2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.109 2002/05/15 21:02:52 markus Exp $");
22 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
24 #define KEYFILE "/etc/krb5.keytab"
36 #include "pathnames.h"
37 #include "tildexpand.h"
/*
 * Internal helpers that turn a ListenAddress (or no address at all) into
 * entries on options->listen_addrs.  In add_listen_addr a port of 0 appears
 * to mean "every port currently in options->ports" (the branch condition
 * itself is not in this excerpt; see the loop in its body).
 */
43 static void add_listen_addr(ServerOptions *, char *, u_short);
44 static void add_one_listen_addr(ServerOptions *, char *, u_short);
/* Address family passed to getaddrinfo() by add_one_listen_addr (as IPv4or6). */
46 /* AF_UNSPEC or AF_INET or AF_INET6 */
/*
 * Defined elsewhere; written by the "UsePrivilegeSeparation" keyword and
 * given its default in fill_default_server_options().
 */
48 /* Use of privilege separation or not */
49 extern int use_privsep;
51 /* Initializes the server options to their default values. */
/*
 * Reset every field of *options to an "unset" sentinel: -1 for integer
 * switches, NULL for strings, 0 for counters, or an explicit *_NOT_SET /
 * PERMIT_NOT_SET / SSH_PROTO_UNKNOWN enum value.  The sentinels are what
 * fill_default_server_options() tests to decide whether a keyword was
 * given in the config file, so a field that is later set to -1 by the
 * config parser would be indistinguishable from "not configured".
 *
 * Parameters: options - caller-owned struct, fully overwritten.
 */
54 initialize_server_options(ServerOptions *options)
/* Zero everything first; the explicit 0/NULL stores below are then redundant but self-documenting. */
56 memset(options, 0, sizeof(*options));
58 /* Portable-specific options */
59 options->pam_authentication_via_kbd_int = -1;
61 /* Standard Options */
62 options->num_ports = 0;
/* Non-zero once ports came from the command line; the parser then ignores Port lines. */
63 options->ports_from_cmdline = 0;
64 options->listen_addrs = NULL;
65 options->num_host_key_files = 0;
66 options->pid_file = NULL;
67 options->server_key_bits = -1;
68 options->login_grace_time = -1;
69 options->key_regeneration_time = -1;
/* PermitRootLogin is a multi-valued enum, so it gets its own sentinel rather than -1. */
70 options->permit_root_login = PERMIT_NOT_SET;
71 options->ignore_rhosts = -1;
72 options->ignore_user_known_hosts = -1;
73 options->print_motd = -1;
74 options->print_lastlog = -1;
75 options->x11_forwarding = -1;
76 options->x11_display_offset = -1;
77 options->x11_use_localhost = -1;
78 options->xauth_location = NULL;
79 options->strict_modes = -1;
80 options->keepalives = -1;
81 options->log_facility = SYSLOG_FACILITY_NOT_SET;
82 options->log_level = SYSLOG_LEVEL_NOT_SET;
83 options->rhosts_authentication = -1;
84 options->rhosts_rsa_authentication = -1;
85 options->hostbased_authentication = -1;
86 options->hostbased_uses_name_from_packet_only = -1;
87 options->rsa_authentication = -1;
88 options->pubkey_authentication = -1;
/* Kerberos/AFS fields only exist when built with those options (matching #endif lines are not in this excerpt). */
89 #if defined(KRB4) || defined(KRB5)
90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
94 #if defined(AFS) || defined(KRB5)
95 options->kerberos_tgt_passing = -1;
98 options->afs_token_passing = -1;
100 options->password_authentication = -1;
101 options->kbd_interactive_authentication = -1;
102 options->challenge_response_authentication = -1;
103 options->permit_empty_passwd = -1;
104 options->use_login = -1;
105 options->allow_tcp_forwarding = -1;
/* Allow/Deny lists are fixed-size arrays; the counters are bounds-checked by the parser. */
106 options->num_allow_users = 0;
107 options->num_deny_users = 0;
108 options->num_allow_groups = 0;
109 options->num_deny_groups = 0;
110 options->ciphers = NULL;
111 options->macs = NULL;
112 options->protocol = SSH_PROTO_UNKNOWN;
113 options->gateway_ports = -1;
114 options->num_subsystems = 0;
115 options->max_startups_begin = -1;
116 options->max_startups_rate = -1;
117 options->max_startups = -1;
118 options->banner = NULL;
119 options->verify_reverse_mapping = -1;
120 options->client_alive_interval = -1;
121 options->client_alive_count_max = -1;
122 options->authorized_keys_file = NULL;
123 options->authorized_keys_file2 = NULL;
/* use_privsep is a file-scope extern, not a struct field, so it is reset here too (the store itself is not in this excerpt). */
125 /* Needs to be accessible in many places */
/*
 * Replace every field still holding its "unset" sentinel (see
 * initialize_server_options()) with the compiled-in default.  Anything the
 * config file or command line set explicitly is left alone.  The defaults
 * below are the effective security posture of an sshd with an empty
 * sshd_config, so they are worth reading as a checklist: root login, both
 * protocol versions, password authentication and TCP forwarding are all
 * enabled unless the config restricts them.
 *
 * Parameters: options - struct previously initialised by initialize_server_options().
 */
130 fill_default_server_options(ServerOptions *options)
132 /* Portable-specific options */
133 if (options->pam_authentication_via_kbd_int == -1)
134 options->pam_authentication_via_kbd_int = 0;
136 /* Standard Options */
/* With no "Protocol" line both SSH1 and SSH2 are accepted; hardened configs set Protocol 2 explicitly. */
137 if (options->protocol == SSH_PROTO_UNKNOWN)
138 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
139 if (options->num_host_key_files == 0) {
140 /* fill default hostkeys for protocols */
/* SSH1 host key path: the assigned value is on a line not present in this excerpt. */
141 if (options->protocol & SSH_PROTO_1)
142 options->host_key_files[options->num_host_key_files++] =
/* SSH2 gets both an RSA and a DSA host key by default. */
144 if (options->protocol & SSH_PROTO_2) {
145 options->host_key_files[options->num_host_key_files++] =
146 _PATH_HOST_RSA_KEY_FILE;
147 options->host_key_files[options->num_host_key_files++] =
148 _PATH_HOST_DSA_KEY_FILE;
151 if (options->num_ports == 0)
152 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
/* No ListenAddress at all: NULL addr + port 0 makes add_listen_addr() bind the wildcard address on every port. */
153 if (options->listen_addrs == NULL)
154 add_listen_addr(options, NULL, 0);
155 if (options->pid_file == NULL)
156 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
/* Ephemeral SSH1 server key size (bits). */
157 if (options->server_key_bits == -1)
158 options->server_key_bits = 768;
/* Seconds a client may take to authenticate (presumably; unit confirmed by the convtime() parse in the config parser). */
159 if (options->login_grace_time == -1)
160 options->login_grace_time = 600;
161 if (options->key_regeneration_time == -1)
162 options->key_regeneration_time = 3600;
/* Default permits direct root login; most deployments override this with "no" or "without-password". */
163 if (options->permit_root_login == PERMIT_NOT_SET)
164 options->permit_root_login = PERMIT_YES;
165 if (options->ignore_rhosts == -1)
166 options->ignore_rhosts = 1;
167 if (options->ignore_user_known_hosts == -1)
168 options->ignore_user_known_hosts = 0;
169 if (options->print_motd == -1)
170 options->print_motd = 1;
171 if (options->print_lastlog == -1)
172 options->print_lastlog = 1;
/* X11 forwarding is off by default. */
173 if (options->x11_forwarding == -1)
174 options->x11_forwarding = 0;
175 if (options->x11_display_offset == -1)
176 options->x11_display_offset = 10;
177 if (options->x11_use_localhost == -1)
178 options->x11_use_localhost = 1;
179 if (options->xauth_location == NULL)
180 options->xauth_location = _PATH_XAUTH;
/* StrictModes on: presumably enables the ownership/permission checks on user files — confirm in the auth code. */
181 if (options->strict_modes == -1)
182 options->strict_modes = 1;
183 if (options->keepalives == -1)
184 options->keepalives = 1;
185 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
186 options->log_facility = SYSLOG_FACILITY_AUTH;
187 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
188 options->log_level = SYSLOG_LEVEL_INFO;
/* The rhosts-family methods default to off; RSA and public-key authentication default to on. */
189 if (options->rhosts_authentication == -1)
190 options->rhosts_authentication = 0;
191 if (options->rhosts_rsa_authentication == -1)
192 options->rhosts_rsa_authentication = 0;
193 if (options->hostbased_authentication == -1)
194 options->hostbased_authentication = 0;
195 if (options->hostbased_uses_name_from_packet_only == -1)
196 options->hostbased_uses_name_from_packet_only = 0;
197 if (options->rsa_authentication == -1)
198 options->rsa_authentication = 1;
199 if (options->pubkey_authentication == -1)
200 options->pubkey_authentication = 1;
201 #if defined(KRB4) || defined(KRB5)
202 if (options->kerberos_authentication == -1)
203 options->kerberos_authentication = 0;
204 if (options->kerberos_or_local_passwd == -1)
205 options->kerberos_or_local_passwd = 1;
206 if (options->kerberos_ticket_cleanup == -1)
207 options->kerberos_ticket_cleanup = 1;
209 #if defined(AFS) || defined(KRB5)
210 if (options->kerberos_tgt_passing == -1)
211 options->kerberos_tgt_passing = 0;
214 if (options->afs_token_passing == -1)
215 options->afs_token_passing = 0;
/* Password authentication stays enabled unless the config turns it off. */
217 if (options->password_authentication == -1)
218 options->password_authentication = 1;
219 if (options->kbd_interactive_authentication == -1)
220 options->kbd_interactive_authentication = 0;
221 if (options->challenge_response_authentication == -1)
222 options->challenge_response_authentication = 1;
/* Empty passwords are refused by default. */
223 if (options->permit_empty_passwd == -1)
224 options->permit_empty_passwd = 0;
225 if (options->use_login == -1)
226 options->use_login = 0;
/* Port forwarding is allowed by default; GatewayPorts (remote-forward binding to non-loopback) is not. */
227 if (options->allow_tcp_forwarding == -1)
228 options->allow_tcp_forwarding = 1;
229 if (options->gateway_ports == -1)
230 options->gateway_ports = 0;
/* MaxStartups begin:rate:full — with a bare default the "begin" threshold equals the hard limit, i.e. no random early drop. */
231 if (options->max_startups == -1)
232 options->max_startups = 10;
233 if (options->max_startups_rate == -1)
234 options->max_startups_rate = 100; /* 100% */
235 if (options->max_startups_begin == -1)
236 options->max_startups_begin = options->max_startups;
/* Reverse-DNS consistency check is off by default. */
237 if (options->verify_reverse_mapping == -1)
238 options->verify_reverse_mapping = 0;
/* ClientAliveInterval 0 disables the keep-alive probes regardless of the count. */
239 if (options->client_alive_interval == -1)
240 options->client_alive_interval = 0;
241 if (options->client_alive_count_max == -1)
242 options->client_alive_count_max = 3;
/* Order matters: file2 is derived from file before file itself gets its default, so an explicit AuthorizedKeysFile also covers file2. */
243 if (options->authorized_keys_file2 == NULL) {
244 /* authorized_keys_file2 falls back to authorized_keys_file */
245 if (options->authorized_keys_file != NULL)
246 options->authorized_keys_file2 = options->authorized_keys_file;
248 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
250 if (options->authorized_keys_file == NULL)
251 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
/* Privilege separation: the default store for use_privsep is on a line not present in this excerpt; the comment says it defaults to off. */
253 /* Turn privilege separation _off_ by default */
254 if (use_privsep == -1)
/*
 * Opcode for each sshd_config keyword.  parse_token() maps a keyword string
 * to one of these via the keywords[] table, and process_server_config_line()
 * switches on it.  sBadOption is the "unknown keyword" result; the trailing
 * sDeprecated member and the typedef name are on lines not present in this
 * excerpt.
 */
258 /* Keyword tokens. */
260 sBadOption, /* == unknown option */
261 /* Portable-specific options */
262 sPAMAuthenticationViaKbdInt,
263 /* Standard Options */
264 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
265 sPermitRootLogin, sLogFacility, sLogLevel,
266 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
/* Kerberos/AFS opcodes exist only in builds with those options; the #endif lines are not in this excerpt. */
267 #if defined(KRB4) || defined(KRB5)
268 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
270 #if defined(AFS) || defined(KRB5)
276 sChallengeResponseAuthentication,
277 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
278 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
279 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
280 sStrictModes, sEmptyPasswd, sKeepAlives,
281 sUseLogin, sAllowTcpForwarding,
282 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
283 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
284 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
285 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
286 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
287 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
288 sUsePrivilegeSeparation,
/*
 * Keyword-string -> opcode table consulted by parse_token().  Lookup is
 * case-insensitive (strcasecmp), so the lowercase spellings here match the
 * mixed-case forms used in sshd_config.  Several entries are aliases that
 * share an opcode with the canonical keyword; "checkmail" is accepted but
 * only logged as deprecated.  The struct declaration and the terminating
 * NULL entry are on lines not present in this excerpt.
 */
292 /* Textual representation of the tokens. */
295 ServerOpCodes opcode;
297 /* Portable-specific options */
298 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
299 /* Standard Options */
301 { "hostkey", sHostKeyFile },
302 { "hostdsakey", sHostKeyFile }, /* alias */
303 { "pidfile", sPidFile },
304 { "serverkeybits", sServerKeyBits },
305 { "logingracetime", sLoginGraceTime },
306 { "keyregenerationinterval", sKeyRegenerationTime },
307 { "permitrootlogin", sPermitRootLogin },
308 { "syslogfacility", sLogFacility },
309 { "loglevel", sLogLevel },
310 { "rhostsauthentication", sRhostsAuthentication },
311 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
312 { "hostbasedauthentication", sHostbasedAuthentication },
313 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
314 { "rsaauthentication", sRSAAuthentication },
315 { "pubkeyauthentication", sPubkeyAuthentication },
316 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
317 #if defined(KRB4) || defined(KRB5)
318 { "kerberosauthentication", sKerberosAuthentication },
319 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
320 { "kerberosticketcleanup", sKerberosTicketCleanup },
322 #if defined(AFS) || defined(KRB5)
323 { "kerberostgtpassing", sKerberosTgtPassing },
326 { "afstokenpassing", sAFSTokenPassing },
328 { "passwordauthentication", sPasswordAuthentication },
329 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
330 { "challengeresponseauthentication", sChallengeResponseAuthentication },
331 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
/* Deprecated keyword: parsed so old configs still load, then reported via log(). */
332 { "checkmail", sDeprecated },
333 { "listenaddress", sListenAddress },
334 { "printmotd", sPrintMotd },
335 { "printlastlog", sPrintLastLog },
336 { "ignorerhosts", sIgnoreRhosts },
337 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
338 { "x11forwarding", sX11Forwarding },
339 { "x11displayoffset", sX11DisplayOffset },
340 { "x11uselocalhost", sX11UseLocalhost },
341 { "xauthlocation", sXAuthLocation },
342 { "strictmodes", sStrictModes },
343 { "permitemptypasswords", sEmptyPasswd },
344 { "uselogin", sUseLogin },
345 { "keepalive", sKeepAlives },
346 { "allowtcpforwarding", sAllowTcpForwarding },
347 { "allowusers", sAllowUsers },
348 { "denyusers", sDenyUsers },
349 { "allowgroups", sAllowGroups },
350 { "denygroups", sDenyGroups },
351 { "ciphers", sCiphers },
353 { "protocol", sProtocol },
354 { "gatewayports", sGatewayPorts },
355 { "subsystem", sSubsystem },
356 { "maxstartups", sMaxStartups },
357 { "banner", sBanner },
358 { "verifyreversemapping", sVerifyReverseMapping },
/* Older spelling of VerifyReverseMapping, kept as an alias. */
359 { "reversemappingcheck", sVerifyReverseMapping },
360 { "clientaliveinterval", sClientAliveInterval },
361 { "clientalivecountmax", sClientAliveCountMax },
362 { "authorizedkeysfile", sAuthorizedKeysFile },
363 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
364 { "useprivilegeseparation", sUsePrivilegeSeparation},
/*
 * Look up a config keyword in keywords[] (case-insensitive) and return its
 * opcode.  filename/linenum are used only for the diagnostic.  On no match an
 * error is logged and sBadOption is returned (the return statement itself is
 * on a line not present in this excerpt).  The table is scanned linearly,
 * which is fine for a config file read once at startup.
 */
369 * Returns the number of the token pointed to by cp or sBadOption.
373 parse_token(const char *cp, const char *filename,
378 for (i = 0; keywords[i].name; i++)
379 if (strcasecmp(cp, keywords[i].name) == 0)
380 return keywords[i].opcode;
/* Unknown keyword: non-fatal here; read_server_config() counts it and aborts after the whole file is scanned. */
382 error("%s: line %d: Bad configuration option: %s",
383 filename, linenum, cp);
/*
 * Queue listen addresses for addr.  If no Port was configured yet, the
 * default port is added first.  The loop registers addr on every configured
 * port; the single-port path registers it on the explicit port.  The
 * condition selecting between the two (presumably port == 0) is on a line
 * not present in this excerpt.  addr may be NULL, meaning the wildcard
 * address (see add_one_listen_addr).
 */
388 add_listen_addr(ServerOptions *options, char *addr, u_short port)
392 if (options->num_ports == 0)
393 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
/* One listen entry per configured port. */
395 for (i = 0; i < options->num_ports; i++)
396 add_one_listen_addr(options, addr, options->ports[i]);
/* Explicit port given on the ListenAddress line. */
398 add_one_listen_addr(options, addr, port);
/*
 * Resolve addr:port with getaddrinfo() and prepend every resulting
 * addrinfo to options->listen_addrs.  A NULL addr requests AI_PASSIVE, i.e.
 * the wildcard address for the family in IPv4or6.  Resolution failure is
 * fatal: an unresolvable ListenAddress must not silently leave the daemon
 * listening somewhere else.  The addrinfo chain is owned by options after
 * this call (never freed here).
 */
402 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
404 struct addrinfo hints, *ai, *aitop;
/* NI_MAXSERV is large enough for any 16-bit port rendered in decimal. */
405 char strport[NI_MAXSERV];
408 memset(&hints, 0, sizeof(hints));
409 hints.ai_family = IPv4or6;
410 hints.ai_socktype = SOCK_STREAM;
411 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
412 snprintf(strport, sizeof strport, "%d", port);
/* fatal() does not return; the code below relies on aitop being valid. */
413 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
414 fatal("bad addr or host: %s (%s)",
415 addr ? addr : "<NULL>",
416 gai_strerror(gaierr));
/* Walk to the last node of the new chain (empty loop body; the ';' is on a line not present here)... */
417 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
/* ...and splice the existing list after it, so newer entries come first. */
419 ai->ai_next = options->listen_addrs;
420 options->listen_addrs = aitop;
/*
 * Parse one line of sshd_config into *options.
 *
 * line is tokenised in place with strdelim(); filename/linenum only feed
 * diagnostics.  Blank lines and '#' comments are skipped.  Most keywords
 * follow a "first setting wins" rule: the value is stored only if the field
 * still holds its sentinel from initialize_server_options(), so a later
 * duplicate line cannot override an earlier one.  Malformed values are
 * rejected with fatal() (which does not return); an unknown keyword is
 * reported by parse_token() and, judging by read_server_config(), makes this
 * function return non-zero so the caller can count it.  The return
 * statements and several `filename, linenum` continuation lines of the
 * fatal() calls are on lines not present in this excerpt.
 */
424 process_server_config_line(ServerOptions *options, char *line,
425 const char *filename, int linenum)
427 char *cp, **charptr, *arg, *p;
429 ServerOpCodes opcode;
434 /* Ignore leading whitespace */
437 if (!arg || !*arg || *arg == '#')
441 opcode = parse_token(arg, filename, linenum);
443 /* Portable-specific options */
444 case sPAMAuthenticationViaKbdInt:
445 intptr = &options->pam_authentication_via_kbd_int;
448 /* Standard Options */
/* Port: command-line ports take precedence and must all be known before any ListenAddress is resolved. */
452 /* ignore ports from configfile if cmdline specifies ports */
453 if (options->ports_from_cmdline)
455 if (options->listen_addrs != NULL)
456 fatal("%s line %d: ports must be specified before "
457 "ListenAddress.", filename, linenum);
/* Bound check before the store into the fixed-size ports[] array. */
458 if (options->num_ports >= MAX_PORTS)
459 fatal("%s line %d: too many ports.",
462 if (!arg || *arg == '\0')
463 fatal("%s line %d: missing port number.",
/* a2port() signals a bad port with 0; checked on the slot just written. */
465 options->ports[options->num_ports++] = a2port(arg);
466 if (options->ports[options->num_ports-1] == 0)
467 fatal("%s line %d: Badly formatted port number.",
472 intptr = &options->server_key_bits;
475 if (!arg || *arg == '\0')
476 fatal("%s line %d: missing integer value.",
/* Time-valued keywords go through convtime(), which returns -1 on a bad spec. */
483 case sLoginGraceTime:
484 intptr = &options->login_grace_time;
487 if (!arg || *arg == '\0')
488 fatal("%s line %d: missing time value.",
490 if ((value = convtime(arg)) == -1)
491 fatal("%s line %d: invalid time value.",
497 case sKeyRegenerationTime:
498 intptr = &options->key_regeneration_time;
/* ListenAddress forms: host, host:port, [ipv6]:port.  "[]" (empty bracket) is rejected up front. */
503 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
504 fatal("%s line %d: missing inet addr.",
507 if ((p = strchr(arg, ']')) == NULL)
508 fatal("%s line %d: bad ipv6 inet addr usage.",
/* Drop the ']' by shifting the tail left; memmove because the regions overlap. */
511 memmove(p, p+1, strlen(p+1)+1);
/* No ':' or more than one ':' — a bare hostname or an unbracketed IPv6 literal; use every configured port. */
512 } else if (((p = strchr(arg, ':')) == NULL) ||
513 (strchr(p+1, ':') != NULL)) {
514 add_listen_addr(options, arg, 0);
522 fatal("%s line %d: bad inet addr:port usage.",
526 if ((port = a2port(p)) == 0)
527 fatal("%s line %d: bad port number.",
529 add_listen_addr(options, arg, port);
531 } else if (*p == '\0')
532 add_listen_addr(options, arg, 0);
534 fatal("%s line %d: bad inet addr usage.",
/* HostKey: bounded by MAX_HOSTKEYS; the count is only advanced when a new slot was filled. */
539 intptr = &options->num_host_key_files;
540 if (*intptr >= MAX_HOSTKEYS)
541 fatal("%s line %d: too many host keys specified (max %d).",
542 filename, linenum, MAX_HOSTKEYS);
543 charptr = &options->host_key_files[*intptr];
546 if (!arg || *arg == '\0')
547 fatal("%s line %d: missing file name.",
/* '~' is expanded relative to the daemon's own uid, not a client user. */
549 if (*charptr == NULL) {
550 *charptr = tilde_expand_filename(arg, getuid());
551 /* increase optional counter */
553 *intptr = *intptr + 1;
558 charptr = &options->pid_file;
/* PermitRootLogin accepts four spellings; the "yes"/"no" assignments are on lines not present in this excerpt. */
561 case sPermitRootLogin:
562 intptr = &options->permit_root_login;
564 if (!arg || *arg == '\0')
565 fatal("%s line %d: missing yes/"
566 "without-password/forced-commands-only/no "
567 "argument.", filename, linenum);
568 value = 0; /* silence compiler */
569 if (strcmp(arg, "without-password") == 0)
570 value = PERMIT_NO_PASSWD;
571 else if (strcmp(arg, "forced-commands-only") == 0)
572 value = PERMIT_FORCED_ONLY;
573 else if (strcmp(arg, "yes") == 0)
575 else if (strcmp(arg, "no") == 0)
578 fatal("%s line %d: Bad yes/"
579 "without-password/forced-commands-only/no "
580 "argument: %s", filename, linenum, arg);
/* Generic yes/no parser shared (via fallthrough) by every boolean keyword below; exact spelling only. */
586 intptr = &options->ignore_rhosts;
589 if (!arg || *arg == '\0')
590 fatal("%s line %d: missing yes/no argument.",
592 value = 0; /* silence compiler */
593 if (strcmp(arg, "yes") == 0)
595 else if (strcmp(arg, "no") == 0)
598 fatal("%s line %d: Bad yes/no argument: %s",
599 filename, linenum, arg);
604 case sIgnoreUserKnownHosts:
605 intptr = &options->ignore_user_known_hosts;
608 case sRhostsAuthentication:
609 intptr = &options->rhosts_authentication;
612 case sRhostsRSAAuthentication:
613 intptr = &options->rhosts_rsa_authentication;
616 case sHostbasedAuthentication:
617 intptr = &options->hostbased_authentication;
620 case sHostbasedUsesNameFromPacketOnly:
621 intptr = &options->hostbased_uses_name_from_packet_only;
624 case sRSAAuthentication:
625 intptr = &options->rsa_authentication;
628 case sPubkeyAuthentication:
629 intptr = &options->pubkey_authentication;
631 #if defined(KRB4) || defined(KRB5)
632 case sKerberosAuthentication:
633 intptr = &options->kerberos_authentication;
636 case sKerberosOrLocalPasswd:
637 intptr = &options->kerberos_or_local_passwd;
640 case sKerberosTicketCleanup:
641 intptr = &options->kerberos_ticket_cleanup;
644 #if defined(AFS) || defined(KRB5)
645 case sKerberosTgtPassing:
646 intptr = &options->kerberos_tgt_passing;
650 case sAFSTokenPassing:
651 intptr = &options->afs_token_passing;
655 case sPasswordAuthentication:
656 intptr = &options->password_authentication;
659 case sKbdInteractiveAuthentication:
660 intptr = &options->kbd_interactive_authentication;
663 case sChallengeResponseAuthentication:
664 intptr = &options->challenge_response_authentication;
668 intptr = &options->print_motd;
672 intptr = &options->print_lastlog;
676 intptr = &options->x11_forwarding;
679 case sX11DisplayOffset:
680 intptr = &options->x11_display_offset;
683 case sX11UseLocalhost:
684 intptr = &options->x11_use_localhost;
688 charptr = &options->xauth_location;
692 intptr = &options->strict_modes;
696 intptr = &options->keepalives;
700 intptr = &options->permit_empty_passwd;
704 intptr = &options->use_login;
708 intptr = &options->gateway_ports;
711 case sVerifyReverseMapping:
712 intptr = &options->verify_reverse_mapping;
/* SyslogFacility/LogLevel: the enum field is accessed through an int* — relies on the enum having int representation. The "%.200s" bounds the filename in the message; arg is passed as an argument, never as the format. */
716 intptr = (int *) &options->log_facility;
718 value = log_facility_number(arg);
719 if (value == SYSLOG_FACILITY_NOT_SET)
720 fatal("%.200s line %d: unsupported log facility '%s'",
721 filename, linenum, arg ? arg : "<NONE>");
723 *intptr = (SyslogFacility) value;
727 intptr = (int *) &options->log_level;
729 value = log_level_number(arg);
730 if (value == SYSLOG_LEVEL_NOT_SET)
731 fatal("%.200s line %d: unsupported log level '%s'",
732 filename, linenum, arg ? arg : "<NONE>");
734 *intptr = (LogLevel) value;
737 case sAllowTcpForwarding:
738 intptr = &options->allow_tcp_forwarding;
/* UsePrivilegeSeparation writes the file-scope extern rather than a struct field. */
741 case sUsePrivilegeSeparation:
742 intptr = &use_privsep;
/* Allow/Deny lists: every remaining token on the line is appended, each copied with xstrdup(); the count is bounds-checked against the fixed array before each store. */
746 while ((arg = strdelim(&cp)) && *arg != '\0') {
747 if (options->num_allow_users >= MAX_ALLOW_USERS)
748 fatal("%s line %d: too many allow users.",
750 options->allow_users[options->num_allow_users++] = xstrdup(arg);
755 while ((arg = strdelim(&cp)) && *arg != '\0') {
756 if (options->num_deny_users >= MAX_DENY_USERS)
757 fatal( "%s line %d: too many deny users.",
759 options->deny_users[options->num_deny_users++] = xstrdup(arg);
764 while ((arg = strdelim(&cp)) && *arg != '\0') {
765 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
766 fatal("%s line %d: too many allow groups.",
768 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
773 while ((arg = strdelim(&cp)) && *arg != '\0') {
774 if (options->num_deny_groups >= MAX_DENY_GROUPS)
775 fatal("%s line %d: too many deny groups.",
777 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
/* Ciphers/MACs: the spec is validated before it is stored, so a typo cannot silently disable the whole list; first setting wins. */
783 if (!arg || *arg == '\0')
784 fatal("%s line %d: Missing argument.", filename, linenum);
785 if (!ciphers_valid(arg))
786 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
787 filename, linenum, arg ? arg : "<NONE>");
788 if (options->ciphers == NULL)
789 options->ciphers = xstrdup(arg);
794 if (!arg || *arg == '\0')
795 fatal("%s line %d: Missing argument.", filename, linenum);
797 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
798 filename, linenum, arg ? arg : "<NONE>");
799 if (options->macs == NULL)
800 options->macs = xstrdup(arg);
/* Protocol: proto_spec() returns a bitmask of SSH_PROTO_1/SSH_PROTO_2, or SSH_PROTO_UNKNOWN on error. */
804 intptr = &options->protocol;
806 if (!arg || *arg == '\0')
807 fatal("%s line %d: Missing argument.", filename, linenum);
808 value = proto_spec(arg);
809 if (value == SSH_PROTO_UNKNOWN)
810 fatal("%s line %d: Bad protocol spec '%s'.",
811 filename, linenum, arg ? arg : "<NONE>");
812 if (*intptr == SSH_PROTO_UNKNOWN)
/* Subsystem name command: bounded by MAX_SUBSYSTEMS and rejects duplicate names, so a later line cannot shadow an earlier subsystem. */
817 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
818 fatal("%s line %d: too many subsystems defined.",
822 if (!arg || *arg == '\0')
823 fatal("%s line %d: Missing subsystem name.",
825 for (i = 0; i < options->num_subsystems; i++)
826 if (strcmp(arg, options->subsystem_name[i]) == 0)
827 fatal("%s line %d: Subsystem '%s' already defined.",
828 filename, linenum, arg);
829 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
831 if (!arg || *arg == '\0')
832 fatal("%s line %d: Missing subsystem command.",
834 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
/* Count is advanced only after both strings are stored. */
835 options->num_subsystems++;
/* MaxStartups: sscanf() writes straight into the three fields.  A 3-field spec must satisfy begin <= full and 1 <= rate <= 100; otherwise it is fatal, so the partially written fields are never used.  The single-value form (handled on lines not present here) sets full = begin. */
840 if (!arg || *arg == '\0')
841 fatal("%s line %d: Missing MaxStartups spec.",
843 if ((n = sscanf(arg, "%d:%d:%d",
844 &options->max_startups_begin,
845 &options->max_startups_rate,
846 &options->max_startups)) == 3) {
847 if (options->max_startups_begin >
848 options->max_startups ||
849 options->max_startups_rate > 100 ||
850 options->max_startups_rate < 1)
851 fatal("%s line %d: Illegal MaxStartups spec.",
854 fatal("%s line %d: Illegal MaxStartups spec.",
857 options->max_startups = options->max_startups_begin;
861 charptr = &options->banner;
/* Stored unexpanded: %-tokens are substituted per connection (e.g. %u -> user name) by the consumer, so the path is not resolved at config time. */
864 * These options can contain %X options expanded at
865 * connect time, so that you can specify paths like:
867 * AuthorizedKeysFile /etc/ssh_keys/%u
869 case sAuthorizedKeysFile:
870 case sAuthorizedKeysFile2:
871 charptr = (opcode == sAuthorizedKeysFile ) ?
872 &options->authorized_keys_file :
873 &options->authorized_keys_file2;
876 case sClientAliveInterval:
877 intptr = &options->client_alive_interval;
880 case sClientAliveCountMax:
881 intptr = &options->client_alive_count_max;
/* sDeprecated: accepted and logged, never fatal, so old configs keep loading. */
885 log("%s line %d: Deprecated option %s",
886 filename, linenum, arg);
/* default: an opcode present in keywords[] but missing from this switch is a programming error. */
892 fatal("%s line %d: Missing handler for opcode %s (%d)",
893 filename, linenum, arg, opcode);
/* Any leftover token after the handler consumed its arguments is an error rather than silently ignored. */
895 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
896 fatal("%s line %d: garbage at end of line; \"%.200s\".",
897 filename, linenum, arg);
901 /* Reads the server configuration file. */
904 read_server_config(ServerOptions *options, const char *filename)
911 f = fopen(filename, "r");
917 while (fgets(line, sizeof(line), f)) {
918 /* Update line number counter. */
920 if (process_server_config_line(options, line, filename, linenum) != 0)
925 fatal("%s: terminating, %d bad configuration options",
926 filename, bad_options);