2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.101 2002/02/04 12:15:25 markus Exp $");
22 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
24 #define KEYFILE "/etc/krb5.keytab"
36 #include "pathnames.h"
37 #include "tildexpand.h"
43 static void add_listen_addr(ServerOptions *, char *, u_short);
44 static void add_one_listen_addr(ServerOptions *, char *, u_short);
46 /* AF_UNSPEC or AF_INET or AF_INET6 */
49 /* Initializes the server options to their default values. */
52 initialize_server_options(ServerOptions *options)
54 memset(options, 0, sizeof(*options));
56 /* Portable-specific options */
57 options->pam_authentication_via_kbd_int = -1;
59 /* Standard Options */
60 options->num_ports = 0;
61 options->ports_from_cmdline = 0;
62 options->listen_addrs = NULL;
63 options->num_host_key_files = 0;
64 options->pid_file = NULL;
65 options->server_key_bits = -1;
66 options->login_grace_time = -1;
67 options->key_regeneration_time = -1;
68 options->permit_root_login = PERMIT_NOT_SET;
69 options->ignore_rhosts = -1;
70 options->ignore_user_known_hosts = -1;
71 options->print_motd = -1;
72 options->print_lastlog = -1;
73 options->x11_forwarding = -1;
74 options->x11_display_offset = -1;
75 options->x11_use_localhost = -1;
76 options->xauth_location = NULL;
77 options->strict_modes = -1;
78 options->keepalives = -1;
79 options->log_facility = SYSLOG_FACILITY_NOT_SET;
80 options->log_level = SYSLOG_LEVEL_NOT_SET;
81 options->rhosts_authentication = -1;
82 options->rhosts_rsa_authentication = -1;
83 options->hostbased_authentication = -1;
84 options->hostbased_uses_name_from_packet_only = -1;
85 options->rsa_authentication = -1;
86 options->pubkey_authentication = -1;
88 options->gss_authentication=-1;
89 options->gss_keyex=-1;
90 options->gss_use_session_ccache = -1;
91 options->gss_cleanup_creds = -1;
93 #if defined(KRB4) || defined(KRB5)
94 options->kerberos_authentication = -1;
95 options->kerberos_or_local_passwd = -1;
96 options->kerberos_ticket_cleanup = -1;
98 #if defined(AFS) || defined(KRB5)
99 options->kerberos_tgt_passing = -1;
102 options->afs_token_passing = -1;
104 options->password_authentication = -1;
105 options->kbd_interactive_authentication = -1;
106 options->challenge_response_authentication = -1;
107 options->permit_empty_passwd = -1;
108 options->use_login = -1;
109 options->allow_tcp_forwarding = -1;
110 options->num_allow_users = 0;
111 options->num_deny_users = 0;
112 options->num_allow_groups = 0;
113 options->num_deny_groups = 0;
114 options->ciphers = NULL;
115 options->macs = NULL;
116 options->protocol = SSH_PROTO_UNKNOWN;
117 options->gateway_ports = -1;
118 options->num_subsystems = 0;
119 options->max_startups_begin = -1;
120 options->max_startups_rate = -1;
121 options->max_startups = -1;
122 options->banner = NULL;
123 options->verify_reverse_mapping = -1;
124 options->client_alive_interval = -1;
125 options->client_alive_count_max = -1;
126 options->authorized_keys_file = NULL;
127 options->authorized_keys_file2 = NULL;
131 fill_default_server_options(ServerOptions *options)
133 /* Portable-specific options */
134 if (options->pam_authentication_via_kbd_int == -1)
135 options->pam_authentication_via_kbd_int = 0;
137 /* Standard Options */
138 if (options->protocol == SSH_PROTO_UNKNOWN)
139 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
140 if (options->num_host_key_files == 0) {
141 /* fill default hostkeys for protocols */
142 if (options->protocol & SSH_PROTO_1)
143 options->host_key_files[options->num_host_key_files++] =
145 if (options->protocol & SSH_PROTO_2) {
146 options->host_key_files[options->num_host_key_files++] =
147 _PATH_HOST_RSA_KEY_FILE;
148 options->host_key_files[options->num_host_key_files++] =
149 _PATH_HOST_DSA_KEY_FILE;
152 if (options->num_ports == 0)
153 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
154 if (options->listen_addrs == NULL)
155 add_listen_addr(options, NULL, 0);
156 if (options->pid_file == NULL)
157 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
158 if (options->server_key_bits == -1)
159 options->server_key_bits = 768;
160 if (options->login_grace_time == -1)
161 options->login_grace_time = 600;
162 if (options->key_regeneration_time == -1)
163 options->key_regeneration_time = 3600;
164 if (options->permit_root_login == PERMIT_NOT_SET)
165 options->permit_root_login = PERMIT_YES;
166 if (options->ignore_rhosts == -1)
167 options->ignore_rhosts = 1;
168 if (options->ignore_user_known_hosts == -1)
169 options->ignore_user_known_hosts = 0;
170 if (options->print_motd == -1)
171 options->print_motd = 1;
172 if (options->print_lastlog == -1)
173 options->print_lastlog = 1;
174 if (options->x11_forwarding == -1)
175 options->x11_forwarding = 0;
176 if (options->x11_display_offset == -1)
177 options->x11_display_offset = 10;
178 if (options->x11_use_localhost == -1)
179 options->x11_use_localhost = 1;
180 if (options->xauth_location == NULL)
181 options->xauth_location = _PATH_XAUTH;
182 if (options->strict_modes == -1)
183 options->strict_modes = 1;
184 if (options->keepalives == -1)
185 options->keepalives = 1;
186 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
187 options->log_facility = SYSLOG_FACILITY_AUTH;
188 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
189 options->log_level = SYSLOG_LEVEL_INFO;
190 if (options->rhosts_authentication == -1)
191 options->rhosts_authentication = 0;
192 if (options->rhosts_rsa_authentication == -1)
193 options->rhosts_rsa_authentication = 0;
194 if (options->hostbased_authentication == -1)
195 options->hostbased_authentication = 0;
196 if (options->hostbased_uses_name_from_packet_only == -1)
197 options->hostbased_uses_name_from_packet_only = 0;
198 if (options->rsa_authentication == -1)
199 options->rsa_authentication = 1;
200 if (options->pubkey_authentication == -1)
201 options->pubkey_authentication = 1;
203 if (options->gss_authentication == -1)
204 options->gss_authentication = 1;
205 if (options->gss_keyex == -1)
206 options->gss_keyex =1;
207 if (options->gss_use_session_ccache == -1)
208 options->gss_use_session_ccache = 1;
209 if (options->gss_cleanup_creds == -1)
210 options->gss_cleanup_creds = 1;
212 #if defined(KRB4) || defined(KRB5)
213 if (options->kerberos_authentication == -1)
214 options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
215 if (options->kerberos_or_local_passwd == -1)
216 options->kerberos_or_local_passwd = 1;
217 if (options->kerberos_ticket_cleanup == -1)
218 options->kerberos_ticket_cleanup = 1;
220 #if defined(AFS) || defined(KRB5)
221 if (options->kerberos_tgt_passing == -1)
222 options->kerberos_tgt_passing = 0;
225 if (options->afs_token_passing == -1)
226 options->afs_token_passing = k_hasafs();
228 if (options->password_authentication == -1)
229 options->password_authentication = 1;
230 if (options->kbd_interactive_authentication == -1)
231 options->kbd_interactive_authentication = 0;
232 if (options->challenge_response_authentication == -1)
233 options->challenge_response_authentication = 1;
234 if (options->permit_empty_passwd == -1)
235 options->permit_empty_passwd = 0;
236 if (options->use_login == -1)
237 options->use_login = 0;
238 if (options->allow_tcp_forwarding == -1)
239 options->allow_tcp_forwarding = 1;
240 if (options->gateway_ports == -1)
241 options->gateway_ports = 0;
242 if (options->max_startups == -1)
243 options->max_startups = 10;
244 if (options->max_startups_rate == -1)
245 options->max_startups_rate = 100; /* 100% */
246 if (options->max_startups_begin == -1)
247 options->max_startups_begin = options->max_startups;
248 if (options->verify_reverse_mapping == -1)
249 options->verify_reverse_mapping = 0;
250 if (options->client_alive_interval == -1)
251 options->client_alive_interval = 0;
252 if (options->client_alive_count_max == -1)
253 options->client_alive_count_max = 3;
254 if (options->authorized_keys_file2 == NULL) {
255 /* authorized_keys_file2 falls back to authorized_keys_file */
256 if (options->authorized_keys_file != NULL)
257 options->authorized_keys_file2 = options->authorized_keys_file;
259 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
261 if (options->authorized_keys_file == NULL)
262 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
265 /* Keyword tokens. */
267 sBadOption, /* == unknown option */
268 /* Portable-specific options */
269 sPAMAuthenticationViaKbdInt,
270 /* Standard Options */
271 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
272 sPermitRootLogin, sLogFacility, sLogLevel,
273 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
275 sGssAuthentication, sGssKeyEx, sGssUseSessionCredCache, sGssCleanupCreds,
277 #if defined(KRB4) || defined(KRB5)
278 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
280 #if defined(AFS) || defined(KRB5)
286 sChallengeResponseAuthentication,
287 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
288 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
289 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
290 sStrictModes, sEmptyPasswd, sKeepAlives,
291 sUseLogin, sAllowTcpForwarding,
292 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
293 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
294 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
295 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
296 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
297 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
301 /* Textual representation of the tokens. */
304 ServerOpCodes opcode;
306 /* Portable-specific options */
307 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
308 /* Standard Options */
310 { "hostkey", sHostKeyFile },
311 { "hostdsakey", sHostKeyFile }, /* alias */
312 { "pidfile", sPidFile },
313 { "serverkeybits", sServerKeyBits },
314 { "logingracetime", sLoginGraceTime },
315 { "keyregenerationinterval", sKeyRegenerationTime },
316 { "permitrootlogin", sPermitRootLogin },
317 { "syslogfacility", sLogFacility },
318 { "loglevel", sLogLevel },
319 { "rhostsauthentication", sRhostsAuthentication },
320 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
321 { "hostbasedauthentication", sHostbasedAuthentication },
322 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
323 { "rsaauthentication", sRSAAuthentication },
324 { "pubkeyauthentication", sPubkeyAuthentication },
325 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
327 { "gssapiauthentication", sGssAuthentication },
328 { "gssapikeyexchange", sGssKeyEx },
329 { "gssusesessionccache", sGssUseSessionCredCache },
330 { "gssapiusesessioncredcache", sGssUseSessionCredCache },
331 { "gssapicleanupcreds", sGssCleanupCreds },
333 #if defined(KRB4) || defined(KRB5)
334 { "kerberosauthentication", sKerberosAuthentication },
335 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
336 { "kerberosticketcleanup", sKerberosTicketCleanup },
338 #if defined(AFS) || defined(KRB5)
339 { "kerberostgtpassing", sKerberosTgtPassing },
342 { "afstokenpassing", sAFSTokenPassing },
344 { "passwordauthentication", sPasswordAuthentication },
345 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
346 { "challengeresponseauthentication", sChallengeResponseAuthentication },
347 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
348 { "checkmail", sDeprecated },
349 { "listenaddress", sListenAddress },
350 { "printmotd", sPrintMotd },
351 { "printlastlog", sPrintLastLog },
352 { "ignorerhosts", sIgnoreRhosts },
353 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
354 { "x11forwarding", sX11Forwarding },
355 { "x11displayoffset", sX11DisplayOffset },
356 { "x11uselocalhost", sX11UseLocalhost },
357 { "xauthlocation", sXAuthLocation },
358 { "strictmodes", sStrictModes },
359 { "permitemptypasswords", sEmptyPasswd },
360 { "uselogin", sUseLogin },
361 { "keepalive", sKeepAlives },
362 { "allowtcpforwarding", sAllowTcpForwarding },
363 { "allowusers", sAllowUsers },
364 { "denyusers", sDenyUsers },
365 { "allowgroups", sAllowGroups },
366 { "denygroups", sDenyGroups },
367 { "ciphers", sCiphers },
369 { "protocol", sProtocol },
370 { "gatewayports", sGatewayPorts },
371 { "subsystem", sSubsystem },
372 { "maxstartups", sMaxStartups },
373 { "banner", sBanner },
374 { "verifyreversemapping", sVerifyReverseMapping },
375 { "reversemappingcheck", sVerifyReverseMapping },
376 { "clientaliveinterval", sClientAliveInterval },
377 { "clientalivecountmax", sClientAliveCountMax },
378 { "authorizedkeysfile", sAuthorizedKeysFile },
379 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
384 * Returns the number of the token pointed to by cp or sBadOption.
388 parse_token(const char *cp, const char *filename,
393 for (i = 0; keywords[i].name; i++)
394 if (strcasecmp(cp, keywords[i].name) == 0)
395 return keywords[i].opcode;
397 error("%s: line %d: Bad configuration option: %s",
398 filename, linenum, cp);
403 add_listen_addr(ServerOptions *options, char *addr, u_short port)
407 if (options->num_ports == 0)
408 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
410 for (i = 0; i < options->num_ports; i++)
411 add_one_listen_addr(options, addr, options->ports[i]);
413 add_one_listen_addr(options, addr, port);
417 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
419 struct addrinfo hints, *ai, *aitop;
420 char strport[NI_MAXSERV];
423 memset(&hints, 0, sizeof(hints));
424 hints.ai_family = IPv4or6;
425 hints.ai_socktype = SOCK_STREAM;
426 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
427 snprintf(strport, sizeof strport, "%d", port);
428 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
429 fatal("bad addr or host: %s (%s)",
430 addr ? addr : "<NULL>",
431 gai_strerror(gaierr));
432 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
434 ai->ai_next = options->listen_addrs;
435 options->listen_addrs = aitop;
439 process_server_config_line(ServerOptions *options, char *line,
440 const char *filename, int linenum)
442 char *cp, **charptr, *arg, *p;
444 ServerOpCodes opcode;
449 /* Ignore leading whitespace */
452 if (!arg || !*arg || *arg == '#')
456 opcode = parse_token(arg, filename, linenum);
458 /* Portable-specific options */
459 case sPAMAuthenticationViaKbdInt:
460 intptr = &options->pam_authentication_via_kbd_int;
463 /* Standard Options */
467 /* ignore ports from configfile if cmdline specifies ports */
468 if (options->ports_from_cmdline)
470 if (options->listen_addrs != NULL)
471 fatal("%s line %d: ports must be specified before "
472 "ListenAddress.", filename, linenum);
473 if (options->num_ports >= MAX_PORTS)
474 fatal("%s line %d: too many ports.",
477 if (!arg || *arg == '\0')
478 fatal("%s line %d: missing port number.",
480 options->ports[options->num_ports++] = a2port(arg);
481 if (options->ports[options->num_ports-1] == 0)
482 fatal("%s line %d: Badly formatted port number.",
487 intptr = &options->server_key_bits;
490 if (!arg || *arg == '\0')
491 fatal("%s line %d: missing integer value.",
498 case sLoginGraceTime:
499 intptr = &options->login_grace_time;
502 if (!arg || *arg == '\0')
503 fatal("%s line %d: missing time value.",
505 if ((value = convtime(arg)) == -1)
506 fatal("%s line %d: invalid time value.",
512 case sKeyRegenerationTime:
513 intptr = &options->key_regeneration_time;
518 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
519 fatal("%s line %d: missing inet addr.",
522 if ((p = strchr(arg, ']')) == NULL)
523 fatal("%s line %d: bad ipv6 inet addr usage.",
526 memmove(p, p+1, strlen(p+1)+1);
527 } else if (((p = strchr(arg, ':')) == NULL) ||
528 (strchr(p+1, ':') != NULL)) {
529 add_listen_addr(options, arg, 0);
537 fatal("%s line %d: bad inet addr:port usage.",
541 if ((port = a2port(p)) == 0)
542 fatal("%s line %d: bad port number.",
544 add_listen_addr(options, arg, port);
546 } else if (*p == '\0')
547 add_listen_addr(options, arg, 0);
549 fatal("%s line %d: bad inet addr usage.",
554 intptr = &options->num_host_key_files;
555 if (*intptr >= MAX_HOSTKEYS)
556 fatal("%s line %d: too many host keys specified (max %d).",
557 filename, linenum, MAX_HOSTKEYS);
558 charptr = &options->host_key_files[*intptr];
561 if (!arg || *arg == '\0')
562 fatal("%s line %d: missing file name.",
564 if (*charptr == NULL) {
565 *charptr = tilde_expand_filename(arg, getuid());
566 /* increase optional counter */
568 *intptr = *intptr + 1;
573 charptr = &options->pid_file;
576 case sPermitRootLogin:
577 intptr = &options->permit_root_login;
579 if (!arg || *arg == '\0')
580 fatal("%s line %d: missing yes/"
581 "without-password/forced-commands-only/no "
582 "argument.", filename, linenum);
583 value = 0; /* silence compiler */
584 if (strcmp(arg, "without-password") == 0)
585 value = PERMIT_NO_PASSWD;
586 else if (strcmp(arg, "forced-commands-only") == 0)
587 value = PERMIT_FORCED_ONLY;
588 else if (strcmp(arg, "yes") == 0)
590 else if (strcmp(arg, "no") == 0)
593 fatal("%s line %d: Bad yes/"
594 "without-password/forced-commands-only/no "
595 "argument: %s", filename, linenum, arg);
601 intptr = &options->ignore_rhosts;
604 if (!arg || *arg == '\0')
605 fatal("%s line %d: missing yes/no argument.",
607 value = 0; /* silence compiler */
608 if (strcmp(arg, "yes") == 0)
610 else if (strcmp(arg, "no") == 0)
613 fatal("%s line %d: Bad yes/no argument: %s",
614 filename, linenum, arg);
619 case sIgnoreUserKnownHosts:
620 intptr = &options->ignore_user_known_hosts;
623 case sRhostsAuthentication:
624 intptr = &options->rhosts_authentication;
627 case sRhostsRSAAuthentication:
628 intptr = &options->rhosts_rsa_authentication;
631 case sHostbasedAuthentication:
632 intptr = &options->hostbased_authentication;
635 case sHostbasedUsesNameFromPacketOnly:
636 intptr = &options->hostbased_uses_name_from_packet_only;
639 case sRSAAuthentication:
640 intptr = &options->rsa_authentication;
643 case sPubkeyAuthentication:
644 intptr = &options->pubkey_authentication;
647 case sGssAuthentication:
648 intptr = &options->gss_authentication;
651 intptr = &options->gss_keyex;
653 case sGssUseSessionCredCache:
654 intptr = &options->gss_use_session_ccache;
656 case sGssCleanupCreds:
657 intptr = &options->gss_cleanup_creds;
660 #if defined(KRB4) || defined(KRB5)
661 case sKerberosAuthentication:
662 intptr = &options->kerberos_authentication;
665 case sKerberosOrLocalPasswd:
666 intptr = &options->kerberos_or_local_passwd;
669 case sKerberosTicketCleanup:
670 intptr = &options->kerberos_ticket_cleanup;
673 #if defined(AFS) || defined(KRB5)
674 case sKerberosTgtPassing:
675 intptr = &options->kerberos_tgt_passing;
679 case sAFSTokenPassing:
680 intptr = &options->afs_token_passing;
684 case sPasswordAuthentication:
685 intptr = &options->password_authentication;
688 case sKbdInteractiveAuthentication:
689 intptr = &options->kbd_interactive_authentication;
692 case sChallengeResponseAuthentication:
693 intptr = &options->challenge_response_authentication;
697 intptr = &options->print_motd;
701 intptr = &options->print_lastlog;
705 intptr = &options->x11_forwarding;
708 case sX11DisplayOffset:
709 intptr = &options->x11_display_offset;
712 case sX11UseLocalhost:
713 intptr = &options->x11_use_localhost;
717 charptr = &options->xauth_location;
721 intptr = &options->strict_modes;
725 intptr = &options->keepalives;
729 intptr = &options->permit_empty_passwd;
733 intptr = &options->use_login;
737 intptr = &options->gateway_ports;
740 case sVerifyReverseMapping:
741 intptr = &options->verify_reverse_mapping;
745 intptr = (int *) &options->log_facility;
747 value = log_facility_number(arg);
748 if (value == SYSLOG_FACILITY_NOT_SET)
749 fatal("%.200s line %d: unsupported log facility '%s'",
750 filename, linenum, arg ? arg : "<NONE>");
752 *intptr = (SyslogFacility) value;
756 intptr = (int *) &options->log_level;
758 value = log_level_number(arg);
759 if (value == SYSLOG_LEVEL_NOT_SET)
760 fatal("%.200s line %d: unsupported log level '%s'",
761 filename, linenum, arg ? arg : "<NONE>");
763 *intptr = (LogLevel) value;
766 case sAllowTcpForwarding:
767 intptr = &options->allow_tcp_forwarding;
771 while ((arg = strdelim(&cp)) && *arg != '\0') {
772 if (options->num_allow_users >= MAX_ALLOW_USERS)
773 fatal("%s line %d: too many allow users.",
775 options->allow_users[options->num_allow_users++] = xstrdup(arg);
780 while ((arg = strdelim(&cp)) && *arg != '\0') {
781 if (options->num_deny_users >= MAX_DENY_USERS)
782 fatal( "%s line %d: too many deny users.",
784 options->deny_users[options->num_deny_users++] = xstrdup(arg);
789 while ((arg = strdelim(&cp)) && *arg != '\0') {
790 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
791 fatal("%s line %d: too many allow groups.",
793 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
798 while ((arg = strdelim(&cp)) && *arg != '\0') {
799 if (options->num_deny_groups >= MAX_DENY_GROUPS)
800 fatal("%s line %d: too many deny groups.",
802 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
808 if (!arg || *arg == '\0')
809 fatal("%s line %d: Missing argument.", filename, linenum);
810 if (!ciphers_valid(arg))
811 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
812 filename, linenum, arg ? arg : "<NONE>");
813 if (options->ciphers == NULL)
814 options->ciphers = xstrdup(arg);
819 if (!arg || *arg == '\0')
820 fatal("%s line %d: Missing argument.", filename, linenum);
822 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
823 filename, linenum, arg ? arg : "<NONE>");
824 if (options->macs == NULL)
825 options->macs = xstrdup(arg);
829 intptr = &options->protocol;
831 if (!arg || *arg == '\0')
832 fatal("%s line %d: Missing argument.", filename, linenum);
833 value = proto_spec(arg);
834 if (value == SSH_PROTO_UNKNOWN)
835 fatal("%s line %d: Bad protocol spec '%s'.",
836 filename, linenum, arg ? arg : "<NONE>");
837 if (*intptr == SSH_PROTO_UNKNOWN)
842 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
843 fatal("%s line %d: too many subsystems defined.",
847 if (!arg || *arg == '\0')
848 fatal("%s line %d: Missing subsystem name.",
850 for (i = 0; i < options->num_subsystems; i++)
851 if (strcmp(arg, options->subsystem_name[i]) == 0)
852 fatal("%s line %d: Subsystem '%s' already defined.",
853 filename, linenum, arg);
854 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
856 if (!arg || *arg == '\0')
857 fatal("%s line %d: Missing subsystem command.",
859 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
860 options->num_subsystems++;
865 if (!arg || *arg == '\0')
866 fatal("%s line %d: Missing MaxStartups spec.",
868 if ((n = sscanf(arg, "%d:%d:%d",
869 &options->max_startups_begin,
870 &options->max_startups_rate,
871 &options->max_startups)) == 3) {
872 if (options->max_startups_begin >
873 options->max_startups ||
874 options->max_startups_rate > 100 ||
875 options->max_startups_rate < 1)
876 fatal("%s line %d: Illegal MaxStartups spec.",
879 fatal("%s line %d: Illegal MaxStartups spec.",
882 options->max_startups = options->max_startups_begin;
886 charptr = &options->banner;
889 * These options can contain %X options expanded at
890 * connect time, so that you can specify paths like:
892 * AuthorizedKeysFile /etc/ssh_keys/%u
894 case sAuthorizedKeysFile:
895 case sAuthorizedKeysFile2:
896 charptr = (opcode == sAuthorizedKeysFile ) ?
897 &options->authorized_keys_file :
898 &options->authorized_keys_file2;
901 case sClientAliveInterval:
902 intptr = &options->client_alive_interval;
905 case sClientAliveCountMax:
906 intptr = &options->client_alive_count_max;
910 log("%s line %d: Deprecated option %s",
911 filename, linenum, arg);
917 fatal("%s line %d: Missing handler for opcode %s (%d)",
918 filename, linenum, arg, opcode);
920 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
921 fatal("%s line %d: garbage at end of line; \"%.200s\".",
922 filename, linenum, arg);
926 /* Reads the server configuration file. */
929 read_server_config(ServerOptions *options, const char *filename)
936 f = fopen(filename, "r");
942 while (fgets(line, sizeof(line), f)) {
943 /* Update line number counter. */
945 if (process_server_config_line(options, line, filename, linenum) != 0)
950 fatal("%s: terminating, %d bad configuration options",
951 filename, bad_options);