8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.104 2002/03/19 03:03:43 stevesk Exp $");

#include <errno.h>
#include <limits.h>

#if defined(KRB4) || defined(KRB5)
#include <krb.h>
#endif
#ifdef AFS
#include <kafs.h>
#endif

#include "ssh.h"
#include "log.h"
#include "servconf.h"
#include "xmalloc.h"
#include "compat.h"
#include "pathnames.h"
#include "tildexpand.h"
#include "misc.h"
#include "cipher.h"
#include "kex.h"
#include "mac.h"
42f11eb2 33
/* ListenAddress helpers, defined further down in this file. */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6; owned by sshd.c, used as the getaddrinfo() family hint */
extern int IPv4or6;
/* Use of privilege separation or not; -1 until configured, see fill_default_server_options() */
extern int use_privsep;
42f11eb2 41
/*
 * Reset every server option to its "not yet set" marker so that later
 * passes (config file, command line, fill_default_server_options()) can
 * tell configured values from unconfigured ones.
 *
 * Integer/boolean options use -1, strings use NULL, counters use 0, and
 * the enum-typed fields use their dedicated *_NOT_SET sentinels.  Every
 * member not named below is zero-filled.  The global use_privsep is reset
 * here too because it is consulted from many places outside this struct.
 */
void
initialize_server_options(ServerOptions *options)
{
	*options = (ServerOptions){
		/* Portable-specific options */
		.pam_authentication_via_kbd_int = -1,

		/* Standard Options */
		.num_ports = 0,
		.ports_from_cmdline = 0,
		.listen_addrs = NULL,
		.num_host_key_files = 0,
		.pid_file = NULL,
		.server_key_bits = -1,
		.login_grace_time = -1,
		.key_regeneration_time = -1,
		.permit_root_login = PERMIT_NOT_SET,
		.ignore_rhosts = -1,
		.ignore_user_known_hosts = -1,
		.print_motd = -1,
		.print_lastlog = -1,
		.x11_forwarding = -1,
		.x11_display_offset = -1,
		.x11_use_localhost = -1,
		.xauth_location = NULL,
		.strict_modes = -1,
		.keepalives = -1,
		.log_facility = SYSLOG_FACILITY_NOT_SET,
		.log_level = SYSLOG_LEVEL_NOT_SET,
		.rhosts_authentication = -1,
		.rhosts_rsa_authentication = -1,
		.hostbased_authentication = -1,
		.hostbased_uses_name_from_packet_only = -1,
		.rsa_authentication = -1,
		.pubkey_authentication = -1,
#if defined(KRB4) || defined(KRB5)
		.kerberos_authentication = -1,
		.kerberos_or_local_passwd = -1,
		.kerberos_ticket_cleanup = -1,
#endif
#if defined(AFS) || defined(KRB5)
		.kerberos_tgt_passing = -1,
#endif
#ifdef AFS
		.afs_token_passing = -1,
#endif
		.password_authentication = -1,
		.kbd_interactive_authentication = -1,
		.challenge_response_authentication = -1,
		.permit_empty_passwd = -1,
		.use_login = -1,
		.allow_tcp_forwarding = -1,
		.num_allow_users = 0,
		.num_deny_users = 0,
		.num_allow_groups = 0,
		.num_deny_groups = 0,
		.ciphers = NULL,
		.macs = NULL,
		.protocol = SSH_PROTO_UNKNOWN,
		.gateway_ports = -1,
		.num_subsystems = 0,
		.max_startups_begin = -1,
		.max_startups_rate = -1,
		.max_startups = -1,
		.banner = NULL,
		.verify_reverse_mapping = -1,
		.client_alive_interval = -1,
		.client_alive_count_max = -1,
		.authorized_keys_file = NULL,
		.authorized_keys_file2 = NULL,
		.unprivileged_user = -1,
		.unprivileged_group = -1,
	};

	/* Needs to be accessable in many places */
	use_privsep = -1;
}
122
/*
 * Store dflt into *slot only if the option is still at its "unset"
 * marker (-1); a value already set by the config file or command line
 * is left untouched.
 */
static void
default_int(int *slot, int dflt)
{
	if (*slot == -1)
		*slot = dflt;
}

/*
 * Fill in the compiled-in default for every option the configuration did
 * not set.  Must run after initialize_server_options() and after the
 * config file has been read, since only still-unset slots are touched.
 *
 * Hardening note: the compiled-in defaults leave PermitRootLogin at
 * "yes" and privilege separation off; deployments normally override both
 * in sshd_config.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	default_int(&options->pam_authentication_via_kbd_int, 0);

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	default_int(&options->server_key_bits, 768);
	default_int(&options->login_grace_time, 600);
	default_int(&options->key_regeneration_time, 3600);
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	default_int(&options->ignore_rhosts, 1);
	default_int(&options->ignore_user_known_hosts, 0);
	default_int(&options->print_motd, 1);
	default_int(&options->print_lastlog, 1);
	default_int(&options->x11_forwarding, 0);
	default_int(&options->x11_display_offset, 10);
	default_int(&options->x11_use_localhost, 1);
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	default_int(&options->strict_modes, 1);
	default_int(&options->keepalives, 1);
	/* the two log settings use their own NOT_SET sentinels, not -1 */
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	default_int(&options->rhosts_authentication, 0);
	default_int(&options->rhosts_rsa_authentication, 0);
	default_int(&options->hostbased_authentication, 0);
	default_int(&options->hostbased_uses_name_from_packet_only, 0);
	default_int(&options->rsa_authentication, 1);
	default_int(&options->pubkey_authentication, 1);
#if defined(KRB4) || defined(KRB5)
	/* kept as an explicit test so access() is only called when needed */
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
	default_int(&options->kerberos_or_local_passwd, 1);
	default_int(&options->kerberos_ticket_cleanup, 1);
#endif
#if defined(AFS) || defined(KRB5)
	default_int(&options->kerberos_tgt_passing, 0);
#endif
#ifdef AFS
	/* explicit test: k_hasafs() should only run when the option is unset */
	if (options->afs_token_passing == -1)
		options->afs_token_passing = k_hasafs();
#endif
	default_int(&options->password_authentication, 1);
	default_int(&options->kbd_interactive_authentication, 0);
	default_int(&options->challenge_response_authentication, 1);
	default_int(&options->permit_empty_passwd, 0);
	default_int(&options->use_login, 0);
	default_int(&options->allow_tcp_forwarding, 1);
	default_int(&options->gateway_ports, 0);
	default_int(&options->max_startups, 10);
	default_int(&options->max_startups_rate, 100); /* 100% */
	/* must come after max_startups so the fallback sees the final value */
	default_int(&options->max_startups_begin, options->max_startups);
	default_int(&options->verify_reverse_mapping, 0);
	default_int(&options->client_alive_interval, 0);
	default_int(&options->client_alive_count_max, 3);
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation _off_ by default */
	default_int(&use_privsep, 0);
	default_int(&options->unprivileged_user, 32767);
	default_int(&options->unprivileged_group, 32767);
}
255
/*
 * Keyword tokens.
 *
 * One opcode per recognised sshd_config directive.  The keywords[] table
 * below maps each textual name onto one of these, and
 * process_server_config_line() dispatches on them.  Opcodes wrapped in
 * #if blocks only exist when the corresponding feature is compiled in.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sPAMAuthenticationViaKbdInt,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sUseLogin, sAllowTcpForwarding,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sUsePrivilegeSeparation, sUnprivUser, sUnprivGroup,
	/* retired keyword: logged and its arguments skipped, nothing is set */
	sDeprecated
} ServerOpCodes;
289
/*
 * Textual representation of the tokens.
 *
 * parse_token() compares the keyword from the config file against
 * these names with strcasecmp(), so matching is case-insensitive, and
 * takes the first entry that matches.  Several names map onto the same
 * opcode to keep older spellings working (marked "alias"); "checkmail"
 * is only kept so that old configs do not fail, it does nothing.  The
 * list is terminated by the NULL-named entry, which parse_token() relies
 * on to stop scanning.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },	/* alias */
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },			/* accepted, ignored */
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "uselogin", sUseLogin },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "verifyreversemapping", sVerifyReverseMapping },
	{ "reversemappingcheck", sVerifyReverseMapping },	/* alias */
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ "unprivuser", sUnprivUser},
	{ "unprivgroup", sUnprivGroup},
	{ NULL, sBadOption }				/* terminator */
};
367
/*
 * Look up the configuration keyword cp in the keywords[] table.
 *
 * The comparison is case-insensitive and the first matching entry wins.
 * filename and linenum are only used to report an unknown keyword via
 * error(); the caller sees sBadOption in that case and decides what to do.
 *
 * Returns the matching opcode, or sBadOption when cp is not a known
 * keyword.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename, int linenum)
{
	size_t idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(cp, keywords[idx].name) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
386
/*
 * Register a ListenAddress.  With port == 0 the address is bound on every
 * configured Port (falling back to SSH_DEFAULT_PORT when none has been
 * given yet); otherwise it is bound on exactly that port.  addr may be
 * NULL, meaning "any address" (see add_one_listen_addr()).
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	/* A ListenAddress may appear before any Port line. */
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
400
/*
 * Resolve addr:port with getaddrinfo() and prepend every resulting
 * struct addrinfo to options->listen_addrs.
 *
 * A NULL addr asks for the passive (wildcard) address of the configured
 * family (IPv4or6).  Resolution failure is fatal(): sshd must not start
 * with a listen address it cannot bind.  The returned list is linked into
 * options->listen_addrs and owned by it from then on; nothing is freed
 * here.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints = {
		.ai_family = IPv4or6,
		.ai_socktype = SOCK_STREAM,
		.ai_flags = (addr == NULL) ? AI_PASSIVE : 0,
	};
	struct addrinfo *resolved = NULL, *tail;
	char portstr[NI_MAXSERV];
	int err;

	snprintf(portstr, sizeof portstr, "%d", port);
	err = getaddrinfo(addr, portstr, &hints, &resolved);
	if (err != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(err));

	/* Splice the whole new list in front of the existing one. */
	tail = resolved;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = resolved;
}
422
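/*
 * Parse one line of sshd_config and apply it to *options.
 *
 * Leading whitespace, blank lines and '#' comments are ignored.  The
 * keyword is matched by parse_token(); its argument(s) are then consumed
 * with strdelim() and anything left over at the end of the line is
 * rejected.  Most option slots are only written while they still hold
 * their "unset" marker (-1 / NULL / *_NOT_SET), so the first assignment
 * wins — presumably so that values fixed earlier (e.g. on the sshd
 * command line) are not overridden by the file; confirm against the
 * callers before relying on it.
 *
 * options   option block to fill in (see initialize_server_options())
 * line      NUL-terminated raw line; strdelim() modifies it in place
 * filename  used in diagnostics only
 * linenum   used in diagnostics only
 *
 * Returns 0 on success or for an ignored line, -1 for an unknown keyword
 * (after error() has reported it).  Malformed arguments are fatal(): the
 * process terminates.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p, *ep;
	int *intptr, value;
	long lval;
	ServerOpCodes opcode;
	int i, n;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sPAMAuthenticationViaKbdInt:
		intptr = &options->pam_authentication_via_kbd_int;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		/* a2port() yields 0 for anything that is not a valid port */
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		/*
		 * Shared tail for every plain integer option; intptr points
		 * at the slot to fill.  A strict strtol() is used instead of
		 * atoi() so that trailing junk ("1O" with a letter O) or a
		 * value outside int range is rejected rather than silently
		 * stored as 0 or truncated.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		errno = 0;
		lval = strtol(arg, &ep, 10);
		if (ep == arg || *ep != '\0' || errno == ERANGE ||
		    lval < INT_MIN || lval > INT_MAX)
			fatal("%s line %d: invalid integer value '%s'.",
			    filename, linenum, arg);
		value = (int)lval;
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		/* Shared tail for duration options; convtime() rejects bad input with -1. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms: "host", "host:port", "[ipv6]" and
		 * "[ipv6]:port".  An unbracketed literal with more than one
		 * ':' is taken as an IPv6 address without a port.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			arg++;
			/* drop the ']' so arg becomes the bare address */
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
			    (strchr(p+1, ':') != NULL)) {
			add_listen_addr(options, arg, 0);
			break;
		}
		/* p now points just past the address: a ':' or the end */
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		/* intptr doubles as the slot counter that parse_filename bumps */
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		/*
		 * Shared tail for path options: charptr is the slot, filled
		 * only if still NULL, with ~ expanded relative to the current
		 * uid at config-read time.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* Shared tail for yes/no options; only the exact words are accepted. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;
#if defined(KRB4) || defined(KRB5)
	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;
#endif
#if defined(AFS) || defined(KRB5)
	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;
#endif
#ifdef AFS
	case sAFSTokenPassing:
		intptr = &options->afs_token_passing;
		goto parse_flag;
#endif

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sVerifyReverseMapping:
		intptr = &options->verify_reverse_mapping;
		goto parse_flag;

	case sLogFacility:
		/*
		 * log_facility is an enum accessed through an int *; this
		 * relies on the enum having int representation, as the
		 * original code does.  log_facility_number() tolerates a
		 * NULL arg and reports it as NOT_SET.
		 */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		/* same enum-through-int* handling as sLogFacility */
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		/* writes the file-global, not a field of *options */
		intptr = &use_privsep;
		goto parse_flag;

	case sUnprivUser:
		intptr = &options->unprivileged_user;
		goto parse_int;

	case sUnprivGroup:
		intptr = &options->unprivileged_group;
		goto parse_int;

	/*
	 * The four list options below accumulate across repeated lines
	 * (each word is xstrdup()'d and appended), bounded by the MAX_*
	 * constants.
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] = xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal( "%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] = xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		/* the spec is validated before it is stored; first setting wins */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		/* protocol uses SSH_PROTO_UNKNOWN, not -1, as its unset marker */
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		/* "Subsystem name command"; duplicate names are rejected */
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		/*
		 * "MaxStartups begin:rate:full" or just "MaxStartups n".
		 * sscanf() writes straight into the option fields; on a
		 * malformed spec fatal() follows, so a partially written
		 * triple never survives.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		/* log once, then drain the arguments so the trailing-garbage check stays quiet */
		log("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* every handler must have consumed its arguments by now */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}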
089fbbd2 908
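/*
 * Read the server configuration file and feed it line by line to
 * process_server_config_line().
 *
 * A file that cannot be opened is reported with perror() and the process
 * exits with status 1.  Unknown keywords are counted and reported
 * together with fatal() once the whole file has been read, so that all
 * of them show up in one run; malformed arguments are fatal inside
 * process_server_config_line() itself.
 *
 * Lines longer than the read buffer are rejected.  Without that check
 * fgets() would hand the remainder of an over-long line back on the
 * next iteration, where it would be parsed as a separate directive under
 * the wrong line number.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	FILE *f;
	char line[1024];
	int linenum = 0;
	int bad_options = 0;

	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		if (strchr(line, '\n') == NULL) {
			/*
			 * No newline in the buffer: either the final line
			 * lacks one (harmless, getc() sees EOF) or the line
			 * did not fit and more of it is still pending.
			 */
			if (getc(f) != EOF)
				fatal("%s line %d: line too long (max %d bytes).",
				    filename, linenum, (int)(sizeof(line) - 1));
		}
		if (process_server_config_line(options, line, filename,
		    linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}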