8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
0598d99d 13RCSID("$OpenBSD: servconf.c,v 1.124 2003/08/13 08:46:30 markus Exp $");
8efc0c15 14
15#include "ssh.h"
42f11eb2 16#include "log.h"
8efc0c15 17#include "servconf.h"
18#include "xmalloc.h"
a8be9f80 19#include "compat.h"
42f11eb2 20#include "pathnames.h"
21#include "tildexpand.h"
22#include "misc.h"
23#include "cipher.h"
b2552997 24#include "kex.h"
25#include "mac.h"
42f11eb2 26
/* ListenAddress helpers, defined below the keyword table. */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6 */
extern int IPv4or6;
/* Use of privilege separation or not (-1 = not yet configured; see below) */
extern int use_privsep;
42f11eb2 34
/*
 * Reset every server option to its "not set" marker so that later
 * configuration sources can tell what has already been assigned:
 * -1 for integers and flags, NULL for strings and lists, 0 for
 * element counters, and the dedicated *_NOT_SET / SSH_PROTO_UNKNOWN
 * enumerators where the field is an enum.  Real defaults are applied
 * afterwards by fill_default_server_options().
 */

void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->use_pam = -1;

	/* Listening sockets and ports */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->gateway_ports = -1;
	options->keepalives = -1;

	/* Files and paths */
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->xauth_location = NULL;
	options->banner = NULL;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* Protocol and cryptography */
	options->protocol = SSH_PROTO_UNKNOWN;
	options->server_key_bits = -1;
	options->key_regeneration_time = -1;
	options->ciphers = NULL;
	options->macs = NULL;
	options->compression = -1;

	/* Authentication methods */
	options->permit_root_login = PERMIT_NOT_SET;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
	options->kerberos_tgt_passing = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->strict_modes = -1;
	options->login_grace_time = -1;

	/* Session policy */
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->allow_tcp_forwarding = -1;
	options->use_dns = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;

	/* Access lists and subsystems (counters only; arrays were zeroed) */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->num_subsystems = 0;

	/* Logging */
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;

	/* Connection rate limiting */
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;

	/* Needs to be accessable in many places */
	use_privsep = -1;
}
106
/*
 * Replace every option still carrying its "not set" marker (see
 * initialize_server_options()) with the compiled-in default.  Intended
 * to run once all configuration sources have been read: because the
 * parser only stores into a field while it is still unset, whatever
 * was configured earlier survives this pass untouched.
 *
 * Statement order is significant in places: the host key defaults
 * depend on `protocol`, the MaxStartups begin threshold copies
 * `max_startups`, AuthorizedKeysFile2 falls back to AuthorizedKeysFile,
 * and the non-mmap compression check reads the final `use_privsep`.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	if (options->use_pam == -1)
		options->use_pam = 1;

	/* Standard Options */
	/* Both protocol versions are offered unless the config narrowed it. */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* No ListenAddress given: a wildcard address on every configured port. */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	if (options->login_grace_time == -1)
		options->login_grace_time = 120;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	/* Root login is allowed by default; the config must opt out. */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->print_lastlog == -1)
		options->print_lastlog = 1;
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 0;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
		options->x11_use_localhost = 1;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/* Host-based methods default off; key and password methods default on. */
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->hostbased_uses_name_from_packet_only == -1)
		options->hostbased_uses_name_from_packet_only = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 0;
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 0;
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 0;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	if (options->permit_user_env == -1)
		options->permit_user_env = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	if (options->compression == -1)
		options->compression = 1;
	if (options->allow_tcp_forwarding == -1)
		options->allow_tcp_forwarding = 1;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	/* max_startups must be settled before max_startups_begin copies it. */
	if (options->max_startups == -1)
		options->max_startups = 10;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = 100;		/* 100% */
	if (options->max_startups_begin == -1)
		options->max_startups_begin = options->max_startups;
	if (options->use_dns == -1)
		options->use_dns = 1;
	/* 0 disables client-alive probing. */
	if (options->client_alive_interval == -1)
		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	/* Resolve file2 first: it inherits an explicitly configured file1. */
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	if (use_privsep == -1)
		use_privsep = 1;

#ifndef HAVE_MMAP
	/*
	 * Without mmap the two cannot coexist; privilege separation wins
	 * and compression is forced off, with an error() so the admin
	 * sees why their Compression setting was overridden.
	 */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
239
/*
 * Keyword tokens.  One opcode per recognised sshd_config keyword;
 * parse_token() maps keyword text to these and process_server_config_line()
 * switches on them.  The numeric values are never persisted or compared
 * against anything external; they only appear in the parser's fallback
 * "Missing handler" message.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosTgtPassing, sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sUseDNS, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,
	/* Keywords that are accepted and logged but whose argument is discarded. */
	sDeprecated, sUnsupported
} ServerOpCodes;
265
/*
 * Textual representation of the tokens.
 *
 * Looked up by parse_token() with a case-insensitive linear scan that
 * stops at the first match, so the NULL entry must stay last and no
 * two names may differ only in case.  Keywords for features compiled
 * out (PAM, Kerberos) are kept in the table but mapped to sUnsupported
 * so the config file still parses and the admin is told the setting
 * has no effect here.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "UsePAM", sUsePAM },
#else
	{ "UsePAM", sUnsupported },
#endif
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sDeprecated },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },			/* alias */
#ifdef KRB5
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
	{ "kerberostgtpassing", sKerberosTgtPassing },
#else
	{ "kerberosauthentication", sUnsupported },
	{ "kerberosorlocalpasswd", sUnsupported },
	{ "kerberosticketcleanup", sUnsupported },
	{ "kerberostgtpassing", sUnsupported },
#endif
	{ "afstokenpassing", sUnsupported },
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "usedns", sUseDNS },
	{ "verifyreversemapping", sDeprecated },
	{ "reversemappingcheck", sDeprecated },
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	/* Sentinel: terminates the scan in parse_token(). */
	{ NULL, sBadOption }
};
349
/*
 * Map the keyword text cp onto its ServerOpCodes value.  Matching is
 * case-insensitive and takes the first table entry that compares equal.
 * A keyword not in the table is reported through error(), tagged with
 * filename and linenum for the admin, and yields sBadOption.
 */

static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx;

	for (idx = 0; keywords[idx].name != NULL; idx++) {
		if (strcasecmp(keywords[idx].name, cp) != 0)
			continue;
		return keywords[idx].opcode;
	}

	/* Fell off the end of the table: nothing matched. */
	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
368
/*
 * Register addr as a listen address.  A port of 0 means "every
 * configured port": the address is added once per entry in
 * options->ports, which is seeded with SSH_DEFAULT_PORT if the config
 * never named one.  A non-zero port binds addr to that port only.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
382
/*
 * Resolve addr:port into one or more struct addrinfo entries and push
 * them onto the front of options->listen_addrs.  addr == NULL requests
 * a wildcard (AI_PASSIVE) socket; the address family comes from the
 * global IPv4or6.  Resolution failure is fatal(): the daemon has no
 * sensible way to continue without its listening socket.
 *
 * Ownership of the getaddrinfo() result passes to options->listen_addrs;
 * the caller of this module is responsible for freeaddrinfo() later.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *tail, *resolved;
	char portstr[NI_MAXSERV];
	int rc;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = 0;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	snprintf(portstr, sizeof portstr, "%u", port);

	rc = getaddrinfo(addr, portstr, &hints, &resolved);
	if (rc != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(rc));

	/* Splice the new list in front of whatever was registered before. */
	tail = resolved;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = resolved;
}
404
/*
 * Parse one line of sshd configuration into options.
 *
 * line is tokenized in place (the ListenAddress case writes into it
 * directly, and strdelim() presumably does too).  Blank and comment
 * lines return 0 without touching options.  An unknown keyword returns
 * -1 after parse_token() has logged it, so the caller can keep reading
 * and report every bad keyword at once.  A recognised keyword with a
 * malformed or missing argument, an overflowing list, a duplicate
 * subsystem, or trailing garbage calls fatal() and never returns.
 *
 * Scalar options reached through the shared parse_flag/parse_int/
 * parse_time/parse_filename labels are stored only while the target
 * field still holds its "unset" marker, so the first source to set a
 * value wins (presumably so command-line settings override the file;
 * see the callers).  List options (Port, ListenAddress, HostKey,
 * Allow/DenyUsers, Allow/DenyGroups, Subsystem) accumulate across lines.
 *
 * Returns 0 for a processed or ignored line, -1 for an unknown keyword.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p;
	int *intptr, value, i, n;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	/* intptr / charptr name the field the shared parse_* labels write to. */
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sUsePAM:
		intptr = &options->use_pam;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/* ListenAddress expands over the port list, so ports must come first. */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		/* a2port() signals a bad port with 0, checked on the next line. */
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * atoi() does no validation: a non-numeric argument quietly
		 * becomes 0 and out-of-range input is undefined behaviour.
		 * Nothing here checks the sign or range either.
		 */
		value = atoi(arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		/* convtime() handles the unit suffixes and reports -1 on garbage. */
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms: "host", "host:port", "[v6addr]" and
		 * "[v6addr]:port".  A bare address with more than one ':'
		 * is taken as an unbracketed IPv6 literal with no port.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			/* Drop the brackets in place; p now points just past the address. */
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				/* Terminate the address where the ':' was. */
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		/* Here intptr is a slot counter, not a value target; parse_filename bumps it. */
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			/* tilde_expand_filename() allocates; the string is owned by options. */
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* Shared yes/no parser; strict: only the exact words "yes" and "no". */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
				filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;

	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;

	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sUseDNS:
		intptr = &options->use_dns;
		goto parse_flag;

	case sLogFacility:
		/* The enum field is written through an int pointer; -1 is its "unset" value. */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		/* arg may be NULL here; log_facility_number() is expected to cope ("<NONE>" below). */
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		/* Writes the file-scope global, not an options field. */
		intptr = &use_privsep;
		goto parse_flag;

	case sAllowUsers:
		/* Each word on the line is one entry; entries accumulate across lines. */
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal( "%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		/* The spec is validated before it is stored; first setting wins. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		/* The "unset" marker for this field is SSH_PROTO_UNKNOWN rather than -1. */
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		/* "Subsystem name command": names must be unique. */
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		/*
		 * "begin:rate:full" or a single number.  Note that sscanf()
		 * writes straight into the options fields, unconditionally
		 * and before validation, so unlike the scalar options above
		 * a later MaxStartups line overrides an earlier one.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		/* Log it, then consume the rest of the line so the garbage check passes. */
		logit("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	case sUnsupported:
		logit("%s line %d: Unsupported option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		/* A keyword was added to the table without a case here. */
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Anything left after the handler consumed its arguments is an error. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}
089fbbd2 888
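/*
 * Reads the server configuration file.
 *
 * Every line of filename is passed to process_server_config_line(),
 * which returns non-zero for an unknown keyword (the whole file is
 * still read so that all of them get reported) and calls fatal()
 * itself on malformed values.  An unreadable file exits immediately;
 * any unknown keyword terminates via fatal() once the file is done.
 *
 * A line that does not fit in the fixed buffer is rejected instead of
 * being read as two lines: with plain fgets() the tail of an over-long
 * directive would otherwise be parsed as a directive of its own.
 */

void
read_server_config(ServerOptions *options, const char *filename)
{
	int linenum, bad_options = 0;
	char line[1024];
	FILE *f;

	debug2("read_server_config: filename %s", filename);
	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * No newline means fgets() either filled the buffer or the
		 * file ends without one.  Only the former is an error, and
		 * the two are told apart by whether more input follows.
		 */
		if (strchr(line, '\n') == NULL && getc(f) != EOF)
			fatal("%s line %d: line too long (max %lu characters)",
			    filename, linenum,
			    (unsigned long)(sizeof(line) - 2));
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}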