]> andersk Git - openssh.git/blame - servconf.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- (dtucker) [auth-pam.c scard-opensc.c] Tinderbox says auth-pam.c uses
[openssh.git] / servconf.c
CommitLineData
8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
07d80252 13RCSID("$OpenBSD: servconf.c,v 1.132 2004/05/08 00:01:37 deraadt Exp $");
8efc0c15 14
15#include "ssh.h"
42f11eb2 16#include "log.h"
8efc0c15 17#include "servconf.h"
18#include "xmalloc.h"
a8be9f80 19#include "compat.h"
42f11eb2 20#include "pathnames.h"
42f11eb2 21#include "misc.h"
22#include "cipher.h"
b2552997 23#include "kex.h"
24#include "mac.h"
42f11eb2 25
396c147e 26static void add_listen_addr(ServerOptions *, char *, u_short);
27static void add_one_listen_addr(ServerOptions *, char *, u_short);
48e671d5 28
42f11eb2 29/* AF_UNSPEC or AF_INET or AF_INET6 */
30extern int IPv4or6;
1853d1ef 31/* Use of privilege separation or not */
32extern int use_privsep;
42f11eb2 33
8efc0c15 34/* Initializes the server options to their default values. */
35
6ae2364d 36void
5260325f 37initialize_server_options(ServerOptions *options)
8efc0c15 38{
5260325f 39 memset(options, 0, sizeof(*options));
e15895cd 40
41 /* Portable-specific options */
7fceb20d 42 options->use_pam = -1;
e15895cd 43
44 /* Standard Options */
48e671d5 45 options->num_ports = 0;
46 options->ports_from_cmdline = 0;
47 options->listen_addrs = NULL;
fa08c86b 48 options->num_host_key_files = 0;
0fbe8c74 49 options->pid_file = NULL;
5260325f 50 options->server_key_bits = -1;
51 options->login_grace_time = -1;
52 options->key_regeneration_time = -1;
15853e93 53 options->permit_root_login = PERMIT_NOT_SET;
5260325f 54 options->ignore_rhosts = -1;
55 options->ignore_user_known_hosts = -1;
56 options->print_motd = -1;
4f4648f9 57 options->print_lastlog = -1;
5260325f 58 options->x11_forwarding = -1;
59 options->x11_display_offset = -1;
e6e573bd 60 options->x11_use_localhost = -1;
fa649821 61 options->xauth_location = NULL;
5260325f 62 options->strict_modes = -1;
fd573618 63 options->tcp_keep_alive = -1;
5eaf8578 64 options->log_facility = SYSLOG_FACILITY_NOT_SET;
65 options->log_level = SYSLOG_LEVEL_NOT_SET;
5260325f 66 options->rhosts_rsa_authentication = -1;
8002af61 67 options->hostbased_authentication = -1;
68 options->hostbased_uses_name_from_packet_only = -1;
5260325f 69 options->rsa_authentication = -1;
fa08c86b 70 options->pubkey_authentication = -1;
5260325f 71 options->kerberos_authentication = -1;
72 options->kerberos_or_local_passwd = -1;
73 options->kerberos_ticket_cleanup = -1;
a1e30b47 74 options->kerberos_get_afs_token = -1;
7364bd04 75 options->gss_authentication=-1;
76 options->gss_cleanup_creds = -1;
5260325f 77 options->password_authentication = -1;
94ec8c6b 78 options->kbd_interactive_authentication = -1;
5ba55ada 79 options->challenge_response_authentication = -1;
5260325f 80 options->permit_empty_passwd = -1;
f00bab84 81 options->permit_user_env = -1;
5260325f 82 options->use_login = -1;
636f76ca 83 options->compression = -1;
33de75a3 84 options->allow_tcp_forwarding = -1;
5260325f 85 options->num_allow_users = 0;
86 options->num_deny_users = 0;
87 options->num_allow_groups = 0;
88 options->num_deny_groups = 0;
a8be9f80 89 options->ciphers = NULL;
b2552997 90 options->macs = NULL;
a8be9f80 91 options->protocol = SSH_PROTO_UNKNOWN;
1d1ffb87 92 options->gateway_ports = -1;
38c295d6 93 options->num_subsystems = 0;
c345cf9d 94 options->max_startups_begin = -1;
95 options->max_startups_rate = -1;
089fbbd2 96 options->max_startups = -1;
eea39c02 97 options->banner = NULL;
c5a7d788 98 options->use_dns = -1;
3ffc6336 99 options->client_alive_interval = -1;
100 options->client_alive_count_max = -1;
c8445989 101 options->authorized_keys_file = NULL;
102 options->authorized_keys_file2 = NULL;
61a2c1da 103 options->num_accept_env = 0;
1853d1ef 104
1853d1ef 105 /* Needs to be accessable in many places */
106 use_privsep = -1;
8efc0c15 107}
108
6ae2364d 109void
5260325f 110fill_default_server_options(ServerOptions *options)
8efc0c15 111{
e15895cd 112 /* Portable-specific options */
7fceb20d 113 if (options->use_pam == -1)
0a23d79f 114 options->use_pam = 0;
e15895cd 115
116 /* Standard Options */
fa08c86b 117 if (options->protocol == SSH_PROTO_UNKNOWN)
118 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
119 if (options->num_host_key_files == 0) {
120 /* fill default hostkeys for protocols */
121 if (options->protocol & SSH_PROTO_1)
0f84fe37 122 options->host_key_files[options->num_host_key_files++] =
123 _PATH_HOST_KEY_FILE;
124 if (options->protocol & SSH_PROTO_2) {
125 options->host_key_files[options->num_host_key_files++] =
126 _PATH_HOST_RSA_KEY_FILE;
127 options->host_key_files[options->num_host_key_files++] =
128 _PATH_HOST_DSA_KEY_FILE;
129 }
fa08c86b 130 }
48e671d5 131 if (options->num_ports == 0)
132 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
133 if (options->listen_addrs == NULL)
2d2a2c65 134 add_listen_addr(options, NULL, 0);
0fbe8c74 135 if (options->pid_file == NULL)
42f11eb2 136 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
5260325f 137 if (options->server_key_bits == -1)
138 options->server_key_bits = 768;
139 if (options->login_grace_time == -1)
3445ca02 140 options->login_grace_time = 120;
5260325f 141 if (options->key_regeneration_time == -1)
142 options->key_regeneration_time = 3600;
15853e93 143 if (options->permit_root_login == PERMIT_NOT_SET)
144 options->permit_root_login = PERMIT_YES;
5260325f 145 if (options->ignore_rhosts == -1)
c8d54615 146 options->ignore_rhosts = 1;
5260325f 147 if (options->ignore_user_known_hosts == -1)
148 options->ignore_user_known_hosts = 0;
5260325f 149 if (options->print_motd == -1)
150 options->print_motd = 1;
4f4648f9 151 if (options->print_lastlog == -1)
152 options->print_lastlog = 1;
5260325f 153 if (options->x11_forwarding == -1)
c8d54615 154 options->x11_forwarding = 0;
5260325f 155 if (options->x11_display_offset == -1)
c8d54615 156 options->x11_display_offset = 10;
e6e573bd 157 if (options->x11_use_localhost == -1)
158 options->x11_use_localhost = 1;
fa649821 159 if (options->xauth_location == NULL)
fd9ede94 160 options->xauth_location = _PATH_XAUTH;
5260325f 161 if (options->strict_modes == -1)
162 options->strict_modes = 1;
fd573618 163 if (options->tcp_keep_alive == -1)
164 options->tcp_keep_alive = 1;
5eaf8578 165 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
5260325f 166 options->log_facility = SYSLOG_FACILITY_AUTH;
5eaf8578 167 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
59c97189 168 options->log_level = SYSLOG_LEVEL_INFO;
5260325f 169 if (options->rhosts_rsa_authentication == -1)
c8d54615 170 options->rhosts_rsa_authentication = 0;
8002af61 171 if (options->hostbased_authentication == -1)
172 options->hostbased_authentication = 0;
173 if (options->hostbased_uses_name_from_packet_only == -1)
174 options->hostbased_uses_name_from_packet_only = 0;
5260325f 175 if (options->rsa_authentication == -1)
176 options->rsa_authentication = 1;
fa08c86b 177 if (options->pubkey_authentication == -1)
178 options->pubkey_authentication = 1;
5260325f 179 if (options->kerberos_authentication == -1)
eadc806d 180 options->kerberos_authentication = 0;
5260325f 181 if (options->kerberos_or_local_passwd == -1)
182 options->kerberos_or_local_passwd = 1;
183 if (options->kerberos_ticket_cleanup == -1)
184 options->kerberos_ticket_cleanup = 1;
a1e30b47 185 if (options->kerberos_get_afs_token == -1)
186 options->kerberos_get_afs_token = 0;
7364bd04 187 if (options->gss_authentication == -1)
188 options->gss_authentication = 0;
189 if (options->gss_cleanup_creds == -1)
190 options->gss_cleanup_creds = 1;
5260325f 191 if (options->password_authentication == -1)
192 options->password_authentication = 1;
94ec8c6b 193 if (options->kbd_interactive_authentication == -1)
194 options->kbd_interactive_authentication = 0;
5ba55ada 195 if (options->challenge_response_authentication == -1)
196 options->challenge_response_authentication = 1;
5260325f 197 if (options->permit_empty_passwd == -1)
c8d54615 198 options->permit_empty_passwd = 0;
f00bab84 199 if (options->permit_user_env == -1)
200 options->permit_user_env = 0;
5260325f 201 if (options->use_login == -1)
202 options->use_login = 0;
636f76ca 203 if (options->compression == -1)
204 options->compression = 1;
33de75a3 205 if (options->allow_tcp_forwarding == -1)
206 options->allow_tcp_forwarding = 1;
1d1ffb87 207 if (options->gateway_ports == -1)
208 options->gateway_ports = 0;
089fbbd2 209 if (options->max_startups == -1)
210 options->max_startups = 10;
c345cf9d 211 if (options->max_startups_rate == -1)
212 options->max_startups_rate = 100; /* 100% */
213 if (options->max_startups_begin == -1)
214 options->max_startups_begin = options->max_startups;
c5a7d788 215 if (options->use_dns == -1)
216 options->use_dns = 1;
3ffc6336 217 if (options->client_alive_interval == -1)
184eed6a 218 options->client_alive_interval = 0;
3ffc6336 219 if (options->client_alive_count_max == -1)
220 options->client_alive_count_max = 3;
5df83e07 221 if (options->authorized_keys_file2 == NULL) {
222 /* authorized_keys_file2 falls back to authorized_keys_file */
223 if (options->authorized_keys_file != NULL)
224 options->authorized_keys_file2 = options->authorized_keys_file;
225 else
226 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
227 }
228 if (options->authorized_keys_file == NULL)
229 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
1853d1ef 230
2ee1b704 231 /* Turn privilege separation on by default */
1853d1ef 232 if (use_privsep == -1)
2ee1b704 233 use_privsep = 1;
e299a298 234
4165b82e 235#ifndef HAVE_MMAP
e299a298 236 if (use_privsep && options->compression == 1) {
237 error("This platform does not support both privilege "
238 "separation and compression");
239 error("Compression disabled");
240 options->compression = 0;
241 }
242#endif
243
8efc0c15 244}
245
8efc0c15 246/* Keyword tokens. */
5260325f 247typedef enum {
248 sBadOption, /* == unknown option */
e15895cd 249 /* Portable-specific options */
7fceb20d 250 sUsePAM,
e15895cd 251 /* Standard Options */
5260325f 252 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
253 sPermitRootLogin, sLogFacility, sLogLevel,
0598d99d 254 sRhostsRSAAuthentication, sRSAAuthentication,
5260325f 255 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
a1e30b47 256 sKerberosGetAFSToken,
1c590258 257 sKerberosTgtPassing, sChallengeResponseAuthentication,
94ec8c6b 258 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
4f4648f9 259 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e6e573bd 260 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
fd573618 261 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
f00bab84 262 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
33de75a3 263 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
b2552997 264 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
fa08c86b 265 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
c5a7d788 266 sBanner, sUseDNS, sHostbasedAuthentication,
184eed6a 267 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
c8445989 268 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
61a2c1da 269 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
2ea6de2b 270 sUsePrivilegeSeparation,
a2144546 271 sDeprecated, sUnsupported
8efc0c15 272} ServerOpCodes;
273
274/* Textual representation of the tokens. */
5260325f 275static struct {
276 const char *name;
277 ServerOpCodes opcode;
278} keywords[] = {
e15895cd 279 /* Portable-specific options */
b06b11ad 280#ifdef USE_PAM
fe46678b 281 { "usepam", sUsePAM },
b06b11ad 282#else
fe46678b 283 { "usepam", sUnsupported },
b06b11ad 284#endif
fe46678b 285 { "pamauthenticationviakbdint", sDeprecated },
e15895cd 286 /* Standard Options */
5260325f 287 { "port", sPort },
288 { "hostkey", sHostKeyFile },
fa08c86b 289 { "hostdsakey", sHostKeyFile }, /* alias */
2b87da3b 290 { "pidfile", sPidFile },
5260325f 291 { "serverkeybits", sServerKeyBits },
292 { "logingracetime", sLoginGraceTime },
293 { "keyregenerationinterval", sKeyRegenerationTime },
294 { "permitrootlogin", sPermitRootLogin },
295 { "syslogfacility", sLogFacility },
296 { "loglevel", sLogLevel },
0598d99d 297 { "rhostsauthentication", sDeprecated },
5260325f 298 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
8002af61 299 { "hostbasedauthentication", sHostbasedAuthentication },
300 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
5260325f 301 { "rsaauthentication", sRSAAuthentication },
fa08c86b 302 { "pubkeyauthentication", sPubkeyAuthentication },
303 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
1c590258 304#ifdef KRB5
5260325f 305 { "kerberosauthentication", sKerberosAuthentication },
306 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
307 { "kerberosticketcleanup", sKerberosTicketCleanup },
bcfcc5f9 308#ifdef USE_AFS
a1e30b47 309 { "kerberosgetafstoken", sKerberosGetAFSToken },
309af4e5 310#else
311 { "kerberosgetafstoken", sUnsupported },
312#endif
a2144546 313#else
314 { "kerberosauthentication", sUnsupported },
315 { "kerberosorlocalpasswd", sUnsupported },
316 { "kerberosticketcleanup", sUnsupported },
a1e30b47 317 { "kerberosgetafstoken", sUnsupported },
a2144546 318#endif
8f73f7bb 319 { "kerberostgtpassing", sUnsupported },
a2144546 320 { "afstokenpassing", sUnsupported },
7364bd04 321#ifdef GSSAPI
322 { "gssapiauthentication", sGssAuthentication },
e377c083 323 { "gssapicleanupcredentials", sGssCleanupCreds },
7364bd04 324#else
325 { "gssapiauthentication", sUnsupported },
e377c083 326 { "gssapicleanupcredentials", sUnsupported },
7364bd04 327#endif
5260325f 328 { "passwordauthentication", sPasswordAuthentication },
94ec8c6b 329 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
d464095c 330 { "challengeresponseauthentication", sChallengeResponseAuthentication },
331 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
5c53a31e 332 { "checkmail", sDeprecated },
5260325f 333 { "listenaddress", sListenAddress },
334 { "printmotd", sPrintMotd },
4f4648f9 335 { "printlastlog", sPrintLastLog },
5260325f 336 { "ignorerhosts", sIgnoreRhosts },
337 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
338 { "x11forwarding", sX11Forwarding },
339 { "x11displayoffset", sX11DisplayOffset },
e6e573bd 340 { "x11uselocalhost", sX11UseLocalhost },
fa649821 341 { "xauthlocation", sXAuthLocation },
5260325f 342 { "strictmodes", sStrictModes },
343 { "permitemptypasswords", sEmptyPasswd },
f00bab84 344 { "permituserenvironment", sPermitUserEnvironment },
5260325f 345 { "uselogin", sUseLogin },
636f76ca 346 { "compression", sCompression },
fd573618 347 { "tcpkeepalive", sTCPKeepAlive },
348 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
33de75a3 349 { "allowtcpforwarding", sAllowTcpForwarding },
5260325f 350 { "allowusers", sAllowUsers },
351 { "denyusers", sDenyUsers },
352 { "allowgroups", sAllowGroups },
353 { "denygroups", sDenyGroups },
a8be9f80 354 { "ciphers", sCiphers },
b2552997 355 { "macs", sMacs },
a8be9f80 356 { "protocol", sProtocol },
1d1ffb87 357 { "gatewayports", sGatewayPorts },
38c295d6 358 { "subsystem", sSubsystem },
089fbbd2 359 { "maxstartups", sMaxStartups },
eea39c02 360 { "banner", sBanner },
c5a7d788 361 { "usedns", sUseDNS },
362 { "verifyreversemapping", sDeprecated },
363 { "reversemappingcheck", sDeprecated },
3ffc6336 364 { "clientaliveinterval", sClientAliveInterval },
365 { "clientalivecountmax", sClientAliveCountMax },
c8445989 366 { "authorizedkeysfile", sAuthorizedKeysFile },
367 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
1853d1ef 368 { "useprivilegeseparation", sUsePrivilegeSeparation},
61a2c1da 369 { "acceptenv", sAcceptEnv },
17a3011c 370 { NULL, sBadOption }
8efc0c15 371};
372
aa3378df 373/*
6be9a5e8 374 * Returns the number of the token pointed to by cp or sBadOption.
aa3378df 375 */
8efc0c15 376
6ae2364d 377static ServerOpCodes
5260325f 378parse_token(const char *cp, const char *filename,
379 int linenum)
8efc0c15 380{
1e3b8b07 381 u_int i;
8efc0c15 382
5260325f 383 for (i = 0; keywords[i].name; i++)
aa3378df 384 if (strcasecmp(cp, keywords[i].name) == 0)
5260325f 385 return keywords[i].opcode;
8efc0c15 386
b7c70970 387 error("%s: line %d: Bad configuration option: %s",
388 filename, linenum, cp);
5260325f 389 return sBadOption;
8efc0c15 390}
391
396c147e 392static void
2d2a2c65 393add_listen_addr(ServerOptions *options, char *addr, u_short port)
48e671d5 394{
48e671d5 395 int i;
396
397 if (options->num_ports == 0)
398 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
2d2a2c65 399 if (port == 0)
d11c1288 400 for (i = 0; i < options->num_ports; i++)
401 add_one_listen_addr(options, addr, options->ports[i]);
402 else
2d2a2c65 403 add_one_listen_addr(options, addr, port);
d11c1288 404}
405
396c147e 406static void
d11c1288 407add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
408{
409 struct addrinfo hints, *ai, *aitop;
410 char strport[NI_MAXSERV];
411 int gaierr;
412
413 memset(&hints, 0, sizeof(hints));
414 hints.ai_family = IPv4or6;
415 hints.ai_socktype = SOCK_STREAM;
416 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
7528d467 417 snprintf(strport, sizeof strport, "%u", port);
d11c1288 418 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
419 fatal("bad addr or host: %s (%s)",
420 addr ? addr : "<NULL>",
421 gai_strerror(gaierr));
422 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
423 ;
424 ai->ai_next = options->listen_addrs;
425 options->listen_addrs = aitop;
48e671d5 426}
427
2717fa0f 428int
429process_server_config_line(ServerOptions *options, char *line,
430 const char *filename, int linenum)
8efc0c15 431{
d11c1288 432 char *cp, **charptr, *arg, *p;
7528d467 433 int *intptr, value, i, n;
5260325f 434 ServerOpCodes opcode;
435
2717fa0f 436 cp = line;
437 arg = strdelim(&cp);
438 /* Ignore leading whitespace */
439 if (*arg == '\0')
704b1659 440 arg = strdelim(&cp);
2717fa0f 441 if (!arg || !*arg || *arg == '#')
442 return 0;
443 intptr = NULL;
444 charptr = NULL;
445 opcode = parse_token(arg, filename, linenum);
446 switch (opcode) {
447 /* Portable-specific options */
7fceb20d 448 case sUsePAM:
449 intptr = &options->use_pam;
2717fa0f 450 goto parse_flag;
48e671d5 451
2717fa0f 452 /* Standard Options */
453 case sBadOption:
454 return -1;
455 case sPort:
456 /* ignore ports from configfile if cmdline specifies ports */
457 if (options->ports_from_cmdline)
458 return 0;
459 if (options->listen_addrs != NULL)
460 fatal("%s line %d: ports must be specified before "
3a454b6a 461 "ListenAddress.", filename, linenum);
2717fa0f 462 if (options->num_ports >= MAX_PORTS)
463 fatal("%s line %d: too many ports.",
464 filename, linenum);
465 arg = strdelim(&cp);
466 if (!arg || *arg == '\0')
467 fatal("%s line %d: missing port number.",
468 filename, linenum);
469 options->ports[options->num_ports++] = a2port(arg);
470 if (options->ports[options->num_ports-1] == 0)
471 fatal("%s line %d: Badly formatted port number.",
472 filename, linenum);
473 break;
474
475 case sServerKeyBits:
476 intptr = &options->server_key_bits;
5260325f 477parse_int:
2717fa0f 478 arg = strdelim(&cp);
479 if (!arg || *arg == '\0')
480 fatal("%s line %d: missing integer value.",
481 filename, linenum);
482 value = atoi(arg);
483 if (*intptr == -1)
484 *intptr = value;
485 break;
486
487 case sLoginGraceTime:
488 intptr = &options->login_grace_time;
e2b1fb42 489parse_time:
2717fa0f 490 arg = strdelim(&cp);
491 if (!arg || *arg == '\0')
492 fatal("%s line %d: missing time value.",
493 filename, linenum);
494 if ((value = convtime(arg)) == -1)
495 fatal("%s line %d: invalid time value.",
496 filename, linenum);
497 if (*intptr == -1)
498 *intptr = value;
499 break;
500
501 case sKeyRegenerationTime:
502 intptr = &options->key_regeneration_time;
503 goto parse_time;
504
505 case sListenAddress:
506 arg = strdelim(&cp);
507 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
508 fatal("%s line %d: missing inet addr.",
509 filename, linenum);
510 if (*arg == '[') {
511 if ((p = strchr(arg, ']')) == NULL)
512 fatal("%s line %d: bad ipv6 inet addr usage.",
e2b1fb42 513 filename, linenum);
2717fa0f 514 arg++;
515 memmove(p, p+1, strlen(p+1)+1);
516 } else if (((p = strchr(arg, ':')) == NULL) ||
517 (strchr(p+1, ':') != NULL)) {
518 add_listen_addr(options, arg, 0);
e2b1fb42 519 break;
2717fa0f 520 }
521 if (*p == ':') {
522 u_short port;
5260325f 523
2717fa0f 524 p++;
525 if (*p == '\0')
526 fatal("%s line %d: bad inet addr:port usage.",
48e671d5 527 filename, linenum);
2717fa0f 528 else {
529 *(p-1) = '\0';
530 if ((port = a2port(p)) == 0)
531 fatal("%s line %d: bad port number.",
d11c1288 532 filename, linenum);
2717fa0f 533 add_listen_addr(options, arg, port);
d11c1288 534 }
2717fa0f 535 } else if (*p == '\0')
536 add_listen_addr(options, arg, 0);
537 else
538 fatal("%s line %d: bad inet addr usage.",
539 filename, linenum);
540 break;
541
542 case sHostKeyFile:
543 intptr = &options->num_host_key_files;
544 if (*intptr >= MAX_HOSTKEYS)
545 fatal("%s line %d: too many host keys specified (max %d).",
546 filename, linenum, MAX_HOSTKEYS);
547 charptr = &options->host_key_files[*intptr];
fa649821 548parse_filename:
2717fa0f 549 arg = strdelim(&cp);
550 if (!arg || *arg == '\0')
551 fatal("%s line %d: missing file name.",
552 filename, linenum);
553 if (*charptr == NULL) {
554 *charptr = tilde_expand_filename(arg, getuid());
555 /* increase optional counter */
556 if (intptr != NULL)
557 *intptr = *intptr + 1;
558 }
559 break;
0fbe8c74 560
2717fa0f 561 case sPidFile:
562 charptr = &options->pid_file;
563 goto parse_filename;
5260325f 564
2717fa0f 565 case sPermitRootLogin:
566 intptr = &options->permit_root_login;
567 arg = strdelim(&cp);
568 if (!arg || *arg == '\0')
569 fatal("%s line %d: missing yes/"
570 "without-password/forced-commands-only/no "
571 "argument.", filename, linenum);
572 value = 0; /* silence compiler */
573 if (strcmp(arg, "without-password") == 0)
574 value = PERMIT_NO_PASSWD;
575 else if (strcmp(arg, "forced-commands-only") == 0)
576 value = PERMIT_FORCED_ONLY;
577 else if (strcmp(arg, "yes") == 0)
578 value = PERMIT_YES;
579 else if (strcmp(arg, "no") == 0)
580 value = PERMIT_NO;
581 else
582 fatal("%s line %d: Bad yes/"
583 "without-password/forced-commands-only/no "
584 "argument: %s", filename, linenum, arg);
585 if (*intptr == -1)
586 *intptr = value;
587 break;
588
589 case sIgnoreRhosts:
590 intptr = &options->ignore_rhosts;
5260325f 591parse_flag:
2717fa0f 592 arg = strdelim(&cp);
593 if (!arg || *arg == '\0')
594 fatal("%s line %d: missing yes/no argument.",
595 filename, linenum);
596 value = 0; /* silence compiler */
597 if (strcmp(arg, "yes") == 0)
598 value = 1;
599 else if (strcmp(arg, "no") == 0)
600 value = 0;
601 else
602 fatal("%s line %d: Bad yes/no argument: %s",
603 filename, linenum, arg);
604 if (*intptr == -1)
605 *intptr = value;
606 break;
607
608 case sIgnoreUserKnownHosts:
609 intptr = &options->ignore_user_known_hosts;
610 goto parse_flag;
611
2717fa0f 612 case sRhostsRSAAuthentication:
613 intptr = &options->rhosts_rsa_authentication;
614 goto parse_flag;
615
616 case sHostbasedAuthentication:
617 intptr = &options->hostbased_authentication;
618 goto parse_flag;
619
620 case sHostbasedUsesNameFromPacketOnly:
621 intptr = &options->hostbased_uses_name_from_packet_only;
622 goto parse_flag;
623
624 case sRSAAuthentication:
625 intptr = &options->rsa_authentication;
626 goto parse_flag;
627
628 case sPubkeyAuthentication:
629 intptr = &options->pubkey_authentication;
630 goto parse_flag;
d0ec7f42 631
2717fa0f 632 case sKerberosAuthentication:
633 intptr = &options->kerberos_authentication;
634 goto parse_flag;
5260325f 635
2717fa0f 636 case sKerberosOrLocalPasswd:
637 intptr = &options->kerberos_or_local_passwd;
638 goto parse_flag;
5260325f 639
2717fa0f 640 case sKerberosTicketCleanup:
641 intptr = &options->kerberos_ticket_cleanup;
642 goto parse_flag;
d0ec7f42 643
a1e30b47 644 case sKerberosGetAFSToken:
645 intptr = &options->kerberos_get_afs_token;
646 goto parse_flag;
647
7364bd04 648 case sGssAuthentication:
649 intptr = &options->gss_authentication;
650 goto parse_flag;
651
652 case sGssCleanupCreds:
653 intptr = &options->gss_cleanup_creds;
654 goto parse_flag;
655
2717fa0f 656 case sPasswordAuthentication:
657 intptr = &options->password_authentication;
658 goto parse_flag;
5260325f 659
2717fa0f 660 case sKbdInteractiveAuthentication:
661 intptr = &options->kbd_interactive_authentication;
662 goto parse_flag;
8002af61 663
2717fa0f 664 case sChallengeResponseAuthentication:
665 intptr = &options->challenge_response_authentication;
666 goto parse_flag;
8002af61 667
2717fa0f 668 case sPrintMotd:
669 intptr = &options->print_motd;
670 goto parse_flag;
5260325f 671
2717fa0f 672 case sPrintLastLog:
673 intptr = &options->print_lastlog;
674 goto parse_flag;
5260325f 675
2717fa0f 676 case sX11Forwarding:
677 intptr = &options->x11_forwarding;
678 goto parse_flag;
5260325f 679
2717fa0f 680 case sX11DisplayOffset:
681 intptr = &options->x11_display_offset;
682 goto parse_int;
8efc0c15 683
e6e573bd 684 case sX11UseLocalhost:
685 intptr = &options->x11_use_localhost;
686 goto parse_flag;
687
2717fa0f 688 case sXAuthLocation:
689 charptr = &options->xauth_location;
690 goto parse_filename;
5260325f 691
2717fa0f 692 case sStrictModes:
693 intptr = &options->strict_modes;
694 goto parse_flag;
5260325f 695
fd573618 696 case sTCPKeepAlive:
697 intptr = &options->tcp_keep_alive;
2717fa0f 698 goto parse_flag;
33de75a3 699
2717fa0f 700 case sEmptyPasswd:
701 intptr = &options->permit_empty_passwd;
702 goto parse_flag;
5260325f 703
f00bab84 704 case sPermitUserEnvironment:
705 intptr = &options->permit_user_env;
706 goto parse_flag;
707
2717fa0f 708 case sUseLogin:
709 intptr = &options->use_login;
710 goto parse_flag;
5260325f 711
636f76ca 712 case sCompression:
713 intptr = &options->compression;
714 goto parse_flag;
715
2717fa0f 716 case sGatewayPorts:
717 intptr = &options->gateway_ports;
718 goto parse_flag;
5260325f 719
c5a7d788 720 case sUseDNS:
721 intptr = &options->use_dns;
2717fa0f 722 goto parse_flag;
5260325f 723
2717fa0f 724 case sLogFacility:
725 intptr = (int *) &options->log_facility;
726 arg = strdelim(&cp);
727 value = log_facility_number(arg);
5eaf8578 728 if (value == SYSLOG_FACILITY_NOT_SET)
2717fa0f 729 fatal("%.200s line %d: unsupported log facility '%s'",
730 filename, linenum, arg ? arg : "<NONE>");
731 if (*intptr == -1)
732 *intptr = (SyslogFacility) value;
733 break;
734
735 case sLogLevel:
736 intptr = (int *) &options->log_level;
737 arg = strdelim(&cp);
738 value = log_level_number(arg);
5eaf8578 739 if (value == SYSLOG_LEVEL_NOT_SET)
2717fa0f 740 fatal("%.200s line %d: unsupported log level '%s'",
741 filename, linenum, arg ? arg : "<NONE>");
742 if (*intptr == -1)
743 *intptr = (LogLevel) value;
744 break;
745
746 case sAllowTcpForwarding:
747 intptr = &options->allow_tcp_forwarding;
748 goto parse_flag;
749
1853d1ef 750 case sUsePrivilegeSeparation:
751 intptr = &use_privsep;
752 goto parse_flag;
753
2717fa0f 754 case sAllowUsers:
755 while ((arg = strdelim(&cp)) && *arg != '\0') {
756 if (options->num_allow_users >= MAX_ALLOW_USERS)
757 fatal("%s line %d: too many allow users.",
758 filename, linenum);
7528d467 759 options->allow_users[options->num_allow_users++] =
760 xstrdup(arg);
2717fa0f 761 }
762 break;
a8be9f80 763
2717fa0f 764 case sDenyUsers:
765 while ((arg = strdelim(&cp)) && *arg != '\0') {
766 if (options->num_deny_users >= MAX_DENY_USERS)
767 fatal( "%s line %d: too many deny users.",
768 filename, linenum);
7528d467 769 options->deny_users[options->num_deny_users++] =
770 xstrdup(arg);
2717fa0f 771 }
772 break;
b2552997 773
2717fa0f 774 case sAllowGroups:
775 while ((arg = strdelim(&cp)) && *arg != '\0') {
776 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
777 fatal("%s line %d: too many allow groups.",
778 filename, linenum);
7528d467 779 options->allow_groups[options->num_allow_groups++] =
780 xstrdup(arg);
2717fa0f 781 }
782 break;
a8be9f80 783
2717fa0f 784 case sDenyGroups:
785 while ((arg = strdelim(&cp)) && *arg != '\0') {
786 if (options->num_deny_groups >= MAX_DENY_GROUPS)
787 fatal("%s line %d: too many deny groups.",
788 filename, linenum);
789 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
790 }
791 break;
38c295d6 792
2717fa0f 793 case sCiphers:
794 arg = strdelim(&cp);
795 if (!arg || *arg == '\0')
796 fatal("%s line %d: Missing argument.", filename, linenum);
797 if (!ciphers_valid(arg))
798 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
799 filename, linenum, arg ? arg : "<NONE>");
800 if (options->ciphers == NULL)
801 options->ciphers = xstrdup(arg);
802 break;
803
804 case sMacs:
805 arg = strdelim(&cp);
806 if (!arg || *arg == '\0')
807 fatal("%s line %d: Missing argument.", filename, linenum);
808 if (!mac_valid(arg))
809 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
810 filename, linenum, arg ? arg : "<NONE>");
811 if (options->macs == NULL)
812 options->macs = xstrdup(arg);
813 break;
814
815 case sProtocol:
816 intptr = &options->protocol;
817 arg = strdelim(&cp);
818 if (!arg || *arg == '\0')
819 fatal("%s line %d: Missing argument.", filename, linenum);
820 value = proto_spec(arg);
821 if (value == SSH_PROTO_UNKNOWN)
822 fatal("%s line %d: Bad protocol spec '%s'.",
184eed6a 823 filename, linenum, arg ? arg : "<NONE>");
2717fa0f 824 if (*intptr == SSH_PROTO_UNKNOWN)
825 *intptr = value;
826 break;
827
828 case sSubsystem:
829 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
830 fatal("%s line %d: too many subsystems defined.",
184eed6a 831 filename, linenum);
2717fa0f 832 }
833 arg = strdelim(&cp);
834 if (!arg || *arg == '\0')
835 fatal("%s line %d: Missing subsystem name.",
184eed6a 836 filename, linenum);
2717fa0f 837 for (i = 0; i < options->num_subsystems; i++)
838 if (strcmp(arg, options->subsystem_name[i]) == 0)
839 fatal("%s line %d: Subsystem '%s' already defined.",
184eed6a 840 filename, linenum, arg);
2717fa0f 841 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
842 arg = strdelim(&cp);
843 if (!arg || *arg == '\0')
844 fatal("%s line %d: Missing subsystem command.",
184eed6a 845 filename, linenum);
2717fa0f 846 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
847 options->num_subsystems++;
848 break;
849
850 case sMaxStartups:
851 arg = strdelim(&cp);
852 if (!arg || *arg == '\0')
853 fatal("%s line %d: Missing MaxStartups spec.",
184eed6a 854 filename, linenum);
2717fa0f 855 if ((n = sscanf(arg, "%d:%d:%d",
856 &options->max_startups_begin,
857 &options->max_startups_rate,
858 &options->max_startups)) == 3) {
859 if (options->max_startups_begin >
860 options->max_startups ||
861 options->max_startups_rate > 100 ||
862 options->max_startups_rate < 1)
c345cf9d 863 fatal("%s line %d: Illegal MaxStartups spec.",
97de229c 864 filename, linenum);
2717fa0f 865 } else if (n != 1)
866 fatal("%s line %d: Illegal MaxStartups spec.",
867 filename, linenum);
868 else
869 options->max_startups = options->max_startups_begin;
870 break;
871
872 case sBanner:
873 charptr = &options->banner;
874 goto parse_filename;
875 /*
876 * These options can contain %X options expanded at
877 * connect time, so that you can specify paths like:
878 *
879 * AuthorizedKeysFile /etc/ssh_keys/%u
880 */
881 case sAuthorizedKeysFile:
882 case sAuthorizedKeysFile2:
883 charptr = (opcode == sAuthorizedKeysFile ) ?
884 &options->authorized_keys_file :
885 &options->authorized_keys_file2;
886 goto parse_filename;
887
888 case sClientAliveInterval:
889 intptr = &options->client_alive_interval;
890 goto parse_time;
891
892 case sClientAliveCountMax:
893 intptr = &options->client_alive_count_max;
894 goto parse_int;
895
61a2c1da 896 case sAcceptEnv:
897 while ((arg = strdelim(&cp)) && *arg != '\0') {
898 if (strchr(arg, '=') != NULL)
899 fatal("%s line %d: Invalid environment name.",
900 filename, linenum);
901 if (options->num_accept_env >= MAX_ACCEPT_ENV)
902 fatal("%s line %d: too many allow env.",
903 filename, linenum);
904 options->accept_env[options->num_accept_env++] =
905 xstrdup(arg);
906 }
907 break;
908
2717fa0f 909 case sDeprecated:
bbe88b6d 910 logit("%s line %d: Deprecated option %s",
2717fa0f 911 filename, linenum, arg);
912 while (arg)
913 arg = strdelim(&cp);
914 break;
915
a2144546 916 case sUnsupported:
917 logit("%s line %d: Unsupported option %s",
918 filename, linenum, arg);
919 while (arg)
920 arg = strdelim(&cp);
921 break;
922
2717fa0f 923 default:
924 fatal("%s line %d: Missing handler for opcode %s (%d)",
925 filename, linenum, arg, opcode);
926 }
927 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
928 fatal("%s line %d: garbage at end of line; \"%.200s\".",
929 filename, linenum, arg);
930 return 0;
931}
089fbbd2 932
2717fa0f 933/* Reads the server configuration file. */
5c53a31e 934
2717fa0f 935void
936read_server_config(ServerOptions *options, const char *filename)
937{
7528d467 938 int linenum, bad_options = 0;
2717fa0f 939 char line[1024];
7528d467 940 FILE *f;
2717fa0f 941
34934506 942 debug2("read_server_config: filename %s", filename);
2717fa0f 943 f = fopen(filename, "r");
944 if (!f) {
945 perror(filename);
946 exit(1);
947 }
948 linenum = 0;
949 while (fgets(line, sizeof(line), f)) {
950 /* Update line number counter. */
951 linenum++;
952 if (process_server_config_line(options, line, filename, linenum) != 0)
953 bad_options++;
8efc0c15 954 }
5260325f 955 fclose(f);
b7c70970 956 if (bad_options > 0)
957 fatal("%s: terminating, %d bad configuration options",
958 filename, bad_options);
8efc0c15 959}
git-cvsimport mirror of OpenSSH
This page took 0.404314 seconds and 5 git commands to generate.