8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.121 2003/05/15 14:02:47 jakob Exp $");

#include <errno.h>
#include <limits.h>

#if defined(KRB4)
#include <krb.h>
#endif

#if defined(KRB5)
# ifdef HEIMDAL
#  include <krb.h>
# else
/*
 * XXX: Bodge - but then, so is using the kerberos IV KEYFILE to get a
 * Kerberos V keytab
 */
#  define KEYFILE "/etc/krb5.keytab"
# endif
#endif

#ifdef AFS
#include <kafs.h>
#endif

#include "ssh.h"
#include "log.h"
#include "servconf.h"
#include "xmalloc.h"
#include "compat.h"
#include "pathnames.h"
#include "tildexpand.h"
#include "misc.h"
#include "cipher.h"
#include "kex.h"
#include "mac.h"
42f11eb2 46
/* Helpers (defined below) that resolve ListenAddress/Port into listen_addrs. */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6 (defined elsewhere, presumably sshd.c) */
extern int IPv4or6;
/* Use of privilege separation or not; -1 until set, see fill_default_server_options() */
extern int use_privsep;
42f11eb2 54
8efc0c15 55/* Initializes the server options to their default values. */
56
/*
 * Initializes the server options to their "not set" sentinels.
 *
 * The struct is zeroed first, then every scalar option is set to -1
 * (or its type-specific NOT_SET value) and every pointer to NULL.
 * The parser in process_server_config_line() only stores a value while
 * the field still holds its sentinel ("first value wins"), and
 * fill_default_server_options() replaces whatever is still a sentinel
 * afterwards.  Note that use_privsep is a global, not a struct member,
 * but is treated the same way.
 */
void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->use_pam = -1;

	/* Standard Options */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->permit_root_login = PERMIT_NOT_SET;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->strict_modes = -1;
	options->keepalives = -1;
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
	options->kerberos_tgt_passing = -1;
	options->afs_token_passing = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	/* List options: counts start at zero, the arrays themselves were zeroed by memset. */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->ciphers = NULL;
	options->macs = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->gateway_ports = -1;
	options->num_subsystems = 0;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->banner = NULL;
	options->verify_reverse_mapping = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* Needs to be accessable in many places */
	use_privsep = -1;
}
128
/*
 * Replaces every option still at its "not set" sentinel with the
 * compiled-in default.  Must run after all config sources (command
 * line and file) have been parsed, since the parser never overwrites
 * a field that already holds a value.
 *
 * Security-relevant defaults worth knowing when auditing a deployment
 * that relies on this file rather than an explicit sshd_config:
 * PermitRootLogin is "yes", PasswordAuthentication is on, both
 * protocol versions are offered, and privilege separation is on.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	if (options->use_pam == -1)
#ifdef USE_PAM
		options->use_pam = 1;
#else
		options->use_pam = 0;
#endif

	/* Standard Options */
	/*
	 * NOTE(review): with no Protocol directive both versions are
	 * enabled; protocol 1 is generally regarded as the weaker of the
	 * two, so production configs should set "Protocol 2" explicitly.
	 */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* No ListenAddress: wildcard address on every configured port. */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	/* Size in bits of the (presumably protocol 1) server key. */
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	/* Seconds an unauthenticated connection may linger. */
	if (options->login_grace_time == -1)
		options->login_grace_time = 120;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	/*
	 * Root login is permitted (including by password) unless the
	 * admin says otherwise.  Hardened configs should set
	 * "PermitRootLogin no" or "without-password" explicitly.
	 */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->print_lastlog == -1)
		options->print_lastlog = 1;
	/* X11 forwarding is off by default; when enabled it binds to localhost. */
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 0;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
		options->x11_use_localhost = 1;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/* Host-trust based methods (rhosts, hostbased) are all off by default. */
	if (options->rhosts_authentication == -1)
		options->rhosts_authentication = 0;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->hostbased_uses_name_from_packet_only == -1)
		options->hostbased_uses_name_from_packet_only = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 0;
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 0;
	if (options->afs_token_passing == -1)
		options->afs_token_passing = 0;
	/* Password and challenge-response are on; empty passwords are not accepted. */
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 0;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	/* Users may not inject environment via authorized_keys/environment files. */
	if (options->permit_user_env == -1)
		options->permit_user_env = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	if (options->compression == -1)
		options->compression = 1;
	if (options->allow_tcp_forwarding == -1)
		options->allow_tcp_forwarding = 1;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	/* MaxStartups: begin defaults to the full limit, i.e. no random early drop. */
	if (options->max_startups == -1)
		options->max_startups = 10;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = 100;		/* 100% */
	if (options->max_startups_begin == -1)
		options->max_startups_begin = options->max_startups;
	if (options->verify_reverse_mapping == -1)
		options->verify_reverse_mapping = 0;
	/* ClientAliveInterval 0 disables the liveness probes entirely. */
	if (options->client_alive_interval == -1)
		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	if (use_privsep == -1)
		use_privsep = 1;

	/*
	 * Privilege separation takes precedence over compression on
	 * platforms without mmap(): compression is switched off with a
	 * logged error rather than privsep being dropped.
	 */
#ifndef HAVE_MMAP
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
269
8efc0c15 270/* Keyword tokens. */
/*
 * Keyword tokens.  One opcode per recognised sshd_config keyword;
 * parse_token() maps keyword text to these and
 * process_server_config_line() switches on them.  sBadOption is what
 * parse_token() returns for an unknown keyword; sDeprecated and
 * sUnsupported are keywords that are recognised only so they can be
 * logged and skipped.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosTgtPassing, sAFSTokenPassing, sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,
	sDeprecated, sUnsupported
} ServerOpCodes;
295
296/* Textual representation of the tokens. */
/*
 * Textual representation of the tokens.  Matching is case-insensitive
 * (parse_token() uses strcasecmp), which is why the names are lower-case
 * here; the table is terminated by a NULL name.
 *
 * Keywords for features compiled out (Kerberos, AFS) are kept in the
 * table but mapped to sUnsupported, so a config that asks for them is
 * logged and otherwise ignored rather than rejected.  Operators relying
 * on such a directive should confirm the build actually honours it.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
	{ "UsePAM", sUsePAM },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },			/* alias */
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
	{ "kerberostgtpassing", sKerberosTgtPassing },
#else
	/* Recognised but logged-and-ignored when built without Kerberos. */
	{ "kerberosauthentication", sUnsupported },
	{ "kerberosorlocalpasswd", sUnsupported },
	{ "kerberosticketcleanup", sUnsupported },
	{ "kerberostgtpassing", sUnsupported },
#endif
#if defined(AFS)
	{ "afstokenpassing", sAFSTokenPassing },
#else
	{ "afstokenpassing", sUnsupported },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	/* Logged as deprecated and skipped. */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "verifyreversemapping", sVerifyReverseMapping },
	{ "reversemappingcheck", sVerifyReverseMapping },		/* alias */
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ NULL, sBadOption }
};
378
aa3378df 379/*
6be9a5e8 380 * Returns the number of the token pointed to by cp or sBadOption.
aa3378df 381 */
8efc0c15 382
/*
 * Map the configuration keyword cp to its opcode by a case-insensitive
 * scan of the keywords table.  An unknown keyword is reported with
 * error() against filename/linenum and yields sBadOption; the caller
 * decides whether that is fatal.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
397
/*
 * Register addr (NULL means the wildcard address) as a listen address.
 * With an explicit port it is registered for that port only; with
 * port == 0 it is registered once for every port configured so far,
 * seeding ports[] with SSH_DEFAULT_PORT if no Port directive was seen.
 * This is why Port must precede ListenAddress in the config.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
411
/*
 * Resolve addr/port with getaddrinfo() and splice the whole result
 * chain onto the front of options->listen_addrs.  A NULL addr asks for
 * the passive (wildcard) address; the address family follows the
 * global IPv4or6.  Resolution failure is fatal.
 *
 * Note that a hostname given as ListenAddress is resolved here, once,
 * at config-parse time; the stored addrinfo list is what sshd later
 * binds, so a later DNS change is presumably not picked up.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *tail, *res;
	char portstr[NI_MAXSERV];
	int rc;

	memset(&hints, 0, sizeof(hints));
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_family = IPv4or6;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	snprintf(portstr, sizeof(portstr), "%u", port);

	rc = getaddrinfo(addr, portstr, &hints, &res);
	if (rc != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(rc));

	/* Find the last element so the entire chain can be prepended. */
	tail = res;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
433
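/*
 * Parse one line of server configuration (from the config file, or a
 * single command-line option) into options.
 *
 * Returns 0 for a blank/comment line or a successfully parsed
 * directive, and -1 for an unknown keyword (parse_token() has already
 * logged it).  A malformed argument for a known keyword is fatal.
 *
 * Most scalar options are "first value wins": the value is stored only
 * while the field still holds the sentinel set by
 * initialize_server_options() (-1, NULL, SSH_PROTO_UNKNOWN,
 * PERMIT_NOT_SET).  Presumably sshd runs its command-line options
 * through here before reading the file, which is what gives them
 * precedence — verify against sshd.c.  List options (Port,
 * ListenAddress, Allow/Deny*, Subsystem) append instead, and
 * MaxStartups overwrites unconditionally (see that case).
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p, *endp;
	int *intptr, value, i, n;
	long lval;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sUsePAM:
		intptr = &options->use_pam;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/*
		 * A ListenAddress without a port expands to every port
		 * known at that moment, so ports added later would be
		 * silently missed on it; refuse that ordering.
		 */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * Every option reaching this label (ServerKeyBits,
		 * X11DisplayOffset, ClientAliveCountMax) is a size or a
		 * count, so parse strictly: reject trailing junk,
		 * overflow and negative values instead of letting
		 * atoi() quietly turn "abc" into 0.
		 */
		errno = 0;
		lval = strtol(arg, &endp, 10);
		if (endp == arg || *endp != '\0' || errno == ERANGE ||
		    lval < 0 || lval > INT_MAX)
			fatal("%s line %d: invalid integer value '%s'.",
			    filename, linenum, arg);
		value = (int)lval;
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		/* convtime() handles unit suffixes and reports -1 on bad input. */
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms: host, host:port, [v6addr], [v6addr]:port.
		 * A bare IPv6 address (more than one ':') must be bracketed
		 * so the port separator is unambiguous.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			arg++;
			/* Drop the ']' in place; p now points at ':' or NUL. */
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		/*
		 * First value wins.  Tilde expansion is relative to the
		 * uid parsing the config, i.e. the user sshd runs as.
		 */
		if (*charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* Shared yes/no parser for every boolean option; first value wins. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;

	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;

	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;

	case sAFSTokenPassing:
		intptr = &options->afs_token_passing;
		goto parse_flag;

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sVerifyReverseMapping:
		intptr = &options->verify_reverse_mapping;
		goto parse_flag;

	case sLogFacility:
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		/* A missing argument is passed through as NULL and rejected below. */
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		intptr = &use_privsep;
		goto parse_flag;

	/*
	 * Allow/Deny lists accumulate across directives and sources;
	 * every remaining word on the line is one entry.
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal("%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		/* Validated up front so a typo cannot yield an empty cipher list at runtime. */
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		/*
		 * Subsystems append; a name that is already defined is
		 * fatal rather than first-wins, so the same Subsystem
		 * given twice (e.g. on the command line and in the file)
		 * terminates the daemon.
		 */
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		/*
		 * "begin:rate:full" or a single limit.  Unlike the other
		 * scalar options this writes into options unconditionally,
		 * so a later directive overrides an earlier one.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		/*
		 * sscanf() happily accepts zero and negative numbers, and
		 * the limits are later used as a table size and a
		 * connection budget; reject them here with a clear message.
		 */
		if (options->max_startups <= 0 ||
		    options->max_startups_begin <= 0)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		/* Log once, then swallow the rest of the line. */
		logit("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	case sUnsupported:
		/*
		 * Feature compiled out: the directive is only logged, so
		 * the daemon keeps running without it.
		 */
		logit("%s line %d: Unsupported option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Anything left over after the handler consumed its arguments is an error. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}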
089fbbd2 925
2717fa0f 926/* Reads the server configuration file. */
5c53a31e 927
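/*
 * Reads the server configuration file.
 *
 * Each line goes through process_server_config_line(): malformed
 * arguments are fatal there immediately, unknown keywords are counted
 * and reported together at the end (also fatal).  Failure to open the
 * file prints the reason and exits.
 *
 * A physical line that does not fit the line buffer is rejected rather
 * than split: fgets() would otherwise hand back the remainder as a new
 * "line", and that fragment would be parsed as if it were an
 * independent directive.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	int linenum, bad_options = 0;
	char line[1024];
	FILE *f;

	debug2("read_server_config: filename %s", filename);
	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * No trailing newline means either the file's last line
		 * simply lacks one (fine) or the line overflowed the
		 * buffer.  Peeking one more character tells them apart.
		 */
		if (strchr(line, '\n') == NULL && getc(f) != EOF)
			fatal("%s line %d: line too long (max %d characters).",
			    filename, linenum, (int)(sizeof(line) - 2));
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}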