]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
last appeared in 3.1p1
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
700318f3 13RCSID("$OpenBSD: servconf.c,v 1.109 2002/05/15 21:02:52 markus Exp $");
3c0ef626 14
700318f3 15#if defined(KRB4)
16#include <krb.h>
17#endif
18#if defined(KRB5)
19#ifdef HEIMDAL
3c0ef626 20#include <krb.h>
700318f3 21#else
22/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
23 * keytab */
24#define KEYFILE "/etc/krb5.keytab"
25#endif
3c0ef626 26#endif
27#ifdef AFS
28#include <kafs.h>
29#endif
30
31#include "ssh.h"
32#include "log.h"
33#include "servconf.h"
34#include "xmalloc.h"
35#include "compat.h"
36#include "pathnames.h"
37#include "tildexpand.h"
38#include "misc.h"
39#include "cipher.h"
40#include "kex.h"
41#include "mac.h"
42
43static void add_listen_addr(ServerOptions *, char *, u_short);
44static void add_one_listen_addr(ServerOptions *, char *, u_short);
45
46/* AF_UNSPEC or AF_INET or AF_INET6 */
47extern int IPv4or6;
700318f3 48/* Use of privilege separation or not */
49extern int use_privsep;
3c0ef626 50
51/* Initializes the server options to their default values. */
52
53void
54initialize_server_options(ServerOptions *options)
55{
56 memset(options, 0, sizeof(*options));
57
58 /* Portable-specific options */
59 options->pam_authentication_via_kbd_int = -1;
60
61 /* Standard Options */
62 options->num_ports = 0;
63 options->ports_from_cmdline = 0;
64 options->listen_addrs = NULL;
65 options->num_host_key_files = 0;
66 options->pid_file = NULL;
67 options->server_key_bits = -1;
68 options->login_grace_time = -1;
69 options->key_regeneration_time = -1;
70 options->permit_root_login = PERMIT_NOT_SET;
71 options->ignore_rhosts = -1;
72 options->ignore_user_known_hosts = -1;
73 options->print_motd = -1;
74 options->print_lastlog = -1;
75 options->x11_forwarding = -1;
76 options->x11_display_offset = -1;
e9a17296 77 options->x11_use_localhost = -1;
3c0ef626 78 options->xauth_location = NULL;
79 options->strict_modes = -1;
80 options->keepalives = -1;
e9a17296 81 options->log_facility = SYSLOG_FACILITY_NOT_SET;
82 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 83 options->rhosts_authentication = -1;
84 options->rhosts_rsa_authentication = -1;
85 options->hostbased_authentication = -1;
86 options->hostbased_uses_name_from_packet_only = -1;
87 options->rsa_authentication = -1;
88 options->pubkey_authentication = -1;
89#if defined(KRB4) || defined(KRB5)
90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
93#endif
94#if defined(AFS) || defined(KRB5)
95 options->kerberos_tgt_passing = -1;
96#endif
97#ifdef AFS
98 options->afs_token_passing = -1;
99#endif
100 options->password_authentication = -1;
101 options->kbd_interactive_authentication = -1;
102 options->challenge_response_authentication = -1;
103 options->permit_empty_passwd = -1;
104 options->use_login = -1;
105 options->allow_tcp_forwarding = -1;
106 options->num_allow_users = 0;
107 options->num_deny_users = 0;
108 options->num_allow_groups = 0;
109 options->num_deny_groups = 0;
110 options->ciphers = NULL;
111 options->macs = NULL;
112 options->protocol = SSH_PROTO_UNKNOWN;
113 options->gateway_ports = -1;
114 options->num_subsystems = 0;
115 options->max_startups_begin = -1;
116 options->max_startups_rate = -1;
117 options->max_startups = -1;
118 options->banner = NULL;
e9a17296 119 options->verify_reverse_mapping = -1;
3c0ef626 120 options->client_alive_interval = -1;
121 options->client_alive_count_max = -1;
122 options->authorized_keys_file = NULL;
123 options->authorized_keys_file2 = NULL;
700318f3 124
125 /* Needs to be accessable in many places */
126 use_privsep = -1;
3c0ef626 127}
128
129void
130fill_default_server_options(ServerOptions *options)
131{
132 /* Portable-specific options */
133 if (options->pam_authentication_via_kbd_int == -1)
134 options->pam_authentication_via_kbd_int = 0;
135
136 /* Standard Options */
137 if (options->protocol == SSH_PROTO_UNKNOWN)
138 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
139 if (options->num_host_key_files == 0) {
140 /* fill default hostkeys for protocols */
141 if (options->protocol & SSH_PROTO_1)
e9a17296 142 options->host_key_files[options->num_host_key_files++] =
143 _PATH_HOST_KEY_FILE;
144 if (options->protocol & SSH_PROTO_2) {
145 options->host_key_files[options->num_host_key_files++] =
146 _PATH_HOST_RSA_KEY_FILE;
147 options->host_key_files[options->num_host_key_files++] =
148 _PATH_HOST_DSA_KEY_FILE;
149 }
3c0ef626 150 }
151 if (options->num_ports == 0)
152 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
153 if (options->listen_addrs == NULL)
154 add_listen_addr(options, NULL, 0);
155 if (options->pid_file == NULL)
156 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
157 if (options->server_key_bits == -1)
158 options->server_key_bits = 768;
159 if (options->login_grace_time == -1)
160 options->login_grace_time = 600;
161 if (options->key_regeneration_time == -1)
162 options->key_regeneration_time = 3600;
163 if (options->permit_root_login == PERMIT_NOT_SET)
164 options->permit_root_login = PERMIT_YES;
165 if (options->ignore_rhosts == -1)
166 options->ignore_rhosts = 1;
167 if (options->ignore_user_known_hosts == -1)
168 options->ignore_user_known_hosts = 0;
169 if (options->print_motd == -1)
170 options->print_motd = 1;
171 if (options->print_lastlog == -1)
172 options->print_lastlog = 1;
173 if (options->x11_forwarding == -1)
174 options->x11_forwarding = 0;
175 if (options->x11_display_offset == -1)
176 options->x11_display_offset = 10;
e9a17296 177 if (options->x11_use_localhost == -1)
178 options->x11_use_localhost = 1;
3c0ef626 179 if (options->xauth_location == NULL)
180 options->xauth_location = _PATH_XAUTH;
3c0ef626 181 if (options->strict_modes == -1)
182 options->strict_modes = 1;
183 if (options->keepalives == -1)
184 options->keepalives = 1;
e9a17296 185 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 186 options->log_facility = SYSLOG_FACILITY_AUTH;
e9a17296 187 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 188 options->log_level = SYSLOG_LEVEL_INFO;
189 if (options->rhosts_authentication == -1)
190 options->rhosts_authentication = 0;
191 if (options->rhosts_rsa_authentication == -1)
192 options->rhosts_rsa_authentication = 0;
193 if (options->hostbased_authentication == -1)
194 options->hostbased_authentication = 0;
195 if (options->hostbased_uses_name_from_packet_only == -1)
196 options->hostbased_uses_name_from_packet_only = 0;
197 if (options->rsa_authentication == -1)
198 options->rsa_authentication = 1;
199 if (options->pubkey_authentication == -1)
200 options->pubkey_authentication = 1;
201#if defined(KRB4) || defined(KRB5)
202 if (options->kerberos_authentication == -1)
700318f3 203 options->kerberos_authentication = 0;
3c0ef626 204 if (options->kerberos_or_local_passwd == -1)
205 options->kerberos_or_local_passwd = 1;
206 if (options->kerberos_ticket_cleanup == -1)
207 options->kerberos_ticket_cleanup = 1;
208#endif
209#if defined(AFS) || defined(KRB5)
210 if (options->kerberos_tgt_passing == -1)
211 options->kerberos_tgt_passing = 0;
212#endif
e9a17296 213#ifdef AFS
3c0ef626 214 if (options->afs_token_passing == -1)
700318f3 215 options->afs_token_passing = 0;
3c0ef626 216#endif
217 if (options->password_authentication == -1)
218 options->password_authentication = 1;
219 if (options->kbd_interactive_authentication == -1)
220 options->kbd_interactive_authentication = 0;
221 if (options->challenge_response_authentication == -1)
222 options->challenge_response_authentication = 1;
223 if (options->permit_empty_passwd == -1)
224 options->permit_empty_passwd = 0;
225 if (options->use_login == -1)
226 options->use_login = 0;
227 if (options->allow_tcp_forwarding == -1)
228 options->allow_tcp_forwarding = 1;
229 if (options->gateway_ports == -1)
230 options->gateway_ports = 0;
231 if (options->max_startups == -1)
232 options->max_startups = 10;
233 if (options->max_startups_rate == -1)
234 options->max_startups_rate = 100; /* 100% */
235 if (options->max_startups_begin == -1)
236 options->max_startups_begin = options->max_startups;
e9a17296 237 if (options->verify_reverse_mapping == -1)
238 options->verify_reverse_mapping = 0;
3c0ef626 239 if (options->client_alive_interval == -1)
e9a17296 240 options->client_alive_interval = 0;
3c0ef626 241 if (options->client_alive_count_max == -1)
242 options->client_alive_count_max = 3;
243 if (options->authorized_keys_file2 == NULL) {
244 /* authorized_keys_file2 falls back to authorized_keys_file */
245 if (options->authorized_keys_file != NULL)
246 options->authorized_keys_file2 = options->authorized_keys_file;
247 else
248 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
249 }
250 if (options->authorized_keys_file == NULL)
251 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
700318f3 252
253 /* Turn privilege separation _off_ by default */
254 if (use_privsep == -1)
255 use_privsep = 0;
3c0ef626 256}
257
258/* Keyword tokens. */
259typedef enum {
260 sBadOption, /* == unknown option */
261 /* Portable-specific options */
262 sPAMAuthenticationViaKbdInt,
263 /* Standard Options */
264 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
265 sPermitRootLogin, sLogFacility, sLogLevel,
266 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
267#if defined(KRB4) || defined(KRB5)
268 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
269#endif
270#if defined(AFS) || defined(KRB5)
271 sKerberosTgtPassing,
272#endif
273#ifdef AFS
274 sAFSTokenPassing,
275#endif
276 sChallengeResponseAuthentication,
277 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
278 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9a17296 279 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
3c0ef626 280 sStrictModes, sEmptyPasswd, sKeepAlives,
281 sUseLogin, sAllowTcpForwarding,
282 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
283 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
284 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
e9a17296 285 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
286 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 287 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
700318f3 288 sUsePrivilegeSeparation,
e9a17296 289 sDeprecated
3c0ef626 290} ServerOpCodes;
291
292/* Textual representation of the tokens. */
293static struct {
294 const char *name;
295 ServerOpCodes opcode;
296} keywords[] = {
297 /* Portable-specific options */
298 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
299 /* Standard Options */
300 { "port", sPort },
301 { "hostkey", sHostKeyFile },
302 { "hostdsakey", sHostKeyFile }, /* alias */
303 { "pidfile", sPidFile },
304 { "serverkeybits", sServerKeyBits },
305 { "logingracetime", sLoginGraceTime },
306 { "keyregenerationinterval", sKeyRegenerationTime },
307 { "permitrootlogin", sPermitRootLogin },
308 { "syslogfacility", sLogFacility },
309 { "loglevel", sLogLevel },
310 { "rhostsauthentication", sRhostsAuthentication },
311 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
312 { "hostbasedauthentication", sHostbasedAuthentication },
313 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
314 { "rsaauthentication", sRSAAuthentication },
315 { "pubkeyauthentication", sPubkeyAuthentication },
316 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
317#if defined(KRB4) || defined(KRB5)
318 { "kerberosauthentication", sKerberosAuthentication },
319 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
320 { "kerberosticketcleanup", sKerberosTicketCleanup },
321#endif
322#if defined(AFS) || defined(KRB5)
323 { "kerberostgtpassing", sKerberosTgtPassing },
324#endif
325#ifdef AFS
326 { "afstokenpassing", sAFSTokenPassing },
327#endif
328 { "passwordauthentication", sPasswordAuthentication },
329 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
330 { "challengeresponseauthentication", sChallengeResponseAuthentication },
331 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
332 { "checkmail", sDeprecated },
333 { "listenaddress", sListenAddress },
334 { "printmotd", sPrintMotd },
335 { "printlastlog", sPrintLastLog },
336 { "ignorerhosts", sIgnoreRhosts },
337 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
338 { "x11forwarding", sX11Forwarding },
339 { "x11displayoffset", sX11DisplayOffset },
e9a17296 340 { "x11uselocalhost", sX11UseLocalhost },
3c0ef626 341 { "xauthlocation", sXAuthLocation },
342 { "strictmodes", sStrictModes },
343 { "permitemptypasswords", sEmptyPasswd },
344 { "uselogin", sUseLogin },
345 { "keepalive", sKeepAlives },
346 { "allowtcpforwarding", sAllowTcpForwarding },
347 { "allowusers", sAllowUsers },
348 { "denyusers", sDenyUsers },
349 { "allowgroups", sAllowGroups },
350 { "denygroups", sDenyGroups },
351 { "ciphers", sCiphers },
352 { "macs", sMacs },
353 { "protocol", sProtocol },
354 { "gatewayports", sGatewayPorts },
355 { "subsystem", sSubsystem },
356 { "maxstartups", sMaxStartups },
357 { "banner", sBanner },
e9a17296 358 { "verifyreversemapping", sVerifyReverseMapping },
359 { "reversemappingcheck", sVerifyReverseMapping },
3c0ef626 360 { "clientaliveinterval", sClientAliveInterval },
361 { "clientalivecountmax", sClientAliveCountMax },
362 { "authorizedkeysfile", sAuthorizedKeysFile },
363 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
700318f3 364 { "useprivilegeseparation", sUsePrivilegeSeparation},
e9a17296 365 { NULL, sBadOption }
3c0ef626 366};
367
368/*
369 * Returns the number of the token pointed to by cp or sBadOption.
370 */
371
372static ServerOpCodes
373parse_token(const char *cp, const char *filename,
374 int linenum)
375{
376 u_int i;
377
378 for (i = 0; keywords[i].name; i++)
379 if (strcasecmp(cp, keywords[i].name) == 0)
380 return keywords[i].opcode;
381
382 error("%s: line %d: Bad configuration option: %s",
383 filename, linenum, cp);
384 return sBadOption;
385}
386
387static void
388add_listen_addr(ServerOptions *options, char *addr, u_short port)
389{
390 int i;
391
392 if (options->num_ports == 0)
393 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
394 if (port == 0)
395 for (i = 0; i < options->num_ports; i++)
396 add_one_listen_addr(options, addr, options->ports[i]);
397 else
398 add_one_listen_addr(options, addr, port);
399}
400
401static void
402add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
403{
404 struct addrinfo hints, *ai, *aitop;
405 char strport[NI_MAXSERV];
406 int gaierr;
407
408 memset(&hints, 0, sizeof(hints));
409 hints.ai_family = IPv4or6;
410 hints.ai_socktype = SOCK_STREAM;
411 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
412 snprintf(strport, sizeof strport, "%d", port);
413 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
414 fatal("bad addr or host: %s (%s)",
415 addr ? addr : "<NULL>",
416 gai_strerror(gaierr));
417 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
418 ;
419 ai->ai_next = options->listen_addrs;
420 options->listen_addrs = aitop;
421}
422
e9a17296 423int
424process_server_config_line(ServerOptions *options, char *line,
425 const char *filename, int linenum)
3c0ef626 426{
3c0ef626 427 char *cp, **charptr, *arg, *p;
e9a17296 428 int *intptr, value;
3c0ef626 429 ServerOpCodes opcode;
430 int i, n;
431
e9a17296 432 cp = line;
433 arg = strdelim(&cp);
434 /* Ignore leading whitespace */
435 if (*arg == '\0')
3c0ef626 436 arg = strdelim(&cp);
e9a17296 437 if (!arg || !*arg || *arg == '#')
438 return 0;
439 intptr = NULL;
440 charptr = NULL;
441 opcode = parse_token(arg, filename, linenum);
442 switch (opcode) {
443 /* Portable-specific options */
444 case sPAMAuthenticationViaKbdInt:
445 intptr = &options->pam_authentication_via_kbd_int;
446 goto parse_flag;
3c0ef626 447
e9a17296 448 /* Standard Options */
449 case sBadOption:
450 return -1;
451 case sPort:
452 /* ignore ports from configfile if cmdline specifies ports */
453 if (options->ports_from_cmdline)
454 return 0;
455 if (options->listen_addrs != NULL)
456 fatal("%s line %d: ports must be specified before "
457 "ListenAddress.", filename, linenum);
458 if (options->num_ports >= MAX_PORTS)
459 fatal("%s line %d: too many ports.",
460 filename, linenum);
461 arg = strdelim(&cp);
462 if (!arg || *arg == '\0')
463 fatal("%s line %d: missing port number.",
464 filename, linenum);
465 options->ports[options->num_ports++] = a2port(arg);
466 if (options->ports[options->num_ports-1] == 0)
467 fatal("%s line %d: Badly formatted port number.",
468 filename, linenum);
469 break;
470
471 case sServerKeyBits:
472 intptr = &options->server_key_bits;
3c0ef626 473parse_int:
e9a17296 474 arg = strdelim(&cp);
475 if (!arg || *arg == '\0')
476 fatal("%s line %d: missing integer value.",
477 filename, linenum);
478 value = atoi(arg);
479 if (*intptr == -1)
480 *intptr = value;
481 break;
482
483 case sLoginGraceTime:
484 intptr = &options->login_grace_time;
3c0ef626 485parse_time:
e9a17296 486 arg = strdelim(&cp);
487 if (!arg || *arg == '\0')
488 fatal("%s line %d: missing time value.",
489 filename, linenum);
490 if ((value = convtime(arg)) == -1)
491 fatal("%s line %d: invalid time value.",
492 filename, linenum);
493 if (*intptr == -1)
494 *intptr = value;
495 break;
496
497 case sKeyRegenerationTime:
498 intptr = &options->key_regeneration_time;
499 goto parse_time;
500
501 case sListenAddress:
502 arg = strdelim(&cp);
503 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
504 fatal("%s line %d: missing inet addr.",
505 filename, linenum);
506 if (*arg == '[') {
507 if ((p = strchr(arg, ']')) == NULL)
508 fatal("%s line %d: bad ipv6 inet addr usage.",
3c0ef626 509 filename, linenum);
e9a17296 510 arg++;
511 memmove(p, p+1, strlen(p+1)+1);
512 } else if (((p = strchr(arg, ':')) == NULL) ||
513 (strchr(p+1, ':') != NULL)) {
514 add_listen_addr(options, arg, 0);
3c0ef626 515 break;
e9a17296 516 }
517 if (*p == ':') {
518 u_short port;
3c0ef626 519
e9a17296 520 p++;
521 if (*p == '\0')
522 fatal("%s line %d: bad inet addr:port usage.",
3c0ef626 523 filename, linenum);
e9a17296 524 else {
525 *(p-1) = '\0';
526 if ((port = a2port(p)) == 0)
527 fatal("%s line %d: bad port number.",
3c0ef626 528 filename, linenum);
e9a17296 529 add_listen_addr(options, arg, port);
3c0ef626 530 }
e9a17296 531 } else if (*p == '\0')
532 add_listen_addr(options, arg, 0);
533 else
534 fatal("%s line %d: bad inet addr usage.",
535 filename, linenum);
536 break;
537
538 case sHostKeyFile:
539 intptr = &options->num_host_key_files;
540 if (*intptr >= MAX_HOSTKEYS)
541 fatal("%s line %d: too many host keys specified (max %d).",
542 filename, linenum, MAX_HOSTKEYS);
543 charptr = &options->host_key_files[*intptr];
3c0ef626 544parse_filename:
e9a17296 545 arg = strdelim(&cp);
546 if (!arg || *arg == '\0')
547 fatal("%s line %d: missing file name.",
548 filename, linenum);
549 if (*charptr == NULL) {
550 *charptr = tilde_expand_filename(arg, getuid());
551 /* increase optional counter */
552 if (intptr != NULL)
553 *intptr = *intptr + 1;
554 }
555 break;
3c0ef626 556
e9a17296 557 case sPidFile:
558 charptr = &options->pid_file;
559 goto parse_filename;
3c0ef626 560
e9a17296 561 case sPermitRootLogin:
562 intptr = &options->permit_root_login;
563 arg = strdelim(&cp);
564 if (!arg || *arg == '\0')
565 fatal("%s line %d: missing yes/"
566 "without-password/forced-commands-only/no "
567 "argument.", filename, linenum);
568 value = 0; /* silence compiler */
569 if (strcmp(arg, "without-password") == 0)
570 value = PERMIT_NO_PASSWD;
571 else if (strcmp(arg, "forced-commands-only") == 0)
572 value = PERMIT_FORCED_ONLY;
573 else if (strcmp(arg, "yes") == 0)
574 value = PERMIT_YES;
575 else if (strcmp(arg, "no") == 0)
576 value = PERMIT_NO;
577 else
578 fatal("%s line %d: Bad yes/"
579 "without-password/forced-commands-only/no "
580 "argument: %s", filename, linenum, arg);
581 if (*intptr == -1)
582 *intptr = value;
583 break;
584
585 case sIgnoreRhosts:
586 intptr = &options->ignore_rhosts;
3c0ef626 587parse_flag:
e9a17296 588 arg = strdelim(&cp);
589 if (!arg || *arg == '\0')
590 fatal("%s line %d: missing yes/no argument.",
591 filename, linenum);
592 value = 0; /* silence compiler */
593 if (strcmp(arg, "yes") == 0)
594 value = 1;
595 else if (strcmp(arg, "no") == 0)
596 value = 0;
597 else
598 fatal("%s line %d: Bad yes/no argument: %s",
599 filename, linenum, arg);
600 if (*intptr == -1)
601 *intptr = value;
602 break;
603
604 case sIgnoreUserKnownHosts:
605 intptr = &options->ignore_user_known_hosts;
606 goto parse_flag;
607
608 case sRhostsAuthentication:
609 intptr = &options->rhosts_authentication;
610 goto parse_flag;
611
612 case sRhostsRSAAuthentication:
613 intptr = &options->rhosts_rsa_authentication;
614 goto parse_flag;
615
616 case sHostbasedAuthentication:
617 intptr = &options->hostbased_authentication;
618 goto parse_flag;
619
620 case sHostbasedUsesNameFromPacketOnly:
621 intptr = &options->hostbased_uses_name_from_packet_only;
622 goto parse_flag;
623
624 case sRSAAuthentication:
625 intptr = &options->rsa_authentication;
626 goto parse_flag;
627
628 case sPubkeyAuthentication:
629 intptr = &options->pubkey_authentication;
630 goto parse_flag;
631#if defined(KRB4) || defined(KRB5)
632 case sKerberosAuthentication:
633 intptr = &options->kerberos_authentication;
634 goto parse_flag;
3c0ef626 635
e9a17296 636 case sKerberosOrLocalPasswd:
637 intptr = &options->kerberos_or_local_passwd;
638 goto parse_flag;
3c0ef626 639
e9a17296 640 case sKerberosTicketCleanup:
641 intptr = &options->kerberos_ticket_cleanup;
642 goto parse_flag;
643#endif
644#if defined(AFS) || defined(KRB5)
645 case sKerberosTgtPassing:
646 intptr = &options->kerberos_tgt_passing;
647 goto parse_flag;
648#endif
649#ifdef AFS
650 case sAFSTokenPassing:
651 intptr = &options->afs_token_passing;
652 goto parse_flag;
653#endif
3c0ef626 654
e9a17296 655 case sPasswordAuthentication:
656 intptr = &options->password_authentication;
657 goto parse_flag;
3c0ef626 658
e9a17296 659 case sKbdInteractiveAuthentication:
660 intptr = &options->kbd_interactive_authentication;
661 goto parse_flag;
3c0ef626 662
e9a17296 663 case sChallengeResponseAuthentication:
664 intptr = &options->challenge_response_authentication;
665 goto parse_flag;
3c0ef626 666
e9a17296 667 case sPrintMotd:
668 intptr = &options->print_motd;
669 goto parse_flag;
3c0ef626 670
e9a17296 671 case sPrintLastLog:
672 intptr = &options->print_lastlog;
673 goto parse_flag;
3c0ef626 674
e9a17296 675 case sX11Forwarding:
676 intptr = &options->x11_forwarding;
677 goto parse_flag;
3c0ef626 678
e9a17296 679 case sX11DisplayOffset:
680 intptr = &options->x11_display_offset;
681 goto parse_int;
3c0ef626 682
e9a17296 683 case sX11UseLocalhost:
684 intptr = &options->x11_use_localhost;
685 goto parse_flag;
3c0ef626 686
e9a17296 687 case sXAuthLocation:
688 charptr = &options->xauth_location;
689 goto parse_filename;
3c0ef626 690
e9a17296 691 case sStrictModes:
692 intptr = &options->strict_modes;
693 goto parse_flag;
3c0ef626 694
e9a17296 695 case sKeepAlives:
696 intptr = &options->keepalives;
697 goto parse_flag;
3c0ef626 698
e9a17296 699 case sEmptyPasswd:
700 intptr = &options->permit_empty_passwd;
701 goto parse_flag;
3c0ef626 702
e9a17296 703 case sUseLogin:
704 intptr = &options->use_login;
705 goto parse_flag;
3c0ef626 706
e9a17296 707 case sGatewayPorts:
708 intptr = &options->gateway_ports;
709 goto parse_flag;
3c0ef626 710
e9a17296 711 case sVerifyReverseMapping:
712 intptr = &options->verify_reverse_mapping;
713 goto parse_flag;
3c0ef626 714
e9a17296 715 case sLogFacility:
716 intptr = (int *) &options->log_facility;
717 arg = strdelim(&cp);
718 value = log_facility_number(arg);
719 if (value == SYSLOG_FACILITY_NOT_SET)
720 fatal("%.200s line %d: unsupported log facility '%s'",
721 filename, linenum, arg ? arg : "<NONE>");
722 if (*intptr == -1)
723 *intptr = (SyslogFacility) value;
724 break;
725
726 case sLogLevel:
727 intptr = (int *) &options->log_level;
728 arg = strdelim(&cp);
729 value = log_level_number(arg);
730 if (value == SYSLOG_LEVEL_NOT_SET)
731 fatal("%.200s line %d: unsupported log level '%s'",
732 filename, linenum, arg ? arg : "<NONE>");
733 if (*intptr == -1)
734 *intptr = (LogLevel) value;
735 break;
736
737 case sAllowTcpForwarding:
738 intptr = &options->allow_tcp_forwarding;
739 goto parse_flag;
740
700318f3 741 case sUsePrivilegeSeparation:
742 intptr = &use_privsep;
743 goto parse_flag;
744
e9a17296 745 case sAllowUsers:
746 while ((arg = strdelim(&cp)) && *arg != '\0') {
747 if (options->num_allow_users >= MAX_ALLOW_USERS)
748 fatal("%s line %d: too many allow users.",
749 filename, linenum);
750 options->allow_users[options->num_allow_users++] = xstrdup(arg);
751 }
752 break;
3c0ef626 753
e9a17296 754 case sDenyUsers:
755 while ((arg = strdelim(&cp)) && *arg != '\0') {
756 if (options->num_deny_users >= MAX_DENY_USERS)
757 fatal( "%s line %d: too many deny users.",
758 filename, linenum);
759 options->deny_users[options->num_deny_users++] = xstrdup(arg);
760 }
761 break;
3c0ef626 762
e9a17296 763 case sAllowGroups:
764 while ((arg = strdelim(&cp)) && *arg != '\0') {
765 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
766 fatal("%s line %d: too many allow groups.",
767 filename, linenum);
768 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
769 }
770 break;
3c0ef626 771
e9a17296 772 case sDenyGroups:
773 while ((arg = strdelim(&cp)) && *arg != '\0') {
774 if (options->num_deny_groups >= MAX_DENY_GROUPS)
775 fatal("%s line %d: too many deny groups.",
776 filename, linenum);
777 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
778 }
779 break;
780
781 case sCiphers:
782 arg = strdelim(&cp);
783 if (!arg || *arg == '\0')
784 fatal("%s line %d: Missing argument.", filename, linenum);
785 if (!ciphers_valid(arg))
786 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
787 filename, linenum, arg ? arg : "<NONE>");
788 if (options->ciphers == NULL)
789 options->ciphers = xstrdup(arg);
790 break;
791
792 case sMacs:
793 arg = strdelim(&cp);
794 if (!arg || *arg == '\0')
795 fatal("%s line %d: Missing argument.", filename, linenum);
796 if (!mac_valid(arg))
797 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
798 filename, linenum, arg ? arg : "<NONE>");
799 if (options->macs == NULL)
800 options->macs = xstrdup(arg);
801 break;
802
803 case sProtocol:
804 intptr = &options->protocol;
805 arg = strdelim(&cp);
806 if (!arg || *arg == '\0')
807 fatal("%s line %d: Missing argument.", filename, linenum);
808 value = proto_spec(arg);
809 if (value == SSH_PROTO_UNKNOWN)
810 fatal("%s line %d: Bad protocol spec '%s'.",
811 filename, linenum, arg ? arg : "<NONE>");
812 if (*intptr == SSH_PROTO_UNKNOWN)
813 *intptr = value;
814 break;
815
816 case sSubsystem:
817 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
818 fatal("%s line %d: too many subsystems defined.",
819 filename, linenum);
820 }
821 arg = strdelim(&cp);
822 if (!arg || *arg == '\0')
823 fatal("%s line %d: Missing subsystem name.",
824 filename, linenum);
825 for (i = 0; i < options->num_subsystems; i++)
826 if (strcmp(arg, options->subsystem_name[i]) == 0)
827 fatal("%s line %d: Subsystem '%s' already defined.",
828 filename, linenum, arg);
829 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
830 arg = strdelim(&cp);
831 if (!arg || *arg == '\0')
832 fatal("%s line %d: Missing subsystem command.",
833 filename, linenum);
834 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
835 options->num_subsystems++;
836 break;
837
838 case sMaxStartups:
839 arg = strdelim(&cp);
840 if (!arg || *arg == '\0')
841 fatal("%s line %d: Missing MaxStartups spec.",
842 filename, linenum);
843 if ((n = sscanf(arg, "%d:%d:%d",
844 &options->max_startups_begin,
845 &options->max_startups_rate,
846 &options->max_startups)) == 3) {
847 if (options->max_startups_begin >
848 options->max_startups ||
849 options->max_startups_rate > 100 ||
850 options->max_startups_rate < 1)
3c0ef626 851 fatal("%s line %d: Illegal MaxStartups spec.",
852 filename, linenum);
e9a17296 853 } else if (n != 1)
854 fatal("%s line %d: Illegal MaxStartups spec.",
855 filename, linenum);
856 else
857 options->max_startups = options->max_startups_begin;
858 break;
859
860 case sBanner:
861 charptr = &options->banner;
862 goto parse_filename;
863 /*
864 * These options can contain %X options expanded at
865 * connect time, so that you can specify paths like:
866 *
867 * AuthorizedKeysFile /etc/ssh_keys/%u
868 */
869 case sAuthorizedKeysFile:
870 case sAuthorizedKeysFile2:
871 charptr = (opcode == sAuthorizedKeysFile ) ?
872 &options->authorized_keys_file :
873 &options->authorized_keys_file2;
874 goto parse_filename;
875
876 case sClientAliveInterval:
877 intptr = &options->client_alive_interval;
878 goto parse_time;
879
880 case sClientAliveCountMax:
881 intptr = &options->client_alive_count_max;
882 goto parse_int;
883
884 case sDeprecated:
885 log("%s line %d: Deprecated option %s",
886 filename, linenum, arg);
887 while (arg)
888 arg = strdelim(&cp);
889 break;
890
891 default:
892 fatal("%s line %d: Missing handler for opcode %s (%d)",
893 filename, linenum, arg, opcode);
894 }
895 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
896 fatal("%s line %d: garbage at end of line; \"%.200s\".",
897 filename, linenum, arg);
898 return 0;
899}
3c0ef626 900
e9a17296 901/* Reads the server configuration file. */
3c0ef626 902
e9a17296 903void
904read_server_config(ServerOptions *options, const char *filename)
905{
906 FILE *f;
907 char line[1024];
908 int linenum;
909 int bad_options = 0;
910
911 f = fopen(filename, "r");
912 if (!f) {
913 perror(filename);
914 exit(1);
915 }
916 linenum = 0;
917 while (fgets(line, sizeof(line), f)) {
918 /* Update line number counter. */
919 linenum++;
920 if (process_server_config_line(options, line, filename, linenum) != 0)
921 bad_options++;
3c0ef626 922 }
923 fclose(f);
924 if (bad_options > 0)
925 fatal("%s: terminating, %d bad configuration options",
926 filename, bad_options);
927}
git-cvsimport mirror of GSI OpenSSH
This page took 1.045965 seconds and 5 git commands to generate.