]> andersk Git - openssh.git/blame - servconf.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- stevesk@cvs.openbsd.org 2002/03/20 19:12:25
[openssh.git] / servconf.c
CommitLineData
8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
2ea6de2b 13RCSID("$OpenBSD: servconf.c,v 1.105 2002/03/20 19:12:24 stevesk Exp $");
42f11eb2 14
46d738cd 15#if defined(KRB4) || defined(KRB5)
42f11eb2 16#include <krb.h>
17#endif
83f46621 18#ifdef AFS
19#include <kafs.h>
20#endif
8efc0c15 21
22#include "ssh.h"
42f11eb2 23#include "log.h"
8efc0c15 24#include "servconf.h"
25#include "xmalloc.h"
a8be9f80 26#include "compat.h"
42f11eb2 27#include "pathnames.h"
28#include "tildexpand.h"
29#include "misc.h"
30#include "cipher.h"
b2552997 31#include "kex.h"
32#include "mac.h"
42f11eb2 33
396c147e 34static void add_listen_addr(ServerOptions *, char *, u_short);
35static void add_one_listen_addr(ServerOptions *, char *, u_short);
48e671d5 36
42f11eb2 37/* AF_UNSPEC or AF_INET or AF_INET6 */
38extern int IPv4or6;
1853d1ef 39/* Use of privilege separation or not */
40extern int use_privsep;
42f11eb2 41
8efc0c15 42/* Initializes the server options to their default values. */
43
6ae2364d 44void
5260325f 45initialize_server_options(ServerOptions *options)
8efc0c15 46{
5260325f 47 memset(options, 0, sizeof(*options));
e15895cd 48
49 /* Portable-specific options */
50 options->pam_authentication_via_kbd_int = -1;
51
52 /* Standard Options */
48e671d5 53 options->num_ports = 0;
54 options->ports_from_cmdline = 0;
55 options->listen_addrs = NULL;
fa08c86b 56 options->num_host_key_files = 0;
0fbe8c74 57 options->pid_file = NULL;
5260325f 58 options->server_key_bits = -1;
59 options->login_grace_time = -1;
60 options->key_regeneration_time = -1;
15853e93 61 options->permit_root_login = PERMIT_NOT_SET;
5260325f 62 options->ignore_rhosts = -1;
63 options->ignore_user_known_hosts = -1;
64 options->print_motd = -1;
4f4648f9 65 options->print_lastlog = -1;
5260325f 66 options->x11_forwarding = -1;
67 options->x11_display_offset = -1;
e6e573bd 68 options->x11_use_localhost = -1;
fa649821 69 options->xauth_location = NULL;
5260325f 70 options->strict_modes = -1;
71 options->keepalives = -1;
5eaf8578 72 options->log_facility = SYSLOG_FACILITY_NOT_SET;
73 options->log_level = SYSLOG_LEVEL_NOT_SET;
5260325f 74 options->rhosts_authentication = -1;
75 options->rhosts_rsa_authentication = -1;
8002af61 76 options->hostbased_authentication = -1;
77 options->hostbased_uses_name_from_packet_only = -1;
5260325f 78 options->rsa_authentication = -1;
fa08c86b 79 options->pubkey_authentication = -1;
ced49be2 80#if defined(KRB4) || defined(KRB5)
5260325f 81 options->kerberos_authentication = -1;
82 options->kerberos_or_local_passwd = -1;
83 options->kerberos_ticket_cleanup = -1;
8efc0c15 84#endif
ced49be2 85#if defined(AFS) || defined(KRB5)
5260325f 86 options->kerberos_tgt_passing = -1;
ced49be2 87#endif
88#ifdef AFS
5260325f 89 options->afs_token_passing = -1;
8efc0c15 90#endif
5260325f 91 options->password_authentication = -1;
94ec8c6b 92 options->kbd_interactive_authentication = -1;
5ba55ada 93 options->challenge_response_authentication = -1;
5260325f 94 options->permit_empty_passwd = -1;
95 options->use_login = -1;
33de75a3 96 options->allow_tcp_forwarding = -1;
5260325f 97 options->num_allow_users = 0;
98 options->num_deny_users = 0;
99 options->num_allow_groups = 0;
100 options->num_deny_groups = 0;
a8be9f80 101 options->ciphers = NULL;
b2552997 102 options->macs = NULL;
a8be9f80 103 options->protocol = SSH_PROTO_UNKNOWN;
1d1ffb87 104 options->gateway_ports = -1;
38c295d6 105 options->num_subsystems = 0;
c345cf9d 106 options->max_startups_begin = -1;
107 options->max_startups_rate = -1;
089fbbd2 108 options->max_startups = -1;
eea39c02 109 options->banner = NULL;
bf4c5edc 110 options->verify_reverse_mapping = -1;
3ffc6336 111 options->client_alive_interval = -1;
112 options->client_alive_count_max = -1;
c8445989 113 options->authorized_keys_file = NULL;
114 options->authorized_keys_file2 = NULL;
1853d1ef 115
1853d1ef 116 /* Needs to be accessable in many places */
117 use_privsep = -1;
8efc0c15 118}
119
6ae2364d 120void
5260325f 121fill_default_server_options(ServerOptions *options)
8efc0c15 122{
e15895cd 123 /* Portable-specific options */
124 if (options->pam_authentication_via_kbd_int == -1)
125 options->pam_authentication_via_kbd_int = 0;
126
127 /* Standard Options */
fa08c86b 128 if (options->protocol == SSH_PROTO_UNKNOWN)
129 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
130 if (options->num_host_key_files == 0) {
131 /* fill default hostkeys for protocols */
132 if (options->protocol & SSH_PROTO_1)
0f84fe37 133 options->host_key_files[options->num_host_key_files++] =
134 _PATH_HOST_KEY_FILE;
135 if (options->protocol & SSH_PROTO_2) {
136 options->host_key_files[options->num_host_key_files++] =
137 _PATH_HOST_RSA_KEY_FILE;
138 options->host_key_files[options->num_host_key_files++] =
139 _PATH_HOST_DSA_KEY_FILE;
140 }
fa08c86b 141 }
48e671d5 142 if (options->num_ports == 0)
143 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
144 if (options->listen_addrs == NULL)
2d2a2c65 145 add_listen_addr(options, NULL, 0);
0fbe8c74 146 if (options->pid_file == NULL)
42f11eb2 147 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
5260325f 148 if (options->server_key_bits == -1)
149 options->server_key_bits = 768;
150 if (options->login_grace_time == -1)
151 options->login_grace_time = 600;
152 if (options->key_regeneration_time == -1)
153 options->key_regeneration_time = 3600;
15853e93 154 if (options->permit_root_login == PERMIT_NOT_SET)
155 options->permit_root_login = PERMIT_YES;
5260325f 156 if (options->ignore_rhosts == -1)
c8d54615 157 options->ignore_rhosts = 1;
5260325f 158 if (options->ignore_user_known_hosts == -1)
159 options->ignore_user_known_hosts = 0;
5260325f 160 if (options->print_motd == -1)
161 options->print_motd = 1;
4f4648f9 162 if (options->print_lastlog == -1)
163 options->print_lastlog = 1;
5260325f 164 if (options->x11_forwarding == -1)
c8d54615 165 options->x11_forwarding = 0;
5260325f 166 if (options->x11_display_offset == -1)
c8d54615 167 options->x11_display_offset = 10;
e6e573bd 168 if (options->x11_use_localhost == -1)
169 options->x11_use_localhost = 1;
fa649821 170 if (options->xauth_location == NULL)
fd9ede94 171 options->xauth_location = _PATH_XAUTH;
5260325f 172 if (options->strict_modes == -1)
173 options->strict_modes = 1;
174 if (options->keepalives == -1)
175 options->keepalives = 1;
5eaf8578 176 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
5260325f 177 options->log_facility = SYSLOG_FACILITY_AUTH;
5eaf8578 178 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
59c97189 179 options->log_level = SYSLOG_LEVEL_INFO;
5260325f 180 if (options->rhosts_authentication == -1)
181 options->rhosts_authentication = 0;
182 if (options->rhosts_rsa_authentication == -1)
c8d54615 183 options->rhosts_rsa_authentication = 0;
8002af61 184 if (options->hostbased_authentication == -1)
185 options->hostbased_authentication = 0;
186 if (options->hostbased_uses_name_from_packet_only == -1)
187 options->hostbased_uses_name_from_packet_only = 0;
5260325f 188 if (options->rsa_authentication == -1)
189 options->rsa_authentication = 1;
fa08c86b 190 if (options->pubkey_authentication == -1)
191 options->pubkey_authentication = 1;
ced49be2 192#if defined(KRB4) || defined(KRB5)
5260325f 193 if (options->kerberos_authentication == -1)
194 options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
195 if (options->kerberos_or_local_passwd == -1)
196 options->kerberos_or_local_passwd = 1;
197 if (options->kerberos_ticket_cleanup == -1)
198 options->kerberos_ticket_cleanup = 1;
ced49be2 199#endif
200#if defined(AFS) || defined(KRB5)
5260325f 201 if (options->kerberos_tgt_passing == -1)
202 options->kerberos_tgt_passing = 0;
ced49be2 203#endif
184eed6a 204#ifdef AFS
5260325f 205 if (options->afs_token_passing == -1)
206 options->afs_token_passing = k_hasafs();
ced49be2 207#endif
5260325f 208 if (options->password_authentication == -1)
209 options->password_authentication = 1;
94ec8c6b 210 if (options->kbd_interactive_authentication == -1)
211 options->kbd_interactive_authentication = 0;
5ba55ada 212 if (options->challenge_response_authentication == -1)
213 options->challenge_response_authentication = 1;
5260325f 214 if (options->permit_empty_passwd == -1)
c8d54615 215 options->permit_empty_passwd = 0;
5260325f 216 if (options->use_login == -1)
217 options->use_login = 0;
33de75a3 218 if (options->allow_tcp_forwarding == -1)
219 options->allow_tcp_forwarding = 1;
1d1ffb87 220 if (options->gateway_ports == -1)
221 options->gateway_ports = 0;
089fbbd2 222 if (options->max_startups == -1)
223 options->max_startups = 10;
c345cf9d 224 if (options->max_startups_rate == -1)
225 options->max_startups_rate = 100; /* 100% */
226 if (options->max_startups_begin == -1)
227 options->max_startups_begin = options->max_startups;
bf4c5edc 228 if (options->verify_reverse_mapping == -1)
229 options->verify_reverse_mapping = 0;
3ffc6336 230 if (options->client_alive_interval == -1)
184eed6a 231 options->client_alive_interval = 0;
3ffc6336 232 if (options->client_alive_count_max == -1)
233 options->client_alive_count_max = 3;
5df83e07 234 if (options->authorized_keys_file2 == NULL) {
235 /* authorized_keys_file2 falls back to authorized_keys_file */
236 if (options->authorized_keys_file != NULL)
237 options->authorized_keys_file2 = options->authorized_keys_file;
238 else
239 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
240 }
241 if (options->authorized_keys_file == NULL)
242 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
1853d1ef 243
244 /* Turn privilege separation _off_ by default */
245 if (use_privsep == -1)
246 use_privsep = 0;
8efc0c15 247}
248
8efc0c15 249/* Keyword tokens. */
5260325f 250typedef enum {
251 sBadOption, /* == unknown option */
e15895cd 252 /* Portable-specific options */
253 sPAMAuthenticationViaKbdInt,
254 /* Standard Options */
5260325f 255 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
256 sPermitRootLogin, sLogFacility, sLogLevel,
257 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
ced49be2 258#if defined(KRB4) || defined(KRB5)
5260325f 259 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
8efc0c15 260#endif
ced49be2 261#if defined(AFS) || defined(KRB5)
262 sKerberosTgtPassing,
263#endif
8efc0c15 264#ifdef AFS
ced49be2 265 sAFSTokenPassing,
8efc0c15 266#endif
d464095c 267 sChallengeResponseAuthentication,
94ec8c6b 268 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
4f4648f9 269 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e6e573bd 270 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
5c53a31e 271 sStrictModes, sEmptyPasswd, sKeepAlives,
33de75a3 272 sUseLogin, sAllowTcpForwarding,
273 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
b2552997 274 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
fa08c86b 275 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
bf4c5edc 276 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
184eed6a 277 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
c8445989 278 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
2ea6de2b 279 sUsePrivilegeSeparation,
2717fa0f 280 sDeprecated
8efc0c15 281} ServerOpCodes;
282
283/* Textual representation of the tokens. */
5260325f 284static struct {
285 const char *name;
286 ServerOpCodes opcode;
287} keywords[] = {
e15895cd 288 /* Portable-specific options */
289 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
290 /* Standard Options */
5260325f 291 { "port", sPort },
292 { "hostkey", sHostKeyFile },
fa08c86b 293 { "hostdsakey", sHostKeyFile }, /* alias */
2b87da3b 294 { "pidfile", sPidFile },
5260325f 295 { "serverkeybits", sServerKeyBits },
296 { "logingracetime", sLoginGraceTime },
297 { "keyregenerationinterval", sKeyRegenerationTime },
298 { "permitrootlogin", sPermitRootLogin },
299 { "syslogfacility", sLogFacility },
300 { "loglevel", sLogLevel },
301 { "rhostsauthentication", sRhostsAuthentication },
302 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
8002af61 303 { "hostbasedauthentication", sHostbasedAuthentication },
304 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
5260325f 305 { "rsaauthentication", sRSAAuthentication },
fa08c86b 306 { "pubkeyauthentication", sPubkeyAuthentication },
307 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
ced49be2 308#if defined(KRB4) || defined(KRB5)
5260325f 309 { "kerberosauthentication", sKerberosAuthentication },
310 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
311 { "kerberosticketcleanup", sKerberosTicketCleanup },
8efc0c15 312#endif
ced49be2 313#if defined(AFS) || defined(KRB5)
5260325f 314 { "kerberostgtpassing", sKerberosTgtPassing },
ced49be2 315#endif
316#ifdef AFS
5260325f 317 { "afstokenpassing", sAFSTokenPassing },
8efc0c15 318#endif
5260325f 319 { "passwordauthentication", sPasswordAuthentication },
94ec8c6b 320 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
d464095c 321 { "challengeresponseauthentication", sChallengeResponseAuthentication },
322 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
5c53a31e 323 { "checkmail", sDeprecated },
5260325f 324 { "listenaddress", sListenAddress },
325 { "printmotd", sPrintMotd },
4f4648f9 326 { "printlastlog", sPrintLastLog },
5260325f 327 { "ignorerhosts", sIgnoreRhosts },
328 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
329 { "x11forwarding", sX11Forwarding },
330 { "x11displayoffset", sX11DisplayOffset },
e6e573bd 331 { "x11uselocalhost", sX11UseLocalhost },
fa649821 332 { "xauthlocation", sXAuthLocation },
5260325f 333 { "strictmodes", sStrictModes },
334 { "permitemptypasswords", sEmptyPasswd },
335 { "uselogin", sUseLogin },
5260325f 336 { "keepalive", sKeepAlives },
33de75a3 337 { "allowtcpforwarding", sAllowTcpForwarding },
5260325f 338 { "allowusers", sAllowUsers },
339 { "denyusers", sDenyUsers },
340 { "allowgroups", sAllowGroups },
341 { "denygroups", sDenyGroups },
a8be9f80 342 { "ciphers", sCiphers },
b2552997 343 { "macs", sMacs },
a8be9f80 344 { "protocol", sProtocol },
1d1ffb87 345 { "gatewayports", sGatewayPorts },
38c295d6 346 { "subsystem", sSubsystem },
089fbbd2 347 { "maxstartups", sMaxStartups },
eea39c02 348 { "banner", sBanner },
bf4c5edc 349 { "verifyreversemapping", sVerifyReverseMapping },
350 { "reversemappingcheck", sVerifyReverseMapping },
3ffc6336 351 { "clientaliveinterval", sClientAliveInterval },
352 { "clientalivecountmax", sClientAliveCountMax },
c8445989 353 { "authorizedkeysfile", sAuthorizedKeysFile },
354 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
1853d1ef 355 { "useprivilegeseparation", sUsePrivilegeSeparation},
17a3011c 356 { NULL, sBadOption }
8efc0c15 357};
358
aa3378df 359/*
6be9a5e8 360 * Returns the number of the token pointed to by cp or sBadOption.
aa3378df 361 */
8efc0c15 362
6ae2364d 363static ServerOpCodes
5260325f 364parse_token(const char *cp, const char *filename,
365 int linenum)
8efc0c15 366{
1e3b8b07 367 u_int i;
8efc0c15 368
5260325f 369 for (i = 0; keywords[i].name; i++)
aa3378df 370 if (strcasecmp(cp, keywords[i].name) == 0)
5260325f 371 return keywords[i].opcode;
8efc0c15 372
b7c70970 373 error("%s: line %d: Bad configuration option: %s",
374 filename, linenum, cp);
5260325f 375 return sBadOption;
8efc0c15 376}
377
396c147e 378static void
2d2a2c65 379add_listen_addr(ServerOptions *options, char *addr, u_short port)
48e671d5 380{
48e671d5 381 int i;
382
383 if (options->num_ports == 0)
384 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
2d2a2c65 385 if (port == 0)
d11c1288 386 for (i = 0; i < options->num_ports; i++)
387 add_one_listen_addr(options, addr, options->ports[i]);
388 else
2d2a2c65 389 add_one_listen_addr(options, addr, port);
d11c1288 390}
391
396c147e 392static void
d11c1288 393add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
394{
395 struct addrinfo hints, *ai, *aitop;
396 char strport[NI_MAXSERV];
397 int gaierr;
398
399 memset(&hints, 0, sizeof(hints));
400 hints.ai_family = IPv4or6;
401 hints.ai_socktype = SOCK_STREAM;
402 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
403 snprintf(strport, sizeof strport, "%d", port);
404 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
405 fatal("bad addr or host: %s (%s)",
406 addr ? addr : "<NULL>",
407 gai_strerror(gaierr));
408 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
409 ;
410 ai->ai_next = options->listen_addrs;
411 options->listen_addrs = aitop;
48e671d5 412}
413
2717fa0f 414int
415process_server_config_line(ServerOptions *options, char *line,
416 const char *filename, int linenum)
8efc0c15 417{
d11c1288 418 char *cp, **charptr, *arg, *p;
2717fa0f 419 int *intptr, value;
5260325f 420 ServerOpCodes opcode;
97de229c 421 int i, n;
5260325f 422
2717fa0f 423 cp = line;
424 arg = strdelim(&cp);
425 /* Ignore leading whitespace */
426 if (*arg == '\0')
704b1659 427 arg = strdelim(&cp);
2717fa0f 428 if (!arg || !*arg || *arg == '#')
429 return 0;
430 intptr = NULL;
431 charptr = NULL;
432 opcode = parse_token(arg, filename, linenum);
433 switch (opcode) {
434 /* Portable-specific options */
435 case sPAMAuthenticationViaKbdInt:
436 intptr = &options->pam_authentication_via_kbd_int;
437 goto parse_flag;
48e671d5 438
2717fa0f 439 /* Standard Options */
440 case sBadOption:
441 return -1;
442 case sPort:
443 /* ignore ports from configfile if cmdline specifies ports */
444 if (options->ports_from_cmdline)
445 return 0;
446 if (options->listen_addrs != NULL)
447 fatal("%s line %d: ports must be specified before "
3a454b6a 448 "ListenAddress.", filename, linenum);
2717fa0f 449 if (options->num_ports >= MAX_PORTS)
450 fatal("%s line %d: too many ports.",
451 filename, linenum);
452 arg = strdelim(&cp);
453 if (!arg || *arg == '\0')
454 fatal("%s line %d: missing port number.",
455 filename, linenum);
456 options->ports[options->num_ports++] = a2port(arg);
457 if (options->ports[options->num_ports-1] == 0)
458 fatal("%s line %d: Badly formatted port number.",
459 filename, linenum);
460 break;
461
462 case sServerKeyBits:
463 intptr = &options->server_key_bits;
5260325f 464parse_int:
2717fa0f 465 arg = strdelim(&cp);
466 if (!arg || *arg == '\0')
467 fatal("%s line %d: missing integer value.",
468 filename, linenum);
469 value = atoi(arg);
470 if (*intptr == -1)
471 *intptr = value;
472 break;
473
474 case sLoginGraceTime:
475 intptr = &options->login_grace_time;
e2b1fb42 476parse_time:
2717fa0f 477 arg = strdelim(&cp);
478 if (!arg || *arg == '\0')
479 fatal("%s line %d: missing time value.",
480 filename, linenum);
481 if ((value = convtime(arg)) == -1)
482 fatal("%s line %d: invalid time value.",
483 filename, linenum);
484 if (*intptr == -1)
485 *intptr = value;
486 break;
487
488 case sKeyRegenerationTime:
489 intptr = &options->key_regeneration_time;
490 goto parse_time;
491
492 case sListenAddress:
493 arg = strdelim(&cp);
494 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
495 fatal("%s line %d: missing inet addr.",
496 filename, linenum);
497 if (*arg == '[') {
498 if ((p = strchr(arg, ']')) == NULL)
499 fatal("%s line %d: bad ipv6 inet addr usage.",
e2b1fb42 500 filename, linenum);
2717fa0f 501 arg++;
502 memmove(p, p+1, strlen(p+1)+1);
503 } else if (((p = strchr(arg, ':')) == NULL) ||
504 (strchr(p+1, ':') != NULL)) {
505 add_listen_addr(options, arg, 0);
e2b1fb42 506 break;
2717fa0f 507 }
508 if (*p == ':') {
509 u_short port;
5260325f 510
2717fa0f 511 p++;
512 if (*p == '\0')
513 fatal("%s line %d: bad inet addr:port usage.",
48e671d5 514 filename, linenum);
2717fa0f 515 else {
516 *(p-1) = '\0';
517 if ((port = a2port(p)) == 0)
518 fatal("%s line %d: bad port number.",
d11c1288 519 filename, linenum);
2717fa0f 520 add_listen_addr(options, arg, port);
d11c1288 521 }
2717fa0f 522 } else if (*p == '\0')
523 add_listen_addr(options, arg, 0);
524 else
525 fatal("%s line %d: bad inet addr usage.",
526 filename, linenum);
527 break;
528
529 case sHostKeyFile:
530 intptr = &options->num_host_key_files;
531 if (*intptr >= MAX_HOSTKEYS)
532 fatal("%s line %d: too many host keys specified (max %d).",
533 filename, linenum, MAX_HOSTKEYS);
534 charptr = &options->host_key_files[*intptr];
fa649821 535parse_filename:
2717fa0f 536 arg = strdelim(&cp);
537 if (!arg || *arg == '\0')
538 fatal("%s line %d: missing file name.",
539 filename, linenum);
540 if (*charptr == NULL) {
541 *charptr = tilde_expand_filename(arg, getuid());
542 /* increase optional counter */
543 if (intptr != NULL)
544 *intptr = *intptr + 1;
545 }
546 break;
0fbe8c74 547
2717fa0f 548 case sPidFile:
549 charptr = &options->pid_file;
550 goto parse_filename;
5260325f 551
2717fa0f 552 case sPermitRootLogin:
553 intptr = &options->permit_root_login;
554 arg = strdelim(&cp);
555 if (!arg || *arg == '\0')
556 fatal("%s line %d: missing yes/"
557 "without-password/forced-commands-only/no "
558 "argument.", filename, linenum);
559 value = 0; /* silence compiler */
560 if (strcmp(arg, "without-password") == 0)
561 value = PERMIT_NO_PASSWD;
562 else if (strcmp(arg, "forced-commands-only") == 0)
563 value = PERMIT_FORCED_ONLY;
564 else if (strcmp(arg, "yes") == 0)
565 value = PERMIT_YES;
566 else if (strcmp(arg, "no") == 0)
567 value = PERMIT_NO;
568 else
569 fatal("%s line %d: Bad yes/"
570 "without-password/forced-commands-only/no "
571 "argument: %s", filename, linenum, arg);
572 if (*intptr == -1)
573 *intptr = value;
574 break;
575
576 case sIgnoreRhosts:
577 intptr = &options->ignore_rhosts;
5260325f 578parse_flag:
2717fa0f 579 arg = strdelim(&cp);
580 if (!arg || *arg == '\0')
581 fatal("%s line %d: missing yes/no argument.",
582 filename, linenum);
583 value = 0; /* silence compiler */
584 if (strcmp(arg, "yes") == 0)
585 value = 1;
586 else if (strcmp(arg, "no") == 0)
587 value = 0;
588 else
589 fatal("%s line %d: Bad yes/no argument: %s",
590 filename, linenum, arg);
591 if (*intptr == -1)
592 *intptr = value;
593 break;
594
595 case sIgnoreUserKnownHosts:
596 intptr = &options->ignore_user_known_hosts;
597 goto parse_flag;
598
599 case sRhostsAuthentication:
600 intptr = &options->rhosts_authentication;
601 goto parse_flag;
602
603 case sRhostsRSAAuthentication:
604 intptr = &options->rhosts_rsa_authentication;
605 goto parse_flag;
606
607 case sHostbasedAuthentication:
608 intptr = &options->hostbased_authentication;
609 goto parse_flag;
610
611 case sHostbasedUsesNameFromPacketOnly:
612 intptr = &options->hostbased_uses_name_from_packet_only;
613 goto parse_flag;
614
615 case sRSAAuthentication:
616 intptr = &options->rsa_authentication;
617 goto parse_flag;
618
619 case sPubkeyAuthentication:
620 intptr = &options->pubkey_authentication;
621 goto parse_flag;
622#if defined(KRB4) || defined(KRB5)
623 case sKerberosAuthentication:
624 intptr = &options->kerberos_authentication;
625 goto parse_flag;
5260325f 626
2717fa0f 627 case sKerberosOrLocalPasswd:
628 intptr = &options->kerberos_or_local_passwd;
629 goto parse_flag;
5260325f 630
2717fa0f 631 case sKerberosTicketCleanup:
632 intptr = &options->kerberos_ticket_cleanup;
633 goto parse_flag;
634#endif
635#if defined(AFS) || defined(KRB5)
636 case sKerberosTgtPassing:
637 intptr = &options->kerberos_tgt_passing;
638 goto parse_flag;
639#endif
640#ifdef AFS
641 case sAFSTokenPassing:
642 intptr = &options->afs_token_passing;
643 goto parse_flag;
644#endif
5260325f 645
2717fa0f 646 case sPasswordAuthentication:
647 intptr = &options->password_authentication;
648 goto parse_flag;
5260325f 649
2717fa0f 650 case sKbdInteractiveAuthentication:
651 intptr = &options->kbd_interactive_authentication;
652 goto parse_flag;
8002af61 653
2717fa0f 654 case sChallengeResponseAuthentication:
655 intptr = &options->challenge_response_authentication;
656 goto parse_flag;
8002af61 657
2717fa0f 658 case sPrintMotd:
659 intptr = &options->print_motd;
660 goto parse_flag;
5260325f 661
2717fa0f 662 case sPrintLastLog:
663 intptr = &options->print_lastlog;
664 goto parse_flag;
5260325f 665
2717fa0f 666 case sX11Forwarding:
667 intptr = &options->x11_forwarding;
668 goto parse_flag;
5260325f 669
2717fa0f 670 case sX11DisplayOffset:
671 intptr = &options->x11_display_offset;
672 goto parse_int;
8efc0c15 673
e6e573bd 674 case sX11UseLocalhost:
675 intptr = &options->x11_use_localhost;
676 goto parse_flag;
677
2717fa0f 678 case sXAuthLocation:
679 charptr = &options->xauth_location;
680 goto parse_filename;
5260325f 681
2717fa0f 682 case sStrictModes:
683 intptr = &options->strict_modes;
684 goto parse_flag;
5260325f 685
2717fa0f 686 case sKeepAlives:
687 intptr = &options->keepalives;
688 goto parse_flag;
33de75a3 689
2717fa0f 690 case sEmptyPasswd:
691 intptr = &options->permit_empty_passwd;
692 goto parse_flag;
5260325f 693
2717fa0f 694 case sUseLogin:
695 intptr = &options->use_login;
696 goto parse_flag;
5260325f 697
2717fa0f 698 case sGatewayPorts:
699 intptr = &options->gateway_ports;
700 goto parse_flag;
5260325f 701
bf4c5edc 702 case sVerifyReverseMapping:
703 intptr = &options->verify_reverse_mapping;
2717fa0f 704 goto parse_flag;
5260325f 705
2717fa0f 706 case sLogFacility:
707 intptr = (int *) &options->log_facility;
708 arg = strdelim(&cp);
709 value = log_facility_number(arg);
5eaf8578 710 if (value == SYSLOG_FACILITY_NOT_SET)
2717fa0f 711 fatal("%.200s line %d: unsupported log facility '%s'",
712 filename, linenum, arg ? arg : "<NONE>");
713 if (*intptr == -1)
714 *intptr = (SyslogFacility) value;
715 break;
716
717 case sLogLevel:
718 intptr = (int *) &options->log_level;
719 arg = strdelim(&cp);
720 value = log_level_number(arg);
5eaf8578 721 if (value == SYSLOG_LEVEL_NOT_SET)
2717fa0f 722 fatal("%.200s line %d: unsupported log level '%s'",
723 filename, linenum, arg ? arg : "<NONE>");
724 if (*intptr == -1)
725 *intptr = (LogLevel) value;
726 break;
727
728 case sAllowTcpForwarding:
729 intptr = &options->allow_tcp_forwarding;
730 goto parse_flag;
731
1853d1ef 732 case sUsePrivilegeSeparation:
733 intptr = &use_privsep;
734 goto parse_flag;
735
2717fa0f 736 case sAllowUsers:
737 while ((arg = strdelim(&cp)) && *arg != '\0') {
738 if (options->num_allow_users >= MAX_ALLOW_USERS)
739 fatal("%s line %d: too many allow users.",
740 filename, linenum);
741 options->allow_users[options->num_allow_users++] = xstrdup(arg);
742 }
743 break;
a8be9f80 744
2717fa0f 745 case sDenyUsers:
746 while ((arg = strdelim(&cp)) && *arg != '\0') {
747 if (options->num_deny_users >= MAX_DENY_USERS)
748 fatal( "%s line %d: too many deny users.",
749 filename, linenum);
750 options->deny_users[options->num_deny_users++] = xstrdup(arg);
751 }
752 break;
b2552997 753
2717fa0f 754 case sAllowGroups:
755 while ((arg = strdelim(&cp)) && *arg != '\0') {
756 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
757 fatal("%s line %d: too many allow groups.",
758 filename, linenum);
759 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
760 }
761 break;
a8be9f80 762
2717fa0f 763 case sDenyGroups:
764 while ((arg = strdelim(&cp)) && *arg != '\0') {
765 if (options->num_deny_groups >= MAX_DENY_GROUPS)
766 fatal("%s line %d: too many deny groups.",
767 filename, linenum);
768 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
769 }
770 break;
38c295d6 771
2717fa0f 772 case sCiphers:
773 arg = strdelim(&cp);
774 if (!arg || *arg == '\0')
775 fatal("%s line %d: Missing argument.", filename, linenum);
776 if (!ciphers_valid(arg))
777 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
778 filename, linenum, arg ? arg : "<NONE>");
779 if (options->ciphers == NULL)
780 options->ciphers = xstrdup(arg);
781 break;
782
783 case sMacs:
784 arg = strdelim(&cp);
785 if (!arg || *arg == '\0')
786 fatal("%s line %d: Missing argument.", filename, linenum);
787 if (!mac_valid(arg))
788 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
789 filename, linenum, arg ? arg : "<NONE>");
790 if (options->macs == NULL)
791 options->macs = xstrdup(arg);
792 break;
793
794 case sProtocol:
795 intptr = &options->protocol;
796 arg = strdelim(&cp);
797 if (!arg || *arg == '\0')
798 fatal("%s line %d: Missing argument.", filename, linenum);
799 value = proto_spec(arg);
800 if (value == SSH_PROTO_UNKNOWN)
801 fatal("%s line %d: Bad protocol spec '%s'.",
184eed6a 802 filename, linenum, arg ? arg : "<NONE>");
2717fa0f 803 if (*intptr == SSH_PROTO_UNKNOWN)
804 *intptr = value;
805 break;
806
807 case sSubsystem:
808 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
809 fatal("%s line %d: too many subsystems defined.",
184eed6a 810 filename, linenum);
2717fa0f 811 }
812 arg = strdelim(&cp);
813 if (!arg || *arg == '\0')
814 fatal("%s line %d: Missing subsystem name.",
184eed6a 815 filename, linenum);
2717fa0f 816 for (i = 0; i < options->num_subsystems; i++)
817 if (strcmp(arg, options->subsystem_name[i]) == 0)
818 fatal("%s line %d: Subsystem '%s' already defined.",
184eed6a 819 filename, linenum, arg);
2717fa0f 820 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
821 arg = strdelim(&cp);
822 if (!arg || *arg == '\0')
823 fatal("%s line %d: Missing subsystem command.",
184eed6a 824 filename, linenum);
2717fa0f 825 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
826 options->num_subsystems++;
827 break;
828
829 case sMaxStartups:
830 arg = strdelim(&cp);
831 if (!arg || *arg == '\0')
832 fatal("%s line %d: Missing MaxStartups spec.",
184eed6a 833 filename, linenum);
2717fa0f 834 if ((n = sscanf(arg, "%d:%d:%d",
835 &options->max_startups_begin,
836 &options->max_startups_rate,
837 &options->max_startups)) == 3) {
838 if (options->max_startups_begin >
839 options->max_startups ||
840 options->max_startups_rate > 100 ||
841 options->max_startups_rate < 1)
c345cf9d 842 fatal("%s line %d: Illegal MaxStartups spec.",
97de229c 843 filename, linenum);
2717fa0f 844 } else if (n != 1)
845 fatal("%s line %d: Illegal MaxStartups spec.",
846 filename, linenum);
847 else
848 options->max_startups = options->max_startups_begin;
849 break;
850
851 case sBanner:
852 charptr = &options->banner;
853 goto parse_filename;
854 /*
855 * These options can contain %X options expanded at
856 * connect time, so that you can specify paths like:
857 *
858 * AuthorizedKeysFile /etc/ssh_keys/%u
859 */
860 case sAuthorizedKeysFile:
861 case sAuthorizedKeysFile2:
862 charptr = (opcode == sAuthorizedKeysFile ) ?
863 &options->authorized_keys_file :
864 &options->authorized_keys_file2;
865 goto parse_filename;
866
867 case sClientAliveInterval:
868 intptr = &options->client_alive_interval;
869 goto parse_time;
870
871 case sClientAliveCountMax:
872 intptr = &options->client_alive_count_max;
873 goto parse_int;
874
875 case sDeprecated:
876 log("%s line %d: Deprecated option %s",
877 filename, linenum, arg);
878 while (arg)
879 arg = strdelim(&cp);
880 break;
881
882 default:
883 fatal("%s line %d: Missing handler for opcode %s (%d)",
884 filename, linenum, arg, opcode);
885 }
886 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
887 fatal("%s line %d: garbage at end of line; \"%.200s\".",
888 filename, linenum, arg);
889 return 0;
890}
089fbbd2 891
2717fa0f 892/* Reads the server configuration file. */
5c53a31e 893
2717fa0f 894void
895read_server_config(ServerOptions *options, const char *filename)
896{
897 FILE *f;
898 char line[1024];
899 int linenum;
900 int bad_options = 0;
901
902 f = fopen(filename, "r");
903 if (!f) {
904 perror(filename);
905 exit(1);
906 }
907 linenum = 0;
908 while (fgets(line, sizeof(line), f)) {
909 /* Update line number counter. */
910 linenum++;
911 if (process_server_config_line(options, line, filename, linenum) != 0)
912 bad_options++;
8efc0c15 913 }
5260325f 914 fclose(f);
b7c70970 915 if (bad_options > 0)
916 fatal("%s: terminating, %d bad configuration options",
917 filename, bad_options);
8efc0c15 918}
git-cvsimport mirror of OpenSSH
This page took 0.294084 seconds and 5 git commands to generate.