1 /* $OpenBSD: servconf.c,v 1.194 2009/01/22 10:02:34 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
28 #include "openbsd-compat/sys-queue.h"
35 #include "pathnames.h"
43 #include "groupaccess.h"
45 static void add_listen_addr(ServerOptions *, char *, int);
46 static void add_one_listen_addr(ServerOptions *, char *, int);
48 /* Use of privilege separation or not */
49 extern int use_privsep;
52 /* Initializes the server options to their default values. */
55 initialize_server_options(ServerOptions *options)
57 memset(options, 0, sizeof(*options));
59 /* Portable-specific options */
60 options->use_pam = -1;
62 /* Standard Options */
63 options->num_ports = 0;
64 options->ports_from_cmdline = 0;
65 options->listen_addrs = NULL;
66 options->address_family = -1;
67 options->num_host_key_files = 0;
68 options->pid_file = NULL;
69 options->server_key_bits = -1;
70 options->login_grace_time = -1;
71 options->key_regeneration_time = -1;
72 options->permit_root_login = PERMIT_NOT_SET;
73 options->ignore_rhosts = -1;
74 options->ignore_user_known_hosts = -1;
75 options->print_motd = -1;
76 options->print_lastlog = -1;
77 options->x11_forwarding = -1;
78 options->x11_display_offset = -1;
79 options->x11_use_localhost = -1;
80 options->xauth_location = NULL;
81 options->strict_modes = -1;
82 options->tcp_keep_alive = -1;
83 options->log_facility = SYSLOG_FACILITY_NOT_SET;
84 options->log_level = SYSLOG_LEVEL_NOT_SET;
85 options->rhosts_rsa_authentication = -1;
86 options->hostbased_authentication = -1;
87 options->hostbased_uses_name_from_packet_only = -1;
88 options->rsa_authentication = -1;
89 options->pubkey_authentication = -1;
90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
93 options->kerberos_get_afs_token = -1;
94 options->gss_authentication=-1;
95 options->gss_keyex = -1;
96 options->gss_cleanup_creds = -1;
97 options->gss_strict_acceptor = -1;
98 options->gss_store_rekey = -1;
99 options->password_authentication = -1;
100 options->kbd_interactive_authentication = -1;
101 options->challenge_response_authentication = -1;
102 options->permit_empty_passwd = -1;
103 options->permit_user_env = -1;
104 options->use_login = -1;
105 options->compression = -1;
106 options->allow_tcp_forwarding = -1;
107 options->allow_agent_forwarding = -1;
108 options->num_allow_users = 0;
109 options->num_deny_users = 0;
110 options->num_allow_groups = 0;
111 options->num_deny_groups = 0;
112 options->ciphers = NULL;
113 options->macs = NULL;
114 options->protocol = SSH_PROTO_UNKNOWN;
115 options->gateway_ports = -1;
116 options->num_subsystems = 0;
117 options->max_startups_begin = -1;
118 options->max_startups_rate = -1;
119 options->max_startups = -1;
120 options->max_authtries = -1;
121 options->max_sessions = -1;
122 options->banner = NULL;
123 options->use_dns = -1;
124 options->client_alive_interval = -1;
125 options->client_alive_count_max = -1;
126 options->authorized_keys_file = NULL;
127 options->authorized_keys_file2 = NULL;
128 options->num_accept_env = 0;
129 options->permit_tun = -1;
130 options->num_permitted_opens = -1;
131 options->adm_forced_command = NULL;
132 options->chroot_directory = NULL;
133 options->zero_knowledge_password_authentication = -1;
134 options->none_enabled = -1;
135 options->tcp_rcv_buf_poll = -1;
136 options->hpn_disabled = -1;
137 options->hpn_buffer_size = -1;
141 fill_default_server_options(ServerOptions *options)
143 /* needed for hpn socket tests */
146 int socksizelen = sizeof(int);
148 /* Portable-specific options */
149 if (options->use_pam == -1)
150 options->use_pam = 0;
152 /* Standard Options */
153 if (options->protocol == SSH_PROTO_UNKNOWN)
154 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
155 if (options->num_host_key_files == 0) {
156 /* fill default hostkeys for protocols */
157 if (options->protocol & SSH_PROTO_1)
158 options->host_key_files[options->num_host_key_files++] =
160 if (options->protocol & SSH_PROTO_2) {
161 options->host_key_files[options->num_host_key_files++] =
162 _PATH_HOST_RSA_KEY_FILE;
163 options->host_key_files[options->num_host_key_files++] =
164 _PATH_HOST_DSA_KEY_FILE;
167 if (options->num_ports == 0)
168 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
169 if (options->listen_addrs == NULL)
170 add_listen_addr(options, NULL, 0);
171 if (options->pid_file == NULL)
172 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
173 if (options->server_key_bits == -1)
174 options->server_key_bits = 1024;
175 if (options->login_grace_time == -1)
176 options->login_grace_time = 120;
177 if (options->key_regeneration_time == -1)
178 options->key_regeneration_time = 3600;
179 if (options->permit_root_login == PERMIT_NOT_SET)
180 options->permit_root_login = PERMIT_YES;
181 if (options->ignore_rhosts == -1)
182 options->ignore_rhosts = 1;
183 if (options->ignore_user_known_hosts == -1)
184 options->ignore_user_known_hosts = 0;
185 if (options->print_motd == -1)
186 options->print_motd = 1;
187 if (options->print_lastlog == -1)
188 options->print_lastlog = 1;
189 if (options->x11_forwarding == -1)
190 options->x11_forwarding = 0;
191 if (options->x11_display_offset == -1)
192 options->x11_display_offset = 10;
193 if (options->x11_use_localhost == -1)
194 options->x11_use_localhost = 1;
195 if (options->xauth_location == NULL)
196 options->xauth_location = _PATH_XAUTH;
197 if (options->strict_modes == -1)
198 options->strict_modes = 1;
199 if (options->tcp_keep_alive == -1)
200 options->tcp_keep_alive = 1;
201 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
202 options->log_facility = SYSLOG_FACILITY_AUTH;
203 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
204 options->log_level = SYSLOG_LEVEL_INFO;
205 if (options->rhosts_rsa_authentication == -1)
206 options->rhosts_rsa_authentication = 0;
207 if (options->hostbased_authentication == -1)
208 options->hostbased_authentication = 0;
209 if (options->hostbased_uses_name_from_packet_only == -1)
210 options->hostbased_uses_name_from_packet_only = 0;
211 if (options->rsa_authentication == -1)
212 options->rsa_authentication = 1;
213 if (options->pubkey_authentication == -1)
214 options->pubkey_authentication = 1;
215 if (options->kerberos_authentication == -1)
216 options->kerberos_authentication = 0;
217 if (options->kerberos_or_local_passwd == -1)
218 options->kerberos_or_local_passwd = 1;
219 if (options->kerberos_ticket_cleanup == -1)
220 options->kerberos_ticket_cleanup = 1;
221 if (options->kerberos_get_afs_token == -1)
222 options->kerberos_get_afs_token = 0;
223 if (options->gss_authentication == -1)
224 options->gss_authentication = 0;
225 if (options->gss_keyex == -1)
226 options->gss_keyex = 0;
227 if (options->gss_cleanup_creds == -1)
228 options->gss_cleanup_creds = 1;
229 if (options->gss_strict_acceptor == -1)
230 options->gss_strict_acceptor = 1;
231 if (options->gss_store_rekey == -1)
232 options->gss_store_rekey = 0;
233 if (options->password_authentication == -1)
234 options->password_authentication = 1;
235 if (options->kbd_interactive_authentication == -1)
236 options->kbd_interactive_authentication = 0;
237 if (options->challenge_response_authentication == -1)
238 options->challenge_response_authentication = 1;
239 if (options->permit_empty_passwd == -1)
240 options->permit_empty_passwd = 0;
241 if (options->permit_user_env == -1)
242 options->permit_user_env = 0;
243 if (options->use_login == -1)
244 options->use_login = 0;
245 if (options->compression == -1)
246 options->compression = COMP_DELAYED;
247 if (options->allow_tcp_forwarding == -1)
248 options->allow_tcp_forwarding = 1;
249 if (options->allow_agent_forwarding == -1)
250 options->allow_agent_forwarding = 1;
251 if (options->gateway_ports == -1)
252 options->gateway_ports = 0;
253 if (options->max_startups == -1)
254 options->max_startups = 10;
255 if (options->max_startups_rate == -1)
256 options->max_startups_rate = 100; /* 100% */
257 if (options->max_startups_begin == -1)
258 options->max_startups_begin = options->max_startups;
259 if (options->max_authtries == -1)
260 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
261 if (options->max_sessions == -1)
262 options->max_sessions = DEFAULT_SESSIONS_MAX;
263 if (options->use_dns == -1)
264 options->use_dns = 1;
265 if (options->client_alive_interval == -1)
266 options->client_alive_interval = 0;
267 if (options->client_alive_count_max == -1)
268 options->client_alive_count_max = 3;
269 if (options->authorized_keys_file2 == NULL) {
270 /* authorized_keys_file2 falls back to authorized_keys_file */
271 if (options->authorized_keys_file != NULL)
272 options->authorized_keys_file2 = options->authorized_keys_file;
274 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
276 if (options->authorized_keys_file == NULL)
277 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
278 if (options->permit_tun == -1)
279 options->permit_tun = SSH_TUNMODE_NO;
280 if (options->zero_knowledge_password_authentication == -1)
281 options->zero_knowledge_password_authentication = 0;
283 if (options->hpn_disabled == -1)
284 options->hpn_disabled = 0;
286 if (options->hpn_buffer_size == -1) {
287 /* option not explicitly set. Now we have to figure out */
288 /* what value to use */
289 if (options->hpn_disabled == 1) {
290 options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
292 /* get the current RCV size and set it to that */
293 /*create a socket but don't connect it */
294 /* we use that the get the rcv socket size */
295 sock = socket(AF_INET, SOCK_STREAM, 0);
296 getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
297 &socksize, &socksizelen);
299 options->hpn_buffer_size = socksize;
300 debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
304 /* we have to do this incase the user sets both values in a contradictory */
305 /* manner. hpn_disabled overrrides hpn_buffer_size*/
306 if (options->hpn_disabled <= 0) {
307 if (options->hpn_buffer_size == 0)
308 options->hpn_buffer_size = 1;
309 /* limit the maximum buffer to 64MB */
310 if (options->hpn_buffer_size > 64*1024) {
311 options->hpn_buffer_size = 64*1024*1024;
313 options->hpn_buffer_size *= 1024;
316 options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
319 /* Turn privilege separation on by default */
320 if (use_privsep == -1)
324 if (use_privsep && options->compression == 1) {
325 error("This platform does not support both privilege "
326 "separation and compression");
327 error("Compression disabled");
328 options->compression = 0;
334 /* Keyword tokens. */
336 sBadOption, /* == unknown option */
337 /* Portable-specific options */
339 /* Standard Options */
340 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
341 sPermitRootLogin, sLogFacility, sLogLevel,
342 sRhostsRSAAuthentication, sRSAAuthentication,
343 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
344 sKerberosGetAFSToken,
345 sKerberosTgtPassing, sChallengeResponseAuthentication,
346 sPasswordAuthentication, sKbdInteractiveAuthentication,
347 sListenAddress, sAddressFamily,
348 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
349 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
350 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
351 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
352 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
353 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
354 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
355 sMaxStartups, sMaxAuthTries, sMaxSessions,
356 sBanner, sUseDNS, sHostbasedAuthentication,
357 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
358 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
359 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
360 sGssKeyEx, sGssStoreRekey,
361 sAcceptEnv, sPermitTunnel,
362 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
363 sUsePrivilegeSeparation, sAllowAgentForwarding,
364 sZeroKnowledgePasswordAuthentication,
365 sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
366 sDeprecated, sUnsupported
369 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
370 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
371 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
373 /* Textual representation of the tokens. */
376 ServerOpCodes opcode;
379 /* Portable-specific options */
381 { "usepam", sUsePAM, SSHCFG_GLOBAL },
383 { "usepam", sUnsupported, SSHCFG_GLOBAL },
385 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
386 /* Standard Options */
387 { "port", sPort, SSHCFG_GLOBAL },
388 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
389 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
390 { "pidfile", sPidFile, SSHCFG_GLOBAL },
391 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
392 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
393 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
394 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
395 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
396 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
397 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
398 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
399 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
400 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
401 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
402 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
403 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
405 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
406 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
407 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
409 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
411 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
414 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
415 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
416 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
417 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
419 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
420 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
422 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
423 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
424 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
425 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
426 { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
428 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
429 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
430 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
431 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
432 { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
434 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
435 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
436 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
437 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
439 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
441 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
443 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
444 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
445 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
446 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
447 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
448 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
449 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
450 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
451 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
452 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
453 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
454 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
455 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
456 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
457 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
458 { "compression", sCompression, SSHCFG_GLOBAL },
459 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
460 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
461 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
462 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
463 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
464 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
465 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
466 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
467 { "ciphers", sCiphers, SSHCFG_GLOBAL },
468 { "macs", sMacs, SSHCFG_GLOBAL },
469 { "protocol", sProtocol, SSHCFG_GLOBAL },
470 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
471 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
472 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
473 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
474 { "maxsessions", sMaxSessions, SSHCFG_ALL },
475 { "banner", sBanner, SSHCFG_ALL },
476 { "usedns", sUseDNS, SSHCFG_GLOBAL },
477 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
478 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
479 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
480 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
481 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
482 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
483 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
484 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
485 { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
486 { "match", sMatch, SSHCFG_ALL },
487 { "permitopen", sPermitOpen, SSHCFG_ALL },
488 { "forcecommand", sForceCommand, SSHCFG_ALL },
489 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
490 { "noneenabled", sNoneEnabled },
491 { "hpndisabled", sHPNDisabled },
492 { "hpnbuffersize", sHPNBufferSize },
493 { "tcprcvbufpoll", sTcpRcvBufPoll },
494 { NULL, sBadOption, 0 }
501 { SSH_TUNMODE_NO, "no" },
502 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
503 { SSH_TUNMODE_ETHERNET, "ethernet" },
504 { SSH_TUNMODE_YES, "yes" },
509 * Returns the number of the token pointed to by cp or sBadOption.
513 parse_token(const char *cp, const char *filename,
514 int linenum, u_int *flags)
518 for (i = 0; keywords[i].name; i++)
519 if (strcasecmp(cp, keywords[i].name) == 0) {
520 debug ("Config token is %s", keywords[i].name);
521 *flags = keywords[i].flags;
522 return keywords[i].opcode;
525 error("%s: line %d: Bad configuration option: %s",
526 filename, linenum, cp);
531 add_listen_addr(ServerOptions *options, char *addr, int port)
535 if (options->num_ports == 0)
536 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
537 if (options->address_family == -1)
538 options->address_family = AF_UNSPEC;
540 for (i = 0; i < options->num_ports; i++)
541 add_one_listen_addr(options, addr, options->ports[i]);
543 add_one_listen_addr(options, addr, port);
547 add_one_listen_addr(ServerOptions *options, char *addr, int port)
549 struct addrinfo hints, *ai, *aitop;
550 char strport[NI_MAXSERV];
553 memset(&hints, 0, sizeof(hints));
554 hints.ai_family = options->address_family;
555 hints.ai_socktype = SOCK_STREAM;
556 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
557 snprintf(strport, sizeof strport, "%d", port);
558 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
559 fatal("bad addr or host: %s (%s)",
560 addr ? addr : "<NULL>",
561 ssh_gai_strerror(gaierr));
562 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
564 ai->ai_next = options->listen_addrs;
565 options->listen_addrs = aitop;
569 * The strategy for the Match blocks is that the config file is parsed twice.
571 * The first time is at startup. activep is initialized to 1 and the
572 * directives in the global context are processed and acted on. Hitting a
573 * Match directive unsets activep and the directives inside the block are
574 * checked for syntax only.
576 * The second time is after a connection has been established but before
577 * authentication. activep is initialized to 2 and global config directives
578 * are ignored since they have already been processed. If the criteria in a
579 * Match block is met, activep is set and the subsequent directives
580 * processed and actioned until EOF or another Match block unsets it. Any
581 * options set are copied into the main server config.
583 * Potential additions/improvements:
584 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
586 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
587 * Match Address 192.168.0.*
592 * AllowTcpForwarding yes
593 * GatewayPorts clientspecified
596 * - Add a PermittedChannelRequests directive
598 * PermittedChannelRequests session,forwarded-tcpip
602 match_cfg_line_group(const char *grps, int line, const char *user)
610 if ((pw = getpwnam(user)) == NULL) {
611 debug("Can't match group at line %d because user %.100s does "
612 "not exist", line, user);
613 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
614 debug("Can't Match group because user %.100s not in any group "
615 "at line %d", user, line);
616 } else if (ga_match_pattern_list(grps) != 1) {
617 debug("user %.100s does not match group list %.100s at line %d",
620 debug("user %.100s matched group list %.100s at line %d", user,
630 match_cfg_line(char **condition, int line, const char *user, const char *host,
634 char *arg, *attrib, *cp = *condition;
638 debug3("checking syntax for 'Match %s'", cp);
640 debug3("checking match for '%s' user %s host %s addr %s", cp,
641 user ? user : "(null)", host ? host : "(null)",
642 address ? address : "(null)");
644 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
645 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
646 error("Missing Match criteria for %s", attrib);
650 if (strcasecmp(attrib, "user") == 0) {
655 if (match_pattern_list(user, arg, len, 0) != 1)
658 debug("user %.100s matched 'User %.100s' at "
659 "line %d", user, arg, line);
660 } else if (strcasecmp(attrib, "group") == 0) {
661 switch (match_cfg_line_group(arg, line, user)) {
667 } else if (strcasecmp(attrib, "host") == 0) {
672 if (match_hostname(host, arg, len) != 1)
675 debug("connection from %.100s matched 'Host "
676 "%.100s' at line %d", host, arg, line);
677 } else if (strcasecmp(attrib, "address") == 0) {
678 switch (addr_match_list(address, arg)) {
680 debug("connection from %.100s matched 'Address "
681 "%.100s' at line %d", address, arg, line);
691 error("Unsupported Match attribute %s", attrib);
696 debug3("match %sfound", result ? "" : "not ");
701 #define WHITESPACE " \t\r\n"
704 process_server_config_line(ServerOptions *options, char *line,
705 const char *filename, int linenum, int *activep, const char *user,
706 const char *host, const char *address)
708 char *cp, **charptr, *arg, *p;
709 int cmdline = 0, *intptr, value, n;
710 SyslogFacility *log_facility_ptr;
711 LogLevel *log_level_ptr;
712 ServerOpCodes opcode;
718 if ((arg = strdelim(&cp)) == NULL)
720 /* Ignore leading whitespace */
723 if (!arg || !*arg || *arg == '#')
727 opcode = parse_token(arg, filename, linenum, &flags);
729 if (activep == NULL) { /* We are processing a command line directive */
733 if (*activep && opcode != sMatch)
734 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
735 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
737 fatal("%s line %d: Directive '%s' is not allowed "
738 "within a Match block", filename, linenum, arg);
739 } else { /* this is a directive we have already processed */
747 /* Portable-specific options */
749 intptr = &options->use_pam;
752 /* Standard Options */
756 /* ignore ports from configfile if cmdline specifies ports */
757 if (options->ports_from_cmdline)
759 if (options->listen_addrs != NULL)
760 fatal("%s line %d: ports must be specified before "
761 "ListenAddress.", filename, linenum);
762 if (options->num_ports >= MAX_PORTS)
763 fatal("%s line %d: too many ports.",
766 if (!arg || *arg == '\0')
767 fatal("%s line %d: missing port number.",
769 options->ports[options->num_ports++] = a2port(arg);
770 if (options->ports[options->num_ports-1] <= 0)
771 fatal("%s line %d: Badly formatted port number.",
776 intptr = &options->server_key_bits;
779 if (!arg || *arg == '\0')
780 fatal("%s line %d: missing integer value.",
783 if (*activep && *intptr == -1)
787 case sLoginGraceTime:
788 intptr = &options->login_grace_time;
791 if (!arg || *arg == '\0')
792 fatal("%s line %d: missing time value.",
794 if ((value = convtime(arg)) == -1)
795 fatal("%s line %d: invalid time value.",
801 case sKeyRegenerationTime:
802 intptr = &options->key_regeneration_time;
807 if (arg == NULL || *arg == '\0')
808 fatal("%s line %d: missing address",
810 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
811 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
812 && strchr(p+1, ':') != NULL) {
813 add_listen_addr(options, arg, 0);
818 fatal("%s line %d: bad address:port usage",
820 p = cleanhostname(p);
823 else if ((port = a2port(arg)) <= 0)
824 fatal("%s line %d: bad port number", filename, linenum);
826 add_listen_addr(options, p, port);
832 if (!arg || *arg == '\0')
833 fatal("%s line %d: missing address family.",
835 intptr = &options->address_family;
836 if (options->listen_addrs != NULL)
837 fatal("%s line %d: address family must be specified before "
838 "ListenAddress.", filename, linenum);
839 if (strcasecmp(arg, "inet") == 0)
841 else if (strcasecmp(arg, "inet6") == 0)
843 else if (strcasecmp(arg, "any") == 0)
846 fatal("%s line %d: unsupported address family \"%s\".",
847 filename, linenum, arg);
853 intptr = &options->num_host_key_files;
854 if (*intptr >= MAX_HOSTKEYS)
855 fatal("%s line %d: too many host keys specified (max %d).",
856 filename, linenum, MAX_HOSTKEYS);
857 charptr = &options->host_key_files[*intptr];
860 if (!arg || *arg == '\0')
861 fatal("%s line %d: missing file name.",
863 if (*activep && *charptr == NULL) {
864 *charptr = tilde_expand_filename(arg, getuid());
865 /* increase optional counter */
867 *intptr = *intptr + 1;
872 charptr = &options->pid_file;
875 case sPermitRootLogin:
876 intptr = &options->permit_root_login;
878 if (!arg || *arg == '\0')
879 fatal("%s line %d: missing yes/"
880 "without-password/forced-commands-only/no "
881 "argument.", filename, linenum);
882 value = 0; /* silence compiler */
883 if (strcmp(arg, "without-password") == 0)
884 value = PERMIT_NO_PASSWD;
885 else if (strcmp(arg, "forced-commands-only") == 0)
886 value = PERMIT_FORCED_ONLY;
887 else if (strcmp(arg, "yes") == 0)
889 else if (strcmp(arg, "no") == 0)
892 fatal("%s line %d: Bad yes/"
893 "without-password/forced-commands-only/no "
894 "argument: %s", filename, linenum, arg);
895 if (*activep && *intptr == -1)
900 intptr = &options->ignore_rhosts;
903 if (!arg || *arg == '\0')
904 fatal("%s line %d: missing yes/no argument.",
906 value = 0; /* silence compiler */
907 if (strcmp(arg, "yes") == 0)
909 else if (strcmp(arg, "no") == 0)
912 fatal("%s line %d: Bad yes/no argument: %s",
913 filename, linenum, arg);
914 if (*activep && *intptr == -1)
919 intptr = &options->none_enabled;
923 intptr = &options->tcp_rcv_buf_poll;
927 intptr = &options->hpn_disabled;
931 intptr = &options->hpn_buffer_size;
934 case sIgnoreUserKnownHosts:
935 intptr = &options->ignore_user_known_hosts;
938 case sRhostsRSAAuthentication:
939 intptr = &options->rhosts_rsa_authentication;
942 case sHostbasedAuthentication:
943 intptr = &options->hostbased_authentication;
946 case sHostbasedUsesNameFromPacketOnly:
947 intptr = &options->hostbased_uses_name_from_packet_only;
950 case sRSAAuthentication:
951 intptr = &options->rsa_authentication;
954 case sPubkeyAuthentication:
955 intptr = &options->pubkey_authentication;
958 case sKerberosAuthentication:
959 intptr = &options->kerberos_authentication;
962 case sKerberosOrLocalPasswd:
963 intptr = &options->kerberos_or_local_passwd;
966 case sKerberosTicketCleanup:
967 intptr = &options->kerberos_ticket_cleanup;
970 case sKerberosGetAFSToken:
971 intptr = &options->kerberos_get_afs_token;
974 case sGssAuthentication:
975 intptr = &options->gss_authentication;
979 intptr = &options->gss_keyex;
982 case sGssCleanupCreds:
983 intptr = &options->gss_cleanup_creds;
986 case sGssStrictAcceptor:
987 intptr = &options->gss_strict_acceptor;
991 intptr = &options->gss_store_rekey;
994 case sPasswordAuthentication:
995 intptr = &options->password_authentication;
998 case sZeroKnowledgePasswordAuthentication:
999 intptr = &options->zero_knowledge_password_authentication;
1002 case sKbdInteractiveAuthentication:
1003 intptr = &options->kbd_interactive_authentication;
1006 case sChallengeResponseAuthentication:
1007 intptr = &options->challenge_response_authentication;
1011 intptr = &options->print_motd;
1015 intptr = &options->print_lastlog;
1018 case sX11Forwarding:
1019 intptr = &options->x11_forwarding;
1022 case sX11DisplayOffset:
1023 intptr = &options->x11_display_offset;
1026 case sX11UseLocalhost:
1027 intptr = &options->x11_use_localhost;
1030 case sXAuthLocation:
1031 charptr = &options->xauth_location;
1032 goto parse_filename;
1035 intptr = &options->strict_modes;
1039 intptr = &options->tcp_keep_alive;
1043 intptr = &options->permit_empty_passwd;
1046 case sPermitUserEnvironment:
1047 intptr = &options->permit_user_env;
1051 intptr = &options->use_login;
1055 intptr = &options->compression;
1056 arg = strdelim(&cp);
1057 if (!arg || *arg == '\0')
1058 fatal("%s line %d: missing yes/no/delayed "
1059 "argument.", filename, linenum);
1060 value = 0; /* silence compiler */
1061 if (strcmp(arg, "delayed") == 0)
1062 value = COMP_DELAYED;
1063 else if (strcmp(arg, "yes") == 0)
1065 else if (strcmp(arg, "no") == 0)
1068 fatal("%s line %d: Bad yes/no/delayed "
1069 "argument: %s", filename, linenum, arg);
1075 intptr = &options->gateway_ports;
1076 arg = strdelim(&cp);
1077 if (!arg || *arg == '\0')
1078 fatal("%s line %d: missing yes/no/clientspecified "
1079 "argument.", filename, linenum);
1080 value = 0; /* silence compiler */
1081 if (strcmp(arg, "clientspecified") == 0)
1083 else if (strcmp(arg, "yes") == 0)
1085 else if (strcmp(arg, "no") == 0)
1088 fatal("%s line %d: Bad yes/no/clientspecified "
1089 "argument: %s", filename, linenum, arg);
1090 if (*activep && *intptr == -1)
1095 intptr = &options->use_dns;
1099 log_facility_ptr = &options->log_facility;
1100 arg = strdelim(&cp);
1101 value = log_facility_number(arg);
1102 if (value == SYSLOG_FACILITY_NOT_SET)
1103 fatal("%.200s line %d: unsupported log facility '%s'",
1104 filename, linenum, arg ? arg : "<NONE>");
1105 if (*log_facility_ptr == -1)
1106 *log_facility_ptr = (SyslogFacility) value;
1110 log_level_ptr = &options->log_level;
1111 arg = strdelim(&cp);
1112 value = log_level_number(arg);
1113 if (value == SYSLOG_LEVEL_NOT_SET)
1114 fatal("%.200s line %d: unsupported log level '%s'",
1115 filename, linenum, arg ? arg : "<NONE>");
1116 if (*log_level_ptr == -1)
1117 *log_level_ptr = (LogLevel) value;
1120 case sAllowTcpForwarding:
1121 intptr = &options->allow_tcp_forwarding;
1124 case sAllowAgentForwarding:
1125 intptr = &options->allow_agent_forwarding;
1128 case sUsePrivilegeSeparation:
1129 intptr = &use_privsep;
1133 while ((arg = strdelim(&cp)) && *arg != '\0') {
1134 if (options->num_allow_users >= MAX_ALLOW_USERS)
1135 fatal("%s line %d: too many allow users.",
1137 options->allow_users[options->num_allow_users++] =
1143 while ((arg = strdelim(&cp)) && *arg != '\0') {
1144 if (options->num_deny_users >= MAX_DENY_USERS)
1145 fatal("%s line %d: too many deny users.",
1147 options->deny_users[options->num_deny_users++] =
1153 while ((arg = strdelim(&cp)) && *arg != '\0') {
1154 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1155 fatal("%s line %d: too many allow groups.",
1157 options->allow_groups[options->num_allow_groups++] =
1163 while ((arg = strdelim(&cp)) && *arg != '\0') {
1164 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1165 fatal("%s line %d: too many deny groups.",
1167 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1172 arg = strdelim(&cp);
1173 if (!arg || *arg == '\0')
1174 fatal("%s line %d: Missing argument.", filename, linenum);
1175 if (!ciphers_valid(arg))
1176 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1177 filename, linenum, arg ? arg : "<NONE>");
1178 if (options->ciphers == NULL)
1179 options->ciphers = xstrdup(arg);
1183 arg = strdelim(&cp);
1184 if (!arg || *arg == '\0')
1185 fatal("%s line %d: Missing argument.", filename, linenum);
1186 if (!mac_valid(arg))
1187 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1188 filename, linenum, arg ? arg : "<NONE>");
1189 if (options->macs == NULL)
1190 options->macs = xstrdup(arg);
1194 intptr = &options->protocol;
1195 arg = strdelim(&cp);
1196 if (!arg || *arg == '\0')
1197 fatal("%s line %d: Missing argument.", filename, linenum);
1198 value = proto_spec(arg);
1199 if (value == SSH_PROTO_UNKNOWN)
1200 fatal("%s line %d: Bad protocol spec '%s'.",
1201 filename, linenum, arg ? arg : "<NONE>");
1202 if (*intptr == SSH_PROTO_UNKNOWN)
1207 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1208 fatal("%s line %d: too many subsystems defined.",
1211 arg = strdelim(&cp);
1212 if (!arg || *arg == '\0')
1213 fatal("%s line %d: Missing subsystem name.",
1216 arg = strdelim(&cp);
1219 for (i = 0; i < options->num_subsystems; i++)
1220 if (strcmp(arg, options->subsystem_name[i]) == 0)
1221 fatal("%s line %d: Subsystem '%s' already defined.",
1222 filename, linenum, arg);
1223 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1224 arg = strdelim(&cp);
1225 if (!arg || *arg == '\0')
1226 fatal("%s line %d: Missing subsystem command.",
1228 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1230 /* Collect arguments (separate to executable) */
1232 len = strlen(p) + 1;
1233 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1234 len += 1 + strlen(arg);
1235 p = xrealloc(p, 1, len);
1236 strlcat(p, " ", len);
1237 strlcat(p, arg, len);
1239 options->subsystem_args[options->num_subsystems] = p;
1240 options->num_subsystems++;
1244 arg = strdelim(&cp);
1245 if (!arg || *arg == '\0')
1246 fatal("%s line %d: Missing MaxStartups spec.",
1248 if ((n = sscanf(arg, "%d:%d:%d",
1249 &options->max_startups_begin,
1250 &options->max_startups_rate,
1251 &options->max_startups)) == 3) {
1252 if (options->max_startups_begin >
1253 options->max_startups ||
1254 options->max_startups_rate > 100 ||
1255 options->max_startups_rate < 1)
1256 fatal("%s line %d: Illegal MaxStartups spec.",
1259 fatal("%s line %d: Illegal MaxStartups spec.",
1262 options->max_startups = options->max_startups_begin;
1266 intptr = &options->max_authtries;
1270 intptr = &options->max_sessions;
1274 charptr = &options->banner;
1275 goto parse_filename;
1278 * These options can contain %X options expanded at
1279 * connect time, so that you can specify paths like:
1281 * AuthorizedKeysFile /etc/ssh_keys/%u
1283 case sAuthorizedKeysFile:
1284 case sAuthorizedKeysFile2:
1285 charptr = (opcode == sAuthorizedKeysFile) ?
1286 &options->authorized_keys_file :
1287 &options->authorized_keys_file2;
1288 goto parse_filename;
1290 case sClientAliveInterval:
1291 intptr = &options->client_alive_interval;
1294 case sClientAliveCountMax:
1295 intptr = &options->client_alive_count_max;
1299 while ((arg = strdelim(&cp)) && *arg != '\0') {
1300 if (strchr(arg, '=') != NULL)
1301 fatal("%s line %d: Invalid environment name.",
1303 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1304 fatal("%s line %d: too many allow env.",
1308 options->accept_env[options->num_accept_env++] =
1314 intptr = &options->permit_tun;
1315 arg = strdelim(&cp);
1316 if (!arg || *arg == '\0')
1317 fatal("%s line %d: Missing yes/point-to-point/"
1318 "ethernet/no argument.", filename, linenum);
1320 for (i = 0; tunmode_desc[i].val != -1; i++)
1321 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1322 value = tunmode_desc[i].val;
1326 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1327 "no argument: %s", filename, linenum, arg);
1334 fatal("Match directive not supported as a command-line "
1336 value = match_cfg_line(&cp, linenum, user, host, address);
1338 fatal("%s line %d: Bad Match condition", filename,
1344 arg = strdelim(&cp);
1345 if (!arg || *arg == '\0')
1346 fatal("%s line %d: missing PermitOpen specification",
1348 n = options->num_permitted_opens; /* modified later */
1349 if (strcmp(arg, "any") == 0) {
1350 if (*activep && n == -1) {
1351 channel_clear_adm_permitted_opens();
1352 options->num_permitted_opens = 0;
1356 if (*activep && n == -1)
1357 channel_clear_adm_permitted_opens();
1358 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1361 fatal("%s line %d: missing host in PermitOpen",
1363 p = cleanhostname(p);
1364 if (arg == NULL || (port = a2port(arg)) <= 0)
1365 fatal("%s line %d: bad port number in "
1366 "PermitOpen", filename, linenum);
1367 if (*activep && n == -1)
1368 options->num_permitted_opens =
1369 channel_add_adm_permitted_opens(p, port);
1375 fatal("%.200s line %d: Missing argument.", filename,
1377 len = strspn(cp, WHITESPACE);
1378 if (*activep && options->adm_forced_command == NULL)
1379 options->adm_forced_command = xstrdup(cp + len);
1382 case sChrootDirectory:
1383 charptr = &options->chroot_directory;
1385 arg = strdelim(&cp);
1386 if (!arg || *arg == '\0')
1387 fatal("%s line %d: missing file name.",
1389 if (*activep && *charptr == NULL)
1390 *charptr = xstrdup(arg);
1394 logit("%s line %d: Deprecated option %s",
1395 filename, linenum, arg);
1397 arg = strdelim(&cp);
1401 logit("%s line %d: Unsupported option %s",
1402 filename, linenum, arg);
1404 arg = strdelim(&cp);
1408 fatal("%s line %d: Missing handler for opcode %s (%d)",
1409 filename, linenum, arg, opcode);
1411 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1412 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1413 filename, linenum, arg);
1417 /* Reads the server configuration file. */
1420 load_server_config(const char *filename, Buffer *conf)
1422 char line[1024], *cp;
1425 debug2("%s: filename %s", __func__, filename);
1426 if ((f = fopen(filename, "r")) == NULL) {
1431 while (fgets(line, sizeof(line), f)) {
1433 * Trim out comments and strip whitespace
1434 * NB - preserve newlines, they are needed to reproduce
1435 * line numbers later for error messages
1437 if ((cp = strchr(line, '#')) != NULL)
1438 memcpy(cp, "\n", 2);
1439 cp = line + strspn(line, " \t\r");
1441 buffer_append(conf, cp, strlen(cp));
1443 buffer_append(conf, "\0", 1);
1445 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1449 parse_server_match_config(ServerOptions *options, const char *user,
1450 const char *host, const char *address)
1454 initialize_server_options(&mo);
1455 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1456 copy_set_server_options(options, &mo, 0);
1460 #define M_CP_INTOPT(n) do {\
1464 #define M_CP_STROPT(n) do {\
1465 if (src->n != NULL) { \
1466 if (dst->n != NULL) \
1473 * Copy any supported values that are set.
1475 * If the preauth flag is set, we do not bother copying the the string or
1476 * array values that are not used pre-authentication, because any that we
1477 * do use must be explictly sent in mm_getpwnamallow().
1480 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1482 M_CP_INTOPT(password_authentication);
1483 M_CP_INTOPT(gss_authentication);
1484 M_CP_INTOPT(rsa_authentication);
1485 M_CP_INTOPT(pubkey_authentication);
1486 M_CP_INTOPT(kerberos_authentication);
1487 M_CP_INTOPT(hostbased_authentication);
1488 M_CP_INTOPT(kbd_interactive_authentication);
1489 M_CP_INTOPT(zero_knowledge_password_authentication);
1490 M_CP_INTOPT(permit_root_login);
1491 M_CP_INTOPT(permit_empty_passwd);
1493 M_CP_INTOPT(allow_tcp_forwarding);
1494 M_CP_INTOPT(allow_agent_forwarding);
1495 M_CP_INTOPT(gateway_ports);
1496 M_CP_INTOPT(x11_display_offset);
1497 M_CP_INTOPT(x11_forwarding);
1498 M_CP_INTOPT(x11_use_localhost);
1499 M_CP_INTOPT(max_sessions);
1500 M_CP_INTOPT(max_authtries);
1502 M_CP_STROPT(banner);
1505 M_CP_STROPT(adm_forced_command);
1506 M_CP_STROPT(chroot_directory);
1513 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1514 const char *user, const char *host, const char *address)
1516 int active, linenum, bad_options = 0;
1517 char *cp, *obuf, *cbuf;
1519 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1521 obuf = cbuf = xstrdup(buffer_ptr(conf));
1522 active = user ? 0 : 1;
1524 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1525 if (process_server_config_line(options, cp, filename,
1526 linenum++, &active, user, host, address) != 0)
1530 if (bad_options > 0)
1531 fatal("%s: terminating, %d bad configuration options",
1532 filename, bad_options);
1536 fmt_intarg(ServerOpCodes code, int val)
1538 if (code == sAddressFamily) {
1550 if (code == sPermitRootLogin) {
1552 case PERMIT_NO_PASSWD:
1553 return "without-password";
1554 case PERMIT_FORCED_ONLY:
1555 return "forced-commands-only";
1560 if (code == sProtocol) {
1566 case (SSH_PROTO_1|SSH_PROTO_2):
1572 if (code == sGatewayPorts && val == 2)
1573 return "clientspecified";
1574 if (code == sCompression && val == COMP_DELAYED)
1588 lookup_opcode_name(ServerOpCodes code)
1592 for (i = 0; keywords[i].name != NULL; i++)
1593 if (keywords[i].opcode == code)
1594 return(keywords[i].name);
1599 dump_cfg_int(ServerOpCodes code, int val)
1601 printf("%s %d\n", lookup_opcode_name(code), val);
1605 dump_cfg_fmtint(ServerOpCodes code, int val)
1607 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1611 dump_cfg_string(ServerOpCodes code, const char *val)
1615 printf("%s %s\n", lookup_opcode_name(code), val);
1619 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1623 for (i = 0; i < count; i++)
1624 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1628 dump_config(ServerOptions *o)
1632 struct addrinfo *ai;
1633 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1635 /* these are usually at the top of the config */
1636 for (i = 0; i < o->num_ports; i++)
1637 printf("port %d\n", o->ports[i]);
1638 dump_cfg_fmtint(sProtocol, o->protocol);
1639 dump_cfg_fmtint(sAddressFamily, o->address_family);
1641 /* ListenAddress must be after Port */
1642 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1643 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1644 sizeof(addr), port, sizeof(port),
1645 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1646 error("getnameinfo failed: %.100s",
1647 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1650 if (ai->ai_family == AF_INET6)
1651 printf("listenaddress [%s]:%s\n", addr, port);
1653 printf("listenaddress %s:%s\n", addr, port);
1657 /* integer arguments */
1659 dump_cfg_int(sUsePAM, o->use_pam);
1661 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1662 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1663 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1664 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1665 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1666 dump_cfg_int(sMaxSessions, o->max_sessions);
1667 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1668 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1670 /* formatted integer arguments */
1671 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1672 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1673 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1674 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1675 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1676 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1677 o->hostbased_uses_name_from_packet_only);
1678 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1679 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1681 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1682 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1683 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1685 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1689 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1690 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1693 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1694 o->zero_knowledge_password_authentication);
1696 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1697 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1698 o->kbd_interactive_authentication);
1699 dump_cfg_fmtint(sChallengeResponseAuthentication,
1700 o->challenge_response_authentication);
1701 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1702 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1703 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1704 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1705 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1706 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1707 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1708 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1709 dump_cfg_fmtint(sUseLogin, o->use_login);
1710 dump_cfg_fmtint(sCompression, o->compression);
1711 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1712 dump_cfg_fmtint(sUseDNS, o->use_dns);
1713 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1714 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1716 /* string arguments */
1717 dump_cfg_string(sPidFile, o->pid_file);
1718 dump_cfg_string(sXAuthLocation, o->xauth_location);
1719 dump_cfg_string(sCiphers, o->ciphers);
1720 dump_cfg_string(sMacs, o->macs);
1721 dump_cfg_string(sBanner, o->banner);
1722 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1723 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1724 dump_cfg_string(sForceCommand, o->adm_forced_command);
1726 /* string arguments requiring a lookup */
1727 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1728 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1730 /* string array arguments */
1731 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1733 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1734 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1735 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1736 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1737 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1739 /* other arguments */
1740 for (i = 0; i < o->num_subsystems; i++)
1741 printf("subsystem %s %s\n", o->subsystem_name[i],
1742 o->subsystem_args[i]);
1744 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1745 o->max_startups_rate, o->max_startups);
1747 for (i = 0; tunmode_desc[i].val != -1; i++)
1748 if (tunmode_desc[i].val == o->permit_tun) {
1749 s = tunmode_desc[i].text;
1752 dump_cfg_string(sPermitTunnel, s);
1754 channel_print_adm_permitted_opens();