]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
should have been ignored by cvs
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
6a9b3198 13RCSID("$OpenBSD: servconf.c,v 1.116 2003/02/21 09:05:53 markus Exp $");
3c0ef626 14
700318f3 15#if defined(KRB4)
16#include <krb.h>
17#endif
18#if defined(KRB5)
19#ifdef HEIMDAL
3c0ef626 20#include <krb.h>
700318f3 21#else
22/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
23 * keytab */
24#define KEYFILE "/etc/krb5.keytab"
25#endif
3c0ef626 26#endif
27#ifdef AFS
28#include <kafs.h>
29#endif
30
31#include "ssh.h"
32#include "log.h"
33#include "servconf.h"
34#include "xmalloc.h"
35#include "compat.h"
36#include "pathnames.h"
37#include "tildexpand.h"
38#include "misc.h"
39#include "cipher.h"
40#include "kex.h"
41#include "mac.h"
42
43static void add_listen_addr(ServerOptions *, char *, u_short);
44static void add_one_listen_addr(ServerOptions *, char *, u_short);
45
46/* AF_UNSPEC or AF_INET or AF_INET6 */
47extern int IPv4or6;
700318f3 48/* Use of privilege separation or not */
49extern int use_privsep;
3c0ef626 50
51/* Initializes the server options to their default values. */
52
53void
54initialize_server_options(ServerOptions *options)
55{
56 memset(options, 0, sizeof(*options));
57
58 /* Portable-specific options */
59 options->pam_authentication_via_kbd_int = -1;
60
61 /* Standard Options */
62 options->num_ports = 0;
63 options->ports_from_cmdline = 0;
64 options->listen_addrs = NULL;
65 options->num_host_key_files = 0;
66 options->pid_file = NULL;
67 options->server_key_bits = -1;
68 options->login_grace_time = -1;
69 options->key_regeneration_time = -1;
70 options->permit_root_login = PERMIT_NOT_SET;
71 options->ignore_rhosts = -1;
72 options->ignore_user_known_hosts = -1;
73 options->print_motd = -1;
74 options->print_lastlog = -1;
75 options->x11_forwarding = -1;
76 options->x11_display_offset = -1;
e9a17296 77 options->x11_use_localhost = -1;
3c0ef626 78 options->xauth_location = NULL;
79 options->strict_modes = -1;
80 options->keepalives = -1;
e9a17296 81 options->log_facility = SYSLOG_FACILITY_NOT_SET;
82 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 83 options->rhosts_authentication = -1;
84 options->rhosts_rsa_authentication = -1;
85 options->hostbased_authentication = -1;
86 options->hostbased_uses_name_from_packet_only = -1;
87 options->rsa_authentication = -1;
88 options->pubkey_authentication = -1;
89#if defined(KRB4) || defined(KRB5)
90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
93#endif
94#if defined(AFS) || defined(KRB5)
95 options->kerberos_tgt_passing = -1;
96#endif
97#ifdef AFS
98 options->afs_token_passing = -1;
99#endif
100 options->password_authentication = -1;
101 options->kbd_interactive_authentication = -1;
102 options->challenge_response_authentication = -1;
103 options->permit_empty_passwd = -1;
41b2f314 104 options->permit_user_env = -1;
3c0ef626 105 options->use_login = -1;
f5799ae1 106 options->compression = -1;
3c0ef626 107 options->allow_tcp_forwarding = -1;
108 options->num_allow_users = 0;
109 options->num_deny_users = 0;
110 options->num_allow_groups = 0;
111 options->num_deny_groups = 0;
112 options->ciphers = NULL;
113 options->macs = NULL;
114 options->protocol = SSH_PROTO_UNKNOWN;
115 options->gateway_ports = -1;
116 options->num_subsystems = 0;
117 options->max_startups_begin = -1;
118 options->max_startups_rate = -1;
119 options->max_startups = -1;
120 options->banner = NULL;
e9a17296 121 options->verify_reverse_mapping = -1;
3c0ef626 122 options->client_alive_interval = -1;
123 options->client_alive_count_max = -1;
124 options->authorized_keys_file = NULL;
125 options->authorized_keys_file2 = NULL;
700318f3 126
127 /* Needs to be accessable in many places */
128 use_privsep = -1;
3c0ef626 129}
130
131void
132fill_default_server_options(ServerOptions *options)
133{
134 /* Portable-specific options */
135 if (options->pam_authentication_via_kbd_int == -1)
136 options->pam_authentication_via_kbd_int = 0;
137
138 /* Standard Options */
139 if (options->protocol == SSH_PROTO_UNKNOWN)
140 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
141 if (options->num_host_key_files == 0) {
142 /* fill default hostkeys for protocols */
143 if (options->protocol & SSH_PROTO_1)
e9a17296 144 options->host_key_files[options->num_host_key_files++] =
145 _PATH_HOST_KEY_FILE;
146 if (options->protocol & SSH_PROTO_2) {
147 options->host_key_files[options->num_host_key_files++] =
148 _PATH_HOST_RSA_KEY_FILE;
149 options->host_key_files[options->num_host_key_files++] =
150 _PATH_HOST_DSA_KEY_FILE;
151 }
3c0ef626 152 }
153 if (options->num_ports == 0)
154 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
155 if (options->listen_addrs == NULL)
156 add_listen_addr(options, NULL, 0);
157 if (options->pid_file == NULL)
158 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
159 if (options->server_key_bits == -1)
160 options->server_key_bits = 768;
161 if (options->login_grace_time == -1)
41b2f314 162 options->login_grace_time = 120;
3c0ef626 163 if (options->key_regeneration_time == -1)
164 options->key_regeneration_time = 3600;
165 if (options->permit_root_login == PERMIT_NOT_SET)
166 options->permit_root_login = PERMIT_YES;
167 if (options->ignore_rhosts == -1)
168 options->ignore_rhosts = 1;
169 if (options->ignore_user_known_hosts == -1)
170 options->ignore_user_known_hosts = 0;
171 if (options->print_motd == -1)
172 options->print_motd = 1;
173 if (options->print_lastlog == -1)
174 options->print_lastlog = 1;
175 if (options->x11_forwarding == -1)
176 options->x11_forwarding = 0;
177 if (options->x11_display_offset == -1)
178 options->x11_display_offset = 10;
e9a17296 179 if (options->x11_use_localhost == -1)
180 options->x11_use_localhost = 1;
3c0ef626 181 if (options->xauth_location == NULL)
182 options->xauth_location = _PATH_XAUTH;
3c0ef626 183 if (options->strict_modes == -1)
184 options->strict_modes = 1;
185 if (options->keepalives == -1)
186 options->keepalives = 1;
e9a17296 187 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 188 options->log_facility = SYSLOG_FACILITY_AUTH;
e9a17296 189 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 190 options->log_level = SYSLOG_LEVEL_INFO;
191 if (options->rhosts_authentication == -1)
192 options->rhosts_authentication = 0;
193 if (options->rhosts_rsa_authentication == -1)
194 options->rhosts_rsa_authentication = 0;
195 if (options->hostbased_authentication == -1)
196 options->hostbased_authentication = 0;
197 if (options->hostbased_uses_name_from_packet_only == -1)
198 options->hostbased_uses_name_from_packet_only = 0;
199 if (options->rsa_authentication == -1)
200 options->rsa_authentication = 1;
201 if (options->pubkey_authentication == -1)
202 options->pubkey_authentication = 1;
203#if defined(KRB4) || defined(KRB5)
204 if (options->kerberos_authentication == -1)
700318f3 205 options->kerberos_authentication = 0;
3c0ef626 206 if (options->kerberos_or_local_passwd == -1)
207 options->kerberos_or_local_passwd = 1;
208 if (options->kerberos_ticket_cleanup == -1)
209 options->kerberos_ticket_cleanup = 1;
210#endif
211#if defined(AFS) || defined(KRB5)
212 if (options->kerberos_tgt_passing == -1)
213 options->kerberos_tgt_passing = 0;
214#endif
e9a17296 215#ifdef AFS
3c0ef626 216 if (options->afs_token_passing == -1)
700318f3 217 options->afs_token_passing = 0;
3c0ef626 218#endif
219 if (options->password_authentication == -1)
220 options->password_authentication = 1;
221 if (options->kbd_interactive_authentication == -1)
222 options->kbd_interactive_authentication = 0;
223 if (options->challenge_response_authentication == -1)
224 options->challenge_response_authentication = 1;
225 if (options->permit_empty_passwd == -1)
226 options->permit_empty_passwd = 0;
41b2f314 227 if (options->permit_user_env == -1)
228 options->permit_user_env = 0;
3c0ef626 229 if (options->use_login == -1)
230 options->use_login = 0;
f5799ae1 231 if (options->compression == -1)
232 options->compression = 1;
3c0ef626 233 if (options->allow_tcp_forwarding == -1)
234 options->allow_tcp_forwarding = 1;
235 if (options->gateway_ports == -1)
236 options->gateway_ports = 0;
237 if (options->max_startups == -1)
238 options->max_startups = 10;
239 if (options->max_startups_rate == -1)
240 options->max_startups_rate = 100; /* 100% */
241 if (options->max_startups_begin == -1)
242 options->max_startups_begin = options->max_startups;
e9a17296 243 if (options->verify_reverse_mapping == -1)
244 options->verify_reverse_mapping = 0;
3c0ef626 245 if (options->client_alive_interval == -1)
e9a17296 246 options->client_alive_interval = 0;
3c0ef626 247 if (options->client_alive_count_max == -1)
248 options->client_alive_count_max = 3;
249 if (options->authorized_keys_file2 == NULL) {
250 /* authorized_keys_file2 falls back to authorized_keys_file */
251 if (options->authorized_keys_file != NULL)
252 options->authorized_keys_file2 = options->authorized_keys_file;
253 else
254 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
255 }
256 if (options->authorized_keys_file == NULL)
257 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
700318f3 258
f5799ae1 259 /* Turn privilege separation on by default */
700318f3 260 if (use_privsep == -1)
f5799ae1 261 use_privsep = 1;
262
41b2f314 263#ifndef HAVE_MMAP
f5799ae1 264 if (use_privsep && options->compression == 1) {
265 error("This platform does not support both privilege "
266 "separation and compression");
267 error("Compression disabled");
268 options->compression = 0;
269 }
270#endif
271
3c0ef626 272}
273
274/* Keyword tokens. */
275typedef enum {
276 sBadOption, /* == unknown option */
277 /* Portable-specific options */
278 sPAMAuthenticationViaKbdInt,
279 /* Standard Options */
280 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
281 sPermitRootLogin, sLogFacility, sLogLevel,
282 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
283#if defined(KRB4) || defined(KRB5)
284 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
285#endif
286#if defined(AFS) || defined(KRB5)
287 sKerberosTgtPassing,
288#endif
289#ifdef AFS
290 sAFSTokenPassing,
291#endif
292 sChallengeResponseAuthentication,
293 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
294 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9a17296 295 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
3c0ef626 296 sStrictModes, sEmptyPasswd, sKeepAlives,
41b2f314 297 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
3c0ef626 298 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
299 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
300 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
e9a17296 301 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
302 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 303 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
700318f3 304 sUsePrivilegeSeparation,
e9a17296 305 sDeprecated
3c0ef626 306} ServerOpCodes;
307
308/* Textual representation of the tokens. */
309static struct {
310 const char *name;
311 ServerOpCodes opcode;
312} keywords[] = {
313 /* Portable-specific options */
314 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
315 /* Standard Options */
316 { "port", sPort },
317 { "hostkey", sHostKeyFile },
318 { "hostdsakey", sHostKeyFile }, /* alias */
319 { "pidfile", sPidFile },
320 { "serverkeybits", sServerKeyBits },
321 { "logingracetime", sLoginGraceTime },
322 { "keyregenerationinterval", sKeyRegenerationTime },
323 { "permitrootlogin", sPermitRootLogin },
324 { "syslogfacility", sLogFacility },
325 { "loglevel", sLogLevel },
326 { "rhostsauthentication", sRhostsAuthentication },
327 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
328 { "hostbasedauthentication", sHostbasedAuthentication },
329 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
330 { "rsaauthentication", sRSAAuthentication },
331 { "pubkeyauthentication", sPubkeyAuthentication },
332 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
333#if defined(KRB4) || defined(KRB5)
334 { "kerberosauthentication", sKerberosAuthentication },
335 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
336 { "kerberosticketcleanup", sKerberosTicketCleanup },
337#endif
338#if defined(AFS) || defined(KRB5)
339 { "kerberostgtpassing", sKerberosTgtPassing },
340#endif
341#ifdef AFS
342 { "afstokenpassing", sAFSTokenPassing },
343#endif
344 { "passwordauthentication", sPasswordAuthentication },
345 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
346 { "challengeresponseauthentication", sChallengeResponseAuthentication },
347 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
348 { "checkmail", sDeprecated },
349 { "listenaddress", sListenAddress },
350 { "printmotd", sPrintMotd },
351 { "printlastlog", sPrintLastLog },
352 { "ignorerhosts", sIgnoreRhosts },
353 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
354 { "x11forwarding", sX11Forwarding },
355 { "x11displayoffset", sX11DisplayOffset },
e9a17296 356 { "x11uselocalhost", sX11UseLocalhost },
3c0ef626 357 { "xauthlocation", sXAuthLocation },
358 { "strictmodes", sStrictModes },
359 { "permitemptypasswords", sEmptyPasswd },
41b2f314 360 { "permituserenvironment", sPermitUserEnvironment },
3c0ef626 361 { "uselogin", sUseLogin },
f5799ae1 362 { "compression", sCompression },
3c0ef626 363 { "keepalive", sKeepAlives },
364 { "allowtcpforwarding", sAllowTcpForwarding },
365 { "allowusers", sAllowUsers },
366 { "denyusers", sDenyUsers },
367 { "allowgroups", sAllowGroups },
368 { "denygroups", sDenyGroups },
369 { "ciphers", sCiphers },
370 { "macs", sMacs },
371 { "protocol", sProtocol },
372 { "gatewayports", sGatewayPorts },
373 { "subsystem", sSubsystem },
374 { "maxstartups", sMaxStartups },
375 { "banner", sBanner },
e9a17296 376 { "verifyreversemapping", sVerifyReverseMapping },
377 { "reversemappingcheck", sVerifyReverseMapping },
3c0ef626 378 { "clientaliveinterval", sClientAliveInterval },
379 { "clientalivecountmax", sClientAliveCountMax },
380 { "authorizedkeysfile", sAuthorizedKeysFile },
381 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
700318f3 382 { "useprivilegeseparation", sUsePrivilegeSeparation},
e9a17296 383 { NULL, sBadOption }
3c0ef626 384};
385
386/*
387 * Returns the number of the token pointed to by cp or sBadOption.
388 */
389
390static ServerOpCodes
391parse_token(const char *cp, const char *filename,
392 int linenum)
393{
394 u_int i;
395
396 for (i = 0; keywords[i].name; i++)
397 if (strcasecmp(cp, keywords[i].name) == 0)
398 return keywords[i].opcode;
399
400 error("%s: line %d: Bad configuration option: %s",
401 filename, linenum, cp);
402 return sBadOption;
403}
404
405static void
406add_listen_addr(ServerOptions *options, char *addr, u_short port)
407{
408 int i;
409
410 if (options->num_ports == 0)
411 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
412 if (port == 0)
413 for (i = 0; i < options->num_ports; i++)
414 add_one_listen_addr(options, addr, options->ports[i]);
415 else
416 add_one_listen_addr(options, addr, port);
417}
418
419static void
420add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
421{
422 struct addrinfo hints, *ai, *aitop;
423 char strport[NI_MAXSERV];
424 int gaierr;
425
426 memset(&hints, 0, sizeof(hints));
427 hints.ai_family = IPv4or6;
428 hints.ai_socktype = SOCK_STREAM;
429 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
680cee3b 430 snprintf(strport, sizeof strport, "%u", port);
3c0ef626 431 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
432 fatal("bad addr or host: %s (%s)",
433 addr ? addr : "<NULL>",
434 gai_strerror(gaierr));
435 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
436 ;
437 ai->ai_next = options->listen_addrs;
438 options->listen_addrs = aitop;
439}
440
e9a17296 441int
442process_server_config_line(ServerOptions *options, char *line,
443 const char *filename, int linenum)
3c0ef626 444{
3c0ef626 445 char *cp, **charptr, *arg, *p;
680cee3b 446 int *intptr, value, i, n;
3c0ef626 447 ServerOpCodes opcode;
3c0ef626 448
e9a17296 449 cp = line;
450 arg = strdelim(&cp);
451 /* Ignore leading whitespace */
452 if (*arg == '\0')
3c0ef626 453 arg = strdelim(&cp);
e9a17296 454 if (!arg || !*arg || *arg == '#')
455 return 0;
456 intptr = NULL;
457 charptr = NULL;
458 opcode = parse_token(arg, filename, linenum);
459 switch (opcode) {
460 /* Portable-specific options */
461 case sPAMAuthenticationViaKbdInt:
462 intptr = &options->pam_authentication_via_kbd_int;
463 goto parse_flag;
3c0ef626 464
e9a17296 465 /* Standard Options */
466 case sBadOption:
467 return -1;
468 case sPort:
469 /* ignore ports from configfile if cmdline specifies ports */
470 if (options->ports_from_cmdline)
471 return 0;
472 if (options->listen_addrs != NULL)
473 fatal("%s line %d: ports must be specified before "
474 "ListenAddress.", filename, linenum);
475 if (options->num_ports >= MAX_PORTS)
476 fatal("%s line %d: too many ports.",
477 filename, linenum);
478 arg = strdelim(&cp);
479 if (!arg || *arg == '\0')
480 fatal("%s line %d: missing port number.",
481 filename, linenum);
482 options->ports[options->num_ports++] = a2port(arg);
483 if (options->ports[options->num_ports-1] == 0)
484 fatal("%s line %d: Badly formatted port number.",
485 filename, linenum);
486 break;
487
488 case sServerKeyBits:
489 intptr = &options->server_key_bits;
3c0ef626 490parse_int:
e9a17296 491 arg = strdelim(&cp);
492 if (!arg || *arg == '\0')
493 fatal("%s line %d: missing integer value.",
494 filename, linenum);
495 value = atoi(arg);
496 if (*intptr == -1)
497 *intptr = value;
498 break;
499
500 case sLoginGraceTime:
501 intptr = &options->login_grace_time;
3c0ef626 502parse_time:
e9a17296 503 arg = strdelim(&cp);
504 if (!arg || *arg == '\0')
505 fatal("%s line %d: missing time value.",
506 filename, linenum);
507 if ((value = convtime(arg)) == -1)
508 fatal("%s line %d: invalid time value.",
509 filename, linenum);
510 if (*intptr == -1)
511 *intptr = value;
512 break;
513
514 case sKeyRegenerationTime:
515 intptr = &options->key_regeneration_time;
516 goto parse_time;
517
518 case sListenAddress:
519 arg = strdelim(&cp);
520 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
521 fatal("%s line %d: missing inet addr.",
522 filename, linenum);
523 if (*arg == '[') {
524 if ((p = strchr(arg, ']')) == NULL)
525 fatal("%s line %d: bad ipv6 inet addr usage.",
3c0ef626 526 filename, linenum);
e9a17296 527 arg++;
528 memmove(p, p+1, strlen(p+1)+1);
529 } else if (((p = strchr(arg, ':')) == NULL) ||
530 (strchr(p+1, ':') != NULL)) {
531 add_listen_addr(options, arg, 0);
3c0ef626 532 break;
e9a17296 533 }
534 if (*p == ':') {
535 u_short port;
3c0ef626 536
e9a17296 537 p++;
538 if (*p == '\0')
539 fatal("%s line %d: bad inet addr:port usage.",
3c0ef626 540 filename, linenum);
e9a17296 541 else {
542 *(p-1) = '\0';
543 if ((port = a2port(p)) == 0)
544 fatal("%s line %d: bad port number.",
3c0ef626 545 filename, linenum);
e9a17296 546 add_listen_addr(options, arg, port);
3c0ef626 547 }
e9a17296 548 } else if (*p == '\0')
549 add_listen_addr(options, arg, 0);
550 else
551 fatal("%s line %d: bad inet addr usage.",
552 filename, linenum);
553 break;
554
555 case sHostKeyFile:
556 intptr = &options->num_host_key_files;
557 if (*intptr >= MAX_HOSTKEYS)
558 fatal("%s line %d: too many host keys specified (max %d).",
559 filename, linenum, MAX_HOSTKEYS);
560 charptr = &options->host_key_files[*intptr];
3c0ef626 561parse_filename:
e9a17296 562 arg = strdelim(&cp);
563 if (!arg || *arg == '\0')
564 fatal("%s line %d: missing file name.",
565 filename, linenum);
566 if (*charptr == NULL) {
567 *charptr = tilde_expand_filename(arg, getuid());
568 /* increase optional counter */
569 if (intptr != NULL)
570 *intptr = *intptr + 1;
571 }
572 break;
3c0ef626 573
e9a17296 574 case sPidFile:
575 charptr = &options->pid_file;
576 goto parse_filename;
3c0ef626 577
e9a17296 578 case sPermitRootLogin:
579 intptr = &options->permit_root_login;
580 arg = strdelim(&cp);
581 if (!arg || *arg == '\0')
582 fatal("%s line %d: missing yes/"
583 "without-password/forced-commands-only/no "
584 "argument.", filename, linenum);
585 value = 0; /* silence compiler */
586 if (strcmp(arg, "without-password") == 0)
587 value = PERMIT_NO_PASSWD;
588 else if (strcmp(arg, "forced-commands-only") == 0)
589 value = PERMIT_FORCED_ONLY;
590 else if (strcmp(arg, "yes") == 0)
591 value = PERMIT_YES;
592 else if (strcmp(arg, "no") == 0)
593 value = PERMIT_NO;
594 else
595 fatal("%s line %d: Bad yes/"
596 "without-password/forced-commands-only/no "
597 "argument: %s", filename, linenum, arg);
598 if (*intptr == -1)
599 *intptr = value;
600 break;
601
602 case sIgnoreRhosts:
603 intptr = &options->ignore_rhosts;
3c0ef626 604parse_flag:
e9a17296 605 arg = strdelim(&cp);
606 if (!arg || *arg == '\0')
607 fatal("%s line %d: missing yes/no argument.",
608 filename, linenum);
609 value = 0; /* silence compiler */
610 if (strcmp(arg, "yes") == 0)
611 value = 1;
612 else if (strcmp(arg, "no") == 0)
613 value = 0;
614 else
615 fatal("%s line %d: Bad yes/no argument: %s",
616 filename, linenum, arg);
617 if (*intptr == -1)
618 *intptr = value;
619 break;
620
621 case sIgnoreUserKnownHosts:
622 intptr = &options->ignore_user_known_hosts;
623 goto parse_flag;
624
625 case sRhostsAuthentication:
626 intptr = &options->rhosts_authentication;
627 goto parse_flag;
628
629 case sRhostsRSAAuthentication:
630 intptr = &options->rhosts_rsa_authentication;
631 goto parse_flag;
632
633 case sHostbasedAuthentication:
634 intptr = &options->hostbased_authentication;
635 goto parse_flag;
636
637 case sHostbasedUsesNameFromPacketOnly:
638 intptr = &options->hostbased_uses_name_from_packet_only;
639 goto parse_flag;
640
641 case sRSAAuthentication:
642 intptr = &options->rsa_authentication;
643 goto parse_flag;
644
645 case sPubkeyAuthentication:
646 intptr = &options->pubkey_authentication;
647 goto parse_flag;
648#if defined(KRB4) || defined(KRB5)
649 case sKerberosAuthentication:
650 intptr = &options->kerberos_authentication;
651 goto parse_flag;
3c0ef626 652
e9a17296 653 case sKerberosOrLocalPasswd:
654 intptr = &options->kerberos_or_local_passwd;
655 goto parse_flag;
3c0ef626 656
e9a17296 657 case sKerberosTicketCleanup:
658 intptr = &options->kerberos_ticket_cleanup;
659 goto parse_flag;
660#endif
661#if defined(AFS) || defined(KRB5)
662 case sKerberosTgtPassing:
663 intptr = &options->kerberos_tgt_passing;
664 goto parse_flag;
665#endif
666#ifdef AFS
667 case sAFSTokenPassing:
668 intptr = &options->afs_token_passing;
669 goto parse_flag;
670#endif
3c0ef626 671
e9a17296 672 case sPasswordAuthentication:
673 intptr = &options->password_authentication;
674 goto parse_flag;
3c0ef626 675
e9a17296 676 case sKbdInteractiveAuthentication:
677 intptr = &options->kbd_interactive_authentication;
678 goto parse_flag;
3c0ef626 679
e9a17296 680 case sChallengeResponseAuthentication:
681 intptr = &options->challenge_response_authentication;
682 goto parse_flag;
3c0ef626 683
e9a17296 684 case sPrintMotd:
685 intptr = &options->print_motd;
686 goto parse_flag;
3c0ef626 687
e9a17296 688 case sPrintLastLog:
689 intptr = &options->print_lastlog;
690 goto parse_flag;
3c0ef626 691
e9a17296 692 case sX11Forwarding:
693 intptr = &options->x11_forwarding;
694 goto parse_flag;
3c0ef626 695
e9a17296 696 case sX11DisplayOffset:
697 intptr = &options->x11_display_offset;
698 goto parse_int;
3c0ef626 699
e9a17296 700 case sX11UseLocalhost:
701 intptr = &options->x11_use_localhost;
702 goto parse_flag;
3c0ef626 703
e9a17296 704 case sXAuthLocation:
705 charptr = &options->xauth_location;
706 goto parse_filename;
3c0ef626 707
e9a17296 708 case sStrictModes:
709 intptr = &options->strict_modes;
710 goto parse_flag;
3c0ef626 711
e9a17296 712 case sKeepAlives:
713 intptr = &options->keepalives;
714 goto parse_flag;
3c0ef626 715
e9a17296 716 case sEmptyPasswd:
717 intptr = &options->permit_empty_passwd;
718 goto parse_flag;
3c0ef626 719
41b2f314 720 case sPermitUserEnvironment:
721 intptr = &options->permit_user_env;
722 goto parse_flag;
723
e9a17296 724 case sUseLogin:
725 intptr = &options->use_login;
726 goto parse_flag;
3c0ef626 727
f5799ae1 728 case sCompression:
729 intptr = &options->compression;
730 goto parse_flag;
731
e9a17296 732 case sGatewayPorts:
733 intptr = &options->gateway_ports;
734 goto parse_flag;
3c0ef626 735
e9a17296 736 case sVerifyReverseMapping:
737 intptr = &options->verify_reverse_mapping;
738 goto parse_flag;
3c0ef626 739
e9a17296 740 case sLogFacility:
741 intptr = (int *) &options->log_facility;
742 arg = strdelim(&cp);
743 value = log_facility_number(arg);
744 if (value == SYSLOG_FACILITY_NOT_SET)
745 fatal("%.200s line %d: unsupported log facility '%s'",
746 filename, linenum, arg ? arg : "<NONE>");
747 if (*intptr == -1)
748 *intptr = (SyslogFacility) value;
749 break;
750
751 case sLogLevel:
752 intptr = (int *) &options->log_level;
753 arg = strdelim(&cp);
754 value = log_level_number(arg);
755 if (value == SYSLOG_LEVEL_NOT_SET)
756 fatal("%.200s line %d: unsupported log level '%s'",
757 filename, linenum, arg ? arg : "<NONE>");
758 if (*intptr == -1)
759 *intptr = (LogLevel) value;
760 break;
761
762 case sAllowTcpForwarding:
763 intptr = &options->allow_tcp_forwarding;
764 goto parse_flag;
765
700318f3 766 case sUsePrivilegeSeparation:
767 intptr = &use_privsep;
768 goto parse_flag;
769
e9a17296 770 case sAllowUsers:
771 while ((arg = strdelim(&cp)) && *arg != '\0') {
772 if (options->num_allow_users >= MAX_ALLOW_USERS)
773 fatal("%s line %d: too many allow users.",
774 filename, linenum);
680cee3b 775 options->allow_users[options->num_allow_users++] =
776 xstrdup(arg);
e9a17296 777 }
778 break;
3c0ef626 779
e9a17296 780 case sDenyUsers:
781 while ((arg = strdelim(&cp)) && *arg != '\0') {
782 if (options->num_deny_users >= MAX_DENY_USERS)
783 fatal( "%s line %d: too many deny users.",
784 filename, linenum);
680cee3b 785 options->deny_users[options->num_deny_users++] =
786 xstrdup(arg);
e9a17296 787 }
788 break;
3c0ef626 789
e9a17296 790 case sAllowGroups:
791 while ((arg = strdelim(&cp)) && *arg != '\0') {
792 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
793 fatal("%s line %d: too many allow groups.",
794 filename, linenum);
680cee3b 795 options->allow_groups[options->num_allow_groups++] =
796 xstrdup(arg);
e9a17296 797 }
798 break;
3c0ef626 799
e9a17296 800 case sDenyGroups:
801 while ((arg = strdelim(&cp)) && *arg != '\0') {
802 if (options->num_deny_groups >= MAX_DENY_GROUPS)
803 fatal("%s line %d: too many deny groups.",
804 filename, linenum);
805 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
806 }
807 break;
808
809 case sCiphers:
810 arg = strdelim(&cp);
811 if (!arg || *arg == '\0')
812 fatal("%s line %d: Missing argument.", filename, linenum);
813 if (!ciphers_valid(arg))
814 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
815 filename, linenum, arg ? arg : "<NONE>");
816 if (options->ciphers == NULL)
817 options->ciphers = xstrdup(arg);
818 break;
819
820 case sMacs:
821 arg = strdelim(&cp);
822 if (!arg || *arg == '\0')
823 fatal("%s line %d: Missing argument.", filename, linenum);
824 if (!mac_valid(arg))
825 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
826 filename, linenum, arg ? arg : "<NONE>");
827 if (options->macs == NULL)
828 options->macs = xstrdup(arg);
829 break;
830
831 case sProtocol:
832 intptr = &options->protocol;
833 arg = strdelim(&cp);
834 if (!arg || *arg == '\0')
835 fatal("%s line %d: Missing argument.", filename, linenum);
836 value = proto_spec(arg);
837 if (value == SSH_PROTO_UNKNOWN)
838 fatal("%s line %d: Bad protocol spec '%s'.",
839 filename, linenum, arg ? arg : "<NONE>");
840 if (*intptr == SSH_PROTO_UNKNOWN)
841 *intptr = value;
842 break;
843
844 case sSubsystem:
845 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
846 fatal("%s line %d: too many subsystems defined.",
847 filename, linenum);
848 }
849 arg = strdelim(&cp);
850 if (!arg || *arg == '\0')
851 fatal("%s line %d: Missing subsystem name.",
852 filename, linenum);
853 for (i = 0; i < options->num_subsystems; i++)
854 if (strcmp(arg, options->subsystem_name[i]) == 0)
855 fatal("%s line %d: Subsystem '%s' already defined.",
856 filename, linenum, arg);
857 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
858 arg = strdelim(&cp);
859 if (!arg || *arg == '\0')
860 fatal("%s line %d: Missing subsystem command.",
861 filename, linenum);
862 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
863 options->num_subsystems++;
864 break;
865
866 case sMaxStartups:
867 arg = strdelim(&cp);
868 if (!arg || *arg == '\0')
869 fatal("%s line %d: Missing MaxStartups spec.",
870 filename, linenum);
871 if ((n = sscanf(arg, "%d:%d:%d",
872 &options->max_startups_begin,
873 &options->max_startups_rate,
874 &options->max_startups)) == 3) {
875 if (options->max_startups_begin >
876 options->max_startups ||
877 options->max_startups_rate > 100 ||
878 options->max_startups_rate < 1)
3c0ef626 879 fatal("%s line %d: Illegal MaxStartups spec.",
880 filename, linenum);
e9a17296 881 } else if (n != 1)
882 fatal("%s line %d: Illegal MaxStartups spec.",
883 filename, linenum);
884 else
885 options->max_startups = options->max_startups_begin;
886 break;
887
888 case sBanner:
889 charptr = &options->banner;
890 goto parse_filename;
891 /*
892 * These options can contain %X options expanded at
893 * connect time, so that you can specify paths like:
894 *
895 * AuthorizedKeysFile /etc/ssh_keys/%u
896 */
897 case sAuthorizedKeysFile:
898 case sAuthorizedKeysFile2:
899 charptr = (opcode == sAuthorizedKeysFile ) ?
900 &options->authorized_keys_file :
901 &options->authorized_keys_file2;
902 goto parse_filename;
903
904 case sClientAliveInterval:
905 intptr = &options->client_alive_interval;
906 goto parse_time;
907
908 case sClientAliveCountMax:
909 intptr = &options->client_alive_count_max;
910 goto parse_int;
911
912 case sDeprecated:
913 log("%s line %d: Deprecated option %s",
914 filename, linenum, arg);
915 while (arg)
916 arg = strdelim(&cp);
917 break;
918
919 default:
920 fatal("%s line %d: Missing handler for opcode %s (%d)",
921 filename, linenum, arg, opcode);
922 }
923 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
924 fatal("%s line %d: garbage at end of line; \"%.200s\".",
925 filename, linenum, arg);
926 return 0;
927}
3c0ef626 928
e9a17296 929/* Reads the server configuration file. */
3c0ef626 930
e9a17296 931void
932read_server_config(ServerOptions *options, const char *filename)
933{
680cee3b 934 int linenum, bad_options = 0;
e9a17296 935 char line[1024];
680cee3b 936 FILE *f;
e9a17296 937
6a9b3198 938 debug2("read_server_config: filename %s", filename);
e9a17296 939 f = fopen(filename, "r");
940 if (!f) {
941 perror(filename);
942 exit(1);
943 }
944 linenum = 0;
945 while (fgets(line, sizeof(line), f)) {
946 /* Update line number counter. */
947 linenum++;
948 if (process_server_config_line(options, line, filename, linenum) != 0)
949 bad_options++;
3c0ef626 950 }
951 fclose(f);
952 if (bad_options > 0)
953 fatal("%s: terminating, %d bad configuration options",
954 filename, bad_options);
955}
git-cvsimport mirror of GSI OpenSSH
This page took 0.302795 seconds and 5 git commands to generate.