check for existence of globus_gss_assist_map_and_authorize()
3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
08822d99 13RCSID("$OpenBSD: servconf.c,v 1.146 2005/12/08 18:34:11 reyk Exp $");
3c0ef626 14
15#include "ssh.h"
16#include "log.h"
17#include "servconf.h"
18#include "xmalloc.h"
19#include "compat.h"
20#include "pathnames.h"
3c0ef626 21#include "misc.h"
22#include "cipher.h"
23#include "kex.h"
24#include "mac.h"
25
26static void add_listen_addr(ServerOptions *, char *, u_short);
27static void add_one_listen_addr(ServerOptions *, char *, u_short);
28
350391c5 29/* Use of privilege separation or not */
30extern int use_privsep;
3c0ef626 31
/*
 * Initializes the server options to their default values.
 *
 * "Default" here means "not configured yet": every integer option is put
 * at -1 (or the enum's own NOT_SET value), every pointer option at NULL,
 * so that fill_default_server_options() can later tell an explicit
 * sshd_config / command-line setting apart from an untouched one.
 * The process-wide privilege-separation flag is reset the same way.
 */
void
initialize_server_options(ServerOptions *options)
{
	/*
	 * Members not listed here (the fixed-size arrays and anything
	 * else) are zero-initialised, exactly as a memset() would do.
	 */
	static const ServerOptions not_yet_set = {
		/* Portable-specific options */
		.use_pam = -1,

		/* Standard Options */
		.num_ports = 0,
		.ports_from_cmdline = 0,
		.listen_addrs = NULL,
		.address_family = -1,
		.num_host_key_files = 0,
		.pid_file = NULL,
		.server_key_bits = -1,
		.login_grace_time = -1,
		.key_regeneration_time = -1,
		.permit_root_login = PERMIT_NOT_SET,
		.ignore_rhosts = -1,
		.ignore_user_known_hosts = -1,
		.print_motd = -1,
		.print_lastlog = -1,
		.x11_forwarding = -1,
		.x11_display_offset = -1,
		.x11_use_localhost = -1,
		.xauth_location = NULL,
		.strict_modes = -1,
		.tcp_keep_alive = -1,
		.log_facility = SYSLOG_FACILITY_NOT_SET,
		.log_level = SYSLOG_LEVEL_NOT_SET,
		.rhosts_rsa_authentication = -1,
		.hostbased_authentication = -1,
		.hostbased_uses_name_from_packet_only = -1,
		.rsa_authentication = -1,
		.pubkey_authentication = -1,
		.kerberos_authentication = -1,
		.kerberos_or_local_passwd = -1,
		.kerberos_ticket_cleanup = -1,
#ifdef SESSION_HOOKS
		.session_hooks_allow = -1,
		.session_hooks_startup_cmd = NULL,
		.session_hooks_shutdown_cmd = NULL,
#endif
		.kerberos_get_afs_token = -1,
		/* GSSAPI / GSI options */
		.gss_authentication = -1,
		.gss_keyex = -1,
		.gss_cleanup_creds = -1,
		.gsi_allow_limited_proxy = -1,
		.password_authentication = -1,
		.kbd_interactive_authentication = -1,
		.challenge_response_authentication = -1,
		.permit_empty_passwd = -1,
		.permit_user_env = -1,
		.use_login = -1,
		.compression = -1,
		.allow_tcp_forwarding = -1,
		.num_allow_users = 0,
		.num_deny_users = 0,
		.num_allow_groups = 0,
		.num_deny_groups = 0,
		.ciphers = NULL,
		.macs = NULL,
		.protocol = SSH_PROTO_UNKNOWN,
		.gateway_ports = -1,
		.num_subsystems = 0,
		.max_startups_begin = -1,
		.max_startups_rate = -1,
		.max_startups = -1,
		.max_authtries = -1,
		.banner = NULL,
		.use_dns = -1,
		.client_alive_interval = -1,
		.client_alive_count_max = -1,
		.authorized_keys_file = NULL,
		.authorized_keys_file2 = NULL,
		.num_accept_env = 0,
		.permit_tun = -1,
	};

	*options = not_yet_set;

	/*
	 * Not part of ServerOptions: a file-scope flag that needs to be
	 * accessible in many places. -1 means "not configured yet".
	 */
	use_privsep = -1;
}
116
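/* Set *opt to dflt if it is still at the -1 "not configured" sentinel. */
static void
default_int(int *opt, int dflt)
{
	if (*opt == -1)
		*opt = dflt;
}

/* Set *opt to dflt if it is still NULL, i.e. never configured. */
static void
default_str(char **opt, char *dflt)
{
	if (*opt == NULL)
		*opt = dflt;
}

/*
 * Replace every option that is still at its "not configured" sentinel
 * (-1, NULL, or the enum's own NOT_SET value) with the compiled-in
 * default. Options that already hold an explicit value are left alone,
 * so this is intended to run after sshd_config and the command line
 * have been processed.
 *
 * Order matters in a few places:
 *  - the default host key files depend on the protocol set;
 *  - add_listen_addr() needs the port list, so ports are defaulted first;
 *  - MaxStartups "begin" defaults to the already-defaulted max_startups;
 *  - AuthorizedKeysFile2 falls back to AuthorizedKeysFile when only the
 *    latter was given.
 * The process-wide use_privsep flag is defaulted here as well.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	default_int(&options->use_pam, 0);

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);	/* wildcard, every port */
	default_str(&options->pid_file, _PATH_SSH_DAEMON_PID_FILE);
	default_int(&options->server_key_bits, 768);
	default_int(&options->login_grace_time, 120);
	default_int(&options->key_regeneration_time, 3600);
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	default_int(&options->ignore_rhosts, 1);
	default_int(&options->ignore_user_known_hosts, 0);
	default_int(&options->print_motd, 1);
	default_int(&options->print_lastlog, 1);
	default_int(&options->x11_forwarding, 0);
	default_int(&options->x11_display_offset, 10);
	default_int(&options->x11_use_localhost, 1);
	default_str(&options->xauth_location, _PATH_XAUTH);
	default_int(&options->strict_modes, 1);
	default_int(&options->tcp_keep_alive, 1);
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	default_int(&options->rhosts_rsa_authentication, 0);
	default_int(&options->hostbased_authentication, 0);
	default_int(&options->hostbased_uses_name_from_packet_only, 0);
	default_int(&options->rsa_authentication, 1);
	default_int(&options->pubkey_authentication, 1);
	default_int(&options->kerberos_authentication, 0);
	default_int(&options->kerberos_or_local_passwd, 1);
	default_int(&options->kerberos_ticket_cleanup, 1);
	default_int(&options->kerberos_get_afs_token, 0);
	/* GSSAPI authentication, key exchange and credential cleanup are on by default */
	default_int(&options->gss_authentication, 1);
	default_int(&options->gss_keyex, 1);
	default_int(&options->gss_cleanup_creds, 1);
	default_int(&options->gsi_allow_limited_proxy, 0);
	default_int(&options->password_authentication, 1);
	default_int(&options->kbd_interactive_authentication, 0);
	default_int(&options->challenge_response_authentication, 1);
	default_int(&options->permit_empty_passwd, 0);
	default_int(&options->permit_user_env, 0);
	default_int(&options->use_login, 0);
	default_int(&options->compression, COMP_DELAYED);
	default_int(&options->allow_tcp_forwarding, 1);
	default_int(&options->gateway_ports, 0);
	default_int(&options->max_startups, 10);
	default_int(&options->max_startups_rate, 100);	/* 100% */
	/* must come after max_startups: the "begin" threshold defaults to it */
	default_int(&options->max_startups_begin, options->max_startups);
	default_int(&options->max_authtries, DEFAULT_AUTH_FAIL_MAX);
	default_int(&options->use_dns, 1);
	default_int(&options->client_alive_interval, 0);
	default_int(&options->client_alive_count_max, 3);
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	default_str(&options->authorized_keys_file, _PATH_SSH_USER_PERMITTED_KEYS);
	default_int(&options->permit_tun, SSH_TUNMODE_NO);

	/* Turn privilege separation on by default */
	if (use_privsep == -1)
		use_privsep = 1;

#ifndef HAVE_MMAP
	/*
	 * Only full ("yes" == COMP_ZLIB) compression conflicts with
	 * privilege separation here; the COMP_DELAYED default is left as is.
	 * Use the named constants the rest of this file uses for this
	 * option instead of the bare 1 / 0.
	 */
	if (use_privsep && options->compression == COMP_ZLIB) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = COMP_NONE;
	}
#endif
}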
261
/*
 * Keyword tokens.
 *
 * parse_token() turns the keyword found on an sshd_config line into one
 * of these via the keywords[] table below, and process_server_config_line()
 * switches on the result. Options whose support is compiled out do not
 * get a token of their own: keywords[] maps them to sUnsupported, and
 * retired keywords to sDeprecated.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosGetAFSToken,
	/* sKerberosTgtPassing is never produced: "kerberostgtpassing" maps to sUnsupported */
	sKerberosTgtPassing, sChallengeResponseAuthentication,
#ifdef SESSION_HOOKS
	sAllowSessionHooks, sSessionHookStartupCmd, sSessionHookShutdownCmd,
#endif
	sPasswordAuthentication, sKbdInteractiveAuthentication,
	sListenAddress, sAddressFamily,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
	sMaxStartups, sMaxAuthTries,
	sBanner, sUseDNS, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	/* GSSAPI / GSI options */
	sGssAuthentication, sGssKeyEx, sGssCleanupCreds,
	sAcceptEnv, sPermitTunnel,
	sGsiAllowLimitedProxy,
	sUsePrivilegeSeparation,
	/* Pseudo-tokens: the keyword is known but not handled as an option */
	sDeprecated, sUnsupported
} ServerOpCodes;
296
/*
 * Textual representation of the tokens.
 *
 * Names are stored in lower case; parse_token() compares with strcasecmp(),
 * so the spelling in sshd_config is case-insensitive. An option whose
 * support was compiled out keeps an entry mapped to sUnsupported and a
 * retired keyword maps to sDeprecated, so that such lines are recognised
 * rather than reported as unknown. The table is terminated by an entry
 * with a NULL name, which is what parse_token() stops at.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "usepam", sUsePAM },
#else
	{ "usepam", sUnsupported },
#endif
	{ "pamauthenticationviakbdint", sDeprecated },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sDeprecated },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },			/* alias */
	/* Kerberos keywords exist in every build; without KRB5 they are sUnsupported */
#ifdef KRB5
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#ifdef USE_AFS
	{ "kerberosgetafstoken", sKerberosGetAFSToken },
#else
	{ "kerberosgetafstoken", sUnsupported },
#endif
#else
	{ "kerberosauthentication", sUnsupported },
	{ "kerberosorlocalpasswd", sUnsupported },
	{ "kerberosticketcleanup", sUnsupported },
	{ "kerberosgetafstoken", sUnsupported },
#endif
	{ "kerberostgtpassing", sUnsupported },
	{ "afstokenpassing", sUnsupported },
	/* GSSAPI keywords follow the same pattern as the Kerberos ones */
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication },
	{ "gssapikeyexchange", sGssKeyEx },
	{ "gssapicleanupcredentials", sGssCleanupCreds },
#ifdef GSI
	{ "gsiallowlimitedproxy", sGsiAllowLimitedProxy },
#endif
#else
	{ "gssapiauthentication", sUnsupported },
	{ "gssapikeyexchange", sUnsupported },
	{ "gssapicleanupcredentials", sUnsupported },
#endif
	/*
	 * NOTE(review): unlike the kerberos* and gssapi* entries above,
	 * "gsiallowlimitedproxy" and the SESSION_HOOKS keywords below have
	 * no sUnsupported fallback. On a build without GSI / SESSION_HOOKS
	 * parse_token() does not find them and reports the line as a
	 * "Bad configuration option" (sBadOption) instead.
	 */
#ifdef SESSION_HOOKS
	{ "allowsessionhooks", sAllowSessionHooks },
	{ "sessionhookstartupcmd", sSessionHookStartupCmd },
	{ "sessionhookshutdowncmd", sSessionHookShutdownCmd },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "addressfamily", sAddressFamily },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "tcpkeepalive", sTCPKeepAlive },
	{ "keepalive", sTCPKeepAlive },				/* obsolete alias */
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "maxauthtries", sMaxAuthTries },
	{ "banner", sBanner },
	{ "usedns", sUseDNS },
	{ "verifyreversemapping", sDeprecated },
	{ "reversemappingcheck", sDeprecated },
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ "acceptenv", sAcceptEnv },
	{ "permittunnel", sPermitTunnel },
	/* sentinel: parse_token() stops at the NULL name */
	{ NULL, sBadOption }
};
408
/*
 * Look up the configuration keyword cp in keywords[], case-insensitively.
 *
 * Returns the matching token. If cp is not a known keyword, an error
 * naming filename and linenum is logged so the offending sshd_config
 * line can be located, and sBadOption is returned.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	size_t idx = 0;

	/* keywords[] is terminated by an entry whose name is NULL. */
	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
427
/*
 * Queue a ListenAddress for binding on one or all configured ports.
 *
 * addr is a host name / numeric address, or NULL for the wildcard
 * address. A port of 0 means "every port in options->ports", which is
 * why the port list (and the address family) are given their defaults
 * here if sshd_config has not set them yet; this is also the reason
 * Port and AddressFamily must appear before ListenAddress.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	u_int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->address_family == -1)
		options->address_family = AF_UNSPEC;

	/* Explicit port: a single entry. */
	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}

	/* No port given: one entry per configured port. */
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
443
/*
 * Resolve addr:port and prepend the resulting socket addresses to
 * options->listen_addrs.
 *
 * addr == NULL selects AI_PASSIVE, i.e. the wildcard address for
 * options->address_family. Resolution failure is fatal rather than
 * skipped, so a ListenAddress that cannot be resolved stops the daemon
 * from starting instead of silently going unbound.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo *res, *tail;
	char strport[NI_MAXSERV];
	int gaierr;
	/* Unnamed members of hints are zero, as with memset(). */
	struct addrinfo hints = {
		.ai_family = options->address_family,
		.ai_socktype = SOCK_STREAM,
		.ai_flags = (addr == NULL) ? AI_PASSIVE : 0,
	};

	snprintf(strport, sizeof strport, "%u", port);
	gaierr = getaddrinfo(addr, strport, &hints, &res);
	if (gaierr != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(gaierr));

	/* Find the tail of the new list and chain the existing list after it. */
	tail = res;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
465
e9702f7d 466int
467process_server_config_line(ServerOptions *options, char *line,
468 const char *filename, int linenum)
3c0ef626 469{
3c0ef626 470 char *cp, **charptr, *arg, *p;
2ce0bfe4 471 int *intptr, value, n;
3c0ef626 472 ServerOpCodes opcode;
dfddba3d 473 u_short port;
2ce0bfe4 474 u_int i;
3c0ef626 475
e9702f7d 476 cp = line;
477 arg = strdelim(&cp);
478 /* Ignore leading whitespace */
479 if (*arg == '\0')
3c0ef626 480 arg = strdelim(&cp);
e9702f7d 481 if (!arg || !*arg || *arg == '#')
482 return 0;
483 intptr = NULL;
484 charptr = NULL;
485 opcode = parse_token(arg, filename, linenum);
486 switch (opcode) {
487 /* Portable-specific options */
7cac2b65 488 case sUsePAM:
489 intptr = &options->use_pam;
e9702f7d 490 goto parse_flag;
3c0ef626 491
e9702f7d 492 /* Standard Options */
493 case sBadOption:
494 return -1;
495 case sPort:
496 /* ignore ports from configfile if cmdline specifies ports */
497 if (options->ports_from_cmdline)
498 return 0;
499 if (options->listen_addrs != NULL)
500 fatal("%s line %d: ports must be specified before "
501 "ListenAddress.", filename, linenum);
502 if (options->num_ports >= MAX_PORTS)
503 fatal("%s line %d: too many ports.",
504 filename, linenum);
505 arg = strdelim(&cp);
506 if (!arg || *arg == '\0')
507 fatal("%s line %d: missing port number.",
508 filename, linenum);
509 options->ports[options->num_ports++] = a2port(arg);
510 if (options->ports[options->num_ports-1] == 0)
511 fatal("%s line %d: Badly formatted port number.",
512 filename, linenum);
513 break;
514
515 case sServerKeyBits:
516 intptr = &options->server_key_bits;
3c0ef626 517parse_int:
e9702f7d 518 arg = strdelim(&cp);
519 if (!arg || *arg == '\0')
520 fatal("%s line %d: missing integer value.",
521 filename, linenum);
522 value = atoi(arg);
523 if (*intptr == -1)
524 *intptr = value;
525 break;
526
527 case sLoginGraceTime:
528 intptr = &options->login_grace_time;
3c0ef626 529parse_time:
e9702f7d 530 arg = strdelim(&cp);
531 if (!arg || *arg == '\0')
532 fatal("%s line %d: missing time value.",
533 filename, linenum);
534 if ((value = convtime(arg)) == -1)
535 fatal("%s line %d: invalid time value.",
536 filename, linenum);
537 if (*intptr == -1)
538 *intptr = value;
539 break;
540
541 case sKeyRegenerationTime:
542 intptr = &options->key_regeneration_time;
543 goto parse_time;
544
545 case sListenAddress:
546 arg = strdelim(&cp);
dfddba3d 547 if (arg == NULL || *arg == '\0')
548 fatal("%s line %d: missing address",
e9702f7d 549 filename, linenum);
2ce0bfe4 550 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
551 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
552 && strchr(p+1, ':') != NULL) {
553 add_listen_addr(options, arg, 0);
554 break;
555 }
dfddba3d 556 p = hpdelim(&arg);
557 if (p == NULL)
558 fatal("%s line %d: bad address:port usage",
e9702f7d 559 filename, linenum);
dfddba3d 560 p = cleanhostname(p);
561 if (arg == NULL)
562 port = 0;
563 else if ((port = a2port(arg)) == 0)
564 fatal("%s line %d: bad port number", filename, linenum);
565
566 add_listen_addr(options, p, port);
567
568 break;
569
570 case sAddressFamily:
571 arg = strdelim(&cp);
2ce0bfe4 572 if (!arg || *arg == '\0')
573 fatal("%s line %d: missing address family.",
574 filename, linenum);
dfddba3d 575 intptr = &options->address_family;
576 if (options->listen_addrs != NULL)
577 fatal("%s line %d: address family must be specified before "
578 "ListenAddress.", filename, linenum);
579 if (strcasecmp(arg, "inet") == 0)
580 value = AF_INET;
581 else if (strcasecmp(arg, "inet6") == 0)
582 value = AF_INET6;
583 else if (strcasecmp(arg, "any") == 0)
584 value = AF_UNSPEC;
585 else
586 fatal("%s line %d: unsupported address family \"%s\".",
587 filename, linenum, arg);
588 if (*intptr == -1)
589 *intptr = value;
e9702f7d 590 break;
591
592 case sHostKeyFile:
593 intptr = &options->num_host_key_files;
594 if (*intptr >= MAX_HOSTKEYS)
595 fatal("%s line %d: too many host keys specified (max %d).",
596 filename, linenum, MAX_HOSTKEYS);
597 charptr = &options->host_key_files[*intptr];
3c0ef626 598parse_filename:
e9702f7d 599 arg = strdelim(&cp);
600 if (!arg || *arg == '\0')
601 fatal("%s line %d: missing file name.",
602 filename, linenum);
603 if (*charptr == NULL) {
604 *charptr = tilde_expand_filename(arg, getuid());
605 /* increase optional counter */
606 if (intptr != NULL)
607 *intptr = *intptr + 1;
608 }
609 break;
3c0ef626 610
e9702f7d 611 case sPidFile:
612 charptr = &options->pid_file;
613 goto parse_filename;
3c0ef626 614
e9702f7d 615 case sPermitRootLogin:
616 intptr = &options->permit_root_login;
617 arg = strdelim(&cp);
618 if (!arg || *arg == '\0')
619 fatal("%s line %d: missing yes/"
620 "without-password/forced-commands-only/no "
621 "argument.", filename, linenum);
622 value = 0; /* silence compiler */
623 if (strcmp(arg, "without-password") == 0)
624 value = PERMIT_NO_PASSWD;
625 else if (strcmp(arg, "forced-commands-only") == 0)
626 value = PERMIT_FORCED_ONLY;
627 else if (strcmp(arg, "yes") == 0)
628 value = PERMIT_YES;
629 else if (strcmp(arg, "no") == 0)
630 value = PERMIT_NO;
631 else
632 fatal("%s line %d: Bad yes/"
633 "without-password/forced-commands-only/no "
634 "argument: %s", filename, linenum, arg);
635 if (*intptr == -1)
636 *intptr = value;
637 break;
3c0ef626 638
e9702f7d 639 case sIgnoreRhosts:
640 intptr = &options->ignore_rhosts;
641parse_flag:
642 arg = strdelim(&cp);
643 if (!arg || *arg == '\0')
644 fatal("%s line %d: missing yes/no argument.",
645 filename, linenum);
646 value = 0; /* silence compiler */
647 if (strcmp(arg, "yes") == 0)
648 value = 1;
649 else if (strcmp(arg, "no") == 0)
650 value = 0;
651 else
652 fatal("%s line %d: Bad yes/no argument: %s",
653 filename, linenum, arg);
654 if (*intptr == -1)
655 *intptr = value;
656 break;
657
658 case sIgnoreUserKnownHosts:
659 intptr = &options->ignore_user_known_hosts;
660 goto parse_flag;
661
e9702f7d 662 case sRhostsRSAAuthentication:
663 intptr = &options->rhosts_rsa_authentication;
664 goto parse_flag;
665
666 case sHostbasedAuthentication:
667 intptr = &options->hostbased_authentication;
668 goto parse_flag;
669
670 case sHostbasedUsesNameFromPacketOnly:
671 intptr = &options->hostbased_uses_name_from_packet_only;
672 goto parse_flag;
673
674 case sRSAAuthentication:
675 intptr = &options->rsa_authentication;
676 goto parse_flag;
677
678 case sPubkeyAuthentication:
679 intptr = &options->pubkey_authentication;
680 goto parse_flag;
7cac2b65 681
e9702f7d 682 case sKerberosAuthentication:
683 intptr = &options->kerberos_authentication;
684 goto parse_flag;
3c0ef626 685
e9702f7d 686 case sKerberosOrLocalPasswd:
687 intptr = &options->kerberos_or_local_passwd;
688 goto parse_flag;
3c0ef626 689
e9702f7d 690 case sKerberosTicketCleanup:
691 intptr = &options->kerberos_ticket_cleanup;
692 goto parse_flag;
7cac2b65 693
540d72c3 694 case sKerberosGetAFSToken:
695 intptr = &options->kerberos_get_afs_token;
696 goto parse_flag;
697
7cac2b65 698 case sGssAuthentication:
699 intptr = &options->gss_authentication;
e9702f7d 700 goto parse_flag;
7cac2b65 701
702 case sGssKeyEx:
703 intptr = &options->gss_keyex;
e9702f7d 704 goto parse_flag;
7cac2b65 705
7cac2b65 706 case sGssCleanupCreds:
707 intptr = &options->gss_cleanup_creds;
708 goto parse_flag;
709
826a9049 710 case sGsiAllowLimitedProxy:
711 intptr = &options->gsi_allow_limited_proxy;
712 goto parse_flag;
713
75be3237 714#ifdef SESSION_HOOKS
715 case sAllowSessionHooks:
716 intptr = &options->session_hooks_allow;
717 goto parse_flag;
718 case sSessionHookStartupCmd:
719 case sSessionHookShutdownCmd:
720 arg = strdelim(&cp);
721 if (!arg || *arg == '\0')
722 fatal("%s line %d: empty session hook command",
723 filename, linenum);
724 if (opcode==sSessionHookStartupCmd)
725 options->session_hooks_startup_cmd = strdup(arg);
726 else
727 options->session_hooks_shutdown_cmd = strdup(arg);
728 break;
729#endif
7cac2b65 730
e9702f7d 731 case sPasswordAuthentication:
732 intptr = &options->password_authentication;
733 goto parse_flag;
3c0ef626 734
e9702f7d 735 case sKbdInteractiveAuthentication:
736 intptr = &options->kbd_interactive_authentication;
737 goto parse_flag;
3c0ef626 738
e9702f7d 739 case sChallengeResponseAuthentication:
740 intptr = &options->challenge_response_authentication;
741 goto parse_flag;
3c0ef626 742
e9702f7d 743 case sPrintMotd:
744 intptr = &options->print_motd;
745 goto parse_flag;
3c0ef626 746
e9702f7d 747 case sPrintLastLog:
748 intptr = &options->print_lastlog;
749 goto parse_flag;
3c0ef626 750
e9702f7d 751 case sX11Forwarding:
752 intptr = &options->x11_forwarding;
753 goto parse_flag;
3c0ef626 754
e9702f7d 755 case sX11DisplayOffset:
756 intptr = &options->x11_display_offset;
757 goto parse_int;
3c0ef626 758
e9702f7d 759 case sX11UseLocalhost:
760 intptr = &options->x11_use_localhost;
761 goto parse_flag;
3c0ef626 762
e9702f7d 763 case sXAuthLocation:
764 charptr = &options->xauth_location;
765 goto parse_filename;
3c0ef626 766
e9702f7d 767 case sStrictModes:
768 intptr = &options->strict_modes;
769 goto parse_flag;
3c0ef626 770
540d72c3 771 case sTCPKeepAlive:
772 intptr = &options->tcp_keep_alive;
e9702f7d 773 goto parse_flag;
3c0ef626 774
e9702f7d 775 case sEmptyPasswd:
776 intptr = &options->permit_empty_passwd;
777 goto parse_flag;
778
d03f4262 779 case sPermitUserEnvironment:
780 intptr = &options->permit_user_env;
781 goto parse_flag;
782
e9702f7d 783 case sUseLogin:
784 intptr = &options->use_login;
785 goto parse_flag;
786
44a053a3 787 case sCompression:
788 intptr = &options->compression;
2ce0bfe4 789 arg = strdelim(&cp);
790 if (!arg || *arg == '\0')
791 fatal("%s line %d: missing yes/no/delayed "
792 "argument.", filename, linenum);
793 value = 0; /* silence compiler */
794 if (strcmp(arg, "delayed") == 0)
795 value = COMP_DELAYED;
796 else if (strcmp(arg, "yes") == 0)
797 value = COMP_ZLIB;
798 else if (strcmp(arg, "no") == 0)
799 value = COMP_NONE;
800 else
801 fatal("%s line %d: Bad yes/no/delayed "
802 "argument: %s", filename, linenum, arg);
803 if (*intptr == -1)
804 *intptr = value;
805 break;
44a053a3 806
e9702f7d 807 case sGatewayPorts:
808 intptr = &options->gateway_ports;
dfddba3d 809 arg = strdelim(&cp);
810 if (!arg || *arg == '\0')
811 fatal("%s line %d: missing yes/no/clientspecified "
812 "argument.", filename, linenum);
813 value = 0; /* silence compiler */
814 if (strcmp(arg, "clientspecified") == 0)
815 value = 2;
816 else if (strcmp(arg, "yes") == 0)
817 value = 1;
818 else if (strcmp(arg, "no") == 0)
819 value = 0;
820 else
821 fatal("%s line %d: Bad yes/no/clientspecified "
822 "argument: %s", filename, linenum, arg);
823 if (*intptr == -1)
824 *intptr = value;
825 break;
e9702f7d 826
7cac2b65 827 case sUseDNS:
828 intptr = &options->use_dns;
e9702f7d 829 goto parse_flag;
830
831 case sLogFacility:
832 intptr = (int *) &options->log_facility;
833 arg = strdelim(&cp);
834 value = log_facility_number(arg);
835 if (value == SYSLOG_FACILITY_NOT_SET)
836 fatal("%.200s line %d: unsupported log facility '%s'",
837 filename, linenum, arg ? arg : "<NONE>");
838 if (*intptr == -1)
839 *intptr = (SyslogFacility) value;
840 break;
841
842 case sLogLevel:
843 intptr = (int *) &options->log_level;
844 arg = strdelim(&cp);
845 value = log_level_number(arg);
846 if (value == SYSLOG_LEVEL_NOT_SET)
847 fatal("%.200s line %d: unsupported log level '%s'",
848 filename, linenum, arg ? arg : "<NONE>");
849 if (*intptr == -1)
850 *intptr = (LogLevel) value;
851 break;
852
853 case sAllowTcpForwarding:
854 intptr = &options->allow_tcp_forwarding;
855 goto parse_flag;
856
350391c5 857 case sUsePrivilegeSeparation:
858 intptr = &use_privsep;
859 goto parse_flag;
860
e9702f7d 861 case sAllowUsers:
862 while ((arg = strdelim(&cp)) && *arg != '\0') {
863 if (options->num_allow_users >= MAX_ALLOW_USERS)
864 fatal("%s line %d: too many allow users.",
3c0ef626 865 filename, linenum);
276b07a3 866 options->allow_users[options->num_allow_users++] =
867 xstrdup(arg);
e9702f7d 868 }
869 break;
3c0ef626 870
e9702f7d 871 case sDenyUsers:
872 while ((arg = strdelim(&cp)) && *arg != '\0') {
873 if (options->num_deny_users >= MAX_DENY_USERS)
874 fatal( "%s line %d: too many deny users.",
875 filename, linenum);
276b07a3 876 options->deny_users[options->num_deny_users++] =
877 xstrdup(arg);
e9702f7d 878 }
879 break;
3c0ef626 880
e9702f7d 881 case sAllowGroups:
882 while ((arg = strdelim(&cp)) && *arg != '\0') {
883 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
884 fatal("%s line %d: too many allow groups.",
885 filename, linenum);
276b07a3 886 options->allow_groups[options->num_allow_groups++] =
887 xstrdup(arg);
e9702f7d 888 }
889 break;
890
891 case sDenyGroups:
892 while ((arg = strdelim(&cp)) && *arg != '\0') {
893 if (options->num_deny_groups >= MAX_DENY_GROUPS)
894 fatal("%s line %d: too many deny groups.",
895 filename, linenum);
896 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
3c0ef626 897 }
e9702f7d 898 break;
899
900 case sCiphers:
901 arg = strdelim(&cp);
902 if (!arg || *arg == '\0')
903 fatal("%s line %d: Missing argument.", filename, linenum);
904 if (!ciphers_valid(arg))
905 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
906 filename, linenum, arg ? arg : "<NONE>");
907 if (options->ciphers == NULL)
908 options->ciphers = xstrdup(arg);
909 break;
910
911 case sMacs:
912 arg = strdelim(&cp);
913 if (!arg || *arg == '\0')
914 fatal("%s line %d: Missing argument.", filename, linenum);
915 if (!mac_valid(arg))
916 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
917 filename, linenum, arg ? arg : "<NONE>");
918 if (options->macs == NULL)
919 options->macs = xstrdup(arg);
920 break;
921
922 case sProtocol:
923 intptr = &options->protocol;
924 arg = strdelim(&cp);
925 if (!arg || *arg == '\0')
926 fatal("%s line %d: Missing argument.", filename, linenum);
927 value = proto_spec(arg);
928 if (value == SSH_PROTO_UNKNOWN)
929 fatal("%s line %d: Bad protocol spec '%s'.",
930 filename, linenum, arg ? arg : "<NONE>");
931 if (*intptr == SSH_PROTO_UNKNOWN)
932 *intptr = value;
933 break;
934
935 case sSubsystem:
936 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
937 fatal("%s line %d: too many subsystems defined.",
938 filename, linenum);
939 }
940 arg = strdelim(&cp);
941 if (!arg || *arg == '\0')
942 fatal("%s line %d: Missing subsystem name.",
943 filename, linenum);
944 for (i = 0; i < options->num_subsystems; i++)
945 if (strcmp(arg, options->subsystem_name[i]) == 0)
946 fatal("%s line %d: Subsystem '%s' already defined.",
947 filename, linenum, arg);
948 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
949 arg = strdelim(&cp);
950 if (!arg || *arg == '\0')
951 fatal("%s line %d: Missing subsystem command.",
952 filename, linenum);
953 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
954 options->num_subsystems++;
955 break;
956
957 case sMaxStartups:
958 arg = strdelim(&cp);
959 if (!arg || *arg == '\0')
960 fatal("%s line %d: Missing MaxStartups spec.",
961 filename, linenum);
962 if ((n = sscanf(arg, "%d:%d:%d",
963 &options->max_startups_begin,
964 &options->max_startups_rate,
965 &options->max_startups)) == 3) {
966 if (options->max_startups_begin >
967 options->max_startups ||
968 options->max_startups_rate > 100 ||
969 options->max_startups_rate < 1)
970 fatal("%s line %d: Illegal MaxStartups spec.",
971 filename, linenum);
972 } else if (n != 1)
973 fatal("%s line %d: Illegal MaxStartups spec.",
974 filename, linenum);
975 else
976 options->max_startups = options->max_startups_begin;
977 break;
978
7e82606e 979 case sMaxAuthTries:
980 intptr = &options->max_authtries;
981 goto parse_int;
982
e9702f7d 983 case sBanner:
984 charptr = &options->banner;
985 goto parse_filename;
986 /*
987 * These options can contain %X options expanded at
988 * connect time, so that you can specify paths like:
989 *
990 * AuthorizedKeysFile /etc/ssh_keys/%u
991 */
992 case sAuthorizedKeysFile:
993 case sAuthorizedKeysFile2:
994 charptr = (opcode == sAuthorizedKeysFile ) ?
995 &options->authorized_keys_file :
996 &options->authorized_keys_file2;
997 goto parse_filename;
998
999 case sClientAliveInterval:
1000 intptr = &options->client_alive_interval;
1001 goto parse_time;
1002
1003 case sClientAliveCountMax:
1004 intptr = &options->client_alive_count_max;
1005 goto parse_int;
1006
7e82606e 1007 case sAcceptEnv:
1008 while ((arg = strdelim(&cp)) && *arg != '\0') {
1009 if (strchr(arg, '=') != NULL)
1010 fatal("%s line %d: Invalid environment name.",
1011 filename, linenum);
1012 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1013 fatal("%s line %d: too many allow env.",
1014 filename, linenum);
1015 options->accept_env[options->num_accept_env++] =
1016 xstrdup(arg);
1017 }
1018 break;
1019
08822d99 1020 case sPermitTunnel:
1021 intptr = &options->permit_tun;
1022 arg = strdelim(&cp);
1023 if (!arg || *arg == '\0')
1024 fatal("%s line %d: Missing yes/point-to-point/"
1025 "ethernet/no argument.", filename, linenum);
1026 value = 0; /* silence compiler */
1027 if (strcasecmp(arg, "ethernet") == 0)
1028 value = SSH_TUNMODE_ETHERNET;
1029 else if (strcasecmp(arg, "point-to-point") == 0)
1030 value = SSH_TUNMODE_POINTOPOINT;
1031 else if (strcasecmp(arg, "yes") == 0)
1032 value = SSH_TUNMODE_YES;
1033 else if (strcasecmp(arg, "no") == 0)
1034 value = SSH_TUNMODE_NO;
1035 else
1036 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1037 "no argument: %s", filename, linenum, arg);
1038 if (*intptr == -1)
1039 *intptr = value;
1040 break;
1041
e9702f7d 1042 case sDeprecated:
7cac2b65 1043 logit("%s line %d: Deprecated option %s",
1044 filename, linenum, arg);
1045 while (arg)
1046 arg = strdelim(&cp);
1047 break;
1048
1049 case sUnsupported:
1050 logit("%s line %d: Unsupported option %s",
e9702f7d 1051 filename, linenum, arg);
1052 while (arg)
1053 arg = strdelim(&cp);
1054 break;
1055
1056 default:
1057 fatal("%s line %d: Missing handler for opcode %s (%d)",
1058 filename, linenum, arg, opcode);
1059 }
1060 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1061 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1062 filename, linenum, arg);
1063 return 0;
1064}
1065
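/*
 * Reads the server configuration file `filename` into `conf`.
 *
 * Every line is copied with leading blanks, tabs and CRs removed and
 * everything from the first '#' onward replaced by a single newline.
 * Newlines are preserved so parse_server_config() can report the
 * original line numbers. A line that does not fit in the read buffer is
 * rejected with fatal() instead of being silently split into two
 * logical lines (the remainder would otherwise be parsed as a directive
 * of its own and shift every later line number). `conf` is cleared
 * first and NUL-terminated at the end; the process exits if the file
 * cannot be opened.
 */
void
load_server_config(const char *filename, Buffer *conf)
{
	char line[1024], *cp;
	FILE *f;
	int lineno = 0;

	debug2("%s: filename %s", __func__, filename);
	if ((f = fopen(filename, "r")) == NULL) {
		perror(filename);
		exit(1);
	}
	buffer_clear(conf);
	while (fgets(line, sizeof(line), f)) {
		lineno++;
		/*
		 * fgets() fills the buffer without a trailing newline when
		 * the input line is longer than the buffer. Unless the file
		 * simply ends there, refuse the line rather than let the rest
		 * of it come back as a separate "line" on the next read.
		 */
		if (strlen(line) == sizeof(line) - 1 &&
		    line[sizeof(line) - 2] != '\n' && fgetc(f) != EOF)
			fatal("%s line %d: line too long (max %zu bytes).",
			    filename, lineno, sizeof(line) - 1);
		/*
		 * Trim out comments and strip leading whitespace.
		 * NB - preserve newlines, they are needed to reproduce
		 * line numbers later for error messages. A '#' anywhere on
		 * the line starts a comment, even inside an argument.
		 * The two-byte memcpy stays in bounds: '#' was found before
		 * the terminating NUL that fgets() placed within the buffer.
		 */
		if ((cp = strchr(line, '#')) != NULL)
			memcpy(cp, "\n", 2);
		cp = line + strspn(line, " \t\r");

		buffer_append(conf, cp, strlen(cp));
	}
	buffer_append(conf, "\0", 1);
	fclose(f);
	debug2("%s: done config len = %d", __func__, buffer_len(conf));
}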
1096
/*
 * Parses the NUL-terminated configuration text in `conf` (as produced by
 * load_server_config()) one line at a time, applying each directive to
 * `options`. `filename` is used only in diagnostics. Lines rejected by
 * process_server_config_line() are counted, and fatal() is called once
 * the whole text has been scanned if any line was bad.
 */
void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
{
	char *text, *rest, *line;
	int lineno = 1, nbad = 0;

	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));

	/* strsep() writes into its input, so work on a private copy. */
	text = xstrdup(buffer_ptr(conf));
	rest = text;
	for (;;) {
		line = strsep(&rest, "\n");
		if (line == NULL)
			break;
		if (process_server_config_line(options, line, filename,
		    lineno) != 0)
			nbad++;
		lineno++;
	}
	xfree(text);
	if (nbad > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, nbad);
}