3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
2c06c99b 13RCSID("$OpenBSD: servconf.c,v 1.146 2005/12/08 18:34:11 reyk Exp $");
3c0ef626 14
15#include "ssh.h"
16#include "log.h"
17#include "servconf.h"
18#include "xmalloc.h"
19#include "compat.h"
20#include "pathnames.h"
3c0ef626 21#include "misc.h"
22#include "cipher.h"
23#include "kex.h"
24#include "mac.h"
25
26static void add_listen_addr(ServerOptions *, char *, u_short);
27static void add_one_listen_addr(ServerOptions *, char *, u_short);
28
700318f3 29/* Use of privilege separation or not */
30extern int use_privsep;
3c0ef626 31
/*
 * Reset every ServerOptions field to its "not configured yet" marker.
 *
 * Integer flags use -1, enumerations use their *_NOT_SET value, pointers
 * use NULL and counters use 0, so that fill_default_server_options() can
 * later distinguish "never mentioned in sshd_config" from an explicit
 * setting.  The memset() already zeroes the structure; the 0/NULL stores
 * below are kept so every field's sentinel is visible in one place.
 */
void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->use_pam = -1;

	/* Listeners, protocol and host keys */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->address_family = -1;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->server_key_bits = -1;
	options->key_regeneration_time = -1;
	options->ciphers = NULL;
	options->macs = NULL;
	options->compression = -1;

	/* Connection limits and liveness */
	options->login_grace_time = -1;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->max_authtries = -1;
	options->tcp_keep_alive = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->use_dns = -1;

	/* Authentication methods and policy */
	options->permit_root_login = PERMIT_NOT_SET;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
	options->kerberos_get_afs_token = -1;
	options->gss_authentication = -1;
	options->gss_cleanup_creds = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* Access control lists */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;

	/* Session behaviour */
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->banner = NULL;
	options->use_login = -1;
	options->permit_user_env = -1;
	options->num_accept_env = 0;
	options->strict_modes = -1;
	options->num_subsystems = 0;

	/* Forwarding */
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->allow_tcp_forwarding = -1;
	options->gateway_ports = -1;
	options->permit_tun = -1;

	/* Logging */
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;

	/* HPN patch options */
	options->none_enabled = -1;
	options->tcp_rcv_buf_poll = -1;
	options->hpn_disabled = -1;
	options->hpn_buffer_size = -1;

	/* Global rather than a field: needs to be accessible in many places */
	use_privsep = -1;
}
113
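/*
 * Replace every "not set" marker left by initialize_server_options() with
 * the compiled-in default.  Values already set from sshd_config or the
 * command line are left untouched, so this must run after config parsing.
 * It also normalises the HPN buffer size and enforces the platform
 * restriction on privilege separation plus compression.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	if (options->use_pam == -1)
		options->use_pam = 0;

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	if (options->login_grace_time == -1)
		options->login_grace_time = 120;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	/*
	 * Upstream default is to allow root logins; "without-password" or
	 * "no" is the usual hardening and is left to sshd_config.
	 */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->print_lastlog == -1)
		options->print_lastlog = 1;
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 0;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
		options->x11_use_localhost = 1;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->tcp_keep_alive == -1)
		options->tcp_keep_alive = 1;
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->hostbased_uses_name_from_packet_only == -1)
		options->hostbased_uses_name_from_packet_only = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 0;
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
	if (options->kerberos_get_afs_token == -1)
		options->kerberos_get_afs_token = 0;
	if (options->gss_authentication == -1)
		options->gss_authentication = 0;
	if (options->gss_cleanup_creds == -1)
		options->gss_cleanup_creds = 1;
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 0;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	if (options->permit_user_env == -1)
		options->permit_user_env = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	if (options->compression == -1)
		options->compression = COMP_DELAYED;
	if (options->allow_tcp_forwarding == -1)
		options->allow_tcp_forwarding = 1;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	if (options->max_startups == -1)
		options->max_startups = 10;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = 100;		/* 100% */
	if (options->max_startups_begin == -1)
		options->max_startups_begin = options->max_startups;
	if (options->max_authtries == -1)
		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
	if (options->use_dns == -1)
		options->use_dns = 1;
	if (options->client_alive_interval == -1)
		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
	if (options->permit_tun == -1)
		options->permit_tun = SSH_TUNMODE_NO;

	/* HPN patch options */
	if (options->hpn_disabled == -1)
		options->hpn_disabled = 0;
	/*
	 * NoneEnabled is an HPN option; by its name it gates the unencrypted
	 * "none" cipher (confirm in the cipher/kex code).  Give it an
	 * explicit off default so the -1 "not set" sentinel, which is
	 * non-zero, can never be read by a consumer as "enabled".
	 */
	if (options->none_enabled == -1)
		options->none_enabled = 0;
	/*
	 * NOTE(review): tcp_rcv_buf_poll gets no default here, so an unset
	 * value reaches its consumer as -1 (non-zero) -- confirm against the
	 * code that reads it whether that is the intended default.
	 */

	if (options->hpn_buffer_size == -1)
		options->hpn_buffer_size = 2*1024*1024;	/* 2MB, in bytes */
	else {
		/*
		 * HPNBufferSize is given in KB and parsed with atoi(), so
		 * zero and negative values are possible; clamp to [1, 7168]
		 * KB before scaling to bytes so a negative size never
		 * reaches the channel code.
		 */
		if (options->hpn_buffer_size < 1)
			options->hpn_buffer_size = 1;
		/* limit the maximum buffer to 7MB */
		if (options->hpn_buffer_size > 7168)
			options->hpn_buffer_size = 7168;
		options->hpn_buffer_size *= 1024;
	}

	/* Turn privilege separation on by default */
	if (use_privsep == -1)
		use_privsep = 1;

#ifndef HAVE_MMAP
	/*
	 * Without mmap() the privsep monitor cannot share the zlib state
	 * with the unprivileged child; keep privsep and drop compression.
	 */
	if (use_privsep && options->compression == COMP_ZLIB) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = COMP_NONE;
	}
#endif
}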
271
/* Keyword tokens. */
/*
 * One opcode per recognised sshd_config keyword.  keywords[] below maps
 * keyword text to an opcode and process_server_config_line() switches on
 * it.  sDeprecated and sUnsupported are returned for keywords the parser
 * still accepts but which have no effect in this build; sBadOption is the
 * "unknown keyword" result from parse_token().
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosGetAFSToken,
	/* sKerberosTgtPassing has no keyword mapped to it in keywords[] */
	sKerberosTgtPassing, sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication,
	sListenAddress, sAddressFamily,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
	sMaxStartups, sMaxAuthTries,
	sBanner, sUseDNS, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
	/* sNoneEnabled .. sHPNBufferSize are HPN patch additions */
	sUsePrivilegeSeparation, sNoneEnabled, sTcpRcvBufPoll,
	sHPNDisabled, sHPNBufferSize,
	sDeprecated, sUnsupported
} ServerOpCodes;
302
/* Textual representation of the tokens. */
/*
 * Keyword table searched linearly and case-insensitively by parse_token();
 * the first match wins and the NULL entry terminates the search.  Keywords
 * whose support depends on the build are listed under #ifdef with an
 * sUnsupported fallback so that an sshd_config written for a fuller build
 * still parses; sDeprecated entries are accepted and ignored.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "usepam", sUsePAM },
#else
	{ "usepam", sUnsupported },
#endif
	{ "pamauthenticationviakbdint", sDeprecated },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sDeprecated },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },	/* alias */
	/* Kerberos keywords are only live when built with KRB5 (and AFS) */
#ifdef KRB5
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#ifdef USE_AFS
	{ "kerberosgetafstoken", sKerberosGetAFSToken },
#else
	{ "kerberosgetafstoken", sUnsupported },
#endif
#else
	{ "kerberosauthentication", sUnsupported },
	{ "kerberosorlocalpasswd", sUnsupported },
	{ "kerberosticketcleanup", sUnsupported },
	{ "kerberosgetafstoken", sUnsupported },
#endif
	/* Always unsupported: ticket/token forwarding was removed upstream */
	{ "kerberostgtpassing", sUnsupported },
	{ "afstokenpassing", sUnsupported },
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication },
	{ "gssapicleanupcredentials", sGssCleanupCreds },
#else
	{ "gssapiauthentication", sUnsupported },
	{ "gssapicleanupcredentials", sUnsupported },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "addressfamily", sAddressFamily },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "tcpkeepalive", sTCPKeepAlive },
	{ "keepalive", sTCPKeepAlive },				/* obsolete alias */
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "maxauthtries", sMaxAuthTries },
	{ "banner", sBanner },
	{ "usedns", sUseDNS },
	{ "verifyreversemapping", sDeprecated },
	{ "reversemappingcheck", sDeprecated },
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ "acceptenv", sAcceptEnv },
	/*
	 * HPN patch keywords.  NoneEnabled presumably gates the unencrypted
	 * "none" cipher (confirm in the cipher/kex code) and deserves the
	 * same scrutiny as any other authentication/crypto option.
	 */
	{ "noneenabled", sNoneEnabled },
	{ "hpndisabled", sHPNDisabled },
	{ "hpnbuffersize", sHPNBufferSize },
	{ "tcprcvbufpoll", sTcpRcvBufPoll },
	{ "permittunnel", sPermitTunnel },
	{ NULL, sBadOption }
};
408
/*
 * Look up the configuration keyword cp (case-insensitively) in keywords[]
 * and return its opcode.  An unknown keyword is reported with error(),
 * tagged with filename and linenum, and yields sBadOption; the caller
 * decides whether that is fatal.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(cp, keywords[idx].name) == 0) {
			/* HPN patch: trace which keyword matched */
			debug ("TOKEN IS %s", keywords[idx].name);
			return keywords[idx].opcode;
		}
		idx++;
	}
	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
427
/*
 * Queue addr for listening.  addr == NULL is the wildcard address.  A
 * port of 0 means "every port configured so far" (SSH_DEFAULT_PORT if no
 * Port line was seen), which is why Port lines must precede ListenAddress
 * lines that omit a port.  An unset AddressFamily is pinned to AF_UNSPEC
 * here so that later AddressFamily lines cannot change it underneath us.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	u_int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->address_family == -1)
		options->address_family = AF_UNSPEC;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}

	/* No explicit port: bind this address on every configured port. */
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
443
/*
 * Resolve addr:port with getaddrinfo() and prepend every resulting
 * addrinfo to options->listen_addrs.  addr == NULL selects AI_PASSIVE,
 * i.e. the wildcard address.  Resolution failure is fatal: a typo in
 * ListenAddress must not let sshd silently come up on a different socket
 * than the administrator intended.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *tail;
	char portstr[NI_MAXSERV];
	int rc;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = options->address_family;
	hints.ai_socktype = SOCK_STREAM;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	else
		hints.ai_flags = 0;
	snprintf(portstr, sizeof(portstr), "%u", port);

	rc = getaddrinfo(addr, portstr, &hints, &res);
	if (rc != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(rc));

	/* Find the last entry of the new list and splice the old list after it. */
	tail = res;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
465
e9a17296 466int
467process_server_config_line(ServerOptions *options, char *line,
468 const char *filename, int linenum)
3c0ef626 469{
3c0ef626 470 char *cp, **charptr, *arg, *p;
665a873d 471 int *intptr, value, n;
3c0ef626 472 ServerOpCodes opcode;
996d5e62 473 u_short port;
665a873d 474 u_int i;
3c0ef626 475
e9a17296 476 cp = line;
477 arg = strdelim(&cp);
478 /* Ignore leading whitespace */
479 if (*arg == '\0')
3c0ef626 480 arg = strdelim(&cp);
e9a17296 481 if (!arg || !*arg || *arg == '#')
482 return 0;
483 intptr = NULL;
484 charptr = NULL;
485 opcode = parse_token(arg, filename, linenum);
d4e9cd2c 486
e9a17296 487 switch (opcode) {
488 /* Portable-specific options */
0fff78ff 489 case sUsePAM:
490 intptr = &options->use_pam;
e9a17296 491 goto parse_flag;
3c0ef626 492
e9a17296 493 /* Standard Options */
494 case sBadOption:
495 return -1;
496 case sPort:
497 /* ignore ports from configfile if cmdline specifies ports */
498 if (options->ports_from_cmdline)
499 return 0;
500 if (options->listen_addrs != NULL)
501 fatal("%s line %d: ports must be specified before "
502 "ListenAddress.", filename, linenum);
503 if (options->num_ports >= MAX_PORTS)
504 fatal("%s line %d: too many ports.",
505 filename, linenum);
506 arg = strdelim(&cp);
507 if (!arg || *arg == '\0')
508 fatal("%s line %d: missing port number.",
509 filename, linenum);
510 options->ports[options->num_ports++] = a2port(arg);
511 if (options->ports[options->num_ports-1] == 0)
512 fatal("%s line %d: Badly formatted port number.",
513 filename, linenum);
514 break;
515
516 case sServerKeyBits:
517 intptr = &options->server_key_bits;
3c0ef626 518parse_int:
e9a17296 519 arg = strdelim(&cp);
520 if (!arg || *arg == '\0')
521 fatal("%s line %d: missing integer value.",
522 filename, linenum);
523 value = atoi(arg);
524 if (*intptr == -1)
525 *intptr = value;
526 break;
527
528 case sLoginGraceTime:
529 intptr = &options->login_grace_time;
3c0ef626 530parse_time:
e9a17296 531 arg = strdelim(&cp);
532 if (!arg || *arg == '\0')
533 fatal("%s line %d: missing time value.",
534 filename, linenum);
535 if ((value = convtime(arg)) == -1)
536 fatal("%s line %d: invalid time value.",
537 filename, linenum);
538 if (*intptr == -1)
539 *intptr = value;
540 break;
541
542 case sKeyRegenerationTime:
543 intptr = &options->key_regeneration_time;
544 goto parse_time;
545
546 case sListenAddress:
547 arg = strdelim(&cp);
996d5e62 548 if (arg == NULL || *arg == '\0')
549 fatal("%s line %d: missing address",
e9a17296 550 filename, linenum);
665a873d 551 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
552 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
553 && strchr(p+1, ':') != NULL) {
554 add_listen_addr(options, arg, 0);
555 break;
556 }
996d5e62 557 p = hpdelim(&arg);
558 if (p == NULL)
559 fatal("%s line %d: bad address:port usage",
e9a17296 560 filename, linenum);
996d5e62 561 p = cleanhostname(p);
562 if (arg == NULL)
563 port = 0;
564 else if ((port = a2port(arg)) == 0)
565 fatal("%s line %d: bad port number", filename, linenum);
566
567 add_listen_addr(options, p, port);
568
569 break;
570
571 case sAddressFamily:
572 arg = strdelim(&cp);
665a873d 573 if (!arg || *arg == '\0')
574 fatal("%s line %d: missing address family.",
575 filename, linenum);
996d5e62 576 intptr = &options->address_family;
577 if (options->listen_addrs != NULL)
578 fatal("%s line %d: address family must be specified before "
579 "ListenAddress.", filename, linenum);
580 if (strcasecmp(arg, "inet") == 0)
581 value = AF_INET;
582 else if (strcasecmp(arg, "inet6") == 0)
583 value = AF_INET6;
584 else if (strcasecmp(arg, "any") == 0)
585 value = AF_UNSPEC;
586 else
587 fatal("%s line %d: unsupported address family \"%s\".",
588 filename, linenum, arg);
589 if (*intptr == -1)
590 *intptr = value;
e9a17296 591 break;
592
593 case sHostKeyFile:
594 intptr = &options->num_host_key_files;
595 if (*intptr >= MAX_HOSTKEYS)
596 fatal("%s line %d: too many host keys specified (max %d).",
597 filename, linenum, MAX_HOSTKEYS);
598 charptr = &options->host_key_files[*intptr];
3c0ef626 599parse_filename:
e9a17296 600 arg = strdelim(&cp);
601 if (!arg || *arg == '\0')
602 fatal("%s line %d: missing file name.",
603 filename, linenum);
604 if (*charptr == NULL) {
605 *charptr = tilde_expand_filename(arg, getuid());
606 /* increase optional counter */
607 if (intptr != NULL)
608 *intptr = *intptr + 1;
609 }
610 break;
3c0ef626 611
e9a17296 612 case sPidFile:
613 charptr = &options->pid_file;
614 goto parse_filename;
3c0ef626 615
e9a17296 616 case sPermitRootLogin:
617 intptr = &options->permit_root_login;
618 arg = strdelim(&cp);
619 if (!arg || *arg == '\0')
620 fatal("%s line %d: missing yes/"
621 "without-password/forced-commands-only/no "
622 "argument.", filename, linenum);
623 value = 0; /* silence compiler */
624 if (strcmp(arg, "without-password") == 0)
625 value = PERMIT_NO_PASSWD;
626 else if (strcmp(arg, "forced-commands-only") == 0)
627 value = PERMIT_FORCED_ONLY;
628 else if (strcmp(arg, "yes") == 0)
629 value = PERMIT_YES;
630 else if (strcmp(arg, "no") == 0)
631 value = PERMIT_NO;
632 else
633 fatal("%s line %d: Bad yes/"
634 "without-password/forced-commands-only/no "
635 "argument: %s", filename, linenum, arg);
636 if (*intptr == -1)
637 *intptr = value;
638 break;
639
640 case sIgnoreRhosts:
641 intptr = &options->ignore_rhosts;
3c0ef626 642parse_flag:
e9a17296 643 arg = strdelim(&cp);
644 if (!arg || *arg == '\0')
645 fatal("%s line %d: missing yes/no argument.",
646 filename, linenum);
647 value = 0; /* silence compiler */
648 if (strcmp(arg, "yes") == 0)
649 value = 1;
650 else if (strcmp(arg, "no") == 0)
651 value = 0;
652 else
653 fatal("%s line %d: Bad yes/no argument: %s",
654 filename, linenum, arg);
655 if (*intptr == -1)
656 *intptr = value;
657 break;
658
d4e9cd2c 659 case sNoneEnabled:
660 intptr = &options->none_enabled;
661 goto parse_flag;
662
663 case sTcpRcvBufPoll:
664 intptr = &options->tcp_rcv_buf_poll;
665 goto parse_flag;
666
667 case sHPNDisabled:
668 intptr = &options->hpn_disabled;
669 goto parse_flag;
670
671 case sHPNBufferSize:
672 intptr = &options->hpn_buffer_size;
673 goto parse_int;
674
e9a17296 675 case sIgnoreUserKnownHosts:
676 intptr = &options->ignore_user_known_hosts;
677 goto parse_flag;
678
e9a17296 679 case sRhostsRSAAuthentication:
680 intptr = &options->rhosts_rsa_authentication;
681 goto parse_flag;
682
683 case sHostbasedAuthentication:
684 intptr = &options->hostbased_authentication;
685 goto parse_flag;
686
687 case sHostbasedUsesNameFromPacketOnly:
688 intptr = &options->hostbased_uses_name_from_packet_only;
689 goto parse_flag;
690
691 case sRSAAuthentication:
692 intptr = &options->rsa_authentication;
693 goto parse_flag;
694
695 case sPubkeyAuthentication:
696 intptr = &options->pubkey_authentication;
697 goto parse_flag;
0fff78ff 698
e9a17296 699 case sKerberosAuthentication:
700 intptr = &options->kerberos_authentication;
701 goto parse_flag;
3c0ef626 702
e9a17296 703 case sKerberosOrLocalPasswd:
704 intptr = &options->kerberos_or_local_passwd;
705 goto parse_flag;
3c0ef626 706
e9a17296 707 case sKerberosTicketCleanup:
708 intptr = &options->kerberos_ticket_cleanup;
709 goto parse_flag;
0fff78ff 710
cdd66111 711 case sKerberosGetAFSToken:
712 intptr = &options->kerberos_get_afs_token;
713 goto parse_flag;
714
0fff78ff 715 case sGssAuthentication:
716 intptr = &options->gss_authentication;
e9a17296 717 goto parse_flag;
0fff78ff 718
719 case sGssCleanupCreds:
720 intptr = &options->gss_cleanup_creds;
e9a17296 721 goto parse_flag;
3c0ef626 722
e9a17296 723 case sPasswordAuthentication:
724 intptr = &options->password_authentication;
725 goto parse_flag;
3c0ef626 726
e9a17296 727 case sKbdInteractiveAuthentication:
728 intptr = &options->kbd_interactive_authentication;
729 goto parse_flag;
3c0ef626 730
e9a17296 731 case sChallengeResponseAuthentication:
732 intptr = &options->challenge_response_authentication;
733 goto parse_flag;
3c0ef626 734
e9a17296 735 case sPrintMotd:
736 intptr = &options->print_motd;
737 goto parse_flag;
3c0ef626 738
e9a17296 739 case sPrintLastLog:
740 intptr = &options->print_lastlog;
741 goto parse_flag;
3c0ef626 742
e9a17296 743 case sX11Forwarding:
744 intptr = &options->x11_forwarding;
745 goto parse_flag;
3c0ef626 746
e9a17296 747 case sX11DisplayOffset:
748 intptr = &options->x11_display_offset;
749 goto parse_int;
3c0ef626 750
e9a17296 751 case sX11UseLocalhost:
752 intptr = &options->x11_use_localhost;
753 goto parse_flag;
3c0ef626 754
e9a17296 755 case sXAuthLocation:
756 charptr = &options->xauth_location;
757 goto parse_filename;
3c0ef626 758
e9a17296 759 case sStrictModes:
760 intptr = &options->strict_modes;
761 goto parse_flag;
3c0ef626 762
cdd66111 763 case sTCPKeepAlive:
764 intptr = &options->tcp_keep_alive;
e9a17296 765 goto parse_flag;
3c0ef626 766
e9a17296 767 case sEmptyPasswd:
768 intptr = &options->permit_empty_passwd;
769 goto parse_flag;
3c0ef626 770
41b2f314 771 case sPermitUserEnvironment:
772 intptr = &options->permit_user_env;
773 goto parse_flag;
774
e9a17296 775 case sUseLogin:
776 intptr = &options->use_login;
777 goto parse_flag;
3c0ef626 778
f5799ae1 779 case sCompression:
780 intptr = &options->compression;
665a873d 781 arg = strdelim(&cp);
782 if (!arg || *arg == '\0')
783 fatal("%s line %d: missing yes/no/delayed "
784 "argument.", filename, linenum);
785 value = 0; /* silence compiler */
786 if (strcmp(arg, "delayed") == 0)
787 value = COMP_DELAYED;
788 else if (strcmp(arg, "yes") == 0)
789 value = COMP_ZLIB;
790 else if (strcmp(arg, "no") == 0)
791 value = COMP_NONE;
792 else
793 fatal("%s line %d: Bad yes/no/delayed "
794 "argument: %s", filename, linenum, arg);
795 if (*intptr == -1)
796 *intptr = value;
797 break;
f5799ae1 798
e9a17296 799 case sGatewayPorts:
800 intptr = &options->gateway_ports;
996d5e62 801 arg = strdelim(&cp);
802 if (!arg || *arg == '\0')
803 fatal("%s line %d: missing yes/no/clientspecified "
804 "argument.", filename, linenum);
805 value = 0; /* silence compiler */
806 if (strcmp(arg, "clientspecified") == 0)
807 value = 2;
808 else if (strcmp(arg, "yes") == 0)
809 value = 1;
810 else if (strcmp(arg, "no") == 0)
811 value = 0;
812 else
813 fatal("%s line %d: Bad yes/no/clientspecified "
814 "argument: %s", filename, linenum, arg);
815 if (*intptr == -1)
816 *intptr = value;
817 break;
3c0ef626 818
0fff78ff 819 case sUseDNS:
820 intptr = &options->use_dns;
e9a17296 821 goto parse_flag;
3c0ef626 822
e9a17296 823 case sLogFacility:
824 intptr = (int *) &options->log_facility;
825 arg = strdelim(&cp);
826 value = log_facility_number(arg);
827 if (value == SYSLOG_FACILITY_NOT_SET)
828 fatal("%.200s line %d: unsupported log facility '%s'",
829 filename, linenum, arg ? arg : "<NONE>");
830 if (*intptr == -1)
831 *intptr = (SyslogFacility) value;
832 break;
833
834 case sLogLevel:
835 intptr = (int *) &options->log_level;
836 arg = strdelim(&cp);
837 value = log_level_number(arg);
838 if (value == SYSLOG_LEVEL_NOT_SET)
839 fatal("%.200s line %d: unsupported log level '%s'",
840 filename, linenum, arg ? arg : "<NONE>");
841 if (*intptr == -1)
842 *intptr = (LogLevel) value;
843 break;
844
845 case sAllowTcpForwarding:
846 intptr = &options->allow_tcp_forwarding;
847 goto parse_flag;
848
700318f3 849 case sUsePrivilegeSeparation:
850 intptr = &use_privsep;
851 goto parse_flag;
852
e9a17296 853 case sAllowUsers:
854 while ((arg = strdelim(&cp)) && *arg != '\0') {
855 if (options->num_allow_users >= MAX_ALLOW_USERS)
856 fatal("%s line %d: too many allow users.",
857 filename, linenum);
680cee3b 858 options->allow_users[options->num_allow_users++] =
859 xstrdup(arg);
e9a17296 860 }
861 break;
3c0ef626 862
e9a17296 863 case sDenyUsers:
864 while ((arg = strdelim(&cp)) && *arg != '\0') {
865 if (options->num_deny_users >= MAX_DENY_USERS)
866 fatal( "%s line %d: too many deny users.",
867 filename, linenum);
680cee3b 868 options->deny_users[options->num_deny_users++] =
869 xstrdup(arg);
e9a17296 870 }
871 break;
3c0ef626 872
e9a17296 873 case sAllowGroups:
874 while ((arg = strdelim(&cp)) && *arg != '\0') {
875 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
876 fatal("%s line %d: too many allow groups.",
877 filename, linenum);
680cee3b 878 options->allow_groups[options->num_allow_groups++] =
879 xstrdup(arg);
e9a17296 880 }
881 break;
3c0ef626 882
e9a17296 883 case sDenyGroups:
884 while ((arg = strdelim(&cp)) && *arg != '\0') {
885 if (options->num_deny_groups >= MAX_DENY_GROUPS)
886 fatal("%s line %d: too many deny groups.",
887 filename, linenum);
888 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
889 }
890 break;
891
892 case sCiphers:
893 arg = strdelim(&cp);
894 if (!arg || *arg == '\0')
895 fatal("%s line %d: Missing argument.", filename, linenum);
896 if (!ciphers_valid(arg))
897 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
898 filename, linenum, arg ? arg : "<NONE>");
899 if (options->ciphers == NULL)
900 options->ciphers = xstrdup(arg);
901 break;
902
903 case sMacs:
904 arg = strdelim(&cp);
905 if (!arg || *arg == '\0')
906 fatal("%s line %d: Missing argument.", filename, linenum);
907 if (!mac_valid(arg))
908 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
909 filename, linenum, arg ? arg : "<NONE>");
910 if (options->macs == NULL)
911 options->macs = xstrdup(arg);
912 break;
913
914 case sProtocol:
915 intptr = &options->protocol;
916 arg = strdelim(&cp);
917 if (!arg || *arg == '\0')
918 fatal("%s line %d: Missing argument.", filename, linenum);
919 value = proto_spec(arg);
920 if (value == SSH_PROTO_UNKNOWN)
921 fatal("%s line %d: Bad protocol spec '%s'.",
922 filename, linenum, arg ? arg : "<NONE>");
923 if (*intptr == SSH_PROTO_UNKNOWN)
924 *intptr = value;
925 break;
926
927 case sSubsystem:
928 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
929 fatal("%s line %d: too many subsystems defined.",
930 filename, linenum);
931 }
932 arg = strdelim(&cp);
933 if (!arg || *arg == '\0')
934 fatal("%s line %d: Missing subsystem name.",
935 filename, linenum);
936 for (i = 0; i < options->num_subsystems; i++)
937 if (strcmp(arg, options->subsystem_name[i]) == 0)
938 fatal("%s line %d: Subsystem '%s' already defined.",
939 filename, linenum, arg);
940 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
941 arg = strdelim(&cp);
942 if (!arg || *arg == '\0')
943 fatal("%s line %d: Missing subsystem command.",
944 filename, linenum);
945 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
946 options->num_subsystems++;
947 break;
948
949 case sMaxStartups:
950 arg = strdelim(&cp);
951 if (!arg || *arg == '\0')
952 fatal("%s line %d: Missing MaxStartups spec.",
953 filename, linenum);
954 if ((n = sscanf(arg, "%d:%d:%d",
955 &options->max_startups_begin,
956 &options->max_startups_rate,
957 &options->max_startups)) == 3) {
958 if (options->max_startups_begin >
959 options->max_startups ||
960 options->max_startups_rate > 100 ||
961 options->max_startups_rate < 1)
3c0ef626 962 fatal("%s line %d: Illegal MaxStartups spec.",
963 filename, linenum);
e9a17296 964 } else if (n != 1)
965 fatal("%s line %d: Illegal MaxStartups spec.",
966 filename, linenum);
967 else
968 options->max_startups = options->max_startups_begin;
969 break;
970
c9f39d2c 971 case sMaxAuthTries:
972 intptr = &options->max_authtries;
973 goto parse_int;
974
e9a17296 975 case sBanner:
976 charptr = &options->banner;
977 goto parse_filename;
978 /*
979 * These options can contain %X options expanded at
980 * connect time, so that you can specify paths like:
981 *
982 * AuthorizedKeysFile /etc/ssh_keys/%u
983 */
984 case sAuthorizedKeysFile:
985 case sAuthorizedKeysFile2:
986 charptr = (opcode == sAuthorizedKeysFile ) ?
987 &options->authorized_keys_file :
988 &options->authorized_keys_file2;
989 goto parse_filename;
990
991 case sClientAliveInterval:
992 intptr = &options->client_alive_interval;
993 goto parse_time;
994
995 case sClientAliveCountMax:
996 intptr = &options->client_alive_count_max;
997 goto parse_int;
998
c9f39d2c 999 case sAcceptEnv:
1000 while ((arg = strdelim(&cp)) && *arg != '\0') {
1001 if (strchr(arg, '=') != NULL)
1002 fatal("%s line %d: Invalid environment name.",
1003 filename, linenum);
1004 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1005 fatal("%s line %d: too many allow env.",
1006 filename, linenum);
1007 options->accept_env[options->num_accept_env++] =
1008 xstrdup(arg);
1009 }
1010 break;
1011
2c06c99b 1012 case sPermitTunnel:
1013 intptr = &options->permit_tun;
1014 arg = strdelim(&cp);
1015 if (!arg || *arg == '\0')
1016 fatal("%s line %d: Missing yes/point-to-point/"
1017 "ethernet/no argument.", filename, linenum);
1018 value = 0; /* silence compiler */
1019 if (strcasecmp(arg, "ethernet") == 0)
1020 value = SSH_TUNMODE_ETHERNET;
1021 else if (strcasecmp(arg, "point-to-point") == 0)
1022 value = SSH_TUNMODE_POINTOPOINT;
1023 else if (strcasecmp(arg, "yes") == 0)
1024 value = SSH_TUNMODE_YES;
1025 else if (strcasecmp(arg, "no") == 0)
1026 value = SSH_TUNMODE_NO;
1027 else
1028 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1029 "no argument: %s", filename, linenum, arg);
1030 if (*intptr == -1)
1031 *intptr = value;
1032 break;
1033
e9a17296 1034 case sDeprecated:
0fff78ff 1035 logit("%s line %d: Deprecated option %s",
1036 filename, linenum, arg);
1037 while (arg)
1038 arg = strdelim(&cp);
1039 break;
1040
1041 case sUnsupported:
1042 logit("%s line %d: Unsupported option %s",
e9a17296 1043 filename, linenum, arg);
1044 while (arg)
1045 arg = strdelim(&cp);
1046 break;
1047
1048 default:
1049 fatal("%s line %d: Missing handler for opcode %s (%d)",
1050 filename, linenum, arg, opcode);
1051 }
1052 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1053 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1054 filename, linenum, arg);
1055 return 0;
1056}
3c0ef626 1057
e9a17296 1058/* Reads the server configuration file. */
3c0ef626 1059
/*
 * Read the server configuration file `filename` into `conf`.
 *
 * Each line is appended to `conf` with its comment (everything from the
 * first '#') removed and leading spaces/tabs/CRs stripped.  Newlines are
 * kept so the line numbers can be recovered later when reporting errors.
 * A trailing NUL is appended so the buffer contents can be used as a
 * C string.  If the file cannot be opened the error is printed and the
 * process exits with status 1; `conf` is left untouched in that case.
 *
 * Parameters:
 *   filename - path of the configuration file to read.
 *   conf     - caller-owned buffer; cleared, then filled with the
 *              pre-processed configuration text.
 */
void
load_server_config(const char *filename, Buffer *conf)
{
	FILE *fp;
	char buf[1024];

	debug2("%s: filename %s", __func__, filename);
	fp = fopen(filename, "r");
	if (fp == NULL) {
		perror(filename);
		exit(1);
	}
	buffer_clear(conf);
	for (;;) {
		char *hash, *start;

		if (fgets(buf, sizeof(buf), fp) == NULL)
			break;
		/*
		 * Cut the line at the first '#', but keep a newline in its
		 * place: the line count must survive comment stripping.
		 */
		hash = strchr(buf, '#');
		if (hash != NULL) {
			hash[0] = '\n';
			hash[1] = '\0';
		}
		/* Drop leading blanks before storing the line. */
		start = buf + strspn(buf, " \t\r");
		buffer_append(conf, start, strlen(start));
	}
	/* NUL-terminate so buffer_ptr(conf) can be treated as a string. */
	buffer_append(conf, "\0", 1);
	fclose(fp);
	debug2("%s: done config len = %d", __func__, buffer_len(conf));
}
1088
/*
 * Parse the pre-processed configuration text held in `conf` into
 * `options`.
 *
 * The buffer is copied, split on '\n', and every line is handed to
 * process_server_config_line() together with a 1-based line number.
 * Lines for which that call returns non-zero are counted; if any were
 * seen the function terminates the process via fatal() after all lines
 * have been processed, so every bad option is reported, not just the
 * first.
 *
 * Parameters:
 *   options  - server options to fill in.
 *   filename - name used in diagnostics only.
 *   conf     - buffer produced by load_server_config(); not modified.
 */
void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
{
	char *copy, *rest, *line;
	int linenum = 1, bad_options = 0;

	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));

	/* strsep() writes into its argument, so work on a private copy. */
	copy = xstrdup(buffer_ptr(conf));
	rest = copy;
	for (line = strsep(&rest, "\n"); line != NULL;
	    line = strsep(&rest, "\n")) {
		int rc = process_server_config_line(options, line, filename,
		    linenum);

		linenum++;
		if (rc != 0)
			bad_options++;
	}
	xfree(copy);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}