1 /* $OpenBSD: servconf.c,v 1.194 2009/01/22 10:02:34 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
28 #include "openbsd-compat/sys-queue.h"
35 #include "pathnames.h"
43 #include "groupaccess.h"
/*
 * Forward declarations for the listener helpers defined later in this
 * file.  add_listen_addr() queues one (addr, port) request; its callers
 * pass port 0 when no port was given, which appears to expand to every
 * configured port.  add_one_listen_addr() does the getaddrinfo() lookup
 * and links the result into options->listen_addrs.
 */
45 static void add_listen_addr(ServerOptions *, char *, int);
46 static void add_one_listen_addr(ServerOptions *, char *, int);
48 /* Use of privilege separation or not */
/*
 * Defined in another translation unit.  -1 means "not set": the
 * UsePrivilegeSeparation directive writes into it directly and
 * fill_default_server_options() tests it for -1.
 */
49 extern int use_privsep;
52 /* Initializes the server options to their default values. */
/*
 * Reset *options to "nothing set yet".  Every field gets a sentinel that
 * cannot come from sshd_config: -1 for integers, NULL for pointers, 0 for
 * counters, and PERMIT_NOT_SET / SYSLOG_*_NOT_SET / SSH_PROTO_UNKNOWN for
 * the enums.  fill_default_server_options() later replaces only fields
 * that still hold their sentinel, which is how an explicit "no" in the
 * config is told apart from the directive being absent.
 *
 * The function's return type, braces and (presumably) the SESSION_HOOKS
 * guard around the session_hooks_* fields are not in this listing; the
 * parser below does use #ifdef SESSION_HOOKS for the matching keywords.
 */
55 initialize_server_options(ServerOptions *options)
/* Zero everything first; fields with no explicit sentinel below start as 0/NULL. */
57 memset(options, 0, sizeof(*options));
59 /* Portable-specific options */
60 options->use_pam = -1;
61 options->permit_pam_user_change = -1;
63 /* Standard Options */
/* Listener state: filled by Port/ListenAddress or by fill_default_server_options(). */
64 options->num_ports = 0;
65 options->ports_from_cmdline = 0;
66 options->listen_addrs = NULL;
67 options->address_family = -1;
68 options->num_host_key_files = 0;
69 options->pid_file = NULL;
70 options->server_key_bits = -1;
71 options->login_grace_time = -1;
72 options->key_regeneration_time = -1;
/* PermitRootLogin is a tri-state (yes/without-password/forced-commands-only/no), hence its own sentinel. */
73 options->permit_root_login = PERMIT_NOT_SET;
74 options->ignore_rhosts = -1;
75 options->ignore_user_known_hosts = -1;
76 options->print_motd = -1;
77 options->print_lastlog = -1;
78 options->x11_forwarding = -1;
79 options->x11_display_offset = -1;
80 options->x11_use_localhost = -1;
81 options->xauth_location = NULL;
82 options->strict_modes = -1;
83 options->tcp_keep_alive = -1;
84 options->log_facility = SYSLOG_FACILITY_NOT_SET;
85 options->log_level = SYSLOG_LEVEL_NOT_SET;
/* Authentication methods; -1 becomes the compiled-in default in fill_default_server_options(). */
86 options->rhosts_rsa_authentication = -1;
87 options->hostbased_authentication = -1;
88 options->hostbased_uses_name_from_packet_only = -1;
89 options->rsa_authentication = -1;
90 options->pubkey_authentication = -1;
91 options->kerberos_authentication = -1;
92 options->kerberos_or_local_passwd = -1;
93 options->kerberos_ticket_cleanup = -1;
/* Optional session hook commands (SESSION_HOOKS build). */
95 options->session_hooks_allow = -1;
96 options->session_hooks_startup_cmd = NULL;
97 options->session_hooks_shutdown_cmd = NULL;
99 options->kerberos_get_afs_token = -1;
100 options->gss_authentication = -1;
101 options->gss_deleg_creds = -1;
102 options->gss_keyex = -1;
103 options->gss_cleanup_creds = -1;
104 options->gss_strict_acceptor = -1;
105 options->gsi_allow_limited_proxy = -1;
106 options->password_authentication = -1;
107 options->kbd_interactive_authentication = -1;
108 options->challenge_response_authentication = -1;
109 options->permit_empty_passwd = -1;
110 options->permit_user_env = -1;
111 options->use_login = -1;
112 options->compression = -1;
113 options->allow_tcp_forwarding = -1;
114 options->allow_agent_forwarding = -1;
/* Access-list counters; the arrays they index are bounded by MAX_*_USERS in the parser. */
115 options->num_allow_users = 0;
116 options->num_deny_users = 0;
117 options->num_allow_groups = 0;
118 options->num_deny_groups = 0;
119 options->ciphers = NULL;
120 options->macs = NULL;
121 options->protocol = SSH_PROTO_UNKNOWN;
122 options->gateway_ports = -1;
123 options->num_subsystems = 0;
124 options->max_startups_begin = -1;
125 options->max_startups_rate = -1;
126 options->max_startups = -1;
127 options->max_authtries = -1;
128 options->max_sessions = -1;
129 options->banner = NULL;
130 options->use_dns = -1;
131 options->client_alive_interval = -1;
132 options->client_alive_count_max = -1;
133 options->authorized_keys_file = NULL;
134 options->authorized_keys_file2 = NULL;
135 options->num_accept_env = 0;
136 options->permit_tun = -1;
/* -1 here, unlike the other counters: "no PermitOpen seen" must differ from an empty list. */
137 options->num_permitted_opens = -1;
138 options->adm_forced_command = NULL;
139 options->chroot_directory = NULL;
/* HPN tunables; hpn_buffer_size left at -1 is derived from the socket receive buffer later. */
140 options->none_enabled = -1;
141 options->tcp_rcv_buf_poll = -1;
142 options->hpn_disabled = -1;
143 options->hpn_buffer_size = -1;
144 options->zero_knowledge_password_authentication = -1;
/*
 * Fill in the compiled-in default for every option still holding its
 * "not set" sentinel (-1 / NULL / *_NOT_SET).  Must run after the config
 * has been parsed: the parser stores a value only while the field is still
 * -1 (its "*activep && *intptr == -1" guard), so running this first would
 * make sshd_config directives silently ineffective.
 *
 * Security-relevant defaults chosen here: PermitRootLogin yes,
 * PasswordAuthentication yes, ChallengeResponseAuthentication yes,
 * GSSAPI authentication / credential delegation / key exchange on,
 * UsePAM off, X11Forwarding off, PermitEmptyPasswords off, StrictModes on,
 * UseDNS on.  Any hardening beyond that has to come from sshd_config.
 *
 * Return type, braces and several short lines (including the sock and
 * socksize declarations) are not in this listing.
 */
148 fill_default_server_options(ServerOptions *options)
150 /* needed for hpn socket tests */
/*
 * NOTE(review): getsockopt() takes a socklen_t * for this argument;
 * declaring it int works only where socklen_t and int have the same size.
 */
153 int socksizelen = sizeof(int);
155 /* Portable-specific options */
156 if (options->use_pam == -1)
157 options->use_pam = 0;
158 if (options->permit_pam_user_change == -1)
159 options->permit_pam_user_change = 0;
161 /* Standard Options */
/* Both protocol versions unless Protocol was given. */
162 if (options->protocol == SSH_PROTO_UNKNOWN)
163 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
164 if (options->num_host_key_files == 0) {
165 /* fill default hostkeys for protocols */
/* The protocol-1 key path on the next source line is not in this listing. */
166 if (options->protocol & SSH_PROTO_1)
167 options->host_key_files[options->num_host_key_files++] =
169 if (options->protocol & SSH_PROTO_2) {
170 options->host_key_files[options->num_host_key_files++] =
171 _PATH_HOST_RSA_KEY_FILE;
172 options->host_key_files[options->num_host_key_files++] =
173 _PATH_HOST_DSA_KEY_FILE;
/* add_listen_addr(NULL, 0): wildcard address on every configured port. */
176 if (options->num_ports == 0)
177 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
178 if (options->listen_addrs == NULL)
179 add_listen_addr(options, NULL, 0);
180 if (options->pid_file == NULL)
181 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
182 if (options->server_key_bits == -1)
183 options->server_key_bits = 1024;
/* Seconds an unauthenticated connection may live. */
184 if (options->login_grace_time == -1)
185 options->login_grace_time = 120;
186 if (options->key_regeneration_time == -1)
187 options->key_regeneration_time = 3600;
/* NOTE(review): root login is permitted unless sshd_config says otherwise. */
188 if (options->permit_root_login == PERMIT_NOT_SET)
189 options->permit_root_login = PERMIT_YES;
190 if (options->ignore_rhosts == -1)
191 options->ignore_rhosts = 1;
192 if (options->ignore_user_known_hosts == -1)
193 options->ignore_user_known_hosts = 0;
194 if (options->print_motd == -1)
195 options->print_motd = 1;
196 if (options->print_lastlog == -1)
197 options->print_lastlog = 1;
198 if (options->x11_forwarding == -1)
199 options->x11_forwarding = 0;
200 if (options->x11_display_offset == -1)
201 options->x11_display_offset = 10;
202 if (options->x11_use_localhost == -1)
203 options->x11_use_localhost = 1;
204 if (options->xauth_location == NULL)
205 options->xauth_location = _PATH_XAUTH;
206 if (options->strict_modes == -1)
207 options->strict_modes = 1;
208 if (options->tcp_keep_alive == -1)
209 options->tcp_keep_alive = 1;
210 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
211 options->log_facility = SYSLOG_FACILITY_AUTH;
212 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
213 options->log_level = SYSLOG_LEVEL_INFO;
/* Host-based and rhosts-RSA are off; RSA (protocol 1) and pubkey are on. */
214 if (options->rhosts_rsa_authentication == -1)
215 options->rhosts_rsa_authentication = 0;
216 if (options->hostbased_authentication == -1)
217 options->hostbased_authentication = 0;
218 if (options->hostbased_uses_name_from_packet_only == -1)
219 options->hostbased_uses_name_from_packet_only = 0;
220 if (options->rsa_authentication == -1)
221 options->rsa_authentication = 1;
222 if (options->pubkey_authentication == -1)
223 options->pubkey_authentication = 1;
224 if (options->kerberos_authentication == -1)
225 options->kerberos_authentication = 0;
226 if (options->kerberos_or_local_passwd == -1)
227 options->kerberos_or_local_passwd = 1;
228 if (options->kerberos_ticket_cleanup == -1)
229 options->kerberos_ticket_cleanup = 1;
230 if (options->kerberos_get_afs_token == -1)
231 options->kerberos_get_afs_token = 0;
/*
 * GSSAPI is enabled by default in this build, including credential
 * delegation and GSSAPI key exchange; only limited GSI proxies are refused.
 */
232 if (options->gss_authentication == -1)
233 options->gss_authentication = 1;
234 if (options->gss_deleg_creds == -1)
235 options->gss_deleg_creds = 1;
236 if (options->gss_keyex == -1)
237 options->gss_keyex = 1;
238 if (options->gss_cleanup_creds == -1)
239 options->gss_cleanup_creds = 1;
240 if (options->gss_strict_acceptor == -1)
241 options->gss_strict_acceptor = 1;
242 if (options->gsi_allow_limited_proxy == -1)
243 options->gsi_allow_limited_proxy = 0;
244 if (options->password_authentication == -1)
245 options->password_authentication = 1;
246 if (options->kbd_interactive_authentication == -1)
247 options->kbd_interactive_authentication = 0;
248 if (options->challenge_response_authentication == -1)
249 options->challenge_response_authentication = 1;
250 if (options->permit_empty_passwd == -1)
251 options->permit_empty_passwd = 0;
252 if (options->permit_user_env == -1)
253 options->permit_user_env = 0;
254 if (options->use_login == -1)
255 options->use_login = 0;
/* Compression only after authentication unless the config says "yes"/"no". */
256 if (options->compression == -1)
257 options->compression = COMP_DELAYED;
258 if (options->allow_tcp_forwarding == -1)
259 options->allow_tcp_forwarding = 1;
260 if (options->allow_agent_forwarding == -1)
261 options->allow_agent_forwarding = 1;
262 if (options->gateway_ports == -1)
263 options->gateway_ports = 0;
/* MaxStartups: "begin" defaults to the hard limit, i.e. no random early drop. */
264 if (options->max_startups == -1)
265 options->max_startups = 10;
266 if (options->max_startups_rate == -1)
267 options->max_startups_rate = 100; /* 100% */
268 if (options->max_startups_begin == -1)
269 options->max_startups_begin = options->max_startups;
270 if (options->max_authtries == -1)
271 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
272 if (options->max_sessions == -1)
273 options->max_sessions = DEFAULT_SESSIONS_MAX;
274 if (options->use_dns == -1)
275 options->use_dns = 1;
/* 0 disables client-alive probing. */
276 if (options->client_alive_interval == -1)
277 options->client_alive_interval = 0;
278 if (options->client_alive_count_max == -1)
279 options->client_alive_count_max = 3;
/*
 * Resolve the key-file pair: file2 inherits an explicitly configured file1,
 * otherwise each falls back to its own compiled-in path.  (The "else"
 * between the two assignments below is not in this listing.)
 */
280 if (options->authorized_keys_file2 == NULL) {
281 /* authorized_keys_file2 falls back to authorized_keys_file */
282 if (options->authorized_keys_file != NULL)
283 options->authorized_keys_file2 = options->authorized_keys_file;
285 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
287 if (options->authorized_keys_file == NULL)
288 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
289 if (options->permit_tun == -1)
290 options->permit_tun = SSH_TUNMODE_NO;
291 if (options->zero_knowledge_password_authentication == -1)
292 options->zero_knowledge_password_authentication = 0;
294 if (options->hpn_disabled == -1)
295 options->hpn_disabled = 0;
297 if (options->hpn_buffer_size == -1) {
298 /* option not explicitly set. Now we have to figure out */
299 /* what value to use */
300 if (options->hpn_disabled == 1) {
301 options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
303 /* get the current RCV size and set it to that */
304 /* create a socket but don't connect it */
305 /* we use that to get the rcv socket size */
/*
 * NOTE(review): neither socket() nor getsockopt() is checked.  If socket()
 * fails, getsockopt() is called on fd -1 and socksize keeps whatever value
 * it was declared with (the declaration is outside this listing), which
 * then becomes the channel window size.  The close() of the probe socket
 * is not visible here either -- confirm the descriptor is released.
 */
306 sock = socket(AF_INET, SOCK_STREAM, 0);
307 getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
308 &socksize, &socksizelen);
310 options->hpn_buffer_size = socksize;
311 debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
/*
 * The "in case both are set" wording suggests this is the else branch of
 * the hpn_buffer_size == -1 test, i.e. it normalises an explicitly
 * configured value; the branch keyword itself is not in this listing.
 */
315 /* we have to do this in case the user sets both values in a contradictory */
316 /* manner. hpn_disabled overrides hpn_buffer_size */
317 if (options->hpn_disabled <= 0) {
/* A configured size is in KB: floor at 1 KB, cap at 64 MB, convert to bytes. */
318 if (options->hpn_buffer_size == 0)
319 options->hpn_buffer_size = 1;
320 /* limit the maximum buffer to 64MB */
321 if (options->hpn_buffer_size > 64*1024) {
322 options->hpn_buffer_size = 64*1024*1024;
324 options->hpn_buffer_size *= 1024;
/* Presumably the else of the hpn_disabled test: HPN off means the stock TCP window. */
327 options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
330 /* Turn privilege separation on by default */
/* The assignment under this test is on a line not shown in this listing. */
331 if (use_privsep == -1)
/*
 * Presumably under a platform #ifdef (not visible here): where privsep and
 * compression cannot coexist, compression is dropped rather than privsep,
 * so the process-isolation boundary is kept.  The test is against 1, not
 * COMP_DELAYED.
 */
335 if (use_privsep && options->compression == 1) {
336 error("This platform does not support both privilege "
337 "separation and compression");
338 error("Compression disabled");
339 options->compression = 0;
345 /* Keyword tokens. */
/*
 * One opcode per recognised sshd_config keyword (the "typedef enum {"
 * header and the "} ServerOpCodes;" closer are not in this listing).
 * keywords[] below maps keyword text to these; parse_token() yields
 * sBadOption for a name absent from that table.  sDeprecated and
 * sUnsupported are opcodes in their own right, so obsolete or compiled-out
 * directives are still recognised as keywords rather than rejected as
 * unknown names.
 */
347 sBadOption, /* == unknown option */
348 /* Portable-specific options */
349 sUsePAM, sPermitPAMUserChange,
350 /* Standard Options */
351 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
352 sPermitRootLogin, sLogFacility, sLogLevel,
353 sRhostsRSAAuthentication, sRSAAuthentication,
354 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
355 sKerberosGetAFSToken,
356 sKerberosTgtPassing, sChallengeResponseAuthentication,
/* Session-hook opcodes; presumably under the SESSION_HOOKS guard used by the parser. */
358 sAllowSessionHooks, sSessionHookStartupCmd, sSessionHookShutdownCmd,
360 sPasswordAuthentication, sKbdInteractiveAuthentication,
361 sListenAddress, sAddressFamily,
362 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
363 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
364 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
365 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
366 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
367 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
368 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
369 sMaxStartups, sMaxAuthTries, sMaxSessions,
370 sBanner, sUseDNS, sHostbasedAuthentication,
371 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
372 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
/* The remaining GSSAPI opcodes (delegation, key exchange, strict acceptor, creds path) are on lines not shown. */
373 sGssAuthentication, sGssCleanupCreds,
378 sGsiAllowLimitedProxy,
379 sAcceptEnv, sPermitTunnel,
380 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
381 sUsePrivilegeSeparation, sAllowAgentForwarding,
/* HPN / "none" cipher extensions. */
382 sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
383 sZeroKnowledgePasswordAuthentication,
384 sDeprecated, sUnsupported
/*
 * Per-keyword placement flags, stored in keywords[].flags and handed back
 * by parse_token().  The parser refuses a directive inside a Match block
 * unless SSHCFG_MATCH is set.  A table entry that omits the field is
 * zero-initialised, i.e. carries neither bit.
 */
387 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
388 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
389 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
391 /* Textual representation of the tokens. */
/*
 * keywords[]: { name, opcode, flags }, terminated by the NULL-name entry.
 * parse_token() compares names case-insensitively and takes the first hit.
 * The struct header, its name/flags members and the "keywords[] =" line
 * are not in this listing.
 *
 * Several names appear twice below, once with a real opcode and once as
 * sUnsupported (usepam, permitpamuserchange, the kerberos* and gssapi*
 * directives, zeroknowledgepasswordauthentication).  Presumably each pair
 * sits under an #ifdef/#else for the corresponding build option on lines
 * the listing does not show; since first match wins, only one of each
 * pair may be compiled in.
 */
394 ServerOpCodes opcode;
397 /* Portable-specific options */
399 { "usepam", sUsePAM, SSHCFG_GLOBAL },
/*
 * NOTE(review): this entry has no trailing comma.  If another initialiser
 * follows it in the same preprocessor branch, the table will not compile
 * with USE_PAM defined -- confirm against the source.
 */
400 { "permitpamuserchange", sPermitPAMUserChange, SSHCFG_GLOBAL }
402 { "usepam", sUnsupported, SSHCFG_GLOBAL },
403 { "permitpamuserchange", sUnsupported, SSHCFG_GLOBAL },
405 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
406 /* Standard Options */
407 { "port", sPort, SSHCFG_GLOBAL },
408 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
409 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
410 { "pidfile", sPidFile, SSHCFG_GLOBAL },
411 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
412 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
413 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
/* Match-capable (SSHCFG_ALL) entries are the per-connection policy knobs. */
414 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
415 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
416 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
417 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
418 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
419 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
420 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
421 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
422 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
/* Note the alias is GLOBAL-only while the canonical name is SSHCFG_ALL. */
423 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
425 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
426 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
427 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
429 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
431 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
434 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
435 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
436 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
437 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
439 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
440 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
442 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
443 { "gssapidelegatecredentials", sGssDelegateCreds, SSHCFG_ALL },
444 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
445 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
446 { "gssapicredentialspath", sGssCredsPath, SSHCFG_GLOBAL },
447 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
449 { "gsiallowlimitedproxy", sGsiAllowLimitedProxy, SSHCFG_GLOBAL },
452 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
453 { "gssapidelegatecredentials", sUnsupported, SSHCFG_ALL },
454 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
455 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
456 { "gssapicredentialspath", sUnsupported, SSHCFG_GLOBAL },
457 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
459 { "gsiallowlimitedproxy", sUnsupported, SSHCFG_GLOBAL },
463 { "allowsessionhooks", sAllowSessionHooks, SSHCFG_GLOBAL },
464 { "sessionhookstartupcmd", sSessionHookStartupCmd, SSHCFG_GLOBAL },
465 { "sessionhookshutdowncmd", sSessionHookShutdownCmd, SSHCFG_GLOBAL },
467 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
468 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
469 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
470 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
472 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
474 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
476 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
477 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
478 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
479 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
480 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
481 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
482 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
483 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
484 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
485 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
486 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
487 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
488 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
489 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
490 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
491 { "compression", sCompression, SSHCFG_GLOBAL },
492 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
493 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
494 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
495 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
496 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
497 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
498 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
499 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
500 { "ciphers", sCiphers, SSHCFG_GLOBAL },
501 { "macs", sMacs, SSHCFG_GLOBAL },
502 { "protocol", sProtocol, SSHCFG_GLOBAL },
503 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
504 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
505 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
506 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
507 { "maxsessions", sMaxSessions, SSHCFG_ALL },
508 { "banner", sBanner, SSHCFG_ALL },
509 { "usedns", sUseDNS, SSHCFG_GLOBAL },
510 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
511 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
512 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
513 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
514 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
515 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
516 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
517 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
518 { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
519 { "match", sMatch, SSHCFG_ALL },
520 { "permitopen", sPermitOpen, SSHCFG_ALL },
521 { "forcecommand", sForceCommand, SSHCFG_ALL },
522 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
/*
 * NOTE(review): the four HPN entries below omit the flags field, so it is
 * zero-initialised -- neither SSHCFG_GLOBAL nor SSHCFG_MATCH -- unlike
 * every other entry.  Writing SSHCFG_GLOBAL explicitly would match the
 * rest of the table and state the intended placement.
 */
523 { "noneenabled", sNoneEnabled },
524 { "hpndisabled", sHPNDisabled },
525 { "hpnbuffersize", sHPNBufferSize },
526 { "tcprcvbufpoll", sTcpRcvBufPoll },
/* Terminator: parse_token() stops at the NULL name. */
527 { NULL, sBadOption, 0 }
/*
 * Text forms accepted for PermitTunnel and the SSH_TUNMODE_* value each maps
 * to.  The table's declaration, its terminating entry and the lookup loop
 * that walks it are outside this listing.
 */
534 { SSH_TUNMODE_NO, "no" },
535 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
536 { SSH_TUNMODE_ETHERNET, "ethernet" },
537 { SSH_TUNMODE_YES, "yes" },
542 * Returns the number of the token pointed to by cp or sBadOption.
/*
 * Look cp up in keywords[] (case-insensitive, first match wins).  On a hit
 * the entry's placement flags are stored through *flags and its opcode
 * returned; on a miss the bad option is logged with file and line and,
 * per the comment above, sBadOption is returned -- that return statement
 * and the loop index declaration are not in this listing.  *flags is left
 * untouched on a miss.
 */
546 parse_token(const char *cp, const char *filename,
547 int linenum, u_int *flags)
/* The table ends at the NULL-name sentinel entry. */
551 for (i = 0; keywords[i].name; i++)
552 if (strcasecmp(cp, keywords[i].name) == 0) {
553 debug ("Config token is %s", keywords[i].name);
554 *flags = keywords[i].flags;
555 return keywords[i].opcode;
558 error("%s: line %d: Bad configuration option: %s",
559 filename, linenum, cp);
/*
 * Queue a ListenAddress request.  addr == NULL is the wildcard address
 * (add_one_listen_addr() turns it into AI_PASSIVE).  The port list and
 * address family receive their defaults here before the first address is
 * resolved, which is why the parser fatal()s on a Port or AddressFamily
 * directive that follows a ListenAddress.  The test selecting between the
 * per-port loop and the single call is not in this listing; the callers
 * pass port 0 when no port was given, so 0 appears to mean "every
 * configured port".  The loop index declaration is also not shown.
 */
564 add_listen_addr(ServerOptions *options, char *addr, int port)
568 if (options->num_ports == 0)
569 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
570 if (options->address_family == -1)
571 options->address_family = AF_UNSPEC;
573 for (i = 0; i < options->num_ports; i++)
574 add_one_listen_addr(options, addr, options->ports[i]);
576 add_one_listen_addr(options, addr, port);
/*
 * Resolve one (addr, port) pair with getaddrinfo() and prepend the whole
 * result chain to options->listen_addrs.  A lookup failure is fatal, so an
 * unresolvable ListenAddress stops sshd instead of silently listening on
 * fewer sockets.  The addrinfo list is retained (linked into
 * listen_addrs), not freed here.  The gaierr declaration is outside this
 * listing.
 */
580 add_one_listen_addr(ServerOptions *options, char *addr, int port)
582 struct addrinfo hints, *ai, *aitop;
/* Decimal port text for getaddrinfo(); snprintf bounds the write to the buffer. */
583 char strport[NI_MAXSERV];
586 memset(&hints, 0, sizeof(hints));
587 hints.ai_family = options->address_family;
588 hints.ai_socktype = SOCK_STREAM;
/* NULL addr -> AI_PASSIVE, i.e. a wildcard address suitable for bind(). */
589 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
590 snprintf(strport, sizeof strport, "%d", port);
591 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
592 fatal("bad addr or host: %s (%s)",
593 addr ? addr : "<NULL>",
594 ssh_gai_strerror(gaierr));
/* Walk to the tail of the new chain (empty loop body, on a line not shown) and splice the old list after it. */
595 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
597 ai->ai_next = options->listen_addrs;
598 options->listen_addrs = aitop;
602 * The strategy for the Match blocks is that the config file is parsed twice.
604 * The first time is at startup. activep is initialized to 1 and the
605 * directives in the global context are processed and acted on. Hitting a
606 * Match directive unsets activep and the directives inside the block are
607 * checked for syntax only.
609 * The second time is after a connection has been established but before
610 * authentication. activep is initialized to 2 and global config directives
611 * are ignored since they have already been processed. If the criteria in a
612 * Match block are met, activep is set and the subsequent directives
613 * processed and actioned until EOF or another Match block unsets it. Any
614 * options set are copied into the main server config.
616 * Potential additions/improvements:
617 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
619 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
620 * Match Address 192.168.0.*
625 * AllowTcpForwarding yes
626 * GatewayPorts clientspecified
629 * - Add a PermittedChannelRequests directive
631 * PermittedChannelRequests session,forwarded-tcpip
/*
 * Evaluate a "Match Group" criterion: look up the client-supplied user
 * name, load that account's group membership and test it against the
 * pattern list in grps.  Every outcome is logged at debug level with the
 * user name truncated to 100 characters.  The return statements, the
 * function's return type and the pw declaration are not in this listing;
 * the caller switches on the result (see match_cfg_line()).
 */
635 match_cfg_line_group(const char *grps, int line, const char *user)
/* Unknown account: no groups to match, so the criterion cannot succeed. */
643 if ((pw = getpwnam(user)) == NULL) {
644 debug("Can't match group at line %d because user %.100s does "
645 "not exist", line, user);
646 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
647 debug("Can't Match group because user %.100s not in any group "
648 "at line %d", user, line);
649 } else if (ga_match_pattern_list(grps) != 1) {
650 debug("user %.100s does not match group list %.100s at line %d",
653 debug("user %.100s matched group list %.100s at line %d", user,
/*
 * Evaluate (or, when no connection is available, syntax-check) one Match
 * line.  *condition is consumed with strdelim() as attribute/argument
 * pairs -- User, Group, Host, Address, compared case-insensitively.
 * user/host/address describe the connecting client; which of the two
 * debug3() messages runs is decided by a test not shown here (presumably
 * user == NULL for the syntax-only pass).  A missing argument or an
 * unknown attribute is reported with error().  The result variable, its
 * initialisation, the return paths, the `len` used by the pattern
 * matches and the trailing parameter(s) of the signature are all outside
 * the visible lines.
 */
663 match_cfg_line(char **condition, int line, const char *user, const char *host,
667 char *arg, *attrib, *cp = *condition;
671 debug3("checking syntax for 'Match %s'", cp);
673 debug3("checking match for '%s' user %s host %s addr %s", cp,
674 user ? user : "(null)", host ? host : "(null)",
675 address ? address : "(null)");
/* One attribute and its argument per iteration; an attribute without an argument is an error. */
677 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
678 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
679 error("Missing Match criteria for %s", attrib);
683 if (strcasecmp(attrib, "user") == 0) {
688 if (match_pattern_list(user, arg, len, 0) != 1)
691 debug("user %.100s matched 'User %.100s' at "
692 "line %d", user, arg, line);
693 } else if (strcasecmp(attrib, "group") == 0) {
694 switch (match_cfg_line_group(arg, line, user)) {
700 } else if (strcasecmp(attrib, "host") == 0) {
/*
 * NOTE(review): `host` is a name obtained for the peer outside this file,
 * so a Match Host criterion is only as trustworthy as that lookup;
 * Match Address works on the peer address itself.
 */
705 if (match_hostname(host, arg, len) != 1)
708 debug("connection from %.100s matched 'Host "
709 "%.100s' at line %d", host, arg, line);
710 } else if (strcasecmp(attrib, "address") == 0) {
711 switch (addr_match_list(address, arg)) {
713 debug("connection from %.100s matched 'Address "
714 "%.100s' at line %d", address, arg, line);
724 error("Unsupported Match attribute %s", attrib);
729 debug3("match %sfound", result ? "" : "not ");
/* Characters treated as token separators: space, tab, CR and LF. */
734 #define WHITESPACE " \t\r\n"
737 process_server_config_line(ServerOptions *options, char *line,
738 const char *filename, int linenum, int *activep, const char *user,
739 const char *host, const char *address)
741 char *cp, **charptr, *arg, *p;
742 int cmdline = 0, *intptr, value, n;
743 SyslogFacility *log_facility_ptr;
744 LogLevel *log_level_ptr;
745 ServerOpCodes opcode;
751 if ((arg = strdelim(&cp)) == NULL)
753 /* Ignore leading whitespace */
756 if (!arg || !*arg || *arg == '#')
760 opcode = parse_token(arg, filename, linenum, &flags);
762 if (activep == NULL) { /* We are processing a command line directive */
766 if (*activep && opcode != sMatch)
767 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
768 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
770 fatal("%s line %d: Directive '%s' is not allowed "
771 "within a Match block", filename, linenum, arg);
772 } else { /* this is a directive we have already processed */
780 /* Portable-specific options */
782 intptr = &options->use_pam;
785 case sPermitPAMUserChange:
786 intptr = &options->permit_pam_user_change;
789 /* Standard Options */
793 /* ignore ports from configfile if cmdline specifies ports */
794 if (options->ports_from_cmdline)
796 if (options->listen_addrs != NULL)
797 fatal("%s line %d: ports must be specified before "
798 "ListenAddress.", filename, linenum);
799 if (options->num_ports >= MAX_PORTS)
800 fatal("%s line %d: too many ports.",
803 if (!arg || *arg == '\0')
804 fatal("%s line %d: missing port number.",
806 options->ports[options->num_ports++] = a2port(arg);
807 if (options->ports[options->num_ports-1] <= 0)
808 fatal("%s line %d: Badly formatted port number.",
813 intptr = &options->server_key_bits;
816 if (!arg || *arg == '\0')
817 fatal("%s line %d: missing integer value.",
820 if (*activep && *intptr == -1)
824 case sLoginGraceTime:
825 intptr = &options->login_grace_time;
828 if (!arg || *arg == '\0')
829 fatal("%s line %d: missing time value.",
831 if ((value = convtime(arg)) == -1)
832 fatal("%s line %d: invalid time value.",
838 case sKeyRegenerationTime:
839 intptr = &options->key_regeneration_time;
844 if (arg == NULL || *arg == '\0')
845 fatal("%s line %d: missing address",
847 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
848 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
849 && strchr(p+1, ':') != NULL) {
850 add_listen_addr(options, arg, 0);
855 fatal("%s line %d: bad address:port usage",
857 p = cleanhostname(p);
860 else if ((port = a2port(arg)) <= 0)
861 fatal("%s line %d: bad port number", filename, linenum);
863 add_listen_addr(options, p, port);
869 if (!arg || *arg == '\0')
870 fatal("%s line %d: missing address family.",
872 intptr = &options->address_family;
873 if (options->listen_addrs != NULL)
874 fatal("%s line %d: address family must be specified before "
875 "ListenAddress.", filename, linenum);
876 if (strcasecmp(arg, "inet") == 0)
878 else if (strcasecmp(arg, "inet6") == 0)
880 else if (strcasecmp(arg, "any") == 0)
883 fatal("%s line %d: unsupported address family \"%s\".",
884 filename, linenum, arg);
890 intptr = &options->num_host_key_files;
891 if (*intptr >= MAX_HOSTKEYS)
892 fatal("%s line %d: too many host keys specified (max %d).",
893 filename, linenum, MAX_HOSTKEYS);
894 charptr = &options->host_key_files[*intptr];
897 if (!arg || *arg == '\0')
898 fatal("%s line %d: missing file name.",
900 if (*activep && *charptr == NULL) {
901 *charptr = tilde_expand_filename(arg, getuid());
902 /* increase optional counter */
904 *intptr = *intptr + 1;
909 charptr = &options->pid_file;
912 case sPermitRootLogin:
913 intptr = &options->permit_root_login;
915 if (!arg || *arg == '\0')
916 fatal("%s line %d: missing yes/"
917 "without-password/forced-commands-only/no "
918 "argument.", filename, linenum);
919 value = 0; /* silence compiler */
920 if (strcmp(arg, "without-password") == 0)
921 value = PERMIT_NO_PASSWD;
922 else if (strcmp(arg, "forced-commands-only") == 0)
923 value = PERMIT_FORCED_ONLY;
924 else if (strcmp(arg, "yes") == 0)
926 else if (strcmp(arg, "no") == 0)
929 fatal("%s line %d: Bad yes/"
930 "without-password/forced-commands-only/no "
931 "argument: %s", filename, linenum, arg);
932 if (*activep && *intptr == -1)
937 intptr = &options->ignore_rhosts;
940 if (!arg || *arg == '\0')
941 fatal("%s line %d: missing yes/no argument.",
943 value = 0; /* silence compiler */
944 if (strcmp(arg, "yes") == 0)
946 else if (strcmp(arg, "no") == 0)
949 fatal("%s line %d: Bad yes/no argument: %s",
950 filename, linenum, arg);
951 if (*activep && *intptr == -1)
956 intptr = &options->none_enabled;
960 intptr = &options->tcp_rcv_buf_poll;
964 intptr = &options->hpn_disabled;
968 intptr = &options->hpn_buffer_size;
971 case sIgnoreUserKnownHosts:
972 intptr = &options->ignore_user_known_hosts;
975 case sRhostsRSAAuthentication:
976 intptr = &options->rhosts_rsa_authentication;
979 case sHostbasedAuthentication:
980 intptr = &options->hostbased_authentication;
983 case sHostbasedUsesNameFromPacketOnly:
984 intptr = &options->hostbased_uses_name_from_packet_only;
987 case sRSAAuthentication:
988 intptr = &options->rsa_authentication;
991 case sPubkeyAuthentication:
992 intptr = &options->pubkey_authentication;
995 case sKerberosAuthentication:
996 intptr = &options->kerberos_authentication;
999 case sKerberosOrLocalPasswd:
1000 intptr = &options->kerberos_or_local_passwd;
1003 case sKerberosTicketCleanup:
1004 intptr = &options->kerberos_ticket_cleanup;
1007 case sKerberosGetAFSToken:
1008 intptr = &options->kerberos_get_afs_token;
1011 case sGssAuthentication:
1012 intptr = &options->gss_authentication;
1015 case sGssDelegateCreds:
1016 intptr = &options->gss_deleg_creds;
1020 intptr = &options->gss_keyex;
1023 case sGssCleanupCreds:
1024 intptr = &options->gss_cleanup_creds;
1027 case sGssStrictAcceptor:
1028 intptr = &options->gss_strict_acceptor;
1032 charptr = &options->gss_creds_path;
1033 goto parse_filename;
1035 case sGsiAllowLimitedProxy:
1036 intptr = &options->gsi_allow_limited_proxy;
1039 #ifdef SESSION_HOOKS
1040 case sAllowSessionHooks:
1041 intptr = &options->session_hooks_allow;
1043 case sSessionHookStartupCmd:
1044 case sSessionHookShutdownCmd:
1045 arg = strdelim(&cp);
1046 if (!arg || *arg == '\0')
1047 fatal("%s line %d: empty session hook command",
1049 if (opcode==sSessionHookStartupCmd)
1050 options->session_hooks_startup_cmd = strdup(arg);
1052 options->session_hooks_shutdown_cmd = strdup(arg);
1056 case sPasswordAuthentication:
1057 intptr = &options->password_authentication;
1060 case sZeroKnowledgePasswordAuthentication:
1061 intptr = &options->zero_knowledge_password_authentication;
1064 case sKbdInteractiveAuthentication:
1065 intptr = &options->kbd_interactive_authentication;
1068 case sChallengeResponseAuthentication:
1069 intptr = &options->challenge_response_authentication;
1073 intptr = &options->print_motd;
1077 intptr = &options->print_lastlog;
1080 case sX11Forwarding:
1081 intptr = &options->x11_forwarding;
1084 case sX11DisplayOffset:
1085 intptr = &options->x11_display_offset;
1088 case sX11UseLocalhost:
1089 intptr = &options->x11_use_localhost;
1092 case sXAuthLocation:
1093 charptr = &options->xauth_location;
1094 goto parse_filename;
1097 intptr = &options->strict_modes;
1101 intptr = &options->tcp_keep_alive;
1105 intptr = &options->permit_empty_passwd;
1108 case sPermitUserEnvironment:
1109 intptr = &options->permit_user_env;
1113 intptr = &options->use_login;
1117 intptr = &options->compression;
1118 arg = strdelim(&cp);
1119 if (!arg || *arg == '\0')
1120 fatal("%s line %d: missing yes/no/delayed "
1121 "argument.", filename, linenum);
1122 value = 0; /* silence compiler */
1123 if (strcmp(arg, "delayed") == 0)
1124 value = COMP_DELAYED;
1125 else if (strcmp(arg, "yes") == 0)
1127 else if (strcmp(arg, "no") == 0)
1130 fatal("%s line %d: Bad yes/no/delayed "
1131 "argument: %s", filename, linenum, arg);
1137 intptr = &options->gateway_ports;
1138 arg = strdelim(&cp);
1139 if (!arg || *arg == '\0')
1140 fatal("%s line %d: missing yes/no/clientspecified "
1141 "argument.", filename, linenum);
1142 value = 0; /* silence compiler */
1143 if (strcmp(arg, "clientspecified") == 0)
1145 else if (strcmp(arg, "yes") == 0)
1147 else if (strcmp(arg, "no") == 0)
1150 fatal("%s line %d: Bad yes/no/clientspecified "
1151 "argument: %s", filename, linenum, arg);
1152 if (*activep && *intptr == -1)
1157 intptr = &options->use_dns;
1161 log_facility_ptr = &options->log_facility;
1162 arg = strdelim(&cp);
1163 value = log_facility_number(arg);
1164 if (value == SYSLOG_FACILITY_NOT_SET)
1165 fatal("%.200s line %d: unsupported log facility '%s'",
1166 filename, linenum, arg ? arg : "<NONE>");
1167 if (*log_facility_ptr == -1)
1168 *log_facility_ptr = (SyslogFacility) value;
1172 log_level_ptr = &options->log_level;
1173 arg = strdelim(&cp);
1174 value = log_level_number(arg);
1175 if (value == SYSLOG_LEVEL_NOT_SET)
1176 fatal("%.200s line %d: unsupported log level '%s'",
1177 filename, linenum, arg ? arg : "<NONE>");
1178 if (*log_level_ptr == -1)
1179 *log_level_ptr = (LogLevel) value;
1182 case sAllowTcpForwarding:
1183 intptr = &options->allow_tcp_forwarding;
1186 case sAllowAgentForwarding:
1187 intptr = &options->allow_agent_forwarding;
1190 case sUsePrivilegeSeparation:
1191 intptr = &use_privsep;
1195 while ((arg = strdelim(&cp)) && *arg != '\0') {
1196 if (options->num_allow_users >= MAX_ALLOW_USERS)
1197 fatal("%s line %d: too many allow users.",
1199 options->allow_users[options->num_allow_users++] =
1205 while ((arg = strdelim(&cp)) && *arg != '\0') {
1206 if (options->num_deny_users >= MAX_DENY_USERS)
1207 fatal("%s line %d: too many deny users.",
1209 options->deny_users[options->num_deny_users++] =
1215 while ((arg = strdelim(&cp)) && *arg != '\0') {
1216 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1217 fatal("%s line %d: too many allow groups.",
1219 options->allow_groups[options->num_allow_groups++] =
1225 while ((arg = strdelim(&cp)) && *arg != '\0') {
1226 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1227 fatal("%s line %d: too many deny groups.",
1229 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1234 arg = strdelim(&cp);
1235 if (!arg || *arg == '\0')
1236 fatal("%s line %d: Missing argument.", filename, linenum);
1237 if (!ciphers_valid(arg))
1238 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1239 filename, linenum, arg ? arg : "<NONE>");
1240 if (options->ciphers == NULL)
1241 options->ciphers = xstrdup(arg);
1245 arg = strdelim(&cp);
1246 if (!arg || *arg == '\0')
1247 fatal("%s line %d: Missing argument.", filename, linenum);
1248 if (!mac_valid(arg))
1249 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1250 filename, linenum, arg ? arg : "<NONE>");
1251 if (options->macs == NULL)
1252 options->macs = xstrdup(arg);
1256 intptr = &options->protocol;
1257 arg = strdelim(&cp);
1258 if (!arg || *arg == '\0')
1259 fatal("%s line %d: Missing argument.", filename, linenum);
1260 value = proto_spec(arg);
1261 if (value == SSH_PROTO_UNKNOWN)
1262 fatal("%s line %d: Bad protocol spec '%s'.",
1263 filename, linenum, arg ? arg : "<NONE>");
1264 if (*intptr == SSH_PROTO_UNKNOWN)
1269 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1270 fatal("%s line %d: too many subsystems defined.",
1273 arg = strdelim(&cp);
1274 if (!arg || *arg == '\0')
1275 fatal("%s line %d: Missing subsystem name.",
1278 arg = strdelim(&cp);
1281 for (i = 0; i < options->num_subsystems; i++)
1282 if (strcmp(arg, options->subsystem_name[i]) == 0)
1283 fatal("%s line %d: Subsystem '%s' already defined.",
1284 filename, linenum, arg);
1285 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1286 arg = strdelim(&cp);
1287 if (!arg || *arg == '\0')
1288 fatal("%s line %d: Missing subsystem command.",
1290 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1292 /* Collect arguments (separate to executable) */
1294 len = strlen(p) + 1;
1295 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1296 len += 1 + strlen(arg);
1297 p = xrealloc(p, 1, len);
1298 strlcat(p, " ", len);
1299 strlcat(p, arg, len);
1301 options->subsystem_args[options->num_subsystems] = p;
1302 options->num_subsystems++;
1306 arg = strdelim(&cp);
1307 if (!arg || *arg == '\0')
1308 fatal("%s line %d: Missing MaxStartups spec.",
1310 if ((n = sscanf(arg, "%d:%d:%d",
1311 &options->max_startups_begin,
1312 &options->max_startups_rate,
1313 &options->max_startups)) == 3) {
1314 if (options->max_startups_begin >
1315 options->max_startups ||
1316 options->max_startups_rate > 100 ||
1317 options->max_startups_rate < 1)
1318 fatal("%s line %d: Illegal MaxStartups spec.",
1321 fatal("%s line %d: Illegal MaxStartups spec.",
1324 options->max_startups = options->max_startups_begin;
1328 intptr = &options->max_authtries;
1332 intptr = &options->max_sessions;
1336 charptr = &options->banner;
1337 goto parse_filename;
1340 * These options can contain %X options expanded at
1341 * connect time, so that you can specify paths like:
1343 * AuthorizedKeysFile /etc/ssh_keys/%u
1345 case sAuthorizedKeysFile:
1346 case sAuthorizedKeysFile2:
1347 charptr = (opcode == sAuthorizedKeysFile) ?
1348 &options->authorized_keys_file :
1349 &options->authorized_keys_file2;
1350 goto parse_filename;
1352 case sClientAliveInterval:
1353 intptr = &options->client_alive_interval;
1356 case sClientAliveCountMax:
1357 intptr = &options->client_alive_count_max;
1361 while ((arg = strdelim(&cp)) && *arg != '\0') {
1362 if (strchr(arg, '=') != NULL)
1363 fatal("%s line %d: Invalid environment name.",
1365 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1366 fatal("%s line %d: too many allow env.",
1370 options->accept_env[options->num_accept_env++] =
1376 intptr = &options->permit_tun;
1377 arg = strdelim(&cp);
1378 if (!arg || *arg == '\0')
1379 fatal("%s line %d: Missing yes/point-to-point/"
1380 "ethernet/no argument.", filename, linenum);
1382 for (i = 0; tunmode_desc[i].val != -1; i++)
1383 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1384 value = tunmode_desc[i].val;
1388 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1389 "no argument: %s", filename, linenum, arg);
1396 fatal("Match directive not supported as a command-line "
1398 value = match_cfg_line(&cp, linenum, user, host, address);
1400 fatal("%s line %d: Bad Match condition", filename,
1406 arg = strdelim(&cp);
1407 if (!arg || *arg == '\0')
1408 fatal("%s line %d: missing PermitOpen specification",
1410 n = options->num_permitted_opens; /* modified later */
1411 if (strcmp(arg, "any") == 0) {
1412 if (*activep && n == -1) {
1413 channel_clear_adm_permitted_opens();
1414 options->num_permitted_opens = 0;
1418 if (*activep && n == -1)
1419 channel_clear_adm_permitted_opens();
1420 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1423 fatal("%s line %d: missing host in PermitOpen",
1425 p = cleanhostname(p);
1426 if (arg == NULL || (port = a2port(arg)) <= 0)
1427 fatal("%s line %d: bad port number in "
1428 "PermitOpen", filename, linenum);
1429 if (*activep && n == -1)
1430 options->num_permitted_opens =
1431 channel_add_adm_permitted_opens(p, port);
1437 fatal("%.200s line %d: Missing argument.", filename,
1439 len = strspn(cp, WHITESPACE);
1440 if (*activep && options->adm_forced_command == NULL)
1441 options->adm_forced_command = xstrdup(cp + len);
1444 case sChrootDirectory:
1445 charptr = &options->chroot_directory;
1447 arg = strdelim(&cp);
1448 if (!arg || *arg == '\0')
1449 fatal("%s line %d: missing file name.",
1451 if (*activep && *charptr == NULL)
1452 *charptr = xstrdup(arg);
1456 logit("%s line %d: Deprecated option %s",
1457 filename, linenum, arg);
1459 arg = strdelim(&cp);
1463 logit("%s line %d: Unsupported option %s",
1464 filename, linenum, arg);
1466 arg = strdelim(&cp);
1470 fatal("%s line %d: Missing handler for opcode %s (%d)",
1471 filename, linenum, arg, opcode);
1473 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1474 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1475 filename, linenum, arg);
1479 /*
 * Reads the server configuration file into a buffer.
 *
 * Each physical line is read with fgets() into a fixed 1024-byte buffer;
 * everything from the first '#' onward is dropped, leading blanks are
 * skipped and what is left is appended to conf.  A NUL is appended once
 * the file is exhausted so the buffer can be consumed as a single C
 * string by parse_server_config().  The declaration of f, the handling
 * of a failed fopen() and the fclose() are on lines not shown here.
 *
 * NOTE(review): a physical line longer than sizeof(line) - 1 bytes is
 * delivered by fgets() in several pieces.  If a '#' is in an earlier
 * piece, the tail of that comment arrives as a later piece that is
 * appended as if it were its own line, so the remainder of an over-long
 * comment could be parsed as a directive and later line numbers could
 * drift -- confirm against the full function.
 */
1482 load_server_config(const char *filename, Buffer *conf)
1484 char line[1024], *cp;	/* one fgets() chunk, see note above */
1487 debug2("%s: filename %s", __func__, filename);
1488 if ((f = fopen(filename, "r")) == NULL) {
	/* error reporting for the failed open is on lines not shown */
1493 while (fgets(line, sizeof(line), f)) {
1495 * Trim out comments and strip whitespace
1496 * NB - preserve newlines, they are needed to reproduce
1497 * line numbers later for error messages
1499 if ((cp = strchr(line, '#')) != NULL)
1500 memcpy(cp, "\n", 2);	/* overwrite '#' with "\n\0": comment gone, line count kept */
1501 cp = line + strspn(line, " \t\r");	/* skip leading blanks and CR */
1503 buffer_append(conf, cp, strlen(cp));
1505 buffer_append(conf, "\0", 1);	/* terminate: the parser reads buffer_ptr() as a C string */
1507 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1511 parse_server_match_config(ServerOptions *options, const char *user,
1512 const char *host, const char *address)
	/*
	 * Re-parse the saved configuration now that the connection's user,
	 * host and address are known, so Match blocks can be evaluated, then
	 * copy every option the re-parse set into *options.  The scratch
	 * ServerOptions (mo) and the Buffer (cfg) are set up on lines not
	 * shown; cfg is presumably the config text saved from the initial
	 * parse.
	 */
1516 initialize_server_options(&mo);	/* every field starts as "not set" */
1517 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1518 copy_set_server_options(options, &mo, 0);	/* preauth == 0: string options are copied as well */
1522 #define M_CP_INTOPT(n) do {\
1526 #define M_CP_STROPT(n) do {\
1527 if (src->n != NULL) { \
1528 if (dst->n != NULL) \
1535 * Copy any supported values that are set.
1537 * If the preauth flag is set, we do not bother copying the string or
1538 * array values that are not used pre-authentication, because any that we
1539 * do use must be explicitly sent in mm_getpwnamallow().
 *
 * For each option listed below, dst takes src's value when src's value is
 * "set"; the exact test lives in M_CP_INTOPT / M_CP_STROPT, whose bodies
 * are only partly visible (M_CP_STROPT copies when src->n != NULL and
 * does something with an existing dst->n first, presumably releasing it).
 * Values set inside Match blocks reach the live options only through this
 * list (see parse_server_match_config), so an option missing from it
 * cannot be changed per connection.  Some list entries and the preauth
 * check are on lines not shown.
1542 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
	/* authentication method switches */
1544 M_CP_INTOPT(password_authentication);
1545 M_CP_INTOPT(gss_authentication);
1546 M_CP_INTOPT(gss_deleg_creds);
1547 M_CP_INTOPT(rsa_authentication);
1548 M_CP_INTOPT(pubkey_authentication);
1549 M_CP_INTOPT(kerberos_authentication);
1550 M_CP_INTOPT(hostbased_authentication);
1551 M_CP_INTOPT(kbd_interactive_authentication);
1552 M_CP_INTOPT(zero_knowledge_password_authentication);
	/* login policy */
1553 M_CP_INTOPT(permit_root_login);
1554 M_CP_INTOPT(permit_empty_passwd);
	/* forwarding and session limits */
1556 M_CP_INTOPT(allow_tcp_forwarding);
1557 M_CP_INTOPT(allow_agent_forwarding);
1558 M_CP_INTOPT(gateway_ports);
1559 M_CP_INTOPT(x11_display_offset);
1560 M_CP_INTOPT(x11_forwarding);
1561 M_CP_INTOPT(x11_use_localhost);
1562 M_CP_INTOPT(max_sessions);
1563 M_CP_INTOPT(max_authtries);
	/* string options (the preauth short-cut described above is on a line not shown) */
1565 M_CP_STROPT(banner);
1568 M_CP_STROPT(adm_forced_command);
1569 M_CP_STROPT(chroot_directory);
1576 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1577 const char *user, const char *host, const char *address)
	/*
	 * Parse the configuration text held in conf, one line at a time, into
	 * *options.  filename is used only in log and error messages.
	 * user/host/address are NULL on the initial parse and set when Match
	 * blocks are re-evaluated for a connection (parse_server_match_config);
	 * they are passed straight through to process_server_config_line.
	 * Terminates via fatal() if bad_options is non-zero after the loop.
	 */
1579 int active, linenum, bad_options = 0;	/* linenum's start value is assigned on a line not shown */
1580 char *cp, *obuf, *cbuf;
1582 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
	/*
	 * Work on a private copy: strsep() writes NULs into it and advances
	 * cbuf, so obuf keeps the original pointer (its release is on a line
	 * not shown).
	 */
1584 obuf = cbuf = xstrdup(buffer_ptr(conf));
	/*
	 * With no user (initial parse) the global section is active from the
	 * first line; with a user (Match re-parse) nothing is active until a
	 * Match line matches.  The *activep checks in process_server_config_line
	 * gate whether a directive is applied; the line that flips active is
	 * presumably next to the match_cfg_line() call there.
	 */
1585 active = user ? 0 : 1;
1587 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1588 if (process_server_config_line(options, cp, filename,
1589 linenum++, &active, user, host, address) != 0)
	/* the per-error action (presumably bad_options++) is on a line not shown */
1593 if (bad_options > 0)
1594 fatal("%s: terminating, %d bad configuration options",
1595 filename, bad_options);
1599 fmt_intarg(ServerOpCodes code, int val)
	/*
	 * Return the configuration-keyword spelling of an integer option value,
	 * for dump_cfg_fmtint().  Only the option-specific spellings are
	 * visible here; the generic cases (the not-set value, plain yes/no),
	 * the switch headers and the return type are on lines not shown.
	 */
1601 if (code == sAddressFamily) {
	/* address-family spellings: body not shown */
1613 if (code == sPermitRootLogin) {
1615 case PERMIT_NO_PASSWD:
1616 return "without-password";
1617 case PERMIT_FORCED_ONLY:
1618 return "forced-commands-only";
1623 if (code == sProtocol) {
1629 case (SSH_PROTO_1|SSH_PROTO_2):	/* both protocol versions enabled; its spelling is not shown */
1635 if (code == sGatewayPorts && val == 2)
1636 return "clientspecified";
1637 if (code == sCompression && val == COMP_DELAYED)
	/* the spelling returned for COMP_DELAYED is on a line not shown */
1651 lookup_opcode_name(ServerOpCodes code)
	/*
	 * Map an opcode back to its configuration keyword by scanning the
	 * NULL-terminated keywords[] table.  What is returned when no entry
	 * matches is on a line not shown.
	 */
1655 for (i = 0; keywords[i].name != NULL; i++)
1656 if (keywords[i].opcode == code)
1657 return(keywords[i].name);
1662 dump_cfg_int(ServerOpCodes code, int val)
	/* Print one "<keyword> <val>" line for an integer option. */
1664 printf("%s %d\n", lookup_opcode_name(code), val);
1668 dump_cfg_fmtint(ServerOpCodes code, int val)
	/* Print "<keyword> <spelling>", with val rendered by fmt_intarg(). */
1670 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1674 dump_cfg_string(ServerOpCodes code, const char *val)
	/*
	 * Print "<keyword> <val>".  The lines between the signature and the
	 * printf are not shown; presumably that is where a NULL val is handled,
	 * since several callers pass fields that may never have been set.
	 */
1678 printf("%s %s\n", lookup_opcode_name(code), val);
1682 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
	/* Print one "<keyword> <vals[i]>" line per array element. */
1686 for (i = 0; i < count; i++)
1687 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1691 dump_config(ServerOptions *o)
	/*
	 * Print the effective configuration as one "keyword value" line per
	 * option, roughly in the order the keywords would appear in a config
	 * file.  The declarations of i and ret are on lines not shown.
	 */
1695 struct addrinfo *ai;
1696 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1698 /* these are usually at the top of the config */
1699 for (i = 0; i < o->num_ports; i++)
1700 printf("port %d\n", o->ports[i]);
1701 dump_cfg_fmtint(sProtocol, o->protocol);
1702 dump_cfg_fmtint(sAddressFamily, o->address_family);
1704 /* ListenAddress must be after Port */
1705 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1706 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1707 sizeof(addr), port, sizeof(port),
1708 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {	/* numeric only: no name lookups while dumping */
1709 error("getnameinfo failed: %.100s",
1710 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
	/* the EAI_SYSTEM operand and what follows the error are on lines not shown */
1713 if (ai->ai_family == AF_INET6)
1714 printf("listenaddress [%s]:%s\n", addr, port);	/* bracket IPv6 so the ':' before the port is unambiguous */
1716 printf("listenaddress %s:%s\n", addr, port);
1720 /* integer arguments */
1722 dump_cfg_int(sUsePAM, o->use_pam);
1724 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1725 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1726 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1727 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1728 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1729 dump_cfg_int(sMaxSessions, o->max_sessions);
1730 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1731 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1733 /* formatted integer arguments */
1734 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1735 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1736 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1737 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1738 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1739 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1740 o->hostbased_uses_name_from_packet_only);
1741 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1742 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1744 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1745 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1746 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1748 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1752 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1753 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1756 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1757 o->zero_knowledge_password_authentication);
1759 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1760 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1761 o->kbd_interactive_authentication);
1762 dump_cfg_fmtint(sChallengeResponseAuthentication,
1763 o->challenge_response_authentication);
1764 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1765 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1766 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1767 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1768 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1769 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1770 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1771 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1772 dump_cfg_fmtint(sUseLogin, o->use_login);
1773 dump_cfg_fmtint(sCompression, o->compression);
1774 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1775 dump_cfg_fmtint(sUseDNS, o->use_dns);
1776 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1777 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);	/* file-scope global, not a field of o */
1779 /* string arguments */
1780 dump_cfg_string(sPidFile, o->pid_file);
1781 dump_cfg_string(sXAuthLocation, o->xauth_location);
1782 dump_cfg_string(sCiphers, o->ciphers);
1783 dump_cfg_string(sMacs, o->macs);
1784 dump_cfg_string(sBanner, o->banner);
1785 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1786 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1787 dump_cfg_string(sForceCommand, o->adm_forced_command);
1789 /* string arguments requiring a lookup */
1790 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1791 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1793 /* string array arguments */
1794 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
	/* the array argument for sHostKeyFile is on a line not shown */
1796 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1797 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1798 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1799 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1800 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1802 /* other arguments */
1803 for (i = 0; i < o->num_subsystems; i++)
1804 printf("subsystem %s %s\n", o->subsystem_name[i],
1805 o->subsystem_args[i]);	/* args = command plus its arguments, as joined by the parser */
1807 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1808 o->max_startups_rate, o->max_startups);
	/* translate permit_tun back to its keyword via the tunmode_desc table */
1810 for (i = 0; tunmode_desc[i].val != -1; i++)
1811 if (tunmode_desc[i].val == o->permit_tun) {
1812 s = tunmode_desc[i].text;
	/* s stays NULL when permit_tun matches no descriptor */
1815 dump_cfg_string(sPermitTunnel, s);
	/* PermitOpen entries are kept by the channel code (see channel_add_adm_permitted_opens in the parser), not in o */
1817 channel_print_adm_permitted_opens();