]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
merged OPENSSH_3_8P1_GSSAPI_20040304 to gpt-branch
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
416fd2a8 13RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $");
3c0ef626 14
15#include "ssh.h"
16#include "log.h"
17#include "servconf.h"
18#include "xmalloc.h"
19#include "compat.h"
20#include "pathnames.h"
21#include "tildexpand.h"
22#include "misc.h"
23#include "cipher.h"
24#include "kex.h"
25#include "mac.h"
26
27static void add_listen_addr(ServerOptions *, char *, u_short);
28static void add_one_listen_addr(ServerOptions *, char *, u_short);
29
30/* AF_UNSPEC or AF_INET or AF_INET6 */
31extern int IPv4or6;
2980ea68 32/* Use of privilege separation or not */
33extern int use_privsep;
3c0ef626 34
35/* Initializes the server options to their default values. */
36
37void
38initialize_server_options(ServerOptions *options)
39{
40 memset(options, 0, sizeof(*options));
41
42 /* Portable-specific options */
70791e56 43 options->use_pam = -1;
3c0ef626 44
45 /* Standard Options */
46 options->num_ports = 0;
47 options->ports_from_cmdline = 0;
48 options->listen_addrs = NULL;
49 options->num_host_key_files = 0;
50 options->pid_file = NULL;
51 options->server_key_bits = -1;
52 options->login_grace_time = -1;
53 options->key_regeneration_time = -1;
54 options->permit_root_login = PERMIT_NOT_SET;
55 options->ignore_rhosts = -1;
56 options->ignore_user_known_hosts = -1;
57 options->print_motd = -1;
58 options->print_lastlog = -1;
59 options->x11_forwarding = -1;
60 options->x11_display_offset = -1;
e9a17296 61 options->x11_use_localhost = -1;
3c0ef626 62 options->xauth_location = NULL;
63 options->strict_modes = -1;
416fd2a8 64 options->tcp_keep_alive = -1;
e9a17296 65 options->log_facility = SYSLOG_FACILITY_NOT_SET;
66 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 67 options->rhosts_rsa_authentication = -1;
68 options->hostbased_authentication = -1;
69 options->hostbased_uses_name_from_packet_only = -1;
70 options->rsa_authentication = -1;
71 options->pubkey_authentication = -1;
3c0ef626 72 options->kerberos_authentication = -1;
73 options->kerberos_or_local_passwd = -1;
74 options->kerberos_ticket_cleanup = -1;
88928908 75#ifdef SESSION_HOOKS
76 options->session_hooks_allow = -1;
77 options->session_hooks_startup_cmd = NULL;
78 options->session_hooks_shutdown_cmd = NULL;
3c0ef626 79#endif
416fd2a8 80 options->kerberos_get_afs_token = -1;
70791e56 81 options->gss_authentication=-1;
82 options->gss_keyex=-1;
83 options->gss_use_session_ccache = -1;
84 options->gss_cleanup_creds = -1;
3c0ef626 85 options->password_authentication = -1;
86 options->kbd_interactive_authentication = -1;
87 options->challenge_response_authentication = -1;
88 options->permit_empty_passwd = -1;
e54b3d7c 89 options->permit_user_env = -1;
3c0ef626 90 options->use_login = -1;
ff2d7a98 91 options->compression = -1;
3c0ef626 92 options->allow_tcp_forwarding = -1;
93 options->num_allow_users = 0;
94 options->num_deny_users = 0;
95 options->num_allow_groups = 0;
96 options->num_deny_groups = 0;
97 options->ciphers = NULL;
98 options->macs = NULL;
99 options->protocol = SSH_PROTO_UNKNOWN;
100 options->gateway_ports = -1;
101 options->num_subsystems = 0;
102 options->max_startups_begin = -1;
103 options->max_startups_rate = -1;
104 options->max_startups = -1;
105 options->banner = NULL;
70791e56 106 options->use_dns = -1;
3c0ef626 107 options->client_alive_interval = -1;
108 options->client_alive_count_max = -1;
109 options->authorized_keys_file = NULL;
110 options->authorized_keys_file2 = NULL;
2980ea68 111
112 /* Needs to be accessable in many places */
113 use_privsep = -1;
3c0ef626 114}
115
116void
117fill_default_server_options(ServerOptions *options)
118{
119 /* Portable-specific options */
70791e56 120 if (options->use_pam == -1)
121 options->use_pam = 0;
3c0ef626 122
123 /* Standard Options */
124 if (options->protocol == SSH_PROTO_UNKNOWN)
125 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
126 if (options->num_host_key_files == 0) {
127 /* fill default hostkeys for protocols */
128 if (options->protocol & SSH_PROTO_1)
e9a17296 129 options->host_key_files[options->num_host_key_files++] =
130 _PATH_HOST_KEY_FILE;
131 if (options->protocol & SSH_PROTO_2) {
132 options->host_key_files[options->num_host_key_files++] =
133 _PATH_HOST_RSA_KEY_FILE;
134 options->host_key_files[options->num_host_key_files++] =
135 _PATH_HOST_DSA_KEY_FILE;
136 }
3c0ef626 137 }
138 if (options->num_ports == 0)
139 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
140 if (options->listen_addrs == NULL)
141 add_listen_addr(options, NULL, 0);
142 if (options->pid_file == NULL)
143 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
144 if (options->server_key_bits == -1)
145 options->server_key_bits = 768;
146 if (options->login_grace_time == -1)
e54b3d7c 147 options->login_grace_time = 120;
3c0ef626 148 if (options->key_regeneration_time == -1)
149 options->key_regeneration_time = 3600;
150 if (options->permit_root_login == PERMIT_NOT_SET)
151 options->permit_root_login = PERMIT_YES;
152 if (options->ignore_rhosts == -1)
153 options->ignore_rhosts = 1;
154 if (options->ignore_user_known_hosts == -1)
155 options->ignore_user_known_hosts = 0;
156 if (options->print_motd == -1)
157 options->print_motd = 1;
158 if (options->print_lastlog == -1)
159 options->print_lastlog = 1;
160 if (options->x11_forwarding == -1)
161 options->x11_forwarding = 0;
162 if (options->x11_display_offset == -1)
163 options->x11_display_offset = 10;
e9a17296 164 if (options->x11_use_localhost == -1)
165 options->x11_use_localhost = 1;
3c0ef626 166 if (options->xauth_location == NULL)
167 options->xauth_location = _PATH_XAUTH;
3c0ef626 168 if (options->strict_modes == -1)
169 options->strict_modes = 1;
416fd2a8 170 if (options->tcp_keep_alive == -1)
171 options->tcp_keep_alive = 1;
e9a17296 172 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 173 options->log_facility = SYSLOG_FACILITY_AUTH;
e9a17296 174 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 175 options->log_level = SYSLOG_LEVEL_INFO;
3c0ef626 176 if (options->rhosts_rsa_authentication == -1)
177 options->rhosts_rsa_authentication = 0;
178 if (options->hostbased_authentication == -1)
179 options->hostbased_authentication = 0;
180 if (options->hostbased_uses_name_from_packet_only == -1)
181 options->hostbased_uses_name_from_packet_only = 0;
182 if (options->rsa_authentication == -1)
183 options->rsa_authentication = 1;
184 if (options->pubkey_authentication == -1)
185 options->pubkey_authentication = 1;
70791e56 186 if (options->kerberos_authentication == -1)
187 options->kerberos_authentication = 0;
188 if (options->kerberos_or_local_passwd == -1)
189 options->kerberos_or_local_passwd = 1;
190 if (options->kerberos_ticket_cleanup == -1)
191 options->kerberos_ticket_cleanup = 1;
416fd2a8 192 if (options->kerberos_get_afs_token == -1)
193 options->kerberos_get_afs_token = 0;
b9a54c29 194 if (options->gss_authentication == -1)
195 options->gss_authentication = 1;
196 if (options->gss_keyex == -1)
70791e56 197 options->gss_keyex = 1;
b9a54c29 198 if (options->gss_use_session_ccache == -1)
199 options->gss_use_session_ccache = 1;
200 if (options->gss_cleanup_creds == -1)
201 options->gss_cleanup_creds = 1;
3c0ef626 202 if (options->password_authentication == -1)
203 options->password_authentication = 1;
204 if (options->kbd_interactive_authentication == -1)
205 options->kbd_interactive_authentication = 0;
206 if (options->challenge_response_authentication == -1)
207 options->challenge_response_authentication = 1;
208 if (options->permit_empty_passwd == -1)
209 options->permit_empty_passwd = 0;
e54b3d7c 210 if (options->permit_user_env == -1)
211 options->permit_user_env = 0;
3c0ef626 212 if (options->use_login == -1)
213 options->use_login = 0;
ff2d7a98 214 if (options->compression == -1)
215 options->compression = 1;
3c0ef626 216 if (options->allow_tcp_forwarding == -1)
217 options->allow_tcp_forwarding = 1;
218 if (options->gateway_ports == -1)
219 options->gateway_ports = 0;
220 if (options->max_startups == -1)
221 options->max_startups = 10;
222 if (options->max_startups_rate == -1)
223 options->max_startups_rate = 100; /* 100% */
224 if (options->max_startups_begin == -1)
225 options->max_startups_begin = options->max_startups;
70791e56 226 if (options->use_dns == -1)
227 options->use_dns = 1;
3c0ef626 228 if (options->client_alive_interval == -1)
e9a17296 229 options->client_alive_interval = 0;
3c0ef626 230 if (options->client_alive_count_max == -1)
231 options->client_alive_count_max = 3;
232 if (options->authorized_keys_file2 == NULL) {
233 /* authorized_keys_file2 falls back to authorized_keys_file */
234 if (options->authorized_keys_file != NULL)
235 options->authorized_keys_file2 = options->authorized_keys_file;
236 else
237 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
238 }
239 if (options->authorized_keys_file == NULL)
240 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
2980ea68 241
ff2d7a98 242 /* Turn privilege separation on by default */
2980ea68 243 if (use_privsep == -1)
ff2d7a98 244 use_privsep = 1;
245
e54b3d7c 246#ifndef HAVE_MMAP
ff2d7a98 247 if (use_privsep && options->compression == 1) {
248 error("This platform does not support both privilege "
249 "separation and compression");
250 error("Compression disabled");
251 options->compression = 0;
252 }
253#endif
254
3c0ef626 255}
256
257/* Keyword tokens. */
258typedef enum {
259 sBadOption, /* == unknown option */
260 /* Portable-specific options */
70791e56 261 sUsePAM,
3c0ef626 262 /* Standard Options */
263 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
264 sPermitRootLogin, sLogFacility, sLogLevel,
70791e56 265 sRhostsRSAAuthentication, sRSAAuthentication,
3c0ef626 266 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
416fd2a8 267 sKerberosGetAFSToken,
70791e56 268 sKerberosTgtPassing, sChallengeResponseAuthentication,
88928908 269#ifdef SESSION_HOOKS
270 sAllowSessionHooks, sSessionHookStartupCmd, sSessionHookShutdownCmd,
3c0ef626 271#endif
3c0ef626 272 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
273 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9a17296 274 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
416fd2a8 275 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
e54b3d7c 276 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
3c0ef626 277 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
278 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
279 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
70791e56 280 sBanner, sUseDNS, sHostbasedAuthentication,
e9a17296 281 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 282 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
70791e56 283 sGssAuthentication, sGssKeyEx, sGssUseSessionCredCache, sGssCleanupCreds,
2980ea68 284 sUsePrivilegeSeparation,
70791e56 285 sDeprecated, sUnsupported
3c0ef626 286} ServerOpCodes;
287
288/* Textual representation of the tokens. */
289static struct {
290 const char *name;
291 ServerOpCodes opcode;
292} keywords[] = {
293 /* Portable-specific options */
70791e56 294#ifdef USE_PAM
295 { "usepam", sUsePAM },
296#else
297 { "usepam", sUnsupported },
298#endif
299 { "pamauthenticationviakbdint", sDeprecated },
3c0ef626 300 /* Standard Options */
301 { "port", sPort },
302 { "hostkey", sHostKeyFile },
303 { "hostdsakey", sHostKeyFile }, /* alias */
304 { "pidfile", sPidFile },
305 { "serverkeybits", sServerKeyBits },
306 { "logingracetime", sLoginGraceTime },
307 { "keyregenerationinterval", sKeyRegenerationTime },
308 { "permitrootlogin", sPermitRootLogin },
309 { "syslogfacility", sLogFacility },
310 { "loglevel", sLogLevel },
70791e56 311 { "rhostsauthentication", sDeprecated },
3c0ef626 312 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
313 { "hostbasedauthentication", sHostbasedAuthentication },
314 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
315 { "rsaauthentication", sRSAAuthentication },
316 { "pubkeyauthentication", sPubkeyAuthentication },
317 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
70791e56 318#ifdef KRB5
319 { "kerberosauthentication", sKerberosAuthentication },
320 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
321 { "kerberosticketcleanup", sKerberosTicketCleanup },
416fd2a8 322#ifdef USE_AFS
323 { "kerberosgetafstoken", sKerberosGetAFSToken },
324#else
325 { "kerberosgetafstoken", sUnsupported },
326#endif
70791e56 327#else
328 { "kerberosauthentication", sUnsupported },
329 { "kerberosorlocalpasswd", sUnsupported },
330 { "kerberosticketcleanup", sUnsupported },
416fd2a8 331 { "kerberosgetafstoken", sUnsupported },
70791e56 332#endif
333 { "kerberostgtpassing", sUnsupported },
334 { "afstokenpassing", sUnsupported },
b9a54c29 335#ifdef GSSAPI
336 { "gssapiauthentication", sGssAuthentication },
337 { "gssapikeyexchange", sGssKeyEx },
338 { "gssusesessionccache", sGssUseSessionCredCache },
339 { "gssapiusesessioncredcache", sGssUseSessionCredCache },
416fd2a8 340 { "gssapicleanupcredentials", sGssCleanupCreds },
70791e56 341#else
342 { "gssapiauthentication", sUnsupported },
343 { "gssapikeyexchange", sUnsupported },
344 { "gssusesessionccache", sUnsupported },
345 { "gssapiusesessioncredcache", sUnsupported },
416fd2a8 346 { "gssapicleanupcredentials", sUnsupported },
3c0ef626 347#endif
88928908 348#ifdef SESSION_HOOKS
349 { "allowsessionhooks", sAllowSessionHooks },
350 { "sessionhookstartupcmd", sSessionHookStartupCmd },
351 { "sessionhookshutdowncmd", sSessionHookShutdownCmd },
352#endif
3c0ef626 353 { "passwordauthentication", sPasswordAuthentication },
354 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
355 { "challengeresponseauthentication", sChallengeResponseAuthentication },
356 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
357 { "checkmail", sDeprecated },
358 { "listenaddress", sListenAddress },
359 { "printmotd", sPrintMotd },
360 { "printlastlog", sPrintLastLog },
361 { "ignorerhosts", sIgnoreRhosts },
362 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
363 { "x11forwarding", sX11Forwarding },
364 { "x11displayoffset", sX11DisplayOffset },
e9a17296 365 { "x11uselocalhost", sX11UseLocalhost },
3c0ef626 366 { "xauthlocation", sXAuthLocation },
367 { "strictmodes", sStrictModes },
368 { "permitemptypasswords", sEmptyPasswd },
e54b3d7c 369 { "permituserenvironment", sPermitUserEnvironment },
3c0ef626 370 { "uselogin", sUseLogin },
ff2d7a98 371 { "compression", sCompression },
416fd2a8 372 { "tcpkeepalive", sTCPKeepAlive },
373 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
3c0ef626 374 { "allowtcpforwarding", sAllowTcpForwarding },
375 { "allowusers", sAllowUsers },
376 { "denyusers", sDenyUsers },
377 { "allowgroups", sAllowGroups },
378 { "denygroups", sDenyGroups },
379 { "ciphers", sCiphers },
380 { "macs", sMacs },
381 { "protocol", sProtocol },
382 { "gatewayports", sGatewayPorts },
383 { "subsystem", sSubsystem },
384 { "maxstartups", sMaxStartups },
385 { "banner", sBanner },
70791e56 386 { "usedns", sUseDNS },
387 { "verifyreversemapping", sDeprecated },
388 { "reversemappingcheck", sDeprecated },
3c0ef626 389 { "clientaliveinterval", sClientAliveInterval },
390 { "clientalivecountmax", sClientAliveCountMax },
391 { "authorizedkeysfile", sAuthorizedKeysFile },
392 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
2980ea68 393 { "useprivilegeseparation", sUsePrivilegeSeparation},
e9a17296 394 { NULL, sBadOption }
3c0ef626 395};
396
397/*
398 * Returns the number of the token pointed to by cp or sBadOption.
399 */
400
401static ServerOpCodes
402parse_token(const char *cp, const char *filename,
403 int linenum)
404{
405 u_int i;
406
407 for (i = 0; keywords[i].name; i++)
408 if (strcasecmp(cp, keywords[i].name) == 0)
409 return keywords[i].opcode;
410
411 error("%s: line %d: Bad configuration option: %s",
412 filename, linenum, cp);
413 return sBadOption;
414}
415
416static void
417add_listen_addr(ServerOptions *options, char *addr, u_short port)
418{
419 int i;
420
421 if (options->num_ports == 0)
422 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
423 if (port == 0)
424 for (i = 0; i < options->num_ports; i++)
425 add_one_listen_addr(options, addr, options->ports[i]);
426 else
427 add_one_listen_addr(options, addr, port);
428}
429
430static void
431add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
432{
433 struct addrinfo hints, *ai, *aitop;
434 char strport[NI_MAXSERV];
435 int gaierr;
436
437 memset(&hints, 0, sizeof(hints));
438 hints.ai_family = IPv4or6;
439 hints.ai_socktype = SOCK_STREAM;
440 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
ff2d7a98 441 snprintf(strport, sizeof strport, "%u", port);
3c0ef626 442 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
443 fatal("bad addr or host: %s (%s)",
444 addr ? addr : "<NULL>",
445 gai_strerror(gaierr));
446 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
447 ;
448 ai->ai_next = options->listen_addrs;
449 options->listen_addrs = aitop;
450}
451
e9a17296 452int
453process_server_config_line(ServerOptions *options, char *line,
454 const char *filename, int linenum)
3c0ef626 455{
3c0ef626 456 char *cp, **charptr, *arg, *p;
ff2d7a98 457 int *intptr, value, i, n;
3c0ef626 458 ServerOpCodes opcode;
3c0ef626 459
e9a17296 460 cp = line;
461 arg = strdelim(&cp);
462 /* Ignore leading whitespace */
463 if (*arg == '\0')
3c0ef626 464 arg = strdelim(&cp);
e9a17296 465 if (!arg || !*arg || *arg == '#')
466 return 0;
467 intptr = NULL;
468 charptr = NULL;
469 opcode = parse_token(arg, filename, linenum);
470 switch (opcode) {
471 /* Portable-specific options */
70791e56 472 case sUsePAM:
473 intptr = &options->use_pam;
e9a17296 474 goto parse_flag;
3c0ef626 475
e9a17296 476 /* Standard Options */
477 case sBadOption:
478 return -1;
479 case sPort:
480 /* ignore ports from configfile if cmdline specifies ports */
481 if (options->ports_from_cmdline)
482 return 0;
483 if (options->listen_addrs != NULL)
484 fatal("%s line %d: ports must be specified before "
485 "ListenAddress.", filename, linenum);
486 if (options->num_ports >= MAX_PORTS)
487 fatal("%s line %d: too many ports.",
488 filename, linenum);
489 arg = strdelim(&cp);
490 if (!arg || *arg == '\0')
491 fatal("%s line %d: missing port number.",
492 filename, linenum);
493 options->ports[options->num_ports++] = a2port(arg);
494 if (options->ports[options->num_ports-1] == 0)
495 fatal("%s line %d: Badly formatted port number.",
496 filename, linenum);
497 break;
498
499 case sServerKeyBits:
500 intptr = &options->server_key_bits;
3c0ef626 501parse_int:
e9a17296 502 arg = strdelim(&cp);
503 if (!arg || *arg == '\0')
504 fatal("%s line %d: missing integer value.",
505 filename, linenum);
506 value = atoi(arg);
507 if (*intptr == -1)
508 *intptr = value;
509 break;
510
511 case sLoginGraceTime:
512 intptr = &options->login_grace_time;
3c0ef626 513parse_time:
e9a17296 514 arg = strdelim(&cp);
515 if (!arg || *arg == '\0')
516 fatal("%s line %d: missing time value.",
517 filename, linenum);
518 if ((value = convtime(arg)) == -1)
519 fatal("%s line %d: invalid time value.",
520 filename, linenum);
521 if (*intptr == -1)
522 *intptr = value;
523 break;
524
525 case sKeyRegenerationTime:
526 intptr = &options->key_regeneration_time;
527 goto parse_time;
528
529 case sListenAddress:
530 arg = strdelim(&cp);
531 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
532 fatal("%s line %d: missing inet addr.",
533 filename, linenum);
534 if (*arg == '[') {
535 if ((p = strchr(arg, ']')) == NULL)
536 fatal("%s line %d: bad ipv6 inet addr usage.",
3c0ef626 537 filename, linenum);
e9a17296 538 arg++;
539 memmove(p, p+1, strlen(p+1)+1);
540 } else if (((p = strchr(arg, ':')) == NULL) ||
541 (strchr(p+1, ':') != NULL)) {
542 add_listen_addr(options, arg, 0);
3c0ef626 543 break;
e9a17296 544 }
545 if (*p == ':') {
546 u_short port;
3c0ef626 547
e9a17296 548 p++;
549 if (*p == '\0')
550 fatal("%s line %d: bad inet addr:port usage.",
3c0ef626 551 filename, linenum);
e9a17296 552 else {
553 *(p-1) = '\0';
554 if ((port = a2port(p)) == 0)
555 fatal("%s line %d: bad port number.",
3c0ef626 556 filename, linenum);
e9a17296 557 add_listen_addr(options, arg, port);
3c0ef626 558 }
e9a17296 559 } else if (*p == '\0')
560 add_listen_addr(options, arg, 0);
561 else
562 fatal("%s line %d: bad inet addr usage.",
563 filename, linenum);
564 break;
565
566 case sHostKeyFile:
567 intptr = &options->num_host_key_files;
568 if (*intptr >= MAX_HOSTKEYS)
569 fatal("%s line %d: too many host keys specified (max %d).",
570 filename, linenum, MAX_HOSTKEYS);
571 charptr = &options->host_key_files[*intptr];
3c0ef626 572parse_filename:
e9a17296 573 arg = strdelim(&cp);
574 if (!arg || *arg == '\0')
575 fatal("%s line %d: missing file name.",
576 filename, linenum);
577 if (*charptr == NULL) {
578 *charptr = tilde_expand_filename(arg, getuid());
579 /* increase optional counter */
580 if (intptr != NULL)
581 *intptr = *intptr + 1;
582 }
583 break;
3c0ef626 584
e9a17296 585 case sPidFile:
586 charptr = &options->pid_file;
587 goto parse_filename;
3c0ef626 588
e9a17296 589 case sPermitRootLogin:
590 intptr = &options->permit_root_login;
591 arg = strdelim(&cp);
592 if (!arg || *arg == '\0')
593 fatal("%s line %d: missing yes/"
594 "without-password/forced-commands-only/no "
595 "argument.", filename, linenum);
596 value = 0; /* silence compiler */
597 if (strcmp(arg, "without-password") == 0)
598 value = PERMIT_NO_PASSWD;
599 else if (strcmp(arg, "forced-commands-only") == 0)
600 value = PERMIT_FORCED_ONLY;
601 else if (strcmp(arg, "yes") == 0)
602 value = PERMIT_YES;
603 else if (strcmp(arg, "no") == 0)
604 value = PERMIT_NO;
605 else
606 fatal("%s line %d: Bad yes/"
607 "without-password/forced-commands-only/no "
608 "argument: %s", filename, linenum, arg);
609 if (*intptr == -1)
610 *intptr = value;
611 break;
612
613 case sIgnoreRhosts:
614 intptr = &options->ignore_rhosts;
3c0ef626 615parse_flag:
e9a17296 616 arg = strdelim(&cp);
617 if (!arg || *arg == '\0')
618 fatal("%s line %d: missing yes/no argument.",
619 filename, linenum);
620 value = 0; /* silence compiler */
621 if (strcmp(arg, "yes") == 0)
622 value = 1;
623 else if (strcmp(arg, "no") == 0)
624 value = 0;
625 else
626 fatal("%s line %d: Bad yes/no argument: %s",
627 filename, linenum, arg);
628 if (*intptr == -1)
629 *intptr = value;
630 break;
631
632 case sIgnoreUserKnownHosts:
633 intptr = &options->ignore_user_known_hosts;
634 goto parse_flag;
635
e9a17296 636 case sRhostsRSAAuthentication:
637 intptr = &options->rhosts_rsa_authentication;
638 goto parse_flag;
639
640 case sHostbasedAuthentication:
641 intptr = &options->hostbased_authentication;
642 goto parse_flag;
643
644 case sHostbasedUsesNameFromPacketOnly:
645 intptr = &options->hostbased_uses_name_from_packet_only;
646 goto parse_flag;
647
648 case sRSAAuthentication:
649 intptr = &options->rsa_authentication;
650 goto parse_flag;
651
652 case sPubkeyAuthentication:
653 intptr = &options->pubkey_authentication;
654 goto parse_flag;
70791e56 655
e9a17296 656 case sKerberosAuthentication:
657 intptr = &options->kerberos_authentication;
658 goto parse_flag;
3c0ef626 659
e9a17296 660 case sKerberosOrLocalPasswd:
661 intptr = &options->kerberos_or_local_passwd;
662 goto parse_flag;
3c0ef626 663
e9a17296 664 case sKerberosTicketCleanup:
665 intptr = &options->kerberos_ticket_cleanup;
666 goto parse_flag;
70791e56 667
416fd2a8 668 case sKerberosGetAFSToken:
669 intptr = &options->kerberos_get_afs_token;
670 goto parse_flag;
671
70791e56 672 case sGssAuthentication:
673 intptr = &options->gss_authentication;
e9a17296 674 goto parse_flag;
70791e56 675
676 case sGssKeyEx:
677 intptr = &options->gss_keyex;
e9a17296 678 goto parse_flag;
70791e56 679
680 case sGssUseSessionCredCache:
681 intptr = &options->gss_use_session_ccache;
682 goto parse_flag;
683
684 case sGssCleanupCreds:
685 intptr = &options->gss_cleanup_creds;
686 goto parse_flag;
687
88928908 688#ifdef SESSION_HOOKS
689 case sAllowSessionHooks:
690 intptr = &options->session_hooks_allow;
691 goto parse_flag;
692 case sSessionHookStartupCmd:
693 case sSessionHookShutdownCmd:
694 arg = strdelim(&cp);
695 if (!arg || *arg == '\0')
696 fatal("%s line %d: empty session hook command",
697 filename, linenum);
698 if (opcode==sSessionHookStartupCmd)
699 options->session_hooks_startup_cmd = strdup(arg);
700 else
701 options->session_hooks_shutdown_cmd = strdup(arg);
702 break;
703#endif
70791e56 704
e9a17296 705 case sPasswordAuthentication:
706 intptr = &options->password_authentication;
707 goto parse_flag;
3c0ef626 708
e9a17296 709 case sKbdInteractiveAuthentication:
710 intptr = &options->kbd_interactive_authentication;
711 goto parse_flag;
3c0ef626 712
e9a17296 713 case sChallengeResponseAuthentication:
714 intptr = &options->challenge_response_authentication;
715 goto parse_flag;
3c0ef626 716
e9a17296 717 case sPrintMotd:
718 intptr = &options->print_motd;
719 goto parse_flag;
3c0ef626 720
e9a17296 721 case sPrintLastLog:
722 intptr = &options->print_lastlog;
723 goto parse_flag;
3c0ef626 724
e9a17296 725 case sX11Forwarding:
726 intptr = &options->x11_forwarding;
727 goto parse_flag;
3c0ef626 728
e9a17296 729 case sX11DisplayOffset:
730 intptr = &options->x11_display_offset;
731 goto parse_int;
3c0ef626 732
e9a17296 733 case sX11UseLocalhost:
734 intptr = &options->x11_use_localhost;
735 goto parse_flag;
3c0ef626 736
e9a17296 737 case sXAuthLocation:
738 charptr = &options->xauth_location;
739 goto parse_filename;
3c0ef626 740
e9a17296 741 case sStrictModes:
742 intptr = &options->strict_modes;
743 goto parse_flag;
3c0ef626 744
416fd2a8 745 case sTCPKeepAlive:
746 intptr = &options->tcp_keep_alive;
e9a17296 747 goto parse_flag;
3c0ef626 748
e9a17296 749 case sEmptyPasswd:
750 intptr = &options->permit_empty_passwd;
751 goto parse_flag;
3c0ef626 752
e54b3d7c 753 case sPermitUserEnvironment:
754 intptr = &options->permit_user_env;
755 goto parse_flag;
756
e9a17296 757 case sUseLogin:
758 intptr = &options->use_login;
759 goto parse_flag;
3c0ef626 760
ff2d7a98 761 case sCompression:
762 intptr = &options->compression;
763 goto parse_flag;
764
e9a17296 765 case sGatewayPorts:
766 intptr = &options->gateway_ports;
767 goto parse_flag;
3c0ef626 768
70791e56 769 case sUseDNS:
770 intptr = &options->use_dns;
e9a17296 771 goto parse_flag;
3c0ef626 772
e9a17296 773 case sLogFacility:
774 intptr = (int *) &options->log_facility;
775 arg = strdelim(&cp);
776 value = log_facility_number(arg);
777 if (value == SYSLOG_FACILITY_NOT_SET)
778 fatal("%.200s line %d: unsupported log facility '%s'",
779 filename, linenum, arg ? arg : "<NONE>");
780 if (*intptr == -1)
781 *intptr = (SyslogFacility) value;
782 break;
783
784 case sLogLevel:
785 intptr = (int *) &options->log_level;
786 arg = strdelim(&cp);
787 value = log_level_number(arg);
788 if (value == SYSLOG_LEVEL_NOT_SET)
789 fatal("%.200s line %d: unsupported log level '%s'",
790 filename, linenum, arg ? arg : "<NONE>");
791 if (*intptr == -1)
792 *intptr = (LogLevel) value;
793 break;
794
795 case sAllowTcpForwarding:
796 intptr = &options->allow_tcp_forwarding;
797 goto parse_flag;
798
2980ea68 799 case sUsePrivilegeSeparation:
800 intptr = &use_privsep;
801 goto parse_flag;
802
e9a17296 803 case sAllowUsers:
804 while ((arg = strdelim(&cp)) && *arg != '\0') {
805 if (options->num_allow_users >= MAX_ALLOW_USERS)
806 fatal("%s line %d: too many allow users.",
807 filename, linenum);
ff2d7a98 808 options->allow_users[options->num_allow_users++] =
809 xstrdup(arg);
e9a17296 810 }
811 break;
3c0ef626 812
e9a17296 813 case sDenyUsers:
814 while ((arg = strdelim(&cp)) && *arg != '\0') {
815 if (options->num_deny_users >= MAX_DENY_USERS)
816 fatal( "%s line %d: too many deny users.",
817 filename, linenum);
ff2d7a98 818 options->deny_users[options->num_deny_users++] =
819 xstrdup(arg);
e9a17296 820 }
821 break;
3c0ef626 822
e9a17296 823 case sAllowGroups:
824 while ((arg = strdelim(&cp)) && *arg != '\0') {
825 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
826 fatal("%s line %d: too many allow groups.",
827 filename, linenum);
ff2d7a98 828 options->allow_groups[options->num_allow_groups++] =
829 xstrdup(arg);
e9a17296 830 }
831 break;
3c0ef626 832
e9a17296 833 case sDenyGroups:
834 while ((arg = strdelim(&cp)) && *arg != '\0') {
835 if (options->num_deny_groups >= MAX_DENY_GROUPS)
836 fatal("%s line %d: too many deny groups.",
837 filename, linenum);
838 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
839 }
840 break;
841
842 case sCiphers:
843 arg = strdelim(&cp);
844 if (!arg || *arg == '\0')
845 fatal("%s line %d: Missing argument.", filename, linenum);
846 if (!ciphers_valid(arg))
847 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
848 filename, linenum, arg ? arg : "<NONE>");
849 if (options->ciphers == NULL)
850 options->ciphers = xstrdup(arg);
851 break;
852
853 case sMacs:
854 arg = strdelim(&cp);
855 if (!arg || *arg == '\0')
856 fatal("%s line %d: Missing argument.", filename, linenum);
857 if (!mac_valid(arg))
858 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
859 filename, linenum, arg ? arg : "<NONE>");
860 if (options->macs == NULL)
861 options->macs = xstrdup(arg);
862 break;
863
864 case sProtocol:
865 intptr = &options->protocol;
866 arg = strdelim(&cp);
867 if (!arg || *arg == '\0')
868 fatal("%s line %d: Missing argument.", filename, linenum);
869 value = proto_spec(arg);
870 if (value == SSH_PROTO_UNKNOWN)
871 fatal("%s line %d: Bad protocol spec '%s'.",
872 filename, linenum, arg ? arg : "<NONE>");
873 if (*intptr == SSH_PROTO_UNKNOWN)
874 *intptr = value;
875 break;
876
877 case sSubsystem:
878 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
879 fatal("%s line %d: too many subsystems defined.",
880 filename, linenum);
881 }
882 arg = strdelim(&cp);
883 if (!arg || *arg == '\0')
884 fatal("%s line %d: Missing subsystem name.",
885 filename, linenum);
886 for (i = 0; i < options->num_subsystems; i++)
887 if (strcmp(arg, options->subsystem_name[i]) == 0)
888 fatal("%s line %d: Subsystem '%s' already defined.",
889 filename, linenum, arg);
890 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
891 arg = strdelim(&cp);
892 if (!arg || *arg == '\0')
893 fatal("%s line %d: Missing subsystem command.",
894 filename, linenum);
895 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
896 options->num_subsystems++;
897 break;
898
899 case sMaxStartups:
900 arg = strdelim(&cp);
901 if (!arg || *arg == '\0')
902 fatal("%s line %d: Missing MaxStartups spec.",
903 filename, linenum);
904 if ((n = sscanf(arg, "%d:%d:%d",
905 &options->max_startups_begin,
906 &options->max_startups_rate,
907 &options->max_startups)) == 3) {
908 if (options->max_startups_begin >
909 options->max_startups ||
910 options->max_startups_rate > 100 ||
911 options->max_startups_rate < 1)
3c0ef626 912 fatal("%s line %d: Illegal MaxStartups spec.",
913 filename, linenum);
e9a17296 914 } else if (n != 1)
915 fatal("%s line %d: Illegal MaxStartups spec.",
916 filename, linenum);
917 else
918 options->max_startups = options->max_startups_begin;
919 break;
920
921 case sBanner:
922 charptr = &options->banner;
923 goto parse_filename;
924 /*
925 * These options can contain %X options expanded at
926 * connect time, so that you can specify paths like:
927 *
928 * AuthorizedKeysFile /etc/ssh_keys/%u
929 */
930 case sAuthorizedKeysFile:
931 case sAuthorizedKeysFile2:
932 charptr = (opcode == sAuthorizedKeysFile ) ?
933 &options->authorized_keys_file :
934 &options->authorized_keys_file2;
935 goto parse_filename;
936
937 case sClientAliveInterval:
938 intptr = &options->client_alive_interval;
939 goto parse_time;
940
941 case sClientAliveCountMax:
942 intptr = &options->client_alive_count_max;
943 goto parse_int;
944
945 case sDeprecated:
70791e56 946 logit("%s line %d: Deprecated option %s",
947 filename, linenum, arg);
948 while (arg)
949 arg = strdelim(&cp);
950 break;
951
952 case sUnsupported:
953 logit("%s line %d: Unsupported option %s",
e9a17296 954 filename, linenum, arg);
955 while (arg)
956 arg = strdelim(&cp);
957 break;
958
959 default:
960 fatal("%s line %d: Missing handler for opcode %s (%d)",
961 filename, linenum, arg, opcode);
962 }
963 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
964 fatal("%s line %d: garbage at end of line; \"%.200s\".",
965 filename, linenum, arg);
966 return 0;
967}
3c0ef626 968
e9a17296 969/* Reads the server configuration file. */
3c0ef626 970
e9a17296 971void
972read_server_config(ServerOptions *options, const char *filename)
973{
ff2d7a98 974 int linenum, bad_options = 0;
e9a17296 975 char line[1024];
ff2d7a98 976 FILE *f;
e9a17296 977
1c14df9e 978 debug2("read_server_config: filename %s", filename);
e9a17296 979 f = fopen(filename, "r");
980 if (!f) {
981 perror(filename);
982 exit(1);
983 }
984 linenum = 0;
985 while (fgets(line, sizeof(line), f)) {
986 /* Update line number counter. */
987 linenum++;
988 if (process_server_config_line(options, line, filename, linenum) != 0)
989 bad_options++;
3c0ef626 990 }
991 fclose(f);
992 if (bad_options > 0)
993 fatal("%s: terminating, %d bad configuration options",
994 filename, bad_options);
995}
git-cvsimport mirror of GSI OpenSSH
This page took 0.231598 seconds and 5 git commands to generate.