8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
1c590258 13RCSID("$OpenBSD: servconf.c,v 1.123 2003/07/22 13:35:22 markus Exp $");
8efc0c15 14
15#include "ssh.h"
42f11eb2 16#include "log.h"
8efc0c15 17#include "servconf.h"
18#include "xmalloc.h"
a8be9f80 19#include "compat.h"
42f11eb2 20#include "pathnames.h"
21#include "tildexpand.h"
22#include "misc.h"
23#include "cipher.h"
b2552997 24#include "kex.h"
25#include "mac.h"
42f11eb2 26
/*
 * Listen-address helpers (defined further down in this file).
 * add_listen_addr() treats a port of 0 as "every port configured so
 * far"; add_one_listen_addr() resolves one addr/port pair with
 * getaddrinfo() and prepends the result to options->listen_addrs.
 */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6; passed as ai_family to getaddrinfo() */
extern int IPv4or6;
/*
 * Use of privilege separation or not. Owned by another file but reset,
 * parsed (UsePrivilegeSeparation) and defaulted here: -1 until the
 * config has been read, then 0 or 1.
 */
extern int use_privsep;
42f11eb2 34
/*
 * Reset every server option to "not set".
 *
 * Integer options become -1, pointers NULL, counters 0, and the
 * enum-valued options use their own sentinels (PERMIT_NOT_SET,
 * SYSLOG_FACILITY_NOT_SET, SYSLOG_LEVEL_NOT_SET, SSH_PROTO_UNKNOWN).
 * The config parser only stores into a field that still holds its
 * sentinel, and fill_default_server_options() afterwards replaces
 * whatever is still unset with the built-in default.
 */
void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->use_pam = -1;

	/* Standard Options: listeners, key and file locations */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->xauth_location = NULL;
	options->banner = NULL;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* Protocol, crypto and connection limits */
	options->protocol = SSH_PROTO_UNKNOWN;
	options->ciphers = NULL;
	options->macs = NULL;
	options->server_key_bits = -1;
	options->key_regeneration_time = -1;
	options->login_grace_time = -1;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->keepalives = -1;
	options->compression = -1;

	/* Authentication methods and policy */
	options->permit_root_login = PERMIT_NOT_SET;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
	options->kerberos_tgt_passing = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->strict_modes = -1;

	/* Access lists and subsystems (counters only; arrays were zeroed) */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->num_subsystems = 0;

	/* Session behaviour */
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->allow_tcp_forwarding = -1;
	options->gateway_ports = -1;
	options->use_dns = -1;

	/* Logging */
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;

	/* Needs to be accessable in many places */
	use_privsep = -1;
}
107
/*
 * Store val in *opt unless the option was already set. Integer options
 * start at -1 ("not set", see initialize_server_options()) and the
 * config parser only writes a field while it is still -1, so any other
 * value here came from sshd_config or the command line and is kept.
 */
static void
default_if_unset(int *opt, int val)
{
	if (*opt == -1)
		*opt = val;
}

/*
 * Replace every option that is still "not set" with its built-in
 * default. Called once after the config file and command line have
 * been processed.
 *
 * Order matters in three places: the default for max_startups_begin
 * copies max_startups, authorized_keys_file2 falls back to a
 * user-specified authorized_keys_file before that one gets its own
 * default, and the privsep/compression check at the end needs both
 * values final.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	default_if_unset(&options->use_pam, 1);

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* No ListenAddress at all: wildcard address on every port. */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	default_if_unset(&options->server_key_bits, 768);
	default_if_unset(&options->login_grace_time, 120);
	default_if_unset(&options->key_regeneration_time, 3600);
	/* PermitRootLogin defaults to "yes" unless sshd_config says otherwise. */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	default_if_unset(&options->ignore_rhosts, 1);
	default_if_unset(&options->ignore_user_known_hosts, 0);
	default_if_unset(&options->print_motd, 1);
	default_if_unset(&options->print_lastlog, 1);
	default_if_unset(&options->x11_forwarding, 0);
	default_if_unset(&options->x11_display_offset, 10);
	default_if_unset(&options->x11_use_localhost, 1);
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	default_if_unset(&options->strict_modes, 1);
	default_if_unset(&options->keepalives, 1);
	/* Enum-valued options carry their own sentinels, not -1. */
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	default_if_unset(&options->rhosts_authentication, 0);
	default_if_unset(&options->rhosts_rsa_authentication, 0);
	default_if_unset(&options->hostbased_authentication, 0);
	default_if_unset(&options->hostbased_uses_name_from_packet_only, 0);
	default_if_unset(&options->rsa_authentication, 1);
	default_if_unset(&options->pubkey_authentication, 1);
	default_if_unset(&options->kerberos_authentication, 0);
	default_if_unset(&options->kerberos_or_local_passwd, 1);
	default_if_unset(&options->kerberos_ticket_cleanup, 1);
	default_if_unset(&options->kerberos_tgt_passing, 0);
	default_if_unset(&options->password_authentication, 1);
	default_if_unset(&options->kbd_interactive_authentication, 0);
	default_if_unset(&options->challenge_response_authentication, 1);
	default_if_unset(&options->permit_empty_passwd, 0);
	default_if_unset(&options->permit_user_env, 0);
	default_if_unset(&options->use_login, 0);
	default_if_unset(&options->compression, 1);
	default_if_unset(&options->allow_tcp_forwarding, 1);
	default_if_unset(&options->gateway_ports, 0);
	default_if_unset(&options->max_startups, 10);
	default_if_unset(&options->max_startups_rate, 100);	/* 100% */
	/* Must come after the max_startups default above. */
	default_if_unset(&options->max_startups_begin, options->max_startups);
	default_if_unset(&options->use_dns, 1);
	default_if_unset(&options->client_alive_interval, 0);
	default_if_unset(&options->client_alive_count_max, 3);
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	default_if_unset(&use_privsep, 1);

#ifndef HAVE_MMAP
	/* Compression is dropped, not privsep, when the platform cannot do both. */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
242
/*
 * Keyword tokens. One opcode per sshd_config keyword; the numeric value
 * only matters for the "Missing handler for opcode" diagnostic, so the
 * order is kept stable.
 */
typedef enum {
	sBadOption,		/* == unknown option */

	/* Portable-specific options */
	sUsePAM,

	/* Standard Options: listeners, keys, timing */
	sPort,
	sHostKeyFile,
	sServerKeyBits,
	sLoginGraceTime,
	sKeyRegenerationTime,
	sPermitRootLogin,
	sLogFacility,
	sLogLevel,

	/* Authentication methods */
	sRhostsAuthentication,
	sRhostsRSAAuthentication,
	sRSAAuthentication,
	sKerberosAuthentication,
	sKerberosOrLocalPasswd,
	sKerberosTicketCleanup,
	sKerberosTgtPassing,
	sChallengeResponseAuthentication,
	sPasswordAuthentication,
	sKbdInteractiveAuthentication,
	sListenAddress,

	/* Session behaviour */
	sPrintMotd,
	sPrintLastLog,
	sIgnoreRhosts,
	sX11Forwarding,
	sX11DisplayOffset,
	sX11UseLocalhost,
	sStrictModes,
	sEmptyPasswd,
	sKeepAlives,
	sPermitUserEnvironment,
	sUseLogin,
	sAllowTcpForwarding,
	sCompression,

	/* Access lists */
	sAllowUsers,
	sDenyUsers,
	sAllowGroups,
	sDenyGroups,

	/* Crypto, protocol and miscellany */
	sIgnoreUserKnownHosts,
	sCiphers,
	sMacs,
	sProtocol,
	sPidFile,
	sGatewayPorts,
	sPubkeyAuthentication,
	sXAuthLocation,
	sSubsystem,
	sMaxStartups,
	sBanner,
	sUseDNS,
	sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly,
	sClientAliveInterval,
	sClientAliveCountMax,
	sAuthorizedKeysFile,
	sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,

	/* Keywords that are recognised but no longer (or not here) honoured */
	sDeprecated,
	sUnsupported
} ServerOpCodes;
268
/*
 * Textual representation of the tokens. Matched case-insensitively by
 * parse_token(); the NULL-named entry terminates the table. Keywords
 * whose backend was compiled out map to sUnsupported so that an
 * existing sshd_config still parses (with a log message) instead of
 * failing.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ .name = "UsePAM", .opcode = sUsePAM },
#else
	{ .name = "UsePAM", .opcode = sUnsupported },
#endif
	/* Standard Options */
	{ .name = "port", .opcode = sPort },
	{ .name = "hostkey", .opcode = sHostKeyFile },
	{ .name = "hostdsakey", .opcode = sHostKeyFile },	/* alias */
	{ .name = "pidfile", .opcode = sPidFile },
	{ .name = "serverkeybits", .opcode = sServerKeyBits },
	{ .name = "logingracetime", .opcode = sLoginGraceTime },
	{ .name = "keyregenerationinterval", .opcode = sKeyRegenerationTime },
	{ .name = "permitrootlogin", .opcode = sPermitRootLogin },
	{ .name = "syslogfacility", .opcode = sLogFacility },
	{ .name = "loglevel", .opcode = sLogLevel },
	{ .name = "rhostsauthentication", .opcode = sRhostsAuthentication },
	{ .name = "rhostsrsaauthentication", .opcode = sRhostsRSAAuthentication },
	{ .name = "hostbasedauthentication", .opcode = sHostbasedAuthentication },
	{ .name = "hostbasedusesnamefrompacketonly", .opcode = sHostbasedUsesNameFromPacketOnly },
	{ .name = "rsaauthentication", .opcode = sRSAAuthentication },
	{ .name = "pubkeyauthentication", .opcode = sPubkeyAuthentication },
	{ .name = "dsaauthentication", .opcode = sPubkeyAuthentication },	/* alias */
#ifdef KRB5
	{ .name = "kerberosauthentication", .opcode = sKerberosAuthentication },
	{ .name = "kerberosorlocalpasswd", .opcode = sKerberosOrLocalPasswd },
	{ .name = "kerberosticketcleanup", .opcode = sKerberosTicketCleanup },
	{ .name = "kerberostgtpassing", .opcode = sKerberosTgtPassing },
#else
	{ .name = "kerberosauthentication", .opcode = sUnsupported },
	{ .name = "kerberosorlocalpasswd", .opcode = sUnsupported },
	{ .name = "kerberosticketcleanup", .opcode = sUnsupported },
	{ .name = "kerberostgtpassing", .opcode = sUnsupported },
#endif
	{ .name = "afstokenpassing", .opcode = sUnsupported },
	{ .name = "passwordauthentication", .opcode = sPasswordAuthentication },
	{ .name = "kbdinteractiveauthentication", .opcode = sKbdInteractiveAuthentication },
	{ .name = "challengeresponseauthentication", .opcode = sChallengeResponseAuthentication },
	{ .name = "skeyauthentication", .opcode = sChallengeResponseAuthentication },	/* alias */
	{ .name = "checkmail", .opcode = sDeprecated },
	{ .name = "listenaddress", .opcode = sListenAddress },
	{ .name = "printmotd", .opcode = sPrintMotd },
	{ .name = "printlastlog", .opcode = sPrintLastLog },
	{ .name = "ignorerhosts", .opcode = sIgnoreRhosts },
	{ .name = "ignoreuserknownhosts", .opcode = sIgnoreUserKnownHosts },
	{ .name = "x11forwarding", .opcode = sX11Forwarding },
	{ .name = "x11displayoffset", .opcode = sX11DisplayOffset },
	{ .name = "x11uselocalhost", .opcode = sX11UseLocalhost },
	{ .name = "xauthlocation", .opcode = sXAuthLocation },
	{ .name = "strictmodes", .opcode = sStrictModes },
	{ .name = "permitemptypasswords", .opcode = sEmptyPasswd },
	{ .name = "permituserenvironment", .opcode = sPermitUserEnvironment },
	{ .name = "uselogin", .opcode = sUseLogin },
	{ .name = "compression", .opcode = sCompression },
	{ .name = "keepalive", .opcode = sKeepAlives },
	{ .name = "allowtcpforwarding", .opcode = sAllowTcpForwarding },
	{ .name = "allowusers", .opcode = sAllowUsers },
	{ .name = "denyusers", .opcode = sDenyUsers },
	{ .name = "allowgroups", .opcode = sAllowGroups },
	{ .name = "denygroups", .opcode = sDenyGroups },
	{ .name = "ciphers", .opcode = sCiphers },
	{ .name = "macs", .opcode = sMacs },
	{ .name = "protocol", .opcode = sProtocol },
	{ .name = "gatewayports", .opcode = sGatewayPorts },
	{ .name = "subsystem", .opcode = sSubsystem },
	{ .name = "maxstartups", .opcode = sMaxStartups },
	{ .name = "banner", .opcode = sBanner },
	{ .name = "usedns", .opcode = sUseDNS },
	{ .name = "verifyreversemapping", .opcode = sDeprecated },
	{ .name = "reversemappingcheck", .opcode = sDeprecated },
	{ .name = "clientaliveinterval", .opcode = sClientAliveInterval },
	{ .name = "clientalivecountmax", .opcode = sClientAliveCountMax },
	{ .name = "authorizedkeysfile", .opcode = sAuthorizedKeysFile },
	{ .name = "authorizedkeysfile2", .opcode = sAuthorizedKeysFile2 },
	{ .name = "useprivilegeseparation", .opcode = sUsePrivilegeSeparation },
	{ .name = NULL, .opcode = sBadOption }
};
352
/*
 * Look up the keyword cp (case-insensitively) in keywords[] and return
 * its opcode. An unknown keyword is reported through error() with the
 * file name and line number and yields sBadOption; the caller decides
 * whether that is fatal.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
371
/*
 * Register a listen address. A port of 0 means "on every port configured
 * so far", which is why sPort lines must precede ListenAddress lines
 * (enforced in process_server_config_line()). A ListenAddress seen
 * before any Port line implies the default port.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
385
/*
 * Resolve one addr/port pair with getaddrinfo() and prepend the whole
 * result list to options->listen_addrs. addr == NULL requests the
 * wildcard (passive) address. Resolution failure is fatal: sshd must
 * not start with fewer listeners than configured.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints;
	struct addrinfo *res, *last;
	char strport[NI_MAXSERV];
	int gaierr;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	else
		hints.ai_flags = 0;
	snprintf(strport, sizeof strport, "%u", port);

	gaierr = getaddrinfo(addr, strport, &hints, &res);
	if (gaierr != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(gaierr));

	/* Find the tail of the new list, then hang the existing list off it. */
	last = res;
	while (last->ai_next != NULL)
		last = last->ai_next;
	last->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
407
/*
 * Parse one line of sshd_config into options.
 *
 * line is tokenized in place by strdelim(). Returns 0 when the line was
 * handled (blank lines and '#' comments included) and -1 for an unknown
 * keyword, which parse_token() has already reported; the caller counts
 * those and fails once the whole file has been read. Malformed arguments
 * are fatal() immediately.
 *
 * Most options are "first wins": a value is stored only while the field
 * still holds its "not set" sentinel (-1, NULL or SSH_PROTO_UNKNOWN), so
 * an earlier line, or a command-line override applied before the file
 * is read, takes precedence over a later line. The shared parse_flag /
 * parse_int / parse_time / parse_filename labels implement that rule for
 * the many options that differ only in which field intptr or charptr
 * points at. MaxStartups, Subsystem and the Allow/Deny lists do not
 * follow this rule (see the notes at their cases).
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p;
	int *intptr, value, i, n;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	/* Blank line or comment: nothing to do. */
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sUsePAM:
		intptr = &options->use_pam;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/*
		 * add_listen_addr() expands a port-less ListenAddress into
		 * the ports known at that moment, so a Port line after a
		 * ListenAddress would silently be missed; reject the ordering.
		 */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		/* a2port() returns 0 for anything that is not a valid port. */
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		/* Shared tail: read one integer into *intptr if still unset. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * atoi() reports no errors: a non-numeric argument yields 0
		 * and is accepted here without complaint.
		 */
		value = atoi(arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		/* Shared tail: read one time spec (convtime()) into *intptr if still unset. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms: "addr", "addr:port", "[v6addr]" and
		 * "[v6addr]:port". A bare address containing two or more
		 * ':' is taken to be an IPv6 address without a port.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			/* Drop the brackets in place; p now sits on what followed ']'. */
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				/* Terminate the address part just before the ':'. */
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		/*
		 * HostKey accumulates: intptr counts the files and charptr
		 * points at the next free slot, which parse_filename fills
		 * and then bumps the counter for.
		 */
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		/* Shared tail: tilde-expand one path into *charptr if still unset. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		/*
		 * NOTE(review): the "still unset" test below compares against
		 * -1 while initialize_server_options() stores PERMIT_NOT_SET;
		 * the two must be the same value -- confirm in servconf.h.
		 */
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* Shared tail: read "yes"/"no" into *intptr (1/0) if still unset. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
				filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;

	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;

	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sUseDNS:
		intptr = &options->use_dns;
		goto parse_flag;

	case sLogFacility:
		/*
		 * arg is not NULL-checked before log_facility_number(); that
		 * helper is presumably expected to map NULL to
		 * SYSLOG_FACILITY_NOT_SET (the message below already copes
		 * with arg == NULL). The "== -1" test assumes
		 * SYSLOG_FACILITY_NOT_SET is -1 -- confirm in log.h.
		 */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		/* Same NULL-argument and "-1 == NOT_SET" assumptions as sLogFacility. */
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		/* Stored in the file-scope extern, not in options. */
		intptr = &use_privsep;
		goto parse_flag;

	/*
	 * The four Allow/Deny lists accumulate across lines: every word on
	 * the line is appended, bounded only by the MAX_* array sizes.
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal( "%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		/* The spec is validated even when a previous line already set it. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		/* Bit mask of SSH_PROTO_1 / SSH_PROTO_2 as returned by proto_spec(). */
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		/*
		 * Subsystems accumulate; a duplicate name is fatal rather
		 * than ignored. The name is stored before the command is
		 * checked, which is harmless only because a missing command
		 * is fatal.
		 */
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		/*
		 * Unlike the other options this is not "first wins": sscanf()
		 * writes straight into the three fields, so a later
		 * MaxStartups line overrides an earlier one, and a partially
		 * matched "begin:rate:full" spec has already overwritten
		 * max_startups_begin / max_startups_rate before the fatal().
		 * A single number sets both begin and full to that value.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		/* Log and consume the rest of the line so the trailing-garbage check stays quiet. */
		logit("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	case sUnsupported:
		/* Same as sDeprecated: keyword known, backend compiled out. */
		logit("%s line %d: Unsupported option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		/* Reached only if ServerOpCodes gains a value without a case here. */
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Every case consumes exactly its arguments; anything left is an error. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}
089fbbd2 895
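/*
 * Reads the server configuration file.
 *
 * Each line is handed to process_server_config_line(); lines it rejects
 * (non-zero return, i.e. unknown keywords) are counted and reported in
 * one fatal() after the whole file has been read, so every bad keyword
 * is shown in a single pass. A file that cannot be opened is reported
 * with perror() and exits with status 1.
 *
 * A line that does not fit into the fixed line buffer is fatal as well:
 * fgets() would otherwise return the remainder as the next "line", and
 * that tail would be parsed as a fresh keyword with a misleading error
 * (or, if it happens to start with a valid keyword, accepted).
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	int c, linenum, bad_options = 0;
	char line[1024];
	FILE *f;

	debug2("read_server_config: filename %s", filename);
	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		if (strchr(line, '\n') == NULL) {
			/*
			 * No newline: either the last line of the file or a
			 * line longer than the buffer. Peek one character to
			 * tell them apart; a newline is pushed back so that
			 * line numbering is unchanged for a line that is
			 * exactly sizeof(line)-1 characters long.
			 */
			c = getc(f);
			if (c == '\n')
				ungetc(c, f);
			else if (c != EOF)
				fatal("%s line %d: line too long (max %d characters).",
				    filename, linenum, (int)(sizeof(line) - 1));
		}
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}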