2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * Functions for reading the configuration files.
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
15 RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $");
21 #include "pathnames.h"
29 /* Format of the configuration file:
31 # Configuration data is parsed as follows:
32 # 1. command line options
33 # 2. user-specific file
35 # Any configuration value is only changed the first time it is set.
36 # Thus, host-specific definitions should be at the beginning of the
37 # configuration file, and defaults at the end.
39 # Host-specific declarations. These may override anything above. A single
40 # host may match multiple declarations; these are processed in the order
41 # that they are given in.
47 HostName another.host.name.real.org
54 RemoteForward 9999 shadows.cs.hut.fi:9999
60 PasswordAuthentication no
64 ProxyCommand ssh-proxy %h %p
67 PublicKeyAuthentication no
71 PasswordAuthentication no
77 # Defaults for various options
81 PasswordAuthentication yes
83 RhostsRSAAuthentication yes
84 StrictHostKeyChecking yes
86 IdentityFile ~/.ssh/identity
96 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
97 oPasswordAuthentication, oRSAAuthentication,
98 oChallengeResponseAuthentication, oXAuthLocation,
99 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
100 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
101 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
102 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
103 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
104 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
105 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
106 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
107 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
108 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
109 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
110 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
111 oAddressFamily, oGssAuthentication, oGssKeyEx, oGssDelegateCreds,
113 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
114 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
115 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
116 oDeprecated, oUnsupported
119 /* Textual representations of the tokens. */
125 { "forwardagent", oForwardAgent },
126 { "forwardx11", oForwardX11 },
127 { "forwardx11trusted", oForwardX11Trusted },
128 { "xauthlocation", oXAuthLocation },
129 { "gatewayports", oGatewayPorts },
130 { "useprivilegedport", oUsePrivilegedPort },
131 { "rhostsauthentication", oDeprecated },
132 { "passwordauthentication", oPasswordAuthentication },
133 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
134 { "kbdinteractivedevices", oKbdInteractiveDevices },
135 { "rsaauthentication", oRSAAuthentication },
136 { "pubkeyauthentication", oPubkeyAuthentication },
137 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
138 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
139 { "hostbasedauthentication", oHostbasedAuthentication },
140 { "challengeresponseauthentication", oChallengeResponseAuthentication },
141 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
142 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
143 { "kerberosauthentication", oUnsupported },
144 { "kerberostgtpassing", oUnsupported },
145 { "afstokenpassing", oUnsupported },
147 { "gssapiauthentication", oGssAuthentication },
148 { "gssapikeyexchange", oGssKeyEx },
149 { "gssapidelegatecredentials", oGssDelegateCreds },
150 { "gssapitrustdns", oGssTrustDns },
152 { "gssapiauthentication", oUnsupported },
153 { "gssapikeyexchange", oUnsupported },
154 { "gssapidelegatecredentials", oUnsupported },
155 { "gssapitrustdns", oUnsupported },
157 { "fallbacktorsh", oDeprecated },
158 { "usersh", oDeprecated },
159 { "identityfile", oIdentityFile },
160 { "identityfile2", oIdentityFile }, /* alias */
161 { "identitiesonly", oIdentitiesOnly },
162 { "hostname", oHostName },
163 { "hostkeyalias", oHostKeyAlias },
164 { "proxycommand", oProxyCommand },
166 { "cipher", oCipher },
167 { "ciphers", oCiphers },
169 { "protocol", oProtocol },
170 { "remoteforward", oRemoteForward },
171 { "localforward", oLocalForward },
174 { "escapechar", oEscapeChar },
175 { "globalknownhostsfile", oGlobalKnownHostsFile },
176 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
177 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
178 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
179 { "connectionattempts", oConnectionAttempts },
180 { "batchmode", oBatchMode },
181 { "checkhostip", oCheckHostIP },
182 { "stricthostkeychecking", oStrictHostKeyChecking },
183 { "compression", oCompression },
184 { "compressionlevel", oCompressionLevel },
185 { "tcpkeepalive", oTCPKeepAlive },
186 { "keepalive", oTCPKeepAlive }, /* obsolete */
187 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
188 { "loglevel", oLogLevel },
189 { "dynamicforward", oDynamicForward },
190 { "preferredauthentications", oPreferredAuthentications },
191 { "hostkeyalgorithms", oHostKeyAlgorithms },
192 { "bindaddress", oBindAddress },
194 { "smartcarddevice", oSmartcardDevice },
196 { "smartcarddevice", oUnsupported },
198 { "clearallforwardings", oClearAllForwardings },
199 { "enablesshkeysign", oEnableSSHKeysign },
200 { "verifyhostkeydns", oVerifyHostKeyDNS },
201 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
202 { "rekeylimit", oRekeyLimit },
203 { "connecttimeout", oConnectTimeout },
204 { "addressfamily", oAddressFamily },
205 { "serveraliveinterval", oServerAliveInterval },
206 { "serveralivecountmax", oServerAliveCountMax },
207 { "sendenv", oSendEnv },
208 { "controlpath", oControlPath },
209 { "controlmaster", oControlMaster },
210 { "hashknownhosts", oHashKnownHosts },
211 { "tunnel", oTunnel },
212 { "tunneldevice", oTunnelDevice },
213 { "localcommand", oLocalCommand },
214 { "permitlocalcommand", oPermitLocalCommand },
219 * Adds a local TCP/IP port forward to options. Never returns if there is an
224 add_local_forward(Options *options, const Forward *newfwd)
227 #ifndef NO_IPPORT_RESERVED_CONCEPT
228 extern uid_t original_real_uid;
229 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
230 fatal("Privileged ports can only be forwarded by root.");
232 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
233 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
234 fwd = &options->local_forwards[options->num_local_forwards++];
236 fwd->listen_host = (newfwd->listen_host == NULL) ?
237 NULL : xstrdup(newfwd->listen_host);
238 fwd->listen_port = newfwd->listen_port;
239 fwd->connect_host = xstrdup(newfwd->connect_host);
240 fwd->connect_port = newfwd->connect_port;
244 * Adds a remote TCP/IP port forward to options. Never returns if there is
249 add_remote_forward(Options *options, const Forward *newfwd)
252 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
253 fatal("Too many remote forwards (max %d).",
254 SSH_MAX_FORWARDS_PER_DIRECTION);
255 fwd = &options->remote_forwards[options->num_remote_forwards++];
257 fwd->listen_host = (newfwd->listen_host == NULL) ?
258 NULL : xstrdup(newfwd->listen_host);
259 fwd->listen_port = newfwd->listen_port;
260 fwd->connect_host = xstrdup(newfwd->connect_host);
261 fwd->connect_port = newfwd->connect_port;
265 clear_forwardings(Options *options)
269 for (i = 0; i < options->num_local_forwards; i++) {
270 if (options->local_forwards[i].listen_host != NULL)
271 xfree(options->local_forwards[i].listen_host);
272 xfree(options->local_forwards[i].connect_host);
274 options->num_local_forwards = 0;
275 for (i = 0; i < options->num_remote_forwards; i++) {
276 if (options->remote_forwards[i].listen_host != NULL)
277 xfree(options->remote_forwards[i].listen_host);
278 xfree(options->remote_forwards[i].connect_host);
280 options->num_remote_forwards = 0;
281 options->tun_open = SSH_TUNMODE_NO;
285 * Returns the number of the token pointed to by cp or oBadOption.
289 parse_token(const char *cp, const char *filename, int linenum)
293 for (i = 0; keywords[i].name; i++)
294 if (strcasecmp(cp, keywords[i].name) == 0)
295 return keywords[i].opcode;
297 error("%s: line %d: Bad configuration option: %s",
298 filename, linenum, cp);
303 * Processes a single option line as used in the configuration files. This
304 * only sets those values that have not already been set.
306 #define WHITESPACE " \t\r\n"
309 process_config_line(Options *options, const char *host,
310 char *line, const char *filename, int linenum,
313 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
314 int opcode, *intptr, value, value2;
318 /* Strip trailing whitespace */
319 for (len = strlen(line) - 1; len > 0; len--) {
320 if (strchr(WHITESPACE, line[len]) == NULL)
326 /* Get the keyword. (Each line is supposed to begin with a keyword). */
327 keyword = strdelim(&s);
328 /* Ignore leading whitespace. */
329 if (*keyword == '\0')
330 keyword = strdelim(&s);
331 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
334 opcode = parse_token(keyword, filename, linenum);
338 /* don't panic, but count bad options */
341 case oConnectTimeout:
342 intptr = &options->connection_timeout;
345 if (!arg || *arg == '\0')
346 fatal("%s line %d: missing time value.",
348 if ((value = convtime(arg)) == -1)
349 fatal("%s line %d: invalid time value.",
356 intptr = &options->forward_agent;
359 if (!arg || *arg == '\0')
360 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
361 value = 0; /* To avoid compiler warning... */
362 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
364 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
367 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
368 if (*activep && *intptr == -1)
373 intptr = &options->forward_x11;
376 case oForwardX11Trusted:
377 intptr = &options->forward_x11_trusted;
381 intptr = &options->gateway_ports;
384 case oUsePrivilegedPort:
385 intptr = &options->use_privileged_port;
388 case oPasswordAuthentication:
389 intptr = &options->password_authentication;
392 case oKbdInteractiveAuthentication:
393 intptr = &options->kbd_interactive_authentication;
396 case oKbdInteractiveDevices:
397 charptr = &options->kbd_interactive_devices;
400 case oPubkeyAuthentication:
401 intptr = &options->pubkey_authentication;
404 case oRSAAuthentication:
405 intptr = &options->rsa_authentication;
408 case oRhostsRSAAuthentication:
409 intptr = &options->rhosts_rsa_authentication;
412 case oHostbasedAuthentication:
413 intptr = &options->hostbased_authentication;
416 case oChallengeResponseAuthentication:
417 intptr = &options->challenge_response_authentication;
420 case oGssAuthentication:
421 intptr = &options->gss_authentication;
425 intptr = &options->gss_keyex;
428 case oGssDelegateCreds:
429 intptr = &options->gss_deleg_creds;
433 intptr = &options->gss_trust_dns;
437 intptr = &options->batch_mode;
441 intptr = &options->check_host_ip;
444 case oVerifyHostKeyDNS:
445 intptr = &options->verify_host_key_dns;
448 case oStrictHostKeyChecking:
449 intptr = &options->strict_host_key_checking;
452 if (!arg || *arg == '\0')
453 fatal("%.200s line %d: Missing yes/no/ask argument.",
455 value = 0; /* To avoid compiler warning... */
456 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
458 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
460 else if (strcmp(arg, "ask") == 0)
463 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
464 if (*activep && *intptr == -1)
469 intptr = &options->compression;
473 intptr = &options->tcp_keep_alive;
476 case oNoHostAuthenticationForLocalhost:
477 intptr = &options->no_host_authentication_for_localhost;
480 case oNumberOfPasswordPrompts:
481 intptr = &options->number_of_password_prompts;
484 case oCompressionLevel:
485 intptr = &options->compression_level;
489 intptr = &options->rekey_limit;
491 if (!arg || *arg == '\0')
492 fatal("%.200s line %d: Missing argument.", filename, linenum);
493 if (arg[0] < '0' || arg[0] > '9')
494 fatal("%.200s line %d: Bad number.", filename, linenum);
495 value = strtol(arg, &endofnumber, 10);
496 if (arg == endofnumber)
497 fatal("%.200s line %d: Bad number.", filename, linenum);
498 switch (toupper(*endofnumber)) {
509 if (*activep && *intptr == -1)
515 if (!arg || *arg == '\0')
516 fatal("%.200s line %d: Missing argument.", filename, linenum);
518 intptr = &options->num_identity_files;
519 if (*intptr >= SSH_MAX_IDENTITY_FILES)
520 fatal("%.200s line %d: Too many identity files specified (max %d).",
521 filename, linenum, SSH_MAX_IDENTITY_FILES);
522 charptr = &options->identity_files[*intptr];
523 *charptr = xstrdup(arg);
524 *intptr = *intptr + 1;
529 charptr=&options->xauth_location;
533 charptr = &options->user;
536 if (!arg || *arg == '\0')
537 fatal("%.200s line %d: Missing argument.", filename, linenum);
538 if (*activep && *charptr == NULL)
539 *charptr = xstrdup(arg);
542 case oGlobalKnownHostsFile:
543 charptr = &options->system_hostfile;
546 case oUserKnownHostsFile:
547 charptr = &options->user_hostfile;
550 case oGlobalKnownHostsFile2:
551 charptr = &options->system_hostfile2;
554 case oUserKnownHostsFile2:
555 charptr = &options->user_hostfile2;
559 charptr = &options->hostname;
563 charptr = &options->host_key_alias;
566 case oPreferredAuthentications:
567 charptr = &options->preferred_authentications;
571 charptr = &options->bind_address;
574 case oSmartcardDevice:
575 charptr = &options->smartcard_device;
579 charptr = &options->proxy_command;
582 fatal("%.200s line %d: Missing argument.", filename, linenum);
583 len = strspn(s, WHITESPACE "=");
584 if (*activep && *charptr == NULL)
585 *charptr = xstrdup(s + len);
589 intptr = &options->port;
592 if (!arg || *arg == '\0')
593 fatal("%.200s line %d: Missing argument.", filename, linenum);
594 if (arg[0] < '0' || arg[0] > '9')
595 fatal("%.200s line %d: Bad number.", filename, linenum);
597 /* Octal, decimal, or hex format? */
598 value = strtol(arg, &endofnumber, 0);
599 if (arg == endofnumber)
600 fatal("%.200s line %d: Bad number.", filename, linenum);
601 if (*activep && *intptr == -1)
605 case oConnectionAttempts:
606 intptr = &options->connection_attempts;
610 intptr = &options->cipher;
612 if (!arg || *arg == '\0')
613 fatal("%.200s line %d: Missing argument.", filename, linenum);
614 value = cipher_number(arg);
616 fatal("%.200s line %d: Bad cipher '%s'.",
617 filename, linenum, arg ? arg : "<NONE>");
618 if (*activep && *intptr == -1)
624 if (!arg || *arg == '\0')
625 fatal("%.200s line %d: Missing argument.", filename, linenum);
626 if (!ciphers_valid(arg))
627 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
628 filename, linenum, arg ? arg : "<NONE>");
629 if (*activep && options->ciphers == NULL)
630 options->ciphers = xstrdup(arg);
635 if (!arg || *arg == '\0')
636 fatal("%.200s line %d: Missing argument.", filename, linenum);
638 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
639 filename, linenum, arg ? arg : "<NONE>");
640 if (*activep && options->macs == NULL)
641 options->macs = xstrdup(arg);
644 case oHostKeyAlgorithms:
646 if (!arg || *arg == '\0')
647 fatal("%.200s line %d: Missing argument.", filename, linenum);
648 if (!key_names_valid2(arg))
649 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
650 filename, linenum, arg ? arg : "<NONE>");
651 if (*activep && options->hostkeyalgorithms == NULL)
652 options->hostkeyalgorithms = xstrdup(arg);
656 intptr = &options->protocol;
658 if (!arg || *arg == '\0')
659 fatal("%.200s line %d: Missing argument.", filename, linenum);
660 value = proto_spec(arg);
661 if (value == SSH_PROTO_UNKNOWN)
662 fatal("%.200s line %d: Bad protocol spec '%s'.",
663 filename, linenum, arg ? arg : "<NONE>");
664 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
669 intptr = (int *) &options->log_level;
671 value = log_level_number(arg);
672 if (value == SYSLOG_LEVEL_NOT_SET)
673 fatal("%.200s line %d: unsupported log level '%s'",
674 filename, linenum, arg ? arg : "<NONE>");
675 if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
676 *intptr = (LogLevel) value;
682 if (arg == NULL || *arg == '\0')
683 fatal("%.200s line %d: Missing port argument.",
686 if (arg2 == NULL || *arg2 == '\0')
687 fatal("%.200s line %d: Missing target argument.",
690 /* construct a string for parse_forward */
691 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
693 if (parse_forward(&fwd, fwdarg) == 0)
694 fatal("%.200s line %d: Bad forwarding specification.",
698 if (opcode == oLocalForward)
699 add_local_forward(options, &fwd);
700 else if (opcode == oRemoteForward)
701 add_remote_forward(options, &fwd);
705 case oDynamicForward:
707 if (!arg || *arg == '\0')
708 fatal("%.200s line %d: Missing port argument.",
710 memset(&fwd, '\0', sizeof(fwd));
711 fwd.connect_host = "socks";
712 fwd.listen_host = hpdelim(&arg);
713 if (fwd.listen_host == NULL ||
714 strlen(fwd.listen_host) >= NI_MAXHOST)
715 fatal("%.200s line %d: Bad forwarding specification.",
718 fwd.listen_port = a2port(arg);
719 fwd.listen_host = cleanhostname(fwd.listen_host);
721 fwd.listen_port = a2port(fwd.listen_host);
722 fwd.listen_host = NULL;
724 if (fwd.listen_port == 0)
725 fatal("%.200s line %d: Badly formatted port number.",
728 add_local_forward(options, &fwd);
731 case oClearAllForwardings:
732 intptr = &options->clear_forwardings;
737 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
738 if (match_pattern(host, arg)) {
739 debug("Applying options for %.100s", arg);
743 /* Avoid garbage check below, as strdelim is done. */
747 intptr = &options->escape_char;
749 if (!arg || *arg == '\0')
750 fatal("%.200s line %d: Missing argument.", filename, linenum);
751 if (arg[0] == '^' && arg[2] == 0 &&
752 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
753 value = (u_char) arg[1] & 31;
754 else if (strlen(arg) == 1)
755 value = (u_char) arg[0];
756 else if (strcmp(arg, "none") == 0)
757 value = SSH_ESCAPECHAR_NONE;
759 fatal("%.200s line %d: Bad escape character.",
762 value = 0; /* Avoid compiler warning. */
764 if (*activep && *intptr == -1)
770 if (!arg || *arg == '\0')
771 fatal("%s line %d: missing address family.",
773 intptr = &options->address_family;
774 if (strcasecmp(arg, "inet") == 0)
776 else if (strcasecmp(arg, "inet6") == 0)
778 else if (strcasecmp(arg, "any") == 0)
781 fatal("Unsupported AddressFamily \"%s\"", arg);
782 if (*activep && *intptr == -1)
786 case oEnableSSHKeysign:
787 intptr = &options->enable_ssh_keysign;
790 case oIdentitiesOnly:
791 intptr = &options->identities_only;
794 case oServerAliveInterval:
795 intptr = &options->server_alive_interval;
798 case oServerAliveCountMax:
799 intptr = &options->server_alive_count_max;
803 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
804 if (strchr(arg, '=') != NULL)
805 fatal("%s line %d: Invalid environment name.",
809 if (options->num_send_env >= MAX_SEND_ENV)
810 fatal("%s line %d: too many send env.",
812 options->send_env[options->num_send_env++] =
818 charptr = &options->control_path;
822 intptr = &options->control_master;
824 if (!arg || *arg == '\0')
825 fatal("%.200s line %d: Missing ControlMaster argument.",
827 value = 0; /* To avoid compiler warning... */
828 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
829 value = SSHCTL_MASTER_YES;
830 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
831 value = SSHCTL_MASTER_NO;
832 else if (strcmp(arg, "auto") == 0)
833 value = SSHCTL_MASTER_AUTO;
834 else if (strcmp(arg, "ask") == 0)
835 value = SSHCTL_MASTER_ASK;
836 else if (strcmp(arg, "autoask") == 0)
837 value = SSHCTL_MASTER_AUTO_ASK;
839 fatal("%.200s line %d: Bad ControlMaster argument.",
841 if (*activep && *intptr == -1)
845 case oHashKnownHosts:
846 intptr = &options->hash_known_hosts;
850 intptr = &options->tun_open;
852 if (!arg || *arg == '\0')
853 fatal("%s line %d: Missing yes/point-to-point/"
854 "ethernet/no argument.", filename, linenum);
855 value = 0; /* silence compiler */
856 if (strcasecmp(arg, "ethernet") == 0)
857 value = SSH_TUNMODE_ETHERNET;
858 else if (strcasecmp(arg, "point-to-point") == 0)
859 value = SSH_TUNMODE_POINTOPOINT;
860 else if (strcasecmp(arg, "yes") == 0)
861 value = SSH_TUNMODE_DEFAULT;
862 else if (strcasecmp(arg, "no") == 0)
863 value = SSH_TUNMODE_NO;
865 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
866 "no argument: %s", filename, linenum, arg);
873 if (!arg || *arg == '\0')
874 fatal("%.200s line %d: Missing argument.", filename, linenum);
875 value = a2tun(arg, &value2);
876 if (value == SSH_TUNID_ERR)
877 fatal("%.200s line %d: Bad tun device.", filename, linenum);
879 options->tun_local = value;
880 options->tun_remote = value2;
885 charptr = &options->local_command;
888 case oPermitLocalCommand:
889 intptr = &options->permit_local_command;
893 debug("%s line %d: Deprecated option \"%s\"",
894 filename, linenum, keyword);
898 error("%s line %d: Unsupported option \"%s\"",
899 filename, linenum, keyword);
903 fatal("process_config_line: Unimplemented opcode %d", opcode);
906 /* Check that there is no garbage at end of line. */
907 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
908 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
909 filename, linenum, arg);
916 * Reads the config file and modifies the options accordingly. Options
917 * should already be initialized before this call. This never returns if
918 * there is an error. If the file does not exist, this returns 0.
922 read_config_file(const char *filename, const char *host, Options *options,
931 if ((f = fopen(filename, "r")) == NULL)
937 if (fstat(fileno(f), &sb) == -1)
938 fatal("fstat %s: %s", filename, strerror(errno));
939 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
940 (sb.st_mode & 022) != 0))
941 fatal("Bad owner or permissions on %s", filename);
944 debug("Reading configuration data %.200s", filename);
947 * Mark that we are now processing the options. This flag is turned
948 * on/off by Host specifications.
952 while (fgets(line, sizeof(line), f)) {
953 /* Update line number counter. */
955 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
960 fatal("%s: terminating, %d bad configuration options",
961 filename, bad_options);
966 * Initializes options to special values that indicate that they have not yet
967 * been set. Read_config_file will only set options with this value. Options
968 * are processed in the following order: command line, user config file,
969 * system config file. Last, fill_default_options is called.
973 initialize_options(Options * options)
975 memset(options, 'X', sizeof(*options));
976 options->forward_agent = -1;
977 options->forward_x11 = -1;
978 options->forward_x11_trusted = -1;
979 options->xauth_location = NULL;
980 options->gateway_ports = -1;
981 options->use_privileged_port = -1;
982 options->rsa_authentication = -1;
983 options->pubkey_authentication = -1;
984 options->challenge_response_authentication = -1;
985 options->gss_authentication = -1;
986 options->gss_keyex = -1;
987 options->gss_deleg_creds = -1;
988 options->gss_trust_dns = -1;
989 options->password_authentication = -1;
990 options->kbd_interactive_authentication = -1;
991 options->kbd_interactive_devices = NULL;
992 options->rhosts_rsa_authentication = -1;
993 options->hostbased_authentication = -1;
994 options->batch_mode = -1;
995 options->check_host_ip = -1;
996 options->strict_host_key_checking = -1;
997 options->compression = -1;
998 options->tcp_keep_alive = -1;
999 options->compression_level = -1;
1001 options->address_family = -1;
1002 options->connection_attempts = -1;
1003 options->connection_timeout = -1;
1004 options->number_of_password_prompts = -1;
1005 options->cipher = -1;
1006 options->ciphers = NULL;
1007 options->macs = NULL;
1008 options->hostkeyalgorithms = NULL;
1009 options->protocol = SSH_PROTO_UNKNOWN;
1010 options->num_identity_files = 0;
1011 options->hostname = NULL;
1012 options->host_key_alias = NULL;
1013 options->proxy_command = NULL;
1014 options->user = NULL;
1015 options->escape_char = -1;
1016 options->system_hostfile = NULL;
1017 options->user_hostfile = NULL;
1018 options->system_hostfile2 = NULL;
1019 options->user_hostfile2 = NULL;
1020 options->num_local_forwards = 0;
1021 options->num_remote_forwards = 0;
1022 options->clear_forwardings = -1;
1023 options->log_level = SYSLOG_LEVEL_NOT_SET;
1024 options->preferred_authentications = NULL;
1025 options->bind_address = NULL;
1026 options->smartcard_device = NULL;
1027 options->enable_ssh_keysign = - 1;
1028 options->no_host_authentication_for_localhost = - 1;
1029 options->identities_only = - 1;
1030 options->rekey_limit = - 1;
1031 options->verify_host_key_dns = -1;
1032 options->server_alive_interval = -1;
1033 options->server_alive_count_max = -1;
1034 options->none_switch = -1;
1035 options->num_send_env = 0;
1036 options->control_path = NULL;
1037 options->control_master = -1;
1038 options->hash_known_hosts = -1;
1039 options->tun_open = -1;
1040 options->tun_local = -1;
1041 options->tun_remote = -1;
1042 options->local_command = NULL;
1043 options->permit_local_command = -1;
1047 * Called after processing other sources of option data, this fills those
1048 * options for which no value has been specified with their default values.
1052 fill_default_options(Options * options)
1056 if (options->forward_agent == -1)
1057 options->forward_agent = 0;
1058 if (options->forward_x11 == -1)
1059 options->forward_x11 = 0;
1060 if (options->forward_x11_trusted == -1)
1061 options->forward_x11_trusted = 0;
1062 if (options->xauth_location == NULL)
1063 options->xauth_location = _PATH_XAUTH;
1064 if (options->gateway_ports == -1)
1065 options->gateway_ports = 0;
1066 if (options->use_privileged_port == -1)
1067 options->use_privileged_port = 0;
1068 if (options->rsa_authentication == -1)
1069 options->rsa_authentication = 1;
1070 if (options->pubkey_authentication == -1)
1071 options->pubkey_authentication = 1;
1072 if (options->challenge_response_authentication == -1)
1073 options->challenge_response_authentication = 1;
1074 if (options->gss_authentication == -1)
1075 options->gss_authentication = 1;
1076 if (options->gss_keyex == -1)
1077 options->gss_keyex = 1;
1078 if (options->gss_deleg_creds == -1)
1079 options->gss_deleg_creds = 1;
1080 if (options->gss_trust_dns == -1)
1081 options->gss_trust_dns = 1;
1082 if (options->password_authentication == -1)
1083 options->password_authentication = 1;
1084 if (options->kbd_interactive_authentication == -1)
1085 options->kbd_interactive_authentication = 1;
1086 if (options->rhosts_rsa_authentication == -1)
1087 options->rhosts_rsa_authentication = 0;
1088 if (options->hostbased_authentication == -1)
1089 options->hostbased_authentication = 0;
1090 if (options->batch_mode == -1)
1091 options->batch_mode = 0;
1092 if (options->check_host_ip == -1)
1093 options->check_host_ip = 1;
1094 if (options->strict_host_key_checking == -1)
1095 options->strict_host_key_checking = 2; /* 2 is default */
1096 if (options->compression == -1)
1097 options->compression = 0;
1098 if (options->tcp_keep_alive == -1)
1099 options->tcp_keep_alive = 1;
1100 if (options->compression_level == -1)
1101 options->compression_level = 6;
1102 if (options->port == -1)
1103 options->port = 0; /* Filled in ssh_connect. */
1104 if (options->address_family == -1)
1105 options->address_family = AF_UNSPEC;
1106 if (options->connection_attempts == -1)
1107 options->connection_attempts = 1;
1108 if (options->number_of_password_prompts == -1)
1109 options->number_of_password_prompts = 3;
1110 /* Selected in ssh_login(). */
1111 if (options->cipher == -1)
1112 options->cipher = SSH_CIPHER_NOT_SET;
1113 /* options->ciphers, default set in myproposals.h */
1114 /* options->macs, default set in myproposals.h */
1115 /* options->hostkeyalgorithms, default set in myproposals.h */
1116 if (options->protocol == SSH_PROTO_UNKNOWN)
1117 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
1118 if (options->num_identity_files == 0) {
1119 if (options->protocol & SSH_PROTO_1) {
1120 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1121 options->identity_files[options->num_identity_files] =
1123 snprintf(options->identity_files[options->num_identity_files++],
1124 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1126 if (options->protocol & SSH_PROTO_2) {
1127 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1128 options->identity_files[options->num_identity_files] =
1130 snprintf(options->identity_files[options->num_identity_files++],
1131 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1133 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1134 options->identity_files[options->num_identity_files] =
1136 snprintf(options->identity_files[options->num_identity_files++],
1137 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1140 if (options->escape_char == -1)
1141 options->escape_char = '~';
1142 if (options->system_hostfile == NULL)
1143 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1144 if (options->user_hostfile == NULL)
1145 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1146 if (options->system_hostfile2 == NULL)
1147 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1148 if (options->user_hostfile2 == NULL)
1149 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1150 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1151 options->log_level = SYSLOG_LEVEL_INFO;
1152 if (options->clear_forwardings == 1)
1153 clear_forwardings(options);
1154 if (options->no_host_authentication_for_localhost == - 1)
1155 options->no_host_authentication_for_localhost = 0;
1156 if (options->identities_only == -1)
1157 options->identities_only = 0;
1158 if (options->enable_ssh_keysign == -1)
1159 options->enable_ssh_keysign = 0;
1160 if (options->rekey_limit == -1)
1161 options->rekey_limit = 0;
1162 if (options->verify_host_key_dns == -1)
1163 options->verify_host_key_dns = 0;
1164 if (options->server_alive_interval == -1)
1165 options->server_alive_interval = 0;
1166 if (options->server_alive_count_max == -1)
1167 options->server_alive_count_max = 3;
1168 if (options->none_switch == -1)
1169 options->none_switch = 0;
1170 if (options->control_master == -1)
1171 options->control_master = 0;
1172 if (options->hash_known_hosts == -1)
1173 options->hash_known_hosts = 0;
1174 if (options->tun_open == -1)
1175 options->tun_open = SSH_TUNMODE_NO;
1176 if (options->tun_local == -1)
1177 options->tun_local = SSH_TUNID_ANY;
1178 if (options->tun_remote == -1)
1179 options->tun_remote = SSH_TUNID_ANY;
1180 if (options->permit_local_command == -1)
1181 options->permit_local_command = 0;
1182 /* options->local_command should not be set by default */
1183 /* options->proxy_command should not be set by default */
1184 /* options->user will be set in the main program if appropriate */
1185 /* options->hostname will be set in the main program if appropriate */
1186 /* options->host_key_alias should not be set by default */
1187 /* options->preferred_authentications will be set in ssh */
1192 * parses a string containing a port forwarding specification of the form:
1193 * [listenhost:]listenport:connecthost:connectport
1194 * returns number of arguments parsed or zero on error
1197 parse_forward(Forward *fwd, const char *fwdspec)
1200 char *p, *cp, *fwdarg[4];
1202 memset(fwd, '\0', sizeof(*fwd));
1204 cp = p = xstrdup(fwdspec);
1206 /* skip leading spaces */
1207 while (*cp && isspace(*cp))
1210 for (i = 0; i < 4; ++i)
1211 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1214 /* Check for trailing garbage in 4-arg case*/
1216 i = 0; /* failure */
1220 fwd->listen_host = NULL;
1221 fwd->listen_port = a2port(fwdarg[0]);
1222 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1223 fwd->connect_port = a2port(fwdarg[2]);
1227 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1228 fwd->listen_port = a2port(fwdarg[1]);
1229 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1230 fwd->connect_port = a2port(fwdarg[3]);
1233 i = 0; /* failure */
1238 if (fwd->listen_port == 0 && fwd->connect_port == 0)
1241 if (fwd->connect_host != NULL &&
1242 strlen(fwd->connect_host) >= NI_MAXHOST)
1248 if (fwd->connect_host != NULL)
1249 xfree(fwd->connect_host);
1250 if (fwd->listen_host != NULL)
1251 xfree(fwd->listen_host);