]> andersk Git - openssh.git/blame - servconf.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- dtucker@cvs.openbsd.org 2010/01/09 11:17:56
[openssh.git] / servconf.c
CommitLineData
bad23583 1/* $OpenBSD: servconf.c,v 1.199 2009/12/29 16:38:41 stevesk Exp $ */
8efc0c15 2/*
5260325f 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
6ae2364d 5 *
bcbf86ec 6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
5260325f 11 */
8efc0c15 12
13#include "includes.h"
8efc0c15 14
5b04a8bf 15#include <sys/types.h>
16#include <sys/socket.h>
17
28cb0a43 18#include <netdb.h>
fa47fe3c 19#include <pwd.h>
cf851879 20#include <stdio.h>
ffa517a8 21#include <stdlib.h>
00146caa 22#include <string.h>
31652869 23#include <signal.h>
5188ba17 24#include <unistd.h>
31652869 25#include <stdarg.h>
1760c982 26#include <errno.h>
c8dfff33 27
3593bdc0 28#include "openbsd-compat/sys-queue.h"
31652869 29#include "xmalloc.h"
8efc0c15 30#include "ssh.h"
42f11eb2 31#include "log.h"
31652869 32#include "buffer.h"
8efc0c15 33#include "servconf.h"
a8be9f80 34#include "compat.h"
42f11eb2 35#include "pathnames.h"
42f11eb2 36#include "misc.h"
37#include "cipher.h"
31652869 38#include "key.h"
b2552997 39#include "kex.h"
40#include "mac.h"
d231781a 41#include "match.h"
2fefbadf 42#include "channels.h"
fa47fe3c 43#include "groupaccess.h"
42f11eb2 44
5134115d 45static void add_listen_addr(ServerOptions *, char *, int);
46static void add_one_listen_addr(ServerOptions *, char *, int);
48e671d5 47
1853d1ef 48/* Use of privilege separation or not */
49extern int use_privsep;
d231781a 50extern Buffer cfg;
42f11eb2 51
8efc0c15 52/* Initializes the server options to their default values. */
53
6ae2364d 54void
5260325f 55initialize_server_options(ServerOptions *options)
8efc0c15 56{
5260325f 57 memset(options, 0, sizeof(*options));
e15895cd 58
59 /* Portable-specific options */
7fceb20d 60 options->use_pam = -1;
e15895cd 61
62 /* Standard Options */
48e671d5 63 options->num_ports = 0;
64 options->ports_from_cmdline = 0;
65 options->listen_addrs = NULL;
31b41ceb 66 options->address_family = -1;
fa08c86b 67 options->num_host_key_files = 0;
0fbe8c74 68 options->pid_file = NULL;
5260325f 69 options->server_key_bits = -1;
70 options->login_grace_time = -1;
71 options->key_regeneration_time = -1;
15853e93 72 options->permit_root_login = PERMIT_NOT_SET;
5260325f 73 options->ignore_rhosts = -1;
74 options->ignore_user_known_hosts = -1;
75 options->print_motd = -1;
4f4648f9 76 options->print_lastlog = -1;
5260325f 77 options->x11_forwarding = -1;
78 options->x11_display_offset = -1;
e6e573bd 79 options->x11_use_localhost = -1;
fa649821 80 options->xauth_location = NULL;
5260325f 81 options->strict_modes = -1;
fd573618 82 options->tcp_keep_alive = -1;
5eaf8578 83 options->log_facility = SYSLOG_FACILITY_NOT_SET;
84 options->log_level = SYSLOG_LEVEL_NOT_SET;
5260325f 85 options->rhosts_rsa_authentication = -1;
8002af61 86 options->hostbased_authentication = -1;
87 options->hostbased_uses_name_from_packet_only = -1;
5260325f 88 options->rsa_authentication = -1;
fa08c86b 89 options->pubkey_authentication = -1;
5260325f 90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
a1e30b47 93 options->kerberos_get_afs_token = -1;
7364bd04 94 options->gss_authentication=-1;
95 options->gss_cleanup_creds = -1;
5260325f 96 options->password_authentication = -1;
94ec8c6b 97 options->kbd_interactive_authentication = -1;
5ba55ada 98 options->challenge_response_authentication = -1;
5260325f 99 options->permit_empty_passwd = -1;
f00bab84 100 options->permit_user_env = -1;
5260325f 101 options->use_login = -1;
636f76ca 102 options->compression = -1;
33de75a3 103 options->allow_tcp_forwarding = -1;
43c3f85c 104 options->allow_agent_forwarding = -1;
5260325f 105 options->num_allow_users = 0;
106 options->num_deny_users = 0;
107 options->num_allow_groups = 0;
108 options->num_deny_groups = 0;
a8be9f80 109 options->ciphers = NULL;
b2552997 110 options->macs = NULL;
a8be9f80 111 options->protocol = SSH_PROTO_UNKNOWN;
1d1ffb87 112 options->gateway_ports = -1;
38c295d6 113 options->num_subsystems = 0;
c345cf9d 114 options->max_startups_begin = -1;
115 options->max_startups_rate = -1;
089fbbd2 116 options->max_startups = -1;
af4bd935 117 options->max_authtries = -1;
c6dca55e 118 options->max_sessions = -1;
eea39c02 119 options->banner = NULL;
c5a7d788 120 options->use_dns = -1;
3ffc6336 121 options->client_alive_interval = -1;
122 options->client_alive_count_max = -1;
c8445989 123 options->authorized_keys_file = NULL;
124 options->authorized_keys_file2 = NULL;
61a2c1da 125 options->num_accept_env = 0;
d20f3c9e 126 options->permit_tun = -1;
ea46e550 127 options->num_permitted_opens = -1;
e7259e8d 128 options->adm_forced_command = NULL;
db49deeb 129 options->chroot_directory = NULL;
5adf6b9a 130 options->zero_knowledge_password_authentication = -1;
fe7dba42 131 options->rdomain = -1;
8efc0c15 132}
133
6ae2364d 134void
5260325f 135fill_default_server_options(ServerOptions *options)
8efc0c15 136{
e15895cd 137 /* Portable-specific options */
7fceb20d 138 if (options->use_pam == -1)
0a23d79f 139 options->use_pam = 0;
e15895cd 140
141 /* Standard Options */
fa08c86b 142 if (options->protocol == SSH_PROTO_UNKNOWN)
21af5fc4 143 options->protocol = SSH_PROTO_2;
fa08c86b 144 if (options->num_host_key_files == 0) {
145 /* fill default hostkeys for protocols */
146 if (options->protocol & SSH_PROTO_1)
0f84fe37 147 options->host_key_files[options->num_host_key_files++] =
148 _PATH_HOST_KEY_FILE;
149 if (options->protocol & SSH_PROTO_2) {
150 options->host_key_files[options->num_host_key_files++] =
151 _PATH_HOST_RSA_KEY_FILE;
152 options->host_key_files[options->num_host_key_files++] =
153 _PATH_HOST_DSA_KEY_FILE;
154 }
fa08c86b 155 }
48e671d5 156 if (options->num_ports == 0)
157 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
158 if (options->listen_addrs == NULL)
2d2a2c65 159 add_listen_addr(options, NULL, 0);
0fbe8c74 160 if (options->pid_file == NULL)
42f11eb2 161 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
5260325f 162 if (options->server_key_bits == -1)
39ceddb7 163 options->server_key_bits = 1024;
5260325f 164 if (options->login_grace_time == -1)
3445ca02 165 options->login_grace_time = 120;
5260325f 166 if (options->key_regeneration_time == -1)
167 options->key_regeneration_time = 3600;
15853e93 168 if (options->permit_root_login == PERMIT_NOT_SET)
169 options->permit_root_login = PERMIT_YES;
5260325f 170 if (options->ignore_rhosts == -1)
c8d54615 171 options->ignore_rhosts = 1;
5260325f 172 if (options->ignore_user_known_hosts == -1)
173 options->ignore_user_known_hosts = 0;
5260325f 174 if (options->print_motd == -1)
175 options->print_motd = 1;
4f4648f9 176 if (options->print_lastlog == -1)
177 options->print_lastlog = 1;
5260325f 178 if (options->x11_forwarding == -1)
c8d54615 179 options->x11_forwarding = 0;
5260325f 180 if (options->x11_display_offset == -1)
c8d54615 181 options->x11_display_offset = 10;
e6e573bd 182 if (options->x11_use_localhost == -1)
183 options->x11_use_localhost = 1;
fa649821 184 if (options->xauth_location == NULL)
fd9ede94 185 options->xauth_location = _PATH_XAUTH;
5260325f 186 if (options->strict_modes == -1)
187 options->strict_modes = 1;
fd573618 188 if (options->tcp_keep_alive == -1)
189 options->tcp_keep_alive = 1;
5eaf8578 190 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
5260325f 191 options->log_facility = SYSLOG_FACILITY_AUTH;
5eaf8578 192 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
59c97189 193 options->log_level = SYSLOG_LEVEL_INFO;
5260325f 194 if (options->rhosts_rsa_authentication == -1)
c8d54615 195 options->rhosts_rsa_authentication = 0;
8002af61 196 if (options->hostbased_authentication == -1)
197 options->hostbased_authentication = 0;
198 if (options->hostbased_uses_name_from_packet_only == -1)
199 options->hostbased_uses_name_from_packet_only = 0;
5260325f 200 if (options->rsa_authentication == -1)
201 options->rsa_authentication = 1;
fa08c86b 202 if (options->pubkey_authentication == -1)
203 options->pubkey_authentication = 1;
5260325f 204 if (options->kerberos_authentication == -1)
eadc806d 205 options->kerberos_authentication = 0;
5260325f 206 if (options->kerberos_or_local_passwd == -1)
207 options->kerberos_or_local_passwd = 1;
208 if (options->kerberos_ticket_cleanup == -1)
209 options->kerberos_ticket_cleanup = 1;
a1e30b47 210 if (options->kerberos_get_afs_token == -1)
211 options->kerberos_get_afs_token = 0;
7364bd04 212 if (options->gss_authentication == -1)
213 options->gss_authentication = 0;
214 if (options->gss_cleanup_creds == -1)
215 options->gss_cleanup_creds = 1;
5260325f 216 if (options->password_authentication == -1)
217 options->password_authentication = 1;
94ec8c6b 218 if (options->kbd_interactive_authentication == -1)
219 options->kbd_interactive_authentication = 0;
5ba55ada 220 if (options->challenge_response_authentication == -1)
221 options->challenge_response_authentication = 1;
5260325f 222 if (options->permit_empty_passwd == -1)
c8d54615 223 options->permit_empty_passwd = 0;
f00bab84 224 if (options->permit_user_env == -1)
225 options->permit_user_env = 0;
5260325f 226 if (options->use_login == -1)
227 options->use_login = 0;
636f76ca 228 if (options->compression == -1)
07200973 229 options->compression = COMP_DELAYED;
33de75a3 230 if (options->allow_tcp_forwarding == -1)
231 options->allow_tcp_forwarding = 1;
43c3f85c 232 if (options->allow_agent_forwarding == -1)
233 options->allow_agent_forwarding = 1;
1d1ffb87 234 if (options->gateway_ports == -1)
235 options->gateway_ports = 0;
089fbbd2 236 if (options->max_startups == -1)
237 options->max_startups = 10;
c345cf9d 238 if (options->max_startups_rate == -1)
239 options->max_startups_rate = 100; /* 100% */
240 if (options->max_startups_begin == -1)
241 options->max_startups_begin = options->max_startups;
af4bd935 242 if (options->max_authtries == -1)
243 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
c6dca55e 244 if (options->max_sessions == -1)
245 options->max_sessions = DEFAULT_SESSIONS_MAX;
c5a7d788 246 if (options->use_dns == -1)
247 options->use_dns = 1;
3ffc6336 248 if (options->client_alive_interval == -1)
184eed6a 249 options->client_alive_interval = 0;
3ffc6336 250 if (options->client_alive_count_max == -1)
251 options->client_alive_count_max = 3;
5df83e07 252 if (options->authorized_keys_file2 == NULL) {
253 /* authorized_keys_file2 falls back to authorized_keys_file */
254 if (options->authorized_keys_file != NULL)
255 options->authorized_keys_file2 = options->authorized_keys_file;
256 else
257 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
258 }
259 if (options->authorized_keys_file == NULL)
260 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
d20f3c9e 261 if (options->permit_tun == -1)
a4f24bf8 262 options->permit_tun = SSH_TUNMODE_NO;
5adf6b9a 263 if (options->zero_knowledge_password_authentication == -1)
264 options->zero_knowledge_password_authentication = 0;
1853d1ef 265
2ee1b704 266 /* Turn privilege separation on by default */
1853d1ef 267 if (use_privsep == -1)
2ee1b704 268 use_privsep = 1;
e299a298 269
4165b82e 270#ifndef HAVE_MMAP
e299a298 271 if (use_privsep && options->compression == 1) {
272 error("This platform does not support both privilege "
273 "separation and compression");
274 error("Compression disabled");
275 options->compression = 0;
276 }
277#endif
278
8efc0c15 279}
280
8efc0c15 281/* Keyword tokens. */
5260325f 282typedef enum {
283 sBadOption, /* == unknown option */
e15895cd 284 /* Portable-specific options */
7fceb20d 285 sUsePAM,
e15895cd 286 /* Standard Options */
5260325f 287 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
288 sPermitRootLogin, sLogFacility, sLogLevel,
0598d99d 289 sRhostsRSAAuthentication, sRSAAuthentication,
5260325f 290 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
a1e30b47 291 sKerberosGetAFSToken,
1c590258 292 sKerberosTgtPassing, sChallengeResponseAuthentication,
31b41ceb 293 sPasswordAuthentication, sKbdInteractiveAuthentication,
294 sListenAddress, sAddressFamily,
4f4648f9 295 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e6e573bd 296 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
fd573618 297 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
f00bab84 298 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
33de75a3 299 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
b2552997 300 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
af4bd935 301 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
c6dca55e 302 sMaxStartups, sMaxAuthTries, sMaxSessions,
c5a7d788 303 sBanner, sUseDNS, sHostbasedAuthentication,
184eed6a 304 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
c8445989 305 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
d20f3c9e 306 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
db49deeb 307 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
fe7dba42 308 sUsePrivilegeSeparation, sAllowAgentForwarding, sRDomain,
5adf6b9a 309 sZeroKnowledgePasswordAuthentication,
a2144546 310 sDeprecated, sUnsupported
8efc0c15 311} ServerOpCodes;
312
d231781a 313#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
314#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
315#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
316
8efc0c15 317/* Textual representation of the tokens. */
5260325f 318static struct {
319 const char *name;
320 ServerOpCodes opcode;
d231781a 321 u_int flags;
5260325f 322} keywords[] = {
e15895cd 323 /* Portable-specific options */
b06b11ad 324#ifdef USE_PAM
d231781a 325 { "usepam", sUsePAM, SSHCFG_GLOBAL },
b06b11ad 326#else
d231781a 327 { "usepam", sUnsupported, SSHCFG_GLOBAL },
b06b11ad 328#endif
d231781a 329 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
e15895cd 330 /* Standard Options */
d231781a 331 { "port", sPort, SSHCFG_GLOBAL },
332 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
333 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
334 { "pidfile", sPidFile, SSHCFG_GLOBAL },
335 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
336 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
337 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
2ef741a3 338 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
d231781a 339 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
340 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
341 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
03bcbf84 342 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
343 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
d231781a 344 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
03bcbf84 345 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
346 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
c8dc0909 347 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
1c590258 348#ifdef KRB5
03bcbf84 349 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
d231781a 350 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
351 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
bcfcc5f9 352#ifdef USE_AFS
d231781a 353 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
309af4e5 354#else
d231781a 355 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
309af4e5 356#endif
a2144546 357#else
03bcbf84 358 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
d231781a 359 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
360 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
361 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
a2144546 362#endif
d231781a 363 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
364 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
7364bd04 365#ifdef GSSAPI
03bcbf84 366 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
d231781a 367 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
7364bd04 368#else
03bcbf84 369 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
d231781a 370 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
7364bd04 371#endif
03bcbf84 372 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
373 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
121c4a34 374 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
d231781a 375 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
5adf6b9a 376#ifdef JPAKE
377 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
378#else
379 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
380#endif
d231781a 381 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
382 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
383 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
384 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
385 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
386 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
387 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
691712e0 388 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
389 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
390 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
d231781a 391 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
392 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
e68868a1 393 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
d231781a 394 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
395 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
396 { "compression", sCompression, SSHCFG_GLOBAL },
397 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
398 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
399 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
43c3f85c 400 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
d231781a 401 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
402 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
403 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
404 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
405 { "ciphers", sCiphers, SSHCFG_GLOBAL },
406 { "macs", sMacs, SSHCFG_GLOBAL },
407 { "protocol", sProtocol, SSHCFG_GLOBAL },
408 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
409 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
410 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
8086aeb2 411 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
c6dca55e 412 { "maxsessions", sMaxSessions, SSHCFG_ALL },
03bcbf84 413 { "banner", sBanner, SSHCFG_ALL },
d231781a 414 { "usedns", sUseDNS, SSHCFG_GLOBAL },
415 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
416 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
417 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
418 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
419 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
420 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
c8dc0909 421 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
d231781a 422 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
423 { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
c8dc0909 424 { "match", sMatch, SSHCFG_ALL },
2fefbadf 425 { "permitopen", sPermitOpen, SSHCFG_ALL },
e7259e8d 426 { "forcecommand", sForceCommand, SSHCFG_ALL },
85fee9c0 427#ifdef USE_ROUTINGDOMAIN
bad23583 428 { "routingdomain", sRDomain, SSHCFG_GLOBAL },
85fee9c0 429#else
430 { "routingdomain", sUnsupported, SSHCFG_GLOBAL },
431#endif
db49deeb 432 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
d231781a 433 { NULL, sBadOption, 0 }
8efc0c15 434};
435
1760c982 436static struct {
437 int val;
438 char *text;
439} tunmode_desc[] = {
440 { SSH_TUNMODE_NO, "no" },
441 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
442 { SSH_TUNMODE_ETHERNET, "ethernet" },
443 { SSH_TUNMODE_YES, "yes" },
444 { -1, NULL }
445};
446
aa3378df 447/*
6be9a5e8 448 * Returns the number of the token pointed to by cp or sBadOption.
aa3378df 449 */
8efc0c15 450
6ae2364d 451static ServerOpCodes
5260325f 452parse_token(const char *cp, const char *filename,
d231781a 453 int linenum, u_int *flags)
8efc0c15 454{
1e3b8b07 455 u_int i;
8efc0c15 456
5260325f 457 for (i = 0; keywords[i].name; i++)
d231781a 458 if (strcasecmp(cp, keywords[i].name) == 0) {
459 *flags = keywords[i].flags;
5260325f 460 return keywords[i].opcode;
d231781a 461 }
8efc0c15 462
b7c70970 463 error("%s: line %d: Bad configuration option: %s",
464 filename, linenum, cp);
5260325f 465 return sBadOption;
8efc0c15 466}
467
396c147e 468static void
5134115d 469add_listen_addr(ServerOptions *options, char *addr, int port)
48e671d5 470{
2ceb8101 471 u_int i;
48e671d5 472
473 if (options->num_ports == 0)
474 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
31b41ceb 475 if (options->address_family == -1)
476 options->address_family = AF_UNSPEC;
2d2a2c65 477 if (port == 0)
d11c1288 478 for (i = 0; i < options->num_ports; i++)
479 add_one_listen_addr(options, addr, options->ports[i]);
480 else
2d2a2c65 481 add_one_listen_addr(options, addr, port);
d11c1288 482}
483
396c147e 484static void
5134115d 485add_one_listen_addr(ServerOptions *options, char *addr, int port)
d11c1288 486{
487 struct addrinfo hints, *ai, *aitop;
488 char strport[NI_MAXSERV];
489 int gaierr;
490
491 memset(&hints, 0, sizeof(hints));
31b41ceb 492 hints.ai_family = options->address_family;
d11c1288 493 hints.ai_socktype = SOCK_STREAM;
494 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
5134115d 495 snprintf(strport, sizeof strport, "%d", port);
d11c1288 496 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
497 fatal("bad addr or host: %s (%s)",
498 addr ? addr : "<NULL>",
bb4626fe 499 ssh_gai_strerror(gaierr));
d11c1288 500 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
501 ;
502 ai->ai_next = options->listen_addrs;
503 options->listen_addrs = aitop;
48e671d5 504}
505
d231781a 506/*
507 * The strategy for the Match blocks is that the config file is parsed twice.
508 *
509 * The first time is at startup. activep is initialized to 1 and the
510 * directives in the global context are processed and acted on. Hitting a
511 * Match directive unsets activep and the directives inside the block are
512 * checked for syntax only.
513 *
514 * The second time is after a connection has been established but before
515 * authentication. activep is initialized to 2 and global config directives
516 * are ignored since they have already been processed. If the criteria in a
517 * Match block is met, activep is set and the subsequent directives
518 * processed and actioned until EOF or another Match block unsets it. Any
519 * options set are copied into the main server config.
520 *
521 * Potential additions/improvements:
522 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
523 *
524 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
525 * Match Address 192.168.0.*
526 * Tag trusted
527 * Match Group wheel
528 * Tag trusted
529 * Match Tag trusted
530 * AllowTcpForwarding yes
531 * GatewayPorts clientspecified
532 * [...]
533 *
534 * - Add a PermittedChannelRequests directive
535 * Match Group shell
536 * PermittedChannelRequests session,forwarded-tcpip
537 */
538
fa47fe3c 539static int
540match_cfg_line_group(const char *grps, int line, const char *user)
541{
542 int result = 0;
fa47fe3c 543 struct passwd *pw;
544
fa47fe3c 545 if (user == NULL)
546 goto out;
547
548 if ((pw = getpwnam(user)) == NULL) {
549 debug("Can't match group at line %d because user %.100s does "
550 "not exist", line, user);
551 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
552 debug("Can't Match group because user %.100s not in any group "
553 "at line %d", user, line);
cece208b 554 } else if (ga_match_pattern_list(grps) != 1) {
555 debug("user %.100s does not match group list %.100s at line %d",
556 user, grps, line);
fa47fe3c 557 } else {
cece208b 558 debug("user %.100s matched group list %.100s at line %d", user,
559 grps, line);
fa47fe3c 560 result = 1;
561 }
562out:
563 ga_free();
fa47fe3c 564 return result;
565}
566
d231781a 567static int
568match_cfg_line(char **condition, int line, const char *user, const char *host,
569 const char *address)
570{
571 int result = 1;
572 char *arg, *attrib, *cp = *condition;
573 size_t len;
574
575 if (user == NULL)
576 debug3("checking syntax for 'Match %s'", cp);
577 else
578 debug3("checking match for '%s' user %s host %s addr %s", cp,
579 user ? user : "(null)", host ? host : "(null)",
580 address ? address : "(null)");
581
582 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
583 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
584 error("Missing Match criteria for %s", attrib);
585 return -1;
586 }
587 len = strlen(arg);
588 if (strcasecmp(attrib, "user") == 0) {
589 if (!user) {
590 result = 0;
591 continue;
592 }
593 if (match_pattern_list(user, arg, len, 0) != 1)
594 result = 0;
595 else
596 debug("user %.100s matched 'User %.100s' at "
597 "line %d", user, arg, line);
fa47fe3c 598 } else if (strcasecmp(attrib, "group") == 0) {
599 switch (match_cfg_line_group(arg, line, user)) {
600 case -1:
601 return -1;
602 case 0:
603 result = 0;
604 }
d231781a 605 } else if (strcasecmp(attrib, "host") == 0) {
606 if (!host) {
607 result = 0;
608 continue;
609 }
610 if (match_hostname(host, arg, len) != 1)
611 result = 0;
612 else
613 debug("connection from %.100s matched 'Host "
614 "%.100s' at line %d", host, arg, line);
615 } else if (strcasecmp(attrib, "address") == 0) {
15b5fa9b 616 switch (addr_match_list(address, arg)) {
617 case 1:
d231781a 618 debug("connection from %.100s matched 'Address "
619 "%.100s' at line %d", address, arg, line);
15b5fa9b 620 break;
621 case 0:
b3b048d6 622 case -1:
15b5fa9b 623 result = 0;
624 break;
b3b048d6 625 case -2:
15b5fa9b 626 return -1;
627 }
d231781a 628 } else {
629 error("Unsupported Match attribute %s", attrib);
630 return -1;
631 }
632 }
633 if (user != NULL)
634 debug3("match %sfound", result ? "" : "not ");
635 *condition = cp;
636 return result;
637}
638
e7259e8d 639#define WHITESPACE " \t\r\n"
640
2717fa0f 641int
642process_server_config_line(ServerOptions *options, char *line,
d231781a 643 const char *filename, int linenum, int *activep, const char *user,
644 const char *host, const char *address)
8efc0c15 645{
d11c1288 646 char *cp, **charptr, *arg, *p;
d231781a 647 int cmdline = 0, *intptr, value, n;
2a72bc03 648 SyslogFacility *log_facility_ptr;
649 LogLevel *log_level_ptr;
5260325f 650 ServerOpCodes opcode;
5134115d 651 int port;
d231781a 652 u_int i, flags = 0;
d66ce1a1 653 size_t len;
5260325f 654
2717fa0f 655 cp = line;
0f8cd5a6 656 if ((arg = strdelim(&cp)) == NULL)
88299971 657 return 0;
2717fa0f 658 /* Ignore leading whitespace */
659 if (*arg == '\0')
704b1659 660 arg = strdelim(&cp);
2717fa0f 661 if (!arg || !*arg || *arg == '#')
662 return 0;
663 intptr = NULL;
664 charptr = NULL;
d231781a 665 opcode = parse_token(arg, filename, linenum, &flags);
666
667 if (activep == NULL) { /* We are processing a command line directive */
668 cmdline = 1;
669 activep = &cmdline;
670 }
671 if (*activep && opcode != sMatch)
672 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
673 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
674 if (user == NULL) {
675 fatal("%s line %d: Directive '%s' is not allowed "
676 "within a Match block", filename, linenum, arg);
677 } else { /* this is a directive we have already processed */
678 while (arg)
679 arg = strdelim(&cp);
680 return 0;
681 }
682 }
683
2717fa0f 684 switch (opcode) {
685 /* Portable-specific options */
7fceb20d 686 case sUsePAM:
687 intptr = &options->use_pam;
2717fa0f 688 goto parse_flag;
48e671d5 689
2717fa0f 690 /* Standard Options */
691 case sBadOption:
692 return -1;
693 case sPort:
694 /* ignore ports from configfile if cmdline specifies ports */
695 if (options->ports_from_cmdline)
696 return 0;
697 if (options->listen_addrs != NULL)
698 fatal("%s line %d: ports must be specified before "
3a454b6a 699 "ListenAddress.", filename, linenum);
2717fa0f 700 if (options->num_ports >= MAX_PORTS)
701 fatal("%s line %d: too many ports.",
702 filename, linenum);
703 arg = strdelim(&cp);
704 if (!arg || *arg == '\0')
705 fatal("%s line %d: missing port number.",
706 filename, linenum);
707 options->ports[options->num_ports++] = a2port(arg);
5134115d 708 if (options->ports[options->num_ports-1] <= 0)
2717fa0f 709 fatal("%s line %d: Badly formatted port number.",
710 filename, linenum);
711 break;
712
713 case sServerKeyBits:
714 intptr = &options->server_key_bits;
c6dca55e 715 parse_int:
2717fa0f 716 arg = strdelim(&cp);
717 if (!arg || *arg == '\0')
718 fatal("%s line %d: missing integer value.",
719 filename, linenum);
720 value = atoi(arg);
d231781a 721 if (*activep && *intptr == -1)
2717fa0f 722 *intptr = value;
723 break;
724
725 case sLoginGraceTime:
726 intptr = &options->login_grace_time;
c6dca55e 727 parse_time:
2717fa0f 728 arg = strdelim(&cp);
729 if (!arg || *arg == '\0')
730 fatal("%s line %d: missing time value.",
731 filename, linenum);
732 if ((value = convtime(arg)) == -1)
733 fatal("%s line %d: invalid time value.",
734 filename, linenum);
735 if (*intptr == -1)
736 *intptr = value;
737 break;
738
739 case sKeyRegenerationTime:
740 intptr = &options->key_regeneration_time;
741 goto parse_time;
742
743 case sListenAddress:
744 arg = strdelim(&cp);
3867aa0a 745 if (arg == NULL || *arg == '\0')
746 fatal("%s line %d: missing address",
2717fa0f 747 filename, linenum);
91135a0e 748 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
749 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
750 && strchr(p+1, ':') != NULL) {
751 add_listen_addr(options, arg, 0);
752 break;
753 }
3867aa0a 754 p = hpdelim(&arg);
755 if (p == NULL)
756 fatal("%s line %d: bad address:port usage",
2717fa0f 757 filename, linenum);
3867aa0a 758 p = cleanhostname(p);
759 if (arg == NULL)
760 port = 0;
5134115d 761 else if ((port = a2port(arg)) <= 0)
3867aa0a 762 fatal("%s line %d: bad port number", filename, linenum);
763
764 add_listen_addr(options, p, port);
765
2717fa0f 766 break;
767
31b41ceb 768 case sAddressFamily:
769 arg = strdelim(&cp);
38634ff6 770 if (!arg || *arg == '\0')
771 fatal("%s line %d: missing address family.",
772 filename, linenum);
31b41ceb 773 intptr = &options->address_family;
774 if (options->listen_addrs != NULL)
775 fatal("%s line %d: address family must be specified before "
776 "ListenAddress.", filename, linenum);
777 if (strcasecmp(arg, "inet") == 0)
778 value = AF_INET;
779 else if (strcasecmp(arg, "inet6") == 0)
780 value = AF_INET6;
781 else if (strcasecmp(arg, "any") == 0)
782 value = AF_UNSPEC;
783 else
784 fatal("%s line %d: unsupported address family \"%s\".",
785 filename, linenum, arg);
786 if (*intptr == -1)
787 *intptr = value;
788 break;
789
2717fa0f 790 case sHostKeyFile:
791 intptr = &options->num_host_key_files;
792 if (*intptr >= MAX_HOSTKEYS)
793 fatal("%s line %d: too many host keys specified (max %d).",
794 filename, linenum, MAX_HOSTKEYS);
795 charptr = &options->host_key_files[*intptr];
c6dca55e 796 parse_filename:
2717fa0f 797 arg = strdelim(&cp);
798 if (!arg || *arg == '\0')
799 fatal("%s line %d: missing file name.",
800 filename, linenum);
d231781a 801 if (*activep && *charptr == NULL) {
2717fa0f 802 *charptr = tilde_expand_filename(arg, getuid());
803 /* increase optional counter */
804 if (intptr != NULL)
805 *intptr = *intptr + 1;
806 }
807 break;
0fbe8c74 808
2717fa0f 809 case sPidFile:
810 charptr = &options->pid_file;
811 goto parse_filename;
5260325f 812
2717fa0f 813 case sPermitRootLogin:
814 intptr = &options->permit_root_login;
815 arg = strdelim(&cp);
816 if (!arg || *arg == '\0')
817 fatal("%s line %d: missing yes/"
818 "without-password/forced-commands-only/no "
819 "argument.", filename, linenum);
820 value = 0; /* silence compiler */
821 if (strcmp(arg, "without-password") == 0)
822 value = PERMIT_NO_PASSWD;
823 else if (strcmp(arg, "forced-commands-only") == 0)
824 value = PERMIT_FORCED_ONLY;
825 else if (strcmp(arg, "yes") == 0)
826 value = PERMIT_YES;
827 else if (strcmp(arg, "no") == 0)
828 value = PERMIT_NO;
829 else
830 fatal("%s line %d: Bad yes/"
831 "without-password/forced-commands-only/no "
832 "argument: %s", filename, linenum, arg);
2ef741a3 833 if (*activep && *intptr == -1)
2717fa0f 834 *intptr = value;
835 break;
836
837 case sIgnoreRhosts:
838 intptr = &options->ignore_rhosts;
c6dca55e 839 parse_flag:
2717fa0f 840 arg = strdelim(&cp);
841 if (!arg || *arg == '\0')
842 fatal("%s line %d: missing yes/no argument.",
843 filename, linenum);
844 value = 0; /* silence compiler */
845 if (strcmp(arg, "yes") == 0)
846 value = 1;
847 else if (strcmp(arg, "no") == 0)
848 value = 0;
849 else
850 fatal("%s line %d: Bad yes/no argument: %s",
851 filename, linenum, arg);
d231781a 852 if (*activep && *intptr == -1)
2717fa0f 853 *intptr = value;
854 break;
855
856 case sIgnoreUserKnownHosts:
857 intptr = &options->ignore_user_known_hosts;
858 goto parse_flag;
859
2717fa0f 860 case sRhostsRSAAuthentication:
861 intptr = &options->rhosts_rsa_authentication;
862 goto parse_flag;
863
864 case sHostbasedAuthentication:
865 intptr = &options->hostbased_authentication;
866 goto parse_flag;
867
868 case sHostbasedUsesNameFromPacketOnly:
869 intptr = &options->hostbased_uses_name_from_packet_only;
870 goto parse_flag;
871
872 case sRSAAuthentication:
873 intptr = &options->rsa_authentication;
874 goto parse_flag;
875
876 case sPubkeyAuthentication:
877 intptr = &options->pubkey_authentication;
878 goto parse_flag;
d0ec7f42 879
2717fa0f 880 case sKerberosAuthentication:
881 intptr = &options->kerberos_authentication;
882 goto parse_flag;
5260325f 883
2717fa0f 884 case sKerberosOrLocalPasswd:
885 intptr = &options->kerberos_or_local_passwd;
886 goto parse_flag;
5260325f 887
2717fa0f 888 case sKerberosTicketCleanup:
889 intptr = &options->kerberos_ticket_cleanup;
890 goto parse_flag;
d0ec7f42 891
a1e30b47 892 case sKerberosGetAFSToken:
893 intptr = &options->kerberos_get_afs_token;
894 goto parse_flag;
895
7364bd04 896 case sGssAuthentication:
897 intptr = &options->gss_authentication;
898 goto parse_flag;
899
900 case sGssCleanupCreds:
901 intptr = &options->gss_cleanup_creds;
902 goto parse_flag;
903
2717fa0f 904 case sPasswordAuthentication:
905 intptr = &options->password_authentication;
906 goto parse_flag;
5260325f 907
5adf6b9a 908 case sZeroKnowledgePasswordAuthentication:
909 intptr = &options->zero_knowledge_password_authentication;
910 goto parse_flag;
911
2717fa0f 912 case sKbdInteractiveAuthentication:
913 intptr = &options->kbd_interactive_authentication;
914 goto parse_flag;
8002af61 915
2717fa0f 916 case sChallengeResponseAuthentication:
917 intptr = &options->challenge_response_authentication;
918 goto parse_flag;
8002af61 919
2717fa0f 920 case sPrintMotd:
921 intptr = &options->print_motd;
922 goto parse_flag;
5260325f 923
2717fa0f 924 case sPrintLastLog:
925 intptr = &options->print_lastlog;
926 goto parse_flag;
5260325f 927
2717fa0f 928 case sX11Forwarding:
929 intptr = &options->x11_forwarding;
930 goto parse_flag;
5260325f 931
2717fa0f 932 case sX11DisplayOffset:
933 intptr = &options->x11_display_offset;
934 goto parse_int;
8efc0c15 935
e6e573bd 936 case sX11UseLocalhost:
937 intptr = &options->x11_use_localhost;
938 goto parse_flag;
939
2717fa0f 940 case sXAuthLocation:
941 charptr = &options->xauth_location;
942 goto parse_filename;
5260325f 943
2717fa0f 944 case sStrictModes:
945 intptr = &options->strict_modes;
946 goto parse_flag;
5260325f 947
fd573618 948 case sTCPKeepAlive:
949 intptr = &options->tcp_keep_alive;
2717fa0f 950 goto parse_flag;
33de75a3 951
2717fa0f 952 case sEmptyPasswd:
953 intptr = &options->permit_empty_passwd;
954 goto parse_flag;
5260325f 955
f00bab84 956 case sPermitUserEnvironment:
957 intptr = &options->permit_user_env;
958 goto parse_flag;
959
2717fa0f 960 case sUseLogin:
961 intptr = &options->use_login;
962 goto parse_flag;
5260325f 963
636f76ca 964 case sCompression:
965 intptr = &options->compression;
07200973 966 arg = strdelim(&cp);
967 if (!arg || *arg == '\0')
968 fatal("%s line %d: missing yes/no/delayed "
969 "argument.", filename, linenum);
970 value = 0; /* silence compiler */
971 if (strcmp(arg, "delayed") == 0)
972 value = COMP_DELAYED;
973 else if (strcmp(arg, "yes") == 0)
974 value = COMP_ZLIB;
975 else if (strcmp(arg, "no") == 0)
976 value = COMP_NONE;
977 else
978 fatal("%s line %d: Bad yes/no/delayed "
979 "argument: %s", filename, linenum, arg);
980 if (*intptr == -1)
981 *intptr = value;
982 break;
636f76ca 983
2717fa0f 984 case sGatewayPorts:
985 intptr = &options->gateway_ports;
3867aa0a 986 arg = strdelim(&cp);
987 if (!arg || *arg == '\0')
988 fatal("%s line %d: missing yes/no/clientspecified "
989 "argument.", filename, linenum);
990 value = 0; /* silence compiler */
991 if (strcmp(arg, "clientspecified") == 0)
992 value = 2;
993 else if (strcmp(arg, "yes") == 0)
994 value = 1;
995 else if (strcmp(arg, "no") == 0)
996 value = 0;
997 else
998 fatal("%s line %d: Bad yes/no/clientspecified "
999 "argument: %s", filename, linenum, arg);
f3e3d6ce 1000 if (*activep && *intptr == -1)
3867aa0a 1001 *intptr = value;
1002 break;
5260325f 1003
c5a7d788 1004 case sUseDNS:
1005 intptr = &options->use_dns;
2717fa0f 1006 goto parse_flag;
5260325f 1007
2717fa0f 1008 case sLogFacility:
2a72bc03 1009 log_facility_ptr = &options->log_facility;
2717fa0f 1010 arg = strdelim(&cp);
1011 value = log_facility_number(arg);
5eaf8578 1012 if (value == SYSLOG_FACILITY_NOT_SET)
2717fa0f 1013 fatal("%.200s line %d: unsupported log facility '%s'",
1014 filename, linenum, arg ? arg : "<NONE>");
2a72bc03 1015 if (*log_facility_ptr == -1)
1016 *log_facility_ptr = (SyslogFacility) value;
2717fa0f 1017 break;
1018
1019 case sLogLevel:
2a72bc03 1020 log_level_ptr = &options->log_level;
2717fa0f 1021 arg = strdelim(&cp);
1022 value = log_level_number(arg);
5eaf8578 1023 if (value == SYSLOG_LEVEL_NOT_SET)
2717fa0f 1024 fatal("%.200s line %d: unsupported log level '%s'",
1025 filename, linenum, arg ? arg : "<NONE>");
2a72bc03 1026 if (*log_level_ptr == -1)
1027 *log_level_ptr = (LogLevel) value;
2717fa0f 1028 break;
1029
1030 case sAllowTcpForwarding:
1031 intptr = &options->allow_tcp_forwarding;
1032 goto parse_flag;
1033
43c3f85c 1034 case sAllowAgentForwarding:
1035 intptr = &options->allow_agent_forwarding;
1036 goto parse_flag;
1037
1853d1ef 1038 case sUsePrivilegeSeparation:
1039 intptr = &use_privsep;
1040 goto parse_flag;
1041
2717fa0f 1042 case sAllowUsers:
1043 while ((arg = strdelim(&cp)) && *arg != '\0') {
1044 if (options->num_allow_users >= MAX_ALLOW_USERS)
1045 fatal("%s line %d: too many allow users.",
1046 filename, linenum);
7528d467 1047 options->allow_users[options->num_allow_users++] =
1048 xstrdup(arg);
2717fa0f 1049 }
1050 break;
a8be9f80 1051
2717fa0f 1052 case sDenyUsers:
1053 while ((arg = strdelim(&cp)) && *arg != '\0') {
1054 if (options->num_deny_users >= MAX_DENY_USERS)
d4f40d92 1055 fatal("%s line %d: too many deny users.",
2717fa0f 1056 filename, linenum);
7528d467 1057 options->deny_users[options->num_deny_users++] =
1058 xstrdup(arg);
2717fa0f 1059 }
1060 break;
b2552997 1061
2717fa0f 1062 case sAllowGroups:
1063 while ((arg = strdelim(&cp)) && *arg != '\0') {
1064 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1065 fatal("%s line %d: too many allow groups.",
1066 filename, linenum);
7528d467 1067 options->allow_groups[options->num_allow_groups++] =
1068 xstrdup(arg);
2717fa0f 1069 }
1070 break;
a8be9f80 1071
2717fa0f 1072 case sDenyGroups:
1073 while ((arg = strdelim(&cp)) && *arg != '\0') {
1074 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1075 fatal("%s line %d: too many deny groups.",
1076 filename, linenum);
1077 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1078 }
1079 break;
38c295d6 1080
2717fa0f 1081 case sCiphers:
1082 arg = strdelim(&cp);
1083 if (!arg || *arg == '\0')
1084 fatal("%s line %d: Missing argument.", filename, linenum);
1085 if (!ciphers_valid(arg))
1086 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1087 filename, linenum, arg ? arg : "<NONE>");
1088 if (options->ciphers == NULL)
1089 options->ciphers = xstrdup(arg);
1090 break;
1091
1092 case sMacs:
1093 arg = strdelim(&cp);
1094 if (!arg || *arg == '\0')
1095 fatal("%s line %d: Missing argument.", filename, linenum);
1096 if (!mac_valid(arg))
1097 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1098 filename, linenum, arg ? arg : "<NONE>");
1099 if (options->macs == NULL)
1100 options->macs = xstrdup(arg);
1101 break;
1102
1103 case sProtocol:
1104 intptr = &options->protocol;
1105 arg = strdelim(&cp);
1106 if (!arg || *arg == '\0')
1107 fatal("%s line %d: Missing argument.", filename, linenum);
1108 value = proto_spec(arg);
1109 if (value == SSH_PROTO_UNKNOWN)
1110 fatal("%s line %d: Bad protocol spec '%s'.",
184eed6a 1111 filename, linenum, arg ? arg : "<NONE>");
2717fa0f 1112 if (*intptr == SSH_PROTO_UNKNOWN)
1113 *intptr = value;
1114 break;
1115
1116 case sSubsystem:
1117 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1118 fatal("%s line %d: too many subsystems defined.",
184eed6a 1119 filename, linenum);
2717fa0f 1120 }
1121 arg = strdelim(&cp);
1122 if (!arg || *arg == '\0')
1123 fatal("%s line %d: Missing subsystem name.",
184eed6a 1124 filename, linenum);
d231781a 1125 if (!*activep) {
1126 arg = strdelim(&cp);
1127 break;
1128 }
2717fa0f 1129 for (i = 0; i < options->num_subsystems; i++)
1130 if (strcmp(arg, options->subsystem_name[i]) == 0)
1131 fatal("%s line %d: Subsystem '%s' already defined.",
184eed6a 1132 filename, linenum, arg);
2717fa0f 1133 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1134 arg = strdelim(&cp);
1135 if (!arg || *arg == '\0')
1136 fatal("%s line %d: Missing subsystem command.",
184eed6a 1137 filename, linenum);
2717fa0f 1138 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
d66ce1a1 1139
1140 /* Collect arguments (separate to executable) */
1141 p = xstrdup(arg);
1142 len = strlen(p) + 1;
1143 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1144 len += 1 + strlen(arg);
1145 p = xrealloc(p, 1, len);
1146 strlcat(p, " ", len);
1147 strlcat(p, arg, len);
1148 }
1149 options->subsystem_args[options->num_subsystems] = p;
2717fa0f 1150 options->num_subsystems++;
1151 break;
1152
1153 case sMaxStartups:
1154 arg = strdelim(&cp);
1155 if (!arg || *arg == '\0')
1156 fatal("%s line %d: Missing MaxStartups spec.",
184eed6a 1157 filename, linenum);
2717fa0f 1158 if ((n = sscanf(arg, "%d:%d:%d",
1159 &options->max_startups_begin,
1160 &options->max_startups_rate,
1161 &options->max_startups)) == 3) {
1162 if (options->max_startups_begin >
1163 options->max_startups ||
1164 options->max_startups_rate > 100 ||
1165 options->max_startups_rate < 1)
c345cf9d 1166 fatal("%s line %d: Illegal MaxStartups spec.",
97de229c 1167 filename, linenum);
2717fa0f 1168 } else if (n != 1)
1169 fatal("%s line %d: Illegal MaxStartups spec.",
1170 filename, linenum);
1171 else
1172 options->max_startups = options->max_startups_begin;
1173 break;
1174
af4bd935 1175 case sMaxAuthTries:
1176 intptr = &options->max_authtries;
1177 goto parse_int;
1178
c6dca55e 1179 case sMaxSessions:
1180 intptr = &options->max_sessions;
1181 goto parse_int;
1182
2717fa0f 1183 case sBanner:
1184 charptr = &options->banner;
1185 goto parse_filename;
db49deeb 1186
2717fa0f 1187 /*
1188 * These options can contain %X options expanded at
1189 * connect time, so that you can specify paths like:
1190 *
1191 * AuthorizedKeysFile /etc/ssh_keys/%u
1192 */
1193 case sAuthorizedKeysFile:
1194 case sAuthorizedKeysFile2:
d4f40d92 1195 charptr = (opcode == sAuthorizedKeysFile) ?
2717fa0f 1196 &options->authorized_keys_file :
1197 &options->authorized_keys_file2;
1198 goto parse_filename;
1199
1200 case sClientAliveInterval:
1201 intptr = &options->client_alive_interval;
1202 goto parse_time;
1203
1204 case sClientAliveCountMax:
1205 intptr = &options->client_alive_count_max;
1206 goto parse_int;
1207
61a2c1da 1208 case sAcceptEnv:
1209 while ((arg = strdelim(&cp)) && *arg != '\0') {
1210 if (strchr(arg, '=') != NULL)
1211 fatal("%s line %d: Invalid environment name.",
1212 filename, linenum);
1213 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1214 fatal("%s line %d: too many allow env.",
1215 filename, linenum);
d231781a 1216 if (!*activep)
1217 break;
61a2c1da 1218 options->accept_env[options->num_accept_env++] =
1219 xstrdup(arg);
1220 }
1221 break;
1222
d20f3c9e 1223 case sPermitTunnel:
1224 intptr = &options->permit_tun;
a4f24bf8 1225 arg = strdelim(&cp);
1226 if (!arg || *arg == '\0')
1227 fatal("%s line %d: Missing yes/point-to-point/"
1228 "ethernet/no argument.", filename, linenum);
1760c982 1229 value = -1;
1230 for (i = 0; tunmode_desc[i].val != -1; i++)
1231 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1232 value = tunmode_desc[i].val;
1233 break;
1234 }
1235 if (value == -1)
a4f24bf8 1236 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1237 "no argument: %s", filename, linenum, arg);
1238 if (*intptr == -1)
1239 *intptr = value;
1240 break;
d20f3c9e 1241
d231781a 1242 case sMatch:
1243 if (cmdline)
1244 fatal("Match directive not supported as a command-line "
1245 "option");
1246 value = match_cfg_line(&cp, linenum, user, host, address);
1247 if (value < 0)
1248 fatal("%s line %d: Bad Match condition", filename,
1249 linenum);
1250 *activep = value;
1251 break;
1252
2fefbadf 1253 case sPermitOpen:
1254 arg = strdelim(&cp);
1255 if (!arg || *arg == '\0')
1256 fatal("%s line %d: missing PermitOpen specification",
1257 filename, linenum);
38757197 1258 n = options->num_permitted_opens; /* modified later */
2fefbadf 1259 if (strcmp(arg, "any") == 0) {
38757197 1260 if (*activep && n == -1) {
2fefbadf 1261 channel_clear_adm_permitted_opens();
ea46e550 1262 options->num_permitted_opens = 0;
1263 }
2fefbadf 1264 break;
1265 }
75b6d52c 1266 if (*activep && n == -1)
1267 channel_clear_adm_permitted_opens();
ea46e550 1268 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1269 p = hpdelim(&arg);
1270 if (p == NULL)
1271 fatal("%s line %d: missing host in PermitOpen",
1272 filename, linenum);
1273 p = cleanhostname(p);
5134115d 1274 if (arg == NULL || (port = a2port(arg)) <= 0)
ea46e550 1275 fatal("%s line %d: bad port number in "
1276 "PermitOpen", filename, linenum);
75b6d52c 1277 if (*activep && n == -1)
ea46e550 1278 options->num_permitted_opens =
1279 channel_add_adm_permitted_opens(p, port);
ea46e550 1280 }
2fefbadf 1281 break;
1282
e7259e8d 1283 case sForceCommand:
1284 if (cp == NULL)
1285 fatal("%.200s line %d: Missing argument.", filename,
1286 linenum);
1287 len = strspn(cp, WHITESPACE);
1288 if (*activep && options->adm_forced_command == NULL)
1289 options->adm_forced_command = xstrdup(cp + len);
1290 return 0;
1291
db49deeb 1292 case sChrootDirectory:
1293 charptr = &options->chroot_directory;
c5bf32e6 1294
1295 arg = strdelim(&cp);
1296 if (!arg || *arg == '\0')
1297 fatal("%s line %d: missing file name.",
1298 filename, linenum);
1299 if (*activep && *charptr == NULL)
1300 *charptr = xstrdup(arg);
1301 break;
db49deeb 1302
85fee9c0 1303#ifdef USE_ROUTINGDOMAIN
fe7dba42 1304 case sRDomain:
1305 intptr = &options->rdomain;
9e622dcd 1306 arg = strdelim(&cp);
1307 if (!arg || *arg == '\0')
1308 fatal("%s line %d: missing rdomain value.",
1309 filename, linenum);
1310 if ((value = a2rdomain(arg)) == -1)
1311 fatal("%s line %d: invalid rdomain value.",
1312 filename, linenum);
1313 if (*intptr == -1)
1314 *intptr = value;
1315 break;
85fee9c0 1316#endif
fe7dba42 1317
2717fa0f 1318 case sDeprecated:
bbe88b6d 1319 logit("%s line %d: Deprecated option %s",
2717fa0f 1320 filename, linenum, arg);
1321 while (arg)
1322 arg = strdelim(&cp);
1323 break;
1324
a2144546 1325 case sUnsupported:
1326 logit("%s line %d: Unsupported option %s",
1327 filename, linenum, arg);
1328 while (arg)
1329 arg = strdelim(&cp);
1330 break;
1331
2717fa0f 1332 default:
1333 fatal("%s line %d: Missing handler for opcode %s (%d)",
1334 filename, linenum, arg, opcode);
1335 }
1336 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1337 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1338 filename, linenum, arg);
1339 return 0;
1340}
089fbbd2 1341
2717fa0f 1342/* Reads the server configuration file. */
5c53a31e 1343
2717fa0f 1344void
b9a549d7 1345load_server_config(const char *filename, Buffer *conf)
2717fa0f 1346{
b9a549d7 1347 char line[1024], *cp;
7528d467 1348 FILE *f;
2717fa0f 1349
b9a549d7 1350 debug2("%s: filename %s", __func__, filename);
1351 if ((f = fopen(filename, "r")) == NULL) {
2717fa0f 1352 perror(filename);
1353 exit(1);
1354 }
b9a549d7 1355 buffer_clear(conf);
2717fa0f 1356 while (fgets(line, sizeof(line), f)) {
b9a549d7 1357 /*
1358 * Trim out comments and strip whitespace
f2107e97 1359 * NB - preserve newlines, they are needed to reproduce
b9a549d7 1360 * line numbers later for error messages
1361 */
1362 if ((cp = strchr(line, '#')) != NULL)
1363 memcpy(cp, "\n", 2);
1364 cp = line + strspn(line, " \t\r");
1365
1366 buffer_append(conf, cp, strlen(cp));
8efc0c15 1367 }
b9a549d7 1368 buffer_append(conf, "\0", 1);
5260325f 1369 fclose(f);
b9a549d7 1370 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1371}
1372
1373void
d231781a 1374parse_server_match_config(ServerOptions *options, const char *user,
1375 const char *host, const char *address)
1376{
1377 ServerOptions mo;
1378
1379 initialize_server_options(&mo);
1380 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
03bcbf84 1381 copy_set_server_options(options, &mo, 0);
d231781a 1382}
1383
03bcbf84 1384/* Helper macros */
1385#define M_CP_INTOPT(n) do {\
1386 if (src->n != -1) \
1387 dst->n = src->n; \
1388} while (0)
1389#define M_CP_STROPT(n) do {\
1390 if (src->n != NULL) { \
1391 if (dst->n != NULL) \
1392 xfree(dst->n); \
1393 dst->n = src->n; \
1394 } \
1395} while(0)
1396
1397/*
1398 * Copy any supported values that are set.
1399 *
3e576dfe 1400 * If the preauth flag is set, we do not bother copying the string or
03bcbf84 1401 * array values that are not used pre-authentication, because any that we
1402 * do use must be explictly sent in mm_getpwnamallow().
1403 */
d231781a 1404void
03bcbf84 1405copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
d231781a 1406{
03bcbf84 1407 M_CP_INTOPT(password_authentication);
1408 M_CP_INTOPT(gss_authentication);
1409 M_CP_INTOPT(rsa_authentication);
1410 M_CP_INTOPT(pubkey_authentication);
1411 M_CP_INTOPT(kerberos_authentication);
1412 M_CP_INTOPT(hostbased_authentication);
1413 M_CP_INTOPT(kbd_interactive_authentication);
5adf6b9a 1414 M_CP_INTOPT(zero_knowledge_password_authentication);
2ef741a3 1415 M_CP_INTOPT(permit_root_login);
e68868a1 1416 M_CP_INTOPT(permit_empty_passwd);
03bcbf84 1417
1418 M_CP_INTOPT(allow_tcp_forwarding);
43c3f85c 1419 M_CP_INTOPT(allow_agent_forwarding);
03bcbf84 1420 M_CP_INTOPT(gateway_ports);
1421 M_CP_INTOPT(x11_display_offset);
1422 M_CP_INTOPT(x11_forwarding);
1423 M_CP_INTOPT(x11_use_localhost);
c6dca55e 1424 M_CP_INTOPT(max_sessions);
8086aeb2 1425 M_CP_INTOPT(max_authtries);
03bcbf84 1426
1427 M_CP_STROPT(banner);
1428 if (preauth)
1429 return;
1430 M_CP_STROPT(adm_forced_command);
db49deeb 1431 M_CP_STROPT(chroot_directory);
d231781a 1432}
1433
03bcbf84 1434#undef M_CP_INTOPT
1435#undef M_CP_STROPT
1436
d231781a 1437void
1438parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1439 const char *user, const char *host, const char *address)
b9a549d7 1440{
d231781a 1441 int active, linenum, bad_options = 0;
16acb158 1442 char *cp, *obuf, *cbuf;
b9a549d7 1443
1444 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1445
16acb158 1446 obuf = cbuf = xstrdup(buffer_ptr(conf));
d231781a 1447 active = user ? 0 : 1;
861cc543 1448 linenum = 1;
f8cc7664 1449 while ((cp = strsep(&cbuf, "\n")) != NULL) {
b9a549d7 1450 if (process_server_config_line(options, cp, filename,
d231781a 1451 linenum++, &active, user, host, address) != 0)
b9a549d7 1452 bad_options++;
1453 }
16acb158 1454 xfree(obuf);
b7c70970 1455 if (bad_options > 0)
1456 fatal("%s: terminating, %d bad configuration options",
1457 filename, bad_options);
8efc0c15 1458}
1760c982 1459
1460static const char *
1461fmt_intarg(ServerOpCodes code, int val)
1462{
1463 if (code == sAddressFamily) {
1464 switch (val) {
1465 case AF_INET:
1466 return "inet";
1467 case AF_INET6:
1468 return "inet6";
1469 case AF_UNSPEC:
1470 return "any";
1471 default:
1472 return "UNKNOWN";
1473 }
1474 }
1475 if (code == sPermitRootLogin) {
1476 switch (val) {
1477 case PERMIT_NO_PASSWD:
0bd3332c 1478 return "without-password";
1760c982 1479 case PERMIT_FORCED_ONLY:
1480 return "forced-commands-only";
1481 case PERMIT_YES:
1482 return "yes";
1483 }
1484 }
1485 if (code == sProtocol) {
1486 switch (val) {
1487 case SSH_PROTO_1:
1488 return "1";
1489 case SSH_PROTO_2:
1490 return "2";
1491 case (SSH_PROTO_1|SSH_PROTO_2):
1492 return "2,1";
1493 default:
1494 return "UNKNOWN";
1495 }
1496 }
1497 if (code == sGatewayPorts && val == 2)
1498 return "clientspecified";
1499 if (code == sCompression && val == COMP_DELAYED)
1500 return "delayed";
1501 switch (val) {
1502 case -1:
1503 return "unset";
1504 case 0:
1505 return "no";
1506 case 1:
1507 return "yes";
1508 }
1509 return "UNKNOWN";
1510}
1511
1512static const char *
1513lookup_opcode_name(ServerOpCodes code)
1514{
1515 u_int i;
1516
1517 for (i = 0; keywords[i].name != NULL; i++)
1518 if (keywords[i].opcode == code)
1519 return(keywords[i].name);
1520 return "UNKNOWN";
1521}
1522
1523static void
1524dump_cfg_int(ServerOpCodes code, int val)
1525{
1526 printf("%s %d\n", lookup_opcode_name(code), val);
1527}
1528
1529static void
1530dump_cfg_fmtint(ServerOpCodes code, int val)
1531{
1532 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1533}
1534
1535static void
1536dump_cfg_string(ServerOpCodes code, const char *val)
1537{
1538 if (val == NULL)
1539 return;
1540 printf("%s %s\n", lookup_opcode_name(code), val);
1541}
1542
1543static void
1544dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1545{
1546 u_int i;
1547
1548 for (i = 0; i < count; i++)
1549 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1550}
1551
1552void
1553dump_config(ServerOptions *o)
1554{
1555 u_int i;
1556 int ret;
1557 struct addrinfo *ai;
1558 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1559
1560 /* these are usually at the top of the config */
1561 for (i = 0; i < o->num_ports; i++)
1562 printf("port %d\n", o->ports[i]);
1563 dump_cfg_fmtint(sProtocol, o->protocol);
1564 dump_cfg_fmtint(sAddressFamily, o->address_family);
1565
1566 /* ListenAddress must be after Port */
1567 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1568 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1569 sizeof(addr), port, sizeof(port),
1570 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1571 error("getnameinfo failed: %.100s",
1572 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1573 strerror(errno));
1574 } else {
1575 if (ai->ai_family == AF_INET6)
1576 printf("listenaddress [%s]:%s\n", addr, port);
1577 else
1578 printf("listenaddress %s:%s\n", addr, port);
1579 }
1580 }
1581
1582 /* integer arguments */
cee47c9f 1583#ifdef USE_PAM
1584 dump_cfg_int(sUsePAM, o->use_pam);
1585#endif
1760c982 1586 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1587 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1588 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1589 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1590 dump_cfg_int(sMaxAuthTries, o->max_authtries);
39aa8698 1591 dump_cfg_int(sMaxSessions, o->max_sessions);
1760c982 1592 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1593 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
fe7dba42 1594 dump_cfg_int(sRDomain, o->rdomain);
1760c982 1595
1596 /* formatted integer arguments */
1597 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1598 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1599 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1600 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1601 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1602 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1603 o->hostbased_uses_name_from_packet_only);
1604 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1605 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
e888d981 1606#ifdef KRB5
1760c982 1607 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1608 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1609 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
e888d981 1610# ifdef USE_AFS
1760c982 1611 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
e888d981 1612# endif
1613#endif
1614#ifdef GSSAPI
1760c982 1615 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1616 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
5adf6b9a 1617#endif
1618#ifdef JPAKE
1619 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1620 o->zero_knowledge_password_authentication);
e888d981 1621#endif
1760c982 1622 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1623 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1624 o->kbd_interactive_authentication);
1625 dump_cfg_fmtint(sChallengeResponseAuthentication,
1626 o->challenge_response_authentication);
1627 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1628 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1629 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1630 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1631 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1632 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1633 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1634 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1635 dump_cfg_fmtint(sUseLogin, o->use_login);
1636 dump_cfg_fmtint(sCompression, o->compression);
1637 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1638 dump_cfg_fmtint(sUseDNS, o->use_dns);
1639 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1640 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1641
1642 /* string arguments */
1643 dump_cfg_string(sPidFile, o->pid_file);
1644 dump_cfg_string(sXAuthLocation, o->xauth_location);
1645 dump_cfg_string(sCiphers, o->ciphers);
1646 dump_cfg_string(sMacs, o->macs);
1647 dump_cfg_string(sBanner, o->banner);
1648 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1649 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1650 dump_cfg_string(sForceCommand, o->adm_forced_command);
1651
1652 /* string arguments requiring a lookup */
1653 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1654 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1655
1656 /* string array arguments */
1657 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1658 o->host_key_files);
1659 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1660 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1661 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1662 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1663 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1664
1665 /* other arguments */
1666 for (i = 0; i < o->num_subsystems; i++)
1667 printf("subsystem %s %s\n", o->subsystem_name[i],
1668 o->subsystem_args[i]);
1669
1670 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1671 o->max_startups_rate, o->max_startups);
1672
1673 for (i = 0; tunmode_desc[i].val != -1; i++)
1674 if (tunmode_desc[i].val == o->permit_tun) {
1675 s = tunmode_desc[i].text;
1676 break;
1677 }
1678 dump_cfg_string(sPermitTunnel, s);
1679
1760c982 1680 channel_print_adm_permitted_opens();
1760c982 1681}
git-cvsimport mirror of OpenSSH
This page took 0.810472 seconds and 5 git commands to generate.