]> andersk Git - openssh.git/blame - servconf.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- jmc@cvs.openbsd.org 2005/11/30 11:45:20
[openssh.git] / servconf.c
CommitLineData
8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
91135a0e 13RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $");
8efc0c15 14
15#include "ssh.h"
42f11eb2 16#include "log.h"
8efc0c15 17#include "servconf.h"
18#include "xmalloc.h"
a8be9f80 19#include "compat.h"
42f11eb2 20#include "pathnames.h"
42f11eb2 21#include "misc.h"
22#include "cipher.h"
b2552997 23#include "kex.h"
24#include "mac.h"
42f11eb2 25
396c147e 26static void add_listen_addr(ServerOptions *, char *, u_short);
27static void add_one_listen_addr(ServerOptions *, char *, u_short);
48e671d5 28
1853d1ef 29/* Use of privilege separation or not */
30extern int use_privsep;
42f11eb2 31
8efc0c15 32/* Initializes the server options to their default values. */
33
6ae2364d 34void
5260325f 35initialize_server_options(ServerOptions *options)
8efc0c15 36{
5260325f 37 memset(options, 0, sizeof(*options));
e15895cd 38
39 /* Portable-specific options */
7fceb20d 40 options->use_pam = -1;
e15895cd 41
42 /* Standard Options */
48e671d5 43 options->num_ports = 0;
44 options->ports_from_cmdline = 0;
45 options->listen_addrs = NULL;
31b41ceb 46 options->address_family = -1;
fa08c86b 47 options->num_host_key_files = 0;
0fbe8c74 48 options->pid_file = NULL;
5260325f 49 options->server_key_bits = -1;
50 options->login_grace_time = -1;
51 options->key_regeneration_time = -1;
15853e93 52 options->permit_root_login = PERMIT_NOT_SET;
5260325f 53 options->ignore_rhosts = -1;
54 options->ignore_user_known_hosts = -1;
55 options->print_motd = -1;
4f4648f9 56 options->print_lastlog = -1;
5260325f 57 options->x11_forwarding = -1;
58 options->x11_display_offset = -1;
e6e573bd 59 options->x11_use_localhost = -1;
fa649821 60 options->xauth_location = NULL;
5260325f 61 options->strict_modes = -1;
fd573618 62 options->tcp_keep_alive = -1;
5eaf8578 63 options->log_facility = SYSLOG_FACILITY_NOT_SET;
64 options->log_level = SYSLOG_LEVEL_NOT_SET;
5260325f 65 options->rhosts_rsa_authentication = -1;
8002af61 66 options->hostbased_authentication = -1;
67 options->hostbased_uses_name_from_packet_only = -1;
5260325f 68 options->rsa_authentication = -1;
fa08c86b 69 options->pubkey_authentication = -1;
5260325f 70 options->kerberos_authentication = -1;
71 options->kerberos_or_local_passwd = -1;
72 options->kerberos_ticket_cleanup = -1;
a1e30b47 73 options->kerberos_get_afs_token = -1;
7364bd04 74 options->gss_authentication=-1;
75 options->gss_cleanup_creds = -1;
5260325f 76 options->password_authentication = -1;
94ec8c6b 77 options->kbd_interactive_authentication = -1;
5ba55ada 78 options->challenge_response_authentication = -1;
5260325f 79 options->permit_empty_passwd = -1;
f00bab84 80 options->permit_user_env = -1;
5260325f 81 options->use_login = -1;
636f76ca 82 options->compression = -1;
33de75a3 83 options->allow_tcp_forwarding = -1;
5260325f 84 options->num_allow_users = 0;
85 options->num_deny_users = 0;
86 options->num_allow_groups = 0;
87 options->num_deny_groups = 0;
a8be9f80 88 options->ciphers = NULL;
b2552997 89 options->macs = NULL;
a8be9f80 90 options->protocol = SSH_PROTO_UNKNOWN;
1d1ffb87 91 options->gateway_ports = -1;
38c295d6 92 options->num_subsystems = 0;
c345cf9d 93 options->max_startups_begin = -1;
94 options->max_startups_rate = -1;
089fbbd2 95 options->max_startups = -1;
af4bd935 96 options->max_authtries = -1;
eea39c02 97 options->banner = NULL;
c5a7d788 98 options->use_dns = -1;
3ffc6336 99 options->client_alive_interval = -1;
100 options->client_alive_count_max = -1;
c8445989 101 options->authorized_keys_file = NULL;
102 options->authorized_keys_file2 = NULL;
61a2c1da 103 options->num_accept_env = 0;
1853d1ef 104
1853d1ef 105 /* Needs to be accessable in many places */
106 use_privsep = -1;
8efc0c15 107}
108
6ae2364d 109void
5260325f 110fill_default_server_options(ServerOptions *options)
8efc0c15 111{
e15895cd 112 /* Portable-specific options */
7fceb20d 113 if (options->use_pam == -1)
0a23d79f 114 options->use_pam = 0;
e15895cd 115
116 /* Standard Options */
fa08c86b 117 if (options->protocol == SSH_PROTO_UNKNOWN)
118 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
119 if (options->num_host_key_files == 0) {
120 /* fill default hostkeys for protocols */
121 if (options->protocol & SSH_PROTO_1)
0f84fe37 122 options->host_key_files[options->num_host_key_files++] =
123 _PATH_HOST_KEY_FILE;
124 if (options->protocol & SSH_PROTO_2) {
125 options->host_key_files[options->num_host_key_files++] =
126 _PATH_HOST_RSA_KEY_FILE;
127 options->host_key_files[options->num_host_key_files++] =
128 _PATH_HOST_DSA_KEY_FILE;
129 }
fa08c86b 130 }
48e671d5 131 if (options->num_ports == 0)
132 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
133 if (options->listen_addrs == NULL)
2d2a2c65 134 add_listen_addr(options, NULL, 0);
0fbe8c74 135 if (options->pid_file == NULL)
42f11eb2 136 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
5260325f 137 if (options->server_key_bits == -1)
138 options->server_key_bits = 768;
139 if (options->login_grace_time == -1)
3445ca02 140 options->login_grace_time = 120;
5260325f 141 if (options->key_regeneration_time == -1)
142 options->key_regeneration_time = 3600;
15853e93 143 if (options->permit_root_login == PERMIT_NOT_SET)
144 options->permit_root_login = PERMIT_YES;
5260325f 145 if (options->ignore_rhosts == -1)
c8d54615 146 options->ignore_rhosts = 1;
5260325f 147 if (options->ignore_user_known_hosts == -1)
148 options->ignore_user_known_hosts = 0;
5260325f 149 if (options->print_motd == -1)
150 options->print_motd = 1;
4f4648f9 151 if (options->print_lastlog == -1)
152 options->print_lastlog = 1;
5260325f 153 if (options->x11_forwarding == -1)
c8d54615 154 options->x11_forwarding = 0;
5260325f 155 if (options->x11_display_offset == -1)
c8d54615 156 options->x11_display_offset = 10;
e6e573bd 157 if (options->x11_use_localhost == -1)
158 options->x11_use_localhost = 1;
fa649821 159 if (options->xauth_location == NULL)
fd9ede94 160 options->xauth_location = _PATH_XAUTH;
5260325f 161 if (options->strict_modes == -1)
162 options->strict_modes = 1;
fd573618 163 if (options->tcp_keep_alive == -1)
164 options->tcp_keep_alive = 1;
5eaf8578 165 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
5260325f 166 options->log_facility = SYSLOG_FACILITY_AUTH;
5eaf8578 167 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
59c97189 168 options->log_level = SYSLOG_LEVEL_INFO;
5260325f 169 if (options->rhosts_rsa_authentication == -1)
c8d54615 170 options->rhosts_rsa_authentication = 0;
8002af61 171 if (options->hostbased_authentication == -1)
172 options->hostbased_authentication = 0;
173 if (options->hostbased_uses_name_from_packet_only == -1)
174 options->hostbased_uses_name_from_packet_only = 0;
5260325f 175 if (options->rsa_authentication == -1)
176 options->rsa_authentication = 1;
fa08c86b 177 if (options->pubkey_authentication == -1)
178 options->pubkey_authentication = 1;
5260325f 179 if (options->kerberos_authentication == -1)
eadc806d 180 options->kerberos_authentication = 0;
5260325f 181 if (options->kerberos_or_local_passwd == -1)
182 options->kerberos_or_local_passwd = 1;
183 if (options->kerberos_ticket_cleanup == -1)
184 options->kerberos_ticket_cleanup = 1;
a1e30b47 185 if (options->kerberos_get_afs_token == -1)
186 options->kerberos_get_afs_token = 0;
7364bd04 187 if (options->gss_authentication == -1)
188 options->gss_authentication = 0;
189 if (options->gss_cleanup_creds == -1)
190 options->gss_cleanup_creds = 1;
5260325f 191 if (options->password_authentication == -1)
192 options->password_authentication = 1;
94ec8c6b 193 if (options->kbd_interactive_authentication == -1)
194 options->kbd_interactive_authentication = 0;
5ba55ada 195 if (options->challenge_response_authentication == -1)
196 options->challenge_response_authentication = 1;
5260325f 197 if (options->permit_empty_passwd == -1)
c8d54615 198 options->permit_empty_passwd = 0;
f00bab84 199 if (options->permit_user_env == -1)
200 options->permit_user_env = 0;
5260325f 201 if (options->use_login == -1)
202 options->use_login = 0;
636f76ca 203 if (options->compression == -1)
07200973 204 options->compression = COMP_DELAYED;
33de75a3 205 if (options->allow_tcp_forwarding == -1)
206 options->allow_tcp_forwarding = 1;
1d1ffb87 207 if (options->gateway_ports == -1)
208 options->gateway_ports = 0;
089fbbd2 209 if (options->max_startups == -1)
210 options->max_startups = 10;
c345cf9d 211 if (options->max_startups_rate == -1)
212 options->max_startups_rate = 100; /* 100% */
213 if (options->max_startups_begin == -1)
214 options->max_startups_begin = options->max_startups;
af4bd935 215 if (options->max_authtries == -1)
216 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
c5a7d788 217 if (options->use_dns == -1)
218 options->use_dns = 1;
3ffc6336 219 if (options->client_alive_interval == -1)
184eed6a 220 options->client_alive_interval = 0;
3ffc6336 221 if (options->client_alive_count_max == -1)
222 options->client_alive_count_max = 3;
5df83e07 223 if (options->authorized_keys_file2 == NULL) {
224 /* authorized_keys_file2 falls back to authorized_keys_file */
225 if (options->authorized_keys_file != NULL)
226 options->authorized_keys_file2 = options->authorized_keys_file;
227 else
228 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
229 }
230 if (options->authorized_keys_file == NULL)
231 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
1853d1ef 232
2ee1b704 233 /* Turn privilege separation on by default */
1853d1ef 234 if (use_privsep == -1)
2ee1b704 235 use_privsep = 1;
e299a298 236
4165b82e 237#ifndef HAVE_MMAP
e299a298 238 if (use_privsep && options->compression == 1) {
239 error("This platform does not support both privilege "
240 "separation and compression");
241 error("Compression disabled");
242 options->compression = 0;
243 }
244#endif
245
8efc0c15 246}
247
8efc0c15 248/* Keyword tokens. */
5260325f 249typedef enum {
250 sBadOption, /* == unknown option */
e15895cd 251 /* Portable-specific options */
7fceb20d 252 sUsePAM,
e15895cd 253 /* Standard Options */
5260325f 254 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
255 sPermitRootLogin, sLogFacility, sLogLevel,
0598d99d 256 sRhostsRSAAuthentication, sRSAAuthentication,
5260325f 257 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
a1e30b47 258 sKerberosGetAFSToken,
1c590258 259 sKerberosTgtPassing, sChallengeResponseAuthentication,
31b41ceb 260 sPasswordAuthentication, sKbdInteractiveAuthentication,
261 sListenAddress, sAddressFamily,
4f4648f9 262 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e6e573bd 263 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
fd573618 264 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
f00bab84 265 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
33de75a3 266 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
b2552997 267 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
af4bd935 268 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
269 sMaxStartups, sMaxAuthTries,
c5a7d788 270 sBanner, sUseDNS, sHostbasedAuthentication,
184eed6a 271 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
c8445989 272 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
61a2c1da 273 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
2ea6de2b 274 sUsePrivilegeSeparation,
a2144546 275 sDeprecated, sUnsupported
8efc0c15 276} ServerOpCodes;
277
278/* Textual representation of the tokens. */
5260325f 279static struct {
280 const char *name;
281 ServerOpCodes opcode;
282} keywords[] = {
e15895cd 283 /* Portable-specific options */
b06b11ad 284#ifdef USE_PAM
fe46678b 285 { "usepam", sUsePAM },
b06b11ad 286#else
fe46678b 287 { "usepam", sUnsupported },
b06b11ad 288#endif
fe46678b 289 { "pamauthenticationviakbdint", sDeprecated },
e15895cd 290 /* Standard Options */
5260325f 291 { "port", sPort },
292 { "hostkey", sHostKeyFile },
fa08c86b 293 { "hostdsakey", sHostKeyFile }, /* alias */
2b87da3b 294 { "pidfile", sPidFile },
5260325f 295 { "serverkeybits", sServerKeyBits },
296 { "logingracetime", sLoginGraceTime },
297 { "keyregenerationinterval", sKeyRegenerationTime },
298 { "permitrootlogin", sPermitRootLogin },
299 { "syslogfacility", sLogFacility },
300 { "loglevel", sLogLevel },
0598d99d 301 { "rhostsauthentication", sDeprecated },
5260325f 302 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
8002af61 303 { "hostbasedauthentication", sHostbasedAuthentication },
304 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
5260325f 305 { "rsaauthentication", sRSAAuthentication },
fa08c86b 306 { "pubkeyauthentication", sPubkeyAuthentication },
307 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
1c590258 308#ifdef KRB5
5260325f 309 { "kerberosauthentication", sKerberosAuthentication },
310 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
311 { "kerberosticketcleanup", sKerberosTicketCleanup },
bcfcc5f9 312#ifdef USE_AFS
a1e30b47 313 { "kerberosgetafstoken", sKerberosGetAFSToken },
309af4e5 314#else
315 { "kerberosgetafstoken", sUnsupported },
316#endif
a2144546 317#else
318 { "kerberosauthentication", sUnsupported },
319 { "kerberosorlocalpasswd", sUnsupported },
320 { "kerberosticketcleanup", sUnsupported },
a1e30b47 321 { "kerberosgetafstoken", sUnsupported },
a2144546 322#endif
8f73f7bb 323 { "kerberostgtpassing", sUnsupported },
a2144546 324 { "afstokenpassing", sUnsupported },
7364bd04 325#ifdef GSSAPI
326 { "gssapiauthentication", sGssAuthentication },
e377c083 327 { "gssapicleanupcredentials", sGssCleanupCreds },
7364bd04 328#else
329 { "gssapiauthentication", sUnsupported },
e377c083 330 { "gssapicleanupcredentials", sUnsupported },
7364bd04 331#endif
5260325f 332 { "passwordauthentication", sPasswordAuthentication },
94ec8c6b 333 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
d464095c 334 { "challengeresponseauthentication", sChallengeResponseAuthentication },
335 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
5c53a31e 336 { "checkmail", sDeprecated },
5260325f 337 { "listenaddress", sListenAddress },
31b41ceb 338 { "addressfamily", sAddressFamily },
5260325f 339 { "printmotd", sPrintMotd },
4f4648f9 340 { "printlastlog", sPrintLastLog },
5260325f 341 { "ignorerhosts", sIgnoreRhosts },
342 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
343 { "x11forwarding", sX11Forwarding },
344 { "x11displayoffset", sX11DisplayOffset },
e6e573bd 345 { "x11uselocalhost", sX11UseLocalhost },
fa649821 346 { "xauthlocation", sXAuthLocation },
5260325f 347 { "strictmodes", sStrictModes },
348 { "permitemptypasswords", sEmptyPasswd },
f00bab84 349 { "permituserenvironment", sPermitUserEnvironment },
5260325f 350 { "uselogin", sUseLogin },
636f76ca 351 { "compression", sCompression },
fd573618 352 { "tcpkeepalive", sTCPKeepAlive },
353 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
33de75a3 354 { "allowtcpforwarding", sAllowTcpForwarding },
5260325f 355 { "allowusers", sAllowUsers },
356 { "denyusers", sDenyUsers },
357 { "allowgroups", sAllowGroups },
358 { "denygroups", sDenyGroups },
a8be9f80 359 { "ciphers", sCiphers },
b2552997 360 { "macs", sMacs },
a8be9f80 361 { "protocol", sProtocol },
1d1ffb87 362 { "gatewayports", sGatewayPorts },
38c295d6 363 { "subsystem", sSubsystem },
089fbbd2 364 { "maxstartups", sMaxStartups },
af4bd935 365 { "maxauthtries", sMaxAuthTries },
eea39c02 366 { "banner", sBanner },
c5a7d788 367 { "usedns", sUseDNS },
368 { "verifyreversemapping", sDeprecated },
369 { "reversemappingcheck", sDeprecated },
3ffc6336 370 { "clientaliveinterval", sClientAliveInterval },
371 { "clientalivecountmax", sClientAliveCountMax },
c8445989 372 { "authorizedkeysfile", sAuthorizedKeysFile },
373 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
1853d1ef 374 { "useprivilegeseparation", sUsePrivilegeSeparation},
61a2c1da 375 { "acceptenv", sAcceptEnv },
17a3011c 376 { NULL, sBadOption }
8efc0c15 377};
378
aa3378df 379/*
6be9a5e8 380 * Returns the number of the token pointed to by cp or sBadOption.
aa3378df 381 */
8efc0c15 382
6ae2364d 383static ServerOpCodes
5260325f 384parse_token(const char *cp, const char *filename,
385 int linenum)
8efc0c15 386{
1e3b8b07 387 u_int i;
8efc0c15 388
5260325f 389 for (i = 0; keywords[i].name; i++)
aa3378df 390 if (strcasecmp(cp, keywords[i].name) == 0)
5260325f 391 return keywords[i].opcode;
8efc0c15 392
b7c70970 393 error("%s: line %d: Bad configuration option: %s",
394 filename, linenum, cp);
5260325f 395 return sBadOption;
8efc0c15 396}
397
396c147e 398static void
2d2a2c65 399add_listen_addr(ServerOptions *options, char *addr, u_short port)
48e671d5 400{
2ceb8101 401 u_int i;
48e671d5 402
403 if (options->num_ports == 0)
404 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
31b41ceb 405 if (options->address_family == -1)
406 options->address_family = AF_UNSPEC;
2d2a2c65 407 if (port == 0)
d11c1288 408 for (i = 0; i < options->num_ports; i++)
409 add_one_listen_addr(options, addr, options->ports[i]);
410 else
2d2a2c65 411 add_one_listen_addr(options, addr, port);
d11c1288 412}
413
396c147e 414static void
d11c1288 415add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
416{
417 struct addrinfo hints, *ai, *aitop;
418 char strport[NI_MAXSERV];
419 int gaierr;
420
421 memset(&hints, 0, sizeof(hints));
31b41ceb 422 hints.ai_family = options->address_family;
d11c1288 423 hints.ai_socktype = SOCK_STREAM;
424 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
7528d467 425 snprintf(strport, sizeof strport, "%u", port);
d11c1288 426 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
427 fatal("bad addr or host: %s (%s)",
428 addr ? addr : "<NULL>",
429 gai_strerror(gaierr));
430 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
431 ;
432 ai->ai_next = options->listen_addrs;
433 options->listen_addrs = aitop;
48e671d5 434}
435
2717fa0f 436int
437process_server_config_line(ServerOptions *options, char *line,
438 const char *filename, int linenum)
8efc0c15 439{
d11c1288 440 char *cp, **charptr, *arg, *p;
2ceb8101 441 int *intptr, value, n;
5260325f 442 ServerOpCodes opcode;
3867aa0a 443 u_short port;
2ceb8101 444 u_int i;
5260325f 445
2717fa0f 446 cp = line;
447 arg = strdelim(&cp);
448 /* Ignore leading whitespace */
449 if (*arg == '\0')
704b1659 450 arg = strdelim(&cp);
2717fa0f 451 if (!arg || !*arg || *arg == '#')
452 return 0;
453 intptr = NULL;
454 charptr = NULL;
455 opcode = parse_token(arg, filename, linenum);
456 switch (opcode) {
457 /* Portable-specific options */
7fceb20d 458 case sUsePAM:
459 intptr = &options->use_pam;
2717fa0f 460 goto parse_flag;
48e671d5 461
2717fa0f 462 /* Standard Options */
463 case sBadOption:
464 return -1;
465 case sPort:
466 /* ignore ports from configfile if cmdline specifies ports */
467 if (options->ports_from_cmdline)
468 return 0;
469 if (options->listen_addrs != NULL)
470 fatal("%s line %d: ports must be specified before "
3a454b6a 471 "ListenAddress.", filename, linenum);
2717fa0f 472 if (options->num_ports >= MAX_PORTS)
473 fatal("%s line %d: too many ports.",
474 filename, linenum);
475 arg = strdelim(&cp);
476 if (!arg || *arg == '\0')
477 fatal("%s line %d: missing port number.",
478 filename, linenum);
479 options->ports[options->num_ports++] = a2port(arg);
480 if (options->ports[options->num_ports-1] == 0)
481 fatal("%s line %d: Badly formatted port number.",
482 filename, linenum);
483 break;
484
485 case sServerKeyBits:
486 intptr = &options->server_key_bits;
5260325f 487parse_int:
2717fa0f 488 arg = strdelim(&cp);
489 if (!arg || *arg == '\0')
490 fatal("%s line %d: missing integer value.",
491 filename, linenum);
492 value = atoi(arg);
493 if (*intptr == -1)
494 *intptr = value;
495 break;
496
497 case sLoginGraceTime:
498 intptr = &options->login_grace_time;
e2b1fb42 499parse_time:
2717fa0f 500 arg = strdelim(&cp);
501 if (!arg || *arg == '\0')
502 fatal("%s line %d: missing time value.",
503 filename, linenum);
504 if ((value = convtime(arg)) == -1)
505 fatal("%s line %d: invalid time value.",
506 filename, linenum);
507 if (*intptr == -1)
508 *intptr = value;
509 break;
510
511 case sKeyRegenerationTime:
512 intptr = &options->key_regeneration_time;
513 goto parse_time;
514
515 case sListenAddress:
516 arg = strdelim(&cp);
3867aa0a 517 if (arg == NULL || *arg == '\0')
518 fatal("%s line %d: missing address",
2717fa0f 519 filename, linenum);
91135a0e 520 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
521 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
522 && strchr(p+1, ':') != NULL) {
523 add_listen_addr(options, arg, 0);
524 break;
525 }
3867aa0a 526 p = hpdelim(&arg);
527 if (p == NULL)
528 fatal("%s line %d: bad address:port usage",
2717fa0f 529 filename, linenum);
3867aa0a 530 p = cleanhostname(p);
531 if (arg == NULL)
532 port = 0;
533 else if ((port = a2port(arg)) == 0)
534 fatal("%s line %d: bad port number", filename, linenum);
535
536 add_listen_addr(options, p, port);
537
2717fa0f 538 break;
539
31b41ceb 540 case sAddressFamily:
541 arg = strdelim(&cp);
38634ff6 542 if (!arg || *arg == '\0')
543 fatal("%s line %d: missing address family.",
544 filename, linenum);
31b41ceb 545 intptr = &options->address_family;
546 if (options->listen_addrs != NULL)
547 fatal("%s line %d: address family must be specified before "
548 "ListenAddress.", filename, linenum);
549 if (strcasecmp(arg, "inet") == 0)
550 value = AF_INET;
551 else if (strcasecmp(arg, "inet6") == 0)
552 value = AF_INET6;
553 else if (strcasecmp(arg, "any") == 0)
554 value = AF_UNSPEC;
555 else
556 fatal("%s line %d: unsupported address family \"%s\".",
557 filename, linenum, arg);
558 if (*intptr == -1)
559 *intptr = value;
560 break;
561
2717fa0f 562 case sHostKeyFile:
563 intptr = &options->num_host_key_files;
564 if (*intptr >= MAX_HOSTKEYS)
565 fatal("%s line %d: too many host keys specified (max %d).",
566 filename, linenum, MAX_HOSTKEYS);
567 charptr = &options->host_key_files[*intptr];
fa649821 568parse_filename:
2717fa0f 569 arg = strdelim(&cp);
570 if (!arg || *arg == '\0')
571 fatal("%s line %d: missing file name.",
572 filename, linenum);
573 if (*charptr == NULL) {
574 *charptr = tilde_expand_filename(arg, getuid());
575 /* increase optional counter */
576 if (intptr != NULL)
577 *intptr = *intptr + 1;
578 }
579 break;
0fbe8c74 580
2717fa0f 581 case sPidFile:
582 charptr = &options->pid_file;
583 goto parse_filename;
5260325f 584
2717fa0f 585 case sPermitRootLogin:
586 intptr = &options->permit_root_login;
587 arg = strdelim(&cp);
588 if (!arg || *arg == '\0')
589 fatal("%s line %d: missing yes/"
590 "without-password/forced-commands-only/no "
591 "argument.", filename, linenum);
592 value = 0; /* silence compiler */
593 if (strcmp(arg, "without-password") == 0)
594 value = PERMIT_NO_PASSWD;
595 else if (strcmp(arg, "forced-commands-only") == 0)
596 value = PERMIT_FORCED_ONLY;
597 else if (strcmp(arg, "yes") == 0)
598 value = PERMIT_YES;
599 else if (strcmp(arg, "no") == 0)
600 value = PERMIT_NO;
601 else
602 fatal("%s line %d: Bad yes/"
603 "without-password/forced-commands-only/no "
604 "argument: %s", filename, linenum, arg);
605 if (*intptr == -1)
606 *intptr = value;
607 break;
608
609 case sIgnoreRhosts:
610 intptr = &options->ignore_rhosts;
5260325f 611parse_flag:
2717fa0f 612 arg = strdelim(&cp);
613 if (!arg || *arg == '\0')
614 fatal("%s line %d: missing yes/no argument.",
615 filename, linenum);
616 value = 0; /* silence compiler */
617 if (strcmp(arg, "yes") == 0)
618 value = 1;
619 else if (strcmp(arg, "no") == 0)
620 value = 0;
621 else
622 fatal("%s line %d: Bad yes/no argument: %s",
623 filename, linenum, arg);
624 if (*intptr == -1)
625 *intptr = value;
626 break;
627
628 case sIgnoreUserKnownHosts:
629 intptr = &options->ignore_user_known_hosts;
630 goto parse_flag;
631
2717fa0f 632 case sRhostsRSAAuthentication:
633 intptr = &options->rhosts_rsa_authentication;
634 goto parse_flag;
635
636 case sHostbasedAuthentication:
637 intptr = &options->hostbased_authentication;
638 goto parse_flag;
639
640 case sHostbasedUsesNameFromPacketOnly:
641 intptr = &options->hostbased_uses_name_from_packet_only;
642 goto parse_flag;
643
644 case sRSAAuthentication:
645 intptr = &options->rsa_authentication;
646 goto parse_flag;
647
648 case sPubkeyAuthentication:
649 intptr = &options->pubkey_authentication;
650 goto parse_flag;
d0ec7f42 651
2717fa0f 652 case sKerberosAuthentication:
653 intptr = &options->kerberos_authentication;
654 goto parse_flag;
5260325f 655
2717fa0f 656 case sKerberosOrLocalPasswd:
657 intptr = &options->kerberos_or_local_passwd;
658 goto parse_flag;
5260325f 659
2717fa0f 660 case sKerberosTicketCleanup:
661 intptr = &options->kerberos_ticket_cleanup;
662 goto parse_flag;
d0ec7f42 663
a1e30b47 664 case sKerberosGetAFSToken:
665 intptr = &options->kerberos_get_afs_token;
666 goto parse_flag;
667
7364bd04 668 case sGssAuthentication:
669 intptr = &options->gss_authentication;
670 goto parse_flag;
671
672 case sGssCleanupCreds:
673 intptr = &options->gss_cleanup_creds;
674 goto parse_flag;
675
2717fa0f 676 case sPasswordAuthentication:
677 intptr = &options->password_authentication;
678 goto parse_flag;
5260325f 679
2717fa0f 680 case sKbdInteractiveAuthentication:
681 intptr = &options->kbd_interactive_authentication;
682 goto parse_flag;
8002af61 683
2717fa0f 684 case sChallengeResponseAuthentication:
685 intptr = &options->challenge_response_authentication;
686 goto parse_flag;
8002af61 687
2717fa0f 688 case sPrintMotd:
689 intptr = &options->print_motd;
690 goto parse_flag;
5260325f 691
2717fa0f 692 case sPrintLastLog:
693 intptr = &options->print_lastlog;
694 goto parse_flag;
5260325f 695
2717fa0f 696 case sX11Forwarding:
697 intptr = &options->x11_forwarding;
698 goto parse_flag;
5260325f 699
2717fa0f 700 case sX11DisplayOffset:
701 intptr = &options->x11_display_offset;
702 goto parse_int;
8efc0c15 703
e6e573bd 704 case sX11UseLocalhost:
705 intptr = &options->x11_use_localhost;
706 goto parse_flag;
707
2717fa0f 708 case sXAuthLocation:
709 charptr = &options->xauth_location;
710 goto parse_filename;
5260325f 711
2717fa0f 712 case sStrictModes:
713 intptr = &options->strict_modes;
714 goto parse_flag;
5260325f 715
fd573618 716 case sTCPKeepAlive:
717 intptr = &options->tcp_keep_alive;
2717fa0f 718 goto parse_flag;
33de75a3 719
2717fa0f 720 case sEmptyPasswd:
721 intptr = &options->permit_empty_passwd;
722 goto parse_flag;
5260325f 723
f00bab84 724 case sPermitUserEnvironment:
725 intptr = &options->permit_user_env;
726 goto parse_flag;
727
2717fa0f 728 case sUseLogin:
729 intptr = &options->use_login;
730 goto parse_flag;
5260325f 731
636f76ca 732 case sCompression:
733 intptr = &options->compression;
07200973 734 arg = strdelim(&cp);
735 if (!arg || *arg == '\0')
736 fatal("%s line %d: missing yes/no/delayed "
737 "argument.", filename, linenum);
738 value = 0; /* silence compiler */
739 if (strcmp(arg, "delayed") == 0)
740 value = COMP_DELAYED;
741 else if (strcmp(arg, "yes") == 0)
742 value = COMP_ZLIB;
743 else if (strcmp(arg, "no") == 0)
744 value = COMP_NONE;
745 else
746 fatal("%s line %d: Bad yes/no/delayed "
747 "argument: %s", filename, linenum, arg);
748 if (*intptr == -1)
749 *intptr = value;
750 break;
636f76ca 751
2717fa0f 752 case sGatewayPorts:
753 intptr = &options->gateway_ports;
3867aa0a 754 arg = strdelim(&cp);
755 if (!arg || *arg == '\0')
756 fatal("%s line %d: missing yes/no/clientspecified "
757 "argument.", filename, linenum);
758 value = 0; /* silence compiler */
759 if (strcmp(arg, "clientspecified") == 0)
760 value = 2;
761 else if (strcmp(arg, "yes") == 0)
762 value = 1;
763 else if (strcmp(arg, "no") == 0)
764 value = 0;
765 else
766 fatal("%s line %d: Bad yes/no/clientspecified "
767 "argument: %s", filename, linenum, arg);
768 if (*intptr == -1)
769 *intptr = value;
770 break;
5260325f 771
c5a7d788 772 case sUseDNS:
773 intptr = &options->use_dns;
2717fa0f 774 goto parse_flag;
5260325f 775
2717fa0f 776 case sLogFacility:
777 intptr = (int *) &options->log_facility;
778 arg = strdelim(&cp);
779 value = log_facility_number(arg);
5eaf8578 780 if (value == SYSLOG_FACILITY_NOT_SET)
2717fa0f 781 fatal("%.200s line %d: unsupported log facility '%s'",
782 filename, linenum, arg ? arg : "<NONE>");
783 if (*intptr == -1)
784 *intptr = (SyslogFacility) value;
785 break;
786
787 case sLogLevel:
788 intptr = (int *) &options->log_level;
789 arg = strdelim(&cp);
790 value = log_level_number(arg);
5eaf8578 791 if (value == SYSLOG_LEVEL_NOT_SET)
2717fa0f 792 fatal("%.200s line %d: unsupported log level '%s'",
793 filename, linenum, arg ? arg : "<NONE>");
794 if (*intptr == -1)
795 *intptr = (LogLevel) value;
796 break;
797
798 case sAllowTcpForwarding:
799 intptr = &options->allow_tcp_forwarding;
800 goto parse_flag;
801
1853d1ef 802 case sUsePrivilegeSeparation:
803 intptr = &use_privsep;
804 goto parse_flag;
805
2717fa0f 806 case sAllowUsers:
807 while ((arg = strdelim(&cp)) && *arg != '\0') {
808 if (options->num_allow_users >= MAX_ALLOW_USERS)
809 fatal("%s line %d: too many allow users.",
810 filename, linenum);
7528d467 811 options->allow_users[options->num_allow_users++] =
812 xstrdup(arg);
2717fa0f 813 }
814 break;
a8be9f80 815
2717fa0f 816 case sDenyUsers:
817 while ((arg = strdelim(&cp)) && *arg != '\0') {
818 if (options->num_deny_users >= MAX_DENY_USERS)
819 fatal( "%s line %d: too many deny users.",
820 filename, linenum);
7528d467 821 options->deny_users[options->num_deny_users++] =
822 xstrdup(arg);
2717fa0f 823 }
824 break;
b2552997 825
2717fa0f 826 case sAllowGroups:
827 while ((arg = strdelim(&cp)) && *arg != '\0') {
828 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
829 fatal("%s line %d: too many allow groups.",
830 filename, linenum);
7528d467 831 options->allow_groups[options->num_allow_groups++] =
832 xstrdup(arg);
2717fa0f 833 }
834 break;
a8be9f80 835
2717fa0f 836 case sDenyGroups:
837 while ((arg = strdelim(&cp)) && *arg != '\0') {
838 if (options->num_deny_groups >= MAX_DENY_GROUPS)
839 fatal("%s line %d: too many deny groups.",
840 filename, linenum);
841 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
842 }
843 break;
38c295d6 844
2717fa0f 845 case sCiphers:
846 arg = strdelim(&cp);
847 if (!arg || *arg == '\0')
848 fatal("%s line %d: Missing argument.", filename, linenum);
849 if (!ciphers_valid(arg))
850 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
851 filename, linenum, arg ? arg : "<NONE>");
852 if (options->ciphers == NULL)
853 options->ciphers = xstrdup(arg);
854 break;
855
856 case sMacs:
857 arg = strdelim(&cp);
858 if (!arg || *arg == '\0')
859 fatal("%s line %d: Missing argument.", filename, linenum);
860 if (!mac_valid(arg))
861 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
862 filename, linenum, arg ? arg : "<NONE>");
863 if (options->macs == NULL)
864 options->macs = xstrdup(arg);
865 break;
866
867 case sProtocol:
868 intptr = &options->protocol;
869 arg = strdelim(&cp);
870 if (!arg || *arg == '\0')
871 fatal("%s line %d: Missing argument.", filename, linenum);
872 value = proto_spec(arg);
873 if (value == SSH_PROTO_UNKNOWN)
874 fatal("%s line %d: Bad protocol spec '%s'.",
184eed6a 875 filename, linenum, arg ? arg : "<NONE>");
2717fa0f 876 if (*intptr == SSH_PROTO_UNKNOWN)
877 *intptr = value;
878 break;
879
880 case sSubsystem:
881 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
882 fatal("%s line %d: too many subsystems defined.",
184eed6a 883 filename, linenum);
2717fa0f 884 }
885 arg = strdelim(&cp);
886 if (!arg || *arg == '\0')
887 fatal("%s line %d: Missing subsystem name.",
184eed6a 888 filename, linenum);
2717fa0f 889 for (i = 0; i < options->num_subsystems; i++)
890 if (strcmp(arg, options->subsystem_name[i]) == 0)
891 fatal("%s line %d: Subsystem '%s' already defined.",
184eed6a 892 filename, linenum, arg);
2717fa0f 893 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
894 arg = strdelim(&cp);
895 if (!arg || *arg == '\0')
896 fatal("%s line %d: Missing subsystem command.",
184eed6a 897 filename, linenum);
2717fa0f 898 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
899 options->num_subsystems++;
900 break;
901
902 case sMaxStartups:
903 arg = strdelim(&cp);
904 if (!arg || *arg == '\0')
905 fatal("%s line %d: Missing MaxStartups spec.",
184eed6a 906 filename, linenum);
2717fa0f 907 if ((n = sscanf(arg, "%d:%d:%d",
908 &options->max_startups_begin,
909 &options->max_startups_rate,
910 &options->max_startups)) == 3) {
911 if (options->max_startups_begin >
912 options->max_startups ||
913 options->max_startups_rate > 100 ||
914 options->max_startups_rate < 1)
c345cf9d 915 fatal("%s line %d: Illegal MaxStartups spec.",
97de229c 916 filename, linenum);
2717fa0f 917 } else if (n != 1)
918 fatal("%s line %d: Illegal MaxStartups spec.",
919 filename, linenum);
920 else
921 options->max_startups = options->max_startups_begin;
922 break;
923
af4bd935 924 case sMaxAuthTries:
925 intptr = &options->max_authtries;
926 goto parse_int;
927
2717fa0f 928 case sBanner:
929 charptr = &options->banner;
930 goto parse_filename;
931 /*
932 * These options can contain %X options expanded at
933 * connect time, so that you can specify paths like:
934 *
935 * AuthorizedKeysFile /etc/ssh_keys/%u
936 */
937 case sAuthorizedKeysFile:
938 case sAuthorizedKeysFile2:
939 charptr = (opcode == sAuthorizedKeysFile ) ?
940 &options->authorized_keys_file :
941 &options->authorized_keys_file2;
942 goto parse_filename;
943
944 case sClientAliveInterval:
945 intptr = &options->client_alive_interval;
946 goto parse_time;
947
948 case sClientAliveCountMax:
949 intptr = &options->client_alive_count_max;
950 goto parse_int;
951
61a2c1da 952 case sAcceptEnv:
953 while ((arg = strdelim(&cp)) && *arg != '\0') {
954 if (strchr(arg, '=') != NULL)
955 fatal("%s line %d: Invalid environment name.",
956 filename, linenum);
957 if (options->num_accept_env >= MAX_ACCEPT_ENV)
958 fatal("%s line %d: too many allow env.",
959 filename, linenum);
960 options->accept_env[options->num_accept_env++] =
961 xstrdup(arg);
962 }
963 break;
964
2717fa0f 965 case sDeprecated:
bbe88b6d 966 logit("%s line %d: Deprecated option %s",
2717fa0f 967 filename, linenum, arg);
968 while (arg)
969 arg = strdelim(&cp);
970 break;
971
a2144546 972 case sUnsupported:
973 logit("%s line %d: Unsupported option %s",
974 filename, linenum, arg);
975 while (arg)
976 arg = strdelim(&cp);
977 break;
978
2717fa0f 979 default:
980 fatal("%s line %d: Missing handler for opcode %s (%d)",
981 filename, linenum, arg, opcode);
982 }
983 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
984 fatal("%s line %d: garbage at end of line; \"%.200s\".",
985 filename, linenum, arg);
986 return 0;
987}
089fbbd2 988
2717fa0f 989/* Reads the server configuration file. */
5c53a31e 990
2717fa0f 991void
b9a549d7 992load_server_config(const char *filename, Buffer *conf)
2717fa0f 993{
b9a549d7 994 char line[1024], *cp;
7528d467 995 FILE *f;
2717fa0f 996
b9a549d7 997 debug2("%s: filename %s", __func__, filename);
998 if ((f = fopen(filename, "r")) == NULL) {
2717fa0f 999 perror(filename);
1000 exit(1);
1001 }
b9a549d7 1002 buffer_clear(conf);
2717fa0f 1003 while (fgets(line, sizeof(line), f)) {
b9a549d7 1004 /*
1005 * Trim out comments and strip whitespace
f2107e97 1006 * NB - preserve newlines, they are needed to reproduce
b9a549d7 1007 * line numbers later for error messages
1008 */
1009 if ((cp = strchr(line, '#')) != NULL)
1010 memcpy(cp, "\n", 2);
1011 cp = line + strspn(line, " \t\r");
1012
1013 buffer_append(conf, cp, strlen(cp));
8efc0c15 1014 }
b9a549d7 1015 buffer_append(conf, "\0", 1);
5260325f 1016 fclose(f);
b9a549d7 1017 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1018}
1019
1020void
1021parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1022{
1023 int linenum, bad_options = 0;
16acb158 1024 char *cp, *obuf, *cbuf;
b9a549d7 1025
1026 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1027
16acb158 1028 obuf = cbuf = xstrdup(buffer_ptr(conf));
861cc543 1029 linenum = 1;
f8cc7664 1030 while ((cp = strsep(&cbuf, "\n")) != NULL) {
b9a549d7 1031 if (process_server_config_line(options, cp, filename,
1032 linenum++) != 0)
1033 bad_options++;
1034 }
16acb158 1035 xfree(obuf);
b7c70970 1036 if (bad_options > 0)
1037 fatal("%s: terminating, %d bad configuration options",
1038 filename, bad_options);
8efc0c15 1039}
git-cvsimport mirror of OpenSSH
This page took 0.51305 seconds and 5 git commands to generate.