]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
shouldn't have been committed to OPENSSH_PORTABLE_DIST branch
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
665a873d 13RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $");
3c0ef626 14
15#include "ssh.h"
16#include "log.h"
17#include "servconf.h"
18#include "xmalloc.h"
19#include "compat.h"
20#include "pathnames.h"
3c0ef626 21#include "misc.h"
22#include "cipher.h"
23#include "kex.h"
24#include "mac.h"
25
26static void add_listen_addr(ServerOptions *, char *, u_short);
27static void add_one_listen_addr(ServerOptions *, char *, u_short);
28
700318f3 29/* Use of privilege separation or not */
30extern int use_privsep;
3c0ef626 31
32/* Initializes the server options to their default values. */
33
34void
35initialize_server_options(ServerOptions *options)
36{
37 memset(options, 0, sizeof(*options));
38
39 /* Portable-specific options */
0fff78ff 40 options->use_pam = -1;
3c0ef626 41
42 /* Standard Options */
43 options->num_ports = 0;
44 options->ports_from_cmdline = 0;
45 options->listen_addrs = NULL;
996d5e62 46 options->address_family = -1;
3c0ef626 47 options->num_host_key_files = 0;
48 options->pid_file = NULL;
49 options->server_key_bits = -1;
50 options->login_grace_time = -1;
51 options->key_regeneration_time = -1;
52 options->permit_root_login = PERMIT_NOT_SET;
53 options->ignore_rhosts = -1;
54 options->ignore_user_known_hosts = -1;
55 options->print_motd = -1;
56 options->print_lastlog = -1;
57 options->x11_forwarding = -1;
58 options->x11_display_offset = -1;
e9a17296 59 options->x11_use_localhost = -1;
3c0ef626 60 options->xauth_location = NULL;
61 options->strict_modes = -1;
cdd66111 62 options->tcp_keep_alive = -1;
e9a17296 63 options->log_facility = SYSLOG_FACILITY_NOT_SET;
64 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 65 options->rhosts_rsa_authentication = -1;
66 options->hostbased_authentication = -1;
67 options->hostbased_uses_name_from_packet_only = -1;
68 options->rsa_authentication = -1;
69 options->pubkey_authentication = -1;
3c0ef626 70 options->kerberos_authentication = -1;
71 options->kerberos_or_local_passwd = -1;
72 options->kerberos_ticket_cleanup = -1;
cdd66111 73 options->kerberos_get_afs_token = -1;
0fff78ff 74 options->gss_authentication=-1;
75 options->gss_cleanup_creds = -1;
3c0ef626 76 options->password_authentication = -1;
77 options->kbd_interactive_authentication = -1;
78 options->challenge_response_authentication = -1;
79 options->permit_empty_passwd = -1;
41b2f314 80 options->permit_user_env = -1;
3c0ef626 81 options->use_login = -1;
f5799ae1 82 options->compression = -1;
3c0ef626 83 options->allow_tcp_forwarding = -1;
84 options->num_allow_users = 0;
85 options->num_deny_users = 0;
86 options->num_allow_groups = 0;
87 options->num_deny_groups = 0;
88 options->ciphers = NULL;
89 options->macs = NULL;
90 options->protocol = SSH_PROTO_UNKNOWN;
91 options->gateway_ports = -1;
92 options->num_subsystems = 0;
93 options->max_startups_begin = -1;
94 options->max_startups_rate = -1;
95 options->max_startups = -1;
c9f39d2c 96 options->max_authtries = -1;
3c0ef626 97 options->banner = NULL;
0fff78ff 98 options->use_dns = -1;
3c0ef626 99 options->client_alive_interval = -1;
100 options->client_alive_count_max = -1;
101 options->authorized_keys_file = NULL;
102 options->authorized_keys_file2 = NULL;
c9f39d2c 103 options->num_accept_env = 0;
700318f3 104
105 /* Needs to be accessable in many places */
106 use_privsep = -1;
3c0ef626 107}
108
109void
110fill_default_server_options(ServerOptions *options)
111{
112 /* Portable-specific options */
0fff78ff 113 if (options->use_pam == -1)
acc3d05e 114 options->use_pam = 0;
3c0ef626 115
116 /* Standard Options */
117 if (options->protocol == SSH_PROTO_UNKNOWN)
118 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
119 if (options->num_host_key_files == 0) {
120 /* fill default hostkeys for protocols */
121 if (options->protocol & SSH_PROTO_1)
e9a17296 122 options->host_key_files[options->num_host_key_files++] =
123 _PATH_HOST_KEY_FILE;
124 if (options->protocol & SSH_PROTO_2) {
125 options->host_key_files[options->num_host_key_files++] =
126 _PATH_HOST_RSA_KEY_FILE;
127 options->host_key_files[options->num_host_key_files++] =
128 _PATH_HOST_DSA_KEY_FILE;
129 }
3c0ef626 130 }
131 if (options->num_ports == 0)
132 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
133 if (options->listen_addrs == NULL)
134 add_listen_addr(options, NULL, 0);
135 if (options->pid_file == NULL)
136 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
137 if (options->server_key_bits == -1)
138 options->server_key_bits = 768;
139 if (options->login_grace_time == -1)
41b2f314 140 options->login_grace_time = 120;
3c0ef626 141 if (options->key_regeneration_time == -1)
142 options->key_regeneration_time = 3600;
143 if (options->permit_root_login == PERMIT_NOT_SET)
144 options->permit_root_login = PERMIT_YES;
145 if (options->ignore_rhosts == -1)
146 options->ignore_rhosts = 1;
147 if (options->ignore_user_known_hosts == -1)
148 options->ignore_user_known_hosts = 0;
149 if (options->print_motd == -1)
150 options->print_motd = 1;
151 if (options->print_lastlog == -1)
152 options->print_lastlog = 1;
153 if (options->x11_forwarding == -1)
154 options->x11_forwarding = 0;
155 if (options->x11_display_offset == -1)
156 options->x11_display_offset = 10;
e9a17296 157 if (options->x11_use_localhost == -1)
158 options->x11_use_localhost = 1;
3c0ef626 159 if (options->xauth_location == NULL)
160 options->xauth_location = _PATH_XAUTH;
3c0ef626 161 if (options->strict_modes == -1)
162 options->strict_modes = 1;
cdd66111 163 if (options->tcp_keep_alive == -1)
164 options->tcp_keep_alive = 1;
e9a17296 165 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 166 options->log_facility = SYSLOG_FACILITY_AUTH;
e9a17296 167 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 168 options->log_level = SYSLOG_LEVEL_INFO;
3c0ef626 169 if (options->rhosts_rsa_authentication == -1)
170 options->rhosts_rsa_authentication = 0;
171 if (options->hostbased_authentication == -1)
172 options->hostbased_authentication = 0;
173 if (options->hostbased_uses_name_from_packet_only == -1)
174 options->hostbased_uses_name_from_packet_only = 0;
175 if (options->rsa_authentication == -1)
176 options->rsa_authentication = 1;
177 if (options->pubkey_authentication == -1)
178 options->pubkey_authentication = 1;
3c0ef626 179 if (options->kerberos_authentication == -1)
700318f3 180 options->kerberos_authentication = 0;
3c0ef626 181 if (options->kerberos_or_local_passwd == -1)
182 options->kerberos_or_local_passwd = 1;
183 if (options->kerberos_ticket_cleanup == -1)
184 options->kerberos_ticket_cleanup = 1;
cdd66111 185 if (options->kerberos_get_afs_token == -1)
186 options->kerberos_get_afs_token = 0;
0fff78ff 187 if (options->gss_authentication == -1)
188 options->gss_authentication = 0;
189 if (options->gss_cleanup_creds == -1)
190 options->gss_cleanup_creds = 1;
3c0ef626 191 if (options->password_authentication == -1)
192 options->password_authentication = 1;
193 if (options->kbd_interactive_authentication == -1)
194 options->kbd_interactive_authentication = 0;
195 if (options->challenge_response_authentication == -1)
196 options->challenge_response_authentication = 1;
197 if (options->permit_empty_passwd == -1)
198 options->permit_empty_passwd = 0;
41b2f314 199 if (options->permit_user_env == -1)
200 options->permit_user_env = 0;
3c0ef626 201 if (options->use_login == -1)
202 options->use_login = 0;
f5799ae1 203 if (options->compression == -1)
665a873d 204 options->compression = COMP_DELAYED;
3c0ef626 205 if (options->allow_tcp_forwarding == -1)
206 options->allow_tcp_forwarding = 1;
207 if (options->gateway_ports == -1)
208 options->gateway_ports = 0;
209 if (options->max_startups == -1)
210 options->max_startups = 10;
211 if (options->max_startups_rate == -1)
212 options->max_startups_rate = 100; /* 100% */
213 if (options->max_startups_begin == -1)
214 options->max_startups_begin = options->max_startups;
c9f39d2c 215 if (options->max_authtries == -1)
216 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
0fff78ff 217 if (options->use_dns == -1)
218 options->use_dns = 1;
3c0ef626 219 if (options->client_alive_interval == -1)
e9a17296 220 options->client_alive_interval = 0;
3c0ef626 221 if (options->client_alive_count_max == -1)
222 options->client_alive_count_max = 3;
223 if (options->authorized_keys_file2 == NULL) {
224 /* authorized_keys_file2 falls back to authorized_keys_file */
225 if (options->authorized_keys_file != NULL)
226 options->authorized_keys_file2 = options->authorized_keys_file;
227 else
228 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
229 }
230 if (options->authorized_keys_file == NULL)
231 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
700318f3 232
f5799ae1 233 /* Turn privilege separation on by default */
700318f3 234 if (use_privsep == -1)
f5799ae1 235 use_privsep = 1;
236
41b2f314 237#ifndef HAVE_MMAP
f5799ae1 238 if (use_privsep && options->compression == 1) {
239 error("This platform does not support both privilege "
240 "separation and compression");
241 error("Compression disabled");
242 options->compression = 0;
243 }
244#endif
245
3c0ef626 246}
247
248/* Keyword tokens. */
249typedef enum {
250 sBadOption, /* == unknown option */
251 /* Portable-specific options */
0fff78ff 252 sUsePAM,
3c0ef626 253 /* Standard Options */
254 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
255 sPermitRootLogin, sLogFacility, sLogLevel,
0fff78ff 256 sRhostsRSAAuthentication, sRSAAuthentication,
3c0ef626 257 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
cdd66111 258 sKerberosGetAFSToken,
0fff78ff 259 sKerberosTgtPassing, sChallengeResponseAuthentication,
996d5e62 260 sPasswordAuthentication, sKbdInteractiveAuthentication,
261 sListenAddress, sAddressFamily,
3c0ef626 262 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9a17296 263 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
cdd66111 264 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
41b2f314 265 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
3c0ef626 266 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
267 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
c9f39d2c 268 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
269 sMaxStartups, sMaxAuthTries,
0fff78ff 270 sBanner, sUseDNS, sHostbasedAuthentication,
e9a17296 271 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 272 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
c9f39d2c 273 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
700318f3 274 sUsePrivilegeSeparation,
0fff78ff 275 sDeprecated, sUnsupported
3c0ef626 276} ServerOpCodes;
277
278/* Textual representation of the tokens. */
279static struct {
280 const char *name;
281 ServerOpCodes opcode;
282} keywords[] = {
283 /* Portable-specific options */
0fff78ff 284#ifdef USE_PAM
285 { "usepam", sUsePAM },
286#else
287 { "usepam", sUnsupported },
288#endif
289 { "pamauthenticationviakbdint", sDeprecated },
3c0ef626 290 /* Standard Options */
291 { "port", sPort },
292 { "hostkey", sHostKeyFile },
293 { "hostdsakey", sHostKeyFile }, /* alias */
294 { "pidfile", sPidFile },
295 { "serverkeybits", sServerKeyBits },
296 { "logingracetime", sLoginGraceTime },
297 { "keyregenerationinterval", sKeyRegenerationTime },
298 { "permitrootlogin", sPermitRootLogin },
299 { "syslogfacility", sLogFacility },
300 { "loglevel", sLogLevel },
0fff78ff 301 { "rhostsauthentication", sDeprecated },
3c0ef626 302 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
303 { "hostbasedauthentication", sHostbasedAuthentication },
304 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
305 { "rsaauthentication", sRSAAuthentication },
306 { "pubkeyauthentication", sPubkeyAuthentication },
307 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
0fff78ff 308#ifdef KRB5
3c0ef626 309 { "kerberosauthentication", sKerberosAuthentication },
310 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
311 { "kerberosticketcleanup", sKerberosTicketCleanup },
cdd66111 312#ifdef USE_AFS
313 { "kerberosgetafstoken", sKerberosGetAFSToken },
314#else
315 { "kerberosgetafstoken", sUnsupported },
316#endif
0fff78ff 317#else
318 { "kerberosauthentication", sUnsupported },
319 { "kerberosorlocalpasswd", sUnsupported },
320 { "kerberosticketcleanup", sUnsupported },
cdd66111 321 { "kerberosgetafstoken", sUnsupported },
3c0ef626 322#endif
0fff78ff 323 { "kerberostgtpassing", sUnsupported },
324 { "afstokenpassing", sUnsupported },
325#ifdef GSSAPI
326 { "gssapiauthentication", sGssAuthentication },
cdd66111 327 { "gssapicleanupcredentials", sGssCleanupCreds },
0fff78ff 328#else
329 { "gssapiauthentication", sUnsupported },
cdd66111 330 { "gssapicleanupcredentials", sUnsupported },
3c0ef626 331#endif
332 { "passwordauthentication", sPasswordAuthentication },
333 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
334 { "challengeresponseauthentication", sChallengeResponseAuthentication },
335 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
336 { "checkmail", sDeprecated },
337 { "listenaddress", sListenAddress },
996d5e62 338 { "addressfamily", sAddressFamily },
3c0ef626 339 { "printmotd", sPrintMotd },
340 { "printlastlog", sPrintLastLog },
341 { "ignorerhosts", sIgnoreRhosts },
342 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
343 { "x11forwarding", sX11Forwarding },
344 { "x11displayoffset", sX11DisplayOffset },
e9a17296 345 { "x11uselocalhost", sX11UseLocalhost },
3c0ef626 346 { "xauthlocation", sXAuthLocation },
347 { "strictmodes", sStrictModes },
348 { "permitemptypasswords", sEmptyPasswd },
41b2f314 349 { "permituserenvironment", sPermitUserEnvironment },
3c0ef626 350 { "uselogin", sUseLogin },
f5799ae1 351 { "compression", sCompression },
cdd66111 352 { "tcpkeepalive", sTCPKeepAlive },
353 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
3c0ef626 354 { "allowtcpforwarding", sAllowTcpForwarding },
355 { "allowusers", sAllowUsers },
356 { "denyusers", sDenyUsers },
357 { "allowgroups", sAllowGroups },
358 { "denygroups", sDenyGroups },
359 { "ciphers", sCiphers },
360 { "macs", sMacs },
361 { "protocol", sProtocol },
362 { "gatewayports", sGatewayPorts },
363 { "subsystem", sSubsystem },
364 { "maxstartups", sMaxStartups },
c9f39d2c 365 { "maxauthtries", sMaxAuthTries },
3c0ef626 366 { "banner", sBanner },
0fff78ff 367 { "usedns", sUseDNS },
368 { "verifyreversemapping", sDeprecated },
369 { "reversemappingcheck", sDeprecated },
3c0ef626 370 { "clientaliveinterval", sClientAliveInterval },
371 { "clientalivecountmax", sClientAliveCountMax },
372 { "authorizedkeysfile", sAuthorizedKeysFile },
373 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
700318f3 374 { "useprivilegeseparation", sUsePrivilegeSeparation},
c9f39d2c 375 { "acceptenv", sAcceptEnv },
e9a17296 376 { NULL, sBadOption }
3c0ef626 377};
378
379/*
380 * Returns the number of the token pointed to by cp or sBadOption.
381 */
382
383static ServerOpCodes
384parse_token(const char *cp, const char *filename,
385 int linenum)
386{
387 u_int i;
388
389 for (i = 0; keywords[i].name; i++)
390 if (strcasecmp(cp, keywords[i].name) == 0)
391 return keywords[i].opcode;
392
393 error("%s: line %d: Bad configuration option: %s",
394 filename, linenum, cp);
395 return sBadOption;
396}
397
398static void
399add_listen_addr(ServerOptions *options, char *addr, u_short port)
400{
665a873d 401 u_int i;
3c0ef626 402
403 if (options->num_ports == 0)
404 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
996d5e62 405 if (options->address_family == -1)
406 options->address_family = AF_UNSPEC;
3c0ef626 407 if (port == 0)
408 for (i = 0; i < options->num_ports; i++)
409 add_one_listen_addr(options, addr, options->ports[i]);
410 else
411 add_one_listen_addr(options, addr, port);
412}
413
414static void
415add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
416{
417 struct addrinfo hints, *ai, *aitop;
418 char strport[NI_MAXSERV];
419 int gaierr;
420
421 memset(&hints, 0, sizeof(hints));
996d5e62 422 hints.ai_family = options->address_family;
3c0ef626 423 hints.ai_socktype = SOCK_STREAM;
424 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
680cee3b 425 snprintf(strport, sizeof strport, "%u", port);
3c0ef626 426 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
427 fatal("bad addr or host: %s (%s)",
428 addr ? addr : "<NULL>",
429 gai_strerror(gaierr));
430 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
431 ;
432 ai->ai_next = options->listen_addrs;
433 options->listen_addrs = aitop;
434}
435
e9a17296 436int
437process_server_config_line(ServerOptions *options, char *line,
438 const char *filename, int linenum)
3c0ef626 439{
3c0ef626 440 char *cp, **charptr, *arg, *p;
665a873d 441 int *intptr, value, n;
3c0ef626 442 ServerOpCodes opcode;
996d5e62 443 u_short port;
665a873d 444 u_int i;
3c0ef626 445
e9a17296 446 cp = line;
447 arg = strdelim(&cp);
448 /* Ignore leading whitespace */
449 if (*arg == '\0')
3c0ef626 450 arg = strdelim(&cp);
e9a17296 451 if (!arg || !*arg || *arg == '#')
452 return 0;
453 intptr = NULL;
454 charptr = NULL;
455 opcode = parse_token(arg, filename, linenum);
456 switch (opcode) {
457 /* Portable-specific options */
0fff78ff 458 case sUsePAM:
459 intptr = &options->use_pam;
e9a17296 460 goto parse_flag;
3c0ef626 461
e9a17296 462 /* Standard Options */
463 case sBadOption:
464 return -1;
465 case sPort:
466 /* ignore ports from configfile if cmdline specifies ports */
467 if (options->ports_from_cmdline)
468 return 0;
469 if (options->listen_addrs != NULL)
470 fatal("%s line %d: ports must be specified before "
471 "ListenAddress.", filename, linenum);
472 if (options->num_ports >= MAX_PORTS)
473 fatal("%s line %d: too many ports.",
474 filename, linenum);
475 arg = strdelim(&cp);
476 if (!arg || *arg == '\0')
477 fatal("%s line %d: missing port number.",
478 filename, linenum);
479 options->ports[options->num_ports++] = a2port(arg);
480 if (options->ports[options->num_ports-1] == 0)
481 fatal("%s line %d: Badly formatted port number.",
482 filename, linenum);
483 break;
484
485 case sServerKeyBits:
486 intptr = &options->server_key_bits;
3c0ef626 487parse_int:
e9a17296 488 arg = strdelim(&cp);
489 if (!arg || *arg == '\0')
490 fatal("%s line %d: missing integer value.",
491 filename, linenum);
492 value = atoi(arg);
493 if (*intptr == -1)
494 *intptr = value;
495 break;
496
497 case sLoginGraceTime:
498 intptr = &options->login_grace_time;
3c0ef626 499parse_time:
e9a17296 500 arg = strdelim(&cp);
501 if (!arg || *arg == '\0')
502 fatal("%s line %d: missing time value.",
503 filename, linenum);
504 if ((value = convtime(arg)) == -1)
505 fatal("%s line %d: invalid time value.",
506 filename, linenum);
507 if (*intptr == -1)
508 *intptr = value;
509 break;
510
511 case sKeyRegenerationTime:
512 intptr = &options->key_regeneration_time;
513 goto parse_time;
514
515 case sListenAddress:
516 arg = strdelim(&cp);
996d5e62 517 if (arg == NULL || *arg == '\0')
518 fatal("%s line %d: missing address",
e9a17296 519 filename, linenum);
665a873d 520 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
521 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
522 && strchr(p+1, ':') != NULL) {
523 add_listen_addr(options, arg, 0);
524 break;
525 }
996d5e62 526 p = hpdelim(&arg);
527 if (p == NULL)
528 fatal("%s line %d: bad address:port usage",
e9a17296 529 filename, linenum);
996d5e62 530 p = cleanhostname(p);
531 if (arg == NULL)
532 port = 0;
533 else if ((port = a2port(arg)) == 0)
534 fatal("%s line %d: bad port number", filename, linenum);
535
536 add_listen_addr(options, p, port);
537
538 break;
539
540 case sAddressFamily:
541 arg = strdelim(&cp);
665a873d 542 if (!arg || *arg == '\0')
543 fatal("%s line %d: missing address family.",
544 filename, linenum);
996d5e62 545 intptr = &options->address_family;
546 if (options->listen_addrs != NULL)
547 fatal("%s line %d: address family must be specified before "
548 "ListenAddress.", filename, linenum);
549 if (strcasecmp(arg, "inet") == 0)
550 value = AF_INET;
551 else if (strcasecmp(arg, "inet6") == 0)
552 value = AF_INET6;
553 else if (strcasecmp(arg, "any") == 0)
554 value = AF_UNSPEC;
555 else
556 fatal("%s line %d: unsupported address family \"%s\".",
557 filename, linenum, arg);
558 if (*intptr == -1)
559 *intptr = value;
e9a17296 560 break;
561
562 case sHostKeyFile:
563 intptr = &options->num_host_key_files;
564 if (*intptr >= MAX_HOSTKEYS)
565 fatal("%s line %d: too many host keys specified (max %d).",
566 filename, linenum, MAX_HOSTKEYS);
567 charptr = &options->host_key_files[*intptr];
3c0ef626 568parse_filename:
e9a17296 569 arg = strdelim(&cp);
570 if (!arg || *arg == '\0')
571 fatal("%s line %d: missing file name.",
572 filename, linenum);
573 if (*charptr == NULL) {
574 *charptr = tilde_expand_filename(arg, getuid());
575 /* increase optional counter */
576 if (intptr != NULL)
577 *intptr = *intptr + 1;
578 }
579 break;
3c0ef626 580
e9a17296 581 case sPidFile:
582 charptr = &options->pid_file;
583 goto parse_filename;
3c0ef626 584
e9a17296 585 case sPermitRootLogin:
586 intptr = &options->permit_root_login;
587 arg = strdelim(&cp);
588 if (!arg || *arg == '\0')
589 fatal("%s line %d: missing yes/"
590 "without-password/forced-commands-only/no "
591 "argument.", filename, linenum);
592 value = 0; /* silence compiler */
593 if (strcmp(arg, "without-password") == 0)
594 value = PERMIT_NO_PASSWD;
595 else if (strcmp(arg, "forced-commands-only") == 0)
596 value = PERMIT_FORCED_ONLY;
597 else if (strcmp(arg, "yes") == 0)
598 value = PERMIT_YES;
599 else if (strcmp(arg, "no") == 0)
600 value = PERMIT_NO;
601 else
602 fatal("%s line %d: Bad yes/"
603 "without-password/forced-commands-only/no "
604 "argument: %s", filename, linenum, arg);
605 if (*intptr == -1)
606 *intptr = value;
607 break;
608
609 case sIgnoreRhosts:
610 intptr = &options->ignore_rhosts;
3c0ef626 611parse_flag:
e9a17296 612 arg = strdelim(&cp);
613 if (!arg || *arg == '\0')
614 fatal("%s line %d: missing yes/no argument.",
615 filename, linenum);
616 value = 0; /* silence compiler */
617 if (strcmp(arg, "yes") == 0)
618 value = 1;
619 else if (strcmp(arg, "no") == 0)
620 value = 0;
621 else
622 fatal("%s line %d: Bad yes/no argument: %s",
623 filename, linenum, arg);
624 if (*intptr == -1)
625 *intptr = value;
626 break;
627
628 case sIgnoreUserKnownHosts:
629 intptr = &options->ignore_user_known_hosts;
630 goto parse_flag;
631
e9a17296 632 case sRhostsRSAAuthentication:
633 intptr = &options->rhosts_rsa_authentication;
634 goto parse_flag;
635
636 case sHostbasedAuthentication:
637 intptr = &options->hostbased_authentication;
638 goto parse_flag;
639
640 case sHostbasedUsesNameFromPacketOnly:
641 intptr = &options->hostbased_uses_name_from_packet_only;
642 goto parse_flag;
643
644 case sRSAAuthentication:
645 intptr = &options->rsa_authentication;
646 goto parse_flag;
647
648 case sPubkeyAuthentication:
649 intptr = &options->pubkey_authentication;
650 goto parse_flag;
0fff78ff 651
e9a17296 652 case sKerberosAuthentication:
653 intptr = &options->kerberos_authentication;
654 goto parse_flag;
3c0ef626 655
e9a17296 656 case sKerberosOrLocalPasswd:
657 intptr = &options->kerberos_or_local_passwd;
658 goto parse_flag;
3c0ef626 659
e9a17296 660 case sKerberosTicketCleanup:
661 intptr = &options->kerberos_ticket_cleanup;
662 goto parse_flag;
0fff78ff 663
cdd66111 664 case sKerberosGetAFSToken:
665 intptr = &options->kerberos_get_afs_token;
666 goto parse_flag;
667
0fff78ff 668 case sGssAuthentication:
669 intptr = &options->gss_authentication;
e9a17296 670 goto parse_flag;
0fff78ff 671
672 case sGssCleanupCreds:
673 intptr = &options->gss_cleanup_creds;
e9a17296 674 goto parse_flag;
3c0ef626 675
e9a17296 676 case sPasswordAuthentication:
677 intptr = &options->password_authentication;
678 goto parse_flag;
3c0ef626 679
e9a17296 680 case sKbdInteractiveAuthentication:
681 intptr = &options->kbd_interactive_authentication;
682 goto parse_flag;
3c0ef626 683
e9a17296 684 case sChallengeResponseAuthentication:
685 intptr = &options->challenge_response_authentication;
686 goto parse_flag;
3c0ef626 687
e9a17296 688 case sPrintMotd:
689 intptr = &options->print_motd;
690 goto parse_flag;
3c0ef626 691
e9a17296 692 case sPrintLastLog:
693 intptr = &options->print_lastlog;
694 goto parse_flag;
3c0ef626 695
e9a17296 696 case sX11Forwarding:
697 intptr = &options->x11_forwarding;
698 goto parse_flag;
3c0ef626 699
e9a17296 700 case sX11DisplayOffset:
701 intptr = &options->x11_display_offset;
702 goto parse_int;
3c0ef626 703
e9a17296 704 case sX11UseLocalhost:
705 intptr = &options->x11_use_localhost;
706 goto parse_flag;
3c0ef626 707
e9a17296 708 case sXAuthLocation:
709 charptr = &options->xauth_location;
710 goto parse_filename;
3c0ef626 711
e9a17296 712 case sStrictModes:
713 intptr = &options->strict_modes;
714 goto parse_flag;
3c0ef626 715
cdd66111 716 case sTCPKeepAlive:
717 intptr = &options->tcp_keep_alive;
e9a17296 718 goto parse_flag;
3c0ef626 719
e9a17296 720 case sEmptyPasswd:
721 intptr = &options->permit_empty_passwd;
722 goto parse_flag;
3c0ef626 723
41b2f314 724 case sPermitUserEnvironment:
725 intptr = &options->permit_user_env;
726 goto parse_flag;
727
e9a17296 728 case sUseLogin:
729 intptr = &options->use_login;
730 goto parse_flag;
3c0ef626 731
f5799ae1 732 case sCompression:
733 intptr = &options->compression;
665a873d 734 arg = strdelim(&cp);
735 if (!arg || *arg == '\0')
736 fatal("%s line %d: missing yes/no/delayed "
737 "argument.", filename, linenum);
738 value = 0; /* silence compiler */
739 if (strcmp(arg, "delayed") == 0)
740 value = COMP_DELAYED;
741 else if (strcmp(arg, "yes") == 0)
742 value = COMP_ZLIB;
743 else if (strcmp(arg, "no") == 0)
744 value = COMP_NONE;
745 else
746 fatal("%s line %d: Bad yes/no/delayed "
747 "argument: %s", filename, linenum, arg);
748 if (*intptr == -1)
749 *intptr = value;
750 break;
f5799ae1 751
e9a17296 752 case sGatewayPorts:
753 intptr = &options->gateway_ports;
996d5e62 754 arg = strdelim(&cp);
755 if (!arg || *arg == '\0')
756 fatal("%s line %d: missing yes/no/clientspecified "
757 "argument.", filename, linenum);
758 value = 0; /* silence compiler */
759 if (strcmp(arg, "clientspecified") == 0)
760 value = 2;
761 else if (strcmp(arg, "yes") == 0)
762 value = 1;
763 else if (strcmp(arg, "no") == 0)
764 value = 0;
765 else
766 fatal("%s line %d: Bad yes/no/clientspecified "
767 "argument: %s", filename, linenum, arg);
768 if (*intptr == -1)
769 *intptr = value;
770 break;
3c0ef626 771
0fff78ff 772 case sUseDNS:
773 intptr = &options->use_dns;
e9a17296 774 goto parse_flag;
3c0ef626 775
e9a17296 776 case sLogFacility:
777 intptr = (int *) &options->log_facility;
778 arg = strdelim(&cp);
779 value = log_facility_number(arg);
780 if (value == SYSLOG_FACILITY_NOT_SET)
781 fatal("%.200s line %d: unsupported log facility '%s'",
782 filename, linenum, arg ? arg : "<NONE>");
783 if (*intptr == -1)
784 *intptr = (SyslogFacility) value;
785 break;
786
787 case sLogLevel:
788 intptr = (int *) &options->log_level;
789 arg = strdelim(&cp);
790 value = log_level_number(arg);
791 if (value == SYSLOG_LEVEL_NOT_SET)
792 fatal("%.200s line %d: unsupported log level '%s'",
793 filename, linenum, arg ? arg : "<NONE>");
794 if (*intptr == -1)
795 *intptr = (LogLevel) value;
796 break;
797
798 case sAllowTcpForwarding:
799 intptr = &options->allow_tcp_forwarding;
800 goto parse_flag;
801
700318f3 802 case sUsePrivilegeSeparation:
803 intptr = &use_privsep;
804 goto parse_flag;
805
e9a17296 806 case sAllowUsers:
807 while ((arg = strdelim(&cp)) && *arg != '\0') {
808 if (options->num_allow_users >= MAX_ALLOW_USERS)
809 fatal("%s line %d: too many allow users.",
810 filename, linenum);
680cee3b 811 options->allow_users[options->num_allow_users++] =
812 xstrdup(arg);
e9a17296 813 }
814 break;
3c0ef626 815
e9a17296 816 case sDenyUsers:
817 while ((arg = strdelim(&cp)) && *arg != '\0') {
818 if (options->num_deny_users >= MAX_DENY_USERS)
819 fatal( "%s line %d: too many deny users.",
820 filename, linenum);
680cee3b 821 options->deny_users[options->num_deny_users++] =
822 xstrdup(arg);
e9a17296 823 }
824 break;
3c0ef626 825
e9a17296 826 case sAllowGroups:
827 while ((arg = strdelim(&cp)) && *arg != '\0') {
828 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
829 fatal("%s line %d: too many allow groups.",
830 filename, linenum);
680cee3b 831 options->allow_groups[options->num_allow_groups++] =
832 xstrdup(arg);
e9a17296 833 }
834 break;
3c0ef626 835
e9a17296 836 case sDenyGroups:
837 while ((arg = strdelim(&cp)) && *arg != '\0') {
838 if (options->num_deny_groups >= MAX_DENY_GROUPS)
839 fatal("%s line %d: too many deny groups.",
840 filename, linenum);
841 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
842 }
843 break;
844
845 case sCiphers:
846 arg = strdelim(&cp);
847 if (!arg || *arg == '\0')
848 fatal("%s line %d: Missing argument.", filename, linenum);
849 if (!ciphers_valid(arg))
850 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
851 filename, linenum, arg ? arg : "<NONE>");
852 if (options->ciphers == NULL)
853 options->ciphers = xstrdup(arg);
854 break;
855
856 case sMacs:
857 arg = strdelim(&cp);
858 if (!arg || *arg == '\0')
859 fatal("%s line %d: Missing argument.", filename, linenum);
860 if (!mac_valid(arg))
861 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
862 filename, linenum, arg ? arg : "<NONE>");
863 if (options->macs == NULL)
864 options->macs = xstrdup(arg);
865 break;
866
867 case sProtocol:
868 intptr = &options->protocol;
869 arg = strdelim(&cp);
870 if (!arg || *arg == '\0')
871 fatal("%s line %d: Missing argument.", filename, linenum);
872 value = proto_spec(arg);
873 if (value == SSH_PROTO_UNKNOWN)
874 fatal("%s line %d: Bad protocol spec '%s'.",
875 filename, linenum, arg ? arg : "<NONE>");
876 if (*intptr == SSH_PROTO_UNKNOWN)
877 *intptr = value;
878 break;
879
880 case sSubsystem:
881 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
882 fatal("%s line %d: too many subsystems defined.",
883 filename, linenum);
884 }
885 arg = strdelim(&cp);
886 if (!arg || *arg == '\0')
887 fatal("%s line %d: Missing subsystem name.",
888 filename, linenum);
889 for (i = 0; i < options->num_subsystems; i++)
890 if (strcmp(arg, options->subsystem_name[i]) == 0)
891 fatal("%s line %d: Subsystem '%s' already defined.",
892 filename, linenum, arg);
893 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
894 arg = strdelim(&cp);
895 if (!arg || *arg == '\0')
896 fatal("%s line %d: Missing subsystem command.",
897 filename, linenum);
898 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
899 options->num_subsystems++;
900 break;
901
902 case sMaxStartups:
903 arg = strdelim(&cp);
904 if (!arg || *arg == '\0')
905 fatal("%s line %d: Missing MaxStartups spec.",
906 filename, linenum);
907 if ((n = sscanf(arg, "%d:%d:%d",
908 &options->max_startups_begin,
909 &options->max_startups_rate,
910 &options->max_startups)) == 3) {
911 if (options->max_startups_begin >
912 options->max_startups ||
913 options->max_startups_rate > 100 ||
914 options->max_startups_rate < 1)
3c0ef626 915 fatal("%s line %d: Illegal MaxStartups spec.",
916 filename, linenum);
e9a17296 917 } else if (n != 1)
918 fatal("%s line %d: Illegal MaxStartups spec.",
919 filename, linenum);
920 else
921 options->max_startups = options->max_startups_begin;
922 break;
923
c9f39d2c 924 case sMaxAuthTries:
925 intptr = &options->max_authtries;
926 goto parse_int;
927
e9a17296 928 case sBanner:
929 charptr = &options->banner;
930 goto parse_filename;
931 /*
932 * These options can contain %X options expanded at
933 * connect time, so that you can specify paths like:
934 *
935 * AuthorizedKeysFile /etc/ssh_keys/%u
936 */
937 case sAuthorizedKeysFile:
938 case sAuthorizedKeysFile2:
939 charptr = (opcode == sAuthorizedKeysFile ) ?
940 &options->authorized_keys_file :
941 &options->authorized_keys_file2;
942 goto parse_filename;
943
944 case sClientAliveInterval:
945 intptr = &options->client_alive_interval;
946 goto parse_time;
947
948 case sClientAliveCountMax:
949 intptr = &options->client_alive_count_max;
950 goto parse_int;
951
c9f39d2c 952 case sAcceptEnv:
953 while ((arg = strdelim(&cp)) && *arg != '\0') {
954 if (strchr(arg, '=') != NULL)
955 fatal("%s line %d: Invalid environment name.",
956 filename, linenum);
957 if (options->num_accept_env >= MAX_ACCEPT_ENV)
958 fatal("%s line %d: too many allow env.",
959 filename, linenum);
960 options->accept_env[options->num_accept_env++] =
961 xstrdup(arg);
962 }
963 break;
964
e9a17296 965 case sDeprecated:
0fff78ff 966 logit("%s line %d: Deprecated option %s",
967 filename, linenum, arg);
968 while (arg)
969 arg = strdelim(&cp);
970 break;
971
972 case sUnsupported:
973 logit("%s line %d: Unsupported option %s",
e9a17296 974 filename, linenum, arg);
975 while (arg)
976 arg = strdelim(&cp);
977 break;
978
979 default:
980 fatal("%s line %d: Missing handler for opcode %s (%d)",
981 filename, linenum, arg, opcode);
982 }
983 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
984 fatal("%s line %d: garbage at end of line; \"%.200s\".",
985 filename, linenum, arg);
986 return 0;
987}
3c0ef626 988
e9a17296 989/* Reads the server configuration file. */
3c0ef626 990
e9a17296 991void
c9f39d2c 992load_server_config(const char *filename, Buffer *conf)
e9a17296 993{
c9f39d2c 994 char line[1024], *cp;
680cee3b 995 FILE *f;
e9a17296 996
c9f39d2c 997 debug2("%s: filename %s", __func__, filename);
998 if ((f = fopen(filename, "r")) == NULL) {
e9a17296 999 perror(filename);
1000 exit(1);
1001 }
c9f39d2c 1002 buffer_clear(conf);
e9a17296 1003 while (fgets(line, sizeof(line), f)) {
c9f39d2c 1004 /*
1005 * Trim out comments and strip whitespace
1006 * NB - preserve newlines, they are needed to reproduce
1007 * line numbers later for error messages
1008 */
1009 if ((cp = strchr(line, '#')) != NULL)
1010 memcpy(cp, "\n", 2);
1011 cp = line + strspn(line, " \t\r");
1012
1013 buffer_append(conf, cp, strlen(cp));
3c0ef626 1014 }
c9f39d2c 1015 buffer_append(conf, "\0", 1);
3c0ef626 1016 fclose(f);
c9f39d2c 1017 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1018}
1019
1020void
1021parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1022{
1023 int linenum, bad_options = 0;
1024 char *cp, *obuf, *cbuf;
1025
1026 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1027
1028 obuf = cbuf = xstrdup(buffer_ptr(conf));
1029 linenum = 1;
dec6d9fe 1030 while ((cp = strsep(&cbuf, "\n")) != NULL) {
c9f39d2c 1031 if (process_server_config_line(options, cp, filename,
1032 linenum++) != 0)
1033 bad_options++;
1034 }
1035 xfree(obuf);
3c0ef626 1036 if (bad_options > 0)
1037 fatal("%s: terminating, %d bad configuration options",
1038 filename, bad_options);
1039}
git-cvsimport mirror of GSI OpenSSH
This page took 0.219669 seconds and 5 git commands to generate.