2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.116 2003/02/21 09:05:53 markus Exp $");
/* NOTE(review): KEYFILE below is a hard-coded Kerberos V keytab path reusing
 * the Kerberos IV macro name; the author's own comment (its continuation is
 * not shown in this excerpt) calls the arrangement a bodge. */
22 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
24 #define KEYFILE "/etc/krb5.keytab"
36 #include "pathnames.h"
37 #include "tildexpand.h"
/* Forward declarations. add_listen_addr() expands one ListenAddress entry
 * over the configured ports; add_one_listen_addr() resolves a single
 * addr/port pair with getaddrinfo() and links the result into
 * options->listen_addrs. Both are defined further down in this file. */
43 static void add_listen_addr(ServerOptions *, char *, u_short);
44 static void add_one_listen_addr(ServerOptions *, char *, u_short);
/* Describes IPv4or6, which add_one_listen_addr() uses as hints.ai_family;
 * its definition is on a line not shown in this excerpt. */
46 /* AF_UNSPEC or AF_INET or AF_INET6 */
/* -1 means "not configured": fill_default_server_options() turns it on and
 * the UsePrivilegeSeparation keyword writes it directly. */
48 /* Use of privilege separation or not */
49 extern int use_privsep;
51 /* Initializes the server options to their default values. */
/*
 * Resets every field of *options to its "not set" sentinel (-1, NULL, 0 or
 * the matching *_NOT_SET enum value) so that fill_default_server_options()
 * can later tell values given in sshd_config from ones still needing a
 * default. The return type line and the braces are not shown in this excerpt.
 */
54 initialize_server_options(ServerOptions *options)
/* Zero the whole struct first; fields whose unset sentinel is not 0 are
 * then set individually below. */
56 memset(options, 0, sizeof(*options));
58 /* Portable-specific options */
59 options->pam_authentication_via_kbd_int = -1;
61 /* Standard Options */
62 options->num_ports = 0;
63 options->ports_from_cmdline = 0;
64 options->listen_addrs = NULL;
65 options->num_host_key_files = 0;
66 options->pid_file = NULL;
67 options->server_key_bits = -1;
68 options->login_grace_time = -1;
69 options->key_regeneration_time = -1;
/* PermitRootLogin has its own sentinel rather than -1. */
70 options->permit_root_login = PERMIT_NOT_SET;
71 options->ignore_rhosts = -1;
72 options->ignore_user_known_hosts = -1;
73 options->print_motd = -1;
74 options->print_lastlog = -1;
75 options->x11_forwarding = -1;
76 options->x11_display_offset = -1;
77 options->x11_use_localhost = -1;
78 options->xauth_location = NULL;
79 options->strict_modes = -1;
80 options->keepalives = -1;
/* Log facility/level use enum sentinels, see the casts in
 * process_server_config_line(). */
81 options->log_facility = SYSLOG_FACILITY_NOT_SET;
82 options->log_level = SYSLOG_LEVEL_NOT_SET;
83 options->rhosts_authentication = -1;
84 options->rhosts_rsa_authentication = -1;
85 options->hostbased_authentication = -1;
86 options->hostbased_uses_name_from_packet_only = -1;
87 options->rsa_authentication = -1;
88 options->pubkey_authentication = -1;
/* GSSAPI options. NOTE(review): these lines are formatted differently
 * ("=-1") from their neighbours, which suggests they come from a separate
 * patch on top of the upstream revision named in the RCSID -- confirm. */
90 options->gss_authentication=-1;
91 options->gss_keyex=-1;
92 options->gss_use_session_ccache = -1;
93 options->gss_cleanup_creds = -1;
/* Kerberos/AFS fields only exist with KRB4/KRB5/AFS; the matching #endif
 * lines are not shown in this excerpt. */
95 #if defined(KRB4) || defined(KRB5)
96 options->kerberos_authentication = -1;
97 options->kerberos_or_local_passwd = -1;
98 options->kerberos_ticket_cleanup = -1;
100 #if defined(AFS) || defined(KRB5)
101 options->kerberos_tgt_passing = -1;
104 options->afs_token_passing = -1;
106 options->password_authentication = -1;
107 options->kbd_interactive_authentication = -1;
108 options->challenge_response_authentication = -1;
109 options->permit_empty_passwd = -1;
110 options->permit_user_env = -1;
111 options->use_login = -1;
112 options->compression = -1;
113 options->allow_tcp_forwarding = -1;
114 options->num_allow_users = 0;
115 options->num_deny_users = 0;
116 options->num_allow_groups = 0;
117 options->num_deny_groups = 0;
118 options->ciphers = NULL;
119 options->macs = NULL;
/* SSH_PROTO_UNKNOWN doubles as the "not configured" sentinel for Protocol. */
120 options->protocol = SSH_PROTO_UNKNOWN;
121 options->gateway_ports = -1;
122 options->num_subsystems = 0;
123 options->max_startups_begin = -1;
124 options->max_startups_rate = -1;
125 options->max_startups = -1;
126 options->banner = NULL;
127 options->verify_reverse_mapping = -1;
128 options->client_alive_interval = -1;
129 options->client_alive_count_max = -1;
130 options->authorized_keys_file = NULL;
131 options->authorized_keys_file2 = NULL;
133 /* Needs to be accessible in many places */
/*
 * Replaces every sentinel left by initialize_server_options() with the
 * compiled-in default. Defaults visible here that matter when hardening a
 * host: PermitRootLogin yes, PasswordAuthentication yes, Protocol 1 and 2,
 * ServerKeyBits 768, and GSSAPI authentication/key exchange on. Privilege
 * separation is enabled by default, and compression is switched off where
 * the platform cannot combine the two. The return type line, braces and
 * several #endif lines are not shown in this excerpt.
 */
138 fill_default_server_options(ServerOptions *options)
140 /* Portable-specific options */
141 if (options->pam_authentication_via_kbd_int == -1)
142 options->pam_authentication_via_kbd_int = 0;
144 /* Standard Options */
/* Both protocol versions are offered unless Protocol was configured. */
145 if (options->protocol == SSH_PROTO_UNKNOWN)
146 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
/* No HostKey given: select the default key file for each enabled protocol.
 * The protocol-1 file name (continuation of the first assignment) and the
 * closing braces are on lines not shown. */
147 if (options->num_host_key_files == 0) {
148 /* fill default hostkeys for protocols */
149 if (options->protocol & SSH_PROTO_1)
150 options->host_key_files[options->num_host_key_files++] =
152 if (options->protocol & SSH_PROTO_2) {
153 options->host_key_files[options->num_host_key_files++] =
154 _PATH_HOST_RSA_KEY_FILE;
155 options->host_key_files[options->num_host_key_files++] =
156 _PATH_HOST_DSA_KEY_FILE;
/* Same fallback add_listen_addr() applies: no Port means SSH_DEFAULT_PORT. */
159 if (options->num_ports == 0)
160 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
/* NULL addr with port 0: add_listen_addr() binds the wildcard address
 * (AI_PASSIVE in add_one_listen_addr()) on every configured port. */
161 if (options->listen_addrs == NULL)
162 add_listen_addr(options, NULL, 0);
163 if (options->pid_file == NULL)
164 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
/* Protocol-1 server key size in bits; key_regeneration_time below is
 * presumably its rotation interval in seconds -- verify against the caller.
 * NOTE(review): 768 is the default of this 2003-era revision. */
165 if (options->server_key_bits == -1)
166 options->server_key_bits = 768;
167 if (options->login_grace_time == -1)
168 options->login_grace_time = 120;
169 if (options->key_regeneration_time == -1)
170 options->key_regeneration_time = 3600;
/* NOTE(review): root login is permitted unless sshd_config says otherwise;
 * hardened deployments should set PermitRootLogin explicitly. */
171 if (options->permit_root_login == PERMIT_NOT_SET)
172 options->permit_root_login = PERMIT_YES;
173 if (options->ignore_rhosts == -1)
174 options->ignore_rhosts = 1;
175 if (options->ignore_user_known_hosts == -1)
176 options->ignore_user_known_hosts = 0;
177 if (options->print_motd == -1)
178 options->print_motd = 1;
179 if (options->print_lastlog == -1)
180 options->print_lastlog = 1;
/* X11 forwarding is off by default; when enabled it binds localhost only. */
181 if (options->x11_forwarding == -1)
182 options->x11_forwarding = 0;
183 if (options->x11_display_offset == -1)
184 options->x11_display_offset = 10;
185 if (options->x11_use_localhost == -1)
186 options->x11_use_localhost = 1;
187 if (options->xauth_location == NULL)
188 options->xauth_location = _PATH_XAUTH;
/* StrictModes (ownership/permission checks on user files) defaults on. */
189 if (options->strict_modes == -1)
190 options->strict_modes = 1;
191 if (options->keepalives == -1)
192 options->keepalives = 1;
193 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
194 options->log_facility = SYSLOG_FACILITY_AUTH;
195 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
196 options->log_level = SYSLOG_LEVEL_INFO;
/* rhosts-based methods default off; RSA and public-key default on. */
197 if (options->rhosts_authentication == -1)
198 options->rhosts_authentication = 0;
199 if (options->rhosts_rsa_authentication == -1)
200 options->rhosts_rsa_authentication = 0;
201 if (options->hostbased_authentication == -1)
202 options->hostbased_authentication = 0;
203 if (options->hostbased_uses_name_from_packet_only == -1)
204 options->hostbased_uses_name_from_packet_only = 0;
205 if (options->rsa_authentication == -1)
206 options->rsa_authentication = 1;
207 if (options->pubkey_authentication == -1)
208 options->pubkey_authentication = 1;
/* GSSAPI authentication, key exchange, session ccache and credential
 * cleanup all default on. */
210 if (options->gss_authentication == -1)
211 options->gss_authentication = 1;
212 if (options->gss_keyex == -1)
213 options->gss_keyex =1;
214 if (options->gss_use_session_ccache == -1)
215 options->gss_use_session_ccache = 1;
216 if (options->gss_cleanup_creds == -1)
217 options->gss_cleanup_creds = 1;
/* Kerberos/AFS defaults; the #endif lines are not shown in this excerpt. */
219 #if defined(KRB4) || defined(KRB5)
220 if (options->kerberos_authentication == -1)
221 options->kerberos_authentication = 0;
222 if (options->kerberos_or_local_passwd == -1)
223 options->kerberos_or_local_passwd = 1;
224 if (options->kerberos_ticket_cleanup == -1)
225 options->kerberos_ticket_cleanup = 1;
227 #if defined(AFS) || defined(KRB5)
228 if (options->kerberos_tgt_passing == -1)
229 options->kerberos_tgt_passing = 0;
232 if (options->afs_token_passing == -1)
233 options->afs_token_passing = 0;
/* Password authentication defaults on, challenge-response on,
 * keyboard-interactive off, empty passwords refused. */
235 if (options->password_authentication == -1)
236 options->password_authentication = 1;
237 if (options->kbd_interactive_authentication == -1)
238 options->kbd_interactive_authentication = 0;
239 if (options->challenge_response_authentication == -1)
240 options->challenge_response_authentication = 1;
241 if (options->permit_empty_passwd == -1)
242 options->permit_empty_passwd = 0;
243 if (options->permit_user_env == -1)
244 options->permit_user_env = 0;
245 if (options->use_login == -1)
246 options->use_login = 0;
/* Compression defaults on here but may be forced off again at the end of
 * this function. */
247 if (options->compression == -1)
248 options->compression = 1;
249 if (options->allow_tcp_forwarding == -1)
250 options->allow_tcp_forwarding = 1;
251 if (options->gateway_ports == -1)
252 options->gateway_ports = 0;
/* MaxStartups defaults to 10 with rate 100% and begin equal to max. */
253 if (options->max_startups == -1)
254 options->max_startups = 10;
255 if (options->max_startups_rate == -1)
256 options->max_startups_rate = 100; /* 100% */
257 if (options->max_startups_begin == -1)
258 options->max_startups_begin = options->max_startups;
259 if (options->verify_reverse_mapping == -1)
260 options->verify_reverse_mapping = 0;
261 if (options->client_alive_interval == -1)
262 options->client_alive_interval = 0;
263 if (options->client_alive_count_max == -1)
264 options->client_alive_count_max = 3;
/* AuthorizedKeysFile2 inherits AuthorizedKeysFile when only the latter was
 * set; otherwise (the else keyword is on a line not shown) it gets the
 * compiled-in second path. */
265 if (options->authorized_keys_file2 == NULL) {
266 /* authorized_keys_file2 falls back to authorized_keys_file */
267 if (options->authorized_keys_file != NULL)
268 options->authorized_keys_file2 = options->authorized_keys_file;
270 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
272 if (options->authorized_keys_file == NULL)
273 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
/* use_privsep is the file-scope flag; the assignment that enables it is on
 * the line following the test, not shown in this excerpt. */
275 /* Turn privilege separation on by default */
276 if (use_privsep == -1)
/* This check appears to sit inside a platform-specific #if (guard lines
 * not shown): rather than failing, compression is logged and switched off
 * so privilege separation is kept. */
280 if (use_privsep && options->compression == 1) {
281 error("This platform does not support both privilege "
282 "separation and compression");
283 error("Compression disabled");
284 options->compression = 0;
/* Keyword tokens: one ServerOpCodes value per recognised sshd_config
 * keyword. parse_token() returns these, keywords[] maps names to them and
 * process_server_config_line() switches on them. The typedef's opening and
 * closing lines are not shown in this excerpt. */
290 /* Keyword tokens. */
292 sBadOption, /* == unknown option */
293 /* Portable-specific options */
294 sPAMAuthenticationViaKbdInt,
295 /* Standard Options */
296 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
297 sPermitRootLogin, sLogFacility, sLogLevel,
298 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
300 sGssAuthentication, sGssKeyEx, sGssUseSessionCredCache, sGssCleanupCreds,
/* Kerberos/AFS tokens are conditional; sKerberosTgtPassing, sAFSTokenPassing
 * and sDeprecated (all referenced by keywords[]) are declared on lines not
 * shown in this excerpt, as are the #endif lines. */
302 #if defined(KRB4) || defined(KRB5)
303 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
305 #if defined(AFS) || defined(KRB5)
311 sChallengeResponseAuthentication,
312 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
313 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
314 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
315 sStrictModes, sEmptyPasswd, sKeepAlives,
316 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
317 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
318 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
319 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
320 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
321 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
322 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
/* Writes the file-scope use_privsep rather than a ServerOptions field. */
323 sUsePrivilegeSeparation,
/* keywords[]: sshd_config keyword -> opcode. parse_token() compares with
 * strcasecmp(), so names are stored lowercase and matched case-insensitively.
 * Several names are aliases of one opcode (marked below). The struct and
 * array header lines, the "macs" entry, the NULL terminator and the #endif
 * lines are not shown in this excerpt. */
327 /* Textual representation of the tokens. */
330 ServerOpCodes opcode;
332 /* Portable-specific options */
333 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
334 /* Standard Options */
336 { "hostkey", sHostKeyFile },
337 { "hostdsakey", sHostKeyFile }, /* alias */
338 { "pidfile", sPidFile },
339 { "serverkeybits", sServerKeyBits },
340 { "logingracetime", sLoginGraceTime },
341 { "keyregenerationinterval", sKeyRegenerationTime },
342 { "permitrootlogin", sPermitRootLogin },
343 { "syslogfacility", sLogFacility },
344 { "loglevel", sLogLevel },
345 { "rhostsauthentication", sRhostsAuthentication },
346 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
347 { "hostbasedauthentication", sHostbasedAuthentication },
348 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
349 { "rsaauthentication", sRSAAuthentication },
350 { "pubkeyauthentication", sPubkeyAuthentication },
351 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
353 { "gssapiauthentication", sGssAuthentication },
354 { "gssapikeyexchange", sGssKeyEx },
/* Two spellings of the session-ccache keyword map to the same opcode. */
355 { "gssusesessionccache", sGssUseSessionCredCache },
356 { "gssapiusesessioncredcache", sGssUseSessionCredCache },
357 { "gssapicleanupcreds", sGssCleanupCreds },
359 #if defined(KRB4) || defined(KRB5)
360 { "kerberosauthentication", sKerberosAuthentication },
361 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
362 { "kerberosticketcleanup", sKerberosTicketCleanup },
364 #if defined(AFS) || defined(KRB5)
365 { "kerberostgtpassing", sKerberosTgtPassing },
368 { "afstokenpassing", sAFSTokenPassing },
370 { "passwordauthentication", sPasswordAuthentication },
371 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
372 { "challengeresponseauthentication", sChallengeResponseAuthentication },
373 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
/* Still accepted; process_server_config_line() only logs it as deprecated. */
374 { "checkmail", sDeprecated },
375 { "listenaddress", sListenAddress },
376 { "printmotd", sPrintMotd },
377 { "printlastlog", sPrintLastLog },
378 { "ignorerhosts", sIgnoreRhosts },
379 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
380 { "x11forwarding", sX11Forwarding },
381 { "x11displayoffset", sX11DisplayOffset },
382 { "x11uselocalhost", sX11UseLocalhost },
383 { "xauthlocation", sXAuthLocation },
384 { "strictmodes", sStrictModes },
385 { "permitemptypasswords", sEmptyPasswd },
386 { "permituserenvironment", sPermitUserEnvironment },
387 { "uselogin", sUseLogin },
388 { "compression", sCompression },
389 { "keepalive", sKeepAlives },
390 { "allowtcpforwarding", sAllowTcpForwarding },
391 { "allowusers", sAllowUsers },
392 { "denyusers", sDenyUsers },
393 { "allowgroups", sAllowGroups },
394 { "denygroups", sDenyGroups },
395 { "ciphers", sCiphers },
397 { "protocol", sProtocol },
398 { "gatewayports", sGatewayPorts },
399 { "subsystem", sSubsystem },
400 { "maxstartups", sMaxStartups },
401 { "banner", sBanner },
/* "reversemappingcheck" is an alias of "verifyreversemapping". */
402 { "verifyreversemapping", sVerifyReverseMapping },
403 { "reversemappingcheck", sVerifyReverseMapping },
404 { "clientaliveinterval", sClientAliveInterval },
405 { "clientalivecountmax", sClientAliveCountMax },
406 { "authorizedkeysfile", sAuthorizedKeysFile },
407 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
408 { "useprivilegeseparation", sUsePrivilegeSeparation},
/*
 * Returns the opcode of the keyword cp, or sBadOption after logging an
 * error naming filename and linenum. Lookup is a linear, case-insensitive
 * scan of keywords[] terminated by a NULL name. The return type, the
 * declaration of i, the final "return sBadOption" and the braces are on
 * lines not shown in this excerpt.
 */
413 * Returns the number of the token pointed to by cp or sBadOption.
417 parse_token(const char *cp, const char *filename,
422 for (i = 0; keywords[i].name; i++)
423 if (strcasecmp(cp, keywords[i].name) == 0)
424 return keywords[i].opcode;
/* cp is config-file text; it is passed as a %s argument only, never as the
 * format string. */
426 error("%s: line %d: Bad configuration option: %s",
427 filename, linenum, cp);
/*
 * Queues a ListenAddress entry. With no Port seen yet the default port is
 * filled in first (the same fallback fill_default_server_options() uses).
 * The loop presumably runs when port == 0, giving addr one entry per
 * configured port; otherwise only the given port is added. The if/else
 * joining the two paths, the declaration of i and the braces are on lines
 * not shown in this excerpt.
 */
432 add_listen_addr(ServerOptions *options, char *addr, u_short port)
436 if (options->num_ports == 0)
437 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
439 for (i = 0; i < options->num_ports; i++)
440 add_one_listen_addr(options, addr, options->ports[i]);
442 add_one_listen_addr(options, addr, port);
/*
 * Resolves addr/port with getaddrinfo() and prepends the whole result list
 * to options->listen_addrs. addr == NULL asks for AI_PASSIVE (the wildcard
 * address); ai_family follows the file-scope IPv4or6. A resolution failure
 * is fatal, with gai_strerror() text in the message. Ownership of the
 * addrinfo list passes to options; nothing is freed here. The declaration
 * of gaierr and the braces are on lines not shown in this excerpt.
 */
446 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
448 struct addrinfo hints, *ai, *aitop;
449 char strport[NI_MAXSERV];
452 memset(&hints, 0, sizeof(hints));
453 hints.ai_family = IPv4or6;
454 hints.ai_socktype = SOCK_STREAM;
/* NULL addr -> wildcard bind; a named addr is resolved as given. */
455 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
/* getaddrinfo() wants the port as a decimal service string. */
456 snprintf(strport, sizeof strport, "%u", port);
457 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
458 fatal("bad addr or host: %s (%s)",
459 addr ? addr : "<NULL>",
460 gai_strerror(gaierr));
/* Walk to the tail of the new list (empty loop body, ';' on a line not
 * shown) and splice the existing list behind it, so later ListenAddress
 * lines end up ahead of earlier ones. */
461 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
463 ai->ai_next = options->listen_addrs;
464 options->listen_addrs = aitop;
/*
 * Parses one sshd_config line into *options. The keyword is looked up with
 * parse_token(); each case then either selects a target field through
 * intptr/charptr and falls into a shared parser (yes/no flags, integers,
 * time values, file names -- the goto and label lines are not shown), or
 * handles its argument inline. Missing or malformed arguments are fatal();
 * a deprecated keyword is only logged; text left over after the argument is
 * fatal. The switch statement, most case labels and breaks, the
 * strdelim() calls that fetch arg, the return value and the braces are on
 * lines not shown in this excerpt.
 */
468 process_server_config_line(ServerOptions *options, char *line,
469 const char *filename, int linenum)
/* intptr/charptr select the field the shared parsers write; p and i are
 * scratch. The local "port" used by sListenAddress is declared on a line
 * not shown. */
471 char *cp, **charptr, *arg, *p;
472 int *intptr, value, i, n;
473 ServerOpCodes opcode;
477 /* Ignore leading whitespace */
/* Blank and comment lines are skipped (the return is on the next, unshown
 * line). */
480 if (!arg || !*arg || *arg == '#')
484 opcode = parse_token(arg, filename, linenum);
486 /* Portable-specific options */
487 case sPAMAuthenticationViaKbdInt:
488 intptr = &options->pam_authentication_via_kbd_int;
491 /* Standard Options */
/* sPort (label not shown): ports given on the command line take precedence
 * over the file, and Port must precede any ListenAddress. */
495 /* ignore ports from configfile if cmdline specifies ports */
496 if (options->ports_from_cmdline)
498 if (options->listen_addrs != NULL)
499 fatal("%s line %d: ports must be specified before "
500 "ListenAddress.", filename, linenum);
/* Bounds check before the array write below. */
501 if (options->num_ports >= MAX_PORTS)
502 fatal("%s line %d: too many ports.",
505 if (!arg || *arg == '\0')
506 fatal("%s line %d: missing port number.",
/* a2port() reports a bad port as 0; the value is stored, then rejected. */
508 options->ports[options->num_ports++] = a2port(arg);
509 if (options->ports[options->num_ports-1] == 0)
510 fatal("%s line %d: Badly formatted port number.",
/* sServerKeyBits (label not shown); what follows is the shared integer
 * parser, whose conversion and store to *intptr are on lines not shown. */
515 intptr = &options->server_key_bits;
518 if (!arg || *arg == '\0')
519 fatal("%s line %d: missing integer value.",
/* Shared time parser: convtime() signals a bad value with -1. */
526 case sLoginGraceTime:
527 intptr = &options->login_grace_time;
530 if (!arg || *arg == '\0')
531 fatal("%s line %d: missing time value.",
533 if ((value = convtime(arg)) == -1)
534 fatal("%s line %d: invalid time value.",
540 case sKeyRegenerationTime:
541 intptr = &options->key_regeneration_time;
/* sListenAddress (label not shown): accepts host, host:port, [v6addr] and
 * [v6addr]:port; an empty "[]" is rejected up front. */
546 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
547 fatal("%s line %d: missing inet addr.",
/* Bracketed IPv6 form (the test for the leading '[' is not shown): the ']'
 * is removed in place so arg becomes the bare address. */
550 if ((p = strchr(arg, ']')) == NULL)
551 fatal("%s line %d: bad ipv6 inet addr usage.",
554 memmove(p, p+1, strlen(p+1)+1);
/* No colon, or more than one colon (an unbracketed IPv6 address): the
 * whole arg is the address and every configured port is used. */
555 } else if (((p = strchr(arg, ':')) == NULL) ||
556 (strchr(p+1, ':') != NULL)) {
557 add_listen_addr(options, arg, 0);
565 fatal("%s line %d: bad inet addr:port usage.",
/* host:port form: a2port() returning 0 means the port text was invalid. */
569 if ((port = a2port(p)) == 0)
570 fatal("%s line %d: bad port number.",
572 add_listen_addr(options, arg, port);
574 } else if (*p == '\0')
575 add_listen_addr(options, arg, 0);
577 fatal("%s line %d: bad inet addr usage.",
/* sHostKeyFile (label not shown): intptr is the key count, charptr the next
 * free slot; the count is bounds-checked before the slot is taken. */
582 intptr = &options->num_host_key_files;
583 if (*intptr >= MAX_HOSTKEYS)
584 fatal("%s line %d: too many host keys specified (max %d).",
585 filename, linenum, MAX_HOSTKEYS);
586 charptr = &options->host_key_files[*intptr];
/* Shared file-name parser (label not shown); the other charptr cases below
 * presumably reach it by goto. */
589 if (!arg || *arg == '\0')
590 fatal("%s line %d: missing file name.",
/* First setting wins. tilde_expand_filename() expands "~" against getuid(),
 * i.e. the account sshd itself runs as. */
592 if (*charptr == NULL) {
593 *charptr = tilde_expand_filename(arg, getuid());
594 /* increase optional counter */
596 *intptr = *intptr + 1;
601 charptr = &options->pid_file;
/* PermitRootLogin: exact, case-sensitive match of the four spellings. The
 * assignments for "yes" and "no" and the final store to *intptr are on
 * lines not shown. */
604 case sPermitRootLogin:
605 intptr = &options->permit_root_login;
607 if (!arg || *arg == '\0')
608 fatal("%s line %d: missing yes/"
609 "without-password/forced-commands-only/no "
610 "argument.", filename, linenum);
611 value = 0; /* silence compiler */
612 if (strcmp(arg, "without-password") == 0)
613 value = PERMIT_NO_PASSWD;
614 else if (strcmp(arg, "forced-commands-only") == 0)
615 value = PERMIT_FORCED_ONLY;
616 else if (strcmp(arg, "yes") == 0)
618 else if (strcmp(arg, "no") == 0)
621 fatal("%s line %d: Bad yes/"
622 "without-password/forced-commands-only/no "
623 "argument: %s", filename, linenum, arg);
/* sIgnoreRhosts (label not shown). What follows is the shared yes/no flag
 * parser that the intptr-only cases below fall into; the assignments for
 * "yes"/"no" and the store to *intptr are on lines not shown. */
629 intptr = &options->ignore_rhosts;
632 if (!arg || *arg == '\0')
633 fatal("%s line %d: missing yes/no argument.",
635 value = 0; /* silence compiler */
636 if (strcmp(arg, "yes") == 0)
638 else if (strcmp(arg, "no") == 0)
641 fatal("%s line %d: Bad yes/no argument: %s",
642 filename, linenum, arg);
/* Flag options: each case only selects the target field. */
647 case sIgnoreUserKnownHosts:
648 intptr = &options->ignore_user_known_hosts;
651 case sRhostsAuthentication:
652 intptr = &options->rhosts_authentication;
655 case sRhostsRSAAuthentication:
656 intptr = &options->rhosts_rsa_authentication;
659 case sHostbasedAuthentication:
660 intptr = &options->hostbased_authentication;
663 case sHostbasedUsesNameFromPacketOnly:
664 intptr = &options->hostbased_uses_name_from_packet_only;
667 case sRSAAuthentication:
668 intptr = &options->rsa_authentication;
671 case sPubkeyAuthentication:
672 intptr = &options->pubkey_authentication;
675 case sGssAuthentication:
676 intptr = &options->gss_authentication;
/* sGssKeyEx (label not shown). */
679 intptr = &options->gss_keyex;
681 case sGssUseSessionCredCache:
682 intptr = &options->gss_use_session_ccache;
684 case sGssCleanupCreds:
685 intptr = &options->gss_cleanup_creds;
/* Kerberos/AFS cases; #endif lines not shown. */
688 #if defined(KRB4) || defined(KRB5)
689 case sKerberosAuthentication:
690 intptr = &options->kerberos_authentication;
693 case sKerberosOrLocalPasswd:
694 intptr = &options->kerberos_or_local_passwd;
697 case sKerberosTicketCleanup:
698 intptr = &options->kerberos_ticket_cleanup;
701 #if defined(AFS) || defined(KRB5)
702 case sKerberosTgtPassing:
703 intptr = &options->kerberos_tgt_passing;
707 case sAFSTokenPassing:
708 intptr = &options->afs_token_passing;
712 case sPasswordAuthentication:
713 intptr = &options->password_authentication;
716 case sKbdInteractiveAuthentication:
717 intptr = &options->kbd_interactive_authentication;
720 case sChallengeResponseAuthentication:
721 intptr = &options->challenge_response_authentication;
725 intptr = &options->print_motd;
729 intptr = &options->print_lastlog;
733 intptr = &options->x11_forwarding;
736 case sX11DisplayOffset:
737 intptr = &options->x11_display_offset;
740 case sX11UseLocalhost:
741 intptr = &options->x11_use_localhost;
745 charptr = &options->xauth_location;
749 intptr = &options->strict_modes;
753 intptr = &options->keepalives;
757 intptr = &options->permit_empty_passwd;
760 case sPermitUserEnvironment:
761 intptr = &options->permit_user_env;
765 intptr = &options->use_login;
769 intptr = &options->compression;
773 intptr = &options->gateway_ports;
776 case sVerifyReverseMapping:
777 intptr = &options->verify_reverse_mapping;
/* sLogFacility (label not shown). NOTE(review): the enum field is written
 * through an (int *), which assumes the enum has int representation. The
 * strdelim() fetching arg sits between these lines and is not shown;
 * arg may be NULL here, hence the "<NONE>" fallback in the message. */
781 intptr = (int *) &options->log_facility;
783 value = log_facility_number(arg);
784 if (value == SYSLOG_FACILITY_NOT_SET)
785 fatal("%.200s line %d: unsupported log facility '%s'",
786 filename, linenum, arg ? arg : "<NONE>");
788 *intptr = (SyslogFacility) value;
/* sLogLevel (label not shown): same pattern as the facility above. */
792 intptr = (int *) &options->log_level;
794 value = log_level_number(arg);
795 if (value == SYSLOG_LEVEL_NOT_SET)
796 fatal("%.200s line %d: unsupported log level '%s'",
797 filename, linenum, arg ? arg : "<NONE>");
799 *intptr = (LogLevel) value;
802 case sAllowTcpForwarding:
803 intptr = &options->allow_tcp_forwarding;
/* UsePrivilegeSeparation writes the file-scope use_privsep rather than a
 * field of *options. */
806 case sUsePrivilegeSeparation:
807 intptr = &use_privsep;
/* sAllowUsers (label not shown): every remaining token on the line is one
 * entry; the list is bounded by MAX_ALLOW_USERS before each append. The
 * xstrdup() on the right-hand side is on a line not shown. The three
 * lists below follow the same shape. */
811 while ((arg = strdelim(&cp)) && *arg != '\0') {
812 if (options->num_allow_users >= MAX_ALLOW_USERS)
813 fatal("%s line %d: too many allow users.",
815 options->allow_users[options->num_allow_users++] =
821 while ((arg = strdelim(&cp)) && *arg != '\0') {
822 if (options->num_deny_users >= MAX_DENY_USERS)
823 fatal( "%s line %d: too many deny users.",
825 options->deny_users[options->num_deny_users++] =
831 while ((arg = strdelim(&cp)) && *arg != '\0') {
832 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
833 fatal("%s line %d: too many allow groups.",
835 options->allow_groups[options->num_allow_groups++] =
841 while ((arg = strdelim(&cp)) && *arg != '\0') {
842 if (options->num_deny_groups >= MAX_DENY_GROUPS)
843 fatal("%s line %d: too many deny groups.",
845 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
/* sCiphers (label not shown): the spec is validated with ciphers_valid()
 * before being stored, and the first Ciphers line wins. */
851 if (!arg || *arg == '\0')
852 fatal("%s line %d: Missing argument.", filename, linenum);
853 if (!ciphers_valid(arg))
854 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
855 filename, linenum, arg ? arg : "<NONE>");
856 if (options->ciphers == NULL)
857 options->ciphers = xstrdup(arg);
/* sMacs (label not shown): same shape as sCiphers; the MAC validity test
 * guarding the fatal() below is on a line not shown. */
862 if (!arg || *arg == '\0')
863 fatal("%s line %d: Missing argument.", filename, linenum);
865 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
866 filename, linenum, arg ? arg : "<NONE>");
867 if (options->macs == NULL)
868 options->macs = xstrdup(arg);
/* sProtocol (label not shown): proto_spec() yields SSH_PROTO_UNKNOWN for a
 * bad spec; the store (next line, not shown) only happens while the
 * field is still unset, so the first Protocol line wins. */
872 intptr = &options->protocol;
874 if (!arg || *arg == '\0')
875 fatal("%s line %d: Missing argument.", filename, linenum);
876 value = proto_spec(arg);
877 if (value == SSH_PROTO_UNKNOWN)
878 fatal("%s line %d: Bad protocol spec '%s'.",
879 filename, linenum, arg ? arg : "<NONE>");
880 if (*intptr == SSH_PROTO_UNKNOWN)
/* sSubsystem (label not shown): bounded by MAX_SUBSYSTEMS and a duplicate
 * name is rejected; name and command are copied with xstrdup(). The
 * strdelim() fetching the command is on a line not shown. */
885 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
886 fatal("%s line %d: too many subsystems defined.",
890 if (!arg || *arg == '\0')
891 fatal("%s line %d: Missing subsystem name.",
893 for (i = 0; i < options->num_subsystems; i++)
894 if (strcmp(arg, options->subsystem_name[i]) == 0)
895 fatal("%s line %d: Subsystem '%s' already defined.",
896 filename, linenum, arg);
897 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
899 if (!arg || *arg == '\0')
900 fatal("%s line %d: Missing subsystem command.",
902 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
903 options->num_subsystems++;
/* sMaxStartups (label not shown): "begin:rate:full" or a single number.
 * sscanf() writes straight into the option fields; the three-field form is
 * then range-checked (begin <= full, 1 <= rate <= 100). The else-if that
 * accepts the single-number form is on a line not shown. NOTE(review): %d
 * does no overflow checking; out-of-range digits are undefined behaviour
 * in sscanf(). */
908 if (!arg || *arg == '\0')
909 fatal("%s line %d: Missing MaxStartups spec.",
911 if ((n = sscanf(arg, "%d:%d:%d",
912 &options->max_startups_begin,
913 &options->max_startups_rate,
914 &options->max_startups)) == 3) {
915 if (options->max_startups_begin >
916 options->max_startups ||
917 options->max_startups_rate > 100 ||
918 options->max_startups_rate < 1)
919 fatal("%s line %d: Illegal MaxStartups spec.",
922 fatal("%s line %d: Illegal MaxStartups spec.",
925 options->max_startups = options->max_startups_begin;
/* sBanner (label and goto not shown). */
929 charptr = &options->banner;
932 * These options can contain %X options expanded at
933 * connect time, so that you can specify paths like:
935 * AuthorizedKeysFile /etc/ssh_keys/%u
937 case sAuthorizedKeysFile:
938 case sAuthorizedKeysFile2:
939 charptr = (opcode == sAuthorizedKeysFile ) ?
940 &options->authorized_keys_file :
941 &options->authorized_keys_file2;
944 case sClientAliveInterval:
945 intptr = &options->client_alive_interval;
948 case sClientAliveCountMax:
949 intptr = &options->client_alive_count_max;
/* sDeprecated (label not shown): the keyword is accepted and logged rather
 * than rejected; arg is still the keyword itself here. */
953 log("%s line %d: Deprecated option %s",
954 filename, linenum, arg);
/* default (label not shown): an opcode with no case is a programming
 * error and is fatal. */
960 fatal("%s line %d: Missing handler for opcode %s (%d)",
961 filename, linenum, arg, opcode);
/* Anything left on the line after the argument(s) is an error; %.200s
 * bounds how much of it is echoed into the log. */
963 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
964 fatal("%s line %d: garbage at end of line; \"%.200s\".",
965 filename, linenum, arg);
969 /* Reads the server configuration file. */
972 read_server_config(ServerOptions *options, const char *filename)
974 int linenum, bad_options = 0;
978 debug2("read_server_config: filename %s", filename);
979 f = fopen(filename, "r");
985 while (fgets(line, sizeof(line), f)) {
986 /* Update line number counter. */
988 if (process_server_config_line(options, line, filename, linenum) != 0)
993 fatal("%s: terminating, %d bad configuration options",
994 filename, bad_options);