]> andersk Git - gssapi-openssh.git/blame - openssh/servconf.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merged hpn13v5 to trunk.
[gssapi-openssh.git] / openssh / servconf.c
CommitLineData
5156b1a1 1/* $OpenBSD: servconf.c,v 1.186 2008/07/04 03:44:59 djm Exp $ */
3c0ef626 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
5 *
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
11 */
12
13#include "includes.h"
3c0ef626 14
30460aeb 15#include <sys/types.h>
16#include <sys/socket.h>
17
18#include <netdb.h>
19#include <pwd.h>
20#include <stdio.h>
21#include <stdlib.h>
22#include <string.h>
23#include <signal.h>
24#include <unistd.h>
25#include <stdarg.h>
5156b1a1 26#include <errno.h>
30460aeb 27
5156b1a1 28#include "openbsd-compat/sys-queue.h"
30460aeb 29#include "xmalloc.h"
3c0ef626 30#include "ssh.h"
31#include "log.h"
30460aeb 32#include "buffer.h"
3c0ef626 33#include "servconf.h"
3c0ef626 34#include "compat.h"
35#include "pathnames.h"
3c0ef626 36#include "misc.h"
37#include "cipher.h"
30460aeb 38#include "key.h"
3c0ef626 39#include "kex.h"
40#include "mac.h"
30460aeb 41#include "match.h"
42#include "channels.h"
43#include "groupaccess.h"
3c0ef626 44
45static void add_listen_addr(ServerOptions *, char *, u_short);
46static void add_one_listen_addr(ServerOptions *, char *, u_short);
47
350391c5 48/* Use of privilege separation or not */
49extern int use_privsep;
30460aeb 50extern Buffer cfg;
3c0ef626 51
52/* Initializes the server options to their default values. */
53
54void
55initialize_server_options(ServerOptions *options)
56{
57 memset(options, 0, sizeof(*options));
58
59 /* Portable-specific options */
7cac2b65 60 options->use_pam = -1;
3c0ef626 61
62 /* Standard Options */
63 options->num_ports = 0;
64 options->ports_from_cmdline = 0;
65 options->listen_addrs = NULL;
dfddba3d 66 options->address_family = -1;
3c0ef626 67 options->num_host_key_files = 0;
68 options->pid_file = NULL;
69 options->server_key_bits = -1;
70 options->login_grace_time = -1;
71 options->key_regeneration_time = -1;
72 options->permit_root_login = PERMIT_NOT_SET;
73 options->ignore_rhosts = -1;
74 options->ignore_user_known_hosts = -1;
75 options->print_motd = -1;
76 options->print_lastlog = -1;
77 options->x11_forwarding = -1;
78 options->x11_display_offset = -1;
e9702f7d 79 options->x11_use_localhost = -1;
3c0ef626 80 options->xauth_location = NULL;
81 options->strict_modes = -1;
540d72c3 82 options->tcp_keep_alive = -1;
e9702f7d 83 options->log_facility = SYSLOG_FACILITY_NOT_SET;
84 options->log_level = SYSLOG_LEVEL_NOT_SET;
3c0ef626 85 options->rhosts_rsa_authentication = -1;
86 options->hostbased_authentication = -1;
87 options->hostbased_uses_name_from_packet_only = -1;
88 options->rsa_authentication = -1;
89 options->pubkey_authentication = -1;
3c0ef626 90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
75be3237 93#ifdef SESSION_HOOKS
94 options->session_hooks_allow = -1;
95 options->session_hooks_startup_cmd = NULL;
96 options->session_hooks_shutdown_cmd = NULL;
3c0ef626 97#endif
540d72c3 98 options->kerberos_get_afs_token = -1;
05ed7e1e 99 options->gss_authentication = -1;
100 options->gss_deleg_creds = -1;
fe4ad273 101 options->gss_keyex = -1;
7cac2b65 102 options->gss_cleanup_creds = -1;
f713db99 103 options->gss_strict_acceptor = -1;
826a9049 104 options->gsi_allow_limited_proxy = -1;
3c0ef626 105 options->password_authentication = -1;
106 options->kbd_interactive_authentication = -1;
107 options->challenge_response_authentication = -1;
108 options->permit_empty_passwd = -1;
d03f4262 109 options->permit_user_env = -1;
3c0ef626 110 options->use_login = -1;
44a053a3 111 options->compression = -1;
3c0ef626 112 options->allow_tcp_forwarding = -1;
5156b1a1 113 options->allow_agent_forwarding = -1;
3c0ef626 114 options->num_allow_users = 0;
115 options->num_deny_users = 0;
116 options->num_allow_groups = 0;
117 options->num_deny_groups = 0;
118 options->ciphers = NULL;
119 options->macs = NULL;
120 options->protocol = SSH_PROTO_UNKNOWN;
121 options->gateway_ports = -1;
122 options->num_subsystems = 0;
123 options->max_startups_begin = -1;
124 options->max_startups_rate = -1;
125 options->max_startups = -1;
7e82606e 126 options->max_authtries = -1;
5156b1a1 127 options->max_sessions = -1;
3c0ef626 128 options->banner = NULL;
7cac2b65 129 options->use_dns = -1;
3c0ef626 130 options->client_alive_interval = -1;
131 options->client_alive_count_max = -1;
132 options->authorized_keys_file = NULL;
133 options->authorized_keys_file2 = NULL;
7e82606e 134 options->num_accept_env = 0;
08822d99 135 options->permit_tun = -1;
30460aeb 136 options->num_permitted_opens = -1;
137 options->adm_forced_command = NULL;
e74dc197 138 options->chroot_directory = NULL;
d3057ca4 139 options->none_enabled = -1;
140 options->tcp_rcv_buf_poll = -1;
141 options->hpn_disabled = -1;
142 options->hpn_buffer_size = -1;
3c0ef626 143}
144
145void
146fill_default_server_options(ServerOptions *options)
147{
d3057ca4 148 /* needed for hpn socket tests */
2d7c038e 149 int sock;
150 int socksize;
151 int socksizelen = sizeof(int);
a7213e65 152
3c0ef626 153 /* Portable-specific options */
7cac2b65 154 if (options->use_pam == -1)
29d88157 155 options->use_pam = 0;
3c0ef626 156
157 /* Standard Options */
158 if (options->protocol == SSH_PROTO_UNKNOWN)
159 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
160 if (options->num_host_key_files == 0) {
161 /* fill default hostkeys for protocols */
162 if (options->protocol & SSH_PROTO_1)
e9702f7d 163 options->host_key_files[options->num_host_key_files++] =
164 _PATH_HOST_KEY_FILE;
165 if (options->protocol & SSH_PROTO_2) {
166 options->host_key_files[options->num_host_key_files++] =
167 _PATH_HOST_RSA_KEY_FILE;
168 options->host_key_files[options->num_host_key_files++] =
169 _PATH_HOST_DSA_KEY_FILE;
170 }
3c0ef626 171 }
172 if (options->num_ports == 0)
173 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
174 if (options->listen_addrs == NULL)
175 add_listen_addr(options, NULL, 0);
176 if (options->pid_file == NULL)
177 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
178 if (options->server_key_bits == -1)
5156b1a1 179 options->server_key_bits = 1024;
3c0ef626 180 if (options->login_grace_time == -1)
d03f4262 181 options->login_grace_time = 120;
3c0ef626 182 if (options->key_regeneration_time == -1)
183 options->key_regeneration_time = 3600;
184 if (options->permit_root_login == PERMIT_NOT_SET)
185 options->permit_root_login = PERMIT_YES;
186 if (options->ignore_rhosts == -1)
187 options->ignore_rhosts = 1;
188 if (options->ignore_user_known_hosts == -1)
189 options->ignore_user_known_hosts = 0;
190 if (options->print_motd == -1)
191 options->print_motd = 1;
192 if (options->print_lastlog == -1)
193 options->print_lastlog = 1;
194 if (options->x11_forwarding == -1)
195 options->x11_forwarding = 0;
196 if (options->x11_display_offset == -1)
197 options->x11_display_offset = 10;
e9702f7d 198 if (options->x11_use_localhost == -1)
199 options->x11_use_localhost = 1;
3c0ef626 200 if (options->xauth_location == NULL)
201 options->xauth_location = _PATH_XAUTH;
3c0ef626 202 if (options->strict_modes == -1)
203 options->strict_modes = 1;
540d72c3 204 if (options->tcp_keep_alive == -1)
205 options->tcp_keep_alive = 1;
e9702f7d 206 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
3c0ef626 207 options->log_facility = SYSLOG_FACILITY_AUTH;
e9702f7d 208 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
3c0ef626 209 options->log_level = SYSLOG_LEVEL_INFO;
3c0ef626 210 if (options->rhosts_rsa_authentication == -1)
211 options->rhosts_rsa_authentication = 0;
212 if (options->hostbased_authentication == -1)
213 options->hostbased_authentication = 0;
214 if (options->hostbased_uses_name_from_packet_only == -1)
215 options->hostbased_uses_name_from_packet_only = 0;
216 if (options->rsa_authentication == -1)
217 options->rsa_authentication = 1;
218 if (options->pubkey_authentication == -1)
219 options->pubkey_authentication = 1;
7cac2b65 220 if (options->kerberos_authentication == -1)
221 options->kerberos_authentication = 0;
222 if (options->kerberos_or_local_passwd == -1)
223 options->kerberos_or_local_passwd = 1;
224 if (options->kerberos_ticket_cleanup == -1)
225 options->kerberos_ticket_cleanup = 1;
540d72c3 226 if (options->kerberos_get_afs_token == -1)
227 options->kerberos_get_afs_token = 0;
5598e598 228 if (options->gss_authentication == -1)
229 options->gss_authentication = 1;
05ed7e1e 230 if (options->gss_deleg_creds == -1)
231 options->gss_deleg_creds = 1;
5598e598 232 if (options->gss_keyex == -1)
7cac2b65 233 options->gss_keyex = 1;
5598e598 234 if (options->gss_cleanup_creds == -1)
235 options->gss_cleanup_creds = 1;
f713db99 236 if (options->gss_strict_acceptor == -1)
2d7c038e 237 options->gss_strict_acceptor = 1;
826a9049 238 if (options->gsi_allow_limited_proxy == -1)
239 options->gsi_allow_limited_proxy = 0;
3c0ef626 240 if (options->password_authentication == -1)
241 options->password_authentication = 1;
242 if (options->kbd_interactive_authentication == -1)
243 options->kbd_interactive_authentication = 0;
244 if (options->challenge_response_authentication == -1)
245 options->challenge_response_authentication = 1;
246 if (options->permit_empty_passwd == -1)
247 options->permit_empty_passwd = 0;
d03f4262 248 if (options->permit_user_env == -1)
249 options->permit_user_env = 0;
3c0ef626 250 if (options->use_login == -1)
251 options->use_login = 0;
44a053a3 252 if (options->compression == -1)
2ce0bfe4 253 options->compression = COMP_DELAYED;
3c0ef626 254 if (options->allow_tcp_forwarding == -1)
255 options->allow_tcp_forwarding = 1;
5156b1a1 256 if (options->allow_agent_forwarding == -1)
257 options->allow_agent_forwarding = 1;
3c0ef626 258 if (options->gateway_ports == -1)
259 options->gateway_ports = 0;
260 if (options->max_startups == -1)
261 options->max_startups = 10;
262 if (options->max_startups_rate == -1)
263 options->max_startups_rate = 100; /* 100% */
264 if (options->max_startups_begin == -1)
265 options->max_startups_begin = options->max_startups;
7e82606e 266 if (options->max_authtries == -1)
267 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
5156b1a1 268 if (options->max_sessions == -1)
269 options->max_sessions = DEFAULT_SESSIONS_MAX;
7cac2b65 270 if (options->use_dns == -1)
271 options->use_dns = 1;
3c0ef626 272 if (options->client_alive_interval == -1)
e9702f7d 273 options->client_alive_interval = 0;
3c0ef626 274 if (options->client_alive_count_max == -1)
275 options->client_alive_count_max = 3;
276 if (options->authorized_keys_file2 == NULL) {
277 /* authorized_keys_file2 falls back to authorized_keys_file */
278 if (options->authorized_keys_file != NULL)
279 options->authorized_keys_file2 = options->authorized_keys_file;
280 else
281 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
282 }
283 if (options->authorized_keys_file == NULL)
284 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
08822d99 285 if (options->permit_tun == -1)
286 options->permit_tun = SSH_TUNMODE_NO;
350391c5 287
a7213e65 288 if (options->hpn_disabled == -1)
289 options->hpn_disabled = 0;
290
6df46d40 291 if (options->hpn_buffer_size == -1) {
2d7c038e 292 /* option not explicitly set. Now we have to figure out */
293 /* what value to use */
6df46d40 294 if (options->hpn_disabled == 1) {
2d7c038e 295 options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
6df46d40 296 } else {
2d7c038e 297 /* get the current RCV size and set it to that */
298 /*create a socket but don't connect it */
299 /* we use that the get the rcv socket size */
300 sock = socket(AF_INET, SOCK_STREAM, 0);
301 getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
302 &socksize, &socksizelen);
303 close(sock);
304 options->hpn_buffer_size = socksize;
305 debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
306
307 }
6df46d40 308 } else {
2d7c038e 309 /* we have to do this incase the user sets both values in a contradictory */
310 /* manner. hpn_disabled overrrides hpn_buffer_size*/
d3057ca4 311 if (options->hpn_disabled <= 0) {
312 if (options->hpn_buffer_size == 0)
313 options->hpn_buffer_size = 1;
314 /* limit the maximum buffer to 64MB */
6df46d40 315 if (options->hpn_buffer_size > 64*1024) {
316 options->hpn_buffer_size = 64*1024*1024;
317 } else {
318 options->hpn_buffer_size *= 1024;
319 }
320 } else
321 options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
a7213e65 322 }
323
44a053a3 324 /* Turn privilege separation on by default */
350391c5 325 if (use_privsep == -1)
44a053a3 326 use_privsep = 1;
327
d03f4262 328#ifndef HAVE_MMAP
44a053a3 329 if (use_privsep && options->compression == 1) {
330 error("This platform does not support both privilege "
331 "separation and compression");
332 error("Compression disabled");
333 options->compression = 0;
334 }
335#endif
336
3c0ef626 337}
338
339/* Keyword tokens. */
340typedef enum {
341 sBadOption, /* == unknown option */
342 /* Portable-specific options */
7cac2b65 343 sUsePAM,
3c0ef626 344 /* Standard Options */
345 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
346 sPermitRootLogin, sLogFacility, sLogLevel,
7cac2b65 347 sRhostsRSAAuthentication, sRSAAuthentication,
3c0ef626 348 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
540d72c3 349 sKerberosGetAFSToken,
7cac2b65 350 sKerberosTgtPassing, sChallengeResponseAuthentication,
75be3237 351#ifdef SESSION_HOOKS
352 sAllowSessionHooks, sSessionHookStartupCmd, sSessionHookShutdownCmd,
3c0ef626 353#endif
dfddba3d 354 sPasswordAuthentication, sKbdInteractiveAuthentication,
355 sListenAddress, sAddressFamily,
3c0ef626 356 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e9702f7d 357 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
540d72c3 358 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
d03f4262 359 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
3c0ef626 360 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
361 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
7e82606e 362 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
5156b1a1 363 sMaxStartups, sMaxAuthTries, sMaxSessions,
7cac2b65 364 sBanner, sUseDNS, sHostbasedAuthentication,
e9702f7d 365 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
3c0ef626 366 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
e74dc197 367 sGssAuthentication, sGssCleanupCreds,
05ed7e1e 368 sGssDelegateCreds,
e74dc197 369 sGssStrictAcceptor,
a7213e65 370 sGssKeyEx,
ae82558b 371 sGssCredsPath,
826a9049 372 sGsiAllowLimitedProxy,
f713db99 373 sAcceptEnv, sPermitTunnel,
e74dc197 374 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
5156b1a1 375 sUsePrivilegeSeparation, sAllowAgentForwarding,
d3057ca4 376 sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
7cac2b65 377 sDeprecated, sUnsupported
3c0ef626 378} ServerOpCodes;
379
30460aeb 380#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
381#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
382#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
383
3c0ef626 384/* Textual representation of the tokens. */
385static struct {
386 const char *name;
387 ServerOpCodes opcode;
30460aeb 388 u_int flags;
3c0ef626 389} keywords[] = {
390 /* Portable-specific options */
7cac2b65 391#ifdef USE_PAM
30460aeb 392 { "usepam", sUsePAM, SSHCFG_GLOBAL },
7cac2b65 393#else
30460aeb 394 { "usepam", sUnsupported, SSHCFG_GLOBAL },
7cac2b65 395#endif
30460aeb 396 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
3c0ef626 397 /* Standard Options */
30460aeb 398 { "port", sPort, SSHCFG_GLOBAL },
399 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
400 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
401 { "pidfile", sPidFile, SSHCFG_GLOBAL },
402 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
403 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
404 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
e74dc197 405 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
30460aeb 406 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
407 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
408 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
0b90ac93 409 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
410 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
30460aeb 411 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
0b90ac93 412 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
413 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
30460aeb 414 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
7cac2b65 415#ifdef KRB5
0b90ac93 416 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
30460aeb 417 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
418 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
540d72c3 419#ifdef USE_AFS
30460aeb 420 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
540d72c3 421#else
30460aeb 422 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
540d72c3 423#endif
7cac2b65 424#else
0b90ac93 425 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
30460aeb 426 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
427 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
428 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
7cac2b65 429#endif
30460aeb 430 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
431 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
5598e598 432#ifdef GSSAPI
0b90ac93 433 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
05ed7e1e 434 { "gssapidelegatecredentials", sGssDelegateCreds, SSHCFG_ALL },
30460aeb 435 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
f713db99 436 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
2d7c038e 437 { "gssapicredentialspath", sGssCredsPath, SSHCFG_GLOBAL },
f713db99 438 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
826a9049 439#ifdef GSI
30460aeb 440 { "gsiallowlimitedproxy", sGsiAllowLimitedProxy, SSHCFG_GLOBAL },
826a9049 441#endif
7cac2b65 442#else
0b90ac93 443 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
05ed7e1e 444 { "gssapidelegatecredentials", sUnsupported, SSHCFG_ALL },
30460aeb 445 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
f713db99 446 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
2d7c038e 447 { "gssapicredentialspath", sUnsupported, SSHCFG_GLOBAL },
f713db99 448 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
449#ifdef GSI
450 { "gsiallowlimitedproxy", sUnsupported, SSHCFG_GLOBAL },
451#endif
3c0ef626 452#endif
75be3237 453#ifdef SESSION_HOOKS
30460aeb 454 { "allowsessionhooks", sAllowSessionHooks, SSHCFG_GLOBAL },
455 { "sessionhookstartupcmd", sSessionHookStartupCmd, SSHCFG_GLOBAL },
456 { "sessionhookshutdowncmd", sSessionHookShutdownCmd, SSHCFG_GLOBAL },
75be3237 457#endif
0b90ac93 458 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
459 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
30460aeb 460 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
461 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
462 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
463 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
464 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
465 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
466 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
467 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
468 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
469 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
470 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
471 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
472 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
473 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
474 { "permitemptypasswords", sEmptyPasswd, SSHCFG_GLOBAL },
475 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
476 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
477 { "compression", sCompression, SSHCFG_GLOBAL },
478 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
479 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
480 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
5156b1a1 481 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
30460aeb 482 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
483 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
484 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
485 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
486 { "ciphers", sCiphers, SSHCFG_GLOBAL },
487 { "macs", sMacs, SSHCFG_GLOBAL },
488 { "protocol", sProtocol, SSHCFG_GLOBAL },
489 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
490 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
491 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
5156b1a1 492 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
493 { "maxsessions", sMaxSessions, SSHCFG_ALL },
0b90ac93 494 { "banner", sBanner, SSHCFG_ALL },
30460aeb 495 { "usedns", sUseDNS, SSHCFG_GLOBAL },
496 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
497 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
498 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
499 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
500 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
501 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
502 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
503 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
504 { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
505 { "match", sMatch, SSHCFG_ALL },
506 { "permitopen", sPermitOpen, SSHCFG_ALL },
507 { "forcecommand", sForceCommand, SSHCFG_ALL },
e74dc197 508 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
d3057ca4 509 { "noneenabled", sNoneEnabled },
510 { "hpndisabled", sHPNDisabled },
511 { "hpnbuffersize", sHPNBufferSize },
512 { "tcprcvbufpoll", sTcpRcvBufPoll },
30460aeb 513 { NULL, sBadOption, 0 }
3c0ef626 514};
515
5156b1a1 516static struct {
517 int val;
518 char *text;
519} tunmode_desc[] = {
520 { SSH_TUNMODE_NO, "no" },
521 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
522 { SSH_TUNMODE_ETHERNET, "ethernet" },
523 { SSH_TUNMODE_YES, "yes" },
524 { -1, NULL }
525};
526
3c0ef626 527/*
528 * Returns the number of the token pointed to by cp or sBadOption.
529 */
530
531static ServerOpCodes
532parse_token(const char *cp, const char *filename,
30460aeb 533 int linenum, u_int *flags)
3c0ef626 534{
535 u_int i;
536
537 for (i = 0; keywords[i].name; i++)
30460aeb 538 if (strcasecmp(cp, keywords[i].name) == 0) {
2d7c038e 539 debug ("Config token is %s", keywords[i].name);
30460aeb 540 *flags = keywords[i].flags;
541 return keywords[i].opcode;
542 }
543
3c0ef626 544 error("%s: line %d: Bad configuration option: %s",
545 filename, linenum, cp);
546 return sBadOption;
547}
548
549static void
550add_listen_addr(ServerOptions *options, char *addr, u_short port)
551{
2ce0bfe4 552 u_int i;
3c0ef626 553
554 if (options->num_ports == 0)
555 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
dfddba3d 556 if (options->address_family == -1)
557 options->address_family = AF_UNSPEC;
3c0ef626 558 if (port == 0)
559 for (i = 0; i < options->num_ports; i++)
560 add_one_listen_addr(options, addr, options->ports[i]);
561 else
562 add_one_listen_addr(options, addr, port);
563}
564
565static void
566add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
567{
568 struct addrinfo hints, *ai, *aitop;
569 char strport[NI_MAXSERV];
570 int gaierr;
571
572 memset(&hints, 0, sizeof(hints));
dfddba3d 573 hints.ai_family = options->address_family;
3c0ef626 574 hints.ai_socktype = SOCK_STREAM;
575 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
276b07a3 576 snprintf(strport, sizeof strport, "%u", port);
3c0ef626 577 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
578 fatal("bad addr or host: %s (%s)",
579 addr ? addr : "<NULL>",
e74dc197 580 ssh_gai_strerror(gaierr));
3c0ef626 581 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
582 ;
583 ai->ai_next = options->listen_addrs;
584 options->listen_addrs = aitop;
585}
586
30460aeb 587/*
588 * The strategy for the Match blocks is that the config file is parsed twice.
589 *
590 * The first time is at startup. activep is initialized to 1 and the
591 * directives in the global context are processed and acted on. Hitting a
592 * Match directive unsets activep and the directives inside the block are
593 * checked for syntax only.
594 *
595 * The second time is after a connection has been established but before
596 * authentication. activep is initialized to 2 and global config directives
597 * are ignored since they have already been processed. If the criteria in a
598 * Match block is met, activep is set and the subsequent directives
599 * processed and actioned until EOF or another Match block unsets it. Any
600 * options set are copied into the main server config.
601 *
602 * Potential additions/improvements:
603 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
604 *
605 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
606 * Match Address 192.168.0.*
607 * Tag trusted
608 * Match Group wheel
609 * Tag trusted
610 * Match Tag trusted
611 * AllowTcpForwarding yes
612 * GatewayPorts clientspecified
613 * [...]
614 *
615 * - Add a PermittedChannelRequests directive
616 * Match Group shell
617 * PermittedChannelRequests session,forwarded-tcpip
618 */
619
620static int
621match_cfg_line_group(const char *grps, int line, const char *user)
622{
623 int result = 0;
30460aeb 624 struct passwd *pw;
625
30460aeb 626 if (user == NULL)
627 goto out;
628
629 if ((pw = getpwnam(user)) == NULL) {
630 debug("Can't match group at line %d because user %.100s does "
631 "not exist", line, user);
632 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
633 debug("Can't Match group because user %.100s not in any group "
634 "at line %d", user, line);
5156b1a1 635 } else if (ga_match_pattern_list(grps) != 1) {
636 debug("user %.100s does not match group list %.100s at line %d",
637 user, grps, line);
30460aeb 638 } else {
5156b1a1 639 debug("user %.100s matched group list %.100s at line %d", user,
640 grps, line);
30460aeb 641 result = 1;
642 }
643out:
644 ga_free();
30460aeb 645 return result;
646}
647
648static int
649match_cfg_line(char **condition, int line, const char *user, const char *host,
650 const char *address)
651{
652 int result = 1;
653 char *arg, *attrib, *cp = *condition;
654 size_t len;
655
656 if (user == NULL)
657 debug3("checking syntax for 'Match %s'", cp);
658 else
659 debug3("checking match for '%s' user %s host %s addr %s", cp,
660 user ? user : "(null)", host ? host : "(null)",
661 address ? address : "(null)");
662
663 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
664 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
665 error("Missing Match criteria for %s", attrib);
666 return -1;
667 }
668 len = strlen(arg);
669 if (strcasecmp(attrib, "user") == 0) {
670 if (!user) {
671 result = 0;
672 continue;
673 }
674 if (match_pattern_list(user, arg, len, 0) != 1)
675 result = 0;
676 else
677 debug("user %.100s matched 'User %.100s' at "
678 "line %d", user, arg, line);
679 } else if (strcasecmp(attrib, "group") == 0) {
680 switch (match_cfg_line_group(arg, line, user)) {
681 case -1:
682 return -1;
683 case 0:
684 result = 0;
685 }
686 } else if (strcasecmp(attrib, "host") == 0) {
687 if (!host) {
688 result = 0;
689 continue;
690 }
691 if (match_hostname(host, arg, len) != 1)
692 result = 0;
693 else
694 debug("connection from %.100s matched 'Host "
695 "%.100s' at line %d", host, arg, line);
696 } else if (strcasecmp(attrib, "address") == 0) {
5156b1a1 697 switch (addr_match_list(address, arg)) {
698 case 1:
30460aeb 699 debug("connection from %.100s matched 'Address "
700 "%.100s' at line %d", address, arg, line);
5156b1a1 701 break;
702 case 0:
703 case -1:
704 result = 0;
705 break;
706 case -2:
707 return -1;
708 }
30460aeb 709 } else {
710 error("Unsupported Match attribute %s", attrib);
711 return -1;
712 }
713 }
714 if (user != NULL)
715 debug3("match %sfound", result ? "" : "not ");
716 *condition = cp;
717 return result;
718}
719
720#define WHITESPACE " \t\r\n"
721
e9702f7d 722int
723process_server_config_line(ServerOptions *options, char *line,
30460aeb 724 const char *filename, int linenum, int *activep, const char *user,
725 const char *host, const char *address)
3c0ef626 726{
3c0ef626 727 char *cp, **charptr, *arg, *p;
30460aeb 728 int cmdline = 0, *intptr, value, n;
e74dc197 729 SyslogFacility *log_facility_ptr;
730 LogLevel *log_level_ptr;
3c0ef626 731 ServerOpCodes opcode;
dfddba3d 732 u_short port;
30460aeb 733 u_int i, flags = 0;
734 size_t len;
3c0ef626 735
e9702f7d 736 cp = line;
30460aeb 737 if ((arg = strdelim(&cp)) == NULL)
738 return 0;
e9702f7d 739 /* Ignore leading whitespace */
740 if (*arg == '\0')
3c0ef626 741 arg = strdelim(&cp);
e9702f7d 742 if (!arg || !*arg || *arg == '#')
743 return 0;
744 intptr = NULL;
745 charptr = NULL;
30460aeb 746 opcode = parse_token(arg, filename, linenum, &flags);
747
748 if (activep == NULL) { /* We are processing a command line directive */
749 cmdline = 1;
750 activep = &cmdline;
751 }
752 if (*activep && opcode != sMatch)
753 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
754 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
755 if (user == NULL) {
756 fatal("%s line %d: Directive '%s' is not allowed "
757 "within a Match block", filename, linenum, arg);
758 } else { /* this is a directive we have already processed */
759 while (arg)
760 arg = strdelim(&cp);
761 return 0;
762 }
763 }
a7213e65 764
e9702f7d 765 switch (opcode) {
766 /* Portable-specific options */
7cac2b65 767 case sUsePAM:
768 intptr = &options->use_pam;
e9702f7d 769 goto parse_flag;
3c0ef626 770
e9702f7d 771 /* Standard Options */
772 case sBadOption:
773 return -1;
774 case sPort:
775 /* ignore ports from configfile if cmdline specifies ports */
776 if (options->ports_from_cmdline)
777 return 0;
778 if (options->listen_addrs != NULL)
779 fatal("%s line %d: ports must be specified before "
780 "ListenAddress.", filename, linenum);
781 if (options->num_ports >= MAX_PORTS)
782 fatal("%s line %d: too many ports.",
783 filename, linenum);
784 arg = strdelim(&cp);
785 if (!arg || *arg == '\0')
786 fatal("%s line %d: missing port number.",
787 filename, linenum);
788 options->ports[options->num_ports++] = a2port(arg);
789 if (options->ports[options->num_ports-1] == 0)
790 fatal("%s line %d: Badly formatted port number.",
791 filename, linenum);
792 break;
793
794 case sServerKeyBits:
795 intptr = &options->server_key_bits;
5156b1a1 796 parse_int:
e9702f7d 797 arg = strdelim(&cp);
798 if (!arg || *arg == '\0')
799 fatal("%s line %d: missing integer value.",
800 filename, linenum);
801 value = atoi(arg);
30460aeb 802 if (*activep && *intptr == -1)
e9702f7d 803 *intptr = value;
804 break;
805
806 case sLoginGraceTime:
807 intptr = &options->login_grace_time;
5156b1a1 808 parse_time:
e9702f7d 809 arg = strdelim(&cp);
810 if (!arg || *arg == '\0')
811 fatal("%s line %d: missing time value.",
812 filename, linenum);
813 if ((value = convtime(arg)) == -1)
814 fatal("%s line %d: invalid time value.",
815 filename, linenum);
816 if (*intptr == -1)
817 *intptr = value;
818 break;
819
820 case sKeyRegenerationTime:
821 intptr = &options->key_regeneration_time;
822 goto parse_time;
823
824 case sListenAddress:
825 arg = strdelim(&cp);
dfddba3d 826 if (arg == NULL || *arg == '\0')
827 fatal("%s line %d: missing address",
e9702f7d 828 filename, linenum);
2ce0bfe4 829 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
830 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
831 && strchr(p+1, ':') != NULL) {
832 add_listen_addr(options, arg, 0);
833 break;
834 }
dfddba3d 835 p = hpdelim(&arg);
836 if (p == NULL)
837 fatal("%s line %d: bad address:port usage",
e9702f7d 838 filename, linenum);
dfddba3d 839 p = cleanhostname(p);
840 if (arg == NULL)
841 port = 0;
842 else if ((port = a2port(arg)) == 0)
843 fatal("%s line %d: bad port number", filename, linenum);
844
845 add_listen_addr(options, p, port);
846
847 break;
848
849 case sAddressFamily:
850 arg = strdelim(&cp);
2ce0bfe4 851 if (!arg || *arg == '\0')
852 fatal("%s line %d: missing address family.",
853 filename, linenum);
dfddba3d 854 intptr = &options->address_family;
855 if (options->listen_addrs != NULL)
856 fatal("%s line %d: address family must be specified before "
857 "ListenAddress.", filename, linenum);
858 if (strcasecmp(arg, "inet") == 0)
859 value = AF_INET;
860 else if (strcasecmp(arg, "inet6") == 0)
861 value = AF_INET6;
862 else if (strcasecmp(arg, "any") == 0)
863 value = AF_UNSPEC;
864 else
865 fatal("%s line %d: unsupported address family \"%s\".",
866 filename, linenum, arg);
867 if (*intptr == -1)
868 *intptr = value;
e9702f7d 869 break;
870
871 case sHostKeyFile:
872 intptr = &options->num_host_key_files;
873 if (*intptr >= MAX_HOSTKEYS)
874 fatal("%s line %d: too many host keys specified (max %d).",
875 filename, linenum, MAX_HOSTKEYS);
876 charptr = &options->host_key_files[*intptr];
5156b1a1 877 parse_filename:
e9702f7d 878 arg = strdelim(&cp);
879 if (!arg || *arg == '\0')
880 fatal("%s line %d: missing file name.",
881 filename, linenum);
30460aeb 882 if (*activep && *charptr == NULL) {
e9702f7d 883 *charptr = tilde_expand_filename(arg, getuid());
884 /* increase optional counter */
885 if (intptr != NULL)
886 *intptr = *intptr + 1;
887 }
888 break;
3c0ef626 889
e9702f7d 890 case sPidFile:
891 charptr = &options->pid_file;
892 goto parse_filename;
3c0ef626 893
e9702f7d 894 case sPermitRootLogin:
895 intptr = &options->permit_root_login;
896 arg = strdelim(&cp);
897 if (!arg || *arg == '\0')
898 fatal("%s line %d: missing yes/"
899 "without-password/forced-commands-only/no "
900 "argument.", filename, linenum);
901 value = 0; /* silence compiler */
902 if (strcmp(arg, "without-password") == 0)
903 value = PERMIT_NO_PASSWD;
904 else if (strcmp(arg, "forced-commands-only") == 0)
905 value = PERMIT_FORCED_ONLY;
906 else if (strcmp(arg, "yes") == 0)
907 value = PERMIT_YES;
908 else if (strcmp(arg, "no") == 0)
909 value = PERMIT_NO;
910 else
911 fatal("%s line %d: Bad yes/"
912 "without-password/forced-commands-only/no "
913 "argument: %s", filename, linenum, arg);
e74dc197 914 if (*activep && *intptr == -1)
e9702f7d 915 *intptr = value;
916 break;
3c0ef626 917
e9702f7d 918 case sIgnoreRhosts:
919 intptr = &options->ignore_rhosts;
5156b1a1 920 parse_flag:
e9702f7d 921 arg = strdelim(&cp);
922 if (!arg || *arg == '\0')
923 fatal("%s line %d: missing yes/no argument.",
924 filename, linenum);
925 value = 0; /* silence compiler */
926 if (strcmp(arg, "yes") == 0)
927 value = 1;
928 else if (strcmp(arg, "no") == 0)
929 value = 0;
930 else
931 fatal("%s line %d: Bad yes/no argument: %s",
932 filename, linenum, arg);
30460aeb 933 if (*activep && *intptr == -1)
e9702f7d 934 *intptr = value;
935 break;
936
a7213e65 937 case sNoneEnabled:
938 intptr = &options->none_enabled;
939 goto parse_flag;
940
941 case sTcpRcvBufPoll:
942 intptr = &options->tcp_rcv_buf_poll;
943 goto parse_flag;
944
945 case sHPNDisabled:
946 intptr = &options->hpn_disabled;
947 goto parse_flag;
948
949 case sHPNBufferSize:
950 intptr = &options->hpn_buffer_size;
951 goto parse_int;
952
e9702f7d 953 case sIgnoreUserKnownHosts:
954 intptr = &options->ignore_user_known_hosts;
955 goto parse_flag;
956
e9702f7d 957 case sRhostsRSAAuthentication:
958 intptr = &options->rhosts_rsa_authentication;
959 goto parse_flag;
960
961 case sHostbasedAuthentication:
962 intptr = &options->hostbased_authentication;
963 goto parse_flag;
964
965 case sHostbasedUsesNameFromPacketOnly:
966 intptr = &options->hostbased_uses_name_from_packet_only;
967 goto parse_flag;
968
969 case sRSAAuthentication:
970 intptr = &options->rsa_authentication;
971 goto parse_flag;
972
973 case sPubkeyAuthentication:
974 intptr = &options->pubkey_authentication;
975 goto parse_flag;
7cac2b65 976
e9702f7d 977 case sKerberosAuthentication:
978 intptr = &options->kerberos_authentication;
979 goto parse_flag;
3c0ef626 980
e9702f7d 981 case sKerberosOrLocalPasswd:
982 intptr = &options->kerberos_or_local_passwd;
983 goto parse_flag;
3c0ef626 984
e9702f7d 985 case sKerberosTicketCleanup:
986 intptr = &options->kerberos_ticket_cleanup;
987 goto parse_flag;
7cac2b65 988
540d72c3 989 case sKerberosGetAFSToken:
990 intptr = &options->kerberos_get_afs_token;
991 goto parse_flag;
992
7cac2b65 993 case sGssAuthentication:
994 intptr = &options->gss_authentication;
e9702f7d 995 goto parse_flag;
7cac2b65 996
05ed7e1e 997 case sGssDelegateCreds:
998 intptr = &options->gss_deleg_creds;
999 goto parse_flag;
1000
7cac2b65 1001 case sGssKeyEx:
1002 intptr = &options->gss_keyex;
e9702f7d 1003 goto parse_flag;
7cac2b65 1004
7cac2b65 1005 case sGssCleanupCreds:
1006 intptr = &options->gss_cleanup_creds;
1007 goto parse_flag;
1008
f713db99 1009 case sGssStrictAcceptor:
1010 intptr = &options->gss_strict_acceptor;
ae82558b 1011 goto parse_flag;
f713db99 1012
2d7c038e 1013 case sGssCredsPath:
1014 charptr = &options->gss_creds_path;
1015 goto parse_filename;
1016
826a9049 1017 case sGsiAllowLimitedProxy:
1018 intptr = &options->gsi_allow_limited_proxy;
1019 goto parse_flag;
1020
75be3237 1021#ifdef SESSION_HOOKS
1022 case sAllowSessionHooks:
1023 intptr = &options->session_hooks_allow;
1024 goto parse_flag;
1025 case sSessionHookStartupCmd:
1026 case sSessionHookShutdownCmd:
1027 arg = strdelim(&cp);
1028 if (!arg || *arg == '\0')
1029 fatal("%s line %d: empty session hook command",
1030 filename, linenum);
1031 if (opcode==sSessionHookStartupCmd)
1032 options->session_hooks_startup_cmd = strdup(arg);
1033 else
1034 options->session_hooks_shutdown_cmd = strdup(arg);
1035 break;
1036#endif
7cac2b65 1037
e9702f7d 1038 case sPasswordAuthentication:
1039 intptr = &options->password_authentication;
1040 goto parse_flag;
3c0ef626 1041
e9702f7d 1042 case sKbdInteractiveAuthentication:
1043 intptr = &options->kbd_interactive_authentication;
1044 goto parse_flag;
3c0ef626 1045
e9702f7d 1046 case sChallengeResponseAuthentication:
1047 intptr = &options->challenge_response_authentication;
1048 goto parse_flag;
3c0ef626 1049
e9702f7d 1050 case sPrintMotd:
1051 intptr = &options->print_motd;
1052 goto parse_flag;
3c0ef626 1053
e9702f7d 1054 case sPrintLastLog:
1055 intptr = &options->print_lastlog;
1056 goto parse_flag;
3c0ef626 1057
e9702f7d 1058 case sX11Forwarding:
1059 intptr = &options->x11_forwarding;
1060 goto parse_flag;
3c0ef626 1061
e9702f7d 1062 case sX11DisplayOffset:
1063 intptr = &options->x11_display_offset;
1064 goto parse_int;
3c0ef626 1065
e9702f7d 1066 case sX11UseLocalhost:
1067 intptr = &options->x11_use_localhost;
1068 goto parse_flag;
3c0ef626 1069
e9702f7d 1070 case sXAuthLocation:
1071 charptr = &options->xauth_location;
1072 goto parse_filename;
3c0ef626 1073
e9702f7d 1074 case sStrictModes:
1075 intptr = &options->strict_modes;
1076 goto parse_flag;
3c0ef626 1077
540d72c3 1078 case sTCPKeepAlive:
1079 intptr = &options->tcp_keep_alive;
e9702f7d 1080 goto parse_flag;
3c0ef626 1081
e9702f7d 1082 case sEmptyPasswd:
1083 intptr = &options->permit_empty_passwd;
1084 goto parse_flag;
1085
d03f4262 1086 case sPermitUserEnvironment:
1087 intptr = &options->permit_user_env;
1088 goto parse_flag;
1089
e9702f7d 1090 case sUseLogin:
1091 intptr = &options->use_login;
1092 goto parse_flag;
1093
44a053a3 1094 case sCompression:
1095 intptr = &options->compression;
2ce0bfe4 1096 arg = strdelim(&cp);
1097 if (!arg || *arg == '\0')
1098 fatal("%s line %d: missing yes/no/delayed "
1099 "argument.", filename, linenum);
1100 value = 0; /* silence compiler */
1101 if (strcmp(arg, "delayed") == 0)
1102 value = COMP_DELAYED;
1103 else if (strcmp(arg, "yes") == 0)
1104 value = COMP_ZLIB;
1105 else if (strcmp(arg, "no") == 0)
1106 value = COMP_NONE;
1107 else
1108 fatal("%s line %d: Bad yes/no/delayed "
1109 "argument: %s", filename, linenum, arg);
1110 if (*intptr == -1)
1111 *intptr = value;
1112 break;
44a053a3 1113
e9702f7d 1114 case sGatewayPorts:
1115 intptr = &options->gateway_ports;
dfddba3d 1116 arg = strdelim(&cp);
1117 if (!arg || *arg == '\0')
1118 fatal("%s line %d: missing yes/no/clientspecified "
1119 "argument.", filename, linenum);
1120 value = 0; /* silence compiler */
1121 if (strcmp(arg, "clientspecified") == 0)
1122 value = 2;
1123 else if (strcmp(arg, "yes") == 0)
1124 value = 1;
1125 else if (strcmp(arg, "no") == 0)
1126 value = 0;
1127 else
1128 fatal("%s line %d: Bad yes/no/clientspecified "
1129 "argument: %s", filename, linenum, arg);
0b90ac93 1130 if (*activep && *intptr == -1)
dfddba3d 1131 *intptr = value;
1132 break;
e9702f7d 1133
7cac2b65 1134 case sUseDNS:
1135 intptr = &options->use_dns;
e9702f7d 1136 goto parse_flag;
1137
1138 case sLogFacility:
e74dc197 1139 log_facility_ptr = &options->log_facility;
e9702f7d 1140 arg = strdelim(&cp);
1141 value = log_facility_number(arg);
1142 if (value == SYSLOG_FACILITY_NOT_SET)
1143 fatal("%.200s line %d: unsupported log facility '%s'",
1144 filename, linenum, arg ? arg : "<NONE>");
e74dc197 1145 if (*log_facility_ptr == -1)
1146 *log_facility_ptr = (SyslogFacility) value;
e9702f7d 1147 break;
1148
1149 case sLogLevel:
e74dc197 1150 log_level_ptr = &options->log_level;
e9702f7d 1151 arg = strdelim(&cp);
1152 value = log_level_number(arg);
1153 if (value == SYSLOG_LEVEL_NOT_SET)
1154 fatal("%.200s line %d: unsupported log level '%s'",
1155 filename, linenum, arg ? arg : "<NONE>");
e74dc197 1156 if (*log_level_ptr == -1)
1157 *log_level_ptr = (LogLevel) value;
e9702f7d 1158 break;
1159
1160 case sAllowTcpForwarding:
1161 intptr = &options->allow_tcp_forwarding;
1162 goto parse_flag;
1163
5156b1a1 1164 case sAllowAgentForwarding:
1165 intptr = &options->allow_agent_forwarding;
1166 goto parse_flag;
1167
350391c5 1168 case sUsePrivilegeSeparation:
1169 intptr = &use_privsep;
1170 goto parse_flag;
1171
e9702f7d 1172 case sAllowUsers:
1173 while ((arg = strdelim(&cp)) && *arg != '\0') {
1174 if (options->num_allow_users >= MAX_ALLOW_USERS)
1175 fatal("%s line %d: too many allow users.",
3c0ef626 1176 filename, linenum);
276b07a3 1177 options->allow_users[options->num_allow_users++] =
1178 xstrdup(arg);
e9702f7d 1179 }
1180 break;
3c0ef626 1181
e9702f7d 1182 case sDenyUsers:
1183 while ((arg = strdelim(&cp)) && *arg != '\0') {
1184 if (options->num_deny_users >= MAX_DENY_USERS)
30460aeb 1185 fatal("%s line %d: too many deny users.",
e9702f7d 1186 filename, linenum);
276b07a3 1187 options->deny_users[options->num_deny_users++] =
1188 xstrdup(arg);
e9702f7d 1189 }
1190 break;
3c0ef626 1191
e9702f7d 1192 case sAllowGroups:
1193 while ((arg = strdelim(&cp)) && *arg != '\0') {
1194 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1195 fatal("%s line %d: too many allow groups.",
1196 filename, linenum);
276b07a3 1197 options->allow_groups[options->num_allow_groups++] =
1198 xstrdup(arg);
e9702f7d 1199 }
1200 break;
1201
1202 case sDenyGroups:
1203 while ((arg = strdelim(&cp)) && *arg != '\0') {
1204 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1205 fatal("%s line %d: too many deny groups.",
1206 filename, linenum);
1207 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
3c0ef626 1208 }
e9702f7d 1209 break;
1210
1211 case sCiphers:
1212 arg = strdelim(&cp);
1213 if (!arg || *arg == '\0')
1214 fatal("%s line %d: Missing argument.", filename, linenum);
1215 if (!ciphers_valid(arg))
1216 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1217 filename, linenum, arg ? arg : "<NONE>");
1218 if (options->ciphers == NULL)
1219 options->ciphers = xstrdup(arg);
1220 break;
1221
1222 case sMacs:
1223 arg = strdelim(&cp);
1224 if (!arg || *arg == '\0')
1225 fatal("%s line %d: Missing argument.", filename, linenum);
1226 if (!mac_valid(arg))
1227 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1228 filename, linenum, arg ? arg : "<NONE>");
1229 if (options->macs == NULL)
1230 options->macs = xstrdup(arg);
1231 break;
1232
1233 case sProtocol:
1234 intptr = &options->protocol;
1235 arg = strdelim(&cp);
1236 if (!arg || *arg == '\0')
1237 fatal("%s line %d: Missing argument.", filename, linenum);
1238 value = proto_spec(arg);
1239 if (value == SSH_PROTO_UNKNOWN)
1240 fatal("%s line %d: Bad protocol spec '%s'.",
1241 filename, linenum, arg ? arg : "<NONE>");
1242 if (*intptr == SSH_PROTO_UNKNOWN)
1243 *intptr = value;
1244 break;
1245
1246 case sSubsystem:
1247 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1248 fatal("%s line %d: too many subsystems defined.",
1249 filename, linenum);
1250 }
1251 arg = strdelim(&cp);
1252 if (!arg || *arg == '\0')
1253 fatal("%s line %d: Missing subsystem name.",
1254 filename, linenum);
30460aeb 1255 if (!*activep) {
1256 arg = strdelim(&cp);
1257 break;
1258 }
e9702f7d 1259 for (i = 0; i < options->num_subsystems; i++)
1260 if (strcmp(arg, options->subsystem_name[i]) == 0)
1261 fatal("%s line %d: Subsystem '%s' already defined.",
1262 filename, linenum, arg);
1263 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1264 arg = strdelim(&cp);
1265 if (!arg || *arg == '\0')
1266 fatal("%s line %d: Missing subsystem command.",
1267 filename, linenum);
1268 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
30460aeb 1269
1270 /* Collect arguments (separate to executable) */
1271 p = xstrdup(arg);
1272 len = strlen(p) + 1;
1273 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1274 len += 1 + strlen(arg);
1275 p = xrealloc(p, 1, len);
1276 strlcat(p, " ", len);
1277 strlcat(p, arg, len);
1278 }
1279 options->subsystem_args[options->num_subsystems] = p;
e9702f7d 1280 options->num_subsystems++;
1281 break;
1282
1283 case sMaxStartups:
1284 arg = strdelim(&cp);
1285 if (!arg || *arg == '\0')
1286 fatal("%s line %d: Missing MaxStartups spec.",
1287 filename, linenum);
1288 if ((n = sscanf(arg, "%d:%d:%d",
1289 &options->max_startups_begin,
1290 &options->max_startups_rate,
1291 &options->max_startups)) == 3) {
1292 if (options->max_startups_begin >
1293 options->max_startups ||
1294 options->max_startups_rate > 100 ||
1295 options->max_startups_rate < 1)
1296 fatal("%s line %d: Illegal MaxStartups spec.",
1297 filename, linenum);
1298 } else if (n != 1)
1299 fatal("%s line %d: Illegal MaxStartups spec.",
1300 filename, linenum);
1301 else
1302 options->max_startups = options->max_startups_begin;
1303 break;
1304
7e82606e 1305 case sMaxAuthTries:
1306 intptr = &options->max_authtries;
1307 goto parse_int;
1308
5156b1a1 1309 case sMaxSessions:
1310 intptr = &options->max_sessions;
1311 goto parse_int;
1312
e9702f7d 1313 case sBanner:
1314 charptr = &options->banner;
1315 goto parse_filename;
e74dc197 1316
e9702f7d 1317 /*
1318 * These options can contain %X options expanded at
1319 * connect time, so that you can specify paths like:
1320 *
1321 * AuthorizedKeysFile /etc/ssh_keys/%u
1322 */
1323 case sAuthorizedKeysFile:
1324 case sAuthorizedKeysFile2:
30460aeb 1325 charptr = (opcode == sAuthorizedKeysFile) ?
e9702f7d 1326 &options->authorized_keys_file :
1327 &options->authorized_keys_file2;
1328 goto parse_filename;
1329
1330 case sClientAliveInterval:
1331 intptr = &options->client_alive_interval;
1332 goto parse_time;
1333
1334 case sClientAliveCountMax:
1335 intptr = &options->client_alive_count_max;
1336 goto parse_int;
1337
7e82606e 1338 case sAcceptEnv:
1339 while ((arg = strdelim(&cp)) && *arg != '\0') {
1340 if (strchr(arg, '=') != NULL)
1341 fatal("%s line %d: Invalid environment name.",
1342 filename, linenum);
1343 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1344 fatal("%s line %d: too many allow env.",
1345 filename, linenum);
30460aeb 1346 if (!*activep)
1347 break;
7e82606e 1348 options->accept_env[options->num_accept_env++] =
1349 xstrdup(arg);
1350 }
1351 break;
1352
08822d99 1353 case sPermitTunnel:
1354 intptr = &options->permit_tun;
1355 arg = strdelim(&cp);
1356 if (!arg || *arg == '\0')
1357 fatal("%s line %d: Missing yes/point-to-point/"
1358 "ethernet/no argument.", filename, linenum);
5156b1a1 1359 value = -1;
1360 for (i = 0; tunmode_desc[i].val != -1; i++)
1361 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1362 value = tunmode_desc[i].val;
1363 break;
1364 }
1365 if (value == -1)
08822d99 1366 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1367 "no argument: %s", filename, linenum, arg);
1368 if (*intptr == -1)
1369 *intptr = value;
1370 break;
1371
30460aeb 1372 case sMatch:
1373 if (cmdline)
1374 fatal("Match directive not supported as a command-line "
1375 "option");
1376 value = match_cfg_line(&cp, linenum, user, host, address);
1377 if (value < 0)
1378 fatal("%s line %d: Bad Match condition", filename,
1379 linenum);
1380 *activep = value;
1381 break;
1382
1383 case sPermitOpen:
1384 arg = strdelim(&cp);
1385 if (!arg || *arg == '\0')
1386 fatal("%s line %d: missing PermitOpen specification",
1387 filename, linenum);
0b90ac93 1388 n = options->num_permitted_opens; /* modified later */
30460aeb 1389 if (strcmp(arg, "any") == 0) {
0b90ac93 1390 if (*activep && n == -1) {
30460aeb 1391 channel_clear_adm_permitted_opens();
1392 options->num_permitted_opens = 0;
1393 }
1394 break;
1395 }
0b90ac93 1396 if (*activep && n == -1)
1397 channel_clear_adm_permitted_opens();
30460aeb 1398 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1399 p = hpdelim(&arg);
1400 if (p == NULL)
1401 fatal("%s line %d: missing host in PermitOpen",
1402 filename, linenum);
1403 p = cleanhostname(p);
1404 if (arg == NULL || (port = a2port(arg)) == 0)
1405 fatal("%s line %d: bad port number in "
1406 "PermitOpen", filename, linenum);
0b90ac93 1407 if (*activep && n == -1)
30460aeb 1408 options->num_permitted_opens =
1409 channel_add_adm_permitted_opens(p, port);
30460aeb 1410 }
1411 break;
1412
1413 case sForceCommand:
1414 if (cp == NULL)
1415 fatal("%.200s line %d: Missing argument.", filename,
1416 linenum);
1417 len = strspn(cp, WHITESPACE);
1418 if (*activep && options->adm_forced_command == NULL)
1419 options->adm_forced_command = xstrdup(cp + len);
1420 return 0;
1421
e74dc197 1422 case sChrootDirectory:
1423 charptr = &options->chroot_directory;
1424
1425 arg = strdelim(&cp);
1426 if (!arg || *arg == '\0')
1427 fatal("%s line %d: missing file name.",
1428 filename, linenum);
1429 if (*activep && *charptr == NULL)
1430 *charptr = xstrdup(arg);
1431 break;
1432
e9702f7d 1433 case sDeprecated:
7cac2b65 1434 logit("%s line %d: Deprecated option %s",
1435 filename, linenum, arg);
1436 while (arg)
1437 arg = strdelim(&cp);
1438 break;
1439
1440 case sUnsupported:
1441 logit("%s line %d: Unsupported option %s",
e9702f7d 1442 filename, linenum, arg);
1443 while (arg)
1444 arg = strdelim(&cp);
1445 break;
1446
1447 default:
1448 fatal("%s line %d: Missing handler for opcode %s (%d)",
1449 filename, linenum, arg, opcode);
1450 }
1451 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1452 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1453 filename, linenum, arg);
1454 return 0;
1455}
1456
1457/* Reads the server configuration file. */
1458
1459void
7e82606e 1460load_server_config(const char *filename, Buffer *conf)
e9702f7d 1461{
7e82606e 1462 char line[1024], *cp;
276b07a3 1463 FILE *f;
e9702f7d 1464
7e82606e 1465 debug2("%s: filename %s", __func__, filename);
1466 if ((f = fopen(filename, "r")) == NULL) {
e9702f7d 1467 perror(filename);
1468 exit(1);
1469 }
7e82606e 1470 buffer_clear(conf);
e9702f7d 1471 while (fgets(line, sizeof(line), f)) {
7e82606e 1472 /*
1473 * Trim out comments and strip whitespace
1474 * NB - preserve newlines, they are needed to reproduce
1475 * line numbers later for error messages
1476 */
1477 if ((cp = strchr(line, '#')) != NULL)
1478 memcpy(cp, "\n", 2);
1479 cp = line + strspn(line, " \t\r");
1480
1481 buffer_append(conf, cp, strlen(cp));
3c0ef626 1482 }
7e82606e 1483 buffer_append(conf, "\0", 1);
3c0ef626 1484 fclose(f);
7e82606e 1485 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1486}
1487
1488void
30460aeb 1489parse_server_match_config(ServerOptions *options, const char *user,
1490 const char *host, const char *address)
1491{
1492 ServerOptions mo;
1493
1494 initialize_server_options(&mo);
1495 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
0b90ac93 1496 copy_set_server_options(options, &mo, 0);
30460aeb 1497}
1498
0b90ac93 1499/* Helper macros */
1500#define M_CP_INTOPT(n) do {\
1501 if (src->n != -1) \
1502 dst->n = src->n; \
1503} while (0)
1504#define M_CP_STROPT(n) do {\
1505 if (src->n != NULL) { \
1506 if (dst->n != NULL) \
1507 xfree(dst->n); \
1508 dst->n = src->n; \
1509 } \
1510} while(0)
1511
1512/*
1513 * Copy any supported values that are set.
1514 *
1515 * If the preauth flag is set, we do not bother copying the the string or
1516 * array values that are not used pre-authentication, because any that we
1517 * do use must be explictly sent in mm_getpwnamallow().
1518 */
30460aeb 1519void
0b90ac93 1520copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
30460aeb 1521{
0b90ac93 1522 M_CP_INTOPT(password_authentication);
1523 M_CP_INTOPT(gss_authentication);
05ed7e1e 1524 M_CP_INTOPT(gss_deleg_creds);
0b90ac93 1525 M_CP_INTOPT(rsa_authentication);
1526 M_CP_INTOPT(pubkey_authentication);
1527 M_CP_INTOPT(kerberos_authentication);
1528 M_CP_INTOPT(hostbased_authentication);
1529 M_CP_INTOPT(kbd_interactive_authentication);
e74dc197 1530 M_CP_INTOPT(permit_root_login);
0b90ac93 1531
1532 M_CP_INTOPT(allow_tcp_forwarding);
5156b1a1 1533 M_CP_INTOPT(allow_agent_forwarding);
0b90ac93 1534 M_CP_INTOPT(gateway_ports);
1535 M_CP_INTOPT(x11_display_offset);
1536 M_CP_INTOPT(x11_forwarding);
1537 M_CP_INTOPT(x11_use_localhost);
5156b1a1 1538 M_CP_INTOPT(max_sessions);
1539 M_CP_INTOPT(max_authtries);
0b90ac93 1540
1541 M_CP_STROPT(banner);
1542 if (preauth)
1543 return;
1544 M_CP_STROPT(adm_forced_command);
e74dc197 1545 M_CP_STROPT(chroot_directory);
30460aeb 1546}
1547
0b90ac93 1548#undef M_CP_INTOPT
1549#undef M_CP_STROPT
1550
30460aeb 1551void
1552parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1553 const char *user, const char *host, const char *address)
7e82606e 1554{
30460aeb 1555 int active, linenum, bad_options = 0;
7e82606e 1556 char *cp, *obuf, *cbuf;
1557
1558 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1559
1560 obuf = cbuf = xstrdup(buffer_ptr(conf));
30460aeb 1561 active = user ? 0 : 1;
7e82606e 1562 linenum = 1;
8b32eddc 1563 while ((cp = strsep(&cbuf, "\n")) != NULL) {
7e82606e 1564 if (process_server_config_line(options, cp, filename,
30460aeb 1565 linenum++, &active, user, host, address) != 0)
7e82606e 1566 bad_options++;
1567 }
1568 xfree(obuf);
3c0ef626 1569 if (bad_options > 0)
1570 fatal("%s: terminating, %d bad configuration options",
1571 filename, bad_options);
1572}
5156b1a1 1573
1574static const char *
1575fmt_intarg(ServerOpCodes code, int val)
1576{
1577 if (code == sAddressFamily) {
1578 switch (val) {
1579 case AF_INET:
1580 return "inet";
1581 case AF_INET6:
1582 return "inet6";
1583 case AF_UNSPEC:
1584 return "any";
1585 default:
1586 return "UNKNOWN";
1587 }
1588 }
1589 if (code == sPermitRootLogin) {
1590 switch (val) {
1591 case PERMIT_NO_PASSWD:
1592 return "without-passord";
1593 case PERMIT_FORCED_ONLY:
1594 return "forced-commands-only";
1595 case PERMIT_YES:
1596 return "yes";
1597 }
1598 }
1599 if (code == sProtocol) {
1600 switch (val) {
1601 case SSH_PROTO_1:
1602 return "1";
1603 case SSH_PROTO_2:
1604 return "2";
1605 case (SSH_PROTO_1|SSH_PROTO_2):
1606 return "2,1";
1607 default:
1608 return "UNKNOWN";
1609 }
1610 }
1611 if (code == sGatewayPorts && val == 2)
1612 return "clientspecified";
1613 if (code == sCompression && val == COMP_DELAYED)
1614 return "delayed";
1615 switch (val) {
1616 case -1:
1617 return "unset";
1618 case 0:
1619 return "no";
1620 case 1:
1621 return "yes";
1622 }
1623 return "UNKNOWN";
1624}
1625
1626static const char *
1627lookup_opcode_name(ServerOpCodes code)
1628{
1629 u_int i;
1630
1631 for (i = 0; keywords[i].name != NULL; i++)
1632 if (keywords[i].opcode == code)
1633 return(keywords[i].name);
1634 return "UNKNOWN";
1635}
1636
1637static void
1638dump_cfg_int(ServerOpCodes code, int val)
1639{
1640 printf("%s %d\n", lookup_opcode_name(code), val);
1641}
1642
1643static void
1644dump_cfg_fmtint(ServerOpCodes code, int val)
1645{
1646 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1647}
1648
1649static void
1650dump_cfg_string(ServerOpCodes code, const char *val)
1651{
1652 if (val == NULL)
1653 return;
1654 printf("%s %s\n", lookup_opcode_name(code), val);
1655}
1656
1657static void
1658dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1659{
1660 u_int i;
1661
1662 for (i = 0; i < count; i++)
1663 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1664}
1665
1666void
1667dump_config(ServerOptions *o)
1668{
1669 u_int i;
1670 int ret;
1671 struct addrinfo *ai;
1672 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1673
1674 /* these are usually at the top of the config */
1675 for (i = 0; i < o->num_ports; i++)
1676 printf("port %d\n", o->ports[i]);
1677 dump_cfg_fmtint(sProtocol, o->protocol);
1678 dump_cfg_fmtint(sAddressFamily, o->address_family);
1679
1680 /* ListenAddress must be after Port */
1681 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1682 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1683 sizeof(addr), port, sizeof(port),
1684 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1685 error("getnameinfo failed: %.100s",
1686 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1687 strerror(errno));
1688 } else {
1689 if (ai->ai_family == AF_INET6)
1690 printf("listenaddress [%s]:%s\n", addr, port);
1691 else
1692 printf("listenaddress %s:%s\n", addr, port);
1693 }
1694 }
1695
1696 /* integer arguments */
1697 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1698 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1699 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1700 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1701 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1702 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1703 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1704
1705 /* formatted integer arguments */
1706 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1707 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1708 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1709 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1710 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1711 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1712 o->hostbased_uses_name_from_packet_only);
1713 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1714 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1715 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1716 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1717 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1718 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1719 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1720 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1721 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1722 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1723 o->kbd_interactive_authentication);
1724 dump_cfg_fmtint(sChallengeResponseAuthentication,
1725 o->challenge_response_authentication);
1726 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1727 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1728 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1729 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1730 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1731 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1732 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1733 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1734 dump_cfg_fmtint(sUseLogin, o->use_login);
1735 dump_cfg_fmtint(sCompression, o->compression);
1736 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1737 dump_cfg_fmtint(sUseDNS, o->use_dns);
1738 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1739 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1740
1741 /* string arguments */
1742 dump_cfg_string(sPidFile, o->pid_file);
1743 dump_cfg_string(sXAuthLocation, o->xauth_location);
1744 dump_cfg_string(sCiphers, o->ciphers);
1745 dump_cfg_string(sMacs, o->macs);
1746 dump_cfg_string(sBanner, o->banner);
1747 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1748 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1749 dump_cfg_string(sForceCommand, o->adm_forced_command);
1750
1751 /* string arguments requiring a lookup */
1752 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1753 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1754
1755 /* string array arguments */
1756 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1757 o->host_key_files);
1758 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1759 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1760 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1761 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1762 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1763
1764 /* other arguments */
1765 for (i = 0; i < o->num_subsystems; i++)
1766 printf("subsystem %s %s\n", o->subsystem_name[i],
1767 o->subsystem_args[i]);
1768
1769 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1770 o->max_startups_rate, o->max_startups);
1771
1772 for (i = 0; tunmode_desc[i].val != -1; i++)
1773 if (tunmode_desc[i].val == o->permit_tun) {
1774 s = tunmode_desc[i].text;
1775 break;
1776 }
1777 dump_cfg_string(sPermitTunnel, s);
1778
1779 printf("permitopen");
1780 channel_print_adm_permitted_opens();
1781 printf("\n");
1782}
git-cvsimport mirror of GSI OpenSSH
This page took 1.985275 seconds and 5 git commands to generate.