3c0ef626 1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
680cee3b 13RCSID("$OpenBSD: servconf.c,v 1.112 2002/06/23 09:46:51 deraadt Exp $");
3c0ef626 14
700318f3 15#if defined(KRB4)
16#include <krb.h>
17#endif
18#if defined(KRB5)
19#ifdef HEIMDAL
3c0ef626 20#include <krb.h>
700318f3 21#else
22/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
23 * keytab */
24#define KEYFILE "/etc/krb5.keytab"
25#endif
3c0ef626 26#endif
27#ifdef AFS
28#include <kafs.h>
29#endif
30
31#include "ssh.h"
32#include "log.h"
33#include "servconf.h"
34#include "xmalloc.h"
35#include "compat.h"
36#include "pathnames.h"
37#include "tildexpand.h"
38#include "misc.h"
39#include "cipher.h"
40#include "kex.h"
41#include "mac.h"
42
/*
 * Forward declarations for the listen-address helpers defined below.
 * A port of 0 passed to add_listen_addr() means "every configured port".
 */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6; used as the getaddrinfo() ai_family hint */
extern int IPv4or6;
/*
 * Use of privilege separation or not.  Not a ServerOptions field: -1 means
 * "not set", UsePrivilegeSeparation parses straight into it, and
 * fill_default_server_options() turns -1 into 1.
 */
extern int use_privsep;
3c0ef626 50
/*
 * Initializes the server options to their default values.
 *
 * The whole structure is zeroed first; every field that must distinguish
 * "not set" from a real value then receives its sentinel: -1 for flags and
 * numbers that may legitimately be 0, NULL for strings, and the
 * enum-specific NOT_SET / UNKNOWN markers.  fill_default_server_options()
 * later replaces whichever sentinels the configuration did not override.
 * Anything not listed here stays at the zero left by memset().
 */
void
initialize_server_options(ServerOptions *options)
{
	ServerOptions *o = options;

	memset(o, 0, sizeof(*o));

	/* Portable-specific options */
	o->pam_authentication_via_kbd_int = -1;

	/* Standard Options: counters, lists and strings */
	o->num_ports = 0;
	o->ports_from_cmdline = 0;
	o->listen_addrs = NULL;
	o->num_host_key_files = 0;
	o->num_allow_users = 0;
	o->num_deny_users = 0;
	o->num_allow_groups = 0;
	o->num_deny_groups = 0;
	o->num_subsystems = 0;
	o->pid_file = NULL;
	o->xauth_location = NULL;
	o->ciphers = NULL;
	o->macs = NULL;
	o->banner = NULL;
	o->authorized_keys_file = NULL;
	o->authorized_keys_file2 = NULL;

	/* Numeric and enumerated settings */
	o->server_key_bits = -1;
	o->login_grace_time = -1;
	o->key_regeneration_time = -1;
	o->x11_display_offset = -1;
	o->permit_root_login = PERMIT_NOT_SET;
	o->log_facility = SYSLOG_FACILITY_NOT_SET;
	o->log_level = SYSLOG_LEVEL_NOT_SET;
	o->protocol = SSH_PROTO_UNKNOWN;
	o->max_startups_begin = -1;
	o->max_startups_rate = -1;
	o->max_startups = -1;
	o->client_alive_interval = -1;
	o->client_alive_count_max = -1;

	/* Yes/no flags */
	o->ignore_rhosts = -1;
	o->ignore_user_known_hosts = -1;
	o->print_motd = -1;
	o->print_lastlog = -1;
	o->x11_forwarding = -1;
	o->x11_use_localhost = -1;
	o->strict_modes = -1;
	o->keepalives = -1;
	o->rhosts_authentication = -1;
	o->rhosts_rsa_authentication = -1;
	o->hostbased_authentication = -1;
	o->hostbased_uses_name_from_packet_only = -1;
	o->rsa_authentication = -1;
	o->pubkey_authentication = -1;
#ifdef GSSAPI
	o->gss_authentication = -1;
	o->gss_keyex = -1;
	o->gss_use_session_ccache = -1;
	o->gss_cleanup_creds = -1;
#endif
#if defined(KRB4) || defined(KRB5)
	o->kerberos_authentication = -1;
	o->kerberos_or_local_passwd = -1;
	o->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
	o->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	o->afs_token_passing = -1;
#endif
	o->password_authentication = -1;
	o->kbd_interactive_authentication = -1;
	o->challenge_response_authentication = -1;
	o->permit_empty_passwd = -1;
	o->use_login = -1;
	o->compression = -1;
	o->allow_tcp_forwarding = -1;
	o->gateway_ports = -1;
	o->verify_reverse_mapping = -1;

	/* Needs to be accessable in many places, hence a global, not a field */
	use_privsep = -1;
}
135
/*
 * Resolve every option that is still at its "unset" sentinel to the
 * compiled-in default.  Runs after initialize_server_options() and after
 * the configuration file / command line have been applied; fields that
 * already hold a value are left alone.
 *
 * A few defaults depend on others and are therefore ordered: the host key
 * list depends on protocol, max_startups_begin on max_startups, and
 * authorized_keys_file2 on authorized_keys_file.
 */

/* Store dflt into lv only while lv still equals its unset marker. */
#define SET_DEFAULT(lv, unset, dflt) \
	do { \
		if ((lv) == (unset)) \
			(lv) = (dflt); \
	} while (0)

void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	SET_DEFAULT(options->pam_authentication_via_kbd_int, -1, 0);

	/* Standard Options */
	SET_DEFAULT(options->protocol, SSH_PROTO_UNKNOWN,
	    SSH_PROTO_1|SSH_PROTO_2);
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for the enabled protocols */
		int nkeys = 0;

		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[nkeys++] = _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[nkeys++] = _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[nkeys++] = _PATH_HOST_DSA_KEY_FILE;
		}
		options->num_host_key_files = nkeys;
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* port 0 here means "listen on every configured port" */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	SET_DEFAULT(options->pid_file, NULL, _PATH_SSH_DAEMON_PID_FILE);
	SET_DEFAULT(options->server_key_bits, -1, 768);
	SET_DEFAULT(options->login_grace_time, -1, 600);
	SET_DEFAULT(options->key_regeneration_time, -1, 3600);
	/*
	 * The compiled-in default allows root login outright; deployments
	 * that want anything stricter must set PermitRootLogin explicitly.
	 */
	SET_DEFAULT(options->permit_root_login, PERMIT_NOT_SET, PERMIT_YES);
	SET_DEFAULT(options->ignore_rhosts, -1, 1);
	SET_DEFAULT(options->ignore_user_known_hosts, -1, 0);
	SET_DEFAULT(options->print_motd, -1, 1);
	SET_DEFAULT(options->print_lastlog, -1, 1);
	SET_DEFAULT(options->x11_forwarding, -1, 0);
	SET_DEFAULT(options->x11_display_offset, -1, 10);
	SET_DEFAULT(options->x11_use_localhost, -1, 1);
	SET_DEFAULT(options->xauth_location, NULL, _PATH_XAUTH);
	SET_DEFAULT(options->strict_modes, -1, 1);
	SET_DEFAULT(options->keepalives, -1, 1);
	SET_DEFAULT(options->log_facility, SYSLOG_FACILITY_NOT_SET,
	    SYSLOG_FACILITY_AUTH);
	SET_DEFAULT(options->log_level, SYSLOG_LEVEL_NOT_SET,
	    SYSLOG_LEVEL_INFO);
	SET_DEFAULT(options->rhosts_authentication, -1, 0);
	SET_DEFAULT(options->rhosts_rsa_authentication, -1, 0);
	SET_DEFAULT(options->hostbased_authentication, -1, 0);
	SET_DEFAULT(options->hostbased_uses_name_from_packet_only, -1, 0);
	SET_DEFAULT(options->rsa_authentication, -1, 1);
	SET_DEFAULT(options->pubkey_authentication, -1, 1);
#ifdef GSSAPI
	SET_DEFAULT(options->gss_authentication, -1, 1);
	SET_DEFAULT(options->gss_keyex, -1, 1);
	SET_DEFAULT(options->gss_use_session_ccache, -1, 1);
	SET_DEFAULT(options->gss_cleanup_creds, -1, 1);
#endif
#if defined(KRB4) || defined(KRB5)
	SET_DEFAULT(options->kerberos_authentication, -1, 0);
	SET_DEFAULT(options->kerberos_or_local_passwd, -1, 1);
	SET_DEFAULT(options->kerberos_ticket_cleanup, -1, 1);
#endif
#if defined(AFS) || defined(KRB5)
	SET_DEFAULT(options->kerberos_tgt_passing, -1, 0);
#endif
#ifdef AFS
	SET_DEFAULT(options->afs_token_passing, -1, 0);
#endif
	SET_DEFAULT(options->password_authentication, -1, 1);
	SET_DEFAULT(options->kbd_interactive_authentication, -1, 0);
	SET_DEFAULT(options->challenge_response_authentication, -1, 1);
	SET_DEFAULT(options->permit_empty_passwd, -1, 0);
	SET_DEFAULT(options->use_login, -1, 0);
	SET_DEFAULT(options->compression, -1, 1);
	SET_DEFAULT(options->allow_tcp_forwarding, -1, 1);
	SET_DEFAULT(options->gateway_ports, -1, 0);
	SET_DEFAULT(options->max_startups, -1, 10);
	SET_DEFAULT(options->max_startups_rate, -1, 100);	/* 100% */
	/* must follow max_startups: begin defaults to that value */
	SET_DEFAULT(options->max_startups_begin, -1, options->max_startups);
	SET_DEFAULT(options->verify_reverse_mapping, -1, 0);
	SET_DEFAULT(options->client_alive_interval, -1, 0);
	SET_DEFAULT(options->client_alive_count_max, -1, 3);
	/* authorized_keys_file2 falls back to authorized_keys_file if given */
	if (options->authorized_keys_file2 == NULL)
		options->authorized_keys_file2 =
		    (options->authorized_keys_file != NULL) ?
		    options->authorized_keys_file :
		    _PATH_SSH_USER_PERMITTED_KEYS2;
	SET_DEFAULT(options->authorized_keys_file, NULL,
	    _PATH_SSH_USER_PERMITTED_KEYS);

	/* Turn privilege separation on by default */
	SET_DEFAULT(use_privsep, -1, 1);

#if !defined(HAVE_MMAP_ANON_SHARED)
	/* privsep wins over compression where the two cannot coexist */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}

#undef SET_DEFAULT
286
/*
 * Keyword tokens.  One value per recognised configuration keyword; the
 * keywords[] table maps the textual names onto these and
 * process_server_config_line() switches on them.  sBadOption is first
 * (value 0) and is what parse_token() returns for an unknown keyword.
 * The numeric value is only ever shown in the "Missing handler" fatal().
 */
typedef enum {
	sBadOption,			/* == unknown option */
	/* Portable-specific options */
	sPAMAuthenticationViaKbdInt,
	/* Standard Options */
	sPort,
	sHostKeyFile,
	sServerKeyBits,
	sLoginGraceTime,
	sKeyRegenerationTime,
	sPermitRootLogin,
	sLogFacility,
	sLogLevel,
	sRhostsAuthentication,
	sRhostsRSAAuthentication,
	sRSAAuthentication,
#ifdef GSSAPI
	sGssAuthentication,
	sGssKeyEx,
	sGssUseSessionCredCache,
	sGssCleanupCreds,
#endif
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication,
	sKerberosOrLocalPasswd,
	sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication,
	sKbdInteractiveAuthentication,
	sListenAddress,
	sPrintMotd,
	sPrintLastLog,
	sIgnoreRhosts,
	sX11Forwarding,
	sX11DisplayOffset,
	sX11UseLocalhost,
	sStrictModes,
	sEmptyPasswd,
	sKeepAlives,
	sUseLogin,
	sAllowTcpForwarding,
	sCompression,
	sAllowUsers,
	sDenyUsers,
	sAllowGroups,
	sDenyGroups,
	sIgnoreUserKnownHosts,
	sCiphers,
	sMacs,
	sProtocol,
	sPidFile,
	sGatewayPorts,
	sPubkeyAuthentication,
	sXAuthLocation,
	sSubsystem,
	sMaxStartups,
	sBanner,
	sVerifyReverseMapping,
	sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly,
	sClientAliveInterval,
	sClientAliveCountMax,
	sAuthorizedKeysFile,
	sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,
	sDeprecated			/* recognised but ignored keywords */
} ServerOpCodes;
323
/*
 * Textual representation of the tokens.  parse_token() walks this table
 * linearly and compares with strcasecmp(), so names match
 * case-insensitively and the first match wins.  Several names are aliases
 * that resolve to the same opcode; "checkmail" is kept only so that old
 * files produce a deprecation message instead of an error.  The list is
 * terminated by an entry whose name is NULL.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
	{ "PAMAuthenticationViaKbdInt",		sPAMAuthenticationViaKbdInt },
	/* Standard Options */
	{ "port",				sPort },
	{ "hostkey",				sHostKeyFile },
	{ "hostdsakey",				sHostKeyFile },		/* alias */
	{ "pidfile",				sPidFile },
	{ "serverkeybits",			sServerKeyBits },
	{ "logingracetime",			sLoginGraceTime },
	{ "keyregenerationinterval",		sKeyRegenerationTime },
	{ "permitrootlogin",			sPermitRootLogin },
	{ "syslogfacility",			sLogFacility },
	{ "loglevel",				sLogLevel },
	{ "rhostsauthentication",		sRhostsAuthentication },
	{ "rhostsrsaauthentication",		sRhostsRSAAuthentication },
	{ "hostbasedauthentication",		sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly",	sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication",			sRSAAuthentication },
	{ "pubkeyauthentication",		sPubkeyAuthentication },
	{ "dsaauthentication",			sPubkeyAuthentication },	/* alias */
#ifdef GSSAPI
	{ "gssapiauthentication",		sGssAuthentication },
	{ "gssapikeyexchange",			sGssKeyEx },
	{ "gssusesessionccache",		sGssUseSessionCredCache },
	{ "gssapiusesessioncredcache",		sGssUseSessionCredCache },	/* alias */
	{ "gssapicleanupcreds",			sGssCleanupCreds },
#endif
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication",		sKerberosAuthentication },
	{ "kerberosorlocalpasswd",		sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup",		sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing",			sKerberosTgtPassing },
#endif
#ifdef AFS
	{ "afstokenpassing",			sAFSTokenPassing },
#endif
	{ "passwordauthentication",		sPasswordAuthentication },
	{ "kbdinteractiveauthentication",	sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication",	sChallengeResponseAuthentication },
	{ "skeyauthentication",			sChallengeResponseAuthentication },	/* alias */
	{ "checkmail",				sDeprecated },
	{ "listenaddress",			sListenAddress },
	{ "printmotd",				sPrintMotd },
	{ "printlastlog",			sPrintLastLog },
	{ "ignorerhosts",			sIgnoreRhosts },
	{ "ignoreuserknownhosts",		sIgnoreUserKnownHosts },
	{ "x11forwarding",			sX11Forwarding },
	{ "x11displayoffset",			sX11DisplayOffset },
	{ "x11uselocalhost",			sX11UseLocalhost },
	{ "xauthlocation",			sXAuthLocation },
	{ "strictmodes",			sStrictModes },
	{ "permitemptypasswords",		sEmptyPasswd },
	{ "uselogin",				sUseLogin },
	{ "compression",			sCompression },
	{ "keepalive",				sKeepAlives },
	{ "allowtcpforwarding",			sAllowTcpForwarding },
	{ "allowusers",				sAllowUsers },
	{ "denyusers",				sDenyUsers },
	{ "allowgroups",			sAllowGroups },
	{ "denygroups",				sDenyGroups },
	{ "ciphers",				sCiphers },
	{ "macs",				sMacs },
	{ "protocol",				sProtocol },
	{ "gatewayports",			sGatewayPorts },
	{ "subsystem",				sSubsystem },
	{ "maxstartups",			sMaxStartups },
	{ "banner",				sBanner },
	{ "verifyreversemapping",		sVerifyReverseMapping },
	{ "reversemappingcheck",		sVerifyReverseMapping },	/* alias */
	{ "clientaliveinterval",		sClientAliveInterval },
	{ "clientalivecountmax",		sClientAliveCountMax },
	{ "authorizedkeysfile",			sAuthorizedKeysFile },
	{ "authorizedkeysfile2",		sAuthorizedKeysFile2 },
	{ "useprivilegeseparation",		sUsePrivilegeSeparation },
	{ NULL,					sBadOption }		/* terminator */
};
407
/*
 * Map the keyword at cp onto its ServerOpCodes value.
 *
 * The lookup is a linear, case-insensitive scan of keywords[]; the first
 * matching entry wins.  An unknown keyword is reported with error(),
 * naming filename and linenum, and yields sBadOption so that the caller
 * can count the bad line and keep going.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
426
/*
 * Queue listen address(es) for addr.  A port of 0 means "every port in
 * options->ports", which is why the Port keyword has to precede
 * ListenAddress in the configuration; any other port is used as given.
 * If no port has been configured yet, SSH_DEFAULT_PORT is added first.
 * addr may be NULL (wildcard), which add_one_listen_addr() turns into a
 * passive getaddrinfo() lookup.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
440
/*
 * Resolve addr:port with getaddrinfo() and prepend the resulting chain to
 * options->listen_addrs.  The family hint comes from the IPv4or6 global;
 * a NULL addr requests a passive (wildcard) address.  Resolution failure
 * is fatal(), so no partial chain is ever left behind.
 *
 * Ownership: the addrinfo list is spliced into options->listen_addrs and
 * is not freed here.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *head, *tail;
	char portstr[NI_MAXSERV];
	int rc;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = 0;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	snprintf(portstr, sizeof portstr, "%u", port);

	rc = getaddrinfo(addr, portstr, &hints, &head);
	if (rc != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(rc));

	/* walk to the end of the new chain and hang the old list off it */
	tail = head;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = head;
}
462
/*
 * Parse a single line of the server configuration.
 *
 * line is tokenised in place with strdelim(); the first token is the
 * keyword, looked up case-insensitively via parse_token().  Blank lines
 * and lines whose first token starts with '#' are ignored.
 *
 * Returns 0 when the line was blank, a comment, or handled, and -1 when
 * the keyword is unknown (parse_token() has already logged it; the caller
 * counts it).  A missing or malformed argument, an exceeded table limit,
 * or trailing garbage is a fatal() and does not return.
 *
 * Value semantics: most options are only written while they still hold
 * their "unset" sentinel (-1, NULL or SSH_PROTO_UNKNOWN), so the first
 * assignment wins and later lines for the same keyword are silently
 * ignored.  MaxStartups, Subsystem and the Allow/Deny lists are the
 * exceptions; see their cases.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p;
	int *intptr, value, i, n;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/*
	 * Ignore leading whitespace.
	 * NOTE(review): arg is dereferenced before the NULL check below; this
	 * relies on strdelim() never returning NULL for the first token of a
	 * line — confirm against strdelim()'s contract.
	 */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	/*
	 * Many cases below set intptr or charptr and then goto one of the
	 * shared parsing labels (parse_flag, parse_int, parse_time,
	 * parse_filename), which live inside other cases.  The shared code
	 * reads the next token, validates it and stores it through the
	 * pointer only if the target is still unset.
	 */
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sPAMAuthenticationViaKbdInt:
		intptr = &options->pam_authentication_via_kbd_int;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/*
		 * add_listen_addr() expands port 0 into every port configured
		 * so far, so a Port after a ListenAddress would be lost.
		 */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		/* a2port() returns 0 for anything it cannot parse */
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		/*
		 * Shared: read an integer into *intptr if still unset.  atoi()
		 * reports no errors, so a non-numeric token silently yields 0.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		value = atoi(arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		/* Shared: read a time spec (convtime()) into *intptr if unset */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms: host, host:port, [v6addr] and [v6addr]:port.
		 * An unbracketed token with two or more colons is taken to be a
		 * bare IPv6 address with no port.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			/* drop the brackets: skip '[' and shift out ']' in place */
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			add_listen_addr(options, arg, 0);
			break;
		}
		/* p now points just past the address: ':' + port, or the end */
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				/* terminate the address at the ':' */
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		/* intptr doubles as the counter parse_filename increments */
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		/*
		 * Shared: tilde-expand a path into *charptr if still unset.
		 * The string returned by tilde_expand_filename() is owned by
		 * options from here on.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter (only set by sHostKeyFile) */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		/*
		 * NOTE(review): the field is initialised to PERMIT_NOT_SET but
		 * the "still unset" test below compares against -1, so this
		 * relies on PERMIT_NOT_SET == -1 — confirm in servconf.h.
		 */
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* Shared: read a yes/no token (case-sensitive) into *intptr if unset */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;
#ifdef GSSAPI
	case sGssAuthentication:
		intptr = &options->gss_authentication;
		goto parse_flag;
	case sGssKeyEx:
		intptr = &options->gss_keyex;
		goto parse_flag;
	case sGssUseSessionCredCache:
		intptr = &options->gss_use_session_ccache;
		goto parse_flag;
	case sGssCleanupCreds:
		intptr = &options->gss_cleanup_creds;
		goto parse_flag;
#endif
#if defined(KRB4) || defined(KRB5)
	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;
#endif
#if defined(AFS) || defined(KRB5)
	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;
#endif
#ifdef AFS
	case sAFSTokenPassing:
		intptr = &options->afs_token_passing;
		goto parse_flag;
#endif

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sVerifyReverseMapping:
		intptr = &options->verify_reverse_mapping;
		goto parse_flag;

	case sLogFacility:
		/*
		 * NOTE(review): the enum field is accessed through an int *,
		 * which assumes SyslogFacility has int representation and that
		 * SYSLOG_FACILITY_NOT_SET == -1 — confirm in log.h.
		 */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		/* same int * aliasing of an enum field as sLogFacility above */
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		/* writes the file-scope global, not a ServerOptions field */
		intptr = &use_privsep;
		goto parse_flag;

	/*
	 * Allow/Deny lists: every remaining token on the line is appended
	 * (as a copy) to the list.  There is no "already set" guard and no
	 * duplicate check, so repeated lines accumulate up to the MAX_* limit.
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal( "%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		/* validated by ciphers_valid() before being stored; arg is non-NULL here */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		/* validated by mac_valid() before being stored; arg is non-NULL here */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		/* unset marker for protocol is SSH_PROTO_UNKNOWN, not -1 */
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		/*
		 * "Subsystem name command": the name must be unique, the
		 * command is stored verbatim as the next single token.
		 */
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		/*
		 * "begin:rate:full" or a single number.  sscanf() writes
		 * straight into the option fields before the range check, and
		 * there is no "already set" guard, so a later MaxStartups line
		 * overrides an earlier one.  A two-field spec is rejected after
		 * having already overwritten begin and rate (harmless, since
		 * fatal() exits).
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		/* log once, then swallow the rest of the line so the
		 * trailing-garbage check below does not fire */
		log("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		/* a token in keywords[] with no case above is a programming error */
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* every case must have consumed exactly its arguments */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}
3c0ef626 960
/*
 * Reads the server configuration file.
 *
 * Each line is handed to process_server_config_line(); lines it rejects
 * (unknown keywords) are counted and reported together in one fatal()
 * after the whole file has been read, whereas malformed arguments are
 * fatal() inside the line parser itself.  Failure to open the file
 * prints the system error and exits.
 *
 * Lines are read with a fixed 1024-byte buffer: a longer line is
 * delivered by fgets() in pieces, each counted as a line of its own.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	FILE *fp = fopen(filename, "r");
	char buf[1024];
	int lineno = 0, errors = 0;

	if (fp == NULL) {
		perror(filename);
		exit(1);
	}
	while (fgets(buf, sizeof(buf), fp) != NULL) {
		lineno++;
		if (process_server_config_line(options, buf, filename, lineno) != 0)
			errors++;
	}
	fclose(fp);
	if (errors > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, errors);
}