1 /* $OpenBSD: readconf.c,v 1.159 2006/08/03 03:34:42 deraadt Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
46 /* Format of the configuration file:
48 # Configuration data is parsed as follows:
49 # 1. command line options
50 # 2. user-specific file
52 # Any configuration value is only changed the first time it is set.
53 # Thus, host-specific definitions should be at the beginning of the
54 # configuration file, and defaults at the end.
56 # Host-specific declarations. These may override anything above. A single
57 # host may match multiple declarations; these are processed in the order
58 # that they are given in.
64 HostName another.host.name.real.org
71 RemoteForward 9999 shadows.cs.hut.fi:9999
77 PasswordAuthentication no
81 ProxyCommand ssh-proxy %h %p
84 PublicKeyAuthentication no
88 PasswordAuthentication no
94 # Defaults for various options
98 PasswordAuthentication yes
100 RhostsRSAAuthentication yes
101 StrictHostKeyChecking yes
103 IdentityFile ~/.ssh/identity
109 /* Keyword tokens. */
/*
 * Opcodes for the client configuration keywords.  parse_token() maps a
 * keyword string onto one of these and process_config_line() switches on
 * the result.  oDeprecated and oUnsupported are catch-all opcodes: the
 * keyword is still recognised on input, but process_config_line() only logs
 * it (debug() for deprecated, error() for unsupported) instead of acting on
 * it.
 * NOTE(review): this listing is fragmentary -- the enum's opening and closing
 * lines are not shown, nor is the oBadOption token that parse_token()
 * returns for an unknown keyword; some opcodes used by the keyword table
 * (oGssKeyEx, oGssTrustDns, oHPNBufferSize) are likewise not visible here.
 */
113 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
114 oExitOnForwardFailure,
115 oPasswordAuthentication, oRSAAuthentication,
116 oChallengeResponseAuthentication, oXAuthLocation,
117 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
118 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
119 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
120 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
121 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
122 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
123 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
124 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
125 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
126 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
127 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
129 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
132 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
133 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
134 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
/* Not part of stock OpenBSD readconf.c 1.159 -- presumably HPN patch additions. */
135 oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
/* Sentinels for keywords that are parsed but no longer / not here acted upon. */
137 oDeprecated, oUnsupported
140 /* Textual representations of the tokens. */
/*
 * Keyword table: lower-case spelling -> opcode.  parse_token() compares with
 * strcasecmp(), so the configuration file may use any capitalisation, and it
 * walks the table until a NULL name (the terminating entry is not shown).
 * Several names are aliases or obsolete spellings that map onto the same
 * opcode as the current name (marked inline).  The gssapi* and
 * smartcarddevice entries each appear twice -- once mapped to a real opcode
 * and once to oUnsupported -- presumably selected by a build-time
 * conditional whose #ifdef/#else lines this listing does not show; only one
 * of each pair should be compiled in.
 */
146 { "forwardagent", oForwardAgent },
147 { "forwardx11", oForwardX11 },
148 { "forwardx11trusted", oForwardX11Trusted },
149 { "exitonforwardfailure", oExitOnForwardFailure },
150 { "xauthlocation", oXAuthLocation },
151 { "gatewayports", oGatewayPorts },
152 { "useprivilegedport", oUsePrivilegedPort },
153 { "rhostsauthentication", oDeprecated },
154 { "passwordauthentication", oPasswordAuthentication },
155 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
156 { "kbdinteractivedevices", oKbdInteractiveDevices },
157 { "rsaauthentication", oRSAAuthentication },
158 { "pubkeyauthentication", oPubkeyAuthentication },
159 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
160 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
161 { "hostbasedauthentication", oHostbasedAuthentication },
162 { "challengeresponseauthentication", oChallengeResponseAuthentication },
163 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
164 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
/* Kerberos-era keywords are recognised only so that old files parse; they do nothing. */
165 { "kerberosauthentication", oUnsupported },
166 { "kerberostgtpassing", oUnsupported },
167 { "afstokenpassing", oUnsupported },
/* GSSAPI keywords, functional variant (presumably the GSSAPI-enabled build). */
169 { "gssapiauthentication", oGssAuthentication },
170 { "gssapikeyexchange", oGssKeyEx },
171 { "gssapidelegatecredentials", oGssDelegateCreds },
172 { "gssapitrustdns", oGssTrustDns },
/* GSSAPI keywords, non-functional variant (presumably the build without GSSAPI). */
174 { "gssapiauthentication", oUnsupported },
175 { "gssapikeyexchange", oUnsupported },
176 { "gssapidelegatecredentials", oUnsupported },
177 { "gssapitrustdns", oUnsupported },
179 { "fallbacktorsh", oDeprecated },
180 { "usersh", oDeprecated },
181 { "identityfile", oIdentityFile },
182 { "identityfile2", oIdentityFile }, /* alias */
183 { "identitiesonly", oIdentitiesOnly },
184 { "hostname", oHostName },
185 { "hostkeyalias", oHostKeyAlias },
186 { "proxycommand", oProxyCommand },
188 { "cipher", oCipher },
189 { "ciphers", oCiphers },
191 { "protocol", oProtocol },
192 { "remoteforward", oRemoteForward },
193 { "localforward", oLocalForward },
196 { "escapechar", oEscapeChar },
197 { "globalknownhostsfile", oGlobalKnownHostsFile },
198 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
199 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
200 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
201 { "connectionattempts", oConnectionAttempts },
202 { "batchmode", oBatchMode },
203 { "checkhostip", oCheckHostIP },
204 { "stricthostkeychecking", oStrictHostKeyChecking },
205 { "compression", oCompression },
206 { "compressionlevel", oCompressionLevel },
207 { "tcpkeepalive", oTCPKeepAlive },
208 { "keepalive", oTCPKeepAlive }, /* obsolete */
209 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
210 { "loglevel", oLogLevel },
211 { "dynamicforward", oDynamicForward },
212 { "preferredauthentications", oPreferredAuthentications },
213 { "hostkeyalgorithms", oHostKeyAlgorithms },
214 { "bindaddress", oBindAddress },
/* smartcarddevice: functional and non-functional variants, as for gssapi* above. */
216 { "smartcarddevice", oSmartcardDevice },
218 { "smartcarddevice", oUnsupported },
220 { "clearallforwardings", oClearAllForwardings },
221 { "enablesshkeysign", oEnableSSHKeysign },
222 { "verifyhostkeydns", oVerifyHostKeyDNS },
223 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
224 { "rekeylimit", oRekeyLimit },
225 { "connecttimeout", oConnectTimeout },
226 { "addressfamily", oAddressFamily },
227 { "serveraliveinterval", oServerAliveInterval },
228 { "serveralivecountmax", oServerAliveCountMax },
229 { "sendenv", oSendEnv },
230 { "controlpath", oControlPath },
231 { "controlmaster", oControlMaster },
232 { "hashknownhosts", oHashKnownHosts },
233 { "tunnel", oTunnel },
234 { "tunneldevice", oTunnelDevice },
235 { "localcommand", oLocalCommand },
236 { "permitlocalcommand", oPermitLocalCommand },
/* Not part of stock OpenBSD readconf.c 1.159 -- presumably HPN patch additions. */
237 { "noneenabled", oNoneEnabled },
238 { "tcprcvbufpoll", oTcpRcvBufPoll },
239 { "tcprcvbuf", oTcpRcvBuf },
240 { "noneswitch", oNoneSwitch },
241 { "hpndisabled", oHPNDisabled },
242 { "hpnbuffersize", oHPNBufferSize },
247 * Adds a local TCP/IP port forward to options. Never returns if there is an
/*
 * Append a local (client-side listening) port forward to options.
 *
 * options - option set whose local_forwards[] array receives the copy.
 * newfwd  - forward to add; its host strings are deep-copied with xstrdup(),
 *           so the caller keeps ownership of *newfwd and may free or reuse it.
 *
 * Never returns on error: fatal() is called when a non-root user asks to
 * listen on a privileged port, or when the per-direction forward table is
 * full.  (The function's return type, opening brace, `fwd` declaration and
 * closing lines are not shown in this listing.)
 */
252 add_local_forward(Options *options, const Forward *newfwd)
/*
 * Privileged-port policy: only root may listen below IPPORT_RESERVED.
 * original_real_uid is an extern -- presumably the uid ssh was started with,
 * before any privilege changes, so a setuid ssh still applies the rule to
 * the invoking user; confirm against the definition.
 */
255 #ifndef NO_IPPORT_RESERVED_CONCEPT
256 extern uid_t original_real_uid;
257 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
258 fatal("Privileged ports can only be forwarded by root.");
/* Bounds check before the post-increment index into the fixed-size array. */
260 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
261 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
262 fwd = &options->local_forwards[options->num_local_forwards++];
/* listen_host is optional (NULL means the default bind address). */
264 fwd->listen_host = (newfwd->listen_host == NULL) ?
265 NULL : xstrdup(newfwd->listen_host);
266 fwd->listen_port = newfwd->listen_port;
267 fwd->connect_host = xstrdup(newfwd->connect_host);
268 fwd->connect_port = newfwd->connect_port;
272 * Adds a remote TCP/IP port forward to options. Never returns if there is
/*
 * Append a remote (server-side listening) port forward to options.
 *
 * options - option set whose remote_forwards[] array receives the copy.
 * newfwd  - forward to add; host strings are deep-copied with xstrdup(), so
 *           the caller keeps ownership of *newfwd.
 *
 * Never returns if the per-direction forward table is full.  No
 * privileged-port check is made here, unlike add_local_forward(): the
 * listening end is the remote server, which is presumably where that policy
 * belongs.  (Return type, opening brace, `fwd` declaration and closing lines
 * are not shown in this listing.)
 */
277 add_remote_forward(Options *options, const Forward *newfwd)
280 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
281 fatal("Too many remote forwards (max %d).",
282 SSH_MAX_FORWARDS_PER_DIRECTION);
283 fwd = &options->remote_forwards[options->num_remote_forwards++];
/* listen_host is optional; a NULL is preserved rather than copied. */
285 fwd->listen_host = (newfwd->listen_host == NULL) ?
286 NULL : xstrdup(newfwd->listen_host);
287 fwd->listen_port = newfwd->listen_port;
288 fwd->connect_host = xstrdup(newfwd->connect_host);
289 fwd->connect_port = newfwd->connect_port;
/*
 * Drop every configured local and remote port forward and disable the
 * tunnel device.  Frees the host strings that add_local_forward() /
 * add_remote_forward() duplicated, then resets both counters to zero.
 * Called from fill_default_options() when ClearAllForwardings was set.
 * (Return type, braces and the loop index declaration are not shown.)
 */
293 clear_forwardings(Options *options)
297 for (i = 0; i < options->num_local_forwards; i++) {
/* listen_host may legitimately be NULL (default bind address); connect_host never is. */
298 if (options->local_forwards[i].listen_host != NULL)
299 xfree(options->local_forwards[i].listen_host);
300 xfree(options->local_forwards[i].connect_host);
302 options->num_local_forwards = 0;
303 for (i = 0; i < options->num_remote_forwards; i++) {
304 if (options->remote_forwards[i].listen_host != NULL)
305 xfree(options->remote_forwards[i].listen_host);
306 xfree(options->remote_forwards[i].connect_host);
308 options->num_remote_forwards = 0;
/* "Clear all forwardings" also covers the layer-2/3 tunnel, not just TCP forwards. */
309 options->tun_open = SSH_TUNMODE_NO;
313 * Returns the number of the token pointed to by cp or oBadOption.
/*
 * Look up a configuration keyword in the keywords[] table.
 *
 * cp                - the keyword as read from the file (case-insensitive).
 * filename, linenum - used only for the diagnostic on an unknown keyword.
 *
 * Returns the matching opcode, or oBadOption after logging an error (the
 * return statement is not shown in this listing).  An unknown keyword is
 * therefore not fatal here; the caller counts bad options and fails at the
 * end of the file.
 */
317 parse_token(const char *cp, const char *filename, int linenum)
/* Linear scan; the table is terminated by an entry with a NULL name. */
321 for (i = 0; keywords[i].name; i++)
322 if (strcasecmp(cp, keywords[i].name) == 0)
323 return keywords[i].opcode;
325 error("%s: line %d: Bad configuration option: %s",
326 filename, linenum, cp);
331 * Processes a single option line as used in the configuration files. This
332 * only sets those values that have not already been set.
/*
 * Token separators: stripped from the end of every line before parsing and
 * skipped by strspn() where a keyword takes the raw remainder of the line.
 */
334 #define WHITESPACE " \t\r\n"
/*
 * Parse one configuration line and apply it to *options.
 *
 * options  - option set being filled in.  A value is written only while it
 *            still holds its "unset" sentinel (-1 / NULL / SSH_PROTO_UNKNOWN /
 *            SYSLOG_LEVEL_NOT_SET), so whichever source sets an option first
 *            wins -- see the file-level comment on configuration order.
 * host     - host name being configured; "Host" lines match their patterns
 *            against it with match_pattern() to turn *activep on or off.
 * line     - the raw line.  It is modified in place: trailing whitespace is
 *            cut and strdelim() tokenises it.
 * filename, linenum - used only for diagnostics.
 * activep  - (parameter line not shown) pointer to the "inside a matching
 *            Host block" flag; values are stored only while *activep is set.
 *
 * Returns 0 on success and non-zero for an unrecognised keyword, which the
 * caller counts rather than treating as fatal.  Every malformed argument is
 * fatal().
 * NOTE(review): this listing omits the `break;`, `goto parse_*` and plain
 * value-assignment lines shared between cases, so the cases below read as
 * fragments; the comments describe only what the visible lines establish.
 */
337 process_config_line(Options *options, const char *host,
338 char *line, const char *filename, int linenum,
341 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
342 int opcode, *intptr, value, value2, scale;
343 long long orig, val64;
/*
 * NOTE(review): if `len` is unsigned (its declaration is not shown), an
 * empty line makes strlen(line) - 1 wrap around and line[len] indexes far
 * outside the buffer.  A `if (strlen(line) == 0) return 0;` guard before the
 * loop would close that.  fgets()-fed lines are never empty, but any other
 * caller of this function may pass one.
 */
347 /* Strip trailing whitespace */
348 for (len = strlen(line) - 1; len > 0; len--) {
349 if (strchr(WHITESPACE, line[len]) == NULL)
/*
 * The first token is the keyword.  An empty first token means the line
 * began with whitespace, so take the next one.  Blank lines and '#' comment
 * lines drop out here (the return is not shown).
 */
355 /* Get the keyword. (Each line is supposed to begin with a keyword). */
356 if ((keyword = strdelim(&s)) == NULL)
358 /* Ignore leading whitespace. */
359 if (*keyword == '\0')
360 keyword = strdelim(&s);
361 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
364 opcode = parse_token(keyword, filename, linenum);
/* oBadOption (case label not shown): returned to the caller, which tallies it. */
368 /* don't panic, but count bad options */
/* ConnectTimeout: a time specification accepted by convtime(); -1 means unparsable. */
371 case oConnectTimeout:
372 intptr = &options->connection_timeout;
375 if (!arg || *arg == '\0')
376 fatal("%s line %d: missing time value.",
378 if ((value = convtime(arg)) == -1)
379 fatal("%s line %d: invalid time value.",
/*
 * Boolean options.  Each case below loads intptr and then shares this
 * yes/no parser (the jump lines are not shown).  "yes"/"true" and
 * "no"/"false" are accepted; the store happens only inside an active Host
 * block and only while the option is still -1, i.e. the first setting wins.
 */
386 intptr = &options->forward_agent;
389 if (!arg || *arg == '\0')
390 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
391 value = 0; /* To avoid compiler warning... */
392 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
394 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
397 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
398 if (*activep && *intptr == -1)
403 intptr = &options->forward_x11;
406 case oForwardX11Trusted:
407 intptr = &options->forward_x11_trusted;
411 intptr = &options->gateway_ports;
414 case oExitOnForwardFailure:
415 intptr = &options->exit_on_forward_failure;
418 case oUsePrivilegedPort:
419 intptr = &options->use_privileged_port;
422 case oPasswordAuthentication:
423 intptr = &options->password_authentication;
426 case oKbdInteractiveAuthentication:
427 intptr = &options->kbd_interactive_authentication;
/* KbdInteractiveDevices is a string option; it shares the string parser further down. */
430 case oKbdInteractiveDevices:
431 charptr = &options->kbd_interactive_devices;
434 case oPubkeyAuthentication:
435 intptr = &options->pubkey_authentication;
438 case oRSAAuthentication:
439 intptr = &options->rsa_authentication;
442 case oRhostsRSAAuthentication:
443 intptr = &options->rhosts_rsa_authentication;
446 case oHostbasedAuthentication:
447 intptr = &options->hostbased_authentication;
450 case oChallengeResponseAuthentication:
451 intptr = &options->challenge_response_authentication;
454 case oGssAuthentication:
455 intptr = &options->gss_authentication;
459 intptr = &options->gss_keyex;
462 case oGssDelegateCreds:
463 intptr = &options->gss_deleg_creds;
467 intptr = &options->gss_trust_dns;
471 intptr = &options->batch_mode;
475 intptr = &options->check_host_ip;
/*
 * HPN additions (case labels not shown).  NoneEnabled / NoneSwitch are
 * boolean here; hpn_buffer_size and tcp_rcv_buf_poll load intptr as well.
 * NOTE(review): if, as the names suggest, these control the unencrypted
 * "none" cipher, they deserve a comment here stating that -- confirm against
 * the code that consumes options->none_enabled.
 */
479 intptr = &options->none_enabled;
483 intptr = &options->none_switch;
487 intptr = &options->hpn_disabled;
491 intptr = &options->hpn_buffer_size;
495 intptr = &options->tcp_rcv_buf_poll;
498 case oVerifyHostKeyDNS:
499 intptr = &options->verify_host_key_dns;
/*
 * StrictHostKeyChecking is three-state: yes/true, no/false or ask (the
 * stored values are not shown).  Same first-setting-wins store as above.
 */
503 case oStrictHostKeyChecking:
504 intptr = &options->strict_host_key_checking;
507 if (!arg || *arg == '\0')
508 fatal("%.200s line %d: Missing yes/no/ask argument.",
510 value = 0; /* To avoid compiler warning... */
511 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
513 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
515 else if (strcmp(arg, "ask") == 0)
518 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
519 if (*activep && *intptr == -1)
524 intptr = &options->compression;
528 intptr = &options->tcp_keep_alive;
531 case oNoHostAuthenticationForLocalhost:
532 intptr = &options->no_host_authentication_for_localhost;
/* Integer options; these share the Port integer parser further down. */
535 case oNumberOfPasswordPrompts:
536 intptr = &options->number_of_password_prompts;
539 case oCompressionLevel:
540 intptr = &options->compression_level;
/*
 * RekeyLimit: a decimal count with an optional single-letter suffix (the
 * suffix cases are not shown; `scale` receives the multiplier).  Parsed
 * into a long long so that the division check below can detect a
 * multiplication that wrapped, and the INT_MAX test rejects anything that
 * would not fit the int option field.
 */
544 intptr = &options->rekey_limit;
546 if (!arg || *arg == '\0')
547 fatal("%.200s line %d: Missing argument.", filename, linenum);
548 if (arg[0] < '0' || arg[0] > '9')
549 fatal("%.200s line %d: Bad number.", filename, linenum);
550 orig = val64 = strtoll(arg, &endofnumber, 10);
551 if (arg == endofnumber)
552 fatal("%.200s line %d: Bad number.", filename, linenum);
553 switch (toupper(*endofnumber)) {
567 fatal("%.200s line %d: Invalid RekeyLimit suffix",
571 /* detect integer wrap and too-large limits */
572 if ((val64 / scale) != orig || val64 > INT_MAX)
573 fatal("%.200s line %d: RekeyLimit too large",
576 fatal("%.200s line %d: RekeyLimit too small",
578 if (*activep && *intptr == -1)
579 *intptr = (int)val64;
/*
 * IdentityFile: appended to a fixed-size array, bounded by
 * SSH_MAX_IDENTITY_FILES.  Unlike scalar options every occurrence is kept,
 * so several IdentityFile lines accumulate.
 */
584 if (!arg || *arg == '\0')
585 fatal("%.200s line %d: Missing argument.", filename, linenum);
587 intptr = &options->num_identity_files;
588 if (*intptr >= SSH_MAX_IDENTITY_FILES)
589 fatal("%.200s line %d: Too many identity files specified (max %d).",
590 filename, linenum, SSH_MAX_IDENTITY_FILES);
591 charptr = &options->identity_files[*intptr];
592 *charptr = xstrdup(arg);
593 *intptr = *intptr + 1;
598 charptr=&options->xauth_location;
/*
 * Single-token string options.  Each case loads charptr and shares this
 * parser: the first non-NULL setting inside an active Host block wins.
 */
602 charptr = &options->user;
605 if (!arg || *arg == '\0')
606 fatal("%.200s line %d: Missing argument.", filename, linenum);
607 if (*activep && *charptr == NULL)
608 *charptr = xstrdup(arg);
611 case oGlobalKnownHostsFile:
612 charptr = &options->system_hostfile;
615 case oUserKnownHostsFile:
616 charptr = &options->user_hostfile;
619 case oGlobalKnownHostsFile2:
620 charptr = &options->system_hostfile2;
623 case oUserKnownHostsFile2:
624 charptr = &options->user_hostfile2;
628 charptr = &options->hostname;
632 charptr = &options->host_key_alias;
635 case oPreferredAuthentications:
636 charptr = &options->preferred_authentications;
640 charptr = &options->bind_address;
643 case oSmartcardDevice:
644 charptr = &options->smartcard_device;
/*
 * ProxyCommand: unlike the other string options, the whole remainder of the
 * line (past any whitespace or '=') is stored verbatim, since the value is a
 * command line with its own arguments.  Because this is a command the client
 * executes on the user's behalf, the configuration file must not be writable
 * by anyone else -- see the ownership/mode check in read_config_file().
 */
648 charptr = &options->proxy_command;
651 fatal("%.200s line %d: Missing argument.", filename, linenum);
652 len = strspn(s, WHITESPACE "=");
653 if (*activep && *charptr == NULL)
654 *charptr = xstrdup(s + len);
/*
 * Port and the other integer options: strtol() with base 0, so "0x16" and
 * leading-zero octal are accepted, as the comment says.  The first
 * character must be a digit, which also rules out a leading sign.
 * NOTE(review): no upper-bound check (e.g. <= 65535 for Port) is visible
 * here; the value appears to be stored as parsed.
 */
658 intptr = &options->port;
661 if (!arg || *arg == '\0')
662 fatal("%.200s line %d: Missing argument.", filename, linenum);
663 if (arg[0] < '0' || arg[0] > '9')
664 fatal("%.200s line %d: Bad number.", filename, linenum);
666 /* Octal, decimal, or hex format? */
667 value = strtol(arg, &endofnumber, 0);
668 if (arg == endofnumber)
669 fatal("%.200s line %d: Bad number.", filename, linenum);
670 if (*activep && *intptr == -1)
674 case oConnectionAttempts:
675 intptr = &options->connection_attempts;
679 intptr = &options->tcp_rcv_buf;
/*
 * Algorithm selection.  Cipher (protocol 1) and the Ciphers / MACs /
 * HostKeyAlgorithms lists (protocol 2) are validated by cipher_number(),
 * ciphers_valid(), the MAC validator (call line not shown) and
 * key_names_valid2() before being stored, so a typo is fatal at parse time
 * rather than producing a surprising negotiation at connect time.
 */
683 intptr = &options->cipher;
685 if (!arg || *arg == '\0')
686 fatal("%.200s line %d: Missing argument.", filename, linenum);
687 value = cipher_number(arg);
689 fatal("%.200s line %d: Bad cipher '%s'.",
690 filename, linenum, arg ? arg : "<NONE>");
691 if (*activep && *intptr == -1)
697 if (!arg || *arg == '\0')
698 fatal("%.200s line %d: Missing argument.", filename, linenum);
699 if (!ciphers_valid(arg))
700 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
701 filename, linenum, arg ? arg : "<NONE>");
702 if (*activep && options->ciphers == NULL)
703 options->ciphers = xstrdup(arg);
708 if (!arg || *arg == '\0')
709 fatal("%.200s line %d: Missing argument.", filename, linenum);
711 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
712 filename, linenum, arg ? arg : "<NONE>");
713 if (*activep && options->macs == NULL)
714 options->macs = xstrdup(arg);
717 case oHostKeyAlgorithms:
719 if (!arg || *arg == '\0')
720 fatal("%.200s line %d: Missing argument.", filename, linenum);
721 if (!key_names_valid2(arg))
722 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
723 filename, linenum, arg ? arg : "<NONE>");
724 if (*activep && options->hostkeyalgorithms == NULL)
725 options->hostkeyalgorithms = xstrdup(arg);
/* Protocol: proto_spec() returns a bitmask; SSH_PROTO_UNKNOWN doubles as the unset sentinel. */
729 intptr = &options->protocol;
731 if (!arg || *arg == '\0')
732 fatal("%.200s line %d: Missing argument.", filename, linenum);
733 value = proto_spec(arg);
734 if (value == SSH_PROTO_UNKNOWN)
735 fatal("%.200s line %d: Bad protocol spec '%s'.",
736 filename, linenum, arg ? arg : "<NONE>");
737 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
/* LogLevel: log_level is a LogLevel enum, accessed through an int pointer. */
742 intptr = (int *) &options->log_level;
744 value = log_level_number(arg);
745 if (value == SYSLOG_LEVEL_NOT_SET)
746 fatal("%.200s line %d: unsupported log level '%s'",
747 filename, linenum, arg ? arg : "<NONE>");
748 if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
749 *intptr = (LogLevel) value;
/*
 * LocalForward / RemoteForward take two tokens, "[bind:]port" and
 * "host:port", which are re-joined into fwdarg for parse_forward().
 * NOTE(review): the snprintf() return value is ignored, so a specification
 * longer than fwdarg (256 bytes) is silently truncated before parsing;
 * checking for truncation here would give a clearer error than whatever
 * parse_forward() makes of the cut string.
 */
755 if (arg == NULL || *arg == '\0')
756 fatal("%.200s line %d: Missing port argument.",
759 if (arg2 == NULL || *arg2 == '\0')
760 fatal("%.200s line %d: Missing target argument.",
763 /* construct a string for parse_forward */
764 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
766 if (parse_forward(&fwd, fwdarg) == 0)
767 fatal("%.200s line %d: Bad forwarding specification.",
/* Same parsing for both directions; only the destination table differs. */
771 if (opcode == oLocalForward)
772 add_local_forward(options, &fwd);
773 else if (opcode == oRemoteForward)
774 add_remote_forward(options, &fwd);
/*
 * DynamicForward: "[bind_address:]port".  connect_host is the literal
 * "socks" marker (add_local_forward() copies it, so the literal itself is
 * never freed).  The bind address is length-checked against NI_MAXHOST;
 * when no ':' is present the single token is the port.  A port of 0 is
 * rejected, which is also how a2port() failure surfaces here.
 */
778 case oDynamicForward:
780 if (!arg || *arg == '\0')
781 fatal("%.200s line %d: Missing port argument.",
783 memset(&fwd, '\0', sizeof(fwd));
784 fwd.connect_host = "socks";
785 fwd.listen_host = hpdelim(&arg);
786 if (fwd.listen_host == NULL ||
787 strlen(fwd.listen_host) >= NI_MAXHOST)
788 fatal("%.200s line %d: Bad forwarding specification.",
791 fwd.listen_port = a2port(arg);
792 fwd.listen_host = cleanhostname(fwd.listen_host);
794 fwd.listen_port = a2port(fwd.listen_host);
795 fwd.listen_host = NULL;
797 if (fwd.listen_port == 0)
798 fatal("%.200s line %d: Badly formatted port number.",
801 add_local_forward(options, &fwd);
804 case oClearAllForwardings:
805 intptr = &options->clear_forwardings;
/*
 * Host: consumes every remaining token as a pattern and turns option
 * processing on when any of them matches the host being configured (the
 * *activep assignments are not shown).  Since this loop exhausts the line,
 * the garbage check at the end is bypassed for this case.
 */
810 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
811 if (match_pattern(host, arg)) {
812 debug("Applying options for %.100s", arg);
816 /* Avoid garbage check below, as strdelim is done. */
/*
 * EscapeChar: "^X" control notation, a single character, or "none".
 * NOTE(review): the "^X" test reads arg[2] before establishing that arg[1]
 * is not the terminator, so the one-character argument "^" reads one byte
 * past the end of the token (probably still inside the caller's line
 * buffer, but undefined for a stand-alone string).  Testing the
 * single-character form first avoids it.
 */
820 intptr = &options->escape_char;
822 if (!arg || *arg == '\0')
823 fatal("%.200s line %d: Missing argument.", filename, linenum);
824 if (arg[0] == '^' && arg[2] == 0 &&
825 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
826 value = (u_char) arg[1] & 31;
827 else if (strlen(arg) == 1)
828 value = (u_char) arg[0];
829 else if (strcmp(arg, "none") == 0)
830 value = SSH_ESCAPECHAR_NONE;
832 fatal("%.200s line %d: Bad escape character.",
835 value = 0; /* Avoid compiler warning. */
837 if (*activep && *intptr == -1)
/* AddressFamily: inet / inet6 / any, case-insensitive (the stored constants are not shown). */
843 if (!arg || *arg == '\0')
844 fatal("%s line %d: missing address family.",
846 intptr = &options->address_family;
847 if (strcasecmp(arg, "inet") == 0)
849 else if (strcasecmp(arg, "inet6") == 0)
851 else if (strcasecmp(arg, "any") == 0)
854 fatal("Unsupported AddressFamily \"%s\"", arg);
855 if (*activep && *intptr == -1)
859 case oEnableSSHKeysign:
860 intptr = &options->enable_ssh_keysign;
863 case oIdentitiesOnly:
864 intptr = &options->identities_only;
867 case oServerAliveInterval:
868 intptr = &options->server_alive_interval;
871 case oServerAliveCountMax:
872 intptr = &options->server_alive_count_max;
/*
 * SendEnv: each remaining token names (or patterns) an environment variable
 * to send.  A token containing '=' is rejected, so a config line cannot
 * smuggle a value in with the name; the list is bounded by MAX_SEND_ENV.
 * (The loop's closing lines and the xstrdup() right-hand side are not shown.)
 */
876 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
877 if (strchr(arg, '=') != NULL)
878 fatal("%s line %d: Invalid environment name.",
882 if (options->num_send_env >= MAX_SEND_ENV)
883 fatal("%s line %d: too many send env.",
885 options->send_env[options->num_send_env++] =
891 charptr = &options->control_path;
/* ControlMaster: five-way keyword mapped onto the SSHCTL_MASTER_* constants. */
895 intptr = &options->control_master;
897 if (!arg || *arg == '\0')
898 fatal("%.200s line %d: Missing ControlMaster argument.",
900 value = 0; /* To avoid compiler warning... */
901 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
902 value = SSHCTL_MASTER_YES;
903 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
904 value = SSHCTL_MASTER_NO;
905 else if (strcmp(arg, "auto") == 0)
906 value = SSHCTL_MASTER_AUTO;
907 else if (strcmp(arg, "ask") == 0)
908 value = SSHCTL_MASTER_ASK;
909 else if (strcmp(arg, "autoask") == 0)
910 value = SSHCTL_MASTER_AUTO_ASK;
912 fatal("%.200s line %d: Bad ControlMaster argument.",
914 if (*activep && *intptr == -1)
918 case oHashKnownHosts:
919 intptr = &options->hash_known_hosts;
/* Tunnel: yes / point-to-point / ethernet / no, mapped onto SSH_TUNMODE_*. */
923 intptr = &options->tun_open;
925 if (!arg || *arg == '\0')
926 fatal("%s line %d: Missing yes/point-to-point/"
927 "ethernet/no argument.", filename, linenum);
928 value = 0; /* silence compiler */
929 if (strcasecmp(arg, "ethernet") == 0)
930 value = SSH_TUNMODE_ETHERNET;
931 else if (strcasecmp(arg, "point-to-point") == 0)
932 value = SSH_TUNMODE_POINTOPOINT;
933 else if (strcasecmp(arg, "yes") == 0)
934 value = SSH_TUNMODE_DEFAULT;
935 else if (strcasecmp(arg, "no") == 0)
936 value = SSH_TUNMODE_NO;
938 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
939 "no argument: %s", filename, linenum, arg);
/*
 * TunnelDevice: a2tun() splits "local[:remote]" into two unit numbers;
 * both are stored together (the guarding condition, if any, is not shown).
 */
946 if (!arg || *arg == '\0')
947 fatal("%.200s line %d: Missing argument.", filename, linenum);
948 value = a2tun(arg, &value2);
949 if (value == SSH_TUNID_ERR)
950 fatal("%.200s line %d: Bad tun device.", filename, linenum);
952 options->tun_local = value;
953 options->tun_remote = value2;
958 charptr = &options->local_command;
961 case oPermitLocalCommand:
962 intptr = &options->permit_local_command;
/*
 * Deprecated keywords are accepted with a debug message; unsupported ones
 * (compiled-out features) are logged at error level but are not fatal and
 * are not counted as bad options.  Any opcode not handled above is a
 * programming error, hence fatal().
 */
966 debug("%s line %d: Deprecated option \"%s\"",
967 filename, linenum, keyword);
971 error("%s line %d: Unsupported option \"%s\"",
972 filename, linenum, keyword);
976 fatal("process_config_line: Unimplemented opcode %d", opcode);
/* Reject stray trailing tokens so a mis-typed line cannot be half-applied silently. */
979 /* Check that there is no garbage at end of line. */
980 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
981 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
982 filename, linenum, arg);
989 * Reads the config file and modifies the options accordingly. Options
990 * should already be initialized before this call. This never returns if
991 * there is an error. If the file does not exist, this returns 0.
/*
 * Read one configuration file, applying each line with
 * process_config_line().
 *
 * filename - path to open.
 * host     - host name being configured, passed through for Host matching.
 * options  - option set to fill in; must already have been initialised.
 * (The signature continues on a line not shown in this listing.)
 *
 * Returns 0 when the file cannot be opened (the early return is not shown),
 * otherwise 1 -- per the header comment above.  Never returns on a
 * malformed file: each bad keyword is counted and the file is rejected as a
 * whole at the end; malformed arguments are fatal inside
 * process_config_line().
 */
995 read_config_file(const char *filename, const char *host, Options *options,
1000 int active, linenum;
1001 int bad_options = 0;
1003 /* Open the file. */
1004 if ((f = fopen(filename, "r")) == NULL)
/*
 * Ownership and mode check.  It uses fstat() on the descriptor that was
 * just opened, not stat() on the path, so the file that is checked is
 * exactly the file that will be read (no rename race in between).  Files
 * owned by neither root nor the invoking user, or writable by group or
 * others (mode & 022), are rejected: a config another account can edit
 * would let that account supply directives such as ProxyCommand or
 * LocalCommand.  Whether this check is unconditional cannot be told from
 * this fragment -- the lines between fopen() and fstat() are not shown.
 */
1010 if (fstat(fileno(f), &sb) == -1)
1011 fatal("fstat %s: %s", filename, strerror(errno));
1012 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
1013 (sb.st_mode & 022) != 0))
1014 fatal("Bad owner or permissions on %s", filename);
1017 debug("Reading configuration data %.200s", filename);
1020 * Mark that we are now processing the options. This flag is turned
1021 * on/off by Host specifications.
/*
 * Line loop.  fgets() stops at sizeof(line) - 1 characters, so a line
 * longer than the buffer arrives as two "lines"; the tail would then be
 * parsed as a keyword of its own and most likely counted as a bad option.
 * A non-zero return from process_config_line() marks an unknown keyword
 * (the bad_options increment is not shown).
 */
1025 while (fgets(line, sizeof(line), f)) {
1026 /* Update line number counter. */
1028 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
/* Fail closed: any unknown keyword anywhere in the file aborts, after the whole file was reported. */
1032 if (bad_options > 0)
1033 fatal("%s: terminating, %d bad configuration options",
1034 filename, bad_options);
1039 * Initializes options to special values that indicate that they have not yet
1040 * been set. Read_config_file will only set options with this value. Options
1041 * are processed in the following order: command line, user config file,
1042 * system config file. Last, fill_default_options is called.
/*
 * Reset every option to its "not yet set" sentinel so that the
 * first-setting-wins rule in process_config_line() works across the
 * command line, user file and system file: -1 for integer and boolean
 * options, NULL for strings, SSH_PROTO_UNKNOWN / SYSLOG_LEVEL_NOT_SET for
 * the enumerated ones, 0 for the list counters.  The initial memset() with
 * 'X' is presumably a poison pattern so that any field missed below shows
 * up as obvious garbage rather than a plausible zero -- confirm.
 * NOTE(review): options->port is not initialised in the lines shown here,
 * although fill_default_options() tests it against -1; the assignment may
 * simply be missing from this listing.
 */
1046 initialize_options(Options * options)
1048 memset(options, 'X', sizeof(*options));
1049 options->forward_agent = -1;
1050 options->forward_x11 = -1;
1051 options->forward_x11_trusted = -1;
1052 options->exit_on_forward_failure = -1;
1053 options->xauth_location = NULL;
1054 options->gateway_ports = -1;
1055 options->use_privileged_port = -1;
1056 options->rsa_authentication = -1;
1057 options->pubkey_authentication = -1;
1058 options->challenge_response_authentication = -1;
1059 options->gss_authentication = -1;
1060 options->gss_keyex = -1;
1061 options->gss_deleg_creds = -1;
1062 options->gss_trust_dns = -1;
1063 options->password_authentication = -1;
1064 options->kbd_interactive_authentication = -1;
1065 options->kbd_interactive_devices = NULL;
1066 options->rhosts_rsa_authentication = -1;
1067 options->hostbased_authentication = -1;
1068 options->batch_mode = -1;
1069 options->check_host_ip = -1;
1070 options->strict_host_key_checking = -1;
1071 options->compression = -1;
1072 options->tcp_keep_alive = -1;
1073 options->compression_level = -1;
1075 options->address_family = -1;
1076 options->connection_attempts = -1;
1077 options->connection_timeout = -1;
1078 options->number_of_password_prompts = -1;
1079 options->cipher = -1;
1080 options->ciphers = NULL;
1081 options->macs = NULL;
1082 options->hostkeyalgorithms = NULL;
/* The protocol and log level use their own enum sentinels rather than -1. */
1083 options->protocol = SSH_PROTO_UNKNOWN;
1084 options->num_identity_files = 0;
1085 options->hostname = NULL;
1086 options->host_key_alias = NULL;
1087 options->proxy_command = NULL;
1088 options->user = NULL;
1089 options->escape_char = -1;
1090 options->system_hostfile = NULL;
1091 options->user_hostfile = NULL;
1092 options->system_hostfile2 = NULL;
1093 options->user_hostfile2 = NULL;
/* Forward tables are counted, not sentinelled: zero entries means none configured. */
1094 options->num_local_forwards = 0;
1095 options->num_remote_forwards = 0;
1096 options->clear_forwardings = -1;
1097 options->log_level = SYSLOG_LEVEL_NOT_SET;
1098 options->preferred_authentications = NULL;
1099 options->bind_address = NULL;
1100 options->smartcard_device = NULL;
1101 options->enable_ssh_keysign = - 1;
1102 options->no_host_authentication_for_localhost = - 1;
1103 options->identities_only = - 1;
1104 options->rekey_limit = - 1;
1105 options->verify_host_key_dns = -1;
1106 options->server_alive_interval = -1;
1107 options->server_alive_count_max = -1;
1108 options->num_send_env = 0;
1109 options->control_path = NULL;
1110 options->control_master = -1;
1111 options->hash_known_hosts = -1;
1112 options->tun_open = -1;
1113 options->tun_local = -1;
1114 options->tun_remote = -1;
1115 options->local_command = NULL;
1116 options->permit_local_command = -1;
/* HPN additions (not in stock OpenBSD readconf.c 1.159). */
1117 options->none_switch = -1;
1118 options->none_enabled = -1;
1119 options->hpn_disabled = -1;
1120 options->hpn_buffer_size = -1;
1121 options->tcp_rcv_buf_poll = -1;
1122 options->tcp_rcv_buf = -1;
1126 * Called after processing other sources of option data, this fills those
1127 * options for which no value has been specified with their default values.
/*
 * Replace every remaining "unset" sentinel with the compiled-in default.
 * Called last, after the command line, user file and system file have each
 * had their chance to set an option, so anything still at -1 / NULL /
 * SSH_PROTO_UNKNOWN / SYSLOG_LEVEL_NOT_SET was never configured.
 * NOTE(review): several authentication-related defaults visible here are
 * permissive -- GSSAPI authentication, key exchange, credential delegation
 * and DNS trust all default to 1 (enabled).  Delegating credentials to every
 * server by default widens exposure if a host is compromised or spoofed;
 * confirm that these are the intended defaults for this build.
 */
1131 fill_default_options(Options * options)
1135 if (options->forward_agent == -1)
1136 options->forward_agent = 0;
1137 if (options->forward_x11 == -1)
1138 options->forward_x11 = 0;
1139 if (options->forward_x11_trusted == -1)
1140 options->forward_x11_trusted = 0;
1141 if (options->exit_on_forward_failure == -1)
1142 options->exit_on_forward_failure = 0;
1143 if (options->xauth_location == NULL)
1144 options->xauth_location = _PATH_XAUTH;
1145 if (options->gateway_ports == -1)
1146 options->gateway_ports = 0;
1147 if (options->use_privileged_port == -1)
1148 options->use_privileged_port = 0;
1149 if (options->rsa_authentication == -1)
1150 options->rsa_authentication = 1;
1151 if (options->pubkey_authentication == -1)
1152 options->pubkey_authentication = 1;
1153 if (options->challenge_response_authentication == -1)
1154 options->challenge_response_authentication = 1;
/* GSSAPI family: all four enabled by default in this build (see note above). */
1155 if (options->gss_authentication == -1)
1156 options->gss_authentication = 1;
1157 if (options->gss_keyex == -1)
1158 options->gss_keyex = 1;
1159 if (options->gss_deleg_creds == -1)
1160 options->gss_deleg_creds = 1;
1161 if (options->gss_trust_dns == -1)
1162 options->gss_trust_dns = 1;
1163 if (options->password_authentication == -1)
1164 options->password_authentication = 1;
1165 if (options->kbd_interactive_authentication == -1)
1166 options->kbd_interactive_authentication = 1;
/* Host-trust based methods stay off unless explicitly requested. */
1167 if (options->rhosts_rsa_authentication == -1)
1168 options->rhosts_rsa_authentication = 0;
1169 if (options->hostbased_authentication == -1)
1170 options->hostbased_authentication = 0;
1171 if (options->batch_mode == -1)
1172 options->batch_mode = 0;
1173 if (options->check_host_ip == -1)
1174 options->check_host_ip = 1;
1175 if (options->strict_host_key_checking == -1)
1176 options->strict_host_key_checking = 2; /* 2 is default */
1177 if (options->compression == -1)
1178 options->compression = 0;
1179 if (options->tcp_keep_alive == -1)
1180 options->tcp_keep_alive = 1;
1181 if (options->compression_level == -1)
1182 options->compression_level = 6;
1183 if (options->port == -1)
1184 options->port = 0; /* Filled in ssh_connect. */
1185 if (options->address_family == -1)
1186 options->address_family = AF_UNSPEC;
1187 if (options->connection_attempts == -1)
1188 options->connection_attempts = 1;
1189 if (options->number_of_password_prompts == -1)
1190 options->number_of_password_prompts = 3;
1191 /* Selected in ssh_login(). */
1192 if (options->cipher == -1)
1193 options->cipher = SSH_CIPHER_NOT_SET;
1194 /* options->ciphers, default set in myproposals.h */
1195 /* options->macs, default set in myproposals.h */
1196 /* options->hostkeyalgorithms, default set in myproposals.h */
1197 if (options->protocol == SSH_PROTO_UNKNOWN)
1198 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
/*
 * With no IdentityFile given, supply the default key path for each enabled
 * protocol, formatted as "~/<name>" (the allocation lines are not shown).
 * `len` is the exact buffer size: "~/" + name + NUL.
 */
1199 if (options->num_identity_files == 0) {
1200 if (options->protocol & SSH_PROTO_1) {
1201 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1202 options->identity_files[options->num_identity_files] =
1204 snprintf(options->identity_files[options->num_identity_files++],
1205 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1207 if (options->protocol & SSH_PROTO_2) {
1208 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1209 options->identity_files[options->num_identity_files] =
1211 snprintf(options->identity_files[options->num_identity_files++],
1212 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1214 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1215 options->identity_files[options->num_identity_files] =
1217 snprintf(options->identity_files[options->num_identity_files++],
1218 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1221 if (options->escape_char == -1)
1222 options->escape_char = '~';
1223 if (options->system_hostfile == NULL)
1224 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1225 if (options->user_hostfile == NULL)
1226 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1227 if (options->system_hostfile2 == NULL)
1228 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1229 if (options->user_hostfile2 == NULL)
1230 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1231 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1232 options->log_level = SYSLOG_LEVEL_INFO;
/* ClearAllForwardings is applied here, after every source has contributed forwards. */
1233 if (options->clear_forwardings == 1)
1234 clear_forwardings(options);
1235 if (options->no_host_authentication_for_localhost == - 1)
1236 options->no_host_authentication_for_localhost = 0;
1237 if (options->identities_only == -1)
1238 options->identities_only = 0;
1239 if (options->enable_ssh_keysign == -1)
1240 options->enable_ssh_keysign = 0;
1241 if (options->rekey_limit == -1)
1242 options->rekey_limit = 0;
1243 if (options->verify_host_key_dns == -1)
1244 options->verify_host_key_dns = 0;
1245 if (options->server_alive_interval == -1)
1246 options->server_alive_interval = 0;
1247 if (options->server_alive_count_max == -1)
1248 options->server_alive_count_max = 3;
/*
 * HPN defaults.  none_switch is off unless requested; no default for
 * none_enabled is visible in this listing.
 */
1249 if (options->none_switch == -1)
1250 options->none_switch = 0;
1251 if (options->hpn_disabled == -1)
1252 options->hpn_disabled = 0;
/*
 * HPNBufferSize is given in KB: 0 is bumped to 1, values above 7168
 * (7 MB) are clamped with a debug message, then the value is converted to
 * bytes.  -1 (unset) is left alone.
 */
1253 if (options->hpn_buffer_size > -1)
1255 if (options->hpn_buffer_size == 0)
1256 options->hpn_buffer_size = 1;
1257 /*limit the buffer to 7MB*/
1258 if (options->hpn_buffer_size > 7168)
1260 options->hpn_buffer_size = 7168;
1261 debug("User requested buffer larger than 7MB. Request reverted to 7MB");
1263 options->hpn_buffer_size *=1024;
1264 debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
/*
 * NOTE(review): TCPRcvBuf gets the same KB->bytes conversion but without
 * the clamp applied to hpn_buffer_size above.  oTcpRcvBuf loads an int
 * pointer, presumably sharing the strtol() integer parser, so a configured
 * value above INT_MAX/1024 overflows here -- signed overflow is undefined
 * behaviour.  An upper bound like the 7168 one above would close it.
 */
1266 if (options->tcp_rcv_buf == 0)
1267 options->tcp_rcv_buf = 1;
1268 if (options->tcp_rcv_buf > -1)
1269 options->tcp_rcv_buf *=1024;
1270 if (options->control_master == -1)
1271 options->control_master = 0;
1272 if (options->hash_known_hosts == -1)
1273 options->hash_known_hosts = 0;
/* Tunnelling is off by default; device numbers are left for the system to pick. */
1274 if (options->tun_open == -1)
1275 options->tun_open = SSH_TUNMODE_NO;
1276 if (options->tun_local == -1)
1277 options->tun_local = SSH_TUNID_ANY;
1278 if (options->tun_remote == -1)
1279 options->tun_remote = SSH_TUNID_ANY;
1280 if (options->permit_local_command == -1)
1281 options->permit_local_command = 0;
1282 /* options->local_command should not be set by default */
1283 /* options->proxy_command should not be set by default */
1284 /* options->user will be set in the main program if appropriate */
1285 /* options->hostname will be set in the main program if appropriate */
1286 /* options->host_key_alias should not be set by default */
1287 /* options->preferred_authentications will be set in ssh */
1292 * parses a string containing a port forwarding specification of the form:
1293 * [listenhost:]listenport:connecthost:connectport
1294 * returns number of arguments parsed or zero on error
1297 parse_forward(Forward *fwd, const char *fwdspec)
1300 char *p, *cp, *fwdarg[4];
1302 memset(fwd, '\0', sizeof(*fwd));
1304 cp = p = xstrdup(fwdspec);
1306 /* skip leading spaces */
1307 while (*cp && isspace(*cp))
1310 for (i = 0; i < 4; ++i)
1311 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1314 /* Check for trailing garbage in 4-arg case*/
1316 i = 0; /* failure */
1320 fwd->listen_host = NULL;
1321 fwd->listen_port = a2port(fwdarg[0]);
1322 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1323 fwd->connect_port = a2port(fwdarg[2]);
1327 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1328 fwd->listen_port = a2port(fwdarg[1]);
1329 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1330 fwd->connect_port = a2port(fwdarg[3]);
1333 i = 0; /* failure */
1338 if (fwd->listen_port == 0 && fwd->connect_port == 0)
1341 if (fwd->connect_host != NULL &&
1342 strlen(fwd->connect_host) >= NI_MAXHOST)
1348 if (fwd->connect_host != NULL)
1349 xfree(fwd->connect_host);
1350 if (fwd->listen_host != NULL)
1351 xfree(fwd->listen_host);