2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $");
22 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
24 #define KEYFILE "/etc/krb5.keytab"
36 #include "pathnames.h"
37 #include "tildexpand.h"
/*
 * Forward declarations.  add_listen_addr() expands a ListenAddress over the
 * configured port list; add_one_listen_addr() resolves one addr/port pair with
 * getaddrinfo() and prepends the result to options->listen_addrs.
 */
43 static void add_listen_addr(ServerOptions *, char *, u_short);
44 static void add_one_listen_addr(ServerOptions *, char *, u_short);
46 /* AF_UNSPEC or AF_INET or AF_INET6 */
/* (The IPv4or6 declaration this comment describes is not shown in this rendering;
 * add_one_listen_addr() passes it to getaddrinfo() as hints.ai_family.) */
48 /* Use of privilege separation or not */
/* -1 means "not configured": fill_default_server_options() then enables it, and
 * the UsePrivilegeSeparation keyword writes it through intptr like any yes/no flag. */
49 extern int use_privsep;
/*
 * Initializes the server options to their default values.
 *
 * The whole struct is zeroed first, then every field that
 * fill_default_server_options() later resolves is set to an explicit
 * "not set" sentinel: -1 for integer flags and sizes, NULL for strings,
 * PERMIT_NOT_SET / SYSLOG_FACILITY_NOT_SET / SYSLOG_LEVEL_NOT_SET /
 * SSH_PROTO_UNKNOWN for enum-like values.  Counters (num_*) stay 0.
 * The sentinels are what lets the config parser apply "first setting wins"
 * and lets the defaults step fill only what the config file left untouched.
 */
54 initialize_server_options(ServerOptions *options)
56 memset(options, 0, sizeof(*options));
58 /* Portable-specific options */
59 options->pam_authentication_via_kbd_int = -1;
61 /* Standard Options */
62 options->num_ports = 0;
63 options->ports_from_cmdline = 0;
64 options->listen_addrs = NULL;
65 options->num_host_key_files = 0;
66 options->pid_file = NULL;
67 options->server_key_bits = -1;
68 options->login_grace_time = -1;
69 options->key_regeneration_time = -1;
70 options->permit_root_login = PERMIT_NOT_SET;
71 options->ignore_rhosts = -1;
72 options->ignore_user_known_hosts = -1;
73 options->print_motd = -1;
74 options->print_lastlog = -1;
75 options->x11_forwarding = -1;
76 options->x11_display_offset = -1;
77 options->x11_use_localhost = -1;
78 options->xauth_location = NULL;
79 options->strict_modes = -1;
80 options->keepalives = -1;
81 options->log_facility = SYSLOG_FACILITY_NOT_SET;
82 options->log_level = SYSLOG_LEVEL_NOT_SET;
83 options->rhosts_authentication = -1;
84 options->rhosts_rsa_authentication = -1;
85 options->hostbased_authentication = -1;
86 options->hostbased_uses_name_from_packet_only = -1;
87 options->rsa_authentication = -1;
88 options->pubkey_authentication = -1;
/* Kerberos/AFS fields exist only in those builds; the matching #endif lines
 * are not shown in this rendering. */
89 #if defined(KRB4) || defined(KRB5)
90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
94 #if defined(AFS) || defined(KRB5)
95 options->kerberos_tgt_passing = -1;
98 options->afs_token_passing = -1;
100 options->password_authentication = -1;
101 options->kbd_interactive_authentication = -1;
102 options->challenge_response_authentication = -1;
103 options->permit_empty_passwd = -1;
104 options->permit_user_env = -1;
105 options->use_login = -1;
106 options->compression = -1;
107 options->allow_tcp_forwarding = -1;
108 options->num_allow_users = 0;
109 options->num_deny_users = 0;
110 options->num_allow_groups = 0;
111 options->num_deny_groups = 0;
112 options->ciphers = NULL;
113 options->macs = NULL;
114 options->protocol = SSH_PROTO_UNKNOWN;
115 options->gateway_ports = -1;
116 options->num_subsystems = 0;
117 options->max_startups_begin = -1;
118 options->max_startups_rate = -1;
119 options->max_startups = -1;
120 options->banner = NULL;
121 options->verify_reverse_mapping = -1;
122 options->client_alive_interval = -1;
123 options->client_alive_count_max = -1;
124 options->authorized_keys_file = NULL;
125 options->authorized_keys_file2 = NULL;
127 /* Needs to be accessible in many places */
/*
 * Replaces every "not set" sentinel left by initialize_server_options() (and
 * not overridden by the config file) with the compiled-in default.
 *
 * options - the server options after the config file has been read.
 *
 * This is the single place that defines sshd's effective defaults, so it is
 * the first thing to read when auditing what an unconfigured server permits
 * (root login, password auth, TCP forwarding, ...).  It also adjusts the global
 * use_privsep.  Blocks guarded by #if have their matching #endif lines dropped
 * in this rendering.
 */
132 fill_default_server_options(ServerOptions *options)
134 /* Portable-specific options */
135 if (options->pam_authentication_via_kbd_int == -1)
136 options->pam_authentication_via_kbd_int = 0;
138 /* Standard Options */
/* Both protocol versions are offered unless the config chose one. */
139 if (options->protocol == SSH_PROTO_UNKNOWN)
140 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
141 if (options->num_host_key_files == 0) {
142 /* fill default hostkeys for protocols */
/* The protocol-1 key path assigned here is on a dropped line (145). */
143 if (options->protocol & SSH_PROTO_1)
144 options->host_key_files[options->num_host_key_files++] =
146 if (options->protocol & SSH_PROTO_2) {
147 options->host_key_files[options->num_host_key_files++] =
148 _PATH_HOST_RSA_KEY_FILE;
149 options->host_key_files[options->num_host_key_files++] =
150 _PATH_HOST_DSA_KEY_FILE;
/* No Port and no ListenAddress: listen on SSH_DEFAULT_PORT on the wildcard
 * address (addr NULL makes add_one_listen_addr() use AI_PASSIVE). */
153 if (options->num_ports == 0)
154 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
155 if (options->listen_addrs == NULL)
156 add_listen_addr(options, NULL, 0);
157 if (options->pid_file == NULL)
158 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
/* Presumably the protocol-1 ephemeral server key size; 768 is the upstream
 * default of this era and is not a modern strength. */
159 if (options->server_key_bits == -1)
160 options->server_key_bits = 768;
161 if (options->login_grace_time == -1)
162 options->login_grace_time = 120;
163 if (options->key_regeneration_time == -1)
164 options->key_regeneration_time = 3600;
/* NOTE(review): the default permits interactive root login.  Hardened
 * deployments set PermitRootLogin to "no" or "without-password" in sshd_config
 * (the accepted spellings are listed in process_server_config_line()). */
165 if (options->permit_root_login == PERMIT_NOT_SET)
166 options->permit_root_login = PERMIT_YES;
167 if (options->ignore_rhosts == -1)
168 options->ignore_rhosts = 1;
169 if (options->ignore_user_known_hosts == -1)
170 options->ignore_user_known_hosts = 0;
171 if (options->print_motd == -1)
172 options->print_motd = 1;
173 if (options->print_lastlog == -1)
174 options->print_lastlog = 1;
/* X11 forwarding is off by default; when enabled it binds to localhost only. */
175 if (options->x11_forwarding == -1)
176 options->x11_forwarding = 0;
177 if (options->x11_display_offset == -1)
178 options->x11_display_offset = 10;
179 if (options->x11_use_localhost == -1)
180 options->x11_use_localhost = 1;
181 if (options->xauth_location == NULL)
182 options->xauth_location = _PATH_XAUTH;
/* StrictModes on: ownership/permission checks on user files stay enabled. */
183 if (options->strict_modes == -1)
184 options->strict_modes = 1;
185 if (options->keepalives == -1)
186 options->keepalives = 1;
187 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
188 options->log_facility = SYSLOG_FACILITY_AUTH;
189 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
190 options->log_level = SYSLOG_LEVEL_INFO;
/* The rhosts-family methods default to off; RSA (v1) and pubkey (v2) to on. */
191 if (options->rhosts_authentication == -1)
192 options->rhosts_authentication = 0;
193 if (options->rhosts_rsa_authentication == -1)
194 options->rhosts_rsa_authentication = 0;
195 if (options->hostbased_authentication == -1)
196 options->hostbased_authentication = 0;
197 if (options->hostbased_uses_name_from_packet_only == -1)
198 options->hostbased_uses_name_from_packet_only = 0;
199 if (options->rsa_authentication == -1)
200 options->rsa_authentication = 1;
201 if (options->pubkey_authentication == -1)
202 options->pubkey_authentication = 1;
203 #if defined(KRB4) || defined(KRB5)
204 if (options->kerberos_authentication == -1)
205 options->kerberos_authentication = 0;
206 if (options->kerberos_or_local_passwd == -1)
207 options->kerberos_or_local_passwd = 1;
208 if (options->kerberos_ticket_cleanup == -1)
209 options->kerberos_ticket_cleanup = 1;
211 #if defined(AFS) || defined(KRB5)
212 if (options->kerberos_tgt_passing == -1)
213 options->kerberos_tgt_passing = 0;
216 if (options->afs_token_passing == -1)
217 options->afs_token_passing = 0;
/* Password and challenge-response auth are on by default; empty passwords,
 * user-supplied environment and /bin/login are not. */
219 if (options->password_authentication == -1)
220 options->password_authentication = 1;
221 if (options->kbd_interactive_authentication == -1)
222 options->kbd_interactive_authentication = 0;
223 if (options->challenge_response_authentication == -1)
224 options->challenge_response_authentication = 1;
225 if (options->permit_empty_passwd == -1)
226 options->permit_empty_passwd = 0;
227 if (options->permit_user_env == -1)
228 options->permit_user_env = 0;
229 if (options->use_login == -1)
230 options->use_login = 0;
/* Compression defaults on but may be switched off again below for privsep. */
231 if (options->compression == -1)
232 options->compression = 1;
/* TCP forwarding is allowed by default; GatewayPorts is not. */
233 if (options->allow_tcp_forwarding == -1)
234 options->allow_tcp_forwarding = 1;
235 if (options->gateway_ports == -1)
236 options->gateway_ports = 0;
/* MaxStartups default 10:100:10 — begin equals max, so the rate-limited band
 * between them is empty unless the config sets all three fields. */
237 if (options->max_startups == -1)
238 options->max_startups = 10;
239 if (options->max_startups_rate == -1)
240 options->max_startups_rate = 100; /* 100% */
241 if (options->max_startups_begin == -1)
242 options->max_startups_begin = options->max_startups;
243 if (options->verify_reverse_mapping == -1)
244 options->verify_reverse_mapping = 0;
/* ClientAliveInterval 0 disables keepalive probing. */
245 if (options->client_alive_interval == -1)
246 options->client_alive_interval = 0;
247 if (options->client_alive_count_max == -1)
248 options->client_alive_count_max = 3;
249 if (options->authorized_keys_file2 == NULL) {
250 /* authorized_keys_file2 falls back to authorized_keys_file */
251 if (options->authorized_keys_file != NULL)
252 options->authorized_keys_file2 = options->authorized_keys_file;
/* (The "else" for this assignment is on a dropped line.) */
254 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
256 if (options->authorized_keys_file == NULL)
257 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
259 /* Turn privilege separation on by default */
/* The assignment under this test, and the platform #if that presumably guards
 * the compression check below, are not shown in this rendering. */
260 if (use_privsep == -1)
264 if (use_privsep && options->compression == 1) {
265 error("This platform does not support both privilege "
266 "separation and compression");
267 error("Compression disabled");
268 options->compression = 0;
274 /* Keyword tokens. */
/*
 * Enumerators of ServerOpCodes, the opcode type stored in keywords[] and
 * switched on by process_server_config_line().  The typedef/enum opener, the
 * closing line and a few enumerators referenced elsewhere on this page
 * (sKerberosTgtPassing, sAFSTokenPassing, sDeprecated) fall in the gutter
 * gaps (275, 285, 287-291, 305-307) and are not shown in this rendering.
 */
276 sBadOption, /* == unknown option */
277 /* Portable-specific options */
278 sPAMAuthenticationViaKbdInt,
279 /* Standard Options */
280 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
281 sPermitRootLogin, sLogFacility, sLogLevel,
282 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
283 #if defined(KRB4) || defined(KRB5)
284 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
286 #if defined(AFS) || defined(KRB5)
292 sChallengeResponseAuthentication,
293 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
294 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
295 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
296 sStrictModes, sEmptyPasswd, sKeepAlives,
297 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
298 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
299 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
300 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
301 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
302 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
303 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
304 sUsePrivilegeSeparation,
308 /* Textual representation of the tokens. */
/*
 * keywords[]: one { name, opcode } row per accepted sshd_config keyword.
 * Names are stored lower-case because parse_token() matches them with
 * strcasecmp(); rows marked "alias" map an older spelling onto the same
 * opcode, and "checkmail" is accepted only to be reported as deprecated.
 * parse_token() stops at a row whose name is NULL, so the table must end
 * with such a terminator.  The struct definition, the terminator, the #endif
 * lines and the rows in the gutter gaps (312, 316, 337, 340-341, 343, 370,
 * 383-384 — presumably including the rows for sPort and sMacs, which have no
 * visible entry) are not shown in this rendering.
 */
311 ServerOpCodes opcode;
313 /* Portable-specific options */
314 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
315 /* Standard Options */
317 { "hostkey", sHostKeyFile },
318 { "hostdsakey", sHostKeyFile }, /* alias */
319 { "pidfile", sPidFile },
320 { "serverkeybits", sServerKeyBits },
321 { "logingracetime", sLoginGraceTime },
322 { "keyregenerationinterval", sKeyRegenerationTime },
323 { "permitrootlogin", sPermitRootLogin },
324 { "syslogfacility", sLogFacility },
325 { "loglevel", sLogLevel },
326 { "rhostsauthentication", sRhostsAuthentication },
327 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
328 { "hostbasedauthentication", sHostbasedAuthentication },
329 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
330 { "rsaauthentication", sRSAAuthentication },
331 { "pubkeyauthentication", sPubkeyAuthentication },
332 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
333 #if defined(KRB4) || defined(KRB5)
334 { "kerberosauthentication", sKerberosAuthentication },
335 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
336 { "kerberosticketcleanup", sKerberosTicketCleanup },
338 #if defined(AFS) || defined(KRB5)
339 { "kerberostgtpassing", sKerberosTgtPassing },
342 { "afstokenpassing", sAFSTokenPassing },
344 { "passwordauthentication", sPasswordAuthentication },
345 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
346 { "challengeresponseauthentication", sChallengeResponseAuthentication },
347 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
348 { "checkmail", sDeprecated },
349 { "listenaddress", sListenAddress },
350 { "printmotd", sPrintMotd },
351 { "printlastlog", sPrintLastLog },
352 { "ignorerhosts", sIgnoreRhosts },
353 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
354 { "x11forwarding", sX11Forwarding },
355 { "x11displayoffset", sX11DisplayOffset },
356 { "x11uselocalhost", sX11UseLocalhost },
357 { "xauthlocation", sXAuthLocation },
358 { "strictmodes", sStrictModes },
359 { "permitemptypasswords", sEmptyPasswd },
360 { "permituserenvironment", sPermitUserEnvironment },
361 { "uselogin", sUseLogin },
362 { "compression", sCompression },
363 { "keepalive", sKeepAlives },
364 { "allowtcpforwarding", sAllowTcpForwarding },
365 { "allowusers", sAllowUsers },
366 { "denyusers", sDenyUsers },
367 { "allowgroups", sAllowGroups },
368 { "denygroups", sDenyGroups },
369 { "ciphers", sCiphers },
371 { "protocol", sProtocol },
372 { "gatewayports", sGatewayPorts },
373 { "subsystem", sSubsystem },
374 { "maxstartups", sMaxStartups },
375 { "banner", sBanner },
376 { "verifyreversemapping", sVerifyReverseMapping },
377 { "reversemappingcheck", sVerifyReverseMapping }, /* alias */
378 { "clientaliveinterval", sClientAliveInterval },
379 { "clientalivecountmax", sClientAliveCountMax },
380 { "authorizedkeysfile", sAuthorizedKeysFile },
381 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
382 { "useprivilegeseparation", sUsePrivilegeSeparation},
387 * Returns the number of the token pointed to by cp or sBadOption.
391 parse_token(const char *cp, const char *filename,
/*
 * cp       - the keyword text taken from the config line
 * filename - config file name, for the diagnostic only
 * linenum  - line number, for the diagnostic only (declared on the dropped
 *            continuation of the signature)
 *
 * Linear, case-insensitive scan of keywords[] up to its NULL-name terminator.
 * An unknown keyword is logged with error() and reported as sBadOption; the
 * config text is only ever passed as a %s argument, never as the format.
 * The "return sBadOption" line is not shown in this rendering.
 */
396 for (i = 0; keywords[i].name; i++)
397 if (strcasecmp(cp, keywords[i].name) == 0)
398 return keywords[i].opcode;
400 error("%s: line %d: Bad configuration option: %s",
401 filename, linenum, cp);
/*
 * Registers a ListenAddress.
 *
 * options - server options; options->ports supplies the port list
 * addr    - host/address string, or NULL for the wildcard address
 * port    - explicit port; callers pass 0 when the config gave none
 *
 * The branch condition is on a dropped line, but the two shown paths are:
 * with no explicit port, default the port list to SSH_DEFAULT_PORT if it is
 * still empty and add one entry per configured port; otherwise add the single
 * addr:port pair.  This is why Port must precede ListenAddress in the config.
 */
406 add_listen_addr(ServerOptions *options, char *addr, u_short port)
410 if (options->num_ports == 0)
411 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
413 for (i = 0; i < options->num_ports; i++)
414 add_one_listen_addr(options, addr, options->ports[i]);
416 add_one_listen_addr(options, addr, port);
/*
 * Resolves one addr/port pair with getaddrinfo() and prepends every result
 * to options->listen_addrs.
 *
 * options - server options owning the listen_addrs list
 * addr    - address/host string, or NULL for a passive (wildcard) socket
 * port    - TCP port, formatted as the service string
 *
 * Resolution failure is fatal(): an unresolvable ListenAddress aborts sshd at
 * config-load time rather than silently listening on fewer addresses.  The
 * addrinfo list is spliced in as a whole and never freed here.  The gaierr
 * declaration is on a dropped line.
 */
420 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
422 struct addrinfo hints, *ai, *aitop;
423 char strport[NI_MAXSERV];
426 memset(&hints, 0, sizeof(hints));
427 hints.ai_family = IPv4or6;
428 hints.ai_socktype = SOCK_STREAM;
/* AI_PASSIVE with a NULL node yields the wildcard address for bind(). */
429 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
430 snprintf(strport, sizeof strport, "%u", port);
431 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
432 fatal("bad addr or host: %s (%s)",
433 addr ? addr : "<NULL>",
434 gai_strerror(gaierr));
/* Walk to the tail of the new list, then link the existing list behind it.
 * NOTE(review): the loop's empty body (";") appears to be on a dropped line;
 * as rendered, the following assignment would read as the loop body. */
435 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
437 ai->ai_next = options->listen_addrs;
438 options->listen_addrs = aitop;
/*
 * Parses one line of sshd_config text into *options.
 *
 * options  - server options being filled; for the fields that test for -1 /
 *            NULL before assigning, the first setting wins
 * line     - raw config line, tokenised in place with strdelim()
 * filename - config file name, used in diagnostics only
 * linenum  - line number, used in diagnostics only
 *
 * read_server_config() treats a non-zero return as a bad option, but almost
 * every malformed value is fatal() and terminates sshd instead of returning.
 * Config text reaches the log only as a %s argument, never as a format
 * string.  Many case labels, the goto/break lines, the shared parse_* label
 * bodies and the return statements fall in gutter gaps and are not shown in
 * this rendering; comments below mark the most important ones.
 */
442 process_server_config_line(ServerOptions *options, char *line,
443 const char *filename, int linenum)
445 char *cp, **charptr, *arg, *p;
446 int *intptr, value, i, n;
447 ServerOpCodes opcode;
451 /* Ignore leading whitespace */
/* The strdelim() call that produces the first token is on a dropped line. */
454 if (!arg || !*arg || *arg == '#')
/* Blank lines and '#' comments are accepted silently (return not shown). */
458 opcode = parse_token(arg, filename, linenum);
/* The "switch (opcode)" opener is not shown; the cases below dispatch on it. */
460 /* Portable-specific options */
461 case sPAMAuthenticationViaKbdInt:
462 intptr = &options->pam_authentication_via_kbd_int;
/* Presumably jumps to the shared yes/no parser (see the sIgnoreRhosts case);
 * the goto is not shown. */
465 /* Standard Options */
/* sPort (label not shown).  Ports must precede ListenAddress because
 * add_listen_addr() expands the port list when each ListenAddress is seen. */
469 /* ignore ports from configfile if cmdline specifies ports */
470 if (options->ports_from_cmdline)
472 if (options->listen_addrs != NULL)
473 fatal("%s line %d: ports must be specified before "
474 "ListenAddress.", filename, linenum);
475 if (options->num_ports >= MAX_PORTS)
476 fatal("%s line %d: too many ports.",
479 if (!arg || *arg == '\0')
480 fatal("%s line %d: missing port number.",
/* a2port() reports an unparsable port as 0, which is rejected here. */
482 options->ports[options->num_ports++] = a2port(arg);
483 if (options->ports[options->num_ports-1] == 0)
484 fatal("%s line %d: Badly formatted port number.",
/* sServerKeyBits (label not shown) — shared integer parser: the conversion
 * and the guarded assignment after this check are not shown. */
489 intptr = &options->server_key_bits;
492 if (!arg || *arg == '\0')
493 fatal("%s line %d: missing integer value.",
/* Shared time parser: convtime() returns -1 for an invalid time spec. */
500 case sLoginGraceTime:
501 intptr = &options->login_grace_time;
504 if (!arg || *arg == '\0')
505 fatal("%s line %d: missing time value.",
507 if ((value = convtime(arg)) == -1)
508 fatal("%s line %d: invalid time value.",
514 case sKeyRegenerationTime:
515 intptr = &options->key_regeneration_time;
/* sListenAddress (label not shown): accepts "host", "host:port", "[v6]" and
 * "[v6]:port".  A port of 0 passed to add_listen_addr() means "every
 * configured port". */
520 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
521 fatal("%s line %d: missing inet addr.",
/* Bracketed form (the "[" test and arg++ are on dropped lines): the closing
 * "]" is removed in place so arg becomes the bare address. */
524 if ((p = strchr(arg, ']')) == NULL)
525 fatal("%s line %d: bad ipv6 inet addr usage.",
528 memmove(p, p+1, strlen(p+1)+1);
/* Unbracketed form: no ':' at all, or more than one ':' (a bare IPv6
 * literal), means no port was given. */
529 } else if (((p = strchr(arg, ':')) == NULL) ||
530 (strchr(p+1, ':') != NULL)) {
531 add_listen_addr(options, arg, 0);
/* Exactly one ':' — the text after it must be a valid port (a2port() != 0). */
539 fatal("%s line %d: bad inet addr:port usage.",
543 if ((port = a2port(p)) == 0)
544 fatal("%s line %d: bad port number.",
546 add_listen_addr(options, arg, port);
/* Bracketed form with nothing after "]": no port given. */
548 } else if (*p == '\0')
549 add_listen_addr(options, arg, 0);
551 fatal("%s line %d: bad inet addr usage.",
/* sHostKeyFile (label not shown): each HostKey line fills the next free slot,
 * bounded by MAX_HOSTKEYS.  "~" is expanded against the uid sshd runs as. */
556 intptr = &options->num_host_key_files;
557 if (*intptr >= MAX_HOSTKEYS)
558 fatal("%s line %d: too many host keys specified (max %d).",
559 filename, linenum, MAX_HOSTKEYS);
560 charptr = &options->host_key_files[*intptr];
563 if (!arg || *arg == '\0')
564 fatal("%s line %d: missing file name.",
566 if (*charptr == NULL) {
567 *charptr = tilde_expand_filename(arg, getuid());
568 /* increase optional counter */
570 *intptr = *intptr + 1;
/* sPidFile (label not shown): presumably shares the file-name parser above. */
575 charptr = &options->pid_file;
/* PermitRootLogin: the assignments for "yes" and "no" (PERMIT_YES/PERMIT_NO)
 * and the guarded store to *intptr are on dropped lines. */
578 case sPermitRootLogin:
579 intptr = &options->permit_root_login;
581 if (!arg || *arg == '\0')
582 fatal("%s line %d: missing yes/"
583 "without-password/forced-commands-only/no "
584 "argument.", filename, linenum);
585 value = 0; /* silence compiler */
586 if (strcmp(arg, "without-password") == 0)
587 value = PERMIT_NO_PASSWD;
588 else if (strcmp(arg, "forced-commands-only") == 0)
589 value = PERMIT_FORCED_ONLY;
590 else if (strcmp(arg, "yes") == 0)
592 else if (strcmp(arg, "no") == 0)
595 fatal("%s line %d: Bad yes/"
596 "without-password/forced-commands-only/no "
597 "argument: %s", filename, linenum, arg);
/* sIgnoreRhosts (label not shown) — shared yes/no parser used by every flag
 * case below: exact "yes"/"no" only, anything else is fatal.  The value
 * assignments and the guarded store to *intptr are on dropped lines. */
603 intptr = &options->ignore_rhosts;
606 if (!arg || *arg == '\0')
607 fatal("%s line %d: missing yes/no argument.",
609 value = 0; /* silence compiler */
610 if (strcmp(arg, "yes") == 0)
612 else if (strcmp(arg, "no") == 0)
615 fatal("%s line %d: Bad yes/no argument: %s",
616 filename, linenum, arg);
/* Each flag case only selects the target field; the jump to the yes/no
 * parser is on a dropped line after each one. */
621 case sIgnoreUserKnownHosts:
622 intptr = &options->ignore_user_known_hosts;
625 case sRhostsAuthentication:
626 intptr = &options->rhosts_authentication;
629 case sRhostsRSAAuthentication:
630 intptr = &options->rhosts_rsa_authentication;
633 case sHostbasedAuthentication:
634 intptr = &options->hostbased_authentication;
637 case sHostbasedUsesNameFromPacketOnly:
638 intptr = &options->hostbased_uses_name_from_packet_only;
641 case sRSAAuthentication:
642 intptr = &options->rsa_authentication;
645 case sPubkeyAuthentication:
646 intptr = &options->pubkey_authentication;
648 #if defined(KRB4) || defined(KRB5)
649 case sKerberosAuthentication:
650 intptr = &options->kerberos_authentication;
653 case sKerberosOrLocalPasswd:
654 intptr = &options->kerberos_or_local_passwd;
657 case sKerberosTicketCleanup:
658 intptr = &options->kerberos_ticket_cleanup;
661 #if defined(AFS) || defined(KRB5)
662 case sKerberosTgtPassing:
663 intptr = &options->kerberos_tgt_passing;
667 case sAFSTokenPassing:
668 intptr = &options->afs_token_passing;
672 case sPasswordAuthentication:
673 intptr = &options->password_authentication;
676 case sKbdInteractiveAuthentication:
677 intptr = &options->kbd_interactive_authentication;
680 case sChallengeResponseAuthentication:
681 intptr = &options->challenge_response_authentication;
685 intptr = &options->print_motd;
689 intptr = &options->print_lastlog;
693 intptr = &options->x11_forwarding;
/* X11DisplayOffset is an integer, not a flag (shares the integer parser). */
696 case sX11DisplayOffset:
697 intptr = &options->x11_display_offset;
700 case sX11UseLocalhost:
701 intptr = &options->x11_use_localhost;
705 charptr = &options->xauth_location;
709 intptr = &options->strict_modes;
713 intptr = &options->keepalives;
717 intptr = &options->permit_empty_passwd;
720 case sPermitUserEnvironment:
721 intptr = &options->permit_user_env;
725 intptr = &options->use_login;
729 intptr = &options->compression;
733 intptr = &options->gateway_ports;
736 case sVerifyReverseMapping:
737 intptr = &options->verify_reverse_mapping;
/* sLogFacility (label not shown).  The (int *) cast writes an enum field
 * through an int pointer, which assumes SyslogFacility/LogLevel have int as
 * their underlying type.  The strdelim() call is on a dropped line. */
741 intptr = (int *) &options->log_facility;
743 value = log_facility_number(arg);
744 if (value == SYSLOG_FACILITY_NOT_SET)
745 fatal("%.200s line %d: unsupported log facility '%s'",
746 filename, linenum, arg ? arg : "<NONE>");
748 *intptr = (SyslogFacility) value;
752 intptr = (int *) &options->log_level;
754 value = log_level_number(arg);
755 if (value == SYSLOG_LEVEL_NOT_SET)
756 fatal("%.200s line %d: unsupported log level '%s'",
757 filename, linenum, arg ? arg : "<NONE>");
759 *intptr = (LogLevel) value;
762 case sAllowTcpForwarding:
763 intptr = &options->allow_tcp_forwarding;
/* UsePrivilegeSeparation writes the global, not an options field. */
766 case sUsePrivilegeSeparation:
767 intptr = &use_privsep;
/* Allow/Deny lists (labels not shown): every remaining token on the line is
 * appended, so repeated lines accumulate; each list is bounded by its MAX_
 * constant and entries are xstrdup()'d (never freed here). */
771 while ((arg = strdelim(&cp)) && *arg != '\0') {
772 if (options->num_allow_users >= MAX_ALLOW_USERS)
773 fatal("%s line %d: too many allow users.",
775 options->allow_users[options->num_allow_users++] =
781 while ((arg = strdelim(&cp)) && *arg != '\0') {
782 if (options->num_deny_users >= MAX_DENY_USERS)
783 fatal( "%s line %d: too many deny users.",
785 options->deny_users[options->num_deny_users++] =
791 while ((arg = strdelim(&cp)) && *arg != '\0') {
792 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
793 fatal("%s line %d: too many allow groups.",
795 options->allow_groups[options->num_allow_groups++] =
801 while ((arg = strdelim(&cp)) && *arg != '\0') {
802 if (options->num_deny_groups >= MAX_DENY_GROUPS)
803 fatal("%s line %d: too many deny groups.",
805 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
/* sCiphers (label not shown): the spec is validated before it is accepted,
 * so an unknown cipher name aborts config loading; first setting wins. */
811 if (!arg || *arg == '\0')
812 fatal("%s line %d: Missing argument.", filename, linenum);
813 if (!ciphers_valid(arg))
814 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
815 filename, linenum, arg ? arg : "<NONE>");
816 if (options->ciphers == NULL)
817 options->ciphers = xstrdup(arg);
/* sMacs (label not shown): same shape; the validity test is on a dropped line. */
822 if (!arg || *arg == '\0')
823 fatal("%s line %d: Missing argument.", filename, linenum);
825 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
826 filename, linenum, arg ? arg : "<NONE>");
827 if (options->macs == NULL)
828 options->macs = xstrdup(arg);
/* sProtocol (label not shown): proto_spec() returns SSH_PROTO_UNKNOWN for a
 * bad spec; the guarded assignment after the check is on a dropped line. */
832 intptr = &options->protocol;
834 if (!arg || *arg == '\0')
835 fatal("%s line %d: Missing argument.", filename, linenum);
836 value = proto_spec(arg);
837 if (value == SSH_PROTO_UNKNOWN)
838 fatal("%s line %d: Bad protocol spec '%s'.",
839 filename, linenum, arg ? arg : "<NONE>");
840 if (*intptr == SSH_PROTO_UNKNOWN)
/* sSubsystem (label not shown): "name command"; duplicate names are rejected
 * and both strings are xstrdup()'d.  The strdelim() for the command is on a
 * dropped line. */
845 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
846 fatal("%s line %d: too many subsystems defined.",
850 if (!arg || *arg == '\0')
851 fatal("%s line %d: Missing subsystem name.",
853 for (i = 0; i < options->num_subsystems; i++)
854 if (strcmp(arg, options->subsystem_name[i]) == 0)
855 fatal("%s line %d: Subsystem '%s' already defined.",
856 filename, linenum, arg);
857 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
859 if (!arg || *arg == '\0')
860 fatal("%s line %d: Missing subsystem command.",
862 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
863 options->num_subsystems++;
/* sMaxStartups (label not shown): "begin:rate:full" or a single number.
 * sscanf() stores straight into the options fields before validation; that
 * is acceptable only because a bad spec is fatal().  The n != 1 check between
 * the two fatal()s is on a dropped line. */
868 if (!arg || *arg == '\0')
869 fatal("%s line %d: Missing MaxStartups spec.",
871 if ((n = sscanf(arg, "%d:%d:%d",
872 &options->max_startups_begin,
873 &options->max_startups_rate,
874 &options->max_startups)) == 3) {
875 if (options->max_startups_begin >
876 options->max_startups ||
877 options->max_startups_rate > 100 ||
878 options->max_startups_rate < 1)
879 fatal("%s line %d: Illegal MaxStartups spec.",
882 fatal("%s line %d: Illegal MaxStartups spec.",
/* Single-number form: begin and full are the same value. */
885 options->max_startups = options->max_startups_begin;
/* sBanner (label not shown): presumably shares the file-name parser. */
889 charptr = &options->banner;
892 * These options can contain %X options expanded at
893 * connect time, so that you can specify paths like:
895 * AuthorizedKeysFile /etc/ssh_keys/%u
897 case sAuthorizedKeysFile:
898 case sAuthorizedKeysFile2:
/* Same parser for both; only the target field differs. */
899 charptr = (opcode == sAuthorizedKeysFile ) ?
900 &options->authorized_keys_file :
901 &options->authorized_keys_file2;
904 case sClientAliveInterval:
905 intptr = &options->client_alive_interval;
908 case sClientAliveCountMax:
909 intptr = &options->client_alive_count_max;
/* sDeprecated (label not shown): accepted and logged, value ignored. */
913 log("%s line %d: Deprecated option %s",
914 filename, linenum, arg);
/* default (label not shown): a keyword in keywords[] with no case here is a
 * programming error, made loud rather than silently ignored. */
920 fatal("%s line %d: Missing handler for opcode %s (%d)",
921 filename, linenum, arg, opcode);
/* After the switch: any further token on the line is an error, so a typo
 * cannot be silently dropped. */
923 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
924 fatal("%s line %d: garbage at end of line; \"%.200s\".",
925 filename, linenum, arg);
929 /* Reads the server configuration file. */
932 read_server_config(ServerOptions *options, const char *filename)
934 int linenum, bad_options = 0;
938 f = fopen(filename, "r");
944 while (fgets(line, sizeof(line), f)) {
945 /* Update line number counter. */
947 if (process_server_config_line(options, line, filename, linenum) != 0)
952 fatal("%s: terminating, %d bad configuration options",
953 filename, bad_options);