]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
o remove stuff that will get me in trouble
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
70791e56 13RCSID("$OpenBSD: servconf.c,v 1.127 2003/09/01 18:15:50 markus Exp $");
3c0ef626 14
15#include "ssh.h"
16#include "log.h"
17#include "servconf.h"
18#include "xmalloc.h"
19#include "compat.h"
20#include "pathnames.h"
21#include "tildexpand.h"
22#include "misc.h"
23#include "cipher.h"
24#include "kex.h"
25#include "mac.h"
26
27static void add_listen_addr(ServerOptions *, char *, u_short);
28static void add_one_listen_addr(ServerOptions *, char *, u_short);
29
30/* AF_UNSPEC or AF_INET or AF_INET6 */
31extern int IPv4or6;
2980ea68 32/* Use of privilege separation or not */
33extern int use_privsep;
3c0ef626 34
35/* Initializes the server options to their default values. */
36
37void
38initialize_server_options(ServerOptions *options)
39{
40 memset(options, 0, sizeof(*options));
41
42 /* Portable-specific options */
70791e56 43 options->use_pam = -1;
3c0ef626 44
45 /* Standard Options */
46 options->num_ports = 0;
47 options->ports_from_cmdline = 0;
48 options->listen_addrs = NULL;
49 options->num_host_key_files = 0;
50 options->pid_file = NULL;
51 options->server_key_bits = -1;
52 options->login_grace_time = -1;
53 options->key_regeneration_time = -1;
54 options->permit_root_login = PERMIT_NOT_SET;
55 options->ignore_rhosts = -1;
56 options->ignore_user_known_hosts = -1;
57 options->print_motd = -1;
58 options->print_lastlog = -1;
59 options->x11_forwarding = -1;
60 options->x11_display_offset = -1;
e9a17296 61 options->x11_use_localhost = -1;
3c0ef626 62 options->xauth_location = NULL;
63 options->strict_modes = -1;
64 options->keepalives = -1;
e9a17296 65 options->log_facility = SYSLOG_FACILITY_NOT_SET;
66 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 67 options->rhosts_rsa_authentication = -1;
68 options->hostbased_authentication = -1;
69 options->hostbased_uses_name_from_packet_only = -1;
70 options->rsa_authentication = -1;
71 options->pubkey_authentication = -1;
3c0ef626 72 options->kerberos_authentication = -1;
73 options->kerberos_or_local_passwd = -1;
74 options->kerberos_ticket_cleanup = -1;
88928908 75#ifdef SESSION_HOOKS
76 options->session_hooks_allow = -1;
77 options->session_hooks_startup_cmd = NULL;
78 options->session_hooks_shutdown_cmd = NULL;
3c0ef626 79#endif
70791e56 80 options->gss_authentication=-1;
81 options->gss_keyex=-1;
82 options->gss_use_session_ccache = -1;
83 options->gss_cleanup_creds = -1;
3c0ef626 84 options->password_authentication = -1;
85 options->kbd_interactive_authentication = -1;
86 options->challenge_response_authentication = -1;
87 options->permit_empty_passwd = -1;
e54b3d7c 88 options->permit_user_env = -1;
3c0ef626 89 options->use_login = -1;
ff2d7a98 90 options->compression = -1;
3c0ef626 91 options->allow_tcp_forwarding = -1;
92 options->num_allow_users = 0;
93 options->num_deny_users = 0;
94 options->num_allow_groups = 0;
95 options->num_deny_groups = 0;
96 options->ciphers = NULL;
97 options->macs = NULL;
98 options->protocol = SSH_PROTO_UNKNOWN;
99 options->gateway_ports = -1;
100 options->num_subsystems = 0;
101 options->max_startups_begin = -1;
102 options->max_startups_rate = -1;
103 options->max_startups = -1;
104 options->banner = NULL;
70791e56 105 options->use_dns = -1;
3c0ef626 106 options->client_alive_interval = -1;
107 options->client_alive_count_max = -1;
108 options->authorized_keys_file = NULL;
109 options->authorized_keys_file2 = NULL;
2980ea68 110
111 /* Needs to be accessable in many places */
112 use_privsep = -1;
3c0ef626 113}
114
115void
116fill_default_server_options(ServerOptions *options)
117{
118 /* Portable-specific options */
70791e56 119 if (options->use_pam == -1)
120 options->use_pam = 0;
3c0ef626 121
122 /* Standard Options */
123 if (options->protocol == SSH_PROTO_UNKNOWN)
124 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
125 if (options->num_host_key_files == 0) {
126 /* fill default hostkeys for protocols */
127 if (options->protocol & SSH_PROTO_1)
e9a17296 128 options->host_key_files[options->num_host_key_files++] =
129 _PATH_HOST_KEY_FILE;
130 if (options->protocol & SSH_PROTO_2) {
131 options->host_key_files[options->num_host_key_files++] =
132 _PATH_HOST_RSA_KEY_FILE;
133 options->host_key_files[options->num_host_key_files++] =
134 _PATH_HOST_DSA_KEY_FILE;
135 }
3c0ef626 136 }
137 if (options->num_ports == 0)
138 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
139 if (options->listen_addrs == NULL)
140 add_listen_addr(options, NULL, 0);
141 if (options->pid_file == NULL)
142 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
143 if (options->server_key_bits == -1)
144 options->server_key_bits = 768;
145 if (options->login_grace_time == -1)
e54b3d7c 146 options->login_grace_time = 120;
3c0ef626 147 if (options->key_regeneration_time == -1)
148 options->key_regeneration_time = 3600;
149 if (options->permit_root_login == PERMIT_NOT_SET)
150 options->permit_root_login = PERMIT_YES;
151 if (options->ignore_rhosts == -1)
152 options->ignore_rhosts = 1;
153 if (options->ignore_user_known_hosts == -1)
154 options->ignore_user_known_hosts = 0;
155 if (options->print_motd == -1)
156 options->print_motd = 1;
157 if (options->print_lastlog == -1)
158 options->print_lastlog = 1;
159 if (options->x11_forwarding == -1)
160 options->x11_forwarding = 0;
161 if (options->x11_display_offset == -1)
162 options->x11_display_offset = 10;
e9a17296 163 if (options->x11_use_localhost == -1)
164 options->x11_use_localhost = 1;
3c0ef626 165 if (options->xauth_location == NULL)
166 options->xauth_location = _PATH_XAUTH;
3c0ef626 167 if (options->strict_modes == -1)
168 options->strict_modes = 1;
169 if (options->keepalives == -1)
170 options->keepalives = 1;
e9a17296 171 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 172 options->log_facility = SYSLOG_FACILITY_AUTH;
e9a17296 173 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 174 options->log_level = SYSLOG_LEVEL_INFO;
3c0ef626 175 if (options->rhosts_rsa_authentication == -1)
176 options->rhosts_rsa_authentication = 0;
177 if (options->hostbased_authentication == -1)
178 options->hostbased_authentication = 0;
179 if (options->hostbased_uses_name_from_packet_only == -1)
180 options->hostbased_uses_name_from_packet_only = 0;
181 if (options->rsa_authentication == -1)
182 options->rsa_authentication = 1;
183 if (options->pubkey_authentication == -1)
184 options->pubkey_authentication = 1;
70791e56 185 if (options->kerberos_authentication == -1)
186 options->kerberos_authentication = 0;
187 if (options->kerberos_or_local_passwd == -1)
188 options->kerberos_or_local_passwd = 1;
189 if (options->kerberos_ticket_cleanup == -1)
190 options->kerberos_ticket_cleanup = 1;
b9a54c29 191 if (options->gss_authentication == -1)
192 options->gss_authentication = 1;
193 if (options->gss_keyex == -1)
70791e56 194 options->gss_keyex = 1;
b9a54c29 195 if (options->gss_use_session_ccache == -1)
196 options->gss_use_session_ccache = 1;
197 if (options->gss_cleanup_creds == -1)
198 options->gss_cleanup_creds = 1;
3c0ef626 199 if (options->password_authentication == -1)
200 options->password_authentication = 1;
201 if (options->kbd_interactive_authentication == -1)
202 options->kbd_interactive_authentication = 0;
203 if (options->challenge_response_authentication == -1)
204 options->challenge_response_authentication = 1;
205 if (options->permit_empty_passwd == -1)
206 options->permit_empty_passwd = 0;
e54b3d7c 207 if (options->permit_user_env == -1)
208 options->permit_user_env = 0;
3c0ef626 209 if (options->use_login == -1)
210 options->use_login = 0;
ff2d7a98 211 if (options->compression == -1)
212 options->compression = 1;
3c0ef626 213 if (options->allow_tcp_forwarding == -1)
214 options->allow_tcp_forwarding = 1;
215 if (options->gateway_ports == -1)
216 options->gateway_ports = 0;
217 if (options->max_startups == -1)
218 options->max_startups = 10;
219 if (options->max_startups_rate == -1)
220 options->max_startups_rate = 100; /* 100% */
221 if (options->max_startups_begin == -1)
222 options->max_startups_begin = options->max_startups;
70791e56 223 if (options->use_dns == -1)
224 options->use_dns = 1;
3c0ef626 225 if (options->client_alive_interval == -1)
e9a17296 226 options->client_alive_interval = 0;
3c0ef626 227 if (options->client_alive_count_max == -1)
228 options->client_alive_count_max = 3;
229 if (options->authorized_keys_file2 == NULL) {
230 /* authorized_keys_file2 falls back to authorized_keys_file */
231 if (options->authorized_keys_file != NULL)
232 options->authorized_keys_file2 = options->authorized_keys_file;
233 else
234 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
235 }
236 if (options->authorized_keys_file == NULL)
237 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
2980ea68 238
ff2d7a98 239 /* Turn privilege separation on by default */
2980ea68 240 if (use_privsep == -1)
ff2d7a98 241 use_privsep = 1;
242
e54b3d7c 243#ifndef HAVE_MMAP
ff2d7a98 244 if (use_privsep && options->compression == 1) {
245 error("This platform does not support both privilege "
246 "separation and compression");
247 error("Compression disabled");
248 options->compression = 0;
249 }
250#endif
251
3c0ef626 252}
253
254/* Keyword tokens. */
255typedef enum {
256 sBadOption, /* == unknown option */
257 /* Portable-specific options */
70791e56 258 sUsePAM,
3c0ef626 259 /* Standard Options */
260 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
261 sPermitRootLogin, sLogFacility, sLogLevel,
70791e56 262 sRhostsRSAAuthentication, sRSAAuthentication,
3c0ef626 263 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
70791e56 264 sKerberosTgtPassing, sChallengeResponseAuthentication,
88928908 265#ifdef SESSION_HOOKS
266 sAllowSessionHooks, sSessionHookStartupCmd, sSessionHookShutdownCmd,
3c0ef626 267#endif
3c0ef626 268 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
269 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9a17296 270 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
3c0ef626 271 sStrictModes, sEmptyPasswd, sKeepAlives,
e54b3d7c 272 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
3c0ef626 273 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
274 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
275 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
70791e56 276 sBanner, sUseDNS, sHostbasedAuthentication,
e9a17296 277 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 278 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
70791e56 279 sGssAuthentication, sGssKeyEx, sGssUseSessionCredCache, sGssCleanupCreds,
2980ea68 280 sUsePrivilegeSeparation,
70791e56 281 sDeprecated, sUnsupported
3c0ef626 282} ServerOpCodes;
283
284/* Textual representation of the tokens. */
285static struct {
286 const char *name;
287 ServerOpCodes opcode;
288} keywords[] = {
289 /* Portable-specific options */
70791e56 290#ifdef USE_PAM
291 { "usepam", sUsePAM },
292#else
293 { "usepam", sUnsupported },
294#endif
295 { "pamauthenticationviakbdint", sDeprecated },
3c0ef626 296 /* Standard Options */
297 { "port", sPort },
298 { "hostkey", sHostKeyFile },
299 { "hostdsakey", sHostKeyFile }, /* alias */
300 { "pidfile", sPidFile },
301 { "serverkeybits", sServerKeyBits },
302 { "logingracetime", sLoginGraceTime },
303 { "keyregenerationinterval", sKeyRegenerationTime },
304 { "permitrootlogin", sPermitRootLogin },
305 { "syslogfacility", sLogFacility },
306 { "loglevel", sLogLevel },
70791e56 307 { "rhostsauthentication", sDeprecated },
3c0ef626 308 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
309 { "hostbasedauthentication", sHostbasedAuthentication },
310 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
311 { "rsaauthentication", sRSAAuthentication },
312 { "pubkeyauthentication", sPubkeyAuthentication },
313 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
70791e56 314#ifdef KRB5
315 { "kerberosauthentication", sKerberosAuthentication },
316 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
317 { "kerberosticketcleanup", sKerberosTicketCleanup },
318#else
319 { "kerberosauthentication", sUnsupported },
320 { "kerberosorlocalpasswd", sUnsupported },
321 { "kerberosticketcleanup", sUnsupported },
322#endif
323 { "kerberostgtpassing", sUnsupported },
324 { "afstokenpassing", sUnsupported },
b9a54c29 325#ifdef GSSAPI
326 { "gssapiauthentication", sGssAuthentication },
327 { "gssapikeyexchange", sGssKeyEx },
328 { "gssusesessionccache", sGssUseSessionCredCache },
329 { "gssapiusesessioncredcache", sGssUseSessionCredCache },
330 { "gssapicleanupcreds", sGssCleanupCreds },
70791e56 331#else
332 { "gssapiauthentication", sUnsupported },
333 { "gssapikeyexchange", sUnsupported },
334 { "gssusesessionccache", sUnsupported },
335 { "gssapiusesessioncredcache", sUnsupported },
336 { "gssapicleanupcreds", sUnsupported },
3c0ef626 337#endif
88928908 338#ifdef SESSION_HOOKS
339 { "allowsessionhooks", sAllowSessionHooks },
340 { "sessionhookstartupcmd", sSessionHookStartupCmd },
341 { "sessionhookshutdowncmd", sSessionHookShutdownCmd },
342#endif
3c0ef626 343 { "passwordauthentication", sPasswordAuthentication },
344 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
345 { "challengeresponseauthentication", sChallengeResponseAuthentication },
346 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
347 { "checkmail", sDeprecated },
348 { "listenaddress", sListenAddress },
349 { "printmotd", sPrintMotd },
350 { "printlastlog", sPrintLastLog },
351 { "ignorerhosts", sIgnoreRhosts },
352 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
353 { "x11forwarding", sX11Forwarding },
354 { "x11displayoffset", sX11DisplayOffset },
e9a17296 355 { "x11uselocalhost", sX11UseLocalhost },
3c0ef626 356 { "xauthlocation", sXAuthLocation },
357 { "strictmodes", sStrictModes },
358 { "permitemptypasswords", sEmptyPasswd },
e54b3d7c 359 { "permituserenvironment", sPermitUserEnvironment },
3c0ef626 360 { "uselogin", sUseLogin },
ff2d7a98 361 { "compression", sCompression },
3c0ef626 362 { "keepalive", sKeepAlives },
363 { "allowtcpforwarding", sAllowTcpForwarding },
364 { "allowusers", sAllowUsers },
365 { "denyusers", sDenyUsers },
366 { "allowgroups", sAllowGroups },
367 { "denygroups", sDenyGroups },
368 { "ciphers", sCiphers },
369 { "macs", sMacs },
370 { "protocol", sProtocol },
371 { "gatewayports", sGatewayPorts },
372 { "subsystem", sSubsystem },
373 { "maxstartups", sMaxStartups },
374 { "banner", sBanner },
70791e56 375 { "usedns", sUseDNS },
376 { "verifyreversemapping", sDeprecated },
377 { "reversemappingcheck", sDeprecated },
3c0ef626 378 { "clientaliveinterval", sClientAliveInterval },
379 { "clientalivecountmax", sClientAliveCountMax },
380 { "authorizedkeysfile", sAuthorizedKeysFile },
381 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
2980ea68 382 { "useprivilegeseparation", sUsePrivilegeSeparation},
e9a17296 383 { NULL, sBadOption }
3c0ef626 384};
385
386/*
387 * Returns the number of the token pointed to by cp or sBadOption.
388 */
389
390static ServerOpCodes
391parse_token(const char *cp, const char *filename,
392 int linenum)
393{
394 u_int i;
395
396 for (i = 0; keywords[i].name; i++)
397 if (strcasecmp(cp, keywords[i].name) == 0)
398 return keywords[i].opcode;
399
400 error("%s: line %d: Bad configuration option: %s",
401 filename, linenum, cp);
402 return sBadOption;
403}
404
405static void
406add_listen_addr(ServerOptions *options, char *addr, u_short port)
407{
408 int i;
409
410 if (options->num_ports == 0)
411 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
412 if (port == 0)
413 for (i = 0; i < options->num_ports; i++)
414 add_one_listen_addr(options, addr, options->ports[i]);
415 else
416 add_one_listen_addr(options, addr, port);
417}
418
419static void
420add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
421{
422 struct addrinfo hints, *ai, *aitop;
423 char strport[NI_MAXSERV];
424 int gaierr;
425
426 memset(&hints, 0, sizeof(hints));
427 hints.ai_family = IPv4or6;
428 hints.ai_socktype = SOCK_STREAM;
429 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
ff2d7a98 430 snprintf(strport, sizeof strport, "%u", port);
3c0ef626 431 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
432 fatal("bad addr or host: %s (%s)",
433 addr ? addr : "<NULL>",
434 gai_strerror(gaierr));
435 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
436 ;
437 ai->ai_next = options->listen_addrs;
438 options->listen_addrs = aitop;
439}
440
e9a17296 441int
442process_server_config_line(ServerOptions *options, char *line,
443 const char *filename, int linenum)
3c0ef626 444{
3c0ef626 445 char *cp, **charptr, *arg, *p;
ff2d7a98 446 int *intptr, value, i, n;
3c0ef626 447 ServerOpCodes opcode;
3c0ef626 448
e9a17296 449 cp = line;
450 arg = strdelim(&cp);
451 /* Ignore leading whitespace */
452 if (*arg == '\0')
3c0ef626 453 arg = strdelim(&cp);
e9a17296 454 if (!arg || !*arg || *arg == '#')
455 return 0;
456 intptr = NULL;
457 charptr = NULL;
458 opcode = parse_token(arg, filename, linenum);
459 switch (opcode) {
460 /* Portable-specific options */
70791e56 461 case sUsePAM:
462 intptr = &options->use_pam;
e9a17296 463 goto parse_flag;
3c0ef626 464
e9a17296 465 /* Standard Options */
466 case sBadOption:
467 return -1;
468 case sPort:
469 /* ignore ports from configfile if cmdline specifies ports */
470 if (options->ports_from_cmdline)
471 return 0;
472 if (options->listen_addrs != NULL)
473 fatal("%s line %d: ports must be specified before "
474 "ListenAddress.", filename, linenum);
475 if (options->num_ports >= MAX_PORTS)
476 fatal("%s line %d: too many ports.",
477 filename, linenum);
478 arg = strdelim(&cp);
479 if (!arg || *arg == '\0')
480 fatal("%s line %d: missing port number.",
481 filename, linenum);
482 options->ports[options->num_ports++] = a2port(arg);
483 if (options->ports[options->num_ports-1] == 0)
484 fatal("%s line %d: Badly formatted port number.",
485 filename, linenum);
486 break;
487
488 case sServerKeyBits:
489 intptr = &options->server_key_bits;
3c0ef626 490parse_int:
e9a17296 491 arg = strdelim(&cp);
492 if (!arg || *arg == '\0')
493 fatal("%s line %d: missing integer value.",
494 filename, linenum);
495 value = atoi(arg);
496 if (*intptr == -1)
497 *intptr = value;
498 break;
499
500 case sLoginGraceTime:
501 intptr = &options->login_grace_time;
3c0ef626 502parse_time:
e9a17296 503 arg = strdelim(&cp);
504 if (!arg || *arg == '\0')
505 fatal("%s line %d: missing time value.",
506 filename, linenum);
507 if ((value = convtime(arg)) == -1)
508 fatal("%s line %d: invalid time value.",
509 filename, linenum);
510 if (*intptr == -1)
511 *intptr = value;
512 break;
513
514 case sKeyRegenerationTime:
515 intptr = &options->key_regeneration_time;
516 goto parse_time;
517
518 case sListenAddress:
519 arg = strdelim(&cp);
520 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
521 fatal("%s line %d: missing inet addr.",
522 filename, linenum);
523 if (*arg == '[') {
524 if ((p = strchr(arg, ']')) == NULL)
525 fatal("%s line %d: bad ipv6 inet addr usage.",
3c0ef626 526 filename, linenum);
e9a17296 527 arg++;
528 memmove(p, p+1, strlen(p+1)+1);
529 } else if (((p = strchr(arg, ':')) == NULL) ||
530 (strchr(p+1, ':') != NULL)) {
531 add_listen_addr(options, arg, 0);
3c0ef626 532 break;
e9a17296 533 }
534 if (*p == ':') {
535 u_short port;
3c0ef626 536
e9a17296 537 p++;
538 if (*p == '\0')
539 fatal("%s line %d: bad inet addr:port usage.",
3c0ef626 540 filename, linenum);
e9a17296 541 else {
542 *(p-1) = '\0';
543 if ((port = a2port(p)) == 0)
544 fatal("%s line %d: bad port number.",
3c0ef626 545 filename, linenum);
e9a17296 546 add_listen_addr(options, arg, port);
3c0ef626 547 }
e9a17296 548 } else if (*p == '\0')
549 add_listen_addr(options, arg, 0);
550 else
551 fatal("%s line %d: bad inet addr usage.",
552 filename, linenum);
553 break;
554
555 case sHostKeyFile:
556 intptr = &options->num_host_key_files;
557 if (*intptr >= MAX_HOSTKEYS)
558 fatal("%s line %d: too many host keys specified (max %d).",
559 filename, linenum, MAX_HOSTKEYS);
560 charptr = &options->host_key_files[*intptr];
3c0ef626 561parse_filename:
e9a17296 562 arg = strdelim(&cp);
563 if (!arg || *arg == '\0')
564 fatal("%s line %d: missing file name.",
565 filename, linenum);
566 if (*charptr == NULL) {
567 *charptr = tilde_expand_filename(arg, getuid());
568 /* increase optional counter */
569 if (intptr != NULL)
570 *intptr = *intptr + 1;
571 }
572 break;
3c0ef626 573
e9a17296 574 case sPidFile:
575 charptr = &options->pid_file;
576 goto parse_filename;
3c0ef626 577
e9a17296 578 case sPermitRootLogin:
579 intptr = &options->permit_root_login;
580 arg = strdelim(&cp);
581 if (!arg || *arg == '\0')
582 fatal("%s line %d: missing yes/"
583 "without-password/forced-commands-only/no "
584 "argument.", filename, linenum);
585 value = 0; /* silence compiler */
586 if (strcmp(arg, "without-password") == 0)
587 value = PERMIT_NO_PASSWD;
588 else if (strcmp(arg, "forced-commands-only") == 0)
589 value = PERMIT_FORCED_ONLY;
590 else if (strcmp(arg, "yes") == 0)
591 value = PERMIT_YES;
592 else if (strcmp(arg, "no") == 0)
593 value = PERMIT_NO;
594 else
595 fatal("%s line %d: Bad yes/"
596 "without-password/forced-commands-only/no "
597 "argument: %s", filename, linenum, arg);
598 if (*intptr == -1)
599 *intptr = value;
600 break;
601
602 case sIgnoreRhosts:
603 intptr = &options->ignore_rhosts;
3c0ef626 604parse_flag:
e9a17296 605 arg = strdelim(&cp);
606 if (!arg || *arg == '\0')
607 fatal("%s line %d: missing yes/no argument.",
608 filename, linenum);
609 value = 0; /* silence compiler */
610 if (strcmp(arg, "yes") == 0)
611 value = 1;
612 else if (strcmp(arg, "no") == 0)
613 value = 0;
614 else
615 fatal("%s line %d: Bad yes/no argument: %s",
616 filename, linenum, arg);
617 if (*intptr == -1)
618 *intptr = value;
619 break;
620
621 case sIgnoreUserKnownHosts:
622 intptr = &options->ignore_user_known_hosts;
623 goto parse_flag;
624
e9a17296 625 case sRhostsRSAAuthentication:
626 intptr = &options->rhosts_rsa_authentication;
627 goto parse_flag;
628
629 case sHostbasedAuthentication:
630 intptr = &options->hostbased_authentication;
631 goto parse_flag;
632
633 case sHostbasedUsesNameFromPacketOnly:
634 intptr = &options->hostbased_uses_name_from_packet_only;
635 goto parse_flag;
636
637 case sRSAAuthentication:
638 intptr = &options->rsa_authentication;
639 goto parse_flag;
640
641 case sPubkeyAuthentication:
642 intptr = &options->pubkey_authentication;
643 goto parse_flag;
70791e56 644
e9a17296 645 case sKerberosAuthentication:
646 intptr = &options->kerberos_authentication;
647 goto parse_flag;
3c0ef626 648
e9a17296 649 case sKerberosOrLocalPasswd:
650 intptr = &options->kerberos_or_local_passwd;
651 goto parse_flag;
3c0ef626 652
e9a17296 653 case sKerberosTicketCleanup:
654 intptr = &options->kerberos_ticket_cleanup;
655 goto parse_flag;
70791e56 656
657 case sGssAuthentication:
658 intptr = &options->gss_authentication;
e9a17296 659 goto parse_flag;
70791e56 660
661 case sGssKeyEx:
662 intptr = &options->gss_keyex;
e9a17296 663 goto parse_flag;
70791e56 664
665 case sGssUseSessionCredCache:
666 intptr = &options->gss_use_session_ccache;
667 goto parse_flag;
668
669 case sGssCleanupCreds:
670 intptr = &options->gss_cleanup_creds;
671 goto parse_flag;
672
88928908 673#ifdef SESSION_HOOKS
674 case sAllowSessionHooks:
675 intptr = &options->session_hooks_allow;
676 goto parse_flag;
677 case sSessionHookStartupCmd:
678 case sSessionHookShutdownCmd:
679 arg = strdelim(&cp);
680 if (!arg || *arg == '\0')
681 fatal("%s line %d: empty session hook command",
682 filename, linenum);
683 if (opcode==sSessionHookStartupCmd)
684 options->session_hooks_startup_cmd = strdup(arg);
685 else
686 options->session_hooks_shutdown_cmd = strdup(arg);
687 break;
688#endif
70791e56 689
e9a17296 690 case sPasswordAuthentication:
691 intptr = &options->password_authentication;
692 goto parse_flag;
3c0ef626 693
e9a17296 694 case sKbdInteractiveAuthentication:
695 intptr = &options->kbd_interactive_authentication;
696 goto parse_flag;
3c0ef626 697
e9a17296 698 case sChallengeResponseAuthentication:
699 intptr = &options->challenge_response_authentication;
700 goto parse_flag;
3c0ef626 701
e9a17296 702 case sPrintMotd:
703 intptr = &options->print_motd;
704 goto parse_flag;
3c0ef626 705
e9a17296 706 case sPrintLastLog:
707 intptr = &options->print_lastlog;
708 goto parse_flag;
3c0ef626 709
e9a17296 710 case sX11Forwarding:
711 intptr = &options->x11_forwarding;
712 goto parse_flag;
3c0ef626 713
e9a17296 714 case sX11DisplayOffset:
715 intptr = &options->x11_display_offset;
716 goto parse_int;
3c0ef626 717
e9a17296 718 case sX11UseLocalhost:
719 intptr = &options->x11_use_localhost;
720 goto parse_flag;
3c0ef626 721
e9a17296 722 case sXAuthLocation:
723 charptr = &options->xauth_location;
724 goto parse_filename;
3c0ef626 725
e9a17296 726 case sStrictModes:
727 intptr = &options->strict_modes;
728 goto parse_flag;
3c0ef626 729
e9a17296 730 case sKeepAlives:
731 intptr = &options->keepalives;
732 goto parse_flag;
3c0ef626 733
e9a17296 734 case sEmptyPasswd:
735 intptr = &options->permit_empty_passwd;
736 goto parse_flag;
3c0ef626 737
e54b3d7c 738 case sPermitUserEnvironment:
739 intptr = &options->permit_user_env;
740 goto parse_flag;
741
e9a17296 742 case sUseLogin:
743 intptr = &options->use_login;
744 goto parse_flag;
3c0ef626 745
ff2d7a98 746 case sCompression:
747 intptr = &options->compression;
748 goto parse_flag;
749
e9a17296 750 case sGatewayPorts:
751 intptr = &options->gateway_ports;
752 goto parse_flag;
3c0ef626 753
70791e56 754 case sUseDNS:
755 intptr = &options->use_dns;
e9a17296 756 goto parse_flag;
3c0ef626 757
e9a17296 758 case sLogFacility:
759 intptr = (int *) &options->log_facility;
760 arg = strdelim(&cp);
761 value = log_facility_number(arg);
762 if (value == SYSLOG_FACILITY_NOT_SET)
763 fatal("%.200s line %d: unsupported log facility '%s'",
764 filename, linenum, arg ? arg : "<NONE>");
765 if (*intptr == -1)
766 *intptr = (SyslogFacility) value;
767 break;
768
769 case sLogLevel:
770 intptr = (int *) &options->log_level;
771 arg = strdelim(&cp);
772 value = log_level_number(arg);
773 if (value == SYSLOG_LEVEL_NOT_SET)
774 fatal("%.200s line %d: unsupported log level '%s'",
775 filename, linenum, arg ? arg : "<NONE>");
776 if (*intptr == -1)
777 *intptr = (LogLevel) value;
778 break;
779
780 case sAllowTcpForwarding:
781 intptr = &options->allow_tcp_forwarding;
782 goto parse_flag;
783
2980ea68 784 case sUsePrivilegeSeparation:
785 intptr = &use_privsep;
786 goto parse_flag;
787
e9a17296 788 case sAllowUsers:
789 while ((arg = strdelim(&cp)) && *arg != '\0') {
790 if (options->num_allow_users >= MAX_ALLOW_USERS)
791 fatal("%s line %d: too many allow users.",
792 filename, linenum);
ff2d7a98 793 options->allow_users[options->num_allow_users++] =
794 xstrdup(arg);
e9a17296 795 }
796 break;
3c0ef626 797
e9a17296 798 case sDenyUsers:
799 while ((arg = strdelim(&cp)) && *arg != '\0') {
800 if (options->num_deny_users >= MAX_DENY_USERS)
801 fatal( "%s line %d: too many deny users.",
802 filename, linenum);
ff2d7a98 803 options->deny_users[options->num_deny_users++] =
804 xstrdup(arg);
e9a17296 805 }
806 break;
3c0ef626 807
e9a17296 808 case sAllowGroups:
809 while ((arg = strdelim(&cp)) && *arg != '\0') {
810 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
811 fatal("%s line %d: too many allow groups.",
812 filename, linenum);
ff2d7a98 813 options->allow_groups[options->num_allow_groups++] =
814 xstrdup(arg);
e9a17296 815 }
816 break;
3c0ef626 817
e9a17296 818 case sDenyGroups:
819 while ((arg = strdelim(&cp)) && *arg != '\0') {
820 if (options->num_deny_groups >= MAX_DENY_GROUPS)
821 fatal("%s line %d: too many deny groups.",
822 filename, linenum);
823 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
824 }
825 break;
826
827 case sCiphers:
828 arg = strdelim(&cp);
829 if (!arg || *arg == '\0')
830 fatal("%s line %d: Missing argument.", filename, linenum);
831 if (!ciphers_valid(arg))
832 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
833 filename, linenum, arg ? arg : "<NONE>");
834 if (options->ciphers == NULL)
835 options->ciphers = xstrdup(arg);
836 break;
837
838 case sMacs:
839 arg = strdelim(&cp);
840 if (!arg || *arg == '\0')
841 fatal("%s line %d: Missing argument.", filename, linenum);
842 if (!mac_valid(arg))
843 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
844 filename, linenum, arg ? arg : "<NONE>");
845 if (options->macs == NULL)
846 options->macs = xstrdup(arg);
847 break;
848
849 case sProtocol:
850 intptr = &options->protocol;
851 arg = strdelim(&cp);
852 if (!arg || *arg == '\0')
853 fatal("%s line %d: Missing argument.", filename, linenum);
854 value = proto_spec(arg);
855 if (value == SSH_PROTO_UNKNOWN)
856 fatal("%s line %d: Bad protocol spec '%s'.",
857 filename, linenum, arg ? arg : "<NONE>");
858 if (*intptr == SSH_PROTO_UNKNOWN)
859 *intptr = value;
860 break;
861
862 case sSubsystem:
863 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
864 fatal("%s line %d: too many subsystems defined.",
865 filename, linenum);
866 }
867 arg = strdelim(&cp);
868 if (!arg || *arg == '\0')
869 fatal("%s line %d: Missing subsystem name.",
870 filename, linenum);
871 for (i = 0; i < options->num_subsystems; i++)
872 if (strcmp(arg, options->subsystem_name[i]) == 0)
873 fatal("%s line %d: Subsystem '%s' already defined.",
874 filename, linenum, arg);
875 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
876 arg = strdelim(&cp);
877 if (!arg || *arg == '\0')
878 fatal("%s line %d: Missing subsystem command.",
879 filename, linenum);
880 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
881 options->num_subsystems++;
882 break;
883
884 case sMaxStartups:
885 arg = strdelim(&cp);
886 if (!arg || *arg == '\0')
887 fatal("%s line %d: Missing MaxStartups spec.",
888 filename, linenum);
889 if ((n = sscanf(arg, "%d:%d:%d",
890 &options->max_startups_begin,
891 &options->max_startups_rate,
892 &options->max_startups)) == 3) {
893 if (options->max_startups_begin >
894 options->max_startups ||
895 options->max_startups_rate > 100 ||
896 options->max_startups_rate < 1)
3c0ef626 897 fatal("%s line %d: Illegal MaxStartups spec.",
898 filename, linenum);
e9a17296 899 } else if (n != 1)
900 fatal("%s line %d: Illegal MaxStartups spec.",
901 filename, linenum);
902 else
903 options->max_startups = options->max_startups_begin;
904 break;
905
906 case sBanner:
907 charptr = &options->banner;
908 goto parse_filename;
909 /*
910 * These options can contain %X options expanded at
911 * connect time, so that you can specify paths like:
912 *
913 * AuthorizedKeysFile /etc/ssh_keys/%u
914 */
915 case sAuthorizedKeysFile:
916 case sAuthorizedKeysFile2:
917 charptr = (opcode == sAuthorizedKeysFile ) ?
918 &options->authorized_keys_file :
919 &options->authorized_keys_file2;
920 goto parse_filename;
921
922 case sClientAliveInterval:
923 intptr = &options->client_alive_interval;
924 goto parse_time;
925
926 case sClientAliveCountMax:
927 intptr = &options->client_alive_count_max;
928 goto parse_int;
929
930 case sDeprecated:
70791e56 931 logit("%s line %d: Deprecated option %s",
932 filename, linenum, arg);
933 while (arg)
934 arg = strdelim(&cp);
935 break;
936
937 case sUnsupported:
938 logit("%s line %d: Unsupported option %s",
e9a17296 939 filename, linenum, arg);
940 while (arg)
941 arg = strdelim(&cp);
942 break;
943
944 default:
945 fatal("%s line %d: Missing handler for opcode %s (%d)",
946 filename, linenum, arg, opcode);
947 }
948 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
949 fatal("%s line %d: garbage at end of line; \"%.200s\".",
950 filename, linenum, arg);
951 return 0;
952}
3c0ef626 953
e9a17296 954/* Reads the server configuration file. */
3c0ef626 955
e9a17296 956void
957read_server_config(ServerOptions *options, const char *filename)
958{
ff2d7a98 959 int linenum, bad_options = 0;
e9a17296 960 char line[1024];
ff2d7a98 961 FILE *f;
e9a17296 962
1c14df9e 963 debug2("read_server_config: filename %s", filename);
e9a17296 964 f = fopen(filename, "r");
965 if (!f) {
966 perror(filename);
967 exit(1);
968 }
969 linenum = 0;
970 while (fgets(line, sizeof(line), f)) {
971 /* Update line number counter. */
972 linenum++;
973 if (process_server_config_line(options, line, filename, linenum) != 0)
974 bad_options++;
3c0ef626 975 }
976 fclose(f);
977 if (bad_options > 0)
978 fatal("%s: terminating, %d bad configuration options",
979 filename, bad_options);
980}
git-cvsimport mirror of GSI OpenSSH
This page took 0.209341 seconds and 5 git commands to generate.