3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.116 2003/02/21 09:05:53 markus Exp $");

#include <errno.h>
#include <limits.h>
#include <stdlib.h>

#if defined(KRB4)
#include <krb.h>
#endif
#if defined(KRB5)
#ifdef HEIMDAL
#else
/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
 * keytab */
#define KEYFILE "/etc/krb5.keytab"
#endif
#endif
#ifdef AFS
#include <kafs.h>
#endif

#include "ssh.h"
#include "log.h"
#include "servconf.h"
#include "xmalloc.h"
#include "compat.h"
#include "pathnames.h"
#include "tildexpand.h"
#include "misc.h"
#include "cipher.h"
#include "kex.h"
#include "mac.h"
41
/*
 * Listen-address helpers (defined below).  addr == NULL requests the
 * wildcard address (AI_PASSIVE); port == 0 means "every configured port".
 */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6 */
extern int IPv4or6;
/* Use of privilege separation or not; defined elsewhere, reset here. */
extern int use_privsep;
3c0ef626 49
/*
 * Reset every server option to its "not yet set" sentinel.
 *
 * The config parser only stores into a field that still holds its
 * sentinel (-1, NULL, PERMIT_NOT_SET, SSH_PROTO_UNKNOWN, *_NOT_SET), so
 * the first value an option receives wins; fill_default_server_options()
 * later replaces whatever sentinels remain with the built-in defaults.
 * The struct is zeroed first, so counters and arrays start out empty.
 */
void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->pam_authentication_via_kbd_int = -1;

	/* Listening sockets, host keys and daemon housekeeping */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->key_regeneration_time = -1;
	options->login_grace_time = -1;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->ciphers = NULL;
	options->macs = NULL;
	options->compression = -1;
	options->keepalives = -1;
	options->strict_modes = -1;

	/* Logging */
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;

	/* Authentication methods and policy */
	options->permit_root_login = PERMIT_NOT_SET;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;
#ifdef GSSAPI
	options->gss_authentication = -1;
	options->gss_keyex = -1;
	options->gss_use_session_ccache = -1;
	options->gss_cleanup_creds = -1;
#endif
#if defined(KRB4) || defined(KRB5)
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
	options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	options->afs_token_passing = -1;
#endif

	/* Access control lists (Allow/Deny Users/Groups) */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;

	/* Session behaviour */
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->use_login = -1;
	options->permit_user_env = -1;
	options->banner = NULL;
	options->num_subsystems = 0;

	/* Forwarding and X11 */
	options->allow_tcp_forwarding = -1;
	options->gateway_ports = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;

	/* Connection limits and liveness checks */
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->verify_reverse_mapping = -1;

	/* Needs to be accessable in many places, hence a global. */
	use_privsep = -1;
}
135
/*
 * Replace every option still at its "unset" sentinel with the built-in
 * default.  Intended to run once the config file (and any command-line
 * overrides) have been applied, so explicit settings survive.  Several
 * defaults are derived from other options, so the order of the checks
 * below matters where noted.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	if (options->pam_authentication_via_kbd_int == -1)
		options->pam_authentication_via_kbd_int = 0;

	/* Standard Options */
	/*
	 * Both protocol versions are enabled unless "Protocol" was set;
	 * deployments wanting SSH-2 only must say so explicitly.
	 */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	/* Depends on options->protocol being final (set just above). */
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* No ListenAddress given: wildcard address on every configured port. */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	/* Size of the protocol 1 ephemeral server key. */
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	/* Seconds an unauthenticated connection may linger. */
	if (options->login_grace_time == -1)
		options->login_grace_time = 120;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	/* Root login is permitted by default in this version. */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->print_lastlog == -1)
		options->print_lastlog = 1;
	/* X11 forwarding is off by default; when on, bind to localhost. */
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 0;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
		options->x11_use_localhost = 1;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	/* StrictModes (ownership/permission checks on user files) is on. */
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/* rhosts-style and host-based methods are off; RSA/pubkey are on. */
	if (options->rhosts_authentication == -1)
		options->rhosts_authentication = 0;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->hostbased_uses_name_from_packet_only == -1)
		options->hostbased_uses_name_from_packet_only = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
#ifdef GSSAPI
	/* All GSSAPI features are enabled by default when compiled in. */
	if (options->gss_authentication == -1)
		options->gss_authentication = 1;
	if (options->gss_keyex == -1)
		options->gss_keyex =1;
	if (options->gss_use_session_ccache == -1)
		options->gss_use_session_ccache = 1;
	if (options->gss_cleanup_creds == -1)
		options->gss_cleanup_creds = 1;
#endif
#if defined(KRB4) || defined(KRB5)
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 0;
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
#endif
#if defined(AFS) || defined(KRB5)
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 0;
#endif
#ifdef AFS
	if (options->afs_token_passing == -1)
		options->afs_token_passing = 0;
#endif
	/* Password and challenge-response auth on; empty passwords refused. */
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 0;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	/* Users may not set environment via ~/.ssh files unless enabled. */
	if (options->permit_user_env == -1)
		options->permit_user_env = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	if (options->compression == -1)
		options->compression = 1;
	if (options->allow_tcp_forwarding == -1)
		options->allow_tcp_forwarding = 1;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	if (options->max_startups == -1)
		options->max_startups = 10;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = 100; /* 100% */
	/* Must follow the max_startups default: the value is copied from it. */
	if (options->max_startups_begin == -1)
		options->max_startups_begin = options->max_startups;
	if (options->verify_reverse_mapping == -1)
		options->verify_reverse_mapping = 0;
	/* 0 disables client-alive probing. */
	if (options->client_alive_interval == -1)
		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	/*
	 * Order matters: the file2 fallback must be evaluated while
	 * authorized_keys_file still reflects what the config set, i.e.
	 * before the authorized_keys_file default is filled in below.
	 */
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	if (use_privsep == -1)
		use_privsep = 1;

#ifndef HAVE_MMAP
	/*
	 * Must follow both the compression and use_privsep defaults.  On a
	 * platform without mmap the two cannot coexist, so compression is
	 * dropped (privilege separation is kept) and the user is told.
	 */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
288
/*
 * Keyword tokens.
 *
 * One enumerator per configuration keyword; keywords[] below maps the
 * textual names onto these.  sBadOption must stay first (value 0): it is
 * what parse_token() returns for an unknown keyword.  Entries live under
 * the same preprocessor conditionals as the options they select, so the
 * numeric values shift with the build configuration and must never be
 * relied upon.
 */
typedef enum {
	sBadOption,	/* == unknown option */
	/* Portable-specific options */
	sPAMAuthenticationViaKbdInt,
	/* Standard Options */
	sPort,
	sHostKeyFile,
	sServerKeyBits,
	sLoginGraceTime,
	sKeyRegenerationTime,
	sPermitRootLogin,
	sLogFacility,
	sLogLevel,
	sRhostsAuthentication,
	sRhostsRSAAuthentication,
	sRSAAuthentication,
#ifdef GSSAPI
	sGssAuthentication,
	sGssKeyEx,
	sGssUseSessionCredCache,
	sGssCleanupCreds,
#endif
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication,
	sKerberosOrLocalPasswd,
	sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication,
	sKbdInteractiveAuthentication,
	sListenAddress,
	sPrintMotd,
	sPrintLastLog,
	sIgnoreRhosts,
	sX11Forwarding,
	sX11DisplayOffset,
	sX11UseLocalhost,
	sStrictModes,
	sEmptyPasswd,
	sKeepAlives,
	sPermitUserEnvironment,
	sUseLogin,
	sAllowTcpForwarding,
	sCompression,
	sAllowUsers,
	sDenyUsers,
	sAllowGroups,
	sDenyGroups,
	sIgnoreUserKnownHosts,
	sCiphers,
	sMacs,
	sProtocol,
	sPidFile,
	sGatewayPorts,
	sPubkeyAuthentication,
	sXAuthLocation,
	sSubsystem,
	sMaxStartups,
	sBanner,
	sVerifyReverseMapping,
	sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly,
	sClientAliveInterval,
	sClientAliveCountMax,
	sAuthorizedKeysFile,
	sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,
	/* Recognised but ignored keywords (logged, then skipped). */
	sDeprecated
} ServerOpCodes;
325
/*
 * Textual representation of the tokens.
 *
 * parse_token() matches names case-insensitively (strcasecmp), so the
 * lower-case spelling here is only a convention.  Several names map to
 * the same opcode (aliases); "checkmail" maps to sDeprecated and is
 * logged and ignored.  The { NULL, sBadOption } entry terminates the
 * table and must remain last.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },	/* alias */
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication },
	{ "gssapikeyexchange", sGssKeyEx },
	{ "gssusesessionccache", sGssUseSessionCredCache },
	{ "gssapiusesessioncredcache", sGssUseSessionCredCache },	/* alias */
	{ "gssapicleanupcreds", sGssCleanupCreds },
#endif
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },			/* logged and ignored */
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "verifyreversemapping", sVerifyReverseMapping },
	{ "reversemappingcheck", sVerifyReverseMapping },	/* alias */
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ NULL, sBadOption }				/* terminator */
};
410
/*
 * Map the keyword cp to its ServerOpCodes token.
 *
 * The lookup is a case-insensitive scan of keywords[].  An unknown
 * keyword is reported via error() with filename and linenum, and
 * sBadOption is returned so the caller can count it as a bad option.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	const char *name;
	u_int idx = 0;

	while ((name = keywords[idx].name) != NULL) {
		if (strcasecmp(cp, name) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
429
/*
 * Queue addr (NULL = wildcard) for listening.
 *
 * A port of 0 means "every configured port", so the default port is
 * installed first if the config has not named any; a non-zero port is
 * used on its own.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
443
/*
 * Resolve addr:port with getaddrinfo() and prepend the resulting list to
 * options->listen_addrs.
 *
 * addr == NULL requests a passive (wildcard) socket; IPv4or6 selects the
 * address family.  A resolution failure is fatal so that sshd never
 * silently comes up on an address other than the one configured.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *tail, *resolved;
	char strport[NI_MAXSERV];
	int gaierr;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = 0;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	snprintf(strport, sizeof strport, "%u", port);

	gaierr = getaddrinfo(addr, strport, &hints, &resolved);
	if (gaierr != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(gaierr));

	/* Find the tail of the new list and splice the old list after it. */
	tail = resolved;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = resolved;
}
465
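/*
 * Parse a single sshd_config line.
 *
 * line is tokenised in place by strdelim().  Returns 0 when the line was
 * blank, a comment, or handled; returns -1 for an unknown keyword
 * (already reported by parse_token()) so the caller can count it.  A
 * known keyword with a missing or malformed argument is fatal.
 *
 * An option keeps the first value it is given: a field is only written
 * while it still holds the "unset" sentinel from
 * initialize_server_options(), so a setting made before this file is
 * read (e.g. ports from the command line, see ports_from_cmdline) is not
 * overridden.  MaxStartups is the exception: it is written directly.
 *
 * Integer arguments are parsed with strtol() and must be a complete,
 * in-range base-10 number; trailing junk or overflow is fatal instead
 * of being silently truncated as atoi() would do.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p, *endp;
	int *intptr, value, i, n;
	long lval;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sPAMAuthenticationViaKbdInt:
		intptr = &options->pam_authentication_via_kbd_int;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		/* Shared by every plain-integer option (entered via goto). */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * strtol() rather than atoi(): reject trailing junk and
		 * out-of-range values instead of silently accepting them.
		 */
		errno = 0;
		lval = strtol(arg, &endp, 10);
		if (endp == arg || *endp != '\0' || errno == ERANGE ||
		    lval < INT_MIN || lval > INT_MAX)
			fatal("%s line %d: invalid integer value '%s'.",
			    filename, linenum, arg);
		value = (int)lval;
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		/* Shared by every time-valued option (entered via goto). */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms: host, host:port, [ipv6addr], [ipv6addr]:port.
		 * A bare address containing more than one ':' is taken to be
		 * an unbracketed IPv6 address without a port.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			arg++;
			/* Drop the ']' so arg becomes the bare address. */
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
			    (strchr(p+1, ':') != NULL)) {
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				/* Terminate the address part before the ':'. */
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		/*
		 * Shared by every file-name option (entered via goto).  The
		 * value is tilde-expanded relative to the current uid; when
		 * intptr is set it counts the slot that was filled.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* Shared by every yes/no option (entered via goto). */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
				filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;
#ifdef GSSAPI
	case sGssAuthentication:
		intptr = &options->gss_authentication;
		goto parse_flag;
	case sGssKeyEx:
		intptr = &options->gss_keyex;
		goto parse_flag;
	case sGssUseSessionCredCache:
		intptr = &options->gss_use_session_ccache;
		goto parse_flag;
	case sGssCleanupCreds:
		intptr = &options->gss_cleanup_creds;
		goto parse_flag;
#endif
#if defined(KRB4) || defined(KRB5)
	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;
#endif
#if defined(AFS) || defined(KRB5)
	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;
#endif
#ifdef AFS
	case sAFSTokenPassing:
		intptr = &options->afs_token_passing;
		goto parse_flag;
#endif

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sVerifyReverseMapping:
		intptr = &options->verify_reverse_mapping;
		goto parse_flag;

	case sLogFacility:
		/* The enum field is accessed through an int pointer. */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		intptr = &use_privsep;
		goto parse_flag;

	/*
	 * The four ACL keywords take a whitespace-separated list and are
	 * cumulative across lines, bounded by the MAX_* table sizes.
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal( "%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		/* Validated against the cipher table before being stored. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		/* Subsystem names must be unique; duplicates are fatal. */
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		/*
		 * "begin:rate:full" or a single number.  Unlike the other
		 * options this writes straight into the struct, so a later
		 * MaxStartups line replaces an earlier one.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		/* Log once, then swallow the rest of the line. */
		log("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Anything left over after the expected arguments is an error. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}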
967
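/*
 * Read the server configuration file filename, handing each line to
 * process_server_config_line().
 *
 * Lines are read into a fixed 1024-byte buffer.  A line that does not
 * fit used to be split by fgets(), with the tail parsed as a separate
 * (bogus) line; such a line is now rejected outright.  Unknown options
 * are counted and reported once at the end.  The function does not
 * return on error: exit(1) if the file cannot be opened, fatal() if any
 * line was bad.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	int linenum, bad_options = 0, c;
	size_t len;
	char line[1024];
	FILE *f;

	debug2("read_server_config: filename %s", filename);
	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		len = strlen(line);
		/*
		 * A full buffer without a trailing newline means fgets()
		 * stopped early.  Peek one character: if the file continues,
		 * the line was truncated and must not be parsed piecemeal.
		 * If EOF follows, it is simply a final line with no newline.
		 */
		if (len == sizeof(line) - 1 && line[len - 1] != '\n') {
			c = getc(f);
			if (c != EOF)
				fatal("%s line %d: line too long.",
				    filename, linenum);
		}
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}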