8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.119 2003/05/15 01:48:10 jakob Exp $");

#include <errno.h>
#include <limits.h>

#if defined(KRB4)
#include <krb.h>
#endif

#if defined(KRB5)
# ifdef HEIMDAL
# include <krb.h>
# else
/*
 * XXX: Bodge - but then, so is using the kerberos IV KEYFILE to get a
 * Kerberos V keytab
 */
# define KEYFILE "/etc/krb5.keytab"
# endif
#endif

#ifdef AFS
#include <kafs.h>
#endif

#include "ssh.h"
#include "log.h"
#include "servconf.h"
#include "xmalloc.h"
#include "compat.h"
#include "pathnames.h"
#include "tildexpand.h"
#include "misc.h"
#include "cipher.h"
#include "kex.h"
#include "mac.h"
42f11eb2 46
/*
 * Turn a ListenAddress (NULL = wildcard) plus port into getaddrinfo()
 * results chained onto options->listen_addrs; port 0 means "every
 * configured Port".  Both are fatal on a bad address.
 */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6 */
extern int IPv4or6;
/*
 * Use of privilege separation or not.  Deliberately kept outside
 * ServerOptions; the UsePrivilegeSeparation keyword writes it directly.
 */
extern int use_privsep;
42f11eb2 54
/*
 * Reset every server option to its "not yet set" value: -1 for integer
 * flags and counts, NULL for strings/lists, 0 for the array counters, and
 * the dedicated NOT_SET/UNKNOWN sentinel for the enumerations.
 * fill_default_server_options() later replaces whatever the configuration
 * file and the command line leave untouched, so a field that is not reset
 * here would never receive its default.
 */
void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->use_pam = -1;

	/* Listening sockets, host keys and protocol selection */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->key_regeneration_time = -1;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->ciphers = NULL;
	options->macs = NULL;

	/* Authentication policy */
	options->login_grace_time = -1;
	options->permit_root_login = PERMIT_NOT_SET;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
	options->kerberos_tgt_passing = -1;
	options->afs_token_passing = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* User/group access lists (the arrays themselves are zeroed above) */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;

	/* Session behaviour */
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->strict_modes = -1;
	options->keepalives = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	options->gateway_ports = -1;
	options->num_subsystems = 0;
	options->banner = NULL;

	/* Logging, connection limits and liveness checks */
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->verify_reverse_mapping = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;

	/* Needs to be accessable in many places */
	use_privsep = -1;
}
128
/* Store value into *field only while it still holds the -1 "unset" sentinel. */
static void
set_if_unset(int *field, int value)
{
	if (*field == -1)
		*field = value;
}

/*
 * Supply built-in defaults for everything the configuration file and the
 * command line left untouched.  Order matters in three places: the host key
 * defaults depend on the protocol setting, the MaxStartups start threshold
 * defaults to the full limit, and AuthorizedKeysFile2 falls back to an
 * explicitly configured AuthorizedKeysFile before either receives its
 * built-in path.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	set_if_unset(&options->use_pam, 0);

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;

	/* Protocol 1 ephemeral server key size and regeneration interval. */
	set_if_unset(&options->server_key_bits, 768);
	set_if_unset(&options->key_regeneration_time, 3600);

	/*
	 * Authentication policy.  NOTE(review): the built-in defaults let
	 * root log in (PermitRootLogin yes, as opposed to "without-password")
	 * and enable password authentication; hardened deployments are
	 * expected to override both in sshd_config.
	 */
	set_if_unset(&options->login_grace_time, 120);
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	set_if_unset(&options->ignore_rhosts, 1);
	set_if_unset(&options->ignore_user_known_hosts, 0);
	set_if_unset(&options->rhosts_authentication, 0);
	set_if_unset(&options->rhosts_rsa_authentication, 0);
	set_if_unset(&options->hostbased_authentication, 0);
	set_if_unset(&options->hostbased_uses_name_from_packet_only, 0);
	set_if_unset(&options->rsa_authentication, 1);
	set_if_unset(&options->pubkey_authentication, 1);
	set_if_unset(&options->kerberos_authentication, 0);
	set_if_unset(&options->kerberos_or_local_passwd, 1);
	set_if_unset(&options->kerberos_ticket_cleanup, 1);
	set_if_unset(&options->kerberos_tgt_passing, 0);
	set_if_unset(&options->afs_token_passing, 0);
	set_if_unset(&options->password_authentication, 1);
	set_if_unset(&options->kbd_interactive_authentication, 0);
	set_if_unset(&options->challenge_response_authentication, 1);
	set_if_unset(&options->permit_empty_passwd, 0);

	/* Session behaviour */
	set_if_unset(&options->print_motd, 1);
	set_if_unset(&options->print_lastlog, 1);
	set_if_unset(&options->x11_forwarding, 0);
	set_if_unset(&options->x11_display_offset, 10);
	set_if_unset(&options->x11_use_localhost, 1);
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	set_if_unset(&options->strict_modes, 1);
	set_if_unset(&options->keepalives, 1);
	set_if_unset(&options->permit_user_env, 0);
	set_if_unset(&options->use_login, 0);
	set_if_unset(&options->compression, 1);
	set_if_unset(&options->allow_tcp_forwarding, 1);
	set_if_unset(&options->gateway_ports, 0);

	/* Logging */
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;

	/*
	 * Connection limits: max_startups must be settled before
	 * max_startups_begin copies it.
	 */
	set_if_unset(&options->max_startups, 10);
	set_if_unset(&options->max_startups_rate, 100);	/* 100% */
	set_if_unset(&options->max_startups_begin, options->max_startups);
	set_if_unset(&options->verify_reverse_mapping, 0);
	set_if_unset(&options->client_alive_interval, 0);
	set_if_unset(&options->client_alive_count_max, 3);

	/* authorized_keys_file2 falls back to authorized_keys_file */
	if (options->authorized_keys_file2 == NULL) {
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	set_if_unset(&use_privsep, 1);

#ifndef HAVE_MMAP
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif
}
265
/*
 * Keyword tokens: one per recognised sshd_config directive.  sBadOption is
 * what parse_token() returns for an unknown keyword and sDeprecated marks
 * keywords that are still accepted but ignored (see keywords[] below).
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosTgtPassing, sAFSTokenPassing, sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,
	sDeprecated
} ServerOpCodes;
291
/*
 * Textual representation of the tokens.  parse_token() matches these with
 * strcasecmp(), so the mixed-case "UsePAM" spelling is cosmetic; the entries
 * marked "alias" keep older keyword names working by mapping them onto the
 * same opcode.  The table is NULL-terminated.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
	{ "UsePAM", sUsePAM },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },		/* alias */
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
	{ "kerberostgtpassing", sKerberosTgtPassing },
	{ "afstokenpassing", sAFSTokenPassing },
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },			/* accepted and ignored */
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "verifyreversemapping", sVerifyReverseMapping },
	{ "reversemappingcheck", sVerifyReverseMapping },	/* alias */
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ NULL, sBadOption }
};
363
/*
 * Look up a configuration keyword (case-insensitively) in keywords[] and
 * return its opcode.  An unknown keyword is logged with error() together
 * with the file name and line number and yields sBadOption; the caller
 * decides whether that is fatal.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
382
/*
 * Register a listen address.  A port of 0 means "on every configured Port",
 * which is why Port lines must precede ListenAddress lines; if no Port has
 * been configured yet the default port is used.  addr may be NULL for the
 * wildcard address.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
396
/*
 * Resolve addr:port with getaddrinfo() (AI_PASSIVE for a NULL addr, i.e.
 * the wildcard address; the family is governed by the global IPv4or6) and
 * prepend the resulting list to options->listen_addrs.  An unresolvable
 * address is fatal.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *tail;
	char portstr[NI_MAXSERV];
	int rc;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	snprintf(portstr, sizeof portstr, "%u", port);

	rc = getaddrinfo(addr, portstr, &hints, &res);
	if (rc != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(rc));

	/* Find the end of the new list and splice the existing one after it. */
	tail = res;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
418
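/*
 * Convert one decimal integer option argument.  atoi() would silently turn
 * a typo such as "ServerKeyBits 76B" or "ClientAliveCountMax three" into 0;
 * instead reject anything that is not a complete, int-sized number.
 * Only returns on success: a bad value is a fatal configuration error.
 */
static int
parse_int_arg(const char *arg, const char *filename, int linenum)
{
	char *endp;
	long lval;

	errno = 0;
	lval = strtol(arg, &endp, 10);
	if (endp == arg || *endp != '\0')
		fatal("%s line %d: invalid integer value '%s'.",
		    filename, linenum, arg);
	if (errno == ERANGE || lval < INT_MIN || lval > INT_MAX)
		fatal("%s line %d: integer value out of range '%s'.",
		    filename, linenum, arg);
	return (int)lval;
}

/*
 * Process one line of sshd_config.  The line is tokenized in place by
 * strdelim().  Returns 0 on success (blank and comment lines included) and
 * -1 for an unknown keyword, which parse_token() has already logged;
 * malformed arguments are fatal.
 *
 * Most options are "first value wins": a field is only written while it
 * still holds its unset sentinel (-1, NULL, SSH_PROTO_UNKNOWN), so a value
 * set before the file is read (presumably the command line, cf.
 * ports_from_cmdline) is not overridden and a duplicated keyword keeps its
 * first value.  List options (HostKey, AllowUsers, Subsystem, ...)
 * accumulate instead, and MaxStartups overwrites.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p;
	int *intptr, value, i, n;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sUsePAM:
		intptr = &options->use_pam;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/* ListenAddress without a port is expanded over the port list */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		value = parse_int_arg(arg, filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			/*
			 * "[v6addr]" or "[v6addr]:port": drop the brackets by
			 * shifting the tail down over the ']', which leaves p
			 * on whatever followed it (':' or end of string).
			 */
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			/*
			 * No colon at all, or two or more (a bare IPv6
			 * literal): there is no port part.
			 */
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		/*
		 * Append: the slot at num_host_key_files is still NULL, so
		 * parse_filename fills it and bumps the counter.
		 */
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;

	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;

	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;

	case sAFSTokenPassing:
		intptr = &options->afs_token_passing;
		goto parse_flag;

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sVerifyReverseMapping:
		intptr = &options->verify_reverse_mapping;
		goto parse_flag;

	case sLogFacility:
		/* log_facility_number() maps a missing/unknown name to NOT_SET */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		/* Global, not a ServerOptions field; see the extern above. */
		intptr = &use_privsep;
		goto parse_flag;

	/* The four access lists accumulate across repeated keywords. */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal("%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		/*
		 * Unlike the other options this writes straight into the
		 * option fields, so a later MaxStartups line overrides an
		 * earlier one instead of being ignored.
		 */
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		/*
		 * sscanf() happily accepts "0" or "-5".  A non-positive
		 * connection count is never a useful limit (it would
		 * presumably make the unauthenticated-connection limiter in
		 * sshd refuse everything), so reject it here.
		 */
		if (options->max_startups_begin <= 0 ||
		    options->max_startups <= 0)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		/* Log once, then swallow the rest of the line. */
		logit("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Anything left after the option's own arguments is an error. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}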
089fbbd2 903
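/*
 * Read the server configuration file.  Each line is handed to
 * process_server_config_line(); unknown keywords are counted and reported
 * together at the end, while malformed arguments are fatal immediately.
 * A file that cannot be opened terminates the program.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	int linenum, bad_options = 0;
	char line[1024];
	size_t len;
	FILE *f;

	debug2("read_server_config: filename %s", filename);
	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * fgets() hands back an over-long line in pieces.  Silently
		 * accepting that would truncate the directive and then feed
		 * its tail to the parser as a separate line (for AllowUsers/
		 * DenyUsers that drops entries), so treat a line that fills
		 * the buffer without a newline as an error - unless it is the
		 * final line of the file, which may legitimately lack one.
		 */
		len = strlen(line);
		if (len == sizeof(line) - 1 && line[len - 1] != '\n' &&
		    fgetc(f) != EOF)
			fatal("%s line %d: line too long (max %lu characters).",
			    filename, linenum,
			    (unsigned long)(sizeof(line) - 2));
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}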