1 /* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
46 /* Format of the configuration file:
48 # Configuration data is parsed as follows:
49 # 1. command line options
50 # 2. user-specific file
52 # Any configuration value is only changed the first time it is set.
53 # Thus, host-specific definitions should be at the beginning of the
54 # configuration file, and defaults at the end.
56 # Host-specific declarations. These may override anything above. A single
57 # host may match multiple declarations; these are processed in the order
58 # that they are given in.
64 HostName another.host.name.real.org
71 RemoteForward 9999 shadows.cs.hut.fi:9999
77 PasswordAuthentication no
81 ProxyCommand ssh-proxy %h %p
84 PublicKeyAuthentication no
88 PasswordAuthentication no
94 # Defaults for various options
98 PasswordAuthentication yes
100 RhostsRSAAuthentication yes
101 StrictHostKeyChecking yes
103 IdentityFile ~/.ssh/identity
109 /* Keyword tokens. */
/*
 * One enumerator per recognised client configuration keyword.  The
 * keywords[] table below maps the lower-case keyword text onto these.
 * Keywords that are still accepted but no longer honoured map to
 * oDeprecated (reported at debug level by process_config_line()), and
 * keywords whose support was not compiled in map to oUnsupported
 * (reported with error()).  oBadOption, mentioned by parse_token()'s
 * contract, is the "unknown keyword" value.
 * NOTE(review): the enum header, the oBadOption enumerator and the
 * closing typedef are not visible in this excerpt.
 */
113 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
114 oExitOnForwardFailure,
115 oPasswordAuthentication, oRSAAuthentication,
116 oChallengeResponseAuthentication, oXAuthLocation,
117 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
118 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
119 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
120 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
121 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
122 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
123 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
124 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
125 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
126 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
127 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
129 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
130 oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
131 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
132 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
133 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
134 oVisualHostKey, oZeroKnowledgePasswordAuthentication,
/* The two sentinels below are never produced by a real keyword lookup
 * on their own; they are what the table maps retired/unbuilt keywords to. */
135 oDeprecated, oUnsupported
138 /* Textual representations of the tokens. */
/*
 * keywords[]: keyword text -> opcode.  parse_token() walks this table
 * with strcasecmp(), so entries are written in lower case and a config
 * file may use any capitalisation.  Entries marked "alias" or "obsolete"
 * keep old spellings working by mapping them onto the current token.
 * NOTE(review): the table declaration, its NULL terminator and the
 * build-time conditionals are not visible in this excerpt.
 */
144 { "forwardagent", oForwardAgent },
145 { "forwardx11", oForwardX11 },
146 { "forwardx11trusted", oForwardX11Trusted },
147 { "exitonforwardfailure", oExitOnForwardFailure },
148 { "xauthlocation", oXAuthLocation },
149 { "gatewayports", oGatewayPorts },
150 { "useprivilegedport", oUsePrivilegedPort },
151 { "rhostsauthentication", oDeprecated },
152 { "passwordauthentication", oPasswordAuthentication },
153 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
154 { "kbdinteractivedevices", oKbdInteractiveDevices },
155 { "rsaauthentication", oRSAAuthentication },
156 { "pubkeyauthentication", oPubkeyAuthentication },
157 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
158 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
159 { "hostbasedauthentication", oHostbasedAuthentication },
160 { "challengeresponseauthentication", oChallengeResponseAuthentication },
161 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
162 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
/* Kerberos keywords are accepted so old files still parse, but rejected
 * with an error by the oUnsupported handler. */
163 { "kerberosauthentication", oUnsupported },
164 { "kerberostgtpassing", oUnsupported },
165 { "afstokenpassing", oUnsupported },
/* The GSSAPI keywords appear twice: once bound to their real tokens and
 * once bound to oUnsupported.  Presumably one group is selected by a
 * build-time conditional (not visible here) -- confirm against the
 * full source. */
167 { "gssapiauthentication", oGssAuthentication },
168 { "gssapikeyexchange", oGssKeyEx },
169 { "gssapidelegatecredentials", oGssDelegateCreds },
170 { "gssapitrustdns", oGssTrustDns },
171 { "gssapiclientidentity", oGssClientIdentity },
172 { "gssapirenewalforcesrekey", oGssRenewalRekey },
174 { "gssapiauthentication", oUnsupported },
175 { "gssapikeyexchange", oUnsupported },
176 { "gssapidelegatecredentials", oUnsupported },
177 { "gssapitrustdns", oUnsupported },
178 { "gssapiclientidentity", oUnsupported },
179 { "gssapirenewalforcesrekey", oUnsupported },
181 { "fallbacktorsh", oDeprecated },
182 { "usersh", oDeprecated },
183 { "identityfile", oIdentityFile },
184 { "identityfile2", oIdentityFile }, /* obsolete */
185 { "identitiesonly", oIdentitiesOnly },
186 { "hostname", oHostName },
187 { "hostkeyalias", oHostKeyAlias },
188 { "proxycommand", oProxyCommand },
190 { "cipher", oCipher },
191 { "ciphers", oCiphers },
193 { "protocol", oProtocol },
194 { "remoteforward", oRemoteForward },
195 { "localforward", oLocalForward },
198 { "escapechar", oEscapeChar },
199 { "globalknownhostsfile", oGlobalKnownHostsFile },
200 { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */
201 { "userknownhostsfile", oUserKnownHostsFile },
202 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
203 { "connectionattempts", oConnectionAttempts },
204 { "batchmode", oBatchMode },
205 { "checkhostip", oCheckHostIP },
206 { "stricthostkeychecking", oStrictHostKeyChecking },
207 { "compression", oCompression },
208 { "compressionlevel", oCompressionLevel },
209 { "tcpkeepalive", oTCPKeepAlive },
210 { "keepalive", oTCPKeepAlive }, /* obsolete */
211 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
212 { "loglevel", oLogLevel },
213 { "dynamicforward", oDynamicForward },
214 { "preferredauthentications", oPreferredAuthentications },
215 { "hostkeyalgorithms", oHostKeyAlgorithms },
216 { "bindaddress", oBindAddress },
/* Same pattern as the GSSAPI group: real token vs. oUnsupported,
 * presumably selected at build time. */
218 { "smartcarddevice", oSmartcardDevice },
220 { "smartcarddevice", oUnsupported },
222 { "clearallforwardings", oClearAllForwardings },
223 { "enablesshkeysign", oEnableSSHKeysign },
224 { "verifyhostkeydns", oVerifyHostKeyDNS },
225 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
226 { "rekeylimit", oRekeyLimit },
227 { "connecttimeout", oConnectTimeout },
228 { "addressfamily", oAddressFamily },
229 { "serveraliveinterval", oServerAliveInterval },
230 { "serveralivecountmax", oServerAliveCountMax },
231 { "sendenv", oSendEnv },
232 { "controlpath", oControlPath },
233 { "controlmaster", oControlMaster },
234 { "hashknownhosts", oHashKnownHosts },
235 { "tunnel", oTunnel },
236 { "tunneldevice", oTunnelDevice },
237 { "localcommand", oLocalCommand },
238 { "permitlocalcommand", oPermitLocalCommand },
239 { "visualhostkey", oVisualHostKey },
/* Same pattern again: real token vs. oUnsupported, presumably selected
 * at build time. */
241 { "zeroknowledgepasswordauthentication",
242 oZeroKnowledgePasswordAuthentication },
244 { "zeroknowledgepasswordauthentication", oUnsupported },
/*
 * Adds a local TCP/IP port forward to options. Never returns if there is an
 * error: fatal() is called when a non-root user asks for a listen port in
 * the privileged range, or when the per-direction forward table is full.
 * Only the pointers in *newfwd are copied (no string duplication), so the
 * listen_host/connect_host strings are owned by options afterwards and are
 * released by clear_forwardings().
 */
void
add_local_forward(Options *options, const Forward *newfwd)
{
	Forward *slot;

#ifndef NO_IPPORT_RESERVED_CONCEPT
	extern uid_t original_real_uid;

	/* Ports below IPPORT_RESERVED may only be bound by the superuser;
	 * the check uses the real uid the process started with. */
	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
		fatal("Privileged ports can only be forwarded by root.");
#endif
	/* Bounds check before indexing the fixed-size forward table. */
	if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many local forwards (max %d).",
		    SSH_MAX_FORWARDS_PER_DIRECTION);

	slot = &options->local_forwards[options->num_local_forwards];
	options->num_local_forwards++;

	slot->listen_host = newfwd->listen_host;
	slot->listen_port = newfwd->listen_port;
	slot->connect_host = newfwd->connect_host;
	slot->connect_port = newfwd->connect_port;
}
/*
 * Adds a remote TCP/IP port forward to options. Never returns if there is
 * an error: fatal() is called when the per-direction forward table is full.
 * Only the pointers in *newfwd are copied (no string duplication), so the
 * listen_host/connect_host strings are owned by options afterwards and are
 * released by clear_forwardings().  No privileged-port check is made here;
 * the listen side of a remote forward is bound by the server.
 */
void
add_remote_forward(Options *options, const Forward *newfwd)
{
	Forward *slot;

	/* Bounds check before indexing the fixed-size forward table. */
	if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many remote forwards (max %d).",
		    SSH_MAX_FORWARDS_PER_DIRECTION);

	slot = &options->remote_forwards[options->num_remote_forwards];
	options->num_remote_forwards++;

	slot->listen_host = newfwd->listen_host;
	slot->listen_port = newfwd->listen_port;
	slot->connect_host = newfwd->connect_host;
	slot->connect_port = newfwd->connect_port;
}
/*
 * Releases every local and remote forward recorded in options, resets both
 * counts to zero and switches tunnel forwarding off (tun_open).
 * listen_host may legitimately be NULL (no explicit bind address), so it is
 * only freed when set; connect_host is freed unconditionally, as every
 * forward produced by parse_forward() carries one.
 */
void
clear_forwardings(Options *options)
{
	int n;

	for (n = 0; n < options->num_local_forwards; n++) {
		Forward *f = &options->local_forwards[n];

		if (f->listen_host != NULL)
			xfree(f->listen_host);
		xfree(f->connect_host);
	}
	options->num_local_forwards = 0;

	for (n = 0; n < options->num_remote_forwards; n++) {
		Forward *f = &options->remote_forwards[n];

		if (f->listen_host != NULL)
			xfree(f->listen_host);
		xfree(f->connect_host);
	}
	options->num_remote_forwards = 0;

	options->tun_open = SSH_TUNMODE_NO;
}
/*
 * Returns the number of the token pointed to by cp or oBadOption.
 * Matching against keywords[] is case-insensitive.  An unknown keyword is
 * reported with error(), naming filename and linenum, and oBadOption is
 * returned; whether that aborts the run is the caller's decision.
 */
static OpCodes
parse_token(const char *cp, const char *filename, int linenum)
{
	const char *name;
	size_t idx = 0;

	while ((name = keywords[idx].name) != NULL) {
		if (strcasecmp(name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return oBadOption;
}
333 * Processes a single option line as used in the configuration files. This
334 * only sets those values that have not already been set.
 *
 * options  - Options being filled in.  A value is stored only while
 *            *activep is non-zero and the field still holds its "unset"
 *            sentinel (-1, NULL, SSH_PROTO_UNKNOWN or
 *            SYSLOG_LEVEL_NOT_SET), so the first definition seen wins.
 * host     - host the configuration is being read for; Host blocks are
 *            matched against it with match_pattern().
 * line     - text of the line.  It is modified in place: trailing
 *            whitespace is removed and strdelim() tokenises it.
 * filename - name used in diagnostics together with linenum.
 * An unknown keyword is reported by parse_token() and presumably makes
 * the function return non-zero so the caller can count it; malformed
 * values call fatal().
 * NOTE(review): the parameter list continues past linenum and the local
 * declarations (len, fwd, activep) are not visible in this excerpt.
336 #define WHITESPACE " \t\r\n"
339 process_config_line(Options *options, const char *host,
340 char *line, const char *filename, int linenum,
/* fwdarg is the fixed-size scratch buffer a forwarding spec is
 * rebuilt into before parse_forward() sees it; see the note there. */
343 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
344 int opcode, *intptr, value, value2, scale;
345 LogLevel *log_level_ptr;
346 long long orig, val64;
350 /* Strip trailing whitespace */
/*
 * NOTE(review): if len is unsigned (its declaration is not visible),
 * an empty line makes strlen(line) - 1 wrap and line[len] then indexes
 * outside the buffer.  Guard before the loop:
 *     if ((len = strlen(line)) == 0)
 *             return 0;
 */
351 for (len = strlen(line) - 1; len > 0; len--) {
352 if (strchr(WHITESPACE, line[len]) == NULL)
358 /* Get the keyword. (Each line is supposed to begin with a keyword). */
359 if ((keyword = strdelim(&s)) == NULL)
361 /* Ignore leading whitespace. */
362 if (*keyword == '\0')
363 keyword = strdelim(&s);
/* Blank lines and '#' comment lines carry no keyword and are skipped
 * (the early return is not visible here). */
364 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
367 opcode = parse_token(keyword, filename, linenum);
/* oBadOption: parse_token() has already logged the unknown keyword;
 * it is tallied by the caller rather than aborting the whole file. */
371 /* don't panic, but count bad options */
/* ConnectTimeout: convtime() turns "10", "1m" etc. into seconds and
 * returns -1 when the text is not a valid time. */
374 case oConnectTimeout:
375 intptr = &options->connection_timeout;
378 if (!arg || *arg == '\0')
379 fatal("%s line %d: missing time value.",
381 if ((value = convtime(arg)) == -1)
382 fatal("%s line %d: invalid time value.",
384 if (*activep && *intptr == -1)
/* ForwardAgent, and (via the shared yes/no parsing that follows) every
 * plain boolean option below: "yes"/"true" and "no"/"false" are the only
 * accepted spellings; the assignments to value between these lines are
 * not visible here. */
389 intptr = &options->forward_agent;
392 if (!arg || *arg == '\0')
393 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
394 value = 0; /* To avoid compiler warning... */
395 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
397 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
400 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
401 if (*activep && *intptr == -1)
406 intptr = &options->forward_x11;
409 case oForwardX11Trusted:
410 intptr = &options->forward_x11_trusted;
414 intptr = &options->gateway_ports;
417 case oExitOnForwardFailure:
418 intptr = &options->exit_on_forward_failure;
421 case oUsePrivilegedPort:
422 intptr = &options->use_privileged_port;
425 case oPasswordAuthentication:
426 intptr = &options->password_authentication;
429 case oZeroKnowledgePasswordAuthentication:
430 intptr = &options->zero_knowledge_password_authentication;
433 case oKbdInteractiveAuthentication:
434 intptr = &options->kbd_interactive_authentication;
437 case oKbdInteractiveDevices:
438 charptr = &options->kbd_interactive_devices;
441 case oPubkeyAuthentication:
442 intptr = &options->pubkey_authentication;
445 case oRSAAuthentication:
446 intptr = &options->rsa_authentication;
449 case oRhostsRSAAuthentication:
450 intptr = &options->rhosts_rsa_authentication;
453 case oHostbasedAuthentication:
454 intptr = &options->hostbased_authentication;
457 case oChallengeResponseAuthentication:
458 intptr = &options->challenge_response_authentication;
461 case oGssAuthentication:
462 intptr = &options->gss_authentication;
466 intptr = &options->gss_keyex;
469 case oGssDelegateCreds:
470 intptr = &options->gss_deleg_creds;
474 intptr = &options->gss_trust_dns;
477 case oGssClientIdentity:
478 charptr = &options->gss_client_identity;
481 case oGssRenewalRekey:
482 intptr = &options->gss_renewal_rekey;
486 intptr = &options->batch_mode;
490 intptr = &options->check_host_ip;
493 case oVerifyHostKeyDNS:
494 intptr = &options->verify_host_key_dns;
/* StrictHostKeyChecking is a tri-state: yes/no plus "ask".  The value
 * each spelling maps to is not visible here; fill_default_options()
 * notes that 2 is the default. */
497 case oStrictHostKeyChecking:
498 intptr = &options->strict_host_key_checking;
501 if (!arg || *arg == '\0')
502 fatal("%.200s line %d: Missing yes/no/ask argument.",
504 value = 0; /* To avoid compiler warning... */
505 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
507 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
509 else if (strcmp(arg, "ask") == 0)
512 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
513 if (*activep && *intptr == -1)
518 intptr = &options->compression;
522 intptr = &options->tcp_keep_alive;
525 case oNoHostAuthenticationForLocalhost:
526 intptr = &options->no_host_authentication_for_localhost;
529 case oNumberOfPasswordPrompts:
530 intptr = &options->number_of_password_prompts;
533 case oCompressionLevel:
534 intptr = &options->compression_level;
/* RekeyLimit: a decimal count with an optional K/M/G suffix (the
 * suffix cases and the scaling multiply sit between these lines).  The
 * leading-digit test rejects a sign, so the value is non-negative. */
539 if (!arg || *arg == '\0')
540 fatal("%.200s line %d: Missing argument.", filename, linenum);
541 if (arg[0] < '0' || arg[0] > '9')
542 fatal("%.200s line %d: Bad number.", filename, linenum);
543 orig = val64 = strtoll(arg, &endofnumber, 10);
544 if (arg == endofnumber)
545 fatal("%.200s line %d: Bad number.", filename, linenum);
/* NOTE(review): *endofnumber is a plain char; <ctype.h> functions want
 * an unsigned char value, so a non-ASCII byte here is undefined
 * behaviour.  Prefer toupper((unsigned char)*endofnumber). */
546 switch (toupper(*endofnumber)) {
560 fatal("%.200s line %d: Invalid RekeyLimit suffix",
564 /* detect integer wrap and too-large limits */
/* Dividing the scaled value back by the scale must give the original
 * number; otherwise the multiply wrapped.  The UINT_MAX bound keeps the
 * result representable in the 32-bit rekey_limit field. */
565 if ((val64 / scale) != orig || val64 > UINT_MAX)
566 fatal("%.200s line %d: RekeyLimit too large",
569 fatal("%.200s line %d: RekeyLimit too small",
571 if (*activep && options->rekey_limit == -1)
572 options->rekey_limit = (u_int32_t)val64;
/* IdentityFile: appends to a fixed array; the bound check precedes the
 * store so the array cannot be overrun.  Whether the store is gated on
 * *activep is not visible here. */
577 if (!arg || *arg == '\0')
578 fatal("%.200s line %d: Missing argument.", filename, linenum);
580 intptr = &options->num_identity_files;
581 if (*intptr >= SSH_MAX_IDENTITY_FILES)
582 fatal("%.200s line %d: Too many identity files specified (max %d).",
583 filename, linenum, SSH_MAX_IDENTITY_FILES);
584 charptr = &options->identity_files[*intptr];
585 *charptr = xstrdup(arg);
586 *intptr = *intptr + 1;
591 charptr=&options->xauth_location;
/* User and the string options that follow share one parser: a single
 * token, duplicated with xstrdup() on first assignment only. */
595 charptr = &options->user;
598 if (!arg || *arg == '\0')
599 fatal("%.200s line %d: Missing argument.", filename, linenum);
600 if (*activep && *charptr == NULL)
601 *charptr = xstrdup(arg);
604 case oGlobalKnownHostsFile:
605 charptr = &options->system_hostfile;
608 case oUserKnownHostsFile:
609 charptr = &options->user_hostfile;
612 case oGlobalKnownHostsFile2:
613 charptr = &options->system_hostfile2;
616 case oUserKnownHostsFile2:
617 charptr = &options->user_hostfile2;
621 charptr = &options->hostname;
625 charptr = &options->host_key_alias;
628 case oPreferredAuthentications:
629 charptr = &options->preferred_authentications;
633 charptr = &options->bind_address;
636 case oSmartcardDevice:
637 charptr = &options->smartcard_device;
/* ProxyCommand (and, presumably, LocalCommand) takes the untokenised
 * remainder of the line: strspn() skips leading blanks and an optional
 * '=', and everything after it is stored verbatim and unvalidated.
 * This case presumably returns before the trailing-garbage check
 * below (the return is not visible here). */
641 charptr = &options->proxy_command;
644 fatal("%.200s line %d: Missing argument.", filename, linenum);
645 len = strspn(s, WHITESPACE "=");
646 if (*activep && *charptr == NULL)
647 *charptr = xstrdup(s + len);
/* Port and the integer options that share this parser: strtol() with
 * base 0 accepts decimal, octal (leading 0) and hex (0x).  Only the
 * leading digit and a successful conversion are checked; no range
 * check (e.g. <= 65535 for Port) is visible in this function. */
651 intptr = &options->port;
654 if (!arg || *arg == '\0')
655 fatal("%.200s line %d: Missing argument.", filename, linenum);
656 if (arg[0] < '0' || arg[0] > '9')
657 fatal("%.200s line %d: Bad number.", filename, linenum);
659 /* Octal, decimal, or hex format? */
660 value = strtol(arg, &endofnumber, 0);
661 if (arg == endofnumber)
662 fatal("%.200s line %d: Bad number.", filename, linenum);
663 if (*activep && *intptr == -1)
667 case oConnectionAttempts:
668 intptr = &options->connection_attempts;
/* Cipher (protocol 1): cipher_number() resolves the name; the failing
 * comparison sits between these lines.  "arg ? arg : ..." is redundant
 * after the NULL check above but harmless. */
672 intptr = &options->cipher;
674 if (!arg || *arg == '\0')
675 fatal("%.200s line %d: Missing argument.", filename, linenum);
676 value = cipher_number(arg);
678 fatal("%.200s line %d: Bad cipher '%s'.",
679 filename, linenum, arg ? arg : "<NONE>");
680 if (*activep && *intptr == -1)
/* Ciphers / MACs / HostKeyAlgorithms (protocol 2): the list is validated
 * by the respective *_valid() helper before being stored as text. */
686 if (!arg || *arg == '\0')
687 fatal("%.200s line %d: Missing argument.", filename, linenum);
688 if (!ciphers_valid(arg))
689 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
690 filename, linenum, arg ? arg : "<NONE>");
691 if (*activep && options->ciphers == NULL)
692 options->ciphers = xstrdup(arg);
697 if (!arg || *arg == '\0')
698 fatal("%.200s line %d: Missing argument.", filename, linenum);
700 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
701 filename, linenum, arg ? arg : "<NONE>");
702 if (*activep && options->macs == NULL)
703 options->macs = xstrdup(arg);
706 case oHostKeyAlgorithms:
708 if (!arg || *arg == '\0')
709 fatal("%.200s line %d: Missing argument.", filename, linenum);
710 if (!key_names_valid2(arg))
711 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
712 filename, linenum, arg ? arg : "<NONE>");
713 if (*activep && options->hostkeyalgorithms == NULL)
714 options->hostkeyalgorithms = xstrdup(arg);
/* Protocol: proto_spec() yields a bitmask of protocol versions, or
 * SSH_PROTO_UNKNOWN, which doubles as the field's "unset" sentinel. */
718 intptr = &options->protocol;
720 if (!arg || *arg == '\0')
721 fatal("%.200s line %d: Missing argument.", filename, linenum);
722 value = proto_spec(arg);
723 if (value == SSH_PROTO_UNKNOWN)
724 fatal("%.200s line %d: Bad protocol spec '%s'.",
725 filename, linenum, arg ? arg : "<NONE>");
726 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
/* LogLevel: SYSLOG_LEVEL_NOT_SET is both the parse-failure value and
 * the field's "unset" sentinel. */
731 log_level_ptr = &options->log_level;
733 value = log_level_number(arg);
734 if (value == SYSLOG_LEVEL_NOT_SET)
735 fatal("%.200s line %d: unsupported log level '%s'",
736 filename, linenum, arg ? arg : "<NONE>");
737 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
738 *log_level_ptr = (LogLevel) value;
/* LocalForward / RemoteForward / DynamicForward: the one or two tokens
 * are re-joined into fwdarg and handed to parse_forward().
 * NOTE(review): neither snprintf() nor strlcpy() below is checked for
 * truncation.  A specification longer than sizeof(fwdarg) - 1 bytes is
 * silently cut, and the shortened text is what gets parsed and
 * possibly accepted; parse_forward()'s NI_MAXHOST limit is larger than
 * fwdarg and so does not catch this.  Treat a return value
 * >= sizeof(fwdarg) from either call as fatal(). */
743 case oDynamicForward:
745 if (arg == NULL || *arg == '\0')
746 fatal("%.200s line %d: Missing port argument.",
749 if (opcode == oLocalForward ||
750 opcode == oRemoteForward) {
752 if (arg2 == NULL || *arg2 == '\0')
753 fatal("%.200s line %d: Missing target argument.",
756 /* construct a string for parse_forward */
757 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
758 } else if (opcode == oDynamicForward) {
759 strlcpy(fwdarg, arg, sizeof(fwdarg));
/* parse_forward() returns 0 on any error, including out-of-range ports
 * and over-long host names. */
762 if (parse_forward(&fwd, fwdarg,
763 opcode == oDynamicForward ? 1 : 0,
764 opcode == oRemoteForward ? 1 : 0) == 0)
765 fatal("%.200s line %d: Bad forwarding specification.",
/* Dynamic (SOCKS) forwards are stored in the local table; the
 * privileged-port check lives in add_local_forward().  Whether the add
 * is gated on *activep is not visible here. */
769 if (opcode == oLocalForward ||
770 opcode == oDynamicForward)
771 add_local_forward(options, &fwd);
772 else if (opcode == oRemoteForward)
773 add_remote_forward(options, &fwd);
777 case oClearAllForwardings:
778 intptr = &options->clear_forwardings;
/* Host: every remaining token is a pattern for match_pattern(); the
 * first match re-enables option processing for the lines that follow
 * (the assignments to *activep are not visible here). */
783 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
784 if (match_pattern(host, arg)) {
785 debug("Applying options for %.100s", arg);
789 /* Avoid garbage check below, as strdelim is done. */
/* EscapeChar: "^X" control form, a single character, or "none".
 * NOTE(review): "arg[0] == '^' && arg[2] == 0" reads arg[2] before
 * confirming arg[1] is not the terminator, so the one-character
 * argument "^" reads one byte past the end of the string.  Reorder to
 *     arg[0] == '^' && arg[1] != '\0' && arg[2] == '\0'
 * (or test strlen(arg) == 2 first). */
793 intptr = &options->escape_char;
795 if (!arg || *arg == '\0')
796 fatal("%.200s line %d: Missing argument.", filename, linenum);
797 if (arg[0] == '^' && arg[2] == 0 &&
798 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
799 value = (u_char) arg[1] & 31;
800 else if (strlen(arg) == 1)
801 value = (u_char) arg[0];
802 else if (strcmp(arg, "none") == 0)
803 value = SSH_ESCAPECHAR_NONE;
805 fatal("%.200s line %d: Bad escape character.",
808 value = 0; /* Avoid compiler warning. */
810 if (*activep && *intptr == -1)
/* AddressFamily: inet / inet6 / any, compared case-insensitively; the
 * AF_* assignments sit between these lines.  Note this fatal() omits
 * filename and linenum, unlike its neighbours. */
816 if (!arg || *arg == '\0')
817 fatal("%s line %d: missing address family.",
819 intptr = &options->address_family;
820 if (strcasecmp(arg, "inet") == 0)
822 else if (strcasecmp(arg, "inet6") == 0)
824 else if (strcasecmp(arg, "any") == 0)
827 fatal("Unsupported AddressFamily \"%s\"", arg);
828 if (*activep && *intptr == -1)
832 case oEnableSSHKeysign:
833 intptr = &options->enable_ssh_keysign;
836 case oIdentitiesOnly:
837 intptr = &options->identities_only;
840 case oServerAliveInterval:
841 intptr = &options->server_alive_interval;
844 case oServerAliveCountMax:
845 intptr = &options->server_alive_count_max;
/* SendEnv: each token is an environment-variable name (pattern).  A
 * name containing '=' is rejected so a value cannot be smuggled in, and
 * the list is bounded by MAX_SEND_ENV before the store. */
849 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
850 if (strchr(arg, '=') != NULL)
851 fatal("%s line %d: Invalid environment name.",
855 if (options->num_send_env >= MAX_SEND_ENV)
856 fatal("%s line %d: too many send env.",
858 options->send_env[options->num_send_env++] =
864 charptr = &options->control_path;
/* ControlMaster: five accepted spellings, each mapped to its own
 * SSHCTL_MASTER_* value; anything else is fatal. */
868 intptr = &options->control_master;
870 if (!arg || *arg == '\0')
871 fatal("%.200s line %d: Missing ControlMaster argument.",
873 value = 0; /* To avoid compiler warning... */
874 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
875 value = SSHCTL_MASTER_YES;
876 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
877 value = SSHCTL_MASTER_NO;
878 else if (strcmp(arg, "auto") == 0)
879 value = SSHCTL_MASTER_AUTO;
880 else if (strcmp(arg, "ask") == 0)
881 value = SSHCTL_MASTER_ASK;
882 else if (strcmp(arg, "autoask") == 0)
883 value = SSHCTL_MASTER_AUTO_ASK;
885 fatal("%.200s line %d: Bad ControlMaster argument.",
887 if (*activep && *intptr == -1)
891 case oHashKnownHosts:
892 intptr = &options->hash_known_hosts;
/* Tunnel: the mode keyword selects an SSH_TUNMODE_* value; "yes" means
 * the default mode. */
896 intptr = &options->tun_open;
898 if (!arg || *arg == '\0')
899 fatal("%s line %d: Missing yes/point-to-point/"
900 "ethernet/no argument.", filename, linenum);
901 value = 0; /* silence compiler */
902 if (strcasecmp(arg, "ethernet") == 0)
903 value = SSH_TUNMODE_ETHERNET;
904 else if (strcasecmp(arg, "point-to-point") == 0)
905 value = SSH_TUNMODE_POINTOPOINT;
906 else if (strcasecmp(arg, "yes") == 0)
907 value = SSH_TUNMODE_DEFAULT;
908 else if (strcasecmp(arg, "no") == 0)
909 value = SSH_TUNMODE_NO;
911 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
912 "no argument: %s", filename, linenum, arg);
/* TunnelDevice: a2tun() parses the local and optional remote tun unit
 * numbers; SSH_TUNID_ERR signals a malformed spec.  Whether the two
 * stores below are gated on *activep is not visible here. */
919 if (!arg || *arg == '\0')
920 fatal("%.200s line %d: Missing argument.", filename, linenum);
921 value = a2tun(arg, &value2);
922 if (value == SSH_TUNID_ERR)
923 fatal("%.200s line %d: Bad tun device.", filename, linenum);
925 options->tun_local = value;
926 options->tun_remote = value2;
931 charptr = &options->local_command;
934 case oPermitLocalCommand:
935 intptr = &options->permit_local_command;
939 intptr = &options->visual_host_key;
/* oDeprecated is only noted at debug level; oUnsupported is an
 * error() (and presumably counted as a bad option); any opcode with no
 * case is a programming error and aborts. */
943 debug("%s line %d: Deprecated option \"%s\"",
944 filename, linenum, keyword);
948 error("%s line %d: Unsupported option \"%s\"",
949 filename, linenum, keyword);
953 fatal("process_config_line: Unimplemented opcode %d", opcode);
956 /* Check that there is no garbage at end of line. */
/* Any token left after the option's own arguments is fatal, so a line
 * cannot silently carry extra (ignored) words. */
957 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
958 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
959 filename, linenum, arg);
966 * Reads the config file and modifies the options accordingly. Options
967 * should already be initialized before this call. This never returns if
968 * there is an error. If the file does not exist, this returns 0.
 *
 * filename - path of the configuration file, also used in diagnostics.
 * host     - host the configuration is being read for (passed through
 *            to process_config_line() for Host matching).
 * options  - Options to fill in; only still-unset fields are changed.
 * NOTE(review): the parameter list continues past options and the
 * local declarations (f, sb, line, linenum, active, bad_options) are
 * not visible in this excerpt.
972 read_config_file(const char *filename, const char *host, Options *options,
980 if ((f = fopen(filename, "r")) == NULL)
/* Ownership/permission check done with fstat() on the already-open
 * stream, so it inspects the same file that will be read (no window
 * between a path-based stat and the open).  The file must be owned by
 * root or by the real user (getuid()), and must not be group- or
 * world-writable (mode & 022). */
986 if (fstat(fileno(f), &sb) == -1)
987 fatal("fstat %s: %s", filename, strerror(errno));
988 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
989 (sb.st_mode & 022) != 0))
990 fatal("Bad owner or permissions on %s", filename);
993 debug("Reading configuration data %.200s", filename);
996 * Mark that we are now processing the options. This flag is turned
997 * on/off by Host specifications.
/* line is a fixed-size buffer: a physical line longer than it is
 * returned by fgets() in pieces and each piece is parsed as a line of
 * its own, so the tail is reported as a bad option rather than
 * silently joined. */
1001 while (fgets(line, sizeof(line), f)) {
1002 /* Update line number counter. */
/* A non-zero return marks an unknown keyword; those are counted and
 * reported together after the whole file has been read, so every bad
 * option is shown in one pass. */
1004 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
1008 if (bad_options > 0)
1009 fatal("%s: terminating, %d bad configuration options",
1010 filename, bad_options);
1015 * Initializes options to special values that indicate that they have not yet
1016 * been set. Read_config_file will only set options with this value. Options
1017 * are processed in the following order: command line, user config file,
1018 * system config file. Last, fill_default_options is called.
 *
 * The sentinels are -1 for integers, NULL for strings, 0 for counters,
 * SSH_PROTO_UNKNOWN for protocol and SYSLOG_LEVEL_NOT_SET for log_level;
 * process_config_line() and fill_default_options() test for exactly
 * these values.
1022 initialize_options(Options * options)
/* Fill the whole struct with an obviously bogus byte first, so any
 * field that is forgotten below is a visible garbage value rather than
 * a plausible-looking zero. */
1024 memset(options, 'X', sizeof(*options));
1025 options->forward_agent = -1;
1026 options->forward_x11 = -1;
1027 options->forward_x11_trusted = -1;
1028 options->exit_on_forward_failure = -1;
1029 options->xauth_location = NULL;
1030 options->gateway_ports = -1;
1031 options->use_privileged_port = -1;
1032 options->rsa_authentication = -1;
1033 options->pubkey_authentication = -1;
1034 options->challenge_response_authentication = -1;
1035 options->gss_authentication = -1;
1036 options->gss_keyex = -1;
1037 options->gss_deleg_creds = -1;
1038 options->gss_trust_dns = -1;
1039 options->gss_renewal_rekey = -1;
1040 options->gss_client_identity = NULL;
1041 options->password_authentication = -1;
1042 options->kbd_interactive_authentication = -1;
1043 options->kbd_interactive_devices = NULL;
1044 options->rhosts_rsa_authentication = -1;
1045 options->hostbased_authentication = -1;
1046 options->batch_mode = -1;
1047 options->check_host_ip = -1;
1048 options->strict_host_key_checking = -1;
1049 options->compression = -1;
1050 options->tcp_keep_alive = -1;
1051 options->compression_level = -1;
/* NOTE(review): the reset of options->port is not visible in this
 * excerpt; fill_default_options() tests it against -1. */
1053 options->address_family = -1;
1054 options->connection_attempts = -1;
1055 options->connection_timeout = -1;
1056 options->number_of_password_prompts = -1;
1057 options->cipher = -1;
1058 options->ciphers = NULL;
1059 options->macs = NULL;
1060 options->hostkeyalgorithms = NULL;
1061 options->protocol = SSH_PROTO_UNKNOWN;
1062 options->num_identity_files = 0;
1063 options->hostname = NULL;
1064 options->host_key_alias = NULL;
1065 options->proxy_command = NULL;
1066 options->user = NULL;
1067 options->escape_char = -1;
1068 options->system_hostfile = NULL;
1069 options->user_hostfile = NULL;
1070 options->system_hostfile2 = NULL;
1071 options->user_hostfile2 = NULL;
/* The forward tables themselves are left as memset() garbage; only the
 * counts matter, and they start at zero. */
1072 options->num_local_forwards = 0;
1073 options->num_remote_forwards = 0;
1074 options->clear_forwardings = -1;
1075 options->log_level = SYSLOG_LEVEL_NOT_SET;
1076 options->preferred_authentications = NULL;
1077 options->bind_address = NULL;
1078 options->smartcard_device = NULL;
1079 options->enable_ssh_keysign = - 1;
1080 options->no_host_authentication_for_localhost = - 1;
1081 options->identities_only = - 1;
/* rekey_limit is unsigned 32-bit where it is stored by
 * process_config_line(); -1 is the all-ones "unset" pattern. */
1082 options->rekey_limit = - 1;
1083 options->verify_host_key_dns = -1;
1084 options->server_alive_interval = -1;
1085 options->server_alive_count_max = -1;
1086 options->num_send_env = 0;
1087 options->control_path = NULL;
1088 options->control_master = -1;
1089 options->hash_known_hosts = -1;
1090 options->tun_open = -1;
1091 options->tun_local = -1;
1092 options->tun_remote = -1;
1093 options->local_command = NULL;
1094 options->permit_local_command = -1;
1095 options->visual_host_key = -1;
1096 options->zero_knowledge_password_authentication = -1;
1100 * Called after processing other sources of option data, this fills those
1101 * options for which no value has been specified with their default values.
 *
 * Each field is tested against the sentinel initialize_options() gave
 * it, so anything the command line or a config file already set is left
 * alone.  The security-relevant defaults are commented inline.
 * NOTE(review): the local declaration of len is not visible here.
1105 fill_default_options(Options * options)
/* Agent and X11 forwarding are off unless explicitly enabled. */
1109 if (options->forward_agent == -1)
1110 options->forward_agent = 0;
1111 if (options->forward_x11 == -1)
1112 options->forward_x11 = 0;
1113 if (options->forward_x11_trusted == -1)
1114 options->forward_x11_trusted = 0;
1115 if (options->exit_on_forward_failure == -1)
1116 options->exit_on_forward_failure = 0;
1117 if (options->xauth_location == NULL)
1118 options->xauth_location = _PATH_XAUTH;
/* Forwarded listeners bind to the loopback address only by default. */
1119 if (options->gateway_ports == -1)
1120 options->gateway_ports = 0;
1121 if (options->use_privileged_port == -1)
1122 options->use_privileged_port = 0;
/* Key-based and challenge/response methods are on; the host-trust
 * methods (rhosts-RSA, hostbased) and all GSSAPI use, including
 * credential delegation, are off. */
1123 if (options->rsa_authentication == -1)
1124 options->rsa_authentication = 1;
1125 if (options->pubkey_authentication == -1)
1126 options->pubkey_authentication = 1;
1127 if (options->challenge_response_authentication == -1)
1128 options->challenge_response_authentication = 1;
1129 if (options->gss_authentication == -1)
1130 options->gss_authentication = 0;
1131 if (options->gss_keyex == -1)
1132 options->gss_keyex = 0;
1133 if (options->gss_deleg_creds == -1)
1134 options->gss_deleg_creds = 0;
1135 if (options->gss_trust_dns == -1)
1136 options->gss_trust_dns = 0;
1137 if (options->gss_renewal_rekey == -1)
1138 options->gss_renewal_rekey = 0;
1139 if (options->password_authentication == -1)
1140 options->password_authentication = 1;
1141 if (options->kbd_interactive_authentication == -1)
1142 options->kbd_interactive_authentication = 1;
1143 if (options->rhosts_rsa_authentication == -1)
1144 options->rhosts_rsa_authentication = 0;
1145 if (options->hostbased_authentication == -1)
1146 options->hostbased_authentication = 0;
1147 if (options->batch_mode == -1)
1148 options->batch_mode = 0;
/* Host-key verification defaults: the IP address is checked against
 * known_hosts as well as the name, and an unknown host key prompts
 * ("2 is default" per the original comment). */
1149 if (options->check_host_ip == -1)
1150 options->check_host_ip = 1;
1151 if (options->strict_host_key_checking == -1)
1152 options->strict_host_key_checking = 2; /* 2 is default */
1153 if (options->compression == -1)
1154 options->compression = 0;
1155 if (options->tcp_keep_alive == -1)
1156 options->tcp_keep_alive = 1;
1157 if (options->compression_level == -1)
1158 options->compression_level = 6;
1159 if (options->port == -1)
1160 options->port = 0; /* Filled in ssh_connect. */
1161 if (options->address_family == -1)
1162 options->address_family = AF_UNSPEC;
1163 if (options->connection_attempts == -1)
1164 options->connection_attempts = 1;
1165 if (options->number_of_password_prompts == -1)
1166 options->number_of_password_prompts = 3;
1167 /* Selected in ssh_login(). */
1168 if (options->cipher == -1)
1169 options->cipher = SSH_CIPHER_NOT_SET;
1170 /* options->ciphers, default set in myproposals.h */
1171 /* options->macs, default set in myproposals.h */
1172 /* options->hostkeyalgorithms, default set in myproposals.h */
/* Both protocol versions are enabled by default here, so a client with
 * no Protocol setting will accept a protocol-1 server. */
1173 if (options->protocol == SSH_PROTO_UNKNOWN)
1174 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
/* Default identity files, one per enabled protocol.  Each buffer is
 * sized from the full path length plus "~/" and the terminator, so the
 * "%.100s" precision cannot overrun it; the allocation lines are not
 * visible in this excerpt. */
1175 if (options->num_identity_files == 0) {
1176 if (options->protocol & SSH_PROTO_1) {
1177 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1178 options->identity_files[options->num_identity_files] =
1180 snprintf(options->identity_files[options->num_identity_files++],
1181 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1183 if (options->protocol & SSH_PROTO_2) {
1184 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1185 options->identity_files[options->num_identity_files] =
1187 snprintf(options->identity_files[options->num_identity_files++],
1188 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1190 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1191 options->identity_files[options->num_identity_files] =
1193 snprintf(options->identity_files[options->num_identity_files++],
1194 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1197 if (options->escape_char == -1)
1198 options->escape_char = '~';
1199 if (options->system_hostfile == NULL)
1200 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1201 if (options->user_hostfile == NULL)
1202 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1203 if (options->system_hostfile2 == NULL)
1204 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1205 if (options->user_hostfile2 == NULL)
1206 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1207 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1208 options->log_level = SYSLOG_LEVEL_INFO;
/* ClearAllForwardings is applied here, after every source has been
 * read, so it discards forwards from all of them. */
1209 if (options->clear_forwardings == 1)
1210 clear_forwardings(options);
1211 if (options->no_host_authentication_for_localhost == - 1)
1212 options->no_host_authentication_for_localhost = 0;
1213 if (options->identities_only == -1)
1214 options->identities_only = 0;
1215 if (options->enable_ssh_keysign == -1)
1216 options->enable_ssh_keysign = 0;
/* 0 means no data-volume based rekeying limit from this option. */
1217 if (options->rekey_limit == -1)
1218 options->rekey_limit = 0;
1219 if (options->verify_host_key_dns == -1)
1220 options->verify_host_key_dns = 0;
/* 0 disables server-alive probes; the count only matters when the
 * interval is non-zero. */
1221 if (options->server_alive_interval == -1)
1222 options->server_alive_interval = 0;
1223 if (options->server_alive_count_max == -1)
1224 options->server_alive_count_max = 3;
1225 if (options->control_master == -1)
1226 options->control_master = 0;
/* Host names are written to known_hosts in the clear unless
 * HashKnownHosts is enabled. */
1227 if (options->hash_known_hosts == -1)
1228 options->hash_known_hosts = 0;
1229 if (options->tun_open == -1)
1230 options->tun_open = SSH_TUNMODE_NO;
1231 if (options->tun_local == -1)
1232 options->tun_local = SSH_TUNID_ANY;
1233 if (options->tun_remote == -1)
1234 options->tun_remote = SSH_TUNID_ANY;
/* LocalCommand execution stays disabled unless PermitLocalCommand is
 * set explicitly. */
1235 if (options->permit_local_command == -1)
1236 options->permit_local_command = 0;
1237 if (options->visual_host_key == -1)
1238 options->visual_host_key = 0;
1239 if (options->zero_knowledge_password_authentication == -1)
1240 options->zero_knowledge_password_authentication = 0;
1241 /* options->local_command should not be set by default */
1242 /* options->proxy_command should not be set by default */
1243 /* options->user will be set in the main program if appropriate */
1244 /* options->hostname will be set in the main program if appropriate */
1245 /* options->host_key_alias should not be set by default */
1246 /* options->preferred_authentications will be set in ssh */
1251 * parses a string containing a port forwarding specification of the form:
1253 * [listenhost:]listenport:connecthost:connectport
1255 * [listenhost:]listenport
1256 * returns number of arguments parsed or zero on error
 *
 * fwd        - output; zeroed first, so on failure every pointer in it
 *              is NULL and the caller need not free anything.
 * fwdspec    - the text to parse; it is copied, never modified.
 * dynamicfwd - non-zero for a DynamicForward (SOCKS) spec, which has no
 *              connect side and gets "socks" as its connect_host.
 * remotefwd  - non-zero for a RemoteForward; only then is listen port 0
 *              accepted (the server picks the port).
 * On success fwd->listen_host/connect_host are heap copies owned by the
 * caller (in practice handed to add_local_forward()/add_remote_forward()
 * and freed by clear_forwardings()).
 * NOTE(review): the switch on the field count, the working copy's
 * release and the return statements are not visible in this excerpt.
1259 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1262 char *p, *cp, *fwdarg[4];
1264 memset(fwd, '\0', sizeof(*fwd));
/* p keeps the allocation; cp is advanced through it by hpdelim(). */
1266 cp = p = xstrdup(fwdspec);
1268 /* skip leading spaces */
/* NOTE(review): *cp is a plain char; pass (unsigned char)*cp to
 * isspace() to avoid undefined behaviour on non-ASCII bytes. */
1269 while (isspace(*cp))
/* At most four host/port fields; hpdelim() understands the
 * host:port and [v6addr]:port forms. */
1272 for (i = 0; i < 4; ++i)
1273 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1276 /* Check for trailing garbage */
1277 i = 0; /* failure */
/* One case per field count.  cleanhostname() strips IPv6 brackets;
 * a2port() converts the port text (negative on a bad port, see the
 * checks below). */
1282 fwd->listen_host = NULL;
1283 fwd->listen_port = a2port(fwdarg[0]);
1284 fwd->connect_host = xstrdup("socks");
1288 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1289 fwd->listen_port = a2port(fwdarg[1]);
1290 fwd->connect_host = xstrdup("socks");
1294 fwd->listen_host = NULL;
1295 fwd->listen_port = a2port(fwdarg[0]);
1296 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1297 fwd->connect_port = a2port(fwdarg[2]);
1301 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1302 fwd->listen_port = a2port(fwdarg[1]);
1303 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1304 fwd->connect_port = a2port(fwdarg[3]);
1307 i = 0; /* failure */
/* Field-count sanity: a dynamic forward has one or two fields, a
 * normal one three or four, and the latter needs a usable connect
 * port. */
1313 if (!(i == 1 || i == 2))
1316 if (!(i == 3 || i == 4))
1318 if (fwd->connect_port <= 0)
/* A negative listen port is a conversion error; port 0 is only
 * meaningful for remote forwards, where the server allocates it. */
1322 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
/* Host names are bounded below NI_MAXHOST before they reach the
 * resolver / channel code. */
1325 if (fwd->connect_host != NULL &&
1326 strlen(fwd->connect_host) >= NI_MAXHOST)
1328 if (fwd->listen_host != NULL &&
1329 strlen(fwd->listen_host) >= NI_MAXHOST)
/* Failure path: release whatever was duplicated and leave fwd with
 * NULL pointers, so the caller cannot double-free. */
1336 if (fwd->connect_host != NULL) {
1337 xfree(fwd->connect_host);
1338 fwd->connect_host = NULL;
1340 if (fwd->listen_host != NULL) {
1341 xfree(fwd->listen_host);
1342 fwd->listen_host = NULL;