2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.137 2004/08/13 11:09:24 dtucker Exp $");
20 #include "pathnames.h"
26 static void add_listen_addr(ServerOptions *, char *, u_short);
27 static void add_one_listen_addr(ServerOptions *, char *, u_short);
29 /* AF_UNSPEC or AF_INET or AF_INET6 */
31 /* Use of privilege separation or not */
32 extern int use_privsep;
34 /* Initializes the server options to their default values. */
37 initialize_server_options(ServerOptions *options)
39 memset(options, 0, sizeof(*options));
41 /* Portable-specific options */
42 options->use_pam = -1;
44 /* Standard Options */
45 options->num_ports = 0;
46 options->ports_from_cmdline = 0;
47 options->listen_addrs = NULL;
48 options->num_host_key_files = 0;
49 options->pid_file = NULL;
50 options->server_key_bits = -1;
51 options->login_grace_time = -1;
52 options->key_regeneration_time = -1;
53 options->permit_root_login = PERMIT_NOT_SET;
54 options->ignore_rhosts = -1;
55 options->ignore_user_known_hosts = -1;
56 options->print_motd = -1;
57 options->print_lastlog = -1;
58 options->x11_forwarding = -1;
59 options->x11_display_offset = -1;
60 options->x11_use_localhost = -1;
61 options->xauth_location = NULL;
62 options->strict_modes = -1;
63 options->tcp_keep_alive = -1;
64 options->log_facility = SYSLOG_FACILITY_NOT_SET;
65 options->log_level = SYSLOG_LEVEL_NOT_SET;
66 options->rhosts_rsa_authentication = -1;
67 options->hostbased_authentication = -1;
68 options->hostbased_uses_name_from_packet_only = -1;
69 options->rsa_authentication = -1;
70 options->pubkey_authentication = -1;
71 options->kerberos_authentication = -1;
72 options->kerberos_or_local_passwd = -1;
73 options->kerberos_ticket_cleanup = -1;
75 options->session_hooks_allow = -1;
76 options->session_hooks_startup_cmd = NULL;
77 options->session_hooks_shutdown_cmd = NULL;
79 options->kerberos_get_afs_token = -1;
80 options->gss_authentication=-1;
81 options->gss_keyex=-1;
82 options->gss_cleanup_creds = -1;
83 options->password_authentication = -1;
84 options->kbd_interactive_authentication = -1;
85 options->challenge_response_authentication = -1;
86 options->permit_empty_passwd = -1;
87 options->permit_user_env = -1;
88 options->use_login = -1;
89 options->compression = -1;
90 options->allow_tcp_forwarding = -1;
91 options->num_allow_users = 0;
92 options->num_deny_users = 0;
93 options->num_allow_groups = 0;
94 options->num_deny_groups = 0;
95 options->ciphers = NULL;
97 options->protocol = SSH_PROTO_UNKNOWN;
98 options->gateway_ports = -1;
99 options->num_subsystems = 0;
100 options->max_startups_begin = -1;
101 options->max_startups_rate = -1;
102 options->max_startups = -1;
103 options->max_authtries = -1;
104 options->banner = NULL;
105 options->use_dns = -1;
106 options->client_alive_interval = -1;
107 options->client_alive_count_max = -1;
108 options->authorized_keys_file = NULL;
109 options->authorized_keys_file2 = NULL;
110 options->num_accept_env = 0;
112 /* Needs to be accessable in many places */
117 fill_default_server_options(ServerOptions *options)
119 /* Portable-specific options */
120 if (options->use_pam == -1)
121 options->use_pam = 0;
123 /* Standard Options */
124 if (options->protocol == SSH_PROTO_UNKNOWN)
125 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
126 if (options->num_host_key_files == 0) {
127 /* fill default hostkeys for protocols */
128 if (options->protocol & SSH_PROTO_1)
129 options->host_key_files[options->num_host_key_files++] =
131 if (options->protocol & SSH_PROTO_2) {
132 options->host_key_files[options->num_host_key_files++] =
133 _PATH_HOST_RSA_KEY_FILE;
134 options->host_key_files[options->num_host_key_files++] =
135 _PATH_HOST_DSA_KEY_FILE;
138 if (options->num_ports == 0)
139 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
140 if (options->listen_addrs == NULL)
141 add_listen_addr(options, NULL, 0);
142 if (options->pid_file == NULL)
143 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
144 if (options->server_key_bits == -1)
145 options->server_key_bits = 768;
146 if (options->login_grace_time == -1)
147 options->login_grace_time = 120;
148 if (options->key_regeneration_time == -1)
149 options->key_regeneration_time = 3600;
150 if (options->permit_root_login == PERMIT_NOT_SET)
151 options->permit_root_login = PERMIT_YES;
152 if (options->ignore_rhosts == -1)
153 options->ignore_rhosts = 1;
154 if (options->ignore_user_known_hosts == -1)
155 options->ignore_user_known_hosts = 0;
156 if (options->print_motd == -1)
157 options->print_motd = 1;
158 if (options->print_lastlog == -1)
159 options->print_lastlog = 1;
160 if (options->x11_forwarding == -1)
161 options->x11_forwarding = 0;
162 if (options->x11_display_offset == -1)
163 options->x11_display_offset = 10;
164 if (options->x11_use_localhost == -1)
165 options->x11_use_localhost = 1;
166 if (options->xauth_location == NULL)
167 options->xauth_location = _PATH_XAUTH;
168 if (options->strict_modes == -1)
169 options->strict_modes = 1;
170 if (options->tcp_keep_alive == -1)
171 options->tcp_keep_alive = 1;
172 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
173 options->log_facility = SYSLOG_FACILITY_AUTH;
174 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
175 options->log_level = SYSLOG_LEVEL_INFO;
176 if (options->rhosts_rsa_authentication == -1)
177 options->rhosts_rsa_authentication = 0;
178 if (options->hostbased_authentication == -1)
179 options->hostbased_authentication = 0;
180 if (options->hostbased_uses_name_from_packet_only == -1)
181 options->hostbased_uses_name_from_packet_only = 0;
182 if (options->rsa_authentication == -1)
183 options->rsa_authentication = 1;
184 if (options->pubkey_authentication == -1)
185 options->pubkey_authentication = 1;
186 if (options->kerberos_authentication == -1)
187 options->kerberos_authentication = 0;
188 if (options->kerberos_or_local_passwd == -1)
189 options->kerberos_or_local_passwd = 1;
190 if (options->kerberos_ticket_cleanup == -1)
191 options->kerberos_ticket_cleanup = 1;
192 if (options->kerberos_get_afs_token == -1)
193 options->kerberos_get_afs_token = 0;
194 if (options->gss_authentication == -1)
195 options->gss_authentication = 1;
196 if (options->gss_keyex == -1)
197 options->gss_keyex = 1;
198 if (options->gss_cleanup_creds == -1)
199 options->gss_cleanup_creds = 1;
200 if (options->password_authentication == -1)
201 options->password_authentication = 1;
202 if (options->kbd_interactive_authentication == -1)
203 options->kbd_interactive_authentication = 0;
204 if (options->challenge_response_authentication == -1)
205 options->challenge_response_authentication = 1;
206 if (options->permit_empty_passwd == -1)
207 options->permit_empty_passwd = 0;
208 if (options->permit_user_env == -1)
209 options->permit_user_env = 0;
210 if (options->use_login == -1)
211 options->use_login = 0;
212 if (options->compression == -1)
213 options->compression = 1;
214 if (options->allow_tcp_forwarding == -1)
215 options->allow_tcp_forwarding = 1;
216 if (options->gateway_ports == -1)
217 options->gateway_ports = 0;
218 if (options->max_startups == -1)
219 options->max_startups = 10;
220 if (options->max_startups_rate == -1)
221 options->max_startups_rate = 100; /* 100% */
222 if (options->max_startups_begin == -1)
223 options->max_startups_begin = options->max_startups;
224 if (options->max_authtries == -1)
225 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
226 if (options->use_dns == -1)
227 options->use_dns = 1;
228 if (options->client_alive_interval == -1)
229 options->client_alive_interval = 0;
230 if (options->client_alive_count_max == -1)
231 options->client_alive_count_max = 3;
232 if (options->authorized_keys_file2 == NULL) {
233 /* authorized_keys_file2 falls back to authorized_keys_file */
234 if (options->authorized_keys_file != NULL)
235 options->authorized_keys_file2 = options->authorized_keys_file;
237 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
239 if (options->authorized_keys_file == NULL)
240 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
242 /* Turn privilege separation on by default */
243 if (use_privsep == -1)
247 if (use_privsep && options->compression == 1) {
248 error("This platform does not support both privilege "
249 "separation and compression");
250 error("Compression disabled");
251 options->compression = 0;
257 /* Keyword tokens. */
259 sBadOption, /* == unknown option */
260 /* Portable-specific options */
262 /* Standard Options */
263 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
264 sPermitRootLogin, sLogFacility, sLogLevel,
265 sRhostsRSAAuthentication, sRSAAuthentication,
266 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
267 sKerberosGetAFSToken,
268 sKerberosTgtPassing, sChallengeResponseAuthentication,
270 sAllowSessionHooks, sSessionHookStartupCmd, sSessionHookShutdownCmd,
272 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
273 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
274 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
275 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
276 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
277 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
278 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
279 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
280 sMaxStartups, sMaxAuthTries,
281 sBanner, sUseDNS, sHostbasedAuthentication,
282 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
283 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
284 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
286 sUsePrivilegeSeparation,
287 sDeprecated, sUnsupported
290 /* Textual representation of the tokens. */
293 ServerOpCodes opcode;
295 /* Portable-specific options */
297 { "usepam", sUsePAM },
299 { "usepam", sUnsupported },
301 { "pamauthenticationviakbdint", sDeprecated },
302 /* Standard Options */
304 { "hostkey", sHostKeyFile },
305 { "hostdsakey", sHostKeyFile }, /* alias */
306 { "pidfile", sPidFile },
307 { "serverkeybits", sServerKeyBits },
308 { "logingracetime", sLoginGraceTime },
309 { "keyregenerationinterval", sKeyRegenerationTime },
310 { "permitrootlogin", sPermitRootLogin },
311 { "syslogfacility", sLogFacility },
312 { "loglevel", sLogLevel },
313 { "rhostsauthentication", sDeprecated },
314 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
315 { "hostbasedauthentication", sHostbasedAuthentication },
316 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
317 { "rsaauthentication", sRSAAuthentication },
318 { "pubkeyauthentication", sPubkeyAuthentication },
319 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
321 { "kerberosauthentication", sKerberosAuthentication },
322 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
323 { "kerberosticketcleanup", sKerberosTicketCleanup },
325 { "kerberosgetafstoken", sKerberosGetAFSToken },
327 { "kerberosgetafstoken", sUnsupported },
330 { "kerberosauthentication", sUnsupported },
331 { "kerberosorlocalpasswd", sUnsupported },
332 { "kerberosticketcleanup", sUnsupported },
333 { "kerberosgetafstoken", sUnsupported },
335 { "kerberostgtpassing", sUnsupported },
336 { "afstokenpassing", sUnsupported },
338 { "gssapiauthentication", sGssAuthentication },
339 { "gssapikeyexchange", sGssKeyEx },
340 { "gssapicleanupcredentials", sGssCleanupCreds },
342 { "gssapiauthentication", sUnsupported },
343 { "gssapikeyexchange", sUnsupported },
344 { "gssapicleanupcredentials", sUnsupported },
347 { "allowsessionhooks", sAllowSessionHooks },
348 { "sessionhookstartupcmd", sSessionHookStartupCmd },
349 { "sessionhookshutdowncmd", sSessionHookShutdownCmd },
351 { "passwordauthentication", sPasswordAuthentication },
352 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
353 { "challengeresponseauthentication", sChallengeResponseAuthentication },
354 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
355 { "checkmail", sDeprecated },
356 { "listenaddress", sListenAddress },
357 { "printmotd", sPrintMotd },
358 { "printlastlog", sPrintLastLog },
359 { "ignorerhosts", sIgnoreRhosts },
360 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
361 { "x11forwarding", sX11Forwarding },
362 { "x11displayoffset", sX11DisplayOffset },
363 { "x11uselocalhost", sX11UseLocalhost },
364 { "xauthlocation", sXAuthLocation },
365 { "strictmodes", sStrictModes },
366 { "permitemptypasswords", sEmptyPasswd },
367 { "permituserenvironment", sPermitUserEnvironment },
368 { "uselogin", sUseLogin },
369 { "compression", sCompression },
370 { "tcpkeepalive", sTCPKeepAlive },
371 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
372 { "allowtcpforwarding", sAllowTcpForwarding },
373 { "allowusers", sAllowUsers },
374 { "denyusers", sDenyUsers },
375 { "allowgroups", sAllowGroups },
376 { "denygroups", sDenyGroups },
377 { "ciphers", sCiphers },
379 { "protocol", sProtocol },
380 { "gatewayports", sGatewayPorts },
381 { "subsystem", sSubsystem },
382 { "maxstartups", sMaxStartups },
383 { "maxauthtries", sMaxAuthTries },
384 { "banner", sBanner },
385 { "usedns", sUseDNS },
386 { "verifyreversemapping", sDeprecated },
387 { "reversemappingcheck", sDeprecated },
388 { "clientaliveinterval", sClientAliveInterval },
389 { "clientalivecountmax", sClientAliveCountMax },
390 { "authorizedkeysfile", sAuthorizedKeysFile },
391 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
392 { "useprivilegeseparation", sUsePrivilegeSeparation},
393 { "acceptenv", sAcceptEnv },
398 * Returns the number of the token pointed to by cp or sBadOption.
402 parse_token(const char *cp, const char *filename,
407 for (i = 0; keywords[i].name; i++)
408 if (strcasecmp(cp, keywords[i].name) == 0)
409 return keywords[i].opcode;
411 error("%s: line %d: Bad configuration option: %s",
412 filename, linenum, cp);
417 add_listen_addr(ServerOptions *options, char *addr, u_short port)
421 if (options->num_ports == 0)
422 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
424 for (i = 0; i < options->num_ports; i++)
425 add_one_listen_addr(options, addr, options->ports[i]);
427 add_one_listen_addr(options, addr, port);
431 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
433 struct addrinfo hints, *ai, *aitop;
434 char strport[NI_MAXSERV];
437 memset(&hints, 0, sizeof(hints));
438 hints.ai_family = IPv4or6;
439 hints.ai_socktype = SOCK_STREAM;
440 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
441 snprintf(strport, sizeof strport, "%u", port);
442 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
443 fatal("bad addr or host: %s (%s)",
444 addr ? addr : "<NULL>",
445 gai_strerror(gaierr));
446 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
448 ai->ai_next = options->listen_addrs;
449 options->listen_addrs = aitop;
453 process_server_config_line(ServerOptions *options, char *line,
454 const char *filename, int linenum)
456 char *cp, **charptr, *arg, *p;
457 int *intptr, value, i, n;
458 ServerOpCodes opcode;
462 /* Ignore leading whitespace */
465 if (!arg || !*arg || *arg == '#')
469 opcode = parse_token(arg, filename, linenum);
471 /* Portable-specific options */
473 intptr = &options->use_pam;
476 /* Standard Options */
480 /* ignore ports from configfile if cmdline specifies ports */
481 if (options->ports_from_cmdline)
483 if (options->listen_addrs != NULL)
484 fatal("%s line %d: ports must be specified before "
485 "ListenAddress.", filename, linenum);
486 if (options->num_ports >= MAX_PORTS)
487 fatal("%s line %d: too many ports.",
490 if (!arg || *arg == '\0')
491 fatal("%s line %d: missing port number.",
493 options->ports[options->num_ports++] = a2port(arg);
494 if (options->ports[options->num_ports-1] == 0)
495 fatal("%s line %d: Badly formatted port number.",
500 intptr = &options->server_key_bits;
503 if (!arg || *arg == '\0')
504 fatal("%s line %d: missing integer value.",
511 case sLoginGraceTime:
512 intptr = &options->login_grace_time;
515 if (!arg || *arg == '\0')
516 fatal("%s line %d: missing time value.",
518 if ((value = convtime(arg)) == -1)
519 fatal("%s line %d: invalid time value.",
525 case sKeyRegenerationTime:
526 intptr = &options->key_regeneration_time;
531 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
532 fatal("%s line %d: missing inet addr.",
535 if ((p = strchr(arg, ']')) == NULL)
536 fatal("%s line %d: bad ipv6 inet addr usage.",
539 memmove(p, p+1, strlen(p+1)+1);
540 } else if (((p = strchr(arg, ':')) == NULL) ||
541 (strchr(p+1, ':') != NULL)) {
542 add_listen_addr(options, arg, 0);
550 fatal("%s line %d: bad inet addr:port usage.",
554 if ((port = a2port(p)) == 0)
555 fatal("%s line %d: bad port number.",
557 add_listen_addr(options, arg, port);
559 } else if (*p == '\0')
560 add_listen_addr(options, arg, 0);
562 fatal("%s line %d: bad inet addr usage.",
567 intptr = &options->num_host_key_files;
568 if (*intptr >= MAX_HOSTKEYS)
569 fatal("%s line %d: too many host keys specified (max %d).",
570 filename, linenum, MAX_HOSTKEYS);
571 charptr = &options->host_key_files[*intptr];
574 if (!arg || *arg == '\0')
575 fatal("%s line %d: missing file name.",
577 if (*charptr == NULL) {
578 *charptr = tilde_expand_filename(arg, getuid());
579 /* increase optional counter */
581 *intptr = *intptr + 1;
586 charptr = &options->pid_file;
589 case sPermitRootLogin:
590 intptr = &options->permit_root_login;
592 if (!arg || *arg == '\0')
593 fatal("%s line %d: missing yes/"
594 "without-password/forced-commands-only/no "
595 "argument.", filename, linenum);
596 value = 0; /* silence compiler */
597 if (strcmp(arg, "without-password") == 0)
598 value = PERMIT_NO_PASSWD;
599 else if (strcmp(arg, "forced-commands-only") == 0)
600 value = PERMIT_FORCED_ONLY;
601 else if (strcmp(arg, "yes") == 0)
603 else if (strcmp(arg, "no") == 0)
606 fatal("%s line %d: Bad yes/"
607 "without-password/forced-commands-only/no "
608 "argument: %s", filename, linenum, arg);
614 intptr = &options->ignore_rhosts;
617 if (!arg || *arg == '\0')
618 fatal("%s line %d: missing yes/no argument.",
620 value = 0; /* silence compiler */
621 if (strcmp(arg, "yes") == 0)
623 else if (strcmp(arg, "no") == 0)
626 fatal("%s line %d: Bad yes/no argument: %s",
627 filename, linenum, arg);
632 case sIgnoreUserKnownHosts:
633 intptr = &options->ignore_user_known_hosts;
636 case sRhostsRSAAuthentication:
637 intptr = &options->rhosts_rsa_authentication;
640 case sHostbasedAuthentication:
641 intptr = &options->hostbased_authentication;
644 case sHostbasedUsesNameFromPacketOnly:
645 intptr = &options->hostbased_uses_name_from_packet_only;
648 case sRSAAuthentication:
649 intptr = &options->rsa_authentication;
652 case sPubkeyAuthentication:
653 intptr = &options->pubkey_authentication;
656 case sKerberosAuthentication:
657 intptr = &options->kerberos_authentication;
660 case sKerberosOrLocalPasswd:
661 intptr = &options->kerberos_or_local_passwd;
664 case sKerberosTicketCleanup:
665 intptr = &options->kerberos_ticket_cleanup;
668 case sKerberosGetAFSToken:
669 intptr = &options->kerberos_get_afs_token;
672 case sGssAuthentication:
673 intptr = &options->gss_authentication;
677 intptr = &options->gss_keyex;
680 case sGssCleanupCreds:
681 intptr = &options->gss_cleanup_creds;
685 case sAllowSessionHooks:
686 intptr = &options->session_hooks_allow;
688 case sSessionHookStartupCmd:
689 case sSessionHookShutdownCmd:
691 if (!arg || *arg == '\0')
692 fatal("%s line %d: empty session hook command",
694 if (opcode==sSessionHookStartupCmd)
695 options->session_hooks_startup_cmd = strdup(arg);
697 options->session_hooks_shutdown_cmd = strdup(arg);
701 case sPasswordAuthentication:
702 intptr = &options->password_authentication;
705 case sKbdInteractiveAuthentication:
706 intptr = &options->kbd_interactive_authentication;
709 case sChallengeResponseAuthentication:
710 intptr = &options->challenge_response_authentication;
714 intptr = &options->print_motd;
718 intptr = &options->print_lastlog;
722 intptr = &options->x11_forwarding;
725 case sX11DisplayOffset:
726 intptr = &options->x11_display_offset;
729 case sX11UseLocalhost:
730 intptr = &options->x11_use_localhost;
734 charptr = &options->xauth_location;
738 intptr = &options->strict_modes;
742 intptr = &options->tcp_keep_alive;
746 intptr = &options->permit_empty_passwd;
749 case sPermitUserEnvironment:
750 intptr = &options->permit_user_env;
754 intptr = &options->use_login;
758 intptr = &options->compression;
762 intptr = &options->gateway_ports;
766 intptr = &options->use_dns;
770 intptr = (int *) &options->log_facility;
772 value = log_facility_number(arg);
773 if (value == SYSLOG_FACILITY_NOT_SET)
774 fatal("%.200s line %d: unsupported log facility '%s'",
775 filename, linenum, arg ? arg : "<NONE>");
777 *intptr = (SyslogFacility) value;
781 intptr = (int *) &options->log_level;
783 value = log_level_number(arg);
784 if (value == SYSLOG_LEVEL_NOT_SET)
785 fatal("%.200s line %d: unsupported log level '%s'",
786 filename, linenum, arg ? arg : "<NONE>");
788 *intptr = (LogLevel) value;
791 case sAllowTcpForwarding:
792 intptr = &options->allow_tcp_forwarding;
795 case sUsePrivilegeSeparation:
796 intptr = &use_privsep;
800 while ((arg = strdelim(&cp)) && *arg != '\0') {
801 if (options->num_allow_users >= MAX_ALLOW_USERS)
802 fatal("%s line %d: too many allow users.",
804 options->allow_users[options->num_allow_users++] =
810 while ((arg = strdelim(&cp)) && *arg != '\0') {
811 if (options->num_deny_users >= MAX_DENY_USERS)
812 fatal( "%s line %d: too many deny users.",
814 options->deny_users[options->num_deny_users++] =
820 while ((arg = strdelim(&cp)) && *arg != '\0') {
821 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
822 fatal("%s line %d: too many allow groups.",
824 options->allow_groups[options->num_allow_groups++] =
830 while ((arg = strdelim(&cp)) && *arg != '\0') {
831 if (options->num_deny_groups >= MAX_DENY_GROUPS)
832 fatal("%s line %d: too many deny groups.",
834 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
840 if (!arg || *arg == '\0')
841 fatal("%s line %d: Missing argument.", filename, linenum);
842 if (!ciphers_valid(arg))
843 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
844 filename, linenum, arg ? arg : "<NONE>");
845 if (options->ciphers == NULL)
846 options->ciphers = xstrdup(arg);
851 if (!arg || *arg == '\0')
852 fatal("%s line %d: Missing argument.", filename, linenum);
854 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
855 filename, linenum, arg ? arg : "<NONE>");
856 if (options->macs == NULL)
857 options->macs = xstrdup(arg);
861 intptr = &options->protocol;
863 if (!arg || *arg == '\0')
864 fatal("%s line %d: Missing argument.", filename, linenum);
865 value = proto_spec(arg);
866 if (value == SSH_PROTO_UNKNOWN)
867 fatal("%s line %d: Bad protocol spec '%s'.",
868 filename, linenum, arg ? arg : "<NONE>");
869 if (*intptr == SSH_PROTO_UNKNOWN)
874 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
875 fatal("%s line %d: too many subsystems defined.",
879 if (!arg || *arg == '\0')
880 fatal("%s line %d: Missing subsystem name.",
882 for (i = 0; i < options->num_subsystems; i++)
883 if (strcmp(arg, options->subsystem_name[i]) == 0)
884 fatal("%s line %d: Subsystem '%s' already defined.",
885 filename, linenum, arg);
886 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
888 if (!arg || *arg == '\0')
889 fatal("%s line %d: Missing subsystem command.",
891 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
892 options->num_subsystems++;
897 if (!arg || *arg == '\0')
898 fatal("%s line %d: Missing MaxStartups spec.",
900 if ((n = sscanf(arg, "%d:%d:%d",
901 &options->max_startups_begin,
902 &options->max_startups_rate,
903 &options->max_startups)) == 3) {
904 if (options->max_startups_begin >
905 options->max_startups ||
906 options->max_startups_rate > 100 ||
907 options->max_startups_rate < 1)
908 fatal("%s line %d: Illegal MaxStartups spec.",
911 fatal("%s line %d: Illegal MaxStartups spec.",
914 options->max_startups = options->max_startups_begin;
918 intptr = &options->max_authtries;
922 charptr = &options->banner;
925 * These options can contain %X options expanded at
926 * connect time, so that you can specify paths like:
928 * AuthorizedKeysFile /etc/ssh_keys/%u
930 case sAuthorizedKeysFile:
931 case sAuthorizedKeysFile2:
932 charptr = (opcode == sAuthorizedKeysFile ) ?
933 &options->authorized_keys_file :
934 &options->authorized_keys_file2;
937 case sClientAliveInterval:
938 intptr = &options->client_alive_interval;
941 case sClientAliveCountMax:
942 intptr = &options->client_alive_count_max;
946 while ((arg = strdelim(&cp)) && *arg != '\0') {
947 if (strchr(arg, '=') != NULL)
948 fatal("%s line %d: Invalid environment name.",
950 if (options->num_accept_env >= MAX_ACCEPT_ENV)
951 fatal("%s line %d: too many allow env.",
953 options->accept_env[options->num_accept_env++] =
959 logit("%s line %d: Deprecated option %s",
960 filename, linenum, arg);
966 logit("%s line %d: Unsupported option %s",
967 filename, linenum, arg);
973 fatal("%s line %d: Missing handler for opcode %s (%d)",
974 filename, linenum, arg, opcode);
976 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
977 fatal("%s line %d: garbage at end of line; \"%.200s\".",
978 filename, linenum, arg);
982 /* Reads the server configuration file. */
985 load_server_config(const char *filename, Buffer *conf)
987 char line[1024], *cp;
990 debug2("%s: filename %s", __func__, filename);
991 if ((f = fopen(filename, "r")) == NULL) {
996 while (fgets(line, sizeof(line), f)) {
998 * Trim out comments and strip whitespace
999 * NB - preserve newlines, they are needed to reproduce
1000 * line numbers later for error messages
1002 if ((cp = strchr(line, '#')) != NULL)
1003 memcpy(cp, "\n", 2);
1004 cp = line + strspn(line, " \t\r");
1006 buffer_append(conf, cp, strlen(cp));
1008 buffer_append(conf, "\0", 1);
1010 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1014 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1016 int linenum, bad_options = 0;
1017 char *cp, *obuf, *cbuf;
1019 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1021 obuf = cbuf = xstrdup(buffer_ptr(conf));
1023 while((cp = strsep(&cbuf, "\n")) != NULL) {
1024 if (process_server_config_line(options, cp, filename,
1029 if (bad_options > 0)
1030 fatal("%s: terminating, %d bad configuration options",
1031 filename, bad_options);