]> andersk Git - gssapi-openssh.git/blame_incremental - openssh/servconf.c
andersk / gssapi-openssh.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz committe...
[gssapi-openssh.git] / openssh / servconf.c
... / ...
CommitLineData
1/* $OpenBSD: servconf.c,v 1.194 2009/01/22 10:02:34 djm Exp $ */
2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
5 *
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
11 */
12
13#include "includes.h"
14
15#include <sys/types.h>
16#include <sys/socket.h>
17
18#include <netdb.h>
19#include <pwd.h>
20#include <stdio.h>
21#include <stdlib.h>
22#include <string.h>
23#include <signal.h>
24#include <unistd.h>
25#include <stdarg.h>
26#include <errno.h>
27
28#include "openbsd-compat/sys-queue.h"
29#include "xmalloc.h"
30#include "ssh.h"
31#include "log.h"
32#include "buffer.h"
33#include "servconf.h"
34#include "compat.h"
35#include "pathnames.h"
36#include "misc.h"
37#include "cipher.h"
38#include "key.h"
39#include "kex.h"
40#include "mac.h"
41#include "match.h"
42#include "channels.h"
43#include "groupaccess.h"
44
45static void add_listen_addr(ServerOptions *, char *, int);
46static void add_one_listen_addr(ServerOptions *, char *, int);
47
48/* Use of privilege separation or not */
49extern int use_privsep;
50extern Buffer cfg;
51
52/* Initializes the server options to their default values. */
53
54void
55initialize_server_options(ServerOptions *options)
56{
57 memset(options, 0, sizeof(*options));
58
59 /* Portable-specific options */
60 options->use_pam = -1;
61
62 /* Standard Options */
63 options->num_ports = 0;
64 options->ports_from_cmdline = 0;
65 options->listen_addrs = NULL;
66 options->address_family = -1;
67 options->num_host_key_files = 0;
68 options->pid_file = NULL;
69 options->server_key_bits = -1;
70 options->login_grace_time = -1;
71 options->key_regeneration_time = -1;
72 options->permit_root_login = PERMIT_NOT_SET;
73 options->ignore_rhosts = -1;
74 options->ignore_user_known_hosts = -1;
75 options->print_motd = -1;
76 options->print_lastlog = -1;
77 options->x11_forwarding = -1;
78 options->x11_display_offset = -1;
79 options->x11_use_localhost = -1;
80 options->xauth_location = NULL;
81 options->strict_modes = -1;
82 options->tcp_keep_alive = -1;
83 options->log_facility = SYSLOG_FACILITY_NOT_SET;
84 options->log_level = SYSLOG_LEVEL_NOT_SET;
85 options->rhosts_rsa_authentication = -1;
86 options->hostbased_authentication = -1;
87 options->hostbased_uses_name_from_packet_only = -1;
88 options->rsa_authentication = -1;
89 options->pubkey_authentication = -1;
90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
93 options->kerberos_get_afs_token = -1;
94 options->gss_authentication=-1;
95 options->gss_keyex = -1;
96 options->gss_cleanup_creds = -1;
97 options->gss_strict_acceptor = -1;
98 options->gss_store_rekey = -1;
99 options->password_authentication = -1;
100 options->kbd_interactive_authentication = -1;
101 options->challenge_response_authentication = -1;
102 options->permit_empty_passwd = -1;
103 options->permit_user_env = -1;
104 options->use_login = -1;
105 options->compression = -1;
106 options->allow_tcp_forwarding = -1;
107 options->allow_agent_forwarding = -1;
108 options->num_allow_users = 0;
109 options->num_deny_users = 0;
110 options->num_allow_groups = 0;
111 options->num_deny_groups = 0;
112 options->ciphers = NULL;
113 options->macs = NULL;
114 options->protocol = SSH_PROTO_UNKNOWN;
115 options->gateway_ports = -1;
116 options->num_subsystems = 0;
117 options->max_startups_begin = -1;
118 options->max_startups_rate = -1;
119 options->max_startups = -1;
120 options->max_authtries = -1;
121 options->max_sessions = -1;
122 options->banner = NULL;
123 options->use_dns = -1;
124 options->client_alive_interval = -1;
125 options->client_alive_count_max = -1;
126 options->authorized_keys_file = NULL;
127 options->authorized_keys_file2 = NULL;
128 options->num_accept_env = 0;
129 options->permit_tun = -1;
130 options->num_permitted_opens = -1;
131 options->adm_forced_command = NULL;
132 options->chroot_directory = NULL;
133 options->zero_knowledge_password_authentication = -1;
134 options->none_enabled = -1;
135 options->tcp_rcv_buf_poll = -1;
136 options->hpn_disabled = -1;
137 options->hpn_buffer_size = -1;
138}
139
140void
141fill_default_server_options(ServerOptions *options)
142{
143 /* needed for hpn socket tests */
144 int sock;
145 int socksize;
146 int socksizelen = sizeof(int);
147
148 /* Portable-specific options */
149 if (options->use_pam == -1)
150 options->use_pam = 0;
151
152 /* Standard Options */
153 if (options->protocol == SSH_PROTO_UNKNOWN)
154 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
155 if (options->num_host_key_files == 0) {
156 /* fill default hostkeys for protocols */
157 if (options->protocol & SSH_PROTO_1)
158 options->host_key_files[options->num_host_key_files++] =
159 _PATH_HOST_KEY_FILE;
160 if (options->protocol & SSH_PROTO_2) {
161 options->host_key_files[options->num_host_key_files++] =
162 _PATH_HOST_RSA_KEY_FILE;
163 options->host_key_files[options->num_host_key_files++] =
164 _PATH_HOST_DSA_KEY_FILE;
165 }
166 }
167 if (options->num_ports == 0)
168 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
169 if (options->listen_addrs == NULL)
170 add_listen_addr(options, NULL, 0);
171 if (options->pid_file == NULL)
172 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
173 if (options->server_key_bits == -1)
174 options->server_key_bits = 1024;
175 if (options->login_grace_time == -1)
176 options->login_grace_time = 120;
177 if (options->key_regeneration_time == -1)
178 options->key_regeneration_time = 3600;
179 if (options->permit_root_login == PERMIT_NOT_SET)
180 options->permit_root_login = PERMIT_YES;
181 if (options->ignore_rhosts == -1)
182 options->ignore_rhosts = 1;
183 if (options->ignore_user_known_hosts == -1)
184 options->ignore_user_known_hosts = 0;
185 if (options->print_motd == -1)
186 options->print_motd = 1;
187 if (options->print_lastlog == -1)
188 options->print_lastlog = 1;
189 if (options->x11_forwarding == -1)
190 options->x11_forwarding = 0;
191 if (options->x11_display_offset == -1)
192 options->x11_display_offset = 10;
193 if (options->x11_use_localhost == -1)
194 options->x11_use_localhost = 1;
195 if (options->xauth_location == NULL)
196 options->xauth_location = _PATH_XAUTH;
197 if (options->strict_modes == -1)
198 options->strict_modes = 1;
199 if (options->tcp_keep_alive == -1)
200 options->tcp_keep_alive = 1;
201 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
202 options->log_facility = SYSLOG_FACILITY_AUTH;
203 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
204 options->log_level = SYSLOG_LEVEL_INFO;
205 if (options->rhosts_rsa_authentication == -1)
206 options->rhosts_rsa_authentication = 0;
207 if (options->hostbased_authentication == -1)
208 options->hostbased_authentication = 0;
209 if (options->hostbased_uses_name_from_packet_only == -1)
210 options->hostbased_uses_name_from_packet_only = 0;
211 if (options->rsa_authentication == -1)
212 options->rsa_authentication = 1;
213 if (options->pubkey_authentication == -1)
214 options->pubkey_authentication = 1;
215 if (options->kerberos_authentication == -1)
216 options->kerberos_authentication = 0;
217 if (options->kerberos_or_local_passwd == -1)
218 options->kerberos_or_local_passwd = 1;
219 if (options->kerberos_ticket_cleanup == -1)
220 options->kerberos_ticket_cleanup = 1;
221 if (options->kerberos_get_afs_token == -1)
222 options->kerberos_get_afs_token = 0;
223 if (options->gss_authentication == -1)
224 options->gss_authentication = 0;
225 if (options->gss_keyex == -1)
226 options->gss_keyex = 0;
227 if (options->gss_cleanup_creds == -1)
228 options->gss_cleanup_creds = 1;
229 if (options->gss_strict_acceptor == -1)
230 options->gss_strict_acceptor = 1;
231 if (options->gss_store_rekey == -1)
232 options->gss_store_rekey = 0;
233 if (options->password_authentication == -1)
234 options->password_authentication = 1;
235 if (options->kbd_interactive_authentication == -1)
236 options->kbd_interactive_authentication = 0;
237 if (options->challenge_response_authentication == -1)
238 options->challenge_response_authentication = 1;
239 if (options->permit_empty_passwd == -1)
240 options->permit_empty_passwd = 0;
241 if (options->permit_user_env == -1)
242 options->permit_user_env = 0;
243 if (options->use_login == -1)
244 options->use_login = 0;
245 if (options->compression == -1)
246 options->compression = COMP_DELAYED;
247 if (options->allow_tcp_forwarding == -1)
248 options->allow_tcp_forwarding = 1;
249 if (options->allow_agent_forwarding == -1)
250 options->allow_agent_forwarding = 1;
251 if (options->gateway_ports == -1)
252 options->gateway_ports = 0;
253 if (options->max_startups == -1)
254 options->max_startups = 10;
255 if (options->max_startups_rate == -1)
256 options->max_startups_rate = 100; /* 100% */
257 if (options->max_startups_begin == -1)
258 options->max_startups_begin = options->max_startups;
259 if (options->max_authtries == -1)
260 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
261 if (options->max_sessions == -1)
262 options->max_sessions = DEFAULT_SESSIONS_MAX;
263 if (options->use_dns == -1)
264 options->use_dns = 1;
265 if (options->client_alive_interval == -1)
266 options->client_alive_interval = 0;
267 if (options->client_alive_count_max == -1)
268 options->client_alive_count_max = 3;
269 if (options->authorized_keys_file2 == NULL) {
270 /* authorized_keys_file2 falls back to authorized_keys_file */
271 if (options->authorized_keys_file != NULL)
272 options->authorized_keys_file2 = options->authorized_keys_file;
273 else
274 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
275 }
276 if (options->authorized_keys_file == NULL)
277 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
278 if (options->permit_tun == -1)
279 options->permit_tun = SSH_TUNMODE_NO;
280 if (options->zero_knowledge_password_authentication == -1)
281 options->zero_knowledge_password_authentication = 0;
282
283 if (options->hpn_disabled == -1)
284 options->hpn_disabled = 0;
285
286 if (options->hpn_buffer_size == -1) {
287 /* option not explicitly set. Now we have to figure out */
288 /* what value to use */
289 if (options->hpn_disabled == 1) {
290 options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
291 } else {
292 /* get the current RCV size and set it to that */
293 /*create a socket but don't connect it */
294 /* we use that the get the rcv socket size */
295 sock = socket(AF_INET, SOCK_STREAM, 0);
296 getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
297 &socksize, &socksizelen);
298 close(sock);
299 options->hpn_buffer_size = socksize;
300 debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
301
302 }
303 } else {
304 /* we have to do this incase the user sets both values in a contradictory */
305 /* manner. hpn_disabled overrrides hpn_buffer_size*/
306 if (options->hpn_disabled <= 0) {
307 if (options->hpn_buffer_size == 0)
308 options->hpn_buffer_size = 1;
309 /* limit the maximum buffer to 64MB */
310 if (options->hpn_buffer_size > 64*1024) {
311 options->hpn_buffer_size = 64*1024*1024;
312 } else {
313 options->hpn_buffer_size *= 1024;
314 }
315 } else
316 options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
317 }
318
319 /* Turn privilege separation on by default */
320 if (use_privsep == -1)
321 use_privsep = 1;
322
323#ifndef HAVE_MMAP
324 if (use_privsep && options->compression == 1) {
325 error("This platform does not support both privilege "
326 "separation and compression");
327 error("Compression disabled");
328 options->compression = 0;
329 }
330#endif
331
332}
333
334/* Keyword tokens. */
335typedef enum {
336 sBadOption, /* == unknown option */
337 /* Portable-specific options */
338 sUsePAM,
339 /* Standard Options */
340 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
341 sPermitRootLogin, sLogFacility, sLogLevel,
342 sRhostsRSAAuthentication, sRSAAuthentication,
343 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
344 sKerberosGetAFSToken,
345 sKerberosTgtPassing, sChallengeResponseAuthentication,
346 sPasswordAuthentication, sKbdInteractiveAuthentication,
347 sListenAddress, sAddressFamily,
348 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
349 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
350 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
351 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
352 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
353 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
354 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
355 sMaxStartups, sMaxAuthTries, sMaxSessions,
356 sBanner, sUseDNS, sHostbasedAuthentication,
357 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
358 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
359 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
360 sGssKeyEx, sGssStoreRekey,
361 sAcceptEnv, sPermitTunnel,
362 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
363 sUsePrivilegeSeparation, sAllowAgentForwarding,
364 sZeroKnowledgePasswordAuthentication,
365 sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
366 sDeprecated, sUnsupported
367} ServerOpCodes;
368
369#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
370#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
371#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
372
373/* Textual representation of the tokens. */
374static struct {
375 const char *name;
376 ServerOpCodes opcode;
377 u_int flags;
378} keywords[] = {
379 /* Portable-specific options */
380#ifdef USE_PAM
381 { "usepam", sUsePAM, SSHCFG_GLOBAL },
382#else
383 { "usepam", sUnsupported, SSHCFG_GLOBAL },
384#endif
385 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
386 /* Standard Options */
387 { "port", sPort, SSHCFG_GLOBAL },
388 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
389 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
390 { "pidfile", sPidFile, SSHCFG_GLOBAL },
391 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
392 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
393 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
394 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
395 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
396 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
397 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
398 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
399 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
400 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
401 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
402 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
403 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
404#ifdef KRB5
405 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
406 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
407 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
408#ifdef USE_AFS
409 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
410#else
411 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
412#endif
413#else
414 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
415 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
416 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
417 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
418#endif
419 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
420 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
421#ifdef GSSAPI
422 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
423 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
424 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
425 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
426 { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
427#else
428 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
429 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
430 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
431 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
432 { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
433#endif
434 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
435 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
436 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
437 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
438#ifdef JPAKE
439 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
440#else
441 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
442#endif
443 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
444 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
445 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
446 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
447 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
448 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
449 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
450 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
451 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
452 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
453 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
454 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
455 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
456 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
457 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
458 { "compression", sCompression, SSHCFG_GLOBAL },
459 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
460 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
461 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
462 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
463 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
464 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
465 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
466 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
467 { "ciphers", sCiphers, SSHCFG_GLOBAL },
468 { "macs", sMacs, SSHCFG_GLOBAL },
469 { "protocol", sProtocol, SSHCFG_GLOBAL },
470 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
471 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
472 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
473 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
474 { "maxsessions", sMaxSessions, SSHCFG_ALL },
475 { "banner", sBanner, SSHCFG_ALL },
476 { "usedns", sUseDNS, SSHCFG_GLOBAL },
477 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
478 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
479 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
480 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
481 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
482 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
483 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
484 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
485 { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
486 { "match", sMatch, SSHCFG_ALL },
487 { "permitopen", sPermitOpen, SSHCFG_ALL },
488 { "forcecommand", sForceCommand, SSHCFG_ALL },
489 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
490 { "noneenabled", sNoneEnabled },
491 { "hpndisabled", sHPNDisabled },
492 { "hpnbuffersize", sHPNBufferSize },
493 { "tcprcvbufpoll", sTcpRcvBufPoll },
494 { NULL, sBadOption, 0 }
495};
496
497static struct {
498 int val;
499 char *text;
500} tunmode_desc[] = {
501 { SSH_TUNMODE_NO, "no" },
502 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
503 { SSH_TUNMODE_ETHERNET, "ethernet" },
504 { SSH_TUNMODE_YES, "yes" },
505 { -1, NULL }
506};
507
508/*
509 * Returns the number of the token pointed to by cp or sBadOption.
510 */
511
512static ServerOpCodes
513parse_token(const char *cp, const char *filename,
514 int linenum, u_int *flags)
515{
516 u_int i;
517
518 for (i = 0; keywords[i].name; i++)
519 if (strcasecmp(cp, keywords[i].name) == 0) {
520 debug ("Config token is %s", keywords[i].name);
521 *flags = keywords[i].flags;
522 return keywords[i].opcode;
523 }
524
525 error("%s: line %d: Bad configuration option: %s",
526 filename, linenum, cp);
527 return sBadOption;
528}
529
530static void
531add_listen_addr(ServerOptions *options, char *addr, int port)
532{
533 u_int i;
534
535 if (options->num_ports == 0)
536 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
537 if (options->address_family == -1)
538 options->address_family = AF_UNSPEC;
539 if (port == 0)
540 for (i = 0; i < options->num_ports; i++)
541 add_one_listen_addr(options, addr, options->ports[i]);
542 else
543 add_one_listen_addr(options, addr, port);
544}
545
546static void
547add_one_listen_addr(ServerOptions *options, char *addr, int port)
548{
549 struct addrinfo hints, *ai, *aitop;
550 char strport[NI_MAXSERV];
551 int gaierr;
552
553 memset(&hints, 0, sizeof(hints));
554 hints.ai_family = options->address_family;
555 hints.ai_socktype = SOCK_STREAM;
556 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
557 snprintf(strport, sizeof strport, "%d", port);
558 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
559 fatal("bad addr or host: %s (%s)",
560 addr ? addr : "<NULL>",
561 ssh_gai_strerror(gaierr));
562 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
563 ;
564 ai->ai_next = options->listen_addrs;
565 options->listen_addrs = aitop;
566}
567
568/*
569 * The strategy for the Match blocks is that the config file is parsed twice.
570 *
571 * The first time is at startup. activep is initialized to 1 and the
572 * directives in the global context are processed and acted on. Hitting a
573 * Match directive unsets activep and the directives inside the block are
574 * checked for syntax only.
575 *
576 * The second time is after a connection has been established but before
577 * authentication. activep is initialized to 2 and global config directives
578 * are ignored since they have already been processed. If the criteria in a
579 * Match block is met, activep is set and the subsequent directives
580 * processed and actioned until EOF or another Match block unsets it. Any
581 * options set are copied into the main server config.
582 *
583 * Potential additions/improvements:
584 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
585 *
586 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
587 * Match Address 192.168.0.*
588 * Tag trusted
589 * Match Group wheel
590 * Tag trusted
591 * Match Tag trusted
592 * AllowTcpForwarding yes
593 * GatewayPorts clientspecified
594 * [...]
595 *
596 * - Add a PermittedChannelRequests directive
597 * Match Group shell
598 * PermittedChannelRequests session,forwarded-tcpip
599 */
600
601static int
602match_cfg_line_group(const char *grps, int line, const char *user)
603{
604 int result = 0;
605 struct passwd *pw;
606
607 if (user == NULL)
608 goto out;
609
610 if ((pw = getpwnam(user)) == NULL) {
611 debug("Can't match group at line %d because user %.100s does "
612 "not exist", line, user);
613 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
614 debug("Can't Match group because user %.100s not in any group "
615 "at line %d", user, line);
616 } else if (ga_match_pattern_list(grps) != 1) {
617 debug("user %.100s does not match group list %.100s at line %d",
618 user, grps, line);
619 } else {
620 debug("user %.100s matched group list %.100s at line %d", user,
621 grps, line);
622 result = 1;
623 }
624out:
625 ga_free();
626 return result;
627}
628
629static int
630match_cfg_line(char **condition, int line, const char *user, const char *host,
631 const char *address)
632{
633 int result = 1;
634 char *arg, *attrib, *cp = *condition;
635 size_t len;
636
637 if (user == NULL)
638 debug3("checking syntax for 'Match %s'", cp);
639 else
640 debug3("checking match for '%s' user %s host %s addr %s", cp,
641 user ? user : "(null)", host ? host : "(null)",
642 address ? address : "(null)");
643
644 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
645 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
646 error("Missing Match criteria for %s", attrib);
647 return -1;
648 }
649 len = strlen(arg);
650 if (strcasecmp(attrib, "user") == 0) {
651 if (!user) {
652 result = 0;
653 continue;
654 }
655 if (match_pattern_list(user, arg, len, 0) != 1)
656 result = 0;
657 else
658 debug("user %.100s matched 'User %.100s' at "
659 "line %d", user, arg, line);
660 } else if (strcasecmp(attrib, "group") == 0) {
661 switch (match_cfg_line_group(arg, line, user)) {
662 case -1:
663 return -1;
664 case 0:
665 result = 0;
666 }
667 } else if (strcasecmp(attrib, "host") == 0) {
668 if (!host) {
669 result = 0;
670 continue;
671 }
672 if (match_hostname(host, arg, len) != 1)
673 result = 0;
674 else
675 debug("connection from %.100s matched 'Host "
676 "%.100s' at line %d", host, arg, line);
677 } else if (strcasecmp(attrib, "address") == 0) {
678 switch (addr_match_list(address, arg)) {
679 case 1:
680 debug("connection from %.100s matched 'Address "
681 "%.100s' at line %d", address, arg, line);
682 break;
683 case 0:
684 case -1:
685 result = 0;
686 break;
687 case -2:
688 return -1;
689 }
690 } else {
691 error("Unsupported Match attribute %s", attrib);
692 return -1;
693 }
694 }
695 if (user != NULL)
696 debug3("match %sfound", result ? "" : "not ");
697 *condition = cp;
698 return result;
699}
700
701#define WHITESPACE " \t\r\n"
702
703int
704process_server_config_line(ServerOptions *options, char *line,
705 const char *filename, int linenum, int *activep, const char *user,
706 const char *host, const char *address)
707{
708 char *cp, **charptr, *arg, *p;
709 int cmdline = 0, *intptr, value, n;
710 SyslogFacility *log_facility_ptr;
711 LogLevel *log_level_ptr;
712 ServerOpCodes opcode;
713 int port;
714 u_int i, flags = 0;
715 size_t len;
716
717 cp = line;
718 if ((arg = strdelim(&cp)) == NULL)
719 return 0;
720 /* Ignore leading whitespace */
721 if (*arg == '\0')
722 arg = strdelim(&cp);
723 if (!arg || !*arg || *arg == '#')
724 return 0;
725 intptr = NULL;
726 charptr = NULL;
727 opcode = parse_token(arg, filename, linenum, &flags);
728
729 if (activep == NULL) { /* We are processing a command line directive */
730 cmdline = 1;
731 activep = &cmdline;
732 }
733 if (*activep && opcode != sMatch)
734 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
735 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
736 if (user == NULL) {
737 fatal("%s line %d: Directive '%s' is not allowed "
738 "within a Match block", filename, linenum, arg);
739 } else { /* this is a directive we have already processed */
740 while (arg)
741 arg = strdelim(&cp);
742 return 0;
743 }
744 }
745
746 switch (opcode) {
747 /* Portable-specific options */
748 case sUsePAM:
749 intptr = &options->use_pam;
750 goto parse_flag;
751
752 /* Standard Options */
753 case sBadOption:
754 return -1;
755 case sPort:
756 /* ignore ports from configfile if cmdline specifies ports */
757 if (options->ports_from_cmdline)
758 return 0;
759 if (options->listen_addrs != NULL)
760 fatal("%s line %d: ports must be specified before "
761 "ListenAddress.", filename, linenum);
762 if (options->num_ports >= MAX_PORTS)
763 fatal("%s line %d: too many ports.",
764 filename, linenum);
765 arg = strdelim(&cp);
766 if (!arg || *arg == '\0')
767 fatal("%s line %d: missing port number.",
768 filename, linenum);
769 options->ports[options->num_ports++] = a2port(arg);
770 if (options->ports[options->num_ports-1] <= 0)
771 fatal("%s line %d: Badly formatted port number.",
772 filename, linenum);
773 break;
774
775 case sServerKeyBits:
776 intptr = &options->server_key_bits;
777 parse_int:
778 arg = strdelim(&cp);
779 if (!arg || *arg == '\0')
780 fatal("%s line %d: missing integer value.",
781 filename, linenum);
782 value = atoi(arg);
783 if (*activep && *intptr == -1)
784 *intptr = value;
785 break;
786
787 case sLoginGraceTime:
788 intptr = &options->login_grace_time;
789 parse_time:
790 arg = strdelim(&cp);
791 if (!arg || *arg == '\0')
792 fatal("%s line %d: missing time value.",
793 filename, linenum);
794 if ((value = convtime(arg)) == -1)
795 fatal("%s line %d: invalid time value.",
796 filename, linenum);
797 if (*intptr == -1)
798 *intptr = value;
799 break;
800
801 case sKeyRegenerationTime:
802 intptr = &options->key_regeneration_time;
803 goto parse_time;
804
805 case sListenAddress:
806 arg = strdelim(&cp);
807 if (arg == NULL || *arg == '\0')
808 fatal("%s line %d: missing address",
809 filename, linenum);
810 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
811 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
812 && strchr(p+1, ':') != NULL) {
813 add_listen_addr(options, arg, 0);
814 break;
815 }
816 p = hpdelim(&arg);
817 if (p == NULL)
818 fatal("%s line %d: bad address:port usage",
819 filename, linenum);
820 p = cleanhostname(p);
821 if (arg == NULL)
822 port = 0;
823 else if ((port = a2port(arg)) <= 0)
824 fatal("%s line %d: bad port number", filename, linenum);
825
826 add_listen_addr(options, p, port);
827
828 break;
829
830 case sAddressFamily:
831 arg = strdelim(&cp);
832 if (!arg || *arg == '\0')
833 fatal("%s line %d: missing address family.",
834 filename, linenum);
835 intptr = &options->address_family;
836 if (options->listen_addrs != NULL)
837 fatal("%s line %d: address family must be specified before "
838 "ListenAddress.", filename, linenum);
839 if (strcasecmp(arg, "inet") == 0)
840 value = AF_INET;
841 else if (strcasecmp(arg, "inet6") == 0)
842 value = AF_INET6;
843 else if (strcasecmp(arg, "any") == 0)
844 value = AF_UNSPEC;
845 else
846 fatal("%s line %d: unsupported address family \"%s\".",
847 filename, linenum, arg);
848 if (*intptr == -1)
849 *intptr = value;
850 break;
851
852 case sHostKeyFile:
853 intptr = &options->num_host_key_files;
854 if (*intptr >= MAX_HOSTKEYS)
855 fatal("%s line %d: too many host keys specified (max %d).",
856 filename, linenum, MAX_HOSTKEYS);
857 charptr = &options->host_key_files[*intptr];
858 parse_filename:
859 arg = strdelim(&cp);
860 if (!arg || *arg == '\0')
861 fatal("%s line %d: missing file name.",
862 filename, linenum);
863 if (*activep && *charptr == NULL) {
864 *charptr = tilde_expand_filename(arg, getuid());
865 /* increase optional counter */
866 if (intptr != NULL)
867 *intptr = *intptr + 1;
868 }
869 break;
870
871 case sPidFile:
872 charptr = &options->pid_file;
873 goto parse_filename;
874
875 case sPermitRootLogin:
876 intptr = &options->permit_root_login;
877 arg = strdelim(&cp);
878 if (!arg || *arg == '\0')
879 fatal("%s line %d: missing yes/"
880 "without-password/forced-commands-only/no "
881 "argument.", filename, linenum);
882 value = 0; /* silence compiler */
883 if (strcmp(arg, "without-password") == 0)
884 value = PERMIT_NO_PASSWD;
885 else if (strcmp(arg, "forced-commands-only") == 0)
886 value = PERMIT_FORCED_ONLY;
887 else if (strcmp(arg, "yes") == 0)
888 value = PERMIT_YES;
889 else if (strcmp(arg, "no") == 0)
890 value = PERMIT_NO;
891 else
892 fatal("%s line %d: Bad yes/"
893 "without-password/forced-commands-only/no "
894 "argument: %s", filename, linenum, arg);
895 if (*activep && *intptr == -1)
896 *intptr = value;
897 break;
898
899 case sIgnoreRhosts:
900 intptr = &options->ignore_rhosts;
901 parse_flag:
902 arg = strdelim(&cp);
903 if (!arg || *arg == '\0')
904 fatal("%s line %d: missing yes/no argument.",
905 filename, linenum);
906 value = 0; /* silence compiler */
907 if (strcmp(arg, "yes") == 0)
908 value = 1;
909 else if (strcmp(arg, "no") == 0)
910 value = 0;
911 else
912 fatal("%s line %d: Bad yes/no argument: %s",
913 filename, linenum, arg);
914 if (*activep && *intptr == -1)
915 *intptr = value;
916 break;
917
918 case sNoneEnabled:
919 intptr = &options->none_enabled;
920 goto parse_flag;
921
922 case sTcpRcvBufPoll:
923 intptr = &options->tcp_rcv_buf_poll;
924 goto parse_flag;
925
926 case sHPNDisabled:
927 intptr = &options->hpn_disabled;
928 goto parse_flag;
929
930 case sHPNBufferSize:
931 intptr = &options->hpn_buffer_size;
932 goto parse_int;
933
934 case sIgnoreUserKnownHosts:
935 intptr = &options->ignore_user_known_hosts;
936 goto parse_flag;
937
938 case sRhostsRSAAuthentication:
939 intptr = &options->rhosts_rsa_authentication;
940 goto parse_flag;
941
942 case sHostbasedAuthentication:
943 intptr = &options->hostbased_authentication;
944 goto parse_flag;
945
946 case sHostbasedUsesNameFromPacketOnly:
947 intptr = &options->hostbased_uses_name_from_packet_only;
948 goto parse_flag;
949
950 case sRSAAuthentication:
951 intptr = &options->rsa_authentication;
952 goto parse_flag;
953
954 case sPubkeyAuthentication:
955 intptr = &options->pubkey_authentication;
956 goto parse_flag;
957
958 case sKerberosAuthentication:
959 intptr = &options->kerberos_authentication;
960 goto parse_flag;
961
962 case sKerberosOrLocalPasswd:
963 intptr = &options->kerberos_or_local_passwd;
964 goto parse_flag;
965
966 case sKerberosTicketCleanup:
967 intptr = &options->kerberos_ticket_cleanup;
968 goto parse_flag;
969
970 case sKerberosGetAFSToken:
971 intptr = &options->kerberos_get_afs_token;
972 goto parse_flag;
973
974 case sGssAuthentication:
975 intptr = &options->gss_authentication;
976 goto parse_flag;
977
978 case sGssKeyEx:
979 intptr = &options->gss_keyex;
980 goto parse_flag;
981
982 case sGssCleanupCreds:
983 intptr = &options->gss_cleanup_creds;
984 goto parse_flag;
985
986 case sGssStrictAcceptor:
987 intptr = &options->gss_strict_acceptor;
988 goto parse_flag;
989
990 case sGssStoreRekey:
991 intptr = &options->gss_store_rekey;
992 goto parse_flag;
993
994 case sPasswordAuthentication:
995 intptr = &options->password_authentication;
996 goto parse_flag;
997
998 case sZeroKnowledgePasswordAuthentication:
999 intptr = &options->zero_knowledge_password_authentication;
1000 goto parse_flag;
1001
1002 case sKbdInteractiveAuthentication:
1003 intptr = &options->kbd_interactive_authentication;
1004 goto parse_flag;
1005
1006 case sChallengeResponseAuthentication:
1007 intptr = &options->challenge_response_authentication;
1008 goto parse_flag;
1009
1010 case sPrintMotd:
1011 intptr = &options->print_motd;
1012 goto parse_flag;
1013
1014 case sPrintLastLog:
1015 intptr = &options->print_lastlog;
1016 goto parse_flag;
1017
1018 case sX11Forwarding:
1019 intptr = &options->x11_forwarding;
1020 goto parse_flag;
1021
1022 case sX11DisplayOffset:
1023 intptr = &options->x11_display_offset;
1024 goto parse_int;
1025
1026 case sX11UseLocalhost:
1027 intptr = &options->x11_use_localhost;
1028 goto parse_flag;
1029
1030 case sXAuthLocation:
1031 charptr = &options->xauth_location;
1032 goto parse_filename;
1033
1034 case sStrictModes:
1035 intptr = &options->strict_modes;
1036 goto parse_flag;
1037
1038 case sTCPKeepAlive:
1039 intptr = &options->tcp_keep_alive;
1040 goto parse_flag;
1041
1042 case sEmptyPasswd:
1043 intptr = &options->permit_empty_passwd;
1044 goto parse_flag;
1045
1046 case sPermitUserEnvironment:
1047 intptr = &options->permit_user_env;
1048 goto parse_flag;
1049
1050 case sUseLogin:
1051 intptr = &options->use_login;
1052 goto parse_flag;
1053
1054 case sCompression:
1055 intptr = &options->compression;
1056 arg = strdelim(&cp);
1057 if (!arg || *arg == '\0')
1058 fatal("%s line %d: missing yes/no/delayed "
1059 "argument.", filename, linenum);
1060 value = 0; /* silence compiler */
1061 if (strcmp(arg, "delayed") == 0)
1062 value = COMP_DELAYED;
1063 else if (strcmp(arg, "yes") == 0)
1064 value = COMP_ZLIB;
1065 else if (strcmp(arg, "no") == 0)
1066 value = COMP_NONE;
1067 else
1068 fatal("%s line %d: Bad yes/no/delayed "
1069 "argument: %s", filename, linenum, arg);
1070 if (*intptr == -1)
1071 *intptr = value;
1072 break;
1073
1074 case sGatewayPorts:
1075 intptr = &options->gateway_ports;
1076 arg = strdelim(&cp);
1077 if (!arg || *arg == '\0')
1078 fatal("%s line %d: missing yes/no/clientspecified "
1079 "argument.", filename, linenum);
1080 value = 0; /* silence compiler */
1081 if (strcmp(arg, "clientspecified") == 0)
1082 value = 2;
1083 else if (strcmp(arg, "yes") == 0)
1084 value = 1;
1085 else if (strcmp(arg, "no") == 0)
1086 value = 0;
1087 else
1088 fatal("%s line %d: Bad yes/no/clientspecified "
1089 "argument: %s", filename, linenum, arg);
1090 if (*activep && *intptr == -1)
1091 *intptr = value;
1092 break;
1093
1094 case sUseDNS:
1095 intptr = &options->use_dns;
1096 goto parse_flag;
1097
1098 case sLogFacility:
1099 log_facility_ptr = &options->log_facility;
1100 arg = strdelim(&cp);
1101 value = log_facility_number(arg);
1102 if (value == SYSLOG_FACILITY_NOT_SET)
1103 fatal("%.200s line %d: unsupported log facility '%s'",
1104 filename, linenum, arg ? arg : "<NONE>");
1105 if (*log_facility_ptr == -1)
1106 *log_facility_ptr = (SyslogFacility) value;
1107 break;
1108
1109 case sLogLevel:
1110 log_level_ptr = &options->log_level;
1111 arg = strdelim(&cp);
1112 value = log_level_number(arg);
1113 if (value == SYSLOG_LEVEL_NOT_SET)
1114 fatal("%.200s line %d: unsupported log level '%s'",
1115 filename, linenum, arg ? arg : "<NONE>");
1116 if (*log_level_ptr == -1)
1117 *log_level_ptr = (LogLevel) value;
1118 break;
1119
1120 case sAllowTcpForwarding:
1121 intptr = &options->allow_tcp_forwarding;
1122 goto parse_flag;
1123
1124 case sAllowAgentForwarding:
1125 intptr = &options->allow_agent_forwarding;
1126 goto parse_flag;
1127
1128 case sUsePrivilegeSeparation:
1129 intptr = &use_privsep;
1130 goto parse_flag;
1131
1132 case sAllowUsers:
1133 while ((arg = strdelim(&cp)) && *arg != '\0') {
1134 if (options->num_allow_users >= MAX_ALLOW_USERS)
1135 fatal("%s line %d: too many allow users.",
1136 filename, linenum);
1137 options->allow_users[options->num_allow_users++] =
1138 xstrdup(arg);
1139 }
1140 break;
1141
1142 case sDenyUsers:
1143 while ((arg = strdelim(&cp)) && *arg != '\0') {
1144 if (options->num_deny_users >= MAX_DENY_USERS)
1145 fatal("%s line %d: too many deny users.",
1146 filename, linenum);
1147 options->deny_users[options->num_deny_users++] =
1148 xstrdup(arg);
1149 }
1150 break;
1151
1152 case sAllowGroups:
1153 while ((arg = strdelim(&cp)) && *arg != '\0') {
1154 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1155 fatal("%s line %d: too many allow groups.",
1156 filename, linenum);
1157 options->allow_groups[options->num_allow_groups++] =
1158 xstrdup(arg);
1159 }
1160 break;
1161
1162 case sDenyGroups:
1163 while ((arg = strdelim(&cp)) && *arg != '\0') {
1164 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1165 fatal("%s line %d: too many deny groups.",
1166 filename, linenum);
1167 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1168 }
1169 break;
1170
1171 case sCiphers:
1172 arg = strdelim(&cp);
1173 if (!arg || *arg == '\0')
1174 fatal("%s line %d: Missing argument.", filename, linenum);
1175 if (!ciphers_valid(arg))
1176 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1177 filename, linenum, arg ? arg : "<NONE>");
1178 if (options->ciphers == NULL)
1179 options->ciphers = xstrdup(arg);
1180 break;
1181
1182 case sMacs:
1183 arg = strdelim(&cp);
1184 if (!arg || *arg == '\0')
1185 fatal("%s line %d: Missing argument.", filename, linenum);
1186 if (!mac_valid(arg))
1187 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1188 filename, linenum, arg ? arg : "<NONE>");
1189 if (options->macs == NULL)
1190 options->macs = xstrdup(arg);
1191 break;
1192
1193 case sProtocol:
1194 intptr = &options->protocol;
1195 arg = strdelim(&cp);
1196 if (!arg || *arg == '\0')
1197 fatal("%s line %d: Missing argument.", filename, linenum);
1198 value = proto_spec(arg);
1199 if (value == SSH_PROTO_UNKNOWN)
1200 fatal("%s line %d: Bad protocol spec '%s'.",
1201 filename, linenum, arg ? arg : "<NONE>");
1202 if (*intptr == SSH_PROTO_UNKNOWN)
1203 *intptr = value;
1204 break;
1205
1206 case sSubsystem:
1207 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1208 fatal("%s line %d: too many subsystems defined.",
1209 filename, linenum);
1210 }
1211 arg = strdelim(&cp);
1212 if (!arg || *arg == '\0')
1213 fatal("%s line %d: Missing subsystem name.",
1214 filename, linenum);
1215 if (!*activep) {
1216 arg = strdelim(&cp);
1217 break;
1218 }
1219 for (i = 0; i < options->num_subsystems; i++)
1220 if (strcmp(arg, options->subsystem_name[i]) == 0)
1221 fatal("%s line %d: Subsystem '%s' already defined.",
1222 filename, linenum, arg);
1223 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1224 arg = strdelim(&cp);
1225 if (!arg || *arg == '\0')
1226 fatal("%s line %d: Missing subsystem command.",
1227 filename, linenum);
1228 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1229
1230 /* Collect arguments (separate to executable) */
1231 p = xstrdup(arg);
1232 len = strlen(p) + 1;
1233 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1234 len += 1 + strlen(arg);
1235 p = xrealloc(p, 1, len);
1236 strlcat(p, " ", len);
1237 strlcat(p, arg, len);
1238 }
1239 options->subsystem_args[options->num_subsystems] = p;
1240 options->num_subsystems++;
1241 break;
1242
1243 case sMaxStartups:
1244 arg = strdelim(&cp);
1245 if (!arg || *arg == '\0')
1246 fatal("%s line %d: Missing MaxStartups spec.",
1247 filename, linenum);
1248 if ((n = sscanf(arg, "%d:%d:%d",
1249 &options->max_startups_begin,
1250 &options->max_startups_rate,
1251 &options->max_startups)) == 3) {
1252 if (options->max_startups_begin >
1253 options->max_startups ||
1254 options->max_startups_rate > 100 ||
1255 options->max_startups_rate < 1)
1256 fatal("%s line %d: Illegal MaxStartups spec.",
1257 filename, linenum);
1258 } else if (n != 1)
1259 fatal("%s line %d: Illegal MaxStartups spec.",
1260 filename, linenum);
1261 else
1262 options->max_startups = options->max_startups_begin;
1263 break;
1264
1265 case sMaxAuthTries:
1266 intptr = &options->max_authtries;
1267 goto parse_int;
1268
1269 case sMaxSessions:
1270 intptr = &options->max_sessions;
1271 goto parse_int;
1272
1273 case sBanner:
1274 charptr = &options->banner;
1275 goto parse_filename;
1276
1277 /*
1278 * These options can contain %X options expanded at
1279 * connect time, so that you can specify paths like:
1280 *
1281 * AuthorizedKeysFile /etc/ssh_keys/%u
1282 */
1283 case sAuthorizedKeysFile:
1284 case sAuthorizedKeysFile2:
1285 charptr = (opcode == sAuthorizedKeysFile) ?
1286 &options->authorized_keys_file :
1287 &options->authorized_keys_file2;
1288 goto parse_filename;
1289
1290 case sClientAliveInterval:
1291 intptr = &options->client_alive_interval;
1292 goto parse_time;
1293
1294 case sClientAliveCountMax:
1295 intptr = &options->client_alive_count_max;
1296 goto parse_int;
1297
1298 case sAcceptEnv:
1299 while ((arg = strdelim(&cp)) && *arg != '\0') {
1300 if (strchr(arg, '=') != NULL)
1301 fatal("%s line %d: Invalid environment name.",
1302 filename, linenum);
1303 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1304 fatal("%s line %d: too many allow env.",
1305 filename, linenum);
1306 if (!*activep)
1307 break;
1308 options->accept_env[options->num_accept_env++] =
1309 xstrdup(arg);
1310 }
1311 break;
1312
1313 case sPermitTunnel:
1314 intptr = &options->permit_tun;
1315 arg = strdelim(&cp);
1316 if (!arg || *arg == '\0')
1317 fatal("%s line %d: Missing yes/point-to-point/"
1318 "ethernet/no argument.", filename, linenum);
1319 value = -1;
1320 for (i = 0; tunmode_desc[i].val != -1; i++)
1321 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1322 value = tunmode_desc[i].val;
1323 break;
1324 }
1325 if (value == -1)
1326 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1327 "no argument: %s", filename, linenum, arg);
1328 if (*intptr == -1)
1329 *intptr = value;
1330 break;
1331
1332 case sMatch:
1333 if (cmdline)
1334 fatal("Match directive not supported as a command-line "
1335 "option");
1336 value = match_cfg_line(&cp, linenum, user, host, address);
1337 if (value < 0)
1338 fatal("%s line %d: Bad Match condition", filename,
1339 linenum);
1340 *activep = value;
1341 break;
1342
1343 case sPermitOpen:
1344 arg = strdelim(&cp);
1345 if (!arg || *arg == '\0')
1346 fatal("%s line %d: missing PermitOpen specification",
1347 filename, linenum);
1348 n = options->num_permitted_opens; /* modified later */
1349 if (strcmp(arg, "any") == 0) {
1350 if (*activep && n == -1) {
1351 channel_clear_adm_permitted_opens();
1352 options->num_permitted_opens = 0;
1353 }
1354 break;
1355 }
1356 if (*activep && n == -1)
1357 channel_clear_adm_permitted_opens();
1358 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1359 p = hpdelim(&arg);
1360 if (p == NULL)
1361 fatal("%s line %d: missing host in PermitOpen",
1362 filename, linenum);
1363 p = cleanhostname(p);
1364 if (arg == NULL || (port = a2port(arg)) <= 0)
1365 fatal("%s line %d: bad port number in "
1366 "PermitOpen", filename, linenum);
1367 if (*activep && n == -1)
1368 options->num_permitted_opens =
1369 channel_add_adm_permitted_opens(p, port);
1370 }
1371 break;
1372
1373 case sForceCommand:
1374 if (cp == NULL)
1375 fatal("%.200s line %d: Missing argument.", filename,
1376 linenum);
1377 len = strspn(cp, WHITESPACE);
1378 if (*activep && options->adm_forced_command == NULL)
1379 options->adm_forced_command = xstrdup(cp + len);
1380 return 0;
1381
1382 case sChrootDirectory:
1383 charptr = &options->chroot_directory;
1384
1385 arg = strdelim(&cp);
1386 if (!arg || *arg == '\0')
1387 fatal("%s line %d: missing file name.",
1388 filename, linenum);
1389 if (*activep && *charptr == NULL)
1390 *charptr = xstrdup(arg);
1391 break;
1392
1393 case sDeprecated:
1394 logit("%s line %d: Deprecated option %s",
1395 filename, linenum, arg);
1396 while (arg)
1397 arg = strdelim(&cp);
1398 break;
1399
1400 case sUnsupported:
1401 logit("%s line %d: Unsupported option %s",
1402 filename, linenum, arg);
1403 while (arg)
1404 arg = strdelim(&cp);
1405 break;
1406
1407 default:
1408 fatal("%s line %d: Missing handler for opcode %s (%d)",
1409 filename, linenum, arg, opcode);
1410 }
1411 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1412 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1413 filename, linenum, arg);
1414 return 0;
1415}
1416
1417/* Reads the server configuration file. */
1418
1419void
1420load_server_config(const char *filename, Buffer *conf)
1421{
1422 char line[1024], *cp;
1423 FILE *f;
1424
1425 debug2("%s: filename %s", __func__, filename);
1426 if ((f = fopen(filename, "r")) == NULL) {
1427 perror(filename);
1428 exit(1);
1429 }
1430 buffer_clear(conf);
1431 while (fgets(line, sizeof(line), f)) {
1432 /*
1433 * Trim out comments and strip whitespace
1434 * NB - preserve newlines, they are needed to reproduce
1435 * line numbers later for error messages
1436 */
1437 if ((cp = strchr(line, '#')) != NULL)
1438 memcpy(cp, "\n", 2);
1439 cp = line + strspn(line, " \t\r");
1440
1441 buffer_append(conf, cp, strlen(cp));
1442 }
1443 buffer_append(conf, "\0", 1);
1444 fclose(f);
1445 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1446}
1447
1448void
1449parse_server_match_config(ServerOptions *options, const char *user,
1450 const char *host, const char *address)
1451{
1452 ServerOptions mo;
1453
1454 initialize_server_options(&mo);
1455 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1456 copy_set_server_options(options, &mo, 0);
1457}
1458
1459/* Helper macros */
1460#define M_CP_INTOPT(n) do {\
1461 if (src->n != -1) \
1462 dst->n = src->n; \
1463} while (0)
1464#define M_CP_STROPT(n) do {\
1465 if (src->n != NULL) { \
1466 if (dst->n != NULL) \
1467 xfree(dst->n); \
1468 dst->n = src->n; \
1469 } \
1470} while(0)
1471
1472/*
1473 * Copy any supported values that are set.
1474 *
1475 * If the preauth flag is set, we do not bother copying the the string or
1476 * array values that are not used pre-authentication, because any that we
1477 * do use must be explictly sent in mm_getpwnamallow().
1478 */
1479void
1480copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1481{
1482 M_CP_INTOPT(password_authentication);
1483 M_CP_INTOPT(gss_authentication);
1484 M_CP_INTOPT(rsa_authentication);
1485 M_CP_INTOPT(pubkey_authentication);
1486 M_CP_INTOPT(kerberos_authentication);
1487 M_CP_INTOPT(hostbased_authentication);
1488 M_CP_INTOPT(kbd_interactive_authentication);
1489 M_CP_INTOPT(zero_knowledge_password_authentication);
1490 M_CP_INTOPT(permit_root_login);
1491 M_CP_INTOPT(permit_empty_passwd);
1492
1493 M_CP_INTOPT(allow_tcp_forwarding);
1494 M_CP_INTOPT(allow_agent_forwarding);
1495 M_CP_INTOPT(gateway_ports);
1496 M_CP_INTOPT(x11_display_offset);
1497 M_CP_INTOPT(x11_forwarding);
1498 M_CP_INTOPT(x11_use_localhost);
1499 M_CP_INTOPT(max_sessions);
1500 M_CP_INTOPT(max_authtries);
1501
1502 M_CP_STROPT(banner);
1503 if (preauth)
1504 return;
1505 M_CP_STROPT(adm_forced_command);
1506 M_CP_STROPT(chroot_directory);
1507}
1508
1509#undef M_CP_INTOPT
1510#undef M_CP_STROPT
1511
1512void
1513parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1514 const char *user, const char *host, const char *address)
1515{
1516 int active, linenum, bad_options = 0;
1517 char *cp, *obuf, *cbuf;
1518
1519 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1520
1521 obuf = cbuf = xstrdup(buffer_ptr(conf));
1522 active = user ? 0 : 1;
1523 linenum = 1;
1524 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1525 if (process_server_config_line(options, cp, filename,
1526 linenum++, &active, user, host, address) != 0)
1527 bad_options++;
1528 }
1529 xfree(obuf);
1530 if (bad_options > 0)
1531 fatal("%s: terminating, %d bad configuration options",
1532 filename, bad_options);
1533}
1534
1535static const char *
1536fmt_intarg(ServerOpCodes code, int val)
1537{
1538 if (code == sAddressFamily) {
1539 switch (val) {
1540 case AF_INET:
1541 return "inet";
1542 case AF_INET6:
1543 return "inet6";
1544 case AF_UNSPEC:
1545 return "any";
1546 default:
1547 return "UNKNOWN";
1548 }
1549 }
1550 if (code == sPermitRootLogin) {
1551 switch (val) {
1552 case PERMIT_NO_PASSWD:
1553 return "without-password";
1554 case PERMIT_FORCED_ONLY:
1555 return "forced-commands-only";
1556 case PERMIT_YES:
1557 return "yes";
1558 }
1559 }
1560 if (code == sProtocol) {
1561 switch (val) {
1562 case SSH_PROTO_1:
1563 return "1";
1564 case SSH_PROTO_2:
1565 return "2";
1566 case (SSH_PROTO_1|SSH_PROTO_2):
1567 return "2,1";
1568 default:
1569 return "UNKNOWN";
1570 }
1571 }
1572 if (code == sGatewayPorts && val == 2)
1573 return "clientspecified";
1574 if (code == sCompression && val == COMP_DELAYED)
1575 return "delayed";
1576 switch (val) {
1577 case -1:
1578 return "unset";
1579 case 0:
1580 return "no";
1581 case 1:
1582 return "yes";
1583 }
1584 return "UNKNOWN";
1585}
1586
1587static const char *
1588lookup_opcode_name(ServerOpCodes code)
1589{
1590 u_int i;
1591
1592 for (i = 0; keywords[i].name != NULL; i++)
1593 if (keywords[i].opcode == code)
1594 return(keywords[i].name);
1595 return "UNKNOWN";
1596}
1597
1598static void
1599dump_cfg_int(ServerOpCodes code, int val)
1600{
1601 printf("%s %d\n", lookup_opcode_name(code), val);
1602}
1603
1604static void
1605dump_cfg_fmtint(ServerOpCodes code, int val)
1606{
1607 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1608}
1609
1610static void
1611dump_cfg_string(ServerOpCodes code, const char *val)
1612{
1613 if (val == NULL)
1614 return;
1615 printf("%s %s\n", lookup_opcode_name(code), val);
1616}
1617
1618static void
1619dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1620{
1621 u_int i;
1622
1623 for (i = 0; i < count; i++)
1624 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1625}
1626
1627void
1628dump_config(ServerOptions *o)
1629{
1630 u_int i;
1631 int ret;
1632 struct addrinfo *ai;
1633 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1634
1635 /* these are usually at the top of the config */
1636 for (i = 0; i < o->num_ports; i++)
1637 printf("port %d\n", o->ports[i]);
1638 dump_cfg_fmtint(sProtocol, o->protocol);
1639 dump_cfg_fmtint(sAddressFamily, o->address_family);
1640
1641 /* ListenAddress must be after Port */
1642 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1643 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1644 sizeof(addr), port, sizeof(port),
1645 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1646 error("getnameinfo failed: %.100s",
1647 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1648 strerror(errno));
1649 } else {
1650 if (ai->ai_family == AF_INET6)
1651 printf("listenaddress [%s]:%s\n", addr, port);
1652 else
1653 printf("listenaddress %s:%s\n", addr, port);
1654 }
1655 }
1656
1657 /* integer arguments */
1658#ifdef USE_PAM
1659 dump_cfg_int(sUsePAM, o->use_pam);
1660#endif
1661 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1662 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1663 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1664 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1665 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1666 dump_cfg_int(sMaxSessions, o->max_sessions);
1667 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1668 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1669
1670 /* formatted integer arguments */
1671 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1672 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1673 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1674 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1675 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1676 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1677 o->hostbased_uses_name_from_packet_only);
1678 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1679 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1680#ifdef KRB5
1681 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1682 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1683 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1684# ifdef USE_AFS
1685 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1686# endif
1687#endif
1688#ifdef GSSAPI
1689 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1690 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1691#endif
1692#ifdef JPAKE
1693 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1694 o->zero_knowledge_password_authentication);
1695#endif
1696 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1697 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1698 o->kbd_interactive_authentication);
1699 dump_cfg_fmtint(sChallengeResponseAuthentication,
1700 o->challenge_response_authentication);
1701 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1702 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1703 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1704 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1705 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1706 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1707 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1708 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1709 dump_cfg_fmtint(sUseLogin, o->use_login);
1710 dump_cfg_fmtint(sCompression, o->compression);
1711 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1712 dump_cfg_fmtint(sUseDNS, o->use_dns);
1713 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1714 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1715
1716 /* string arguments */
1717 dump_cfg_string(sPidFile, o->pid_file);
1718 dump_cfg_string(sXAuthLocation, o->xauth_location);
1719 dump_cfg_string(sCiphers, o->ciphers);
1720 dump_cfg_string(sMacs, o->macs);
1721 dump_cfg_string(sBanner, o->banner);
1722 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1723 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1724 dump_cfg_string(sForceCommand, o->adm_forced_command);
1725
1726 /* string arguments requiring a lookup */
1727 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1728 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1729
1730 /* string array arguments */
1731 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1732 o->host_key_files);
1733 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1734 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1735 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1736 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1737 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1738
1739 /* other arguments */
1740 for (i = 0; i < o->num_subsystems; i++)
1741 printf("subsystem %s %s\n", o->subsystem_name[i],
1742 o->subsystem_args[i]);
1743
1744 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1745 o->max_startups_rate, o->max_startups);
1746
1747 for (i = 0; tunmode_desc[i].val != -1; i++)
1748 if (tunmode_desc[i].val == o->permit_tun) {
1749 s = tunmode_desc[i].text;
1750 break;
1751 }
1752 dump_cfg_string(sPermitTunnel, s);
1753
1754 channel_print_adm_permitted_opens();
1755}
git-cvsimport mirror of GSI OpenSSH
This page took 0.066116 seconds and 5 git commands to generate.