3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
6a9b3198 13RCSID("$OpenBSD: servconf.c,v 1.116 2003/02/21 09:05:53 markus Exp $");
3c0ef626 14
700318f3 15#if defined(KRB4)
16#include <krb.h>
17#endif
18#if defined(KRB5)
19#ifdef HEIMDAL
3c0ef626 20#include <krb.h>
700318f3 21#else
22/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
23 * keytab */
24#define KEYFILE "/etc/krb5.keytab"
25#endif
3c0ef626 26#endif
27#ifdef AFS
28#include <kafs.h>
29#endif
30
31#include "ssh.h"
32#include "log.h"
33#include "servconf.h"
34#include "xmalloc.h"
35#include "compat.h"
36#include "pathnames.h"
37#include "tildexpand.h"
38#include "misc.h"
39#include "cipher.h"
40#include "kex.h"
41#include "mac.h"
42
/* Both helpers resolve a ListenAddress entry; see their definitions below. */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/*
 * AF_UNSPEC or AF_INET or AF_INET6: the address family handed to
 * getaddrinfo() when ListenAddress entries are resolved. Defined
 * outside this file.
 */
extern int IPv4or6;
/*
 * Use of privilege separation or not. Defined outside this file and
 * kept as a global rather than a ServerOptions field; it follows the
 * same -1 == "not yet set" convention as the struct members.
 */
extern int use_privsep;
3c0ef626 50
/*
 * Initializes the server options to their "not set" state.
 *
 * Every field receives a sentinel rather than a real default: -1 for
 * flags and integers, NULL for strings and lists, PERMIT_NOT_SET /
 * SYSLOG_*_NOT_SET / SSH_PROTO_UNKNOWN for the enumerations. The
 * parser (process_server_config_line) only writes a field while it
 * still holds its sentinel, which gives "first value wins" semantics,
 * and fill_default_server_options() later replaces whatever is still
 * unset with the built-in default.
 */

void
initialize_server_options(ServerOptions *options)
{
	/* Zero everything first so counters and unlisted fields are defined. */
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->pam_authentication_via_kbd_int = -1;

	/* Standard Options */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->permit_root_login = PERMIT_NOT_SET;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->strict_modes = -1;
	options->keepalives = -1;
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
#ifdef GSSAPI
	/* GSSAPI fields only exist when the feature is compiled in. */
	options->gss_authentication=-1;
	options->gss_keyex=-1;
	options->gss_use_session_ccache = -1;
	options->gss_cleanup_creds = -1;
#endif
#if defined(KRB4) || defined(KRB5)
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
	options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	options->afs_token_passing = -1;
#endif
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->ciphers = NULL;
	options->macs = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->gateway_ports = -1;
	options->num_subsystems = 0;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->banner = NULL;
	options->verify_reverse_mapping = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* Needs to be accessable in many places */
	use_privsep = -1;
}
136
/*
 * Fills in every option the configuration left unset.
 *
 * Call after the config has been read: each field still holding the
 * sentinel from initialize_server_options() (-1, NULL, *_NOT_SET,
 * SSH_PROTO_UNKNOWN) receives its built-in default here; anything the
 * administrator set explicitly is left alone. These defaults are what
 * an empty sshd_config yields, so the security-relevant ones are
 * annotated for reviewers.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	if (options->pam_authentication_via_kbd_int == -1)
		options->pam_authentication_via_kbd_int = 0;

	/* Standard Options */
	/*
	 * NOTE(review): both protocol versions are offered unless
	 * sshd_config narrows "Protocol". The default host key list
	 * follows whichever versions are enabled.
	 */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* NULL addr == wildcard bind on every configured port (see add_listen_addr). */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	/*
	 * ServerKeyBits / KeyRegenerationInterval: presumably only the
	 * SSH-1 ephemeral server key uses these -- confirm in sshd.c.
	 */
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	if (options->login_grace_time == -1)
		options->login_grace_time = 120;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	/*
	 * NOTE(review): root login is allowed by default. Hardened
	 * deployments should set PermitRootLogin to "no",
	 * "without-password" or "forced-commands-only" in sshd_config.
	 */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->print_lastlog == -1)
		options->print_lastlog = 1;
	/* X11 forwarding is off by default; when on, the proxy display binds localhost. */
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 0;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
		options->x11_use_localhost = 1;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	/* StrictModes on: user files with lax permissions are refused (enforced elsewhere). */
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/* The rhosts/host-based family is off by default; key-based auth is on. */
	if (options->rhosts_authentication == -1)
		options->rhosts_authentication = 0;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->hostbased_uses_name_from_packet_only == -1)
		options->hostbased_uses_name_from_packet_only = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
#ifdef GSSAPI
	/*
	 * NOTE(review): when GSSAPI support is compiled in, both GSSAPI
	 * authentication and GSSAPI key exchange are enabled unless the
	 * config turns them off. Sites without a Kerberos realm may
	 * prefer GSSAPIAuthentication/GSSAPIKeyExchange "no".
	 */
	if (options->gss_authentication == -1)
		options->gss_authentication = 1;
	if (options->gss_keyex == -1)
		options->gss_keyex =1;
	if (options->gss_use_session_ccache == -1)
		options->gss_use_session_ccache = 1;
	if (options->gss_cleanup_creds == -1)
		options->gss_cleanup_creds = 1;
#endif
#if defined(KRB4) || defined(KRB5)
	/* Plain Kerberos password authentication stays off unless requested. */
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 0;
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
#endif
#if defined(AFS) || defined(KRB5)
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 0;
#endif
#ifdef AFS
	if (options->afs_token_passing == -1)
		options->afs_token_passing = 0;
#endif
	/*
	 * NOTE(review): password and challenge/response authentication
	 * are on by default; empty passwords are not accepted.
	 */
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 0;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	/* User-supplied environment (authorized_keys / ~/.ssh/environment) is ignored by default. */
	if (options->permit_user_env == -1)
		options->permit_user_env = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	if (options->compression == -1)
		options->compression = 1;
	/* TCP forwarding is allowed; binding forwarded ports to non-loopback is not. */
	if (options->allow_tcp_forwarding == -1)
		options->allow_tcp_forwarding = 1;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	/*
	 * MaxStartups default is "10" with no random-drop window:
	 * begin == max and rate 100%. How the three values are applied
	 * to pending connections is decided in sshd.c, not here.
	 */
	if (options->max_startups == -1)
		options->max_startups = 10;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = 100;		/* 100% */
	if (options->max_startups_begin == -1)
		options->max_startups_begin = options->max_startups;
	if (options->verify_reverse_mapping == -1)
		options->verify_reverse_mapping = 0;
	/* Interval 0 presumably disables client-alive probes -- confirm in serverloop. */
	if (options->client_alive_interval == -1)
		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	if (use_privsep == -1)
		use_privsep = 1;

#ifndef HAVE_MMAP
	/*
	 * Without mmap() the two cannot coexist on this platform; privsep
	 * is kept (it is the security feature) and compression is dropped.
	 */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
289
/*
 * Keyword tokens.
 *
 * One opcode per sshd_config keyword. parse_token() maps a keyword
 * string to its opcode via the keywords[] table below, and
 * process_server_config_line() switches on it. Opcodes inside #ifdef
 * blocks only exist when the corresponding feature is compiled in, so
 * their keywords are rejected as unknown in other builds.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sPAMAuthenticationViaKbdInt,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#ifdef GSSAPI
	sGssAuthentication, sGssKeyEx, sGssUseSessionCredCache, sGssCleanupCreds,
#endif
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,
	/* Keyword still accepted, but logged and its arguments discarded. */
	sDeprecated
} ServerOpCodes;
326
/*
 * Textual representation of the tokens.
 *
 * Looked up by parse_token() with strcasecmp(), so the lower-case
 * spelling here matches any capitalisation in sshd_config. Several
 * names map onto one opcode: the "alias" entries are older spellings
 * kept for compatibility, and "checkmail" is accepted only to be
 * reported as deprecated. The NULL entry terminates the scan.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },					/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },			/* alias */
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication },
	{ "gssapikeyexchange", sGssKeyEx },
	/* Two spellings of the same option. */
	{ "gssusesessionccache", sGssUseSessionCredCache },
	{ "gssapiusesessioncredcache", sGssUseSessionCredCache },
	{ "gssapicleanupcreds", sGssCleanupCreds },
#endif
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "verifyreversemapping", sVerifyReverseMapping },
	{ "reversemappingcheck", sVerifyReverseMapping },
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ NULL, sBadOption }
};
411
412/*
413 * Returns the number of the token pointed to by cp or sBadOption.
414 */
415
416static ServerOpCodes
417parse_token(const char *cp, const char *filename,
418 int linenum)
419{
420 u_int i;
421
422 for (i = 0; keywords[i].name; i++)
423 if (strcasecmp(cp, keywords[i].name) == 0)
424 return keywords[i].opcode;
425
426 error("%s: line %d: Bad configuration option: %s",
427 filename, linenum, cp);
428 return sBadOption;
429}
430
/*
 * Registers a ListenAddress entry.
 *
 * addr may be NULL (wildcard). A port of 0 means "every configured
 * Port", so one entry expands to one listener per port; if no Port
 * directive was seen yet, the default port is installed first.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	/* An explicit port binds just that one. */
	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}

	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
444
/*
 * Resolves one address/port pair and prepends the result to
 * options->listen_addrs.
 *
 * A NULL addr is resolved with AI_PASSIVE, i.e. the wildcard address
 * for the configured family (IPv4or6), so the daemon will bind every
 * interface. Resolution failure is fatal: a ListenAddress that cannot
 * be bound is treated as a configuration error, not skipped.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *head, *tail;
	char portstr[NI_MAXSERV];
	int err;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	snprintf(portstr, sizeof portstr, "%u", port);

	err = getaddrinfo(addr, portstr, &hints, &head);
	if (err != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(err));

	/* Walk to the end of the new list and splice the old one after it. */
	tail = head;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = head;
}
466
e9a17296 467int
468process_server_config_line(ServerOptions *options, char *line,
469 const char *filename, int linenum)
3c0ef626 470{
3c0ef626 471 char *cp, **charptr, *arg, *p;
680cee3b 472 int *intptr, value, i, n;
3c0ef626 473 ServerOpCodes opcode;
3c0ef626 474
e9a17296 475 cp = line;
476 arg = strdelim(&cp);
477 /* Ignore leading whitespace */
478 if (*arg == '\0')
3c0ef626 479 arg = strdelim(&cp);
e9a17296 480 if (!arg || !*arg || *arg == '#')
481 return 0;
482 intptr = NULL;
483 charptr = NULL;
484 opcode = parse_token(arg, filename, linenum);
485 switch (opcode) {
486 /* Portable-specific options */
487 case sPAMAuthenticationViaKbdInt:
488 intptr = &options->pam_authentication_via_kbd_int;
489 goto parse_flag;
3c0ef626 490
e9a17296 491 /* Standard Options */
492 case sBadOption:
493 return -1;
494 case sPort:
495 /* ignore ports from configfile if cmdline specifies ports */
496 if (options->ports_from_cmdline)
497 return 0;
498 if (options->listen_addrs != NULL)
499 fatal("%s line %d: ports must be specified before "
500 "ListenAddress.", filename, linenum);
501 if (options->num_ports >= MAX_PORTS)
502 fatal("%s line %d: too many ports.",
503 filename, linenum);
504 arg = strdelim(&cp);
505 if (!arg || *arg == '\0')
506 fatal("%s line %d: missing port number.",
507 filename, linenum);
508 options->ports[options->num_ports++] = a2port(arg);
509 if (options->ports[options->num_ports-1] == 0)
510 fatal("%s line %d: Badly formatted port number.",
511 filename, linenum);
512 break;
513
514 case sServerKeyBits:
515 intptr = &options->server_key_bits;
3c0ef626 516parse_int:
e9a17296 517 arg = strdelim(&cp);
518 if (!arg || *arg == '\0')
519 fatal("%s line %d: missing integer value.",
520 filename, linenum);
521 value = atoi(arg);
522 if (*intptr == -1)
523 *intptr = value;
524 break;
525
526 case sLoginGraceTime:
527 intptr = &options->login_grace_time;
3c0ef626 528parse_time:
e9a17296 529 arg = strdelim(&cp);
530 if (!arg || *arg == '\0')
531 fatal("%s line %d: missing time value.",
532 filename, linenum);
533 if ((value = convtime(arg)) == -1)
534 fatal("%s line %d: invalid time value.",
535 filename, linenum);
536 if (*intptr == -1)
537 *intptr = value;
538 break;
539
540 case sKeyRegenerationTime:
541 intptr = &options->key_regeneration_time;
542 goto parse_time;
543
544 case sListenAddress:
545 arg = strdelim(&cp);
546 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
547 fatal("%s line %d: missing inet addr.",
548 filename, linenum);
549 if (*arg == '[') {
550 if ((p = strchr(arg, ']')) == NULL)
551 fatal("%s line %d: bad ipv6 inet addr usage.",
3c0ef626 552 filename, linenum);
e9a17296 553 arg++;
554 memmove(p, p+1, strlen(p+1)+1);
555 } else if (((p = strchr(arg, ':')) == NULL) ||
556 (strchr(p+1, ':') != NULL)) {
557 add_listen_addr(options, arg, 0);
3c0ef626 558 break;
e9a17296 559 }
560 if (*p == ':') {
561 u_short port;
3c0ef626 562
e9a17296 563 p++;
564 if (*p == '\0')
565 fatal("%s line %d: bad inet addr:port usage.",
3c0ef626 566 filename, linenum);
e9a17296 567 else {
568 *(p-1) = '\0';
569 if ((port = a2port(p)) == 0)
570 fatal("%s line %d: bad port number.",
3c0ef626 571 filename, linenum);
e9a17296 572 add_listen_addr(options, arg, port);
3c0ef626 573 }
e9a17296 574 } else if (*p == '\0')
575 add_listen_addr(options, arg, 0);
576 else
577 fatal("%s line %d: bad inet addr usage.",
578 filename, linenum);
579 break;
580
581 case sHostKeyFile:
582 intptr = &options->num_host_key_files;
583 if (*intptr >= MAX_HOSTKEYS)
584 fatal("%s line %d: too many host keys specified (max %d).",
585 filename, linenum, MAX_HOSTKEYS);
586 charptr = &options->host_key_files[*intptr];
3c0ef626 587parse_filename:
e9a17296 588 arg = strdelim(&cp);
589 if (!arg || *arg == '\0')
590 fatal("%s line %d: missing file name.",
591 filename, linenum);
592 if (*charptr == NULL) {
593 *charptr = tilde_expand_filename(arg, getuid());
594 /* increase optional counter */
595 if (intptr != NULL)
596 *intptr = *intptr + 1;
597 }
598 break;
3c0ef626 599
e9a17296 600 case sPidFile:
601 charptr = &options->pid_file;
602 goto parse_filename;
3c0ef626 603
e9a17296 604 case sPermitRootLogin:
605 intptr = &options->permit_root_login;
606 arg = strdelim(&cp);
607 if (!arg || *arg == '\0')
608 fatal("%s line %d: missing yes/"
609 "without-password/forced-commands-only/no "
610 "argument.", filename, linenum);
611 value = 0; /* silence compiler */
612 if (strcmp(arg, "without-password") == 0)
613 value = PERMIT_NO_PASSWD;
614 else if (strcmp(arg, "forced-commands-only") == 0)
615 value = PERMIT_FORCED_ONLY;
616 else if (strcmp(arg, "yes") == 0)
617 value = PERMIT_YES;
618 else if (strcmp(arg, "no") == 0)
619 value = PERMIT_NO;
620 else
621 fatal("%s line %d: Bad yes/"
622 "without-password/forced-commands-only/no "
623 "argument: %s", filename, linenum, arg);
624 if (*intptr == -1)
625 *intptr = value;
626 break;
627
628 case sIgnoreRhosts:
629 intptr = &options->ignore_rhosts;
3c0ef626 630parse_flag:
e9a17296 631 arg = strdelim(&cp);
632 if (!arg || *arg == '\0')
633 fatal("%s line %d: missing yes/no argument.",
634 filename, linenum);
635 value = 0; /* silence compiler */
636 if (strcmp(arg, "yes") == 0)
637 value = 1;
638 else if (strcmp(arg, "no") == 0)
639 value = 0;
640 else
641 fatal("%s line %d: Bad yes/no argument: %s",
642 filename, linenum, arg);
643 if (*intptr == -1)
644 *intptr = value;
645 break;
646
647 case sIgnoreUserKnownHosts:
648 intptr = &options->ignore_user_known_hosts;
649 goto parse_flag;
650
651 case sRhostsAuthentication:
652 intptr = &options->rhosts_authentication;
653 goto parse_flag;
654
655 case sRhostsRSAAuthentication:
656 intptr = &options->rhosts_rsa_authentication;
657 goto parse_flag;
658
659 case sHostbasedAuthentication:
660 intptr = &options->hostbased_authentication;
661 goto parse_flag;
662
663 case sHostbasedUsesNameFromPacketOnly:
664 intptr = &options->hostbased_uses_name_from_packet_only;
665 goto parse_flag;
666
667 case sRSAAuthentication:
668 intptr = &options->rsa_authentication;
669 goto parse_flag;
670
671 case sPubkeyAuthentication:
672 intptr = &options->pubkey_authentication;
673 goto parse_flag;
c0fc5818 674#ifdef GSSAPI
675 case sGssAuthentication:
676 intptr = &options->gss_authentication;
677 goto parse_flag;
678 case sGssKeyEx:
679 intptr = &options->gss_keyex;
680 goto parse_flag;
681 case sGssUseSessionCredCache:
682 intptr = &options->gss_use_session_ccache;
683 goto parse_flag;
684 case sGssCleanupCreds:
685 intptr = &options->gss_cleanup_creds;
686 goto parse_flag;
687#endif
e9a17296 688#if defined(KRB4) || defined(KRB5)
689 case sKerberosAuthentication:
690 intptr = &options->kerberos_authentication;
691 goto parse_flag;
3c0ef626 692
e9a17296 693 case sKerberosOrLocalPasswd:
694 intptr = &options->kerberos_or_local_passwd;
695 goto parse_flag;
3c0ef626 696
e9a17296 697 case sKerberosTicketCleanup:
698 intptr = &options->kerberos_ticket_cleanup;
699 goto parse_flag;
700#endif
701#if defined(AFS) || defined(KRB5)
702 case sKerberosTgtPassing:
703 intptr = &options->kerberos_tgt_passing;
704 goto parse_flag;
705#endif
706#ifdef AFS
707 case sAFSTokenPassing:
708 intptr = &options->afs_token_passing;
709 goto parse_flag;
710#endif
3c0ef626 711
e9a17296 712 case sPasswordAuthentication:
713 intptr = &options->password_authentication;
714 goto parse_flag;
3c0ef626 715
e9a17296 716 case sKbdInteractiveAuthentication:
717 intptr = &options->kbd_interactive_authentication;
718 goto parse_flag;
3c0ef626 719
e9a17296 720 case sChallengeResponseAuthentication:
721 intptr = &options->challenge_response_authentication;
722 goto parse_flag;
3c0ef626 723
e9a17296 724 case sPrintMotd:
725 intptr = &options->print_motd;
726 goto parse_flag;
3c0ef626 727
e9a17296 728 case sPrintLastLog:
729 intptr = &options->print_lastlog;
730 goto parse_flag;
3c0ef626 731
e9a17296 732 case sX11Forwarding:
733 intptr = &options->x11_forwarding;
734 goto parse_flag;
3c0ef626 735
e9a17296 736 case sX11DisplayOffset:
737 intptr = &options->x11_display_offset;
738 goto parse_int;
3c0ef626 739
e9a17296 740 case sX11UseLocalhost:
741 intptr = &options->x11_use_localhost;
742 goto parse_flag;
3c0ef626 743
e9a17296 744 case sXAuthLocation:
745 charptr = &options->xauth_location;
746 goto parse_filename;
3c0ef626 747
e9a17296 748 case sStrictModes:
749 intptr = &options->strict_modes;
750 goto parse_flag;
3c0ef626 751
e9a17296 752 case sKeepAlives:
753 intptr = &options->keepalives;
754 goto parse_flag;
3c0ef626 755
e9a17296 756 case sEmptyPasswd:
757 intptr = &options->permit_empty_passwd;
758 goto parse_flag;
3c0ef626 759
41b2f314 760 case sPermitUserEnvironment:
761 intptr = &options->permit_user_env;
762 goto parse_flag;
763
e9a17296 764 case sUseLogin:
765 intptr = &options->use_login;
766 goto parse_flag;
3c0ef626 767
f5799ae1 768 case sCompression:
769 intptr = &options->compression;
770 goto parse_flag;
771
e9a17296 772 case sGatewayPorts:
773 intptr = &options->gateway_ports;
774 goto parse_flag;
3c0ef626 775
e9a17296 776 case sVerifyReverseMapping:
777 intptr = &options->verify_reverse_mapping;
778 goto parse_flag;
3c0ef626 779
e9a17296 780 case sLogFacility:
781 intptr = (int *) &options->log_facility;
782 arg = strdelim(&cp);
783 value = log_facility_number(arg);
784 if (value == SYSLOG_FACILITY_NOT_SET)
785 fatal("%.200s line %d: unsupported log facility '%s'",
786 filename, linenum, arg ? arg : "<NONE>");
787 if (*intptr == -1)
788 *intptr = (SyslogFacility) value;
789 break;
790
791 case sLogLevel:
792 intptr = (int *) &options->log_level;
793 arg = strdelim(&cp);
794 value = log_level_number(arg);
795 if (value == SYSLOG_LEVEL_NOT_SET)
796 fatal("%.200s line %d: unsupported log level '%s'",
797 filename, linenum, arg ? arg : "<NONE>");
798 if (*intptr == -1)
799 *intptr = (LogLevel) value;
800 break;
801
802 case sAllowTcpForwarding:
803 intptr = &options->allow_tcp_forwarding;
804 goto parse_flag;
805
700318f3 806 case sUsePrivilegeSeparation:
807 intptr = &use_privsep;
808 goto parse_flag;
809
e9a17296 810 case sAllowUsers:
811 while ((arg = strdelim(&cp)) && *arg != '\0') {
812 if (options->num_allow_users >= MAX_ALLOW_USERS)
813 fatal("%s line %d: too many allow users.",
814 filename, linenum);
680cee3b 815 options->allow_users[options->num_allow_users++] =
816 xstrdup(arg);
e9a17296 817 }
818 break;
3c0ef626 819
e9a17296 820 case sDenyUsers:
821 while ((arg = strdelim(&cp)) && *arg != '\0') {
822 if (options->num_deny_users >= MAX_DENY_USERS)
823 fatal( "%s line %d: too many deny users.",
824 filename, linenum);
680cee3b 825 options->deny_users[options->num_deny_users++] =
826 xstrdup(arg);
e9a17296 827 }
828 break;
3c0ef626 829
e9a17296 830 case sAllowGroups:
831 while ((arg = strdelim(&cp)) && *arg != '\0') {
832 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
833 fatal("%s line %d: too many allow groups.",
834 filename, linenum);
680cee3b 835 options->allow_groups[options->num_allow_groups++] =
836 xstrdup(arg);
e9a17296 837 }
838 break;
3c0ef626 839
e9a17296 840 case sDenyGroups:
841 while ((arg = strdelim(&cp)) && *arg != '\0') {
842 if (options->num_deny_groups >= MAX_DENY_GROUPS)
843 fatal("%s line %d: too many deny groups.",
844 filename, linenum);
845 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
846 }
847 break;
848
849 case sCiphers:
850 arg = strdelim(&cp);
851 if (!arg || *arg == '\0')
852 fatal("%s line %d: Missing argument.", filename, linenum);
853 if (!ciphers_valid(arg))
854 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
855 filename, linenum, arg ? arg : "<NONE>");
856 if (options->ciphers == NULL)
857 options->ciphers = xstrdup(arg);
858 break;
859
860 case sMacs:
861 arg = strdelim(&cp);
862 if (!arg || *arg == '\0')
863 fatal("%s line %d: Missing argument.", filename, linenum);
864 if (!mac_valid(arg))
865 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
866 filename, linenum, arg ? arg : "<NONE>");
867 if (options->macs == NULL)
868 options->macs = xstrdup(arg);
869 break;
870
871 case sProtocol:
872 intptr = &options->protocol;
873 arg = strdelim(&cp);
874 if (!arg || *arg == '\0')
875 fatal("%s line %d: Missing argument.", filename, linenum);
876 value = proto_spec(arg);
877 if (value == SSH_PROTO_UNKNOWN)
878 fatal("%s line %d: Bad protocol spec '%s'.",
879 filename, linenum, arg ? arg : "<NONE>");
880 if (*intptr == SSH_PROTO_UNKNOWN)
881 *intptr = value;
882 break;
883
884 case sSubsystem:
885 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
886 fatal("%s line %d: too many subsystems defined.",
887 filename, linenum);
888 }
889 arg = strdelim(&cp);
890 if (!arg || *arg == '\0')
891 fatal("%s line %d: Missing subsystem name.",
892 filename, linenum);
893 for (i = 0; i < options->num_subsystems; i++)
894 if (strcmp(arg, options->subsystem_name[i]) == 0)
895 fatal("%s line %d: Subsystem '%s' already defined.",
896 filename, linenum, arg);
897 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
898 arg = strdelim(&cp);
899 if (!arg || *arg == '\0')
900 fatal("%s line %d: Missing subsystem command.",
901 filename, linenum);
902 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
903 options->num_subsystems++;
904 break;
905
906 case sMaxStartups:
907 arg = strdelim(&cp);
908 if (!arg || *arg == '\0')
909 fatal("%s line %d: Missing MaxStartups spec.",
910 filename, linenum);
911 if ((n = sscanf(arg, "%d:%d:%d",
912 &options->max_startups_begin,
913 &options->max_startups_rate,
914 &options->max_startups)) == 3) {
915 if (options->max_startups_begin >
916 options->max_startups ||
917 options->max_startups_rate > 100 ||
918 options->max_startups_rate < 1)
3c0ef626 919 fatal("%s line %d: Illegal MaxStartups spec.",
920 filename, linenum);
e9a17296 921 } else if (n != 1)
922 fatal("%s line %d: Illegal MaxStartups spec.",
923 filename, linenum);
924 else
925 options->max_startups = options->max_startups_begin;
926 break;
927
928 case sBanner:
929 charptr = &options->banner;
930 goto parse_filename;
931 /*
932 * These options can contain %X options expanded at
933 * connect time, so that you can specify paths like:
934 *
935 * AuthorizedKeysFile /etc/ssh_keys/%u
936 */
937 case sAuthorizedKeysFile:
938 case sAuthorizedKeysFile2:
939 charptr = (opcode == sAuthorizedKeysFile ) ?
940 &options->authorized_keys_file :
941 &options->authorized_keys_file2;
942 goto parse_filename;
943
944 case sClientAliveInterval:
945 intptr = &options->client_alive_interval;
946 goto parse_time;
947
948 case sClientAliveCountMax:
949 intptr = &options->client_alive_count_max;
950 goto parse_int;
951
952 case sDeprecated:
953 log("%s line %d: Deprecated option %s",
954 filename, linenum, arg);
955 while (arg)
956 arg = strdelim(&cp);
957 break;
958
959 default:
960 fatal("%s line %d: Missing handler for opcode %s (%d)",
961 filename, linenum, arg, opcode);
962 }
963 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
964 fatal("%s line %d: garbage at end of line; \"%.200s\".",
965 filename, linenum, arg);
966 return 0;
967}
3c0ef626 968
e9a17296 969/* Reads the server configuration file. */
3c0ef626 970
e9a17296 971void
972read_server_config(ServerOptions *options, const char *filename)
973{
680cee3b 974 int linenum, bad_options = 0;
e9a17296 975 char line[1024];
680cee3b 976 FILE *f;
e9a17296 977
6a9b3198 978 debug2("read_server_config: filename %s", filename);
e9a17296 979 f = fopen(filename, "r");
980 if (!f) {
981 perror(filename);
982 exit(1);
983 }
984 linenum = 0;
985 while (fgets(line, sizeof(line), f)) {
986 /* Update line number counter. */
987 linenum++;
988 if (process_server_config_line(options, line, filename, linenum) != 0)
989 bad_options++;
3c0ef626 990 }
991 fclose(f);
992 if (bad_options > 0)
993 fatal("%s: terminating, %d bad configuration options",
994 filename, bad_options);
995}