1 /* $OpenBSD: readconf.c,v 1.162 2007/03/20 03:56:12 tedu Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
46 /* Format of the configuration file:
48 # Configuration data is parsed as follows:
49 # 1. command line options
50 # 2. user-specific file
52 # Any configuration value is only changed the first time it is set.
53 # Thus, host-specific definitions should be at the beginning of the
54 # configuration file, and defaults at the end.
56 # Host-specific declarations. These may override anything above. A single
57 # host may match multiple declarations; these are processed in the order
58 # that they are given in.
64 HostName another.host.name.real.org
71 RemoteForward 9999 shadows.cs.hut.fi:9999
77 PasswordAuthentication no
81 ProxyCommand ssh-proxy %h %p
84 PublicKeyAuthentication no
88 PasswordAuthentication no
94 # Defaults for various options
98 PasswordAuthentication yes
100 RhostsRSAAuthentication yes
101 StrictHostKeyChecking yes
103 IdentityFile ~/.ssh/identity
109 /* Keyword tokens. */
/*
 * Option keyword tokens (one per recognised configuration keyword).
 * The enum header and its first enumerator, oBadOption, which
 * parse_token() returns for an unknown keyword, fall outside the lines
 * shown here; so do oGssKeyEx, oGssTrustDns and oHPNBufferSize, which
 * the keyword table below references.  A keyword mapped to oDeprecated
 * is accepted with only a debug message, one mapped to oUnsupported is
 * rejected with an error (see the tail of process_config_line()).
 */
113 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
114 oExitOnForwardFailure,
115 oPasswordAuthentication, oRSAAuthentication,
116 oChallengeResponseAuthentication, oXAuthLocation,
117 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
118 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
119 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
120 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
121 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
122 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
123 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
124 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
125 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
126 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
127 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
129 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
/* HPN-specific tokens (None cipher switch, TCP receive-buffer tuning). */
132 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
133 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
134 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
135 oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
137 oDeprecated, oUnsupported
140 /* Textual representations of the tokens. */
/*
 * Keyword -> token table, searched by parse_token() with strcasecmp()
 * (case-insensitive, first match wins).  The table header and the
 * terminating NULL entry the search loop relies on are outside the
 * lines shown.
 */
146 { "forwardagent", oForwardAgent },
147 { "forwardx11", oForwardX11 },
148 { "forwardx11trusted", oForwardX11Trusted },
149 { "exitonforwardfailure", oExitOnForwardFailure },
150 { "xauthlocation", oXAuthLocation },
151 { "gatewayports", oGatewayPorts },
152 { "useprivilegedport", oUsePrivilegedPort },
153 { "rhostsauthentication", oDeprecated },
154 { "passwordauthentication", oPasswordAuthentication },
155 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
156 { "kbdinteractivedevices", oKbdInteractiveDevices },
157 { "rsaauthentication", oRSAAuthentication },
158 { "pubkeyauthentication", oPubkeyAuthentication },
159 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
160 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
161 { "hostbasedauthentication", oHostbasedAuthentication },
162 { "challengeresponseauthentication", oChallengeResponseAuthentication },
163 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
164 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
/* Old Kerberos/AFS keywords are refused outright rather than ignored. */
165 { "kerberosauthentication", oUnsupported },
166 { "kerberostgtpassing", oUnsupported },
167 { "afstokenpassing", oUnsupported },
/* NOTE(review): the four GSSAPI keywords appear twice, first with real
 * tokens and then as oUnsupported.  Because parse_token() returns the
 * first match, these are presumably the two arms of a build-time
 * #ifdef (GSSAPI) / #else whose preprocessor lines are not shown;
 * confirm, since as a flat table the second set would be dead. */
169 { "gssapiauthentication", oGssAuthentication },
170 { "gssapikeyexchange", oGssKeyEx },
171 { "gssapidelegatecredentials", oGssDelegateCreds },
172 { "gssapitrustdns", oGssTrustDns },
174 { "gssapiauthentication", oUnsupported },
175 { "gssapikeyexchange", oUnsupported },
176 { "gssapidelegatecredentials", oUnsupported },
177 { "gssapitrustdns", oUnsupported },
179 { "fallbacktorsh", oDeprecated },
180 { "usersh", oDeprecated },
181 { "identityfile", oIdentityFile },
182 { "identityfile2", oIdentityFile }, /* alias */
183 { "identitiesonly", oIdentitiesOnly },
184 { "hostname", oHostName },
185 { "hostkeyalias", oHostKeyAlias },
186 { "proxycommand", oProxyCommand },
188 { "cipher", oCipher },
189 { "ciphers", oCiphers },
191 { "protocol", oProtocol },
192 { "remoteforward", oRemoteForward },
193 { "localforward", oLocalForward },
196 { "escapechar", oEscapeChar },
197 { "globalknownhostsfile", oGlobalKnownHostsFile },
198 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
199 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
200 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
201 { "connectionattempts", oConnectionAttempts },
202 { "batchmode", oBatchMode },
203 { "checkhostip", oCheckHostIP },
204 { "stricthostkeychecking", oStrictHostKeyChecking },
205 { "compression", oCompression },
206 { "compressionlevel", oCompressionLevel },
207 { "tcpkeepalive", oTCPKeepAlive },
208 { "keepalive", oTCPKeepAlive }, /* obsolete */
209 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
210 { "loglevel", oLogLevel },
211 { "dynamicforward", oDynamicForward },
212 { "preferredauthentications", oPreferredAuthentications },
213 { "hostkeyalgorithms", oHostKeyAlgorithms },
214 { "bindaddress", oBindAddress },
/* Same first-match pattern as the GSSAPI pair above; presumably a
 * SMARTCARD build-time conditional whose directives are not shown. */
216 { "smartcarddevice", oSmartcardDevice },
218 { "smartcarddevice", oUnsupported },
220 { "clearallforwardings", oClearAllForwardings },
221 { "enablesshkeysign", oEnableSSHKeysign },
222 { "verifyhostkeydns", oVerifyHostKeyDNS },
223 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
224 { "rekeylimit", oRekeyLimit },
225 { "connecttimeout", oConnectTimeout },
226 { "addressfamily", oAddressFamily },
227 { "serveraliveinterval", oServerAliveInterval },
228 { "serveralivecountmax", oServerAliveCountMax },
229 { "sendenv", oSendEnv },
230 { "controlpath", oControlPath },
231 { "controlmaster", oControlMaster },
232 { "hashknownhosts", oHashKnownHosts },
233 { "tunnel", oTunnel },
234 { "tunneldevice", oTunnelDevice },
235 { "localcommand", oLocalCommand },
236 { "permitlocalcommand", oPermitLocalCommand },
/* HPN keywords. */
237 { "noneenabled", oNoneEnabled },
238 { "tcprcvbufpoll", oTcpRcvBufPoll },
239 { "tcprcvbuf", oTcpRcvBuf },
240 { "noneswitch", oNoneSwitch },
241 { "hpndisabled", oHPNDisabled },
242 { "hpnbuffersize", oHPNBufferSize },
247 * Adds a local TCP/IP port forward to options. Never returns if there is an
252 add_local_forward(Options *options, const Forward *newfwd)
/*
 * Appends a copy of *newfwd to options->local_forwards[] and bumps
 * num_local_forwards.  Calls fatal() (never returns) when a non-root
 * user asks for a listen port below IPPORT_RESERVED or when the
 * per-direction table is already full.  The host strings are
 * duplicated with xstrdup(), so the caller keeps ownership of *newfwd;
 * the copies are released by clear_forwardings().  (The local `fwd`
 * declaration and the closing #endif are on lines not shown.)
 */
255 #ifndef NO_IPPORT_RESERVED_CONCEPT
256 extern uid_t original_real_uid;
/* Binding a privileged listen port is a root-only operation.  The test
 * uses original_real_uid (by its name, the real uid recorded before any
 * privilege change — confirm) rather than the current effective uid, so
 * a setuid binary cannot be used to claim such a port for the invoking
 * user. */
257 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
258 fatal("Privileged ports can only be forwarded by root.");
/* Fixed-size table: refuse rather than write past local_forwards[]. */
260 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
261 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
262 fwd = &options->local_forwards[options->num_local_forwards++];
/* listen_host is optional (NULL = wildcard bind); connect_host is not. */
264 fwd->listen_host = (newfwd->listen_host == NULL) ?
265 NULL : xstrdup(newfwd->listen_host);
266 fwd->listen_port = newfwd->listen_port;
267 fwd->connect_host = xstrdup(newfwd->connect_host);
268 fwd->connect_port = newfwd->connect_port;
272 * Adds a remote TCP/IP port forward to options. Never returns if there is
277 add_remote_forward(Options *options, const Forward *newfwd)
/*
 * Appends a copy of *newfwd to options->remote_forwards[] and bumps
 * num_remote_forwards; fatal() (never returns) when the per-direction
 * table is full.  Host strings are xstrdup()ed, so the caller retains
 * ownership of *newfwd and clear_forwardings() frees the copies.
 * Unlike add_local_forward() there is no IPPORT_RESERVED check here,
 * presumably because the listening socket is opened by the remote
 * server, which applies its own policy.  (The local `fwd` declaration
 * is on a line not shown.)
 */
280 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
281 fatal("Too many remote forwards (max %d).",
282 SSH_MAX_FORWARDS_PER_DIRECTION);
283 fwd = &options->remote_forwards[options->num_remote_forwards++];
285 fwd->listen_host = (newfwd->listen_host == NULL) ?
286 NULL : xstrdup(newfwd->listen_host);
287 fwd->listen_port = newfwd->listen_port;
288 fwd->connect_host = xstrdup(newfwd->connect_host);
289 fwd->connect_port = newfwd->connect_port;
293 clear_forwardings(Options *options)
/*
 * Drops every configured local and remote forward, freeing the host
 * strings that add_local_forward()/add_remote_forward() xstrdup()ed,
 * and resets the tunnel mode to SSH_TUNMODE_NO.  Invoked from
 * fill_default_options() when ClearAllForwardings is set.  listen_host
 * may legitimately be NULL; connect_host is always allocated.
 * (The loop variable declaration and closing braces are not shown.)
 */
297 for (i = 0; i < options->num_local_forwards; i++) {
298 if (options->local_forwards[i].listen_host != NULL)
299 xfree(options->local_forwards[i].listen_host);
300 xfree(options->local_forwards[i].connect_host);
302 options->num_local_forwards = 0;
303 for (i = 0; i < options->num_remote_forwards; i++) {
304 if (options->remote_forwards[i].listen_host != NULL)
305 xfree(options->remote_forwards[i].listen_host);
306 xfree(options->remote_forwards[i].connect_host);
308 options->num_remote_forwards = 0;
/* Tunnel forwarding is cleared together with the port forwards. */
309 options->tun_open = SSH_TUNMODE_NO;
313 * Returns the number of the token pointed to by cp or oBadOption.
317 parse_token(const char *cp, const char *filename, int linenum)
/*
 * Linear, case-insensitive lookup of keyword `cp` in keywords[]; the
 * scan stops at the table's NULL-name sentinel.  On a miss an error
 * naming the file and line is logged and, per the comment above,
 * oBadOption is returned (the return statement itself is on a line not
 * shown).  `cp` is printed verbatim but only as a %s argument, never as
 * the format string.
 */
321 for (i = 0; keywords[i].name; i++)
322 if (strcasecmp(cp, keywords[i].name) == 0)
323 return keywords[i].opcode;
325 error("%s: line %d: Bad configuration option: %s",
326 filename, linenum, cp);
331 * Processes a single option line as used in the configuration files. This
332 * only sets those values that have not already been set.
334 #define WHITESPACE " \t\r\n"
337 process_config_line(Options *options, const char *host,
338 char *line, const char *filename, int linenum,
/*
 * Parses one configuration line (keyword plus arguments) into *options.
 * A value is stored only when *activep is set (the current Host block
 * matches `host`) AND the target field still holds its "unset" marker
 * (-1, NULL, SSH_PROTO_UNKNOWN, SYSLOG_LEVEL_NOT_SET), which implements
 * the "first setting wins" precedence described at the top of the file.
 * Most argument errors call fatal() and never return; read_config_file()
 * counts a non-zero return as a bad option.  `line` is tokenised in
 * place by strdelim().  The `activep` parameter, `len`, `fwd` and the
 * many `case` labels and `break`s belong to lines not shown.
 */
341 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
342 int opcode, *intptr, value, value2, scale;
343 long long orig, val64;
347 /* Strip trailing whitespace */
/* NOTE(review): the loop starts at strlen(line) - 1 with no empty-string
 * guard.  If `len` is unsigned (its declaration is not shown) an empty
 * `line` wraps the index and line[len] reads out of bounds.  fgets() in
 * read_config_file() never yields an empty string, but the
 * "command-line" caller seen below might; a leading
 * `if (*line == '\0') return 0;` would close that gap. */
348 for (len = strlen(line) - 1; len > 0; len--) {
349 if (strchr(WHITESPACE, line[len]) == NULL)
355 /* Get the keyword. (Each line is supposed to begin with a keyword). */
356 if ((keyword = strdelim(&s)) == NULL)
358 /* Ignore leading whitespace. */
359 if (*keyword == '\0')
360 keyword = strdelim(&s);
/* Blank lines and '#' comments are accepted silently. */
361 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
364 opcode = parse_token(keyword, filename, linenum);
368 /* don't panic, but count bad options */
/* Each case below points intptr/charptr at the target field, then jumps
 * to one of the shared parsers (yes/no flag, integer, string). */
371 case oConnectTimeout:
372 intptr = &options->connection_timeout;
375 if (!arg || *arg == '\0')
376 fatal("%s line %d: missing time value.",
/* convtime() handles the s/m/h/d/w suffixes; -1 signals a bad spec. */
378 if ((value = convtime(arg)) == -1)
379 fatal("%s line %d: invalid time value.",
381 if (*activep && *intptr == -1)
386 intptr = &options->forward_agent;
/* Shared yes/no parser ("true"/"false" are accepted as synonyms). */
389 if (!arg || *arg == '\0')
390 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
391 value = 0; /* To avoid compiler warning... */
392 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
394 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
397 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
398 if (*activep && *intptr == -1)
403 intptr = &options->forward_x11;
406 case oForwardX11Trusted:
407 intptr = &options->forward_x11_trusted;
411 intptr = &options->gateway_ports;
414 case oExitOnForwardFailure:
415 intptr = &options->exit_on_forward_failure;
418 case oUsePrivilegedPort:
419 intptr = &options->use_privileged_port;
422 case oPasswordAuthentication:
423 intptr = &options->password_authentication;
426 case oKbdInteractiveAuthentication:
427 intptr = &options->kbd_interactive_authentication;
430 case oKbdInteractiveDevices:
431 charptr = &options->kbd_interactive_devices;
434 case oPubkeyAuthentication:
435 intptr = &options->pubkey_authentication;
438 case oRSAAuthentication:
439 intptr = &options->rsa_authentication;
442 case oRhostsRSAAuthentication:
443 intptr = &options->rhosts_rsa_authentication;
446 case oHostbasedAuthentication:
447 intptr = &options->hostbased_authentication;
450 case oChallengeResponseAuthentication:
451 intptr = &options->challenge_response_authentication;
454 case oGssAuthentication:
455 intptr = &options->gss_authentication;
459 intptr = &options->gss_keyex;
462 case oGssDelegateCreds:
463 intptr = &options->gss_deleg_creds;
467 intptr = &options->gss_trust_dns;
471 intptr = &options->batch_mode;
475 intptr = &options->check_host_ip;
479 intptr = &options->none_enabled;
482 /* we check to see if the command comes from the */
483 /* command line or not. If it does then enable it */
484 /* otherwise fail. NONE should never be a default configuration */
/* NoneSwitch (the HPN None-cipher switch) is honoured only when the
 * option arrives with filename == "command-line".  Found in a
 * configuration file it is reported with error() and apparently
 * skipped (the return is on a line not shown) rather than made fatal,
 * so it cannot become a persistent default. */
486 if(strcmp(filename,"command-line")==0)
488 intptr = &options->none_switch;
491 error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
492 error("Continuing...");
493 debug("NoneSwitch directive found in %.200s.", filename);
498 intptr = &options->hpn_disabled;
502 intptr = &options->hpn_buffer_size;
506 intptr = &options->tcp_rcv_buf_poll;
509 case oVerifyHostKeyDNS:
510 intptr = &options->verify_host_key_dns;
513 case oStrictHostKeyChecking:
514 intptr = &options->strict_host_key_checking;
/* Three-valued variant of the flag parser: yes / no / ask.  The numeric
 * codes assigned to each branch are on lines not shown; see the
 * "2 is default" remark in fill_default_options(). */
517 if (!arg || *arg == '\0')
518 fatal("%.200s line %d: Missing yes/no/ask argument.",
520 value = 0; /* To avoid compiler warning... */
521 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
523 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
525 else if (strcmp(arg, "ask") == 0)
528 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
529 if (*activep && *intptr == -1)
534 intptr = &options->compression;
538 intptr = &options->tcp_keep_alive;
541 case oNoHostAuthenticationForLocalhost:
542 intptr = &options->no_host_authentication_for_localhost;
545 case oNumberOfPasswordPrompts:
546 intptr = &options->number_of_password_prompts;
549 case oCompressionLevel:
550 intptr = &options->compression_level;
554 intptr = &options->rekey_limit;
556 if (!arg || *arg == '\0')
557 fatal("%.200s line %d: Missing argument.", filename, linenum);
/* Reject signs and leading blanks that strtoll() would otherwise eat. */
558 if (arg[0] < '0' || arg[0] > '9')
559 fatal("%.200s line %d: Bad number.", filename, linenum);
560 orig = val64 = strtoll(arg, &endofnumber, 10);
561 if (arg == endofnumber)
562 fatal("%.200s line %d: Bad number.", filename, linenum);
/* Optional size suffix selects `scale` and multiplies val64 (cases not
 * shown).  NOTE(review): *endofnumber is a plain char; <ctype.h>
 * functions take an unsigned char value or EOF, so a high-bit byte here
 * is undefined behaviour — `toupper((unsigned char)*endofnumber)`. */
563 switch (toupper(*endofnumber)) {
577 fatal("%.200s line %d: Invalid RekeyLimit suffix",
581 /* detect integer wrap and too-large limits */
/* Dividing the scaled value back must reproduce `orig`; if not, the
 * 64-bit multiply wrapped.  It must also fit the int it is stored in. */
582 if ((val64 / scale) != orig || val64 > INT_MAX)
583 fatal("%.200s line %d: RekeyLimit too large",
586 fatal("%.200s line %d: RekeyLimit too small",
588 if (*activep && *intptr == -1)
589 *intptr = (int)val64;
594 if (!arg || *arg == '\0')
595 fatal("%.200s line %d: Missing argument.", filename, linenum);
597 intptr = &options->num_identity_files;
/* IdentityFile accumulates (every occurrence is kept, in order) into a
 * fixed-size array, so the bound check precedes the append. */
598 if (*intptr >= SSH_MAX_IDENTITY_FILES)
599 fatal("%.200s line %d: Too many identity files specified (max %d).",
600 filename, linenum, SSH_MAX_IDENTITY_FILES);
601 charptr = &options->identity_files[*intptr];
602 *charptr = xstrdup(arg);
603 *intptr = *intptr + 1;
608 charptr=&options->xauth_location;
612 charptr = &options->user;
/* Shared single-token string parser. */
615 if (!arg || *arg == '\0')
616 fatal("%.200s line %d: Missing argument.", filename, linenum);
617 if (*activep && *charptr == NULL)
618 *charptr = xstrdup(arg);
621 case oGlobalKnownHostsFile:
622 charptr = &options->system_hostfile;
625 case oUserKnownHostsFile:
626 charptr = &options->user_hostfile;
629 case oGlobalKnownHostsFile2:
630 charptr = &options->system_hostfile2;
633 case oUserKnownHostsFile2:
634 charptr = &options->user_hostfile2;
638 charptr = &options->hostname;
642 charptr = &options->host_key_alias;
645 case oPreferredAuthentications:
646 charptr = &options->preferred_authentications;
650 charptr = &options->bind_address;
653 case oSmartcardDevice:
654 charptr = &options->smartcard_device;
658 charptr = &options->proxy_command;
661 fatal("%.200s line %d: Missing argument.", filename, linenum);
/* ProxyCommand (and, below, LocalCommand) take the whole remainder of
 * the line after leading blanks/'=', not a single token, since the
 * command contains spaces.  What is stored here is later run as a
 * command on the user's behalf, which is why read_config_file() checks
 * the configuration file's ownership and permissions before parsing. */
662 len = strspn(s, WHITESPACE "=");
663 if (*activep && *charptr == NULL)
664 *charptr = xstrdup(s + len);
668 intptr = &options->port;
/* Shared integer parser. */
671 if (!arg || *arg == '\0')
672 fatal("%.200s line %d: Missing argument.", filename, linenum);
673 if (arg[0] < '0' || arg[0] > '9')
674 fatal("%.200s line %d: Bad number.", filename, linenum);
676 /* Octal, decimal, or hex format? */
/* Base 0: a leading "0" selects octal and "0x" hex.  Only the syntax is
 * checked; no range check on the resulting value (e.g. 0..65535 for
 * Port) is visible in these lines. */
677 value = strtol(arg, &endofnumber, 0);
678 if (arg == endofnumber)
679 fatal("%.200s line %d: Bad number.", filename, linenum);
680 if (*activep && *intptr == -1)
684 case oConnectionAttempts:
685 intptr = &options->connection_attempts;
689 intptr = &options->tcp_rcv_buf;
693 intptr = &options->cipher;
695 if (!arg || *arg == '\0')
696 fatal("%.200s line %d: Missing argument.", filename, linenum);
697 value = cipher_number(arg);
/* (`arg ? arg : "<NONE>"` is redundant after the NULL check above; the
 * same pattern recurs in the Ciphers/MACs/HostKeyAlgorithms/Protocol/
 * LogLevel cases.) */
699 fatal("%.200s line %d: Bad cipher '%s'.",
700 filename, linenum, arg ? arg : "<NONE>");
701 if (*activep && *intptr == -1)
/* Algorithm lists are validated against the built-in tables before
 * being stored, so an unknown or malformed name is refused here rather
 * than at key-exchange time. */
707 if (!arg || *arg == '\0')
708 fatal("%.200s line %d: Missing argument.", filename, linenum);
709 if (!ciphers_valid(arg))
710 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
711 filename, linenum, arg ? arg : "<NONE>");
712 if (*activep && options->ciphers == NULL)
713 options->ciphers = xstrdup(arg);
718 if (!arg || *arg == '\0')
719 fatal("%.200s line %d: Missing argument.", filename, linenum);
721 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
722 filename, linenum, arg ? arg : "<NONE>");
723 if (*activep && options->macs == NULL)
724 options->macs = xstrdup(arg);
727 case oHostKeyAlgorithms:
729 if (!arg || *arg == '\0')
730 fatal("%.200s line %d: Missing argument.", filename, linenum);
731 if (!key_names_valid2(arg))
732 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
733 filename, linenum, arg ? arg : "<NONE>");
734 if (*activep && options->hostkeyalgorithms == NULL)
735 options->hostkeyalgorithms = xstrdup(arg);
739 intptr = &options->protocol;
741 if (!arg || *arg == '\0')
742 fatal("%.200s line %d: Missing argument.", filename, linenum);
743 value = proto_spec(arg);
744 if (value == SSH_PROTO_UNKNOWN)
745 fatal("%.200s line %d: Bad protocol spec '%s'.",
746 filename, linenum, arg ? arg : "<NONE>");
747 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
/* log_level is a LogLevel enum; the cast to int * assumes the enum has
 * the representation of int, which is what the generic intptr scheme
 * relies on throughout this function. */
752 intptr = (int *) &options->log_level;
754 value = log_level_number(arg);
755 if (value == SYSLOG_LEVEL_NOT_SET)
756 fatal("%.200s line %d: unsupported log level '%s'",
757 filename, linenum, arg ? arg : "<NONE>");
758 if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
759 *intptr = (LogLevel) value;
/* LocalForward / RemoteForward: "[bind:]port host:hostport" as two
 * tokens, re-joined with ':' for parse_forward(). */
765 if (arg == NULL || *arg == '\0')
766 fatal("%.200s line %d: Missing port argument.",
769 if (arg2 == NULL || *arg2 == '\0')
770 fatal("%.200s line %d: Missing target argument.",
773 /* construct a string for parse_forward */
/* fwdarg is a fixed 256-byte buffer; snprintf() bounds the write, so an
 * over-long specification is truncated (and then presumably rejected by
 * parse_forward()) rather than overflowing. */
774 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
776 if (parse_forward(&fwd, fwdarg) == 0)
777 fatal("%.200s line %d: Bad forwarding specification.",
/* NOTE(review): parse_forward() xstrdup()s fwd.listen_host/connect_host,
 * and add_local_forward()/add_remote_forward() xstrdup() them again; no
 * free of the first copies is visible in these lines, so each forward
 * line appears to leak two small strings.  Freeing fwd's members after
 * the add, or letting add_*_forward() take ownership, would fix it. */
781 if (opcode == oLocalForward)
782 add_local_forward(options, &fwd);
783 else if (opcode == oRemoteForward)
784 add_remote_forward(options, &fwd);
788 case oDynamicForward:
790 if (!arg || *arg == '\0')
791 fatal("%.200s line %d: Missing port argument.",
793 memset(&fwd, '\0', sizeof(fwd));
/* A string literal is safe here: add_local_forward() xstrdup()s it and
 * clear_forwardings() only ever frees that copy. */
794 fwd.connect_host = "socks";
795 fwd.listen_host = hpdelim(&arg);
/* Bound the bind-address length (NI_MAXHOST) before it goes any further. */
796 if (fwd.listen_host == NULL ||
797 strlen(fwd.listen_host) >= NI_MAXHOST)
798 fatal("%.200s line %d: Bad forwarding specification.",
/* Two spellings, "bind_address:port" and plain "port".  In the second
 * form hpdelim() returned the port as the host part, so the else branch
 * (its `if`/`else` lines are not shown) re-reads it as the port. */
801 fwd.listen_port = a2port(arg);
802 fwd.listen_host = cleanhostname(fwd.listen_host);
804 fwd.listen_port = a2port(fwd.listen_host);
805 fwd.listen_host = NULL;
807 if (fwd.listen_port == 0)
808 fatal("%.200s line %d: Badly formatted port number.",
811 add_local_forward(options, &fwd);
814 case oClearAllForwardings:
815 intptr = &options->clear_forwardings;
/* Host: *activep is (re)set from whether any pattern on the line
 * matches `host` (the assignment itself is on a line not shown). */
820 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
821 if (match_pattern(host, arg)) {
822 debug("Applying options for %.100s", arg);
826 /* Avoid garbage check below, as strdelim is done. */
830 intptr = &options->escape_char;
832 if (!arg || *arg == '\0')
833 fatal("%.200s line %d: Missing argument.", filename, linenum);
/* "^X" with X in '@'..DEL (64..127) maps to the matching control
 * character (low five bits); a lone character is taken literally;
 * "none" disables the escape.  Multi-byte input is rejected. */
834 if (arg[0] == '^' && arg[2] == 0 &&
835 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
836 value = (u_char) arg[1] & 31;
837 else if (strlen(arg) == 1)
838 value = (u_char) arg[0];
839 else if (strcmp(arg, "none") == 0)
840 value = SSH_ESCAPECHAR_NONE;
842 fatal("%.200s line %d: Bad escape character.",
845 value = 0; /* Avoid compiler warning. */
847 if (*activep && *intptr == -1)
853 if (!arg || *arg == '\0')
854 fatal("%s line %d: missing address family.",
856 intptr = &options->address_family;
857 if (strcasecmp(arg, "inet") == 0)
859 else if (strcasecmp(arg, "inet6") == 0)
861 else if (strcasecmp(arg, "any") == 0)
864 fatal("Unsupported AddressFamily \"%s\"", arg);
865 if (*activep && *intptr == -1)
869 case oEnableSSHKeysign:
870 intptr = &options->enable_ssh_keysign;
873 case oIdentitiesOnly:
874 intptr = &options->identities_only;
877 case oServerAliveInterval:
878 intptr = &options->server_alive_interval;
881 case oServerAliveCountMax:
882 intptr = &options->server_alive_count_max;
/* SendEnv takes variable NAMES only; a '=' is refused so that a
 * NAME=value pair cannot be slipped in where a name is expected.  The
 * list is bounded by MAX_SEND_ENV. */
886 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
887 if (strchr(arg, '=') != NULL)
888 fatal("%s line %d: Invalid environment name.",
892 if (options->num_send_env >= MAX_SEND_ENV)
893 fatal("%s line %d: too many send env.",
895 options->send_env[options->num_send_env++] =
901 charptr = &options->control_path;
905 intptr = &options->control_master;
907 if (!arg || *arg == '\0')
908 fatal("%.200s line %d: Missing ControlMaster argument.",
910 value = 0; /* To avoid compiler warning... */
911 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
912 value = SSHCTL_MASTER_YES;
913 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
914 value = SSHCTL_MASTER_NO;
915 else if (strcmp(arg, "auto") == 0)
916 value = SSHCTL_MASTER_AUTO;
917 else if (strcmp(arg, "ask") == 0)
918 value = SSHCTL_MASTER_ASK;
919 else if (strcmp(arg, "autoask") == 0)
920 value = SSHCTL_MASTER_AUTO_ASK;
922 fatal("%.200s line %d: Bad ControlMaster argument.",
924 if (*activep && *intptr == -1)
928 case oHashKnownHosts:
929 intptr = &options->hash_known_hosts;
933 intptr = &options->tun_open;
935 if (!arg || *arg == '\0')
936 fatal("%s line %d: Missing yes/point-to-point/"
937 "ethernet/no argument.", filename, linenum);
938 value = 0; /* silence compiler */
939 if (strcasecmp(arg, "ethernet") == 0)
940 value = SSH_TUNMODE_ETHERNET;
941 else if (strcasecmp(arg, "point-to-point") == 0)
942 value = SSH_TUNMODE_POINTOPOINT;
943 else if (strcasecmp(arg, "yes") == 0)
944 value = SSH_TUNMODE_DEFAULT;
945 else if (strcasecmp(arg, "no") == 0)
946 value = SSH_TUNMODE_NO;
948 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
949 "no argument: %s", filename, linenum, arg);
/* TunnelDevice "local[:remote]": a2tun() yields both ids, SSH_TUNID_ERR
 * on a malformed spec. */
956 if (!arg || *arg == '\0')
957 fatal("%.200s line %d: Missing argument.", filename, linenum);
958 value = a2tun(arg, &value2);
959 if (value == SSH_TUNID_ERR)
960 fatal("%.200s line %d: Bad tun device.", filename, linenum);
962 options->tun_local = value;
963 options->tun_remote = value2;
968 charptr = &options->local_command;
971 case oPermitLocalCommand:
972 intptr = &options->permit_local_command;
/* oDeprecated: accepted with a debug message only.  oUnsupported (e.g.
 * the Kerberos/AFS keywords, or GSSAPI in a build without it): error.
 * An opcode with no case is a programming error, hence fatal(). */
976 debug("%s line %d: Deprecated option \"%s\"",
977 filename, linenum, keyword);
981 error("%s line %d: Unsupported option \"%s\"",
982 filename, linenum, keyword);
986 fatal("process_config_line: Unimplemented opcode %d", opcode);
989 /* Check that there is no garbage at end of line. */
/* Any leftover token after the arguments consumed above is an error,
 * so a mistyped line cannot be half-applied silently. */
990 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
991 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
992 filename, linenum, arg);
999 * Reads the config file and modifies the options accordingly. Options
1000 * should already be initialized before this call. This never returns if
1001 * there is an error. If the file does not exist, this returns 0.
1005 read_config_file(const char *filename, const char *host, Options *options,
/*
 * Reads `filename` line by line and hands each line to
 * process_config_line() for host `host`.  Returns 0 (per the comment
 * above) when the file cannot be opened; otherwise parse errors are
 * either fatal inside process_config_line() or counted here and made
 * fatal after the last line.  The trailing parameter(s), `f`, `line`
 * and `sb` are declared on lines not shown.
 */
1010 int active, linenum;
1011 int bad_options = 0;
1013 /* Open the file. */
1014 if ((f = fopen(filename, "r")) == NULL)
/* Ownership/permission check, done with fstat() on the already-open
 * descriptor so the file examined is exactly the one that will be
 * parsed (no path re-lookup between check and use).  The file must be
 * owned by root or by the invoking user and must not be group- or
 * world-writable (mode & 022): the configuration can name commands
 * (ProxyCommand, LocalCommand) that run with the user's privileges, so
 * anyone able to write it could run code as that user.  Whether this
 * check is unconditional or gated on a caller flag is not visible in
 * the lines shown. */
1020 if (fstat(fileno(f), &sb) == -1)
1021 fatal("fstat %s: %s", filename, strerror(errno));
1022 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
1023 (sb.st_mode & 022) != 0))
1024 fatal("Bad owner or permissions on %s", filename);
1027 debug("Reading configuration data %.200s", filename);
1030 * Mark that we are now processing the options. This flag is turned
1031 * on/off by Host specifications.
/* `active` is presumably initialised to true here (line not shown) so
 * that options preceding the first Host line apply to every host. */
1035 while (fgets(line, sizeof(line), f)) {
1036 /* Update line number counter. */
/* Note: a physical line longer than sizeof(line) - 1 bytes is returned
 * by fgets() in pieces, each of which is parsed as a separate line. */
1038 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
/* Bad options are tolerated per line (see "don't panic" in
 * process_config_line) but the run is aborted once the file is read. */
1042 if (bad_options > 0)
1043 fatal("%s: terminating, %d bad configuration options",
1044 filename, bad_options);
1049 * Initializes options to special values that indicate that they have not yet
1050 * been set. Read_config_file will only set options with this value. Options
1051 * are processed in the following order: command line, user config file,
1052 * system config file. Last, fill_default_options is called.
1056 initialize_options(Options * options)
/*
 * Sets every field of *options to its "not yet set" marker (-1 for
 * ints, NULL for strings, SSH_PROTO_UNKNOWN / SYSLOG_LEVEL_NOT_SET for
 * the enums, 0 for the array counters).  process_config_line() only
 * stores into a field that still carries its marker, and
 * fill_default_options() replaces whatever is still unset at the end.
 */
/* Pre-fill with 'X' so that any field omitted below is obvious garbage
 * rather than an accidentally valid 0/NULL. */
1058 memset(options, 'X', sizeof(*options));
1059 options->forward_agent = -1;
1060 options->forward_x11 = -1;
1061 options->forward_x11_trusted = -1;
1062 options->exit_on_forward_failure = -1;
1063 options->xauth_location = NULL;
1064 options->gateway_ports = -1;
1065 options->use_privileged_port = -1;
1066 options->rsa_authentication = -1;
1067 options->pubkey_authentication = -1;
1068 options->challenge_response_authentication = -1;
1069 options->gss_authentication = -1;
1070 options->gss_keyex = -1;
1071 options->gss_deleg_creds = -1;
1072 options->gss_trust_dns = -1;
1073 options->password_authentication = -1;
1074 options->kbd_interactive_authentication = -1;
1075 options->kbd_interactive_devices = NULL;
1076 options->rhosts_rsa_authentication = -1;
1077 options->hostbased_authentication = -1;
1078 options->batch_mode = -1;
1079 options->check_host_ip = -1;
1080 options->strict_host_key_checking = -1;
1081 options->compression = -1;
1082 options->tcp_keep_alive = -1;
1083 options->compression_level = -1;
1085 options->address_family = -1;
1086 options->connection_attempts = -1;
1087 options->connection_timeout = -1;
1088 options->number_of_password_prompts = -1;
1089 options->cipher = -1;
1090 options->ciphers = NULL;
1091 options->macs = NULL;
1092 options->hostkeyalgorithms = NULL;
1093 options->protocol = SSH_PROTO_UNKNOWN;
1094 options->num_identity_files = 0;
1095 options->hostname = NULL;
1096 options->host_key_alias = NULL;
1097 options->proxy_command = NULL;
1098 options->user = NULL;
1099 options->escape_char = -1;
1100 options->system_hostfile = NULL;
1101 options->user_hostfile = NULL;
1102 options->system_hostfile2 = NULL;
1103 options->user_hostfile2 = NULL;
1104 options->num_local_forwards = 0;
1105 options->num_remote_forwards = 0;
1106 options->clear_forwardings = -1;
1107 options->log_level = SYSLOG_LEVEL_NOT_SET;
1108 options->preferred_authentications = NULL;
1109 options->bind_address = NULL;
1110 options->smartcard_device = NULL;
1111 options->enable_ssh_keysign = - 1;
1112 options->no_host_authentication_for_localhost = - 1;
1113 options->identities_only = - 1;
1114 options->rekey_limit = - 1;
1115 options->verify_host_key_dns = -1;
1116 options->server_alive_interval = -1;
1117 options->server_alive_count_max = -1;
1118 options->num_send_env = 0;
1119 options->control_path = NULL;
1120 options->control_master = -1;
1121 options->hash_known_hosts = -1;
1122 options->tun_open = -1;
1123 options->tun_local = -1;
1124 options->tun_remote = -1;
1125 options->local_command = NULL;
1126 options->permit_local_command = -1;
/* HPN fields. */
1127 options->none_switch = -1;
1128 options->none_enabled = -1;
1129 options->hpn_disabled = -1;
1130 options->hpn_buffer_size = -1;
1131 options->tcp_rcv_buf_poll = -1;
1132 options->tcp_rcv_buf = -1;
1136 * Called after processing other sources of option data, this fills those
1137 * options for which no value has been specified with their default values.
1141 fill_default_options(Options * options)
/*
 * Replaces every field still holding its "unset" marker (see
 * initialize_options()) with the compiled-in default.  Runs after the
 * command line and both configuration files have been processed, so a
 * value here only takes effect when nothing else set the option.
 * The local `len` and the xmalloc() calls for the identity-file
 * buffers are on lines not shown.
 */
1145 if (options->forward_agent == -1)
1146 options->forward_agent = 0;
1147 if (options->forward_x11 == -1)
1148 options->forward_x11 = 0;
1149 if (options->forward_x11_trusted == -1)
1150 options->forward_x11_trusted = 0;
1151 if (options->exit_on_forward_failure == -1)
1152 options->exit_on_forward_failure = 0;
1153 if (options->xauth_location == NULL)
1154 options->xauth_location = _PATH_XAUTH;
1155 if (options->gateway_ports == -1)
1156 options->gateway_ports = 0;
1157 if (options->use_privileged_port == -1)
1158 options->use_privileged_port = 0;
1159 if (options->rsa_authentication == -1)
1160 options->rsa_authentication = 1;
1161 if (options->pubkey_authentication == -1)
1162 options->pubkey_authentication = 1;
1163 if (options->challenge_response_authentication == -1)
1164 options->challenge_response_authentication = 1;
/* NOTE(review): these defaults turn on GSSAPIAuthentication,
 * GSSAPIKeyExchange, GSSAPIDelegateCredentials and GSSAPITrustDns
 * unless the user says otherwise.  Delegating credentials by default
 * hands the user's forwardable tickets to every server the client
 * authenticates to, and trusting DNS lets the resolved name decide
 * which service principal is accepted.  Upstream OpenSSH defaults
 * delegation to off; confirm this (HPN/vendor) deviation is intended
 * and documented for users. */
1165 if (options->gss_authentication == -1)
1166 options->gss_authentication = 1;
1167 if (options->gss_keyex == -1)
1168 options->gss_keyex = 1;
1169 if (options->gss_deleg_creds == -1)
1170 options->gss_deleg_creds = 1;
1171 if (options->gss_trust_dns == -1)
1172 options->gss_trust_dns = 1;
1173 if (options->password_authentication == -1)
1174 options->password_authentication = 1;
1175 if (options->kbd_interactive_authentication == -1)
1176 options->kbd_interactive_authentication = 1;
1177 if (options->rhosts_rsa_authentication == -1)
1178 options->rhosts_rsa_authentication = 0;
1179 if (options->hostbased_authentication == -1)
1180 options->hostbased_authentication = 0;
1181 if (options->batch_mode == -1)
1182 options->batch_mode = 0;
1183 if (options->check_host_ip == -1)
1184 options->check_host_ip = 1;
/* 2 is the third value of the yes/no/ask parser in process_config_line()
 * — presumably "ask" (the assignments are not shown), i.e. prompt on an
 * unknown host key rather than connecting blindly. */
1185 if (options->strict_host_key_checking == -1)
1186 options->strict_host_key_checking = 2; /* 2 is default */
1187 if (options->compression == -1)
1188 options->compression = 0;
1189 if (options->tcp_keep_alive == -1)
1190 options->tcp_keep_alive = 1;
1191 if (options->compression_level == -1)
1192 options->compression_level = 6;
1193 if (options->port == -1)
1194 options->port = 0; /* Filled in ssh_connect. */
1195 if (options->address_family == -1)
1196 options->address_family = AF_UNSPEC;
1197 if (options->connection_attempts == -1)
1198 options->connection_attempts = 1;
1199 if (options->number_of_password_prompts == -1)
1200 options->number_of_password_prompts = 3;
1201 /* Selected in ssh_login(). */
1202 if (options->cipher == -1)
1203 options->cipher = SSH_CIPHER_NOT_SET;
1204 /* options->ciphers, default set in myproposals.h */
1205 /* options->macs, default set in myproposals.h */
1206 /* options->hostkeyalgorithms, default set in myproposals.h */
1207 if (options->protocol == SSH_PROTO_UNKNOWN)
1208 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
/* Default identity files, only when the user named none.  Each path is
 * "~/" + the compiled-in relative name; len counts those 2 bytes plus
 * the NUL, and the "%.100s" width keeps the snprintf() within it. */
1209 if (options->num_identity_files == 0) {
1210 if (options->protocol & SSH_PROTO_1) {
1211 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1212 options->identity_files[options->num_identity_files] =
1214 snprintf(options->identity_files[options->num_identity_files++],
1215 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1217 if (options->protocol & SSH_PROTO_2) {
1218 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1219 options->identity_files[options->num_identity_files] =
1221 snprintf(options->identity_files[options->num_identity_files++],
1222 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1224 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1225 options->identity_files[options->num_identity_files] =
1227 snprintf(options->identity_files[options->num_identity_files++],
1228 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1231 if (options->escape_char == -1)
1232 options->escape_char = '~';
1233 if (options->system_hostfile == NULL)
1234 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1235 if (options->user_hostfile == NULL)
1236 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1237 if (options->system_hostfile2 == NULL)
1238 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1239 if (options->user_hostfile2 == NULL)
1240 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1241 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1242 options->log_level = SYSLOG_LEVEL_INFO;
/* ClearAllForwardings is applied here, after all sources are read, so
 * it discards forwards from the config files as well as the command line. */
1243 if (options->clear_forwardings == 1)
1244 clear_forwardings(options);
1245 if (options->no_host_authentication_for_localhost == - 1)
1246 options->no_host_authentication_for_localhost = 0;
1247 if (options->identities_only == -1)
1248 options->identities_only = 0;
1249 if (options->enable_ssh_keysign == -1)
1250 options->enable_ssh_keysign = 0;
1251 if (options->rekey_limit == -1)
1252 options->rekey_limit = 0;
1253 if (options->verify_host_key_dns == -1)
1254 options->verify_host_key_dns = 0;
1255 if (options->server_alive_interval == -1)
1256 options->server_alive_interval = 0;
1257 if (options->server_alive_count_max == -1)
1258 options->server_alive_count_max = 3;
/* HPN defaults.  NoneSwitch stays off unless given on the command line
 * (process_config_line() refuses it from a file). */
1259 if (options->none_switch == -1)
1260 options->none_switch = 0;
1261 if (options->hpn_disabled == -1)
1262 options->hpn_disabled = 0;
1263 if (options->hpn_buffer_size > -1)
1265 /* if a user tries to set the size to 0 set it to 1KB */
1266 if (options->hpn_buffer_size == 0)
1267 options->hpn_buffer_size = 1024;
1268 /*limit the buffer to 64MB*/
/* The user value is in KB (65536 KB == 64 MB) and the cap is stored
 * already converted to bytes; the in-range conversion (presumably an
 * else branch with *= 1024, as for tcp_rcv_buf below) is on a line not
 * shown.  NOTE(review): if so, the "0 -> 1024" substitution above is
 * also multiplied and yields 1 MB, not the 1 KB the comment claims —
 * verify the unit handling. */
1269 if (options->hpn_buffer_size > 65536)
1271 options->hpn_buffer_size = 65536*1024;
1272 debug("User requested buffer larger than 64MB. Request reverted to 64MB");
1274 debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
/* tcp_rcv_buf is given in KB; -1 means "not set" and is left alone. */
1276 if (options->tcp_rcv_buf == 0)
1277 options->tcp_rcv_buf = 1;
1278 if (options->tcp_rcv_buf > -1)
1279 options->tcp_rcv_buf *=1024;
1280 if (options->tcp_rcv_buf_poll == -1)
1281 options->tcp_rcv_buf_poll = 1;
1282 if (options->control_master == -1)
1283 options->control_master = 0;
1284 if (options->hash_known_hosts == -1)
1285 options->hash_known_hosts = 0;
1286 if (options->tun_open == -1)
1287 options->tun_open = SSH_TUNMODE_NO;
1288 if (options->tun_local == -1)
1289 options->tun_local = SSH_TUNID_ANY;
1290 if (options->tun_remote == -1)
1291 options->tun_remote = SSH_TUNID_ANY;
1292 if (options->permit_local_command == -1)
1293 options->permit_local_command = 0;
1294 /* options->local_command should not be set by default */
1295 /* options->proxy_command should not be set by default */
1296 /* options->user will be set in the main program if appropriate */
1297 /* options->hostname will be set in the main program if appropriate */
1298 /* options->host_key_alias should not be set by default */
1299 /* options->preferred_authentications will be set in ssh */
1304 * parses a string containing a port forwarding specification of the form:
1305 * [listenhost:]listenport:connecthost:connectport
1306 * returns number of arguments parsed or zero on error
1309 parse_forward(Forward *fwd, const char *fwdspec)
/*
 * Splits `fwdspec` ("[listenhost:]listenport:connecthost:connectport",
 * also accepting [bracketed] IPv6 hosts via hpdelim()/cleanhostname())
 * into *fwd.  The host strings stored in *fwd are xstrdup()ed and owned
 * by the caller on success.  Per the comment above, returns the number
 * of fields parsed (3 or 4) or 0 on error; on error the strings already
 * allocated into *fwd are released before returning.  The loop index
 * `i`, the `switch (i)` skeleton, the free of the working copy `p` and
 * the return statements are on lines not shown.
 */
1312 char *p, *cp, *fwdarg[4];
/* Start from a fully cleared struct so the error path can free only
 * what was actually allocated. */
1314 memset(fwd, '\0', sizeof(*fwd));
/* hpdelim() modifies its input, so work on a private copy. */
1316 cp = p = xstrdup(fwdspec);
1318 /* skip leading spaces */
/* NOTE(review): *cp is a plain char; <ctype.h> requires an unsigned
 * char value or EOF, so `isspace((unsigned char)*cp)` to avoid UB on
 * high-bit bytes. */
1319 while (isspace(*cp))
/* Collect up to four ':'-separated fields; stop at the first missing one. */
1322 for (i = 0; i < 4; ++i)
1323 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1326 /* Check for trailing garbage in 4-arg case*/
1328 i = 0; /* failure */
/* 3 fields: no bind address (listen on the default address). */
1332 fwd->listen_host = NULL;
1333 fwd->listen_port = a2port(fwdarg[0]);
1334 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1335 fwd->connect_port = a2port(fwdarg[2]);
/* 4 fields: explicit bind address first. */
1339 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1340 fwd->listen_port = a2port(fwdarg[1]);
1341 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1342 fwd->connect_port = a2port(fwdarg[3]);
1345 i = 0; /* failure */
/* NOTE(review): this only rejects the spec when BOTH ports are 0, which
 * is what a cleared struct (field-count failure) looks like.  If a2port()
 * reports a bad port as 0 (its contract is not visible here), a spec with
 * one bad port and one good port passes through with port 0; an `||`
 * test, or a distinct error value from a2port(), would be tighter. */
1350 if (fwd->listen_port == 0 && fwd->connect_port == 0)
/* Bound the host length before it reaches name resolution. */
1353 if (fwd->connect_host != NULL &&
1354 strlen(fwd->connect_host) >= NI_MAXHOST)
/* Error exit: release whatever was allocated above. */
1360 if (fwd->connect_host != NULL)
1361 xfree(fwd->connect_host);
1362 if (fwd->listen_host != NULL)
1363 xfree(fwd->listen_host);