o Merge changes from OPENSSH_3_5P1_GSI_20021018.
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $");

#include <errno.h>
#include <limits.h>

#if defined(KRB4)
#include <krb.h>
#endif
#if defined(KRB5)
#ifdef HEIMDAL
#else
/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
 * keytab */
#define KEYFILE "/etc/krb5.keytab"
#endif
#endif
#ifdef AFS
#include <kafs.h>
#endif

#include "ssh.h"
#include "log.h"
#include "servconf.h"
#include "xmalloc.h"
#include "compat.h"
#include "pathnames.h"
#include "tildexpand.h"
#include "misc.h"
#include "cipher.h"
#include "kex.h"
#include "mac.h"
41
/* Expand one ListenAddress (NULL = wildcard) into listen_addrs; port 0 means "every configured Port". */
static void add_listen_addr(ServerOptions *, char *, u_short);
/* Resolve a single address:port pair and prepend the result(s) to listen_addrs. */
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6; defined in sshd.c (-4/-6 flags) */
extern int IPv4or6;
/* Use of privilege separation or not; -1 = unset, defined outside this file */
extern int use_privsep;
3c0ef626 49
/*
 * Resets *options to the "unset" state that fill_default_server_options()
 * and process_server_config_line() rely on.
 *
 * Integer and yes/no options use -1 as the unset sentinel; the enumerated
 * ones use their own NOT_SET / UNKNOWN value; paths are NULL and lists are
 * empty.  process_server_config_line() only stores a value while a field is
 * still at its sentinel, so anything assigned between this call and
 * read_server_config() (e.g. sshd command-line flags) takes precedence over
 * the configuration file.
 */
void
initialize_server_options(ServerOptions *options)
{
	/* Everything not explicitly listed below is simply left at zero. */
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->pam_authentication_via_kbd_int = -1;

	/* Listening endpoints, host keys, protocol and transport algorithms. */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->key_regeneration_time = -1;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->ciphers = NULL;
	options->macs = NULL;

	/* Logging. */
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;

	/* Login policy and authentication methods. */
	options->login_grace_time = -1;
	options->permit_root_login = PERMIT_NOT_SET;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->strict_modes = -1;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
#ifdef GSSAPI
	options->gss_authentication = -1;
	options->gss_keyex = -1;
	options->gss_use_session_ccache = -1;
	options->gss_cleanup_creds = -1;
#endif
#if defined(KRB4) || defined(KRB5)
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
	options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	options->afs_token_passing = -1;
#endif
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->verify_reverse_mapping = -1;

	/* Per-session features. */
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	options->gateway_ports = -1;
	options->num_subsystems = 0;
	options->banner = NULL;

	/* Connection limits and liveness probing. */
	options->keepalives = -1;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;

	/* Global rather than a field: it is consulted all over sshd. */
	use_privsep = -1;
}
135
/*
 * Applies a default to a yes/no or integer option still at the -1
 * "unset" sentinel; leaves anything already set alone.
 */
static void
default_int(int *opt, int value)
{
	if (*opt == -1)
		*opt = value;
}

/*
 * Applies a default to a path/string option that is still NULL.
 */
static void
default_str(char **opt, char *value)
{
	if (*opt == NULL)
		*opt = value;
}

/*
 * Fills in every option that neither the command line nor sshd_config set.
 * Must run after initialize_server_options() and read_server_config().
 *
 * The defaults below are the upstream OpenSSH 3.5 ones plus the GSSAPI
 * additions of this tree.  Several of them are permissive and deserve an
 * explicit setting in sshd_config on a hardened host: PermitRootLogin yes,
 * Protocol 1 enabled (with a 768-bit SSH1 server key), PasswordAuthentication
 * yes, and (under GSSAPI) GSSAPIKeyExchange and the session credential
 * cache both on.  The code here only supplies values; it does not validate
 * the combination.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	default_int(&options->pam_authentication_via_kbd_int, 0);

	/*
	 * Protocol versions first: the host key defaults depend on them.
	 * NOTE(review): SSH1 is enabled by default; set "Protocol 2" to
	 * disable it.
	 */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}

	/* Listening endpoints: ports before addresses. */
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	default_str(&options->pid_file, _PATH_SSH_DAEMON_PID_FILE);

	/* SSH1 ephemeral server key (only meaningful with Protocol 1). */
	default_int(&options->server_key_bits, 768);
	default_int(&options->key_regeneration_time, 3600);

	/* Login policy. */
	default_int(&options->login_grace_time, 120);
	/*
	 * NOTE(review): upstream default; most deployments want
	 * "PermitRootLogin no" or "without-password" stated explicitly.
	 */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	default_int(&options->ignore_rhosts, 1);
	default_int(&options->ignore_user_known_hosts, 0);
	default_int(&options->strict_modes, 1);

	/* Session features. */
	default_int(&options->print_motd, 1);
	default_int(&options->print_lastlog, 1);
	default_int(&options->x11_forwarding, 0);
	default_int(&options->x11_display_offset, 10);
	default_int(&options->x11_use_localhost, 1);
	default_str(&options->xauth_location, _PATH_XAUTH);
	default_int(&options->keepalives, 1);

	/* Logging. */
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;

	/* Authentication methods: host-based family off, key-based on. */
	default_int(&options->rhosts_authentication, 0);
	default_int(&options->rhosts_rsa_authentication, 0);
	default_int(&options->hostbased_authentication, 0);
	default_int(&options->hostbased_uses_name_from_packet_only, 0);
	default_int(&options->rsa_authentication, 1);
	default_int(&options->pubkey_authentication, 1);
#ifdef GSSAPI
	/*
	 * NOTE(review): GSSAPI authentication, GSSAPI key exchange and the
	 * per-session credential cache all default to on in this tree.
	 */
	default_int(&options->gss_authentication, 1);
	default_int(&options->gss_keyex, 1);
	default_int(&options->gss_use_session_ccache, 1);
	default_int(&options->gss_cleanup_creds, 1);
#endif
#if defined(KRB4) || defined(KRB5)
	default_int(&options->kerberos_authentication, 0);
	default_int(&options->kerberos_or_local_passwd, 1);
	default_int(&options->kerberos_ticket_cleanup, 1);
#endif
#if defined(AFS) || defined(KRB5)
	default_int(&options->kerberos_tgt_passing, 0);
#endif
#ifdef AFS
	default_int(&options->afs_token_passing, 0);
#endif
	default_int(&options->password_authentication, 1);
	default_int(&options->kbd_interactive_authentication, 0);
	default_int(&options->challenge_response_authentication, 1);
	default_int(&options->permit_empty_passwd, 0);
	default_int(&options->permit_user_env, 0);
	default_int(&options->use_login, 0);
	default_int(&options->compression, 1);
	default_int(&options->allow_tcp_forwarding, 1);
	default_int(&options->gateway_ports, 0);

	/* Connection limits; max_startups_begin mirrors max_startups. */
	default_int(&options->max_startups, 10);
	default_int(&options->max_startups_rate, 100); /* 100% */
	default_int(&options->max_startups_begin, options->max_startups);
	default_int(&options->verify_reverse_mapping, 0);
	default_int(&options->client_alive_interval, 0);
	default_int(&options->client_alive_count_max, 3);

	/*
	 * authorized_keys_file2 falls back to authorized_keys_file, so it
	 * has to be resolved before the latter receives its own default.
	 */
	default_str(&options->authorized_keys_file2,
	    options->authorized_keys_file != NULL ?
	    options->authorized_keys_file : _PATH_SSH_USER_PERMITTED_KEYS2);
	default_str(&options->authorized_keys_file, _PATH_SSH_USER_PERMITTED_KEYS);

	/* Turn privilege separation on by default */
	default_int(&use_privsep, 1);

#ifndef HAVE_MMAP
	/* Without mmap() the privsep monitor cannot share the zlib state. */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif
}
288
/*
 * Keyword tokens.  One opcode per sshd_config directive; parse_token()
 * maps the (case-insensitive) keyword text to one of these and
 * process_server_config_line() switches on it.  Conditionally compiled
 * directives are only recognised when their feature is built in, so a
 * config line naming one of them on a build without that feature is
 * reported as sBadOption.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sPAMAuthenticationViaKbdInt,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#ifdef GSSAPI
	/* GSI/GSSAPI additions of this tree */
	sGssAuthentication, sGssKeyEx, sGssUseSessionCredCache, sGssCleanupCreds,
#endif
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,
	/* recognised but ignored (logged); keeps old configs loading */
	sDeprecated
} ServerOpCodes;
325
/*
 * Textual representation of the tokens.  Matched with strcasecmp() by
 * parse_token(), so the spelling here is conventionally lowercase and the
 * config file may use any case.  Entries marked "alias" map an older or
 * alternative spelling onto the same opcode; the NULL entry terminates the
 * table.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },			/* alias */
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication },
	{ "gssapikeyexchange", sGssKeyEx },
	/* two spellings accepted for the session credential cache switch */
	{ "gssusesessionccache", sGssUseSessionCredCache },
	{ "gssapiusesessioncredcache", sGssUseSessionCredCache },
	{ "gssapicleanupcreds", sGssCleanupCreds },
#endif
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "verifyreversemapping", sVerifyReverseMapping },
	{ "reversemappingcheck", sVerifyReverseMapping },		/* alias */
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ NULL, sBadOption }
};
410
/*
 * Looks up the configuration keyword cp in the keywords[] table and
 * returns its opcode.  Matching is case-insensitive.  An unknown keyword
 * is reported with error() (filename and linenum identify the offending
 * line) and yields sBadOption; the caller decides whether that is fatal.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
	    int linenum)
{
	u_int idx = 0;

	/* The table is terminated by an entry whose name is NULL. */
	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
429
/*
 * Registers a ListenAddress.  addr is the host/address text (NULL for the
 * wildcard address).  A non-zero port binds that port only; port 0 means
 * "one entry for every Port configured so far", which is why Port lines
 * must precede ListenAddress lines.  If no Port was given yet the default
 * port is installed first.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	/* No Port directive seen yet: fall back to the compiled-in default. */
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
443
/*
 * Resolves addr:port with getaddrinfo() and prepends every result to
 * options->listen_addrs.  addr == NULL requests the passive wildcard
 * address for the family selected by IPv4or6.  Resolution failure is fatal.
 *
 * NOTE(review): addr is passed to getaddrinfo() as given, so a ListenAddress
 * written as a host name is resolved (possibly via DNS) at configuration
 * time and sshd binds whatever that lookup returns; literal IP addresses
 * avoid that dependency.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *last;
	char portbuf[NI_MAXSERV];
	int err;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	/* AI_PASSIVE turns the NULL node into INADDR_ANY / in6addr_any. */
	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
	snprintf(portbuf, sizeof portbuf, "%u", port);

	err = getaddrinfo(addr, portbuf, &hints, &res);
	if (err != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(err));

	/* Splice the existing list onto the tail of the new result chain. */
	last = res;
	while (last->ai_next != NULL)
		last = last->ai_next;
	last->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
465
e9a17296 466int
467process_server_config_line(ServerOptions *options, char *line,
468 const char *filename, int linenum)
3c0ef626 469{
3c0ef626 470 char *cp, **charptr, *arg, *p;
ff2d7a98 471 int *intptr, value, i, n;
3c0ef626 472 ServerOpCodes opcode;
3c0ef626 473
e9a17296 474 cp = line;
475 arg = strdelim(&cp);
476 /* Ignore leading whitespace */
477 if (*arg == '\0')
3c0ef626 478 arg = strdelim(&cp);
e9a17296 479 if (!arg || !*arg || *arg == '#')
480 return 0;
481 intptr = NULL;
482 charptr = NULL;
483 opcode = parse_token(arg, filename, linenum);
484 switch (opcode) {
485 /* Portable-specific options */
486 case sPAMAuthenticationViaKbdInt:
487 intptr = &options->pam_authentication_via_kbd_int;
488 goto parse_flag;
3c0ef626 489
e9a17296 490 /* Standard Options */
491 case sBadOption:
492 return -1;
493 case sPort:
494 /* ignore ports from configfile if cmdline specifies ports */
495 if (options->ports_from_cmdline)
496 return 0;
497 if (options->listen_addrs != NULL)
498 fatal("%s line %d: ports must be specified before "
499 "ListenAddress.", filename, linenum);
500 if (options->num_ports >= MAX_PORTS)
501 fatal("%s line %d: too many ports.",
502 filename, linenum);
503 arg = strdelim(&cp);
504 if (!arg || *arg == '\0')
505 fatal("%s line %d: missing port number.",
506 filename, linenum);
507 options->ports[options->num_ports++] = a2port(arg);
508 if (options->ports[options->num_ports-1] == 0)
509 fatal("%s line %d: Badly formatted port number.",
510 filename, linenum);
511 break;
512
513 case sServerKeyBits:
514 intptr = &options->server_key_bits;
3c0ef626 515parse_int:
e9a17296 516 arg = strdelim(&cp);
517 if (!arg || *arg == '\0')
518 fatal("%s line %d: missing integer value.",
519 filename, linenum);
520 value = atoi(arg);
521 if (*intptr == -1)
522 *intptr = value;
523 break;
524
525 case sLoginGraceTime:
526 intptr = &options->login_grace_time;
3c0ef626 527parse_time:
e9a17296 528 arg = strdelim(&cp);
529 if (!arg || *arg == '\0')
530 fatal("%s line %d: missing time value.",
531 filename, linenum);
532 if ((value = convtime(arg)) == -1)
533 fatal("%s line %d: invalid time value.",
534 filename, linenum);
535 if (*intptr == -1)
536 *intptr = value;
537 break;
538
539 case sKeyRegenerationTime:
540 intptr = &options->key_regeneration_time;
541 goto parse_time;
542
543 case sListenAddress:
544 arg = strdelim(&cp);
545 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
546 fatal("%s line %d: missing inet addr.",
547 filename, linenum);
548 if (*arg == '[') {
549 if ((p = strchr(arg, ']')) == NULL)
550 fatal("%s line %d: bad ipv6 inet addr usage.",
3c0ef626 551 filename, linenum);
e9a17296 552 arg++;
553 memmove(p, p+1, strlen(p+1)+1);
554 } else if (((p = strchr(arg, ':')) == NULL) ||
555 (strchr(p+1, ':') != NULL)) {
556 add_listen_addr(options, arg, 0);
3c0ef626 557 break;
e9a17296 558 }
559 if (*p == ':') {
560 u_short port;
3c0ef626 561
e9a17296 562 p++;
563 if (*p == '\0')
564 fatal("%s line %d: bad inet addr:port usage.",
3c0ef626 565 filename, linenum);
e9a17296 566 else {
567 *(p-1) = '\0';
568 if ((port = a2port(p)) == 0)
569 fatal("%s line %d: bad port number.",
3c0ef626 570 filename, linenum);
e9a17296 571 add_listen_addr(options, arg, port);
3c0ef626 572 }
e9a17296 573 } else if (*p == '\0')
574 add_listen_addr(options, arg, 0);
575 else
576 fatal("%s line %d: bad inet addr usage.",
577 filename, linenum);
578 break;
579
580 case sHostKeyFile:
581 intptr = &options->num_host_key_files;
582 if (*intptr >= MAX_HOSTKEYS)
583 fatal("%s line %d: too many host keys specified (max %d).",
584 filename, linenum, MAX_HOSTKEYS);
585 charptr = &options->host_key_files[*intptr];
3c0ef626 586parse_filename:
e9a17296 587 arg = strdelim(&cp);
588 if (!arg || *arg == '\0')
589 fatal("%s line %d: missing file name.",
590 filename, linenum);
591 if (*charptr == NULL) {
592 *charptr = tilde_expand_filename(arg, getuid());
593 /* increase optional counter */
594 if (intptr != NULL)
595 *intptr = *intptr + 1;
596 }
597 break;
3c0ef626 598
e9a17296 599 case sPidFile:
600 charptr = &options->pid_file;
601 goto parse_filename;
3c0ef626 602
e9a17296 603 case sPermitRootLogin:
604 intptr = &options->permit_root_login;
605 arg = strdelim(&cp);
606 if (!arg || *arg == '\0')
607 fatal("%s line %d: missing yes/"
608 "without-password/forced-commands-only/no "
609 "argument.", filename, linenum);
610 value = 0; /* silence compiler */
611 if (strcmp(arg, "without-password") == 0)
612 value = PERMIT_NO_PASSWD;
613 else if (strcmp(arg, "forced-commands-only") == 0)
614 value = PERMIT_FORCED_ONLY;
615 else if (strcmp(arg, "yes") == 0)
616 value = PERMIT_YES;
617 else if (strcmp(arg, "no") == 0)
618 value = PERMIT_NO;
619 else
620 fatal("%s line %d: Bad yes/"
621 "without-password/forced-commands-only/no "
622 "argument: %s", filename, linenum, arg);
623 if (*intptr == -1)
624 *intptr = value;
625 break;
626
627 case sIgnoreRhosts:
628 intptr = &options->ignore_rhosts;
3c0ef626 629parse_flag:
e9a17296 630 arg = strdelim(&cp);
631 if (!arg || *arg == '\0')
632 fatal("%s line %d: missing yes/no argument.",
633 filename, linenum);
634 value = 0; /* silence compiler */
635 if (strcmp(arg, "yes") == 0)
636 value = 1;
637 else if (strcmp(arg, "no") == 0)
638 value = 0;
639 else
640 fatal("%s line %d: Bad yes/no argument: %s",
641 filename, linenum, arg);
642 if (*intptr == -1)
643 *intptr = value;
644 break;
645
646 case sIgnoreUserKnownHosts:
647 intptr = &options->ignore_user_known_hosts;
648 goto parse_flag;
649
650 case sRhostsAuthentication:
651 intptr = &options->rhosts_authentication;
652 goto parse_flag;
653
654 case sRhostsRSAAuthentication:
655 intptr = &options->rhosts_rsa_authentication;
656 goto parse_flag;
657
658 case sHostbasedAuthentication:
659 intptr = &options->hostbased_authentication;
660 goto parse_flag;
661
662 case sHostbasedUsesNameFromPacketOnly:
663 intptr = &options->hostbased_uses_name_from_packet_only;
664 goto parse_flag;
665
666 case sRSAAuthentication:
667 intptr = &options->rsa_authentication;
668 goto parse_flag;
669
670 case sPubkeyAuthentication:
671 intptr = &options->pubkey_authentication;
672 goto parse_flag;
b9a54c29 673#ifdef GSSAPI
674 case sGssAuthentication:
675 intptr = &options->gss_authentication;
676 goto parse_flag;
677 case sGssKeyEx:
678 intptr = &options->gss_keyex;
679 goto parse_flag;
680 case sGssUseSessionCredCache:
681 intptr = &options->gss_use_session_ccache;
682 goto parse_flag;
683 case sGssCleanupCreds:
684 intptr = &options->gss_cleanup_creds;
685 goto parse_flag;
686#endif
e9a17296 687#if defined(KRB4) || defined(KRB5)
688 case sKerberosAuthentication:
689 intptr = &options->kerberos_authentication;
690 goto parse_flag;
3c0ef626 691
e9a17296 692 case sKerberosOrLocalPasswd:
693 intptr = &options->kerberos_or_local_passwd;
694 goto parse_flag;
3c0ef626 695
e9a17296 696 case sKerberosTicketCleanup:
697 intptr = &options->kerberos_ticket_cleanup;
698 goto parse_flag;
699#endif
700#if defined(AFS) || defined(KRB5)
701 case sKerberosTgtPassing:
702 intptr = &options->kerberos_tgt_passing;
703 goto parse_flag;
704#endif
705#ifdef AFS
706 case sAFSTokenPassing:
707 intptr = &options->afs_token_passing;
708 goto parse_flag;
709#endif
3c0ef626 710
e9a17296 711 case sPasswordAuthentication:
712 intptr = &options->password_authentication;
713 goto parse_flag;
3c0ef626 714
e9a17296 715 case sKbdInteractiveAuthentication:
716 intptr = &options->kbd_interactive_authentication;
717 goto parse_flag;
3c0ef626 718
e9a17296 719 case sChallengeResponseAuthentication:
720 intptr = &options->challenge_response_authentication;
721 goto parse_flag;
3c0ef626 722
e9a17296 723 case sPrintMotd:
724 intptr = &options->print_motd;
725 goto parse_flag;
3c0ef626 726
e9a17296 727 case sPrintLastLog:
728 intptr = &options->print_lastlog;
729 goto parse_flag;
3c0ef626 730
e9a17296 731 case sX11Forwarding:
732 intptr = &options->x11_forwarding;
733 goto parse_flag;
3c0ef626 734
e9a17296 735 case sX11DisplayOffset:
736 intptr = &options->x11_display_offset;
737 goto parse_int;
3c0ef626 738
e9a17296 739 case sX11UseLocalhost:
740 intptr = &options->x11_use_localhost;
741 goto parse_flag;
3c0ef626 742
e9a17296 743 case sXAuthLocation:
744 charptr = &options->xauth_location;
745 goto parse_filename;
3c0ef626 746
e9a17296 747 case sStrictModes:
748 intptr = &options->strict_modes;
749 goto parse_flag;
3c0ef626 750
e9a17296 751 case sKeepAlives:
752 intptr = &options->keepalives;
753 goto parse_flag;
3c0ef626 754
e9a17296 755 case sEmptyPasswd:
756 intptr = &options->permit_empty_passwd;
757 goto parse_flag;
3c0ef626 758
e54b3d7c 759 case sPermitUserEnvironment:
760 intptr = &options->permit_user_env;
761 goto parse_flag;
762
e9a17296 763 case sUseLogin:
764 intptr = &options->use_login;
765 goto parse_flag;
3c0ef626 766
ff2d7a98 767 case sCompression:
768 intptr = &options->compression;
769 goto parse_flag;
770
e9a17296 771 case sGatewayPorts:
772 intptr = &options->gateway_ports;
773 goto parse_flag;
3c0ef626 774
e9a17296 775 case sVerifyReverseMapping:
776 intptr = &options->verify_reverse_mapping;
777 goto parse_flag;
3c0ef626 778
e9a17296 779 case sLogFacility:
780 intptr = (int *) &options->log_facility;
781 arg = strdelim(&cp);
782 value = log_facility_number(arg);
783 if (value == SYSLOG_FACILITY_NOT_SET)
784 fatal("%.200s line %d: unsupported log facility '%s'",
785 filename, linenum, arg ? arg : "<NONE>");
786 if (*intptr == -1)
787 *intptr = (SyslogFacility) value;
788 break;
789
790 case sLogLevel:
791 intptr = (int *) &options->log_level;
792 arg = strdelim(&cp);
793 value = log_level_number(arg);
794 if (value == SYSLOG_LEVEL_NOT_SET)
795 fatal("%.200s line %d: unsupported log level '%s'",
796 filename, linenum, arg ? arg : "<NONE>");
797 if (*intptr == -1)
798 *intptr = (LogLevel) value;
799 break;
800
801 case sAllowTcpForwarding:
802 intptr = &options->allow_tcp_forwarding;
803 goto parse_flag;
804
2980ea68 805 case sUsePrivilegeSeparation:
806 intptr = &use_privsep;
807 goto parse_flag;
808
e9a17296 809 case sAllowUsers:
810 while ((arg = strdelim(&cp)) && *arg != '\0') {
811 if (options->num_allow_users >= MAX_ALLOW_USERS)
812 fatal("%s line %d: too many allow users.",
813 filename, linenum);
ff2d7a98 814 options->allow_users[options->num_allow_users++] =
815 xstrdup(arg);
e9a17296 816 }
817 break;
3c0ef626 818
e9a17296 819 case sDenyUsers:
820 while ((arg = strdelim(&cp)) && *arg != '\0') {
821 if (options->num_deny_users >= MAX_DENY_USERS)
822 fatal( "%s line %d: too many deny users.",
823 filename, linenum);
ff2d7a98 824 options->deny_users[options->num_deny_users++] =
825 xstrdup(arg);
e9a17296 826 }
827 break;
3c0ef626 828
e9a17296 829 case sAllowGroups:
830 while ((arg = strdelim(&cp)) && *arg != '\0') {
831 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
832 fatal("%s line %d: too many allow groups.",
833 filename, linenum);
ff2d7a98 834 options->allow_groups[options->num_allow_groups++] =
835 xstrdup(arg);
e9a17296 836 }
837 break;
3c0ef626 838
e9a17296 839 case sDenyGroups:
840 while ((arg = strdelim(&cp)) && *arg != '\0') {
841 if (options->num_deny_groups >= MAX_DENY_GROUPS)
842 fatal("%s line %d: too many deny groups.",
843 filename, linenum);
844 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
845 }
846 break;
847
848 case sCiphers:
849 arg = strdelim(&cp);
850 if (!arg || *arg == '\0')
851 fatal("%s line %d: Missing argument.", filename, linenum);
852 if (!ciphers_valid(arg))
853 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
854 filename, linenum, arg ? arg : "<NONE>");
855 if (options->ciphers == NULL)
856 options->ciphers = xstrdup(arg);
857 break;
858
859 case sMacs:
860 arg = strdelim(&cp);
861 if (!arg || *arg == '\0')
862 fatal("%s line %d: Missing argument.", filename, linenum);
863 if (!mac_valid(arg))
864 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
865 filename, linenum, arg ? arg : "<NONE>");
866 if (options->macs == NULL)
867 options->macs = xstrdup(arg);
868 break;
869
870 case sProtocol:
871 intptr = &options->protocol;
872 arg = strdelim(&cp);
873 if (!arg || *arg == '\0')
874 fatal("%s line %d: Missing argument.", filename, linenum);
875 value = proto_spec(arg);
876 if (value == SSH_PROTO_UNKNOWN)
877 fatal("%s line %d: Bad protocol spec '%s'.",
878 filename, linenum, arg ? arg : "<NONE>");
879 if (*intptr == SSH_PROTO_UNKNOWN)
880 *intptr = value;
881 break;
882
883 case sSubsystem:
884 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
885 fatal("%s line %d: too many subsystems defined.",
886 filename, linenum);
887 }
888 arg = strdelim(&cp);
889 if (!arg || *arg == '\0')
890 fatal("%s line %d: Missing subsystem name.",
891 filename, linenum);
892 for (i = 0; i < options->num_subsystems; i++)
893 if (strcmp(arg, options->subsystem_name[i]) == 0)
894 fatal("%s line %d: Subsystem '%s' already defined.",
895 filename, linenum, arg);
896 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
897 arg = strdelim(&cp);
898 if (!arg || *arg == '\0')
899 fatal("%s line %d: Missing subsystem command.",
900 filename, linenum);
901 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
902 options->num_subsystems++;
903 break;
904
905 case sMaxStartups:
906 arg = strdelim(&cp);
907 if (!arg || *arg == '\0')
908 fatal("%s line %d: Missing MaxStartups spec.",
909 filename, linenum);
910 if ((n = sscanf(arg, "%d:%d:%d",
911 &options->max_startups_begin,
912 &options->max_startups_rate,
913 &options->max_startups)) == 3) {
914 if (options->max_startups_begin >
915 options->max_startups ||
916 options->max_startups_rate > 100 ||
917 options->max_startups_rate < 1)
3c0ef626 918 fatal("%s line %d: Illegal MaxStartups spec.",
919 filename, linenum);
e9a17296 920 } else if (n != 1)
921 fatal("%s line %d: Illegal MaxStartups spec.",
922 filename, linenum);
923 else
924 options->max_startups = options->max_startups_begin;
925 break;
926
927 case sBanner:
928 charptr = &options->banner;
929 goto parse_filename;
930 /*
931 * These options can contain %X options expanded at
932 * connect time, so that you can specify paths like:
933 *
934 * AuthorizedKeysFile /etc/ssh_keys/%u
935 */
936 case sAuthorizedKeysFile:
937 case sAuthorizedKeysFile2:
938 charptr = (opcode == sAuthorizedKeysFile ) ?
939 &options->authorized_keys_file :
940 &options->authorized_keys_file2;
941 goto parse_filename;
942
943 case sClientAliveInterval:
944 intptr = &options->client_alive_interval;
945 goto parse_time;
946
947 case sClientAliveCountMax:
948 intptr = &options->client_alive_count_max;
949 goto parse_int;
950
951 case sDeprecated:
952 log("%s line %d: Deprecated option %s",
953 filename, linenum, arg);
954 while (arg)
955 arg = strdelim(&cp);
956 break;
957
958 default:
959 fatal("%s line %d: Missing handler for opcode %s (%d)",
960 filename, linenum, arg, opcode);
961 }
962 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
963 fatal("%s line %d: garbage at end of line; \"%.200s\".",
964 filename, linenum, arg);
965 return 0;
966}
3c0ef626 967
e9a17296 968/* Reads the server configuration file. */
3c0ef626 969
e9a17296 970void
971read_server_config(ServerOptions *options, const char *filename)
972{
ff2d7a98 973 int linenum, bad_options = 0;
e9a17296 974 char line[1024];
ff2d7a98 975 FILE *f;
e9a17296 976
977 f = fopen(filename, "r");
978 if (!f) {
979 perror(filename);
980 exit(1);
981 }
982 linenum = 0;
983 while (fgets(line, sizeof(line), f)) {
984 /* Update line number counter. */
985 linenum++;
986 if (process_server_config_line(options, line, filename, linenum) != 0)
987 bad_options++;
3c0ef626 988 }
989 fclose(f);
990 if (bad_options > 0)
991 fatal("%s: terminating, %d bad configuration options",
992 filename, bad_options);
993}