]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
backout import of openssh-SNAP-20040105
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
9cb1827b 13RCSID("$OpenBSD: servconf.c,v 1.127 2003/09/01 18:15:50 markus Exp $");
3c0ef626 14
15#include "ssh.h"
16#include "log.h"
17#include "servconf.h"
18#include "xmalloc.h"
19#include "compat.h"
20#include "pathnames.h"
21#include "tildexpand.h"
22#include "misc.h"
23#include "cipher.h"
24#include "kex.h"
25#include "mac.h"
26
27static void add_listen_addr(ServerOptions *, char *, u_short);
28static void add_one_listen_addr(ServerOptions *, char *, u_short);
29
30/* AF_UNSPEC or AF_INET or AF_INET6 */
31extern int IPv4or6;
700318f3 32/* Use of privilege separation or not */
33extern int use_privsep;
3c0ef626 34
35/* Initializes the server options to their default values. */
36
37void
38initialize_server_options(ServerOptions *options)
39{
40 memset(options, 0, sizeof(*options));
41
42 /* Portable-specific options */
0fff78ff 43 options->use_pam = -1;
3c0ef626 44
45 /* Standard Options */
46 options->num_ports = 0;
47 options->ports_from_cmdline = 0;
48 options->listen_addrs = NULL;
49 options->num_host_key_files = 0;
50 options->pid_file = NULL;
51 options->server_key_bits = -1;
52 options->login_grace_time = -1;
53 options->key_regeneration_time = -1;
54 options->permit_root_login = PERMIT_NOT_SET;
55 options->ignore_rhosts = -1;
56 options->ignore_user_known_hosts = -1;
57 options->print_motd = -1;
58 options->print_lastlog = -1;
59 options->x11_forwarding = -1;
60 options->x11_display_offset = -1;
e9a17296 61 options->x11_use_localhost = -1;
3c0ef626 62 options->xauth_location = NULL;
63 options->strict_modes = -1;
9cb1827b 64 options->keepalives = -1;
e9a17296 65 options->log_facility = SYSLOG_FACILITY_NOT_SET;
66 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 67 options->rhosts_rsa_authentication = -1;
68 options->hostbased_authentication = -1;
69 options->hostbased_uses_name_from_packet_only = -1;
70 options->rsa_authentication = -1;
71 options->pubkey_authentication = -1;
3c0ef626 72 options->kerberos_authentication = -1;
73 options->kerberos_or_local_passwd = -1;
74 options->kerberos_ticket_cleanup = -1;
0fff78ff 75 options->gss_authentication=-1;
76 options->gss_cleanup_creds = -1;
3c0ef626 77 options->password_authentication = -1;
78 options->kbd_interactive_authentication = -1;
79 options->challenge_response_authentication = -1;
80 options->permit_empty_passwd = -1;
41b2f314 81 options->permit_user_env = -1;
3c0ef626 82 options->use_login = -1;
f5799ae1 83 options->compression = -1;
3c0ef626 84 options->allow_tcp_forwarding = -1;
85 options->num_allow_users = 0;
86 options->num_deny_users = 0;
87 options->num_allow_groups = 0;
88 options->num_deny_groups = 0;
89 options->ciphers = NULL;
90 options->macs = NULL;
91 options->protocol = SSH_PROTO_UNKNOWN;
92 options->gateway_ports = -1;
93 options->num_subsystems = 0;
94 options->max_startups_begin = -1;
95 options->max_startups_rate = -1;
96 options->max_startups = -1;
97 options->banner = NULL;
0fff78ff 98 options->use_dns = -1;
3c0ef626 99 options->client_alive_interval = -1;
100 options->client_alive_count_max = -1;
101 options->authorized_keys_file = NULL;
102 options->authorized_keys_file2 = NULL;
700318f3 103
104 /* Needs to be accessable in many places */
105 use_privsep = -1;
3c0ef626 106}
107
108void
109fill_default_server_options(ServerOptions *options)
110{
111 /* Portable-specific options */
0fff78ff 112 if (options->use_pam == -1)
acc3d05e 113 options->use_pam = 0;
3c0ef626 114
115 /* Standard Options */
116 if (options->protocol == SSH_PROTO_UNKNOWN)
117 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
118 if (options->num_host_key_files == 0) {
119 /* fill default hostkeys for protocols */
120 if (options->protocol & SSH_PROTO_1)
e9a17296 121 options->host_key_files[options->num_host_key_files++] =
122 _PATH_HOST_KEY_FILE;
123 if (options->protocol & SSH_PROTO_2) {
124 options->host_key_files[options->num_host_key_files++] =
125 _PATH_HOST_RSA_KEY_FILE;
126 options->host_key_files[options->num_host_key_files++] =
127 _PATH_HOST_DSA_KEY_FILE;
128 }
3c0ef626 129 }
130 if (options->num_ports == 0)
131 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
132 if (options->listen_addrs == NULL)
133 add_listen_addr(options, NULL, 0);
134 if (options->pid_file == NULL)
135 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
136 if (options->server_key_bits == -1)
137 options->server_key_bits = 768;
138 if (options->login_grace_time == -1)
41b2f314 139 options->login_grace_time = 120;
3c0ef626 140 if (options->key_regeneration_time == -1)
141 options->key_regeneration_time = 3600;
142 if (options->permit_root_login == PERMIT_NOT_SET)
143 options->permit_root_login = PERMIT_YES;
144 if (options->ignore_rhosts == -1)
145 options->ignore_rhosts = 1;
146 if (options->ignore_user_known_hosts == -1)
147 options->ignore_user_known_hosts = 0;
148 if (options->print_motd == -1)
149 options->print_motd = 1;
150 if (options->print_lastlog == -1)
151 options->print_lastlog = 1;
152 if (options->x11_forwarding == -1)
153 options->x11_forwarding = 0;
154 if (options->x11_display_offset == -1)
155 options->x11_display_offset = 10;
e9a17296 156 if (options->x11_use_localhost == -1)
157 options->x11_use_localhost = 1;
3c0ef626 158 if (options->xauth_location == NULL)
159 options->xauth_location = _PATH_XAUTH;
3c0ef626 160 if (options->strict_modes == -1)
161 options->strict_modes = 1;
9cb1827b 162 if (options->keepalives == -1)
163 options->keepalives = 1;
e9a17296 164 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 165 options->log_facility = SYSLOG_FACILITY_AUTH;
e9a17296 166 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 167 options->log_level = SYSLOG_LEVEL_INFO;
3c0ef626 168 if (options->rhosts_rsa_authentication == -1)
169 options->rhosts_rsa_authentication = 0;
170 if (options->hostbased_authentication == -1)
171 options->hostbased_authentication = 0;
172 if (options->hostbased_uses_name_from_packet_only == -1)
173 options->hostbased_uses_name_from_packet_only = 0;
174 if (options->rsa_authentication == -1)
175 options->rsa_authentication = 1;
176 if (options->pubkey_authentication == -1)
177 options->pubkey_authentication = 1;
3c0ef626 178 if (options->kerberos_authentication == -1)
700318f3 179 options->kerberos_authentication = 0;
3c0ef626 180 if (options->kerberos_or_local_passwd == -1)
181 options->kerberos_or_local_passwd = 1;
182 if (options->kerberos_ticket_cleanup == -1)
183 options->kerberos_ticket_cleanup = 1;
0fff78ff 184 if (options->gss_authentication == -1)
185 options->gss_authentication = 0;
186 if (options->gss_cleanup_creds == -1)
187 options->gss_cleanup_creds = 1;
3c0ef626 188 if (options->password_authentication == -1)
189 options->password_authentication = 1;
190 if (options->kbd_interactive_authentication == -1)
191 options->kbd_interactive_authentication = 0;
192 if (options->challenge_response_authentication == -1)
193 options->challenge_response_authentication = 1;
194 if (options->permit_empty_passwd == -1)
195 options->permit_empty_passwd = 0;
41b2f314 196 if (options->permit_user_env == -1)
197 options->permit_user_env = 0;
3c0ef626 198 if (options->use_login == -1)
199 options->use_login = 0;
f5799ae1 200 if (options->compression == -1)
201 options->compression = 1;
3c0ef626 202 if (options->allow_tcp_forwarding == -1)
203 options->allow_tcp_forwarding = 1;
204 if (options->gateway_ports == -1)
205 options->gateway_ports = 0;
206 if (options->max_startups == -1)
207 options->max_startups = 10;
208 if (options->max_startups_rate == -1)
209 options->max_startups_rate = 100; /* 100% */
210 if (options->max_startups_begin == -1)
211 options->max_startups_begin = options->max_startups;
0fff78ff 212 if (options->use_dns == -1)
213 options->use_dns = 1;
3c0ef626 214 if (options->client_alive_interval == -1)
e9a17296 215 options->client_alive_interval = 0;
3c0ef626 216 if (options->client_alive_count_max == -1)
217 options->client_alive_count_max = 3;
218 if (options->authorized_keys_file2 == NULL) {
219 /* authorized_keys_file2 falls back to authorized_keys_file */
220 if (options->authorized_keys_file != NULL)
221 options->authorized_keys_file2 = options->authorized_keys_file;
222 else
223 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
224 }
225 if (options->authorized_keys_file == NULL)
226 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
700318f3 227
f5799ae1 228 /* Turn privilege separation on by default */
700318f3 229 if (use_privsep == -1)
f5799ae1 230 use_privsep = 1;
231
41b2f314 232#ifndef HAVE_MMAP
f5799ae1 233 if (use_privsep && options->compression == 1) {
234 error("This platform does not support both privilege "
235 "separation and compression");
236 error("Compression disabled");
237 options->compression = 0;
238 }
239#endif
240
3c0ef626 241}
242
243/* Keyword tokens. */
244typedef enum {
245 sBadOption, /* == unknown option */
246 /* Portable-specific options */
0fff78ff 247 sUsePAM,
3c0ef626 248 /* Standard Options */
249 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
250 sPermitRootLogin, sLogFacility, sLogLevel,
0fff78ff 251 sRhostsRSAAuthentication, sRSAAuthentication,
3c0ef626 252 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
0fff78ff 253 sKerberosTgtPassing, sChallengeResponseAuthentication,
3c0ef626 254 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
255 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9a17296 256 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
9cb1827b 257 sStrictModes, sEmptyPasswd, sKeepAlives,
41b2f314 258 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
3c0ef626 259 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
260 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
261 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
0fff78ff 262 sBanner, sUseDNS, sHostbasedAuthentication,
e9a17296 263 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 264 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
0fff78ff 265 sGssAuthentication, sGssCleanupCreds,
700318f3 266 sUsePrivilegeSeparation,
0fff78ff 267 sDeprecated, sUnsupported
3c0ef626 268} ServerOpCodes;
269
270/* Textual representation of the tokens. */
271static struct {
272 const char *name;
273 ServerOpCodes opcode;
274} keywords[] = {
275 /* Portable-specific options */
0fff78ff 276#ifdef USE_PAM
277 { "usepam", sUsePAM },
278#else
279 { "usepam", sUnsupported },
280#endif
281 { "pamauthenticationviakbdint", sDeprecated },
3c0ef626 282 /* Standard Options */
283 { "port", sPort },
284 { "hostkey", sHostKeyFile },
285 { "hostdsakey", sHostKeyFile }, /* alias */
286 { "pidfile", sPidFile },
287 { "serverkeybits", sServerKeyBits },
288 { "logingracetime", sLoginGraceTime },
289 { "keyregenerationinterval", sKeyRegenerationTime },
290 { "permitrootlogin", sPermitRootLogin },
291 { "syslogfacility", sLogFacility },
292 { "loglevel", sLogLevel },
0fff78ff 293 { "rhostsauthentication", sDeprecated },
3c0ef626 294 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
295 { "hostbasedauthentication", sHostbasedAuthentication },
296 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
297 { "rsaauthentication", sRSAAuthentication },
298 { "pubkeyauthentication", sPubkeyAuthentication },
299 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
0fff78ff 300#ifdef KRB5
3c0ef626 301 { "kerberosauthentication", sKerberosAuthentication },
302 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
303 { "kerberosticketcleanup", sKerberosTicketCleanup },
0fff78ff 304#else
305 { "kerberosauthentication", sUnsupported },
306 { "kerberosorlocalpasswd", sUnsupported },
307 { "kerberosticketcleanup", sUnsupported },
3c0ef626 308#endif
0fff78ff 309 { "kerberostgtpassing", sUnsupported },
310 { "afstokenpassing", sUnsupported },
311#ifdef GSSAPI
312 { "gssapiauthentication", sGssAuthentication },
9cb1827b 313 { "gssapicleanupcreds", sGssCleanupCreds },
0fff78ff 314#else
315 { "gssapiauthentication", sUnsupported },
9cb1827b 316 { "gssapicleanupcreds", sUnsupported },
3c0ef626 317#endif
318 { "passwordauthentication", sPasswordAuthentication },
319 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
320 { "challengeresponseauthentication", sChallengeResponseAuthentication },
321 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
322 { "checkmail", sDeprecated },
323 { "listenaddress", sListenAddress },
324 { "printmotd", sPrintMotd },
325 { "printlastlog", sPrintLastLog },
326 { "ignorerhosts", sIgnoreRhosts },
327 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
328 { "x11forwarding", sX11Forwarding },
329 { "x11displayoffset", sX11DisplayOffset },
e9a17296 330 { "x11uselocalhost", sX11UseLocalhost },
3c0ef626 331 { "xauthlocation", sXAuthLocation },
332 { "strictmodes", sStrictModes },
333 { "permitemptypasswords", sEmptyPasswd },
41b2f314 334 { "permituserenvironment", sPermitUserEnvironment },
3c0ef626 335 { "uselogin", sUseLogin },
f5799ae1 336 { "compression", sCompression },
9cb1827b 337 { "keepalive", sKeepAlives },
3c0ef626 338 { "allowtcpforwarding", sAllowTcpForwarding },
339 { "allowusers", sAllowUsers },
340 { "denyusers", sDenyUsers },
341 { "allowgroups", sAllowGroups },
342 { "denygroups", sDenyGroups },
343 { "ciphers", sCiphers },
344 { "macs", sMacs },
345 { "protocol", sProtocol },
346 { "gatewayports", sGatewayPorts },
347 { "subsystem", sSubsystem },
348 { "maxstartups", sMaxStartups },
349 { "banner", sBanner },
0fff78ff 350 { "usedns", sUseDNS },
351 { "verifyreversemapping", sDeprecated },
352 { "reversemappingcheck", sDeprecated },
3c0ef626 353 { "clientaliveinterval", sClientAliveInterval },
354 { "clientalivecountmax", sClientAliveCountMax },
355 { "authorizedkeysfile", sAuthorizedKeysFile },
356 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
700318f3 357 { "useprivilegeseparation", sUsePrivilegeSeparation},
e9a17296 358 { NULL, sBadOption }
3c0ef626 359};
360
361/*
362 * Returns the number of the token pointed to by cp or sBadOption.
363 */
364
365static ServerOpCodes
366parse_token(const char *cp, const char *filename,
367 int linenum)
368{
369 u_int i;
370
371 for (i = 0; keywords[i].name; i++)
372 if (strcasecmp(cp, keywords[i].name) == 0)
373 return keywords[i].opcode;
374
375 error("%s: line %d: Bad configuration option: %s",
376 filename, linenum, cp);
377 return sBadOption;
378}
379
380static void
381add_listen_addr(ServerOptions *options, char *addr, u_short port)
382{
383 int i;
384
385 if (options->num_ports == 0)
386 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
387 if (port == 0)
388 for (i = 0; i < options->num_ports; i++)
389 add_one_listen_addr(options, addr, options->ports[i]);
390 else
391 add_one_listen_addr(options, addr, port);
392}
393
394static void
395add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
396{
397 struct addrinfo hints, *ai, *aitop;
398 char strport[NI_MAXSERV];
399 int gaierr;
400
401 memset(&hints, 0, sizeof(hints));
402 hints.ai_family = IPv4or6;
403 hints.ai_socktype = SOCK_STREAM;
404 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
680cee3b 405 snprintf(strport, sizeof strport, "%u", port);
3c0ef626 406 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
407 fatal("bad addr or host: %s (%s)",
408 addr ? addr : "<NULL>",
409 gai_strerror(gaierr));
410 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
411 ;
412 ai->ai_next = options->listen_addrs;
413 options->listen_addrs = aitop;
414}
415
e9a17296 416int
417process_server_config_line(ServerOptions *options, char *line,
418 const char *filename, int linenum)
3c0ef626 419{
3c0ef626 420 char *cp, **charptr, *arg, *p;
680cee3b 421 int *intptr, value, i, n;
3c0ef626 422 ServerOpCodes opcode;
3c0ef626 423
e9a17296 424 cp = line;
425 arg = strdelim(&cp);
426 /* Ignore leading whitespace */
427 if (*arg == '\0')
3c0ef626 428 arg = strdelim(&cp);
e9a17296 429 if (!arg || !*arg || *arg == '#')
430 return 0;
431 intptr = NULL;
432 charptr = NULL;
433 opcode = parse_token(arg, filename, linenum);
434 switch (opcode) {
435 /* Portable-specific options */
0fff78ff 436 case sUsePAM:
437 intptr = &options->use_pam;
e9a17296 438 goto parse_flag;
3c0ef626 439
e9a17296 440 /* Standard Options */
441 case sBadOption:
442 return -1;
443 case sPort:
444 /* ignore ports from configfile if cmdline specifies ports */
445 if (options->ports_from_cmdline)
446 return 0;
447 if (options->listen_addrs != NULL)
448 fatal("%s line %d: ports must be specified before "
449 "ListenAddress.", filename, linenum);
450 if (options->num_ports >= MAX_PORTS)
451 fatal("%s line %d: too many ports.",
452 filename, linenum);
453 arg = strdelim(&cp);
454 if (!arg || *arg == '\0')
455 fatal("%s line %d: missing port number.",
456 filename, linenum);
457 options->ports[options->num_ports++] = a2port(arg);
458 if (options->ports[options->num_ports-1] == 0)
459 fatal("%s line %d: Badly formatted port number.",
460 filename, linenum);
461 break;
462
463 case sServerKeyBits:
464 intptr = &options->server_key_bits;
3c0ef626 465parse_int:
e9a17296 466 arg = strdelim(&cp);
467 if (!arg || *arg == '\0')
468 fatal("%s line %d: missing integer value.",
469 filename, linenum);
470 value = atoi(arg);
471 if (*intptr == -1)
472 *intptr = value;
473 break;
474
475 case sLoginGraceTime:
476 intptr = &options->login_grace_time;
3c0ef626 477parse_time:
e9a17296 478 arg = strdelim(&cp);
479 if (!arg || *arg == '\0')
480 fatal("%s line %d: missing time value.",
481 filename, linenum);
482 if ((value = convtime(arg)) == -1)
483 fatal("%s line %d: invalid time value.",
484 filename, linenum);
485 if (*intptr == -1)
486 *intptr = value;
487 break;
488
489 case sKeyRegenerationTime:
490 intptr = &options->key_regeneration_time;
491 goto parse_time;
492
493 case sListenAddress:
494 arg = strdelim(&cp);
495 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
496 fatal("%s line %d: missing inet addr.",
497 filename, linenum);
498 if (*arg == '[') {
499 if ((p = strchr(arg, ']')) == NULL)
500 fatal("%s line %d: bad ipv6 inet addr usage.",
3c0ef626 501 filename, linenum);
e9a17296 502 arg++;
503 memmove(p, p+1, strlen(p+1)+1);
504 } else if (((p = strchr(arg, ':')) == NULL) ||
505 (strchr(p+1, ':') != NULL)) {
506 add_listen_addr(options, arg, 0);
3c0ef626 507 break;
e9a17296 508 }
509 if (*p == ':') {
510 u_short port;
3c0ef626 511
e9a17296 512 p++;
513 if (*p == '\0')
514 fatal("%s line %d: bad inet addr:port usage.",
3c0ef626 515 filename, linenum);
e9a17296 516 else {
517 *(p-1) = '\0';
518 if ((port = a2port(p)) == 0)
519 fatal("%s line %d: bad port number.",
3c0ef626 520 filename, linenum);
e9a17296 521 add_listen_addr(options, arg, port);
3c0ef626 522 }
e9a17296 523 } else if (*p == '\0')
524 add_listen_addr(options, arg, 0);
525 else
526 fatal("%s line %d: bad inet addr usage.",
527 filename, linenum);
528 break;
529
530 case sHostKeyFile:
531 intptr = &options->num_host_key_files;
532 if (*intptr >= MAX_HOSTKEYS)
533 fatal("%s line %d: too many host keys specified (max %d).",
534 filename, linenum, MAX_HOSTKEYS);
535 charptr = &options->host_key_files[*intptr];
3c0ef626 536parse_filename:
e9a17296 537 arg = strdelim(&cp);
538 if (!arg || *arg == '\0')
539 fatal("%s line %d: missing file name.",
540 filename, linenum);
541 if (*charptr == NULL) {
542 *charptr = tilde_expand_filename(arg, getuid());
543 /* increase optional counter */
544 if (intptr != NULL)
545 *intptr = *intptr + 1;
546 }
547 break;
3c0ef626 548
e9a17296 549 case sPidFile:
550 charptr = &options->pid_file;
551 goto parse_filename;
3c0ef626 552
e9a17296 553 case sPermitRootLogin:
554 intptr = &options->permit_root_login;
555 arg = strdelim(&cp);
556 if (!arg || *arg == '\0')
557 fatal("%s line %d: missing yes/"
558 "without-password/forced-commands-only/no "
559 "argument.", filename, linenum);
560 value = 0; /* silence compiler */
561 if (strcmp(arg, "without-password") == 0)
562 value = PERMIT_NO_PASSWD;
563 else if (strcmp(arg, "forced-commands-only") == 0)
564 value = PERMIT_FORCED_ONLY;
565 else if (strcmp(arg, "yes") == 0)
566 value = PERMIT_YES;
567 else if (strcmp(arg, "no") == 0)
568 value = PERMIT_NO;
569 else
570 fatal("%s line %d: Bad yes/"
571 "without-password/forced-commands-only/no "
572 "argument: %s", filename, linenum, arg);
573 if (*intptr == -1)
574 *intptr = value;
575 break;
576
577 case sIgnoreRhosts:
578 intptr = &options->ignore_rhosts;
3c0ef626 579parse_flag:
e9a17296 580 arg = strdelim(&cp);
581 if (!arg || *arg == '\0')
582 fatal("%s line %d: missing yes/no argument.",
583 filename, linenum);
584 value = 0; /* silence compiler */
585 if (strcmp(arg, "yes") == 0)
586 value = 1;
587 else if (strcmp(arg, "no") == 0)
588 value = 0;
589 else
590 fatal("%s line %d: Bad yes/no argument: %s",
591 filename, linenum, arg);
592 if (*intptr == -1)
593 *intptr = value;
594 break;
595
596 case sIgnoreUserKnownHosts:
597 intptr = &options->ignore_user_known_hosts;
598 goto parse_flag;
599
e9a17296 600 case sRhostsRSAAuthentication:
601 intptr = &options->rhosts_rsa_authentication;
602 goto parse_flag;
603
604 case sHostbasedAuthentication:
605 intptr = &options->hostbased_authentication;
606 goto parse_flag;
607
608 case sHostbasedUsesNameFromPacketOnly:
609 intptr = &options->hostbased_uses_name_from_packet_only;
610 goto parse_flag;
611
612 case sRSAAuthentication:
613 intptr = &options->rsa_authentication;
614 goto parse_flag;
615
616 case sPubkeyAuthentication:
617 intptr = &options->pubkey_authentication;
618 goto parse_flag;
0fff78ff 619
e9a17296 620 case sKerberosAuthentication:
621 intptr = &options->kerberos_authentication;
622 goto parse_flag;
3c0ef626 623
e9a17296 624 case sKerberosOrLocalPasswd:
625 intptr = &options->kerberos_or_local_passwd;
626 goto parse_flag;
3c0ef626 627
e9a17296 628 case sKerberosTicketCleanup:
629 intptr = &options->kerberos_ticket_cleanup;
630 goto parse_flag;
0fff78ff 631
632 case sGssAuthentication:
633 intptr = &options->gss_authentication;
e9a17296 634 goto parse_flag;
0fff78ff 635
636 case sGssCleanupCreds:
637 intptr = &options->gss_cleanup_creds;
e9a17296 638 goto parse_flag;
3c0ef626 639
e9a17296 640 case sPasswordAuthentication:
641 intptr = &options->password_authentication;
642 goto parse_flag;
3c0ef626 643
e9a17296 644 case sKbdInteractiveAuthentication:
645 intptr = &options->kbd_interactive_authentication;
646 goto parse_flag;
3c0ef626 647
e9a17296 648 case sChallengeResponseAuthentication:
649 intptr = &options->challenge_response_authentication;
650 goto parse_flag;
3c0ef626 651
e9a17296 652 case sPrintMotd:
653 intptr = &options->print_motd;
654 goto parse_flag;
3c0ef626 655
e9a17296 656 case sPrintLastLog:
657 intptr = &options->print_lastlog;
658 goto parse_flag;
3c0ef626 659
e9a17296 660 case sX11Forwarding:
661 intptr = &options->x11_forwarding;
662 goto parse_flag;
3c0ef626 663
e9a17296 664 case sX11DisplayOffset:
665 intptr = &options->x11_display_offset;
666 goto parse_int;
3c0ef626 667
e9a17296 668 case sX11UseLocalhost:
669 intptr = &options->x11_use_localhost;
670 goto parse_flag;
3c0ef626 671
e9a17296 672 case sXAuthLocation:
673 charptr = &options->xauth_location;
674 goto parse_filename;
3c0ef626 675
e9a17296 676 case sStrictModes:
677 intptr = &options->strict_modes;
678 goto parse_flag;
3c0ef626 679
9cb1827b 680 case sKeepAlives:
681 intptr = &options->keepalives;
e9a17296 682 goto parse_flag;
3c0ef626 683
e9a17296 684 case sEmptyPasswd:
685 intptr = &options->permit_empty_passwd;
686 goto parse_flag;
3c0ef626 687
41b2f314 688 case sPermitUserEnvironment:
689 intptr = &options->permit_user_env;
690 goto parse_flag;
691
e9a17296 692 case sUseLogin:
693 intptr = &options->use_login;
694 goto parse_flag;
3c0ef626 695
f5799ae1 696 case sCompression:
697 intptr = &options->compression;
698 goto parse_flag;
699
e9a17296 700 case sGatewayPorts:
701 intptr = &options->gateway_ports;
702 goto parse_flag;
3c0ef626 703
0fff78ff 704 case sUseDNS:
705 intptr = &options->use_dns;
e9a17296 706 goto parse_flag;
3c0ef626 707
e9a17296 708 case sLogFacility:
709 intptr = (int *) &options->log_facility;
710 arg = strdelim(&cp);
711 value = log_facility_number(arg);
712 if (value == SYSLOG_FACILITY_NOT_SET)
713 fatal("%.200s line %d: unsupported log facility '%s'",
714 filename, linenum, arg ? arg : "<NONE>");
715 if (*intptr == -1)
716 *intptr = (SyslogFacility) value;
717 break;
718
719 case sLogLevel:
720 intptr = (int *) &options->log_level;
721 arg = strdelim(&cp);
722 value = log_level_number(arg);
723 if (value == SYSLOG_LEVEL_NOT_SET)
724 fatal("%.200s line %d: unsupported log level '%s'",
725 filename, linenum, arg ? arg : "<NONE>");
726 if (*intptr == -1)
727 *intptr = (LogLevel) value;
728 break;
729
730 case sAllowTcpForwarding:
731 intptr = &options->allow_tcp_forwarding;
732 goto parse_flag;
733
700318f3 734 case sUsePrivilegeSeparation:
735 intptr = &use_privsep;
736 goto parse_flag;
737
e9a17296 738 case sAllowUsers:
739 while ((arg = strdelim(&cp)) && *arg != '\0') {
740 if (options->num_allow_users >= MAX_ALLOW_USERS)
741 fatal("%s line %d: too many allow users.",
742 filename, linenum);
680cee3b 743 options->allow_users[options->num_allow_users++] =
744 xstrdup(arg);
e9a17296 745 }
746 break;
3c0ef626 747
e9a17296 748 case sDenyUsers:
749 while ((arg = strdelim(&cp)) && *arg != '\0') {
750 if (options->num_deny_users >= MAX_DENY_USERS)
751 fatal( "%s line %d: too many deny users.",
752 filename, linenum);
680cee3b 753 options->deny_users[options->num_deny_users++] =
754 xstrdup(arg);
e9a17296 755 }
756 break;
3c0ef626 757
e9a17296 758 case sAllowGroups:
759 while ((arg = strdelim(&cp)) && *arg != '\0') {
760 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
761 fatal("%s line %d: too many allow groups.",
762 filename, linenum);
680cee3b 763 options->allow_groups[options->num_allow_groups++] =
764 xstrdup(arg);
e9a17296 765 }
766 break;
3c0ef626 767
e9a17296 768 case sDenyGroups:
769 while ((arg = strdelim(&cp)) && *arg != '\0') {
770 if (options->num_deny_groups >= MAX_DENY_GROUPS)
771 fatal("%s line %d: too many deny groups.",
772 filename, linenum);
773 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
774 }
775 break;
776
777 case sCiphers:
778 arg = strdelim(&cp);
779 if (!arg || *arg == '\0')
780 fatal("%s line %d: Missing argument.", filename, linenum);
781 if (!ciphers_valid(arg))
782 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
783 filename, linenum, arg ? arg : "<NONE>");
784 if (options->ciphers == NULL)
785 options->ciphers = xstrdup(arg);
786 break;
787
788 case sMacs:
789 arg = strdelim(&cp);
790 if (!arg || *arg == '\0')
791 fatal("%s line %d: Missing argument.", filename, linenum);
792 if (!mac_valid(arg))
793 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
794 filename, linenum, arg ? arg : "<NONE>");
795 if (options->macs == NULL)
796 options->macs = xstrdup(arg);
797 break;
798
799 case sProtocol:
800 intptr = &options->protocol;
801 arg = strdelim(&cp);
802 if (!arg || *arg == '\0')
803 fatal("%s line %d: Missing argument.", filename, linenum);
804 value = proto_spec(arg);
805 if (value == SSH_PROTO_UNKNOWN)
806 fatal("%s line %d: Bad protocol spec '%s'.",
807 filename, linenum, arg ? arg : "<NONE>");
808 if (*intptr == SSH_PROTO_UNKNOWN)
809 *intptr = value;
810 break;
811
812 case sSubsystem:
813 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
814 fatal("%s line %d: too many subsystems defined.",
815 filename, linenum);
816 }
817 arg = strdelim(&cp);
818 if (!arg || *arg == '\0')
819 fatal("%s line %d: Missing subsystem name.",
820 filename, linenum);
821 for (i = 0; i < options->num_subsystems; i++)
822 if (strcmp(arg, options->subsystem_name[i]) == 0)
823 fatal("%s line %d: Subsystem '%s' already defined.",
824 filename, linenum, arg);
825 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
826 arg = strdelim(&cp);
827 if (!arg || *arg == '\0')
828 fatal("%s line %d: Missing subsystem command.",
829 filename, linenum);
830 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
831 options->num_subsystems++;
832 break;
833
834 case sMaxStartups:
835 arg = strdelim(&cp);
836 if (!arg || *arg == '\0')
837 fatal("%s line %d: Missing MaxStartups spec.",
838 filename, linenum);
839 if ((n = sscanf(arg, "%d:%d:%d",
840 &options->max_startups_begin,
841 &options->max_startups_rate,
842 &options->max_startups)) == 3) {
843 if (options->max_startups_begin >
844 options->max_startups ||
845 options->max_startups_rate > 100 ||
846 options->max_startups_rate < 1)
3c0ef626 847 fatal("%s line %d: Illegal MaxStartups spec.",
848 filename, linenum);
e9a17296 849 } else if (n != 1)
850 fatal("%s line %d: Illegal MaxStartups spec.",
851 filename, linenum);
852 else
853 options->max_startups = options->max_startups_begin;
854 break;
855
856 case sBanner:
857 charptr = &options->banner;
858 goto parse_filename;
859 /*
860 * These options can contain %X options expanded at
861 * connect time, so that you can specify paths like:
862 *
863 * AuthorizedKeysFile /etc/ssh_keys/%u
864 */
865 case sAuthorizedKeysFile:
866 case sAuthorizedKeysFile2:
867 charptr = (opcode == sAuthorizedKeysFile ) ?
868 &options->authorized_keys_file :
869 &options->authorized_keys_file2;
870 goto parse_filename;
871
872 case sClientAliveInterval:
873 intptr = &options->client_alive_interval;
874 goto parse_time;
875
876 case sClientAliveCountMax:
877 intptr = &options->client_alive_count_max;
878 goto parse_int;
879
880 case sDeprecated:
0fff78ff 881 logit("%s line %d: Deprecated option %s",
882 filename, linenum, arg);
883 while (arg)
884 arg = strdelim(&cp);
885 break;
886
887 case sUnsupported:
888 logit("%s line %d: Unsupported option %s",
e9a17296 889 filename, linenum, arg);
890 while (arg)
891 arg = strdelim(&cp);
892 break;
893
894 default:
895 fatal("%s line %d: Missing handler for opcode %s (%d)",
896 filename, linenum, arg, opcode);
897 }
898 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
899 fatal("%s line %d: garbage at end of line; \"%.200s\".",
900 filename, linenum, arg);
901 return 0;
902}
3c0ef626 903
e9a17296 904/* Reads the server configuration file. */
3c0ef626 905
e9a17296 906void
907read_server_config(ServerOptions *options, const char *filename)
908{
680cee3b 909 int linenum, bad_options = 0;
e9a17296 910 char line[1024];
680cee3b 911 FILE *f;
e9a17296 912
6a9b3198 913 debug2("read_server_config: filename %s", filename);
e9a17296 914 f = fopen(filename, "r");
915 if (!f) {
916 perror(filename);
917 exit(1);
918 }
919 linenum = 0;
920 while (fgets(line, sizeof(line), f)) {
921 /* Update line number counter. */
922 linenum++;
923 if (process_server_config_line(options, line, filename, linenum) != 0)
924 bad_options++;
3c0ef626 925 }
926 fclose(f);
927 if (bad_options > 0)
928 fatal("%s: terminating, %d bad configuration options",
929 filename, bad_options);
930}
git-cvsimport mirror of GSI OpenSSH
This page took 0.299144 seconds and 5 git commands to generate.