2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.127 2003/09/01 18:15:50 markus Exp $");
20 #include "pathnames.h"
21 #include "tildexpand.h"
27 static void add_listen_addr(ServerOptions *, char *, u_short);
28 static void add_one_listen_addr(ServerOptions *, char *, u_short);
30 /* AF_UNSPEC or AF_INET or AF_INET6 */
32 /* Use of privilege separation or not */
33 extern int use_privsep;
35 /* Initializes the server options to their default values. */
38 initialize_server_options(ServerOptions *options)
40 memset(options, 0, sizeof(*options));
42 /* Portable-specific options */
43 options->use_pam = -1;
45 /* Standard Options */
46 options->num_ports = 0;
47 options->ports_from_cmdline = 0;
48 options->listen_addrs = NULL;
49 options->num_host_key_files = 0;
50 options->pid_file = NULL;
51 options->server_key_bits = -1;
52 options->login_grace_time = -1;
53 options->key_regeneration_time = -1;
54 options->permit_root_login = PERMIT_NOT_SET;
55 options->ignore_rhosts = -1;
56 options->ignore_user_known_hosts = -1;
57 options->print_motd = -1;
58 options->print_lastlog = -1;
59 options->x11_forwarding = -1;
60 options->x11_display_offset = -1;
61 options->x11_use_localhost = -1;
62 options->xauth_location = NULL;
63 options->strict_modes = -1;
64 options->keepalives = -1;
65 options->log_facility = SYSLOG_FACILITY_NOT_SET;
66 options->log_level = SYSLOG_LEVEL_NOT_SET;
67 options->rhosts_rsa_authentication = -1;
68 options->hostbased_authentication = -1;
69 options->hostbased_uses_name_from_packet_only = -1;
70 options->rsa_authentication = -1;
71 options->pubkey_authentication = -1;
72 options->kerberos_authentication = -1;
73 options->kerberos_or_local_passwd = -1;
74 options->kerberos_ticket_cleanup = -1;
76 options->session_hooks_allow = -1;
77 options->session_hooks_startup_cmd = NULL;
78 options->session_hooks_shutdown_cmd = NULL;
80 options->gss_authentication=-1;
81 options->gss_keyex=-1;
82 options->gss_use_session_ccache = -1;
83 options->gss_cleanup_creds = -1;
84 options->password_authentication = -1;
85 options->kbd_interactive_authentication = -1;
86 options->challenge_response_authentication = -1;
87 options->permit_empty_passwd = -1;
88 options->permit_user_env = -1;
89 options->use_login = -1;
90 options->compression = -1;
91 options->allow_tcp_forwarding = -1;
92 options->num_allow_users = 0;
93 options->num_deny_users = 0;
94 options->num_allow_groups = 0;
95 options->num_deny_groups = 0;
96 options->ciphers = NULL;
98 options->protocol = SSH_PROTO_UNKNOWN;
99 options->gateway_ports = -1;
100 options->num_subsystems = 0;
101 options->max_startups_begin = -1;
102 options->max_startups_rate = -1;
103 options->max_startups = -1;
104 options->banner = NULL;
105 options->use_dns = -1;
106 options->client_alive_interval = -1;
107 options->client_alive_count_max = -1;
108 options->authorized_keys_file = NULL;
109 options->authorized_keys_file2 = NULL;
111 /* Needs to be accessable in many places */
116 fill_default_server_options(ServerOptions *options)
118 /* Portable-specific options */
119 if (options->use_pam == -1)
120 options->use_pam = 0;
122 /* Standard Options */
123 if (options->protocol == SSH_PROTO_UNKNOWN)
124 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
125 if (options->num_host_key_files == 0) {
126 /* fill default hostkeys for protocols */
127 if (options->protocol & SSH_PROTO_1)
128 options->host_key_files[options->num_host_key_files++] =
130 if (options->protocol & SSH_PROTO_2) {
131 options->host_key_files[options->num_host_key_files++] =
132 _PATH_HOST_RSA_KEY_FILE;
133 options->host_key_files[options->num_host_key_files++] =
134 _PATH_HOST_DSA_KEY_FILE;
137 if (options->num_ports == 0)
138 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
139 if (options->listen_addrs == NULL)
140 add_listen_addr(options, NULL, 0);
141 if (options->pid_file == NULL)
142 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
143 if (options->server_key_bits == -1)
144 options->server_key_bits = 768;
145 if (options->login_grace_time == -1)
146 options->login_grace_time = 120;
147 if (options->key_regeneration_time == -1)
148 options->key_regeneration_time = 3600;
149 if (options->permit_root_login == PERMIT_NOT_SET)
150 options->permit_root_login = PERMIT_YES;
151 if (options->ignore_rhosts == -1)
152 options->ignore_rhosts = 1;
153 if (options->ignore_user_known_hosts == -1)
154 options->ignore_user_known_hosts = 0;
155 if (options->print_motd == -1)
156 options->print_motd = 1;
157 if (options->print_lastlog == -1)
158 options->print_lastlog = 1;
159 if (options->x11_forwarding == -1)
160 options->x11_forwarding = 0;
161 if (options->x11_display_offset == -1)
162 options->x11_display_offset = 10;
163 if (options->x11_use_localhost == -1)
164 options->x11_use_localhost = 1;
165 if (options->xauth_location == NULL)
166 options->xauth_location = _PATH_XAUTH;
167 if (options->strict_modes == -1)
168 options->strict_modes = 1;
169 if (options->keepalives == -1)
170 options->keepalives = 1;
171 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
172 options->log_facility = SYSLOG_FACILITY_AUTH;
173 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
174 options->log_level = SYSLOG_LEVEL_INFO;
175 if (options->rhosts_rsa_authentication == -1)
176 options->rhosts_rsa_authentication = 0;
177 if (options->hostbased_authentication == -1)
178 options->hostbased_authentication = 0;
179 if (options->hostbased_uses_name_from_packet_only == -1)
180 options->hostbased_uses_name_from_packet_only = 0;
181 if (options->rsa_authentication == -1)
182 options->rsa_authentication = 1;
183 if (options->pubkey_authentication == -1)
184 options->pubkey_authentication = 1;
185 if (options->kerberos_authentication == -1)
186 options->kerberos_authentication = 0;
187 if (options->kerberos_or_local_passwd == -1)
188 options->kerberos_or_local_passwd = 1;
189 if (options->kerberos_ticket_cleanup == -1)
190 options->kerberos_ticket_cleanup = 1;
191 if (options->gss_authentication == -1)
192 options->gss_authentication = 1;
193 if (options->gss_keyex == -1)
194 options->gss_keyex = 1;
195 if (options->gss_use_session_ccache == -1)
196 options->gss_use_session_ccache = 1;
197 if (options->gss_cleanup_creds == -1)
198 options->gss_cleanup_creds = 1;
199 if (options->password_authentication == -1)
200 options->password_authentication = 1;
201 if (options->kbd_interactive_authentication == -1)
202 options->kbd_interactive_authentication = 0;
203 if (options->challenge_response_authentication == -1)
204 options->challenge_response_authentication = 1;
205 if (options->permit_empty_passwd == -1)
206 options->permit_empty_passwd = 0;
207 if (options->permit_user_env == -1)
208 options->permit_user_env = 0;
209 if (options->use_login == -1)
210 options->use_login = 0;
211 if (options->compression == -1)
212 options->compression = 1;
213 if (options->allow_tcp_forwarding == -1)
214 options->allow_tcp_forwarding = 1;
215 if (options->gateway_ports == -1)
216 options->gateway_ports = 0;
217 if (options->max_startups == -1)
218 options->max_startups = 10;
219 if (options->max_startups_rate == -1)
220 options->max_startups_rate = 100; /* 100% */
221 if (options->max_startups_begin == -1)
222 options->max_startups_begin = options->max_startups;
223 if (options->use_dns == -1)
224 options->use_dns = 1;
225 if (options->client_alive_interval == -1)
226 options->client_alive_interval = 0;
227 if (options->client_alive_count_max == -1)
228 options->client_alive_count_max = 3;
229 if (options->authorized_keys_file2 == NULL) {
230 /* authorized_keys_file2 falls back to authorized_keys_file */
231 if (options->authorized_keys_file != NULL)
232 options->authorized_keys_file2 = options->authorized_keys_file;
234 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
236 if (options->authorized_keys_file == NULL)
237 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
239 /* Turn privilege separation on by default */
240 if (use_privsep == -1)
244 if (use_privsep && options->compression == 1) {
245 error("This platform does not support both privilege "
246 "separation and compression");
247 error("Compression disabled");
248 options->compression = 0;
254 /* Keyword tokens. */
256 sBadOption, /* == unknown option */
257 /* Portable-specific options */
259 /* Standard Options */
260 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
261 sPermitRootLogin, sLogFacility, sLogLevel,
262 sRhostsRSAAuthentication, sRSAAuthentication,
263 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
264 sKerberosTgtPassing, sChallengeResponseAuthentication,
266 sAllowSessionHooks, sSessionHookStartupCmd, sSessionHookShutdownCmd,
268 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
269 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
270 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
271 sStrictModes, sEmptyPasswd, sKeepAlives,
272 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
273 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
274 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
275 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
276 sBanner, sUseDNS, sHostbasedAuthentication,
277 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
278 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
279 sGssAuthentication, sGssKeyEx, sGssUseSessionCredCache, sGssCleanupCreds,
280 sUsePrivilegeSeparation,
281 sDeprecated, sUnsupported
284 /* Textual representation of the tokens. */
287 ServerOpCodes opcode;
289 /* Portable-specific options */
291 { "usepam", sUsePAM },
293 { "usepam", sUnsupported },
295 { "pamauthenticationviakbdint", sDeprecated },
296 /* Standard Options */
298 { "hostkey", sHostKeyFile },
299 { "hostdsakey", sHostKeyFile }, /* alias */
300 { "pidfile", sPidFile },
301 { "serverkeybits", sServerKeyBits },
302 { "logingracetime", sLoginGraceTime },
303 { "keyregenerationinterval", sKeyRegenerationTime },
304 { "permitrootlogin", sPermitRootLogin },
305 { "syslogfacility", sLogFacility },
306 { "loglevel", sLogLevel },
307 { "rhostsauthentication", sDeprecated },
308 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
309 { "hostbasedauthentication", sHostbasedAuthentication },
310 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
311 { "rsaauthentication", sRSAAuthentication },
312 { "pubkeyauthentication", sPubkeyAuthentication },
313 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
315 { "kerberosauthentication", sKerberosAuthentication },
316 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
317 { "kerberosticketcleanup", sKerberosTicketCleanup },
319 { "kerberosauthentication", sUnsupported },
320 { "kerberosorlocalpasswd", sUnsupported },
321 { "kerberosticketcleanup", sUnsupported },
323 { "kerberostgtpassing", sUnsupported },
324 { "afstokenpassing", sUnsupported },
326 { "gssapiauthentication", sGssAuthentication },
327 { "gssapikeyexchange", sGssKeyEx },
328 { "gssusesessionccache", sGssUseSessionCredCache },
329 { "gssapiusesessioncredcache", sGssUseSessionCredCache },
330 { "gssapicleanupcreds", sGssCleanupCreds },
332 { "gssapiauthentication", sUnsupported },
333 { "gssapikeyexchange", sUnsupported },
334 { "gssusesessionccache", sUnsupported },
335 { "gssapiusesessioncredcache", sUnsupported },
336 { "gssapicleanupcreds", sUnsupported },
339 { "allowsessionhooks", sAllowSessionHooks },
340 { "sessionhookstartupcmd", sSessionHookStartupCmd },
341 { "sessionhookshutdowncmd", sSessionHookShutdownCmd },
343 { "passwordauthentication", sPasswordAuthentication },
344 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
345 { "challengeresponseauthentication", sChallengeResponseAuthentication },
346 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
347 { "checkmail", sDeprecated },
348 { "listenaddress", sListenAddress },
349 { "printmotd", sPrintMotd },
350 { "printlastlog", sPrintLastLog },
351 { "ignorerhosts", sIgnoreRhosts },
352 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
353 { "x11forwarding", sX11Forwarding },
354 { "x11displayoffset", sX11DisplayOffset },
355 { "x11uselocalhost", sX11UseLocalhost },
356 { "xauthlocation", sXAuthLocation },
357 { "strictmodes", sStrictModes },
358 { "permitemptypasswords", sEmptyPasswd },
359 { "permituserenvironment", sPermitUserEnvironment },
360 { "uselogin", sUseLogin },
361 { "compression", sCompression },
362 { "keepalive", sKeepAlives },
363 { "allowtcpforwarding", sAllowTcpForwarding },
364 { "allowusers", sAllowUsers },
365 { "denyusers", sDenyUsers },
366 { "allowgroups", sAllowGroups },
367 { "denygroups", sDenyGroups },
368 { "ciphers", sCiphers },
370 { "protocol", sProtocol },
371 { "gatewayports", sGatewayPorts },
372 { "subsystem", sSubsystem },
373 { "maxstartups", sMaxStartups },
374 { "banner", sBanner },
375 { "usedns", sUseDNS },
376 { "verifyreversemapping", sDeprecated },
377 { "reversemappingcheck", sDeprecated },
378 { "clientaliveinterval", sClientAliveInterval },
379 { "clientalivecountmax", sClientAliveCountMax },
380 { "authorizedkeysfile", sAuthorizedKeysFile },
381 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
382 { "useprivilegeseparation", sUsePrivilegeSeparation},
387 * Returns the number of the token pointed to by cp or sBadOption.
391 parse_token(const char *cp, const char *filename,
396 for (i = 0; keywords[i].name; i++)
397 if (strcasecmp(cp, keywords[i].name) == 0)
398 return keywords[i].opcode;
400 error("%s: line %d: Bad configuration option: %s",
401 filename, linenum, cp);
406 add_listen_addr(ServerOptions *options, char *addr, u_short port)
410 if (options->num_ports == 0)
411 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
413 for (i = 0; i < options->num_ports; i++)
414 add_one_listen_addr(options, addr, options->ports[i]);
416 add_one_listen_addr(options, addr, port);
420 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
422 struct addrinfo hints, *ai, *aitop;
423 char strport[NI_MAXSERV];
426 memset(&hints, 0, sizeof(hints));
427 hints.ai_family = IPv4or6;
428 hints.ai_socktype = SOCK_STREAM;
429 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
430 snprintf(strport, sizeof strport, "%u", port);
431 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
432 fatal("bad addr or host: %s (%s)",
433 addr ? addr : "<NULL>",
434 gai_strerror(gaierr));
435 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
437 ai->ai_next = options->listen_addrs;
438 options->listen_addrs = aitop;
442 process_server_config_line(ServerOptions *options, char *line,
443 const char *filename, int linenum)
445 char *cp, **charptr, *arg, *p;
446 int *intptr, value, i, n;
447 ServerOpCodes opcode;
451 /* Ignore leading whitespace */
454 if (!arg || !*arg || *arg == '#')
458 opcode = parse_token(arg, filename, linenum);
460 /* Portable-specific options */
462 intptr = &options->use_pam;
465 /* Standard Options */
469 /* ignore ports from configfile if cmdline specifies ports */
470 if (options->ports_from_cmdline)
472 if (options->listen_addrs != NULL)
473 fatal("%s line %d: ports must be specified before "
474 "ListenAddress.", filename, linenum);
475 if (options->num_ports >= MAX_PORTS)
476 fatal("%s line %d: too many ports.",
479 if (!arg || *arg == '\0')
480 fatal("%s line %d: missing port number.",
482 options->ports[options->num_ports++] = a2port(arg);
483 if (options->ports[options->num_ports-1] == 0)
484 fatal("%s line %d: Badly formatted port number.",
489 intptr = &options->server_key_bits;
492 if (!arg || *arg == '\0')
493 fatal("%s line %d: missing integer value.",
500 case sLoginGraceTime:
501 intptr = &options->login_grace_time;
504 if (!arg || *arg == '\0')
505 fatal("%s line %d: missing time value.",
507 if ((value = convtime(arg)) == -1)
508 fatal("%s line %d: invalid time value.",
514 case sKeyRegenerationTime:
515 intptr = &options->key_regeneration_time;
520 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
521 fatal("%s line %d: missing inet addr.",
524 if ((p = strchr(arg, ']')) == NULL)
525 fatal("%s line %d: bad ipv6 inet addr usage.",
528 memmove(p, p+1, strlen(p+1)+1);
529 } else if (((p = strchr(arg, ':')) == NULL) ||
530 (strchr(p+1, ':') != NULL)) {
531 add_listen_addr(options, arg, 0);
539 fatal("%s line %d: bad inet addr:port usage.",
543 if ((port = a2port(p)) == 0)
544 fatal("%s line %d: bad port number.",
546 add_listen_addr(options, arg, port);
548 } else if (*p == '\0')
549 add_listen_addr(options, arg, 0);
551 fatal("%s line %d: bad inet addr usage.",
556 intptr = &options->num_host_key_files;
557 if (*intptr >= MAX_HOSTKEYS)
558 fatal("%s line %d: too many host keys specified (max %d).",
559 filename, linenum, MAX_HOSTKEYS);
560 charptr = &options->host_key_files[*intptr];
563 if (!arg || *arg == '\0')
564 fatal("%s line %d: missing file name.",
566 if (*charptr == NULL) {
567 *charptr = tilde_expand_filename(arg, getuid());
568 /* increase optional counter */
570 *intptr = *intptr + 1;
575 charptr = &options->pid_file;
578 case sPermitRootLogin:
579 intptr = &options->permit_root_login;
581 if (!arg || *arg == '\0')
582 fatal("%s line %d: missing yes/"
583 "without-password/forced-commands-only/no "
584 "argument.", filename, linenum);
585 value = 0; /* silence compiler */
586 if (strcmp(arg, "without-password") == 0)
587 value = PERMIT_NO_PASSWD;
588 else if (strcmp(arg, "forced-commands-only") == 0)
589 value = PERMIT_FORCED_ONLY;
590 else if (strcmp(arg, "yes") == 0)
592 else if (strcmp(arg, "no") == 0)
595 fatal("%s line %d: Bad yes/"
596 "without-password/forced-commands-only/no "
597 "argument: %s", filename, linenum, arg);
603 intptr = &options->ignore_rhosts;
606 if (!arg || *arg == '\0')
607 fatal("%s line %d: missing yes/no argument.",
609 value = 0; /* silence compiler */
610 if (strcmp(arg, "yes") == 0)
612 else if (strcmp(arg, "no") == 0)
615 fatal("%s line %d: Bad yes/no argument: %s",
616 filename, linenum, arg);
621 case sIgnoreUserKnownHosts:
622 intptr = &options->ignore_user_known_hosts;
625 case sRhostsRSAAuthentication:
626 intptr = &options->rhosts_rsa_authentication;
629 case sHostbasedAuthentication:
630 intptr = &options->hostbased_authentication;
633 case sHostbasedUsesNameFromPacketOnly:
634 intptr = &options->hostbased_uses_name_from_packet_only;
637 case sRSAAuthentication:
638 intptr = &options->rsa_authentication;
641 case sPubkeyAuthentication:
642 intptr = &options->pubkey_authentication;
645 case sKerberosAuthentication:
646 intptr = &options->kerberos_authentication;
649 case sKerberosOrLocalPasswd:
650 intptr = &options->kerberos_or_local_passwd;
653 case sKerberosTicketCleanup:
654 intptr = &options->kerberos_ticket_cleanup;
657 case sGssAuthentication:
658 intptr = &options->gss_authentication;
662 intptr = &options->gss_keyex;
665 case sGssUseSessionCredCache:
666 intptr = &options->gss_use_session_ccache;
669 case sGssCleanupCreds:
670 intptr = &options->gss_cleanup_creds;
674 case sAllowSessionHooks:
675 intptr = &options->session_hooks_allow;
677 case sSessionHookStartupCmd:
678 case sSessionHookShutdownCmd:
680 if (!arg || *arg == '\0')
681 fatal("%s line %d: empty session hook command",
683 if (opcode==sSessionHookStartupCmd)
684 options->session_hooks_startup_cmd = strdup(arg);
686 options->session_hooks_shutdown_cmd = strdup(arg);
690 case sPasswordAuthentication:
691 intptr = &options->password_authentication;
694 case sKbdInteractiveAuthentication:
695 intptr = &options->kbd_interactive_authentication;
698 case sChallengeResponseAuthentication:
699 intptr = &options->challenge_response_authentication;
703 intptr = &options->print_motd;
707 intptr = &options->print_lastlog;
711 intptr = &options->x11_forwarding;
714 case sX11DisplayOffset:
715 intptr = &options->x11_display_offset;
718 case sX11UseLocalhost:
719 intptr = &options->x11_use_localhost;
723 charptr = &options->xauth_location;
727 intptr = &options->strict_modes;
731 intptr = &options->keepalives;
735 intptr = &options->permit_empty_passwd;
738 case sPermitUserEnvironment:
739 intptr = &options->permit_user_env;
743 intptr = &options->use_login;
747 intptr = &options->compression;
751 intptr = &options->gateway_ports;
755 intptr = &options->use_dns;
759 intptr = (int *) &options->log_facility;
761 value = log_facility_number(arg);
762 if (value == SYSLOG_FACILITY_NOT_SET)
763 fatal("%.200s line %d: unsupported log facility '%s'",
764 filename, linenum, arg ? arg : "<NONE>");
766 *intptr = (SyslogFacility) value;
770 intptr = (int *) &options->log_level;
772 value = log_level_number(arg);
773 if (value == SYSLOG_LEVEL_NOT_SET)
774 fatal("%.200s line %d: unsupported log level '%s'",
775 filename, linenum, arg ? arg : "<NONE>");
777 *intptr = (LogLevel) value;
780 case sAllowTcpForwarding:
781 intptr = &options->allow_tcp_forwarding;
784 case sUsePrivilegeSeparation:
785 intptr = &use_privsep;
789 while ((arg = strdelim(&cp)) && *arg != '\0') {
790 if (options->num_allow_users >= MAX_ALLOW_USERS)
791 fatal("%s line %d: too many allow users.",
793 options->allow_users[options->num_allow_users++] =
799 while ((arg = strdelim(&cp)) && *arg != '\0') {
800 if (options->num_deny_users >= MAX_DENY_USERS)
801 fatal( "%s line %d: too many deny users.",
803 options->deny_users[options->num_deny_users++] =
809 while ((arg = strdelim(&cp)) && *arg != '\0') {
810 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
811 fatal("%s line %d: too many allow groups.",
813 options->allow_groups[options->num_allow_groups++] =
819 while ((arg = strdelim(&cp)) && *arg != '\0') {
820 if (options->num_deny_groups >= MAX_DENY_GROUPS)
821 fatal("%s line %d: too many deny groups.",
823 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
829 if (!arg || *arg == '\0')
830 fatal("%s line %d: Missing argument.", filename, linenum);
831 if (!ciphers_valid(arg))
832 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
833 filename, linenum, arg ? arg : "<NONE>");
834 if (options->ciphers == NULL)
835 options->ciphers = xstrdup(arg);
840 if (!arg || *arg == '\0')
841 fatal("%s line %d: Missing argument.", filename, linenum);
843 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
844 filename, linenum, arg ? arg : "<NONE>");
845 if (options->macs == NULL)
846 options->macs = xstrdup(arg);
850 intptr = &options->protocol;
852 if (!arg || *arg == '\0')
853 fatal("%s line %d: Missing argument.", filename, linenum);
854 value = proto_spec(arg);
855 if (value == SSH_PROTO_UNKNOWN)
856 fatal("%s line %d: Bad protocol spec '%s'.",
857 filename, linenum, arg ? arg : "<NONE>");
858 if (*intptr == SSH_PROTO_UNKNOWN)
863 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
864 fatal("%s line %d: too many subsystems defined.",
868 if (!arg || *arg == '\0')
869 fatal("%s line %d: Missing subsystem name.",
871 for (i = 0; i < options->num_subsystems; i++)
872 if (strcmp(arg, options->subsystem_name[i]) == 0)
873 fatal("%s line %d: Subsystem '%s' already defined.",
874 filename, linenum, arg);
875 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
877 if (!arg || *arg == '\0')
878 fatal("%s line %d: Missing subsystem command.",
880 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
881 options->num_subsystems++;
886 if (!arg || *arg == '\0')
887 fatal("%s line %d: Missing MaxStartups spec.",
889 if ((n = sscanf(arg, "%d:%d:%d",
890 &options->max_startups_begin,
891 &options->max_startups_rate,
892 &options->max_startups)) == 3) {
893 if (options->max_startups_begin >
894 options->max_startups ||
895 options->max_startups_rate > 100 ||
896 options->max_startups_rate < 1)
897 fatal("%s line %d: Illegal MaxStartups spec.",
900 fatal("%s line %d: Illegal MaxStartups spec.",
903 options->max_startups = options->max_startups_begin;
907 charptr = &options->banner;
910 * These options can contain %X options expanded at
911 * connect time, so that you can specify paths like:
913 * AuthorizedKeysFile /etc/ssh_keys/%u
915 case sAuthorizedKeysFile:
916 case sAuthorizedKeysFile2:
917 charptr = (opcode == sAuthorizedKeysFile ) ?
918 &options->authorized_keys_file :
919 &options->authorized_keys_file2;
922 case sClientAliveInterval:
923 intptr = &options->client_alive_interval;
926 case sClientAliveCountMax:
927 intptr = &options->client_alive_count_max;
931 logit("%s line %d: Deprecated option %s",
932 filename, linenum, arg);
938 logit("%s line %d: Unsupported option %s",
939 filename, linenum, arg);
945 fatal("%s line %d: Missing handler for opcode %s (%d)",
946 filename, linenum, arg, opcode);
948 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
949 fatal("%s line %d: garbage at end of line; \"%.200s\".",
950 filename, linenum, arg);
954 /* Reads the server configuration file. */
957 read_server_config(ServerOptions *options, const char *filename)
959 int linenum, bad_options = 0;
963 debug2("read_server_config: filename %s", filename);
964 f = fopen(filename, "r");
970 while (fgets(line, sizeof(line), f)) {
971 /* Update line number counter. */
973 if (process_server_config_line(options, line, filename, linenum) != 0)
978 fatal("%s: terminating, %d bad configuration options",
979 filename, bad_options);