[openssh.git] / servconf.c

/*
 *
 * servconf.c
 *
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 *
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 *
 * Created: Mon Aug 21 15:48:58 1995 ylo
 *
 */

#include "includes.h"
RCSID("$Id$");

#include "ssh.h"
#include "servconf.h"
#include "xmalloc.h"
#include "compat.h"

/* add listen address */
void add_listen_addr(ServerOptions *options, char *addr);

/* Initializes the server options to their default values. */

void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->host_key_file = NULL;
	options->dsa_key_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->permit_root_login = -1;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->check_mail = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->strict_modes = -1;
	options->keepalives = -1;
	options->log_facility = (SyslogFacility) - 1;
	options->log_level = (LogLevel) - 1;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->rsa_authentication = -1;
#ifdef KRB4
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#ifdef AFS
	options->kerberos_tgt_passing = -1;
	options->afs_token_passing = -1;
#endif
	options->password_authentication = -1;
#ifdef SKEY
	options->skey_authentication = -1;
#endif
	options->permit_empty_passwd = -1;
	options->use_login = -1;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->ciphers = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
}

void
fill_default_server_options(ServerOptions *options)
{
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL);
	if (options->host_key_file == NULL)
		options->host_key_file = HOST_KEY_FILE;
	if (options->dsa_key_file == NULL)
		options->dsa_key_file = DSA_KEY_FILE;
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	if (options->login_grace_time == -1)
		options->login_grace_time = 600;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	if (options->permit_root_login == -1)
		options->permit_root_login = 1;			/* yes */
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->check_mail == -1)
		options->check_mail = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 0;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->log_facility == (SyslogFacility) (-1))
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == (LogLevel) (-1))
		options->log_level = SYSLOG_LEVEL_INFO;
	if (options->rhosts_authentication == -1)
		options->rhosts_authentication = 0;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
#ifdef KRB4
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
#endif /* KRB4 */
#ifdef AFS
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 0;
	if (options->afs_token_passing == -1)
		options->afs_token_passing = k_hasafs();
#endif /* AFS */
	if (options->password_authentication == -1)
		options->password_authentication = 1;
#ifdef SKEY
	if (options->skey_authentication == -1)
		options->skey_authentication = 1;
#endif
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
}

#define WHITESPACE " \t\r\n"

/* Keyword tokens. */
typedef enum {
	sBadOption,		/* == unknown option */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#ifdef KRB4
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#ifdef AFS
	sKerberosTgtPassing, sAFSTokenPassing,
#endif
#ifdef SKEY
	sSkeyAuthentication,
#endif
	sPasswordAuthentication, sListenAddress,
	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sDSAKeyFile, sCiphers, sProtocol
} ServerOpCodes;

/* Textual representation of the tokens. */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "dsakey", sDSAKeyFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "rsaauthentication", sRSAAuthentication },
#ifdef KRB4
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#ifdef AFS
	{ "kerberostgtpassing", sKerberosTgtPassing },
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
#ifdef SKEY
	{ "skeyauthentication", sSkeyAuthentication },
#endif
	{ "checkmail", sCheckMail },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "uselogin", sUseLogin },
	{ "randomseed", sRandomSeedFile },
	{ "keepalive", sKeepAlives },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "protocol", sProtocol },
	{ NULL, 0 }
};

/*
 * Returns the number of the token pointed to by cp of length len. Never
 * returns if the token is not known.
 */

static ServerOpCodes
parse_token(const char *cp, const char *filename,
	    int linenum)
{
	unsigned int i;

	for (i = 0; keywords[i].name; i++)
		if (strcasecmp(cp, keywords[i].name) == 0)
			return keywords[i].opcode;

	fprintf(stderr, "%s: line %d: Bad configuration option: %s\n",
		filename, linenum, cp);
	return sBadOption;
}

/*
 * add listen address
 */
void
add_listen_addr(ServerOptions *options, char *addr)
{
	extern int IPv4or6;
	struct addrinfo hints, *ai, *aitop;
	char strport[NI_MAXSERV];
	int gaierr;
	int i;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	for (i = 0; i < options->num_ports; i++) {
		memset(&hints, 0, sizeof(hints));
		hints.ai_family = IPv4or6;
		hints.ai_socktype = SOCK_STREAM;
		hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
		snprintf(strport, sizeof strport, "%d", options->ports[i]);
		if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
			fatal("bad addr or host: %s (%s)\n",
			    addr ? addr : "<NULL>",
			    gai_strerror(gaierr));
		for (ai = aitop; ai->ai_next; ai = ai->ai_next)
			;
		ai->ai_next = options->listen_addrs;
		options->listen_addrs = aitop;
	}
}

/* Reads the server configuration file. */

void
read_server_config(ServerOptions *options, const char *filename)
{
	FILE *f;
	char line[1024];
	char *cp, **charptr;
	int linenum, *intptr, value;
	int bad_options = 0;
	ServerOpCodes opcode;

	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		linenum++;
		cp = line + strspn(line, WHITESPACE);
		if (!*cp || *cp == '#')
			continue;
		cp = strtok(cp, WHITESPACE);
		opcode = parse_token(cp, filename, linenum);
		switch (opcode) {
		case sBadOption:
			bad_options++;
			continue;
		case sPort:
			/* ignore ports from configfile if cmdline specifies ports */
			if (options->ports_from_cmdline)
				continue;
			if (options->listen_addrs != NULL)
				fatal("%s line %d: ports must be specified before "
				    "ListenAdress.\n", filename, linenum);
			if (options->num_ports >= MAX_PORTS)
				fatal("%s line %d: too many ports.\n",
				    filename, linenum);
			cp = strtok(NULL, WHITESPACE);
			if (!cp)
				fatal("%s line %d: missing port number.\n",
				    filename, linenum);
			options->ports[options->num_ports++] = atoi(cp);
			break;

		case sServerKeyBits:
			intptr = &options->server_key_bits;
parse_int:
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing integer value.\n",
					filename, linenum);
				exit(1);
			}
			value = atoi(cp);
			if (*intptr == -1)
				*intptr = value;
			break;

		case sLoginGraceTime:
			intptr = &options->login_grace_time;
			goto parse_int;

		case sKeyRegenerationTime:
			intptr = &options->key_regeneration_time;
			goto parse_int;

		case sListenAddress:
			cp = strtok(NULL, WHITESPACE);
			if (!cp)
				fatal("%s line %d: missing inet addr.\n",
				    filename, linenum);
			add_listen_addr(options, cp);
			break;

		case sHostKeyFile:
		case sDSAKeyFile:
			charptr = (opcode == sHostKeyFile ) ?
			    &options->host_key_file : &options->dsa_key_file;
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing file name.\n",
					filename, linenum);
				exit(1);
			}
			if (*charptr == NULL)
				*charptr = tilde_expand_filename(cp, getuid());
			break;

		case sRandomSeedFile:
			fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
				filename, linenum);
			cp = strtok(NULL, WHITESPACE);
			break;

		case sPermitRootLogin:
			intptr = &options->permit_root_login;
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
					filename, linenum);
				exit(1);
			}
			if (strcmp(cp, "without-password") == 0)
				value = 2;
			else if (strcmp(cp, "yes") == 0)
				value = 1;
			else if (strcmp(cp, "no") == 0)
				value = 0;
			else {
				fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
					filename, linenum, cp);
				exit(1);
			}
			if (*intptr == -1)
				*intptr = value;
			break;

		case sIgnoreRhosts:
			intptr = &options->ignore_rhosts;
parse_flag:
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing yes/no argument.\n",
					filename, linenum);
				exit(1);
			}
			if (strcmp(cp, "yes") == 0)
				value = 1;
			else if (strcmp(cp, "no") == 0)
				value = 0;
			else {
				fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
					filename, linenum, cp);
				exit(1);
			}
			if (*intptr == -1)
				*intptr = value;
			break;

		case sIgnoreUserKnownHosts:
			intptr = &options->ignore_user_known_hosts;
			goto parse_flag;

		case sRhostsAuthentication:
			intptr = &options->rhosts_authentication;
			goto parse_flag;

		case sRhostsRSAAuthentication:
			intptr = &options->rhosts_rsa_authentication;
			goto parse_flag;

		case sRSAAuthentication:
			intptr = &options->rsa_authentication;
			goto parse_flag;

#ifdef KRB4
		case sKerberosAuthentication:
			intptr = &options->kerberos_authentication;
			goto parse_flag;

		case sKerberosOrLocalPasswd:
			intptr = &options->kerberos_or_local_passwd;
			goto parse_flag;

		case sKerberosTicketCleanup:
			intptr = &options->kerberos_ticket_cleanup;
			goto parse_flag;
#endif

#ifdef AFS
		case sKerberosTgtPassing:
			intptr = &options->kerberos_tgt_passing;
			goto parse_flag;

		case sAFSTokenPassing:
			intptr = &options->afs_token_passing;
			goto parse_flag;
#endif

		case sPasswordAuthentication:
			intptr = &options->password_authentication;
			goto parse_flag;

		case sCheckMail:
			intptr = &options->check_mail;
			goto parse_flag;

#ifdef SKEY
		case sSkeyAuthentication:
			intptr = &options->skey_authentication;
			goto parse_flag;
#endif

		case sPrintMotd:
			intptr = &options->print_motd;
			goto parse_flag;

		case sX11Forwarding:
			intptr = &options->x11_forwarding;
			goto parse_flag;

		case sX11DisplayOffset:
			intptr = &options->x11_display_offset;
			goto parse_int;

		case sStrictModes:
			intptr = &options->strict_modes;
			goto parse_flag;

		case sKeepAlives:
			intptr = &options->keepalives;
			goto parse_flag;

		case sEmptyPasswd:
			intptr = &options->permit_empty_passwd;
			goto parse_flag;

		case sUseLogin:
			intptr = &options->use_login;
			goto parse_flag;

		case sLogFacility:
			intptr = (int *) &options->log_facility;
			cp = strtok(NULL, WHITESPACE);
			value = log_facility_number(cp);
			if (value == (SyslogFacility) - 1)
				fatal("%.200s line %d: unsupported log facility '%s'\n",
				    filename, linenum, cp ? cp : "<NONE>");
			if (*intptr == -1)
				*intptr = (SyslogFacility) value;
			break;

		case sLogLevel:
			intptr = (int *) &options->log_level;
			cp = strtok(NULL, WHITESPACE);
			value = log_level_number(cp);
			if (value == (LogLevel) - 1)
				fatal("%.200s line %d: unsupported log level '%s'\n",
				    filename, linenum, cp ? cp : "<NONE>");
			if (*intptr == -1)
				*intptr = (LogLevel) value;
			break;

		case sAllowUsers:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_allow_users >= MAX_ALLOW_USERS)
					fatal("%s line %d: too many allow users.\n",
					    filename, linenum);
				options->allow_users[options->num_allow_users++] = xstrdup(cp);
			}
			break;

		case sDenyUsers:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_deny_users >= MAX_DENY_USERS)
					fatal( "%s line %d: too many deny users.\n",
					    filename, linenum);
				options->deny_users[options->num_deny_users++] = xstrdup(cp);
			}
			break;

		case sAllowGroups:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
					fatal("%s line %d: too many allow groups.\n",
					    filename, linenum);
				options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
			}
			break;

		case sDenyGroups:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_deny_groups >= MAX_DENY_GROUPS)
					fatal("%s line %d: too many deny groups.\n",
					    filename, linenum);
				options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
			}
			break;

		case sCiphers:
			cp = strtok(NULL, WHITESPACE);
			if (!ciphers_valid(cp))
				fatal("%s line %d: Bad cipher spec '%s'.",
				    filename, linenum, cp ? cp : "<NONE>");
			if (options->ciphers == NULL)
				options->ciphers = xstrdup(cp);
			break;

		case sProtocol:
			intptr = &options->protocol;
			cp = strtok(NULL, WHITESPACE);
			value = proto_spec(cp);
			if (value == SSH_PROTO_UNKNOWN)
				fatal("%s line %d: Bad protocol spec '%s'.",
				      filename, linenum, cp ? cp : "<NONE>");
			if (*intptr == SSH_PROTO_UNKNOWN)
				*intptr = value;
			break;

		default:
			fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
				filename, linenum, cp, opcode);
			exit(1);
		}
		if (strtok(NULL, WHITESPACE) != NULL) {
			fprintf(stderr, "%s line %d: garbage at end of line.\n",
				filename, linenum);
			exit(1);
		}
	}
	fclose(f);
	if (bad_options > 0) {
		fprintf(stderr, "%s: terminating, %d bad configuration options\n",
			filename, bad_options);
		exit(1);
	}
}
Commit	Line	Data
8efc0c15	1	/*
6ae2364d	2	*
5260325f	3	* servconf.c
6ae2364d	4	*
5260325f	5	* Author: Tatu Ylonen <ylo@cs.hut.fi>
6ae2364d	6	*
5260325f	7	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5260325f	8	* All rights reserved
6ae2364d	9	*
5260325f	10	* Created: Mon Aug 21 15:48:58 1995 ylo
6ae2364d	11	*
5260325f	12	*/
8efc0c15	13
	14	#include "includes.h"
	15	RCSID("$Id$");
	16
	17	#include "ssh.h"
	18	#include "servconf.h"
	19	#include "xmalloc.h"
a8be9f80	20	#include "compat.h"
8efc0c15	21
48e671d5	22	/* add listen address */
	23	void add_listen_addr(ServerOptions options, char addr);
	24
8efc0c15	25	/* Initializes the server options to their default values. */
8efc0c15	26
6ae2364d	27	void
5260325f	28	initialize_server_options(ServerOptions *options)
8efc0c15	29	{
5260325f	30	memset(options, 0, sizeof(*options));
48e671d5	31	options->num_ports = 0;
	32	options->ports_from_cmdline = 0;
	33	options->listen_addrs = NULL;
5260325f	34	options->host_key_file = NULL;
e78a59f5	35	options->dsa_key_file = NULL;
5260325f	36	options->server_key_bits = -1;
	37	options->login_grace_time = -1;
	38	options->key_regeneration_time = -1;
	39	options->permit_root_login = -1;
	40	options->ignore_rhosts = -1;
	41	options->ignore_user_known_hosts = -1;
	42	options->print_motd = -1;
	43	options->check_mail = -1;
	44	options->x11_forwarding = -1;
	45	options->x11_display_offset = -1;
	46	options->strict_modes = -1;
	47	options->keepalives = -1;
	48	options->log_facility = (SyslogFacility) - 1;
	49	options->log_level = (LogLevel) - 1;
	50	options->rhosts_authentication = -1;
	51	options->rhosts_rsa_authentication = -1;
	52	options->rsa_authentication = -1;
8efc0c15	53	#ifdef KRB4
5260325f	54	options->kerberos_authentication = -1;
	55	options->kerberos_or_local_passwd = -1;
	56	options->kerberos_ticket_cleanup = -1;
8efc0c15	57	#endif
8efc0c15	58	#ifdef AFS
5260325f	59	options->kerberos_tgt_passing = -1;
5260325f	60	options->afs_token_passing = -1;
8efc0c15	61	#endif
5260325f	62	options->password_authentication = -1;
8efc0c15	63	#ifdef SKEY
5260325f	64	options->skey_authentication = -1;
8efc0c15	65	#endif
5260325f	66	options->permit_empty_passwd = -1;
	67	options->use_login = -1;
	68	options->num_allow_users = 0;
	69	options->num_deny_users = 0;
	70	options->num_allow_groups = 0;
	71	options->num_deny_groups = 0;
a8be9f80	72	options->ciphers = NULL;
a8be9f80	73	options->protocol = SSH_PROTO_UNKNOWN;
8efc0c15	74	}
8efc0c15	75
6ae2364d	76	void
5260325f	77	fill_default_server_options(ServerOptions *options)
8efc0c15	78	{
48e671d5	79	if (options->num_ports == 0)
	80	options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	81	if (options->listen_addrs == NULL)
	82	add_listen_addr(options, NULL);
5260325f	83	if (options->host_key_file == NULL)
5260325f	84	options->host_key_file = HOST_KEY_FILE;
e78a59f5	85	if (options->dsa_key_file == NULL)
e78a59f5	86	options->dsa_key_file = DSA_KEY_FILE;
5260325f	87	if (options->server_key_bits == -1)
	88	options->server_key_bits = 768;
	89	if (options->login_grace_time == -1)
	90	options->login_grace_time = 600;
	91	if (options->key_regeneration_time == -1)
	92	options->key_regeneration_time = 3600;
	93	if (options->permit_root_login == -1)
	94	options->permit_root_login = 1; /* yes */
	95	if (options->ignore_rhosts == -1)
c8d54615	96	options->ignore_rhosts = 1;
5260325f	97	if (options->ignore_user_known_hosts == -1)
	98	options->ignore_user_known_hosts = 0;
	99	if (options->check_mail == -1)
	100	options->check_mail = 0;
	101	if (options->print_motd == -1)
	102	options->print_motd = 1;
	103	if (options->x11_forwarding == -1)
c8d54615	104	options->x11_forwarding = 0;
5260325f	105	if (options->x11_display_offset == -1)
c8d54615	106	options->x11_display_offset = 10;
5260325f	107	if (options->strict_modes == -1)
	108	options->strict_modes = 1;
	109	if (options->keepalives == -1)
	110	options->keepalives = 1;
	111	if (options->log_facility == (SyslogFacility) (-1))
	112	options->log_facility = SYSLOG_FACILITY_AUTH;
	113	if (options->log_level == (LogLevel) (-1))
	114	options->log_level = SYSLOG_LEVEL_INFO;
	115	if (options->rhosts_authentication == -1)
	116	options->rhosts_authentication = 0;
	117	if (options->rhosts_rsa_authentication == -1)
c8d54615	118	options->rhosts_rsa_authentication = 0;
5260325f	119	if (options->rsa_authentication == -1)
5260325f	120	options->rsa_authentication = 1;
8efc0c15	121	#ifdef KRB4
5260325f	122	if (options->kerberos_authentication == -1)
	123	options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
	124	if (options->kerberos_or_local_passwd == -1)
	125	options->kerberos_or_local_passwd = 1;
	126	if (options->kerberos_ticket_cleanup == -1)
	127	options->kerberos_ticket_cleanup = 1;
8efc0c15	128	#endif /* KRB4 */
8efc0c15	129	#ifdef AFS
5260325f	130	if (options->kerberos_tgt_passing == -1)
	131	options->kerberos_tgt_passing = 0;
	132	if (options->afs_token_passing == -1)
	133	options->afs_token_passing = k_hasafs();
8efc0c15	134	#endif /* AFS */
5260325f	135	if (options->password_authentication == -1)
5260325f	136	options->password_authentication = 1;
8efc0c15	137	#ifdef SKEY
5260325f	138	if (options->skey_authentication == -1)
5260325f	139	options->skey_authentication = 1;
8efc0c15	140	#endif
5260325f	141	if (options->permit_empty_passwd == -1)
c8d54615	142	options->permit_empty_passwd = 0;
5260325f	143	if (options->use_login == -1)
5260325f	144	options->use_login = 0;
a8be9f80	145	if (options->protocol == SSH_PROTO_UNKNOWN)
a306f2dd	146	options->protocol = SSH_PROTO_1\|SSH_PROTO_2;
8efc0c15	147	}
	148
	149	#define WHITESPACE " \t\r\n"
	150
	151	/* Keyword tokens. */
5260325f	152	typedef enum {
	153	sBadOption, /* == unknown option */
	154	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	155	sPermitRootLogin, sLogFacility, sLogLevel,
	156	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
8efc0c15	157	#ifdef KRB4
5260325f	158	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
8efc0c15	159	#endif
8efc0c15	160	#ifdef AFS
5260325f	161	sKerberosTgtPassing, sAFSTokenPassing,
8efc0c15	162	#endif
8efc0c15	163	#ifdef SKEY
5260325f	164	sSkeyAuthentication,
8efc0c15	165	#endif
5260325f	166	sPasswordAuthentication, sListenAddress,
	167	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
	168	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
	169	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
a8be9f80	170	sIgnoreUserKnownHosts, sDSAKeyFile, sCiphers, sProtocol
8efc0c15	171	} ServerOpCodes;
	172
	173	/* Textual representation of the tokens. */
5260325f	174	static struct {
	175	const char *name;
	176	ServerOpCodes opcode;
	177	} keywords[] = {
	178	{ "port", sPort },
	179	{ "hostkey", sHostKeyFile },
e78a59f5	180	{ "dsakey", sDSAKeyFile },
5260325f	181	{ "serverkeybits", sServerKeyBits },
	182	{ "logingracetime", sLoginGraceTime },
	183	{ "keyregenerationinterval", sKeyRegenerationTime },
	184	{ "permitrootlogin", sPermitRootLogin },
	185	{ "syslogfacility", sLogFacility },
	186	{ "loglevel", sLogLevel },
	187	{ "rhostsauthentication", sRhostsAuthentication },
	188	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	189	{ "rsaauthentication", sRSAAuthentication },
8efc0c15	190	#ifdef KRB4
5260325f	191	{ "kerberosauthentication", sKerberosAuthentication },
	192	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	193	{ "kerberosticketcleanup", sKerberosTicketCleanup },
8efc0c15	194	#endif
8efc0c15	195	#ifdef AFS
5260325f	196	{ "kerberostgtpassing", sKerberosTgtPassing },
5260325f	197	{ "afstokenpassing", sAFSTokenPassing },
8efc0c15	198	#endif
5260325f	199	{ "passwordauthentication", sPasswordAuthentication },
8efc0c15	200	#ifdef SKEY
5260325f	201	{ "skeyauthentication", sSkeyAuthentication },
8efc0c15	202	#endif
5260325f	203	{ "checkmail", sCheckMail },
	204	{ "listenaddress", sListenAddress },
	205	{ "printmotd", sPrintMotd },
	206	{ "ignorerhosts", sIgnoreRhosts },
	207	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	208	{ "x11forwarding", sX11Forwarding },
	209	{ "x11displayoffset", sX11DisplayOffset },
	210	{ "strictmodes", sStrictModes },
	211	{ "permitemptypasswords", sEmptyPasswd },
	212	{ "uselogin", sUseLogin },
	213	{ "randomseed", sRandomSeedFile },
	214	{ "keepalive", sKeepAlives },
	215	{ "allowusers", sAllowUsers },
	216	{ "denyusers", sDenyUsers },
	217	{ "allowgroups", sAllowGroups },
	218	{ "denygroups", sDenyGroups },
a8be9f80	219	{ "ciphers", sCiphers },
a8be9f80	220	{ "protocol", sProtocol },
5260325f	221	{ NULL, 0 }
8efc0c15	222	};
8efc0c15	223
aa3378df	224	/*
	225	* Returns the number of the token pointed to by cp of length len. Never
	226	* returns if the token is not known.
	227	*/
8efc0c15	228
6ae2364d	229	static ServerOpCodes
5260325f	230	parse_token(const char cp, const char filename,
5260325f	231	int linenum)
8efc0c15	232	{
5260325f	233	unsigned int i;
8efc0c15	234
5260325f	235	for (i = 0; keywords[i].name; i++)
aa3378df	236	if (strcasecmp(cp, keywords[i].name) == 0)
5260325f	237	return keywords[i].opcode;
8efc0c15	238
5260325f	239	fprintf(stderr, "%s: line %d: Bad configuration option: %s\n",
	240	filename, linenum, cp);
	241	return sBadOption;
8efc0c15	242	}
8efc0c15	243
48e671d5	244	/*
	245	* add listen address
	246	*/
6ae2364d	247	void
48e671d5	248	add_listen_addr(ServerOptions options, char addr)
	249	{
	250	extern int IPv4or6;
	251	struct addrinfo hints, ai, aitop;
	252	char strport[NI_MAXSERV];
	253	int gaierr;
	254	int i;
	255
	256	if (options->num_ports == 0)
	257	options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	258	for (i = 0; i < options->num_ports; i++) {
	259	memset(&hints, 0, sizeof(hints));
	260	hints.ai_family = IPv4or6;
	261	hints.ai_socktype = SOCK_STREAM;
	262	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
	263	snprintf(strport, sizeof strport, "%d", options->ports[i]);
	264	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
	265	fatal("bad addr or host: %s (%s)\n",
	266	addr ? addr : "<NULL>",
	267	gai_strerror(gaierr));
	268	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
	269	;
	270	ai->ai_next = options->listen_addrs;
	271	options->listen_addrs = aitop;
	272	}
	273	}
	274
8efc0c15	275	/* Reads the server configuration file. */
8efc0c15	276
6ae2364d	277	void
5260325f	278	read_server_config(ServerOptions options, const char filename)
8efc0c15	279	{
5260325f	280	FILE *f;
	281	char line[1024];
	282	char cp, *charptr;
	283	int linenum, *intptr, value;
	284	int bad_options = 0;
	285	ServerOpCodes opcode;
	286
	287	f = fopen(filename, "r");
	288	if (!f) {
	289	perror(filename);
8efc0c15	290	exit(1);
5260325f	291	}
	292	linenum = 0;
	293	while (fgets(line, sizeof(line), f)) {
	294	linenum++;
	295	cp = line + strspn(line, WHITESPACE);
	296	if (!cp \|\| cp == '#')
	297	continue;
	298	cp = strtok(cp, WHITESPACE);
5260325f	299	opcode = parse_token(cp, filename, linenum);
	300	switch (opcode) {
	301	case sBadOption:
	302	bad_options++;
	303	continue;
	304	case sPort:
48e671d5	305	/* ignore ports from configfile if cmdline specifies ports */
	306	if (options->ports_from_cmdline)
	307	continue;
	308	if (options->listen_addrs != NULL)
	309	fatal("%s line %d: ports must be specified before "
	310	"ListenAdress.\n", filename, linenum);
	311	if (options->num_ports >= MAX_PORTS)
	312	fatal("%s line %d: too many ports.\n",
6ae2364d	313	filename, linenum);
48e671d5	314	cp = strtok(NULL, WHITESPACE);
	315	if (!cp)
	316	fatal("%s line %d: missing port number.\n",
	317	filename, linenum);
	318	options->ports[options->num_ports++] = atoi(cp);
	319	break;
	320
	321	case sServerKeyBits:
	322	intptr = &options->server_key_bits;
5260325f	323	parse_int:
	324	cp = strtok(NULL, WHITESPACE);
	325	if (!cp) {
	326	fprintf(stderr, "%s line %d: missing integer value.\n",
	327	filename, linenum);
	328	exit(1);
	329	}
	330	value = atoi(cp);
	331	if (*intptr == -1)
	332	*intptr = value;
	333	break;
	334
5260325f	335	case sLoginGraceTime:
	336	intptr = &options->login_grace_time;
	337	goto parse_int;
	338
	339	case sKeyRegenerationTime:
	340	intptr = &options->key_regeneration_time;
	341	goto parse_int;
	342
	343	case sListenAddress:
	344	cp = strtok(NULL, WHITESPACE);
48e671d5	345	if (!cp)
	346	fatal("%s line %d: missing inet addr.\n",
	347	filename, linenum);
	348	add_listen_addr(options, cp);
5260325f	349	break;
	350
	351	case sHostKeyFile:
e78a59f5	352	case sDSAKeyFile:
	353	charptr = (opcode == sHostKeyFile ) ?
	354	&options->host_key_file : &options->dsa_key_file;
5260325f	355	cp = strtok(NULL, WHITESPACE);
	356	if (!cp) {
	357	fprintf(stderr, "%s line %d: missing file name.\n",
	358	filename, linenum);
	359	exit(1);
	360	}
	361	if (*charptr == NULL)
	362	*charptr = tilde_expand_filename(cp, getuid());
	363	break;
	364
	365	case sRandomSeedFile:
	366	fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
	367	filename, linenum);
	368	cp = strtok(NULL, WHITESPACE);
	369	break;
	370
	371	case sPermitRootLogin:
	372	intptr = &options->permit_root_login;
	373	cp = strtok(NULL, WHITESPACE);
	374	if (!cp) {
	375	fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
	376	filename, linenum);
	377	exit(1);
	378	}
	379	if (strcmp(cp, "without-password") == 0)
	380	value = 2;
	381	else if (strcmp(cp, "yes") == 0)
	382	value = 1;
	383	else if (strcmp(cp, "no") == 0)
	384	value = 0;
	385	else {
	386	fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
	387	filename, linenum, cp);
	388	exit(1);
	389	}
	390	if (*intptr == -1)
	391	*intptr = value;
	392	break;
	393
	394	case sIgnoreRhosts:
	395	intptr = &options->ignore_rhosts;
	396	parse_flag:
	397	cp = strtok(NULL, WHITESPACE);
	398	if (!cp) {
	399	fprintf(stderr, "%s line %d: missing yes/no argument.\n",
	400	filename, linenum);
	401	exit(1);
	402	}
	403	if (strcmp(cp, "yes") == 0)
	404	value = 1;
	405	else if (strcmp(cp, "no") == 0)
	406	value = 0;
	407	else {
	408	fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
	409	filename, linenum, cp);
	410	exit(1);
	411	}
	412	if (*intptr == -1)
	413	*intptr = value;
	414	break;
	415
	416	case sIgnoreUserKnownHosts:
	417	intptr = &options->ignore_user_known_hosts;
c8d54615	418	goto parse_flag;
5260325f	419
	420	case sRhostsAuthentication:
	421	intptr = &options->rhosts_authentication;
	422	goto parse_flag;
	423
	424	case sRhostsRSAAuthentication:
	425	intptr = &options->rhosts_rsa_authentication;
	426	goto parse_flag;
	427
	428	case sRSAAuthentication:
	429	intptr = &options->rsa_authentication;
	430	goto parse_flag;
	431
8efc0c15	432	#ifdef KRB4
5260325f	433	case sKerberosAuthentication:
	434	intptr = &options->kerberos_authentication;
	435	goto parse_flag;
	436
	437	case sKerberosOrLocalPasswd:
	438	intptr = &options->kerberos_or_local_passwd;
	439	goto parse_flag;
	440
	441	case sKerberosTicketCleanup:
	442	intptr = &options->kerberos_ticket_cleanup;
	443	goto parse_flag;
8efc0c15	444	#endif
5260325f	445
8efc0c15	446	#ifdef AFS
5260325f	447	case sKerberosTgtPassing:
	448	intptr = &options->kerberos_tgt_passing;
	449	goto parse_flag;
8efc0c15	450
5260325f	451	case sAFSTokenPassing:
	452	intptr = &options->afs_token_passing;
	453	goto parse_flag;
8efc0c15	454	#endif
8efc0c15	455
5260325f	456	case sPasswordAuthentication:
	457	intptr = &options->password_authentication;
	458	goto parse_flag;
8efc0c15	459
5260325f	460	case sCheckMail:
	461	intptr = &options->check_mail;
	462	goto parse_flag;
8efc0c15	463
8efc0c15	464	#ifdef SKEY
5260325f	465	case sSkeyAuthentication:
	466	intptr = &options->skey_authentication;
	467	goto parse_flag;
8efc0c15	468	#endif
8efc0c15	469
5260325f	470	case sPrintMotd:
	471	intptr = &options->print_motd;
	472	goto parse_flag;
	473
	474	case sX11Forwarding:
	475	intptr = &options->x11_forwarding;
	476	goto parse_flag;
	477
	478	case sX11DisplayOffset:
	479	intptr = &options->x11_display_offset;
	480	goto parse_int;
	481
	482	case sStrictModes:
	483	intptr = &options->strict_modes;
	484	goto parse_flag;
	485
	486	case sKeepAlives:
	487	intptr = &options->keepalives;
	488	goto parse_flag;
	489
	490	case sEmptyPasswd:
	491	intptr = &options->permit_empty_passwd;
	492	goto parse_flag;
	493
	494	case sUseLogin:
	495	intptr = &options->use_login;
	496	goto parse_flag;
	497
	498	case sLogFacility:
	499	intptr = (int *) &options->log_facility;
	500	cp = strtok(NULL, WHITESPACE);
	501	value = log_facility_number(cp);
	502	if (value == (SyslogFacility) - 1)
	503	fatal("%.200s line %d: unsupported log facility '%s'\n",
a8be9f80	504	filename, linenum, cp ? cp : "<NONE>");
5260325f	505	if (*intptr == -1)
	506	*intptr = (SyslogFacility) value;
	507	break;
	508
	509	case sLogLevel:
	510	intptr = (int *) &options->log_level;
	511	cp = strtok(NULL, WHITESPACE);
	512	value = log_level_number(cp);
	513	if (value == (LogLevel) - 1)
	514	fatal("%.200s line %d: unsupported log level '%s'\n",
a8be9f80	515	filename, linenum, cp ? cp : "<NONE>");
5260325f	516	if (*intptr == -1)
	517	*intptr = (LogLevel) value;
	518	break;
	519
	520	case sAllowUsers:
	521	while ((cp = strtok(NULL, WHITESPACE))) {
a8be9f80	522	if (options->num_allow_users >= MAX_ALLOW_USERS)
	523	fatal("%s line %d: too many allow users.\n",
	524	filename, linenum);
5260325f	525	options->allow_users[options->num_allow_users++] = xstrdup(cp);
	526	}
	527	break;
	528
	529	case sDenyUsers:
	530	while ((cp = strtok(NULL, WHITESPACE))) {
a8be9f80	531	if (options->num_deny_users >= MAX_DENY_USERS)
	532	fatal( "%s line %d: too many deny users.\n",
	533	filename, linenum);
5260325f	534	options->deny_users[options->num_deny_users++] = xstrdup(cp);
	535	}
	536	break;
	537
	538	case sAllowGroups:
	539	while ((cp = strtok(NULL, WHITESPACE))) {
a8be9f80	540	if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
	541	fatal("%s line %d: too many allow groups.\n",
	542	filename, linenum);
5260325f	543	options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
	544	}
	545	break;
	546
	547	case sDenyGroups:
	548	while ((cp = strtok(NULL, WHITESPACE))) {
a8be9f80	549	if (options->num_deny_groups >= MAX_DENY_GROUPS)
	550	fatal("%s line %d: too many deny groups.\n",
	551	filename, linenum);
5260325f	552	options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
	553	}
	554	break;
	555
a8be9f80	556	case sCiphers:
	557	cp = strtok(NULL, WHITESPACE);
	558	if (!ciphers_valid(cp))
	559	fatal("%s line %d: Bad cipher spec '%s'.",
	560	filename, linenum, cp ? cp : "<NONE>");
	561	if (options->ciphers == NULL)
	562	options->ciphers = xstrdup(cp);
	563	break;
	564
	565	case sProtocol:
	566	intptr = &options->protocol;
	567	cp = strtok(NULL, WHITESPACE);
	568	value = proto_spec(cp);
	569	if (value == SSH_PROTO_UNKNOWN)
	570	fatal("%s line %d: Bad protocol spec '%s'.",
	571	filename, linenum, cp ? cp : "<NONE>");
	572	if (*intptr == SSH_PROTO_UNKNOWN)
	573	*intptr = value;
	574	break;
	575
5260325f	576	default:
	577	fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
	578	filename, linenum, cp, opcode);
	579	exit(1);
8efc0c15	580	}
5260325f	581	if (strtok(NULL, WHITESPACE) != NULL) {
	582	fprintf(stderr, "%s line %d: garbage at end of line.\n",
	583	filename, linenum);
	584	exit(1);
8efc0c15	585	}
8efc0c15	586	}
5260325f	587	fclose(f);
	588	if (bad_options > 0) {
	589	fprintf(stderr, "%s: terminating, %d bad configuration options\n",
	590	filename, bad_options);
	591	exit(1);
8efc0c15	592	}
8efc0c15	593	}