]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
Import of OpenSSH 3.4p1
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
680cee3b 13RCSID("$OpenBSD: servconf.c,v 1.112 2002/06/23 09:46:51 deraadt Exp $");
3c0ef626 14
700318f3 15#if defined(KRB4)
16#include <krb.h>
17#endif
18#if defined(KRB5)
19#ifdef HEIMDAL
3c0ef626 20#include <krb.h>
700318f3 21#else
22/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
23 * keytab */
24#define KEYFILE "/etc/krb5.keytab"
25#endif
3c0ef626 26#endif
27#ifdef AFS
28#include <kafs.h>
29#endif
30
31#include "ssh.h"
32#include "log.h"
33#include "servconf.h"
34#include "xmalloc.h"
35#include "compat.h"
36#include "pathnames.h"
37#include "tildexpand.h"
38#include "misc.h"
39#include "cipher.h"
40#include "kex.h"
41#include "mac.h"
42
43static void add_listen_addr(ServerOptions *, char *, u_short);
44static void add_one_listen_addr(ServerOptions *, char *, u_short);
45
46/* AF_UNSPEC or AF_INET or AF_INET6 */
47extern int IPv4or6;
700318f3 48/* Use of privilege separation or not */
49extern int use_privsep;
3c0ef626 50
51/* Initializes the server options to their default values. */
52
53void
54initialize_server_options(ServerOptions *options)
55{
56 memset(options, 0, sizeof(*options));
57
58 /* Portable-specific options */
59 options->pam_authentication_via_kbd_int = -1;
60
61 /* Standard Options */
62 options->num_ports = 0;
63 options->ports_from_cmdline = 0;
64 options->listen_addrs = NULL;
65 options->num_host_key_files = 0;
66 options->pid_file = NULL;
67 options->server_key_bits = -1;
68 options->login_grace_time = -1;
69 options->key_regeneration_time = -1;
70 options->permit_root_login = PERMIT_NOT_SET;
71 options->ignore_rhosts = -1;
72 options->ignore_user_known_hosts = -1;
73 options->print_motd = -1;
74 options->print_lastlog = -1;
75 options->x11_forwarding = -1;
76 options->x11_display_offset = -1;
e9a17296 77 options->x11_use_localhost = -1;
3c0ef626 78 options->xauth_location = NULL;
79 options->strict_modes = -1;
80 options->keepalives = -1;
e9a17296 81 options->log_facility = SYSLOG_FACILITY_NOT_SET;
82 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 83 options->rhosts_authentication = -1;
84 options->rhosts_rsa_authentication = -1;
85 options->hostbased_authentication = -1;
86 options->hostbased_uses_name_from_packet_only = -1;
87 options->rsa_authentication = -1;
88 options->pubkey_authentication = -1;
89#if defined(KRB4) || defined(KRB5)
90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
93#endif
94#if defined(AFS) || defined(KRB5)
95 options->kerberos_tgt_passing = -1;
96#endif
97#ifdef AFS
98 options->afs_token_passing = -1;
99#endif
100 options->password_authentication = -1;
101 options->kbd_interactive_authentication = -1;
102 options->challenge_response_authentication = -1;
103 options->permit_empty_passwd = -1;
104 options->use_login = -1;
f5799ae1 105 options->compression = -1;
3c0ef626 106 options->allow_tcp_forwarding = -1;
107 options->num_allow_users = 0;
108 options->num_deny_users = 0;
109 options->num_allow_groups = 0;
110 options->num_deny_groups = 0;
111 options->ciphers = NULL;
112 options->macs = NULL;
113 options->protocol = SSH_PROTO_UNKNOWN;
114 options->gateway_ports = -1;
115 options->num_subsystems = 0;
116 options->max_startups_begin = -1;
117 options->max_startups_rate = -1;
118 options->max_startups = -1;
119 options->banner = NULL;
e9a17296 120 options->verify_reverse_mapping = -1;
3c0ef626 121 options->client_alive_interval = -1;
122 options->client_alive_count_max = -1;
123 options->authorized_keys_file = NULL;
124 options->authorized_keys_file2 = NULL;
700318f3 125
126 /* Needs to be accessable in many places */
127 use_privsep = -1;
3c0ef626 128}
129
130void
131fill_default_server_options(ServerOptions *options)
132{
133 /* Portable-specific options */
134 if (options->pam_authentication_via_kbd_int == -1)
135 options->pam_authentication_via_kbd_int = 0;
136
137 /* Standard Options */
138 if (options->protocol == SSH_PROTO_UNKNOWN)
139 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
140 if (options->num_host_key_files == 0) {
141 /* fill default hostkeys for protocols */
142 if (options->protocol & SSH_PROTO_1)
e9a17296 143 options->host_key_files[options->num_host_key_files++] =
144 _PATH_HOST_KEY_FILE;
145 if (options->protocol & SSH_PROTO_2) {
146 options->host_key_files[options->num_host_key_files++] =
147 _PATH_HOST_RSA_KEY_FILE;
148 options->host_key_files[options->num_host_key_files++] =
149 _PATH_HOST_DSA_KEY_FILE;
150 }
3c0ef626 151 }
152 if (options->num_ports == 0)
153 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
154 if (options->listen_addrs == NULL)
155 add_listen_addr(options, NULL, 0);
156 if (options->pid_file == NULL)
157 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
158 if (options->server_key_bits == -1)
159 options->server_key_bits = 768;
160 if (options->login_grace_time == -1)
161 options->login_grace_time = 600;
162 if (options->key_regeneration_time == -1)
163 options->key_regeneration_time = 3600;
164 if (options->permit_root_login == PERMIT_NOT_SET)
165 options->permit_root_login = PERMIT_YES;
166 if (options->ignore_rhosts == -1)
167 options->ignore_rhosts = 1;
168 if (options->ignore_user_known_hosts == -1)
169 options->ignore_user_known_hosts = 0;
170 if (options->print_motd == -1)
171 options->print_motd = 1;
172 if (options->print_lastlog == -1)
173 options->print_lastlog = 1;
174 if (options->x11_forwarding == -1)
175 options->x11_forwarding = 0;
176 if (options->x11_display_offset == -1)
177 options->x11_display_offset = 10;
e9a17296 178 if (options->x11_use_localhost == -1)
179 options->x11_use_localhost = 1;
3c0ef626 180 if (options->xauth_location == NULL)
181 options->xauth_location = _PATH_XAUTH;
3c0ef626 182 if (options->strict_modes == -1)
183 options->strict_modes = 1;
184 if (options->keepalives == -1)
185 options->keepalives = 1;
e9a17296 186 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 187 options->log_facility = SYSLOG_FACILITY_AUTH;
e9a17296 188 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 189 options->log_level = SYSLOG_LEVEL_INFO;
190 if (options->rhosts_authentication == -1)
191 options->rhosts_authentication = 0;
192 if (options->rhosts_rsa_authentication == -1)
193 options->rhosts_rsa_authentication = 0;
194 if (options->hostbased_authentication == -1)
195 options->hostbased_authentication = 0;
196 if (options->hostbased_uses_name_from_packet_only == -1)
197 options->hostbased_uses_name_from_packet_only = 0;
198 if (options->rsa_authentication == -1)
199 options->rsa_authentication = 1;
200 if (options->pubkey_authentication == -1)
201 options->pubkey_authentication = 1;
202#if defined(KRB4) || defined(KRB5)
203 if (options->kerberos_authentication == -1)
700318f3 204 options->kerberos_authentication = 0;
3c0ef626 205 if (options->kerberos_or_local_passwd == -1)
206 options->kerberos_or_local_passwd = 1;
207 if (options->kerberos_ticket_cleanup == -1)
208 options->kerberos_ticket_cleanup = 1;
209#endif
210#if defined(AFS) || defined(KRB5)
211 if (options->kerberos_tgt_passing == -1)
212 options->kerberos_tgt_passing = 0;
213#endif
e9a17296 214#ifdef AFS
3c0ef626 215 if (options->afs_token_passing == -1)
700318f3 216 options->afs_token_passing = 0;
3c0ef626 217#endif
218 if (options->password_authentication == -1)
219 options->password_authentication = 1;
220 if (options->kbd_interactive_authentication == -1)
221 options->kbd_interactive_authentication = 0;
222 if (options->challenge_response_authentication == -1)
223 options->challenge_response_authentication = 1;
224 if (options->permit_empty_passwd == -1)
225 options->permit_empty_passwd = 0;
226 if (options->use_login == -1)
227 options->use_login = 0;
f5799ae1 228 if (options->compression == -1)
229 options->compression = 1;
3c0ef626 230 if (options->allow_tcp_forwarding == -1)
231 options->allow_tcp_forwarding = 1;
232 if (options->gateway_ports == -1)
233 options->gateway_ports = 0;
234 if (options->max_startups == -1)
235 options->max_startups = 10;
236 if (options->max_startups_rate == -1)
237 options->max_startups_rate = 100; /* 100% */
238 if (options->max_startups_begin == -1)
239 options->max_startups_begin = options->max_startups;
e9a17296 240 if (options->verify_reverse_mapping == -1)
241 options->verify_reverse_mapping = 0;
3c0ef626 242 if (options->client_alive_interval == -1)
e9a17296 243 options->client_alive_interval = 0;
3c0ef626 244 if (options->client_alive_count_max == -1)
245 options->client_alive_count_max = 3;
246 if (options->authorized_keys_file2 == NULL) {
247 /* authorized_keys_file2 falls back to authorized_keys_file */
248 if (options->authorized_keys_file != NULL)
249 options->authorized_keys_file2 = options->authorized_keys_file;
250 else
251 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
252 }
253 if (options->authorized_keys_file == NULL)
254 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
700318f3 255
f5799ae1 256 /* Turn privilege separation on by default */
700318f3 257 if (use_privsep == -1)
f5799ae1 258 use_privsep = 1;
259
680cee3b 260#if !defined(HAVE_MMAP_ANON_SHARED)
f5799ae1 261 if (use_privsep && options->compression == 1) {
262 error("This platform does not support both privilege "
263 "separation and compression");
264 error("Compression disabled");
265 options->compression = 0;
266 }
267#endif
268
3c0ef626 269}
270
271/* Keyword tokens. */
272typedef enum {
273 sBadOption, /* == unknown option */
274 /* Portable-specific options */
275 sPAMAuthenticationViaKbdInt,
276 /* Standard Options */
277 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
278 sPermitRootLogin, sLogFacility, sLogLevel,
279 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
280#if defined(KRB4) || defined(KRB5)
281 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
282#endif
283#if defined(AFS) || defined(KRB5)
284 sKerberosTgtPassing,
285#endif
286#ifdef AFS
287 sAFSTokenPassing,
288#endif
289 sChallengeResponseAuthentication,
290 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
291 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9a17296 292 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
3c0ef626 293 sStrictModes, sEmptyPasswd, sKeepAlives,
f5799ae1 294 sUseLogin, sAllowTcpForwarding, sCompression,
3c0ef626 295 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
296 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
297 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
e9a17296 298 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
299 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 300 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
700318f3 301 sUsePrivilegeSeparation,
e9a17296 302 sDeprecated
3c0ef626 303} ServerOpCodes;
304
305/* Textual representation of the tokens. */
306static struct {
307 const char *name;
308 ServerOpCodes opcode;
309} keywords[] = {
310 /* Portable-specific options */
311 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
312 /* Standard Options */
313 { "port", sPort },
314 { "hostkey", sHostKeyFile },
315 { "hostdsakey", sHostKeyFile }, /* alias */
316 { "pidfile", sPidFile },
317 { "serverkeybits", sServerKeyBits },
318 { "logingracetime", sLoginGraceTime },
319 { "keyregenerationinterval", sKeyRegenerationTime },
320 { "permitrootlogin", sPermitRootLogin },
321 { "syslogfacility", sLogFacility },
322 { "loglevel", sLogLevel },
323 { "rhostsauthentication", sRhostsAuthentication },
324 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
325 { "hostbasedauthentication", sHostbasedAuthentication },
326 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
327 { "rsaauthentication", sRSAAuthentication },
328 { "pubkeyauthentication", sPubkeyAuthentication },
329 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
330#if defined(KRB4) || defined(KRB5)
331 { "kerberosauthentication", sKerberosAuthentication },
332 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
333 { "kerberosticketcleanup", sKerberosTicketCleanup },
334#endif
335#if defined(AFS) || defined(KRB5)
336 { "kerberostgtpassing", sKerberosTgtPassing },
337#endif
338#ifdef AFS
339 { "afstokenpassing", sAFSTokenPassing },
340#endif
341 { "passwordauthentication", sPasswordAuthentication },
342 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
343 { "challengeresponseauthentication", sChallengeResponseAuthentication },
344 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
345 { "checkmail", sDeprecated },
346 { "listenaddress", sListenAddress },
347 { "printmotd", sPrintMotd },
348 { "printlastlog", sPrintLastLog },
349 { "ignorerhosts", sIgnoreRhosts },
350 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
351 { "x11forwarding", sX11Forwarding },
352 { "x11displayoffset", sX11DisplayOffset },
e9a17296 353 { "x11uselocalhost", sX11UseLocalhost },
3c0ef626 354 { "xauthlocation", sXAuthLocation },
355 { "strictmodes", sStrictModes },
356 { "permitemptypasswords", sEmptyPasswd },
357 { "uselogin", sUseLogin },
f5799ae1 358 { "compression", sCompression },
3c0ef626 359 { "keepalive", sKeepAlives },
360 { "allowtcpforwarding", sAllowTcpForwarding },
361 { "allowusers", sAllowUsers },
362 { "denyusers", sDenyUsers },
363 { "allowgroups", sAllowGroups },
364 { "denygroups", sDenyGroups },
365 { "ciphers", sCiphers },
366 { "macs", sMacs },
367 { "protocol", sProtocol },
368 { "gatewayports", sGatewayPorts },
369 { "subsystem", sSubsystem },
370 { "maxstartups", sMaxStartups },
371 { "banner", sBanner },
e9a17296 372 { "verifyreversemapping", sVerifyReverseMapping },
373 { "reversemappingcheck", sVerifyReverseMapping },
3c0ef626 374 { "clientaliveinterval", sClientAliveInterval },
375 { "clientalivecountmax", sClientAliveCountMax },
376 { "authorizedkeysfile", sAuthorizedKeysFile },
377 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
700318f3 378 { "useprivilegeseparation", sUsePrivilegeSeparation},
e9a17296 379 { NULL, sBadOption }
3c0ef626 380};
381
382/*
383 * Returns the number of the token pointed to by cp or sBadOption.
384 */
385
386static ServerOpCodes
387parse_token(const char *cp, const char *filename,
388 int linenum)
389{
390 u_int i;
391
392 for (i = 0; keywords[i].name; i++)
393 if (strcasecmp(cp, keywords[i].name) == 0)
394 return keywords[i].opcode;
395
396 error("%s: line %d: Bad configuration option: %s",
397 filename, linenum, cp);
398 return sBadOption;
399}
400
401static void
402add_listen_addr(ServerOptions *options, char *addr, u_short port)
403{
404 int i;
405
406 if (options->num_ports == 0)
407 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
408 if (port == 0)
409 for (i = 0; i < options->num_ports; i++)
410 add_one_listen_addr(options, addr, options->ports[i]);
411 else
412 add_one_listen_addr(options, addr, port);
413}
414
415static void
416add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
417{
418 struct addrinfo hints, *ai, *aitop;
419 char strport[NI_MAXSERV];
420 int gaierr;
421
422 memset(&hints, 0, sizeof(hints));
423 hints.ai_family = IPv4or6;
424 hints.ai_socktype = SOCK_STREAM;
425 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
680cee3b 426 snprintf(strport, sizeof strport, "%u", port);
3c0ef626 427 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
428 fatal("bad addr or host: %s (%s)",
429 addr ? addr : "<NULL>",
430 gai_strerror(gaierr));
431 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
432 ;
433 ai->ai_next = options->listen_addrs;
434 options->listen_addrs = aitop;
435}
436
e9a17296 437int
438process_server_config_line(ServerOptions *options, char *line,
439 const char *filename, int linenum)
3c0ef626 440{
3c0ef626 441 char *cp, **charptr, *arg, *p;
680cee3b 442 int *intptr, value, i, n;
3c0ef626 443 ServerOpCodes opcode;
3c0ef626 444
e9a17296 445 cp = line;
446 arg = strdelim(&cp);
447 /* Ignore leading whitespace */
448 if (*arg == '\0')
3c0ef626 449 arg = strdelim(&cp);
e9a17296 450 if (!arg || !*arg || *arg == '#')
451 return 0;
452 intptr = NULL;
453 charptr = NULL;
454 opcode = parse_token(arg, filename, linenum);
455 switch (opcode) {
456 /* Portable-specific options */
457 case sPAMAuthenticationViaKbdInt:
458 intptr = &options->pam_authentication_via_kbd_int;
459 goto parse_flag;
3c0ef626 460
e9a17296 461 /* Standard Options */
462 case sBadOption:
463 return -1;
464 case sPort:
465 /* ignore ports from configfile if cmdline specifies ports */
466 if (options->ports_from_cmdline)
467 return 0;
468 if (options->listen_addrs != NULL)
469 fatal("%s line %d: ports must be specified before "
470 "ListenAddress.", filename, linenum);
471 if (options->num_ports >= MAX_PORTS)
472 fatal("%s line %d: too many ports.",
473 filename, linenum);
474 arg = strdelim(&cp);
475 if (!arg || *arg == '\0')
476 fatal("%s line %d: missing port number.",
477 filename, linenum);
478 options->ports[options->num_ports++] = a2port(arg);
479 if (options->ports[options->num_ports-1] == 0)
480 fatal("%s line %d: Badly formatted port number.",
481 filename, linenum);
482 break;
483
484 case sServerKeyBits:
485 intptr = &options->server_key_bits;
3c0ef626 486parse_int:
e9a17296 487 arg = strdelim(&cp);
488 if (!arg || *arg == '\0')
489 fatal("%s line %d: missing integer value.",
490 filename, linenum);
491 value = atoi(arg);
492 if (*intptr == -1)
493 *intptr = value;
494 break;
495
496 case sLoginGraceTime:
497 intptr = &options->login_grace_time;
3c0ef626 498parse_time:
e9a17296 499 arg = strdelim(&cp);
500 if (!arg || *arg == '\0')
501 fatal("%s line %d: missing time value.",
502 filename, linenum);
503 if ((value = convtime(arg)) == -1)
504 fatal("%s line %d: invalid time value.",
505 filename, linenum);
506 if (*intptr == -1)
507 *intptr = value;
508 break;
509
510 case sKeyRegenerationTime:
511 intptr = &options->key_regeneration_time;
512 goto parse_time;
513
514 case sListenAddress:
515 arg = strdelim(&cp);
516 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
517 fatal("%s line %d: missing inet addr.",
518 filename, linenum);
519 if (*arg == '[') {
520 if ((p = strchr(arg, ']')) == NULL)
521 fatal("%s line %d: bad ipv6 inet addr usage.",
3c0ef626 522 filename, linenum);
e9a17296 523 arg++;
524 memmove(p, p+1, strlen(p+1)+1);
525 } else if (((p = strchr(arg, ':')) == NULL) ||
526 (strchr(p+1, ':') != NULL)) {
527 add_listen_addr(options, arg, 0);
3c0ef626 528 break;
e9a17296 529 }
530 if (*p == ':') {
531 u_short port;
3c0ef626 532
e9a17296 533 p++;
534 if (*p == '\0')
535 fatal("%s line %d: bad inet addr:port usage.",
3c0ef626 536 filename, linenum);
e9a17296 537 else {
538 *(p-1) = '\0';
539 if ((port = a2port(p)) == 0)
540 fatal("%s line %d: bad port number.",
3c0ef626 541 filename, linenum);
e9a17296 542 add_listen_addr(options, arg, port);
3c0ef626 543 }
e9a17296 544 } else if (*p == '\0')
545 add_listen_addr(options, arg, 0);
546 else
547 fatal("%s line %d: bad inet addr usage.",
548 filename, linenum);
549 break;
550
551 case sHostKeyFile:
552 intptr = &options->num_host_key_files;
553 if (*intptr >= MAX_HOSTKEYS)
554 fatal("%s line %d: too many host keys specified (max %d).",
555 filename, linenum, MAX_HOSTKEYS);
556 charptr = &options->host_key_files[*intptr];
3c0ef626 557parse_filename:
e9a17296 558 arg = strdelim(&cp);
559 if (!arg || *arg == '\0')
560 fatal("%s line %d: missing file name.",
561 filename, linenum);
562 if (*charptr == NULL) {
563 *charptr = tilde_expand_filename(arg, getuid());
564 /* increase optional counter */
565 if (intptr != NULL)
566 *intptr = *intptr + 1;
567 }
568 break;
3c0ef626 569
e9a17296 570 case sPidFile:
571 charptr = &options->pid_file;
572 goto parse_filename;
3c0ef626 573
e9a17296 574 case sPermitRootLogin:
575 intptr = &options->permit_root_login;
576 arg = strdelim(&cp);
577 if (!arg || *arg == '\0')
578 fatal("%s line %d: missing yes/"
579 "without-password/forced-commands-only/no "
580 "argument.", filename, linenum);
581 value = 0; /* silence compiler */
582 if (strcmp(arg, "without-password") == 0)
583 value = PERMIT_NO_PASSWD;
584 else if (strcmp(arg, "forced-commands-only") == 0)
585 value = PERMIT_FORCED_ONLY;
586 else if (strcmp(arg, "yes") == 0)
587 value = PERMIT_YES;
588 else if (strcmp(arg, "no") == 0)
589 value = PERMIT_NO;
590 else
591 fatal("%s line %d: Bad yes/"
592 "without-password/forced-commands-only/no "
593 "argument: %s", filename, linenum, arg);
594 if (*intptr == -1)
595 *intptr = value;
596 break;
597
598 case sIgnoreRhosts:
599 intptr = &options->ignore_rhosts;
3c0ef626 600parse_flag:
e9a17296 601 arg = strdelim(&cp);
602 if (!arg || *arg == '\0')
603 fatal("%s line %d: missing yes/no argument.",
604 filename, linenum);
605 value = 0; /* silence compiler */
606 if (strcmp(arg, "yes") == 0)
607 value = 1;
608 else if (strcmp(arg, "no") == 0)
609 value = 0;
610 else
611 fatal("%s line %d: Bad yes/no argument: %s",
612 filename, linenum, arg);
613 if (*intptr == -1)
614 *intptr = value;
615 break;
616
617 case sIgnoreUserKnownHosts:
618 intptr = &options->ignore_user_known_hosts;
619 goto parse_flag;
620
621 case sRhostsAuthentication:
622 intptr = &options->rhosts_authentication;
623 goto parse_flag;
624
625 case sRhostsRSAAuthentication:
626 intptr = &options->rhosts_rsa_authentication;
627 goto parse_flag;
628
629 case sHostbasedAuthentication:
630 intptr = &options->hostbased_authentication;
631 goto parse_flag;
632
633 case sHostbasedUsesNameFromPacketOnly:
634 intptr = &options->hostbased_uses_name_from_packet_only;
635 goto parse_flag;
636
637 case sRSAAuthentication:
638 intptr = &options->rsa_authentication;
639 goto parse_flag;
640
641 case sPubkeyAuthentication:
642 intptr = &options->pubkey_authentication;
643 goto parse_flag;
644#if defined(KRB4) || defined(KRB5)
645 case sKerberosAuthentication:
646 intptr = &options->kerberos_authentication;
647 goto parse_flag;
3c0ef626 648
e9a17296 649 case sKerberosOrLocalPasswd:
650 intptr = &options->kerberos_or_local_passwd;
651 goto parse_flag;
3c0ef626 652
e9a17296 653 case sKerberosTicketCleanup:
654 intptr = &options->kerberos_ticket_cleanup;
655 goto parse_flag;
656#endif
657#if defined(AFS) || defined(KRB5)
658 case sKerberosTgtPassing:
659 intptr = &options->kerberos_tgt_passing;
660 goto parse_flag;
661#endif
662#ifdef AFS
663 case sAFSTokenPassing:
664 intptr = &options->afs_token_passing;
665 goto parse_flag;
666#endif
3c0ef626 667
e9a17296 668 case sPasswordAuthentication:
669 intptr = &options->password_authentication;
670 goto parse_flag;
3c0ef626 671
e9a17296 672 case sKbdInteractiveAuthentication:
673 intptr = &options->kbd_interactive_authentication;
674 goto parse_flag;
3c0ef626 675
e9a17296 676 case sChallengeResponseAuthentication:
677 intptr = &options->challenge_response_authentication;
678 goto parse_flag;
3c0ef626 679
e9a17296 680 case sPrintMotd:
681 intptr = &options->print_motd;
682 goto parse_flag;
3c0ef626 683
e9a17296 684 case sPrintLastLog:
685 intptr = &options->print_lastlog;
686 goto parse_flag;
3c0ef626 687
e9a17296 688 case sX11Forwarding:
689 intptr = &options->x11_forwarding;
690 goto parse_flag;
3c0ef626 691
e9a17296 692 case sX11DisplayOffset:
693 intptr = &options->x11_display_offset;
694 goto parse_int;
3c0ef626 695
e9a17296 696 case sX11UseLocalhost:
697 intptr = &options->x11_use_localhost;
698 goto parse_flag;
3c0ef626 699
e9a17296 700 case sXAuthLocation:
701 charptr = &options->xauth_location;
702 goto parse_filename;
3c0ef626 703
e9a17296 704 case sStrictModes:
705 intptr = &options->strict_modes;
706 goto parse_flag;
3c0ef626 707
e9a17296 708 case sKeepAlives:
709 intptr = &options->keepalives;
710 goto parse_flag;
3c0ef626 711
e9a17296 712 case sEmptyPasswd:
713 intptr = &options->permit_empty_passwd;
714 goto parse_flag;
3c0ef626 715
e9a17296 716 case sUseLogin:
717 intptr = &options->use_login;
718 goto parse_flag;
3c0ef626 719
f5799ae1 720 case sCompression:
721 intptr = &options->compression;
722 goto parse_flag;
723
e9a17296 724 case sGatewayPorts:
725 intptr = &options->gateway_ports;
726 goto parse_flag;
3c0ef626 727
e9a17296 728 case sVerifyReverseMapping:
729 intptr = &options->verify_reverse_mapping;
730 goto parse_flag;
3c0ef626 731
e9a17296 732 case sLogFacility:
733 intptr = (int *) &options->log_facility;
734 arg = strdelim(&cp);
735 value = log_facility_number(arg);
736 if (value == SYSLOG_FACILITY_NOT_SET)
737 fatal("%.200s line %d: unsupported log facility '%s'",
738 filename, linenum, arg ? arg : "<NONE>");
739 if (*intptr == -1)
740 *intptr = (SyslogFacility) value;
741 break;
742
743 case sLogLevel:
744 intptr = (int *) &options->log_level;
745 arg = strdelim(&cp);
746 value = log_level_number(arg);
747 if (value == SYSLOG_LEVEL_NOT_SET)
748 fatal("%.200s line %d: unsupported log level '%s'",
749 filename, linenum, arg ? arg : "<NONE>");
750 if (*intptr == -1)
751 *intptr = (LogLevel) value;
752 break;
753
754 case sAllowTcpForwarding:
755 intptr = &options->allow_tcp_forwarding;
756 goto parse_flag;
757
700318f3 758 case sUsePrivilegeSeparation:
759 intptr = &use_privsep;
760 goto parse_flag;
761
e9a17296 762 case sAllowUsers:
763 while ((arg = strdelim(&cp)) && *arg != '\0') {
764 if (options->num_allow_users >= MAX_ALLOW_USERS)
765 fatal("%s line %d: too many allow users.",
766 filename, linenum);
680cee3b 767 options->allow_users[options->num_allow_users++] =
768 xstrdup(arg);
e9a17296 769 }
770 break;
3c0ef626 771
e9a17296 772 case sDenyUsers:
773 while ((arg = strdelim(&cp)) && *arg != '\0') {
774 if (options->num_deny_users >= MAX_DENY_USERS)
775 fatal( "%s line %d: too many deny users.",
776 filename, linenum);
680cee3b 777 options->deny_users[options->num_deny_users++] =
778 xstrdup(arg);
e9a17296 779 }
780 break;
3c0ef626 781
e9a17296 782 case sAllowGroups:
783 while ((arg = strdelim(&cp)) && *arg != '\0') {
784 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
785 fatal("%s line %d: too many allow groups.",
786 filename, linenum);
680cee3b 787 options->allow_groups[options->num_allow_groups++] =
788 xstrdup(arg);
e9a17296 789 }
790 break;
3c0ef626 791
e9a17296 792 case sDenyGroups:
793 while ((arg = strdelim(&cp)) && *arg != '\0') {
794 if (options->num_deny_groups >= MAX_DENY_GROUPS)
795 fatal("%s line %d: too many deny groups.",
796 filename, linenum);
797 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
798 }
799 break;
800
801 case sCiphers:
802 arg = strdelim(&cp);
803 if (!arg || *arg == '\0')
804 fatal("%s line %d: Missing argument.", filename, linenum);
805 if (!ciphers_valid(arg))
806 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
807 filename, linenum, arg ? arg : "<NONE>");
808 if (options->ciphers == NULL)
809 options->ciphers = xstrdup(arg);
810 break;
811
812 case sMacs:
813 arg = strdelim(&cp);
814 if (!arg || *arg == '\0')
815 fatal("%s line %d: Missing argument.", filename, linenum);
816 if (!mac_valid(arg))
817 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
818 filename, linenum, arg ? arg : "<NONE>");
819 if (options->macs == NULL)
820 options->macs = xstrdup(arg);
821 break;
822
823 case sProtocol:
824 intptr = &options->protocol;
825 arg = strdelim(&cp);
826 if (!arg || *arg == '\0')
827 fatal("%s line %d: Missing argument.", filename, linenum);
828 value = proto_spec(arg);
829 if (value == SSH_PROTO_UNKNOWN)
830 fatal("%s line %d: Bad protocol spec '%s'.",
831 filename, linenum, arg ? arg : "<NONE>");
832 if (*intptr == SSH_PROTO_UNKNOWN)
833 *intptr = value;
834 break;
835
836 case sSubsystem:
837 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
838 fatal("%s line %d: too many subsystems defined.",
839 filename, linenum);
840 }
841 arg = strdelim(&cp);
842 if (!arg || *arg == '\0')
843 fatal("%s line %d: Missing subsystem name.",
844 filename, linenum);
845 for (i = 0; i < options->num_subsystems; i++)
846 if (strcmp(arg, options->subsystem_name[i]) == 0)
847 fatal("%s line %d: Subsystem '%s' already defined.",
848 filename, linenum, arg);
849 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
850 arg = strdelim(&cp);
851 if (!arg || *arg == '\0')
852 fatal("%s line %d: Missing subsystem command.",
853 filename, linenum);
854 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
855 options->num_subsystems++;
856 break;
857
858 case sMaxStartups:
859 arg = strdelim(&cp);
860 if (!arg || *arg == '\0')
861 fatal("%s line %d: Missing MaxStartups spec.",
862 filename, linenum);
863 if ((n = sscanf(arg, "%d:%d:%d",
864 &options->max_startups_begin,
865 &options->max_startups_rate,
866 &options->max_startups)) == 3) {
867 if (options->max_startups_begin >
868 options->max_startups ||
869 options->max_startups_rate > 100 ||
870 options->max_startups_rate < 1)
3c0ef626 871 fatal("%s line %d: Illegal MaxStartups spec.",
872 filename, linenum);
e9a17296 873 } else if (n != 1)
874 fatal("%s line %d: Illegal MaxStartups spec.",
875 filename, linenum);
876 else
877 options->max_startups = options->max_startups_begin;
878 break;
879
880 case sBanner:
881 charptr = &options->banner;
882 goto parse_filename;
883 /*
884 * These options can contain %X options expanded at
885 * connect time, so that you can specify paths like:
886 *
887 * AuthorizedKeysFile /etc/ssh_keys/%u
888 */
889 case sAuthorizedKeysFile:
890 case sAuthorizedKeysFile2:
891 charptr = (opcode == sAuthorizedKeysFile ) ?
892 &options->authorized_keys_file :
893 &options->authorized_keys_file2;
894 goto parse_filename;
895
896 case sClientAliveInterval:
897 intptr = &options->client_alive_interval;
898 goto parse_time;
899
900 case sClientAliveCountMax:
901 intptr = &options->client_alive_count_max;
902 goto parse_int;
903
904 case sDeprecated:
905 log("%s line %d: Deprecated option %s",
906 filename, linenum, arg);
907 while (arg)
908 arg = strdelim(&cp);
909 break;
910
911 default:
912 fatal("%s line %d: Missing handler for opcode %s (%d)",
913 filename, linenum, arg, opcode);
914 }
915 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
916 fatal("%s line %d: garbage at end of line; \"%.200s\".",
917 filename, linenum, arg);
918 return 0;
919}
3c0ef626 920
e9a17296 921/* Reads the server configuration file. */
3c0ef626 922
e9a17296 923void
924read_server_config(ServerOptions *options, const char *filename)
925{
680cee3b 926 int linenum, bad_options = 0;
e9a17296 927 char line[1024];
680cee3b 928 FILE *f;
e9a17296 929
930 f = fopen(filename, "r");
931 if (!f) {
932 perror(filename);
933 exit(1);
934 }
935 linenum = 0;
936 while (fgets(line, sizeof(line), f)) {
937 /* Update line number counter. */
938 linenum++;
939 if (process_server_config_line(options, line, filename, linenum) != 0)
940 bad_options++;
3c0ef626 941 }
942 fclose(f);
943 if (bad_options > 0)
944 fatal("%s: terminating, %d bad configuration options",
945 filename, bad_options);
946}
This page took 0.196403 seconds and 5 git commands to generate.