]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
NCSA_GSSAPI_20060726
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
08822d99 13RCSID("$OpenBSD: servconf.c,v 1.146 2005/12/08 18:34:11 reyk Exp $");
3c0ef626 14
15#include "ssh.h"
16#include "log.h"
17#include "servconf.h"
18#include "xmalloc.h"
19#include "compat.h"
20#include "pathnames.h"
3c0ef626 21#include "misc.h"
22#include "cipher.h"
23#include "kex.h"
24#include "mac.h"
25
26static void add_listen_addr(ServerOptions *, char *, u_short);
27static void add_one_listen_addr(ServerOptions *, char *, u_short);
28
350391c5 29/* Use of privilege separation or not */
30extern int use_privsep;
3c0ef626 31
32/* Initializes the server options to their default values. */
33
34void
35initialize_server_options(ServerOptions *options)
36{
37 memset(options, 0, sizeof(*options));
38
39 /* Portable-specific options */
7cac2b65 40 options->use_pam = -1;
3c0ef626 41
42 /* Standard Options */
43 options->num_ports = 0;
44 options->ports_from_cmdline = 0;
45 options->listen_addrs = NULL;
dfddba3d 46 options->address_family = -1;
3c0ef626 47 options->num_host_key_files = 0;
48 options->pid_file = NULL;
49 options->server_key_bits = -1;
50 options->login_grace_time = -1;
51 options->key_regeneration_time = -1;
52 options->permit_root_login = PERMIT_NOT_SET;
53 options->ignore_rhosts = -1;
54 options->ignore_user_known_hosts = -1;
55 options->print_motd = -1;
56 options->print_lastlog = -1;
57 options->x11_forwarding = -1;
58 options->x11_display_offset = -1;
e9702f7d 59 options->x11_use_localhost = -1;
3c0ef626 60 options->xauth_location = NULL;
61 options->strict_modes = -1;
540d72c3 62 options->tcp_keep_alive = -1;
e9702f7d 63 options->log_facility = SYSLOG_FACILITY_NOT_SET;
64 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 65 options->rhosts_rsa_authentication = -1;
66 options->hostbased_authentication = -1;
67 options->hostbased_uses_name_from_packet_only = -1;
68 options->rsa_authentication = -1;
69 options->pubkey_authentication = -1;
3c0ef626 70 options->kerberos_authentication = -1;
71 options->kerberos_or_local_passwd = -1;
72 options->kerberos_ticket_cleanup = -1;
75be3237 73#ifdef SESSION_HOOKS
74 options->session_hooks_allow = -1;
75 options->session_hooks_startup_cmd = NULL;
76 options->session_hooks_shutdown_cmd = NULL;
3c0ef626 77#endif
540d72c3 78 options->kerberos_get_afs_token = -1;
7cac2b65 79 options->gss_authentication=-1;
fe4ad273 80 options->gss_keyex = -1;
7cac2b65 81 options->gss_cleanup_creds = -1;
826a9049 82 options->gsi_allow_limited_proxy = -1;
3c0ef626 83 options->password_authentication = -1;
84 options->kbd_interactive_authentication = -1;
85 options->challenge_response_authentication = -1;
86 options->permit_empty_passwd = -1;
d03f4262 87 options->permit_user_env = -1;
3c0ef626 88 options->use_login = -1;
44a053a3 89 options->compression = -1;
3c0ef626 90 options->allow_tcp_forwarding = -1;
91 options->num_allow_users = 0;
92 options->num_deny_users = 0;
93 options->num_allow_groups = 0;
94 options->num_deny_groups = 0;
95 options->ciphers = NULL;
96 options->macs = NULL;
97 options->protocol = SSH_PROTO_UNKNOWN;
98 options->gateway_ports = -1;
99 options->num_subsystems = 0;
100 options->max_startups_begin = -1;
101 options->max_startups_rate = -1;
102 options->max_startups = -1;
7e82606e 103 options->max_authtries = -1;
3c0ef626 104 options->banner = NULL;
7cac2b65 105 options->use_dns = -1;
3c0ef626 106 options->client_alive_interval = -1;
107 options->client_alive_count_max = -1;
108 options->authorized_keys_file = NULL;
109 options->authorized_keys_file2 = NULL;
7e82606e 110 options->num_accept_env = 0;
08822d99 111 options->permit_tun = -1;
a7213e65 112 options->none_enabled = -1;
113 options->tcp_rcv_buf_poll = -1;
114 options->hpn_disabled = -1;
115 options->hpn_buffer_size = -1;
350391c5 116
117 /* Needs to be accessable in many places */
118 use_privsep = -1;
3c0ef626 119}
120
121void
122fill_default_server_options(ServerOptions *options)
123{
a7213e65 124
3c0ef626 125 /* Portable-specific options */
7cac2b65 126 if (options->use_pam == -1)
29d88157 127 options->use_pam = 0;
3c0ef626 128
129 /* Standard Options */
130 if (options->protocol == SSH_PROTO_UNKNOWN)
131 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
132 if (options->num_host_key_files == 0) {
133 /* fill default hostkeys for protocols */
134 if (options->protocol & SSH_PROTO_1)
e9702f7d 135 options->host_key_files[options->num_host_key_files++] =
136 _PATH_HOST_KEY_FILE;
137 if (options->protocol & SSH_PROTO_2) {
138 options->host_key_files[options->num_host_key_files++] =
139 _PATH_HOST_RSA_KEY_FILE;
140 options->host_key_files[options->num_host_key_files++] =
141 _PATH_HOST_DSA_KEY_FILE;
142 }
3c0ef626 143 }
144 if (options->num_ports == 0)
145 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
146 if (options->listen_addrs == NULL)
147 add_listen_addr(options, NULL, 0);
148 if (options->pid_file == NULL)
149 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
150 if (options->server_key_bits == -1)
151 options->server_key_bits = 768;
152 if (options->login_grace_time == -1)
d03f4262 153 options->login_grace_time = 120;
3c0ef626 154 if (options->key_regeneration_time == -1)
155 options->key_regeneration_time = 3600;
156 if (options->permit_root_login == PERMIT_NOT_SET)
157 options->permit_root_login = PERMIT_YES;
158 if (options->ignore_rhosts == -1)
159 options->ignore_rhosts = 1;
160 if (options->ignore_user_known_hosts == -1)
161 options->ignore_user_known_hosts = 0;
162 if (options->print_motd == -1)
163 options->print_motd = 1;
164 if (options->print_lastlog == -1)
165 options->print_lastlog = 1;
166 if (options->x11_forwarding == -1)
167 options->x11_forwarding = 0;
168 if (options->x11_display_offset == -1)
169 options->x11_display_offset = 10;
e9702f7d 170 if (options->x11_use_localhost == -1)
171 options->x11_use_localhost = 1;
3c0ef626 172 if (options->xauth_location == NULL)
173 options->xauth_location = _PATH_XAUTH;
3c0ef626 174 if (options->strict_modes == -1)
175 options->strict_modes = 1;
540d72c3 176 if (options->tcp_keep_alive == -1)
177 options->tcp_keep_alive = 1;
e9702f7d 178 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 179 options->log_facility = SYSLOG_FACILITY_AUTH;
e9702f7d 180 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 181 options->log_level = SYSLOG_LEVEL_INFO;
3c0ef626 182 if (options->rhosts_rsa_authentication == -1)
183 options->rhosts_rsa_authentication = 0;
184 if (options->hostbased_authentication == -1)
185 options->hostbased_authentication = 0;
186 if (options->hostbased_uses_name_from_packet_only == -1)
187 options->hostbased_uses_name_from_packet_only = 0;
188 if (options->rsa_authentication == -1)
189 options->rsa_authentication = 1;
190 if (options->pubkey_authentication == -1)
191 options->pubkey_authentication = 1;
7cac2b65 192 if (options->kerberos_authentication == -1)
193 options->kerberos_authentication = 0;
194 if (options->kerberos_or_local_passwd == -1)
195 options->kerberos_or_local_passwd = 1;
196 if (options->kerberos_ticket_cleanup == -1)
197 options->kerberos_ticket_cleanup = 1;
540d72c3 198 if (options->kerberos_get_afs_token == -1)
199 options->kerberos_get_afs_token = 0;
5598e598 200 if (options->gss_authentication == -1)
201 options->gss_authentication = 1;
202 if (options->gss_keyex == -1)
7cac2b65 203 options->gss_keyex = 1;
5598e598 204 if (options->gss_cleanup_creds == -1)
205 options->gss_cleanup_creds = 1;
826a9049 206 if (options->gsi_allow_limited_proxy == -1)
207 options->gsi_allow_limited_proxy = 0;
3c0ef626 208 if (options->password_authentication == -1)
209 options->password_authentication = 1;
210 if (options->kbd_interactive_authentication == -1)
211 options->kbd_interactive_authentication = 0;
212 if (options->challenge_response_authentication == -1)
213 options->challenge_response_authentication = 1;
214 if (options->permit_empty_passwd == -1)
215 options->permit_empty_passwd = 0;
d03f4262 216 if (options->permit_user_env == -1)
217 options->permit_user_env = 0;
3c0ef626 218 if (options->use_login == -1)
219 options->use_login = 0;
44a053a3 220 if (options->compression == -1)
2ce0bfe4 221 options->compression = COMP_DELAYED;
3c0ef626 222 if (options->allow_tcp_forwarding == -1)
223 options->allow_tcp_forwarding = 1;
224 if (options->gateway_ports == -1)
225 options->gateway_ports = 0;
226 if (options->max_startups == -1)
227 options->max_startups = 10;
228 if (options->max_startups_rate == -1)
229 options->max_startups_rate = 100; /* 100% */
230 if (options->max_startups_begin == -1)
231 options->max_startups_begin = options->max_startups;
7e82606e 232 if (options->max_authtries == -1)
233 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
7cac2b65 234 if (options->use_dns == -1)
235 options->use_dns = 1;
3c0ef626 236 if (options->client_alive_interval == -1)
e9702f7d 237 options->client_alive_interval = 0;
3c0ef626 238 if (options->client_alive_count_max == -1)
239 options->client_alive_count_max = 3;
240 if (options->authorized_keys_file2 == NULL) {
241 /* authorized_keys_file2 falls back to authorized_keys_file */
242 if (options->authorized_keys_file != NULL)
243 options->authorized_keys_file2 = options->authorized_keys_file;
244 else
245 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
246 }
247 if (options->authorized_keys_file == NULL)
248 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
08822d99 249 if (options->permit_tun == -1)
250 options->permit_tun = SSH_TUNMODE_NO;
350391c5 251
a7213e65 252 if (options->hpn_disabled == -1)
253 options->hpn_disabled = 0;
254
255 if (options->hpn_buffer_size == -1)
256 options->hpn_buffer_size = 2*1024*1024;
257 else {
258 if (options->hpn_buffer_size == 0)
259 options->hpn_buffer_size = 1;
260 /* limit the maximum buffer to 7MB */
261 if (options->hpn_buffer_size > 7168)
262 options->hpn_buffer_size = 7168;
263 options->hpn_buffer_size *=1024;
264 }
265
44a053a3 266 /* Turn privilege separation on by default */
350391c5 267 if (use_privsep == -1)
44a053a3 268 use_privsep = 1;
269
a7213e65 270
271
d03f4262 272#ifndef HAVE_MMAP
44a053a3 273 if (use_privsep && options->compression == 1) {
274 error("This platform does not support both privilege "
275 "separation and compression");
276 error("Compression disabled");
277 options->compression = 0;
278 }
279#endif
280
3c0ef626 281}
282
283/* Keyword tokens. */
284typedef enum {
285 sBadOption, /* == unknown option */
286 /* Portable-specific options */
7cac2b65 287 sUsePAM,
3c0ef626 288 /* Standard Options */
289 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
290 sPermitRootLogin, sLogFacility, sLogLevel,
7cac2b65 291 sRhostsRSAAuthentication, sRSAAuthentication,
3c0ef626 292 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
540d72c3 293 sKerberosGetAFSToken,
7cac2b65 294 sKerberosTgtPassing, sChallengeResponseAuthentication,
75be3237 295#ifdef SESSION_HOOKS
296 sAllowSessionHooks, sSessionHookStartupCmd, sSessionHookShutdownCmd,
3c0ef626 297#endif
dfddba3d 298 sPasswordAuthentication, sKbdInteractiveAuthentication,
299 sListenAddress, sAddressFamily,
3c0ef626 300 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9702f7d 301 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
540d72c3 302 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
d03f4262 303 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
3c0ef626 304 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
305 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
7e82606e 306 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
307 sMaxStartups, sMaxAuthTries,
7cac2b65 308 sBanner, sUseDNS, sHostbasedAuthentication,
e9702f7d 309 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 310 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
a7213e65 311 sGssKeyEx,
826a9049 312 sGsiAllowLimitedProxy,
a7213e65 313 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
314 sUsePrivilegeSeparation, sNoneEnabled, sTcpRcvBufPoll,
315 sHPNDisabled, sHPNBufferSize,
7cac2b65 316 sDeprecated, sUnsupported
3c0ef626 317} ServerOpCodes;
318
319/* Textual representation of the tokens. */
320static struct {
321 const char *name;
322 ServerOpCodes opcode;
323} keywords[] = {
324 /* Portable-specific options */
7cac2b65 325#ifdef USE_PAM
326 { "usepam", sUsePAM },
327#else
328 { "usepam", sUnsupported },
329#endif
330 { "pamauthenticationviakbdint", sDeprecated },
3c0ef626 331 /* Standard Options */
332 { "port", sPort },
333 { "hostkey", sHostKeyFile },
334 { "hostdsakey", sHostKeyFile }, /* alias */
335 { "pidfile", sPidFile },
336 { "serverkeybits", sServerKeyBits },
337 { "logingracetime", sLoginGraceTime },
338 { "keyregenerationinterval", sKeyRegenerationTime },
339 { "permitrootlogin", sPermitRootLogin },
340 { "syslogfacility", sLogFacility },
341 { "loglevel", sLogLevel },
7cac2b65 342 { "rhostsauthentication", sDeprecated },
3c0ef626 343 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
344 { "hostbasedauthentication", sHostbasedAuthentication },
345 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
346 { "rsaauthentication", sRSAAuthentication },
347 { "pubkeyauthentication", sPubkeyAuthentication },
348 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
7cac2b65 349#ifdef KRB5
350 { "kerberosauthentication", sKerberosAuthentication },
351 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
352 { "kerberosticketcleanup", sKerberosTicketCleanup },
540d72c3 353#ifdef USE_AFS
354 { "kerberosgetafstoken", sKerberosGetAFSToken },
355#else
356 { "kerberosgetafstoken", sUnsupported },
357#endif
7cac2b65 358#else
359 { "kerberosauthentication", sUnsupported },
360 { "kerberosorlocalpasswd", sUnsupported },
361 { "kerberosticketcleanup", sUnsupported },
540d72c3 362 { "kerberosgetafstoken", sUnsupported },
7cac2b65 363#endif
364 { "kerberostgtpassing", sUnsupported },
365 { "afstokenpassing", sUnsupported },
5598e598 366#ifdef GSSAPI
367 { "gssapiauthentication", sGssAuthentication },
368 { "gssapikeyexchange", sGssKeyEx },
540d72c3 369 { "gssapicleanupcredentials", sGssCleanupCreds },
826a9049 370#ifdef GSI
371 { "gsiallowlimitedproxy", sGsiAllowLimitedProxy },
372#endif
7cac2b65 373#else
374 { "gssapiauthentication", sUnsupported },
375 { "gssapikeyexchange", sUnsupported },
540d72c3 376 { "gssapicleanupcredentials", sUnsupported },
3c0ef626 377#endif
75be3237 378#ifdef SESSION_HOOKS
379 { "allowsessionhooks", sAllowSessionHooks },
380 { "sessionhookstartupcmd", sSessionHookStartupCmd },
381 { "sessionhookshutdowncmd", sSessionHookShutdownCmd },
382#endif
3c0ef626 383 { "passwordauthentication", sPasswordAuthentication },
384 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
385 { "challengeresponseauthentication", sChallengeResponseAuthentication },
386 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
387 { "checkmail", sDeprecated },
388 { "listenaddress", sListenAddress },
dfddba3d 389 { "addressfamily", sAddressFamily },
3c0ef626 390 { "printmotd", sPrintMotd },
391 { "printlastlog", sPrintLastLog },
392 { "ignorerhosts", sIgnoreRhosts },
393 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
394 { "x11forwarding", sX11Forwarding },
395 { "x11displayoffset", sX11DisplayOffset },
e9702f7d 396 { "x11uselocalhost", sX11UseLocalhost },
3c0ef626 397 { "xauthlocation", sXAuthLocation },
398 { "strictmodes", sStrictModes },
399 { "permitemptypasswords", sEmptyPasswd },
d03f4262 400 { "permituserenvironment", sPermitUserEnvironment },
3c0ef626 401 { "uselogin", sUseLogin },
44a053a3 402 { "compression", sCompression },
540d72c3 403 { "tcpkeepalive", sTCPKeepAlive },
404 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
3c0ef626 405 { "allowtcpforwarding", sAllowTcpForwarding },
406 { "allowusers", sAllowUsers },
407 { "denyusers", sDenyUsers },
408 { "allowgroups", sAllowGroups },
409 { "denygroups", sDenyGroups },
410 { "ciphers", sCiphers },
411 { "macs", sMacs },
412 { "protocol", sProtocol },
413 { "gatewayports", sGatewayPorts },
414 { "subsystem", sSubsystem },
415 { "maxstartups", sMaxStartups },
7e82606e 416 { "maxauthtries", sMaxAuthTries },
3c0ef626 417 { "banner", sBanner },
7cac2b65 418 { "usedns", sUseDNS },
419 { "verifyreversemapping", sDeprecated },
420 { "reversemappingcheck", sDeprecated },
3c0ef626 421 { "clientaliveinterval", sClientAliveInterval },
422 { "clientalivecountmax", sClientAliveCountMax },
423 { "authorizedkeysfile", sAuthorizedKeysFile },
424 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
350391c5 425 { "useprivilegeseparation", sUsePrivilegeSeparation},
7e82606e 426 { "acceptenv", sAcceptEnv },
a7213e65 427 { "noneenabled", sNoneEnabled },
428 { "hpndisabled", sHPNDisabled },
429 { "hpnbuffersize", sHPNBufferSize },
430 { "tcprcvbufpoll", sTcpRcvBufPoll },
08822d99 431 { "permittunnel", sPermitTunnel },
e9702f7d 432 { NULL, sBadOption }
3c0ef626 433};
434
435/*
436 * Returns the number of the token pointed to by cp or sBadOption.
437 */
438
439static ServerOpCodes
440parse_token(const char *cp, const char *filename,
441 int linenum)
442{
443 u_int i;
444
445 for (i = 0; keywords[i].name; i++)
a7213e65 446 if (strcasecmp(cp, keywords[i].name) == 0){
447 debug ("TOKEN IS %s", keywords[i].name);
448 return keywords[i].opcode;}
3c0ef626 449 error("%s: line %d: Bad configuration option: %s",
450 filename, linenum, cp);
451 return sBadOption;
452}
453
454static void
455add_listen_addr(ServerOptions *options, char *addr, u_short port)
456{
2ce0bfe4 457 u_int i;
3c0ef626 458
459 if (options->num_ports == 0)
460 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
dfddba3d 461 if (options->address_family == -1)
462 options->address_family = AF_UNSPEC;
3c0ef626 463 if (port == 0)
464 for (i = 0; i < options->num_ports; i++)
465 add_one_listen_addr(options, addr, options->ports[i]);
466 else
467 add_one_listen_addr(options, addr, port);
468}
469
470static void
471add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
472{
473 struct addrinfo hints, *ai, *aitop;
474 char strport[NI_MAXSERV];
475 int gaierr;
476
477 memset(&hints, 0, sizeof(hints));
dfddba3d 478 hints.ai_family = options->address_family;
3c0ef626 479 hints.ai_socktype = SOCK_STREAM;
480 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
276b07a3 481 snprintf(strport, sizeof strport, "%u", port);
3c0ef626 482 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
483 fatal("bad addr or host: %s (%s)",
484 addr ? addr : "<NULL>",
485 gai_strerror(gaierr));
486 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
487 ;
488 ai->ai_next = options->listen_addrs;
489 options->listen_addrs = aitop;
490}
491
e9702f7d 492int
493process_server_config_line(ServerOptions *options, char *line,
494 const char *filename, int linenum)
3c0ef626 495{
3c0ef626 496 char *cp, **charptr, *arg, *p;
2ce0bfe4 497 int *intptr, value, n;
3c0ef626 498 ServerOpCodes opcode;
dfddba3d 499 u_short port;
2ce0bfe4 500 u_int i;
3c0ef626 501
e9702f7d 502 cp = line;
503 arg = strdelim(&cp);
504 /* Ignore leading whitespace */
505 if (*arg == '\0')
3c0ef626 506 arg = strdelim(&cp);
e9702f7d 507 if (!arg || !*arg || *arg == '#')
508 return 0;
509 intptr = NULL;
510 charptr = NULL;
511 opcode = parse_token(arg, filename, linenum);
a7213e65 512
e9702f7d 513 switch (opcode) {
514 /* Portable-specific options */
7cac2b65 515 case sUsePAM:
516 intptr = &options->use_pam;
e9702f7d 517 goto parse_flag;
3c0ef626 518
e9702f7d 519 /* Standard Options */
520 case sBadOption:
521 return -1;
522 case sPort:
523 /* ignore ports from configfile if cmdline specifies ports */
524 if (options->ports_from_cmdline)
525 return 0;
526 if (options->listen_addrs != NULL)
527 fatal("%s line %d: ports must be specified before "
528 "ListenAddress.", filename, linenum);
529 if (options->num_ports >= MAX_PORTS)
530 fatal("%s line %d: too many ports.",
531 filename, linenum);
532 arg = strdelim(&cp);
533 if (!arg || *arg == '\0')
534 fatal("%s line %d: missing port number.",
535 filename, linenum);
536 options->ports[options->num_ports++] = a2port(arg);
537 if (options->ports[options->num_ports-1] == 0)
538 fatal("%s line %d: Badly formatted port number.",
539 filename, linenum);
540 break;
541
542 case sServerKeyBits:
543 intptr = &options->server_key_bits;
3c0ef626 544parse_int:
e9702f7d 545 arg = strdelim(&cp);
546 if (!arg || *arg == '\0')
547 fatal("%s line %d: missing integer value.",
548 filename, linenum);
549 value = atoi(arg);
550 if (*intptr == -1)
551 *intptr = value;
552 break;
553
554 case sLoginGraceTime:
555 intptr = &options->login_grace_time;
3c0ef626 556parse_time:
e9702f7d 557 arg = strdelim(&cp);
558 if (!arg || *arg == '\0')
559 fatal("%s line %d: missing time value.",
560 filename, linenum);
561 if ((value = convtime(arg)) == -1)
562 fatal("%s line %d: invalid time value.",
563 filename, linenum);
564 if (*intptr == -1)
565 *intptr = value;
566 break;
567
568 case sKeyRegenerationTime:
569 intptr = &options->key_regeneration_time;
570 goto parse_time;
571
572 case sListenAddress:
573 arg = strdelim(&cp);
dfddba3d 574 if (arg == NULL || *arg == '\0')
575 fatal("%s line %d: missing address",
e9702f7d 576 filename, linenum);
2ce0bfe4 577 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
578 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
579 && strchr(p+1, ':') != NULL) {
580 add_listen_addr(options, arg, 0);
581 break;
582 }
dfddba3d 583 p = hpdelim(&arg);
584 if (p == NULL)
585 fatal("%s line %d: bad address:port usage",
e9702f7d 586 filename, linenum);
dfddba3d 587 p = cleanhostname(p);
588 if (arg == NULL)
589 port = 0;
590 else if ((port = a2port(arg)) == 0)
591 fatal("%s line %d: bad port number", filename, linenum);
592
593 add_listen_addr(options, p, port);
594
595 break;
596
597 case sAddressFamily:
598 arg = strdelim(&cp);
2ce0bfe4 599 if (!arg || *arg == '\0')
600 fatal("%s line %d: missing address family.",
601 filename, linenum);
dfddba3d 602 intptr = &options->address_family;
603 if (options->listen_addrs != NULL)
604 fatal("%s line %d: address family must be specified before "
605 "ListenAddress.", filename, linenum);
606 if (strcasecmp(arg, "inet") == 0)
607 value = AF_INET;
608 else if (strcasecmp(arg, "inet6") == 0)
609 value = AF_INET6;
610 else if (strcasecmp(arg, "any") == 0)
611 value = AF_UNSPEC;
612 else
613 fatal("%s line %d: unsupported address family \"%s\".",
614 filename, linenum, arg);
615 if (*intptr == -1)
616 *intptr = value;
e9702f7d 617 break;
618
619 case sHostKeyFile:
620 intptr = &options->num_host_key_files;
621 if (*intptr >= MAX_HOSTKEYS)
622 fatal("%s line %d: too many host keys specified (max %d).",
623 filename, linenum, MAX_HOSTKEYS);
624 charptr = &options->host_key_files[*intptr];
3c0ef626 625parse_filename:
e9702f7d 626 arg = strdelim(&cp);
627 if (!arg || *arg == '\0')
628 fatal("%s line %d: missing file name.",
629 filename, linenum);
630 if (*charptr == NULL) {
631 *charptr = tilde_expand_filename(arg, getuid());
632 /* increase optional counter */
633 if (intptr != NULL)
634 *intptr = *intptr + 1;
635 }
636 break;
3c0ef626 637
e9702f7d 638 case sPidFile:
639 charptr = &options->pid_file;
640 goto parse_filename;
3c0ef626 641
e9702f7d 642 case sPermitRootLogin:
643 intptr = &options->permit_root_login;
644 arg = strdelim(&cp);
645 if (!arg || *arg == '\0')
646 fatal("%s line %d: missing yes/"
647 "without-password/forced-commands-only/no "
648 "argument.", filename, linenum);
649 value = 0; /* silence compiler */
650 if (strcmp(arg, "without-password") == 0)
651 value = PERMIT_NO_PASSWD;
652 else if (strcmp(arg, "forced-commands-only") == 0)
653 value = PERMIT_FORCED_ONLY;
654 else if (strcmp(arg, "yes") == 0)
655 value = PERMIT_YES;
656 else if (strcmp(arg, "no") == 0)
657 value = PERMIT_NO;
658 else
659 fatal("%s line %d: Bad yes/"
660 "without-password/forced-commands-only/no "
661 "argument: %s", filename, linenum, arg);
662 if (*intptr == -1)
663 *intptr = value;
664 break;
3c0ef626 665
e9702f7d 666 case sIgnoreRhosts:
667 intptr = &options->ignore_rhosts;
668parse_flag:
669 arg = strdelim(&cp);
670 if (!arg || *arg == '\0')
671 fatal("%s line %d: missing yes/no argument.",
672 filename, linenum);
673 value = 0; /* silence compiler */
674 if (strcmp(arg, "yes") == 0)
675 value = 1;
676 else if (strcmp(arg, "no") == 0)
677 value = 0;
678 else
679 fatal("%s line %d: Bad yes/no argument: %s",
680 filename, linenum, arg);
681 if (*intptr == -1)
682 *intptr = value;
683 break;
684
a7213e65 685 case sNoneEnabled:
686 intptr = &options->none_enabled;
687 goto parse_flag;
688
689 case sTcpRcvBufPoll:
690 intptr = &options->tcp_rcv_buf_poll;
691 goto parse_flag;
692
693 case sHPNDisabled:
694 intptr = &options->hpn_disabled;
695 goto parse_flag;
696
697 case sHPNBufferSize:
698 intptr = &options->hpn_buffer_size;
699 goto parse_int;
700
e9702f7d 701 case sIgnoreUserKnownHosts:
702 intptr = &options->ignore_user_known_hosts;
703 goto parse_flag;
704
e9702f7d 705 case sRhostsRSAAuthentication:
706 intptr = &options->rhosts_rsa_authentication;
707 goto parse_flag;
708
709 case sHostbasedAuthentication:
710 intptr = &options->hostbased_authentication;
711 goto parse_flag;
712
713 case sHostbasedUsesNameFromPacketOnly:
714 intptr = &options->hostbased_uses_name_from_packet_only;
715 goto parse_flag;
716
717 case sRSAAuthentication:
718 intptr = &options->rsa_authentication;
719 goto parse_flag;
720
721 case sPubkeyAuthentication:
722 intptr = &options->pubkey_authentication;
723 goto parse_flag;
7cac2b65 724
e9702f7d 725 case sKerberosAuthentication:
726 intptr = &options->kerberos_authentication;
727 goto parse_flag;
3c0ef626 728
e9702f7d 729 case sKerberosOrLocalPasswd:
730 intptr = &options->kerberos_or_local_passwd;
731 goto parse_flag;
3c0ef626 732
e9702f7d 733 case sKerberosTicketCleanup:
734 intptr = &options->kerberos_ticket_cleanup;
735 goto parse_flag;
7cac2b65 736
540d72c3 737 case sKerberosGetAFSToken:
738 intptr = &options->kerberos_get_afs_token;
739 goto parse_flag;
740
7cac2b65 741 case sGssAuthentication:
742 intptr = &options->gss_authentication;
e9702f7d 743 goto parse_flag;
7cac2b65 744
745 case sGssKeyEx:
746 intptr = &options->gss_keyex;
e9702f7d 747 goto parse_flag;
7cac2b65 748
7cac2b65 749 case sGssCleanupCreds:
750 intptr = &options->gss_cleanup_creds;
751 goto parse_flag;
752
826a9049 753 case sGsiAllowLimitedProxy:
754 intptr = &options->gsi_allow_limited_proxy;
755 goto parse_flag;
756
75be3237 757#ifdef SESSION_HOOKS
758 case sAllowSessionHooks:
759 intptr = &options->session_hooks_allow;
760 goto parse_flag;
761 case sSessionHookStartupCmd:
762 case sSessionHookShutdownCmd:
763 arg = strdelim(&cp);
764 if (!arg || *arg == '\0')
765 fatal("%s line %d: empty session hook command",
766 filename, linenum);
767 if (opcode==sSessionHookStartupCmd)
768 options->session_hooks_startup_cmd = strdup(arg);
769 else
770 options->session_hooks_shutdown_cmd = strdup(arg);
771 break;
772#endif
7cac2b65 773
e9702f7d 774 case sPasswordAuthentication:
775 intptr = &options->password_authentication;
776 goto parse_flag;
3c0ef626 777
e9702f7d 778 case sKbdInteractiveAuthentication:
779 intptr = &options->kbd_interactive_authentication;
780 goto parse_flag;
3c0ef626 781
e9702f7d 782 case sChallengeResponseAuthentication:
783 intptr = &options->challenge_response_authentication;
784 goto parse_flag;
3c0ef626 785
e9702f7d 786 case sPrintMotd:
787 intptr = &options->print_motd;
788 goto parse_flag;
3c0ef626 789
e9702f7d 790 case sPrintLastLog:
791 intptr = &options->print_lastlog;
792 goto parse_flag;
3c0ef626 793
e9702f7d 794 case sX11Forwarding:
795 intptr = &options->x11_forwarding;
796 goto parse_flag;
3c0ef626 797
e9702f7d 798 case sX11DisplayOffset:
799 intptr = &options->x11_display_offset;
800 goto parse_int;
3c0ef626 801
e9702f7d 802 case sX11UseLocalhost:
803 intptr = &options->x11_use_localhost;
804 goto parse_flag;
3c0ef626 805
e9702f7d 806 case sXAuthLocation:
807 charptr = &options->xauth_location;
808 goto parse_filename;
3c0ef626 809
e9702f7d 810 case sStrictModes:
811 intptr = &options->strict_modes;
812 goto parse_flag;
3c0ef626 813
540d72c3 814 case sTCPKeepAlive:
815 intptr = &options->tcp_keep_alive;
e9702f7d 816 goto parse_flag;
3c0ef626 817
e9702f7d 818 case sEmptyPasswd:
819 intptr = &options->permit_empty_passwd;
820 goto parse_flag;
821
d03f4262 822 case sPermitUserEnvironment:
823 intptr = &options->permit_user_env;
824 goto parse_flag;
825
e9702f7d 826 case sUseLogin:
827 intptr = &options->use_login;
828 goto parse_flag;
829
44a053a3 830 case sCompression:
831 intptr = &options->compression;
2ce0bfe4 832 arg = strdelim(&cp);
833 if (!arg || *arg == '\0')
834 fatal("%s line %d: missing yes/no/delayed "
835 "argument.", filename, linenum);
836 value = 0; /* silence compiler */
837 if (strcmp(arg, "delayed") == 0)
838 value = COMP_DELAYED;
839 else if (strcmp(arg, "yes") == 0)
840 value = COMP_ZLIB;
841 else if (strcmp(arg, "no") == 0)
842 value = COMP_NONE;
843 else
844 fatal("%s line %d: Bad yes/no/delayed "
845 "argument: %s", filename, linenum, arg);
846 if (*intptr == -1)
847 *intptr = value;
848 break;
44a053a3 849
e9702f7d 850 case sGatewayPorts:
851 intptr = &options->gateway_ports;
dfddba3d 852 arg = strdelim(&cp);
853 if (!arg || *arg == '\0')
854 fatal("%s line %d: missing yes/no/clientspecified "
855 "argument.", filename, linenum);
856 value = 0; /* silence compiler */
857 if (strcmp(arg, "clientspecified") == 0)
858 value = 2;
859 else if (strcmp(arg, "yes") == 0)
860 value = 1;
861 else if (strcmp(arg, "no") == 0)
862 value = 0;
863 else
864 fatal("%s line %d: Bad yes/no/clientspecified "
865 "argument: %s", filename, linenum, arg);
866 if (*intptr == -1)
867 *intptr = value;
868 break;
e9702f7d 869
7cac2b65 870 case sUseDNS:
871 intptr = &options->use_dns;
e9702f7d 872 goto parse_flag;
873
874 case sLogFacility:
875 intptr = (int *) &options->log_facility;
876 arg = strdelim(&cp);
877 value = log_facility_number(arg);
878 if (value == SYSLOG_FACILITY_NOT_SET)
879 fatal("%.200s line %d: unsupported log facility '%s'",
880 filename, linenum, arg ? arg : "<NONE>");
881 if (*intptr == -1)
882 *intptr = (SyslogFacility) value;
883 break;
884
885 case sLogLevel:
886 intptr = (int *) &options->log_level;
887 arg = strdelim(&cp);
888 value = log_level_number(arg);
889 if (value == SYSLOG_LEVEL_NOT_SET)
890 fatal("%.200s line %d: unsupported log level '%s'",
891 filename, linenum, arg ? arg : "<NONE>");
892 if (*intptr == -1)
893 *intptr = (LogLevel) value;
894 break;
895
896 case sAllowTcpForwarding:
897 intptr = &options->allow_tcp_forwarding;
898 goto parse_flag;
899
350391c5 900 case sUsePrivilegeSeparation:
901 intptr = &use_privsep;
902 goto parse_flag;
903
e9702f7d 904 case sAllowUsers:
905 while ((arg = strdelim(&cp)) && *arg != '\0') {
906 if (options->num_allow_users >= MAX_ALLOW_USERS)
907 fatal("%s line %d: too many allow users.",
3c0ef626 908 filename, linenum);
276b07a3 909 options->allow_users[options->num_allow_users++] =
910 xstrdup(arg);
e9702f7d 911 }
912 break;
3c0ef626 913
e9702f7d 914 case sDenyUsers:
915 while ((arg = strdelim(&cp)) && *arg != '\0') {
916 if (options->num_deny_users >= MAX_DENY_USERS)
917 fatal( "%s line %d: too many deny users.",
918 filename, linenum);
276b07a3 919 options->deny_users[options->num_deny_users++] =
920 xstrdup(arg);
e9702f7d 921 }
922 break;
3c0ef626 923
e9702f7d 924 case sAllowGroups:
925 while ((arg = strdelim(&cp)) && *arg != '\0') {
926 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
927 fatal("%s line %d: too many allow groups.",
928 filename, linenum);
276b07a3 929 options->allow_groups[options->num_allow_groups++] =
930 xstrdup(arg);
e9702f7d 931 }
932 break;
933
934 case sDenyGroups:
935 while ((arg = strdelim(&cp)) && *arg != '\0') {
936 if (options->num_deny_groups >= MAX_DENY_GROUPS)
937 fatal("%s line %d: too many deny groups.",
938 filename, linenum);
939 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
3c0ef626 940 }
e9702f7d 941 break;
942
943 case sCiphers:
944 arg = strdelim(&cp);
945 if (!arg || *arg == '\0')
946 fatal("%s line %d: Missing argument.", filename, linenum);
947 if (!ciphers_valid(arg))
948 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
949 filename, linenum, arg ? arg : "<NONE>");
950 if (options->ciphers == NULL)
951 options->ciphers = xstrdup(arg);
952 break;
953
954 case sMacs:
955 arg = strdelim(&cp);
956 if (!arg || *arg == '\0')
957 fatal("%s line %d: Missing argument.", filename, linenum);
958 if (!mac_valid(arg))
959 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
960 filename, linenum, arg ? arg : "<NONE>");
961 if (options->macs == NULL)
962 options->macs = xstrdup(arg);
963 break;
964
965 case sProtocol:
966 intptr = &options->protocol;
967 arg = strdelim(&cp);
968 if (!arg || *arg == '\0')
969 fatal("%s line %d: Missing argument.", filename, linenum);
970 value = proto_spec(arg);
971 if (value == SSH_PROTO_UNKNOWN)
972 fatal("%s line %d: Bad protocol spec '%s'.",
973 filename, linenum, arg ? arg : "<NONE>");
974 if (*intptr == SSH_PROTO_UNKNOWN)
975 *intptr = value;
976 break;
977
978 case sSubsystem:
979 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
980 fatal("%s line %d: too many subsystems defined.",
981 filename, linenum);
982 }
983 arg = strdelim(&cp);
984 if (!arg || *arg == '\0')
985 fatal("%s line %d: Missing subsystem name.",
986 filename, linenum);
987 for (i = 0; i < options->num_subsystems; i++)
988 if (strcmp(arg, options->subsystem_name[i]) == 0)
989 fatal("%s line %d: Subsystem '%s' already defined.",
990 filename, linenum, arg);
991 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
992 arg = strdelim(&cp);
993 if (!arg || *arg == '\0')
994 fatal("%s line %d: Missing subsystem command.",
995 filename, linenum);
996 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
997 options->num_subsystems++;
998 break;
999
1000 case sMaxStartups:
1001 arg = strdelim(&cp);
1002 if (!arg || *arg == '\0')
1003 fatal("%s line %d: Missing MaxStartups spec.",
1004 filename, linenum);
1005 if ((n = sscanf(arg, "%d:%d:%d",
1006 &options->max_startups_begin,
1007 &options->max_startups_rate,
1008 &options->max_startups)) == 3) {
1009 if (options->max_startups_begin >
1010 options->max_startups ||
1011 options->max_startups_rate > 100 ||
1012 options->max_startups_rate < 1)
1013 fatal("%s line %d: Illegal MaxStartups spec.",
1014 filename, linenum);
1015 } else if (n != 1)
1016 fatal("%s line %d: Illegal MaxStartups spec.",
1017 filename, linenum);
1018 else
1019 options->max_startups = options->max_startups_begin;
1020 break;
1021
7e82606e 1022 case sMaxAuthTries:
1023 intptr = &options->max_authtries;
1024 goto parse_int;
1025
e9702f7d 1026 case sBanner:
1027 charptr = &options->banner;
1028 goto parse_filename;
1029 /*
1030 * These options can contain %X options expanded at
1031 * connect time, so that you can specify paths like:
1032 *
1033 * AuthorizedKeysFile /etc/ssh_keys/%u
1034 */
1035 case sAuthorizedKeysFile:
1036 case sAuthorizedKeysFile2:
1037 charptr = (opcode == sAuthorizedKeysFile ) ?
1038 &options->authorized_keys_file :
1039 &options->authorized_keys_file2;
1040 goto parse_filename;
1041
1042 case sClientAliveInterval:
1043 intptr = &options->client_alive_interval;
1044 goto parse_time;
1045
1046 case sClientAliveCountMax:
1047 intptr = &options->client_alive_count_max;
1048 goto parse_int;
1049
7e82606e 1050 case sAcceptEnv:
1051 while ((arg = strdelim(&cp)) && *arg != '\0') {
1052 if (strchr(arg, '=') != NULL)
1053 fatal("%s line %d: Invalid environment name.",
1054 filename, linenum);
1055 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1056 fatal("%s line %d: too many allow env.",
1057 filename, linenum);
1058 options->accept_env[options->num_accept_env++] =
1059 xstrdup(arg);
1060 }
1061 break;
1062
08822d99 1063 case sPermitTunnel:
1064 intptr = &options->permit_tun;
1065 arg = strdelim(&cp);
1066 if (!arg || *arg == '\0')
1067 fatal("%s line %d: Missing yes/point-to-point/"
1068 "ethernet/no argument.", filename, linenum);
1069 value = 0; /* silence compiler */
1070 if (strcasecmp(arg, "ethernet") == 0)
1071 value = SSH_TUNMODE_ETHERNET;
1072 else if (strcasecmp(arg, "point-to-point") == 0)
1073 value = SSH_TUNMODE_POINTOPOINT;
1074 else if (strcasecmp(arg, "yes") == 0)
1075 value = SSH_TUNMODE_YES;
1076 else if (strcasecmp(arg, "no") == 0)
1077 value = SSH_TUNMODE_NO;
1078 else
1079 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1080 "no argument: %s", filename, linenum, arg);
1081 if (*intptr == -1)
1082 *intptr = value;
1083 break;
1084
e9702f7d 1085 case sDeprecated:
7cac2b65 1086 logit("%s line %d: Deprecated option %s",
1087 filename, linenum, arg);
1088 while (arg)
1089 arg = strdelim(&cp);
1090 break;
1091
1092 case sUnsupported:
1093 logit("%s line %d: Unsupported option %s",
e9702f7d 1094 filename, linenum, arg);
1095 while (arg)
1096 arg = strdelim(&cp);
1097 break;
1098
1099 default:
1100 fatal("%s line %d: Missing handler for opcode %s (%d)",
1101 filename, linenum, arg, opcode);
1102 }
1103 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1104 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1105 filename, linenum, arg);
1106 return 0;
1107}
1108
1109/* Reads the server configuration file. */
1110
1111void
7e82606e 1112load_server_config(const char *filename, Buffer *conf)
e9702f7d 1113{
7e82606e 1114 char line[1024], *cp;
276b07a3 1115 FILE *f;
e9702f7d 1116
7e82606e 1117 debug2("%s: filename %s", __func__, filename);
1118 if ((f = fopen(filename, "r")) == NULL) {
e9702f7d 1119 perror(filename);
1120 exit(1);
1121 }
7e82606e 1122 buffer_clear(conf);
e9702f7d 1123 while (fgets(line, sizeof(line), f)) {
7e82606e 1124 /*
1125 * Trim out comments and strip whitespace
1126 * NB - preserve newlines, they are needed to reproduce
1127 * line numbers later for error messages
1128 */
1129 if ((cp = strchr(line, '#')) != NULL)
1130 memcpy(cp, "\n", 2);
1131 cp = line + strspn(line, " \t\r");
1132
1133 buffer_append(conf, cp, strlen(cp));
3c0ef626 1134 }
7e82606e 1135 buffer_append(conf, "\0", 1);
3c0ef626 1136 fclose(f);
7e82606e 1137 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1138}
1139
1140void
1141parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1142{
1143 int linenum, bad_options = 0;
1144 char *cp, *obuf, *cbuf;
1145
1146 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1147
1148 obuf = cbuf = xstrdup(buffer_ptr(conf));
1149 linenum = 1;
8b32eddc 1150 while ((cp = strsep(&cbuf, "\n")) != NULL) {
7e82606e 1151 if (process_server_config_line(options, cp, filename,
1152 linenum++) != 0)
1153 bad_options++;
1154 }
1155 xfree(obuf);
3c0ef626 1156 if (bad_options > 0)
1157 fatal("%s: terminating, %d bad configuration options",
1158 filename, bad_options);
1159}
git-cvsimport mirror of GSI OpenSSH
This page took 0.249138 seconds and 5 git commands to generate.