]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Initial revision
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
350391c5 13RCSID("$OpenBSD: servconf.c,v 1.109 2002/05/15 21:02:52 markus Exp $");
3c0ef626 14
63119dd9 15#if defined(KRB4)
3c0ef626 16#include <krb.h>
17#endif
63119dd9 18#if defined(KRB5)
19#ifdef HEIMDAL
20#include <krb.h>
21#else
22/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
23 * keytab */
24#define KEYFILE "/etc/krb5.keytab"
25#endif
26#endif
3c0ef626 27#ifdef AFS
28#include <kafs.h>
29#endif
30
31#include "ssh.h"
32#include "log.h"
33#include "servconf.h"
34#include "xmalloc.h"
35#include "compat.h"
36#include "pathnames.h"
37#include "tildexpand.h"
38#include "misc.h"
39#include "cipher.h"
40#include "kex.h"
41#include "mac.h"
42
43static void add_listen_addr(ServerOptions *, char *, u_short);
44static void add_one_listen_addr(ServerOptions *, char *, u_short);
45
46/* AF_UNSPEC or AF_INET or AF_INET6 */
47extern int IPv4or6;
350391c5 48/* Use of privilege separation or not */
49extern int use_privsep;
3c0ef626 50
51/* Initializes the server options to their default values. */
52
53void
54initialize_server_options(ServerOptions *options)
55{
56 memset(options, 0, sizeof(*options));
57
58 /* Portable-specific options */
59 options->pam_authentication_via_kbd_int = -1;
60
61 /* Standard Options */
62 options->num_ports = 0;
63 options->ports_from_cmdline = 0;
64 options->listen_addrs = NULL;
65 options->num_host_key_files = 0;
66 options->pid_file = NULL;
67 options->server_key_bits = -1;
68 options->login_grace_time = -1;
69 options->key_regeneration_time = -1;
70 options->permit_root_login = PERMIT_NOT_SET;
71 options->ignore_rhosts = -1;
72 options->ignore_user_known_hosts = -1;
73 options->print_motd = -1;
74 options->print_lastlog = -1;
75 options->x11_forwarding = -1;
76 options->x11_display_offset = -1;
e9702f7d 77 options->x11_use_localhost = -1;
3c0ef626 78 options->xauth_location = NULL;
79 options->strict_modes = -1;
80 options->keepalives = -1;
e9702f7d 81 options->log_facility = SYSLOG_FACILITY_NOT_SET;
82 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 83 options->rhosts_authentication = -1;
84 options->rhosts_rsa_authentication = -1;
85 options->hostbased_authentication = -1;
86 options->hostbased_uses_name_from_packet_only = -1;
87 options->rsa_authentication = -1;
88 options->pubkey_authentication = -1;
5598e598 89#ifdef GSSAPI
90 options->gss_authentication=-1;
91 options->gss_keyex=-1;
92 options->gss_use_session_ccache = -1;
93 options->gss_cleanup_creds = -1;
94#endif
3c0ef626 95#if defined(KRB4) || defined(KRB5)
96 options->kerberos_authentication = -1;
97 options->kerberos_or_local_passwd = -1;
98 options->kerberos_ticket_cleanup = -1;
99#endif
100#if defined(AFS) || defined(KRB5)
101 options->kerberos_tgt_passing = -1;
102#endif
103#ifdef AFS
104 options->afs_token_passing = -1;
105#endif
106 options->password_authentication = -1;
107 options->kbd_interactive_authentication = -1;
108 options->challenge_response_authentication = -1;
109 options->permit_empty_passwd = -1;
110 options->use_login = -1;
111 options->allow_tcp_forwarding = -1;
112 options->num_allow_users = 0;
113 options->num_deny_users = 0;
114 options->num_allow_groups = 0;
115 options->num_deny_groups = 0;
116 options->ciphers = NULL;
117 options->macs = NULL;
118 options->protocol = SSH_PROTO_UNKNOWN;
119 options->gateway_ports = -1;
120 options->num_subsystems = 0;
121 options->max_startups_begin = -1;
122 options->max_startups_rate = -1;
123 options->max_startups = -1;
124 options->banner = NULL;
e9702f7d 125 options->verify_reverse_mapping = -1;
3c0ef626 126 options->client_alive_interval = -1;
127 options->client_alive_count_max = -1;
128 options->authorized_keys_file = NULL;
129 options->authorized_keys_file2 = NULL;
350391c5 130
131 /* Needs to be accessable in many places */
132 use_privsep = -1;
3c0ef626 133}
134
135void
136fill_default_server_options(ServerOptions *options)
137{
138 /* Portable-specific options */
139 if (options->pam_authentication_via_kbd_int == -1)
140 options->pam_authentication_via_kbd_int = 0;
141
142 /* Standard Options */
143 if (options->protocol == SSH_PROTO_UNKNOWN)
144 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
145 if (options->num_host_key_files == 0) {
146 /* fill default hostkeys for protocols */
147 if (options->protocol & SSH_PROTO_1)
e9702f7d 148 options->host_key_files[options->num_host_key_files++] =
149 _PATH_HOST_KEY_FILE;
150 if (options->protocol & SSH_PROTO_2) {
151 options->host_key_files[options->num_host_key_files++] =
152 _PATH_HOST_RSA_KEY_FILE;
153 options->host_key_files[options->num_host_key_files++] =
154 _PATH_HOST_DSA_KEY_FILE;
155 }
3c0ef626 156 }
157 if (options->num_ports == 0)
158 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
159 if (options->listen_addrs == NULL)
160 add_listen_addr(options, NULL, 0);
161 if (options->pid_file == NULL)
162 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
163 if (options->server_key_bits == -1)
164 options->server_key_bits = 768;
165 if (options->login_grace_time == -1)
166 options->login_grace_time = 600;
167 if (options->key_regeneration_time == -1)
168 options->key_regeneration_time = 3600;
169 if (options->permit_root_login == PERMIT_NOT_SET)
170 options->permit_root_login = PERMIT_YES;
171 if (options->ignore_rhosts == -1)
172 options->ignore_rhosts = 1;
173 if (options->ignore_user_known_hosts == -1)
174 options->ignore_user_known_hosts = 0;
175 if (options->print_motd == -1)
176 options->print_motd = 1;
177 if (options->print_lastlog == -1)
178 options->print_lastlog = 1;
179 if (options->x11_forwarding == -1)
180 options->x11_forwarding = 0;
181 if (options->x11_display_offset == -1)
182 options->x11_display_offset = 10;
e9702f7d 183 if (options->x11_use_localhost == -1)
184 options->x11_use_localhost = 1;
3c0ef626 185 if (options->xauth_location == NULL)
186 options->xauth_location = _PATH_XAUTH;
3c0ef626 187 if (options->strict_modes == -1)
188 options->strict_modes = 1;
189 if (options->keepalives == -1)
190 options->keepalives = 1;
e9702f7d 191 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 192 options->log_facility = SYSLOG_FACILITY_AUTH;
e9702f7d 193 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 194 options->log_level = SYSLOG_LEVEL_INFO;
195 if (options->rhosts_authentication == -1)
196 options->rhosts_authentication = 0;
197 if (options->rhosts_rsa_authentication == -1)
198 options->rhosts_rsa_authentication = 0;
199 if (options->hostbased_authentication == -1)
200 options->hostbased_authentication = 0;
201 if (options->hostbased_uses_name_from_packet_only == -1)
202 options->hostbased_uses_name_from_packet_only = 0;
203 if (options->rsa_authentication == -1)
204 options->rsa_authentication = 1;
205 if (options->pubkey_authentication == -1)
206 options->pubkey_authentication = 1;
5598e598 207#ifdef GSSAPI
208 if (options->gss_authentication == -1)
209 options->gss_authentication = 1;
210 if (options->gss_keyex == -1)
211 options->gss_keyex =1;
212 if (options->gss_use_session_ccache == -1)
213 options->gss_use_session_ccache = 1;
214 if (options->gss_cleanup_creds == -1)
215 options->gss_cleanup_creds = 1;
216#endif
3c0ef626 217#if defined(KRB4) || defined(KRB5)
218 if (options->kerberos_authentication == -1)
350391c5 219 options->kerberos_authentication = 0;
3c0ef626 220 if (options->kerberos_or_local_passwd == -1)
221 options->kerberos_or_local_passwd = 1;
222 if (options->kerberos_ticket_cleanup == -1)
223 options->kerberos_ticket_cleanup = 1;
224#endif
225#if defined(AFS) || defined(KRB5)
226 if (options->kerberos_tgt_passing == -1)
227 options->kerberos_tgt_passing = 0;
228#endif
e9702f7d 229#ifdef AFS
3c0ef626 230 if (options->afs_token_passing == -1)
350391c5 231 options->afs_token_passing = 0;
3c0ef626 232#endif
233 if (options->password_authentication == -1)
234 options->password_authentication = 1;
235 if (options->kbd_interactive_authentication == -1)
236 options->kbd_interactive_authentication = 0;
237 if (options->challenge_response_authentication == -1)
238 options->challenge_response_authentication = 1;
239 if (options->permit_empty_passwd == -1)
240 options->permit_empty_passwd = 0;
241 if (options->use_login == -1)
242 options->use_login = 0;
243 if (options->allow_tcp_forwarding == -1)
244 options->allow_tcp_forwarding = 1;
245 if (options->gateway_ports == -1)
246 options->gateway_ports = 0;
247 if (options->max_startups == -1)
248 options->max_startups = 10;
249 if (options->max_startups_rate == -1)
250 options->max_startups_rate = 100; /* 100% */
251 if (options->max_startups_begin == -1)
252 options->max_startups_begin = options->max_startups;
e9702f7d 253 if (options->verify_reverse_mapping == -1)
254 options->verify_reverse_mapping = 0;
3c0ef626 255 if (options->client_alive_interval == -1)
e9702f7d 256 options->client_alive_interval = 0;
3c0ef626 257 if (options->client_alive_count_max == -1)
258 options->client_alive_count_max = 3;
259 if (options->authorized_keys_file2 == NULL) {
260 /* authorized_keys_file2 falls back to authorized_keys_file */
261 if (options->authorized_keys_file != NULL)
262 options->authorized_keys_file2 = options->authorized_keys_file;
263 else
264 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
265 }
266 if (options->authorized_keys_file == NULL)
267 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
350391c5 268
269 /* Turn privilege separation _off_ by default */
270 if (use_privsep == -1)
271 use_privsep = 0;
3c0ef626 272}
273
274/* Keyword tokens. */
275typedef enum {
276 sBadOption, /* == unknown option */
277 /* Portable-specific options */
278 sPAMAuthenticationViaKbdInt,
279 /* Standard Options */
280 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
281 sPermitRootLogin, sLogFacility, sLogLevel,
282 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
5598e598 283#ifdef GSSAPI
284 sGssAuthentication, sGssKeyEx, sGssUseSessionCredCache, sGssCleanupCreds,
285#endif
3c0ef626 286#if defined(KRB4) || defined(KRB5)
287 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
288#endif
289#if defined(AFS) || defined(KRB5)
290 sKerberosTgtPassing,
291#endif
292#ifdef AFS
293 sAFSTokenPassing,
294#endif
295 sChallengeResponseAuthentication,
296 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
297 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9702f7d 298 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
3c0ef626 299 sStrictModes, sEmptyPasswd, sKeepAlives,
300 sUseLogin, sAllowTcpForwarding,
301 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
302 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
303 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
e9702f7d 304 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
305 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 306 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
350391c5 307 sUsePrivilegeSeparation,
e9702f7d 308 sDeprecated
3c0ef626 309} ServerOpCodes;
310
311/* Textual representation of the tokens. */
312static struct {
313 const char *name;
314 ServerOpCodes opcode;
315} keywords[] = {
316 /* Portable-specific options */
317 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
318 /* Standard Options */
319 { "port", sPort },
320 { "hostkey", sHostKeyFile },
321 { "hostdsakey", sHostKeyFile }, /* alias */
322 { "pidfile", sPidFile },
323 { "serverkeybits", sServerKeyBits },
324 { "logingracetime", sLoginGraceTime },
325 { "keyregenerationinterval", sKeyRegenerationTime },
326 { "permitrootlogin", sPermitRootLogin },
327 { "syslogfacility", sLogFacility },
328 { "loglevel", sLogLevel },
329 { "rhostsauthentication", sRhostsAuthentication },
330 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
331 { "hostbasedauthentication", sHostbasedAuthentication },
332 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
333 { "rsaauthentication", sRSAAuthentication },
334 { "pubkeyauthentication", sPubkeyAuthentication },
335 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
5598e598 336#ifdef GSSAPI
337 { "gssapiauthentication", sGssAuthentication },
338 { "gssapikeyexchange", sGssKeyEx },
339 { "gssusesessionccache", sGssUseSessionCredCache },
340 { "gssapiusesessioncredcache", sGssUseSessionCredCache },
341 { "gssapicleanupcreds", sGssCleanupCreds },
342#endif
3c0ef626 343#if defined(KRB4) || defined(KRB5)
344 { "kerberosauthentication", sKerberosAuthentication },
345 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
346 { "kerberosticketcleanup", sKerberosTicketCleanup },
347#endif
348#if defined(AFS) || defined(KRB5)
349 { "kerberostgtpassing", sKerberosTgtPassing },
350#endif
351#ifdef AFS
352 { "afstokenpassing", sAFSTokenPassing },
353#endif
354 { "passwordauthentication", sPasswordAuthentication },
355 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
356 { "challengeresponseauthentication", sChallengeResponseAuthentication },
357 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
358 { "checkmail", sDeprecated },
359 { "listenaddress", sListenAddress },
360 { "printmotd", sPrintMotd },
361 { "printlastlog", sPrintLastLog },
362 { "ignorerhosts", sIgnoreRhosts },
363 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
364 { "x11forwarding", sX11Forwarding },
365 { "x11displayoffset", sX11DisplayOffset },
e9702f7d 366 { "x11uselocalhost", sX11UseLocalhost },
3c0ef626 367 { "xauthlocation", sXAuthLocation },
368 { "strictmodes", sStrictModes },
369 { "permitemptypasswords", sEmptyPasswd },
370 { "uselogin", sUseLogin },
371 { "keepalive", sKeepAlives },
372 { "allowtcpforwarding", sAllowTcpForwarding },
373 { "allowusers", sAllowUsers },
374 { "denyusers", sDenyUsers },
375 { "allowgroups", sAllowGroups },
376 { "denygroups", sDenyGroups },
377 { "ciphers", sCiphers },
378 { "macs", sMacs },
379 { "protocol", sProtocol },
380 { "gatewayports", sGatewayPorts },
381 { "subsystem", sSubsystem },
382 { "maxstartups", sMaxStartups },
383 { "banner", sBanner },
e9702f7d 384 { "verifyreversemapping", sVerifyReverseMapping },
385 { "reversemappingcheck", sVerifyReverseMapping },
3c0ef626 386 { "clientaliveinterval", sClientAliveInterval },
387 { "clientalivecountmax", sClientAliveCountMax },
388 { "authorizedkeysfile", sAuthorizedKeysFile },
389 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
350391c5 390 { "useprivilegeseparation", sUsePrivilegeSeparation},
e9702f7d 391 { NULL, sBadOption }
3c0ef626 392};
393
394/*
395 * Returns the number of the token pointed to by cp or sBadOption.
396 */
397
398static ServerOpCodes
399parse_token(const char *cp, const char *filename,
400 int linenum)
401{
402 u_int i;
403
404 for (i = 0; keywords[i].name; i++)
405 if (strcasecmp(cp, keywords[i].name) == 0)
406 return keywords[i].opcode;
407
408 error("%s: line %d: Bad configuration option: %s",
409 filename, linenum, cp);
410 return sBadOption;
411}
412
413static void
414add_listen_addr(ServerOptions *options, char *addr, u_short port)
415{
416 int i;
417
418 if (options->num_ports == 0)
419 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
420 if (port == 0)
421 for (i = 0; i < options->num_ports; i++)
422 add_one_listen_addr(options, addr, options->ports[i]);
423 else
424 add_one_listen_addr(options, addr, port);
425}
426
427static void
428add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
429{
430 struct addrinfo hints, *ai, *aitop;
431 char strport[NI_MAXSERV];
432 int gaierr;
433
434 memset(&hints, 0, sizeof(hints));
435 hints.ai_family = IPv4or6;
436 hints.ai_socktype = SOCK_STREAM;
437 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
438 snprintf(strport, sizeof strport, "%d", port);
439 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
440 fatal("bad addr or host: %s (%s)",
441 addr ? addr : "<NULL>",
442 gai_strerror(gaierr));
443 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
444 ;
445 ai->ai_next = options->listen_addrs;
446 options->listen_addrs = aitop;
447}
448
e9702f7d 449int
450process_server_config_line(ServerOptions *options, char *line,
451 const char *filename, int linenum)
3c0ef626 452{
3c0ef626 453 char *cp, **charptr, *arg, *p;
e9702f7d 454 int *intptr, value;
3c0ef626 455 ServerOpCodes opcode;
456 int i, n;
457
e9702f7d 458 cp = line;
459 arg = strdelim(&cp);
460 /* Ignore leading whitespace */
461 if (*arg == '\0')
3c0ef626 462 arg = strdelim(&cp);
e9702f7d 463 if (!arg || !*arg || *arg == '#')
464 return 0;
465 intptr = NULL;
466 charptr = NULL;
467 opcode = parse_token(arg, filename, linenum);
468 switch (opcode) {
469 /* Portable-specific options */
470 case sPAMAuthenticationViaKbdInt:
471 intptr = &options->pam_authentication_via_kbd_int;
472 goto parse_flag;
3c0ef626 473
e9702f7d 474 /* Standard Options */
475 case sBadOption:
476 return -1;
477 case sPort:
478 /* ignore ports from configfile if cmdline specifies ports */
479 if (options->ports_from_cmdline)
480 return 0;
481 if (options->listen_addrs != NULL)
482 fatal("%s line %d: ports must be specified before "
483 "ListenAddress.", filename, linenum);
484 if (options->num_ports >= MAX_PORTS)
485 fatal("%s line %d: too many ports.",
486 filename, linenum);
487 arg = strdelim(&cp);
488 if (!arg || *arg == '\0')
489 fatal("%s line %d: missing port number.",
490 filename, linenum);
491 options->ports[options->num_ports++] = a2port(arg);
492 if (options->ports[options->num_ports-1] == 0)
493 fatal("%s line %d: Badly formatted port number.",
494 filename, linenum);
495 break;
496
497 case sServerKeyBits:
498 intptr = &options->server_key_bits;
3c0ef626 499parse_int:
e9702f7d 500 arg = strdelim(&cp);
501 if (!arg || *arg == '\0')
502 fatal("%s line %d: missing integer value.",
503 filename, linenum);
504 value = atoi(arg);
505 if (*intptr == -1)
506 *intptr = value;
507 break;
508
509 case sLoginGraceTime:
510 intptr = &options->login_grace_time;
3c0ef626 511parse_time:
e9702f7d 512 arg = strdelim(&cp);
513 if (!arg || *arg == '\0')
514 fatal("%s line %d: missing time value.",
515 filename, linenum);
516 if ((value = convtime(arg)) == -1)
517 fatal("%s line %d: invalid time value.",
518 filename, linenum);
519 if (*intptr == -1)
520 *intptr = value;
521 break;
522
523 case sKeyRegenerationTime:
524 intptr = &options->key_regeneration_time;
525 goto parse_time;
526
527 case sListenAddress:
528 arg = strdelim(&cp);
529 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
530 fatal("%s line %d: missing inet addr.",
531 filename, linenum);
532 if (*arg == '[') {
533 if ((p = strchr(arg, ']')) == NULL)
534 fatal("%s line %d: bad ipv6 inet addr usage.",
3c0ef626 535 filename, linenum);
e9702f7d 536 arg++;
537 memmove(p, p+1, strlen(p+1)+1);
538 } else if (((p = strchr(arg, ':')) == NULL) ||
539 (strchr(p+1, ':') != NULL)) {
540 add_listen_addr(options, arg, 0);
3c0ef626 541 break;
e9702f7d 542 }
543 if (*p == ':') {
544 u_short port;
3c0ef626 545
e9702f7d 546 p++;
547 if (*p == '\0')
548 fatal("%s line %d: bad inet addr:port usage.",
3c0ef626 549 filename, linenum);
e9702f7d 550 else {
551 *(p-1) = '\0';
552 if ((port = a2port(p)) == 0)
553 fatal("%s line %d: bad port number.",
3c0ef626 554 filename, linenum);
e9702f7d 555 add_listen_addr(options, arg, port);
3c0ef626 556 }
e9702f7d 557 } else if (*p == '\0')
558 add_listen_addr(options, arg, 0);
559 else
560 fatal("%s line %d: bad inet addr usage.",
561 filename, linenum);
562 break;
563
564 case sHostKeyFile:
565 intptr = &options->num_host_key_files;
566 if (*intptr >= MAX_HOSTKEYS)
567 fatal("%s line %d: too many host keys specified (max %d).",
568 filename, linenum, MAX_HOSTKEYS);
569 charptr = &options->host_key_files[*intptr];
3c0ef626 570parse_filename:
e9702f7d 571 arg = strdelim(&cp);
572 if (!arg || *arg == '\0')
573 fatal("%s line %d: missing file name.",
574 filename, linenum);
575 if (*charptr == NULL) {
576 *charptr = tilde_expand_filename(arg, getuid());
577 /* increase optional counter */
578 if (intptr != NULL)
579 *intptr = *intptr + 1;
580 }
581 break;
3c0ef626 582
e9702f7d 583 case sPidFile:
584 charptr = &options->pid_file;
585 goto parse_filename;
3c0ef626 586
e9702f7d 587 case sPermitRootLogin:
588 intptr = &options->permit_root_login;
589 arg = strdelim(&cp);
590 if (!arg || *arg == '\0')
591 fatal("%s line %d: missing yes/"
592 "without-password/forced-commands-only/no "
593 "argument.", filename, linenum);
594 value = 0; /* silence compiler */
595 if (strcmp(arg, "without-password") == 0)
596 value = PERMIT_NO_PASSWD;
597 else if (strcmp(arg, "forced-commands-only") == 0)
598 value = PERMIT_FORCED_ONLY;
599 else if (strcmp(arg, "yes") == 0)
600 value = PERMIT_YES;
601 else if (strcmp(arg, "no") == 0)
602 value = PERMIT_NO;
603 else
604 fatal("%s line %d: Bad yes/"
605 "without-password/forced-commands-only/no "
606 "argument: %s", filename, linenum, arg);
607 if (*intptr == -1)
608 *intptr = value;
609 break;
3c0ef626 610
e9702f7d 611 case sIgnoreRhosts:
612 intptr = &options->ignore_rhosts;
613parse_flag:
614 arg = strdelim(&cp);
615 if (!arg || *arg == '\0')
616 fatal("%s line %d: missing yes/no argument.",
617 filename, linenum);
618 value = 0; /* silence compiler */
619 if (strcmp(arg, "yes") == 0)
620 value = 1;
621 else if (strcmp(arg, "no") == 0)
622 value = 0;
623 else
624 fatal("%s line %d: Bad yes/no argument: %s",
625 filename, linenum, arg);
626 if (*intptr == -1)
627 *intptr = value;
628 break;
629
630 case sIgnoreUserKnownHosts:
631 intptr = &options->ignore_user_known_hosts;
632 goto parse_flag;
633
634 case sRhostsAuthentication:
635 intptr = &options->rhosts_authentication;
636 goto parse_flag;
637
638 case sRhostsRSAAuthentication:
639 intptr = &options->rhosts_rsa_authentication;
640 goto parse_flag;
641
642 case sHostbasedAuthentication:
643 intptr = &options->hostbased_authentication;
644 goto parse_flag;
645
646 case sHostbasedUsesNameFromPacketOnly:
647 intptr = &options->hostbased_uses_name_from_packet_only;
648 goto parse_flag;
649
650 case sRSAAuthentication:
651 intptr = &options->rsa_authentication;
652 goto parse_flag;
653
654 case sPubkeyAuthentication:
655 intptr = &options->pubkey_authentication;
656 goto parse_flag;
905081a4 657#ifdef GSSAPI
658 case sGssAuthentication:
659 intptr = &options->gss_authentication;
660 goto parse_flag;
661 case sGssKeyEx:
662 intptr = &options->gss_keyex;
663 goto parse_flag;
664 case sGssUseSessionCredCache:
665 intptr = &options->gss_use_session_ccache;
666 goto parse_flag;
667 case sGssCleanupCreds:
668 intptr = &options->gss_cleanup_creds;
669 goto parse_flag;
670#endif
3c0ef626 671#if defined(KRB4) || defined(KRB5)
e9702f7d 672 case sKerberosAuthentication:
673 intptr = &options->kerberos_authentication;
674 goto parse_flag;
3c0ef626 675
e9702f7d 676 case sKerberosOrLocalPasswd:
677 intptr = &options->kerberos_or_local_passwd;
678 goto parse_flag;
3c0ef626 679
e9702f7d 680 case sKerberosTicketCleanup:
681 intptr = &options->kerberos_ticket_cleanup;
682 goto parse_flag;
3c0ef626 683#endif
684#if defined(AFS) || defined(KRB5)
e9702f7d 685 case sKerberosTgtPassing:
686 intptr = &options->kerberos_tgt_passing;
687 goto parse_flag;
3c0ef626 688#endif
689#ifdef AFS
e9702f7d 690 case sAFSTokenPassing:
691 intptr = &options->afs_token_passing;
692 goto parse_flag;
3c0ef626 693#endif
694
e9702f7d 695 case sPasswordAuthentication:
696 intptr = &options->password_authentication;
697 goto parse_flag;
3c0ef626 698
e9702f7d 699 case sKbdInteractiveAuthentication:
700 intptr = &options->kbd_interactive_authentication;
701 goto parse_flag;
3c0ef626 702
e9702f7d 703 case sChallengeResponseAuthentication:
704 intptr = &options->challenge_response_authentication;
705 goto parse_flag;
3c0ef626 706
e9702f7d 707 case sPrintMotd:
708 intptr = &options->print_motd;
709 goto parse_flag;
3c0ef626 710
e9702f7d 711 case sPrintLastLog:
712 intptr = &options->print_lastlog;
713 goto parse_flag;
3c0ef626 714
e9702f7d 715 case sX11Forwarding:
716 intptr = &options->x11_forwarding;
717 goto parse_flag;
3c0ef626 718
e9702f7d 719 case sX11DisplayOffset:
720 intptr = &options->x11_display_offset;
721 goto parse_int;
3c0ef626 722
e9702f7d 723 case sX11UseLocalhost:
724 intptr = &options->x11_use_localhost;
725 goto parse_flag;
3c0ef626 726
e9702f7d 727 case sXAuthLocation:
728 charptr = &options->xauth_location;
729 goto parse_filename;
3c0ef626 730
e9702f7d 731 case sStrictModes:
732 intptr = &options->strict_modes;
733 goto parse_flag;
3c0ef626 734
e9702f7d 735 case sKeepAlives:
736 intptr = &options->keepalives;
737 goto parse_flag;
3c0ef626 738
e9702f7d 739 case sEmptyPasswd:
740 intptr = &options->permit_empty_passwd;
741 goto parse_flag;
742
743 case sUseLogin:
744 intptr = &options->use_login;
745 goto parse_flag;
746
747 case sGatewayPorts:
748 intptr = &options->gateway_ports;
749 goto parse_flag;
750
751 case sVerifyReverseMapping:
752 intptr = &options->verify_reverse_mapping;
753 goto parse_flag;
754
755 case sLogFacility:
756 intptr = (int *) &options->log_facility;
757 arg = strdelim(&cp);
758 value = log_facility_number(arg);
759 if (value == SYSLOG_FACILITY_NOT_SET)
760 fatal("%.200s line %d: unsupported log facility '%s'",
761 filename, linenum, arg ? arg : "<NONE>");
762 if (*intptr == -1)
763 *intptr = (SyslogFacility) value;
764 break;
765
766 case sLogLevel:
767 intptr = (int *) &options->log_level;
768 arg = strdelim(&cp);
769 value = log_level_number(arg);
770 if (value == SYSLOG_LEVEL_NOT_SET)
771 fatal("%.200s line %d: unsupported log level '%s'",
772 filename, linenum, arg ? arg : "<NONE>");
773 if (*intptr == -1)
774 *intptr = (LogLevel) value;
775 break;
776
777 case sAllowTcpForwarding:
778 intptr = &options->allow_tcp_forwarding;
779 goto parse_flag;
780
350391c5 781 case sUsePrivilegeSeparation:
782 intptr = &use_privsep;
783 goto parse_flag;
784
e9702f7d 785 case sAllowUsers:
786 while ((arg = strdelim(&cp)) && *arg != '\0') {
787 if (options->num_allow_users >= MAX_ALLOW_USERS)
788 fatal("%s line %d: too many allow users.",
3c0ef626 789 filename, linenum);
e9702f7d 790 options->allow_users[options->num_allow_users++] = xstrdup(arg);
791 }
792 break;
3c0ef626 793
e9702f7d 794 case sDenyUsers:
795 while ((arg = strdelim(&cp)) && *arg != '\0') {
796 if (options->num_deny_users >= MAX_DENY_USERS)
797 fatal( "%s line %d: too many deny users.",
798 filename, linenum);
799 options->deny_users[options->num_deny_users++] = xstrdup(arg);
800 }
801 break;
3c0ef626 802
e9702f7d 803 case sAllowGroups:
804 while ((arg = strdelim(&cp)) && *arg != '\0') {
805 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
806 fatal("%s line %d: too many allow groups.",
807 filename, linenum);
808 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
809 }
810 break;
811
812 case sDenyGroups:
813 while ((arg = strdelim(&cp)) && *arg != '\0') {
814 if (options->num_deny_groups >= MAX_DENY_GROUPS)
815 fatal("%s line %d: too many deny groups.",
816 filename, linenum);
817 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
3c0ef626 818 }
e9702f7d 819 break;
820
821 case sCiphers:
822 arg = strdelim(&cp);
823 if (!arg || *arg == '\0')
824 fatal("%s line %d: Missing argument.", filename, linenum);
825 if (!ciphers_valid(arg))
826 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
827 filename, linenum, arg ? arg : "<NONE>");
828 if (options->ciphers == NULL)
829 options->ciphers = xstrdup(arg);
830 break;
831
832 case sMacs:
833 arg = strdelim(&cp);
834 if (!arg || *arg == '\0')
835 fatal("%s line %d: Missing argument.", filename, linenum);
836 if (!mac_valid(arg))
837 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
838 filename, linenum, arg ? arg : "<NONE>");
839 if (options->macs == NULL)
840 options->macs = xstrdup(arg);
841 break;
842
843 case sProtocol:
844 intptr = &options->protocol;
845 arg = strdelim(&cp);
846 if (!arg || *arg == '\0')
847 fatal("%s line %d: Missing argument.", filename, linenum);
848 value = proto_spec(arg);
849 if (value == SSH_PROTO_UNKNOWN)
850 fatal("%s line %d: Bad protocol spec '%s'.",
851 filename, linenum, arg ? arg : "<NONE>");
852 if (*intptr == SSH_PROTO_UNKNOWN)
853 *intptr = value;
854 break;
855
856 case sSubsystem:
857 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
858 fatal("%s line %d: too many subsystems defined.",
859 filename, linenum);
860 }
861 arg = strdelim(&cp);
862 if (!arg || *arg == '\0')
863 fatal("%s line %d: Missing subsystem name.",
864 filename, linenum);
865 for (i = 0; i < options->num_subsystems; i++)
866 if (strcmp(arg, options->subsystem_name[i]) == 0)
867 fatal("%s line %d: Subsystem '%s' already defined.",
868 filename, linenum, arg);
869 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
870 arg = strdelim(&cp);
871 if (!arg || *arg == '\0')
872 fatal("%s line %d: Missing subsystem command.",
873 filename, linenum);
874 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
875 options->num_subsystems++;
876 break;
877
878 case sMaxStartups:
879 arg = strdelim(&cp);
880 if (!arg || *arg == '\0')
881 fatal("%s line %d: Missing MaxStartups spec.",
882 filename, linenum);
883 if ((n = sscanf(arg, "%d:%d:%d",
884 &options->max_startups_begin,
885 &options->max_startups_rate,
886 &options->max_startups)) == 3) {
887 if (options->max_startups_begin >
888 options->max_startups ||
889 options->max_startups_rate > 100 ||
890 options->max_startups_rate < 1)
891 fatal("%s line %d: Illegal MaxStartups spec.",
892 filename, linenum);
893 } else if (n != 1)
894 fatal("%s line %d: Illegal MaxStartups spec.",
895 filename, linenum);
896 else
897 options->max_startups = options->max_startups_begin;
898 break;
899
900 case sBanner:
901 charptr = &options->banner;
902 goto parse_filename;
903 /*
904 * These options can contain %X options expanded at
905 * connect time, so that you can specify paths like:
906 *
907 * AuthorizedKeysFile /etc/ssh_keys/%u
908 */
909 case sAuthorizedKeysFile:
910 case sAuthorizedKeysFile2:
911 charptr = (opcode == sAuthorizedKeysFile ) ?
912 &options->authorized_keys_file :
913 &options->authorized_keys_file2;
914 goto parse_filename;
915
916 case sClientAliveInterval:
917 intptr = &options->client_alive_interval;
918 goto parse_time;
919
920 case sClientAliveCountMax:
921 intptr = &options->client_alive_count_max;
922 goto parse_int;
923
924 case sDeprecated:
925 log("%s line %d: Deprecated option %s",
926 filename, linenum, arg);
927 while (arg)
928 arg = strdelim(&cp);
929 break;
930
931 default:
932 fatal("%s line %d: Missing handler for opcode %s (%d)",
933 filename, linenum, arg, opcode);
934 }
935 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
936 fatal("%s line %d: garbage at end of line; \"%.200s\".",
937 filename, linenum, arg);
938 return 0;
939}
940
941/* Reads the server configuration file. */
942
943void
944read_server_config(ServerOptions *options, const char *filename)
945{
946 FILE *f;
947 char line[1024];
948 int linenum;
949 int bad_options = 0;
950
951 f = fopen(filename, "r");
952 if (!f) {
953 perror(filename);
954 exit(1);
955 }
956 linenum = 0;
957 while (fgets(line, sizeof(line), f)) {
958 /* Update line number counter. */
959 linenum++;
960 if (process_server_config_line(options, line, filename, linenum) != 0)
961 bad_options++;
3c0ef626 962 }
963 fclose(f);
964 if (bad_options > 0)
965 fatal("%s: terminating, %d bad configuration options",
966 filename, bad_options);
967}
git-cvsimport mirror of GSI OpenSSH
This page took 0.246858 seconds and 5 git commands to generate.