*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.116 2003/02/21 09:05:53 markus Exp $");
-
-#if defined(KRB4)
-#include <krb.h>
-#endif
-#if defined(KRB5)
-#ifdef HEIMDAL
-#else
-/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
- * keytab */
-#define KEYFILE "/etc/krb5.keytab"
-#endif
-#endif
-#ifdef AFS
-#include <kafs.h>
-#endif
+RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $");
#include "ssh.h"
#include "log.h"
memset(options, 0, sizeof(*options));
/* Portable-specific options */
- options->pam_authentication_via_kbd_int = -1;
+ options->use_pam = -1;
/* Standard Options */
options->num_ports = 0;
options->x11_use_localhost = -1;
options->xauth_location = NULL;
options->strict_modes = -1;
- options->keepalives = -1;
+ options->tcp_keep_alive = -1;
options->log_facility = SYSLOG_FACILITY_NOT_SET;
options->log_level = SYSLOG_LEVEL_NOT_SET;
- options->rhosts_authentication = -1;
options->rhosts_rsa_authentication = -1;
options->hostbased_authentication = -1;
options->hostbased_uses_name_from_packet_only = -1;
options->rsa_authentication = -1;
options->pubkey_authentication = -1;
-#ifdef GSSAPI
- options->gss_authentication=-1;
- options->gss_keyex=-1;
- options->gss_use_session_ccache = -1;
- options->gss_cleanup_creds = -1;
-#endif
-#if defined(KRB4) || defined(KRB5)
options->kerberos_authentication = -1;
options->kerberos_or_local_passwd = -1;
options->kerberos_ticket_cleanup = -1;
-#endif
-#if defined(AFS) || defined(KRB5)
- options->kerberos_tgt_passing = -1;
-#endif
-#ifdef AFS
- options->afs_token_passing = -1;
-#endif
#ifdef SESSION_HOOKS
options->session_hooks_allow = -1;
options->session_hooks_startup_cmd = NULL;
options->session_hooks_shutdown_cmd = NULL;
#endif
+ options->kerberos_get_afs_token = -1;
+ options->gss_authentication=-1;
+ options->gss_keyex=-1;
+ options->gss_use_session_ccache = -1;
+ options->gss_cleanup_creds = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
options->max_startups_rate = -1;
options->max_startups = -1;
options->banner = NULL;
- options->verify_reverse_mapping = -1;
+ options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
options->authorized_keys_file = NULL;
fill_default_server_options(ServerOptions *options)
{
/* Portable-specific options */
- if (options->pam_authentication_via_kbd_int == -1)
- options->pam_authentication_via_kbd_int = 0;
+ if (options->use_pam == -1)
+ options->use_pam = 0;
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
options->xauth_location = _PATH_XAUTH;
if (options->strict_modes == -1)
options->strict_modes = 1;
- if (options->keepalives == -1)
- options->keepalives = 1;
+ if (options->tcp_keep_alive == -1)
+ options->tcp_keep_alive = 1;
if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
options->log_facility = SYSLOG_FACILITY_AUTH;
if (options->log_level == SYSLOG_LEVEL_NOT_SET)
options->log_level = SYSLOG_LEVEL_INFO;
- if (options->rhosts_authentication == -1)
- options->rhosts_authentication = 0;
if (options->rhosts_rsa_authentication == -1)
options->rhosts_rsa_authentication = 0;
if (options->hostbased_authentication == -1)
options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
options->pubkey_authentication = 1;
-#ifdef GSSAPI
+ if (options->kerberos_authentication == -1)
+ options->kerberos_authentication = 0;
+ if (options->kerberos_or_local_passwd == -1)
+ options->kerberos_or_local_passwd = 1;
+ if (options->kerberos_ticket_cleanup == -1)
+ options->kerberos_ticket_cleanup = 1;
+ if (options->kerberos_get_afs_token == -1)
+ options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 1;
if (options->gss_keyex == -1)
- options->gss_keyex =1;
+ options->gss_keyex = 1;
if (options->gss_use_session_ccache == -1)
options->gss_use_session_ccache = 1;
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
-#endif
-#if defined(KRB4) || defined(KRB5)
- if (options->kerberos_authentication == -1)
- options->kerberos_authentication = 0;
- if (options->kerberos_or_local_passwd == -1)
- options->kerberos_or_local_passwd = 1;
- if (options->kerberos_ticket_cleanup == -1)
- options->kerberos_ticket_cleanup = 1;
-#endif
-#if defined(AFS) || defined(KRB5)
- if (options->kerberos_tgt_passing == -1)
- options->kerberos_tgt_passing = 0;
-#endif
-#ifdef AFS
- if (options->afs_token_passing == -1)
- options->afs_token_passing = 0;
-#endif
-#ifdef SESSION_HOOKS
- if (options->session_hooks_allow == -1)
- {
- options->session_hooks_allow = 0;
- options->session_hooks_startup_cmd = NULL;
- options->session_hooks_shutdown_cmd = NULL;
- }
-#endif
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
options->max_startups_rate = 100; /* 100% */
if (options->max_startups_begin == -1)
options->max_startups_begin = options->max_startups;
- if (options->verify_reverse_mapping == -1)
- options->verify_reverse_mapping = 0;
+ if (options->use_dns == -1)
+ options->use_dns = 1;
if (options->client_alive_interval == -1)
options->client_alive_interval = 0;
if (options->client_alive_count_max == -1)
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
- sPAMAuthenticationViaKbdInt,
+ sUsePAM,
/* Standard Options */
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
sPermitRootLogin, sLogFacility, sLogLevel,
- sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
-#ifdef GSSAPI
- sGssAuthentication, sGssKeyEx, sGssUseSessionCredCache, sGssCleanupCreds,
-#endif
-#if defined(KRB4) || defined(KRB5)
+ sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-#endif
-#if defined(AFS) || defined(KRB5)
- sKerberosTgtPassing,
-#endif
-#ifdef AFS
- sAFSTokenPassing,
-#endif
+ sKerberosGetAFSToken,
+ sKerberosTgtPassing, sChallengeResponseAuthentication,
#ifdef SESSION_HOOKS
sAllowSessionHooks, sSessionHookStartupCmd, sSessionHookShutdownCmd,
#endif
- sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
- sStrictModes, sEmptyPasswd, sKeepAlives,
+ sStrictModes, sEmptyPasswd, sTCPKeepAlive,
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
- sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
+ sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
+ sGssAuthentication, sGssKeyEx, sGssUseSessionCredCache, sGssCleanupCreds,
sUsePrivilegeSeparation,
- sDeprecated
+ sDeprecated, sUnsupported
} ServerOpCodes;
/* Textual representation of the tokens. */
ServerOpCodes opcode;
} keywords[] = {
/* Portable-specific options */
- { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
+#ifdef USE_PAM
+ { "usepam", sUsePAM },
+#else
+ { "usepam", sUnsupported },
+#endif
+ { "pamauthenticationviakbdint", sDeprecated },
/* Standard Options */
{ "port", sPort },
{ "hostkey", sHostKeyFile },
{ "permitrootlogin", sPermitRootLogin },
{ "syslogfacility", sLogFacility },
{ "loglevel", sLogLevel },
- { "rhostsauthentication", sRhostsAuthentication },
+ { "rhostsauthentication", sDeprecated },
{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
{ "hostbasedauthentication", sHostbasedAuthentication },
{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
{ "rsaauthentication", sRSAAuthentication },
{ "pubkeyauthentication", sPubkeyAuthentication },
{ "dsaauthentication", sPubkeyAuthentication }, /* alias */
-#ifdef GSSAPI
- { "gssapiauthentication", sGssAuthentication },
- { "gssapikeyexchange", sGssKeyEx },
- { "gssusesessionccache", sGssUseSessionCredCache },
- { "gssapiusesessioncredcache", sGssUseSessionCredCache },
- { "gssapicleanupcreds", sGssCleanupCreds },
-#endif
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
{ "kerberosauthentication", sKerberosAuthentication },
{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
{ "kerberosticketcleanup", sKerberosTicketCleanup },
+#ifdef USE_AFS
+ { "kerberosgetafstoken", sKerberosGetAFSToken },
+#else
+ { "kerberosgetafstoken", sUnsupported },
#endif
-#if defined(AFS) || defined(KRB5)
- { "kerberostgtpassing", sKerberosTgtPassing },
+#else
+ { "kerberosauthentication", sUnsupported },
+ { "kerberosorlocalpasswd", sUnsupported },
+ { "kerberosticketcleanup", sUnsupported },
+ { "kerberosgetafstoken", sUnsupported },
#endif
-#ifdef AFS
- { "afstokenpassing", sAFSTokenPassing },
+ { "kerberostgtpassing", sUnsupported },
+ { "afstokenpassing", sUnsupported },
+#ifdef GSSAPI
+ { "gssapiauthentication", sGssAuthentication },
+ { "gssapikeyexchange", sGssKeyEx },
+ { "gssusesessionccache", sGssUseSessionCredCache },
+ { "gssapiusesessioncredcache", sGssUseSessionCredCache },
+ { "gssapicleanupcredentials", sGssCleanupCreds },
+#else
+ { "gssapiauthentication", sUnsupported },
+ { "gssapikeyexchange", sUnsupported },
+ { "gssusesessionccache", sUnsupported },
+ { "gssapiusesessioncredcache", sUnsupported },
+ { "gssapicleanupcredentials", sUnsupported },
#endif
#ifdef SESSION_HOOKS
{ "allowsessionhooks", sAllowSessionHooks },
{ "permituserenvironment", sPermitUserEnvironment },
{ "uselogin", sUseLogin },
{ "compression", sCompression },
- { "keepalive", sKeepAlives },
+ { "tcpkeepalive", sTCPKeepAlive },
+ { "keepalive", sTCPKeepAlive }, /* obsolete alias */
{ "allowtcpforwarding", sAllowTcpForwarding },
{ "allowusers", sAllowUsers },
{ "denyusers", sDenyUsers },
{ "subsystem", sSubsystem },
{ "maxstartups", sMaxStartups },
{ "banner", sBanner },
- { "verifyreversemapping", sVerifyReverseMapping },
- { "reversemappingcheck", sVerifyReverseMapping },
+ { "usedns", sUseDNS },
+ { "verifyreversemapping", sDeprecated },
+ { "reversemappingcheck", sDeprecated },
{ "clientaliveinterval", sClientAliveInterval },
{ "clientalivecountmax", sClientAliveCountMax },
{ "authorizedkeysfile", sAuthorizedKeysFile },
opcode = parse_token(arg, filename, linenum);
switch (opcode) {
/* Portable-specific options */
- case sPAMAuthenticationViaKbdInt:
- intptr = &options->pam_authentication_via_kbd_int;
+ case sUsePAM:
+ intptr = &options->use_pam;
goto parse_flag;
/* Standard Options */
intptr = &options->ignore_user_known_hosts;
goto parse_flag;
- case sRhostsAuthentication:
- intptr = &options->rhosts_authentication;
- goto parse_flag;
-
case sRhostsRSAAuthentication:
intptr = &options->rhosts_rsa_authentication;
goto parse_flag;
case sPubkeyAuthentication:
intptr = &options->pubkey_authentication;
goto parse_flag;
-#ifdef GSSAPI
- case sGssAuthentication:
- intptr = &options->gss_authentication;
- goto parse_flag;
- case sGssKeyEx:
- intptr = &options->gss_keyex;
- goto parse_flag;
- case sGssUseSessionCredCache:
- intptr = &options->gss_use_session_ccache;
- goto parse_flag;
- case sGssCleanupCreds:
- intptr = &options->gss_cleanup_creds;
- goto parse_flag;
-#endif
-#if defined(KRB4) || defined(KRB5)
+
case sKerberosAuthentication:
intptr = &options->kerberos_authentication;
goto parse_flag;
case sKerberosTicketCleanup:
intptr = &options->kerberos_ticket_cleanup;
goto parse_flag;
-#endif
-#if defined(AFS) || defined(KRB5)
- case sKerberosTgtPassing:
- intptr = &options->kerberos_tgt_passing;
+
+ case sKerberosGetAFSToken:
+ intptr = &options->kerberos_get_afs_token;
goto parse_flag;
-#endif
-#ifdef AFS
- case sAFSTokenPassing:
- intptr = &options->afs_token_passing;
+
+ case sGssAuthentication:
+ intptr = &options->gss_authentication;
goto parse_flag;
-#endif
+
+ case sGssKeyEx:
+ intptr = &options->gss_keyex;
+ goto parse_flag;
+
+ case sGssUseSessionCredCache:
+ intptr = &options->gss_use_session_ccache;
+ goto parse_flag;
+
+ case sGssCleanupCreds:
+ intptr = &options->gss_cleanup_creds;
+ goto parse_flag;
+
#ifdef SESSION_HOOKS
case sAllowSessionHooks:
intptr = &options->session_hooks_allow;
options->session_hooks_shutdown_cmd = strdup(arg);
break;
#endif
+
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
intptr = &options->strict_modes;
goto parse_flag;
- case sKeepAlives:
- intptr = &options->keepalives;
+ case sTCPKeepAlive:
+ intptr = &options->tcp_keep_alive;
goto parse_flag;
case sEmptyPasswd:
intptr = &options->gateway_ports;
goto parse_flag;
- case sVerifyReverseMapping:
- intptr = &options->verify_reverse_mapping;
+ case sUseDNS:
+ intptr = &options->use_dns;
goto parse_flag;
case sLogFacility:
goto parse_int;
case sDeprecated:
- log("%s line %d: Deprecated option %s",
+ logit("%s line %d: Deprecated option %s",
+ filename, linenum, arg);
+ while (arg)
+ arg = strdelim(&cp);
+ break;
+
+ case sUnsupported:
+ logit("%s line %d: Unsupported option %s",
filename, linenum, arg);
while (arg)
arg = strdelim(&cp);