLogLevel
,
296 sRhostsRSAAuthentication
, sRSAAuthentication
,
297 sKerberosAuthentication
, sKerberosOrLocalPasswd
, sKerberosTicketCleanup
,
298 sKerberosGetAFSToken
,
299 sKerberosTgtPassing
, sChallengeResponseAuthentication
,
300 sPasswordAuthentication
, sKbdInteractiveAuthentication
,
301 sListenAddress
, sAddressFamily
,
302 sPrintMotd
, sPrintLastLog
, sIgnoreRhosts
,
303 sX11Forwarding
, sX11DisplayOffset
, sX11UseLocalhost
,
304 sStrictModes
, sEmptyPasswd
, sTCPKeepAlive
,
305 sPermitUserEnvironment
, sUseLogin
, sAllowTcpForwarding
, sCompression
,
306 sAllowUsers
, sDenyUsers
, sAllowGroups
, sDenyGroups
,
307 sIgnoreUserKnownHosts
, sCiphers
, sMacs
, sProtocol
, sPidFile
,
308 sGatewayPorts
, sPubkeyAuthentication
, sXAuthLocation
, sSubsystem
,
309 sMaxStartups
, sMaxAuthTries
, sMaxSessions
,
310 sBanner
, sUseDNS
, sHostbasedAuthentication
,
311 sHostbasedUsesNameFromPacketOnly
, sClientAliveInterval
,
312 sClientAliveCountMax
, sAuthorizedKeysFile
, sAuthorizedKeysFile2
,
313 sGssAuthentication
, sGssCleanupCreds
, sAcceptEnv
, sPermitTunnel
,
314 sMatch
, sPermitOpen
, sForceCommand
, sChrootDirectory
,
315 sUsePrivilegeSeparation
, sAllowAgentForwarding
,
316 sZeroKnowledgePasswordAuthentication
, sHostCertificate
,
317 sRevokedKeys
, sTrustedUserCAKeys
, sAuthorizedPrincipalsFile
,
319 sDeprecated
, sUnsupported
322 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
323 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
324 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
326 /* Textual representation of the tokens. */
329 ServerOpCodes opcode
;
332 /* Portable-specific options */
334 { "usepam", sUsePAM
, SSHCFG_GLOBAL
},
336 { "usepam", sUnsupported
, SSHCFG_GLOBAL
},
338 { "pamauthenticationviakbdint", sDeprecated
, SSHCFG_GLOBAL
},
339 /* Standard Options */
340 { "port", sPort
, SSHCFG_GLOBAL
},
341 { "hostkey", sHostKeyFile
, SSHCFG_GLOBAL
},
342 { "hostdsakey", sHostKeyFile
, SSHCFG_GLOBAL
}, /* alias */
343 { "pidfile", sPidFile
, SSHCFG_GLOBAL
},
344 { "serverkeybits", sServerKeyBits
, SSHCFG_GLOBAL
},
345 { "logingracetime", sLoginGraceTime
, SSHCFG_GLOBAL
},
346 { "keyregenerationinterval", sKeyRegenerationTime
, SSHCFG_GLOBAL
},
347 { "permitrootlogin", sPermitRootLogin
, SSHCFG_ALL
},
348 { "syslogfacility", sLogFacility
, SSHCFG_GLOBAL
},
349 { "loglevel", sLogLevel
, SSHCFG_GLOBAL
},
350 { "rhostsauthentication", sDeprecated
, SSHCFG_GLOBAL
},
351 { "rhostsrsaauthentication", sRhostsRSAAuthentication
, SSHCFG_ALL
},
352 { "hostbasedauthentication", sHostbasedAuthentication
, SSHCFG_ALL
},
353 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly
, SSHCFG_ALL
},
354 { "rsaauthentication", sRSAAuthentication
, SSHCFG_ALL
},
355 { "pubkeyauthentication", sPubkeyAuthentication
, SSHCFG_ALL
},
356 { "dsaauthentication", sPubkeyAuthentication
, SSHCFG_GLOBAL
}, /* alias */
358 { "kerberosauthentication", sKerberosAuthentication
, SSHCFG_ALL
},
359 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd
, SSHCFG_GLOBAL
},
360 { "kerberosticketcleanup", sKerberosTicketCleanup
, SSHCFG_GLOBAL
},
362 { "kerberosgetafstoken", sKerberosGetAFSToken
, SSHCFG_GLOBAL
},
364 { "kerberosgetafstoken", sUnsupported
, SSHCFG_GLOBAL
},
367 { "kerberosauthentication", sUnsupported
, SSHCFG_ALL
},
368 { "kerberosorlocalpasswd", sUnsupported
, SSHCFG_GLOBAL
},
369 { "kerberosticketcleanup", sUnsupported
, SSHCFG_GLOBAL
},
370 { "kerberosgetafstoken", sUnsupported
, SSHCFG_GLOBAL
},
372 { "kerberostgtpassing", sUnsupported
, SSHCFG_GLOBAL
},
373 { "afstokenpassing", sUnsupported
, SSHCFG_GLOBAL
},
375 { "gssapiauthentication", sGssAuthentication
, SSHCFG_ALL
},
376 { "gssapicleanupcredentials", sGssCleanupCreds
, SSHCFG_GLOBAL
},
378 { "gssapiauthentication", sUnsupported
, SSHCFG_ALL
},
379 { "gssapicleanupcredentials", sUnsupported
, SSHCFG_GLOBAL
},
381 { "passwordauthentication", sPasswordAuthentication
, SSHCFG_ALL
},
382 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication
, SSHCFG_ALL
},
383 { "challengeresponseauthentication", sChallengeResponseAuthentication
, SSHCFG_GLOBAL
},
384 { "skeyauthentication", sChallengeResponseAuthentication
, SSHCFG_GLOBAL
}, /* alias */
386 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication
, SSHCFG_ALL
},
388 { "zeroknowledgepasswordauthentication", sUnsupported
, SSHCFG_ALL
},
390 { "checkmail", sDeprecated
, SSHCFG_GLOBAL
},
391 { "listenaddress", sListenAddress
, SSHCFG_GLOBAL
},
392 { "addressfamily", sAddressFamily
, SSHCFG_GLOBAL
},
393 { "printmotd", sPrintMotd
, SSHCFG_GLOBAL
},
394 { "printlastlog", sPrintLastLog
, SSHCFG_GLOBAL
},
395 { "ignorerhosts", sIgnoreRhosts
, SSHCFG_GLOBAL
},
396 { "ignoreuserknownhosts", sIgnoreUserKnownHosts
, SSHCFG_GLOBAL
},
397 { "x11forwarding", sX11Forwarding
, SSHCFG_ALL
},
398 { "x11displayoffset", sX11DisplayOffset
, SSHCFG_ALL
},
399 { "x11uselocalhost", sX11UseLocalhost
, SSHCFG_ALL
},
400 { "xauthlocation", sXAuthLocation
, SSHCFG_GLOBAL
},
401 { "strictmodes", sStrictModes
, SSHCFG_GLOBAL
},
402 { "permitemptypasswords", sEmptyPasswd
, SSHCFG_ALL
},
403 { "permituserenvironment", sPermitUserEnvironment
, SSHCFG_GLOBAL
},
404 { "uselogin", sUseLogin
, SSHCFG_GLOBAL
},
405 { "compression", sCompression
, SSHCFG_GLOBAL
},
406 { "tcpkeepalive", sTCPKeepAlive
, SSHCFG_GLOBAL
},
407 { "keepalive", sTCPKeepAlive
, SSHCFG_GLOBAL
}, /* obsolete alias */
408 { "allowtcpforwarding", sAllowTcpForwarding
, SSHCFG_ALL
},
409 { "allowagentforwarding", sAllowAgentForwarding
, SSHCFG_ALL
},
410 { "allowusers", sAllowUsers
, SSHCFG_GLOBAL
},
411 { "denyusers", sDenyUsers
, SSHCFG_GLOBAL
},
412 { "allowgroups", sAllowGroups
, SSHCFG_GLOBAL
},
413 { "denygroups", sDenyGroups
, SSHCFG_GLOBAL
},
414 { "ciphers", sCiphers
, SSHCFG_GLOBAL
},
415 { "macs", sMacs
, SSHCFG_GLOBAL
},
416 { "protocol", sProtocol
, SSHCFG_GLOBAL
},
417 { "gatewayports", sGatewayPorts
, SSHCFG_ALL
},
418 { "subsystem", sSubsystem
, SSHCFG_GLOBAL
},
419 { "maxstartups", sMaxStartups
, SSHCFG_GLOBAL
},
420 { "maxauthtries", sMaxAuthTries
, SSHCFG_ALL
},
421 { "maxsessions", sMaxSessions
, SSHCFG_ALL
},
422 { "banner", sBanner
, SSHCFG_ALL
},
423 { "usedns", sUseDNS
, SSHCFG_GLOBAL
},
424 { "verifyreversemapping", sDeprecated
, SSHCFG_GLOBAL
},
425 { "reversemappingcheck", sDeprecated
, SSHCFG_GLOBAL
},
426 { "clientaliveinterval", sClientAliveInterval
, SSHCFG_GLOBAL
},
427 { "clientalivecountmax", sClientAliveCountMax
, SSHCFG_GLOBAL
},
428 { "authorizedkeysfile", sAuthorizedKeysFile
, SSHCFG_ALL
},
429 { "authorizedkeysfile2", sAuthorizedKeysFile2
, SSHCFG_ALL
},
430 { "useprivilegeseparation", sUsePrivilegeSeparation
, SSHCFG_GLOBAL
},
431 { "acceptenv", sAcceptEnv
, SSHCFG_GLOBAL
},
432 { "permittunnel", sPermitTunnel
, SSHCFG_ALL
},
433 { "match", sMatch
, SSHCFG_ALL
},
434 { "permitopen", sPermitOpen
, SSHCFG_ALL
},
435 { "forcecommand", sForceCommand
, SSHCFG_ALL
},
436 { "chrootdirectory", sChrootDirectory
, SSHCFG_ALL
},
437 { "hostcertificate", sHostCertificate
, SSHCFG_GLOBAL
},
438 { "revokedkeys", sRevokedKeys
, SSHCFG_ALL
},
439 { "trustedusercakeys", sTrustedUserCAKeys
, SSHCFG_ALL
},
440 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile
, SSHCFG_ALL
},
441 { "kexalgorithms", sKexAlgorithms
, SSHCFG_GLOBAL
},
442 { NULL
, sBadOption
, 0 }
449 { SSH_TUNMODE_NO
, "no" },
450 { SSH_TUNMODE_POINTOPOINT
, "point-to-point" },
451 { SSH_TUNMODE_ETHERNET
, "ethernet" },
452 { SSH_TUNMODE_YES
, "yes" },
457 * Returns the number of the token pointed to by cp or sBadOption.
461 parse_token(const char *cp
, const char *filename
,
462 int linenum
, u_int
*flags
)
466 for (i
= 0; keywords
[i
].name
; i
++)
467 if (strcasecmp(cp
, keywords
[i
].name
) == 0) {
468 *flags
= keywords
[i
].flags
;
469 return keywords
[i
].opcode
;
472 error("%s: line %d: Bad configuration option: %s",
473 filename
, linenum
, cp
);
478 derelativise_path(const char *path
)
480 char *expanded
, *ret
, cwd
[MAXPATHLEN
];
482 expanded
= tilde_expand_filename(path
, getuid());
483 if (*expanded
== '/')
485 if (getcwd(cwd
, sizeof(cwd
)) == NULL
)
486 fatal("%s: getcwd: %s", __func__
, strerror(errno
));
487 xasprintf(&ret
, "%s/%s", cwd
, expanded
);
493 add_listen_addr(ServerOptions
*options
, char *addr
, int port
)
497 if (options
->num_ports
== 0)
498 options
->ports
[options
->num_ports
++] = SSH_DEFAULT_PORT
;
499 if (options
->address_family
== -1)
500 options
->address_family
= AF_UNSPEC
;
502 for (i
= 0; i
< options
->num_ports
; i
++)
503 add_one_listen_addr(options
, addr
, options
->ports
[i
]);
505 add_one_listen_addr(options
, addr
, port
);
509 add_one_listen_addr(ServerOptions
*options
, char *addr
, int port
)
511 struct addrinfo hints
, *ai
, *aitop
;
512 char strport
[NI_MAXSERV
];
515 memset(&hints
, 0, sizeof(hints
));
516 hints
.ai_family
= options
->address_family
;
517 hints
.ai_socktype
= SOCK_STREAM
;
518 hints
.ai_flags
= (addr
== NULL
) ? AI_PASSIVE
: 0;
519 snprintf(strport
, sizeof strport
, "%d", port
);
520 if ((gaierr
= getaddrinfo(addr
, strport
, &hints
, &aitop
)) != 0)
521 fatal("bad addr or host: %s (%s)",
522 addr
? addr
: "<NULL>",
523 ssh_gai_strerror(gaierr
));
524 for (ai
= aitop
; ai
->ai_next
; ai
= ai
->ai_next
)
526 ai
->ai_next
= options
->listen_addrs
;
527 options
->listen_addrs
= aitop
;
531 * The strategy for the Match blocks is that the config file is parsed twice.
533 * The first time is at startup. activep is initialized to 1 and the
534 * directives in the global context are processed and acted on. Hitting a
535 * Match directive unsets activep and the directives inside the block are
536 * checked for syntax only.
538 * The second time is after a connection has been established but before
539 * authentication. activep is initialized to 2 and global config directives
540 * are ignored since they have already been processed. If the criteria in a
541 * Match block is met, activep is set and the subsequent directives
542 * processed and actioned until EOF or another Match block unsets it. Any
543 * options set are copied into the main server config.
545 * Potential additions/improvements:
546 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
548 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
549 * Match Address 192.168.0.*
554 * AllowTcpForwarding yes
555 * GatewayPorts clientspecified
558 * - Add a PermittedChannelRequests directive
560 * PermittedChannelRequests session,forwarded-tcpip
564 match_cfg_line_group(const char *grps
, int line
, const char *user
)
572 if ((pw
= getpwnam(user
)) == NULL
) {
573 debug("Can't match group at line %d because user %.100s does "
574 "not exist", line
, user
);
575 } else if (ga_init(pw
->pw_name
, pw
->pw_gid
) == 0) {
576 debug("Can't Match group because user %.100s not in any group "
577 "at line %d", user
, line
);
578 } else if (ga_match_pattern_list(grps
) != 1) {
579 debug("user %.100s does not match group list %.100s at line %d",
582 debug("user %.100s matched group list %.100s at line %d", user
,
592 match_cfg_line(char **condition
, int line
, const char *user
, const char *host
,
596 char *arg
, *attrib
, *cp
= *condition
;
600 debug3("checking syntax for 'Match %s'", cp
);
602 debug3("checking match for '%s' user %s host %s addr %s", cp
,
603 user
? user
: "(null)", host
? host
: "(null)",
604 address
? address
: "(null)");
606 while ((attrib
= strdelim(&cp
)) && *attrib
!= '\0') {
607 if ((arg
= strdelim(&cp
)) == NULL
|| *arg
== '\0') {
608 error("Missing Match criteria for %s", attrib
);
612 if (strcasecmp(attrib
, "user") == 0) {
617 if (match_pattern_list(user
, arg
, len
, 0) != 1)
620 debug("user %.100s matched 'User %.100s' at "
621 "line %d", user
, arg
, line
);
622 } else if (strcasecmp(attrib
, "group") == 0) {
623 switch (match_cfg_line_group(arg
, line
, user
)) {
629 } else if (strcasecmp(attrib
, "host") == 0) {
634 if (match_hostname(host
, arg
, len
) != 1)
637 debug("connection from %.100s matched 'Host "
638 "%.100s' at line %d", host
, arg
, line
);
639 } else if (strcasecmp(attrib
, "address") == 0) {
640 switch (addr_match_list(address
, arg
)) {
642 debug("connection from %.100s matched 'Address "
643 "%.100s' at line %d", address
, arg
, line
);
653 error("Unsupported Match attribute %s", attrib
);
658 debug3("match %sfound", result
? "" : "not ");
663 #define WHITESPACE " \t\r\n"
666 process_server_config_line(ServerOptions
*options
, char *line
,
667 const char *filename
, int linenum
, int *activep
, const char *user
,
668 const char *host
, const char *address
)
670 char *cp
, **charptr
, *arg
, *p
;
671 int cmdline
= 0, *intptr
, value
, n
;
672 SyslogFacility
*log_facility_ptr
;
673 LogLevel
*log_level_ptr
;
674 ServerOpCodes opcode
;
680 if ((arg
= strdelim(&cp
)) == NULL
)
682 /* Ignore leading whitespace */
685 if (!arg
|| !*arg
|| *arg
== '#')
689 opcode
= parse_token(arg
, filename
, linenum
, &flags
);
691 if (activep
== NULL
) { /* We are processing a command line directive */
695 if (*activep
&& opcode
!= sMatch
)
696 debug3("%s:%d setting %s %s", filename
, linenum
, arg
, cp
);
697 if (*activep
== 0 && !(flags
& SSHCFG_MATCH
)) {
699 fatal("%s line %d: Directive '%s' is not allowed "
700 "within a Match block", filename
, linenum
, arg
);
701 } else { /* this is a directive we have already processed */
709 /* Portable-specific options */
711 intptr
= &options
->use_pam
;
714 /* Standard Options */
718 /* ignore ports from configfile if cmdline specifies ports */
719 if (options
->ports_from_cmdline
)
721 if (options
->listen_addrs
!= NULL
)
722 fatal("%s line %d: ports must be specified before "
723 "ListenAddress.", filename
, linenum
);
724 if (options
->num_ports
>= MAX_PORTS
)
725 fatal("%s line %d: too many ports.",
728 if (!arg
|| *arg
== '\0')
729 fatal("%s line %d: missing port number.",
731 options
->ports
[options
->num_ports
++] = a2port(arg
);
732 if (options
->ports
[options
->num_ports
-1] <= 0)
733 fatal("%s line %d: Badly formatted port number.",
738 intptr
= &options
->server_key_bits
;
741 if (!arg
|| *arg
== '\0')
742 fatal("%s line %d: missing integer value.",
745 if (*activep
&& *intptr
== -1)
749 case sLoginGraceTime
:
750 intptr
= &options
->login_grace_time
;
753 if (!arg
|| *arg
== '\0')
754 fatal("%s line %d: missing time value.",
756 if ((value
= convtime(arg
)) == -1)
757 fatal("%s line %d: invalid time value.",
763 case sKeyRegenerationTime
:
764 intptr
= &options
->key_regeneration_time
;
769 if (arg
== NULL
|| *arg
== '\0')
770 fatal("%s line %d: missing address",
772 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
773 if (strchr(arg
, '[') == NULL
&& (p
= strchr(arg
, ':')) != NULL
774 && strchr(p
+1, ':') != NULL
) {
775 add_listen_addr(options
, arg
, 0);
780 fatal("%s line %d: bad address:port usage",
782 p
= cleanhostname(p
);
785 else if ((port
= a2port(arg
)) <= 0)
786 fatal("%s line %d: bad port number", filename
, linenum
);
788 add_listen_addr(options
, p
, port
);
794 if (!arg
|| *arg
== '\0')
795 fatal("%s line %d: missing address family.",
797 intptr
= &options
->address_family
;
798 if (options
->listen_addrs
!= NULL
)
799 fatal("%s line %d: address family must be specified before "
800 "ListenAddress.", filename
, linenum
);
801 if (strcasecmp(arg
, "inet") == 0)
803 else if (strcasecmp(arg
, "inet6") == 0)
805 else if (strcasecmp(arg
, "any") == 0)
808 fatal("%s line %d: unsupported address family \"%s\".",
809 filename
, linenum
, arg
);
815 intptr
= &options
->num_host_key_files
;
816 if (*intptr
>= MAX_HOSTKEYS
)
817 fatal("%s line %d: too many host keys specified (max %d).",
818 filename
, linenum
, MAX_HOSTKEYS
);
819 charptr
= &options
->host_key_files
[*intptr
];
822 if (!arg
|| *arg
== '\0')
823 fatal("%s line %d: missing file name.",
825 if (*activep
&& *charptr
== NULL
) {
826 *charptr
= derelativise_path(arg
);
827 /* increase optional counter */
829 *intptr
= *intptr
+ 1;
833 case sHostCertificate
:
834 intptr
= &options
->num_host_cert_files
;
835 if (*intptr
>= MAX_HOSTKEYS
)
836 fatal("%s line %d: too many host certificates "
837 "specified (max %d).", filename
, linenum
,
839 charptr
= &options
->host_cert_files
[*intptr
];
844 charptr
= &options
->pid_file
;
847 case sPermitRootLogin
:
848 intptr
= &options
->permit_root_login
;
850 if (!arg
|| *arg
== '\0')
851 fatal("%s line %d: missing yes/"
852 "without-password/forced-commands-only/no "
853 "argument.", filename
, linenum
);
854 value
= 0; /* silence compiler */
855 if (strcmp(arg
, "without-password") == 0)
856 value
= PERMIT_NO_PASSWD
;
857 else if (strcmp(arg
, "forced-commands-only") == 0)
858 value
= PERMIT_FORCED_ONLY
;
859 else if (strcmp(arg
, "yes") == 0)
861 else if (strcmp(arg
, "no") == 0)
864 fatal("%s line %d: Bad yes/"
865 "without-password/forced-commands-only/no "
866 "argument: %s", filename
, linenum
, arg
);
867 if (*activep
&& *intptr
== -1)
872 intptr
= &options
->ignore_rhosts
;
875 if (!arg
|| *arg
== '\0')
876 fatal("%s line %d: missing yes/no argument.",
878 value
= 0; /* silence compiler */
879 if (strcmp(arg
, "yes") == 0)
881 else if (strcmp(arg
, "no") == 0)
884 fatal("%s line %d: Bad yes/no argument: %s",
885 filename
, linenum
, arg
);
886 if (*activep
&& *intptr
== -1)
890 case sIgnoreUserKnownHosts
:
891 intptr
= &options
->ignore_user_known_hosts
;
894 case sRhostsRSAAuthentication
:
895 intptr
= &options
->rhosts_rsa_authentication
;
898 case sHostbasedAuthentication
:
899 intptr
= &options
->hostbased_authentication
;
902 case sHostbasedUsesNameFromPacketOnly
:
903 intptr
= &options
->hostbased_uses_name_from_packet_only
;
906 case sRSAAuthentication
:
907 intptr
= &options
->rsa_authentication
;
910 case sPubkeyAuthentication
:
911 intptr
= &options
->pubkey_authentication
;
914 case sKerberosAuthentication
:
915 intptr
= &options
->kerberos_authentication
;
918 case sKerberosOrLocalPasswd
:
919 intptr
= &options
->kerberos_or_local_passwd
;
922 case sKerberosTicketCleanup
:
923 intptr
= &options
->kerberos_ticket_cleanup
;
926 case sKerberosGetAFSToken
:
927 intptr
= &options
->kerberos_get_afs_token
;
930 case sGssAuthentication
:
931 intptr
= &options
->gss_authentication
;
934 case sGssCleanupCreds
:
935 intptr
= &options
->gss_cleanup_creds
;
938 case sPasswordAuthentication
:
939 intptr
= &options
->password_authentication
;
942 case sZeroKnowledgePasswordAuthentication
:
943 intptr
= &options
->zero_knowledge_password_authentication
;
946 case sKbdInteractiveAuthentication
:
947 intptr
= &options
->kbd_interactive_authentication
;
950 case sChallengeResponseAuthentication
:
951 intptr
= &options
->challenge_response_authentication
;
955 intptr
= &options
->print_motd
;
959 intptr
= &options
->print_lastlog
;
963 intptr
= &options
->x11_forwarding
;
966 case sX11DisplayOffset
:
967 intptr
= &options
->x11_display_offset
;
970 case sX11UseLocalhost
:
971 intptr
= &options
->x11_use_localhost
;
975 charptr
= &options
->xauth_location
;
979 intptr
= &options
->strict_modes
;
983 intptr
= &options
->tcp_keep_alive
;
987 intptr
= &options
->permit_empty_passwd
;
990 case sPermitUserEnvironment
:
991 intptr
= &options
->permit_user_env
;
995 intptr
= &options
->use_login
;
999 intptr
= &options
->compression
;
1000 arg
= strdelim(&cp
);
1001 if (!arg
|| *arg
== '\0')
1002 fatal("%s line %d: missing yes/no/delayed "
1003 "argument.", filename
, linenum
);
1004 value
= 0; /* silence compiler */
1005 if (strcmp(arg
, "delayed") == 0)
1006 value
= COMP_DELAYED
;
1007 else if (strcmp(arg
, "yes") == 0)
1009 else if (strcmp(arg
, "no") == 0)
1012 fatal("%s line %d: Bad yes/no/delayed "
1013 "argument: %s", filename
, linenum
, arg
);
1019 intptr
= &options
->gateway_ports
;
1020 arg
= strdelim(&cp
);
1021 if (!arg
|| *arg
== '\0')
1022 fatal("%s line %d: missing yes/no/clientspecified "
1023 "argument.", filename
, linenum
);
1024 value
= 0; /* silence compiler */
1025 if (strcmp(arg
, "clientspecified") == 0)
1027 else if (strcmp(arg
, "yes") == 0)
1029 else if (strcmp(arg
, "no") == 0)
1032 fatal("%s line %d: Bad yes/no/clientspecified "
1033 "argument: %s", filename
, linenum
, arg
);
1034 if (*activep
&& *intptr
== -1)
1039 intptr
= &options
->use_dns
;
1043 log_facility_ptr
= &options
->log_facility
;
1044 arg
= strdelim(&cp
);
1045 value
= log_facility_number(arg
);
1046 if (value
== SYSLOG_FACILITY_NOT_SET
)
1047 fatal("%.200s line %d: unsupported log facility '%s'",
1048 filename
, linenum
, arg
? arg
: "<NONE>");
1049 if (*log_facility_ptr
== -1)
1050 *log_facility_ptr
= (SyslogFacility
) value
;
1054 log_level_ptr
= &options
->log_level
;
1055 arg
= strdelim(&cp
);
1056 value
= log_level_number(arg
);
1057 if (value
== SYSLOG_LEVEL_NOT_SET
)
1058 fatal("%.200s line %d: unsupported log level '%s'",
1059 filename
, linenum
, arg
? arg
: "<NONE>");
1060 if (*log_level_ptr
== -1)
1061 *log_level_ptr
= (LogLevel
) value
;
1064 case sAllowTcpForwarding
:
1065 intptr
= &options
->allow_tcp_forwarding
;
1068 case sAllowAgentForwarding
:
1069 intptr
= &options
->allow_agent_forwarding
;
1072 case sUsePrivilegeSeparation
:
1073 intptr
= &use_privsep
;
1077 while ((arg
= strdelim(&cp
)) && *arg
!= '\0') {
1078 if (options
->num_allow_users
>= MAX_ALLOW_USERS
)
1079 fatal("%s line %d: too many allow users.",
1081 options
->allow_users
[options
->num_allow_users
++] =
1087 while ((arg
= strdelim(&cp
)) && *arg
!= '\0') {
1088 if (options
->num_deny_users
>= MAX_DENY_USERS
)
1089 fatal("%s line %d: too many deny users.",
1091 options
->deny_users
[options
->num_deny_users
++] =
1097 while ((arg
= strdelim(&cp
)) && *arg
!= '\0') {
1098 if (options
->num_allow_groups
>= MAX_ALLOW_GROUPS
)
1099 fatal("%s line %d: too many allow groups.",
1101 options
->allow_groups
[options
->num_allow_groups
++] =
1107 while ((arg
= strdelim(&cp
)) && *arg
!= '\0') {
1108 if (options
->num_deny_groups
>= MAX_DENY_GROUPS
)
1109 fatal("%s line %d: too many deny groups.",
1111 options
->deny_groups
[options
->num_deny_groups
++] = xstrdup(arg
);
1116 arg
= strdelim(&cp
);
1117 if (!arg
|| *arg
== '\0')
1118 fatal("%s line %d: Missing argument.", filename
, linenum
);
1119 if (!ciphers_valid(arg
))
1120 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1121 filename
, linenum
, arg
? arg
: "<NONE>");
1122 if (options
->ciphers
== NULL
)
1123 options
->ciphers
= xstrdup(arg
);
1127 arg
= strdelim(&cp
);
1128 if (!arg
|| *arg
== '\0')
1129 fatal("%s line %d: Missing argument.", filename
, linenum
);
1130 if (!mac_valid(arg
))
1131 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1132 filename
, linenum
, arg
? arg
: "<NONE>");
1133 if (options
->macs
== NULL
)
1134 options
->macs
= xstrdup(arg
);
1137 case sKexAlgorithms
:
1138 arg
= strdelim(&cp
);
1139 if (!arg
|| *arg
== '\0')
1140 fatal("%s line %d: Missing argument.",
1142 if (!kex_names_valid(arg
))
1143 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1144 filename
, linenum
, arg
? arg
: "<NONE>");
1145 if (options
->kex_algorithms
== NULL
)
1146 options
->kex_algorithms
= xstrdup(arg
);
1150 intptr
= &options
->protocol
;
1151 arg
= strdelim(&cp
);
1152 if (!arg
|| *arg
== '\0')
1153 fatal("%s line %d: Missing argument.", filename
, linenum
);
1154 value
= proto_spec(arg
);
1155 if (value
== SSH_PROTO_UNKNOWN
)
1156 fatal("%s line %d: Bad protocol spec '%s'.",
1157 filename
, linenum
, arg
? arg
: "<NONE>");
1158 if (*intptr
== SSH_PROTO_UNKNOWN
)
1163 if (options
->num_subsystems
>= MAX_SUBSYSTEMS
) {
1164 fatal("%s line %d: too many subsystems defined.",
1167 arg
= strdelim(&cp
);
1168 if (!arg
|| *arg
== '\0')
1169 fatal("%s line %d: Missing subsystem name.",
1172 arg
= strdelim(&cp
);
1175 for (i
= 0; i
< options
->num_subsystems
; i
++)
1176 if (strcmp(arg
, options
->subsystem_name
[i
]) == 0)
1177 fatal("%s line %d: Subsystem '%s' already defined.",
1178 filename
, linenum
, arg
);
1179 options
->subsystem_name
[options
->num_subsystems
] = xstrdup(arg
);
1180 arg
= strdelim(&cp
);
1181 if (!arg
|| *arg
== '\0')
1182 fatal("%s line %d: Missing subsystem command.",
1184 options
->subsystem_command
[options
->num_subsystems
] = xstrdup(arg
);
1186 /* Collect arguments (separate to executable) */
1188 len
= strlen(p
) + 1;
1189 while ((arg
= strdelim(&cp
)) != NULL
&& *arg
!= '\0') {
1190 len
+= 1 + strlen(arg
);
1191 p
= xrealloc(p
, 1, len
);
1192 strlcat(p
, " ", len
);
1193 strlcat(p
, arg
, len
);
1195 options
->subsystem_args
[options
->num_subsystems
] = p
;
1196 options
->num_subsystems
++;
1200 arg
= strdelim(&cp
);
1201 if (!arg
|| *arg
== '\0')
1202 fatal("%s line %d: Missing MaxStartups spec.",
1204 if ((n
= sscanf(arg
, "%d:%d:%d",
1205 &options
->max_startups_begin
,
1206 &options
->max_startups_rate
,
1207 &options
->max_startups
)) == 3) {
1208 if (options
->max_startups_begin
>
1209 options
->max_startups
||
1210 options
->max_startups_rate
> 100 ||
1211 options
->max_startups_rate
< 1)
1212 fatal("%s line %d: Illegal MaxStartups spec.",
1215 fatal("%s line %d: Illegal MaxStartups spec.",
1218 options
->max_startups
= options
->max_startups_begin
;
1222 intptr
= &options
->max_authtries
;
1226 intptr
= &options
->max_sessions
;
1230 charptr
= &options
->banner
;
1231 goto parse_filename
;
1234 * These options can contain %X options expanded at
1235 * connect time, so that you can specify paths like:
1237 * AuthorizedKeysFile /etc/ssh_keys/%u
1239 case sAuthorizedKeysFile
:
1240 charptr
= &options
->authorized_keys_file
;
1241 goto parse_tilde_filename
;
1242 case sAuthorizedKeysFile2
:
1243 charptr
= &options
->authorized_keys_file2
;
1244 goto parse_tilde_filename
;
1245 case sAuthorizedPrincipalsFile
:
1246 charptr
= &options
->authorized_principals_file
;
1247 parse_tilde_filename
:
1248 arg
= strdelim(&cp
);
1249 if (!arg
|| *arg
== '\0')
1250 fatal("%s line %d: missing file name.",
1252 if (*activep
&& *charptr
== NULL
) {
1253 *charptr
= tilde_expand_filename(arg
, getuid());
1254 /* increase optional counter */
1256 *intptr
= *intptr
+ 1;
1260 case sClientAliveInterval
:
1261 intptr
= &options
->client_alive_interval
;
1264 case sClientAliveCountMax
:
1265 intptr
= &options
->client_alive_count_max
;
1269 while ((arg
= strdelim(&cp
)) && *arg
!= '\0') {
1270 if (strchr(arg
, '=') != NULL
)
1271 fatal("%s line %d: Invalid environment name.",
1273 if (options
->num_accept_env
>= MAX_ACCEPT_ENV
)
1274 fatal("%s line %d: too many allow env.",
1278 options
->accept_env
[options
->num_accept_env
++] =
1284 intptr
= &options
->permit_tun
;
1285 arg
= strdelim(&cp
);
1286 if (!arg
|| *arg
== '\0')
1287 fatal("%s line %d: Missing yes/point-to-point/"
1288 "ethernet/no argument.", filename
, linenum
);
1290 for (i
= 0; tunmode_desc
[i
].val
!= -1; i
++)
1291 if (strcmp(tunmode_desc
[i
].text
, arg
) == 0) {
1292 value
= tunmode_desc
[i
].val
;
1296 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1297 "no argument: %s", filename
, linenum
, arg
);
1304 fatal("Match directive not supported as a command-line "
1306 value
= match_cfg_line(&cp
, linenum
, user
, host
, address
);
1308 fatal("%s line %d: Bad Match condition", filename
,
1314 arg
= strdelim(&cp
);
1315 if (!arg
|| *arg
== '\0')
1316 fatal("%s line %d: missing PermitOpen specification",
1318 n
= options
->num_permitted_opens
; /* modified later */
1319 if (strcmp(arg
, "any") == 0) {
1320 if (*activep
&& n
== -1) {
1321 channel_clear_adm_permitted_opens();
1322 options
->num_permitted_opens
= 0;
1326 if (*activep
&& n
== -1)
1327 channel_clear_adm_permitted_opens();
1328 for (; arg
!= NULL
&& *arg
!= '\0'; arg
= strdelim(&cp
)) {
1331 fatal("%s line %d: missing host in PermitOpen",
1333 p
= cleanhostname(p
);
1334 if (arg
== NULL
|| (port
= a2port(arg
)) <= 0)
1335 fatal("%s line %d: bad port number in "
1336 "PermitOpen", filename
, linenum
);
1337 if (*activep
&& n
== -1)
1338 options
->num_permitted_opens
=
1339 channel_add_adm_permitted_opens(p
, port
);
1345 fatal("%.200s line %d: Missing argument.", filename
,
1347 len
= strspn(cp
, WHITESPACE
);
1348 if (*activep
&& options
->adm_forced_command
== NULL
)
1349 options
->adm_forced_command
= xstrdup(cp
+ len
);
1352 case sChrootDirectory
:
1353 charptr
= &options
->chroot_directory
;
1355 arg
= strdelim(&cp
);
1356 if (!arg
|| *arg
== '\0')
1357 fatal("%s line %d: missing file name.",
1359 if (*activep
&& *charptr
== NULL
)
1360 *charptr
= xstrdup(arg
);
1363 case sTrustedUserCAKeys
:
1364 charptr
= &options
->trusted_user_ca_keys
;
1365 goto parse_filename
;
1368 charptr
= &options
->revoked_keys_file
;
1369 goto parse_filename
;
1372 logit("%s line %d: Deprecated option %s",
1373 filename
, linenum
, arg
);
1375 arg
= strdelim(&cp
);
1379 logit("%s line %d: Unsupported option %s",
1380 filename
, linenum
, arg
);
1382 arg
= strdelim(&cp
);
1386 fatal("%s line %d: Missing handler for opcode %s (%d)",
1387 filename
, linenum
, arg
, opcode
);
1389 if ((arg
= strdelim(&cp
)) != NULL
&& *arg
!= '\0')
1390 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1391 filename
, linenum
, arg
);
1395 /* Reads the server configuration file. */
1398 load_server_config(const char *filename
, Buffer
*conf
)
1400 char line
[1024], *cp
;
1403 debug2("%s: filename %s", __func__
, filename
);
1404 if ((f
= fopen(filename
, "r")) == NULL
) {
1409 while (fgets(line
, sizeof(line
), f
)) {
1411 * Trim out comments and strip whitespace
1412 * NB - preserve newlines, they are needed to reproduce
1413 * line numbers later for error messages
1415 if ((cp
= strchr(line
, '#')) != NULL
)
1416 memcpy(cp
, "\n", 2);
1417 cp
= line
+ strspn(line
, " \t\r");
1419 buffer_append(conf
, cp
, strlen(cp
));
1421 buffer_append(conf
, "\0", 1);
1423 debug2("%s: done config len = %d", __func__
, buffer_len(conf
));
1427 parse_server_match_config(ServerOptions
*options
, const char *user
,
1428 const char *host
, const char *address
)
1432 initialize_server_options(&mo
);
1433 parse_server_config(&mo
, "reprocess config", &cfg
, user
, host
, address
);
1434 copy_set_server_options(options
, &mo
, 0);
1438 #define M_CP_INTOPT(n) do {\
1442 #define M_CP_STROPT(n) do {\
1443 if (src->n != NULL) { \
1444 if (dst->n != NULL) \
1451 * Copy any supported values that are set.
1453 * If the preauth flag is set, we do not bother copying the string or
1454 * array values that are not used pre-authentication, because any that we
1455 * do use must be explictly sent in mm_getpwnamallow().
1458 copy_set_server_options(ServerOptions
*dst
, ServerOptions
*src
, int preauth
)
1460 M_CP_INTOPT(password_authentication
);
1461 M_CP_INTOPT(gss_authentication
);
1462 M_CP_INTOPT(rsa_authentication
);
1463 M_CP_INTOPT(pubkey_authentication
);
1464 M_CP_INTOPT(kerberos_authentication
);
1465 M_CP_INTOPT(hostbased_authentication
);
1466 M_CP_INTOPT(hostbased_uses_name_from_packet_only
);
1467 M_CP_INTOPT(kbd_interactive_authentication
);
1468 M_CP_INTOPT(zero_knowledge_password_authentication
);
1469 M_CP_INTOPT(permit_root_login
);
1470 M_CP_INTOPT(permit_empty_passwd
);
1472 M_CP_INTOPT(allow_tcp_forwarding
);
1473 M_CP_INTOPT(allow_agent_forwarding
);
1474 M_CP_INTOPT(permit_tun
);
1475 M_CP_INTOPT(gateway_ports
);
1476 M_CP_INTOPT(x11_display_offset
);
1477 M_CP_INTOPT(x11_forwarding
);
1478 M_CP_INTOPT(x11_use_localhost
);
1479 M_CP_INTOPT(max_sessions
);
1480 M_CP_INTOPT(max_authtries
);
1482 M_CP_STROPT(banner
);
1485 M_CP_STROPT(adm_forced_command
);
1486 M_CP_STROPT(chroot_directory
);
1487 M_CP_STROPT(trusted_user_ca_keys
);
1488 M_CP_STROPT(revoked_keys_file
);
1489 M_CP_STROPT(authorized_keys_file
);
1490 M_CP_STROPT(authorized_keys_file2
);
1491 M_CP_STROPT(authorized_principals_file
);
1498 parse_server_config(ServerOptions
*options
, const char *filename
, Buffer
*conf
,
1499 const char *user
, const char *host
, const char *address
)
1501 int active
, linenum
, bad_options
= 0;
1502 char *cp
, *obuf
, *cbuf
;
1504 debug2("%s: config %s len %d", __func__
, filename
, buffer_len(conf
));
1506 obuf
= cbuf
= xstrdup(buffer_ptr(conf
));
1507 active
= user
? 0 : 1;
1509 while ((cp
= strsep(&cbuf
, "\n")) != NULL
) {
1510 if (process_server_config_line(options
, cp
, filename
,
1511 linenum
++, &active
, user
, host
, address
) != 0)
1515 if (bad_options
> 0)
1516 fatal("%s: terminating, %d bad configuration options",
1517 filename
, bad_options
);
1521 fmt_intarg(ServerOpCodes code
, int val
)
1523 if (code
== sAddressFamily
) {
1535 if (code
== sPermitRootLogin
) {
1537 case PERMIT_NO_PASSWD
:
1538 return "without-password";
1539 case PERMIT_FORCED_ONLY
:
1540 return "forced-commands-only";
1545 if (code
== sProtocol
) {
1551 case (SSH_PROTO_1
|SSH_PROTO_2
):
1557 if (code
== sGatewayPorts
&& val
== 2)
1558 return "clientspecified";
1559 if (code
== sCompression
&& val
== COMP_DELAYED
)
1573 lookup_opcode_name(ServerOpCodes code
)
1577 for (i
= 0; keywords
[i
].name
!= NULL
; i
++)
1578 if (keywords
[i
].opcode
== code
)
1579 return(keywords
[i
].name
);
1584 dump_cfg_int(ServerOpCodes code
, int val
)
1586 printf("%s %d\n", lookup_opcode_name(code
), val
);
1590 dump_cfg_fmtint(ServerOpCodes code
, int val
)
1592 printf("%s %s\n", lookup_opcode_name(code
), fmt_intarg(code
, val
));
1596 dump_cfg_string(ServerOpCodes code
, const char *val
)
1600 printf("%s %s\n", lookup_opcode_name(code
), val
);
1604 dump_cfg_strarray(ServerOpCodes code
, u_int count
, char **vals
)
1608 for (i
= 0; i
< count
; i
++)
1609 printf("%s %s\n", lookup_opcode_name(code
), vals
[i
]);
1613 dump_config(ServerOptions
*o
)
1617 struct addrinfo
*ai
;
1618 char addr
[NI_MAXHOST
], port
[NI_MAXSERV
], *s
= NULL
;
1620 /* these are usually at the top of the config */
1621 for (i
= 0; i
< o
->num_ports
; i
++)
1622 printf("port %d\n", o
->ports
[i
]);
1623 dump_cfg_fmtint(sProtocol
, o
->protocol
);
1624 dump_cfg_fmtint(sAddressFamily
, o
->address_family
);
1626 /* ListenAddress must be after Port */
1627 for (ai
= o
->listen_addrs
; ai
; ai
= ai
->ai_next
) {
1628 if ((ret
= getnameinfo(ai
->ai_addr
, ai
->ai_addrlen
, addr
,
1629 sizeof(addr
), port
, sizeof(port
),
1630 NI_NUMERICHOST
|NI_NUMERICSERV
)) != 0) {
1631 error("getnameinfo failed: %.100s",
1632 (ret
!= EAI_SYSTEM
) ? gai_strerror(ret
) :
1635 if (ai
->ai_family
== AF_INET6
)
1636 printf("listenaddress [%s]:%s\n", addr
, port
);
1638 printf("listenaddress %s:%s\n", addr
, port
);
1642 /* integer arguments */
1644 dump_cfg_int(sUsePAM
, o
->use_pam
);
1646 dump_cfg_int(sServerKeyBits
, o
->server_key_bits
);
1647 dump_cfg_int(sLoginGraceTime
, o
->login_grace_time
);
1648 dump_cfg_int(sKeyRegenerationTime
, o
->key_regeneration_time
);
1649 dump_cfg_int(sX11DisplayOffset
, o
->x11_display_offset
);
1650 dump_cfg_int(sMaxAuthTries
, o
->max_authtries
);
1651 dump_cfg_int(sMaxSessions
, o
->max_sessions
);
1652 dump_cfg_int(sClientAliveInterval
, o
->client_alive_interval
);
1653 dump_cfg_int(sClientAliveCountMax
, o
->client_alive_count_max
);
1655 /* formatted integer arguments */
1656 dump_cfg_fmtint(sPermitRootLogin
, o
->permit_root_login
);
1657 dump_cfg_fmtint(sIgnoreRhosts
, o
->ignore_rhosts
);
1658 dump_cfg_fmtint(sIgnoreUserKnownHosts
, o
->ignore_user_known_hosts
);
1659 dump_cfg_fmtint(sRhostsRSAAuthentication
, o
->rhosts_rsa_authentication
);
1660 dump_cfg_fmtint(sHostbasedAuthentication
, o
->hostbased_authentication
);
1661 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly
,
1662 o
->hostbased_uses_name_from_packet_only
);
1663 dump_cfg_fmtint(sRSAAuthentication
, o
->rsa_authentication
);
1664 dump_cfg_fmtint(sPubkeyAuthentication
, o
->pubkey_authentication
);
1666 dump_cfg_fmtint(sKerberosAuthentication
, o
->kerberos_authentication
);
1667 dump_cfg_fmtint(sKerberosOrLocalPasswd
, o
->kerberos_or_local_passwd
);
1668 dump_cfg_fmtint(sKerberosTicketCleanup
, o
->kerberos_ticket_cleanup
);
1670 dump_cfg_fmtint(sKerberosGetAFSToken
, o
->kerberos_get_afs_token
);
1674 dump_cfg_fmtint(sGssAuthentication
, o
->gss_authentication
);
1675 dump_cfg_fmtint(sGssCleanupCreds
, o
->gss_cleanup_creds
);
1678 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication
,
1679 o
->zero_knowledge_password_authentication
);
1681 dump_cfg_fmtint(sPasswordAuthentication
, o
->password_authentication
);
1682 dump_cfg_fmtint(sKbdInteractiveAuthentication
,
1683 o
->kbd_interactive_authentication
);
1684 dump_cfg_fmtint(sChallengeResponseAuthentication
,
1685 o
->challenge_response_authentication
);
1686 dump_cfg_fmtint(sPrintMotd
, o
->print_motd
);
1687 dump_cfg_fmtint(sPrintLastLog
, o
->print_lastlog
);
1688 dump_cfg_fmtint(sX11Forwarding
, o
->x11_forwarding
);
1689 dump_cfg_fmtint(sX11UseLocalhost
, o
->x11_use_localhost
);
1690 dump_cfg_fmtint(sStrictModes
, o
->strict_modes
);
1691 dump_cfg_fmtint(sTCPKeepAlive
, o
->tcp_keep_alive
);
1692 dump_cfg_fmtint(sEmptyPasswd
, o
->permit_empty_passwd
);
1693 dump_cfg_fmtint(sPermitUserEnvironment
, o
->permit_user_env
);
1694 dump_cfg_fmtint(sUseLogin
, o
->use_login
);
1695 dump_cfg_fmtint(sCompression
, o
->compression
);
1696 dump_cfg_fmtint(sGatewayPorts
, o
->gateway_ports
);
1697 dump_cfg_fmtint(sUseDNS
, o
->use_dns
);
1698 dump_cfg_fmtint(sAllowTcpForwarding
, o
->allow_tcp_forwarding
);
1699 dump_cfg_fmtint(sUsePrivilegeSeparation
, use_privsep
);
1701 /* string arguments */
1702 dump_cfg_string(sPidFile
, o
->pid_file
);
1703 dump_cfg_string(sXAuthLocation
, o
->xauth_location
);
1704 dump_cfg_string(sCiphers
, o
->ciphers
);
1705 dump_cfg_string(sMacs
, o
->macs
);
1706 dump_cfg_string(sBanner
, o
->banner
);
1707 dump_cfg_string(sAuthorizedKeysFile
, o
->authorized_keys_file
);
1708 dump_cfg_string(sAuthorizedKeysFile2
, o
->authorized_keys_file2
);
1709 dump_cfg_string(sForceCommand
, o
->adm_forced_command
);
1710 dump_cfg_string(sChrootDirectory
, o
->chroot_directory
);
1711 dump_cfg_string(sTrustedUserCAKeys
, o
->trusted_user_ca_keys
);
1712 dump_cfg_string(sRevokedKeys
, o
->revoked_keys_file
);
1713 dump_cfg_string(sAuthorizedPrincipalsFile
,
1714 o
->authorized_principals_file
);
1716 /* string arguments requiring a lookup */
1717 dump_cfg_string(sLogLevel
, log_level_name(o
->log_level
));
1718 dump_cfg_string(sLogFacility
, log_facility_name(o
->log_facility
));
1720 /* string array arguments */
1721 dump_cfg_strarray(sHostKeyFile
, o
->num_host_key_files
,
1723 dump_cfg_strarray(sHostKeyFile
, o
->num_host_cert_files
,
1724 o
->host_cert_files
);
1725 dump_cfg_strarray(sAllowUsers
, o
->num_allow_users
, o
->allow_users
);
1726 dump_cfg_strarray(sDenyUsers
, o
->num_deny_users
, o
->deny_users
);
1727 dump_cfg_strarray(sAllowGroups
, o
->num_allow_groups
, o
->allow_groups
);
1728 dump_cfg_strarray(sDenyGroups
, o
->num_deny_groups
, o
->deny_groups
);
1729 dump_cfg_strarray(sAcceptEnv
, o
->num_accept_env
, o
->accept_env
);
1731 /* other arguments */
1732 for (i
= 0; i
< o
->num_subsystems
; i
++)
1733 printf("subsystem %s %s\n", o
->subsystem_name
[i
],
1734 o
->subsystem_args
[i
]);
1736 printf("maxstartups %d:%d:%d\n", o
->max_startups_begin
,
1737 o
->max_startups_rate
, o
->max_startups
);
1739 for (i
= 0; tunmode_desc
[i
].val
!= -1; i
++)
1740 if (tunmode_desc
[i
].val
== o
->permit_tun
) {
1741 s
= tunmode_desc
[i
].text
;
1744 dump_cfg_string(sPermitTunnel
, s
);
1746 channel_print_adm_permitted_opens();