1 /* $OpenBSD: readconf.c,v 1.159 2006/08/03 03:34:42 deraadt Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
46 /* Format of the configuration file:
48 # Configuration data is parsed as follows:
49 # 1. command line options
50 # 2. user-specific file
52 # Any configuration value is only changed the first time it is set.
53 # Thus, host-specific definitions should be at the beginning of the
54 # configuration file, and defaults at the end.
56 # Host-specific declarations. These may override anything above. A single
57 # host may match multiple declarations; these are processed in the order
58 # that they are given in.
64 HostName another.host.name.real.org
71 RemoteForward 9999 shadows.cs.hut.fi:9999
77 PasswordAuthentication no
81 ProxyCommand ssh-proxy %h %p
84 PublicKeyAuthentication no
88 PasswordAuthentication no
94 # Defaults for various options
98 PasswordAuthentication yes
100 RhostsRSAAuthentication yes
101 StrictHostKeyChecking yes
103 IdentityFile ~/.ssh/identity
109 /* Keyword tokens. */
/*
 * One token per recognised ssh_config keyword.  Besides the real options
 * there are two catch-all tokens used by the keyword table: oDeprecated
 * (the line is accepted and only reported at debug level) and oUnsupported
 * (the line is reported as an error and counted as a bad option).  See the
 * matching cases near the end of process_config_line().
 */
113 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
114 oExitOnForwardFailure,
115 oPasswordAuthentication, oRSAAuthentication,
116 oChallengeResponseAuthentication, oXAuthLocation,
117 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
118 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
119 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
120 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
121 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
122 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
123 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
124 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
125 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
126 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
127 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
129 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
132 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
133 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
134 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
135 oDeprecated, oUnsupported
138 /* Textual representations of the tokens. */
/*
 * Keyword -> opcode table, searched linearly and case-insensitively by
 * parse_token(); the FIRST matching entry wins.  Keywords are listed here
 * in lower case because parse_token() uses strcasecmp().
 */
144 { "forwardagent", oForwardAgent },
145 { "forwardx11", oForwardX11 },
146 { "forwardx11trusted", oForwardX11Trusted },
147 { "exitonforwardfailure", oExitOnForwardFailure },
148 { "xauthlocation", oXAuthLocation },
149 { "gatewayports", oGatewayPorts },
150 { "useprivilegedport", oUsePrivilegedPort },
/*
 * Removed authentication methods keep a table entry so old config files
 * still parse: oDeprecated lines are silently skipped (debug only),
 * oUnsupported lines are reported as errors by process_config_line().
 */
151 { "rhostsauthentication", oDeprecated },
152 { "passwordauthentication", oPasswordAuthentication },
153 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
154 { "kbdinteractivedevices", oKbdInteractiveDevices },
155 { "rsaauthentication", oRSAAuthentication },
156 { "pubkeyauthentication", oPubkeyAuthentication },
157 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
158 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
159 { "hostbasedauthentication", oHostbasedAuthentication },
160 { "challengeresponseauthentication", oChallengeResponseAuthentication },
161 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
162 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
163 { "kerberosauthentication", oUnsupported },
164 { "kerberostgtpassing", oUnsupported },
165 { "afstokenpassing", oUnsupported },
/*
 * The four gssapi* keywords appear twice below.  The two sets are
 * presumably alternatives selected by a build-time conditional (the
 * directive lines are not shown in this excerpt); because parse_token()
 * returns the first match, only one set may be compiled in at a time.
 */
167 { "gssapiauthentication", oGssAuthentication },
168 { "gssapikeyexchange", oGssKeyEx },
169 { "gssapidelegatecredentials", oGssDelegateCreds },
170 { "gssapitrustdns", oGssTrustDns },
172 { "gssapiauthentication", oUnsupported },
173 { "gssapikeyexchange", oUnsupported },
174 { "gssapidelegatecredentials", oUnsupported },
175 { "gssapitrustdns", oUnsupported },
177 { "fallbacktorsh", oDeprecated },
178 { "usersh", oDeprecated },
179 { "identityfile", oIdentityFile },
180 { "identityfile2", oIdentityFile }, /* alias */
181 { "identitiesonly", oIdentitiesOnly },
182 { "hostname", oHostName },
183 { "hostkeyalias", oHostKeyAlias },
/*
 * ProxyCommand (and LocalCommand below) take the remainder of the line
 * verbatim; these are the directives that make ownership/permission
 * checking of the config file (read_config_file) matter.
 */
184 { "proxycommand", oProxyCommand },
/* "cipher" is the single protocol-1 cipher; "ciphers" is the protocol-2 list. */
186 { "cipher", oCipher },
187 { "ciphers", oCiphers },
189 { "protocol", oProtocol },
190 { "remoteforward", oRemoteForward },
191 { "localforward", oLocalForward },
194 { "escapechar", oEscapeChar },
195 { "globalknownhostsfile", oGlobalKnownHostsFile },
196 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
197 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
198 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
199 { "connectionattempts", oConnectionAttempts },
200 { "batchmode", oBatchMode },
201 { "checkhostip", oCheckHostIP },
202 { "stricthostkeychecking", oStrictHostKeyChecking },
203 { "compression", oCompression },
204 { "compressionlevel", oCompressionLevel },
205 { "tcpkeepalive", oTCPKeepAlive },
206 { "keepalive", oTCPKeepAlive }, /* obsolete */
207 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
208 { "loglevel", oLogLevel },
209 { "dynamicforward", oDynamicForward },
210 { "preferredauthentications", oPreferredAuthentications },
211 { "hostkeyalgorithms", oHostKeyAlgorithms },
212 { "bindaddress", oBindAddress },
/* Same pattern as gssapi*: one of these two entries is presumably conditional. */
214 { "smartcarddevice", oSmartcardDevice },
216 { "smartcarddevice", oUnsupported },
218 { "clearallforwardings", oClearAllForwardings },
219 { "enablesshkeysign", oEnableSSHKeysign },
220 { "verifyhostkeydns", oVerifyHostKeyDNS },
221 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
222 { "rekeylimit", oRekeyLimit },
223 { "connecttimeout", oConnectTimeout },
224 { "addressfamily", oAddressFamily },
225 { "serveraliveinterval", oServerAliveInterval },
226 { "serveralivecountmax", oServerAliveCountMax },
227 { "sendenv", oSendEnv },
228 { "controlpath", oControlPath },
229 { "controlmaster", oControlMaster },
230 { "hashknownhosts", oHashKnownHosts },
231 { "tunnel", oTunnel },
232 { "tunneldevice", oTunnelDevice },
233 { "localcommand", oLocalCommand },
234 { "permitlocalcommand", oPermitLocalCommand },
239 * Adds a local TCP/IP port forward to options. Never returns if there is an
244 add_local_forward(Options *options, const Forward *newfwd)
/*
 * Append a copy of *newfwd to options->local_forwards.  Does not return on
 * error (fatal()).  listen_host may be NULL (no explicit listen address);
 * connect_host is assumed non-NULL, which both callers in this file
 * guarantee (parse_forward() xstrdup()s it, the DynamicForward case sets
 * the literal "socks").
 */
247 #ifndef NO_IPPORT_RESERVED_CONCEPT
/*
 * Privilege check: only root may set up a listener below IPPORT_RESERVED.
 * The real uid saved at startup is consulted rather than geteuid(), so the
 * decision is about who invoked ssh, not about any privilege the process
 * currently holds (where original_real_uid is saved is outside this file).
 */
248 extern uid_t original_real_uid;
249 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
250 fatal("Privileged ports can only be forwarded by root.");
/* local_forwards is a fixed-size array; refuse rather than overrun it. */
252 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
253 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
254 fwd = &options->local_forwards[options->num_local_forwards++];
/*
 * Deep-copy the strings: *newfwd stays the caller's.  These copies are
 * what clear_forwardings() later frees.
 */
256 fwd->listen_host = (newfwd->listen_host == NULL) ?
257 NULL : xstrdup(newfwd->listen_host);
258 fwd->listen_port = newfwd->listen_port;
259 fwd->connect_host = xstrdup(newfwd->connect_host);
260 fwd->connect_port = newfwd->connect_port;
264 * Adds a remote TCP/IP port forward to options. Never returns if there is
269 add_remote_forward(Options *options, const Forward *newfwd)
/*
 * Append a copy of *newfwd to options->remote_forwards; fatal() when the
 * fixed-size array is full.  Unlike add_local_forward() there is no
 * privileged-port check here: the listener of a remote forward is opened
 * on the server, so any such policy has to be enforced there, not by this
 * client.  Strings are duplicated (freed again by clear_forwardings());
 * connect_host must be non-NULL, listen_host may be NULL.
 */
272 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
273 fatal("Too many remote forwards (max %d).",
274 SSH_MAX_FORWARDS_PER_DIRECTION);
275 fwd = &options->remote_forwards[options->num_remote_forwards++];
277 fwd->listen_host = (newfwd->listen_host == NULL) ?
278 NULL : xstrdup(newfwd->listen_host);
279 fwd->listen_port = newfwd->listen_port;
280 fwd->connect_host = xstrdup(newfwd->connect_host);
281 fwd->connect_port = newfwd->connect_port;
285 clear_forwardings(Options *options)
/*
 * Discard every local and remote forward collected so far and switch
 * tunnel forwarding off.  Frees the strings duplicated by
 * add_local_forward()/add_remote_forward(): listen_host is optional and
 * may be NULL, connect_host is always present.  Called from
 * fill_default_options() when clear_forwardings == 1 (ClearAllForwardings
 * yes).  Note that tun_local/tun_remote are deliberately left untouched;
 * only tun_open is reset.
 */
289 for (i = 0; i < options->num_local_forwards; i++) {
290 if (options->local_forwards[i].listen_host != NULL)
291 xfree(options->local_forwards[i].listen_host);
292 xfree(options->local_forwards[i].connect_host);
294 options->num_local_forwards = 0;
295 for (i = 0; i < options->num_remote_forwards; i++) {
296 if (options->remote_forwards[i].listen_host != NULL)
297 xfree(options->remote_forwards[i].listen_host);
298 xfree(options->remote_forwards[i].connect_host);
300 options->num_remote_forwards = 0;
301 options->tun_open = SSH_TUNMODE_NO;
305 * Returns the number of the token pointed to by cp or oBadOption.
309 parse_token(const char *cp, const char *filename, int linenum)
/*
 * Map keyword cp to its opcode by a case-insensitive linear scan of
 * keywords[].  The first matching entry wins, which is what makes the
 * duplicated (conditionally compiled) gssapi*/smartcarddevice entries in
 * the table work.  On no match the line is reported as an error and
 * oBadOption is returned (the return statement is not shown here).
 * filename/linenum are only used for the diagnostic.
 */
313 for (i = 0; keywords[i].name; i++)
314 if (strcasecmp(cp, keywords[i].name) == 0)
315 return keywords[i].opcode;
317 error("%s: line %d: Bad configuration option: %s",
318 filename, linenum, cp);
323 * Processes a single option line as used in the configuration files. This
324 * only sets those values that have not already been set.
326 #define WHITESPACE " \t\r\n"
329 process_config_line(Options *options, const char *host,
330 char *line, const char *filename, int linenum,
/*
 * Parse one configuration line (from a file or an -o argument) into
 * *options.  `line` is modified in place (strdelim() tokenises it).
 * `host` is the target host name matched against Host patterns.  The
 * remaining parameter, *activep (not shown above), says whether the
 * current Host section applies; values are only stored when it is set
 * and the field still holds its "unset" sentinel, which is what gives
 * "first setting wins" semantics across command line, user file and
 * system file.  Most malformed input is fatal(); an unknown keyword is
 * merely counted so the caller can report the total.
 */
333 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
334 int opcode, *intptr, value, value2, scale;
335 long long orig, val64;
339 /* Strip trailing whitespace */
/*
 * NOTE(review): if `line` is empty, strlen(line) - 1 wraps when len is an
 * unsigned type (its declaration is not shown) and line[len] reads far out
 * of bounds; with a signed len the loop simply does not run.  The in-file
 * caller feeds fgets() output, which is never empty, but any other caller
 * (e.g. an empty -o argument) must guarantee a non-empty line or this loop
 * should start with an explicit length check.
 */
340 for (len = strlen(line) - 1; len > 0; len--) {
341 if (strchr(WHITESPACE, line[len]) == NULL)
347 /* Get the keyword. (Each line is supposed to begin with a keyword). */
348 if ((keyword = strdelim(&s)) == NULL)
350 /* Ignore leading whitespace. */
351 if (*keyword == '\0')
352 keyword = strdelim(&s);
/* Blank lines and '#' comments are skipped without error. */
353 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
356 opcode = parse_token(keyword, filename, linenum);
/* oBadOption: unknown keywords are counted (increment not shown), not fatal. */
360 /* don't panic, but count bad options */
363 case oConnectTimeout:
364 intptr = &options->connection_timeout;
/* Time values go through convtime(), which returns -1 on a bad spec. */
367 if (!arg || *arg == '\0')
368 fatal("%s line %d: missing time value.",
370 if ((value = convtime(arg)) == -1)
371 fatal("%s line %d: invalid time value.",
/*
 * Shared yes/no parser.  The boolean options below set intptr and
 * presumably jump here (the label and goto lines are not shown).  Only
 * the exact words yes/true/no/false are accepted, case-sensitively.
 */
378 intptr = &options->forward_agent;
381 if (!arg || *arg == '\0')
382 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
383 value = 0; /* To avoid compiler warning... */
384 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
386 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
389 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
/* -1 is the "not yet set" sentinel from initialize_options(). */
390 if (*activep && *intptr == -1)
395 intptr = &options->forward_x11;
398 case oForwardX11Trusted:
399 intptr = &options->forward_x11_trusted;
403 intptr = &options->gateway_ports;
406 case oExitOnForwardFailure:
407 intptr = &options->exit_on_forward_failure;
410 case oUsePrivilegedPort:
411 intptr = &options->use_privileged_port;
414 case oPasswordAuthentication:
415 intptr = &options->password_authentication;
418 case oKbdInteractiveAuthentication:
419 intptr = &options->kbd_interactive_authentication;
422 case oKbdInteractiveDevices:
423 charptr = &options->kbd_interactive_devices;
426 case oPubkeyAuthentication:
427 intptr = &options->pubkey_authentication;
430 case oRSAAuthentication:
431 intptr = &options->rsa_authentication;
434 case oRhostsRSAAuthentication:
435 intptr = &options->rhosts_rsa_authentication;
438 case oHostbasedAuthentication:
439 intptr = &options->hostbased_authentication;
442 case oChallengeResponseAuthentication:
443 intptr = &options->challenge_response_authentication;
446 case oGssAuthentication:
447 intptr = &options->gss_authentication;
451 intptr = &options->gss_keyex;
454 case oGssDelegateCreds:
455 intptr = &options->gss_deleg_creds;
459 intptr = &options->gss_trust_dns;
463 intptr = &options->batch_mode;
467 intptr = &options->check_host_ip;
470 case oVerifyHostKeyDNS:
471 intptr = &options->verify_host_key_dns;
/*
 * StrictHostKeyChecking is a three-way switch: yes/no/ask.  The value
 * assignments are not shown; fill_default_options() documents 2 as the
 * default, which corresponds to the "ask" branch.
 */
474 case oStrictHostKeyChecking:
475 intptr = &options->strict_host_key_checking;
478 if (!arg || *arg == '\0')
479 fatal("%.200s line %d: Missing yes/no/ask argument.",
481 value = 0; /* To avoid compiler warning... */
482 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
484 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
486 else if (strcmp(arg, "ask") == 0)
489 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
490 if (*activep && *intptr == -1)
495 intptr = &options->compression;
499 intptr = &options->tcp_keep_alive;
502 case oNoHostAuthenticationForLocalhost:
503 intptr = &options->no_host_authentication_for_localhost;
506 case oNumberOfPasswordPrompts:
507 intptr = &options->number_of_password_prompts;
510 case oCompressionLevel:
511 intptr = &options->compression_level;
/*
 * RekeyLimit: a non-negative integer with an optional size suffix
 * (the suffix cases setting `scale` are not shown).  The leading-digit
 * test rejects signs and whitespace; the division round-trip detects
 * 64-bit wrap from the multiplication by scale, and the INT_MAX bound
 * keeps the (int) narrowing below safe.
 */
515 intptr = &options->rekey_limit;
517 if (!arg || *arg == '\0')
518 fatal("%.200s line %d: Missing argument.", filename, linenum);
519 if (arg[0] < '0' || arg[0] > '9')
520 fatal("%.200s line %d: Bad number.", filename, linenum);
521 orig = val64 = strtoll(arg, &endofnumber, 10);
522 if (arg == endofnumber)
523 fatal("%.200s line %d: Bad number.", filename, linenum);
524 switch (toupper(*endofnumber)) {
538 fatal("%.200s line %d: Invalid RekeyLimit suffix",
542 /* detect integer wrap and too-large limits */
543 if ((val64 / scale) != orig || val64 > INT_MAX)
544 fatal("%.200s line %d: RekeyLimit too large",
547 fatal("%.200s line %d: RekeyLimit too small",
549 if (*activep && *intptr == -1)
550 *intptr = (int)val64;
/*
 * IdentityFile accumulates rather than "first wins": each occurrence is
 * appended to identity_files[] up to SSH_MAX_IDENTITY_FILES.  Whether
 * the append is gated on *activep is not visible in this excerpt.
 */
555 if (!arg || *arg == '\0')
556 fatal("%.200s line %d: Missing argument.", filename, linenum);
558 intptr = &options->num_identity_files;
559 if (*intptr >= SSH_MAX_IDENTITY_FILES)
560 fatal("%.200s line %d: Too many identity files specified (max %d).",
561 filename, linenum, SSH_MAX_IDENTITY_FILES);
562 charptr = &options->identity_files[*intptr];
563 *charptr = xstrdup(arg);
564 *intptr = *intptr + 1;
/*
 * Shared single-token string parser: the string options below set
 * charptr and presumably jump to the code after oUser (labels not
 * shown).  NULL is the "unset" sentinel for string fields.
 */
569 charptr=&options->xauth_location;
573 charptr = &options->user;
576 if (!arg || *arg == '\0')
577 fatal("%.200s line %d: Missing argument.", filename, linenum);
578 if (*activep && *charptr == NULL)
579 *charptr = xstrdup(arg);
582 case oGlobalKnownHostsFile:
583 charptr = &options->system_hostfile;
586 case oUserKnownHostsFile:
587 charptr = &options->user_hostfile;
590 case oGlobalKnownHostsFile2:
591 charptr = &options->system_hostfile2;
594 case oUserKnownHostsFile2:
595 charptr = &options->user_hostfile2;
599 charptr = &options->hostname;
603 charptr = &options->host_key_alias;
606 case oPreferredAuthentications:
607 charptr = &options->preferred_authentications;
611 charptr = &options->bind_address;
614 case oSmartcardDevice:
615 charptr = &options->smartcard_device;
/*
 * ProxyCommand takes the REST OF THE LINE verbatim (spaces included),
 * after skipping leading whitespace and '=' so "ProxyCommand=cmd" works.
 * Because `s` is not advanced here, this case has to leave the function
 * before the trailing-garbage check at the bottom (the return is not
 * shown).  This string is presumably handed to a shell later, which is
 * why read_config_file() refuses config files writable by other users.
 */
619 charptr = &options->proxy_command;
622 fatal("%.200s line %d: Missing argument.", filename, linenum);
623 len = strspn(s, WHITESPACE "=");
624 if (*activep && *charptr == NULL)
625 *charptr = xstrdup(s + len);
/*
 * Shared integer parser (Port, and presumably ConnectionAttempts and the
 * other plain-integer options — the label/goto lines are not shown).
 * strtol() with base 0 accepts octal ("0644") and hex ("0x1F") as well as
 * decimal.  NOTE(review): no range check is applied here: a port above
 * 65535, or a value that overflows `long`/`int`, is stored as-is and must
 * be caught by whatever consumes the field.
 */
629 intptr = &options->port;
632 if (!arg || *arg == '\0')
633 fatal("%.200s line %d: Missing argument.", filename, linenum);
634 if (arg[0] < '0' || arg[0] > '9')
635 fatal("%.200s line %d: Bad number.", filename, linenum);
637 /* Octal, decimal, or hex format? */
638 value = strtol(arg, &endofnumber, 0);
639 if (arg == endofnumber)
640 fatal("%.200s line %d: Bad number.", filename, linenum);
641 if (*activep && *intptr == -1)
645 case oConnectionAttempts:
646 intptr = &options->connection_attempts;
/* Protocol-1 single cipher, looked up by name via cipher_number(). */
650 intptr = &options->cipher;
652 if (!arg || *arg == '\0')
653 fatal("%.200s line %d: Missing argument.", filename, linenum);
654 value = cipher_number(arg);
656 fatal("%.200s line %d: Bad cipher '%s'.",
657 filename, linenum, arg ? arg : "<NONE>");
658 if (*activep && *intptr == -1)
/*
 * Protocol-2 algorithm lists (Ciphers, MACs, HostKeyAlgorithms) are
 * validated against the known algorithm names before being stored, so a
 * typo fails the parse instead of silently weakening the negotiation.
 */
664 if (!arg || *arg == '\0')
665 fatal("%.200s line %d: Missing argument.", filename, linenum);
666 if (!ciphers_valid(arg))
667 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
668 filename, linenum, arg ? arg : "<NONE>");
669 if (*activep && options->ciphers == NULL)
670 options->ciphers = xstrdup(arg);
675 if (!arg || *arg == '\0')
676 fatal("%.200s line %d: Missing argument.", filename, linenum);
678 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
679 filename, linenum, arg ? arg : "<NONE>");
680 if (*activep && options->macs == NULL)
681 options->macs = xstrdup(arg);
684 case oHostKeyAlgorithms:
686 if (!arg || *arg == '\0')
687 fatal("%.200s line %d: Missing argument.", filename, linenum);
688 if (!key_names_valid2(arg))
689 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
690 filename, linenum, arg ? arg : "<NONE>");
691 if (*activep && options->hostkeyalgorithms == NULL)
692 options->hostkeyalgorithms = xstrdup(arg);
/* Protocol: SSH_PROTO_UNKNOWN doubles as the "unset" sentinel. */
696 intptr = &options->protocol;
698 if (!arg || *arg == '\0')
699 fatal("%.200s line %d: Missing argument.", filename, linenum);
700 value = proto_spec(arg);
701 if (value == SSH_PROTO_UNKNOWN)
702 fatal("%.200s line %d: Bad protocol spec '%s'.",
703 filename, linenum, arg ? arg : "<NONE>");
704 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
709 intptr = (int *) &options->log_level;
711 value = log_level_number(arg);
712 if (value == SYSLOG_LEVEL_NOT_SET)
713 fatal("%.200s line %d: unsupported log level '%s'",
714 filename, linenum, arg ? arg : "<NONE>");
715 if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
716 *intptr = (LogLevel) value;
/*
 * LocalForward/RemoteForward: "<[bind:]port> <host:hostport>" is
 * re-joined into fwdarg and handed to parse_forward().
 * NOTE(review): fwdarg is 256 bytes and snprintf() truncates silently, so
 * a very long host name is cut off before parsing and may still yield a
 * well-formed — but different — target; parse_forward()'s NI_MAXHOST
 * check can never trigger on this path.  Checking the snprintf() return
 * value against sizeof(fwdarg) would close that gap.
 */
722 if (arg == NULL || *arg == '\0')
723 fatal("%.200s line %d: Missing port argument.",
726 if (arg2 == NULL || *arg2 == '\0')
727 fatal("%.200s line %d: Missing target argument.",
730 /* construct a string for parse_forward */
731 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
733 if (parse_forward(&fwd, fwdarg) == 0)
734 fatal("%.200s line %d: Bad forwarding specification.",
/* Whether these adds are gated on *activep is not visible in this excerpt. */
738 if (opcode == oLocalForward)
739 add_local_forward(options, &fwd);
740 else if (opcode == oRemoteForward)
741 add_remote_forward(options, &fwd);
/*
 * DynamicForward "[bind_address:]port": a SOCKS listener, recorded as a
 * local forward whose connect_host is the literal "socks" (safe because
 * add_local_forward() copies it).  hpdelim() splits off the first
 * host-or-port token; if nothing follows, that token was the port.
 */
745 case oDynamicForward:
747 if (!arg || *arg == '\0')
748 fatal("%.200s line %d: Missing port argument.",
750 memset(&fwd, '\0', sizeof(fwd));
751 fwd.connect_host = "socks";
752 fwd.listen_host = hpdelim(&arg);
753 if (fwd.listen_host == NULL ||
754 strlen(fwd.listen_host) >= NI_MAXHOST)
755 fatal("%.200s line %d: Bad forwarding specification.",
758 fwd.listen_port = a2port(arg);
759 fwd.listen_host = cleanhostname(fwd.listen_host);
761 fwd.listen_port = a2port(fwd.listen_host);
762 fwd.listen_host = NULL;
/* a2port() yields 0 for an unparsable port; port 0 is rejected here. */
764 if (fwd.listen_port == 0)
765 fatal("%.200s line %d: Badly formatted port number.",
768 add_local_forward(options, &fwd);
771 case oClearAllForwardings:
772 intptr = &options->clear_forwardings;
/*
 * Host: each remaining token is a wildcard pattern tried against the
 * target host; a match turns the section on (the *activep assignments
 * around this loop are not shown).  Because strdelim() has consumed the
 * whole line, this case returns early instead of reaching the
 * trailing-garbage check.
 */
777 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
778 if (match_pattern(host, arg)) {
779 debug("Applying options for %.100s", arg);
783 /* Avoid garbage check below, as strdelim is done. */
/*
 * EscapeChar: "^X" control notation (X in 64..127, mapped to X & 31), a
 * single literal character, or "none".
 * NOTE(review): for the one-character argument "^" the first test reads
 * arg[2], one byte past that token's terminator, before the length test
 * runs; harmless when arg points into a longer line buffer, but testing
 * strlen(arg) == 1 first would avoid the out-of-bounds read.
 */
787 intptr = &options->escape_char;
789 if (!arg || *arg == '\0')
790 fatal("%.200s line %d: Missing argument.", filename, linenum);
791 if (arg[0] == '^' && arg[2] == 0 &&
792 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
793 value = (u_char) arg[1] & 31;
794 else if (strlen(arg) == 1)
795 value = (u_char) arg[0];
796 else if (strcmp(arg, "none") == 0)
797 value = SSH_ESCAPECHAR_NONE;
799 fatal("%.200s line %d: Bad escape character.",
802 value = 0; /* Avoid compiler warning. */
804 if (*activep && *intptr == -1)
/* AddressFamily: inet/inet6/any, case-insensitive (assignments not shown). */
810 if (!arg || *arg == '\0')
811 fatal("%s line %d: missing address family.",
813 intptr = &options->address_family;
814 if (strcasecmp(arg, "inet") == 0)
816 else if (strcasecmp(arg, "inet6") == 0)
818 else if (strcasecmp(arg, "any") == 0)
821 fatal("Unsupported AddressFamily \"%s\"", arg);
822 if (*activep && *intptr == -1)
826 case oEnableSSHKeysign:
827 intptr = &options->enable_ssh_keysign;
830 case oIdentitiesOnly:
831 intptr = &options->identities_only;
834 case oServerAliveInterval:
835 intptr = &options->server_alive_interval;
838 case oServerAliveCountMax:
839 intptr = &options->server_alive_count_max;
/*
 * SendEnv: every token is an environment-variable NAME (pattern) to
 * pass to the server.  A token containing '=' is rejected so an
 * assignment cannot be smuggled in as a name.  Names accumulate across
 * lines, bounded by MAX_SEND_ENV; the stored value (line not shown) is
 * presumably a copy of arg.
 */
843 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
844 if (strchr(arg, '=') != NULL)
845 fatal("%s line %d: Invalid environment name.",
849 if (options->num_send_env >= MAX_SEND_ENV)
850 fatal("%s line %d: too many send env.",
852 options->send_env[options->num_send_env++] =
858 charptr = &options->control_path;
/* ControlMaster: five-way keyword mapped to the SSHCTL_MASTER_* values. */
862 intptr = &options->control_master;
864 if (!arg || *arg == '\0')
865 fatal("%.200s line %d: Missing ControlMaster argument.",
867 value = 0; /* To avoid compiler warning... */
868 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
869 value = SSHCTL_MASTER_YES;
870 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
871 value = SSHCTL_MASTER_NO;
872 else if (strcmp(arg, "auto") == 0)
873 value = SSHCTL_MASTER_AUTO;
874 else if (strcmp(arg, "ask") == 0)
875 value = SSHCTL_MASTER_ASK;
876 else if (strcmp(arg, "autoask") == 0)
877 value = SSHCTL_MASTER_AUTO_ASK;
879 fatal("%.200s line %d: Bad ControlMaster argument.",
881 if (*activep && *intptr == -1)
885 case oHashKnownHosts:
886 intptr = &options->hash_known_hosts;
/* Tunnel: yes/point-to-point/ethernet/no, case-insensitive. */
890 intptr = &options->tun_open;
892 if (!arg || *arg == '\0')
893 fatal("%s line %d: Missing yes/point-to-point/"
894 "ethernet/no argument.", filename, linenum);
895 value = 0; /* silence compiler */
896 if (strcasecmp(arg, "ethernet") == 0)
897 value = SSH_TUNMODE_ETHERNET;
898 else if (strcasecmp(arg, "point-to-point") == 0)
899 value = SSH_TUNMODE_POINTOPOINT;
900 else if (strcasecmp(arg, "yes") == 0)
901 value = SSH_TUNMODE_DEFAULT;
902 else if (strcasecmp(arg, "no") == 0)
903 value = SSH_TUNMODE_NO;
905 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
906 "no argument: %s", filename, linenum, arg);
/*
 * TunnelDevice "local[:remote]" parsed by a2tun(); value2 receives the
 * remote id.  The guarding condition before the two stores is not shown.
 */
913 if (!arg || *arg == '\0')
914 fatal("%.200s line %d: Missing argument.", filename, linenum);
915 value = a2tun(arg, &value2);
916 if (value == SSH_TUNID_ERR)
917 fatal("%.200s line %d: Bad tun device.", filename, linenum);
919 options->tun_local = value;
920 options->tun_remote = value2;
/*
 * LocalCommand takes the rest of the line like ProxyCommand (presumably
 * via the same parser; the goto is not shown).  It is presumably only run
 * when PermitLocalCommand is yes — that check lives outside this file,
 * but the default of permit_local_command = 0 is set below.
 */
925 charptr = &options->local_command;
928 case oPermitLocalCommand:
929 intptr = &options->permit_local_command;
/* oDeprecated: accepted silently (debug only) so old configs still load. */
933 debug("%s line %d: Deprecated option \"%s\"",
934 filename, linenum, keyword);
/* oUnsupported: reported as an error (and counted; increment not shown). */
938 error("%s line %d: Unsupported option \"%s\"",
939 filename, linenum, keyword);
/* Every opcode must be handled above; reaching here is a programming error. */
943 fatal("process_config_line: Unimplemented opcode %d", opcode);
946 /* Check that there is no garbage at end of line. */
/* Extra tokens are an error, not ignored, so a mistyped line cannot silently lose options. */
947 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
948 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
949 filename, linenum, arg);
956 * Reads the config file and modifies the options accordingly. Options
957 * should already be initialized before this call. This never returns if
958 * there is an error. If the file does not exist, this returns 0.
962 read_config_file(const char *filename, const char *host, Options *options,
/*
 * Read filename line by line through process_config_line().  Returns 0
 * (without error) when the file cannot be opened; any other problem is
 * fatal().  The remaining parameter(s) are not shown in this excerpt.
 */
971 if ((f = fopen(filename, "r")) == NULL)
/*
 * Ownership/permission check.  The file may name commands to run
 * (ProxyCommand, LocalCommand), so it is only trusted when it is owned
 * by root or by the invoking (real) user and is neither group- nor
 * world-writable.  fstat() on the already-open descriptor means the file
 * inspected is exactly the one being read — no open/check race.  Not
 * checked: the permissions of the containing directory, or a symlink at
 * `filename` (fopen() follows it and the target is what is examined).
 * Whether this check is unconditional or behind a flag is not visible
 * here (the line before fstat is not shown).
 */
977 if (fstat(fileno(f), &sb) == -1)
978 fatal("fstat %s: %s", filename, strerror(errno));
979 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
980 (sb.st_mode & 022) != 0))
981 fatal("Bad owner or permissions on %s", filename);
984 debug("Reading configuration data %.200s", filename);
987 * Mark that we are now processing the options. This flag is turned
988 * on/off by Host specifications.
/*
 * `line` is a fixed-size buffer: a physical line longer than it is
 * returned by fgets() in pieces, and the tail is parsed as a separate
 * (most likely unknown, hence counted) option.
 */
992 while (fgets(line, sizeof(line), f)) {
993 /* Update line number counter. */
995 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
/* Unknown keywords are tolerated per line but fatal in aggregate. */
1000 fatal("%s: terminating, %d bad configuration options",
1001 filename, bad_options);
1006 * Initializes options to special values that indicate that they have not yet
1007 * been set. Read_config_file will only set options with this value. Options
1008 * are processed in the following order: command line, user config file,
1009 * system config file. Last, fill_default_options is called.
1013 initialize_options(Options * options)
/*
 * Set every field to its "not yet set" sentinel: -1 for integers, NULL for
 * strings, SSH_PROTO_UNKNOWN / SYSLOG_LEVEL_NOT_SET for the enum-like
 * fields, 0 for the counters.  process_config_line() only stores into a
 * field that still holds its sentinel, so whichever source runs first
 * (command line, user file, system file) wins.
 */
/*
 * Poison the whole struct first so that a field someone forgets to reset
 * below is conspicuously garbage ('X' bytes) instead of a plausible zero.
 * Every new Options member must be added here AND in fill_default_options().
 */
1015 memset(options, 'X', sizeof(*options));
1016 options->forward_agent = -1;
1017 options->forward_x11 = -1;
1018 options->forward_x11_trusted = -1;
1019 options->exit_on_forward_failure = -1;
1020 options->xauth_location = NULL;
1021 options->gateway_ports = -1;
1022 options->use_privileged_port = -1;
1023 options->rsa_authentication = -1;
1024 options->pubkey_authentication = -1;
1025 options->challenge_response_authentication = -1;
1026 options->gss_authentication = -1;
1027 options->gss_keyex = -1;
1028 options->gss_deleg_creds = -1;
1029 options->gss_trust_dns = -1;
1030 options->password_authentication = -1;
1031 options->kbd_interactive_authentication = -1;
1032 options->kbd_interactive_devices = NULL;
1033 options->rhosts_rsa_authentication = -1;
1034 options->hostbased_authentication = -1;
1035 options->batch_mode = -1;
1036 options->check_host_ip = -1;
1037 options->strict_host_key_checking = -1;
1038 options->compression = -1;
1039 options->tcp_keep_alive = -1;
1040 options->compression_level = -1;
1042 options->address_family = -1;
1043 options->connection_attempts = -1;
1044 options->connection_timeout = -1;
1045 options->number_of_password_prompts = -1;
1046 options->cipher = -1;
1047 options->ciphers = NULL;
1048 options->macs = NULL;
1049 options->hostkeyalgorithms = NULL;
/* Not -1: process_config_line() tests this field against SSH_PROTO_UNKNOWN. */
1050 options->protocol = SSH_PROTO_UNKNOWN;
1051 options->num_identity_files = 0;
1052 options->hostname = NULL;
1053 options->host_key_alias = NULL;
1054 options->proxy_command = NULL;
1055 options->user = NULL;
1056 options->escape_char = -1;
1057 options->system_hostfile = NULL;
1058 options->user_hostfile = NULL;
1059 options->system_hostfile2 = NULL;
1060 options->user_hostfile2 = NULL;
1061 options->num_local_forwards = 0;
1062 options->num_remote_forwards = 0;
1063 options->clear_forwardings = -1;
/* Not -1: process_config_line() tests this field against SYSLOG_LEVEL_NOT_SET. */
1064 options->log_level = SYSLOG_LEVEL_NOT_SET;
1065 options->preferred_authentications = NULL;
1066 options->bind_address = NULL;
1067 options->smartcard_device = NULL;
1068 options->enable_ssh_keysign = - 1;
1069 options->no_host_authentication_for_localhost = - 1;
1070 options->identities_only = - 1;
1071 options->rekey_limit = - 1;
1072 options->verify_host_key_dns = -1;
1073 options->server_alive_interval = -1;
1074 options->server_alive_count_max = -1;
1075 options->num_send_env = 0;
1076 options->control_path = NULL;
1077 options->control_master = -1;
1078 options->hash_known_hosts = -1;
1079 options->tun_open = -1;
1080 options->tun_local = -1;
1081 options->tun_remote = -1;
1082 options->local_command = NULL;
1083 options->permit_local_command = -1;
1087 * Called after processing other sources of option data, this fills those
1088 * options for which no value has been specified with their default values.
1092 fill_default_options(Options * options)
/*
 * Replace every remaining "unset" sentinel with the built-in default.
 * Called once after all configuration sources have been processed.  The
 * defaults below are the effective security posture of a client with an
 * empty configuration, so each one is worth reading as policy.
 */
/* Agent and X11 forwarding are off unless explicitly enabled. */
1096 if (options->forward_agent == -1)
1097 options->forward_agent = 0;
1098 if (options->forward_x11 == -1)
1099 options->forward_x11 = 0;
1100 if (options->forward_x11_trusted == -1)
1101 options->forward_x11_trusted = 0;
1102 if (options->exit_on_forward_failure == -1)
1103 options->exit_on_forward_failure = 0;
/* Assigned as a constant, not a copy (presumably a string literal macro). */
1104 if (options->xauth_location == NULL)
1105 options->xauth_location = _PATH_XAUTH;
/* Forwarded ports bind to loopback only unless GatewayPorts is set. */
1106 if (options->gateway_ports == -1)
1107 options->gateway_ports = 0;
1108 if (options->use_privileged_port == -1)
1109 options->use_privileged_port = 0;
/*
 * Authentication defaults: public-key (both protocols), challenge/
 * response, password and keyboard-interactive are enabled; GSSAPI and
 * the host-based methods are disabled.  The order in which enabled
 * methods are tried is decided elsewhere (preferred_authentications).
 */
1110 if (options->rsa_authentication == -1)
1111 options->rsa_authentication = 1;
1112 if (options->pubkey_authentication == -1)
1113 options->pubkey_authentication = 1;
1114 if (options->challenge_response_authentication == -1)
1115 options->challenge_response_authentication = 1;
1116 if (options->gss_authentication == -1)
1117 options->gss_authentication = 0;
1118 if (options->gss_keyex == -1)
1119 options->gss_keyex = 0;
/* Credentials are never delegated to the server by default. */
1120 if (options->gss_deleg_creds == -1)
1121 options->gss_deleg_creds = 0;
1122 if (options->gss_trust_dns == -1)
1123 options->gss_trust_dns = 0;
1124 if (options->password_authentication == -1)
1125 options->password_authentication = 1;
1126 if (options->kbd_interactive_authentication == -1)
1127 options->kbd_interactive_authentication = 1;
1128 if (options->rhosts_rsa_authentication == -1)
1129 options->rhosts_rsa_authentication = 0;
1130 if (options->hostbased_authentication == -1)
1131 options->hostbased_authentication = 0;
1132 if (options->batch_mode == -1)
1133 options->batch_mode = 0;
/*
 * Host key policy: the key is also checked against the host's IP, and an
 * unknown key prompts the user (2 == "ask") rather than being accepted
 * silently or refused outright.
 */
1134 if (options->check_host_ip == -1)
1135 options->check_host_ip = 1;
1136 if (options->strict_host_key_checking == -1)
1137 options->strict_host_key_checking = 2; /* 2 is default */
1138 if (options->compression == -1)
1139 options->compression = 0;
1140 if (options->tcp_keep_alive == -1)
1141 options->tcp_keep_alive = 1;
1142 if (options->compression_level == -1)
1143 options->compression_level = 6;
1144 if (options->port == -1)
1145 options->port = 0; /* Filled in ssh_connect. */
1146 if (options->address_family == -1)
1147 options->address_family = AF_UNSPEC;
1148 if (options->connection_attempts == -1)
1149 options->connection_attempts = 1;
1150 if (options->number_of_password_prompts == -1)
1151 options->number_of_password_prompts = 3;
1152 /* Selected in ssh_login(). */
1153 if (options->cipher == -1)
1154 options->cipher = SSH_CIPHER_NOT_SET;
1155 /* options->ciphers, default set in myproposals.h */
1156 /* options->macs, default set in myproposals.h */
1157 /* options->hostkeyalgorithms, default set in myproposals.h */
/*
 * Both protocol versions are offered by default.  Protocol 1 is the
 * legacy, cryptographically weaker protocol; deployments that do not need
 * it should set "Protocol 2" (whether this build restricts it elsewhere is
 * not visible here).
 */
1158 if (options->protocol == SSH_PROTO_UNKNOWN)
1159 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
/*
 * Default identity files, chosen by enabled protocol: "~/" + path + NUL
 * (hence 2 + strlen + 1).  The buffers are sized from the full path
 * length, so the %.100s precision cannot overflow them, but it WOULD
 * silently truncate a _PATH_SSH_CLIENT_* longer than 100 characters.
 */
1160 if (options->num_identity_files == 0) {
1161 if (options->protocol & SSH_PROTO_1) {
1162 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1163 options->identity_files[options->num_identity_files] =
1165 snprintf(options->identity_files[options->num_identity_files++],
1166 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1168 if (options->protocol & SSH_PROTO_2) {
1169 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1170 options->identity_files[options->num_identity_files] =
1172 snprintf(options->identity_files[options->num_identity_files++],
1173 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1175 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1176 options->identity_files[options->num_identity_files] =
1178 snprintf(options->identity_files[options->num_identity_files++],
1179 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1182 if (options->escape_char == -1)
1183 options->escape_char = '~';
/* Known-hosts paths are assigned as constants, not copies. */
1184 if (options->system_hostfile == NULL)
1185 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1186 if (options->user_hostfile == NULL)
1187 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1188 if (options->system_hostfile2 == NULL)
1189 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1190 if (options->user_hostfile2 == NULL)
1191 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1192 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1193 options->log_level = SYSLOG_LEVEL_INFO;
/* ClearAllForwardings is applied here, after every source has been read. */
1194 if (options->clear_forwardings == 1)
1195 clear_forwardings(options);
1196 if (options->no_host_authentication_for_localhost == - 1)
1197 options->no_host_authentication_for_localhost = 0;
1198 if (options->identities_only == -1)
1199 options->identities_only = 0;
1200 if (options->enable_ssh_keysign == -1)
1201 options->enable_ssh_keysign = 0;
/* 0 presumably means "no client-imposed rekey limit" — the transport decides. */
1202 if (options->rekey_limit == -1)
1203 options->rekey_limit = 0;
/* DNS (SSHFP) host-key verification is off by default. */
1204 if (options->verify_host_key_dns == -1)
1205 options->verify_host_key_dns = 0;
1206 if (options->server_alive_interval == -1)
1207 options->server_alive_interval = 0;
1208 if (options->server_alive_count_max == -1)
1209 options->server_alive_count_max = 3;
1210 if (options->control_master == -1)
1211 options->control_master = 0;
/* New known_hosts entries are written with plain (unhashed) host names. */
1212 if (options->hash_known_hosts == -1)
1213 options->hash_known_hosts = 0;
1214 if (options->tun_open == -1)
1215 options->tun_open = SSH_TUNMODE_NO;
1216 if (options->tun_local == -1)
1217 options->tun_local = SSH_TUNID_ANY;
1218 if (options->tun_remote == -1)
1219 options->tun_remote = SSH_TUNID_ANY;
/* LocalCommand is disabled unless PermitLocalCommand is set explicitly. */
1220 if (options->permit_local_command == -1)
1221 options->permit_local_command = 0;
1222 /* options->local_command should not be set by default */
1223 /* options->proxy_command should not be set by default */
1224 /* options->user will be set in the main program if appropriate */
1225 /* options->hostname will be set in the main program if appropriate */
1226 /* options->host_key_alias should not be set by default */
1227 /* options->preferred_authentications will be set in ssh */
1232 * parses a string containing a port forwarding specification of the form:
1233 * [listenhost:]listenport:connecthost:connectport
1234 * returns number of arguments parsed or zero on error
1237 parse_forward(Forward *fwd, const char *fwdspec)
/*
 * Parse "[listenhost:]listenport:connecthost:connectport" into *fwd.
 * Returns the number of fields parsed (3 or 4) on success and 0 on
 * failure; on failure any strings already allocated into *fwd are freed
 * again.  On success the caller owns fwd->listen_host (may be NULL) and
 * fwd->connect_host.
 */
1240 char *p, *cp, *fwdarg[4];
/* Start from a clean struct so the failure path can free() safely. */
1242 memset(fwd, '\0', sizeof(*fwd));
/* hpdelim() modifies its input, so work on a private copy. */
1244 cp = p = xstrdup(fwdspec);
1246 /* skip leading spaces */
1247 while (*cp && isspace(*cp))
/* Split on ':' (and IPv6 brackets) into at most four fields. */
1250 for (i = 0; i < 4; ++i)
1251 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1254 /* Check for trailing garbage in 4-arg case*/
1256 i = 0; /* failure */
/* Three fields: no listen address given. */
1260 fwd->listen_host = NULL;
1261 fwd->listen_port = a2port(fwdarg[0]);
1262 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1263 fwd->connect_port = a2port(fwdarg[2]);
/* Four fields: explicit listen address (cleanhostname strips [] brackets). */
1267 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1268 fwd->listen_port = a2port(fwdarg[1]);
1269 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1270 fwd->connect_port = a2port(fwdarg[3]);
1273 i = 0; /* failure */
/*
 * NOTE(review): a2port() yields 0 for an unparsable port (the
 * DynamicForward case relies on that), yet this test only fails when BOTH
 * ports are 0.  A spec with one bad port ("0:host:22" or "8080:host:0")
 * passes through with a zero port, so every consumer must validate the
 * ports itself or this should become "||".
 */
1278 if (fwd->listen_port == 0 && fwd->connect_port == 0)
/* Bound the host name so it fits what the resolver interfaces accept. */
1281 if (fwd->connect_host != NULL &&
1282 strlen(fwd->connect_host) >= NI_MAXHOST)
/* Failure path: release whatever the successful branches allocated. */
1288 if (fwd->connect_host != NULL)
1289 xfree(fwd->connect_host);
1290 if (fwd->listen_host != NULL)
1291 xfree(fwd->listen_host);