]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
fix typo on last checkin
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
dfddba3d 13RCSID("$OpenBSD: servconf.c,v 1.139 2005/03/01 10:09:52 djm Exp $");
3c0ef626 14
15#include "ssh.h"
16#include "log.h"
17#include "servconf.h"
18#include "xmalloc.h"
19#include "compat.h"
20#include "pathnames.h"
3c0ef626 21#include "misc.h"
22#include "cipher.h"
23#include "kex.h"
24#include "mac.h"
25
26static void add_listen_addr(ServerOptions *, char *, u_short);
27static void add_one_listen_addr(ServerOptions *, char *, u_short);
28
350391c5 29/* Use of privilege separation or not */
30extern int use_privsep;
3c0ef626 31
32/* Initializes the server options to their default values. */
33
34void
35initialize_server_options(ServerOptions *options)
36{
37 memset(options, 0, sizeof(*options));
38
39 /* Portable-specific options */
7cac2b65 40 options->use_pam = -1;
3c0ef626 41
42 /* Standard Options */
43 options->num_ports = 0;
44 options->ports_from_cmdline = 0;
45 options->listen_addrs = NULL;
dfddba3d 46 options->address_family = -1;
3c0ef626 47 options->num_host_key_files = 0;
48 options->pid_file = NULL;
49 options->server_key_bits = -1;
50 options->login_grace_time = -1;
51 options->key_regeneration_time = -1;
52 options->permit_root_login = PERMIT_NOT_SET;
53 options->ignore_rhosts = -1;
54 options->ignore_user_known_hosts = -1;
55 options->print_motd = -1;
56 options->print_lastlog = -1;
57 options->x11_forwarding = -1;
58 options->x11_display_offset = -1;
e9702f7d 59 options->x11_use_localhost = -1;
3c0ef626 60 options->xauth_location = NULL;
61 options->strict_modes = -1;
540d72c3 62 options->tcp_keep_alive = -1;
e9702f7d 63 options->log_facility = SYSLOG_FACILITY_NOT_SET;
64 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 65 options->rhosts_rsa_authentication = -1;
66 options->hostbased_authentication = -1;
67 options->hostbased_uses_name_from_packet_only = -1;
68 options->rsa_authentication = -1;
69 options->pubkey_authentication = -1;
3c0ef626 70 options->kerberos_authentication = -1;
71 options->kerberos_or_local_passwd = -1;
72 options->kerberos_ticket_cleanup = -1;
75be3237 73#ifdef SESSION_HOOKS
74 options->session_hooks_allow = -1;
75 options->session_hooks_startup_cmd = NULL;
76 options->session_hooks_shutdown_cmd = NULL;
3c0ef626 77#endif
540d72c3 78 options->kerberos_get_afs_token = -1;
7cac2b65 79 options->gss_authentication=-1;
80 options->gss_keyex=-1;
7cac2b65 81 options->gss_cleanup_creds = -1;
3c0ef626 82 options->password_authentication = -1;
83 options->kbd_interactive_authentication = -1;
84 options->challenge_response_authentication = -1;
85 options->permit_empty_passwd = -1;
d03f4262 86 options->permit_user_env = -1;
3c0ef626 87 options->use_login = -1;
44a053a3 88 options->compression = -1;
3c0ef626 89 options->allow_tcp_forwarding = -1;
90 options->num_allow_users = 0;
91 options->num_deny_users = 0;
92 options->num_allow_groups = 0;
93 options->num_deny_groups = 0;
94 options->ciphers = NULL;
95 options->macs = NULL;
96 options->protocol = SSH_PROTO_UNKNOWN;
97 options->gateway_ports = -1;
98 options->num_subsystems = 0;
99 options->max_startups_begin = -1;
100 options->max_startups_rate = -1;
101 options->max_startups = -1;
7e82606e 102 options->max_authtries = -1;
3c0ef626 103 options->banner = NULL;
7cac2b65 104 options->use_dns = -1;
3c0ef626 105 options->client_alive_interval = -1;
106 options->client_alive_count_max = -1;
107 options->authorized_keys_file = NULL;
108 options->authorized_keys_file2 = NULL;
7e82606e 109 options->num_accept_env = 0;
350391c5 110
111 /* Needs to be accessable in many places */
112 use_privsep = -1;
3c0ef626 113}
114
115void
116fill_default_server_options(ServerOptions *options)
117{
118 /* Portable-specific options */
7cac2b65 119 if (options->use_pam == -1)
29d88157 120 options->use_pam = 0;
3c0ef626 121
122 /* Standard Options */
123 if (options->protocol == SSH_PROTO_UNKNOWN)
124 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
125 if (options->num_host_key_files == 0) {
126 /* fill default hostkeys for protocols */
127 if (options->protocol & SSH_PROTO_1)
e9702f7d 128 options->host_key_files[options->num_host_key_files++] =
129 _PATH_HOST_KEY_FILE;
130 if (options->protocol & SSH_PROTO_2) {
131 options->host_key_files[options->num_host_key_files++] =
132 _PATH_HOST_RSA_KEY_FILE;
133 options->host_key_files[options->num_host_key_files++] =
134 _PATH_HOST_DSA_KEY_FILE;
135 }
3c0ef626 136 }
137 if (options->num_ports == 0)
138 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
139 if (options->listen_addrs == NULL)
140 add_listen_addr(options, NULL, 0);
141 if (options->pid_file == NULL)
142 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
143 if (options->server_key_bits == -1)
144 options->server_key_bits = 768;
145 if (options->login_grace_time == -1)
d03f4262 146 options->login_grace_time = 120;
3c0ef626 147 if (options->key_regeneration_time == -1)
148 options->key_regeneration_time = 3600;
149 if (options->permit_root_login == PERMIT_NOT_SET)
150 options->permit_root_login = PERMIT_YES;
151 if (options->ignore_rhosts == -1)
152 options->ignore_rhosts = 1;
153 if (options->ignore_user_known_hosts == -1)
154 options->ignore_user_known_hosts = 0;
155 if (options->print_motd == -1)
156 options->print_motd = 1;
157 if (options->print_lastlog == -1)
158 options->print_lastlog = 1;
159 if (options->x11_forwarding == -1)
160 options->x11_forwarding = 0;
161 if (options->x11_display_offset == -1)
162 options->x11_display_offset = 10;
e9702f7d 163 if (options->x11_use_localhost == -1)
164 options->x11_use_localhost = 1;
3c0ef626 165 if (options->xauth_location == NULL)
166 options->xauth_location = _PATH_XAUTH;
3c0ef626 167 if (options->strict_modes == -1)
168 options->strict_modes = 1;
540d72c3 169 if (options->tcp_keep_alive == -1)
170 options->tcp_keep_alive = 1;
e9702f7d 171 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 172 options->log_facility = SYSLOG_FACILITY_AUTH;
e9702f7d 173 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 174 options->log_level = SYSLOG_LEVEL_INFO;
3c0ef626 175 if (options->rhosts_rsa_authentication == -1)
176 options->rhosts_rsa_authentication = 0;
177 if (options->hostbased_authentication == -1)
178 options->hostbased_authentication = 0;
179 if (options->hostbased_uses_name_from_packet_only == -1)
180 options->hostbased_uses_name_from_packet_only = 0;
181 if (options->rsa_authentication == -1)
182 options->rsa_authentication = 1;
183 if (options->pubkey_authentication == -1)
184 options->pubkey_authentication = 1;
7cac2b65 185 if (options->kerberos_authentication == -1)
186 options->kerberos_authentication = 0;
187 if (options->kerberos_or_local_passwd == -1)
188 options->kerberos_or_local_passwd = 1;
189 if (options->kerberos_ticket_cleanup == -1)
190 options->kerberos_ticket_cleanup = 1;
540d72c3 191 if (options->kerberos_get_afs_token == -1)
192 options->kerberos_get_afs_token = 0;
5598e598 193 if (options->gss_authentication == -1)
194 options->gss_authentication = 1;
195 if (options->gss_keyex == -1)
7cac2b65 196 options->gss_keyex = 1;
5598e598 197 if (options->gss_cleanup_creds == -1)
198 options->gss_cleanup_creds = 1;
3c0ef626 199 if (options->password_authentication == -1)
200 options->password_authentication = 1;
201 if (options->kbd_interactive_authentication == -1)
202 options->kbd_interactive_authentication = 0;
203 if (options->challenge_response_authentication == -1)
204 options->challenge_response_authentication = 1;
205 if (options->permit_empty_passwd == -1)
206 options->permit_empty_passwd = 0;
d03f4262 207 if (options->permit_user_env == -1)
208 options->permit_user_env = 0;
3c0ef626 209 if (options->use_login == -1)
210 options->use_login = 0;
44a053a3 211 if (options->compression == -1)
212 options->compression = 1;
3c0ef626 213 if (options->allow_tcp_forwarding == -1)
214 options->allow_tcp_forwarding = 1;
215 if (options->gateway_ports == -1)
216 options->gateway_ports = 0;
217 if (options->max_startups == -1)
218 options->max_startups = 10;
219 if (options->max_startups_rate == -1)
220 options->max_startups_rate = 100; /* 100% */
221 if (options->max_startups_begin == -1)
222 options->max_startups_begin = options->max_startups;
7e82606e 223 if (options->max_authtries == -1)
224 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
7cac2b65 225 if (options->use_dns == -1)
226 options->use_dns = 1;
3c0ef626 227 if (options->client_alive_interval == -1)
e9702f7d 228 options->client_alive_interval = 0;
3c0ef626 229 if (options->client_alive_count_max == -1)
230 options->client_alive_count_max = 3;
231 if (options->authorized_keys_file2 == NULL) {
232 /* authorized_keys_file2 falls back to authorized_keys_file */
233 if (options->authorized_keys_file != NULL)
234 options->authorized_keys_file2 = options->authorized_keys_file;
235 else
236 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
237 }
238 if (options->authorized_keys_file == NULL)
239 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
350391c5 240
44a053a3 241 /* Turn privilege separation on by default */
350391c5 242 if (use_privsep == -1)
44a053a3 243 use_privsep = 1;
244
d03f4262 245#ifndef HAVE_MMAP
44a053a3 246 if (use_privsep && options->compression == 1) {
247 error("This platform does not support both privilege "
248 "separation and compression");
249 error("Compression disabled");
250 options->compression = 0;
251 }
252#endif
253
3c0ef626 254}
255
256/* Keyword tokens. */
257typedef enum {
258 sBadOption, /* == unknown option */
259 /* Portable-specific options */
7cac2b65 260 sUsePAM,
3c0ef626 261 /* Standard Options */
262 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
263 sPermitRootLogin, sLogFacility, sLogLevel,
7cac2b65 264 sRhostsRSAAuthentication, sRSAAuthentication,
3c0ef626 265 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
540d72c3 266 sKerberosGetAFSToken,
7cac2b65 267 sKerberosTgtPassing, sChallengeResponseAuthentication,
75be3237 268#ifdef SESSION_HOOKS
269 sAllowSessionHooks, sSessionHookStartupCmd, sSessionHookShutdownCmd,
3c0ef626 270#endif
dfddba3d 271 sPasswordAuthentication, sKbdInteractiveAuthentication,
272 sListenAddress, sAddressFamily,
3c0ef626 273 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9702f7d 274 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
540d72c3 275 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
d03f4262 276 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
3c0ef626 277 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
278 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
7e82606e 279 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
280 sMaxStartups, sMaxAuthTries,
7cac2b65 281 sBanner, sUseDNS, sHostbasedAuthentication,
e9702f7d 282 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 283 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
7e82606e 284 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
285 sGssKeyEx,
350391c5 286 sUsePrivilegeSeparation,
7cac2b65 287 sDeprecated, sUnsupported
3c0ef626 288} ServerOpCodes;
289
290/* Textual representation of the tokens. */
291static struct {
292 const char *name;
293 ServerOpCodes opcode;
294} keywords[] = {
295 /* Portable-specific options */
7cac2b65 296#ifdef USE_PAM
297 { "usepam", sUsePAM },
298#else
299 { "usepam", sUnsupported },
300#endif
301 { "pamauthenticationviakbdint", sDeprecated },
3c0ef626 302 /* Standard Options */
303 { "port", sPort },
304 { "hostkey", sHostKeyFile },
305 { "hostdsakey", sHostKeyFile }, /* alias */
306 { "pidfile", sPidFile },
307 { "serverkeybits", sServerKeyBits },
308 { "logingracetime", sLoginGraceTime },
309 { "keyregenerationinterval", sKeyRegenerationTime },
310 { "permitrootlogin", sPermitRootLogin },
311 { "syslogfacility", sLogFacility },
312 { "loglevel", sLogLevel },
7cac2b65 313 { "rhostsauthentication", sDeprecated },
3c0ef626 314 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
315 { "hostbasedauthentication", sHostbasedAuthentication },
316 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
317 { "rsaauthentication", sRSAAuthentication },
318 { "pubkeyauthentication", sPubkeyAuthentication },
319 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
7cac2b65 320#ifdef KRB5
321 { "kerberosauthentication", sKerberosAuthentication },
322 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
323 { "kerberosticketcleanup", sKerberosTicketCleanup },
540d72c3 324#ifdef USE_AFS
325 { "kerberosgetafstoken", sKerberosGetAFSToken },
326#else
327 { "kerberosgetafstoken", sUnsupported },
328#endif
7cac2b65 329#else
330 { "kerberosauthentication", sUnsupported },
331 { "kerberosorlocalpasswd", sUnsupported },
332 { "kerberosticketcleanup", sUnsupported },
540d72c3 333 { "kerberosgetafstoken", sUnsupported },
7cac2b65 334#endif
335 { "kerberostgtpassing", sUnsupported },
336 { "afstokenpassing", sUnsupported },
5598e598 337#ifdef GSSAPI
338 { "gssapiauthentication", sGssAuthentication },
339 { "gssapikeyexchange", sGssKeyEx },
540d72c3 340 { "gssapicleanupcredentials", sGssCleanupCreds },
7cac2b65 341#else
342 { "gssapiauthentication", sUnsupported },
343 { "gssapikeyexchange", sUnsupported },
540d72c3 344 { "gssapicleanupcredentials", sUnsupported },
3c0ef626 345#endif
75be3237 346#ifdef SESSION_HOOKS
347 { "allowsessionhooks", sAllowSessionHooks },
348 { "sessionhookstartupcmd", sSessionHookStartupCmd },
349 { "sessionhookshutdowncmd", sSessionHookShutdownCmd },
350#endif
3c0ef626 351 { "passwordauthentication", sPasswordAuthentication },
352 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
353 { "challengeresponseauthentication", sChallengeResponseAuthentication },
354 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
355 { "checkmail", sDeprecated },
356 { "listenaddress", sListenAddress },
dfddba3d 357 { "addressfamily", sAddressFamily },
3c0ef626 358 { "printmotd", sPrintMotd },
359 { "printlastlog", sPrintLastLog },
360 { "ignorerhosts", sIgnoreRhosts },
361 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
362 { "x11forwarding", sX11Forwarding },
363 { "x11displayoffset", sX11DisplayOffset },
e9702f7d 364 { "x11uselocalhost", sX11UseLocalhost },
3c0ef626 365 { "xauthlocation", sXAuthLocation },
366 { "strictmodes", sStrictModes },
367 { "permitemptypasswords", sEmptyPasswd },
d03f4262 368 { "permituserenvironment", sPermitUserEnvironment },
3c0ef626 369 { "uselogin", sUseLogin },
44a053a3 370 { "compression", sCompression },
540d72c3 371 { "tcpkeepalive", sTCPKeepAlive },
372 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
3c0ef626 373 { "allowtcpforwarding", sAllowTcpForwarding },
374 { "allowusers", sAllowUsers },
375 { "denyusers", sDenyUsers },
376 { "allowgroups", sAllowGroups },
377 { "denygroups", sDenyGroups },
378 { "ciphers", sCiphers },
379 { "macs", sMacs },
380 { "protocol", sProtocol },
381 { "gatewayports", sGatewayPorts },
382 { "subsystem", sSubsystem },
383 { "maxstartups", sMaxStartups },
7e82606e 384 { "maxauthtries", sMaxAuthTries },
3c0ef626 385 { "banner", sBanner },
7cac2b65 386 { "usedns", sUseDNS },
387 { "verifyreversemapping", sDeprecated },
388 { "reversemappingcheck", sDeprecated },
3c0ef626 389 { "clientaliveinterval", sClientAliveInterval },
390 { "clientalivecountmax", sClientAliveCountMax },
391 { "authorizedkeysfile", sAuthorizedKeysFile },
392 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
350391c5 393 { "useprivilegeseparation", sUsePrivilegeSeparation},
7e82606e 394 { "acceptenv", sAcceptEnv },
e9702f7d 395 { NULL, sBadOption }
3c0ef626 396};
397
398/*
399 * Returns the number of the token pointed to by cp or sBadOption.
400 */
401
402static ServerOpCodes
403parse_token(const char *cp, const char *filename,
404 int linenum)
405{
406 u_int i;
407
408 for (i = 0; keywords[i].name; i++)
409 if (strcasecmp(cp, keywords[i].name) == 0)
410 return keywords[i].opcode;
411
412 error("%s: line %d: Bad configuration option: %s",
413 filename, linenum, cp);
414 return sBadOption;
415}
416
417static void
418add_listen_addr(ServerOptions *options, char *addr, u_short port)
419{
420 int i;
421
422 if (options->num_ports == 0)
423 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
dfddba3d 424 if (options->address_family == -1)
425 options->address_family = AF_UNSPEC;
3c0ef626 426 if (port == 0)
427 for (i = 0; i < options->num_ports; i++)
428 add_one_listen_addr(options, addr, options->ports[i]);
429 else
430 add_one_listen_addr(options, addr, port);
431}
432
433static void
434add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
435{
436 struct addrinfo hints, *ai, *aitop;
437 char strport[NI_MAXSERV];
438 int gaierr;
439
440 memset(&hints, 0, sizeof(hints));
dfddba3d 441 hints.ai_family = options->address_family;
3c0ef626 442 hints.ai_socktype = SOCK_STREAM;
443 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
276b07a3 444 snprintf(strport, sizeof strport, "%u", port);
3c0ef626 445 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
446 fatal("bad addr or host: %s (%s)",
447 addr ? addr : "<NULL>",
448 gai_strerror(gaierr));
449 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
450 ;
451 ai->ai_next = options->listen_addrs;
452 options->listen_addrs = aitop;
453}
454
e9702f7d 455int
456process_server_config_line(ServerOptions *options, char *line,
457 const char *filename, int linenum)
3c0ef626 458{
3c0ef626 459 char *cp, **charptr, *arg, *p;
276b07a3 460 int *intptr, value, i, n;
3c0ef626 461 ServerOpCodes opcode;
dfddba3d 462 u_short port;
3c0ef626 463
e9702f7d 464 cp = line;
465 arg = strdelim(&cp);
466 /* Ignore leading whitespace */
467 if (*arg == '\0')
3c0ef626 468 arg = strdelim(&cp);
e9702f7d 469 if (!arg || !*arg || *arg == '#')
470 return 0;
471 intptr = NULL;
472 charptr = NULL;
473 opcode = parse_token(arg, filename, linenum);
474 switch (opcode) {
475 /* Portable-specific options */
7cac2b65 476 case sUsePAM:
477 intptr = &options->use_pam;
e9702f7d 478 goto parse_flag;
3c0ef626 479
e9702f7d 480 /* Standard Options */
481 case sBadOption:
482 return -1;
483 case sPort:
484 /* ignore ports from configfile if cmdline specifies ports */
485 if (options->ports_from_cmdline)
486 return 0;
487 if (options->listen_addrs != NULL)
488 fatal("%s line %d: ports must be specified before "
489 "ListenAddress.", filename, linenum);
490 if (options->num_ports >= MAX_PORTS)
491 fatal("%s line %d: too many ports.",
492 filename, linenum);
493 arg = strdelim(&cp);
494 if (!arg || *arg == '\0')
495 fatal("%s line %d: missing port number.",
496 filename, linenum);
497 options->ports[options->num_ports++] = a2port(arg);
498 if (options->ports[options->num_ports-1] == 0)
499 fatal("%s line %d: Badly formatted port number.",
500 filename, linenum);
501 break;
502
503 case sServerKeyBits:
504 intptr = &options->server_key_bits;
3c0ef626 505parse_int:
e9702f7d 506 arg = strdelim(&cp);
507 if (!arg || *arg == '\0')
508 fatal("%s line %d: missing integer value.",
509 filename, linenum);
510 value = atoi(arg);
511 if (*intptr == -1)
512 *intptr = value;
513 break;
514
515 case sLoginGraceTime:
516 intptr = &options->login_grace_time;
3c0ef626 517parse_time:
e9702f7d 518 arg = strdelim(&cp);
519 if (!arg || *arg == '\0')
520 fatal("%s line %d: missing time value.",
521 filename, linenum);
522 if ((value = convtime(arg)) == -1)
523 fatal("%s line %d: invalid time value.",
524 filename, linenum);
525 if (*intptr == -1)
526 *intptr = value;
527 break;
528
529 case sKeyRegenerationTime:
530 intptr = &options->key_regeneration_time;
531 goto parse_time;
532
533 case sListenAddress:
534 arg = strdelim(&cp);
dfddba3d 535 if (arg == NULL || *arg == '\0')
536 fatal("%s line %d: missing address",
e9702f7d 537 filename, linenum);
dfddba3d 538 p = hpdelim(&arg);
539 if (p == NULL)
540 fatal("%s line %d: bad address:port usage",
e9702f7d 541 filename, linenum);
dfddba3d 542 p = cleanhostname(p);
543 if (arg == NULL)
544 port = 0;
545 else if ((port = a2port(arg)) == 0)
546 fatal("%s line %d: bad port number", filename, linenum);
547
548 add_listen_addr(options, p, port);
549
550 break;
551
552 case sAddressFamily:
553 arg = strdelim(&cp);
554 intptr = &options->address_family;
555 if (options->listen_addrs != NULL)
556 fatal("%s line %d: address family must be specified before "
557 "ListenAddress.", filename, linenum);
558 if (strcasecmp(arg, "inet") == 0)
559 value = AF_INET;
560 else if (strcasecmp(arg, "inet6") == 0)
561 value = AF_INET6;
562 else if (strcasecmp(arg, "any") == 0)
563 value = AF_UNSPEC;
564 else
565 fatal("%s line %d: unsupported address family \"%s\".",
566 filename, linenum, arg);
567 if (*intptr == -1)
568 *intptr = value;
e9702f7d 569 break;
570
571 case sHostKeyFile:
572 intptr = &options->num_host_key_files;
573 if (*intptr >= MAX_HOSTKEYS)
574 fatal("%s line %d: too many host keys specified (max %d).",
575 filename, linenum, MAX_HOSTKEYS);
576 charptr = &options->host_key_files[*intptr];
3c0ef626 577parse_filename:
e9702f7d 578 arg = strdelim(&cp);
579 if (!arg || *arg == '\0')
580 fatal("%s line %d: missing file name.",
581 filename, linenum);
582 if (*charptr == NULL) {
583 *charptr = tilde_expand_filename(arg, getuid());
584 /* increase optional counter */
585 if (intptr != NULL)
586 *intptr = *intptr + 1;
587 }
588 break;
3c0ef626 589
e9702f7d 590 case sPidFile:
591 charptr = &options->pid_file;
592 goto parse_filename;
3c0ef626 593
e9702f7d 594 case sPermitRootLogin:
595 intptr = &options->permit_root_login;
596 arg = strdelim(&cp);
597 if (!arg || *arg == '\0')
598 fatal("%s line %d: missing yes/"
599 "without-password/forced-commands-only/no "
600 "argument.", filename, linenum);
601 value = 0; /* silence compiler */
602 if (strcmp(arg, "without-password") == 0)
603 value = PERMIT_NO_PASSWD;
604 else if (strcmp(arg, "forced-commands-only") == 0)
605 value = PERMIT_FORCED_ONLY;
606 else if (strcmp(arg, "yes") == 0)
607 value = PERMIT_YES;
608 else if (strcmp(arg, "no") == 0)
609 value = PERMIT_NO;
610 else
611 fatal("%s line %d: Bad yes/"
612 "without-password/forced-commands-only/no "
613 "argument: %s", filename, linenum, arg);
614 if (*intptr == -1)
615 *intptr = value;
616 break;
3c0ef626 617
e9702f7d 618 case sIgnoreRhosts:
619 intptr = &options->ignore_rhosts;
620parse_flag:
621 arg = strdelim(&cp);
622 if (!arg || *arg == '\0')
623 fatal("%s line %d: missing yes/no argument.",
624 filename, linenum);
625 value = 0; /* silence compiler */
626 if (strcmp(arg, "yes") == 0)
627 value = 1;
628 else if (strcmp(arg, "no") == 0)
629 value = 0;
630 else
631 fatal("%s line %d: Bad yes/no argument: %s",
632 filename, linenum, arg);
633 if (*intptr == -1)
634 *intptr = value;
635 break;
636
637 case sIgnoreUserKnownHosts:
638 intptr = &options->ignore_user_known_hosts;
639 goto parse_flag;
640
e9702f7d 641 case sRhostsRSAAuthentication:
642 intptr = &options->rhosts_rsa_authentication;
643 goto parse_flag;
644
645 case sHostbasedAuthentication:
646 intptr = &options->hostbased_authentication;
647 goto parse_flag;
648
649 case sHostbasedUsesNameFromPacketOnly:
650 intptr = &options->hostbased_uses_name_from_packet_only;
651 goto parse_flag;
652
653 case sRSAAuthentication:
654 intptr = &options->rsa_authentication;
655 goto parse_flag;
656
657 case sPubkeyAuthentication:
658 intptr = &options->pubkey_authentication;
659 goto parse_flag;
7cac2b65 660
e9702f7d 661 case sKerberosAuthentication:
662 intptr = &options->kerberos_authentication;
663 goto parse_flag;
3c0ef626 664
e9702f7d 665 case sKerberosOrLocalPasswd:
666 intptr = &options->kerberos_or_local_passwd;
667 goto parse_flag;
3c0ef626 668
e9702f7d 669 case sKerberosTicketCleanup:
670 intptr = &options->kerberos_ticket_cleanup;
671 goto parse_flag;
7cac2b65 672
540d72c3 673 case sKerberosGetAFSToken:
674 intptr = &options->kerberos_get_afs_token;
675 goto parse_flag;
676
7cac2b65 677 case sGssAuthentication:
678 intptr = &options->gss_authentication;
e9702f7d 679 goto parse_flag;
7cac2b65 680
681 case sGssKeyEx:
682 intptr = &options->gss_keyex;
e9702f7d 683 goto parse_flag;
7cac2b65 684
7cac2b65 685 case sGssCleanupCreds:
686 intptr = &options->gss_cleanup_creds;
687 goto parse_flag;
688
75be3237 689#ifdef SESSION_HOOKS
690 case sAllowSessionHooks:
691 intptr = &options->session_hooks_allow;
692 goto parse_flag;
693 case sSessionHookStartupCmd:
694 case sSessionHookShutdownCmd:
695 arg = strdelim(&cp);
696 if (!arg || *arg == '\0')
697 fatal("%s line %d: empty session hook command",
698 filename, linenum);
699 if (opcode==sSessionHookStartupCmd)
700 options->session_hooks_startup_cmd = strdup(arg);
701 else
702 options->session_hooks_shutdown_cmd = strdup(arg);
703 break;
704#endif
7cac2b65 705
e9702f7d 706 case sPasswordAuthentication:
707 intptr = &options->password_authentication;
708 goto parse_flag;
3c0ef626 709
e9702f7d 710 case sKbdInteractiveAuthentication:
711 intptr = &options->kbd_interactive_authentication;
712 goto parse_flag;
3c0ef626 713
e9702f7d 714 case sChallengeResponseAuthentication:
715 intptr = &options->challenge_response_authentication;
716 goto parse_flag;
3c0ef626 717
e9702f7d 718 case sPrintMotd:
719 intptr = &options->print_motd;
720 goto parse_flag;
3c0ef626 721
e9702f7d 722 case sPrintLastLog:
723 intptr = &options->print_lastlog;
724 goto parse_flag;
3c0ef626 725
e9702f7d 726 case sX11Forwarding:
727 intptr = &options->x11_forwarding;
728 goto parse_flag;
3c0ef626 729
e9702f7d 730 case sX11DisplayOffset:
731 intptr = &options->x11_display_offset;
732 goto parse_int;
3c0ef626 733
e9702f7d 734 case sX11UseLocalhost:
735 intptr = &options->x11_use_localhost;
736 goto parse_flag;
3c0ef626 737
e9702f7d 738 case sXAuthLocation:
739 charptr = &options->xauth_location;
740 goto parse_filename;
3c0ef626 741
e9702f7d 742 case sStrictModes:
743 intptr = &options->strict_modes;
744 goto parse_flag;
3c0ef626 745
540d72c3 746 case sTCPKeepAlive:
747 intptr = &options->tcp_keep_alive;
e9702f7d 748 goto parse_flag;
3c0ef626 749
e9702f7d 750 case sEmptyPasswd:
751 intptr = &options->permit_empty_passwd;
752 goto parse_flag;
753
d03f4262 754 case sPermitUserEnvironment:
755 intptr = &options->permit_user_env;
756 goto parse_flag;
757
e9702f7d 758 case sUseLogin:
759 intptr = &options->use_login;
760 goto parse_flag;
761
44a053a3 762 case sCompression:
763 intptr = &options->compression;
764 goto parse_flag;
765
e9702f7d 766 case sGatewayPorts:
767 intptr = &options->gateway_ports;
dfddba3d 768 arg = strdelim(&cp);
769 if (!arg || *arg == '\0')
770 fatal("%s line %d: missing yes/no/clientspecified "
771 "argument.", filename, linenum);
772 value = 0; /* silence compiler */
773 if (strcmp(arg, "clientspecified") == 0)
774 value = 2;
775 else if (strcmp(arg, "yes") == 0)
776 value = 1;
777 else if (strcmp(arg, "no") == 0)
778 value = 0;
779 else
780 fatal("%s line %d: Bad yes/no/clientspecified "
781 "argument: %s", filename, linenum, arg);
782 if (*intptr == -1)
783 *intptr = value;
784 break;
e9702f7d 785
7cac2b65 786 case sUseDNS:
787 intptr = &options->use_dns;
e9702f7d 788 goto parse_flag;
789
790 case sLogFacility:
791 intptr = (int *) &options->log_facility;
792 arg = strdelim(&cp);
793 value = log_facility_number(arg);
794 if (value == SYSLOG_FACILITY_NOT_SET)
795 fatal("%.200s line %d: unsupported log facility '%s'",
796 filename, linenum, arg ? arg : "<NONE>");
797 if (*intptr == -1)
798 *intptr = (SyslogFacility) value;
799 break;
800
801 case sLogLevel:
802 intptr = (int *) &options->log_level;
803 arg = strdelim(&cp);
804 value = log_level_number(arg);
805 if (value == SYSLOG_LEVEL_NOT_SET)
806 fatal("%.200s line %d: unsupported log level '%s'",
807 filename, linenum, arg ? arg : "<NONE>");
808 if (*intptr == -1)
809 *intptr = (LogLevel) value;
810 break;
811
812 case sAllowTcpForwarding:
813 intptr = &options->allow_tcp_forwarding;
814 goto parse_flag;
815
350391c5 816 case sUsePrivilegeSeparation:
817 intptr = &use_privsep;
818 goto parse_flag;
819
e9702f7d 820 case sAllowUsers:
821 while ((arg = strdelim(&cp)) && *arg != '\0') {
822 if (options->num_allow_users >= MAX_ALLOW_USERS)
823 fatal("%s line %d: too many allow users.",
3c0ef626 824 filename, linenum);
276b07a3 825 options->allow_users[options->num_allow_users++] =
826 xstrdup(arg);
e9702f7d 827 }
828 break;
3c0ef626 829
e9702f7d 830 case sDenyUsers:
831 while ((arg = strdelim(&cp)) && *arg != '\0') {
832 if (options->num_deny_users >= MAX_DENY_USERS)
833 fatal( "%s line %d: too many deny users.",
834 filename, linenum);
276b07a3 835 options->deny_users[options->num_deny_users++] =
836 xstrdup(arg);
e9702f7d 837 }
838 break;
3c0ef626 839
e9702f7d 840 case sAllowGroups:
841 while ((arg = strdelim(&cp)) && *arg != '\0') {
842 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
843 fatal("%s line %d: too many allow groups.",
844 filename, linenum);
276b07a3 845 options->allow_groups[options->num_allow_groups++] =
846 xstrdup(arg);
e9702f7d 847 }
848 break;
849
850 case sDenyGroups:
851 while ((arg = strdelim(&cp)) && *arg != '\0') {
852 if (options->num_deny_groups >= MAX_DENY_GROUPS)
853 fatal("%s line %d: too many deny groups.",
854 filename, linenum);
855 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
3c0ef626 856 }
e9702f7d 857 break;
858
859 case sCiphers:
860 arg = strdelim(&cp);
861 if (!arg || *arg == '\0')
862 fatal("%s line %d: Missing argument.", filename, linenum);
863 if (!ciphers_valid(arg))
864 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
865 filename, linenum, arg ? arg : "<NONE>");
866 if (options->ciphers == NULL)
867 options->ciphers = xstrdup(arg);
868 break;
869
870 case sMacs:
871 arg = strdelim(&cp);
872 if (!arg || *arg == '\0')
873 fatal("%s line %d: Missing argument.", filename, linenum);
874 if (!mac_valid(arg))
875 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
876 filename, linenum, arg ? arg : "<NONE>");
877 if (options->macs == NULL)
878 options->macs = xstrdup(arg);
879 break;
880
881 case sProtocol:
882 intptr = &options->protocol;
883 arg = strdelim(&cp);
884 if (!arg || *arg == '\0')
885 fatal("%s line %d: Missing argument.", filename, linenum);
886 value = proto_spec(arg);
887 if (value == SSH_PROTO_UNKNOWN)
888 fatal("%s line %d: Bad protocol spec '%s'.",
889 filename, linenum, arg ? arg : "<NONE>");
890 if (*intptr == SSH_PROTO_UNKNOWN)
891 *intptr = value;
892 break;
893
894 case sSubsystem:
895 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
896 fatal("%s line %d: too many subsystems defined.",
897 filename, linenum);
898 }
899 arg = strdelim(&cp);
900 if (!arg || *arg == '\0')
901 fatal("%s line %d: Missing subsystem name.",
902 filename, linenum);
903 for (i = 0; i < options->num_subsystems; i++)
904 if (strcmp(arg, options->subsystem_name[i]) == 0)
905 fatal("%s line %d: Subsystem '%s' already defined.",
906 filename, linenum, arg);
907 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
908 arg = strdelim(&cp);
909 if (!arg || *arg == '\0')
910 fatal("%s line %d: Missing subsystem command.",
911 filename, linenum);
912 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
913 options->num_subsystems++;
914 break;
915
916 case sMaxStartups:
917 arg = strdelim(&cp);
918 if (!arg || *arg == '\0')
919 fatal("%s line %d: Missing MaxStartups spec.",
920 filename, linenum);
921 if ((n = sscanf(arg, "%d:%d:%d",
922 &options->max_startups_begin,
923 &options->max_startups_rate,
924 &options->max_startups)) == 3) {
925 if (options->max_startups_begin >
926 options->max_startups ||
927 options->max_startups_rate > 100 ||
928 options->max_startups_rate < 1)
929 fatal("%s line %d: Illegal MaxStartups spec.",
930 filename, linenum);
931 } else if (n != 1)
932 fatal("%s line %d: Illegal MaxStartups spec.",
933 filename, linenum);
934 else
935 options->max_startups = options->max_startups_begin;
936 break;
937
7e82606e 938 case sMaxAuthTries:
939 intptr = &options->max_authtries;
940 goto parse_int;
941
e9702f7d 942 case sBanner:
943 charptr = &options->banner;
944 goto parse_filename;
945 /*
946 * These options can contain %X options expanded at
947 * connect time, so that you can specify paths like:
948 *
949 * AuthorizedKeysFile /etc/ssh_keys/%u
950 */
951 case sAuthorizedKeysFile:
952 case sAuthorizedKeysFile2:
953 charptr = (opcode == sAuthorizedKeysFile ) ?
954 &options->authorized_keys_file :
955 &options->authorized_keys_file2;
956 goto parse_filename;
957
958 case sClientAliveInterval:
959 intptr = &options->client_alive_interval;
960 goto parse_time;
961
962 case sClientAliveCountMax:
963 intptr = &options->client_alive_count_max;
964 goto parse_int;
965
7e82606e 966 case sAcceptEnv:
967 while ((arg = strdelim(&cp)) && *arg != '\0') {
968 if (strchr(arg, '=') != NULL)
969 fatal("%s line %d: Invalid environment name.",
970 filename, linenum);
971 if (options->num_accept_env >= MAX_ACCEPT_ENV)
972 fatal("%s line %d: too many allow env.",
973 filename, linenum);
974 options->accept_env[options->num_accept_env++] =
975 xstrdup(arg);
976 }
977 break;
978
e9702f7d 979 case sDeprecated:
7cac2b65 980 logit("%s line %d: Deprecated option %s",
981 filename, linenum, arg);
982 while (arg)
983 arg = strdelim(&cp);
984 break;
985
986 case sUnsupported:
987 logit("%s line %d: Unsupported option %s",
e9702f7d 988 filename, linenum, arg);
989 while (arg)
990 arg = strdelim(&cp);
991 break;
992
993 default:
994 fatal("%s line %d: Missing handler for opcode %s (%d)",
995 filename, linenum, arg, opcode);
996 }
997 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
998 fatal("%s line %d: garbage at end of line; \"%.200s\".",
999 filename, linenum, arg);
1000 return 0;
1001}
1002
1003/* Reads the server configuration file. */
1004
1005void
7e82606e 1006load_server_config(const char *filename, Buffer *conf)
e9702f7d 1007{
7e82606e 1008 char line[1024], *cp;
276b07a3 1009 FILE *f;
e9702f7d 1010
7e82606e 1011 debug2("%s: filename %s", __func__, filename);
1012 if ((f = fopen(filename, "r")) == NULL) {
e9702f7d 1013 perror(filename);
1014 exit(1);
1015 }
7e82606e 1016 buffer_clear(conf);
e9702f7d 1017 while (fgets(line, sizeof(line), f)) {
7e82606e 1018 /*
1019 * Trim out comments and strip whitespace
1020 * NB - preserve newlines, they are needed to reproduce
1021 * line numbers later for error messages
1022 */
1023 if ((cp = strchr(line, '#')) != NULL)
1024 memcpy(cp, "\n", 2);
1025 cp = line + strspn(line, " \t\r");
1026
1027 buffer_append(conf, cp, strlen(cp));
3c0ef626 1028 }
7e82606e 1029 buffer_append(conf, "\0", 1);
3c0ef626 1030 fclose(f);
7e82606e 1031 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1032}
1033
1034void
1035parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1036{
1037 int linenum, bad_options = 0;
1038 char *cp, *obuf, *cbuf;
1039
1040 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1041
1042 obuf = cbuf = xstrdup(buffer_ptr(conf));
1043 linenum = 1;
1044 while((cp = strsep(&cbuf, "\n")) != NULL) {
1045 if (process_server_config_line(options, cp, filename,
1046 linenum++) != 0)
1047 bad_options++;
1048 }
1049 xfree(obuf);
3c0ef626 1050 if (bad_options > 0)
1051 fatal("%s: terminating, %d bad configuration options",
1052 filename, bad_options);
1053}
git-cvsimport mirror of GSI OpenSSH
This page took 0.231988 seconds and 5 git commands to generate.