2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * Functions for reading the configuration files.
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
15 RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $");
21 #include "pathnames.h"
29 /* Format of the configuration file:
31 # Configuration data is parsed as follows:
32 # 1. command line options
33 # 2. user-specific file
35 # Any configuration value is only changed the first time it is set.
36 # Thus, host-specific definitions should be at the beginning of the
37 # configuration file, and defaults at the end.
39 # Host-specific declarations. These may override anything above. A single
40 # host may match multiple declarations; these are processed in the order
41 # that they are given in.
47 HostName another.host.name.real.org
54 RemoteForward 9999 shadows.cs.hut.fi:9999
60 PasswordAuthentication no
64 ProxyCommand ssh-proxy %h %p
67 PublicKeyAuthentication no
71 PasswordAuthentication no
77 # Defaults for various options
81 PasswordAuthentication yes
83 RhostsRSAAuthentication yes
84 StrictHostKeyChecking yes
86 IdentityFile ~/.ssh/identity
96 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
97 oPasswordAuthentication, oRSAAuthentication,
98 oChallengeResponseAuthentication, oXAuthLocation,
99 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
100 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
101 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
102 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
103 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
104 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
105 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
106 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
107 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
108 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
109 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
110 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
111 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
114 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
115 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
116 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
117 oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
119 oDeprecated, oUnsupported
/*
 * Textual representations of the tokens.  Lookup is done by parse_token()
 * with strcasecmp(), so keyword matching is case-insensitive and the first
 * matching entry wins.  Where a keyword appears twice below (the gssapi*
 * and smartcarddevice entries) the second copy presumably belongs to an
 * alternate conditional-compilation branch that maps the keyword to
 * oUnsupported for builds without that feature.
 */
128 { "forwardagent", oForwardAgent },
129 { "forwardx11", oForwardX11 },
130 { "forwardx11trusted", oForwardX11Trusted },
131 { "xauthlocation", oXAuthLocation },
132 { "gatewayports", oGatewayPorts },
133 { "useprivilegedport", oUsePrivilegedPort },
134 { "rhostsauthentication", oDeprecated },
135 { "passwordauthentication", oPasswordAuthentication },
136 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
137 { "kbdinteractivedevices", oKbdInteractiveDevices },
138 { "rsaauthentication", oRSAAuthentication },
139 { "pubkeyauthentication", oPubkeyAuthentication },
140 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
141 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
142 { "hostbasedauthentication", oHostbasedAuthentication },
143 { "challengeresponseauthentication", oChallengeResponseAuthentication },
144 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
145 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
146 { "kerberosauthentication", oUnsupported },
147 { "kerberostgtpassing", oUnsupported },
148 { "afstokenpassing", oUnsupported },
150 { "gssapiauthentication", oGssAuthentication },
151 { "gssapikeyexchange", oGssKeyEx },
152 { "gssapidelegatecredentials", oGssDelegateCreds },
153 { "gssapitrustdns", oGssTrustDns },
155 { "gssapiauthentication", oUnsupported },
156 { "gssapikeyexchange", oUnsupported },
157 { "gssapidelegatecredentials", oUnsupported },
158 { "gssapitrustdns", oUnsupported },
160 { "fallbacktorsh", oDeprecated },
161 { "usersh", oDeprecated },
162 { "identityfile", oIdentityFile },
163 { "identityfile2", oIdentityFile }, /* alias */
164 { "identitiesonly", oIdentitiesOnly },
165 { "hostname", oHostName },
166 { "hostkeyalias", oHostKeyAlias },
167 { "proxycommand", oProxyCommand },
169 { "cipher", oCipher },
170 { "ciphers", oCiphers },
172 { "protocol", oProtocol },
173 { "remoteforward", oRemoteForward },
174 { "localforward", oLocalForward },
177 { "escapechar", oEscapeChar },
178 { "globalknownhostsfile", oGlobalKnownHostsFile },
179 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
180 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
181 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
182 { "connectionattempts", oConnectionAttempts },
183 { "batchmode", oBatchMode },
184 { "checkhostip", oCheckHostIP },
185 { "stricthostkeychecking", oStrictHostKeyChecking },
186 { "compression", oCompression },
187 { "compressionlevel", oCompressionLevel },
188 { "tcpkeepalive", oTCPKeepAlive },
189 { "keepalive", oTCPKeepAlive }, /* obsolete */
190 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
191 { "loglevel", oLogLevel },
192 { "dynamicforward", oDynamicForward },
193 { "preferredauthentications", oPreferredAuthentications },
194 { "hostkeyalgorithms", oHostKeyAlgorithms },
195 { "bindaddress", oBindAddress },
197 { "smartcarddevice", oSmartcardDevice },
199 { "smartcarddevice", oUnsupported },
201 { "clearallforwardings", oClearAllForwardings },
202 { "enablesshkeysign", oEnableSSHKeysign },
203 { "verifyhostkeydns", oVerifyHostKeyDNS },
204 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
205 { "rekeylimit", oRekeyLimit },
206 { "connecttimeout", oConnectTimeout },
207 { "addressfamily", oAddressFamily },
208 { "serveraliveinterval", oServerAliveInterval },
209 { "serveralivecountmax", oServerAliveCountMax },
210 { "sendenv", oSendEnv },
211 { "controlpath", oControlPath },
212 { "controlmaster", oControlMaster },
213 { "hashknownhosts", oHashKnownHosts },
214 { "tunnel", oTunnel },
215 { "tunneldevice", oTunnelDevice },
216 { "localcommand", oLocalCommand },
217 { "permitlocalcommand", oPermitLocalCommand },
218 { "noneenabled", oNoneEnabled },
219 { "tcprcvbufpoll", oTcpRcvBufPoll },
220 { "tcprcvbuf", oTcpRcvBuf },
221 { "noneswitch", oNoneSwitch },
222 { "hpndisabled", oHPNDisabled },
223 { "hpnbuffersize", oHPNBufferSize },
228 * Adds a local TCP/IP port forward to options. Never returns if there is an
/*
 * Appends a local port forward to options->local_forwards, deep-copying the
 * host strings out of newfwd so the caller may free or reuse it.
 *
 * Never returns on error: fatal() is called when the per-direction limit
 * SSH_MAX_FORWARDS_PER_DIRECTION is already reached, or when a non-root user
 * asks to listen on a port below IPPORT_RESERVED.
 */
void
add_local_forward(Options *options, const Forward *newfwd)
{
	Forward *slot;

#ifndef NO_IPPORT_RESERVED_CONCEPT
	/*
	 * The privileged-port decision is made on the original real uid, not
	 * on the effective uid, presumably because ssh may be installed
	 * setuid root; an ordinary user must not gain a privileged listener
	 * that way.
	 */
	extern uid_t original_real_uid;

	if (original_real_uid != 0 && newfwd->listen_port < IPPORT_RESERVED)
		fatal("Privileged ports can only be forwarded by root.");
#endif
	if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many local forwards (max %d).",
		    SSH_MAX_FORWARDS_PER_DIRECTION);

	slot = &options->local_forwards[options->num_local_forwards];
	options->num_local_forwards++;

	/* A NULL listen_host is kept as NULL rather than duplicated. */
	if (newfwd->listen_host != NULL)
		slot->listen_host = xstrdup(newfwd->listen_host);
	else
		slot->listen_host = NULL;
	slot->listen_port = newfwd->listen_port;
	slot->connect_host = xstrdup(newfwd->connect_host);
	slot->connect_port = newfwd->connect_port;
}
253 * Adds a remote TCP/IP port forward to options. Never returns if there is
/*
 * Appends a remote port forward to options->remote_forwards, deep-copying
 * the host strings out of newfwd so the caller may free or reuse it.
 *
 * Never returns on error: fatal() is called when the per-direction limit
 * SSH_MAX_FORWARDS_PER_DIRECTION is already reached.  Unlike
 * add_local_forward() there is no privileged-port check here; the listening
 * socket of a remote forward is presumably opened by the server side, which
 * applies its own policy (not visible in this file).
 */
void
add_remote_forward(Options *options, const Forward *newfwd)
{
	Forward *slot;

	if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many remote forwards (max %d).",
		    SSH_MAX_FORWARDS_PER_DIRECTION);

	slot = options->remote_forwards + options->num_remote_forwards;
	options->num_remote_forwards++;

	slot->listen_port = newfwd->listen_port;
	slot->connect_port = newfwd->connect_port;
	slot->connect_host = xstrdup(newfwd->connect_host);
	/* A NULL listen_host is kept as NULL rather than duplicated. */
	slot->listen_host = NULL;
	if (newfwd->listen_host != NULL)
		slot->listen_host = xstrdup(newfwd->listen_host);
}
/*
 * Releases the strings owned by the first n entries of list.  listen_host
 * is optional (may be NULL); connect_host is always present.  The NULL test
 * is kept because xfree() is not guaranteed to tolerate a NULL argument.
 */
static void
release_forwards(Forward *list, int n)
{
	int i;

	for (i = 0; i < n; i++) {
		if (list[i].listen_host != NULL)
			xfree(list[i].listen_host);
		xfree(list[i].connect_host);
	}
}

/*
 * Drops every recorded local and remote forward, freeing their strings and
 * resetting both counters to zero.  It also switches tunnel-device
 * forwarding off (tun_open = SSH_TUNMODE_NO), so "ClearAllForwardings"
 * cancels tunnels as well as TCP forwards.
 */
void
clear_forwardings(Options *options)
{
	release_forwards(options->local_forwards, options->num_local_forwards);
	options->num_local_forwards = 0;

	release_forwards(options->remote_forwards, options->num_remote_forwards);
	options->num_remote_forwards = 0;

	options->tun_open = SSH_TUNMODE_NO;
}
294 * Returns the number of the token pointed to by cp or oBadOption.
parse_token(const char *cp, const char *filename, int linenum)
	/*
	 * Linear, case-insensitive scan of keywords[] up to its NULL-name
	 * terminator, so "HostName" and "hostname" select the same opcode.
	 * The first match is returned; a duplicate name later in the table
	 * is never reached.
	 */
	for (i = 0; keywords[i].name; i++)
		if (strcasecmp(cp, keywords[i].name) == 0)
			return keywords[i].opcode;
	/*
	 * Unknown keyword: report it with file and line, then hand oBadOption
	 * back (see the comment above) so process_config_line can count bad
	 * options instead of aborting on the first one.
	 */
	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
312 * Processes a single option line as used in the configuration files. This
313 * only sets those values that have not already been set.
315 #define WHITESPACE " \t\r\n"
/*
 * Parses one configuration line into *options.
 *
 * options  - option set being filled; a field is written only while it still
 *            holds its initialize_options() "unset" marker (-1 / NULL), so an
 *            earlier source (command line, earlier Host block) always wins.
 * host     - the host being connected to, matched against "Host" patterns.
 * line     - the line text; it is modified in place while tokenising.
 * filename, linenum - used only for diagnostics.
 * activep  - in/out flag: 0 while inside a "Host" block that does not match
 *            host, in which case values are parsed and validated but not
 *            stored.  The "Host" keyword itself updates this flag.
 *
 * Returns nonzero only for a keyword parse_token() does not know; the caller
 * counts those and reports them at end of file.  Every other malformed line
 * is fatal().  Argument keywords (yes/no/ask, ...) are compared with strcmp
 * and are therefore case-sensitive unless strcasecmp is used explicitly
 * below.
 */
process_config_line(Options *options, const char *host,
    char *line, const char *filename, int linenum,
    char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
    int opcode, *intptr, value, value2;

    /* Strip trailing whitespace */
    /*
     * NOTE(review): if len is an unsigned type (its declaration is not
     * visible here), an empty line makes strlen(line) - 1 wrap and the loop
     * indexes before the buffer.  fgets() never yields an empty string, but
     * any other caller could; a `strlen(line) == 0` guard before this loop
     * removes the hazard.
     */
    for (len = strlen(line) - 1; len > 0; len--) {
        if (strchr(WHITESPACE, line[len]) == NULL)

    /* Get the keyword. (Each line is supposed to begin with a keyword). */
    keyword = strdelim(&s);
    /* Ignore leading whitespace. */
    if (*keyword == '\0')
        keyword = strdelim(&s);
    /* Blank lines and '#' comment lines carry no option and are skipped. */
    if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')

    opcode = parse_token(keyword, filename, linenum);
    /* don't panic, but count bad options */

    case oConnectTimeout:
        intptr = &options->connection_timeout;
        if (!arg || *arg == '\0')
            fatal("%s line %d: missing time value.",
        /* convtime() rejects malformed time specs with -1. */
        if ((value = convtime(arg)) == -1)
            fatal("%s line %d: invalid time value.",

        intptr = &options->forward_agent;
        /*
         * Generic yes/no parser shared by all the boolean options that set
         * intptr above and jump here.  "true"/"false" are accepted aliases.
         */
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
        value = 0; /* To avoid compiler warning... */
        if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
        else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
            fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
        /*
         * First writer wins: -1 is the "not yet set" marker from
         * initialize_options(), and nothing is stored while *activep is 0
         * (a non-matching Host block).
         */
        if (*activep && *intptr == -1)

        intptr = &options->forward_x11;

    case oForwardX11Trusted:
        intptr = &options->forward_x11_trusted;

        intptr = &options->gateway_ports;

    case oUsePrivilegedPort:
        intptr = &options->use_privileged_port;

    case oPasswordAuthentication:
        intptr = &options->password_authentication;

    case oKbdInteractiveAuthentication:
        intptr = &options->kbd_interactive_authentication;

    case oKbdInteractiveDevices:
        charptr = &options->kbd_interactive_devices;

    case oPubkeyAuthentication:
        intptr = &options->pubkey_authentication;

    case oRSAAuthentication:
        intptr = &options->rsa_authentication;

    case oRhostsRSAAuthentication:
        intptr = &options->rhosts_rsa_authentication;

    case oHostbasedAuthentication:
        intptr = &options->hostbased_authentication;

    case oChallengeResponseAuthentication:
        intptr = &options->challenge_response_authentication;

    case oGssAuthentication:
        intptr = &options->gss_authentication;

        intptr = &options->gss_keyex;

    case oGssDelegateCreds:
        intptr = &options->gss_deleg_creds;

        intptr = &options->gss_trust_dns;

        intptr = &options->batch_mode;

        intptr = &options->check_host_ip;

        intptr = &options->none_enabled;

        intptr = &options->none_switch;

        intptr = &options->hpn_disabled;

        intptr = &options->hpn_buffer_size;

        intptr = &options->tcp_rcv_buf_poll;

    case oVerifyHostKeyDNS:
        intptr = &options->verify_host_key_dns;

    case oStrictHostKeyChecking:
        intptr = &options->strict_host_key_checking;
        /*
         * Three-valued: besides yes/no, "ask" is accepted (the numeric codes
         * assigned in each branch are not visible in this listing).
         */
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing yes/no/ask argument.",
        value = 0; /* To avoid compiler warning... */
        if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
        else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
        else if (strcmp(arg, "ask") == 0)
            fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
        if (*activep && *intptr == -1)

        intptr = &options->compression;

        intptr = &options->tcp_keep_alive;

    case oNoHostAuthenticationForLocalhost:
        intptr = &options->no_host_authentication_for_localhost;

    case oNumberOfPasswordPrompts:
        intptr = &options->number_of_password_prompts;

    case oCompressionLevel:
        intptr = &options->compression_level;

        intptr = &options->rekey_limit;
        /*
         * A leading digit is required before strtol() so that "-5" or "+5"
         * are rejected rather than silently accepted.  An optional unit
         * suffix is handled by the switch on the first unparsed character.
         */
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing argument.", filename, linenum);
        if (arg[0] < '0' || arg[0] > '9')
            fatal("%.200s line %d: Bad number.", filename, linenum);
        value = strtol(arg, &endofnumber, 10);
        if (arg == endofnumber)
            fatal("%.200s line %d: Bad number.", filename, linenum);
        switch (toupper(*endofnumber)) {
        if (*activep && *intptr == -1)

        /*
         * IdentityFile accumulates rather than "first wins": each
         * occurrence appends one path, bounded by SSH_MAX_IDENTITY_FILES.
         */
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing argument.", filename, linenum);
        intptr = &options->num_identity_files;
        if (*intptr >= SSH_MAX_IDENTITY_FILES)
            fatal("%.200s line %d: Too many identity files specified (max %d).",
                filename, linenum, SSH_MAX_IDENTITY_FILES);
        charptr = &options->identity_files[*intptr];
        *charptr = xstrdup(arg);
        *intptr = *intptr + 1;

        charptr=&options->xauth_location;

        charptr = &options->user;
        /*
         * Generic single-token string parser shared by the options that set
         * charptr above; NULL is the "unset" marker for string options.
         */
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing argument.", filename, linenum);
        if (*activep && *charptr == NULL)
            *charptr = xstrdup(arg);

    case oGlobalKnownHostsFile:
        charptr = &options->system_hostfile;

    case oUserKnownHostsFile:
        charptr = &options->user_hostfile;

    case oGlobalKnownHostsFile2:
        charptr = &options->system_hostfile2;

    case oUserKnownHostsFile2:
        charptr = &options->user_hostfile2;

        charptr = &options->hostname;

        charptr = &options->host_key_alias;

    case oPreferredAuthentications:
        charptr = &options->preferred_authentications;

        charptr = &options->bind_address;

    case oSmartcardDevice:
        charptr = &options->smartcard_device;

        charptr = &options->proxy_command;
        /*
         * ProxyCommand takes the rest of the line verbatim (spaces
         * included), after skipping leading whitespace and '='.  This string
         * names a command that ssh will later run; it is accepted here only
         * because read_config_file() has already verified the file's owner
         * and permissions.
         */
            fatal("%.200s line %d: Missing argument.", filename, linenum);
        len = strspn(s, WHITESPACE "=");
        if (*activep && *charptr == NULL)
            *charptr = xstrdup(s + len);

        intptr = &options->port;
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing argument.", filename, linenum);
        if (arg[0] < '0' || arg[0] > '9')
            fatal("%.200s line %d: Bad number.", filename, linenum);
        /* Octal, decimal, or hex format? */
        /* Base 0: "022" is octal and "0x16" is hex, so "Port 022" means 18. */
        value = strtol(arg, &endofnumber, 0);
        if (arg == endofnumber)
            fatal("%.200s line %d: Bad number.", filename, linenum);
        if (*activep && *intptr == -1)

    case oConnectionAttempts:
        intptr = &options->connection_attempts;

        intptr = &options->tcp_rcv_buf;

        intptr = &options->cipher;
        /* Protocol-1 cipher: the name must resolve via cipher_number(). */
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing argument.", filename, linenum);
        value = cipher_number(arg);
            fatal("%.200s line %d: Bad cipher '%s'.",
                filename, linenum, arg ? arg : "<NONE>");
        if (*activep && *intptr == -1)

        /*
         * Protocol-2 algorithm lists are validated against the known names
         * before being stored, so a typo fails here rather than at
         * negotiation time.
         */
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing argument.", filename, linenum);
        if (!ciphers_valid(arg))
            fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
                filename, linenum, arg ? arg : "<NONE>");
        if (*activep && options->ciphers == NULL)
            options->ciphers = xstrdup(arg);

        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing argument.", filename, linenum);
            fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
                filename, linenum, arg ? arg : "<NONE>");
        if (*activep && options->macs == NULL)
            options->macs = xstrdup(arg);

    case oHostKeyAlgorithms:
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing argument.", filename, linenum);
        if (!key_names_valid2(arg))
            fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
                filename, linenum, arg ? arg : "<NONE>");
        if (*activep && options->hostkeyalgorithms == NULL)
            options->hostkeyalgorithms = xstrdup(arg);

        intptr = &options->protocol;
        /* The "unset" marker for protocol is SSH_PROTO_UNKNOWN, not -1. */
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing argument.", filename, linenum);
        value = proto_spec(arg);
        if (value == SSH_PROTO_UNKNOWN)
            fatal("%.200s line %d: Bad protocol spec '%s'.",
                filename, linenum, arg ? arg : "<NONE>");
        if (*activep && *intptr == SSH_PROTO_UNKNOWN)

        /* log_level is a LogLevel enum; the cast lets it share intptr. */
        intptr = (int *) &options->log_level;
        value = log_level_number(arg);
        if (value == SYSLOG_LEVEL_NOT_SET)
            fatal("%.200s line %d: unsupported log level '%s'",
                filename, linenum, arg ? arg : "<NONE>");
        if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
            *intptr = (LogLevel) value;

        /*
         * LocalForward / RemoteForward: "port target" is re-joined with a
         * ':' so parse_forward() sees the same syntax as the command line.
         * NOTE(review): snprintf() truncation into the 256-byte fwdarg is
         * not checked, so an over-long spec is silently cut before it is
         * parsed; checking the return value against sizeof(fwdarg) would
         * turn that into a clear error.
         */
        if (arg == NULL || *arg == '\0')
            fatal("%.200s line %d: Missing port argument.",
        if (arg2 == NULL || *arg2 == '\0')
            fatal("%.200s line %d: Missing target argument.",

        /* construct a string for parse_forward */
        snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);

        if (parse_forward(&fwd, fwdarg) == 0)
            fatal("%.200s line %d: Bad forwarding specification.",

        if (opcode == oLocalForward)
            add_local_forward(options, &fwd);
        else if (opcode == oRemoteForward)
            add_remote_forward(options, &fwd);

    case oDynamicForward:
        /*
         * Accepts "port" or "host:port" (hpdelim splits the host part off).
         * A dynamic forward is recorded as a local forward whose target is
         * the literal "socks"; add_local_forward() copies that string, so
         * the literal is never freed.
         */
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing port argument.",
        memset(&fwd, '\0', sizeof(fwd));
        fwd.connect_host = "socks";
        fwd.listen_host = hpdelim(&arg);
        if (fwd.listen_host == NULL ||
            strlen(fwd.listen_host) >= NI_MAXHOST)
            fatal("%.200s line %d: Bad forwarding specification.",
        /* Remainder present: first token was the host, remainder the port. */
            fwd.listen_port = a2port(arg);
            fwd.listen_host = cleanhostname(fwd.listen_host);
        /* No remainder: the single token is the port, host stays unset. */
            fwd.listen_port = a2port(fwd.listen_host);
            fwd.listen_host = NULL;
        if (fwd.listen_port == 0)
            fatal("%.200s line %d: Badly formatted port number.",
        add_local_forward(options, &fwd);

    case oClearAllForwardings:
        intptr = &options->clear_forwardings;

        /*
         * "Host": every remaining token is a pattern; *activep is set when
         * one matches the target host, and all following lines apply only
         * if it did.  Patterns are consumed here, hence no garbage check.
         */
        while ((arg = strdelim(&s)) != NULL && *arg != '\0')
            if (match_pattern(host, arg)) {
                debug("Applying options for %.100s", arg);
        /* Avoid garbage check below, as strdelim is done. */

        intptr = &options->escape_char;
        /*
         * Three spellings: "^X" for a control character (X in the range
         * '@'..DEL, masked with 31), a single literal character, or "none".
         */
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing argument.", filename, linenum);
        if (arg[0] == '^' && arg[2] == 0 &&
            (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
            value = (u_char) arg[1] & 31;
        else if (strlen(arg) == 1)
            value = (u_char) arg[0];
        else if (strcmp(arg, "none") == 0)
            value = SSH_ESCAPECHAR_NONE;
            fatal("%.200s line %d: Bad escape character.",
            value = 0; /* Avoid compiler warning. */
        if (*activep && *intptr == -1)

        /* AddressFamily is matched case-insensitively, unlike yes/no. */
        if (!arg || *arg == '\0')
            fatal("%s line %d: missing address family.",
        intptr = &options->address_family;
        if (strcasecmp(arg, "inet") == 0)
        else if (strcasecmp(arg, "inet6") == 0)
        else if (strcasecmp(arg, "any") == 0)
            fatal("Unsupported AddressFamily \"%s\"", arg);
        if (*activep && *intptr == -1)

    case oEnableSSHKeysign:
        intptr = &options->enable_ssh_keysign;

    case oIdentitiesOnly:
        intptr = &options->identities_only;

    case oServerAliveInterval:
        intptr = &options->server_alive_interval;

    case oServerAliveCountMax:
        intptr = &options->server_alive_count_max;

        /*
         * SendEnv: each token is a variable name (pattern).  A name
         * containing '=' is refused so a "NAME=value" cannot be smuggled in
         * as a name.  Bounded by MAX_SEND_ENV.
         */
        while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
            if (strchr(arg, '=') != NULL)
                fatal("%s line %d: Invalid environment name.",
            if (options->num_send_env >= MAX_SEND_ENV)
                fatal("%s line %d: too many send env.",
            options->send_env[options->num_send_env++] =

        charptr = &options->control_path;

        intptr = &options->control_master;
        /* Five-valued: yes/no/auto/ask/autoask, mapped to SSHCTL_MASTER_*. */
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing ControlMaster argument.",
        value = 0; /* To avoid compiler warning... */
        if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
            value = SSHCTL_MASTER_YES;
        else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
            value = SSHCTL_MASTER_NO;
        else if (strcmp(arg, "auto") == 0)
            value = SSHCTL_MASTER_AUTO;
        else if (strcmp(arg, "ask") == 0)
            value = SSHCTL_MASTER_ASK;
        else if (strcmp(arg, "autoask") == 0)
            value = SSHCTL_MASTER_AUTO_ASK;
            fatal("%.200s line %d: Bad ControlMaster argument.",
        if (*activep && *intptr == -1)

    case oHashKnownHosts:
        intptr = &options->hash_known_hosts;

        intptr = &options->tun_open;
        /* Tunnel: yes/point-to-point/ethernet/no, case-insensitive. */
        if (!arg || *arg == '\0')
            fatal("%s line %d: Missing yes/point-to-point/"
                "ethernet/no argument.", filename, linenum);
        value = 0; /* silence compiler */
        if (strcasecmp(arg, "ethernet") == 0)
            value = SSH_TUNMODE_ETHERNET;
        else if (strcasecmp(arg, "point-to-point") == 0)
            value = SSH_TUNMODE_POINTOPOINT;
        else if (strcasecmp(arg, "yes") == 0)
            value = SSH_TUNMODE_DEFAULT;
        else if (strcasecmp(arg, "no") == 0)
            value = SSH_TUNMODE_NO;
            fatal("%s line %d: Bad yes/point-to-point/ethernet/"
                "no argument: %s", filename, linenum, arg);

        /*
         * TunnelDevice: a2tun() yields the local unit in value and the
         * remote unit in value2; both are stored.
         */
        if (!arg || *arg == '\0')
            fatal("%.200s line %d: Missing argument.", filename, linenum);
        value = a2tun(arg, &value2);
        if (value == SSH_TUNID_ERR)
            fatal("%.200s line %d: Bad tun device.", filename, linenum);
            options->tun_local = value;
            options->tun_remote = value2;

        charptr = &options->local_command;

    case oPermitLocalCommand:
        intptr = &options->permit_local_command;

        /* Deprecated keywords are silently ignored (debug-level only). */
        debug("%s line %d: Deprecated option \"%s\"",
            filename, linenum, keyword);

        /*
         * Unsupported keywords (features compiled out) are reported with
         * error() but do not abort, so one config can serve several builds.
         */
        error("%s line %d: Unsupported option \"%s\"",
            filename, linenum, keyword);

        fatal("process_config_line: Unimplemented opcode %d", opcode);

    /* Check that there is no garbage at end of line. */
    /* Anything left after the option's own arguments is a hard error. */
    if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
        fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
            filename, linenum, arg);
950 * Reads the config file and modifies the options accordingly. Options
951 * should already be initialized before this call. This never returns if
952 * there is an error. If the file does not exist, this returns 0.
/*
 * Reads one configuration file line by line through process_config_line().
 *
 * filename - path of the file; a file that cannot be opened is not an error
 *            (the comment above documents the 0 return).
 * host     - target host for "Host" pattern matching.
 * options  - option set to fill; must already be initialize_options()'d.
 *
 * Never returns on a malformed line or on a file that fails the ownership
 * and permission check below.
 */
read_config_file(const char *filename, const char *host, Options *options,
    if ((f = fopen(filename, "r")) == NULL)
    /*
     * fstat() the descriptor that was actually opened rather than stat()
     * the path, so the check below cannot be raced by swapping the file
     * between check and use.
     */
    if (fstat(fileno(f), &sb) == -1)
        fatal("fstat %s: %s", filename, strerror(errno));
    /*
     * The file must belong to root or to the real user (getuid) and must
     * not be group- or world-writable (mode & 022).  A config file someone
     * else can edit amounts to code execution as this user: options such as
     * ProxyCommand and LocalCommand name commands that ssh runs.
     */
    if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
        (sb.st_mode & 022) != 0))
        fatal("Bad owner or permissions on %s", filename);

    debug("Reading configuration data %.200s", filename);

    /*
     * Mark that we are now processing the options. This flag is turned
     * on/off by Host specifications.
     */
    /*
     * NOTE(review): fgets() stops after sizeof(line)-1 bytes, so a physical
     * line longer than the buffer is delivered as two or more logical lines
     * and the tail is parsed as if it started a fresh keyword.  Confirm that
     * sizeof(line) (declaration not visible here) exceeds any legitimate
     * option line, or detect a missing trailing newline and fail.
     */
    while (fgets(line, sizeof(line), f)) {
        /* Update line number counter. */
        if (process_config_line(options, host, line, filename, linenum, &active) != 0)
    /* Unknown keywords are counted per file and reported once, at the end. */
    fatal("%s: terminating, %d bad configuration options",
        filename, bad_options);
1000 * Initializes options to special values that indicate that they have not yet
1001 * been set. Read_config_file will only set options with this value. Options
1002 * are processed in the following order: command line, user config file,
1003 * system config file. Last, fill_default_options is called.
/*
 * Puts every field of *options into its "not yet set" state so that
 * process_config_line() can tell unset from explicitly configured values:
 * -1 for integers and enums, NULL for strings, 0 for list counters, and
 * SSH_PROTO_UNKNOWN / SYSLOG_LEVEL_NOT_SET for the two fields that use their
 * own sentinel.  fill_default_options() later replaces whatever is still in
 * this state with the real default.
 */
initialize_options(Options * options)
    /*
     * Poison the whole struct first: any field that is forgotten below
     * ends up as 0x58585858 rather than 0, which is far more likely to be
     * noticed than a silently "unset" zero.
     */
    memset(options, 'X', sizeof(*options));
    options->forward_agent = -1;
    options->forward_x11 = -1;
    options->forward_x11_trusted = -1;
    options->xauth_location = NULL;
    options->gateway_ports = -1;
    options->use_privileged_port = -1;
    options->rsa_authentication = -1;
    options->pubkey_authentication = -1;
    options->challenge_response_authentication = -1;
    options->gss_authentication = -1;
    options->gss_keyex = -1;
    options->gss_deleg_creds = -1;
    options->gss_trust_dns = -1;
    options->password_authentication = -1;
    options->kbd_interactive_authentication = -1;
    options->kbd_interactive_devices = NULL;
    options->rhosts_rsa_authentication = -1;
    options->hostbased_authentication = -1;
    options->batch_mode = -1;
    options->check_host_ip = -1;
    options->strict_host_key_checking = -1;
    options->compression = -1;
    options->tcp_keep_alive = -1;
    options->compression_level = -1;
    /*
     * NOTE(review): fill_default_options() tests options->port == -1, so
     * port must be reset to -1 here as well; that line is not visible in
     * this excerpt -- confirm it is present.
     */
    options->address_family = -1;
    options->connection_attempts = -1;
    options->connection_timeout = -1;
    options->number_of_password_prompts = -1;
    options->cipher = -1;
    options->ciphers = NULL;
    options->macs = NULL;
    options->hostkeyalgorithms = NULL;
    options->protocol = SSH_PROTO_UNKNOWN;
    /* Counters start at 0; their arrays are filled as entries are parsed. */
    options->num_identity_files = 0;
    options->hostname = NULL;
    options->host_key_alias = NULL;
    options->proxy_command = NULL;
    options->user = NULL;
    options->escape_char = -1;
    options->system_hostfile = NULL;
    options->user_hostfile = NULL;
    options->system_hostfile2 = NULL;
    options->user_hostfile2 = NULL;
    options->num_local_forwards = 0;
    options->num_remote_forwards = 0;
    options->clear_forwardings = -1;
    options->log_level = SYSLOG_LEVEL_NOT_SET;
    options->preferred_authentications = NULL;
    options->bind_address = NULL;
    options->smartcard_device = NULL;
    options->enable_ssh_keysign = - 1;
    options->no_host_authentication_for_localhost = - 1;
    options->identities_only = - 1;
    options->rekey_limit = - 1;
    options->verify_host_key_dns = -1;
    options->server_alive_interval = -1;
    options->server_alive_count_max = -1;
    options->num_send_env = 0;
    options->control_path = NULL;
    options->control_master = -1;
    options->hash_known_hosts = -1;
    options->tun_open = -1;
    options->tun_local = -1;
    options->tun_remote = -1;
    options->local_command = NULL;
    options->permit_local_command = -1;
    /* HPN additions. */
    options->none_switch = -1;
    options->none_enabled = -1;
    options->hpn_disabled = -1;
    options->hpn_buffer_size = -1;
    options->tcp_rcv_buf_poll = -1;
    options->tcp_rcv_buf = -1;
1086 * Called after processing other sources of option data, this fills those
1087 * options for which no value has been specified with their default values.
/*
 * Replaces every option still in its initialize_options() "unset" state with
 * the compiled-in default.  Called once after all configuration sources have
 * been processed; anything set explicitly is left alone.  Security-relevant
 * defaults chosen here: no agent or X11 forwarding, no LocalCommand, host
 * key checking in "ask" mode, no gateway ports.
 */
fill_default_options(Options * options)
    if (options->forward_agent == -1)
        options->forward_agent = 0;
    if (options->forward_x11 == -1)
        options->forward_x11 = 0;
    if (options->forward_x11_trusted == -1)
        options->forward_x11_trusted = 0;
    if (options->xauth_location == NULL)
        options->xauth_location = _PATH_XAUTH;
    if (options->gateway_ports == -1)
        options->gateway_ports = 0;
    if (options->use_privileged_port == -1)
        options->use_privileged_port = 0;
    if (options->rsa_authentication == -1)
        options->rsa_authentication = 1;
    if (options->pubkey_authentication == -1)
        options->pubkey_authentication = 1;
    if (options->challenge_response_authentication == -1)
        options->challenge_response_authentication = 1;
    if (options->gss_authentication == -1)
        options->gss_authentication = 1;
    if (options->gss_keyex == -1)
        options->gss_keyex = 1;
    /*
     * NOTE(review): GSSAPI credential delegation and DNS trust both default
     * to on here.  Delegation hands the user's credentials to every server
     * that completes GSSAPI authentication, and trusting DNS lets a spoofed
     * lookup choose which service principal is accepted; "no" is the more
     * conservative default commonly shipped -- confirm this is intended for
     * this build.
     */
    if (options->gss_deleg_creds == -1)
        options->gss_deleg_creds = 1;
    if (options->gss_trust_dns == -1)
        options->gss_trust_dns = 1;
    if (options->password_authentication == -1)
        options->password_authentication = 1;
    if (options->kbd_interactive_authentication == -1)
        options->kbd_interactive_authentication = 1;
    if (options->rhosts_rsa_authentication == -1)
        options->rhosts_rsa_authentication = 0;
    if (options->hostbased_authentication == -1)
        options->hostbased_authentication = 0;
    if (options->batch_mode == -1)
        options->batch_mode = 0;
    if (options->check_host_ip == -1)
        options->check_host_ip = 1;
    /* 2 is the "ask" setting accepted by the StrictHostKeyChecking parser. */
    if (options->strict_host_key_checking == -1)
        options->strict_host_key_checking = 2; /* 2 is default */
    if (options->compression == -1)
        options->compression = 0;
    if (options->tcp_keep_alive == -1)
        options->tcp_keep_alive = 1;
    if (options->compression_level == -1)
        options->compression_level = 6;
    if (options->port == -1)
        options->port = 0; /* Filled in ssh_connect. */
    if (options->address_family == -1)
        options->address_family = AF_UNSPEC;
    if (options->connection_attempts == -1)
        options->connection_attempts = 1;
    if (options->number_of_password_prompts == -1)
        options->number_of_password_prompts = 3;
    /* Selected in ssh_login(). */
    if (options->cipher == -1)
        options->cipher = SSH_CIPHER_NOT_SET;
    /* options->ciphers, default set in myproposals.h */
    /* options->macs, default set in myproposals.h */
    /* options->hostkeyalgorithms, default set in myproposals.h */
    /*
     * NOTE(review): both protocol versions are enabled unless "Protocol 2"
     * is configured, so a server offering only protocol 1 is accepted by
     * default.
     */
    if (options->protocol == SSH_PROTO_UNKNOWN)
        options->protocol = SSH_PROTO_1|SSH_PROTO_2;
    /*
     * Default identity files depend on the enabled protocols.  Each path is
     * built as "~/" + the compiled-in relative path; the allocation on the
     * right-hand side of each assignment is not visible in this listing.
     */
    if (options->num_identity_files == 0) {
        if (options->protocol & SSH_PROTO_1) {
            len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
            options->identity_files[options->num_identity_files] =
            snprintf(options->identity_files[options->num_identity_files++],
                len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
        if (options->protocol & SSH_PROTO_2) {
            len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
            options->identity_files[options->num_identity_files] =
            snprintf(options->identity_files[options->num_identity_files++],
                len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
            len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
            options->identity_files[options->num_identity_files] =
            snprintf(options->identity_files[options->num_identity_files++],
                len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
    if (options->escape_char == -1)
        options->escape_char = '~';
    if (options->system_hostfile == NULL)
        options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
    if (options->user_hostfile == NULL)
        options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
    if (options->system_hostfile2 == NULL)
        options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
    if (options->user_hostfile2 == NULL)
        options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
    if (options->log_level == SYSLOG_LEVEL_NOT_SET)
        options->log_level = SYSLOG_LEVEL_INFO;
    /*
     * ClearAllForwardings is applied here, after every source has been
     * read, so it discards forwards from all of them at once.
     */
    if (options->clear_forwardings == 1)
        clear_forwardings(options);
    if (options->no_host_authentication_for_localhost == - 1)
        options->no_host_authentication_for_localhost = 0;
    if (options->identities_only == -1)
        options->identities_only = 0;
    if (options->enable_ssh_keysign == -1)
        options->enable_ssh_keysign = 0;
    if (options->rekey_limit == -1)
        options->rekey_limit = 0;
    if (options->verify_host_key_dns == -1)
        options->verify_host_key_dns = 0;
    if (options->server_alive_interval == -1)
        options->server_alive_interval = 0;
    if (options->server_alive_count_max == -1)
        options->server_alive_count_max = 3;
    /* HPN additions. */
    if (options->none_switch == -1)
        options->none_switch = 0;
    if (options->hpn_disabled == -1)
        options->hpn_disabled = 0;
    /*
     * NOTE(review): hpn_buffer_size is treated as a count of KB below
     * (clamped to 7168, then scaled by 1024), but the unset default of
     * 2*1024*1024 is written as if it were bytes.  The default therefore
     * exceeds the cap and is clamped to 7168 KB, i.e. 7 MB, not 2 MB.
     * Confirm which was intended; "2*1024" would give a 2 MB default.
     */
    if (options->hpn_buffer_size == -1)
        options->hpn_buffer_size = 2*1024*1024;
    /* A configured 0 is bumped to the 1 KB minimum. */
    if (options->hpn_buffer_size == 0)
        options->hpn_buffer_size = 1;
    /*limit the buffer to 7MB*/
    if (options->hpn_buffer_size > 7168)
        options->hpn_buffer_size = 7168;
    options->hpn_buffer_size *=1024;
    /*
     * tcp_rcv_buf is also given in KB; -1 (unset) is deliberately left as
     * -1 rather than scaled, so a value > -1 means "explicitly configured".
     */
    if (options->tcp_rcv_buf == 0)
        options->tcp_rcv_buf = 1;
    if (options->tcp_rcv_buf > -1)
        options->tcp_rcv_buf *=1024;
    if (options->control_master == -1)
        options->control_master = 0;
    if (options->hash_known_hosts == -1)
        options->hash_known_hosts = 0;
    if (options->tun_open == -1)
        options->tun_open = SSH_TUNMODE_NO;
    if (options->tun_local == -1)
        options->tun_local = SSH_TUNID_ANY;
    if (options->tun_remote == -1)
        options->tun_remote = SSH_TUNID_ANY;
    if (options->permit_local_command == -1)
        options->permit_local_command = 0;
    /* options->local_command should not be set by default */
    /* options->proxy_command should not be set by default */
    /* options->user will be set in the main program if appropriate */
    /* options->hostname will be set in the main program if appropriate */
    /* options->host_key_alias should not be set by default */
    /* options->preferred_authentications will be set in ssh */
1247 * parses a string containing a port forwarding specification of the form:
1248 * [listenhost:]listenport:connecthost:connectport
1249 * returns number of arguments parsed or zero on error
1252 parse_forward(Forward *fwd, const char *fwdspec)
1255 char *p, *cp, *fwdarg[4];
1257 memset(fwd, '\0', sizeof(*fwd));
1259 cp = p = xstrdup(fwdspec);
1261 /* skip leading spaces */
1262 while (*cp && isspace(*cp))
1265 for (i = 0; i < 4; ++i)
1266 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1269 /* Check for trailing garbage in 4-arg case*/
1271 i = 0; /* failure */
1275 fwd->listen_host = NULL;
1276 fwd->listen_port = a2port(fwdarg[0]);
1277 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1278 fwd->connect_port = a2port(fwdarg[2]);
1282 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1283 fwd->listen_port = a2port(fwdarg[1]);
1284 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1285 fwd->connect_port = a2port(fwdarg[3]);
1288 i = 0; /* failure */
1293 if (fwd->listen_port == 0 && fwd->connect_port == 0)
1296 if (fwd->connect_host != NULL &&
1297 strlen(fwd->connect_host) >= NI_MAXHOST)
1303 if (fwd->connect_host != NULL)
1304 xfree(fwd->connect_host);
1305 if (fwd->listen_host != NULL)
1306 xfree(fwd->listen_host);