]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Initial revision
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
e9702f7d 13RCSID("$OpenBSD: servconf.c,v 1.101 2002/02/04 12:15:25 markus Exp $");
3c0ef626 14
63119dd9 15#if defined(KRB4)
3c0ef626 16#include <krb.h>
17#endif
63119dd9 18#if defined(KRB5)
19#ifdef HEIMDAL
20#include <krb.h>
21#else
22/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
23 * keytab */
24#define KEYFILE "/etc/krb5.keytab"
25#endif
26#endif
3c0ef626 27#ifdef AFS
28#include <kafs.h>
29#endif
30
31#include "ssh.h"
32#include "log.h"
33#include "servconf.h"
34#include "xmalloc.h"
35#include "compat.h"
36#include "pathnames.h"
37#include "tildexpand.h"
38#include "misc.h"
39#include "cipher.h"
40#include "kex.h"
41#include "mac.h"
42
43static void add_listen_addr(ServerOptions *, char *, u_short);
44static void add_one_listen_addr(ServerOptions *, char *, u_short);
45
46/* AF_UNSPEC or AF_INET or AF_INET6 */
47extern int IPv4or6;
48
49/* Initializes the server options to their default values. */
50
51void
52initialize_server_options(ServerOptions *options)
53{
54 memset(options, 0, sizeof(*options));
55
56 /* Portable-specific options */
57 options->pam_authentication_via_kbd_int = -1;
58
59 /* Standard Options */
60 options->num_ports = 0;
61 options->ports_from_cmdline = 0;
62 options->listen_addrs = NULL;
63 options->num_host_key_files = 0;
64 options->pid_file = NULL;
65 options->server_key_bits = -1;
66 options->login_grace_time = -1;
67 options->key_regeneration_time = -1;
68 options->permit_root_login = PERMIT_NOT_SET;
69 options->ignore_rhosts = -1;
70 options->ignore_user_known_hosts = -1;
71 options->print_motd = -1;
72 options->print_lastlog = -1;
73 options->x11_forwarding = -1;
74 options->x11_display_offset = -1;
e9702f7d 75 options->x11_use_localhost = -1;
3c0ef626 76 options->xauth_location = NULL;
77 options->strict_modes = -1;
78 options->keepalives = -1;
e9702f7d 79 options->log_facility = SYSLOG_FACILITY_NOT_SET;
80 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 81 options->rhosts_authentication = -1;
82 options->rhosts_rsa_authentication = -1;
83 options->hostbased_authentication = -1;
84 options->hostbased_uses_name_from_packet_only = -1;
85 options->rsa_authentication = -1;
86 options->pubkey_authentication = -1;
5598e598 87#ifdef GSSAPI
88 options->gss_authentication=-1;
89 options->gss_keyex=-1;
90 options->gss_use_session_ccache = -1;
91 options->gss_cleanup_creds = -1;
92#endif
3c0ef626 93#if defined(KRB4) || defined(KRB5)
94 options->kerberos_authentication = -1;
95 options->kerberos_or_local_passwd = -1;
96 options->kerberos_ticket_cleanup = -1;
97#endif
98#if defined(AFS) || defined(KRB5)
99 options->kerberos_tgt_passing = -1;
100#endif
101#ifdef AFS
102 options->afs_token_passing = -1;
103#endif
104 options->password_authentication = -1;
105 options->kbd_interactive_authentication = -1;
106 options->challenge_response_authentication = -1;
107 options->permit_empty_passwd = -1;
108 options->use_login = -1;
109 options->allow_tcp_forwarding = -1;
110 options->num_allow_users = 0;
111 options->num_deny_users = 0;
112 options->num_allow_groups = 0;
113 options->num_deny_groups = 0;
114 options->ciphers = NULL;
115 options->macs = NULL;
116 options->protocol = SSH_PROTO_UNKNOWN;
117 options->gateway_ports = -1;
118 options->num_subsystems = 0;
119 options->max_startups_begin = -1;
120 options->max_startups_rate = -1;
121 options->max_startups = -1;
122 options->banner = NULL;
e9702f7d 123 options->verify_reverse_mapping = -1;
3c0ef626 124 options->client_alive_interval = -1;
125 options->client_alive_count_max = -1;
126 options->authorized_keys_file = NULL;
127 options->authorized_keys_file2 = NULL;
128}
129
130void
131fill_default_server_options(ServerOptions *options)
132{
133 /* Portable-specific options */
134 if (options->pam_authentication_via_kbd_int == -1)
135 options->pam_authentication_via_kbd_int = 0;
136
137 /* Standard Options */
138 if (options->protocol == SSH_PROTO_UNKNOWN)
139 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
140 if (options->num_host_key_files == 0) {
141 /* fill default hostkeys for protocols */
142 if (options->protocol & SSH_PROTO_1)
e9702f7d 143 options->host_key_files[options->num_host_key_files++] =
144 _PATH_HOST_KEY_FILE;
145 if (options->protocol & SSH_PROTO_2) {
146 options->host_key_files[options->num_host_key_files++] =
147 _PATH_HOST_RSA_KEY_FILE;
148 options->host_key_files[options->num_host_key_files++] =
149 _PATH_HOST_DSA_KEY_FILE;
150 }
3c0ef626 151 }
152 if (options->num_ports == 0)
153 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
154 if (options->listen_addrs == NULL)
155 add_listen_addr(options, NULL, 0);
156 if (options->pid_file == NULL)
157 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
158 if (options->server_key_bits == -1)
159 options->server_key_bits = 768;
160 if (options->login_grace_time == -1)
161 options->login_grace_time = 600;
162 if (options->key_regeneration_time == -1)
163 options->key_regeneration_time = 3600;
164 if (options->permit_root_login == PERMIT_NOT_SET)
165 options->permit_root_login = PERMIT_YES;
166 if (options->ignore_rhosts == -1)
167 options->ignore_rhosts = 1;
168 if (options->ignore_user_known_hosts == -1)
169 options->ignore_user_known_hosts = 0;
170 if (options->print_motd == -1)
171 options->print_motd = 1;
172 if (options->print_lastlog == -1)
173 options->print_lastlog = 1;
174 if (options->x11_forwarding == -1)
175 options->x11_forwarding = 0;
176 if (options->x11_display_offset == -1)
177 options->x11_display_offset = 10;
e9702f7d 178 if (options->x11_use_localhost == -1)
179 options->x11_use_localhost = 1;
3c0ef626 180 if (options->xauth_location == NULL)
181 options->xauth_location = _PATH_XAUTH;
3c0ef626 182 if (options->strict_modes == -1)
183 options->strict_modes = 1;
184 if (options->keepalives == -1)
185 options->keepalives = 1;
e9702f7d 186 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 187 options->log_facility = SYSLOG_FACILITY_AUTH;
e9702f7d 188 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 189 options->log_level = SYSLOG_LEVEL_INFO;
190 if (options->rhosts_authentication == -1)
191 options->rhosts_authentication = 0;
192 if (options->rhosts_rsa_authentication == -1)
193 options->rhosts_rsa_authentication = 0;
194 if (options->hostbased_authentication == -1)
195 options->hostbased_authentication = 0;
196 if (options->hostbased_uses_name_from_packet_only == -1)
197 options->hostbased_uses_name_from_packet_only = 0;
198 if (options->rsa_authentication == -1)
199 options->rsa_authentication = 1;
200 if (options->pubkey_authentication == -1)
201 options->pubkey_authentication = 1;
5598e598 202#ifdef GSSAPI
203 if (options->gss_authentication == -1)
204 options->gss_authentication = 1;
205 if (options->gss_keyex == -1)
206 options->gss_keyex =1;
207 if (options->gss_use_session_ccache == -1)
208 options->gss_use_session_ccache = 1;
209 if (options->gss_cleanup_creds == -1)
210 options->gss_cleanup_creds = 1;
211#endif
3c0ef626 212#if defined(KRB4) || defined(KRB5)
213 if (options->kerberos_authentication == -1)
214 options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
215 if (options->kerberos_or_local_passwd == -1)
216 options->kerberos_or_local_passwd = 1;
217 if (options->kerberos_ticket_cleanup == -1)
218 options->kerberos_ticket_cleanup = 1;
219#endif
220#if defined(AFS) || defined(KRB5)
221 if (options->kerberos_tgt_passing == -1)
222 options->kerberos_tgt_passing = 0;
223#endif
e9702f7d 224#ifdef AFS
3c0ef626 225 if (options->afs_token_passing == -1)
226 options->afs_token_passing = k_hasafs();
227#endif
228 if (options->password_authentication == -1)
229 options->password_authentication = 1;
230 if (options->kbd_interactive_authentication == -1)
231 options->kbd_interactive_authentication = 0;
232 if (options->challenge_response_authentication == -1)
233 options->challenge_response_authentication = 1;
234 if (options->permit_empty_passwd == -1)
235 options->permit_empty_passwd = 0;
236 if (options->use_login == -1)
237 options->use_login = 0;
238 if (options->allow_tcp_forwarding == -1)
239 options->allow_tcp_forwarding = 1;
240 if (options->gateway_ports == -1)
241 options->gateway_ports = 0;
242 if (options->max_startups == -1)
243 options->max_startups = 10;
244 if (options->max_startups_rate == -1)
245 options->max_startups_rate = 100; /* 100% */
246 if (options->max_startups_begin == -1)
247 options->max_startups_begin = options->max_startups;
e9702f7d 248 if (options->verify_reverse_mapping == -1)
249 options->verify_reverse_mapping = 0;
3c0ef626 250 if (options->client_alive_interval == -1)
e9702f7d 251 options->client_alive_interval = 0;
3c0ef626 252 if (options->client_alive_count_max == -1)
253 options->client_alive_count_max = 3;
254 if (options->authorized_keys_file2 == NULL) {
255 /* authorized_keys_file2 falls back to authorized_keys_file */
256 if (options->authorized_keys_file != NULL)
257 options->authorized_keys_file2 = options->authorized_keys_file;
258 else
259 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
260 }
261 if (options->authorized_keys_file == NULL)
262 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
263}
264
265/* Keyword tokens. */
266typedef enum {
267 sBadOption, /* == unknown option */
268 /* Portable-specific options */
269 sPAMAuthenticationViaKbdInt,
270 /* Standard Options */
271 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
272 sPermitRootLogin, sLogFacility, sLogLevel,
273 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
5598e598 274#ifdef GSSAPI
275 sGssAuthentication, sGssKeyEx, sGssUseSessionCredCache, sGssCleanupCreds,
276#endif
3c0ef626 277#if defined(KRB4) || defined(KRB5)
278 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
279#endif
280#if defined(AFS) || defined(KRB5)
281 sKerberosTgtPassing,
282#endif
283#ifdef AFS
284 sAFSTokenPassing,
285#endif
286 sChallengeResponseAuthentication,
287 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
288 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9702f7d 289 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
3c0ef626 290 sStrictModes, sEmptyPasswd, sKeepAlives,
291 sUseLogin, sAllowTcpForwarding,
292 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
293 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
294 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
e9702f7d 295 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
296 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 297 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
e9702f7d 298 sDeprecated
3c0ef626 299} ServerOpCodes;
300
301/* Textual representation of the tokens. */
302static struct {
303 const char *name;
304 ServerOpCodes opcode;
305} keywords[] = {
306 /* Portable-specific options */
307 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
308 /* Standard Options */
309 { "port", sPort },
310 { "hostkey", sHostKeyFile },
311 { "hostdsakey", sHostKeyFile }, /* alias */
312 { "pidfile", sPidFile },
313 { "serverkeybits", sServerKeyBits },
314 { "logingracetime", sLoginGraceTime },
315 { "keyregenerationinterval", sKeyRegenerationTime },
316 { "permitrootlogin", sPermitRootLogin },
317 { "syslogfacility", sLogFacility },
318 { "loglevel", sLogLevel },
319 { "rhostsauthentication", sRhostsAuthentication },
320 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
321 { "hostbasedauthentication", sHostbasedAuthentication },
322 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
323 { "rsaauthentication", sRSAAuthentication },
324 { "pubkeyauthentication", sPubkeyAuthentication },
325 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
5598e598 326#ifdef GSSAPI
327 { "gssapiauthentication", sGssAuthentication },
328 { "gssapikeyexchange", sGssKeyEx },
329 { "gssusesessionccache", sGssUseSessionCredCache },
330 { "gssapiusesessioncredcache", sGssUseSessionCredCache },
331 { "gssapicleanupcreds", sGssCleanupCreds },
332#endif
3c0ef626 333#if defined(KRB4) || defined(KRB5)
334 { "kerberosauthentication", sKerberosAuthentication },
335 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
336 { "kerberosticketcleanup", sKerberosTicketCleanup },
337#endif
338#if defined(AFS) || defined(KRB5)
339 { "kerberostgtpassing", sKerberosTgtPassing },
340#endif
341#ifdef AFS
342 { "afstokenpassing", sAFSTokenPassing },
343#endif
344 { "passwordauthentication", sPasswordAuthentication },
345 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
346 { "challengeresponseauthentication", sChallengeResponseAuthentication },
347 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
348 { "checkmail", sDeprecated },
349 { "listenaddress", sListenAddress },
350 { "printmotd", sPrintMotd },
351 { "printlastlog", sPrintLastLog },
352 { "ignorerhosts", sIgnoreRhosts },
353 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
354 { "x11forwarding", sX11Forwarding },
355 { "x11displayoffset", sX11DisplayOffset },
e9702f7d 356 { "x11uselocalhost", sX11UseLocalhost },
3c0ef626 357 { "xauthlocation", sXAuthLocation },
358 { "strictmodes", sStrictModes },
359 { "permitemptypasswords", sEmptyPasswd },
360 { "uselogin", sUseLogin },
361 { "keepalive", sKeepAlives },
362 { "allowtcpforwarding", sAllowTcpForwarding },
363 { "allowusers", sAllowUsers },
364 { "denyusers", sDenyUsers },
365 { "allowgroups", sAllowGroups },
366 { "denygroups", sDenyGroups },
367 { "ciphers", sCiphers },
368 { "macs", sMacs },
369 { "protocol", sProtocol },
370 { "gatewayports", sGatewayPorts },
371 { "subsystem", sSubsystem },
372 { "maxstartups", sMaxStartups },
373 { "banner", sBanner },
e9702f7d 374 { "verifyreversemapping", sVerifyReverseMapping },
375 { "reversemappingcheck", sVerifyReverseMapping },
3c0ef626 376 { "clientaliveinterval", sClientAliveInterval },
377 { "clientalivecountmax", sClientAliveCountMax },
378 { "authorizedkeysfile", sAuthorizedKeysFile },
379 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
e9702f7d 380 { NULL, sBadOption }
3c0ef626 381};
382
383/*
384 * Returns the number of the token pointed to by cp or sBadOption.
385 */
386
387static ServerOpCodes
388parse_token(const char *cp, const char *filename,
389 int linenum)
390{
391 u_int i;
392
393 for (i = 0; keywords[i].name; i++)
394 if (strcasecmp(cp, keywords[i].name) == 0)
395 return keywords[i].opcode;
396
397 error("%s: line %d: Bad configuration option: %s",
398 filename, linenum, cp);
399 return sBadOption;
400}
401
402static void
403add_listen_addr(ServerOptions *options, char *addr, u_short port)
404{
405 int i;
406
407 if (options->num_ports == 0)
408 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
409 if (port == 0)
410 for (i = 0; i < options->num_ports; i++)
411 add_one_listen_addr(options, addr, options->ports[i]);
412 else
413 add_one_listen_addr(options, addr, port);
414}
415
416static void
417add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
418{
419 struct addrinfo hints, *ai, *aitop;
420 char strport[NI_MAXSERV];
421 int gaierr;
422
423 memset(&hints, 0, sizeof(hints));
424 hints.ai_family = IPv4or6;
425 hints.ai_socktype = SOCK_STREAM;
426 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
427 snprintf(strport, sizeof strport, "%d", port);
428 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
429 fatal("bad addr or host: %s (%s)",
430 addr ? addr : "<NULL>",
431 gai_strerror(gaierr));
432 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
433 ;
434 ai->ai_next = options->listen_addrs;
435 options->listen_addrs = aitop;
436}
437
e9702f7d 438int
439process_server_config_line(ServerOptions *options, char *line,
440 const char *filename, int linenum)
3c0ef626 441{
3c0ef626 442 char *cp, **charptr, *arg, *p;
e9702f7d 443 int *intptr, value;
3c0ef626 444 ServerOpCodes opcode;
445 int i, n;
446
e9702f7d 447 cp = line;
448 arg = strdelim(&cp);
449 /* Ignore leading whitespace */
450 if (*arg == '\0')
3c0ef626 451 arg = strdelim(&cp);
e9702f7d 452 if (!arg || !*arg || *arg == '#')
453 return 0;
454 intptr = NULL;
455 charptr = NULL;
456 opcode = parse_token(arg, filename, linenum);
457 switch (opcode) {
458 /* Portable-specific options */
459 case sPAMAuthenticationViaKbdInt:
460 intptr = &options->pam_authentication_via_kbd_int;
461 goto parse_flag;
3c0ef626 462
e9702f7d 463 /* Standard Options */
464 case sBadOption:
465 return -1;
466 case sPort:
467 /* ignore ports from configfile if cmdline specifies ports */
468 if (options->ports_from_cmdline)
469 return 0;
470 if (options->listen_addrs != NULL)
471 fatal("%s line %d: ports must be specified before "
472 "ListenAddress.", filename, linenum);
473 if (options->num_ports >= MAX_PORTS)
474 fatal("%s line %d: too many ports.",
475 filename, linenum);
476 arg = strdelim(&cp);
477 if (!arg || *arg == '\0')
478 fatal("%s line %d: missing port number.",
479 filename, linenum);
480 options->ports[options->num_ports++] = a2port(arg);
481 if (options->ports[options->num_ports-1] == 0)
482 fatal("%s line %d: Badly formatted port number.",
483 filename, linenum);
484 break;
485
486 case sServerKeyBits:
487 intptr = &options->server_key_bits;
3c0ef626 488parse_int:
e9702f7d 489 arg = strdelim(&cp);
490 if (!arg || *arg == '\0')
491 fatal("%s line %d: missing integer value.",
492 filename, linenum);
493 value = atoi(arg);
494 if (*intptr == -1)
495 *intptr = value;
496 break;
497
498 case sLoginGraceTime:
499 intptr = &options->login_grace_time;
3c0ef626 500parse_time:
e9702f7d 501 arg = strdelim(&cp);
502 if (!arg || *arg == '\0')
503 fatal("%s line %d: missing time value.",
504 filename, linenum);
505 if ((value = convtime(arg)) == -1)
506 fatal("%s line %d: invalid time value.",
507 filename, linenum);
508 if (*intptr == -1)
509 *intptr = value;
510 break;
511
512 case sKeyRegenerationTime:
513 intptr = &options->key_regeneration_time;
514 goto parse_time;
515
516 case sListenAddress:
517 arg = strdelim(&cp);
518 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
519 fatal("%s line %d: missing inet addr.",
520 filename, linenum);
521 if (*arg == '[') {
522 if ((p = strchr(arg, ']')) == NULL)
523 fatal("%s line %d: bad ipv6 inet addr usage.",
3c0ef626 524 filename, linenum);
e9702f7d 525 arg++;
526 memmove(p, p+1, strlen(p+1)+1);
527 } else if (((p = strchr(arg, ':')) == NULL) ||
528 (strchr(p+1, ':') != NULL)) {
529 add_listen_addr(options, arg, 0);
3c0ef626 530 break;
e9702f7d 531 }
532 if (*p == ':') {
533 u_short port;
3c0ef626 534
e9702f7d 535 p++;
536 if (*p == '\0')
537 fatal("%s line %d: bad inet addr:port usage.",
3c0ef626 538 filename, linenum);
e9702f7d 539 else {
540 *(p-1) = '\0';
541 if ((port = a2port(p)) == 0)
542 fatal("%s line %d: bad port number.",
3c0ef626 543 filename, linenum);
e9702f7d 544 add_listen_addr(options, arg, port);
3c0ef626 545 }
e9702f7d 546 } else if (*p == '\0')
547 add_listen_addr(options, arg, 0);
548 else
549 fatal("%s line %d: bad inet addr usage.",
550 filename, linenum);
551 break;
552
553 case sHostKeyFile:
554 intptr = &options->num_host_key_files;
555 if (*intptr >= MAX_HOSTKEYS)
556 fatal("%s line %d: too many host keys specified (max %d).",
557 filename, linenum, MAX_HOSTKEYS);
558 charptr = &options->host_key_files[*intptr];
3c0ef626 559parse_filename:
e9702f7d 560 arg = strdelim(&cp);
561 if (!arg || *arg == '\0')
562 fatal("%s line %d: missing file name.",
563 filename, linenum);
564 if (*charptr == NULL) {
565 *charptr = tilde_expand_filename(arg, getuid());
566 /* increase optional counter */
567 if (intptr != NULL)
568 *intptr = *intptr + 1;
569 }
570 break;
3c0ef626 571
e9702f7d 572 case sPidFile:
573 charptr = &options->pid_file;
574 goto parse_filename;
3c0ef626 575
e9702f7d 576 case sPermitRootLogin:
577 intptr = &options->permit_root_login;
578 arg = strdelim(&cp);
579 if (!arg || *arg == '\0')
580 fatal("%s line %d: missing yes/"
581 "without-password/forced-commands-only/no "
582 "argument.", filename, linenum);
583 value = 0; /* silence compiler */
584 if (strcmp(arg, "without-password") == 0)
585 value = PERMIT_NO_PASSWD;
586 else if (strcmp(arg, "forced-commands-only") == 0)
587 value = PERMIT_FORCED_ONLY;
588 else if (strcmp(arg, "yes") == 0)
589 value = PERMIT_YES;
590 else if (strcmp(arg, "no") == 0)
591 value = PERMIT_NO;
592 else
593 fatal("%s line %d: Bad yes/"
594 "without-password/forced-commands-only/no "
595 "argument: %s", filename, linenum, arg);
596 if (*intptr == -1)
597 *intptr = value;
598 break;
3c0ef626 599
e9702f7d 600 case sIgnoreRhosts:
601 intptr = &options->ignore_rhosts;
602parse_flag:
603 arg = strdelim(&cp);
604 if (!arg || *arg == '\0')
605 fatal("%s line %d: missing yes/no argument.",
606 filename, linenum);
607 value = 0; /* silence compiler */
608 if (strcmp(arg, "yes") == 0)
609 value = 1;
610 else if (strcmp(arg, "no") == 0)
611 value = 0;
612 else
613 fatal("%s line %d: Bad yes/no argument: %s",
614 filename, linenum, arg);
615 if (*intptr == -1)
616 *intptr = value;
617 break;
618
619 case sIgnoreUserKnownHosts:
620 intptr = &options->ignore_user_known_hosts;
621 goto parse_flag;
622
623 case sRhostsAuthentication:
624 intptr = &options->rhosts_authentication;
625 goto parse_flag;
626
627 case sRhostsRSAAuthentication:
628 intptr = &options->rhosts_rsa_authentication;
629 goto parse_flag;
630
631 case sHostbasedAuthentication:
632 intptr = &options->hostbased_authentication;
633 goto parse_flag;
634
635 case sHostbasedUsesNameFromPacketOnly:
636 intptr = &options->hostbased_uses_name_from_packet_only;
637 goto parse_flag;
638
639 case sRSAAuthentication:
640 intptr = &options->rsa_authentication;
641 goto parse_flag;
642
643 case sPubkeyAuthentication:
644 intptr = &options->pubkey_authentication;
645 goto parse_flag;
905081a4 646#ifdef GSSAPI
647 case sGssAuthentication:
648 intptr = &options->gss_authentication;
649 goto parse_flag;
650 case sGssKeyEx:
651 intptr = &options->gss_keyex;
652 goto parse_flag;
653 case sGssUseSessionCredCache:
654 intptr = &options->gss_use_session_ccache;
655 goto parse_flag;
656 case sGssCleanupCreds:
657 intptr = &options->gss_cleanup_creds;
658 goto parse_flag;
659#endif
3c0ef626 660#if defined(KRB4) || defined(KRB5)
e9702f7d 661 case sKerberosAuthentication:
662 intptr = &options->kerberos_authentication;
663 goto parse_flag;
3c0ef626 664
e9702f7d 665 case sKerberosOrLocalPasswd:
666 intptr = &options->kerberos_or_local_passwd;
667 goto parse_flag;
3c0ef626 668
e9702f7d 669 case sKerberosTicketCleanup:
670 intptr = &options->kerberos_ticket_cleanup;
671 goto parse_flag;
3c0ef626 672#endif
673#if defined(AFS) || defined(KRB5)
e9702f7d 674 case sKerberosTgtPassing:
675 intptr = &options->kerberos_tgt_passing;
676 goto parse_flag;
3c0ef626 677#endif
678#ifdef AFS
e9702f7d 679 case sAFSTokenPassing:
680 intptr = &options->afs_token_passing;
681 goto parse_flag;
3c0ef626 682#endif
683
e9702f7d 684 case sPasswordAuthentication:
685 intptr = &options->password_authentication;
686 goto parse_flag;
3c0ef626 687
e9702f7d 688 case sKbdInteractiveAuthentication:
689 intptr = &options->kbd_interactive_authentication;
690 goto parse_flag;
3c0ef626 691
e9702f7d 692 case sChallengeResponseAuthentication:
693 intptr = &options->challenge_response_authentication;
694 goto parse_flag;
3c0ef626 695
e9702f7d 696 case sPrintMotd:
697 intptr = &options->print_motd;
698 goto parse_flag;
3c0ef626 699
e9702f7d 700 case sPrintLastLog:
701 intptr = &options->print_lastlog;
702 goto parse_flag;
3c0ef626 703
e9702f7d 704 case sX11Forwarding:
705 intptr = &options->x11_forwarding;
706 goto parse_flag;
3c0ef626 707
e9702f7d 708 case sX11DisplayOffset:
709 intptr = &options->x11_display_offset;
710 goto parse_int;
3c0ef626 711
e9702f7d 712 case sX11UseLocalhost:
713 intptr = &options->x11_use_localhost;
714 goto parse_flag;
3c0ef626 715
e9702f7d 716 case sXAuthLocation:
717 charptr = &options->xauth_location;
718 goto parse_filename;
3c0ef626 719
e9702f7d 720 case sStrictModes:
721 intptr = &options->strict_modes;
722 goto parse_flag;
3c0ef626 723
e9702f7d 724 case sKeepAlives:
725 intptr = &options->keepalives;
726 goto parse_flag;
3c0ef626 727
e9702f7d 728 case sEmptyPasswd:
729 intptr = &options->permit_empty_passwd;
730 goto parse_flag;
731
732 case sUseLogin:
733 intptr = &options->use_login;
734 goto parse_flag;
735
736 case sGatewayPorts:
737 intptr = &options->gateway_ports;
738 goto parse_flag;
739
740 case sVerifyReverseMapping:
741 intptr = &options->verify_reverse_mapping;
742 goto parse_flag;
743
744 case sLogFacility:
745 intptr = (int *) &options->log_facility;
746 arg = strdelim(&cp);
747 value = log_facility_number(arg);
748 if (value == SYSLOG_FACILITY_NOT_SET)
749 fatal("%.200s line %d: unsupported log facility '%s'",
750 filename, linenum, arg ? arg : "<NONE>");
751 if (*intptr == -1)
752 *intptr = (SyslogFacility) value;
753 break;
754
755 case sLogLevel:
756 intptr = (int *) &options->log_level;
757 arg = strdelim(&cp);
758 value = log_level_number(arg);
759 if (value == SYSLOG_LEVEL_NOT_SET)
760 fatal("%.200s line %d: unsupported log level '%s'",
761 filename, linenum, arg ? arg : "<NONE>");
762 if (*intptr == -1)
763 *intptr = (LogLevel) value;
764 break;
765
766 case sAllowTcpForwarding:
767 intptr = &options->allow_tcp_forwarding;
768 goto parse_flag;
769
770 case sAllowUsers:
771 while ((arg = strdelim(&cp)) && *arg != '\0') {
772 if (options->num_allow_users >= MAX_ALLOW_USERS)
773 fatal("%s line %d: too many allow users.",
3c0ef626 774 filename, linenum);
e9702f7d 775 options->allow_users[options->num_allow_users++] = xstrdup(arg);
776 }
777 break;
3c0ef626 778
e9702f7d 779 case sDenyUsers:
780 while ((arg = strdelim(&cp)) && *arg != '\0') {
781 if (options->num_deny_users >= MAX_DENY_USERS)
782 fatal( "%s line %d: too many deny users.",
783 filename, linenum);
784 options->deny_users[options->num_deny_users++] = xstrdup(arg);
785 }
786 break;
3c0ef626 787
e9702f7d 788 case sAllowGroups:
789 while ((arg = strdelim(&cp)) && *arg != '\0') {
790 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
791 fatal("%s line %d: too many allow groups.",
792 filename, linenum);
793 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
794 }
795 break;
796
797 case sDenyGroups:
798 while ((arg = strdelim(&cp)) && *arg != '\0') {
799 if (options->num_deny_groups >= MAX_DENY_GROUPS)
800 fatal("%s line %d: too many deny groups.",
801 filename, linenum);
802 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
3c0ef626 803 }
e9702f7d 804 break;
805
806 case sCiphers:
807 arg = strdelim(&cp);
808 if (!arg || *arg == '\0')
809 fatal("%s line %d: Missing argument.", filename, linenum);
810 if (!ciphers_valid(arg))
811 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
812 filename, linenum, arg ? arg : "<NONE>");
813 if (options->ciphers == NULL)
814 options->ciphers = xstrdup(arg);
815 break;
816
817 case sMacs:
818 arg = strdelim(&cp);
819 if (!arg || *arg == '\0')
820 fatal("%s line %d: Missing argument.", filename, linenum);
821 if (!mac_valid(arg))
822 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
823 filename, linenum, arg ? arg : "<NONE>");
824 if (options->macs == NULL)
825 options->macs = xstrdup(arg);
826 break;
827
828 case sProtocol:
829 intptr = &options->protocol;
830 arg = strdelim(&cp);
831 if (!arg || *arg == '\0')
832 fatal("%s line %d: Missing argument.", filename, linenum);
833 value = proto_spec(arg);
834 if (value == SSH_PROTO_UNKNOWN)
835 fatal("%s line %d: Bad protocol spec '%s'.",
836 filename, linenum, arg ? arg : "<NONE>");
837 if (*intptr == SSH_PROTO_UNKNOWN)
838 *intptr = value;
839 break;
840
841 case sSubsystem:
842 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
843 fatal("%s line %d: too many subsystems defined.",
844 filename, linenum);
845 }
846 arg = strdelim(&cp);
847 if (!arg || *arg == '\0')
848 fatal("%s line %d: Missing subsystem name.",
849 filename, linenum);
850 for (i = 0; i < options->num_subsystems; i++)
851 if (strcmp(arg, options->subsystem_name[i]) == 0)
852 fatal("%s line %d: Subsystem '%s' already defined.",
853 filename, linenum, arg);
854 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
855 arg = strdelim(&cp);
856 if (!arg || *arg == '\0')
857 fatal("%s line %d: Missing subsystem command.",
858 filename, linenum);
859 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
860 options->num_subsystems++;
861 break;
862
863 case sMaxStartups:
864 arg = strdelim(&cp);
865 if (!arg || *arg == '\0')
866 fatal("%s line %d: Missing MaxStartups spec.",
867 filename, linenum);
868 if ((n = sscanf(arg, "%d:%d:%d",
869 &options->max_startups_begin,
870 &options->max_startups_rate,
871 &options->max_startups)) == 3) {
872 if (options->max_startups_begin >
873 options->max_startups ||
874 options->max_startups_rate > 100 ||
875 options->max_startups_rate < 1)
876 fatal("%s line %d: Illegal MaxStartups spec.",
877 filename, linenum);
878 } else if (n != 1)
879 fatal("%s line %d: Illegal MaxStartups spec.",
880 filename, linenum);
881 else
882 options->max_startups = options->max_startups_begin;
883 break;
884
885 case sBanner:
886 charptr = &options->banner;
887 goto parse_filename;
888 /*
889 * These options can contain %X options expanded at
890 * connect time, so that you can specify paths like:
891 *
892 * AuthorizedKeysFile /etc/ssh_keys/%u
893 */
894 case sAuthorizedKeysFile:
895 case sAuthorizedKeysFile2:
896 charptr = (opcode == sAuthorizedKeysFile ) ?
897 &options->authorized_keys_file :
898 &options->authorized_keys_file2;
899 goto parse_filename;
900
901 case sClientAliveInterval:
902 intptr = &options->client_alive_interval;
903 goto parse_time;
904
905 case sClientAliveCountMax:
906 intptr = &options->client_alive_count_max;
907 goto parse_int;
908
909 case sDeprecated:
910 log("%s line %d: Deprecated option %s",
911 filename, linenum, arg);
912 while (arg)
913 arg = strdelim(&cp);
914 break;
915
916 default:
917 fatal("%s line %d: Missing handler for opcode %s (%d)",
918 filename, linenum, arg, opcode);
919 }
920 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
921 fatal("%s line %d: garbage at end of line; \"%.200s\".",
922 filename, linenum, arg);
923 return 0;
924}
925
926/* Reads the server configuration file. */
927
928void
929read_server_config(ServerOptions *options, const char *filename)
930{
931 FILE *f;
932 char line[1024];
933 int linenum;
934 int bad_options = 0;
935
936 f = fopen(filename, "r");
937 if (!f) {
938 perror(filename);
939 exit(1);
940 }
941 linenum = 0;
942 while (fgets(line, sizeof(line), f)) {
943 /* Update line number counter. */
944 linenum++;
945 if (process_server_config_line(options, line, filename, linenum) != 0)
946 bad_options++;
3c0ef626 947 }
948 fclose(f);
949 if (bad_options > 0)
950 fatal("%s: terminating, %d bad configuration options",
951 filename, bad_options);
952}
git-cvsimport mirror of GSI OpenSSH
This page took 0.298513 seconds and 5 git commands to generate.