1 /* $OpenBSD: readconf.c,v 1.162 2007/03/20 03:56:12 tedu Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
46 /* Format of the configuration file:
48 # Configuration data is parsed as follows:
49 # 1. command line options
50 # 2. user-specific file
52 # Any configuration value is only changed the first time it is set.
53 # Thus, host-specific definitions should be at the beginning of the
54 # configuration file, and defaults at the end.
56 # Host-specific declarations. These may override anything above. A single
57 # host may match multiple declarations; these are processed in the order
58 # that they are given in.
64 HostName another.host.name.real.org
71 RemoteForward 9999 shadows.cs.hut.fi:9999
77 PasswordAuthentication no
81 ProxyCommand ssh-proxy %h %p
84 PublicKeyAuthentication no
88 PasswordAuthentication no
94 # Defaults for various options
98 PasswordAuthentication yes
100 RhostsRSAAuthentication yes
101 StrictHostKeyChecking yes
103 IdentityFile ~/.ssh/identity
109 /* Keyword tokens. */
113 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
114 oExitOnForwardFailure,
115 oPasswordAuthentication, oRSAAuthentication,
116 oChallengeResponseAuthentication, oXAuthLocation,
117 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
118 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
119 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
120 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
121 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
122 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
123 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
124 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
125 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
126 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
127 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
129 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
130 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
131 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
132 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
133 oDeprecated, oUnsupported
136 /* Textual representations of the tokens. */
142 { "forwardagent", oForwardAgent },
143 { "forwardx11", oForwardX11 },
144 { "forwardx11trusted", oForwardX11Trusted },
145 { "exitonforwardfailure", oExitOnForwardFailure },
146 { "xauthlocation", oXAuthLocation },
147 { "gatewayports", oGatewayPorts },
148 { "useprivilegedport", oUsePrivilegedPort },
149 { "rhostsauthentication", oDeprecated },
150 { "passwordauthentication", oPasswordAuthentication },
151 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
152 { "kbdinteractivedevices", oKbdInteractiveDevices },
153 { "rsaauthentication", oRSAAuthentication },
154 { "pubkeyauthentication", oPubkeyAuthentication },
155 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
156 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
157 { "hostbasedauthentication", oHostbasedAuthentication },
158 { "challengeresponseauthentication", oChallengeResponseAuthentication },
159 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
160 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
161 { "kerberosauthentication", oUnsupported },
162 { "kerberostgtpassing", oUnsupported },
163 { "afstokenpassing", oUnsupported },
165 { "gssapiauthentication", oGssAuthentication },
166 { "gssapidelegatecredentials", oGssDelegateCreds },
168 { "gssapiauthentication", oUnsupported },
169 { "gssapidelegatecredentials", oUnsupported },
171 { "fallbacktorsh", oDeprecated },
172 { "usersh", oDeprecated },
173 { "identityfile", oIdentityFile },
174 { "identityfile2", oIdentityFile }, /* alias */
175 { "identitiesonly", oIdentitiesOnly },
176 { "hostname", oHostName },
177 { "hostkeyalias", oHostKeyAlias },
178 { "proxycommand", oProxyCommand },
180 { "cipher", oCipher },
181 { "ciphers", oCiphers },
183 { "protocol", oProtocol },
184 { "remoteforward", oRemoteForward },
185 { "localforward", oLocalForward },
188 { "escapechar", oEscapeChar },
189 { "globalknownhostsfile", oGlobalKnownHostsFile },
190 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
191 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
192 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
193 { "connectionattempts", oConnectionAttempts },
194 { "batchmode", oBatchMode },
195 { "checkhostip", oCheckHostIP },
196 { "stricthostkeychecking", oStrictHostKeyChecking },
197 { "compression", oCompression },
198 { "compressionlevel", oCompressionLevel },
199 { "tcpkeepalive", oTCPKeepAlive },
200 { "keepalive", oTCPKeepAlive }, /* obsolete */
201 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
202 { "loglevel", oLogLevel },
203 { "dynamicforward", oDynamicForward },
204 { "preferredauthentications", oPreferredAuthentications },
205 { "hostkeyalgorithms", oHostKeyAlgorithms },
206 { "bindaddress", oBindAddress },
208 { "smartcarddevice", oSmartcardDevice },
210 { "smartcarddevice", oUnsupported },
212 { "clearallforwardings", oClearAllForwardings },
213 { "enablesshkeysign", oEnableSSHKeysign },
214 { "verifyhostkeydns", oVerifyHostKeyDNS },
215 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
216 { "rekeylimit", oRekeyLimit },
217 { "connecttimeout", oConnectTimeout },
218 { "addressfamily", oAddressFamily },
219 { "serveraliveinterval", oServerAliveInterval },
220 { "serveralivecountmax", oServerAliveCountMax },
221 { "sendenv", oSendEnv },
222 { "controlpath", oControlPath },
223 { "controlmaster", oControlMaster },
224 { "hashknownhosts", oHashKnownHosts },
225 { "tunnel", oTunnel },
226 { "tunneldevice", oTunnelDevice },
227 { "localcommand", oLocalCommand },
228 { "permitlocalcommand", oPermitLocalCommand },
233 * Adds a local TCP/IP port forward to options. Never returns if there is an
238 add_local_forward(Options *options, const Forward *newfwd)
241 #ifndef NO_IPPORT_RESERVED_CONCEPT
242 extern uid_t original_real_uid;
243 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
244 fatal("Privileged ports can only be forwarded by root.");
246 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
247 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
248 fwd = &options->local_forwards[options->num_local_forwards++];
250 fwd->listen_host = (newfwd->listen_host == NULL) ?
251 NULL : xstrdup(newfwd->listen_host);
252 fwd->listen_port = newfwd->listen_port;
253 fwd->connect_host = xstrdup(newfwd->connect_host);
254 fwd->connect_port = newfwd->connect_port;
258 * Adds a remote TCP/IP port forward to options. Never returns if there is
263 add_remote_forward(Options *options, const Forward *newfwd)
266 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
267 fatal("Too many remote forwards (max %d).",
268 SSH_MAX_FORWARDS_PER_DIRECTION);
269 fwd = &options->remote_forwards[options->num_remote_forwards++];
271 fwd->listen_host = (newfwd->listen_host == NULL) ?
272 NULL : xstrdup(newfwd->listen_host);
273 fwd->listen_port = newfwd->listen_port;
274 fwd->connect_host = xstrdup(newfwd->connect_host);
275 fwd->connect_port = newfwd->connect_port;
279 clear_forwardings(Options *options)
283 for (i = 0; i < options->num_local_forwards; i++) {
284 if (options->local_forwards[i].listen_host != NULL)
285 xfree(options->local_forwards[i].listen_host);
286 xfree(options->local_forwards[i].connect_host);
288 options->num_local_forwards = 0;
289 for (i = 0; i < options->num_remote_forwards; i++) {
290 if (options->remote_forwards[i].listen_host != NULL)
291 xfree(options->remote_forwards[i].listen_host);
292 xfree(options->remote_forwards[i].connect_host);
294 options->num_remote_forwards = 0;
295 options->tun_open = SSH_TUNMODE_NO;
299 * Returns the number of the token pointed to by cp or oBadOption.
303 parse_token(const char *cp, const char *filename, int linenum)
307 for (i = 0; keywords[i].name; i++)
308 if (strcasecmp(cp, keywords[i].name) == 0)
309 return keywords[i].opcode;
311 error("%s: line %d: Bad configuration option: %s",
312 filename, linenum, cp);
317 * Processes a single option line as used in the configuration files. This
318 * only sets those values that have not already been set.
320 #define WHITESPACE " \t\r\n"
323 process_config_line(Options *options, const char *host,
324 char *line, const char *filename, int linenum,
327 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
328 int opcode, *intptr, value, value2, scale;
329 long long orig, val64;
333 /* Strip trailing whitespace */
334 for (len = strlen(line) - 1; len > 0; len--) {
335 if (strchr(WHITESPACE, line[len]) == NULL)
341 /* Get the keyword. (Each line is supposed to begin with a keyword). */
342 if ((keyword = strdelim(&s)) == NULL)
344 /* Ignore leading whitespace. */
345 if (*keyword == '\0')
346 keyword = strdelim(&s);
347 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
350 opcode = parse_token(keyword, filename, linenum);
354 /* don't panic, but count bad options */
357 case oConnectTimeout:
358 intptr = &options->connection_timeout;
361 if (!arg || *arg == '\0')
362 fatal("%s line %d: missing time value.",
364 if ((value = convtime(arg)) == -1)
365 fatal("%s line %d: invalid time value.",
367 if (*activep && *intptr == -1)
372 intptr = &options->forward_agent;
375 if (!arg || *arg == '\0')
376 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
377 value = 0; /* To avoid compiler warning... */
378 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
380 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
383 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
384 if (*activep && *intptr == -1)
389 intptr = &options->forward_x11;
392 case oForwardX11Trusted:
393 intptr = &options->forward_x11_trusted;
397 intptr = &options->gateway_ports;
400 case oExitOnForwardFailure:
401 intptr = &options->exit_on_forward_failure;
404 case oUsePrivilegedPort:
405 intptr = &options->use_privileged_port;
408 case oPasswordAuthentication:
409 intptr = &options->password_authentication;
412 case oKbdInteractiveAuthentication:
413 intptr = &options->kbd_interactive_authentication;
416 case oKbdInteractiveDevices:
417 charptr = &options->kbd_interactive_devices;
420 case oPubkeyAuthentication:
421 intptr = &options->pubkey_authentication;
424 case oRSAAuthentication:
425 intptr = &options->rsa_authentication;
428 case oRhostsRSAAuthentication:
429 intptr = &options->rhosts_rsa_authentication;
432 case oHostbasedAuthentication:
433 intptr = &options->hostbased_authentication;
436 case oChallengeResponseAuthentication:
437 intptr = &options->challenge_response_authentication;
440 case oGssAuthentication:
441 intptr = &options->gss_authentication;
444 case oGssDelegateCreds:
445 intptr = &options->gss_deleg_creds;
449 intptr = &options->batch_mode;
453 intptr = &options->check_host_ip;
456 case oVerifyHostKeyDNS:
457 intptr = &options->verify_host_key_dns;
460 case oStrictHostKeyChecking:
461 intptr = &options->strict_host_key_checking;
464 if (!arg || *arg == '\0')
465 fatal("%.200s line %d: Missing yes/no/ask argument.",
467 value = 0; /* To avoid compiler warning... */
468 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
470 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
472 else if (strcmp(arg, "ask") == 0)
475 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
476 if (*activep && *intptr == -1)
481 intptr = &options->compression;
485 intptr = &options->tcp_keep_alive;
488 case oNoHostAuthenticationForLocalhost:
489 intptr = &options->no_host_authentication_for_localhost;
492 case oNumberOfPasswordPrompts:
493 intptr = &options->number_of_password_prompts;
496 case oCompressionLevel:
497 intptr = &options->compression_level;
501 intptr = &options->rekey_limit;
503 if (!arg || *arg == '\0')
504 fatal("%.200s line %d: Missing argument.", filename, linenum);
505 if (arg[0] < '0' || arg[0] > '9')
506 fatal("%.200s line %d: Bad number.", filename, linenum);
507 orig = val64 = strtoll(arg, &endofnumber, 10);
508 if (arg == endofnumber)
509 fatal("%.200s line %d: Bad number.", filename, linenum);
510 switch (toupper(*endofnumber)) {
524 fatal("%.200s line %d: Invalid RekeyLimit suffix",
528 /* detect integer wrap and too-large limits */
529 if ((val64 / scale) != orig || val64 > INT_MAX)
530 fatal("%.200s line %d: RekeyLimit too large",
533 fatal("%.200s line %d: RekeyLimit too small",
535 if (*activep && *intptr == -1)
536 *intptr = (int)val64;
541 if (!arg || *arg == '\0')
542 fatal("%.200s line %d: Missing argument.", filename, linenum);
544 intptr = &options->num_identity_files;
545 if (*intptr >= SSH_MAX_IDENTITY_FILES)
546 fatal("%.200s line %d: Too many identity files specified (max %d).",
547 filename, linenum, SSH_MAX_IDENTITY_FILES);
548 charptr = &options->identity_files[*intptr];
549 *charptr = xstrdup(arg);
550 *intptr = *intptr + 1;
555 charptr=&options->xauth_location;
559 charptr = &options->user;
562 if (!arg || *arg == '\0')
563 fatal("%.200s line %d: Missing argument.", filename, linenum);
564 if (*activep && *charptr == NULL)
565 *charptr = xstrdup(arg);
568 case oGlobalKnownHostsFile:
569 charptr = &options->system_hostfile;
572 case oUserKnownHostsFile:
573 charptr = &options->user_hostfile;
576 case oGlobalKnownHostsFile2:
577 charptr = &options->system_hostfile2;
580 case oUserKnownHostsFile2:
581 charptr = &options->user_hostfile2;
585 charptr = &options->hostname;
589 charptr = &options->host_key_alias;
592 case oPreferredAuthentications:
593 charptr = &options->preferred_authentications;
597 charptr = &options->bind_address;
600 case oSmartcardDevice:
601 charptr = &options->smartcard_device;
605 charptr = &options->proxy_command;
608 fatal("%.200s line %d: Missing argument.", filename, linenum);
609 len = strspn(s, WHITESPACE "=");
610 if (*activep && *charptr == NULL)
611 *charptr = xstrdup(s + len);
615 intptr = &options->port;
618 if (!arg || *arg == '\0')
619 fatal("%.200s line %d: Missing argument.", filename, linenum);
620 if (arg[0] < '0' || arg[0] > '9')
621 fatal("%.200s line %d: Bad number.", filename, linenum);
623 /* Octal, decimal, or hex format? */
624 value = strtol(arg, &endofnumber, 0);
625 if (arg == endofnumber)
626 fatal("%.200s line %d: Bad number.", filename, linenum);
627 if (*activep && *intptr == -1)
631 case oConnectionAttempts:
632 intptr = &options->connection_attempts;
636 intptr = &options->cipher;
638 if (!arg || *arg == '\0')
639 fatal("%.200s line %d: Missing argument.", filename, linenum);
640 value = cipher_number(arg);
642 fatal("%.200s line %d: Bad cipher '%s'.",
643 filename, linenum, arg ? arg : "<NONE>");
644 if (*activep && *intptr == -1)
650 if (!arg || *arg == '\0')
651 fatal("%.200s line %d: Missing argument.", filename, linenum);
652 if (!ciphers_valid(arg))
653 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
654 filename, linenum, arg ? arg : "<NONE>");
655 if (*activep && options->ciphers == NULL)
656 options->ciphers = xstrdup(arg);
661 if (!arg || *arg == '\0')
662 fatal("%.200s line %d: Missing argument.", filename, linenum);
664 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
665 filename, linenum, arg ? arg : "<NONE>");
666 if (*activep && options->macs == NULL)
667 options->macs = xstrdup(arg);
670 case oHostKeyAlgorithms:
672 if (!arg || *arg == '\0')
673 fatal("%.200s line %d: Missing argument.", filename, linenum);
674 if (!key_names_valid2(arg))
675 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
676 filename, linenum, arg ? arg : "<NONE>");
677 if (*activep && options->hostkeyalgorithms == NULL)
678 options->hostkeyalgorithms = xstrdup(arg);
682 intptr = &options->protocol;
684 if (!arg || *arg == '\0')
685 fatal("%.200s line %d: Missing argument.", filename, linenum);
686 value = proto_spec(arg);
687 if (value == SSH_PROTO_UNKNOWN)
688 fatal("%.200s line %d: Bad protocol spec '%s'.",
689 filename, linenum, arg ? arg : "<NONE>");
690 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
695 intptr = (int *) &options->log_level;
697 value = log_level_number(arg);
698 if (value == SYSLOG_LEVEL_NOT_SET)
699 fatal("%.200s line %d: unsupported log level '%s'",
700 filename, linenum, arg ? arg : "<NONE>");
701 if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
702 *intptr = (LogLevel) value;
708 if (arg == NULL || *arg == '\0')
709 fatal("%.200s line %d: Missing port argument.",
712 if (arg2 == NULL || *arg2 == '\0')
713 fatal("%.200s line %d: Missing target argument.",
716 /* construct a string for parse_forward */
717 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
719 if (parse_forward(&fwd, fwdarg) == 0)
720 fatal("%.200s line %d: Bad forwarding specification.",
724 if (opcode == oLocalForward)
725 add_local_forward(options, &fwd);
726 else if (opcode == oRemoteForward)
727 add_remote_forward(options, &fwd);
731 case oDynamicForward:
733 if (!arg || *arg == '\0')
734 fatal("%.200s line %d: Missing port argument.",
736 memset(&fwd, '\0', sizeof(fwd));
737 fwd.connect_host = "socks";
738 fwd.listen_host = hpdelim(&arg);
739 if (fwd.listen_host == NULL ||
740 strlen(fwd.listen_host) >= NI_MAXHOST)
741 fatal("%.200s line %d: Bad forwarding specification.",
744 fwd.listen_port = a2port(arg);
745 fwd.listen_host = cleanhostname(fwd.listen_host);
747 fwd.listen_port = a2port(fwd.listen_host);
748 fwd.listen_host = NULL;
750 if (fwd.listen_port == 0)
751 fatal("%.200s line %d: Badly formatted port number.",
754 add_local_forward(options, &fwd);
757 case oClearAllForwardings:
758 intptr = &options->clear_forwardings;
763 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
764 if (match_pattern(host, arg)) {
765 debug("Applying options for %.100s", arg);
769 /* Avoid garbage check below, as strdelim is done. */
773 intptr = &options->escape_char;
775 if (!arg || *arg == '\0')
776 fatal("%.200s line %d: Missing argument.", filename, linenum);
777 if (arg[0] == '^' && arg[2] == 0 &&
778 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
779 value = (u_char) arg[1] & 31;
780 else if (strlen(arg) == 1)
781 value = (u_char) arg[0];
782 else if (strcmp(arg, "none") == 0)
783 value = SSH_ESCAPECHAR_NONE;
785 fatal("%.200s line %d: Bad escape character.",
788 value = 0; /* Avoid compiler warning. */
790 if (*activep && *intptr == -1)
796 if (!arg || *arg == '\0')
797 fatal("%s line %d: missing address family.",
799 intptr = &options->address_family;
800 if (strcasecmp(arg, "inet") == 0)
802 else if (strcasecmp(arg, "inet6") == 0)
804 else if (strcasecmp(arg, "any") == 0)
807 fatal("Unsupported AddressFamily \"%s\"", arg);
808 if (*activep && *intptr == -1)
812 case oEnableSSHKeysign:
813 intptr = &options->enable_ssh_keysign;
816 case oIdentitiesOnly:
817 intptr = &options->identities_only;
820 case oServerAliveInterval:
821 intptr = &options->server_alive_interval;
824 case oServerAliveCountMax:
825 intptr = &options->server_alive_count_max;
829 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
830 if (strchr(arg, '=') != NULL)
831 fatal("%s line %d: Invalid environment name.",
835 if (options->num_send_env >= MAX_SEND_ENV)
836 fatal("%s line %d: too many send env.",
838 options->send_env[options->num_send_env++] =
844 charptr = &options->control_path;
848 intptr = &options->control_master;
850 if (!arg || *arg == '\0')
851 fatal("%.200s line %d: Missing ControlMaster argument.",
853 value = 0; /* To avoid compiler warning... */
854 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
855 value = SSHCTL_MASTER_YES;
856 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
857 value = SSHCTL_MASTER_NO;
858 else if (strcmp(arg, "auto") == 0)
859 value = SSHCTL_MASTER_AUTO;
860 else if (strcmp(arg, "ask") == 0)
861 value = SSHCTL_MASTER_ASK;
862 else if (strcmp(arg, "autoask") == 0)
863 value = SSHCTL_MASTER_AUTO_ASK;
865 fatal("%.200s line %d: Bad ControlMaster argument.",
867 if (*activep && *intptr == -1)
871 case oHashKnownHosts:
872 intptr = &options->hash_known_hosts;
876 intptr = &options->tun_open;
878 if (!arg || *arg == '\0')
879 fatal("%s line %d: Missing yes/point-to-point/"
880 "ethernet/no argument.", filename, linenum);
881 value = 0; /* silence compiler */
882 if (strcasecmp(arg, "ethernet") == 0)
883 value = SSH_TUNMODE_ETHERNET;
884 else if (strcasecmp(arg, "point-to-point") == 0)
885 value = SSH_TUNMODE_POINTOPOINT;
886 else if (strcasecmp(arg, "yes") == 0)
887 value = SSH_TUNMODE_DEFAULT;
888 else if (strcasecmp(arg, "no") == 0)
889 value = SSH_TUNMODE_NO;
891 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
892 "no argument: %s", filename, linenum, arg);
899 if (!arg || *arg == '\0')
900 fatal("%.200s line %d: Missing argument.", filename, linenum);
901 value = a2tun(arg, &value2);
902 if (value == SSH_TUNID_ERR)
903 fatal("%.200s line %d: Bad tun device.", filename, linenum);
905 options->tun_local = value;
906 options->tun_remote = value2;
911 charptr = &options->local_command;
914 case oPermitLocalCommand:
915 intptr = &options->permit_local_command;
919 debug("%s line %d: Deprecated option \"%s\"",
920 filename, linenum, keyword);
924 error("%s line %d: Unsupported option \"%s\"",
925 filename, linenum, keyword);
929 fatal("process_config_line: Unimplemented opcode %d", opcode);
932 /* Check that there is no garbage at end of line. */
933 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
934 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
935 filename, linenum, arg);
942 * Reads the config file and modifies the options accordingly. Options
943 * should already be initialized before this call. This never returns if
944 * there is an error. If the file does not exist, this returns 0.
948 read_config_file(const char *filename, const char *host, Options *options,
957 if ((f = fopen(filename, "r")) == NULL)
963 if (fstat(fileno(f), &sb) == -1)
964 fatal("fstat %s: %s", filename, strerror(errno));
965 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
966 (sb.st_mode & 022) != 0))
967 fatal("Bad owner or permissions on %s", filename);
970 debug("Reading configuration data %.200s", filename);
973 * Mark that we are now processing the options. This flag is turned
974 * on/off by Host specifications.
978 while (fgets(line, sizeof(line), f)) {
979 /* Update line number counter. */
981 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
986 fatal("%s: terminating, %d bad configuration options",
987 filename, bad_options);
992 * Initializes options to special values that indicate that they have not yet
993 * been set. Read_config_file will only set options with this value. Options
994 * are processed in the following order: command line, user config file,
995 * system config file. Last, fill_default_options is called.
999 initialize_options(Options * options)
1001 memset(options, 'X', sizeof(*options));
1002 options->forward_agent = -1;
1003 options->forward_x11 = -1;
1004 options->forward_x11_trusted = -1;
1005 options->exit_on_forward_failure = -1;
1006 options->xauth_location = NULL;
1007 options->gateway_ports = -1;
1008 options->use_privileged_port = -1;
1009 options->rsa_authentication = -1;
1010 options->pubkey_authentication = -1;
1011 options->challenge_response_authentication = -1;
1012 options->gss_authentication = -1;
1013 options->gss_deleg_creds = -1;
1014 options->password_authentication = -1;
1015 options->kbd_interactive_authentication = -1;
1016 options->kbd_interactive_devices = NULL;
1017 options->rhosts_rsa_authentication = -1;
1018 options->hostbased_authentication = -1;
1019 options->batch_mode = -1;
1020 options->check_host_ip = -1;
1021 options->strict_host_key_checking = -1;
1022 options->compression = -1;
1023 options->tcp_keep_alive = -1;
1024 options->compression_level = -1;
1026 options->address_family = -1;
1027 options->connection_attempts = -1;
1028 options->connection_timeout = -1;
1029 options->number_of_password_prompts = -1;
1030 options->cipher = -1;
1031 options->ciphers = NULL;
1032 options->macs = NULL;
1033 options->hostkeyalgorithms = NULL;
1034 options->protocol = SSH_PROTO_UNKNOWN;
1035 options->num_identity_files = 0;
1036 options->hostname = NULL;
1037 options->host_key_alias = NULL;
1038 options->proxy_command = NULL;
1039 options->user = NULL;
1040 options->escape_char = -1;
1041 options->system_hostfile = NULL;
1042 options->user_hostfile = NULL;
1043 options->system_hostfile2 = NULL;
1044 options->user_hostfile2 = NULL;
1045 options->num_local_forwards = 0;
1046 options->num_remote_forwards = 0;
1047 options->clear_forwardings = -1;
1048 options->log_level = SYSLOG_LEVEL_NOT_SET;
1049 options->preferred_authentications = NULL;
1050 options->bind_address = NULL;
1051 options->smartcard_device = NULL;
1052 options->enable_ssh_keysign = - 1;
1053 options->no_host_authentication_for_localhost = - 1;
1054 options->identities_only = - 1;
1055 options->rekey_limit = - 1;
1056 options->verify_host_key_dns = -1;
1057 options->server_alive_interval = -1;
1058 options->server_alive_count_max = -1;
1059 options->num_send_env = 0;
1060 options->control_path = NULL;
1061 options->control_master = -1;
1062 options->hash_known_hosts = -1;
1063 options->tun_open = -1;
1064 options->tun_local = -1;
1065 options->tun_remote = -1;
1066 options->local_command = NULL;
1067 options->permit_local_command = -1;
1071 * Called after processing other sources of option data, this fills those
1072 * options for which no value has been specified with their default values.
1076 fill_default_options(Options * options)
1080 if (options->forward_agent == -1)
1081 options->forward_agent = 0;
1082 if (options->forward_x11 == -1)
1083 options->forward_x11 = 0;
1084 if (options->forward_x11_trusted == -1)
1085 options->forward_x11_trusted = 0;
1086 if (options->exit_on_forward_failure == -1)
1087 options->exit_on_forward_failure = 0;
1088 if (options->xauth_location == NULL)
1089 options->xauth_location = _PATH_XAUTH;
1090 if (options->gateway_ports == -1)
1091 options->gateway_ports = 0;
1092 if (options->use_privileged_port == -1)
1093 options->use_privileged_port = 0;
1094 if (options->rsa_authentication == -1)
1095 options->rsa_authentication = 1;
1096 if (options->pubkey_authentication == -1)
1097 options->pubkey_authentication = 1;
1098 if (options->challenge_response_authentication == -1)
1099 options->challenge_response_authentication = 1;
1100 if (options->gss_authentication == -1)
1101 options->gss_authentication = 0;
1102 if (options->gss_deleg_creds == -1)
1103 options->gss_deleg_creds = 0;
1104 if (options->password_authentication == -1)
1105 options->password_authentication = 1;
1106 if (options->kbd_interactive_authentication == -1)
1107 options->kbd_interactive_authentication = 1;
1108 if (options->rhosts_rsa_authentication == -1)
1109 options->rhosts_rsa_authentication = 0;
1110 if (options->hostbased_authentication == -1)
1111 options->hostbased_authentication = 0;
1112 if (options->batch_mode == -1)
1113 options->batch_mode = 0;
1114 if (options->check_host_ip == -1)
1115 options->check_host_ip = 1;
1116 if (options->strict_host_key_checking == -1)
1117 options->strict_host_key_checking = 2; /* 2 is default */
1118 if (options->compression == -1)
1119 options->compression = 0;
1120 if (options->tcp_keep_alive == -1)
1121 options->tcp_keep_alive = 1;
1122 if (options->compression_level == -1)
1123 options->compression_level = 6;
1124 if (options->port == -1)
1125 options->port = 0; /* Filled in ssh_connect. */
1126 if (options->address_family == -1)
1127 options->address_family = AF_UNSPEC;
1128 if (options->connection_attempts == -1)
1129 options->connection_attempts = 1;
1130 if (options->number_of_password_prompts == -1)
1131 options->number_of_password_prompts = 3;
1132 /* Selected in ssh_login(). */
1133 if (options->cipher == -1)
1134 options->cipher = SSH_CIPHER_NOT_SET;
1135 /* options->ciphers, default set in myproposals.h */
1136 /* options->macs, default set in myproposals.h */
1137 /* options->hostkeyalgorithms, default set in myproposals.h */
1138 if (options->protocol == SSH_PROTO_UNKNOWN)
1139 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
1140 if (options->num_identity_files == 0) {
1141 if (options->protocol & SSH_PROTO_1) {
1142 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1143 options->identity_files[options->num_identity_files] =
1145 snprintf(options->identity_files[options->num_identity_files++],
1146 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1148 if (options->protocol & SSH_PROTO_2) {
1149 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1150 options->identity_files[options->num_identity_files] =
1152 snprintf(options->identity_files[options->num_identity_files++],
1153 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1155 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1156 options->identity_files[options->num_identity_files] =
1158 snprintf(options->identity_files[options->num_identity_files++],
1159 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1162 if (options->escape_char == -1)
1163 options->escape_char = '~';
1164 if (options->system_hostfile == NULL)
1165 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1166 if (options->user_hostfile == NULL)
1167 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1168 if (options->system_hostfile2 == NULL)
1169 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1170 if (options->user_hostfile2 == NULL)
1171 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1172 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1173 options->log_level = SYSLOG_LEVEL_INFO;
1174 if (options->clear_forwardings == 1)
1175 clear_forwardings(options);
1176 if (options->no_host_authentication_for_localhost == - 1)
1177 options->no_host_authentication_for_localhost = 0;
1178 if (options->identities_only == -1)
1179 options->identities_only = 0;
1180 if (options->enable_ssh_keysign == -1)
1181 options->enable_ssh_keysign = 0;
1182 if (options->rekey_limit == -1)
1183 options->rekey_limit = 0;
1184 if (options->verify_host_key_dns == -1)
1185 options->verify_host_key_dns = 0;
1186 if (options->server_alive_interval == -1)
1187 options->server_alive_interval = 0;
1188 if (options->server_alive_count_max == -1)
1189 options->server_alive_count_max = 3;
1190 if (options->control_master == -1)
1191 options->control_master = 0;
1192 if (options->hash_known_hosts == -1)
1193 options->hash_known_hosts = 0;
1194 if (options->tun_open == -1)
1195 options->tun_open = SSH_TUNMODE_NO;
1196 if (options->tun_local == -1)
1197 options->tun_local = SSH_TUNID_ANY;
1198 if (options->tun_remote == -1)
1199 options->tun_remote = SSH_TUNID_ANY;
1200 if (options->permit_local_command == -1)
1201 options->permit_local_command = 0;
1202 /* options->local_command should not be set by default */
1203 /* options->proxy_command should not be set by default */
1204 /* options->user will be set in the main program if appropriate */
1205 /* options->hostname will be set in the main program if appropriate */
1206 /* options->host_key_alias should not be set by default */
1207 /* options->preferred_authentications will be set in ssh */
1212 * parses a string containing a port forwarding specification of the form:
1213 * [listenhost:]listenport:connecthost:connectport
1214 * returns number of arguments parsed or zero on error
1217 parse_forward(Forward *fwd, const char *fwdspec)
1220 char *p, *cp, *fwdarg[4];
1222 memset(fwd, '\0', sizeof(*fwd));
1224 cp = p = xstrdup(fwdspec);
1226 /* skip leading spaces */
1227 while (isspace(*cp))
1230 for (i = 0; i < 4; ++i)
1231 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1234 /* Check for trailing garbage in 4-arg case*/
1236 i = 0; /* failure */
1240 fwd->listen_host = NULL;
1241 fwd->listen_port = a2port(fwdarg[0]);
1242 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1243 fwd->connect_port = a2port(fwdarg[2]);
1247 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1248 fwd->listen_port = a2port(fwdarg[1]);
1249 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1250 fwd->connect_port = a2port(fwdarg[3]);
1253 i = 0; /* failure */
1258 if (fwd->listen_port == 0 && fwd->connect_port == 0)
1261 if (fwd->connect_host != NULL &&
1262 strlen(fwd->connect_host) >= NI_MAXHOST)
1268 if (fwd->connect_host != NULL)
1269 xfree(fwd->connect_host);
1270 if (fwd->listen_host != NULL)
1271 xfree(fwd->listen_host);