1 /* $OpenBSD: servconf.c,v 1.194 2009/01/22 10:02:34 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
28 #include "openbsd-compat/sys-queue.h"
35 #include "pathnames.h"
43 #include "groupaccess.h"
45 static void add_listen_addr(ServerOptions *, char *, int);
46 static void add_one_listen_addr(ServerOptions *, char *, int);
48 /* Use of privilege separation or not */
49 extern int use_privsep;
52 /* Initializes the server options to their default values. */
55 initialize_server_options(ServerOptions *options)
57 memset(options, 0, sizeof(*options));
59 /* Portable-specific options */
60 options->use_pam = -1;
62 /* Standard Options */
63 options->num_ports = 0;
64 options->ports_from_cmdline = 0;
65 options->listen_addrs = NULL;
66 options->address_family = -1;
67 options->num_host_key_files = 0;
68 options->pid_file = NULL;
69 options->server_key_bits = -1;
70 options->login_grace_time = -1;
71 options->key_regeneration_time = -1;
72 options->permit_root_login = PERMIT_NOT_SET;
73 options->ignore_rhosts = -1;
74 options->ignore_user_known_hosts = -1;
75 options->print_motd = -1;
76 options->print_lastlog = -1;
77 options->x11_forwarding = -1;
78 options->x11_display_offset = -1;
79 options->x11_use_localhost = -1;
80 options->xauth_location = NULL;
81 options->strict_modes = -1;
82 options->tcp_keep_alive = -1;
83 options->log_facility = SYSLOG_FACILITY_NOT_SET;
84 options->log_level = SYSLOG_LEVEL_NOT_SET;
85 options->rhosts_rsa_authentication = -1;
86 options->hostbased_authentication = -1;
87 options->hostbased_uses_name_from_packet_only = -1;
88 options->rsa_authentication = -1;
89 options->pubkey_authentication = -1;
90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
93 options->kerberos_get_afs_token = -1;
94 options->gss_authentication=-1;
95 options->gss_keyex = -1;
96 options->gss_cleanup_creds = -1;
97 options->gss_strict_acceptor = -1;
98 options->gss_store_rekey = -1;
99 options->password_authentication = -1;
100 options->kbd_interactive_authentication = -1;
101 options->challenge_response_authentication = -1;
102 options->permit_empty_passwd = -1;
103 options->permit_user_env = -1;
104 options->use_login = -1;
105 options->compression = -1;
106 options->allow_tcp_forwarding = -1;
107 options->allow_agent_forwarding = -1;
108 options->num_allow_users = 0;
109 options->num_deny_users = 0;
110 options->num_allow_groups = 0;
111 options->num_deny_groups = 0;
112 options->ciphers = NULL;
113 options->macs = NULL;
114 options->protocol = SSH_PROTO_UNKNOWN;
115 options->gateway_ports = -1;
116 options->num_subsystems = 0;
117 options->max_startups_begin = -1;
118 options->max_startups_rate = -1;
119 options->max_startups = -1;
120 options->max_authtries = -1;
121 options->max_sessions = -1;
122 options->banner = NULL;
123 options->use_dns = -1;
124 options->client_alive_interval = -1;
125 options->client_alive_count_max = -1;
126 options->authorized_keys_file = NULL;
127 options->authorized_keys_file2 = NULL;
128 options->num_accept_env = 0;
129 options->permit_tun = -1;
130 options->num_permitted_opens = -1;
131 options->adm_forced_command = NULL;
132 options->chroot_directory = NULL;
133 options->zero_knowledge_password_authentication = -1;
137 fill_default_server_options(ServerOptions *options)
139 /* Portable-specific options */
140 if (options->use_pam == -1)
141 options->use_pam = 0;
143 /* Standard Options */
144 if (options->protocol == SSH_PROTO_UNKNOWN)
145 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
146 if (options->num_host_key_files == 0) {
147 /* fill default hostkeys for protocols */
148 if (options->protocol & SSH_PROTO_1)
149 options->host_key_files[options->num_host_key_files++] =
151 if (options->protocol & SSH_PROTO_2) {
152 options->host_key_files[options->num_host_key_files++] =
153 _PATH_HOST_RSA_KEY_FILE;
154 options->host_key_files[options->num_host_key_files++] =
155 _PATH_HOST_DSA_KEY_FILE;
158 if (options->num_ports == 0)
159 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
160 if (options->listen_addrs == NULL)
161 add_listen_addr(options, NULL, 0);
162 if (options->pid_file == NULL)
163 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
164 if (options->server_key_bits == -1)
165 options->server_key_bits = 1024;
166 if (options->login_grace_time == -1)
167 options->login_grace_time = 120;
168 if (options->key_regeneration_time == -1)
169 options->key_regeneration_time = 3600;
170 if (options->permit_root_login == PERMIT_NOT_SET)
171 options->permit_root_login = PERMIT_YES;
172 if (options->ignore_rhosts == -1)
173 options->ignore_rhosts = 1;
174 if (options->ignore_user_known_hosts == -1)
175 options->ignore_user_known_hosts = 0;
176 if (options->print_motd == -1)
177 options->print_motd = 1;
178 if (options->print_lastlog == -1)
179 options->print_lastlog = 1;
180 if (options->x11_forwarding == -1)
181 options->x11_forwarding = 0;
182 if (options->x11_display_offset == -1)
183 options->x11_display_offset = 10;
184 if (options->x11_use_localhost == -1)
185 options->x11_use_localhost = 1;
186 if (options->xauth_location == NULL)
187 options->xauth_location = _PATH_XAUTH;
188 if (options->strict_modes == -1)
189 options->strict_modes = 1;
190 if (options->tcp_keep_alive == -1)
191 options->tcp_keep_alive = 1;
192 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
193 options->log_facility = SYSLOG_FACILITY_AUTH;
194 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
195 options->log_level = SYSLOG_LEVEL_INFO;
196 if (options->rhosts_rsa_authentication == -1)
197 options->rhosts_rsa_authentication = 0;
198 if (options->hostbased_authentication == -1)
199 options->hostbased_authentication = 0;
200 if (options->hostbased_uses_name_from_packet_only == -1)
201 options->hostbased_uses_name_from_packet_only = 0;
202 if (options->rsa_authentication == -1)
203 options->rsa_authentication = 1;
204 if (options->pubkey_authentication == -1)
205 options->pubkey_authentication = 1;
206 if (options->kerberos_authentication == -1)
207 options->kerberos_authentication = 0;
208 if (options->kerberos_or_local_passwd == -1)
209 options->kerberos_or_local_passwd = 1;
210 if (options->kerberos_ticket_cleanup == -1)
211 options->kerberos_ticket_cleanup = 1;
212 if (options->kerberos_get_afs_token == -1)
213 options->kerberos_get_afs_token = 0;
214 if (options->gss_authentication == -1)
215 options->gss_authentication = 0;
216 if (options->gss_keyex == -1)
217 options->gss_keyex = 0;
218 if (options->gss_cleanup_creds == -1)
219 options->gss_cleanup_creds = 1;
220 if (options->gss_strict_acceptor == -1)
221 options->gss_strict_acceptor = 1;
222 if (options->gss_store_rekey == -1)
223 options->gss_store_rekey = 0;
224 if (options->password_authentication == -1)
225 options->password_authentication = 1;
226 if (options->kbd_interactive_authentication == -1)
227 options->kbd_interactive_authentication = 0;
228 if (options->challenge_response_authentication == -1)
229 options->challenge_response_authentication = 1;
230 if (options->permit_empty_passwd == -1)
231 options->permit_empty_passwd = 0;
232 if (options->permit_user_env == -1)
233 options->permit_user_env = 0;
234 if (options->use_login == -1)
235 options->use_login = 0;
236 if (options->compression == -1)
237 options->compression = COMP_DELAYED;
238 if (options->allow_tcp_forwarding == -1)
239 options->allow_tcp_forwarding = 1;
240 if (options->allow_agent_forwarding == -1)
241 options->allow_agent_forwarding = 1;
242 if (options->gateway_ports == -1)
243 options->gateway_ports = 0;
244 if (options->max_startups == -1)
245 options->max_startups = 10;
246 if (options->max_startups_rate == -1)
247 options->max_startups_rate = 100; /* 100% */
248 if (options->max_startups_begin == -1)
249 options->max_startups_begin = options->max_startups;
250 if (options->max_authtries == -1)
251 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
252 if (options->max_sessions == -1)
253 options->max_sessions = DEFAULT_SESSIONS_MAX;
254 if (options->use_dns == -1)
255 options->use_dns = 1;
256 if (options->client_alive_interval == -1)
257 options->client_alive_interval = 0;
258 if (options->client_alive_count_max == -1)
259 options->client_alive_count_max = 3;
260 if (options->authorized_keys_file2 == NULL) {
261 /* authorized_keys_file2 falls back to authorized_keys_file */
262 if (options->authorized_keys_file != NULL)
263 options->authorized_keys_file2 = options->authorized_keys_file;
265 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
267 if (options->authorized_keys_file == NULL)
268 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
269 if (options->permit_tun == -1)
270 options->permit_tun = SSH_TUNMODE_NO;
271 if (options->zero_knowledge_password_authentication == -1)
272 options->zero_knowledge_password_authentication = 0;
274 /* Turn privilege separation on by default */
275 if (use_privsep == -1)
279 if (use_privsep && options->compression == 1) {
280 error("This platform does not support both privilege "
281 "separation and compression");
282 error("Compression disabled");
283 options->compression = 0;
289 /* Keyword tokens. */
291 sBadOption, /* == unknown option */
292 /* Portable-specific options */
294 /* Standard Options */
295 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
296 sPermitRootLogin, sLogFacility, sLogLevel,
297 sRhostsRSAAuthentication, sRSAAuthentication,
298 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
299 sKerberosGetAFSToken,
300 sKerberosTgtPassing, sChallengeResponseAuthentication,
301 sPasswordAuthentication, sKbdInteractiveAuthentication,
302 sListenAddress, sAddressFamily,
303 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
304 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
305 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
306 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
307 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
308 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
309 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
310 sMaxStartups, sMaxAuthTries, sMaxSessions,
311 sBanner, sUseDNS, sHostbasedAuthentication,
312 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
313 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
314 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
315 sGssKeyEx, sGssStoreRekey,
316 sAcceptEnv, sPermitTunnel,
317 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
318 sUsePrivilegeSeparation, sAllowAgentForwarding,
319 sZeroKnowledgePasswordAuthentication,
320 sDeprecated, sUnsupported
323 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
324 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
325 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
327 /* Textual representation of the tokens. */
330 ServerOpCodes opcode;
333 /* Portable-specific options */
335 { "usepam", sUsePAM, SSHCFG_GLOBAL },
337 { "usepam", sUnsupported, SSHCFG_GLOBAL },
339 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
340 /* Standard Options */
341 { "port", sPort, SSHCFG_GLOBAL },
342 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
343 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
344 { "pidfile", sPidFile, SSHCFG_GLOBAL },
345 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
346 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
347 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
348 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
349 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
350 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
351 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
352 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
353 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
354 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
355 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
356 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
357 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
359 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
360 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
361 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
363 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
365 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
368 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
369 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
370 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
371 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
373 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
374 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
376 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
377 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
378 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
379 { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
380 { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
382 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
383 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
384 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
385 { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
386 { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
388 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
389 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
390 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
391 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
393 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
395 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
397 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
398 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
399 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
400 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
401 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
402 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
403 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
404 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
405 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
406 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
407 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
408 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
409 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
410 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
411 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
412 { "compression", sCompression, SSHCFG_GLOBAL },
413 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
414 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
415 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
416 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
417 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
418 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
419 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
420 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
421 { "ciphers", sCiphers, SSHCFG_GLOBAL },
422 { "macs", sMacs, SSHCFG_GLOBAL },
423 { "protocol", sProtocol, SSHCFG_GLOBAL },
424 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
425 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
426 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
427 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
428 { "maxsessions", sMaxSessions, SSHCFG_ALL },
429 { "banner", sBanner, SSHCFG_ALL },
430 { "usedns", sUseDNS, SSHCFG_GLOBAL },
431 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
432 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
433 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
434 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
435 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
436 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
437 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL },
438 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
439 { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
440 { "match", sMatch, SSHCFG_ALL },
441 { "permitopen", sPermitOpen, SSHCFG_ALL },
442 { "forcecommand", sForceCommand, SSHCFG_ALL },
443 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
444 { NULL, sBadOption, 0 }
451 { SSH_TUNMODE_NO, "no" },
452 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
453 { SSH_TUNMODE_ETHERNET, "ethernet" },
454 { SSH_TUNMODE_YES, "yes" },
459 * Returns the number of the token pointed to by cp or sBadOption.
463 parse_token(const char *cp, const char *filename,
464 int linenum, u_int *flags)
468 for (i = 0; keywords[i].name; i++)
469 if (strcasecmp(cp, keywords[i].name) == 0) {
470 *flags = keywords[i].flags;
471 return keywords[i].opcode;
474 error("%s: line %d: Bad configuration option: %s",
475 filename, linenum, cp);
480 add_listen_addr(ServerOptions *options, char *addr, int port)
484 if (options->num_ports == 0)
485 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
486 if (options->address_family == -1)
487 options->address_family = AF_UNSPEC;
489 for (i = 0; i < options->num_ports; i++)
490 add_one_listen_addr(options, addr, options->ports[i]);
492 add_one_listen_addr(options, addr, port);
496 add_one_listen_addr(ServerOptions *options, char *addr, int port)
498 struct addrinfo hints, *ai, *aitop;
499 char strport[NI_MAXSERV];
502 memset(&hints, 0, sizeof(hints));
503 hints.ai_family = options->address_family;
504 hints.ai_socktype = SOCK_STREAM;
505 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
506 snprintf(strport, sizeof strport, "%d", port);
507 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
508 fatal("bad addr or host: %s (%s)",
509 addr ? addr : "<NULL>",
510 ssh_gai_strerror(gaierr));
511 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
513 ai->ai_next = options->listen_addrs;
514 options->listen_addrs = aitop;
518 * The strategy for the Match blocks is that the config file is parsed twice.
520 * The first time is at startup. activep is initialized to 1 and the
521 * directives in the global context are processed and acted on. Hitting a
522 * Match directive unsets activep and the directives inside the block are
523 * checked for syntax only.
525 * The second time is after a connection has been established but before
526 * authentication. activep is initialized to 2 and global config directives
527 * are ignored since they have already been processed. If the criteria in a
528 * Match block is met, activep is set and the subsequent directives
529 * processed and actioned until EOF or another Match block unsets it. Any
530 * options set are copied into the main server config.
532 * Potential additions/improvements:
533 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
535 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
536 * Match Address 192.168.0.*
541 * AllowTcpForwarding yes
542 * GatewayPorts clientspecified
545 * - Add a PermittedChannelRequests directive
547 * PermittedChannelRequests session,forwarded-tcpip
551 match_cfg_line_group(const char *grps, int line, const char *user)
559 if ((pw = getpwnam(user)) == NULL) {
560 debug("Can't match group at line %d because user %.100s does "
561 "not exist", line, user);
562 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
563 debug("Can't Match group because user %.100s not in any group "
564 "at line %d", user, line);
565 } else if (ga_match_pattern_list(grps) != 1) {
566 debug("user %.100s does not match group list %.100s at line %d",
569 debug("user %.100s matched group list %.100s at line %d", user,
579 match_cfg_line(char **condition, int line, const char *user, const char *host,
583 char *arg, *attrib, *cp = *condition;
587 debug3("checking syntax for 'Match %s'", cp);
589 debug3("checking match for '%s' user %s host %s addr %s", cp,
590 user ? user : "(null)", host ? host : "(null)",
591 address ? address : "(null)");
593 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
594 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
595 error("Missing Match criteria for %s", attrib);
599 if (strcasecmp(attrib, "user") == 0) {
604 if (match_pattern_list(user, arg, len, 0) != 1)
607 debug("user %.100s matched 'User %.100s' at "
608 "line %d", user, arg, line);
609 } else if (strcasecmp(attrib, "group") == 0) {
610 switch (match_cfg_line_group(arg, line, user)) {
616 } else if (strcasecmp(attrib, "host") == 0) {
621 if (match_hostname(host, arg, len) != 1)
624 debug("connection from %.100s matched 'Host "
625 "%.100s' at line %d", host, arg, line);
626 } else if (strcasecmp(attrib, "address") == 0) {
627 switch (addr_match_list(address, arg)) {
629 debug("connection from %.100s matched 'Address "
630 "%.100s' at line %d", address, arg, line);
640 error("Unsupported Match attribute %s", attrib);
645 debug3("match %sfound", result ? "" : "not ");
650 #define WHITESPACE " \t\r\n"
653 process_server_config_line(ServerOptions *options, char *line,
654 const char *filename, int linenum, int *activep, const char *user,
655 const char *host, const char *address)
657 char *cp, **charptr, *arg, *p;
658 int cmdline = 0, *intptr, value, n;
659 SyslogFacility *log_facility_ptr;
660 LogLevel *log_level_ptr;
661 ServerOpCodes opcode;
667 if ((arg = strdelim(&cp)) == NULL)
669 /* Ignore leading whitespace */
672 if (!arg || !*arg || *arg == '#')
676 opcode = parse_token(arg, filename, linenum, &flags);
678 if (activep == NULL) { /* We are processing a command line directive */
682 if (*activep && opcode != sMatch)
683 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
684 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
686 fatal("%s line %d: Directive '%s' is not allowed "
687 "within a Match block", filename, linenum, arg);
688 } else { /* this is a directive we have already processed */
696 /* Portable-specific options */
698 intptr = &options->use_pam;
701 /* Standard Options */
705 /* ignore ports from configfile if cmdline specifies ports */
706 if (options->ports_from_cmdline)
708 if (options->listen_addrs != NULL)
709 fatal("%s line %d: ports must be specified before "
710 "ListenAddress.", filename, linenum);
711 if (options->num_ports >= MAX_PORTS)
712 fatal("%s line %d: too many ports.",
715 if (!arg || *arg == '\0')
716 fatal("%s line %d: missing port number.",
718 options->ports[options->num_ports++] = a2port(arg);
719 if (options->ports[options->num_ports-1] <= 0)
720 fatal("%s line %d: Badly formatted port number.",
725 intptr = &options->server_key_bits;
728 if (!arg || *arg == '\0')
729 fatal("%s line %d: missing integer value.",
732 if (*activep && *intptr == -1)
736 case sLoginGraceTime:
737 intptr = &options->login_grace_time;
740 if (!arg || *arg == '\0')
741 fatal("%s line %d: missing time value.",
743 if ((value = convtime(arg)) == -1)
744 fatal("%s line %d: invalid time value.",
750 case sKeyRegenerationTime:
751 intptr = &options->key_regeneration_time;
756 if (arg == NULL || *arg == '\0')
757 fatal("%s line %d: missing address",
759 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
760 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
761 && strchr(p+1, ':') != NULL) {
762 add_listen_addr(options, arg, 0);
767 fatal("%s line %d: bad address:port usage",
769 p = cleanhostname(p);
772 else if ((port = a2port(arg)) <= 0)
773 fatal("%s line %d: bad port number", filename, linenum);
775 add_listen_addr(options, p, port);
781 if (!arg || *arg == '\0')
782 fatal("%s line %d: missing address family.",
784 intptr = &options->address_family;
785 if (options->listen_addrs != NULL)
786 fatal("%s line %d: address family must be specified before "
787 "ListenAddress.", filename, linenum);
788 if (strcasecmp(arg, "inet") == 0)
790 else if (strcasecmp(arg, "inet6") == 0)
792 else if (strcasecmp(arg, "any") == 0)
795 fatal("%s line %d: unsupported address family \"%s\".",
796 filename, linenum, arg);
802 intptr = &options->num_host_key_files;
803 if (*intptr >= MAX_HOSTKEYS)
804 fatal("%s line %d: too many host keys specified (max %d).",
805 filename, linenum, MAX_HOSTKEYS);
806 charptr = &options->host_key_files[*intptr];
809 if (!arg || *arg == '\0')
810 fatal("%s line %d: missing file name.",
812 if (*activep && *charptr == NULL) {
813 *charptr = tilde_expand_filename(arg, getuid());
814 /* increase optional counter */
816 *intptr = *intptr + 1;
821 charptr = &options->pid_file;
824 case sPermitRootLogin:
825 intptr = &options->permit_root_login;
827 if (!arg || *arg == '\0')
828 fatal("%s line %d: missing yes/"
829 "without-password/forced-commands-only/no "
830 "argument.", filename, linenum);
831 value = 0; /* silence compiler */
832 if (strcmp(arg, "without-password") == 0)
833 value = PERMIT_NO_PASSWD;
834 else if (strcmp(arg, "forced-commands-only") == 0)
835 value = PERMIT_FORCED_ONLY;
836 else if (strcmp(arg, "yes") == 0)
838 else if (strcmp(arg, "no") == 0)
841 fatal("%s line %d: Bad yes/"
842 "without-password/forced-commands-only/no "
843 "argument: %s", filename, linenum, arg);
844 if (*activep && *intptr == -1)
849 intptr = &options->ignore_rhosts;
852 if (!arg || *arg == '\0')
853 fatal("%s line %d: missing yes/no argument.",
855 value = 0; /* silence compiler */
856 if (strcmp(arg, "yes") == 0)
858 else if (strcmp(arg, "no") == 0)
861 fatal("%s line %d: Bad yes/no argument: %s",
862 filename, linenum, arg);
863 if (*activep && *intptr == -1)
867 case sIgnoreUserKnownHosts:
868 intptr = &options->ignore_user_known_hosts;
871 case sRhostsRSAAuthentication:
872 intptr = &options->rhosts_rsa_authentication;
875 case sHostbasedAuthentication:
876 intptr = &options->hostbased_authentication;
879 case sHostbasedUsesNameFromPacketOnly:
880 intptr = &options->hostbased_uses_name_from_packet_only;
883 case sRSAAuthentication:
884 intptr = &options->rsa_authentication;
887 case sPubkeyAuthentication:
888 intptr = &options->pubkey_authentication;
891 case sKerberosAuthentication:
892 intptr = &options->kerberos_authentication;
895 case sKerberosOrLocalPasswd:
896 intptr = &options->kerberos_or_local_passwd;
899 case sKerberosTicketCleanup:
900 intptr = &options->kerberos_ticket_cleanup;
903 case sKerberosGetAFSToken:
904 intptr = &options->kerberos_get_afs_token;
907 case sGssAuthentication:
908 intptr = &options->gss_authentication;
912 intptr = &options->gss_keyex;
915 case sGssCleanupCreds:
916 intptr = &options->gss_cleanup_creds;
919 case sGssStrictAcceptor:
920 intptr = &options->gss_strict_acceptor;
924 intptr = &options->gss_store_rekey;
927 case sPasswordAuthentication:
928 intptr = &options->password_authentication;
931 case sZeroKnowledgePasswordAuthentication:
932 intptr = &options->zero_knowledge_password_authentication;
935 case sKbdInteractiveAuthentication:
936 intptr = &options->kbd_interactive_authentication;
939 case sChallengeResponseAuthentication:
940 intptr = &options->challenge_response_authentication;
944 intptr = &options->print_motd;
948 intptr = &options->print_lastlog;
952 intptr = &options->x11_forwarding;
955 case sX11DisplayOffset:
956 intptr = &options->x11_display_offset;
959 case sX11UseLocalhost:
960 intptr = &options->x11_use_localhost;
964 charptr = &options->xauth_location;
968 intptr = &options->strict_modes;
972 intptr = &options->tcp_keep_alive;
976 intptr = &options->permit_empty_passwd;
979 case sPermitUserEnvironment:
980 intptr = &options->permit_user_env;
984 intptr = &options->use_login;
988 intptr = &options->compression;
990 if (!arg || *arg == '\0')
991 fatal("%s line %d: missing yes/no/delayed "
992 "argument.", filename, linenum);
993 value = 0; /* silence compiler */
994 if (strcmp(arg, "delayed") == 0)
995 value = COMP_DELAYED;
996 else if (strcmp(arg, "yes") == 0)
998 else if (strcmp(arg, "no") == 0)
1001 fatal("%s line %d: Bad yes/no/delayed "
1002 "argument: %s", filename, linenum, arg);
1008 intptr = &options->gateway_ports;
1009 arg = strdelim(&cp);
1010 if (!arg || *arg == '\0')
1011 fatal("%s line %d: missing yes/no/clientspecified "
1012 "argument.", filename, linenum);
1013 value = 0; /* silence compiler */
1014 if (strcmp(arg, "clientspecified") == 0)
1016 else if (strcmp(arg, "yes") == 0)
1018 else if (strcmp(arg, "no") == 0)
1021 fatal("%s line %d: Bad yes/no/clientspecified "
1022 "argument: %s", filename, linenum, arg);
1023 if (*activep && *intptr == -1)
1028 intptr = &options->use_dns;
1032 log_facility_ptr = &options->log_facility;
1033 arg = strdelim(&cp);
1034 value = log_facility_number(arg);
1035 if (value == SYSLOG_FACILITY_NOT_SET)
1036 fatal("%.200s line %d: unsupported log facility '%s'",
1037 filename, linenum, arg ? arg : "<NONE>");
1038 if (*log_facility_ptr == -1)
1039 *log_facility_ptr = (SyslogFacility) value;
1043 log_level_ptr = &options->log_level;
1044 arg = strdelim(&cp);
1045 value = log_level_number(arg);
1046 if (value == SYSLOG_LEVEL_NOT_SET)
1047 fatal("%.200s line %d: unsupported log level '%s'",
1048 filename, linenum, arg ? arg : "<NONE>");
1049 if (*log_level_ptr == -1)
1050 *log_level_ptr = (LogLevel) value;
1053 case sAllowTcpForwarding:
1054 intptr = &options->allow_tcp_forwarding;
1057 case sAllowAgentForwarding:
1058 intptr = &options->allow_agent_forwarding;
1061 case sUsePrivilegeSeparation:
1062 intptr = &use_privsep;
1066 while ((arg = strdelim(&cp)) && *arg != '\0') {
1067 if (options->num_allow_users >= MAX_ALLOW_USERS)
1068 fatal("%s line %d: too many allow users.",
1070 options->allow_users[options->num_allow_users++] =
1076 while ((arg = strdelim(&cp)) && *arg != '\0') {
1077 if (options->num_deny_users >= MAX_DENY_USERS)
1078 fatal("%s line %d: too many deny users.",
1080 options->deny_users[options->num_deny_users++] =
1086 while ((arg = strdelim(&cp)) && *arg != '\0') {
1087 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1088 fatal("%s line %d: too many allow groups.",
1090 options->allow_groups[options->num_allow_groups++] =
1096 while ((arg = strdelim(&cp)) && *arg != '\0') {
1097 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1098 fatal("%s line %d: too many deny groups.",
1100 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1105 arg = strdelim(&cp);
1106 if (!arg || *arg == '\0')
1107 fatal("%s line %d: Missing argument.", filename, linenum);
1108 if (!ciphers_valid(arg))
1109 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1110 filename, linenum, arg ? arg : "<NONE>");
1111 if (options->ciphers == NULL)
1112 options->ciphers = xstrdup(arg);
1116 arg = strdelim(&cp);
1117 if (!arg || *arg == '\0')
1118 fatal("%s line %d: Missing argument.", filename, linenum);
1119 if (!mac_valid(arg))
1120 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1121 filename, linenum, arg ? arg : "<NONE>");
1122 if (options->macs == NULL)
1123 options->macs = xstrdup(arg);
1127 intptr = &options->protocol;
1128 arg = strdelim(&cp);
1129 if (!arg || *arg == '\0')
1130 fatal("%s line %d: Missing argument.", filename, linenum);
1131 value = proto_spec(arg);
1132 if (value == SSH_PROTO_UNKNOWN)
1133 fatal("%s line %d: Bad protocol spec '%s'.",
1134 filename, linenum, arg ? arg : "<NONE>");
1135 if (*intptr == SSH_PROTO_UNKNOWN)
1140 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1141 fatal("%s line %d: too many subsystems defined.",
1144 arg = strdelim(&cp);
1145 if (!arg || *arg == '\0')
1146 fatal("%s line %d: Missing subsystem name.",
1149 arg = strdelim(&cp);
1152 for (i = 0; i < options->num_subsystems; i++)
1153 if (strcmp(arg, options->subsystem_name[i]) == 0)
1154 fatal("%s line %d: Subsystem '%s' already defined.",
1155 filename, linenum, arg);
1156 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1157 arg = strdelim(&cp);
1158 if (!arg || *arg == '\0')
1159 fatal("%s line %d: Missing subsystem command.",
1161 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1163 /* Collect arguments (separate to executable) */
1165 len = strlen(p) + 1;
1166 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1167 len += 1 + strlen(arg);
1168 p = xrealloc(p, 1, len);
1169 strlcat(p, " ", len);
1170 strlcat(p, arg, len);
1172 options->subsystem_args[options->num_subsystems] = p;
1173 options->num_subsystems++;
1177 arg = strdelim(&cp);
1178 if (!arg || *arg == '\0')
1179 fatal("%s line %d: Missing MaxStartups spec.",
1181 if ((n = sscanf(arg, "%d:%d:%d",
1182 &options->max_startups_begin,
1183 &options->max_startups_rate,
1184 &options->max_startups)) == 3) {
1185 if (options->max_startups_begin >
1186 options->max_startups ||
1187 options->max_startups_rate > 100 ||
1188 options->max_startups_rate < 1)
1189 fatal("%s line %d: Illegal MaxStartups spec.",
1192 fatal("%s line %d: Illegal MaxStartups spec.",
1195 options->max_startups = options->max_startups_begin;
1199 intptr = &options->max_authtries;
1203 intptr = &options->max_sessions;
1207 charptr = &options->banner;
1208 goto parse_filename;
1211 * These options can contain %X options expanded at
1212 * connect time, so that you can specify paths like:
1214 * AuthorizedKeysFile /etc/ssh_keys/%u
1216 case sAuthorizedKeysFile:
1217 case sAuthorizedKeysFile2:
1218 charptr = (opcode == sAuthorizedKeysFile) ?
1219 &options->authorized_keys_file :
1220 &options->authorized_keys_file2;
1221 goto parse_filename;
1223 case sClientAliveInterval:
1224 intptr = &options->client_alive_interval;
1227 case sClientAliveCountMax:
1228 intptr = &options->client_alive_count_max;
1232 while ((arg = strdelim(&cp)) && *arg != '\0') {
1233 if (strchr(arg, '=') != NULL)
1234 fatal("%s line %d: Invalid environment name.",
1236 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1237 fatal("%s line %d: too many allow env.",
1241 options->accept_env[options->num_accept_env++] =
1247 intptr = &options->permit_tun;
1248 arg = strdelim(&cp);
1249 if (!arg || *arg == '\0')
1250 fatal("%s line %d: Missing yes/point-to-point/"
1251 "ethernet/no argument.", filename, linenum);
1253 for (i = 0; tunmode_desc[i].val != -1; i++)
1254 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1255 value = tunmode_desc[i].val;
1259 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1260 "no argument: %s", filename, linenum, arg);
1267 fatal("Match directive not supported as a command-line "
1269 value = match_cfg_line(&cp, linenum, user, host, address);
1271 fatal("%s line %d: Bad Match condition", filename,
1277 arg = strdelim(&cp);
1278 if (!arg || *arg == '\0')
1279 fatal("%s line %d: missing PermitOpen specification",
1281 n = options->num_permitted_opens; /* modified later */
1282 if (strcmp(arg, "any") == 0) {
1283 if (*activep && n == -1) {
1284 channel_clear_adm_permitted_opens();
1285 options->num_permitted_opens = 0;
1289 if (*activep && n == -1)
1290 channel_clear_adm_permitted_opens();
1291 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1294 fatal("%s line %d: missing host in PermitOpen",
1296 p = cleanhostname(p);
1297 if (arg == NULL || (port = a2port(arg)) <= 0)
1298 fatal("%s line %d: bad port number in "
1299 "PermitOpen", filename, linenum);
1300 if (*activep && n == -1)
1301 options->num_permitted_opens =
1302 channel_add_adm_permitted_opens(p, port);
1308 fatal("%.200s line %d: Missing argument.", filename,
1310 len = strspn(cp, WHITESPACE);
1311 if (*activep && options->adm_forced_command == NULL)
1312 options->adm_forced_command = xstrdup(cp + len);
1315 case sChrootDirectory:
1316 charptr = &options->chroot_directory;
1318 arg = strdelim(&cp);
1319 if (!arg || *arg == '\0')
1320 fatal("%s line %d: missing file name.",
1322 if (*activep && *charptr == NULL)
1323 *charptr = xstrdup(arg);
1327 logit("%s line %d: Deprecated option %s",
1328 filename, linenum, arg);
1330 arg = strdelim(&cp);
1334 logit("%s line %d: Unsupported option %s",
1335 filename, linenum, arg);
1337 arg = strdelim(&cp);
1341 fatal("%s line %d: Missing handler for opcode %s (%d)",
1342 filename, linenum, arg, opcode);
1344 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1345 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1346 filename, linenum, arg);
1350 /* Reads the server configuration file. */
1353 load_server_config(const char *filename, Buffer *conf)
1355 char line[1024], *cp;
1358 debug2("%s: filename %s", __func__, filename);
1359 if ((f = fopen(filename, "r")) == NULL) {
1364 while (fgets(line, sizeof(line), f)) {
1366 * Trim out comments and strip whitespace
1367 * NB - preserve newlines, they are needed to reproduce
1368 * line numbers later for error messages
1370 if ((cp = strchr(line, '#')) != NULL)
1371 memcpy(cp, "\n", 2);
1372 cp = line + strspn(line, " \t\r");
1374 buffer_append(conf, cp, strlen(cp));
1376 buffer_append(conf, "\0", 1);
1378 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1382 parse_server_match_config(ServerOptions *options, const char *user,
1383 const char *host, const char *address)
1387 initialize_server_options(&mo);
1388 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1389 copy_set_server_options(options, &mo, 0);
1393 #define M_CP_INTOPT(n) do {\
1397 #define M_CP_STROPT(n) do {\
1398 if (src->n != NULL) { \
1399 if (dst->n != NULL) \
1406 * Copy any supported values that are set.
1408 * If the preauth flag is set, we do not bother copying the the string or
1409 * array values that are not used pre-authentication, because any that we
1410 * do use must be explictly sent in mm_getpwnamallow().
1413 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1415 M_CP_INTOPT(password_authentication);
1416 M_CP_INTOPT(gss_authentication);
1417 M_CP_INTOPT(rsa_authentication);
1418 M_CP_INTOPT(pubkey_authentication);
1419 M_CP_INTOPT(kerberos_authentication);
1420 M_CP_INTOPT(hostbased_authentication);
1421 M_CP_INTOPT(kbd_interactive_authentication);
1422 M_CP_INTOPT(zero_knowledge_password_authentication);
1423 M_CP_INTOPT(permit_root_login);
1424 M_CP_INTOPT(permit_empty_passwd);
1426 M_CP_INTOPT(allow_tcp_forwarding);
1427 M_CP_INTOPT(allow_agent_forwarding);
1428 M_CP_INTOPT(gateway_ports);
1429 M_CP_INTOPT(x11_display_offset);
1430 M_CP_INTOPT(x11_forwarding);
1431 M_CP_INTOPT(x11_use_localhost);
1432 M_CP_INTOPT(max_sessions);
1433 M_CP_INTOPT(max_authtries);
1435 M_CP_STROPT(banner);
1438 M_CP_STROPT(adm_forced_command);
1439 M_CP_STROPT(chroot_directory);
1446 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1447 const char *user, const char *host, const char *address)
1449 int active, linenum, bad_options = 0;
1450 char *cp, *obuf, *cbuf;
1452 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1454 obuf = cbuf = xstrdup(buffer_ptr(conf));
1455 active = user ? 0 : 1;
1457 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1458 if (process_server_config_line(options, cp, filename,
1459 linenum++, &active, user, host, address) != 0)
1463 if (bad_options > 0)
1464 fatal("%s: terminating, %d bad configuration options",
1465 filename, bad_options);
1469 fmt_intarg(ServerOpCodes code, int val)
1471 if (code == sAddressFamily) {
1483 if (code == sPermitRootLogin) {
1485 case PERMIT_NO_PASSWD:
1486 return "without-password";
1487 case PERMIT_FORCED_ONLY:
1488 return "forced-commands-only";
1493 if (code == sProtocol) {
1499 case (SSH_PROTO_1|SSH_PROTO_2):
1505 if (code == sGatewayPorts && val == 2)
1506 return "clientspecified";
1507 if (code == sCompression && val == COMP_DELAYED)
1521 lookup_opcode_name(ServerOpCodes code)
1525 for (i = 0; keywords[i].name != NULL; i++)
1526 if (keywords[i].opcode == code)
1527 return(keywords[i].name);
1532 dump_cfg_int(ServerOpCodes code, int val)
1534 printf("%s %d\n", lookup_opcode_name(code), val);
1538 dump_cfg_fmtint(ServerOpCodes code, int val)
1540 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1544 dump_cfg_string(ServerOpCodes code, const char *val)
1548 printf("%s %s\n", lookup_opcode_name(code), val);
1552 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1556 for (i = 0; i < count; i++)
1557 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1561 dump_config(ServerOptions *o)
1565 struct addrinfo *ai;
1566 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1568 /* these are usually at the top of the config */
1569 for (i = 0; i < o->num_ports; i++)
1570 printf("port %d\n", o->ports[i]);
1571 dump_cfg_fmtint(sProtocol, o->protocol);
1572 dump_cfg_fmtint(sAddressFamily, o->address_family);
1574 /* ListenAddress must be after Port */
1575 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1576 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1577 sizeof(addr), port, sizeof(port),
1578 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1579 error("getnameinfo failed: %.100s",
1580 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1583 if (ai->ai_family == AF_INET6)
1584 printf("listenaddress [%s]:%s\n", addr, port);
1586 printf("listenaddress %s:%s\n", addr, port);
1590 /* integer arguments */
1592 dump_cfg_int(sUsePAM, o->use_pam);
1594 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1595 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1596 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1597 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1598 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1599 dump_cfg_int(sMaxSessions, o->max_sessions);
1600 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1601 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1603 /* formatted integer arguments */
1604 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1605 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1606 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1607 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1608 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1609 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1610 o->hostbased_uses_name_from_packet_only);
1611 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1612 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1614 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1615 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1616 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1618 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1622 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1623 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1626 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1627 o->zero_knowledge_password_authentication);
1629 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1630 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1631 o->kbd_interactive_authentication);
1632 dump_cfg_fmtint(sChallengeResponseAuthentication,
1633 o->challenge_response_authentication);
1634 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1635 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1636 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1637 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1638 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1639 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1640 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1641 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1642 dump_cfg_fmtint(sUseLogin, o->use_login);
1643 dump_cfg_fmtint(sCompression, o->compression);
1644 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1645 dump_cfg_fmtint(sUseDNS, o->use_dns);
1646 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1647 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1649 /* string arguments */
1650 dump_cfg_string(sPidFile, o->pid_file);
1651 dump_cfg_string(sXAuthLocation, o->xauth_location);
1652 dump_cfg_string(sCiphers, o->ciphers);
1653 dump_cfg_string(sMacs, o->macs);
1654 dump_cfg_string(sBanner, o->banner);
1655 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1656 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1657 dump_cfg_string(sForceCommand, o->adm_forced_command);
1659 /* string arguments requiring a lookup */
1660 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1661 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1663 /* string array arguments */
1664 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1666 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1667 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1668 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1669 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1670 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1672 /* other arguments */
1673 for (i = 0; i < o->num_subsystems; i++)
1674 printf("subsystem %s %s\n", o->subsystem_name[i],
1675 o->subsystem_args[i]);
1677 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1678 o->max_startups_rate, o->max_startups);
1680 for (i = 0; tunmode_desc[i].val != -1; i++)
1681 if (tunmode_desc[i].val == o->permit_tun) {
1682 s = tunmode_desc[i].text;
1685 dump_cfg_string(sPermitTunnel, s);
1687 channel_print_adm_permitted_opens();