]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
merged OPENSSH_4_2P1_GSSAPI_20051220 to GPT branch
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
34fee935 13RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $");
3c0ef626 14
15#include "ssh.h"
16#include "log.h"
17#include "servconf.h"
18#include "xmalloc.h"
19#include "compat.h"
20#include "pathnames.h"
3c0ef626 21#include "misc.h"
22#include "cipher.h"
23#include "kex.h"
24#include "mac.h"
25
26static void add_listen_addr(ServerOptions *, char *, u_short);
27static void add_one_listen_addr(ServerOptions *, char *, u_short);
28
2980ea68 29/* Use of privilege separation or not */
30extern int use_privsep;
3c0ef626 31
32/* Initializes the server options to their default values. */
33
34void
35initialize_server_options(ServerOptions *options)
36{
37 memset(options, 0, sizeof(*options));
38
39 /* Portable-specific options */
70791e56 40 options->use_pam = -1;
3c0ef626 41
42 /* Standard Options */
43 options->num_ports = 0;
44 options->ports_from_cmdline = 0;
45 options->listen_addrs = NULL;
34fee935 46 options->address_family = -1;
3c0ef626 47 options->num_host_key_files = 0;
48 options->pid_file = NULL;
49 options->server_key_bits = -1;
50 options->login_grace_time = -1;
51 options->key_regeneration_time = -1;
52 options->permit_root_login = PERMIT_NOT_SET;
53 options->ignore_rhosts = -1;
54 options->ignore_user_known_hosts = -1;
55 options->print_motd = -1;
56 options->print_lastlog = -1;
57 options->x11_forwarding = -1;
58 options->x11_display_offset = -1;
e9a17296 59 options->x11_use_localhost = -1;
3c0ef626 60 options->xauth_location = NULL;
61 options->strict_modes = -1;
416fd2a8 62 options->tcp_keep_alive = -1;
e9a17296 63 options->log_facility = SYSLOG_FACILITY_NOT_SET;
64 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 65 options->rhosts_rsa_authentication = -1;
66 options->hostbased_authentication = -1;
67 options->hostbased_uses_name_from_packet_only = -1;
68 options->rsa_authentication = -1;
69 options->pubkey_authentication = -1;
3c0ef626 70 options->kerberos_authentication = -1;
71 options->kerberos_or_local_passwd = -1;
72 options->kerberos_ticket_cleanup = -1;
88928908 73#ifdef SESSION_HOOKS
74 options->session_hooks_allow = -1;
75 options->session_hooks_startup_cmd = NULL;
76 options->session_hooks_shutdown_cmd = NULL;
3c0ef626 77#endif
416fd2a8 78 options->kerberos_get_afs_token = -1;
70791e56 79 options->gss_authentication=-1;
34fee935 80 options->gss_keyex = -1;
70791e56 81 options->gss_cleanup_creds = -1;
3c0ef626 82 options->password_authentication = -1;
83 options->kbd_interactive_authentication = -1;
84 options->challenge_response_authentication = -1;
85 options->permit_empty_passwd = -1;
e54b3d7c 86 options->permit_user_env = -1;
3c0ef626 87 options->use_login = -1;
ff2d7a98 88 options->compression = -1;
3c0ef626 89 options->allow_tcp_forwarding = -1;
90 options->num_allow_users = 0;
91 options->num_deny_users = 0;
92 options->num_allow_groups = 0;
93 options->num_deny_groups = 0;
94 options->ciphers = NULL;
95 options->macs = NULL;
96 options->protocol = SSH_PROTO_UNKNOWN;
97 options->gateway_ports = -1;
98 options->num_subsystems = 0;
99 options->max_startups_begin = -1;
100 options->max_startups_rate = -1;
101 options->max_startups = -1;
1b56ff3d 102 options->max_authtries = -1;
3c0ef626 103 options->banner = NULL;
70791e56 104 options->use_dns = -1;
3c0ef626 105 options->client_alive_interval = -1;
106 options->client_alive_count_max = -1;
107 options->authorized_keys_file = NULL;
108 options->authorized_keys_file2 = NULL;
1b56ff3d 109 options->num_accept_env = 0;
2980ea68 110
111 /* Needs to be accessable in many places */
112 use_privsep = -1;
3c0ef626 113}
114
115void
116fill_default_server_options(ServerOptions *options)
117{
118 /* Portable-specific options */
70791e56 119 if (options->use_pam == -1)
120 options->use_pam = 0;
3c0ef626 121
122 /* Standard Options */
123 if (options->protocol == SSH_PROTO_UNKNOWN)
124 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
125 if (options->num_host_key_files == 0) {
126 /* fill default hostkeys for protocols */
127 if (options->protocol & SSH_PROTO_1)
e9a17296 128 options->host_key_files[options->num_host_key_files++] =
129 _PATH_HOST_KEY_FILE;
130 if (options->protocol & SSH_PROTO_2) {
131 options->host_key_files[options->num_host_key_files++] =
132 _PATH_HOST_RSA_KEY_FILE;
133 options->host_key_files[options->num_host_key_files++] =
134 _PATH_HOST_DSA_KEY_FILE;
135 }
3c0ef626 136 }
137 if (options->num_ports == 0)
138 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
139 if (options->listen_addrs == NULL)
140 add_listen_addr(options, NULL, 0);
141 if (options->pid_file == NULL)
142 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
143 if (options->server_key_bits == -1)
144 options->server_key_bits = 768;
145 if (options->login_grace_time == -1)
e54b3d7c 146 options->login_grace_time = 120;
3c0ef626 147 if (options->key_regeneration_time == -1)
148 options->key_regeneration_time = 3600;
149 if (options->permit_root_login == PERMIT_NOT_SET)
150 options->permit_root_login = PERMIT_YES;
151 if (options->ignore_rhosts == -1)
152 options->ignore_rhosts = 1;
153 if (options->ignore_user_known_hosts == -1)
154 options->ignore_user_known_hosts = 0;
155 if (options->print_motd == -1)
156 options->print_motd = 1;
157 if (options->print_lastlog == -1)
158 options->print_lastlog = 1;
159 if (options->x11_forwarding == -1)
160 options->x11_forwarding = 0;
161 if (options->x11_display_offset == -1)
162 options->x11_display_offset = 10;
e9a17296 163 if (options->x11_use_localhost == -1)
164 options->x11_use_localhost = 1;
3c0ef626 165 if (options->xauth_location == NULL)
166 options->xauth_location = _PATH_XAUTH;
3c0ef626 167 if (options->strict_modes == -1)
168 options->strict_modes = 1;
416fd2a8 169 if (options->tcp_keep_alive == -1)
170 options->tcp_keep_alive = 1;
e9a17296 171 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 172 options->log_facility = SYSLOG_FACILITY_AUTH;
e9a17296 173 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 174 options->log_level = SYSLOG_LEVEL_INFO;
3c0ef626 175 if (options->rhosts_rsa_authentication == -1)
176 options->rhosts_rsa_authentication = 0;
177 if (options->hostbased_authentication == -1)
178 options->hostbased_authentication = 0;
179 if (options->hostbased_uses_name_from_packet_only == -1)
180 options->hostbased_uses_name_from_packet_only = 0;
181 if (options->rsa_authentication == -1)
182 options->rsa_authentication = 1;
183 if (options->pubkey_authentication == -1)
184 options->pubkey_authentication = 1;
70791e56 185 if (options->kerberos_authentication == -1)
186 options->kerberos_authentication = 0;
187 if (options->kerberos_or_local_passwd == -1)
188 options->kerberos_or_local_passwd = 1;
189 if (options->kerberos_ticket_cleanup == -1)
190 options->kerberos_ticket_cleanup = 1;
416fd2a8 191 if (options->kerberos_get_afs_token == -1)
192 options->kerberos_get_afs_token = 0;
b9a54c29 193 if (options->gss_authentication == -1)
194 options->gss_authentication = 1;
195 if (options->gss_keyex == -1)
70791e56 196 options->gss_keyex = 1;
b9a54c29 197 if (options->gss_cleanup_creds == -1)
198 options->gss_cleanup_creds = 1;
3c0ef626 199 if (options->password_authentication == -1)
200 options->password_authentication = 1;
201 if (options->kbd_interactive_authentication == -1)
202 options->kbd_interactive_authentication = 0;
203 if (options->challenge_response_authentication == -1)
204 options->challenge_response_authentication = 1;
205 if (options->permit_empty_passwd == -1)
206 options->permit_empty_passwd = 0;
e54b3d7c 207 if (options->permit_user_env == -1)
208 options->permit_user_env = 0;
3c0ef626 209 if (options->use_login == -1)
210 options->use_login = 0;
ff2d7a98 211 if (options->compression == -1)
34fee935 212 options->compression = COMP_DELAYED;
3c0ef626 213 if (options->allow_tcp_forwarding == -1)
214 options->allow_tcp_forwarding = 1;
215 if (options->gateway_ports == -1)
216 options->gateway_ports = 0;
217 if (options->max_startups == -1)
218 options->max_startups = 10;
219 if (options->max_startups_rate == -1)
220 options->max_startups_rate = 100; /* 100% */
221 if (options->max_startups_begin == -1)
222 options->max_startups_begin = options->max_startups;
1b56ff3d 223 if (options->max_authtries == -1)
224 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
70791e56 225 if (options->use_dns == -1)
226 options->use_dns = 1;
3c0ef626 227 if (options->client_alive_interval == -1)
e9a17296 228 options->client_alive_interval = 0;
3c0ef626 229 if (options->client_alive_count_max == -1)
230 options->client_alive_count_max = 3;
231 if (options->authorized_keys_file2 == NULL) {
232 /* authorized_keys_file2 falls back to authorized_keys_file */
233 if (options->authorized_keys_file != NULL)
234 options->authorized_keys_file2 = options->authorized_keys_file;
235 else
236 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
237 }
238 if (options->authorized_keys_file == NULL)
239 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
2980ea68 240
ff2d7a98 241 /* Turn privilege separation on by default */
2980ea68 242 if (use_privsep == -1)
ff2d7a98 243 use_privsep = 1;
244
e54b3d7c 245#ifndef HAVE_MMAP
ff2d7a98 246 if (use_privsep && options->compression == 1) {
247 error("This platform does not support both privilege "
248 "separation and compression");
249 error("Compression disabled");
250 options->compression = 0;
251 }
252#endif
253
3c0ef626 254}
255
256/* Keyword tokens. */
257typedef enum {
258 sBadOption, /* == unknown option */
259 /* Portable-specific options */
70791e56 260 sUsePAM,
3c0ef626 261 /* Standard Options */
262 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
263 sPermitRootLogin, sLogFacility, sLogLevel,
70791e56 264 sRhostsRSAAuthentication, sRSAAuthentication,
3c0ef626 265 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
416fd2a8 266 sKerberosGetAFSToken,
70791e56 267 sKerberosTgtPassing, sChallengeResponseAuthentication,
88928908 268#ifdef SESSION_HOOKS
269 sAllowSessionHooks, sSessionHookStartupCmd, sSessionHookShutdownCmd,
3c0ef626 270#endif
34fee935 271 sPasswordAuthentication, sKbdInteractiveAuthentication,
272 sListenAddress, sAddressFamily,
3c0ef626 273 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9a17296 274 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
416fd2a8 275 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
e54b3d7c 276 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
3c0ef626 277 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
278 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
1b56ff3d 279 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
280 sMaxStartups, sMaxAuthTries,
70791e56 281 sBanner, sUseDNS, sHostbasedAuthentication,
e9a17296 282 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 283 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
34fee935 284 sGssAuthentication, sGssKeyEx, sGssCleanupCreds, sAcceptEnv,
2980ea68 285 sUsePrivilegeSeparation,
70791e56 286 sDeprecated, sUnsupported
3c0ef626 287} ServerOpCodes;
288
289/* Textual representation of the tokens. */
290static struct {
291 const char *name;
292 ServerOpCodes opcode;
293} keywords[] = {
294 /* Portable-specific options */
70791e56 295#ifdef USE_PAM
296 { "usepam", sUsePAM },
297#else
298 { "usepam", sUnsupported },
299#endif
300 { "pamauthenticationviakbdint", sDeprecated },
3c0ef626 301 /* Standard Options */
302 { "port", sPort },
303 { "hostkey", sHostKeyFile },
304 { "hostdsakey", sHostKeyFile }, /* alias */
305 { "pidfile", sPidFile },
306 { "serverkeybits", sServerKeyBits },
307 { "logingracetime", sLoginGraceTime },
308 { "keyregenerationinterval", sKeyRegenerationTime },
309 { "permitrootlogin", sPermitRootLogin },
310 { "syslogfacility", sLogFacility },
311 { "loglevel", sLogLevel },
70791e56 312 { "rhostsauthentication", sDeprecated },
3c0ef626 313 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
314 { "hostbasedauthentication", sHostbasedAuthentication },
315 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
316 { "rsaauthentication", sRSAAuthentication },
317 { "pubkeyauthentication", sPubkeyAuthentication },
318 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
70791e56 319#ifdef KRB5
320 { "kerberosauthentication", sKerberosAuthentication },
321 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
322 { "kerberosticketcleanup", sKerberosTicketCleanup },
416fd2a8 323#ifdef USE_AFS
324 { "kerberosgetafstoken", sKerberosGetAFSToken },
325#else
326 { "kerberosgetafstoken", sUnsupported },
327#endif
70791e56 328#else
329 { "kerberosauthentication", sUnsupported },
330 { "kerberosorlocalpasswd", sUnsupported },
331 { "kerberosticketcleanup", sUnsupported },
416fd2a8 332 { "kerberosgetafstoken", sUnsupported },
70791e56 333#endif
334 { "kerberostgtpassing", sUnsupported },
335 { "afstokenpassing", sUnsupported },
b9a54c29 336#ifdef GSSAPI
337 { "gssapiauthentication", sGssAuthentication },
338 { "gssapikeyexchange", sGssKeyEx },
416fd2a8 339 { "gssapicleanupcredentials", sGssCleanupCreds },
70791e56 340#else
341 { "gssapiauthentication", sUnsupported },
342 { "gssapikeyexchange", sUnsupported },
416fd2a8 343 { "gssapicleanupcredentials", sUnsupported },
3c0ef626 344#endif
88928908 345#ifdef SESSION_HOOKS
346 { "allowsessionhooks", sAllowSessionHooks },
347 { "sessionhookstartupcmd", sSessionHookStartupCmd },
348 { "sessionhookshutdowncmd", sSessionHookShutdownCmd },
349#endif
3c0ef626 350 { "passwordauthentication", sPasswordAuthentication },
351 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
352 { "challengeresponseauthentication", sChallengeResponseAuthentication },
353 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
354 { "checkmail", sDeprecated },
355 { "listenaddress", sListenAddress },
34fee935 356 { "addressfamily", sAddressFamily },
3c0ef626 357 { "printmotd", sPrintMotd },
358 { "printlastlog", sPrintLastLog },
359 { "ignorerhosts", sIgnoreRhosts },
360 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
361 { "x11forwarding", sX11Forwarding },
362 { "x11displayoffset", sX11DisplayOffset },
e9a17296 363 { "x11uselocalhost", sX11UseLocalhost },
3c0ef626 364 { "xauthlocation", sXAuthLocation },
365 { "strictmodes", sStrictModes },
366 { "permitemptypasswords", sEmptyPasswd },
e54b3d7c 367 { "permituserenvironment", sPermitUserEnvironment },
3c0ef626 368 { "uselogin", sUseLogin },
ff2d7a98 369 { "compression", sCompression },
416fd2a8 370 { "tcpkeepalive", sTCPKeepAlive },
371 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
3c0ef626 372 { "allowtcpforwarding", sAllowTcpForwarding },
373 { "allowusers", sAllowUsers },
374 { "denyusers", sDenyUsers },
375 { "allowgroups", sAllowGroups },
376 { "denygroups", sDenyGroups },
377 { "ciphers", sCiphers },
378 { "macs", sMacs },
379 { "protocol", sProtocol },
380 { "gatewayports", sGatewayPorts },
381 { "subsystem", sSubsystem },
382 { "maxstartups", sMaxStartups },
1b56ff3d 383 { "maxauthtries", sMaxAuthTries },
3c0ef626 384 { "banner", sBanner },
70791e56 385 { "usedns", sUseDNS },
386 { "verifyreversemapping", sDeprecated },
387 { "reversemappingcheck", sDeprecated },
3c0ef626 388 { "clientaliveinterval", sClientAliveInterval },
389 { "clientalivecountmax", sClientAliveCountMax },
390 { "authorizedkeysfile", sAuthorizedKeysFile },
391 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
2980ea68 392 { "useprivilegeseparation", sUsePrivilegeSeparation},
1b56ff3d 393 { "acceptenv", sAcceptEnv },
e9a17296 394 { NULL, sBadOption }
3c0ef626 395};
396
397/*
398 * Returns the number of the token pointed to by cp or sBadOption.
399 */
400
401static ServerOpCodes
402parse_token(const char *cp, const char *filename,
403 int linenum)
404{
405 u_int i;
406
407 for (i = 0; keywords[i].name; i++)
408 if (strcasecmp(cp, keywords[i].name) == 0)
409 return keywords[i].opcode;
410
411 error("%s: line %d: Bad configuration option: %s",
412 filename, linenum, cp);
413 return sBadOption;
414}
415
416static void
417add_listen_addr(ServerOptions *options, char *addr, u_short port)
418{
34fee935 419 u_int i;
3c0ef626 420
421 if (options->num_ports == 0)
422 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
34fee935 423 if (options->address_family == -1)
424 options->address_family = AF_UNSPEC;
3c0ef626 425 if (port == 0)
426 for (i = 0; i < options->num_ports; i++)
427 add_one_listen_addr(options, addr, options->ports[i]);
428 else
429 add_one_listen_addr(options, addr, port);
430}
431
432static void
433add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
434{
435 struct addrinfo hints, *ai, *aitop;
436 char strport[NI_MAXSERV];
437 int gaierr;
438
439 memset(&hints, 0, sizeof(hints));
34fee935 440 hints.ai_family = options->address_family;
3c0ef626 441 hints.ai_socktype = SOCK_STREAM;
442 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
ff2d7a98 443 snprintf(strport, sizeof strport, "%u", port);
3c0ef626 444 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
445 fatal("bad addr or host: %s (%s)",
446 addr ? addr : "<NULL>",
447 gai_strerror(gaierr));
448 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
449 ;
450 ai->ai_next = options->listen_addrs;
451 options->listen_addrs = aitop;
452}
453
e9a17296 454int
455process_server_config_line(ServerOptions *options, char *line,
456 const char *filename, int linenum)
3c0ef626 457{
3c0ef626 458 char *cp, **charptr, *arg, *p;
34fee935 459 int *intptr, value, n;
3c0ef626 460 ServerOpCodes opcode;
34fee935 461 u_short port;
462 u_int i;
3c0ef626 463
e9a17296 464 cp = line;
465 arg = strdelim(&cp);
466 /* Ignore leading whitespace */
467 if (*arg == '\0')
3c0ef626 468 arg = strdelim(&cp);
e9a17296 469 if (!arg || !*arg || *arg == '#')
470 return 0;
471 intptr = NULL;
472 charptr = NULL;
473 opcode = parse_token(arg, filename, linenum);
474 switch (opcode) {
475 /* Portable-specific options */
70791e56 476 case sUsePAM:
477 intptr = &options->use_pam;
e9a17296 478 goto parse_flag;
3c0ef626 479
e9a17296 480 /* Standard Options */
481 case sBadOption:
482 return -1;
483 case sPort:
484 /* ignore ports from configfile if cmdline specifies ports */
485 if (options->ports_from_cmdline)
486 return 0;
487 if (options->listen_addrs != NULL)
488 fatal("%s line %d: ports must be specified before "
489 "ListenAddress.", filename, linenum);
490 if (options->num_ports >= MAX_PORTS)
491 fatal("%s line %d: too many ports.",
492 filename, linenum);
493 arg = strdelim(&cp);
494 if (!arg || *arg == '\0')
495 fatal("%s line %d: missing port number.",
496 filename, linenum);
497 options->ports[options->num_ports++] = a2port(arg);
498 if (options->ports[options->num_ports-1] == 0)
499 fatal("%s line %d: Badly formatted port number.",
500 filename, linenum);
501 break;
502
503 case sServerKeyBits:
504 intptr = &options->server_key_bits;
3c0ef626 505parse_int:
e9a17296 506 arg = strdelim(&cp);
507 if (!arg || *arg == '\0')
508 fatal("%s line %d: missing integer value.",
509 filename, linenum);
510 value = atoi(arg);
511 if (*intptr == -1)
512 *intptr = value;
513 break;
514
515 case sLoginGraceTime:
516 intptr = &options->login_grace_time;
3c0ef626 517parse_time:
e9a17296 518 arg = strdelim(&cp);
519 if (!arg || *arg == '\0')
520 fatal("%s line %d: missing time value.",
521 filename, linenum);
522 if ((value = convtime(arg)) == -1)
523 fatal("%s line %d: invalid time value.",
524 filename, linenum);
525 if (*intptr == -1)
526 *intptr = value;
527 break;
528
529 case sKeyRegenerationTime:
530 intptr = &options->key_regeneration_time;
531 goto parse_time;
532
533 case sListenAddress:
534 arg = strdelim(&cp);
34fee935 535 if (arg == NULL || *arg == '\0')
536 fatal("%s line %d: missing address",
e9a17296 537 filename, linenum);
34fee935 538 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
539 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
540 && strchr(p+1, ':') != NULL) {
e9a17296 541 add_listen_addr(options, arg, 0);
3c0ef626 542 break;
e9a17296 543 }
34fee935 544 p = hpdelim(&arg);
545 if (p == NULL)
546 fatal("%s line %d: bad address:port usage",
547 filename, linenum);
548 p = cleanhostname(p);
549 if (arg == NULL)
550 port = 0;
551 else if ((port = a2port(arg)) == 0)
552 fatal("%s line %d: bad port number", filename, linenum);
3c0ef626 553
34fee935 554 add_listen_addr(options, p, port);
555
556 break;
557
558 case sAddressFamily:
559 arg = strdelim(&cp);
560 if (!arg || *arg == '\0')
561 fatal("%s line %d: missing address family.",
e9a17296 562 filename, linenum);
34fee935 563 intptr = &options->address_family;
564 if (options->listen_addrs != NULL)
565 fatal("%s line %d: address family must be specified before "
566 "ListenAddress.", filename, linenum);
567 if (strcasecmp(arg, "inet") == 0)
568 value = AF_INET;
569 else if (strcasecmp(arg, "inet6") == 0)
570 value = AF_INET6;
571 else if (strcasecmp(arg, "any") == 0)
572 value = AF_UNSPEC;
573 else
574 fatal("%s line %d: unsupported address family \"%s\".",
575 filename, linenum, arg);
576 if (*intptr == -1)
577 *intptr = value;
e9a17296 578 break;
579
580 case sHostKeyFile:
581 intptr = &options->num_host_key_files;
582 if (*intptr >= MAX_HOSTKEYS)
583 fatal("%s line %d: too many host keys specified (max %d).",
584 filename, linenum, MAX_HOSTKEYS);
585 charptr = &options->host_key_files[*intptr];
3c0ef626 586parse_filename:
e9a17296 587 arg = strdelim(&cp);
588 if (!arg || *arg == '\0')
589 fatal("%s line %d: missing file name.",
590 filename, linenum);
591 if (*charptr == NULL) {
592 *charptr = tilde_expand_filename(arg, getuid());
593 /* increase optional counter */
594 if (intptr != NULL)
595 *intptr = *intptr + 1;
596 }
597 break;
3c0ef626 598
e9a17296 599 case sPidFile:
600 charptr = &options->pid_file;
601 goto parse_filename;
3c0ef626 602
e9a17296 603 case sPermitRootLogin:
604 intptr = &options->permit_root_login;
605 arg = strdelim(&cp);
606 if (!arg || *arg == '\0')
607 fatal("%s line %d: missing yes/"
608 "without-password/forced-commands-only/no "
609 "argument.", filename, linenum);
610 value = 0; /* silence compiler */
611 if (strcmp(arg, "without-password") == 0)
612 value = PERMIT_NO_PASSWD;
613 else if (strcmp(arg, "forced-commands-only") == 0)
614 value = PERMIT_FORCED_ONLY;
615 else if (strcmp(arg, "yes") == 0)
616 value = PERMIT_YES;
617 else if (strcmp(arg, "no") == 0)
618 value = PERMIT_NO;
619 else
620 fatal("%s line %d: Bad yes/"
621 "without-password/forced-commands-only/no "
622 "argument: %s", filename, linenum, arg);
623 if (*intptr == -1)
624 *intptr = value;
625 break;
626
627 case sIgnoreRhosts:
628 intptr = &options->ignore_rhosts;
3c0ef626 629parse_flag:
e9a17296 630 arg = strdelim(&cp);
631 if (!arg || *arg == '\0')
632 fatal("%s line %d: missing yes/no argument.",
633 filename, linenum);
634 value = 0; /* silence compiler */
635 if (strcmp(arg, "yes") == 0)
636 value = 1;
637 else if (strcmp(arg, "no") == 0)
638 value = 0;
639 else
640 fatal("%s line %d: Bad yes/no argument: %s",
641 filename, linenum, arg);
642 if (*intptr == -1)
643 *intptr = value;
644 break;
645
646 case sIgnoreUserKnownHosts:
647 intptr = &options->ignore_user_known_hosts;
648 goto parse_flag;
649
e9a17296 650 case sRhostsRSAAuthentication:
651 intptr = &options->rhosts_rsa_authentication;
652 goto parse_flag;
653
654 case sHostbasedAuthentication:
655 intptr = &options->hostbased_authentication;
656 goto parse_flag;
657
658 case sHostbasedUsesNameFromPacketOnly:
659 intptr = &options->hostbased_uses_name_from_packet_only;
660 goto parse_flag;
661
662 case sRSAAuthentication:
663 intptr = &options->rsa_authentication;
664 goto parse_flag;
665
666 case sPubkeyAuthentication:
667 intptr = &options->pubkey_authentication;
668 goto parse_flag;
70791e56 669
e9a17296 670 case sKerberosAuthentication:
671 intptr = &options->kerberos_authentication;
672 goto parse_flag;
3c0ef626 673
e9a17296 674 case sKerberosOrLocalPasswd:
675 intptr = &options->kerberos_or_local_passwd;
676 goto parse_flag;
3c0ef626 677
e9a17296 678 case sKerberosTicketCleanup:
679 intptr = &options->kerberos_ticket_cleanup;
680 goto parse_flag;
70791e56 681
416fd2a8 682 case sKerberosGetAFSToken:
683 intptr = &options->kerberos_get_afs_token;
684 goto parse_flag;
685
70791e56 686 case sGssAuthentication:
687 intptr = &options->gss_authentication;
e9a17296 688 goto parse_flag;
70791e56 689
690 case sGssKeyEx:
691 intptr = &options->gss_keyex;
e9a17296 692 goto parse_flag;
70791e56 693
70791e56 694 case sGssCleanupCreds:
695 intptr = &options->gss_cleanup_creds;
696 goto parse_flag;
697
88928908 698#ifdef SESSION_HOOKS
699 case sAllowSessionHooks:
700 intptr = &options->session_hooks_allow;
701 goto parse_flag;
702 case sSessionHookStartupCmd:
703 case sSessionHookShutdownCmd:
704 arg = strdelim(&cp);
705 if (!arg || *arg == '\0')
706 fatal("%s line %d: empty session hook command",
707 filename, linenum);
708 if (opcode==sSessionHookStartupCmd)
709 options->session_hooks_startup_cmd = strdup(arg);
710 else
711 options->session_hooks_shutdown_cmd = strdup(arg);
712 break;
713#endif
70791e56 714
e9a17296 715 case sPasswordAuthentication:
716 intptr = &options->password_authentication;
717 goto parse_flag;
3c0ef626 718
e9a17296 719 case sKbdInteractiveAuthentication:
720 intptr = &options->kbd_interactive_authentication;
721 goto parse_flag;
3c0ef626 722
e9a17296 723 case sChallengeResponseAuthentication:
724 intptr = &options->challenge_response_authentication;
725 goto parse_flag;
3c0ef626 726
e9a17296 727 case sPrintMotd:
728 intptr = &options->print_motd;
729 goto parse_flag;
3c0ef626 730
e9a17296 731 case sPrintLastLog:
732 intptr = &options->print_lastlog;
733 goto parse_flag;
3c0ef626 734
e9a17296 735 case sX11Forwarding:
736 intptr = &options->x11_forwarding;
737 goto parse_flag;
3c0ef626 738
e9a17296 739 case sX11DisplayOffset:
740 intptr = &options->x11_display_offset;
741 goto parse_int;
3c0ef626 742
e9a17296 743 case sX11UseLocalhost:
744 intptr = &options->x11_use_localhost;
745 goto parse_flag;
3c0ef626 746
e9a17296 747 case sXAuthLocation:
748 charptr = &options->xauth_location;
749 goto parse_filename;
3c0ef626 750
e9a17296 751 case sStrictModes:
752 intptr = &options->strict_modes;
753 goto parse_flag;
3c0ef626 754
416fd2a8 755 case sTCPKeepAlive:
756 intptr = &options->tcp_keep_alive;
e9a17296 757 goto parse_flag;
3c0ef626 758
e9a17296 759 case sEmptyPasswd:
760 intptr = &options->permit_empty_passwd;
761 goto parse_flag;
3c0ef626 762
e54b3d7c 763 case sPermitUserEnvironment:
764 intptr = &options->permit_user_env;
765 goto parse_flag;
766
e9a17296 767 case sUseLogin:
768 intptr = &options->use_login;
769 goto parse_flag;
3c0ef626 770
ff2d7a98 771 case sCompression:
772 intptr = &options->compression;
34fee935 773 arg = strdelim(&cp);
774 if (!arg || *arg == '\0')
775 fatal("%s line %d: missing yes/no/delayed "
776 "argument.", filename, linenum);
777 value = 0; /* silence compiler */
778 if (strcmp(arg, "delayed") == 0)
779 value = COMP_DELAYED;
780 else if (strcmp(arg, "yes") == 0)
781 value = COMP_ZLIB;
782 else if (strcmp(arg, "no") == 0)
783 value = COMP_NONE;
784 else
785 fatal("%s line %d: Bad yes/no/delayed "
786 "argument: %s", filename, linenum, arg);
787 if (*intptr == -1)
788 *intptr = value;
789 break;
ff2d7a98 790
e9a17296 791 case sGatewayPorts:
792 intptr = &options->gateway_ports;
34fee935 793 arg = strdelim(&cp);
794 if (!arg || *arg == '\0')
795 fatal("%s line %d: missing yes/no/clientspecified "
796 "argument.", filename, linenum);
797 value = 0; /* silence compiler */
798 if (strcmp(arg, "clientspecified") == 0)
799 value = 2;
800 else if (strcmp(arg, "yes") == 0)
801 value = 1;
802 else if (strcmp(arg, "no") == 0)
803 value = 0;
804 else
805 fatal("%s line %d: Bad yes/no/clientspecified "
806 "argument: %s", filename, linenum, arg);
807 if (*intptr == -1)
808 *intptr = value;
809 break;
3c0ef626 810
70791e56 811 case sUseDNS:
812 intptr = &options->use_dns;
e9a17296 813 goto parse_flag;
3c0ef626 814
e9a17296 815 case sLogFacility:
816 intptr = (int *) &options->log_facility;
817 arg = strdelim(&cp);
818 value = log_facility_number(arg);
819 if (value == SYSLOG_FACILITY_NOT_SET)
820 fatal("%.200s line %d: unsupported log facility '%s'",
821 filename, linenum, arg ? arg : "<NONE>");
822 if (*intptr == -1)
823 *intptr = (SyslogFacility) value;
824 break;
825
826 case sLogLevel:
827 intptr = (int *) &options->log_level;
828 arg = strdelim(&cp);
829 value = log_level_number(arg);
830 if (value == SYSLOG_LEVEL_NOT_SET)
831 fatal("%.200s line %d: unsupported log level '%s'",
832 filename, linenum, arg ? arg : "<NONE>");
833 if (*intptr == -1)
834 *intptr = (LogLevel) value;
835 break;
836
837 case sAllowTcpForwarding:
838 intptr = &options->allow_tcp_forwarding;
839 goto parse_flag;
840
2980ea68 841 case sUsePrivilegeSeparation:
842 intptr = &use_privsep;
843 goto parse_flag;
844
e9a17296 845 case sAllowUsers:
846 while ((arg = strdelim(&cp)) && *arg != '\0') {
847 if (options->num_allow_users >= MAX_ALLOW_USERS)
848 fatal("%s line %d: too many allow users.",
849 filename, linenum);
ff2d7a98 850 options->allow_users[options->num_allow_users++] =
851 xstrdup(arg);
e9a17296 852 }
853 break;
3c0ef626 854
e9a17296 855 case sDenyUsers:
856 while ((arg = strdelim(&cp)) && *arg != '\0') {
857 if (options->num_deny_users >= MAX_DENY_USERS)
858 fatal( "%s line %d: too many deny users.",
859 filename, linenum);
ff2d7a98 860 options->deny_users[options->num_deny_users++] =
861 xstrdup(arg);
e9a17296 862 }
863 break;
3c0ef626 864
e9a17296 865 case sAllowGroups:
866 while ((arg = strdelim(&cp)) && *arg != '\0') {
867 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
868 fatal("%s line %d: too many allow groups.",
869 filename, linenum);
ff2d7a98 870 options->allow_groups[options->num_allow_groups++] =
871 xstrdup(arg);
e9a17296 872 }
873 break;
3c0ef626 874
e9a17296 875 case sDenyGroups:
876 while ((arg = strdelim(&cp)) && *arg != '\0') {
877 if (options->num_deny_groups >= MAX_DENY_GROUPS)
878 fatal("%s line %d: too many deny groups.",
879 filename, linenum);
880 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
881 }
882 break;
883
884 case sCiphers:
885 arg = strdelim(&cp);
886 if (!arg || *arg == '\0')
887 fatal("%s line %d: Missing argument.", filename, linenum);
888 if (!ciphers_valid(arg))
889 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
890 filename, linenum, arg ? arg : "<NONE>");
891 if (options->ciphers == NULL)
892 options->ciphers = xstrdup(arg);
893 break;
894
895 case sMacs:
896 arg = strdelim(&cp);
897 if (!arg || *arg == '\0')
898 fatal("%s line %d: Missing argument.", filename, linenum);
899 if (!mac_valid(arg))
900 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
901 filename, linenum, arg ? arg : "<NONE>");
902 if (options->macs == NULL)
903 options->macs = xstrdup(arg);
904 break;
905
906 case sProtocol:
907 intptr = &options->protocol;
908 arg = strdelim(&cp);
909 if (!arg || *arg == '\0')
910 fatal("%s line %d: Missing argument.", filename, linenum);
911 value = proto_spec(arg);
912 if (value == SSH_PROTO_UNKNOWN)
913 fatal("%s line %d: Bad protocol spec '%s'.",
914 filename, linenum, arg ? arg : "<NONE>");
915 if (*intptr == SSH_PROTO_UNKNOWN)
916 *intptr = value;
917 break;
918
919 case sSubsystem:
920 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
921 fatal("%s line %d: too many subsystems defined.",
922 filename, linenum);
923 }
924 arg = strdelim(&cp);
925 if (!arg || *arg == '\0')
926 fatal("%s line %d: Missing subsystem name.",
927 filename, linenum);
928 for (i = 0; i < options->num_subsystems; i++)
929 if (strcmp(arg, options->subsystem_name[i]) == 0)
930 fatal("%s line %d: Subsystem '%s' already defined.",
931 filename, linenum, arg);
932 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
933 arg = strdelim(&cp);
934 if (!arg || *arg == '\0')
935 fatal("%s line %d: Missing subsystem command.",
936 filename, linenum);
937 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
938 options->num_subsystems++;
939 break;
940
941 case sMaxStartups:
942 arg = strdelim(&cp);
943 if (!arg || *arg == '\0')
944 fatal("%s line %d: Missing MaxStartups spec.",
945 filename, linenum);
946 if ((n = sscanf(arg, "%d:%d:%d",
947 &options->max_startups_begin,
948 &options->max_startups_rate,
949 &options->max_startups)) == 3) {
950 if (options->max_startups_begin >
951 options->max_startups ||
952 options->max_startups_rate > 100 ||
953 options->max_startups_rate < 1)
3c0ef626 954 fatal("%s line %d: Illegal MaxStartups spec.",
955 filename, linenum);
e9a17296 956 } else if (n != 1)
957 fatal("%s line %d: Illegal MaxStartups spec.",
958 filename, linenum);
959 else
960 options->max_startups = options->max_startups_begin;
961 break;
962
1b56ff3d 963 case sMaxAuthTries:
964 intptr = &options->max_authtries;
965 goto parse_int;
966
e9a17296 967 case sBanner:
968 charptr = &options->banner;
969 goto parse_filename;
970 /*
971 * These options can contain %X options expanded at
972 * connect time, so that you can specify paths like:
973 *
974 * AuthorizedKeysFile /etc/ssh_keys/%u
975 */
976 case sAuthorizedKeysFile:
977 case sAuthorizedKeysFile2:
978 charptr = (opcode == sAuthorizedKeysFile ) ?
979 &options->authorized_keys_file :
980 &options->authorized_keys_file2;
981 goto parse_filename;
982
983 case sClientAliveInterval:
984 intptr = &options->client_alive_interval;
985 goto parse_time;
986
987 case sClientAliveCountMax:
988 intptr = &options->client_alive_count_max;
989 goto parse_int;
990
1b56ff3d 991 case sAcceptEnv:
992 while ((arg = strdelim(&cp)) && *arg != '\0') {
993 if (strchr(arg, '=') != NULL)
994 fatal("%s line %d: Invalid environment name.",
995 filename, linenum);
996 if (options->num_accept_env >= MAX_ACCEPT_ENV)
997 fatal("%s line %d: too many allow env.",
998 filename, linenum);
999 options->accept_env[options->num_accept_env++] =
1000 xstrdup(arg);
1001 }
1002 break;
1003
e9a17296 1004 case sDeprecated:
70791e56 1005 logit("%s line %d: Deprecated option %s",
1006 filename, linenum, arg);
1007 while (arg)
1008 arg = strdelim(&cp);
1009 break;
1010
1011 case sUnsupported:
1012 logit("%s line %d: Unsupported option %s",
e9a17296 1013 filename, linenum, arg);
1014 while (arg)
1015 arg = strdelim(&cp);
1016 break;
1017
1018 default:
1019 fatal("%s line %d: Missing handler for opcode %s (%d)",
1020 filename, linenum, arg, opcode);
1021 }
1022 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1023 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1024 filename, linenum, arg);
1025 return 0;
1026}
3c0ef626 1027
e9a17296 1028/* Reads the server configuration file. */
3c0ef626 1029
e9a17296 1030void
1b56ff3d 1031load_server_config(const char *filename, Buffer *conf)
e9a17296 1032{
1b56ff3d 1033 char line[1024], *cp;
ff2d7a98 1034 FILE *f;
e9a17296 1035
1b56ff3d 1036 debug2("%s: filename %s", __func__, filename);
1037 if ((f = fopen(filename, "r")) == NULL) {
e9a17296 1038 perror(filename);
1039 exit(1);
1040 }
1b56ff3d 1041 buffer_clear(conf);
e9a17296 1042 while (fgets(line, sizeof(line), f)) {
1b56ff3d 1043 /*
1044 * Trim out comments and strip whitespace
1045 * NB - preserve newlines, they are needed to reproduce
1046 * line numbers later for error messages
1047 */
1048 if ((cp = strchr(line, '#')) != NULL)
1049 memcpy(cp, "\n", 2);
1050 cp = line + strspn(line, " \t\r");
1051
1052 buffer_append(conf, cp, strlen(cp));
3c0ef626 1053 }
1b56ff3d 1054 buffer_append(conf, "\0", 1);
3c0ef626 1055 fclose(f);
1b56ff3d 1056 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1057}
1058
1059void
1060parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1061{
1062 int linenum, bad_options = 0;
1063 char *cp, *obuf, *cbuf;
1064
1065 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1066
1067 obuf = cbuf = xstrdup(buffer_ptr(conf));
1068 linenum = 1;
34fee935 1069 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1b56ff3d 1070 if (process_server_config_line(options, cp, filename,
1071 linenum++) != 0)
1072 bad_options++;
1073 }
1074 xfree(obuf);
3c0ef626 1075 if (bad_options > 0)
1076 fatal("%s: terminating, %d bad configuration options",
1077 filename, bad_options);
1078}
git-cvsimport mirror of GSI OpenSSH
This page took 0.243824 seconds and 5 git commands to generate.