1 /* $OpenBSD: readconf.c,v 1.167 2008/06/26 11:46:31 grunk Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
46 /* Format of the configuration file:
48 # Configuration data is parsed as follows:
49 # 1. command line options
50 # 2. user-specific file
52 # Any configuration value is only changed the first time it is set.
53 # Thus, host-specific definitions should be at the beginning of the
54 # configuration file, and defaults at the end.
56 # Host-specific declarations. These may override anything above. A single
57 # host may match multiple declarations; these are processed in the order
58 # that they are given in.
64 HostName another.host.name.real.org
71 RemoteForward 9999 shadows.cs.hut.fi:9999
77 PasswordAuthentication no
81 ProxyCommand ssh-proxy %h %p
84 PublicKeyAuthentication no
88 PasswordAuthentication no
94 # Defaults for various options
98 PasswordAuthentication yes
100 RhostsRSAAuthentication yes
101 StrictHostKeyChecking yes
103 IdentityFile ~/.ssh/identity
109 /* Keyword tokens. */
/*
 * Opcodes produced by parse_token() from the keywords table and switched
 * on by process_config_line().  oDeprecated and oUnsupported are catch-alls
 * for keywords that are still recognised but whose value is ignored with a
 * debug()/error() message.
 * NOTE(review): the keywords table also references oGssKeyEx, oGssTrustDns,
 * oHPNBufferSize and oVisualHostKey, which are not among the members shown
 * here -- confirm they are declared (possibly under a preprocessor guard).
 */
113 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
114 oExitOnForwardFailure,
115 oPasswordAuthentication, oRSAAuthentication,
116 oChallengeResponseAuthentication, oXAuthLocation,
117 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
118 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
119 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
120 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
121 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
122 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
123 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
124 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
125 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
126 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
127 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
129 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
132 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
133 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
134 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
/* HPN (high-performance networking patch) additions. */
136 oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
138 oDeprecated, oUnsupported
141 /* Textual representations of the tokens. */
/*
 * Keyword lookup table consulted by parse_token().  Names are matched with
 * strcasecmp() and the FIRST matching entry wins, so any later duplicate is
 * unreachable.  Obsolete spellings are kept as aliases so old configuration
 * files still parse.  The gssapi and smartcarddevice entries each appear
 * twice (once real, once oUnsupported); presumably the two groups sit under
 * #if/#else preprocessor conditionals whose directives are not shown here
 * -- confirm.
 */
147 { "forwardagent", oForwardAgent },
148 { "forwardx11", oForwardX11 },
149 { "forwardx11trusted", oForwardX11Trusted },
150 { "exitonforwardfailure", oExitOnForwardFailure },
151 { "xauthlocation", oXAuthLocation },
152 { "gatewayports", oGatewayPorts },
153 { "useprivilegedport", oUsePrivilegedPort },
154 { "rhostsauthentication", oDeprecated },
155 { "passwordauthentication", oPasswordAuthentication },
156 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
157 { "kbdinteractivedevices", oKbdInteractiveDevices },
158 { "rsaauthentication", oRSAAuthentication },
159 { "pubkeyauthentication", oPubkeyAuthentication },
160 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
161 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
162 { "hostbasedauthentication", oHostbasedAuthentication },
163 { "challengeresponseauthentication", oChallengeResponseAuthentication },
164 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
165 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
/* Kerberos/AFS keywords are recognised only so they do not count as bad options. */
166 { "kerberosauthentication", oUnsupported },
167 { "kerberostgtpassing", oUnsupported },
168 { "afstokenpassing", oUnsupported },
/* GSSAPI group, build with GSSAPI support (conditional presumed, see above). */
170 { "gssapiauthentication", oGssAuthentication },
171 { "gssapikeyexchange", oGssKeyEx },
172 { "gssapidelegatecredentials", oGssDelegateCreds },
173 { "gssapitrustdns", oGssTrustDns },
/* GSSAPI group, build without GSSAPI support: same names, values ignored. */
175 { "gssapiauthentication", oUnsupported },
176 { "gssapikeyexchange", oUnsupported },
177 { "gssapidelegatecredentials", oUnsupported },
178 { "gssapitrustdns", oUnsupported },
180 { "fallbacktorsh", oDeprecated },
181 { "usersh", oDeprecated },
182 { "identityfile", oIdentityFile },
183 { "identityfile2", oIdentityFile }, /* alias */
184 { "identitiesonly", oIdentitiesOnly },
185 { "hostname", oHostName },
186 { "hostkeyalias", oHostKeyAlias },
187 { "proxycommand", oProxyCommand },
189 { "cipher", oCipher },
190 { "ciphers", oCiphers },
192 { "protocol", oProtocol },
193 { "remoteforward", oRemoteForward },
194 { "localforward", oLocalForward },
197 { "escapechar", oEscapeChar },
198 { "globalknownhostsfile", oGlobalKnownHostsFile },
199 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
200 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
201 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
202 { "connectionattempts", oConnectionAttempts },
203 { "batchmode", oBatchMode },
204 { "checkhostip", oCheckHostIP },
205 { "stricthostkeychecking", oStrictHostKeyChecking },
206 { "compression", oCompression },
207 { "compressionlevel", oCompressionLevel },
208 { "tcpkeepalive", oTCPKeepAlive },
209 { "keepalive", oTCPKeepAlive }, /* obsolete */
210 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
211 { "loglevel", oLogLevel },
212 { "dynamicforward", oDynamicForward },
213 { "preferredauthentications", oPreferredAuthentications },
214 { "hostkeyalgorithms", oHostKeyAlgorithms },
215 { "bindaddress", oBindAddress },
/* Smartcard keyword: real entry, then the no-smartcard fallback (conditional presumed). */
217 { "smartcarddevice", oSmartcardDevice },
219 { "smartcarddevice", oUnsupported },
221 { "clearallforwardings", oClearAllForwardings },
222 { "enablesshkeysign", oEnableSSHKeysign },
223 { "verifyhostkeydns", oVerifyHostKeyDNS },
224 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
225 { "rekeylimit", oRekeyLimit },
226 { "connecttimeout", oConnectTimeout },
227 { "addressfamily", oAddressFamily },
228 { "serveraliveinterval", oServerAliveInterval },
229 { "serveralivecountmax", oServerAliveCountMax },
230 { "sendenv", oSendEnv },
231 { "controlpath", oControlPath },
232 { "controlmaster", oControlMaster },
233 { "hashknownhosts", oHashKnownHosts },
234 { "tunnel", oTunnel },
235 { "tunneldevice", oTunnelDevice },
236 { "localcommand", oLocalCommand },
237 { "permitlocalcommand", oPermitLocalCommand },
/* HPN additions. */
238 { "noneenabled", oNoneEnabled },
239 { "tcprcvbufpoll", oTcpRcvBufPoll },
240 { "tcprcvbuf", oTcpRcvBuf },
241 { "noneswitch", oNoneSwitch },
242 { "hpndisabled", oHPNDisabled },
243 { "hpnbuffersize", oHPNBufferSize },
244 { "visualhostkey", oVisualHostKey },
/*
 * NOTE(review): the six entries below duplicate the HPN entries just above
 * (the patch appears to have been applied twice).  parse_token() stops at
 * the first match, so they are dead and can be removed.
 */
245 { "noneenabled", oNoneEnabled },
246 { "tcprcvbufpoll", oTcpRcvBufPoll },
247 { "tcprcvbuf", oTcpRcvBuf },
248 { "noneswitch", oNoneSwitch },
249 { "hpndisabled", oHPNDisabled },
250 { "hpnbuffersize", oHPNBufferSize },
255 * Adds a local TCP/IP port forward to options. Never returns if there is an
/*
 * Adds a local TCP/IP port forward to options.  Never returns if there is
 * an error: a non-root user may not forward a privileged listen port, and
 * the per-direction table holds at most SSH_MAX_FORWARDS_PER_DIRECTION
 * entries.  Host strings are copied with xstrdup() (listen_host may be
 * NULL); clear_forwardings() releases them.
 */
void
add_local_forward(Options *options, const Forward *newfwd)
{
	Forward *slot;
	int idx;

#ifndef NO_IPPORT_RESERVED_CONCEPT
	extern uid_t original_real_uid;

	/* Binding below IPPORT_RESERVED is a root-only privilege. */
	if (original_real_uid != 0 && newfwd->listen_port < IPPORT_RESERVED)
		fatal("Privileged ports can only be forwarded by root.");
#endif
	idx = options->num_local_forwards;
	if (idx >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
	options->num_local_forwards = idx + 1;
	slot = &options->local_forwards[idx];

	slot->listen_port = newfwd->listen_port;
	slot->connect_port = newfwd->connect_port;
	slot->connect_host = xstrdup(newfwd->connect_host);
	slot->listen_host = NULL;
	if (newfwd->listen_host != NULL)
		slot->listen_host = xstrdup(newfwd->listen_host);
}
280 * Adds a remote TCP/IP port forward to options. Never returns if there is
/*
 * Adds a remote TCP/IP port forward to options.  Never returns if there is
 * an error (the per-direction table holds at most
 * SSH_MAX_FORWARDS_PER_DIRECTION entries).  Unlike add_local_forward()
 * there is no local privileged-port check: the listening socket for a
 * remote forward is opened on the remote side.  Host strings are copied
 * with xstrdup(); listen_host may be NULL.
 */
void
add_remote_forward(Options *options, const Forward *newfwd)
{
	Forward *slot;
	int idx = options->num_remote_forwards;

	if (idx >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many remote forwards (max %d).",
		    SSH_MAX_FORWARDS_PER_DIRECTION);
	slot = &options->remote_forwards[idx];
	options->num_remote_forwards = idx + 1;

	slot->listen_port = newfwd->listen_port;
	slot->connect_port = newfwd->connect_port;
	slot->connect_host = xstrdup(newfwd->connect_host);
	slot->listen_host = newfwd->listen_host != NULL ?
	    xstrdup(newfwd->listen_host) : NULL;
}
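/*
 * Releases the strings owned by the first n entries of fwds and nulls the
 * pointers, so a stale entry can never be freed a second time.
 * Helper for clear_forwardings().
 */
static void
free_forward_entries(Forward *fwds, int n)
{
	int i;

	for (i = 0; i < n; i++) {
		/* listen_host is optional; keep the NULL guard the original had. */
		if (fwds[i].listen_host != NULL)
			xfree(fwds[i].listen_host);
		fwds[i].listen_host = NULL;
		xfree(fwds[i].connect_host);
		fwds[i].connect_host = NULL;
	}
}

/*
 * Drops every configured local and remote forwarding and disables tunnel
 * forwarding.  Called from fill_default_options() when ClearAllForwardings
 * is set.
 */
void
clear_forwardings(Options *options)
{
	free_forward_entries(options->local_forwards,
	    options->num_local_forwards);
	options->num_local_forwards = 0;
	free_forward_entries(options->remote_forwards,
	    options->num_remote_forwards);
	options->num_remote_forwards = 0;
	options->tun_open = SSH_TUNMODE_NO;
}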
321 * Returns the number of the token pointed to by cp or oBadOption.
/*
 * Maps the keyword cp (case-insensitively) to its opcode using the keywords
 * table.  Unknown keywords are reported with the file name and line number
 * and yield oBadOption; the caller decides whether that is fatal.
 */
static OpCodes
parse_token(const char *cp, const char *filename, int linenum)
{
	u_int idx = 0;

	/* The table is terminated by an entry whose name is NULL. */
	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return oBadOption;
}
339 * Processes a single option line as used in the configuration files. This
340 * only sets those values that have not already been set.
342 #define WHITESPACE " \t\r\n"
/*
 * Parses one configuration line into options, modifying line in place via
 * strdelim().  A field is written only while *activep is set (Host blocks
 * toggle it) and only if it still holds its "unset" sentinel (-1 / NULL /
 * SSH_PROTO_UNKNOWN / SYSLOG_LEVEL_NOT_SET), so the first source to set a
 * value wins.  Malformed values are fatal(); an unknown keyword is reported
 * and returned as non-zero so read_config_file() can count it.
 */
345 process_config_line(Options *options, const char *host,
346 char *line, const char *filename, int linenum,
349 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
350 int opcode, *intptr, value, value2, scale;
351 LogLevel *log_level_ptr;
352 long long orig, val64;
356 /* Strip trailing whitespace */
/*
 * NOTE(review): if len is an unsigned type (its declaration is not shown
 * here), strlen(line) - 1 wraps for an empty line and line[len] is read out
 * of bounds.  fgets() never yields "", but an empty command-line option
 * string would; an explicit strlen(line) == 0 check before the loop would
 * close that.
 */
357 for (len = strlen(line) - 1; len > 0; len--) {
358 if (strchr(WHITESPACE, line[len]) == NULL)
364 /* Get the keyword. (Each line is supposed to begin with a keyword). */
365 if ((keyword = strdelim(&s)) == NULL)
367 /* Ignore leading whitespace. */
368 if (*keyword == '\0')
369 keyword = strdelim(&s);
/* Blank lines and '#' comments are accepted silently. */
370 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
373 opcode = parse_token(keyword, filename, linenum);
377 /* don't panic, but count bad options */
380 case oConnectTimeout:
381 intptr = &options->connection_timeout;
384 if (!arg || *arg == '\0')
385 fatal("%s line %d: missing time value.",
/* convtime() returns -1 for an unparsable duration. */
387 if ((value = convtime(arg)) == -1)
388 fatal("%s line %d: invalid time value.",
390 if (*activep && *intptr == -1)
/*
 * Boolean options: each case aims intptr at its field and then shares the
 * yes/no parser that follows (presumably via a parse_flag label on a line
 * not shown here).
 */
395 intptr = &options->forward_agent;
398 if (!arg || *arg == '\0')
399 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
400 value = 0; /* To avoid compiler warning... */
401 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
403 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
406 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
407 if (*activep && *intptr == -1)
412 intptr = &options->forward_x11;
415 case oForwardX11Trusted:
416 intptr = &options->forward_x11_trusted;
420 intptr = &options->gateway_ports;
423 case oExitOnForwardFailure:
424 intptr = &options->exit_on_forward_failure;
427 case oUsePrivilegedPort:
428 intptr = &options->use_privileged_port;
431 case oPasswordAuthentication:
432 intptr = &options->password_authentication;
435 case oKbdInteractiveAuthentication:
436 intptr = &options->kbd_interactive_authentication;
439 case oKbdInteractiveDevices:
440 charptr = &options->kbd_interactive_devices;
443 case oPubkeyAuthentication:
444 intptr = &options->pubkey_authentication;
447 case oRSAAuthentication:
448 intptr = &options->rsa_authentication;
451 case oRhostsRSAAuthentication:
452 intptr = &options->rhosts_rsa_authentication;
455 case oHostbasedAuthentication:
456 intptr = &options->hostbased_authentication;
459 case oChallengeResponseAuthentication:
460 intptr = &options->challenge_response_authentication;
463 case oGssAuthentication:
464 intptr = &options->gss_authentication;
468 intptr = &options->gss_keyex;
471 case oGssDelegateCreds:
472 intptr = &options->gss_deleg_creds;
476 intptr = &options->gss_trust_dns;
480 intptr = &options->batch_mode;
484 intptr = &options->check_host_ip;
488 intptr = &options->none_enabled;
491 /* we check to see if the command comes from the */
492 /* command line or not. If it does then enable it */
493 /* otherwise fail. NONE should never be a default configuration */
/*
 * NoneSwitch (the HPN "none" cipher switch) is honoured only when the line
 * came from the command line.  Origin is decided solely by the filename
 * string "command-line" that callers pass, so that name must be reserved
 * for argv-derived options; from any other source the directive is
 * reported and not applied.
 */
495 if(strcmp(filename,"command-line")==0)
497 intptr = &options->none_switch;
500 error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
501 error("Continuing...");
502 debug("NoneSwitch directive found in %.200s.", filename);
507 intptr = &options->hpn_disabled;
511 intptr = &options->hpn_buffer_size;
515 intptr = &options->tcp_rcv_buf_poll;
518 case oVerifyHostKeyDNS:
519 intptr = &options->verify_host_key_dns;
522 case oStrictHostKeyChecking:
523 intptr = &options->strict_host_key_checking;
/*
 * Three-state flag: yes, no or ask ("ask" presumably maps to the same
 * value 2 that fill_default_options() applies as the default).
 */
526 if (!arg || *arg == '\0')
527 fatal("%.200s line %d: Missing yes/no/ask argument.",
529 value = 0; /* To avoid compiler warning... */
530 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
532 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
534 else if (strcmp(arg, "ask") == 0)
537 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
538 if (*activep && *intptr == -1)
543 intptr = &options->compression;
547 intptr = &options->tcp_keep_alive;
550 case oNoHostAuthenticationForLocalhost:
551 intptr = &options->no_host_authentication_for_localhost;
554 case oNumberOfPasswordPrompts:
555 intptr = &options->number_of_password_prompts;
558 case oCompressionLevel:
559 intptr = &options->compression_level;
/* RekeyLimit: a byte count with optional size suffix, stored as u_int32_t. */
564 if (!arg || *arg == '\0')
565 fatal("%.200s line %d: Missing argument.", filename, linenum);
566 if (arg[0] < '0' || arg[0] > '9')
567 fatal("%.200s line %d: Bad number.", filename, linenum);
568 orig = val64 = strtoll(arg, &endofnumber, 10);
569 if (arg == endofnumber)
570 fatal("%.200s line %d: Bad number.", filename, linenum);
/*
 * The suffix cases (not shown here) choose scale and multiply val64 by it.
 * NOTE: *endofnumber is a plain char; <ctype.h> functions expect an
 * unsigned char value, so cast before calling toupper() to avoid UB on
 * negative chars.
 */
571 switch (toupper(*endofnumber)) {
585 fatal("%.200s line %d: Invalid RekeyLimit suffix",
589 /* detect integer wrap and too-large limits */
/* Dividing back must reproduce orig; the field itself is only 32 bits wide. */
590 if ((val64 / scale) != orig || val64 > UINT_MAX)
591 fatal("%.200s line %d: RekeyLimit too large",
594 fatal("%.200s line %d: RekeyLimit too small",
596 if (*activep && options->rekey_limit == -1)
597 options->rekey_limit = (u_int32_t)val64;
/*
 * IdentityFile accumulates rather than first-wins: each occurrence appends
 * a copy (presumably inside an *activep guard on a line not shown here).
 */
602 if (!arg || *arg == '\0')
603 fatal("%.200s line %d: Missing argument.", filename, linenum);
605 intptr = &options->num_identity_files;
606 if (*intptr >= SSH_MAX_IDENTITY_FILES)
607 fatal("%.200s line %d: Too many identity files specified (max %d).",
608 filename, linenum, SSH_MAX_IDENTITY_FILES);
609 charptr = &options->identity_files[*intptr];
610 *charptr = xstrdup(arg);
611 *intptr = *intptr + 1;
/* String options: each case aims charptr at its field and shares the copy below. */
616 charptr=&options->xauth_location;
620 charptr = &options->user;
623 if (!arg || *arg == '\0')
624 fatal("%.200s line %d: Missing argument.", filename, linenum);
625 if (*activep && *charptr == NULL)
626 *charptr = xstrdup(arg);
629 case oGlobalKnownHostsFile:
630 charptr = &options->system_hostfile;
633 case oUserKnownHostsFile:
634 charptr = &options->user_hostfile;
637 case oGlobalKnownHostsFile2:
638 charptr = &options->system_hostfile2;
641 case oUserKnownHostsFile2:
642 charptr = &options->user_hostfile2;
646 charptr = &options->hostname;
650 charptr = &options->host_key_alias;
653 case oPreferredAuthentications:
654 charptr = &options->preferred_authentications;
658 charptr = &options->bind_address;
661 case oSmartcardDevice:
662 charptr = &options->smartcard_device;
/*
 * ProxyCommand keeps the remainder of the line verbatim (only leading
 * whitespace and '=' are skipped) because the command may contain spaces.
 * Since this string is executed later, it is the prime example of why
 * read_config_file() rejects config files that others can write.
 */
666 charptr = &options->proxy_command;
669 fatal("%.200s line %d: Missing argument.", filename, linenum);
670 len = strspn(s, WHITESPACE "=");
671 if (*activep && *charptr == NULL)
672 *charptr = xstrdup(s + len);
/*
 * Integer options: each case aims intptr at its field and shares the
 * parser below (presumably via a parse_int label on a line not shown).
 */
676 intptr = &options->port;
679 if (!arg || *arg == '\0')
680 fatal("%.200s line %d: Missing argument.", filename, linenum);
681 if (arg[0] < '0' || arg[0] > '9')
682 fatal("%.200s line %d: Bad number.", filename, linenum);
684 /* Octal, decimal, or hex format? */
/*
 * NOTE(review): no range check -- errno/ERANGE is not inspected and the
 * long is narrowed to int, so Port, ConnectionAttempts, CompressionLevel
 * etc. accept out-of-range values here; consumers must validate.
 */
685 value = strtol(arg, &endofnumber, 0);
686 if (arg == endofnumber)
687 fatal("%.200s line %d: Bad number.", filename, linenum);
688 if (*activep && *intptr == -1)
692 case oConnectionAttempts:
693 intptr = &options->connection_attempts;
697 intptr = &options->tcp_rcv_buf;
/* Protocol-1 cipher selection by name; an unknown name is fatal. */
701 intptr = &options->cipher;
703 if (!arg || *arg == '\0')
704 fatal("%.200s line %d: Missing argument.", filename, linenum);
705 value = cipher_number(arg);
707 fatal("%.200s line %d: Bad cipher '%s'.",
708 filename, linenum, arg ? arg : "<NONE>");
709 if (*activep && *intptr == -1)
/* Protocol-2 cipher, MAC and host-key lists are validated but stored as strings. */
715 if (!arg || *arg == '\0')
716 fatal("%.200s line %d: Missing argument.", filename, linenum);
717 if (!ciphers_valid(arg))
718 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
719 filename, linenum, arg ? arg : "<NONE>");
720 if (*activep && options->ciphers == NULL)
721 options->ciphers = xstrdup(arg);
726 if (!arg || *arg == '\0')
727 fatal("%.200s line %d: Missing argument.", filename, linenum);
729 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
730 filename, linenum, arg ? arg : "<NONE>");
731 if (*activep && options->macs == NULL)
732 options->macs = xstrdup(arg);
735 case oHostKeyAlgorithms:
737 if (!arg || *arg == '\0')
738 fatal("%.200s line %d: Missing argument.", filename, linenum);
739 if (!key_names_valid2(arg))
740 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
741 filename, linenum, arg ? arg : "<NONE>");
742 if (*activep && options->hostkeyalgorithms == NULL)
743 options->hostkeyalgorithms = xstrdup(arg);
747 intptr = &options->protocol;
749 if (!arg || *arg == '\0')
750 fatal("%.200s line %d: Missing argument.", filename, linenum);
751 value = proto_spec(arg);
752 if (value == SSH_PROTO_UNKNOWN)
753 fatal("%.200s line %d: Bad protocol spec '%s'.",
754 filename, linenum, arg ? arg : "<NONE>");
755 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
760 log_level_ptr = &options->log_level;
762 value = log_level_number(arg);
763 if (value == SYSLOG_LEVEL_NOT_SET)
764 fatal("%.200s line %d: unsupported log level '%s'",
765 filename, linenum, arg ? arg : "<NONE>");
766 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
767 *log_level_ptr = (LogLevel) value;
/*
 * LocalForward / RemoteForward take two tokens (port spec and target),
 * re-joined with ':' so parse_forward() sees one spec.
 * NOTE(review): fwdarg is 256 bytes and the snprintf() result is not
 * checked, so an over-long spec is silently truncated before parsing;
 * checking for truncation would give a clear error instead.
 */
773 if (arg == NULL || *arg == '\0')
774 fatal("%.200s line %d: Missing port argument.",
777 if (arg2 == NULL || *arg2 == '\0')
778 fatal("%.200s line %d: Missing target argument.",
781 /* construct a string for parse_forward */
782 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
784 if (parse_forward(&fwd, fwdarg) == 0)
785 fatal("%.200s line %d: Bad forwarding specification.",
/* add_*_forward() copy the strings (xstrdup); fwd itself is a local. */
789 if (opcode == oLocalForward)
790 add_local_forward(options, &fwd);
791 else if (opcode == oRemoteForward)
792 add_remote_forward(options, &fwd);
796 case oDynamicForward:
798 if (!arg || *arg == '\0')
799 fatal("%.200s line %d: Missing port argument.",
/*
 * DynamicForward is a local forward whose target is the in-process SOCKS
 * proxy.  connect_host points at a string literal here, which is safe only
 * because add_local_forward() copies it with xstrdup() -- otherwise
 * clear_forwardings() would try to free the literal.
 */
801 memset(&fwd, '\0', sizeof(fwd));
802 fwd.connect_host = "socks";
/* Accepts "[bind_address:]port": if hpdelim() leaves a remainder, the first token was the address. */
803 fwd.listen_host = hpdelim(&arg);
804 if (fwd.listen_host == NULL ||
805 strlen(fwd.listen_host) >= NI_MAXHOST)
806 fatal("%.200s line %d: Bad forwarding specification.",
809 fwd.listen_port = a2port(arg);
810 fwd.listen_host = cleanhostname(fwd.listen_host);
/* No remainder: the only token was the port; listen_host NULL means the default address. */
812 fwd.listen_port = a2port(fwd.listen_host);
813 fwd.listen_host = NULL;
815 if (fwd.listen_port == 0)
816 fatal("%.200s line %d: Badly formatted port number.",
819 add_local_forward(options, &fwd);
822 case oClearAllForwardings:
823 intptr = &options->clear_forwardings;
/*
 * Host: *activep is reset for the new block and set again only when one
 * of the patterns matches host (those assignments are on lines not shown
 * here).  Everything that follows in the file applies only while it is set.
 */
828 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
829 if (match_pattern(host, arg)) {
830 debug("Applying options for %.100s", arg);
834 /* Avoid garbage check below, as strdelim is done. */
838 intptr = &options->escape_char;
840 if (!arg || *arg == '\0')
841 fatal("%.200s line %d: Missing argument.", filename, linenum);
/*
 * "^X" control form.  NOTE(review): for the one-byte argument "^", arg[1]
 * is the terminator and arg[2] is read one byte past it; test arg[1] (or
 * strlen) before arg[2] to avoid the over-read.
 */
842 if (arg[0] == '^' && arg[2] == 0 &&
843 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
844 value = (u_char) arg[1] & 31;
845 else if (strlen(arg) == 1)
846 value = (u_char) arg[0];
847 else if (strcmp(arg, "none") == 0)
848 value = SSH_ESCAPECHAR_NONE;
850 fatal("%.200s line %d: Bad escape character.",
853 value = 0; /* Avoid compiler warning. */
855 if (*activep && *intptr == -1)
861 if (!arg || *arg == '\0')
862 fatal("%s line %d: missing address family.",
864 intptr = &options->address_family;
865 if (strcasecmp(arg, "inet") == 0)
867 else if (strcasecmp(arg, "inet6") == 0)
869 else if (strcasecmp(arg, "any") == 0)
/* Unlike the other diagnostics this one omits the file name and line number. */
872 fatal("Unsupported AddressFamily \"%s\"", arg);
873 if (*activep && *intptr == -1)
877 case oEnableSSHKeysign:
878 intptr = &options->enable_ssh_keysign;
881 case oIdentitiesOnly:
882 intptr = &options->identities_only;
885 case oServerAliveInterval:
886 intptr = &options->server_alive_interval;
889 case oServerAliveCountMax:
890 intptr = &options->server_alive_count_max;
/*
 * SendEnv takes variable-name patterns only; an '=' would look like an
 * assignment and is rejected.  Like IdentityFile this accumulates, up to
 * MAX_SEND_ENV entries.
 */
894 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
895 if (strchr(arg, '=') != NULL)
896 fatal("%s line %d: Invalid environment name.",
900 if (options->num_send_env >= MAX_SEND_ENV)
901 fatal("%s line %d: too many send env.",
903 options->send_env[options->num_send_env++] =
909 charptr = &options->control_path;
913 intptr = &options->control_master;
915 if (!arg || *arg == '\0')
916 fatal("%.200s line %d: Missing ControlMaster argument.",
918 value = 0; /* To avoid compiler warning... */
919 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
920 value = SSHCTL_MASTER_YES;
921 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
922 value = SSHCTL_MASTER_NO;
923 else if (strcmp(arg, "auto") == 0)
924 value = SSHCTL_MASTER_AUTO;
925 else if (strcmp(arg, "ask") == 0)
926 value = SSHCTL_MASTER_ASK;
927 else if (strcmp(arg, "autoask") == 0)
928 value = SSHCTL_MASTER_AUTO_ASK;
930 fatal("%.200s line %d: Bad ControlMaster argument.",
932 if (*activep && *intptr == -1)
936 case oHashKnownHosts:
937 intptr = &options->hash_known_hosts;
/* Tunnel keywords are matched case-insensitively, unlike the yes/no flags above. */
941 intptr = &options->tun_open;
943 if (!arg || *arg == '\0')
944 fatal("%s line %d: Missing yes/point-to-point/"
945 "ethernet/no argument.", filename, linenum);
946 value = 0; /* silence compiler */
947 if (strcasecmp(arg, "ethernet") == 0)
948 value = SSH_TUNMODE_ETHERNET;
949 else if (strcasecmp(arg, "point-to-point") == 0)
950 value = SSH_TUNMODE_POINTOPOINT;
951 else if (strcasecmp(arg, "yes") == 0)
952 value = SSH_TUNMODE_DEFAULT;
953 else if (strcasecmp(arg, "no") == 0)
954 value = SSH_TUNMODE_NO;
956 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
957 "no argument: %s", filename, linenum, arg);
/* TunnelDevice: a2tun() parses the spec into the local id (value) and remote id (value2). */
964 if (!arg || *arg == '\0')
965 fatal("%.200s line %d: Missing argument.", filename, linenum);
966 value = a2tun(arg, &value2);
967 if (value == SSH_TUNID_ERR)
968 fatal("%.200s line %d: Bad tun device.", filename, linenum);
970 options->tun_local = value;
971 options->tun_remote = value2;
976 charptr = &options->local_command;
979 case oPermitLocalCommand:
980 intptr = &options->permit_local_command;
984 intptr = &options->visual_host_key;
/* Deprecated keywords are accepted quietly (debug); unsupported ones are reported (error). */
988 debug("%s line %d: Deprecated option \"%s\"",
989 filename, linenum, keyword);
993 error("%s line %d: Unsupported option \"%s\"",
994 filename, linenum, keyword);
/* Every opcode must have a case above; reaching this is a programming error. */
998 fatal("process_config_line: Unimplemented opcode %d", opcode);
1001 /* Check that there is no garbage at end of line. */
/* Options that consume the whole line (Host, SendEnv, ProxyCommand) must exhaust s before this. */
1002 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1003 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
1004 filename, linenum, arg);
1011 * Reads the config file and modifies the options accordingly. Options
1012 * should already be initialized before this call. This never returns if
1013 * there is an error. If the file does not exist, this returns 0.
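/*
 * Reads the config file and modifies the options accordingly.  Options
 * should already be initialized before this call.  This never returns if
 * there is an error.  If the file cannot be opened, this returns 0;
 * otherwise it returns 1.
 *
 * When checkperm is set the file must be owned by root or the calling user
 * and must not be group- or world-writable: anyone who can write it can
 * supply e.g. a ProxyCommand.  The check uses fstat() on the descriptor
 * that is actually read, so it cannot be raced against the open.
 */
int
read_config_file(const char *filename, const char *host, Options *options,
    int checkperm)
{
	FILE *f;
	char line[1024];
	int active, linenum;
	int bad_options = 0;

	/* Open the file. */
	if ((f = fopen(filename, "r")) == NULL)
		return 0;

	if (checkperm) {
		struct stat sb;

		if (fstat(fileno(f), &sb) == -1)
			fatal("fstat %s: %s", filename, strerror(errno));
		if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
		    (sb.st_mode & 022) != 0))
			fatal("Bad owner or permissions on %s", filename);
	}

	debug("Reading configuration data %.200s", filename);

	/*
	 * Mark that we are now processing the options.  This flag is turned
	 * on/off by Host specifications.
	 */
	active = 1;
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * fgets() silently splits a line longer than the buffer, and
		 * the remainder would then be parsed as a directive of its
		 * own.  Refuse such lines instead of guessing; a final line
		 * without a trailing newline is still accepted.
		 */
		if (strchr(line, '\n') == NULL && getc(f) != EOF)
			fatal("%.200s line %d: line too long.",
			    filename, linenum);
		if (process_config_line(options, host, line, filename, linenum,
		    &active) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
	return 1;
}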
1061 * Initializes options to special values that indicate that they have not yet
1062 * been set. Read_config_file will only set options with this value. Options
1063 * are processed in the following order: command line, user config file,
1064 * system config file. Last, fill_default_options is called.
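/*
 * Initializes options to special values that indicate that they have not yet
 * been set.  read_config_file() will only set options with this value.
 * Options are processed in the following order: command line, user config
 * file, system config file.  Last, fill_default_options() is called.
 *
 * Sentinels: -1 for integer fields, NULL for strings, SSH_PROTO_UNKNOWN and
 * SYSLOG_LEVEL_NOT_SET for their enums, 0 for the array counts.
 */
void
initialize_options(Options *options)
{
	/*
	 * Fill the whole struct with a recognisable byte first, presumably so
	 * that a field added without a matching line below shows up as garbage
	 * rather than as a plausible zero/NULL.
	 */
	memset(options, 'X', sizeof(*options));
	options->forward_agent = -1;
	options->forward_x11 = -1;
	options->forward_x11_trusted = -1;
	options->exit_on_forward_failure = -1;
	options->xauth_location = NULL;
	options->gateway_ports = -1;
	options->use_privileged_port = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->challenge_response_authentication = -1;
	options->gss_authentication = -1;
	options->gss_keyex = -1;
	options->gss_deleg_creds = -1;
	options->gss_trust_dns = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->kbd_interactive_devices = NULL;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->batch_mode = -1;
	options->check_host_ip = -1;
	options->strict_host_key_checking = -1;
	options->compression = -1;
	options->tcp_keep_alive = -1;
	options->compression_level = -1;
	/* fill_default_options() treats -1 as "not set" for port as well. */
	options->port = -1;
	options->address_family = -1;
	options->connection_attempts = -1;
	options->connection_timeout = -1;
	options->number_of_password_prompts = -1;
	options->cipher = -1;
	options->ciphers = NULL;
	options->macs = NULL;
	options->hostkeyalgorithms = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->num_identity_files = 0;
	options->hostname = NULL;
	options->host_key_alias = NULL;
	options->proxy_command = NULL;
	options->user = NULL;
	options->escape_char = -1;
	options->system_hostfile = NULL;
	options->user_hostfile = NULL;
	options->system_hostfile2 = NULL;
	options->user_hostfile2 = NULL;
	options->num_local_forwards = 0;
	options->num_remote_forwards = 0;
	options->clear_forwardings = -1;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->preferred_authentications = NULL;
	options->bind_address = NULL;
	options->smartcard_device = NULL;
	options->enable_ssh_keysign = -1;
	options->no_host_authentication_for_localhost = -1;
	options->identities_only = -1;
	options->rekey_limit = -1;
	options->verify_host_key_dns = -1;
	options->server_alive_interval = -1;
	options->server_alive_count_max = -1;
	options->num_send_env = 0;
	options->control_path = NULL;
	options->control_master = -1;
	options->hash_known_hosts = -1;
	options->tun_open = -1;
	options->tun_local = -1;
	options->tun_remote = -1;
	options->local_command = NULL;
	options->permit_local_command = -1;
	/* HPN fields (each initialised exactly once). */
	options->none_switch = -1;
	options->none_enabled = -1;
	options->hpn_disabled = -1;
	options->hpn_buffer_size = -1;
	options->tcp_rcv_buf_poll = -1;
	options->tcp_rcv_buf = -1;
	options->visual_host_key = -1;
}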
1155 * Called after processing other sources of option data, this fills those
1156 * options for which no value has been specified with their default values.
1160 fill_default_options(Options * options)
1164 if (options->forward_agent == -1)
1165 options->forward_agent = 0;
1166 if (options->forward_x11 == -1)
1167 options->forward_x11 = 0;
1168 if (options->forward_x11_trusted == -1)
1169 options->forward_x11_trusted = 0;
1170 if (options->exit_on_forward_failure == -1)
1171 options->exit_on_forward_failure = 0;
1172 if (options->xauth_location == NULL)
1173 options->xauth_location = _PATH_XAUTH;
1174 if (options->gateway_ports == -1)
1175 options->gateway_ports = 0;
1176 if (options->use_privileged_port == -1)
1177 options->use_privileged_port = 0;
1178 if (options->rsa_authentication == -1)
1179 options->rsa_authentication = 1;
1180 if (options->pubkey_authentication == -1)
1181 options->pubkey_authentication = 1;
1182 if (options->challenge_response_authentication == -1)
1183 options->challenge_response_authentication = 1;
1184 if (options->gss_authentication == -1)
1185 options->gss_authentication = 1;
1186 if (options->gss_keyex == -1)
1187 options->gss_keyex = 1;
1188 if (options->gss_deleg_creds == -1)
1189 options->gss_deleg_creds = 1;
1190 if (options->gss_trust_dns == -1)
1191 options->gss_trust_dns = 1;
1192 if (options->password_authentication == -1)
1193 options->password_authentication = 1;
1194 if (options->kbd_interactive_authentication == -1)
1195 options->kbd_interactive_authentication = 1;
1196 if (options->rhosts_rsa_authentication == -1)
1197 options->rhosts_rsa_authentication = 0;
1198 if (options->hostbased_authentication == -1)
1199 options->hostbased_authentication = 0;
1200 if (options->batch_mode == -1)
1201 options->batch_mode = 0;
1202 if (options->check_host_ip == -1)
1203 options->check_host_ip = 1;
1204 if (options->strict_host_key_checking == -1)
1205 options->strict_host_key_checking = 2; /* 2 is default */
1206 if (options->compression == -1)
1207 options->compression = 0;
1208 if (options->tcp_keep_alive == -1)
1209 options->tcp_keep_alive = 1;
1210 if (options->compression_level == -1)
1211 options->compression_level = 6;
1212 if (options->port == -1)
1213 options->port = 0; /* Filled in ssh_connect. */
1214 if (options->address_family == -1)
1215 options->address_family = AF_UNSPEC;
1216 if (options->connection_attempts == -1)
1217 options->connection_attempts = 1;
1218 if (options->number_of_password_prompts == -1)
1219 options->number_of_password_prompts = 3;
1220 /* Selected in ssh_login(). */
1221 if (options->cipher == -1)
1222 options->cipher = SSH_CIPHER_NOT_SET;
1223 /* options->ciphers, default set in myproposals.h */
1224 /* options->macs, default set in myproposals.h */
1225 /* options->hostkeyalgorithms, default set in myproposals.h */
1226 if (options->protocol == SSH_PROTO_UNKNOWN)
1227 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
1228 if (options->num_identity_files == 0) {
1229 if (options->protocol & SSH_PROTO_1) {
1230 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1231 options->identity_files[options->num_identity_files] =
1233 snprintf(options->identity_files[options->num_identity_files++],
1234 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1236 if (options->protocol & SSH_PROTO_2) {
1237 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1238 options->identity_files[options->num_identity_files] =
1240 snprintf(options->identity_files[options->num_identity_files++],
1241 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1243 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1244 options->identity_files[options->num_identity_files] =
1246 snprintf(options->identity_files[options->num_identity_files++],
1247 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1250 if (options->escape_char == -1)
1251 options->escape_char = '~';
1252 if (options->system_hostfile == NULL)
1253 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1254 if (options->user_hostfile == NULL)
1255 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1256 if (options->system_hostfile2 == NULL)
1257 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1258 if (options->user_hostfile2 == NULL)
1259 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1260 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1261 options->log_level = SYSLOG_LEVEL_INFO;
1262 if (options->clear_forwardings == 1)
1263 clear_forwardings(options);
1264 if (options->no_host_authentication_for_localhost == - 1)
1265 options->no_host_authentication_for_localhost = 0;
1266 if (options->identities_only == -1)
1267 options->identities_only = 0;
1268 if (options->enable_ssh_keysign == -1)
1269 options->enable_ssh_keysign = 0;
1270 if (options->rekey_limit == -1)
1271 options->rekey_limit = 0;
1272 if (options->verify_host_key_dns == -1)
1273 options->verify_host_key_dns = 0;
1274 if (options->server_alive_interval == -1)
1275 options->server_alive_interval = 0;
1276 if (options->server_alive_count_max == -1)
1277 options->server_alive_count_max = 3;
1278 if (options->none_switch == -1)
1279 options->none_switch = 0;
1280 if (options->hpn_disabled == -1)
1281 options->hpn_disabled = 0;
1282 if (options->hpn_buffer_size > -1)
1284 /* if a user tries to set the size to 0, substitute 1024.  NOTE(review): the cap just below compares the value against 65536 and stores 65536*1024, i.e. it treats the option value as KB; if this 1024 is scaled the same way it ends up as 1MB, not 1KB -- confirm which unit is intended */
1285 if (options->hpn_buffer_size == 0)
1286 options->hpn_buffer_size = 1024;
1288 /* limit the buffer to 64MB: the option value is interpreted in KB here (65536 KB), and the value stored after scaling is in bytes */
1288 if (options->hpn_buffer_size > 65536)
1290 options->hpn_buffer_size = 65536*1024;
1291 debug("User requested buffer larger than 64MB. Request reverted to 64MB");
1293 debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
1295 if (options->tcp_rcv_buf == 0)
1296 options->tcp_rcv_buf = 1;
1297 if (options->tcp_rcv_buf > -1)
1298 options->tcp_rcv_buf *=1024;
1299 if (options->tcp_rcv_buf_poll == -1)
1300 options->tcp_rcv_buf_poll = 1;
1301 if (options->control_master == -1)
1302 options->control_master = 0;
1303 if (options->hash_known_hosts == -1)
1304 options->hash_known_hosts = 0;
1305 if (options->tun_open == -1)
1306 options->tun_open = SSH_TUNMODE_NO;
1307 if (options->tun_local == -1)
1308 options->tun_local = SSH_TUNID_ANY;
1309 if (options->tun_remote == -1)
1310 options->tun_remote = SSH_TUNID_ANY;
1311 if (options->permit_local_command == -1)
1312 options->permit_local_command = 0;
1313 if (options->visual_host_key == -1)
1314 options->visual_host_key = 0;
1315 /* options->local_command should not be set by default */
1316 /* options->proxy_command should not be set by default */
1317 /* options->user will be set in the main program if appropriate */
1318 /* options->hostname will be set in the main program if appropriate */
1319 /* options->host_key_alias should not be set by default */
1320 /* options->preferred_authentications will be set in ssh */
1325 * Parses a string containing a port forwarding specification of the form
1326 *   [listenhost:]listenport:connecthost:connectport
1327 * Returns the number of arguments parsed (3 or 4) or zero on error.  It is
 * an error if either the listen or the connect port resolves to 0 (which
 * appears to be a2port()'s failure value), or if the connect host name is
 * NI_MAXHOST bytes or longer; the error path frees any host strings already
 * allocated.  In the 3-argument form listen_host is left NULL (bind to the
 * default address).
1330 parse_forward(Forward *fwd, const char *fwdspec)
1333 char *p, *cp, *fwdarg[4];
1335 memset(fwd, '\0', sizeof(*fwd));
1337 cp = p = xstrdup(fwdspec);
1339 /* skip leading spaces */
1340 while (isspace(*cp))
1343 for (i = 0; i < 4; ++i)
1344 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1347 /* Check for trailing garbage in 4-arg case*/
1349 i = 0; /* failure */
1353 fwd->listen_host = NULL;
1354 fwd->listen_port = a2port(fwdarg[0]);
1355 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1356 fwd->connect_port = a2port(fwdarg[2]);
1360 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1361 fwd->listen_port = a2port(fwdarg[1]);
1362 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1363 fwd->connect_port = a2port(fwdarg[3]);
1366 i = 0; /* failure */
1371 if (fwd->listen_port == 0 || fwd->connect_port == 0)
1374 if (fwd->connect_host != NULL &&
1375 strlen(fwd->connect_host) >= NI_MAXHOST)
1381 if (fwd->connect_host != NULL)
1382 xfree(fwd->connect_host);
1383 if (fwd->listen_host != NULL)
1384 xfree(fwd->listen_host);