1 /* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
46 /* Format of the configuration file:
48 # Configuration data is parsed as follows:
49 # 1. command line options
50 # 2. user-specific file
52 # Any configuration value is only changed the first time it is set.
53 # Thus, host-specific definitions should be at the beginning of the
54 # configuration file, and defaults at the end.
56 # Host-specific declarations. These may override anything above. A single
57 # host may match multiple declarations; these are processed in the order
58 # that they are given in.
64 HostName another.host.name.real.org
71 RemoteForward 9999 shadows.cs.hut.fi:9999
77 PasswordAuthentication no
81 ProxyCommand ssh-proxy %h %p
84 PublicKeyAuthentication no
88 PasswordAuthentication no
94 # Defaults for various options
98 PasswordAuthentication yes
100 RhostsRSAAuthentication yes
101 StrictHostKeyChecking yes
103 IdentityFile ~/.ssh/identity
109 /* Keyword tokens. */
/*
 * Opcodes for the keyword table below; parse_token() maps a keyword string
 * to one of these. The enum header/typedef lines are not part of this
 * listing, nor are the members oBadOption, oGssKeyEx, oGssTrustDns and
 * oHPNBufferSize that the keyword table and process_config_line() refer to.
 */
113 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
114 oExitOnForwardFailure,
115 oPasswordAuthentication, oRSAAuthentication,
116 oChallengeResponseAuthentication, oXAuthLocation,
117 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
118 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
119 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
120 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
121 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
122 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
123 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
124 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
125 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
126 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
127 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
129 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
132 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
133 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
134 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
135 oVisualHostKey, oZeroKnowledgePasswordAuthentication,
/* HPN (high-performance networking patch) additions, including the
 * unencrypted "none" cipher switch handled specially in process_config_line(). */
136 oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
/* Keywords that are still recognised but no longer honoured; process_config_line()
 * appears to report the former at debug level and the latter at error level. */
138 oDeprecated, oUnsupported
141 /* Textual representations of the tokens. */
/*
 * Keyword table: configuration keyword -> opcode. parse_token() compares
 * case-insensitively and returns the FIRST matching entry, so ordering matters
 * wherever a name appears more than once. The table declaration and the
 * terminating { NULL, oBadOption } entry are not part of this listing.
 */
147 { "forwardagent", oForwardAgent },
148 { "forwardx11", oForwardX11 },
149 { "forwardx11trusted", oForwardX11Trusted },
150 { "exitonforwardfailure", oExitOnForwardFailure },
151 { "xauthlocation", oXAuthLocation },
152 { "gatewayports", oGatewayPorts },
153 { "useprivilegedport", oUsePrivilegedPort },
154 { "rhostsauthentication", oDeprecated },
155 { "passwordauthentication", oPasswordAuthentication },
156 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
157 { "kbdinteractivedevices", oKbdInteractiveDevices },
158 { "rsaauthentication", oRSAAuthentication },
159 { "pubkeyauthentication", oPubkeyAuthentication },
160 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
161 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
162 { "hostbasedauthentication", oHostbasedAuthentication },
163 { "challengeresponseauthentication", oChallengeResponseAuthentication },
164 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
165 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
166 { "kerberosauthentication", oUnsupported },
167 { "kerberostgtpassing", oUnsupported },
168 { "afstokenpassing", oUnsupported },
/* Two variants of the GSSAPI entries follow (lines 170-173 and 175-178);
 * the lines omitted between them (169, 174, 179) presumably select one
 * variant at compile time depending on GSSAPI support. */
170 { "gssapiauthentication", oGssAuthentication },
171 { "gssapikeyexchange", oGssKeyEx },
172 { "gssapidelegatecredentials", oGssDelegateCreds },
173 { "gssapitrustdns", oGssTrustDns },
175 { "gssapiauthentication", oUnsupported },
176 { "gssapikeyexchange", oUnsupported },
177 { "gssapidelegatecredentials", oUnsupported },
178 { "gssapitrustdns", oUnsupported },
180 { "fallbacktorsh", oDeprecated },
181 { "usersh", oDeprecated },
182 { "identityfile", oIdentityFile },
183 { "identityfile2", oIdentityFile }, /* obsolete */
184 { "identitiesonly", oIdentitiesOnly },
185 { "hostname", oHostName },
186 { "hostkeyalias", oHostKeyAlias },
187 { "proxycommand", oProxyCommand },
189 { "cipher", oCipher },
190 { "ciphers", oCiphers },
192 { "protocol", oProtocol },
193 { "remoteforward", oRemoteForward },
194 { "localforward", oLocalForward },
197 { "escapechar", oEscapeChar },
198 { "globalknownhostsfile", oGlobalKnownHostsFile },
199 { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */
200 { "userknownhostsfile", oUserKnownHostsFile },
201 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
202 { "connectionattempts", oConnectionAttempts },
203 { "batchmode", oBatchMode },
204 { "checkhostip", oCheckHostIP },
205 { "stricthostkeychecking", oStrictHostKeyChecking },
206 { "compression", oCompression },
207 { "compressionlevel", oCompressionLevel },
208 { "tcpkeepalive", oTCPKeepAlive },
209 { "keepalive", oTCPKeepAlive }, /* obsolete */
210 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
211 { "loglevel", oLogLevel },
212 { "dynamicforward", oDynamicForward },
213 { "preferredauthentications", oPreferredAuthentications },
214 { "hostkeyalgorithms", oHostKeyAlgorithms },
215 { "bindaddress", oBindAddress },
/* Same compile-time pattern as the GSSAPI entries: one of the two
 * "smartcarddevice" lines is presumably selected by lines 216/218/220. */
217 { "smartcarddevice", oSmartcardDevice },
219 { "smartcarddevice", oUnsupported },
221 { "clearallforwardings", oClearAllForwardings },
222 { "enablesshkeysign", oEnableSSHKeysign },
223 { "verifyhostkeydns", oVerifyHostKeyDNS },
224 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
225 { "rekeylimit", oRekeyLimit },
226 { "connecttimeout", oConnectTimeout },
227 { "addressfamily", oAddressFamily },
228 { "serveraliveinterval", oServerAliveInterval },
229 { "serveralivecountmax", oServerAliveCountMax },
230 { "sendenv", oSendEnv },
231 { "controlpath", oControlPath },
232 { "controlmaster", oControlMaster },
233 { "hashknownhosts", oHashKnownHosts },
234 { "tunnel", oTunnel },
235 { "tunneldevice", oTunnelDevice },
236 { "localcommand", oLocalCommand },
237 { "permitlocalcommand", oPermitLocalCommand },
238 { "noneenabled", oNoneEnabled },
239 { "tcprcvbufpoll", oTcpRcvBufPoll },
240 { "tcprcvbuf", oTcpRcvBuf },
241 { "noneswitch", oNoneSwitch },
242 { "hpndisabled", oHPNDisabled },
243 { "hpnbuffersize", oHPNBufferSize },
244 { "visualhostkey", oVisualHostKey },
/* Lines 245-250 repeat the HPN entries of 238-243 verbatim, with no
 * preprocessor line in between (the numbering is contiguous). Because
 * parse_token() stops at the first match, this second copy is unreachable;
 * it looks like the HPN patch was applied twice and can be dropped. */
245 { "noneenabled", oNoneEnabled },
246 { "tcprcvbufpoll", oTcpRcvBufPoll },
247 { "tcprcvbuf", oTcpRcvBuf },
248 { "noneswitch", oNoneSwitch },
249 { "hpndisabled", oHPNDisabled },
250 { "hpnbuffersize", oHPNBufferSize },
/* Two variants again (lines 252-253 vs 255); lines 251/254 not shown
 * presumably select one depending on build support for the feature. */
252 { "zeroknowledgepasswordauthentication",
253 oZeroKnowledgePasswordAuthentication },
255 { "zeroknowledgepasswordauthentication", oUnsupported },
261 * Adds a local TCP/IP port forward to options. Never returns if there is an
/*
 * Appends *newfwd to options->local_forwards, terminating the process via
 * fatal() on policy or capacity violations. The opening brace and the
 * declaration of the local `fwd` pointer are on lines not shown here.
 */
266 add_local_forward(Options *options, const Forward *newfwd)
/* Policy check: unless the build disables the reserved-port concept, an
 * invoking user whose recorded uid is not 0 may not bind a local listen
 * port below IPPORT_RESERVED. original_real_uid is defined elsewhere; its
 * name suggests the real uid captured at startup -- confirm in the caller. */
269 #ifndef NO_IPPORT_RESERVED_CONCEPT
270 extern uid_t original_real_uid;
271 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
272 fatal("Privileged ports can only be forwarded by root.");
/* Capacity check before indexing the fixed-size local_forwards array. */
274 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
275 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
276 fwd = &options->local_forwards[options->num_local_forwards++];
/* Shallow copy: the host string pointers are adopted rather than duplicated,
 * so ownership of those strings passes to options (see clear_forwardings()). */
278 fwd->listen_host = newfwd->listen_host;
279 fwd->listen_port = newfwd->listen_port;
280 fwd->connect_host = newfwd->connect_host;
281 fwd->connect_port = newfwd->connect_port;
285 * Adds a remote TCP/IP port forward to options. Never returns if there is
/*
 * Appends *newfwd to options->remote_forwards; fatal() when the per-direction
 * limit is reached. Opening brace and `fwd` declaration are not shown here.
 * Unlike add_local_forward() there is no local privileged-port check: the
 * listen port of a remote forward is bound by the peer, whose own policy
 * applies (not visible in this file).
 */
290 add_remote_forward(Options *options, const Forward *newfwd)
/* Capacity check before indexing the fixed-size remote_forwards array. */
293 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
294 fatal("Too many remote forwards (max %d).",
295 SSH_MAX_FORWARDS_PER_DIRECTION);
296 fwd = &options->remote_forwards[options->num_remote_forwards++];
/* Shallow copy; host string ownership passes to options. */
298 fwd->listen_host = newfwd->listen_host;
299 fwd->listen_port = newfwd->listen_port;
300 fwd->connect_host = newfwd->connect_host;
301 fwd->connect_port = newfwd->connect_port;
/*
 * Releases every local and remote forward stored in options, resets both
 * counters and disables tunnelling. The loop index declaration and the
 * brace lines are not shown here.
 */
305 clear_forwardings(Options *options)
/* listen_host is optional (may be NULL) and is guarded; connect_host is
 * assumed to be always set and is freed unconditionally. */
309 for (i = 0; i < options->num_local_forwards; i++) {
310 if (options->local_forwards[i].listen_host != NULL)
311 xfree(options->local_forwards[i].listen_host);
312 xfree(options->local_forwards[i].connect_host);
314 options->num_local_forwards = 0;
315 for (i = 0; i < options->num_remote_forwards; i++) {
316 if (options->remote_forwards[i].listen_host != NULL)
317 xfree(options->remote_forwards[i].listen_host);
318 xfree(options->remote_forwards[i].connect_host);
320 options->num_remote_forwards = 0;
/* The freed entries keep their stale pointers; only the counters gate
 * further access, so callers must not read past num_*_forwards. */
321 options->tun_open = SSH_TUNMODE_NO;
325 * Returns the number of the token pointed to by cp or oBadOption.
/*
 * Looks up cp in the keyword table, case-insensitively, and returns the
 * opcode of the first matching entry. On no match it logs the offending
 * keyword with file name and line number and (per the comment above, on a
 * line not shown here) returns oBadOption instead of aborting, so the
 * caller can count bad options and continue.
 */
329 parse_token(const char *cp, const char *filename, int linenum)
333 for (i = 0; keywords[i].name; i++)
334 if (strcasecmp(cp, keywords[i].name) == 0)
335 return keywords[i].opcode;
/* cp comes straight from the config line; it is passed as a %s argument,
 * never as the format string itself. */
337 error("%s: line %d: Bad configuration option: %s",
338 filename, linenum, cp);
343 * Processes a single option line as used in the configuration files. This
344 * only sets those values that have not already been set.
346 #define WHITESPACE " \t\r\n"
/*
 * Parses one configuration line and applies it to options, honouring the
 * "first setting wins" rule: a value is stored only when *activep is set
 * (i.e. a matching Host block is in effect) AND the option still holds its
 * "unset" sentinel (-1, NULL, SSH_PROTO_UNKNOWN, SYSLOG_LEVEL_NOT_SET).
 * Malformed arguments terminate via fatal(); unknown keywords are counted
 * rather than fatal. The remaining parameter (activep), return type, local
 * declarations such as `len` and `fwd`, and many branch lines are on lines
 * not shown in this listing.
 */
349 process_config_line(Options *options, const char *host,
350 char *line, const char *filename, int linenum,
353 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
354 int opcode, *intptr, value, value2, scale;
355 LogLevel *log_level_ptr;
356 long long orig, val64;
360 /* Strip trailing whitespace */
/* NOTE(review): if `line` is empty, strlen(line) - 1 underflows when len is
 * unsigned (its declaration is not shown) and the first iteration indexes
 * before the buffer. fgets() never yields "", but callers passing option
 * strings directly could -- confirm len's type and the callers. */
361 for (len = strlen(line) - 1; len > 0; len--) {
362 if (strchr(WHITESPACE, line[len]) == NULL)
368 /* Get the keyword. (Each line is supposed to begin with a keyword). */
369 if ((keyword = strdelim(&s)) == NULL)
371 /* Ignore leading whitespace. */
372 if (*keyword == '\0')
373 keyword = strdelim(&s);
/* Blank lines and '#' comments are accepted silently. */
374 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
377 opcode = parse_token(keyword, filename, linenum);
/* A bad keyword is reported by parse_token() and counted by the caller;
 * only after the whole file is read does read_config_file() abort. */
381 /* don't panic, but count bad options */
384 case oConnectTimeout:
385 intptr = &options->connection_timeout;
388 if (!arg || *arg == '\0')
389 fatal("%s line %d: missing time value.",
391 if ((value = convtime(arg)) == -1)
392 fatal("%s line %d: invalid time value.",
/* First-setter-wins guard, repeated for every option below. */
394 if (*activep && *intptr == -1)
399 intptr = &options->forward_agent;
/* Shared yes/no parser: the flag cases above and below jump here. */
402 if (!arg || *arg == '\0')
403 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
404 value = 0; /* To avoid compiler warning... */
405 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
407 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
410 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
411 if (*activep && *intptr == -1)
416 intptr = &options->forward_x11;
419 case oForwardX11Trusted:
420 intptr = &options->forward_x11_trusted;
424 intptr = &options->gateway_ports;
427 case oExitOnForwardFailure:
428 intptr = &options->exit_on_forward_failure;
431 case oUsePrivilegedPort:
432 intptr = &options->use_privileged_port;
435 case oPasswordAuthentication:
436 intptr = &options->password_authentication;
439 case oZeroKnowledgePasswordAuthentication:
440 intptr = &options->zero_knowledge_password_authentication;
443 case oKbdInteractiveAuthentication:
444 intptr = &options->kbd_interactive_authentication;
447 case oKbdInteractiveDevices:
448 charptr = &options->kbd_interactive_devices;
451 case oPubkeyAuthentication:
452 intptr = &options->pubkey_authentication;
455 case oRSAAuthentication:
456 intptr = &options->rsa_authentication;
459 case oRhostsRSAAuthentication:
460 intptr = &options->rhosts_rsa_authentication;
463 case oHostbasedAuthentication:
464 intptr = &options->hostbased_authentication;
467 case oChallengeResponseAuthentication:
468 intptr = &options->challenge_response_authentication;
471 case oGssAuthentication:
472 intptr = &options->gss_authentication;
476 intptr = &options->gss_keyex;
479 case oGssDelegateCreds:
480 intptr = &options->gss_deleg_creds;
484 intptr = &options->gss_trust_dns;
488 intptr = &options->batch_mode;
492 intptr = &options->check_host_ip;
496 intptr = &options->none_enabled;
499 /* we check to see if the command comes from the */
500 /* command line or not. If it does then enable it */
501 /* otherwise fail. NONE should never be a default configuration */
/* NoneSwitch turns on the unencrypted HPN "none" mode. It is honoured only
 * when the pseudo file name "command-line" is passed in; from a real config
 * file it is reported (error + debug) and intptr is never pointed at
 * none_switch in this branch. What the else branch does after logging is on
 * lines not shown. */
503 if(strcmp(filename,"command-line")==0)
505 intptr = &options->none_switch;
508 error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
509 error("Continuing...");
510 debug("NoneSwitch directive found in %.200s.", filename);
515 intptr = &options->hpn_disabled;
519 intptr = &options->hpn_buffer_size;
523 intptr = &options->tcp_rcv_buf_poll;
526 case oVerifyHostKeyDNS:
527 intptr = &options->verify_host_key_dns;
530 case oStrictHostKeyChecking:
531 intptr = &options->strict_host_key_checking;
/* Three-valued flag: yes=1, no=0, ask=2 (assignments on lines not shown;
 * fill_default_options() documents 2 as the default). */
534 if (!arg || *arg == '\0')
535 fatal("%.200s line %d: Missing yes/no/ask argument.",
537 value = 0; /* To avoid compiler warning... */
538 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
540 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
542 else if (strcmp(arg, "ask") == 0)
545 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
546 if (*activep && *intptr == -1)
551 intptr = &options->compression;
555 intptr = &options->tcp_keep_alive;
558 case oNoHostAuthenticationForLocalhost:
559 intptr = &options->no_host_authentication_for_localhost;
562 case oNumberOfPasswordPrompts:
563 intptr = &options->number_of_password_prompts;
566 case oCompressionLevel:
567 intptr = &options->compression_level;
/* RekeyLimit: a decimal count with an optional K/M/G suffix (suffix switch
 * on lines not shown sets `scale`). */
572 if (!arg || *arg == '\0')
573 fatal("%.200s line %d: Missing argument.", filename, linenum);
/* Leading sign or non-digit is rejected up front, so the value is non-negative. */
574 if (arg[0] < '0' || arg[0] > '9')
575 fatal("%.200s line %d: Bad number.", filename, linenum);
576 orig = val64 = strtoll(arg, &endofnumber, 10);
577 if (arg == endofnumber)
578 fatal("%.200s line %d: Bad number.", filename, linenum);
579 switch (toupper(*endofnumber)) {
593 fatal("%.200s line %d: Invalid RekeyLimit suffix",
/* After val64 *= scale (not shown), dividing back must reproduce the
 * original value; otherwise the 64-bit multiply wrapped. The stored field is
 * 32-bit, hence the extra UINT_MAX bound. */
597 /* detect integer wrap and too-large limits */
598 if ((val64 / scale) != orig || val64 > UINT_MAX)
599 fatal("%.200s line %d: RekeyLimit too large",
602 fatal("%.200s line %d: RekeyLimit too small",
604 if (*activep && options->rekey_limit == -1)
605 options->rekey_limit = (u_int32_t)val64;
610 if (!arg || *arg == '\0')
611 fatal("%.200s line %d: Missing argument.", filename, linenum);
/* IdentityFile accumulates rather than first-wins, bounded by the fixed
 * identity_files array; the *activep test is on a line not shown. */
613 intptr = &options->num_identity_files;
614 if (*intptr >= SSH_MAX_IDENTITY_FILES)
615 fatal("%.200s line %d: Too many identity files specified (max %d).",
616 filename, linenum, SSH_MAX_IDENTITY_FILES);
617 charptr = &options->identity_files[*intptr];
618 *charptr = xstrdup(arg);
619 *intptr = *intptr + 1;
624 charptr=&options->xauth_location;
628 charptr = &options->user;
/* Shared single-string parser for the charptr cases. */
631 if (!arg || *arg == '\0')
632 fatal("%.200s line %d: Missing argument.", filename, linenum);
633 if (*activep && *charptr == NULL)
634 *charptr = xstrdup(arg);
637 case oGlobalKnownHostsFile:
638 charptr = &options->system_hostfile;
641 case oUserKnownHostsFile:
642 charptr = &options->user_hostfile;
645 case oGlobalKnownHostsFile2:
646 charptr = &options->system_hostfile2;
649 case oUserKnownHostsFile2:
650 charptr = &options->user_hostfile2;
654 charptr = &options->hostname;
658 charptr = &options->host_key_alias;
661 case oPreferredAuthentications:
662 charptr = &options->preferred_authentications;
666 charptr = &options->bind_address;
669 case oSmartcardDevice:
670 charptr = &options->smartcard_device;
/* ProxyCommand keeps the REST OF THE LINE (after leading blanks and '='),
 * not a single token, so the stored string is an arbitrary command line.
 * This is why read_config_file() insists the file is not writable by
 * others. */
674 charptr = &options->proxy_command;
677 fatal("%.200s line %d: Missing argument.", filename, linenum);
678 len = strspn(s, WHITESPACE "=");
679 if (*activep && *charptr == NULL)
680 *charptr = xstrdup(s + len);
684 intptr = &options->port;
/* Shared integer parser for the intptr cases. */
687 if (!arg || *arg == '\0')
688 fatal("%.200s line %d: Missing argument.", filename, linenum);
689 if (arg[0] < '0' || arg[0] > '9')
690 fatal("%.200s line %d: Bad number.", filename, linenum);
/* Base 0: a leading "0"/"0x" selects octal/hex. No range check beyond
 * strtol's own; an out-of-range value is not diagnosed here. */
692 /* Octal, decimal, or hex format? */
693 value = strtol(arg, &endofnumber, 0);
694 if (arg == endofnumber)
695 fatal("%.200s line %d: Bad number.", filename, linenum);
696 if (*activep && *intptr == -1)
700 case oConnectionAttempts:
701 intptr = &options->connection_attempts;
705 intptr = &options->tcp_rcv_buf;
709 intptr = &options->cipher;
711 if (!arg || *arg == '\0')
712 fatal("%.200s line %d: Missing argument.", filename, linenum);
713 value = cipher_number(arg);
/* `arg ? arg : "<NONE>"` can no longer be NULL here (checked above); kept
 * as defensive style, harmless. Same pattern in the cases below. */
715 fatal("%.200s line %d: Bad cipher '%s'.",
716 filename, linenum, arg ? arg : "<NONE>");
717 if (*activep && *intptr == -1)
723 if (!arg || *arg == '\0')
724 fatal("%.200s line %d: Missing argument.", filename, linenum);
725 if (!ciphers_valid(arg))
726 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
727 filename, linenum, arg ? arg : "<NONE>");
728 if (*activep && options->ciphers == NULL)
729 options->ciphers = xstrdup(arg);
734 if (!arg || *arg == '\0')
735 fatal("%.200s line %d: Missing argument.", filename, linenum);
737 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
738 filename, linenum, arg ? arg : "<NONE>");
739 if (*activep && options->macs == NULL)
740 options->macs = xstrdup(arg);
743 case oHostKeyAlgorithms:
745 if (!arg || *arg == '\0')
746 fatal("%.200s line %d: Missing argument.", filename, linenum);
747 if (!key_names_valid2(arg))
748 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
749 filename, linenum, arg ? arg : "<NONE>");
750 if (*activep && options->hostkeyalgorithms == NULL)
751 options->hostkeyalgorithms = xstrdup(arg);
755 intptr = &options->protocol;
757 if (!arg || *arg == '\0')
758 fatal("%.200s line %d: Missing argument.", filename, linenum);
759 value = proto_spec(arg);
760 if (value == SSH_PROTO_UNKNOWN)
761 fatal("%.200s line %d: Bad protocol spec '%s'.",
762 filename, linenum, arg ? arg : "<NONE>");
763 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
768 log_level_ptr = &options->log_level;
/* NOTE(review): no visible !arg check before log_level_number(arg); it is
 * presumably on line 769 or handled inside the callee -- confirm. */
770 value = log_level_number(arg);
771 if (value == SYSLOG_LEVEL_NOT_SET)
772 fatal("%.200s line %d: unsupported log level '%s'",
773 filename, linenum, arg ? arg : "<NONE>");
774 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
775 *log_level_ptr = (LogLevel) value;
/* LocalForward/RemoteForward take "listen target"; DynamicForward takes
 * one argument. All three are re-joined into fwdarg and handed to
 * parse_forward(). */
780 case oDynamicForward:
782 if (arg == NULL || *arg == '\0')
783 fatal("%.200s line %d: Missing port argument.",
786 if (opcode == oLocalForward ||
787 opcode == oRemoteForward) {
789 if (arg2 == NULL || *arg2 == '\0')
790 fatal("%.200s line %d: Missing target argument.",
/* Both copies are bounded by sizeof(fwdarg). A specification longer than
 * 255 bytes is silently truncated and then rejected (or misparsed) by
 * parse_forward() rather than reported as too long. */
793 /* construct a string for parse_forward */
794 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
795 } else if (opcode == oDynamicForward) {
796 strlcpy(fwdarg, arg, sizeof(fwdarg));
799 if (parse_forward(&fwd, fwdarg,
800 opcode == oDynamicForward ? 1 : 0,
801 opcode == oRemoteForward ? 1 : 0) == 0)
802 fatal("%.200s line %d: Bad forwarding specification.",
/* The add_*_forward() helpers enforce the privileged-port and capacity
 * policies; the *activep test is on a line not shown. */
806 if (opcode == oLocalForward ||
807 opcode == oDynamicForward)
808 add_local_forward(options, &fwd);
809 else if (opcode == oRemoteForward)
810 add_remote_forward(options, &fwd);
814 case oClearAllForwardings:
815 intptr = &options->clear_forwardings;
/* Host: the remaining tokens are patterns; *activep is set iff one of
 * them matches the host being connected to (assignment on a line not
 * shown). */
820 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
821 if (match_pattern(host, arg)) {
822 debug("Applying options for %.100s", arg);
826 /* Avoid garbage check below, as strdelim is done. */
830 intptr = &options->escape_char;
832 if (!arg || *arg == '\0')
833 fatal("%.200s line %d: Missing argument.", filename, linenum);
/* "^X" form: arg[2] is tested before arg[1]; for the input "^" this peeks
 * one byte past the token's terminator (presumably still inside the
 * caller's line buffer, since strdelim() splits in place -- confirm). */
834 if (arg[0] == '^' && arg[2] == 0 &&
835 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
836 value = (u_char) arg[1] & 31;
837 else if (strlen(arg) == 1)
838 value = (u_char) arg[0];
839 else if (strcmp(arg, "none") == 0)
840 value = SSH_ESCAPECHAR_NONE;
842 fatal("%.200s line %d: Bad escape character.",
845 value = 0; /* Avoid compiler warning. */
847 if (*activep && *intptr == -1)
853 if (!arg || *arg == '\0')
854 fatal("%s line %d: missing address family.",
856 intptr = &options->address_family;
857 if (strcasecmp(arg, "inet") == 0)
859 else if (strcasecmp(arg, "inet6") == 0)
861 else if (strcasecmp(arg, "any") == 0)
864 fatal("Unsupported AddressFamily \"%s\"", arg);
865 if (*activep && *intptr == -1)
869 case oEnableSSHKeysign:
870 intptr = &options->enable_ssh_keysign;
873 case oIdentitiesOnly:
874 intptr = &options->identities_only;
877 case oServerAliveInterval:
878 intptr = &options->server_alive_interval;
881 case oServerAliveCountMax:
882 intptr = &options->server_alive_count_max;
/* SendEnv: each token is a variable NAME pattern; an embedded '=' (which
 * would smuggle a value) is rejected, and the list is bounded by
 * MAX_SEND_ENV. */
886 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
887 if (strchr(arg, '=') != NULL)
888 fatal("%s line %d: Invalid environment name.",
892 if (options->num_send_env >= MAX_SEND_ENV)
893 fatal("%s line %d: too many send env.",
895 options->send_env[options->num_send_env++] =
901 charptr = &options->control_path;
905 intptr = &options->control_master;
907 if (!arg || *arg == '\0')
908 fatal("%.200s line %d: Missing ControlMaster argument.",
910 value = 0; /* To avoid compiler warning... */
911 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
912 value = SSHCTL_MASTER_YES;
913 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
914 value = SSHCTL_MASTER_NO;
915 else if (strcmp(arg, "auto") == 0)
916 value = SSHCTL_MASTER_AUTO;
917 else if (strcmp(arg, "ask") == 0)
918 value = SSHCTL_MASTER_ASK;
919 else if (strcmp(arg, "autoask") == 0)
920 value = SSHCTL_MASTER_AUTO_ASK;
922 fatal("%.200s line %d: Bad ControlMaster argument.",
924 if (*activep && *intptr == -1)
928 case oHashKnownHosts:
929 intptr = &options->hash_known_hosts;
933 intptr = &options->tun_open;
935 if (!arg || *arg == '\0')
936 fatal("%s line %d: Missing yes/point-to-point/"
937 "ethernet/no argument.", filename, linenum);
938 value = 0; /* silence compiler */
939 if (strcasecmp(arg, "ethernet") == 0)
940 value = SSH_TUNMODE_ETHERNET;
941 else if (strcasecmp(arg, "point-to-point") == 0)
942 value = SSH_TUNMODE_POINTOPOINT;
943 else if (strcasecmp(arg, "yes") == 0)
944 value = SSH_TUNMODE_DEFAULT;
945 else if (strcasecmp(arg, "no") == 0)
946 value = SSH_TUNMODE_NO;
948 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
949 "no argument: %s", filename, linenum, arg);
956 if (!arg || *arg == '\0')
957 fatal("%.200s line %d: Missing argument.", filename, linenum);
/* a2tun() yields the local id and writes the remote id through value2. */
958 value = a2tun(arg, &value2);
959 if (value == SSH_TUNID_ERR)
960 fatal("%.200s line %d: Bad tun device.", filename, linenum);
962 options->tun_local = value;
963 options->tun_remote = value2;
968 charptr = &options->local_command;
971 case oPermitLocalCommand:
972 intptr = &options->permit_local_command;
976 intptr = &options->visual_host_key;
/* Deprecated keywords are only mentioned at debug level; unsupported ones
 * are logged as errors. Neither aborts. */
980 debug("%s line %d: Deprecated option \"%s\"",
981 filename, linenum, keyword);
985 error("%s line %d: Unsupported option \"%s\"",
986 filename, linenum, keyword);
990 fatal("process_config_line: Unimplemented opcode %d", opcode);
/* Every case must consume exactly its arguments: any leftover token is a
 * fatal syntax error (the Host case bypasses this, see above). */
993 /* Check that there is no garbage at end of line. */
994 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
995 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
996 filename, linenum, arg);
1003 * Reads the config file and modifies the options accordingly. Options
1004 * should already be initialized before this call. This never returns if
1005 * there is an error. If the file does not exist, this returns 0.
/*
 * Opens filename, checks its ownership and mode, then feeds it line by line
 * to process_config_line(). Missing file -> returns 0 (per the comment
 * above); any bad option is counted and the process is terminated after the
 * whole file has been read. The remaining parameter(s), the declarations of
 * f, sb and line, the return statements and the closing lines are not part
 * of this listing.
 */
1009 read_config_file(const char *filename, const char *host, Options *options,
1014 int active, linenum;
1015 int bad_options = 0;
1017 if ((f = fopen(filename, "r")) == NULL)
/* Trust check on the config file. fstat() is applied to the descriptor
 * already opened, not to the path again, so the checked object is the one
 * that will be read. The file must be owned by root or by the invoking
 * (real) user and must not be group- or world-writable: the file can carry
 * commands (ProxyCommand, LocalCommand), so a file another user could edit
 * would let that user run code as this user. Whether this check is
 * conditional on a caller flag is decided on line 1022, not shown. */
1023 if (fstat(fileno(f), &sb) == -1)
1024 fatal("fstat %s: %s", filename, strerror(errno));
1025 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
1026 (sb.st_mode & 022) != 0))
1027 fatal("Bad owner or permissions on %s", filename);
1030 debug("Reading configuration data %.200s", filename);
1033 * Mark that we are now processing the options. This flag is turned
1034 * on/off by Host specifications.
/* fgets() bounds the read by sizeof(line); an over-long line is split
 * across iterations and each part is parsed as its own line. */
1038 while (fgets(line, sizeof(line), f)) {
1039 /* Update line number counter. */
/* A non-zero return marks a bad keyword; the counter is checked only after
 * the loop, so all errors in a file are reported before aborting. */
1041 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
1045 if (bad_options > 0)
1046 fatal("%s: terminating, %d bad configuration options",
1047 filename, bad_options);
1052 * Initializes options to special values that indicate that they have not yet
1053 * been set. Read_config_file will only set options with this value. Options
1054 * are processed in the following order: command line, user config file,
1055 * system config file. Last, fill_default_options is called.
<doc_update>
/*
 * Sets every option to its "not yet set" sentinel (-1 for ints, NULL for
 * strings, protocol/log-level specific markers) so that the first source to
 * set a value wins (see process_config_line) and fill_default_options() can
 * recognise what was never set. Some members (port among them, presumably)
 * are initialized on lines not included in this listing.
 */
1059 initialize_options(Options * options)
/* Poison the whole struct first: any member this function forgets will
 * hold 0x58 bytes rather than zero, which makes a missed initializer
 * noticeable instead of silently meaning "false"/"0". */
1061 memset(options, 'X', sizeof(*options));
1062 options->forward_agent = -1;
1063 options->forward_x11 = -1;
1064 options->forward_x11_trusted = -1;
1065 options->exit_on_forward_failure = -1;
1066 options->xauth_location = NULL;
1067 options->gateway_ports = -1;
1068 options->use_privileged_port = -1;
1069 options->rsa_authentication = -1;
1070 options->pubkey_authentication = -1;
1071 options->challenge_response_authentication = -1;
1072 options->gss_authentication = -1;
1073 options->gss_keyex = -1;
1074 options->gss_deleg_creds = -1;
1075 options->gss_trust_dns = -1;
1076 options->password_authentication = -1;
1077 options->kbd_interactive_authentication = -1;
1078 options->kbd_interactive_devices = NULL;
1079 options->rhosts_rsa_authentication = -1;
1080 options->hostbased_authentication = -1;
1081 options->batch_mode = -1;
1082 options->check_host_ip = -1;
1083 options->strict_host_key_checking = -1;
1084 options->compression = -1;
1085 options->tcp_keep_alive = -1;
1086 options->compression_level = -1;
1088 options->address_family = -1;
1089 options->connection_attempts = -1;
1090 options->connection_timeout = -1;
1091 options->number_of_password_prompts = -1;
1092 options->cipher = -1;
1093 options->ciphers = NULL;
1094 options->macs = NULL;
1095 options->hostkeyalgorithms = NULL;
1096 options->protocol = SSH_PROTO_UNKNOWN;
1097 options->num_identity_files = 0;
1098 options->hostname = NULL;
1099 options->host_key_alias = NULL;
1100 options->proxy_command = NULL;
1101 options->user = NULL;
1102 options->escape_char = -1;
1103 options->system_hostfile = NULL;
1104 options->user_hostfile = NULL;
1105 options->system_hostfile2 = NULL;
1106 options->user_hostfile2 = NULL;
/* Counters start at 0, not -1: the forward arrays are appended to rather
 * than first-wins. */
1107 options->num_local_forwards = 0;
1108 options->num_remote_forwards = 0;
1109 options->clear_forwardings = -1;
1110 options->log_level = SYSLOG_LEVEL_NOT_SET;
1111 options->preferred_authentications = NULL;
1112 options->bind_address = NULL;
1113 options->smartcard_device = NULL;
1114 options->enable_ssh_keysign = - 1;
1115 options->no_host_authentication_for_localhost = - 1;
1116 options->identities_only = - 1;
1117 options->rekey_limit = - 1;
1118 options->verify_host_key_dns = -1;
1119 options->server_alive_interval = -1;
1120 options->server_alive_count_max = -1;
1121 options->num_send_env = 0;
1122 options->control_path = NULL;
1123 options->control_master = -1;
1124 options->hash_known_hosts = -1;
1125 options->tun_open = -1;
1126 options->tun_local = -1;
1127 options->tun_remote = -1;
1128 options->local_command = NULL;
1129 options->permit_local_command = -1;
/* HPN members. Lines 1137-1142 repeat lines 1130-1135 exactly, with
 * contiguous numbering and no preprocessor line between them -- harmless
 * but redundant; the same duplication appears in the keyword table and
 * suggests the HPN patch was applied twice. */
1130 options->none_switch = -1;
1131 options->none_enabled = -1;
1132 options->hpn_disabled = -1;
1133 options->hpn_buffer_size = -1;
1134 options->tcp_rcv_buf_poll = -1;
1135 options->tcp_rcv_buf = -1;
1136 options->visual_host_key = -1;
1137 options->none_switch = -1;
1138 options->none_enabled = -1;
1139 options->hpn_disabled = -1;
1140 options->hpn_buffer_size = -1;
1141 options->tcp_rcv_buf_poll = -1;
1142 options->tcp_rcv_buf = -1;
1143 options->zero_knowledge_password_authentication = -1;
1147 * Called after processing other sources of option data, this fills those
1148 * options for which no value has been specified with their default values.
1152 fill_default_options(Options * options)
1156 if (options->forward_agent == -1)
1157 options->forward_agent = 0;
1158 if (options->forward_x11 == -1)
1159 options->forward_x11 = 0;
1160 if (options->forward_x11_trusted == -1)
1161 options->forward_x11_trusted = 0;
1162 if (options->exit_on_forward_failure == -1)
1163 options->exit_on_forward_failure = 0;
1164 if (options->xauth_location == NULL)
1165 options->xauth_location = _PATH_XAUTH;
1166 if (options->gateway_ports == -1)
1167 options->gateway_ports = 0;
1168 if (options->use_privileged_port == -1)
1169 options->use_privileged_port = 0;
1170 if (options->rsa_authentication == -1)
1171 options->rsa_authentication = 1;
1172 if (options->pubkey_authentication == -1)
1173 options->pubkey_authentication = 1;
1174 if (options->challenge_response_authentication == -1)
1175 options->challenge_response_authentication = 1;
1176 if (options->gss_authentication == -1)
1177 options->gss_authentication = 1;
1178 if (options->gss_keyex == -1)
1179 options->gss_keyex = 1;
1180 if (options->gss_deleg_creds == -1)
1181 options->gss_deleg_creds = 1;
1182 if (options->gss_trust_dns == -1)
1183 options->gss_trust_dns = 1;
1184 if (options->password_authentication == -1)
1185 options->password_authentication = 1;
1186 if (options->kbd_interactive_authentication == -1)
1187 options->kbd_interactive_authentication = 1;
1188 if (options->rhosts_rsa_authentication == -1)
1189 options->rhosts_rsa_authentication = 0;
1190 if (options->hostbased_authentication == -1)
1191 options->hostbased_authentication = 0;
1192 if (options->batch_mode == -1)
1193 options->batch_mode = 0;
1194 if (options->check_host_ip == -1)
1195 options->check_host_ip = 1;
1196 if (options->strict_host_key_checking == -1)
1197 options->strict_host_key_checking = 2; /* 2 is default */
1198 if (options->compression == -1)
1199 options->compression = 0;
1200 if (options->tcp_keep_alive == -1)
1201 options->tcp_keep_alive = 1;
1202 if (options->compression_level == -1)
1203 options->compression_level = 6;
1204 if (options->port == -1)
1205 options->port = 0; /* Filled in ssh_connect. */
1206 if (options->address_family == -1)
1207 options->address_family = AF_UNSPEC;
1208 if (options->connection_attempts == -1)
1209 options->connection_attempts = 1;
1210 if (options->number_of_password_prompts == -1)
1211 options->number_of_password_prompts = 3;
1212 /* Selected in ssh_login(). */
1213 if (options->cipher == -1)
1214 options->cipher = SSH_CIPHER_NOT_SET;
1215 /* options->ciphers, default set in myproposals.h */
1216 /* options->macs, default set in myproposals.h */
1217 /* options->hostkeyalgorithms, default set in myproposals.h */
1218 if (options->protocol == SSH_PROTO_UNKNOWN)
1219 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
1220 if (options->num_identity_files == 0) {
1221 if (options->protocol & SSH_PROTO_1) {
1222 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1223 options->identity_files[options->num_identity_files] =
1225 snprintf(options->identity_files[options->num_identity_files++],
1226 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1228 if (options->protocol & SSH_PROTO_2) {
1229 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1230 options->identity_files[options->num_identity_files] =
1232 snprintf(options->identity_files[options->num_identity_files++],
1233 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1235 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1236 options->identity_files[options->num_identity_files] =
1238 snprintf(options->identity_files[options->num_identity_files++],
1239 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1242 if (options->escape_char == -1)
1243 options->escape_char = '~';
1244 if (options->system_hostfile == NULL)
1245 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1246 if (options->user_hostfile == NULL)
1247 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1248 if (options->system_hostfile2 == NULL)
1249 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1250 if (options->user_hostfile2 == NULL)
1251 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1252 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1253 options->log_level = SYSLOG_LEVEL_INFO;
1254 if (options->clear_forwardings == 1)
1255 clear_forwardings(options);
1256 if (options->no_host_authentication_for_localhost == - 1)
1257 options->no_host_authentication_for_localhost = 0;
1258 if (options->identities_only == -1)
1259 options->identities_only = 0;
1260 if (options->enable_ssh_keysign == -1)
1261 options->enable_ssh_keysign = 0;
1262 if (options->rekey_limit == -1)
1263 options->rekey_limit = 0;
1264 if (options->verify_host_key_dns == -1)
1265 options->verify_host_key_dns = 0;
1266 if (options->server_alive_interval == -1)
1267 options->server_alive_interval = 0;
1268 if (options->server_alive_count_max == -1)
1269 options->server_alive_count_max = 3;
1270 if (options->none_switch == -1)
1271 options->none_switch = 0;
1272 if (options->hpn_disabled == -1)
1273 options->hpn_disabled = 0;
1274 if (options->hpn_buffer_size > -1)
1276 /* if a user tries to set the size to 0 set it to 1KB */
1277 if (options->hpn_buffer_size == 0)
1278 options->hpn_buffer_size = 1024;
1279 /*limit the buffer to 64MB*/
1280 if (options->hpn_buffer_size > 65536)
1282 options->hpn_buffer_size = 65536*1024;
1283 debug("User requested buffer larger than 64MB. Request reverted to 64MB");
1285 debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
1287 if (options->tcp_rcv_buf == 0)
1288 options->tcp_rcv_buf = 1;
1289 if (options->tcp_rcv_buf > -1)
1290 options->tcp_rcv_buf *=1024;
1291 if (options->tcp_rcv_buf_poll == -1)
1292 options->tcp_rcv_buf_poll = 1;
1293 if (options->control_master == -1)
1294 options->control_master = 0;
1295 if (options->hash_known_hosts == -1)
1296 options->hash_known_hosts = 0;
1297 if (options->tun_open == -1)
1298 options->tun_open = SSH_TUNMODE_NO;
1299 if (options->tun_local == -1)
1300 options->tun_local = SSH_TUNID_ANY;
1301 if (options->tun_remote == -1)
1302 options->tun_remote = SSH_TUNID_ANY;
1303 if (options->permit_local_command == -1)
1304 options->permit_local_command = 0;
1305 if (options->visual_host_key == -1)
1306 options->visual_host_key = 0;
1307 if (options->zero_knowledge_password_authentication == -1)
1308 options->zero_knowledge_password_authentication = 0;
1309 /* options->local_command should not be set by default */
1310 /* options->proxy_command should not be set by default */
1311 /* options->user will be set in the main program if appropriate */
1312 /* options->hostname will be set in the main program if appropriate */
1313 /* options->host_key_alias should not be set by default */
1314 /* options->preferred_authentications will be set in ssh */
1319 * Parses a string containing a port forwarding specification of the form:
1321 * [listenhost:]listenport:connecthost:connectport
1323 * or [listenhost:]listenport
1324 * Returns the number of arguments parsed, or zero on error.
1327 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1330 char *p, *cp, *fwdarg[4];
1332 memset(fwd, '\0', sizeof(*fwd));
1334 cp = p = xstrdup(fwdspec);
1336 /* skip leading spaces */
1337 while (isspace(*cp))
1340 for (i = 0; i < 4; ++i)
1341 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1344 /* Check for trailing garbage */
1346 i = 0; /* failure */
1350 fwd->listen_host = NULL;
1351 fwd->listen_port = a2port(fwdarg[0]);
1352 fwd->connect_host = xstrdup("socks");
1356 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1357 fwd->listen_port = a2port(fwdarg[1]);
1358 fwd->connect_host = xstrdup("socks");
1362 fwd->listen_host = NULL;
1363 fwd->listen_port = a2port(fwdarg[0]);
1364 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1365 fwd->connect_port = a2port(fwdarg[2]);
1369 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1370 fwd->listen_port = a2port(fwdarg[1]);
1371 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1372 fwd->connect_port = a2port(fwdarg[3]);
1375 i = 0; /* failure */
1381 if (!(i == 1 || i == 2))
1384 if (!(i == 3 || i == 4))
1386 if (fwd->connect_port <= 0)
1390 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
1393 if (fwd->connect_host != NULL &&
1394 strlen(fwd->connect_host) >= NI_MAXHOST)
1396 if (fwd->listen_host != NULL &&
1397 strlen(fwd->listen_host) >= NI_MAXHOST)
1404 if (fwd->connect_host != NULL) {
1405 xfree(fwd->connect_host);
1406 fwd->connect_host = NULL;
1408 if (fwd->listen_host != NULL) {
1409 xfree(fwd->listen_host);
1410 fwd->listen_host = NULL;