04b061c4 1/* $OpenBSD: servconf.c,v 1.201 2010/01/10 03:51:17 dtucker Exp $ */
8efc0c15 2/*
5260325f 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
6ae2364d 5 *
bcbf86ec 6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
5260325f 11 */
8efc0c15 12
13#include "includes.h"
8efc0c15 14
5b04a8bf 15#include <sys/types.h>
16#include <sys/socket.h>
17
28cb0a43 18#include <netdb.h>
fa47fe3c 19#include <pwd.h>
cf851879 20#include <stdio.h>
ffa517a8 21#include <stdlib.h>
00146caa 22#include <string.h>
31652869 23#include <signal.h>
5188ba17 24#include <unistd.h>
31652869 25#include <stdarg.h>
1760c982 26#include <errno.h>
c8dfff33 27
3593bdc0 28#include "openbsd-compat/sys-queue.h"
31652869 29#include "xmalloc.h"
8efc0c15 30#include "ssh.h"
42f11eb2 31#include "log.h"
31652869 32#include "buffer.h"
8efc0c15 33#include "servconf.h"
a8be9f80 34#include "compat.h"
42f11eb2 35#include "pathnames.h"
42f11eb2 36#include "misc.h"
37#include "cipher.h"
31652869 38#include "key.h"
b2552997 39#include "kex.h"
40#include "mac.h"
d231781a 41#include "match.h"
2fefbadf 42#include "channels.h"
fa47fe3c 43#include "groupaccess.h"
42f11eb2 44
/*
 * Forward declarations.  add_listen_addr() expands one ListenAddress
 * (NULL = wildcard) into a getaddrinfo() list per configured port;
 * add_one_listen_addr() handles a single address/port pair.
 */
static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);

/* Use of privilege separation or not; -1 means "nothing configured it yet" */
extern int use_privsep;
/* Configuration text kept for the second, per-connection Match pass (defined elsewhere) */
extern Buffer cfg;
42f11eb2 51
/*
 * Reset every server option to its "not yet set" sentinel.
 *
 * Integer options use -1 (PERMIT_NOT_SET, SYSLOG_*_NOT_SET and
 * SSH_PROTO_UNKNOWN for the enumerated ones), pointers NULL and counters 0.
 * The sentinels matter: the config parser only stores into a slot that still
 * holds its sentinel, so the first occurrence of a directive wins, and
 * fill_default_server_options() later fills whatever is still unset.
 */
void
initialize_server_options(ServerOptions *options)
{
	ServerOptions *o = options;

	memset(o, 0, sizeof(*o));

	/* Portable-specific options */
	o->use_pam = -1;

	/* Listeners, protocol and host keys */
	o->num_ports = 0;
	o->ports_from_cmdline = 0;
	o->listen_addrs = NULL;
	o->address_family = -1;
	o->protocol = SSH_PROTO_UNKNOWN;
	o->num_host_key_files = 0;
	o->server_key_bits = -1;
	o->key_regeneration_time = -1;
	o->ciphers = NULL;
	o->macs = NULL;
	o->compression = -1;
	o->pid_file = NULL;

	/* Logging */
	o->log_facility = SYSLOG_FACILITY_NOT_SET;
	o->log_level = SYSLOG_LEVEL_NOT_SET;

	/* Authentication methods and policy */
	o->login_grace_time = -1;
	o->permit_root_login = PERMIT_NOT_SET;
	o->ignore_rhosts = -1;
	o->ignore_user_known_hosts = -1;
	o->strict_modes = -1;
	o->rhosts_rsa_authentication = -1;
	o->hostbased_authentication = -1;
	o->hostbased_uses_name_from_packet_only = -1;
	o->rsa_authentication = -1;
	o->pubkey_authentication = -1;
	o->kerberos_authentication = -1;
	o->kerberos_or_local_passwd = -1;
	o->kerberos_ticket_cleanup = -1;
	o->kerberos_get_afs_token = -1;
	o->gss_authentication = -1;
	o->gss_cleanup_creds = -1;
	o->password_authentication = -1;
	o->kbd_interactive_authentication = -1;
	o->challenge_response_authentication = -1;
	o->zero_knowledge_password_authentication = -1;
	o->permit_empty_passwd = -1;
	o->max_authtries = -1;
	o->authorized_keys_file = NULL;
	o->authorized_keys_file2 = NULL;
	o->use_login = -1;
	o->permit_user_env = -1;

	/* Access lists (AllowUsers/DenyUsers/AllowGroups/DenyGroups) */
	o->num_allow_users = 0;
	o->num_deny_users = 0;
	o->num_allow_groups = 0;
	o->num_deny_groups = 0;

	/* Session features: MOTD, X11, forwarding, tunnels, subsystems, env */
	o->print_motd = -1;
	o->print_lastlog = -1;
	o->x11_forwarding = -1;
	o->x11_display_offset = -1;
	o->x11_use_localhost = -1;
	o->xauth_location = NULL;
	o->allow_tcp_forwarding = -1;
	o->allow_agent_forwarding = -1;
	o->gateway_ports = -1;
	o->permit_tun = -1;
	o->num_permitted_opens = -1;
	o->num_subsystems = 0;
	o->num_accept_env = 0;
	o->adm_forced_command = NULL;
	o->chroot_directory = NULL;

	/* Connection limits and liveness */
	o->tcp_keep_alive = -1;
	o->max_startups_begin = -1;
	o->max_startups_rate = -1;
	o->max_startups = -1;
	o->max_sessions = -1;
	o->use_dns = -1;
	o->client_alive_interval = -1;
	o->client_alive_count_max = -1;
	o->banner = NULL;
}
132
/*
 * Store a default into an integer option slot that still holds the -1
 * "unset" sentinel; a slot already set by sshd_config or the command line
 * is left alone.
 */
static void
default_int(int *slot, int value)
{
	if (*slot == -1)
		*slot = value;
}

/*
 * Replace every option still at its sentinel with the compiled-in default.
 * Called once all sshd_config / command-line processing is done.  Side
 * effects: may append to host_key_files, ports and listen_addrs, and turns
 * use_privsep on when nothing configured it.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	default_int(&options->use_pam, 0);

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* No HostKey given: use the stock key paths of each enabled protocol */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);	/* wildcard bind on every port */
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;

	/* Protocol 1 server key and timeouts */
	default_int(&options->server_key_bits, 1024);
	default_int(&options->login_grace_time, 120);
	default_int(&options->key_regeneration_time, 3600);

	/*
	 * Authentication policy.  Note the permissive defaults at this
	 * version: root login and password authentication are on unless
	 * sshd_config says otherwise.
	 */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	default_int(&options->ignore_rhosts, 1);
	default_int(&options->ignore_user_known_hosts, 0);
	default_int(&options->print_motd, 1);
	default_int(&options->print_lastlog, 1);
	default_int(&options->x11_forwarding, 0);
	default_int(&options->x11_display_offset, 10);
	default_int(&options->x11_use_localhost, 1);
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	default_int(&options->strict_modes, 1);
	default_int(&options->tcp_keep_alive, 1);
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	default_int(&options->rhosts_rsa_authentication, 0);
	default_int(&options->hostbased_authentication, 0);
	default_int(&options->hostbased_uses_name_from_packet_only, 0);
	default_int(&options->rsa_authentication, 1);
	default_int(&options->pubkey_authentication, 1);
	default_int(&options->kerberos_authentication, 0);
	default_int(&options->kerberos_or_local_passwd, 1);
	default_int(&options->kerberos_ticket_cleanup, 1);
	default_int(&options->kerberos_get_afs_token, 0);
	default_int(&options->gss_authentication, 0);
	default_int(&options->gss_cleanup_creds, 1);
	default_int(&options->password_authentication, 1);
	default_int(&options->kbd_interactive_authentication, 0);
	default_int(&options->challenge_response_authentication, 1);
	default_int(&options->permit_empty_passwd, 0);
	default_int(&options->permit_user_env, 0);
	default_int(&options->use_login, 0);
	default_int(&options->compression, COMP_DELAYED);
	default_int(&options->allow_tcp_forwarding, 1);
	default_int(&options->allow_agent_forwarding, 1);
	default_int(&options->gateway_ports, 0);

	/* Connection limits; max_startups_begin must be settled after max_startups */
	default_int(&options->max_startups, 10);
	default_int(&options->max_startups_rate, 100);	/* 100% */
	default_int(&options->max_startups_begin, options->max_startups);
	default_int(&options->max_authtries, DEFAULT_AUTH_FAIL_MAX);
	default_int(&options->max_sessions, DEFAULT_SESSIONS_MAX);
	default_int(&options->use_dns, 1);
	default_int(&options->client_alive_interval, 0);
	default_int(&options->client_alive_count_max, 3);

	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		options->authorized_keys_file2 =
		    options->authorized_keys_file != NULL ?
		    options->authorized_keys_file : _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
	default_int(&options->permit_tun, SSH_TUNMODE_NO);
	default_int(&options->zero_knowledge_password_authentication, 0);

	/* Turn privilege separation on by default */
	if (use_privsep == -1)
		use_privsep = 1;

#ifndef HAVE_MMAP
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
279
/* Keyword tokens: one opcode per sshd_config directive (aliases share one). */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosGetAFSToken,
	sKerberosTgtPassing, sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication,
	sListenAddress, sAddressFamily,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
	sMaxStartups, sMaxAuthTries, sMaxSessions,
	sBanner, sUseDNS, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
	sUsePrivilegeSeparation, sAllowAgentForwarding,
	sZeroKnowledgePasswordAuthentication,
	/*
	 * Markers for keywords kept in the table but no longer honoured
	 * (sDeprecated) or compiled out of this build (sUnsupported);
	 * what gets logged for them is decided in process_server_config_line().
	 */
	sDeprecated, sUnsupported
} ServerOpCodes;
311
/*
 * Where a keyword may appear.  process_server_config_line() refuses
 * (fatal) a directive lacking SSHCFG_MATCH when it is seen inside a Match
 * block, so these flags are the enforcement point for per-connection overrides.
 */
#define SSHCFG_GLOBAL	0x01	/* allowed in main section of sshd_config */
#define SSHCFG_MATCH	0x02	/* allowed inside a Match section */
#define SSHCFG_ALL	(SSHCFG_GLOBAL|SSHCFG_MATCH)	/* allowed in both */
315
/*
 * Textual representation of the tokens.  parse_token() scans this table
 * linearly and case-insensitively and stops at the NULL sentinel, so a name
 * listed twice resolves to its first entry.  The flags column says where a
 * keyword may appear: SSHCFG_GLOBAL only, or SSHCFG_ALL when it is also
 * valid inside a Match block.  Features compiled out keep their keyword but
 * map it to sUnsupported, and retired keywords map to sDeprecated, so the
 * parser still recognises such lines instead of treating them as typos.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
	u_int flags;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
#else
	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
#endif
	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
	/* Standard Options */
	{ "port", sPort, SSHCFG_GLOBAL },
	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL },		/* alias */
	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL },	/* alias */
#ifdef KRB5
	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
#ifdef USE_AFS
	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
#else
	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
#else
	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
#else
	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
#endif
	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
#ifdef JPAKE
	{ "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
#else
	{ "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
#endif
	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
	{ "compression", sCompression, SSHCFG_GLOBAL },
	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL },	/* obsolete alias */
	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
	{ "allowusers", sAllowUsers, SSHCFG_GLOBAL },
	{ "denyusers", sDenyUsers, SSHCFG_GLOBAL },
	{ "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
	{ "denygroups", sDenyGroups, SSHCFG_GLOBAL },
	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
	{ "macs", sMacs, SSHCFG_GLOBAL },
	{ "protocol", sProtocol, SSHCFG_GLOBAL },
	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
	{ "banner", sBanner, SSHCFG_ALL },
	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
	{ "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
	{ "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
	/* Per-connection restrictions: all usable inside Match blocks */
	{ "match", sMatch, SSHCFG_ALL },
	{ "permitopen", sPermitOpen, SSHCFG_ALL },
	{ "forcecommand", sForceCommand, SSHCFG_ALL },
	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
	{ NULL, sBadOption, 0 }		/* sentinel: terminates parse_token()'s scan */
};
429
/*
 * Human-readable names for the PermitTunnel modes, terminated by a NULL
 * text; presumably consumed by the PermitTunnel option handling further
 * down in this file — confirm against the parser.
 */
static struct {
	int val;
	char *text;
} tunmode_desc[] = {
	{ .val = SSH_TUNMODE_NO,		.text = "no" },
	{ .val = SSH_TUNMODE_POINTOPOINT,	.text = "point-to-point" },
	{ .val = SSH_TUNMODE_ETHERNET,		.text = "ethernet" },
	{ .val = SSH_TUNMODE_YES,		.text = "yes" },
	{ .val = -1,				.text = NULL }
};
440
/*
 * Look up the keyword cp in keywords[] (case-insensitively) and return its
 * opcode, storing its placement flags through *flags.  An unknown keyword
 * is logged with filename/linenum and yields sBadOption with *flags left
 * untouched; the caller turns sBadOption into a parse failure.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
	    int linenum, u_int *flags)
{
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0) {
			*flags = keywords[idx].flags;
			return keywords[idx].opcode;
		}
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
461
/*
 * Queue listen sockets for addr (NULL = wildcard).  port == 0 means "every
 * configured port".  If no Port directive has been seen yet SSH_DEFAULT_PORT
 * is installed first, and an unset AddressFamily becomes AF_UNSPEC so the
 * later getaddrinfo() accepts both IPv4 and IPv6.  This is why the parser
 * insists that Port and AddressFamily precede ListenAddress in sshd_config.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, int port)
{
	u_int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->address_family == -1)
		options->address_family = AF_UNSPEC;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
477
/*
 * Resolve addr:port with getaddrinfo() and prepend the resulting list to
 * options->listen_addrs.  addr == NULL requests the passive (wildcard)
 * address for the configured address family.  A resolution failure is
 * fatal: sshd refuses to start rather than listen somewhere other than
 * what was configured.  The addrinfo list is deliberately not freed here;
 * it lives on in listen_addrs.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, int port)
{
	struct addrinfo hints;
	struct addrinfo *res, *last;
	char portstr[NI_MAXSERV];
	int rc;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = options->address_family;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = addr == NULL ? AI_PASSIVE : 0;
	snprintf(portstr, sizeof portstr, "%d", port);

	rc = getaddrinfo(addr, portstr, &hints, &res);
	if (rc != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    ssh_gai_strerror(rc));

	/* Walk to the tail of the new list and splice the old list after it. */
	last = res;
	while (last->ai_next != NULL)
		last = last->ai_next;
	last->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
499
d231781a 500/*
501 * The strategy for the Match blocks is that the config file is parsed twice.
502 *
503 * The first time is at startup. activep is initialized to 1 and the
504 * directives in the global context are processed and acted on. Hitting a
505 * Match directive unsets activep and the directives inside the block are
506 * checked for syntax only.
507 *
508 * The second time is after a connection has been established but before
509 * authentication. activep is initialized to 2 and global config directives
510 * are ignored since they have already been processed. If the criteria in a
511 * Match block is met, activep is set and the subsequent directives
512 * processed and actioned until EOF or another Match block unsets it. Any
513 * options set are copied into the main server config.
514 *
515 * Potential additions/improvements:
516 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
517 *
518 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
519 * Match Address 192.168.0.*
520 * Tag trusted
521 * Match Group wheel
522 * Tag trusted
523 * Match Tag trusted
524 * AllowTcpForwarding yes
525 * GatewayPorts clientspecified
526 * [...]
527 *
528 * - Add a PermittedChannelRequests directive
529 * Match Group shell
530 * PermittedChannelRequests session,forwarded-tcpip
531 */
532
/*
 * Evaluate a "Match Group" criterion: does user belong to any group in the
 * pattern list grps?  Returns 1 on a match and 0 otherwise — including when
 * user is NULL (the syntax-only pass), when the user is unknown, or when the
 * user is in no group.  It never returns -1, although the caller handles
 * that value.  User names are logged with a %.100s cap because they may be
 * client-supplied.  ga_free() runs on every path, including user == NULL.
 */
static int
match_cfg_line_group(const char *grps, int line, const char *user)
{
	struct passwd *pw;
	int matched = 0;

	if (user != NULL) {
		pw = getpwnam(user);
		if (pw == NULL) {
			debug("Can't match group at line %d because user %.100s does "
			    "not exist", line, user);
		} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
			debug("Can't Match group because user %.100s not in any group "
			    "at line %d", user, line);
		} else if (ga_match_pattern_list(grps) != 1) {
			debug("user %.100s does not match group list %.100s at line %d",
			    user, grps, line);
		} else {
			debug("user %.100s matched group list %.100s at line %d", user,
			    grps, line);
			matched = 1;
		}
	}
	ga_free();
	return matched;
}
560
/*
 * Evaluate one Match line.  *condition points at the criteria text
 * ("attrib value attrib value ...") and is advanced past what was consumed
 * only on a non-error return.  user == NULL selects the syntax-check pass:
 * User and Host criteria then evaluate to "no match" without pattern
 * matching, while Group and Address are still handed to their helpers.
 * Returns 1 if every criterion matched, 0 if any did not, and -1 for a
 * malformed line (missing value, unknown attribute, or an Address list the
 * matcher rejects).  Matched values are logged with %.100s to bound
 * client-influenced strings.
 */
static int
match_cfg_line(char **condition, int line, const char *user, const char *host,
    const char *address)
{
	char *cp = *condition;
	char *attrib, *arg;
	size_t arglen;
	int matched = 1, rc;

	if (user == NULL)
		debug3("checking syntax for 'Match %s'", cp);
	else
		debug3("checking match for '%s' user %s host %s addr %s", cp,
		    user ? user : "(null)", host ? host : "(null)",
		    address ? address : "(null)");

	for (;;) {
		attrib = strdelim(&cp);
		if (attrib == NULL || *attrib == '\0')
			break;
		arg = strdelim(&cp);
		if (arg == NULL || *arg == '\0') {
			error("Missing Match criteria for %s", attrib);
			return -1;
		}
		arglen = strlen(arg);

		if (strcasecmp(attrib, "user") == 0) {
			if (user == NULL ||
			    match_pattern_list(user, arg, arglen, 0) != 1) {
				matched = 0;
				continue;
			}
			debug("user %.100s matched 'User %.100s' at "
			    "line %d", user, arg, line);
		} else if (strcasecmp(attrib, "group") == 0) {
			rc = match_cfg_line_group(arg, line, user);
			if (rc == -1)
				return -1;
			if (rc == 0)
				matched = 0;
		} else if (strcasecmp(attrib, "host") == 0) {
			if (host == NULL ||
			    match_hostname(host, arg, arglen) != 1) {
				matched = 0;
				continue;
			}
			debug("connection from %.100s matched 'Host "
			    "%.100s' at line %d", host, arg, line);
		} else if (strcasecmp(attrib, "address") == 0) {
			rc = addr_match_list(address, arg);
			if (rc == -2)
				return -1;	/* list rejected by the matcher: config error */
			if (rc == 1)
				debug("connection from %.100s matched 'Address "
				    "%.100s' at line %d", address, arg, line);
			else if (rc == 0 || rc == -1)
				matched = 0;
		} else {
			error("Unsupported Match attribute %s", attrib);
			return -1;
		}
	}
	if (user != NULL)
		debug3("match %sfound", matched ? "" : "not ");
	*condition = cp;
	return matched;
}
632
/* Token delimiter set; presumably used by the option parser below — confirm */
#define WHITESPACE " \t\r\n"
634
2717fa0f 635int
636process_server_config_line(ServerOptions *options, char *line,
d231781a 637 const char *filename, int linenum, int *activep, const char *user,
638 const char *host, const char *address)
8efc0c15 639{
d11c1288 640 char *cp, **charptr, *arg, *p;
d231781a 641 int cmdline = 0, *intptr, value, n;
2a72bc03 642 SyslogFacility *log_facility_ptr;
643 LogLevel *log_level_ptr;
5260325f 644 ServerOpCodes opcode;
5134115d 645 int port;
d231781a 646 u_int i, flags = 0;
d66ce1a1 647 size_t len;
5260325f 648
2717fa0f 649 cp = line;
0f8cd5a6 650 if ((arg = strdelim(&cp)) == NULL)
88299971 651 return 0;
2717fa0f 652 /* Ignore leading whitespace */
653 if (*arg == '\0')
704b1659 654 arg = strdelim(&cp);
2717fa0f 655 if (!arg || !*arg || *arg == '#')
656 return 0;
657 intptr = NULL;
658 charptr = NULL;
d231781a 659 opcode = parse_token(arg, filename, linenum, &flags);
660
661 if (activep == NULL) { /* We are processing a command line directive */
662 cmdline = 1;
663 activep = &cmdline;
664 }
665 if (*activep && opcode != sMatch)
666 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
667 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
668 if (user == NULL) {
669 fatal("%s line %d: Directive '%s' is not allowed "
670 "within a Match block", filename, linenum, arg);
671 } else { /* this is a directive we have already processed */
672 while (arg)
673 arg = strdelim(&cp);
674 return 0;
675 }
676 }
677
2717fa0f 678 switch (opcode) {
679 /* Portable-specific options */
7fceb20d 680 case sUsePAM:
681 intptr = &options->use_pam;
2717fa0f 682 goto parse_flag;
48e671d5 683
2717fa0f 684 /* Standard Options */
685 case sBadOption:
686 return -1;
687 case sPort:
688 /* ignore ports from configfile if cmdline specifies ports */
689 if (options->ports_from_cmdline)
690 return 0;
691 if (options->listen_addrs != NULL)
692 fatal("%s line %d: ports must be specified before "
3a454b6a 693 "ListenAddress.", filename, linenum);
2717fa0f 694 if (options->num_ports >= MAX_PORTS)
695 fatal("%s line %d: too many ports.",
696 filename, linenum);
697 arg = strdelim(&cp);
698 if (!arg || *arg == '\0')
699 fatal("%s line %d: missing port number.",
700 filename, linenum);
701 options->ports[options->num_ports++] = a2port(arg);
5134115d 702 if (options->ports[options->num_ports-1] <= 0)
2717fa0f 703 fatal("%s line %d: Badly formatted port number.",
704 filename, linenum);
705 break;
706
707 case sServerKeyBits:
708 intptr = &options->server_key_bits;
c6dca55e 709 parse_int:
2717fa0f 710 arg = strdelim(&cp);
711 if (!arg || *arg == '\0')
712 fatal("%s line %d: missing integer value.",
713 filename, linenum);
714 value = atoi(arg);
d231781a 715 if (*activep && *intptr == -1)
2717fa0f 716 *intptr = value;
717 break;
718
719 case sLoginGraceTime:
720 intptr = &options->login_grace_time;
c6dca55e 721 parse_time:
2717fa0f 722 arg = strdelim(&cp);
723 if (!arg || *arg == '\0')
724 fatal("%s line %d: missing time value.",
725 filename, linenum);
726 if ((value = convtime(arg)) == -1)
727 fatal("%s line %d: invalid time value.",
728 filename, linenum);
729 if (*intptr == -1)
730 *intptr = value;
731 break;
732
733 case sKeyRegenerationTime:
734 intptr = &options->key_regeneration_time;
735 goto parse_time;
736
737 case sListenAddress:
738 arg = strdelim(&cp);
3867aa0a 739 if (arg == NULL || *arg == '\0')
740 fatal("%s line %d: missing address",
2717fa0f 741 filename, linenum);
91135a0e 742 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
743 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
744 && strchr(p+1, ':') != NULL) {
745 add_listen_addr(options, arg, 0);
746 break;
747 }
3867aa0a 748 p = hpdelim(&arg);
749 if (p == NULL)
750 fatal("%s line %d: bad address:port usage",
2717fa0f 751 filename, linenum);
3867aa0a 752 p = cleanhostname(p);
753 if (arg == NULL)
754 port = 0;
5134115d 755 else if ((port = a2port(arg)) <= 0)
3867aa0a 756 fatal("%s line %d: bad port number", filename, linenum);
757
758 add_listen_addr(options, p, port);
759
2717fa0f 760 break;
761
31b41ceb 762 case sAddressFamily:
763 arg = strdelim(&cp);
38634ff6 764 if (!arg || *arg == '\0')
765 fatal("%s line %d: missing address family.",
766 filename, linenum);
31b41ceb 767 intptr = &options->address_family;
768 if (options->listen_addrs != NULL)
769 fatal("%s line %d: address family must be specified before "
770 "ListenAddress.", filename, linenum);
771 if (strcasecmp(arg, "inet") == 0)
772 value = AF_INET;
773 else if (strcasecmp(arg, "inet6") == 0)
774 value = AF_INET6;
775 else if (strcasecmp(arg, "any") == 0)
776 value = AF_UNSPEC;
777 else
778 fatal("%s line %d: unsupported address family \"%s\".",
779 filename, linenum, arg);
780 if (*intptr == -1)
781 *intptr = value;
782 break;
783
2717fa0f 784 case sHostKeyFile:
785 intptr = &options->num_host_key_files;
786 if (*intptr >= MAX_HOSTKEYS)
787 fatal("%s line %d: too many host keys specified (max %d).",
788 filename, linenum, MAX_HOSTKEYS);
789 charptr = &options->host_key_files[*intptr];
c6dca55e 790 parse_filename:
2717fa0f 791 arg = strdelim(&cp);
792 if (!arg || *arg == '\0')
793 fatal("%s line %d: missing file name.",
794 filename, linenum);
d231781a 795 if (*activep && *charptr == NULL) {
2717fa0f 796 *charptr = tilde_expand_filename(arg, getuid());
797 /* increase optional counter */
798 if (intptr != NULL)
799 *intptr = *intptr + 1;
800 }
801 break;
0fbe8c74 802
2717fa0f 803 case sPidFile:
804 charptr = &options->pid_file;
805 goto parse_filename;
5260325f 806
2717fa0f 807 case sPermitRootLogin:
808 intptr = &options->permit_root_login;
809 arg = strdelim(&cp);
810 if (!arg || *arg == '\0')
811 fatal("%s line %d: missing yes/"
812 "without-password/forced-commands-only/no "
813 "argument.", filename, linenum);
814 value = 0; /* silence compiler */
815 if (strcmp(arg, "without-password") == 0)
816 value = PERMIT_NO_PASSWD;
817 else if (strcmp(arg, "forced-commands-only") == 0)
818 value = PERMIT_FORCED_ONLY;
819 else if (strcmp(arg, "yes") == 0)
820 value = PERMIT_YES;
821 else if (strcmp(arg, "no") == 0)
822 value = PERMIT_NO;
823 else
824 fatal("%s line %d: Bad yes/"
825 "without-password/forced-commands-only/no "
826 "argument: %s", filename, linenum, arg);
2ef741a3 827 if (*activep && *intptr == -1)
2717fa0f 828 *intptr = value;
829 break;
830
831 case sIgnoreRhosts:
832 intptr = &options->ignore_rhosts;
c6dca55e 833 parse_flag:
2717fa0f 834 arg = strdelim(&cp);
835 if (!arg || *arg == '\0')
836 fatal("%s line %d: missing yes/no argument.",
837 filename, linenum);
838 value = 0; /* silence compiler */
839 if (strcmp(arg, "yes") == 0)
840 value = 1;
841 else if (strcmp(arg, "no") == 0)
842 value = 0;
843 else
844 fatal("%s line %d: Bad yes/no argument: %s",
845 filename, linenum, arg);
d231781a 846 if (*activep && *intptr == -1)
2717fa0f 847 *intptr = value;
848 break;
849
850 case sIgnoreUserKnownHosts:
851 intptr = &options->ignore_user_known_hosts;
852 goto parse_flag;
853
2717fa0f 854 case sRhostsRSAAuthentication:
855 intptr = &options->rhosts_rsa_authentication;
856 goto parse_flag;
857
858 case sHostbasedAuthentication:
859 intptr = &options->hostbased_authentication;
860 goto parse_flag;
861
862 case sHostbasedUsesNameFromPacketOnly:
863 intptr = &options->hostbased_uses_name_from_packet_only;
864 goto parse_flag;
865
866 case sRSAAuthentication:
867 intptr = &options->rsa_authentication;
868 goto parse_flag;
869
870 case sPubkeyAuthentication:
871 intptr = &options->pubkey_authentication;
872 goto parse_flag;
d0ec7f42 873
2717fa0f 874 case sKerberosAuthentication:
875 intptr = &options->kerberos_authentication;
876 goto parse_flag;
5260325f 877
2717fa0f 878 case sKerberosOrLocalPasswd:
879 intptr = &options->kerberos_or_local_passwd;
880 goto parse_flag;
5260325f 881
2717fa0f 882 case sKerberosTicketCleanup:
883 intptr = &options->kerberos_ticket_cleanup;
884 goto parse_flag;
d0ec7f42 885
a1e30b47 886 case sKerberosGetAFSToken:
887 intptr = &options->kerberos_get_afs_token;
888 goto parse_flag;
889
7364bd04 890 case sGssAuthentication:
891 intptr = &options->gss_authentication;
892 goto parse_flag;
893
894 case sGssCleanupCreds:
895 intptr = &options->gss_cleanup_creds;
896 goto parse_flag;
897
2717fa0f 898 case sPasswordAuthentication:
899 intptr = &options->password_authentication;
900 goto parse_flag;
5260325f 901
5adf6b9a 902 case sZeroKnowledgePasswordAuthentication:
903 intptr = &options->zero_knowledge_password_authentication;
904 goto parse_flag;
905
2717fa0f 906 case sKbdInteractiveAuthentication:
907 intptr = &options->kbd_interactive_authentication;
908 goto parse_flag;
8002af61 909
2717fa0f 910 case sChallengeResponseAuthentication:
911 intptr = &options->challenge_response_authentication;
912 goto parse_flag;
8002af61 913
2717fa0f 914 case sPrintMotd:
915 intptr = &options->print_motd;
916 goto parse_flag;
5260325f 917
2717fa0f 918 case sPrintLastLog:
919 intptr = &options->print_lastlog;
920 goto parse_flag;
5260325f 921
2717fa0f 922 case sX11Forwarding:
923 intptr = &options->x11_forwarding;
924 goto parse_flag;
5260325f 925
2717fa0f 926 case sX11DisplayOffset:
927 intptr = &options->x11_display_offset;
928 goto parse_int;
8efc0c15 929
e6e573bd 930 case sX11UseLocalhost:
931 intptr = &options->x11_use_localhost;
932 goto parse_flag;
933
2717fa0f 934 case sXAuthLocation:
935 charptr = &options->xauth_location;
936 goto parse_filename;
5260325f 937
2717fa0f 938 case sStrictModes:
939 intptr = &options->strict_modes;
940 goto parse_flag;
5260325f 941
fd573618 942 case sTCPKeepAlive:
943 intptr = &options->tcp_keep_alive;
2717fa0f 944 goto parse_flag;
33de75a3 945
2717fa0f 946 case sEmptyPasswd:
947 intptr = &options->permit_empty_passwd;
948 goto parse_flag;
5260325f 949
f00bab84 950 case sPermitUserEnvironment:
951 intptr = &options->permit_user_env;
952 goto parse_flag;
953
2717fa0f 954 case sUseLogin:
955 intptr = &options->use_login;
956 goto parse_flag;
5260325f 957
636f76ca 958 case sCompression:
959 intptr = &options->compression;
07200973 960 arg = strdelim(&cp);
961 if (!arg || *arg == '\0')
962 fatal("%s line %d: missing yes/no/delayed "
963 "argument.", filename, linenum);
964 value = 0; /* silence compiler */
965 if (strcmp(arg, "delayed") == 0)
966 value = COMP_DELAYED;
967 else if (strcmp(arg, "yes") == 0)
968 value = COMP_ZLIB;
969 else if (strcmp(arg, "no") == 0)
970 value = COMP_NONE;
971 else
972 fatal("%s line %d: Bad yes/no/delayed "
973 "argument: %s", filename, linenum, arg);
974 if (*intptr == -1)
975 *intptr = value;
976 break;
636f76ca 977
2717fa0f 978 case sGatewayPorts:
979 intptr = &options->gateway_ports;
3867aa0a 980 arg = strdelim(&cp);
981 if (!arg || *arg == '\0')
982 fatal("%s line %d: missing yes/no/clientspecified "
983 "argument.", filename, linenum);
984 value = 0; /* silence compiler */
985 if (strcmp(arg, "clientspecified") == 0)
986 value = 2;
987 else if (strcmp(arg, "yes") == 0)
988 value = 1;
989 else if (strcmp(arg, "no") == 0)
990 value = 0;
991 else
992 fatal("%s line %d: Bad yes/no/clientspecified "
993 "argument: %s", filename, linenum, arg);
f3e3d6ce 994 if (*activep && *intptr == -1)
3867aa0a 995 *intptr = value;
996 break;
5260325f 997
c5a7d788 998 case sUseDNS:
999 intptr = &options->use_dns;
2717fa0f 1000 goto parse_flag;
5260325f 1001
2717fa0f 1002 case sLogFacility:
2a72bc03 1003 log_facility_ptr = &options->log_facility;
2717fa0f 1004 arg = strdelim(&cp);
1005 value = log_facility_number(arg);
5eaf8578 1006 if (value == SYSLOG_FACILITY_NOT_SET)
2717fa0f 1007 fatal("%.200s line %d: unsupported log facility '%s'",
1008 filename, linenum, arg ? arg : "<NONE>");
2a72bc03 1009 if (*log_facility_ptr == -1)
1010 *log_facility_ptr = (SyslogFacility) value;
2717fa0f 1011 break;
1012
1013 case sLogLevel:
2a72bc03 1014 log_level_ptr = &options->log_level;
2717fa0f 1015 arg = strdelim(&cp);
1016 value = log_level_number(arg);
5eaf8578 1017 if (value == SYSLOG_LEVEL_NOT_SET)
2717fa0f 1018 fatal("%.200s line %d: unsupported log level '%s'",
1019 filename, linenum, arg ? arg : "<NONE>");
2a72bc03 1020 if (*log_level_ptr == -1)
1021 *log_level_ptr = (LogLevel) value;
2717fa0f 1022 break;
1023
1024 case sAllowTcpForwarding:
1025 intptr = &options->allow_tcp_forwarding;
1026 goto parse_flag;
1027
43c3f85c 1028 case sAllowAgentForwarding:
1029 intptr = &options->allow_agent_forwarding;
1030 goto parse_flag;
1031
1853d1ef 1032 case sUsePrivilegeSeparation:
1033 intptr = &use_privsep;
1034 goto parse_flag;
1035
2717fa0f 1036 case sAllowUsers:
1037 while ((arg = strdelim(&cp)) && *arg != '\0') {
1038 if (options->num_allow_users >= MAX_ALLOW_USERS)
1039 fatal("%s line %d: too many allow users.",
1040 filename, linenum);
7528d467 1041 options->allow_users[options->num_allow_users++] =
1042 xstrdup(arg);
2717fa0f 1043 }
1044 break;
a8be9f80 1045
2717fa0f 1046 case sDenyUsers:
1047 while ((arg = strdelim(&cp)) && *arg != '\0') {
1048 if (options->num_deny_users >= MAX_DENY_USERS)
d4f40d92 1049 fatal("%s line %d: too many deny users.",
2717fa0f 1050 filename, linenum);
7528d467 1051 options->deny_users[options->num_deny_users++] =
1052 xstrdup(arg);
2717fa0f 1053 }
1054 break;
b2552997 1055
2717fa0f 1056 case sAllowGroups:
1057 while ((arg = strdelim(&cp)) && *arg != '\0') {
1058 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1059 fatal("%s line %d: too many allow groups.",
1060 filename, linenum);
7528d467 1061 options->allow_groups[options->num_allow_groups++] =
1062 xstrdup(arg);
2717fa0f 1063 }
1064 break;
a8be9f80 1065
2717fa0f 1066 case sDenyGroups:
1067 while ((arg = strdelim(&cp)) && *arg != '\0') {
1068 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1069 fatal("%s line %d: too many deny groups.",
1070 filename, linenum);
1071 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1072 }
1073 break;
38c295d6 1074
2717fa0f 1075 case sCiphers:
1076 arg = strdelim(&cp);
1077 if (!arg || *arg == '\0')
1078 fatal("%s line %d: Missing argument.", filename, linenum);
1079 if (!ciphers_valid(arg))
1080 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1081 filename, linenum, arg ? arg : "<NONE>");
1082 if (options->ciphers == NULL)
1083 options->ciphers = xstrdup(arg);
1084 break;
1085
1086 case sMacs:
1087 arg = strdelim(&cp);
1088 if (!arg || *arg == '\0')
1089 fatal("%s line %d: Missing argument.", filename, linenum);
1090 if (!mac_valid(arg))
1091 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1092 filename, linenum, arg ? arg : "<NONE>");
1093 if (options->macs == NULL)
1094 options->macs = xstrdup(arg);
1095 break;
1096
1097 case sProtocol:
1098 intptr = &options->protocol;
1099 arg = strdelim(&cp);
1100 if (!arg || *arg == '\0')
1101 fatal("%s line %d: Missing argument.", filename, linenum);
1102 value = proto_spec(arg);
1103 if (value == SSH_PROTO_UNKNOWN)
1104 fatal("%s line %d: Bad protocol spec '%s'.",
184eed6a 1105 filename, linenum, arg ? arg : "<NONE>");
2717fa0f 1106 if (*intptr == SSH_PROTO_UNKNOWN)
1107 *intptr = value;
1108 break;
1109
1110 case sSubsystem:
1111 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1112 fatal("%s line %d: too many subsystems defined.",
184eed6a 1113 filename, linenum);
2717fa0f 1114 }
1115 arg = strdelim(&cp);
1116 if (!arg || *arg == '\0')
1117 fatal("%s line %d: Missing subsystem name.",
184eed6a 1118 filename, linenum);
d231781a 1119 if (!*activep) {
1120 arg = strdelim(&cp);
1121 break;
1122 }
2717fa0f 1123 for (i = 0; i < options->num_subsystems; i++)
1124 if (strcmp(arg, options->subsystem_name[i]) == 0)
1125 fatal("%s line %d: Subsystem '%s' already defined.",
184eed6a 1126 filename, linenum, arg);
2717fa0f 1127 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1128 arg = strdelim(&cp);
1129 if (!arg || *arg == '\0')
1130 fatal("%s line %d: Missing subsystem command.",
184eed6a 1131 filename, linenum);
2717fa0f 1132 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
d66ce1a1 1133
1134 /* Collect arguments (separate to executable) */
1135 p = xstrdup(arg);
1136 len = strlen(p) + 1;
1137 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1138 len += 1 + strlen(arg);
1139 p = xrealloc(p, 1, len);
1140 strlcat(p, " ", len);
1141 strlcat(p, arg, len);
1142 }
1143 options->subsystem_args[options->num_subsystems] = p;
2717fa0f 1144 options->num_subsystems++;
1145 break;
1146
1147 case sMaxStartups:
1148 arg = strdelim(&cp);
1149 if (!arg || *arg == '\0')
1150 fatal("%s line %d: Missing MaxStartups spec.",
184eed6a 1151 filename, linenum);
2717fa0f 1152 if ((n = sscanf(arg, "%d:%d:%d",
1153 &options->max_startups_begin,
1154 &options->max_startups_rate,
1155 &options->max_startups)) == 3) {
1156 if (options->max_startups_begin >
1157 options->max_startups ||
1158 options->max_startups_rate > 100 ||
1159 options->max_startups_rate < 1)
c345cf9d 1160 fatal("%s line %d: Illegal MaxStartups spec.",
97de229c 1161 filename, linenum);
2717fa0f 1162 } else if (n != 1)
1163 fatal("%s line %d: Illegal MaxStartups spec.",
1164 filename, linenum);
1165 else
1166 options->max_startups = options->max_startups_begin;
1167 break;
1168
af4bd935 1169 case sMaxAuthTries:
1170 intptr = &options->max_authtries;
1171 goto parse_int;
1172
c6dca55e 1173 case sMaxSessions:
1174 intptr = &options->max_sessions;
1175 goto parse_int;
1176
2717fa0f 1177 case sBanner:
1178 charptr = &options->banner;
1179 goto parse_filename;
db49deeb 1180
2717fa0f 1181 /*
1182 * These options can contain %X options expanded at
1183 * connect time, so that you can specify paths like:
1184 *
1185 * AuthorizedKeysFile /etc/ssh_keys/%u
1186 */
1187 case sAuthorizedKeysFile:
1188 case sAuthorizedKeysFile2:
d4f40d92 1189 charptr = (opcode == sAuthorizedKeysFile) ?
2717fa0f 1190 &options->authorized_keys_file :
1191 &options->authorized_keys_file2;
1192 goto parse_filename;
1193
1194 case sClientAliveInterval:
1195 intptr = &options->client_alive_interval;
1196 goto parse_time;
1197
1198 case sClientAliveCountMax:
1199 intptr = &options->client_alive_count_max;
1200 goto parse_int;
1201
61a2c1da 1202 case sAcceptEnv:
1203 while ((arg = strdelim(&cp)) && *arg != '\0') {
1204 if (strchr(arg, '=') != NULL)
1205 fatal("%s line %d: Invalid environment name.",
1206 filename, linenum);
1207 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1208 fatal("%s line %d: too many allow env.",
1209 filename, linenum);
d231781a 1210 if (!*activep)
1211 break;
61a2c1da 1212 options->accept_env[options->num_accept_env++] =
1213 xstrdup(arg);
1214 }
1215 break;
1216
d20f3c9e 1217 case sPermitTunnel:
1218 intptr = &options->permit_tun;
a4f24bf8 1219 arg = strdelim(&cp);
1220 if (!arg || *arg == '\0')
1221 fatal("%s line %d: Missing yes/point-to-point/"
1222 "ethernet/no argument.", filename, linenum);
1760c982 1223 value = -1;
1224 for (i = 0; tunmode_desc[i].val != -1; i++)
1225 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1226 value = tunmode_desc[i].val;
1227 break;
1228 }
1229 if (value == -1)
a4f24bf8 1230 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1231 "no argument: %s", filename, linenum, arg);
1232 if (*intptr == -1)
1233 *intptr = value;
1234 break;
d20f3c9e 1235
d231781a 1236 case sMatch:
1237 if (cmdline)
1238 fatal("Match directive not supported as a command-line "
1239 "option");
1240 value = match_cfg_line(&cp, linenum, user, host, address);
1241 if (value < 0)
1242 fatal("%s line %d: Bad Match condition", filename,
1243 linenum);
1244 *activep = value;
1245 break;
1246
2fefbadf 1247 case sPermitOpen:
1248 arg = strdelim(&cp);
1249 if (!arg || *arg == '\0')
1250 fatal("%s line %d: missing PermitOpen specification",
1251 filename, linenum);
38757197 1252 n = options->num_permitted_opens; /* modified later */
2fefbadf 1253 if (strcmp(arg, "any") == 0) {
38757197 1254 if (*activep && n == -1) {
2fefbadf 1255 channel_clear_adm_permitted_opens();
ea46e550 1256 options->num_permitted_opens = 0;
1257 }
2fefbadf 1258 break;
1259 }
75b6d52c 1260 if (*activep && n == -1)
1261 channel_clear_adm_permitted_opens();
ea46e550 1262 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1263 p = hpdelim(&arg);
1264 if (p == NULL)
1265 fatal("%s line %d: missing host in PermitOpen",
1266 filename, linenum);
1267 p = cleanhostname(p);
5134115d 1268 if (arg == NULL || (port = a2port(arg)) <= 0)
ea46e550 1269 fatal("%s line %d: bad port number in "
1270 "PermitOpen", filename, linenum);
75b6d52c 1271 if (*activep && n == -1)
ea46e550 1272 options->num_permitted_opens =
1273 channel_add_adm_permitted_opens(p, port);
ea46e550 1274 }
2fefbadf 1275 break;
1276
e7259e8d 1277 case sForceCommand:
1278 if (cp == NULL)
1279 fatal("%.200s line %d: Missing argument.", filename,
1280 linenum);
1281 len = strspn(cp, WHITESPACE);
1282 if (*activep && options->adm_forced_command == NULL)
1283 options->adm_forced_command = xstrdup(cp + len);
1284 return 0;
1285
db49deeb 1286 case sChrootDirectory:
1287 charptr = &options->chroot_directory;
c5bf32e6 1288
1289 arg = strdelim(&cp);
1290 if (!arg || *arg == '\0')
1291 fatal("%s line %d: missing file name.",
1292 filename, linenum);
1293 if (*activep && *charptr == NULL)
1294 *charptr = xstrdup(arg);
1295 break;
db49deeb 1296
2717fa0f 1297 case sDeprecated:
bbe88b6d 1298 logit("%s line %d: Deprecated option %s",
2717fa0f 1299 filename, linenum, arg);
1300 while (arg)
1301 arg = strdelim(&cp);
1302 break;
1303
a2144546 1304 case sUnsupported:
1305 logit("%s line %d: Unsupported option %s",
1306 filename, linenum, arg);
1307 while (arg)
1308 arg = strdelim(&cp);
1309 break;
1310
2717fa0f 1311 default:
1312 fatal("%s line %d: Missing handler for opcode %s (%d)",
1313 filename, linenum, arg, opcode);
1314 }
1315 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1316 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1317 filename, linenum, arg);
1318 return 0;
1319}
089fbbd2 1320
2717fa0f 1321/* Reads the server configuration file. */
5c53a31e 1322
/*
 * Reads the server configuration file `filename` into `conf`.
 *
 * `conf` is cleared and refilled with the file's text after comments have
 * been removed and leading blanks stripped.  Newlines are preserved (a '#'
 * comment is replaced by a bare newline) so that the parser can reproduce
 * the original line numbers in its error messages; a trailing NUL is
 * appended so the buffer contents can be used as a C string.
 *
 * There is no error return: when the file cannot be opened the failure is
 * reported with perror() and the process exits with status 1.
 *
 * NOTE(review): fgets() delivers a line longer than sizeof(line) - 1 in
 * several pieces and each piece is trimmed on its own, so leading blanks
 * of a continuation piece are dropped — confirm this is acceptable.
 */
void
load_server_config(const char *filename, Buffer *conf)
{
	char line[1024], *hash, *start;
	FILE *fp;

	debug2("%s: filename %s", __func__, filename);
	fp = fopen(filename, "r");
	if (fp == NULL) {
		perror(filename);
		exit(1);
	}
	buffer_clear(conf);
	for (;;) {
		if (fgets(line, sizeof(line), fp) == NULL)
			break;
		/* Cut the line at the first '#', keeping a newline in place. */
		hash = strchr(line, '#');
		if (hash != NULL)
			memcpy(hash, "\n", 2);
		/* Drop leading blanks before appending. */
		start = line + strspn(line, " \t\r");
		buffer_append(conf, start, strlen(start));
	}
	/* Terminate so the buffer can be read back as a C string. */
	buffer_append(conf, "\0", 1);
	fclose(fp);
	debug2("%s: done config len = %d", __func__, buffer_len(conf));
}
1351
/*
 * Re-parses the already loaded configuration text (`cfg`) now that the
 * connecting user, host and address are known, so that Match blocks can be
 * evaluated, and merges what they set into `options`.
 *
 * The parse runs on a fresh, default-initialized ServerOptions; only values
 * that the matching blocks actually set are then copied over (see
 * copy_set_server_options()).  preauth is 0, so strings such as the forced
 * command and chroot directory are copied as well.
 */
void
parse_server_match_config(ServerOptions *options, const char *user,
    const char *host, const char *address)
{
	ServerOptions match_opts;

	initialize_server_options(&match_opts);
	parse_server_config(&match_opts, "reprocess config", &cfg,
	    user, host, address);
	copy_set_server_options(options, &match_opts, 0);
}
1362
/*
 * Helpers for copy_set_server_options(): an integer option counts as set
 * when it is not -1, a string option when it is not NULL.  A string copy
 * frees the destination's previous value and then takes over the source
 * pointer itself (no duplication), so src and dst alias the same string
 * afterwards.
 */
static void
copy_int_option(int *dst, int src)
{
	if (src != -1)
		*dst = src;
}

static void
copy_str_option(char **dst, char *src)
{
	if (src == NULL)
		return;
	if (*dst != NULL)
		xfree(*dst);
	*dst = src;
}

/*
 * Copy any supported values that are set.
 *
 * If the preauth flag is set, we do not bother copying the string or
 * array values that are not used pre-authentication, because any that we
 * do use must be explicitly sent in mm_getpwnamallow().
 *
 * Because string options are moved rather than duplicated, the caller must
 * not free them through `src` after this returns.
 */
void
copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
{
	/* authentication methods and login policy */
	copy_int_option(&dst->password_authentication,
	    src->password_authentication);
	copy_int_option(&dst->gss_authentication, src->gss_authentication);
	copy_int_option(&dst->rsa_authentication, src->rsa_authentication);
	copy_int_option(&dst->pubkey_authentication,
	    src->pubkey_authentication);
	copy_int_option(&dst->kerberos_authentication,
	    src->kerberos_authentication);
	copy_int_option(&dst->hostbased_authentication,
	    src->hostbased_authentication);
	copy_int_option(&dst->kbd_interactive_authentication,
	    src->kbd_interactive_authentication);
	copy_int_option(&dst->zero_knowledge_password_authentication,
	    src->zero_knowledge_password_authentication);
	copy_int_option(&dst->permit_root_login, src->permit_root_login);
	copy_int_option(&dst->permit_empty_passwd, src->permit_empty_passwd);

	/* forwarding, X11 and session limits */
	copy_int_option(&dst->allow_tcp_forwarding,
	    src->allow_tcp_forwarding);
	copy_int_option(&dst->allow_agent_forwarding,
	    src->allow_agent_forwarding);
	copy_int_option(&dst->gateway_ports, src->gateway_ports);
	copy_int_option(&dst->x11_display_offset, src->x11_display_offset);
	copy_int_option(&dst->x11_forwarding, src->x11_forwarding);
	copy_int_option(&dst->x11_use_localhost, src->x11_use_localhost);
	copy_int_option(&dst->max_sessions, src->max_sessions);
	copy_int_option(&dst->max_authtries, src->max_authtries);

	/* strings: only the banner is needed before authentication */
	copy_str_option(&dst->banner, src->banner);
	if (preauth)
		return;
	copy_str_option(&dst->adm_forced_command, src->adm_forced_command);
	copy_str_option(&dst->chroot_directory, src->chroot_directory);
}
1415
/*
 * Parses the configuration text in `conf` (as produced by
 * load_server_config()) line by line into `options`.
 *
 * `user`, `host` and `address` describe the connection being matched.  When
 * `user` is NULL (the initial parse) every line is active until a Match
 * directive is reached; otherwise lines start out inactive and only those
 * inside a Match block that matches apply.  `filename` is used only in
 * diagnostics.
 *
 * Bad lines are counted rather than aborting immediately; once the whole
 * buffer has been processed a non-zero count is fatal.
 */
void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
    const char *user, const char *host, const char *address)
{
	char *text, *rest, *line;
	int active, rc, linenum = 1, bad_options = 0;

	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));

	/* strsep() writes into its input, so work on a private copy. */
	text = rest = xstrdup(buffer_ptr(conf));
	active = (user == NULL);
	for (line = strsep(&rest, "\n"); line != NULL;
	    line = strsep(&rest, "\n")) {
		rc = process_server_config_line(options, line, filename,
		    linenum, &active, user, host, address);
		linenum++;
		if (rc != 0)
			bad_options++;
	}
	xfree(text);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}
1760c982 1438
/*
 * Renders an integer option value as the keyword that would set it in the
 * configuration file.
 *
 * Options with their own vocabulary (AddressFamily, PermitRootLogin,
 * Protocol, and the extra GatewayPorts and Compression values) are handled
 * first; any value not named there falls back to the generic mapping of
 * -1/0/1 to "unset"/"no"/"yes".  Anything else yields "UNKNOWN".
 */
static const char *
fmt_intarg(ServerOpCodes code, int val)
{
	switch (code) {
	case sAddressFamily:
		if (val == AF_INET)
			return "inet";
		if (val == AF_INET6)
			return "inet6";
		if (val == AF_UNSPEC)
			return "any";
		return "UNKNOWN";
	case sPermitRootLogin:
		/* other values (PERMIT_NO, unset) use the generic mapping */
		if (val == PERMIT_NO_PASSWD)
			return "without-password";
		if (val == PERMIT_FORCED_ONLY)
			return "forced-commands-only";
		if (val == PERMIT_YES)
			return "yes";
		break;
	case sProtocol:
		if (val == SSH_PROTO_1)
			return "1";
		if (val == SSH_PROTO_2)
			return "2";
		if (val == (SSH_PROTO_1|SSH_PROTO_2))
			return "2,1";
		return "UNKNOWN";
	case sGatewayPorts:
		if (val == 2)
			return "clientspecified";
		break;
	case sCompression:
		if (val == COMP_DELAYED)
			return "delayed";
		break;
	default:
		break;
	}
	if (val == -1)
		return "unset";
	if (val == 0)
		return "no";
	if (val == 1)
		return "yes";
	return "UNKNOWN";
}
1490
/*
 * Returns the configuration keyword for `code` by scanning the keywords
 * table (terminated by an entry with a NULL name), or "UNKNOWN" when no
 * entry carries that opcode.
 */
static const char *
lookup_opcode_name(ServerOpCodes code)
{
	const char *name = "UNKNOWN";
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (keywords[idx].opcode == code) {
			name = keywords[idx].name;
			break;
		}
		idx++;
	}
	return name;
}
1501
/* Prints an integer-valued option as "<keyword> <value>" on stdout. */
static void
dump_cfg_int(ServerOpCodes code, int val)
{
	const char *name = lookup_opcode_name(code);

	printf("%s %d\n", name, val);
}
1507
/*
 * Prints an integer-valued option as "<keyword> <name>", where the value is
 * rendered through fmt_intarg() (e.g. yes/no/unset).
 */
static void
dump_cfg_fmtint(ServerOpCodes code, int val)
{
	const char *name = lookup_opcode_name(code);
	const char *text = fmt_intarg(code, val);

	printf("%s %s\n", name, text);
}
1513
/*
 * Prints a string option as "<keyword> <value>".  An unset option (NULL)
 * produces no output at all.
 */
static void
dump_cfg_string(ServerOpCodes code, const char *val)
{
	if (val != NULL)
		printf("%s %s\n", lookup_opcode_name(code), val);
}
1521
/*
 * Prints each of the `count` strings in `vals` on its own line as
 * "<keyword> <value>".  Nothing is printed when count is 0.
 */
static void
dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
{
	u_int idx = 0;

	while (idx < count) {
		printf("%s %s\n", lookup_opcode_name(code), vals[idx]);
		idx++;
	}
}
1530
/*
 * Prints the effective server configuration `o` to stdout, one directive
 * per line in configuration-file syntax.
 *
 * Output order matters for re-readability: ports are printed before
 * ListenAddress entries, and AddressFamily before them.  Listen addresses
 * are rendered numerically via getnameinfo(); a lookup failure is logged
 * with error() and that entry is skipped.  PermitTunnel is printed only
 * when the current value has an entry in tunmode_desc.
 */
void
dump_config(ServerOptions *o)
{
	u_int i;
	int ret;
	struct addrinfo *ai;
	char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;

	/* these are usually at the top of the config */
	for (i = 0; i < o->num_ports; i++)
		printf("port %d\n", o->ports[i]);
	dump_cfg_fmtint(sProtocol, o->protocol);
	dump_cfg_fmtint(sAddressFamily, o->address_family);

	/* ListenAddress must be after Port */
	for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
		/* numeric host/service only: no DNS lookups while dumping */
		if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
		    sizeof(addr), port, sizeof(port),
		    NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
			error("getnameinfo failed: %.100s",
			    (ret != EAI_SYSTEM) ? gai_strerror(ret) :
			    strerror(errno));
		} else {
			/* IPv6 literals are bracketed so the port is unambiguous */
			if (ai->ai_family == AF_INET6)
				printf("listenaddress [%s]:%s\n", addr, port);
			else
				printf("listenaddress %s:%s\n", addr, port);
		}
	}

	/* integer arguments */
#ifdef USE_PAM
	dump_cfg_int(sUsePAM, o->use_pam);
#endif
	dump_cfg_int(sServerKeyBits, o->server_key_bits);
	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
	dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
	dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
	dump_cfg_int(sMaxAuthTries, o->max_authtries);
	dump_cfg_int(sMaxSessions, o->max_sessions);
	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);

	/* formatted integer arguments (rendered as yes/no/unset etc.) */
	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
	dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
	dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
	dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
	dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
	dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
	    o->hostbased_uses_name_from_packet_only);
	dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
	dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
#ifdef KRB5
	dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
	dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
	dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
# ifdef USE_AFS
	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
# endif
#endif
#ifdef GSSAPI
	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
#endif
#ifdef JPAKE
	dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
	    o->zero_knowledge_password_authentication);
#endif
	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
	dump_cfg_fmtint(sKbdInteractiveAuthentication,
	    o->kbd_interactive_authentication);
	dump_cfg_fmtint(sChallengeResponseAuthentication,
	    o->challenge_response_authentication);
	dump_cfg_fmtint(sPrintMotd, o->print_motd);
	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
	dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
	dump_cfg_fmtint(sStrictModes, o->strict_modes);
	dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
	dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
	dump_cfg_fmtint(sUseLogin, o->use_login);
	dump_cfg_fmtint(sCompression, o->compression);
	dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
	dump_cfg_fmtint(sUseDNS, o->use_dns);
	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
	/* privilege separation lives in a file-scope global, not in `o` */
	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);

	/* string arguments (NULL values are omitted by dump_cfg_string) */
	dump_cfg_string(sPidFile, o->pid_file);
	dump_cfg_string(sXAuthLocation, o->xauth_location);
	dump_cfg_string(sCiphers, o->ciphers);
	dump_cfg_string(sMacs, o->macs);
	dump_cfg_string(sBanner, o->banner);
	dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
	dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
	dump_cfg_string(sForceCommand, o->adm_forced_command);
	dump_cfg_string(sChrootDirectory, o->chroot_directory);

	/* string arguments requiring a lookup */
	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
	dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));

	/* string array arguments */
	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
	    o->host_key_files);
	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);

	/* other arguments */
	for (i = 0; i < o->num_subsystems; i++)
		printf("subsystem %s %s\n", o->subsystem_name[i],
		    o->subsystem_args[i]);

	printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
	    o->max_startups_rate, o->max_startups);

	/* map permit_tun back to its keyword; s stays NULL if none matches */
	for (i = 0; tunmode_desc[i].val != -1; i++)
		if (tunmode_desc[i].val == o->permit_tun) {
			s = tunmode_desc[i].text;
			break;
		}
	dump_cfg_string(sPermitTunnel, s);

	/* PermitOpen entries are kept by the channels code, so it prints them */
	channel_print_adm_permitted_opens();
}