]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz committe...
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
91d9cdd3 1/* $OpenBSD: servconf.c,v 1.194 2009/01/22 10:02:34 djm Exp $ */
3c0ef626 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
5 *
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
11 */
12
13#include "includes.h"
3c0ef626 14
9108f8d9 15#include <sys/types.h>
16#include <sys/socket.h>
17
18#include <netdb.h>
19#include <pwd.h>
20#include <stdio.h>
21#include <stdlib.h>
22#include <string.h>
23#include <signal.h>
24#include <unistd.h>
25#include <stdarg.h>
22616013 26#include <errno.h>
9108f8d9 27
22616013 28#include "openbsd-compat/sys-queue.h"
9108f8d9 29#include "xmalloc.h"
3c0ef626 30#include "ssh.h"
31#include "log.h"
9108f8d9 32#include "buffer.h"
3c0ef626 33#include "servconf.h"
3c0ef626 34#include "compat.h"
35#include "pathnames.h"
3c0ef626 36#include "misc.h"
37#include "cipher.h"
9108f8d9 38#include "key.h"
3c0ef626 39#include "kex.h"
40#include "mac.h"
9108f8d9 41#include "match.h"
42#include "channels.h"
43#include "groupaccess.h"
3c0ef626 44
91d9cdd3 45static void add_listen_addr(ServerOptions *, char *, int);
46static void add_one_listen_addr(ServerOptions *, char *, int);
3c0ef626 47
700318f3 48/* Use of privilege separation or not */
49extern int use_privsep;
9108f8d9 50extern Buffer cfg;
3c0ef626 51
52/* Initializes the server options to their default values. */
53
54void
55initialize_server_options(ServerOptions *options)
56{
57 memset(options, 0, sizeof(*options));
58
59 /* Portable-specific options */
0fff78ff 60 options->use_pam = -1;
3c0ef626 61
62 /* Standard Options */
63 options->num_ports = 0;
64 options->ports_from_cmdline = 0;
65 options->listen_addrs = NULL;
996d5e62 66 options->address_family = -1;
3c0ef626 67 options->num_host_key_files = 0;
68 options->pid_file = NULL;
69 options->server_key_bits = -1;
70 options->login_grace_time = -1;
71 options->key_regeneration_time = -1;
72 options->permit_root_login = PERMIT_NOT_SET;
73 options->ignore_rhosts = -1;
74 options->ignore_user_known_hosts = -1;
75 options->print_motd = -1;
76 options->print_lastlog = -1;
77 options->x11_forwarding = -1;
78 options->x11_display_offset = -1;
e9a17296 79 options->x11_use_localhost = -1;
3c0ef626 80 options->xauth_location = NULL;
81 options->strict_modes = -1;
cdd66111 82 options->tcp_keep_alive = -1;
e9a17296 83 options->log_facility = SYSLOG_FACILITY_NOT_SET;
84 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 85 options->rhosts_rsa_authentication = -1;
86 options->hostbased_authentication = -1;
87 options->hostbased_uses_name_from_packet_only = -1;
88 options->rsa_authentication = -1;
89 options->pubkey_authentication = -1;
3c0ef626 90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
cdd66111 93 options->kerberos_get_afs_token = -1;
0fff78ff 94 options->gss_authentication=-1;
f97edba6 95 options->gss_keyex = -1;
0fff78ff 96 options->gss_cleanup_creds = -1;
f97edba6 97 options->gss_strict_acceptor = -1;
98 options->gss_store_rekey = -1;
3c0ef626 99 options->password_authentication = -1;
100 options->kbd_interactive_authentication = -1;
101 options->challenge_response_authentication = -1;
102 options->permit_empty_passwd = -1;
41b2f314 103 options->permit_user_env = -1;
3c0ef626 104 options->use_login = -1;
f5799ae1 105 options->compression = -1;
3c0ef626 106 options->allow_tcp_forwarding = -1;
22616013 107 options->allow_agent_forwarding = -1;
3c0ef626 108 options->num_allow_users = 0;
109 options->num_deny_users = 0;
110 options->num_allow_groups = 0;
111 options->num_deny_groups = 0;
112 options->ciphers = NULL;
113 options->macs = NULL;
114 options->protocol = SSH_PROTO_UNKNOWN;
115 options->gateway_ports = -1;
116 options->num_subsystems = 0;
117 options->max_startups_begin = -1;
118 options->max_startups_rate = -1;
119 options->max_startups = -1;
c9f39d2c 120 options->max_authtries = -1;
22616013 121 options->max_sessions = -1;
3c0ef626 122 options->banner = NULL;
0fff78ff 123 options->use_dns = -1;
3c0ef626 124 options->client_alive_interval = -1;
125 options->client_alive_count_max = -1;
126 options->authorized_keys_file = NULL;
127 options->authorized_keys_file2 = NULL;
c9f39d2c 128 options->num_accept_env = 0;
2c06c99b 129 options->permit_tun = -1;
9108f8d9 130 options->num_permitted_opens = -1;
131 options->adm_forced_command = NULL;
47686178 132 options->chroot_directory = NULL;
91d9cdd3 133 options->zero_knowledge_password_authentication = -1;
76d45d2f 134 options->none_enabled = -1;
135 options->tcp_rcv_buf_poll = -1;
136 options->hpn_disabled = -1;
137 options->hpn_buffer_size = -1;
3c0ef626 138}
139
140void
141fill_default_server_options(ServerOptions *options)
142{
76d45d2f 143 /* needed for hpn socket tests */
144 int sock;
145 int socksize;
146 int socksizelen = sizeof(int);
147
3c0ef626 148 /* Portable-specific options */
0fff78ff 149 if (options->use_pam == -1)
acc3d05e 150 options->use_pam = 0;
3c0ef626 151
152 /* Standard Options */
153 if (options->protocol == SSH_PROTO_UNKNOWN)
154 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
155 if (options->num_host_key_files == 0) {
156 /* fill default hostkeys for protocols */
157 if (options->protocol & SSH_PROTO_1)
e9a17296 158 options->host_key_files[options->num_host_key_files++] =
159 _PATH_HOST_KEY_FILE;
160 if (options->protocol & SSH_PROTO_2) {
161 options->host_key_files[options->num_host_key_files++] =
162 _PATH_HOST_RSA_KEY_FILE;
163 options->host_key_files[options->num_host_key_files++] =
164 _PATH_HOST_DSA_KEY_FILE;
165 }
3c0ef626 166 }
167 if (options->num_ports == 0)
168 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
169 if (options->listen_addrs == NULL)
170 add_listen_addr(options, NULL, 0);
171 if (options->pid_file == NULL)
172 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
173 if (options->server_key_bits == -1)
22616013 174 options->server_key_bits = 1024;
3c0ef626 175 if (options->login_grace_time == -1)
41b2f314 176 options->login_grace_time = 120;
3c0ef626 177 if (options->key_regeneration_time == -1)
178 options->key_regeneration_time = 3600;
179 if (options->permit_root_login == PERMIT_NOT_SET)
180 options->permit_root_login = PERMIT_YES;
181 if (options->ignore_rhosts == -1)
182 options->ignore_rhosts = 1;
183 if (options->ignore_user_known_hosts == -1)
184 options->ignore_user_known_hosts = 0;
185 if (options->print_motd == -1)
186 options->print_motd = 1;
187 if (options->print_lastlog == -1)
188 options->print_lastlog = 1;
189 if (options->x11_forwarding == -1)
190 options->x11_forwarding = 0;
191 if (options->x11_display_offset == -1)
192 options->x11_display_offset = 10;
e9a17296 193 if (options->x11_use_localhost == -1)
194 options->x11_use_localhost = 1;
3c0ef626 195 if (options->xauth_location == NULL)
196 options->xauth_location = _PATH_XAUTH;
3c0ef626 197 if (options->strict_modes == -1)
198 options->strict_modes = 1;
cdd66111 199 if (options->tcp_keep_alive == -1)
200 options->tcp_keep_alive = 1;
e9a17296 201 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 202 options->log_facility = SYSLOG_FACILITY_AUTH;
e9a17296 203 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 204 options->log_level = SYSLOG_LEVEL_INFO;
3c0ef626 205 if (options->rhosts_rsa_authentication == -1)
206 options->rhosts_rsa_authentication = 0;
207 if (options->hostbased_authentication == -1)
208 options->hostbased_authentication = 0;
209 if (options->hostbased_uses_name_from_packet_only == -1)
210 options->hostbased_uses_name_from_packet_only = 0;
211 if (options->rsa_authentication == -1)
212 options->rsa_authentication = 1;
213 if (options->pubkey_authentication == -1)
214 options->pubkey_authentication = 1;
3c0ef626 215 if (options->kerberos_authentication == -1)
700318f3 216 options->kerberos_authentication = 0;
3c0ef626 217 if (options->kerberos_or_local_passwd == -1)
218 options->kerberos_or_local_passwd = 1;
219 if (options->kerberos_ticket_cleanup == -1)
220 options->kerberos_ticket_cleanup = 1;
cdd66111 221 if (options->kerberos_get_afs_token == -1)
222 options->kerberos_get_afs_token = 0;
0fff78ff 223 if (options->gss_authentication == -1)
224 options->gss_authentication = 0;
f97edba6 225 if (options->gss_keyex == -1)
226 options->gss_keyex = 0;
0fff78ff 227 if (options->gss_cleanup_creds == -1)
228 options->gss_cleanup_creds = 1;
f97edba6 229 if (options->gss_strict_acceptor == -1)
230 options->gss_strict_acceptor = 1;
231 if (options->gss_store_rekey == -1)
232 options->gss_store_rekey = 0;
3c0ef626 233 if (options->password_authentication == -1)
234 options->password_authentication = 1;
235 if (options->kbd_interactive_authentication == -1)
236 options->kbd_interactive_authentication = 0;
237 if (options->challenge_response_authentication == -1)
238 options->challenge_response_authentication = 1;
239 if (options->permit_empty_passwd == -1)
240 options->permit_empty_passwd = 0;
41b2f314 241 if (options->permit_user_env == -1)
242 options->permit_user_env = 0;
3c0ef626 243 if (options->use_login == -1)
244 options->use_login = 0;
f5799ae1 245 if (options->compression == -1)
665a873d 246 options->compression = COMP_DELAYED;
3c0ef626 247 if (options->allow_tcp_forwarding == -1)
248 options->allow_tcp_forwarding = 1;
22616013 249 if (options->allow_agent_forwarding == -1)
250 options->allow_agent_forwarding = 1;
3c0ef626 251 if (options->gateway_ports == -1)
252 options->gateway_ports = 0;
253 if (options->max_startups == -1)
254 options->max_startups = 10;
255 if (options->max_startups_rate == -1)
256 options->max_startups_rate = 100; /* 100% */
257 if (options->max_startups_begin == -1)
258 options->max_startups_begin = options->max_startups;
c9f39d2c 259 if (options->max_authtries == -1)
260 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
22616013 261 if (options->max_sessions == -1)
262 options->max_sessions = DEFAULT_SESSIONS_MAX;
0fff78ff 263 if (options->use_dns == -1)
264 options->use_dns = 1;
3c0ef626 265 if (options->client_alive_interval == -1)
e9a17296 266 options->client_alive_interval = 0;
3c0ef626 267 if (options->client_alive_count_max == -1)
268 options->client_alive_count_max = 3;
269 if (options->authorized_keys_file2 == NULL) {
270 /* authorized_keys_file2 falls back to authorized_keys_file */
271 if (options->authorized_keys_file != NULL)
272 options->authorized_keys_file2 = options->authorized_keys_file;
273 else
274 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
275 }
276 if (options->authorized_keys_file == NULL)
277 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
2c06c99b 278 if (options->permit_tun == -1)
279 options->permit_tun = SSH_TUNMODE_NO;
91d9cdd3 280 if (options->zero_knowledge_password_authentication == -1)
281 options->zero_knowledge_password_authentication = 0;
700318f3 282
76d45d2f 283 if (options->hpn_disabled == -1)
284 options->hpn_disabled = 0;
285
286 if (options->hpn_buffer_size == -1) {
287 /* option not explicitly set. Now we have to figure out */
288 /* what value to use */
289 if (options->hpn_disabled == 1) {
290 options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
291 } else {
292 /* get the current RCV size and set it to that */
293 /*create a socket but don't connect it */
294 /* we use that the get the rcv socket size */
295 sock = socket(AF_INET, SOCK_STREAM, 0);
296 getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
297 &socksize, &socksizelen);
298 close(sock);
299 options->hpn_buffer_size = socksize;
300 debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
301
302 }
303 } else {
304 /* we have to do this incase the user sets both values in a contradictory */
305 /* manner. hpn_disabled overrrides hpn_buffer_size*/
306 if (options->hpn_disabled <= 0) {
307 if (options->hpn_buffer_size == 0)
308 options->hpn_buffer_size = 1;
309 /* limit the maximum buffer to 64MB */
310 if (options->hpn_buffer_size > 64*1024) {
311 options->hpn_buffer_size = 64*1024*1024;
312 } else {
313 options->hpn_buffer_size *= 1024;
314 }
315 } else
316 options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
317 }
318
f5799ae1 319 /* Turn privilege separation on by default */
700318f3 320 if (use_privsep == -1)
f5799ae1 321 use_privsep = 1;
322
41b2f314 323#ifndef HAVE_MMAP
f5799ae1 324 if (use_privsep && options->compression == 1) {
325 error("This platform does not support both privilege "
326 "separation and compression");
327 error("Compression disabled");
328 options->compression = 0;
329 }
330#endif
331
3c0ef626 332}
333
334/* Keyword tokens. */
335typedef enum {
336 sBadOption, /* == unknown option */
337 /* Portable-specific options */
0fff78ff 338 sUsePAM,
3c0ef626 339 /* Standard Options */
340 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
341 sPermitRootLogin, sLogFacility, sLogLevel,
0fff78ff 342 sRhostsRSAAuthentication, sRSAAuthentication,
3c0ef626 343 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
cdd66111 344 sKerberosGetAFSToken,
0fff78ff 345 sKerberosTgtPassing, sChallengeResponseAuthentication,
996d5e62 346 sPasswordAuthentication, sKbdInteractiveAuthentication,
347 sListenAddress, sAddressFamily,
3c0ef626 348 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9a17296 349 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
cdd66111 350 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
41b2f314 351 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
3c0ef626 352 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
353 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
c9f39d2c 354 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
22616013 355 sMaxStartups, sMaxAuthTries, sMaxSessions,
0fff78ff 356 sBanner, sUseDNS, sHostbasedAuthentication,
e9a17296 357 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 358 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
f97edba6 359 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
360 sGssKeyEx, sGssStoreRekey,
361 sAcceptEnv, sPermitTunnel,
47686178 362 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
22616013 363 sUsePrivilegeSeparation, sAllowAgentForwarding,
91d9cdd3 364 sZeroKnowledgePasswordAuthentication,
76d45d2f 365 sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
0fff78ff 366 sDeprecated, sUnsupported
3c0ef626 367} ServerOpCodes;
368
9108f8d9 369#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
370#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
371#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
372
3c0ef626 373/* Textual representation of the tokens. */
374static struct {
375 const char *name;
376 ServerOpCodes opcode;
9108f8d9 377 u_int flags;
3c0ef626 378} keywords[] = {
379 /* Portable-specific options */
0fff78ff 380#ifdef USE_PAM
9108f8d9 381 { "usepam", sUsePAM, SSHCFG_GLOBAL },
0fff78ff 382#else
9108f8d9 383 { "usepam", sUnsupported, SSHCFG_GLOBAL },
0fff78ff 384#endif
9108f8d9 385 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
3c0ef626 386 /* Standard Options */
9108f8d9 387 { "port", sPort, SSHCFG_GLOBAL },
388 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
389 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
390 { "pidfile", sPidFile, SSHCFG_GLOBAL },
391 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
392 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
393 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
47686178 394 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
9108f8d9 395 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
396 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
397 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
799ae497 398 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
399 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
9108f8d9 400 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
799ae497 401 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
402 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
9108f8d9 403 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
0fff78ff 404#ifdef KRB5
799ae497 405 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
9108f8d9 406 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
407 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
cdd66111 408#ifdef USE_AFS
9108f8d9 409 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
cdd66111 410#else
9108f8d9 411 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
cdd66111 412#endif
0fff78ff 413#else
799ae497 414 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
9108f8d9 415 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
416 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
417 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
3c0ef626 418#endif
9108f8d9 419 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
420 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
0fff78ff 421#ifdef GSSAPI
799ae497 422 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
9108f8d9 423 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
f97edba6 424 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
425 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
426 { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
0fff78ff 427#else
799ae497 428 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
9108f8d9 429 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
f97edba6 430 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
431 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
432 { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
3c0ef626 433#endif
799ae497 434 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
435 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
9108f8d9 436 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
437 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
91d9cdd3 438#ifdef JPAKE
439 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
440#else
441 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
442#endif
9108f8d9 443 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
444 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
445 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
446 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
447 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
448 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
449 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
450 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
451 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
452 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
453 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
454 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
91d9cdd3 455 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
9108f8d9 456 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
457 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
458 { "compression", sCompression, SSHCFG_GLOBAL },
459 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
460 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
461 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
22616013 462 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
9108f8d9 463 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
464 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
465 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
466 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
467 { "ciphers", sCiphers, SSHCFG_GLOBAL },
468 { "macs", sMacs, SSHCFG_GLOBAL },
469 { "protocol", sProtocol, SSHCFG_GLOBAL },
470 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
471 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
472 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
22616013 473 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
474 { "maxsessions", sMaxSessions, SSHCFG_ALL },
799ae497 475 { "banner", sBanner, SSHCFG_ALL },
9108f8d9 476 { "usedns", sUseDNS, SSHCFG_GLOBAL },
477 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
478 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
479 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
480 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
481 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
482 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
483 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
484 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
485 { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
486 { "match", sMatch, SSHCFG_ALL },
487 { "permitopen", sPermitOpen, SSHCFG_ALL },
488 { "forcecommand", sForceCommand, SSHCFG_ALL },
47686178 489 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
76d45d2f 490 { "noneenabled", sNoneEnabled },
491 { "hpndisabled", sHPNDisabled },
492 { "hpnbuffersize", sHPNBufferSize },
493 { "tcprcvbufpoll", sTcpRcvBufPoll },
9108f8d9 494 { NULL, sBadOption, 0 }
3c0ef626 495};
496
22616013 497static struct {
498 int val;
499 char *text;
500} tunmode_desc[] = {
501 { SSH_TUNMODE_NO, "no" },
502 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
503 { SSH_TUNMODE_ETHERNET, "ethernet" },
504 { SSH_TUNMODE_YES, "yes" },
505 { -1, NULL }
506};
507
3c0ef626 508/*
509 * Returns the number of the token pointed to by cp or sBadOption.
510 */
511
512static ServerOpCodes
513parse_token(const char *cp, const char *filename,
9108f8d9 514 int linenum, u_int *flags)
3c0ef626 515{
516 u_int i;
517
518 for (i = 0; keywords[i].name; i++)
9108f8d9 519 if (strcasecmp(cp, keywords[i].name) == 0) {
76d45d2f 520 debug ("Config token is %s", keywords[i].name);
9108f8d9 521 *flags = keywords[i].flags;
3c0ef626 522 return keywords[i].opcode;
9108f8d9 523 }
3c0ef626 524
525 error("%s: line %d: Bad configuration option: %s",
526 filename, linenum, cp);
527 return sBadOption;
528}
529
530static void
91d9cdd3 531add_listen_addr(ServerOptions *options, char *addr, int port)
3c0ef626 532{
665a873d 533 u_int i;
3c0ef626 534
535 if (options->num_ports == 0)
536 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
996d5e62 537 if (options->address_family == -1)
538 options->address_family = AF_UNSPEC;
3c0ef626 539 if (port == 0)
540 for (i = 0; i < options->num_ports; i++)
541 add_one_listen_addr(options, addr, options->ports[i]);
542 else
543 add_one_listen_addr(options, addr, port);
544}
545
546static void
91d9cdd3 547add_one_listen_addr(ServerOptions *options, char *addr, int port)
3c0ef626 548{
549 struct addrinfo hints, *ai, *aitop;
550 char strport[NI_MAXSERV];
551 int gaierr;
552
553 memset(&hints, 0, sizeof(hints));
996d5e62 554 hints.ai_family = options->address_family;
3c0ef626 555 hints.ai_socktype = SOCK_STREAM;
556 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
91d9cdd3 557 snprintf(strport, sizeof strport, "%d", port);
3c0ef626 558 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
559 fatal("bad addr or host: %s (%s)",
560 addr ? addr : "<NULL>",
47686178 561 ssh_gai_strerror(gaierr));
3c0ef626 562 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
563 ;
564 ai->ai_next = options->listen_addrs;
565 options->listen_addrs = aitop;
566}
567
9108f8d9 568/*
569 * The strategy for the Match blocks is that the config file is parsed twice.
570 *
571 * The first time is at startup. activep is initialized to 1 and the
572 * directives in the global context are processed and acted on. Hitting a
573 * Match directive unsets activep and the directives inside the block are
574 * checked for syntax only.
575 *
576 * The second time is after a connection has been established but before
577 * authentication. activep is initialized to 2 and global config directives
578 * are ignored since they have already been processed. If the criteria in a
579 * Match block is met, activep is set and the subsequent directives
580 * processed and actioned until EOF or another Match block unsets it. Any
581 * options set are copied into the main server config.
582 *
583 * Potential additions/improvements:
584 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
585 *
586 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
587 * Match Address 192.168.0.*
588 * Tag trusted
589 * Match Group wheel
590 * Tag trusted
591 * Match Tag trusted
592 * AllowTcpForwarding yes
593 * GatewayPorts clientspecified
594 * [...]
595 *
596 * - Add a PermittedChannelRequests directive
597 * Match Group shell
598 * PermittedChannelRequests session,forwarded-tcpip
599 */
600
601static int
602match_cfg_line_group(const char *grps, int line, const char *user)
603{
604 int result = 0;
9108f8d9 605 struct passwd *pw;
606
9108f8d9 607 if (user == NULL)
608 goto out;
609
610 if ((pw = getpwnam(user)) == NULL) {
611 debug("Can't match group at line %d because user %.100s does "
612 "not exist", line, user);
613 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
614 debug("Can't Match group because user %.100s not in any group "
615 "at line %d", user, line);
22616013 616 } else if (ga_match_pattern_list(grps) != 1) {
617 debug("user %.100s does not match group list %.100s at line %d",
618 user, grps, line);
9108f8d9 619 } else {
22616013 620 debug("user %.100s matched group list %.100s at line %d", user,
621 grps, line);
9108f8d9 622 result = 1;
623 }
624out:
625 ga_free();
9108f8d9 626 return result;
627}
628
629static int
630match_cfg_line(char **condition, int line, const char *user, const char *host,
631 const char *address)
632{
633 int result = 1;
634 char *arg, *attrib, *cp = *condition;
635 size_t len;
636
637 if (user == NULL)
638 debug3("checking syntax for 'Match %s'", cp);
639 else
640 debug3("checking match for '%s' user %s host %s addr %s", cp,
641 user ? user : "(null)", host ? host : "(null)",
642 address ? address : "(null)");
643
644 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
645 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
646 error("Missing Match criteria for %s", attrib);
647 return -1;
648 }
649 len = strlen(arg);
650 if (strcasecmp(attrib, "user") == 0) {
651 if (!user) {
652 result = 0;
653 continue;
654 }
655 if (match_pattern_list(user, arg, len, 0) != 1)
656 result = 0;
657 else
658 debug("user %.100s matched 'User %.100s' at "
659 "line %d", user, arg, line);
660 } else if (strcasecmp(attrib, "group") == 0) {
661 switch (match_cfg_line_group(arg, line, user)) {
662 case -1:
663 return -1;
664 case 0:
665 result = 0;
666 }
667 } else if (strcasecmp(attrib, "host") == 0) {
668 if (!host) {
669 result = 0;
670 continue;
671 }
672 if (match_hostname(host, arg, len) != 1)
673 result = 0;
674 else
675 debug("connection from %.100s matched 'Host "
676 "%.100s' at line %d", host, arg, line);
677 } else if (strcasecmp(attrib, "address") == 0) {
22616013 678 switch (addr_match_list(address, arg)) {
679 case 1:
9108f8d9 680 debug("connection from %.100s matched 'Address "
681 "%.100s' at line %d", address, arg, line);
22616013 682 break;
683 case 0:
684 case -1:
685 result = 0;
686 break;
687 case -2:
688 return -1;
689 }
9108f8d9 690 } else {
691 error("Unsupported Match attribute %s", attrib);
692 return -1;
693 }
694 }
695 if (user != NULL)
696 debug3("match %sfound", result ? "" : "not ");
697 *condition = cp;
698 return result;
699}
700
701#define WHITESPACE " \t\r\n"
702
e9a17296 703int
704process_server_config_line(ServerOptions *options, char *line,
9108f8d9 705 const char *filename, int linenum, int *activep, const char *user,
706 const char *host, const char *address)
3c0ef626 707{
3c0ef626 708 char *cp, **charptr, *arg, *p;
9108f8d9 709 int cmdline = 0, *intptr, value, n;
47686178 710 SyslogFacility *log_facility_ptr;
711 LogLevel *log_level_ptr;
3c0ef626 712 ServerOpCodes opcode;
91d9cdd3 713 int port;
9108f8d9 714 u_int i, flags = 0;
715 size_t len;
3c0ef626 716
e9a17296 717 cp = line;
9108f8d9 718 if ((arg = strdelim(&cp)) == NULL)
719 return 0;
e9a17296 720 /* Ignore leading whitespace */
721 if (*arg == '\0')
3c0ef626 722 arg = strdelim(&cp);
e9a17296 723 if (!arg || !*arg || *arg == '#')
724 return 0;
725 intptr = NULL;
726 charptr = NULL;
9108f8d9 727 opcode = parse_token(arg, filename, linenum, &flags);
728
729 if (activep == NULL) { /* We are processing a command line directive */
730 cmdline = 1;
731 activep = &cmdline;
732 }
733 if (*activep && opcode != sMatch)
734 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
735 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
736 if (user == NULL) {
737 fatal("%s line %d: Directive '%s' is not allowed "
738 "within a Match block", filename, linenum, arg);
739 } else { /* this is a directive we have already processed */
740 while (arg)
741 arg = strdelim(&cp);
742 return 0;
743 }
744 }
745
e9a17296 746 switch (opcode) {
747 /* Portable-specific options */
0fff78ff 748 case sUsePAM:
749 intptr = &options->use_pam;
e9a17296 750 goto parse_flag;
3c0ef626 751
e9a17296 752 /* Standard Options */
753 case sBadOption:
754 return -1;
755 case sPort:
756 /* ignore ports from configfile if cmdline specifies ports */
757 if (options->ports_from_cmdline)
758 return 0;
759 if (options->listen_addrs != NULL)
760 fatal("%s line %d: ports must be specified before "
761 "ListenAddress.", filename, linenum);
762 if (options->num_ports >= MAX_PORTS)
763 fatal("%s line %d: too many ports.",
764 filename, linenum);
765 arg = strdelim(&cp);
766 if (!arg || *arg == '\0')
767 fatal("%s line %d: missing port number.",
768 filename, linenum);
769 options->ports[options->num_ports++] = a2port(arg);
91d9cdd3 770 if (options->ports[options->num_ports-1] <= 0)
e9a17296 771 fatal("%s line %d: Badly formatted port number.",
772 filename, linenum);
773 break;
774
775 case sServerKeyBits:
776 intptr = &options->server_key_bits;
22616013 777 parse_int:
e9a17296 778 arg = strdelim(&cp);
779 if (!arg || *arg == '\0')
780 fatal("%s line %d: missing integer value.",
781 filename, linenum);
782 value = atoi(arg);
9108f8d9 783 if (*activep && *intptr == -1)
e9a17296 784 *intptr = value;
785 break;
786
787 case sLoginGraceTime:
788 intptr = &options->login_grace_time;
22616013 789 parse_time:
e9a17296 790 arg = strdelim(&cp);
791 if (!arg || *arg == '\0')
792 fatal("%s line %d: missing time value.",
793 filename, linenum);
794 if ((value = convtime(arg)) == -1)
795 fatal("%s line %d: invalid time value.",
796 filename, linenum);
797 if (*intptr == -1)
798 *intptr = value;
799 break;
800
801 case sKeyRegenerationTime:
802 intptr = &options->key_regeneration_time;
803 goto parse_time;
804
805 case sListenAddress:
806 arg = strdelim(&cp);
996d5e62 807 if (arg == NULL || *arg == '\0')
808 fatal("%s line %d: missing address",
e9a17296 809 filename, linenum);
665a873d 810 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
811 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
812 && strchr(p+1, ':') != NULL) {
813 add_listen_addr(options, arg, 0);
814 break;
815 }
996d5e62 816 p = hpdelim(&arg);
817 if (p == NULL)
818 fatal("%s line %d: bad address:port usage",
e9a17296 819 filename, linenum);
996d5e62 820 p = cleanhostname(p);
821 if (arg == NULL)
822 port = 0;
91d9cdd3 823 else if ((port = a2port(arg)) <= 0)
996d5e62 824 fatal("%s line %d: bad port number", filename, linenum);
825
826 add_listen_addr(options, p, port);
827
828 break;
829
830 case sAddressFamily:
831 arg = strdelim(&cp);
665a873d 832 if (!arg || *arg == '\0')
833 fatal("%s line %d: missing address family.",
834 filename, linenum);
996d5e62 835 intptr = &options->address_family;
836 if (options->listen_addrs != NULL)
837 fatal("%s line %d: address family must be specified before "
838 "ListenAddress.", filename, linenum);
839 if (strcasecmp(arg, "inet") == 0)
840 value = AF_INET;
841 else if (strcasecmp(arg, "inet6") == 0)
842 value = AF_INET6;
843 else if (strcasecmp(arg, "any") == 0)
844 value = AF_UNSPEC;
845 else
846 fatal("%s line %d: unsupported address family \"%s\".",
847 filename, linenum, arg);
848 if (*intptr == -1)
849 *intptr = value;
e9a17296 850 break;
851
852 case sHostKeyFile:
853 intptr = &options->num_host_key_files;
854 if (*intptr >= MAX_HOSTKEYS)
855 fatal("%s line %d: too many host keys specified (max %d).",
856 filename, linenum, MAX_HOSTKEYS);
857 charptr = &options->host_key_files[*intptr];
22616013 858 parse_filename:
e9a17296 859 arg = strdelim(&cp);
860 if (!arg || *arg == '\0')
861 fatal("%s line %d: missing file name.",
862 filename, linenum);
9108f8d9 863 if (*activep && *charptr == NULL) {
e9a17296 864 *charptr = tilde_expand_filename(arg, getuid());
865 /* increase optional counter */
866 if (intptr != NULL)
867 *intptr = *intptr + 1;
868 }
869 break;
3c0ef626 870
e9a17296 871 case sPidFile:
872 charptr = &options->pid_file;
873 goto parse_filename;
3c0ef626 874
e9a17296 875 case sPermitRootLogin:
876 intptr = &options->permit_root_login;
877 arg = strdelim(&cp);
878 if (!arg || *arg == '\0')
879 fatal("%s line %d: missing yes/"
880 "without-password/forced-commands-only/no "
881 "argument.", filename, linenum);
882 value = 0; /* silence compiler */
883 if (strcmp(arg, "without-password") == 0)
884 value = PERMIT_NO_PASSWD;
885 else if (strcmp(arg, "forced-commands-only") == 0)
886 value = PERMIT_FORCED_ONLY;
887 else if (strcmp(arg, "yes") == 0)
888 value = PERMIT_YES;
889 else if (strcmp(arg, "no") == 0)
890 value = PERMIT_NO;
891 else
892 fatal("%s line %d: Bad yes/"
893 "without-password/forced-commands-only/no "
894 "argument: %s", filename, linenum, arg);
47686178 895 if (*activep && *intptr == -1)
e9a17296 896 *intptr = value;
897 break;
898
899 case sIgnoreRhosts:
900 intptr = &options->ignore_rhosts;
22616013 901 parse_flag:
e9a17296 902 arg = strdelim(&cp);
903 if (!arg || *arg == '\0')
904 fatal("%s line %d: missing yes/no argument.",
905 filename, linenum);
906 value = 0; /* silence compiler */
907 if (strcmp(arg, "yes") == 0)
908 value = 1;
909 else if (strcmp(arg, "no") == 0)
910 value = 0;
911 else
912 fatal("%s line %d: Bad yes/no argument: %s",
913 filename, linenum, arg);
9108f8d9 914 if (*activep && *intptr == -1)
e9a17296 915 *intptr = value;
916 break;
917
76d45d2f 918 case sNoneEnabled:
919 intptr = &options->none_enabled;
920 goto parse_flag;
921
922 case sTcpRcvBufPoll:
923 intptr = &options->tcp_rcv_buf_poll;
924 goto parse_flag;
925
926 case sHPNDisabled:
927 intptr = &options->hpn_disabled;
928 goto parse_flag;
929
930 case sHPNBufferSize:
931 intptr = &options->hpn_buffer_size;
932 goto parse_int;
933
e9a17296 934 case sIgnoreUserKnownHosts:
935 intptr = &options->ignore_user_known_hosts;
936 goto parse_flag;
937
e9a17296 938 case sRhostsRSAAuthentication:
939 intptr = &options->rhosts_rsa_authentication;
940 goto parse_flag;
941
942 case sHostbasedAuthentication:
943 intptr = &options->hostbased_authentication;
944 goto parse_flag;
945
946 case sHostbasedUsesNameFromPacketOnly:
947 intptr = &options->hostbased_uses_name_from_packet_only;
948 goto parse_flag;
949
950 case sRSAAuthentication:
951 intptr = &options->rsa_authentication;
952 goto parse_flag;
953
954 case sPubkeyAuthentication:
955 intptr = &options->pubkey_authentication;
956 goto parse_flag;
0fff78ff 957
e9a17296 958 case sKerberosAuthentication:
959 intptr = &options->kerberos_authentication;
960 goto parse_flag;
3c0ef626 961
e9a17296 962 case sKerberosOrLocalPasswd:
963 intptr = &options->kerberos_or_local_passwd;
964 goto parse_flag;
3c0ef626 965
e9a17296 966 case sKerberosTicketCleanup:
967 intptr = &options->kerberos_ticket_cleanup;
968 goto parse_flag;
0fff78ff 969
cdd66111 970 case sKerberosGetAFSToken:
971 intptr = &options->kerberos_get_afs_token;
972 goto parse_flag;
973
0fff78ff 974 case sGssAuthentication:
975 intptr = &options->gss_authentication;
e9a17296 976 goto parse_flag;
0fff78ff 977
f97edba6 978 case sGssKeyEx:
979 intptr = &options->gss_keyex;
980 goto parse_flag;
981
0fff78ff 982 case sGssCleanupCreds:
983 intptr = &options->gss_cleanup_creds;
e9a17296 984 goto parse_flag;
3c0ef626 985
f97edba6 986 case sGssStrictAcceptor:
987 intptr = &options->gss_strict_acceptor;
988 goto parse_flag;
989
990 case sGssStoreRekey:
991 intptr = &options->gss_store_rekey;
992 goto parse_flag;
993
e9a17296 994 case sPasswordAuthentication:
995 intptr = &options->password_authentication;
996 goto parse_flag;
3c0ef626 997
91d9cdd3 998 case sZeroKnowledgePasswordAuthentication:
999 intptr = &options->zero_knowledge_password_authentication;
1000 goto parse_flag;
1001
e9a17296 1002 case sKbdInteractiveAuthentication:
1003 intptr = &options->kbd_interactive_authentication;
1004 goto parse_flag;
3c0ef626 1005
e9a17296 1006 case sChallengeResponseAuthentication:
1007 intptr = &options->challenge_response_authentication;
1008 goto parse_flag;
3c0ef626 1009
e9a17296 1010 case sPrintMotd:
1011 intptr = &options->print_motd;
1012 goto parse_flag;
3c0ef626 1013
e9a17296 1014 case sPrintLastLog:
1015 intptr = &options->print_lastlog;
1016 goto parse_flag;
3c0ef626 1017
e9a17296 1018 case sX11Forwarding:
1019 intptr = &options->x11_forwarding;
1020 goto parse_flag;
3c0ef626 1021
e9a17296 1022 case sX11DisplayOffset:
1023 intptr = &options->x11_display_offset;
1024 goto parse_int;
3c0ef626 1025
e9a17296 1026 case sX11UseLocalhost:
1027 intptr = &options->x11_use_localhost;
1028 goto parse_flag;
3c0ef626 1029
e9a17296 1030 case sXAuthLocation:
1031 charptr = &options->xauth_location;
1032 goto parse_filename;
3c0ef626 1033
e9a17296 1034 case sStrictModes:
1035 intptr = &options->strict_modes;
1036 goto parse_flag;
3c0ef626 1037
cdd66111 1038 case sTCPKeepAlive:
1039 intptr = &options->tcp_keep_alive;
e9a17296 1040 goto parse_flag;
3c0ef626 1041
e9a17296 1042 case sEmptyPasswd:
1043 intptr = &options->permit_empty_passwd;
1044 goto parse_flag;
3c0ef626 1045
41b2f314 1046 case sPermitUserEnvironment:
1047 intptr = &options->permit_user_env;
1048 goto parse_flag;
1049
e9a17296 1050 case sUseLogin:
1051 intptr = &options->use_login;
1052 goto parse_flag;
3c0ef626 1053
f5799ae1 1054 case sCompression:
1055 intptr = &options->compression;
665a873d 1056 arg = strdelim(&cp);
1057 if (!arg || *arg == '\0')
1058 fatal("%s line %d: missing yes/no/delayed "
1059 "argument.", filename, linenum);
1060 value = 0; /* silence compiler */
1061 if (strcmp(arg, "delayed") == 0)
1062 value = COMP_DELAYED;
1063 else if (strcmp(arg, "yes") == 0)
1064 value = COMP_ZLIB;
1065 else if (strcmp(arg, "no") == 0)
1066 value = COMP_NONE;
1067 else
1068 fatal("%s line %d: Bad yes/no/delayed "
1069 "argument: %s", filename, linenum, arg);
1070 if (*intptr == -1)
1071 *intptr = value;
1072 break;
f5799ae1 1073
e9a17296 1074 case sGatewayPorts:
1075 intptr = &options->gateway_ports;
996d5e62 1076 arg = strdelim(&cp);
1077 if (!arg || *arg == '\0')
1078 fatal("%s line %d: missing yes/no/clientspecified "
1079 "argument.", filename, linenum);
1080 value = 0; /* silence compiler */
1081 if (strcmp(arg, "clientspecified") == 0)
1082 value = 2;
1083 else if (strcmp(arg, "yes") == 0)
1084 value = 1;
1085 else if (strcmp(arg, "no") == 0)
1086 value = 0;
1087 else
1088 fatal("%s line %d: Bad yes/no/clientspecified "
1089 "argument: %s", filename, linenum, arg);
799ae497 1090 if (*activep && *intptr == -1)
996d5e62 1091 *intptr = value;
1092 break;
3c0ef626 1093
0fff78ff 1094 case sUseDNS:
1095 intptr = &options->use_dns;
e9a17296 1096 goto parse_flag;
3c0ef626 1097
e9a17296 1098 case sLogFacility:
47686178 1099 log_facility_ptr = &options->log_facility;
e9a17296 1100 arg = strdelim(&cp);
1101 value = log_facility_number(arg);
1102 if (value == SYSLOG_FACILITY_NOT_SET)
1103 fatal("%.200s line %d: unsupported log facility '%s'",
1104 filename, linenum, arg ? arg : "<NONE>");
47686178 1105 if (*log_facility_ptr == -1)
1106 *log_facility_ptr = (SyslogFacility) value;
e9a17296 1107 break;
1108
1109 case sLogLevel:
47686178 1110 log_level_ptr = &options->log_level;
e9a17296 1111 arg = strdelim(&cp);
1112 value = log_level_number(arg);
1113 if (value == SYSLOG_LEVEL_NOT_SET)
1114 fatal("%.200s line %d: unsupported log level '%s'",
1115 filename, linenum, arg ? arg : "<NONE>");
47686178 1116 if (*log_level_ptr == -1)
1117 *log_level_ptr = (LogLevel) value;
e9a17296 1118 break;
1119
1120 case sAllowTcpForwarding:
1121 intptr = &options->allow_tcp_forwarding;
1122 goto parse_flag;
1123
22616013 1124 case sAllowAgentForwarding:
1125 intptr = &options->allow_agent_forwarding;
1126 goto parse_flag;
1127
700318f3 1128 case sUsePrivilegeSeparation:
1129 intptr = &use_privsep;
1130 goto parse_flag;
1131
e9a17296 1132 case sAllowUsers:
1133 while ((arg = strdelim(&cp)) && *arg != '\0') {
1134 if (options->num_allow_users >= MAX_ALLOW_USERS)
1135 fatal("%s line %d: too many allow users.",
1136 filename, linenum);
680cee3b 1137 options->allow_users[options->num_allow_users++] =
1138 xstrdup(arg);
e9a17296 1139 }
1140 break;
3c0ef626 1141
e9a17296 1142 case sDenyUsers:
1143 while ((arg = strdelim(&cp)) && *arg != '\0') {
1144 if (options->num_deny_users >= MAX_DENY_USERS)
9108f8d9 1145 fatal("%s line %d: too many deny users.",
e9a17296 1146 filename, linenum);
680cee3b 1147 options->deny_users[options->num_deny_users++] =
1148 xstrdup(arg);
e9a17296 1149 }
1150 break;
3c0ef626 1151
e9a17296 1152 case sAllowGroups:
1153 while ((arg = strdelim(&cp)) && *arg != '\0') {
1154 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1155 fatal("%s line %d: too many allow groups.",
1156 filename, linenum);
680cee3b 1157 options->allow_groups[options->num_allow_groups++] =
1158 xstrdup(arg);
e9a17296 1159 }
1160 break;
3c0ef626 1161
e9a17296 1162 case sDenyGroups:
1163 while ((arg = strdelim(&cp)) && *arg != '\0') {
1164 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1165 fatal("%s line %d: too many deny groups.",
1166 filename, linenum);
1167 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1168 }
1169 break;
1170
1171 case sCiphers:
1172 arg = strdelim(&cp);
1173 if (!arg || *arg == '\0')
1174 fatal("%s line %d: Missing argument.", filename, linenum);
1175 if (!ciphers_valid(arg))
1176 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1177 filename, linenum, arg ? arg : "<NONE>");
1178 if (options->ciphers == NULL)
1179 options->ciphers = xstrdup(arg);
1180 break;
1181
1182 case sMacs:
1183 arg = strdelim(&cp);
1184 if (!arg || *arg == '\0')
1185 fatal("%s line %d: Missing argument.", filename, linenum);
1186 if (!mac_valid(arg))
1187 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1188 filename, linenum, arg ? arg : "<NONE>");
1189 if (options->macs == NULL)
1190 options->macs = xstrdup(arg);
1191 break;
1192
1193 case sProtocol:
1194 intptr = &options->protocol;
1195 arg = strdelim(&cp);
1196 if (!arg || *arg == '\0')
1197 fatal("%s line %d: Missing argument.", filename, linenum);
1198 value = proto_spec(arg);
1199 if (value == SSH_PROTO_UNKNOWN)
1200 fatal("%s line %d: Bad protocol spec '%s'.",
1201 filename, linenum, arg ? arg : "<NONE>");
1202 if (*intptr == SSH_PROTO_UNKNOWN)
1203 *intptr = value;
1204 break;
1205
1206 case sSubsystem:
1207 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1208 fatal("%s line %d: too many subsystems defined.",
1209 filename, linenum);
1210 }
1211 arg = strdelim(&cp);
1212 if (!arg || *arg == '\0')
1213 fatal("%s line %d: Missing subsystem name.",
1214 filename, linenum);
9108f8d9 1215 if (!*activep) {
1216 arg = strdelim(&cp);
1217 break;
1218 }
e9a17296 1219 for (i = 0; i < options->num_subsystems; i++)
1220 if (strcmp(arg, options->subsystem_name[i]) == 0)
1221 fatal("%s line %d: Subsystem '%s' already defined.",
1222 filename, linenum, arg);
1223 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1224 arg = strdelim(&cp);
1225 if (!arg || *arg == '\0')
1226 fatal("%s line %d: Missing subsystem command.",
1227 filename, linenum);
1228 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
9108f8d9 1229
1230 /* Collect arguments (separate to executable) */
1231 p = xstrdup(arg);
1232 len = strlen(p) + 1;
1233 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1234 len += 1 + strlen(arg);
1235 p = xrealloc(p, 1, len);
1236 strlcat(p, " ", len);
1237 strlcat(p, arg, len);
1238 }
1239 options->subsystem_args[options->num_subsystems] = p;
e9a17296 1240 options->num_subsystems++;
1241 break;
1242
1243 case sMaxStartups:
1244 arg = strdelim(&cp);
1245 if (!arg || *arg == '\0')
1246 fatal("%s line %d: Missing MaxStartups spec.",
1247 filename, linenum);
1248 if ((n = sscanf(arg, "%d:%d:%d",
1249 &options->max_startups_begin,
1250 &options->max_startups_rate,
1251 &options->max_startups)) == 3) {
1252 if (options->max_startups_begin >
1253 options->max_startups ||
1254 options->max_startups_rate > 100 ||
1255 options->max_startups_rate < 1)
3c0ef626 1256 fatal("%s line %d: Illegal MaxStartups spec.",
1257 filename, linenum);
e9a17296 1258 } else if (n != 1)
1259 fatal("%s line %d: Illegal MaxStartups spec.",
1260 filename, linenum);
1261 else
1262 options->max_startups = options->max_startups_begin;
1263 break;
1264
c9f39d2c 1265 case sMaxAuthTries:
1266 intptr = &options->max_authtries;
1267 goto parse_int;
1268
22616013 1269 case sMaxSessions:
1270 intptr = &options->max_sessions;
1271 goto parse_int;
1272
e9a17296 1273 case sBanner:
1274 charptr = &options->banner;
1275 goto parse_filename;
47686178 1276
e9a17296 1277 /*
1278 * These options can contain %X options expanded at
1279 * connect time, so that you can specify paths like:
1280 *
1281 * AuthorizedKeysFile /etc/ssh_keys/%u
1282 */
1283 case sAuthorizedKeysFile:
1284 case sAuthorizedKeysFile2:
9108f8d9 1285 charptr = (opcode == sAuthorizedKeysFile) ?
e9a17296 1286 &options->authorized_keys_file :
1287 &options->authorized_keys_file2;
1288 goto parse_filename;
1289
1290 case sClientAliveInterval:
1291 intptr = &options->client_alive_interval;
1292 goto parse_time;
1293
1294 case sClientAliveCountMax:
1295 intptr = &options->client_alive_count_max;
1296 goto parse_int;
1297
c9f39d2c 1298 case sAcceptEnv:
1299 while ((arg = strdelim(&cp)) && *arg != '\0') {
1300 if (strchr(arg, '=') != NULL)
1301 fatal("%s line %d: Invalid environment name.",
1302 filename, linenum);
1303 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1304 fatal("%s line %d: too many allow env.",
1305 filename, linenum);
9108f8d9 1306 if (!*activep)
1307 break;
c9f39d2c 1308 options->accept_env[options->num_accept_env++] =
1309 xstrdup(arg);
1310 }
1311 break;
1312
2c06c99b 1313 case sPermitTunnel:
1314 intptr = &options->permit_tun;
1315 arg = strdelim(&cp);
1316 if (!arg || *arg == '\0')
1317 fatal("%s line %d: Missing yes/point-to-point/"
1318 "ethernet/no argument.", filename, linenum);
22616013 1319 value = -1;
1320 for (i = 0; tunmode_desc[i].val != -1; i++)
1321 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1322 value = tunmode_desc[i].val;
1323 break;
1324 }
1325 if (value == -1)
2c06c99b 1326 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1327 "no argument: %s", filename, linenum, arg);
1328 if (*intptr == -1)
1329 *intptr = value;
1330 break;
1331
9108f8d9 1332 case sMatch:
1333 if (cmdline)
1334 fatal("Match directive not supported as a command-line "
1335 "option");
1336 value = match_cfg_line(&cp, linenum, user, host, address);
1337 if (value < 0)
1338 fatal("%s line %d: Bad Match condition", filename,
1339 linenum);
1340 *activep = value;
1341 break;
1342
1343 case sPermitOpen:
1344 arg = strdelim(&cp);
1345 if (!arg || *arg == '\0')
1346 fatal("%s line %d: missing PermitOpen specification",
1347 filename, linenum);
799ae497 1348 n = options->num_permitted_opens; /* modified later */
9108f8d9 1349 if (strcmp(arg, "any") == 0) {
799ae497 1350 if (*activep && n == -1) {
9108f8d9 1351 channel_clear_adm_permitted_opens();
1352 options->num_permitted_opens = 0;
1353 }
1354 break;
1355 }
799ae497 1356 if (*activep && n == -1)
1357 channel_clear_adm_permitted_opens();
9108f8d9 1358 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1359 p = hpdelim(&arg);
1360 if (p == NULL)
1361 fatal("%s line %d: missing host in PermitOpen",
1362 filename, linenum);
1363 p = cleanhostname(p);
91d9cdd3 1364 if (arg == NULL || (port = a2port(arg)) <= 0)
9108f8d9 1365 fatal("%s line %d: bad port number in "
1366 "PermitOpen", filename, linenum);
799ae497 1367 if (*activep && n == -1)
9108f8d9 1368 options->num_permitted_opens =
1369 channel_add_adm_permitted_opens(p, port);
9108f8d9 1370 }
1371 break;
1372
1373 case sForceCommand:
1374 if (cp == NULL)
1375 fatal("%.200s line %d: Missing argument.", filename,
1376 linenum);
1377 len = strspn(cp, WHITESPACE);
1378 if (*activep && options->adm_forced_command == NULL)
1379 options->adm_forced_command = xstrdup(cp + len);
1380 return 0;
1381
47686178 1382 case sChrootDirectory:
1383 charptr = &options->chroot_directory;
1384
1385 arg = strdelim(&cp);
1386 if (!arg || *arg == '\0')
1387 fatal("%s line %d: missing file name.",
1388 filename, linenum);
1389 if (*activep && *charptr == NULL)
1390 *charptr = xstrdup(arg);
1391 break;
1392
e9a17296 1393 case sDeprecated:
0fff78ff 1394 logit("%s line %d: Deprecated option %s",
1395 filename, linenum, arg);
1396 while (arg)
1397 arg = strdelim(&cp);
1398 break;
1399
1400 case sUnsupported:
1401 logit("%s line %d: Unsupported option %s",
e9a17296 1402 filename, linenum, arg);
1403 while (arg)
1404 arg = strdelim(&cp);
1405 break;
1406
1407 default:
1408 fatal("%s line %d: Missing handler for opcode %s (%d)",
1409 filename, linenum, arg, opcode);
1410 }
1411 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1412 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1413 filename, linenum, arg);
1414 return 0;
1415}
3c0ef626 1416
e9a17296 1417/* Reads the server configuration file. */
3c0ef626 1418
e9a17296 1419void
c9f39d2c 1420load_server_config(const char *filename, Buffer *conf)
e9a17296 1421{
c9f39d2c 1422 char line[1024], *cp;
680cee3b 1423 FILE *f;
e9a17296 1424
c9f39d2c 1425 debug2("%s: filename %s", __func__, filename);
1426 if ((f = fopen(filename, "r")) == NULL) {
e9a17296 1427 perror(filename);
1428 exit(1);
1429 }
c9f39d2c 1430 buffer_clear(conf);
e9a17296 1431 while (fgets(line, sizeof(line), f)) {
c9f39d2c 1432 /*
1433 * Trim out comments and strip whitespace
1434 * NB - preserve newlines, they are needed to reproduce
1435 * line numbers later for error messages
1436 */
1437 if ((cp = strchr(line, '#')) != NULL)
1438 memcpy(cp, "\n", 2);
1439 cp = line + strspn(line, " \t\r");
1440
1441 buffer_append(conf, cp, strlen(cp));
3c0ef626 1442 }
c9f39d2c 1443 buffer_append(conf, "\0", 1);
3c0ef626 1444 fclose(f);
c9f39d2c 1445 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1446}
1447
1448void
9108f8d9 1449parse_server_match_config(ServerOptions *options, const char *user,
1450 const char *host, const char *address)
1451{
1452 ServerOptions mo;
1453
1454 initialize_server_options(&mo);
1455 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
799ae497 1456 copy_set_server_options(options, &mo, 0);
9108f8d9 1457}
1458
799ae497 1459/* Helper macros */
1460#define M_CP_INTOPT(n) do {\
1461 if (src->n != -1) \
1462 dst->n = src->n; \
1463} while (0)
1464#define M_CP_STROPT(n) do {\
1465 if (src->n != NULL) { \
1466 if (dst->n != NULL) \
1467 xfree(dst->n); \
1468 dst->n = src->n; \
1469 } \
1470} while(0)
1471
1472/*
1473 * Copy any supported values that are set.
1474 *
1475 * If the preauth flag is set, we do not bother copying the the string or
1476 * array values that are not used pre-authentication, because any that we
1477 * do use must be explictly sent in mm_getpwnamallow().
1478 */
9108f8d9 1479void
799ae497 1480copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
9108f8d9 1481{
799ae497 1482 M_CP_INTOPT(password_authentication);
1483 M_CP_INTOPT(gss_authentication);
1484 M_CP_INTOPT(rsa_authentication);
1485 M_CP_INTOPT(pubkey_authentication);
1486 M_CP_INTOPT(kerberos_authentication);
1487 M_CP_INTOPT(hostbased_authentication);
1488 M_CP_INTOPT(kbd_interactive_authentication);
91d9cdd3 1489 M_CP_INTOPT(zero_knowledge_password_authentication);
47686178 1490 M_CP_INTOPT(permit_root_login);
91d9cdd3 1491 M_CP_INTOPT(permit_empty_passwd);
799ae497 1492
1493 M_CP_INTOPT(allow_tcp_forwarding);
22616013 1494 M_CP_INTOPT(allow_agent_forwarding);
799ae497 1495 M_CP_INTOPT(gateway_ports);
1496 M_CP_INTOPT(x11_display_offset);
1497 M_CP_INTOPT(x11_forwarding);
1498 M_CP_INTOPT(x11_use_localhost);
22616013 1499 M_CP_INTOPT(max_sessions);
1500 M_CP_INTOPT(max_authtries);
799ae497 1501
1502 M_CP_STROPT(banner);
1503 if (preauth)
1504 return;
1505 M_CP_STROPT(adm_forced_command);
47686178 1506 M_CP_STROPT(chroot_directory);
9108f8d9 1507}
1508
799ae497 1509#undef M_CP_INTOPT
1510#undef M_CP_STROPT
1511
9108f8d9 1512void
1513parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1514 const char *user, const char *host, const char *address)
c9f39d2c 1515{
9108f8d9 1516 int active, linenum, bad_options = 0;
c9f39d2c 1517 char *cp, *obuf, *cbuf;
1518
1519 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1520
1521 obuf = cbuf = xstrdup(buffer_ptr(conf));
9108f8d9 1522 active = user ? 0 : 1;
c9f39d2c 1523 linenum = 1;
dec6d9fe 1524 while ((cp = strsep(&cbuf, "\n")) != NULL) {
c9f39d2c 1525 if (process_server_config_line(options, cp, filename,
9108f8d9 1526 linenum++, &active, user, host, address) != 0)
c9f39d2c 1527 bad_options++;
1528 }
1529 xfree(obuf);
3c0ef626 1530 if (bad_options > 0)
1531 fatal("%s: terminating, %d bad configuration options",
1532 filename, bad_options);
1533}
22616013 1534
1535static const char *
1536fmt_intarg(ServerOpCodes code, int val)
1537{
1538 if (code == sAddressFamily) {
1539 switch (val) {
1540 case AF_INET:
1541 return "inet";
1542 case AF_INET6:
1543 return "inet6";
1544 case AF_UNSPEC:
1545 return "any";
1546 default:
1547 return "UNKNOWN";
1548 }
1549 }
1550 if (code == sPermitRootLogin) {
1551 switch (val) {
1552 case PERMIT_NO_PASSWD:
91d9cdd3 1553 return "without-password";
22616013 1554 case PERMIT_FORCED_ONLY:
1555 return "forced-commands-only";
1556 case PERMIT_YES:
1557 return "yes";
1558 }
1559 }
1560 if (code == sProtocol) {
1561 switch (val) {
1562 case SSH_PROTO_1:
1563 return "1";
1564 case SSH_PROTO_2:
1565 return "2";
1566 case (SSH_PROTO_1|SSH_PROTO_2):
1567 return "2,1";
1568 default:
1569 return "UNKNOWN";
1570 }
1571 }
1572 if (code == sGatewayPorts && val == 2)
1573 return "clientspecified";
1574 if (code == sCompression && val == COMP_DELAYED)
1575 return "delayed";
1576 switch (val) {
1577 case -1:
1578 return "unset";
1579 case 0:
1580 return "no";
1581 case 1:
1582 return "yes";
1583 }
1584 return "UNKNOWN";
1585}
1586
1587static const char *
1588lookup_opcode_name(ServerOpCodes code)
1589{
1590 u_int i;
1591
1592 for (i = 0; keywords[i].name != NULL; i++)
1593 if (keywords[i].opcode == code)
1594 return(keywords[i].name);
1595 return "UNKNOWN";
1596}
1597
1598static void
1599dump_cfg_int(ServerOpCodes code, int val)
1600{
1601 printf("%s %d\n", lookup_opcode_name(code), val);
1602}
1603
1604static void
1605dump_cfg_fmtint(ServerOpCodes code, int val)
1606{
1607 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1608}
1609
1610static void
1611dump_cfg_string(ServerOpCodes code, const char *val)
1612{
1613 if (val == NULL)
1614 return;
1615 printf("%s %s\n", lookup_opcode_name(code), val);
1616}
1617
1618static void
1619dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1620{
1621 u_int i;
1622
1623 for (i = 0; i < count; i++)
1624 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1625}
1626
1627void
1628dump_config(ServerOptions *o)
1629{
1630 u_int i;
1631 int ret;
1632 struct addrinfo *ai;
1633 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1634
1635 /* these are usually at the top of the config */
1636 for (i = 0; i < o->num_ports; i++)
1637 printf("port %d\n", o->ports[i]);
1638 dump_cfg_fmtint(sProtocol, o->protocol);
1639 dump_cfg_fmtint(sAddressFamily, o->address_family);
1640
1641 /* ListenAddress must be after Port */
1642 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1643 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1644 sizeof(addr), port, sizeof(port),
1645 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1646 error("getnameinfo failed: %.100s",
1647 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1648 strerror(errno));
1649 } else {
1650 if (ai->ai_family == AF_INET6)
1651 printf("listenaddress [%s]:%s\n", addr, port);
1652 else
1653 printf("listenaddress %s:%s\n", addr, port);
1654 }
1655 }
1656
1657 /* integer arguments */
91d9cdd3 1658#ifdef USE_PAM
1659 dump_cfg_int(sUsePAM, o->use_pam);
1660#endif
22616013 1661 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1662 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1663 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1664 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1665 dump_cfg_int(sMaxAuthTries, o->max_authtries);
91d9cdd3 1666 dump_cfg_int(sMaxSessions, o->max_sessions);
22616013 1667 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1668 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1669
1670 /* formatted integer arguments */
1671 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1672 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1673 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1674 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1675 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1676 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1677 o->hostbased_uses_name_from_packet_only);
1678 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1679 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
91d9cdd3 1680#ifdef KRB5
22616013 1681 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1682 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1683 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
91d9cdd3 1684# ifdef USE_AFS
22616013 1685 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
91d9cdd3 1686# endif
1687#endif
1688#ifdef GSSAPI
22616013 1689 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1690 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
91d9cdd3 1691#endif
1692#ifdef JPAKE
1693 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1694 o->zero_knowledge_password_authentication);
1695#endif
22616013 1696 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1697 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1698 o->kbd_interactive_authentication);
1699 dump_cfg_fmtint(sChallengeResponseAuthentication,
1700 o->challenge_response_authentication);
1701 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1702 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1703 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1704 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1705 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1706 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1707 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1708 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1709 dump_cfg_fmtint(sUseLogin, o->use_login);
1710 dump_cfg_fmtint(sCompression, o->compression);
1711 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1712 dump_cfg_fmtint(sUseDNS, o->use_dns);
1713 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1714 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1715
1716 /* string arguments */
1717 dump_cfg_string(sPidFile, o->pid_file);
1718 dump_cfg_string(sXAuthLocation, o->xauth_location);
1719 dump_cfg_string(sCiphers, o->ciphers);
1720 dump_cfg_string(sMacs, o->macs);
1721 dump_cfg_string(sBanner, o->banner);
1722 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1723 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1724 dump_cfg_string(sForceCommand, o->adm_forced_command);
1725
1726 /* string arguments requiring a lookup */
1727 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1728 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1729
1730 /* string array arguments */
1731 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1732 o->host_key_files);
1733 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1734 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1735 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1736 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1737 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1738
1739 /* other arguments */
1740 for (i = 0; i < o->num_subsystems; i++)
1741 printf("subsystem %s %s\n", o->subsystem_name[i],
1742 o->subsystem_args[i]);
1743
1744 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1745 o->max_startups_rate, o->max_startups);
1746
1747 for (i = 0; tunmode_desc[i].val != -1; i++)
1748 if (tunmode_desc[i].val == o->permit_tun) {
1749 s = tunmode_desc[i].text;
1750 break;
1751 }
1752 dump_cfg_string(sPermitTunnel, s);
1753
22616013 1754 channel_print_adm_permitted_opens();
22616013 1755}
git-cvsimport mirror of GSI OpenSSH
This page took 2.744005 seconds and 5 git commands to generate.