2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * Functions for reading the configuration files.
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
15 RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $");
21 #include "pathnames.h"
29 /* Format of the configuration file:
31 # Configuration data is parsed as follows:
32 # 1. command line options
33 # 2. user-specific file
35 # Any configuration value is only changed the first time it is set.
36 # Thus, host-specific definitions should be at the beginning of the
37 # configuration file, and defaults at the end.
39 # Host-specific declarations. These may override anything above. A single
40 # host may match multiple declarations; these are processed in the order
41 # that they are given in.
47 HostName another.host.name.real.org
54 RemoteForward 9999 shadows.cs.hut.fi:9999
60 PasswordAuthentication no
64 ProxyCommand ssh-proxy %h %p
67 PublicKeyAuthentication no
71 PasswordAuthentication no
77 # Defaults for various options
81 PasswordAuthentication yes
83 RhostsRSAAuthentication yes
84 StrictHostKeyChecking yes
86 IdentityFile ~/.ssh/identity
/*
 * One opcode per recognised client keyword. parse_token() maps a keyword
 * string to one of these through the keywords[] table that follows, and
 * process_config_line() switches on the result. The enum header, its first
 * member (oBadOption, the value parse_token() returns for an unknown
 * keyword) and the closing typedef are on lines not shown in this listing.
 * oDeprecated and oUnsupported are catch-all values: keywords mapped to them
 * are accepted by the parser but only logged, never acted on.
 */
	oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
	oPasswordAuthentication, oRSAAuthentication,
	oChallengeResponseAuthentication, oXAuthLocation,
	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
	/* catch-alls: accepted by the parser, logged by process_config_line() */
	oDeprecated, oUnsupported
/*
 * Textual representations of the tokens. parse_token() compares keywords
 * case-insensitively and the FIRST matching entry wins. The table's
 * declaration and its terminating sentinel entry are on lines not shown here.
 *
 * NOTE(review): "gssapiauthentication", "gssapidelegatecredentials" and
 * "smartcarddevice" each appear twice below, once mapped to a real opcode
 * and once to oUnsupported. Presumably these are the two arms of a
 * conditional-compilation block whose #if/#else/#endif lines are not shown
 * in this listing -- confirm that, because if both arms were ever compiled
 * in, the earlier entry would silently shadow the later one.
 */
	{ "forwardagent", oForwardAgent },
	{ "forwardx11", oForwardX11 },
	{ "forwardx11trusted", oForwardX11Trusted },
	{ "xauthlocation", oXAuthLocation },
	{ "gatewayports", oGatewayPorts },
	{ "useprivilegedport", oUsePrivilegedPort },
	{ "rhostsauthentication", oDeprecated },	/* logged only, never applied */
	{ "passwordauthentication", oPasswordAuthentication },
	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
	{ "kbdinteractivedevices", oKbdInteractiveDevices },
	{ "rsaauthentication", oRSAAuthentication },
	{ "pubkeyauthentication", oPubkeyAuthentication },
	{ "dsaauthentication", oPubkeyAuthentication },		    /* alias */
	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
	{ "hostbasedauthentication", oHostbasedAuthentication },
	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
	/* Kerberos/AFS keywords: reported as unsupported, see process_config_line() */
	{ "kerberosauthentication", oUnsupported },
	{ "kerberostgtpassing", oUnsupported },
	{ "afstokenpassing", oUnsupported },
	{ "gssapiauthentication", oGssAuthentication },
	{ "gssapidelegatecredentials", oGssDelegateCreds },
	{ "gssapiauthentication", oUnsupported },
	{ "gssapidelegatecredentials", oUnsupported },
	{ "fallbacktorsh", oDeprecated },
	{ "usersh", oDeprecated },
	{ "identityfile", oIdentityFile },
	{ "identityfile2", oIdentityFile },			/* alias */
	{ "identitiesonly", oIdentitiesOnly },
	{ "hostname", oHostName },
	{ "hostkeyalias", oHostKeyAlias },
	{ "proxycommand", oProxyCommand },
	{ "cipher", oCipher },
	{ "ciphers", oCiphers },
	{ "protocol", oProtocol },
	{ "remoteforward", oRemoteForward },
	{ "localforward", oLocalForward },
	{ "escapechar", oEscapeChar },
	{ "globalknownhostsfile", oGlobalKnownHostsFile },
	{ "userknownhostsfile", oUserKnownHostsFile },		/* obsolete */
	{ "globalknownhostsfile2", oGlobalKnownHostsFile2 },
	{ "userknownhostsfile2", oUserKnownHostsFile2 },		/* obsolete */
	{ "connectionattempts", oConnectionAttempts },
	{ "batchmode", oBatchMode },
	{ "checkhostip", oCheckHostIP },
	{ "stricthostkeychecking", oStrictHostKeyChecking },
	{ "compression", oCompression },
	{ "compressionlevel", oCompressionLevel },
	{ "tcpkeepalive", oTCPKeepAlive },
	{ "keepalive", oTCPKeepAlive },				/* obsolete */
	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
	{ "loglevel", oLogLevel },
	{ "dynamicforward", oDynamicForward },
	{ "preferredauthentications", oPreferredAuthentications },
	{ "hostkeyalgorithms", oHostKeyAlgorithms },
	{ "bindaddress", oBindAddress },
	{ "smartcarddevice", oSmartcardDevice },
	{ "smartcarddevice", oUnsupported },
	{ "clearallforwardings", oClearAllForwardings },
	{ "enablesshkeysign", oEnableSSHKeysign },
	{ "verifyhostkeydns", oVerifyHostKeyDNS },
	{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
	{ "rekeylimit", oRekeyLimit },
	{ "connecttimeout", oConnectTimeout },
	{ "addressfamily", oAddressFamily },
	{ "serveraliveinterval", oServerAliveInterval },
	{ "serveralivecountmax", oServerAliveCountMax },
	{ "sendenv", oSendEnv },
	{ "controlpath", oControlPath },
	{ "controlmaster", oControlMaster },
	{ "hashknownhosts", oHashKnownHosts },
	{ "tunnel", oTunnel },
	{ "tunneldevice", oTunnelDevice },
	{ "localcommand", oLocalCommand },
	{ "permitlocalcommand", oPermitLocalCommand },
/*
 * Adds a local TCP/IP port forward to options. Never returns if there is an
 * error: every failure path ends in fatal().
 *
 * options - the Options whose local_forwards[] array is appended to.
 * newfwd  - the forward to record; its host strings are duplicated, so the
 *           caller keeps ownership of (and must free) newfwd's own copies.
 *
 * Unless the build defines NO_IPPORT_RESERVED_CONCEPT, a listen port below
 * IPPORT_RESERVED is refused when the real uid is not root -- the client may
 * run set-uid, so the check is against the saved real uid, not geteuid().
 * At most SSH_MAX_FORWARDS_PER_DIRECTION forwards are accepted.
 */
void
add_local_forward(Options *options, const Forward *newfwd)
{
	Forward *slot;
#ifndef NO_IPPORT_RESERVED_CONCEPT
	extern uid_t original_real_uid;

	if (original_real_uid != 0 && newfwd->listen_port < IPPORT_RESERVED)
		fatal("Privileged ports can only be forwarded by root.");
#endif
	if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);

	slot = &options->local_forwards[options->num_local_forwards];
	options->num_local_forwards++;

	slot->listen_port = newfwd->listen_port;
	slot->connect_port = newfwd->connect_port;
	/* connect_host is mandatory; listen_host may be NULL (unbound listener). */
	slot->connect_host = xstrdup(newfwd->connect_host);
	slot->listen_host = NULL;
	if (newfwd->listen_host != NULL)
		slot->listen_host = xstrdup(newfwd->listen_host);
}
/*
 * Adds a remote TCP/IP port forward to options. Never returns if there is
 * an error: the only failure (table full) is fatal().
 *
 * options - the Options whose remote_forwards[] array is appended to.
 * newfwd  - the forward to record; host strings are duplicated, so the
 *           caller keeps ownership of newfwd's own copies.
 *
 * Unlike add_local_forward() there is no privileged-port check here: the
 * listen port is opened by the remote server, which enforces its own policy.
 */
void
add_remote_forward(Options *options, const Forward *newfwd)
{
	Forward *slot;

	if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many remote forwards (max %d).",
		    SSH_MAX_FORWARDS_PER_DIRECTION);

	slot = &options->remote_forwards[options->num_remote_forwards];
	options->num_remote_forwards++;

	slot->listen_port = newfwd->listen_port;
	slot->connect_port = newfwd->connect_port;
	/* connect_host is mandatory; listen_host may be NULL (unbound listener). */
	slot->connect_host = xstrdup(newfwd->connect_host);
	slot->listen_host = NULL;
	if (newfwd->listen_host != NULL)
		slot->listen_host = xstrdup(newfwd->listen_host);
}
/*
 * Release the host strings of the first n entries of a forward table.
 * listen_host is optional (NULL for an unbound listener); connect_host is
 * always an xstrdup()'d copy made by add_local_forward()/add_remote_forward(),
 * so it is freed unconditionally.
 */
static void
free_forward_table(Forward *table, int n)
{
	int idx;

	for (idx = 0; idx < n; idx++) {
		Forward *f = &table[idx];

		if (f->listen_host != NULL)
			xfree(f->listen_host);
		xfree(f->connect_host);
	}
}

/*
 * Drops every configured local and remote TCP forward and disables tunnel
 * forwarding (tun_open = SSH_TUNMODE_NO). Frees the forwards' host strings
 * and resets both counters to zero; entries beyond the counters are never
 * read, so their stale pointers are harmless.
 */
void
clear_forwardings(Options *options)
{
	free_forward_table(options->local_forwards, options->num_local_forwards);
	options->num_local_forwards = 0;

	free_forward_table(options->remote_forwards, options->num_remote_forwards);
	options->num_remote_forwards = 0;

	options->tun_open = SSH_TUNMODE_NO;
}
/*
 * Returns the number of the token pointed to by cp or oBadOption.
 *
 * cp       - the keyword text (already isolated by the caller).
 * filename - config file name, used only in the diagnostic.
 * linenum  - line number, used only in the diagnostic.
 *
 * Matching is case-insensitive and the first keywords[] entry that matches
 * wins. An unknown keyword is reported with error() rather than fatal() so
 * the caller can count bad options and keep parsing.
 */
static int
parse_token(const char *cp, const char *filename, int linenum)
{
	u_int idx;

	for (idx = 0; keywords[idx].name != NULL; idx++) {
		if (strcasecmp(keywords[idx].name, cp) != 0)
			continue;
		return keywords[idx].opcode;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return oBadOption;
}
/*
 * Processes a single option line as used in the configuration files. This
 * only sets those values that have not already been set.
 *
 * options  - the Options being filled in.
 * host     - the host name that "Host" patterns are matched against.
 * line     - the raw line; it is tokenised in place by strdelim().
 * filename - source name for diagnostics ("command-line" style callers
 *            are possible, so do not assume a real file).
 * linenum  - line number for diagnostics.
 * (The remaining parameter, *activep, is declared on a line not shown:
 * it is the "inside a Host block that matches" flag, read by every case
 * and written by the oHost case.)
 *
 * Most malformed input is fatal() -- the process exits rather than
 * returning an error -- only an unknown keyword is counted and reported.
 * Configuration files are trusted as code: ProxyCommand and LocalCommand
 * values are executed, so whoever can write the file can run commands
 * as the invoking user (see the ownership check in read_config_file()).
 */
#define WHITESPACE " \t\r\n"
process_config_line(Options *options, const char *host,
		char *line, const char *filename, int linenum,
	char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
	int opcode, *intptr, value, value2;
	/*
	 * Strip trailing whitespace.
	 * NOTE(review): len's declaration is not shown. If it is an unsigned
	 * type, strlen(line) == 0 (an empty -o argument, or a line starting
	 * with a NUL byte) wraps to a huge value and line[len] indexes outside
	 * the buffer; guard with an explicit zero-length check before the loop.
	 */
	for (len = strlen(line) - 1; len > 0; len--) {
		if (strchr(WHITESPACE, line[len]) == NULL)
	/* Get the keyword. (Each line is supposed to begin with a keyword). */
	keyword = strdelim(&s);
	/*
	 * Ignore leading whitespace. The first strdelim() call is assumed
	 * never to return NULL for a non-NULL s, so dereferencing keyword
	 * here is safe; only the second call (after the string may have been
	 * exhausted) can yield NULL, which the test below handles.
	 */
	if (*keyword == '\0')
		keyword = strdelim(&s);
	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
	opcode = parse_token(keyword, filename, linenum);
	/* don't panic, but count bad options */
	case oConnectTimeout:
		intptr = &options->connection_timeout;
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
		intptr = &options->forward_agent;
		/*
		 * Shared yes/no parser. The cases below that only set intptr
		 * jump here (the jump statements are on lines not shown).
		 * "true"/"false" are accepted as synonyms.
		 */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
		value = 0;	/* To avoid compiler warning... */
		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
		/*
		 * First-set-wins: assign only while inside a matching Host
		 * block and while the field still holds the initialize_options()
		 * sentinel (-1). Earlier sources (command line, earlier lines)
		 * therefore take precedence over later ones.
		 */
		if (*activep && *intptr == -1)
		intptr = &options->forward_x11;
	case oForwardX11Trusted:
		intptr = &options->forward_x11_trusted;
		intptr = &options->gateway_ports;
	case oUsePrivilegedPort:
		intptr = &options->use_privileged_port;
	case oPasswordAuthentication:
		intptr = &options->password_authentication;
	case oKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
	case oKbdInteractiveDevices:
		charptr = &options->kbd_interactive_devices;
	case oPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
	case oRSAAuthentication:
		intptr = &options->rsa_authentication;
	case oRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
	case oHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
	case oChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
	case oGssAuthentication:
		intptr = &options->gss_authentication;
	case oGssDelegateCreds:
		intptr = &options->gss_deleg_creds;
		intptr = &options->batch_mode;
		intptr = &options->check_host_ip;
	case oVerifyHostKeyDNS:
		intptr = &options->verify_host_key_dns;
	case oStrictHostKeyChecking:
		intptr = &options->strict_host_key_checking;
		/* Three-valued flag: yes / no / ask (the assigned values are on lines not shown). */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing yes/no/ask argument.",
		value = 0;	/* To avoid compiler warning... */
		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
		else if (strcmp(arg, "ask") == 0)
			fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
		if (*activep && *intptr == -1)
		intptr = &options->compression;
		intptr = &options->tcp_keep_alive;
	case oNoHostAuthenticationForLocalhost:
		intptr = &options->no_host_authentication_for_localhost;
	case oNumberOfPasswordPrompts:
		intptr = &options->number_of_password_prompts;
	case oCompressionLevel:
		intptr = &options->compression_level;
		intptr = &options->rekey_limit;
		/*
		 * RekeyLimit: a decimal number with an optional K/M/G suffix
		 * (the suffix cases of the switch are on lines not shown).
		 * NOTE(review): value is a plain int; if the suffix scaling
		 * multiplies it in place, large inputs overflow silently --
		 * compute in a wider temporary and range-check before storing.
		 */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (arg[0] < '0' || arg[0] > '9')
			fatal("%.200s line %d: Bad number.", filename, linenum);
		value = strtol(arg, &endofnumber, 10);
		if (arg == endofnumber)
			fatal("%.200s line %d: Bad number.", filename, linenum);
		switch (toupper(*endofnumber)) {
		if (*activep && *intptr == -1)
		/*
		 * IdentityFile: appends rather than first-set-wins, up to
		 * SSH_MAX_IDENTITY_FILES entries. The *activep guard around
		 * this append is presumably on a line not shown -- confirm.
		 */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
			intptr = &options->num_identity_files;
			if (*intptr >= SSH_MAX_IDENTITY_FILES)
				fatal("%.200s line %d: Too many identity files specified (max %d).",
				    filename, linenum, SSH_MAX_IDENTITY_FILES);
			charptr = &options->identity_files[*intptr];
			*charptr = xstrdup(arg);
			*intptr = *intptr + 1;
		charptr=&options->xauth_location;
		charptr = &options->user;
		/* Shared single-string parser: first non-NULL value wins while active. */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (*activep && *charptr == NULL)
			*charptr = xstrdup(arg);
	case oGlobalKnownHostsFile:
		charptr = &options->system_hostfile;
	case oUserKnownHostsFile:
		charptr = &options->user_hostfile;
	case oGlobalKnownHostsFile2:
		charptr = &options->system_hostfile2;
	case oUserKnownHostsFile2:
		charptr = &options->user_hostfile2;
		charptr = &options->hostname;
		charptr = &options->host_key_alias;
	case oPreferredAuthentications:
		charptr = &options->preferred_authentications;
		charptr = &options->bind_address;
	case oSmartcardDevice:
		charptr = &options->smartcard_device;
		charptr = &options->proxy_command;
		/*
		 * ProxyCommand takes the whole remainder of the line (after
		 * optional whitespace and '='), not a single token, so spaces
		 * are preserved and the end-of-line garbage check does not
		 * apply. The string is later run as a command: this is the
		 * main reason config files must not be writable by others.
		 */
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		len = strspn(s, WHITESPACE "=");
		if (*activep && *charptr == NULL)
			*charptr = xstrdup(s + len);
		intptr = &options->port;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (arg[0] < '0' || arg[0] > '9')
			fatal("%.200s line %d: Bad number.", filename, linenum);
		/*
		 * Octal, decimal, or hex format? (base 0 to strtol; a leading
		 * digit is required above, so "-1" is rejected.)
		 * NOTE(review): no upper-bound check is visible here, so a
		 * value above 65535 is accepted at parse time -- add a 1..65535
		 * range check, or rely on the connect path rejecting it.
		 */
		value = strtol(arg, &endofnumber, 0);
		if (arg == endofnumber)
			fatal("%.200s line %d: Bad number.", filename, linenum);
		if (*activep && *intptr == -1)
	case oConnectionAttempts:
		intptr = &options->connection_attempts;
		intptr = &options->cipher;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		value = cipher_number(arg);
		/* arg is already known non-NULL here; the "<NONE>" fallback is defensive only. */
			fatal("%.200s line %d: Bad cipher '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && *intptr == -1)
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		/* Ciphers/MACs/HostKeyAlgorithms: the list is validated here but not stored as a parsed list. */
		if (!ciphers_valid(arg))
			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
			fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->macs == NULL)
			options->macs = xstrdup(arg);
	case oHostKeyAlgorithms:
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (!key_names_valid2(arg))
			fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->hostkeyalgorithms == NULL)
			options->hostkeyalgorithms = xstrdup(arg);
		intptr = &options->protocol;
		/* Protocol: its "unset" sentinel is SSH_PROTO_UNKNOWN, not -1. */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%.200s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && *intptr == SSH_PROTO_UNKNOWN)
		/* LogLevel: stored through an int* alias; sentinel is SYSLOG_LEVEL_NOT_SET. */
		intptr = (int *) &options->log_level;
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
			*intptr = (LogLevel) value;
		/* LocalForward / RemoteForward: "[bindaddr:]port host:hostport" as two tokens. */
		if (arg == NULL || *arg == '\0')
			fatal("%.200s line %d: Missing port argument.",
		if (arg2 == NULL || *arg2 == '\0')
			fatal("%.200s line %d: Missing target argument.",
		/*
		 * construct a string for parse_forward
		 * NOTE(review): snprintf()'s return value is not checked, so a
		 * spec longer than sizeof(fwdarg) is silently truncated before
		 * parsing. Truncation inside the trailing port ("...:2222" ->
		 * "...:22") yields a well-formed but different forward; compare
		 * the return value against sizeof(fwdarg) and fatal() on overflow.
		 */
		snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
		if (parse_forward(&fwd, fwdarg) == 0)
			fatal("%.200s line %d: Bad forwarding specification.",
		/* Forwards are appended (no first-set-wins); the *activep guard is on a line not shown. */
		if (opcode == oLocalForward)
			add_local_forward(options, &fwd);
		else if (opcode == oRemoteForward)
			add_remote_forward(options, &fwd);
	case oDynamicForward:
		/*
		 * DynamicForward "[bindaddr:]port": recorded as a local forward
		 * whose connect_host is the literal "socks" marker (copied by
		 * add_local_forward(), so the literal is never freed).
		 */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing port argument.",
		memset(&fwd, '\0', sizeof(fwd));
		fwd.connect_host = "socks";
		fwd.listen_host = hpdelim(&arg);
		if (fwd.listen_host == NULL ||
		    strlen(fwd.listen_host) >= NI_MAXHOST)
			fatal("%.200s line %d: Bad forwarding specification.",
		/* Two tokens: "host:port" (arg is the port) ... */
			fwd.listen_port = a2port(arg);
			fwd.listen_host = cleanhostname(fwd.listen_host);
		/* ... or one token: just the port, bind address left unspecified. */
			fwd.listen_port = a2port(fwd.listen_host);
			fwd.listen_host = NULL;
		/* a2port() signals a bad port with 0 in this code base. */
		if (fwd.listen_port == 0)
			fatal("%.200s line %d: Badly formatted port number.",
			add_local_forward(options, &fwd);
	case oClearAllForwardings:
		intptr = &options->clear_forwardings;
		/*
		 * Host: *activep becomes true if ANY pattern on the line
		 * matches host, false otherwise; it stays in effect until the
		 * next Host line. All patterns are consumed here, hence the
		 * note below about skipping the garbage check.
		 */
		while ((arg = strdelim(&s)) != NULL && *arg != '\0')
			if (match_pattern(host, arg)) {
				debug("Applying options for %.100s", arg);
		/* Avoid garbage check below, as strdelim is done. */
		intptr = &options->escape_char;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		/*
		 * "^X" control-character form, a single literal character, or
		 * "none". NOTE(review): arg[2] is read before arg[1] is known
		 * to be non-NUL; for the one-character argument "^" that reads
		 * the byte after the terminator. Testing strlen(arg) == 1 (or
		 * arg[1] == '\0') first avoids the over-read.
		 */
		if (arg[0] == '^' && arg[2] == 0 &&
		    (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
			value = (u_char) arg[1] & 31;
		else if (strlen(arg) == 1)
			value = (u_char) arg[0];
		else if (strcmp(arg, "none") == 0)
			value = SSH_ESCAPECHAR_NONE;
			fatal("%.200s line %d: Bad escape character.",
			value = 0;	/* Avoid compiler warning. */
		if (*activep && *intptr == -1)
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing address family.",
		intptr = &options->address_family;
		/* AddressFamily: inet / inet6 / any (the assigned AF_* values are on lines not shown). */
		if (strcasecmp(arg, "inet") == 0)
		else if (strcasecmp(arg, "inet6") == 0)
		else if (strcasecmp(arg, "any") == 0)
			fatal("Unsupported AddressFamily \"%s\"", arg);
		if (*activep && *intptr == -1)
	case oEnableSSHKeysign:
		intptr = &options->enable_ssh_keysign;
	case oIdentitiesOnly:
		intptr = &options->identities_only;
	case oServerAliveInterval:
		intptr = &options->server_alive_interval;
	case oServerAliveCountMax:
		intptr = &options->server_alive_count_max;
		/*
		 * SendEnv: a list of environment-variable name patterns. A
		 * '=' is rejected so a NAME=VALUE pair cannot be smuggled in;
		 * the names are only patterns, the values come from the local
		 * environment at connect time. Appends up to MAX_SEND_ENV.
		 */
		while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
			if (strchr(arg, '=') != NULL)
				fatal("%s line %d: Invalid environment name.",
			if (options->num_send_env >= MAX_SEND_ENV)
				fatal("%s line %d: too many send env.",
			options->send_env[options->num_send_env++] =
		charptr = &options->control_path;
		intptr = &options->control_master;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing ControlMaster argument.",
		value = 0;	/* To avoid compiler warning... */
		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
			value = SSHCTL_MASTER_YES;
		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
			value = SSHCTL_MASTER_NO;
		else if (strcmp(arg, "auto") == 0)
			value = SSHCTL_MASTER_AUTO;
		else if (strcmp(arg, "ask") == 0)
			value = SSHCTL_MASTER_ASK;
		else if (strcmp(arg, "autoask") == 0)
			value = SSHCTL_MASTER_AUTO_ASK;
			fatal("%.200s line %d: Bad ControlMaster argument.",
		if (*activep && *intptr == -1)
	case oHashKnownHosts:
		intptr = &options->hash_known_hosts;
		intptr = &options->tun_open;
		/* Tunnel: case-insensitive, unlike the plain yes/no flags above. */
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing yes/point-to-point/"
			    "ethernet/no argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcasecmp(arg, "ethernet") == 0)
			value = SSH_TUNMODE_ETHERNET;
		else if (strcasecmp(arg, "point-to-point") == 0)
			value = SSH_TUNMODE_POINTOPOINT;
		else if (strcasecmp(arg, "yes") == 0)
			value = SSH_TUNMODE_DEFAULT;
		else if (strcasecmp(arg, "no") == 0)
			value = SSH_TUNMODE_NO;
			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
			    "no argument: %s", filename, linenum, arg);
		/*
		 * TunnelDevice "local[:remote]". No first-set-wins test is
		 * visible for tun_local/tun_remote; whether an *activep guard
		 * wraps these assignments is decided on a line not shown.
		 */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		value = a2tun(arg, &value2);
		if (value == SSH_TUNID_ERR)
			fatal("%.200s line %d: Bad tun device.", filename, linenum);
			options->tun_local = value;
			options->tun_remote = value2;
		charptr = &options->local_command;
	case oPermitLocalCommand:
		intptr = &options->permit_local_command;
		/* Deprecated: silently accepted at debug level; Unsupported: reported with error(). */
		debug("%s line %d: Deprecated option \"%s\"",
		    filename, linenum, keyword);
		error("%s line %d: Unsupported option \"%s\"",
		    filename, linenum, keyword);
		fatal("process_config_line: Unimplemented opcode %d", opcode);
	/* Check that there is no garbage at end of line. */
	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
/*
 * Reads the config file and modifies the options accordingly. Options
 * should already be initialized before this call. This never returns if
 * there is an error. If the file does not exist, this returns 0.
 *
 * filename - path of the configuration file to read.
 * host     - host name that Host patterns are matched against.
 * options  - the Options to fill in (first-set-wins, see
 *            process_config_line()).
 * (Any further parameters, the local declarations and the return
 * statements are on lines not shown in this listing.)
 *
 * Lines are read with fgets() and handed one at a time to
 * process_config_line(); `active` carries the current Host-block match
 * state across lines. Unknown keywords are counted and reported together
 * at the end, after which the function is fatal().
 */
read_config_file(const char *filename, const char *host, Options *options,
	if ((f = fopen(filename, "r")) == NULL)
	/*
	 * Ownership/permission check on the ALREADY-OPEN stream: fstat() on
	 * the descriptor rather than stat() on the path, so the file checked
	 * is exactly the file that will be read (no check-then-open race).
	 * The file must be owned by root or by the real user, and must not be
	 * group- or world-writable -- a config file writable by someone else
	 * lets them supply e.g. a ProxyCommand that runs as this user.
	 * Whether this check is applied to every file or only some of them
	 * is decided on lines not shown here.
	 */
	if (fstat(fileno(f), &sb) == -1)
		fatal("fstat %s: %s", filename, strerror(errno));
	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
	    (sb.st_mode & 022) != 0))
		fatal("Bad owner or permissions on %s", filename);
	debug("Reading configuration data %.200s", filename);
	/*
	 * Mark that we are now processing the options. This flag is turned
	 * on/off by Host specifications.
	 */
	/*
	 * NOTE(review): a physical line longer than the line[] buffer (size
	 * not shown) is returned by fgets() in pieces and therefore parsed as
	 * two or more configuration lines; linenum counts pieces, not lines.
	 */
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		if (process_config_line(options, host, line, filename, linenum, &active) != 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
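/*
 * Initializes options to special values that indicate that they have not yet
 * been set. Read_config_file will only set options with this value. Options
 * are processed in the following order: command line, user config file,
 * system config file. Last, fill_default_options is called.
 *
 * options - the Options to reset; every field is overwritten.
 *
 * Sentinels: -1 for integer flags and counts, NULL for strings, 0 for the
 * array lengths, SSH_PROTO_UNKNOWN for protocol and SYSLOG_LEVEL_NOT_SET
 * for log_level. The whole struct is first filled with 'X' bytes,
 * presumably so that a field missed below shows up as obvious garbage
 * rather than a plausible zero -- every field that process_config_line()
 * or fill_default_options() tests against a sentinel must be listed here.
 */
void
initialize_options(Options * options)
{
	memset(options, 'X', sizeof(*options));

	/* Session / forwarding flags. */
	options->forward_agent = -1;
	options->forward_x11 = -1;
	options->forward_x11_trusted = -1;
	options->xauth_location = NULL;
	options->gateway_ports = -1;
	options->use_privileged_port = -1;

	/* Authentication methods. */
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->challenge_response_authentication = -1;
	options->gss_authentication = -1;
	options->gss_deleg_creds = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->kbd_interactive_devices = NULL;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;

	/* Host verification and connection behaviour. */
	options->batch_mode = -1;
	options->check_host_ip = -1;
	options->strict_host_key_checking = -1;
	options->compression = -1;
	options->tcp_keep_alive = -1;
	options->compression_level = -1;
	/*
	 * port was not reset in this listing although fill_default_options()
	 * tests it against -1; without this line it would hold 'X' bytes and
	 * never receive its default.
	 */
	options->port = -1;
	options->address_family = -1;
	options->connection_attempts = -1;
	options->connection_timeout = -1;
	options->number_of_password_prompts = -1;

	/* Algorithm selection. */
	options->cipher = -1;
	options->ciphers = NULL;
	options->macs = NULL;
	options->hostkeyalgorithms = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;

	/* Identities, target host and commands. */
	options->num_identity_files = 0;
	options->hostname = NULL;
	options->host_key_alias = NULL;
	options->proxy_command = NULL;
	options->user = NULL;
	options->escape_char = -1;

	/* Known-hosts files. */
	options->system_hostfile = NULL;
	options->user_hostfile = NULL;
	options->system_hostfile2 = NULL;
	options->user_hostfile2 = NULL;

	/* Port forwards. */
	options->num_local_forwards = 0;
	options->num_remote_forwards = 0;
	options->clear_forwardings = -1;

	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->preferred_authentications = NULL;
	options->bind_address = NULL;
	options->smartcard_device = NULL;
	options->enable_ssh_keysign = - 1;
	options->no_host_authentication_for_localhost = - 1;
	options->identities_only = - 1;
	options->rekey_limit = - 1;
	options->verify_host_key_dns = -1;
	options->server_alive_interval = -1;
	options->server_alive_count_max = -1;
	options->none_switch = -1;

	/* Environment, connection sharing, tunnels, local command. */
	options->num_send_env = 0;
	options->control_path = NULL;
	options->control_master = -1;
	options->hash_known_hosts = -1;
	options->tun_open = -1;
	options->tun_local = -1;
	options->tun_remote = -1;
	options->local_command = NULL;
	options->permit_local_command = -1;
}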
/*
 * Called after processing other sources of option data, this fills those
 * options for which no value has been specified with their default values.
 *
 * options - the Options to complete; only fields still holding their
 *           initialize_options() sentinel are touched.
 *
 * Defaults worth knowing when reviewing a deployment (all visible below):
 * no agent/X11 forwarding, StrictHostKeyChecking "ask", CheckHostIP on,
 * VerifyHostKeyDNS off, HashKnownHosts off, password and keyboard-
 * interactive authentication on, GSSAPI off. Both protocol versions are
 * offered when Protocol is unset.
 * (The local declarations, the xmalloc() calls for the identity-file
 * strings and some closing braces are on lines not shown.)
 */
fill_default_options(Options * options)
	if (options->forward_agent == -1)
		options->forward_agent = 0;
	if (options->forward_x11 == -1)
		options->forward_x11 = 0;
	if (options->forward_x11_trusted == -1)
		options->forward_x11_trusted = 0;
	/* Not duplicated: string constants and xstrdup()'d strings share these fields. */
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	if (options->use_privileged_port == -1)
		options->use_privileged_port = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->gss_authentication == -1)
		options->gss_authentication = 0;
	if (options->gss_deleg_creds == -1)
		options->gss_deleg_creds = 0;
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 1;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->batch_mode == -1)
		options->batch_mode = 0;
	if (options->check_host_ip == -1)
		options->check_host_ip = 1;
	/* 2 is the "ask" setting of the yes/no/ask parser in process_config_line(). */
	if (options->strict_host_key_checking == -1)
		options->strict_host_key_checking = 2;	/* 2 is default */
	if (options->compression == -1)
		options->compression = 0;
	if (options->tcp_keep_alive == -1)
		options->tcp_keep_alive = 1;
	if (options->compression_level == -1)
		options->compression_level = 6;
	if (options->port == -1)
		options->port = 0;	/* Filled in ssh_connect. */
	if (options->address_family == -1)
		options->address_family = AF_UNSPEC;
	if (options->connection_attempts == -1)
		options->connection_attempts = 1;
	if (options->number_of_password_prompts == -1)
		options->number_of_password_prompts = 3;
	/* Selected in ssh_login(). */
	if (options->cipher == -1)
		options->cipher = SSH_CIPHER_NOT_SET;
	/* options->ciphers, default set in myproposals.h */
	/* options->macs, default set in myproposals.h */
	/* options->hostkeyalgorithms, default set in myproposals.h */
	/*
	 * NOTE(review): with Protocol unset the client offers protocol 1 as
	 * well as 2, and rsa_authentication (a protocol-1 method) defaults on
	 * above. Deployments that want to rule out a protocol-1 session must
	 * set "Protocol 2" explicitly; this code does not do it for them.
	 */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	/*
	 * Default identity files, one per enabled protocol, as "~/" + path.
	 * The buffer is sized from strlen() but the format limits the path to
	 * 100 characters (%.100s), so a longer constant would be truncated.
	 */
	if (options->num_identity_files == 0) {
		if (options->protocol & SSH_PROTO_1) {
			len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
			options->identity_files[options->num_identity_files] =
			snprintf(options->identity_files[options->num_identity_files++],
			    len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
		if (options->protocol & SSH_PROTO_2) {
			len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
			options->identity_files[options->num_identity_files] =
			snprintf(options->identity_files[options->num_identity_files++],
			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
			len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
			options->identity_files[options->num_identity_files] =
			snprintf(options->identity_files[options->num_identity_files++],
			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
	if (options->escape_char == -1)
		options->escape_char = '~';
	if (options->system_hostfile == NULL)
		options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
	if (options->user_hostfile == NULL)
		options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
	if (options->system_hostfile2 == NULL)
		options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
	if (options->user_hostfile2 == NULL)
		options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/*
	 * ClearAllForwardings is applied here, after every source has been
	 * read, so it discards forwards from all of them -- including ones
	 * given on the command line, which is processed first.
	 */
	if (options->clear_forwardings == 1)
		clear_forwardings(options);
	if (options->no_host_authentication_for_localhost == - 1)
		options->no_host_authentication_for_localhost = 0;
	if (options->identities_only == -1)
		options->identities_only = 0;
	if (options->enable_ssh_keysign == -1)
		options->enable_ssh_keysign = 0;
	if (options->rekey_limit == -1)
		options->rekey_limit = 0;
	if (options->verify_host_key_dns == -1)
		options->verify_host_key_dns = 0;
	if (options->server_alive_interval == -1)
		options->server_alive_interval = 0;
	if (options->server_alive_count_max == -1)
		options->server_alive_count_max = 3;
	if (options->none_switch == -1)
		options->none_switch = 0;
	if (options->control_master == -1)
		options->control_master = 0;
	if (options->hash_known_hosts == -1)
		options->hash_known_hosts = 0;
	if (options->tun_open == -1)
		options->tun_open = SSH_TUNMODE_NO;
	if (options->tun_local == -1)
		options->tun_local = SSH_TUNID_ANY;
	if (options->tun_remote == -1)
		options->tun_remote = SSH_TUNID_ANY;
	if (options->permit_local_command == -1)
		options->permit_local_command = 0;
	/* options->local_command should not be set by default */
	/* options->proxy_command should not be set by default */
	/* options->user will be set in the main program if appropriate */
	/* options->hostname will be set in the main program if appropriate */
	/* options->host_key_alias should not be set by default */
	/* options->preferred_authentications will be set in ssh */
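/*
 * parses a string containing a port forwarding specification of the form:
 * [listenhost:]listenport:connecthost:connectport
 * returns number of arguments parsed or zero on error
 *
 * fwd     - filled in on success; zeroed first. Its host strings are
 *           freshly allocated and belong to the caller.
 * fwdspec - the text to parse; not modified (a private copy is tokenised).
 *
 * A spec is rejected (return 0, nothing left allocated in fwd) when it
 * has fewer than 3 or more than 4 fields, when EITHER port fails a2port()
 * (which returns 0 for a bad port in this code base), or when either host
 * name is NI_MAXHOST characters or longer. Previously a bad connect port
 * was accepted as long as the listen port parsed, and only connect_host
 * was length-checked; both sides are now validated the same way.
 */
int
parse_forward(Forward *fwd, const char *fwdspec)
{
	int i;
	char *p, *cp, *fwdarg[4];

	memset(fwd, '\0', sizeof(*fwd));

	cp = p = xstrdup(fwdspec);

	/* skip leading spaces */
	while (*cp && isspace((unsigned char)*cp))
		cp++;

	for (i = 0; i < 4; ++i)
		if ((fwdarg[i] = hpdelim(&cp)) == NULL)
			break;

	/*
	 * Check for trailing garbage in 4-arg case: hpdelim() leaves cp
	 * non-NULL when unconsumed input remains after the last field.
	 */
	if (cp != NULL)
		i = 0;	/* failure */

	switch (i) {
	case 3:
		fwd->listen_host = NULL;
		fwd->listen_port = a2port(fwdarg[0]);
		fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
		fwd->connect_port = a2port(fwdarg[2]);
		break;
	case 4:
		fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
		fwd->listen_port = a2port(fwdarg[1]);
		fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
		fwd->connect_port = a2port(fwdarg[3]);
		break;
	default:
		i = 0;	/* failure */
		break;
	}

	xfree(p);

	/* Either port being invalid makes the whole forward invalid. */
	if (fwd->listen_port == 0 || fwd->connect_port == 0)
		goto fail_free;

	/* Same length bound on both host names (DynamicForward applies it too). */
	if (fwd->connect_host != NULL &&
	    strlen(fwd->connect_host) >= NI_MAXHOST)
		goto fail_free;
	if (fwd->listen_host != NULL &&
	    strlen(fwd->listen_host) >= NI_MAXHOST)
		goto fail_free;

	return (i);

 fail_free:
	/* Release and NULL the pointers so the caller never sees freed memory. */
	if (fwd->connect_host != NULL) {
		xfree(fwd->connect_host);
		fwd->connect_host = NULL;
	}
	if (fwd->listen_host != NULL) {
		xfree(fwd->listen_host);
		fwd->listen_host = NULL;
	}
	return (0);
}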