8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.112 2002/06/23 09:46:51 deraadt Exp $");

#include <errno.h>
#include <limits.h>

#if defined(KRB4)
#include <krb.h>
#endif
#if defined(KRB5)
#ifdef HEIMDAL
#include <krb.h>
#else
/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
 * keytab */
#define KEYFILE "/etc/krb5.keytab"
#endif
#endif
#ifdef AFS
#include <kafs.h>
#endif

#include "ssh.h"
#include "log.h"
#include "servconf.h"
#include "xmalloc.h"
#include "compat.h"
#include "pathnames.h"
#include "tildexpand.h"
#include "misc.h"
#include "cipher.h"
#include "kex.h"
#include "mac.h"
42f11eb2 42
/* Forward declarations; both helpers are defined further down in this file. */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/*
 * AF_UNSPEC or AF_INET or AF_INET6.  Defined elsewhere; used here as the
 * getaddrinfo() address-family hint when ListenAddress entries are resolved.
 */
extern int IPv4or6;
/*
 * Use of privilege separation or not.  Defined elsewhere.  Kept at -1
 * ("not configured") by initialize_server_options(), set by the
 * UsePrivilegeSeparation keyword, and defaulted to on (1) by
 * fill_default_server_options().
 */
extern int use_privsep;
42f11eb2 50
/*
 * Initializes the server options to their default values.
 *
 * "Default" here means "not yet set": every field is put into the marker
 * state (-1, NULL, *_NOT_SET or SSH_PROTO_UNKNOWN) that the config parser
 * tests before assigning, and that fill_default_server_options() later
 * replaces with the real built-in defaults.  Counters start at zero.
 */
void
initialize_server_options(ServerOptions *options)
{
	ServerOptions *o = options;

	memset(o, 0, sizeof(*o));

	/* Portable-specific options */
	o->pam_authentication_via_kbd_int = -1;

	/* Standard Options: listeners, keys and files */
	o->num_ports = 0;
	o->ports_from_cmdline = 0;
	o->listen_addrs = NULL;
	o->num_host_key_files = 0;
	o->pid_file = NULL;
	o->server_key_bits = -1;
	o->key_regeneration_time = -1;
	o->login_grace_time = -1;
	o->xauth_location = NULL;
	o->banner = NULL;
	o->authorized_keys_file = NULL;
	o->authorized_keys_file2 = NULL;

	/* Access policy */
	o->permit_root_login = PERMIT_NOT_SET;
	o->permit_empty_passwd = -1;
	o->ignore_rhosts = -1;
	o->ignore_user_known_hosts = -1;
	o->strict_modes = -1;
	o->use_login = -1;
	o->num_allow_users = 0;
	o->num_deny_users = 0;
	o->num_allow_groups = 0;
	o->num_deny_groups = 0;

	/* Authentication methods */
	o->rhosts_authentication = -1;
	o->rhosts_rsa_authentication = -1;
	o->hostbased_authentication = -1;
	o->hostbased_uses_name_from_packet_only = -1;
	o->rsa_authentication = -1;
	o->pubkey_authentication = -1;
#if defined(KRB4) || defined(KRB5)
	o->kerberos_authentication = -1;
	o->kerberos_or_local_passwd = -1;
	o->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
	o->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	o->afs_token_passing = -1;
#endif
	o->password_authentication = -1;
	o->kbd_interactive_authentication = -1;
	o->challenge_response_authentication = -1;

	/* Session and connection behaviour */
	o->print_motd = -1;
	o->print_lastlog = -1;
	o->x11_forwarding = -1;
	o->x11_display_offset = -1;
	o->x11_use_localhost = -1;
	o->keepalives = -1;
	o->compression = -1;
	o->allow_tcp_forwarding = -1;
	o->gateway_ports = -1;
	o->num_subsystems = 0;
	o->client_alive_interval = -1;
	o->client_alive_count_max = -1;
	o->verify_reverse_mapping = -1;

	/* Protocol, algorithms and logging */
	o->protocol = SSH_PROTO_UNKNOWN;
	o->ciphers = NULL;
	o->macs = NULL;
	o->log_facility = SYSLOG_FACILITY_NOT_SET;
	o->log_level = SYSLOG_LEVEL_NOT_SET;

	/* Unauthenticated-connection rate limiting (MaxStartups) */
	o->max_startups_begin = -1;
	o->max_startups_rate = -1;
	o->max_startups = -1;

	/* Global rather than a field: needs to be accessible in many places */
	use_privsep = -1;
}
129
/*
 * Apply a default value to an int option that is still in the -1
 * "not set" state left by initialize_server_options().
 */
static void
default_int(int *slot, int dflt)
{
	if (*slot == -1)
		*slot = dflt;
}

/*
 * Replace every option that the configuration left unset with its
 * built-in default.  Must run after all configuration sources have been
 * parsed, since an explicitly configured value is never overwritten here.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	default_int(&options->pam_authentication_via_kbd_int, 0);

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for the enabled protocol versions */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* No ListenAddress given: listen on the wildcard address, all ports. */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	default_int(&options->server_key_bits, 768);
	default_int(&options->login_grace_time, 600);
	default_int(&options->key_regeneration_time, 3600);
	/* Note: root login is permitted unless the config says otherwise. */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	default_int(&options->ignore_rhosts, 1);
	default_int(&options->ignore_user_known_hosts, 0);
	default_int(&options->print_motd, 1);
	default_int(&options->print_lastlog, 1);
	default_int(&options->x11_forwarding, 0);
	default_int(&options->x11_display_offset, 10);
	default_int(&options->x11_use_localhost, 1);
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	default_int(&options->strict_modes, 1);
	default_int(&options->keepalives, 1);
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/* Authentication methods: rhosts-style ones off, key and password on. */
	default_int(&options->rhosts_authentication, 0);
	default_int(&options->rhosts_rsa_authentication, 0);
	default_int(&options->hostbased_authentication, 0);
	default_int(&options->hostbased_uses_name_from_packet_only, 0);
	default_int(&options->rsa_authentication, 1);
	default_int(&options->pubkey_authentication, 1);
#if defined(KRB4) || defined(KRB5)
	default_int(&options->kerberos_authentication, 0);
	default_int(&options->kerberos_or_local_passwd, 1);
	default_int(&options->kerberos_ticket_cleanup, 1);
#endif
#if defined(AFS) || defined(KRB5)
	default_int(&options->kerberos_tgt_passing, 0);
#endif
#ifdef AFS
	default_int(&options->afs_token_passing, 0);
#endif
	default_int(&options->password_authentication, 1);
	default_int(&options->kbd_interactive_authentication, 0);
	default_int(&options->challenge_response_authentication, 1);
	default_int(&options->permit_empty_passwd, 0);
	default_int(&options->use_login, 0);
	default_int(&options->compression, 1);
	default_int(&options->allow_tcp_forwarding, 1);
	default_int(&options->gateway_ports, 0);
	/* MaxStartups: "begin" defaults to the (possibly just defaulted) maximum. */
	default_int(&options->max_startups, 10);
	default_int(&options->max_startups_rate, 100);	/* 100% */
	default_int(&options->max_startups_begin, options->max_startups);
	default_int(&options->verify_reverse_mapping, 0);
	default_int(&options->client_alive_interval, 0);
	default_int(&options->client_alive_count_max, 3);
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	if (use_privsep == -1)
		use_privsep = 1;

#if !defined(HAVE_MMAP_ANON_SHARED)
	/* Privilege separation wins over compression where both cannot coexist. */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
270
/* Keyword tokens.  The order fixes the numeric values printed in diagnostics. */
typedef enum {
	sBadOption,			/* == unknown option */
	/* Portable-specific options */
	sPAMAuthenticationViaKbdInt,
	/* Standard Options */
	sPort,
	sHostKeyFile,
	sServerKeyBits,
	sLoginGraceTime,
	sKeyRegenerationTime,
	sPermitRootLogin,
	sLogFacility,
	sLogLevel,
	sRhostsAuthentication,
	sRhostsRSAAuthentication,
	sRSAAuthentication,
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication,
	sKerberosOrLocalPasswd,
	sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication,
	sKbdInteractiveAuthentication,
	sListenAddress,
	sPrintMotd,
	sPrintLastLog,
	sIgnoreRhosts,
	sX11Forwarding,
	sX11DisplayOffset,
	sX11UseLocalhost,
	sStrictModes,
	sEmptyPasswd,
	sKeepAlives,
	sUseLogin,
	sAllowTcpForwarding,
	sCompression,
	sAllowUsers,
	sDenyUsers,
	sAllowGroups,
	sDenyGroups,
	sIgnoreUserKnownHosts,
	sCiphers,
	sMacs,
	sProtocol,
	sPidFile,
	sGatewayPorts,
	sPubkeyAuthentication,
	sXAuthLocation,
	sSubsystem,
	sMaxStartups,
	sBanner,
	sVerifyReverseMapping,
	sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly,
	sClientAliveInterval,
	sClientAliveCountMax,
	sAuthorizedKeysFile,
	sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,
	sDeprecated			/* keyword still accepted, argument ignored */
} ServerOpCodes;

/*
 * Textual representation of the tokens.  Lookup (parse_token) is
 * case-insensitive and stops at the first match; several spellings map to
 * the same opcode so older configuration files keep working.  The table
 * is terminated by an entry with a NULL name.
 */
struct keyword {
	const char *name;
	ServerOpCodes opcode;
};

static const struct keyword keywords[] = {
	/* Portable-specific options */
	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },	/* alias */
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "verifyreversemapping", sVerifyReverseMapping },
	{ "reversemappingcheck", sVerifyReverseMapping },	/* alias */
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation },
	{ NULL, sBadOption }				/* sentinel */
};
381
/*
 * Returns the number of the token pointed to by cp or sBadOption.
 *
 * The keyword table is scanned case-insensitively and the first match
 * wins.  An unknown keyword is reported with error() (naming filename
 * and linenum) and mapped to sBadOption; the caller decides whether that
 * ends up being fatal.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
400
/*
 * Queue a ListenAddress for resolution.  addr may be NULL (wildcard).
 * A port of 0 means "every configured port"; since a ListenAddress may
 * precede any Port line, the default port is filled in first so that
 * case always yields at least one listener.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
414
/*
 * Resolve addr:port into one or more socket addresses and prepend them to
 * options->listen_addrs.  Because the new results go to the front, the
 * final list is in reverse order of configuration.  A name that does not
 * resolve is fatal at configuration time, not at bind time.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *last;
	char portbuf[NI_MAXSERV];
	int rc;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	/* NULL addr means the wildcard address, hence AI_PASSIVE. */
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	snprintf(portbuf, sizeof portbuf, "%u", port);

	rc = getaddrinfo(addr, portbuf, &hints, &res);
	if (rc != 0)
		fatal("bad addr or host: %s (%s)",
		    addr == NULL ? "<NULL>" : addr,
		    gai_strerror(rc));

	/* Splice the existing list onto the tail of the new results. */
	last = res;
	while (last->ai_next != NULL)
		last = last->ai_next;
	last->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
436
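/*
 * Parse one line of server configuration into *options.
 *
 * line is tokenised (and modified) in place.  Returns 0 when the line was
 * handled, blank or a comment, and -1 for an unknown keyword (parse_token()
 * has already logged it); malformed values terminate the daemon via
 * fatal().  filename and linenum are only used in diagnostics.
 *
 * Most handlers assign only while the field still holds its "not set"
 * marker (-1, NULL, SSH_PROTO_UNKNOWN), so the first occurrence of an
 * option wins — presumably so that values parsed earlier (e.g. from the
 * command line) take precedence over the file.  MaxStartups is the
 * exception: its sscanf() writes the fields unconditionally.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p, *ep;
	int *intptr, value, i, n;
	long lval;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sPAMAuthenticationViaKbdInt:
		intptr = &options->pam_authentication_via_kbd_int;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		/* Shared by every plain-integer option: intptr is set first. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * Parse with strtol() rather than atoi(): a non-numeric,
		 * partially numeric or out-of-range argument is rejected
		 * instead of silently becoming 0 (or undefined behaviour on
		 * overflow) and then being used as a key size or limit.
		 */
		errno = 0;
		lval = strtol(arg, &ep, 10);
		if (ep == arg || *ep != '\0' || errno == ERANGE ||
		    lval < INT_MIN || lval > INT_MAX)
			fatal("%s line %d: invalid integer value '%s'.",
			    filename, linenum, arg);
		value = (int)lval;
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		/* Shared by time-valued options; convtime() rejects bad input. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms: host, host:port, [ipv6addr] and
		 * [ipv6addr]:port.  A bare address containing more than one
		 * ':' is taken as an unbracketed IPv6 address without port.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			arg++;
			/* Drop the ']' so p now points at what followed it. */
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				/* Terminate the address part before the ':'. */
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		/*
		 * intptr doubles as the slot counter here: parse_filename
		 * bumps it after storing into host_key_files[*intptr].
		 */
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		/* Shared by path-valued options: charptr is set first. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		/* NOTE(review): compares against -1 although the field is
		 * initialised to PERMIT_NOT_SET; relies on the two being
		 * equal — confirm in servconf.h. */
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* Shared by every yes/no option: intptr is set first. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;
#if defined(KRB4) || defined(KRB5)
	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;
#endif
#if defined(AFS) || defined(KRB5)
	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;
#endif
#ifdef AFS
	case sAFSTokenPassing:
		intptr = &options->afs_token_passing;
		goto parse_flag;
#endif

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sVerifyReverseMapping:
		intptr = &options->verify_reverse_mapping;
		goto parse_flag;

	case sLogFacility:
		/* The enum field is written through an int pointer. */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		/* NOTE(review): relies on SYSLOG_FACILITY_NOT_SET == -1. */
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		/* NOTE(review): relies on SYSLOG_LEVEL_NOT_SET == -1. */
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		/* Stored in a file-scope global, not in *options. */
		intptr = &use_privsep;
		goto parse_flag;

	/*
	 * The four access lists accept any number of names per line and
	 * accumulate across lines; each name is bounded by MAX_*.
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal("%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		/* The spec is validated before it is stored. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		/* "Subsystem name command": names must be unique. */
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		/*
		 * "begin:rate:full" or a single number.  Unlike the other
		 * handlers this writes the fields directly, so a later
		 * MaxStartups line overrides an earlier one.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		/* Log once, then swallow the rest of the line. */
		log("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
			arg = strdelim(&cp);
		break;

	default:
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Anything left after the handler consumed its arguments is an error. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}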
089fbbd2 920
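/*
 * Reads the server configuration file.
 *
 * Each line is handed to process_server_config_line(); unknown keywords
 * are counted and reported with fatal() once the whole file has been read,
 * while malformed values abort inside the line handler.  A file that
 * cannot be opened terminates the daemon with exit(1).
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	int linenum, bad_options = 0;
	char line[1024];
	FILE *f;

	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * fgets() stops after sizeof(line) - 1 bytes, so a longer
		 * line would reach the parser in two pieces: the first
		 * silently truncated (e.g. a shortened name in AllowUsers)
		 * and the remainder parsed as a directive of its own.
		 * Refuse such lines outright.  A missing newline is only
		 * acceptable on the very last line of the file.
		 */
		if (strchr(line, '\n') == NULL && getc(f) != EOF)
			fatal("%s line %d: line too long.", filename, linenum);
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}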