8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
38634ff6 13RCSID("$OpenBSD: servconf.c,v 1.141 2005/05/16 15:30:51 markus Exp $");
8efc0c15 14
15#include "ssh.h"
42f11eb2 16#include "log.h"
8efc0c15 17#include "servconf.h"
18#include "xmalloc.h"
a8be9f80 19#include "compat.h"
42f11eb2 20#include "pathnames.h"
42f11eb2 21#include "misc.h"
22#include "cipher.h"
b2552997 23#include "kex.h"
24#include "mac.h"
42f11eb2 25
396c147e 26static void add_listen_addr(ServerOptions *, char *, u_short);
27static void add_one_listen_addr(ServerOptions *, char *, u_short);
48e671d5 28
/* Whether privilege separation is in use */
30extern int use_privsep;
42f11eb2 31
8efc0c15 32/* Initializes the server options to their default values. */
33
/*
 * Reset every server option to its "not set" marker.  The real defaults
 * are supplied later by fill_default_server_options(), which only touches
 * members still carrying the marker, so anything the configuration file
 * or command line sets in between takes precedence.
 *
 * Markers: -1 for integer flags and limits, 0 for counters, NULL for
 * strings and lists, and the *_NOT_SET / *_UNKNOWN value for enums.
 */
void
initialize_server_options(ServerOptions *options)
{
	/* Start from all-zero so members not listed below are defined. */
	memset(options, 0, sizeof(*options));

	/* Counters of list-valued options: nothing parsed yet. */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->num_host_key_files = 0;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->num_subsystems = 0;
	options->num_accept_env = 0;

	/* String and list members. */
	options->listen_addrs = NULL;
	options->pid_file = NULL;
	options->xauth_location = NULL;
	options->ciphers = NULL;
	options->macs = NULL;
	options->banner = NULL;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* Enumerated options carry their own "not set" value. */
	options->permit_root_login = PERMIT_NOT_SET;
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->protocol = SSH_PROTO_UNKNOWN;

	/* Portable-specific flags. */
	options->use_pam = -1;

	/* Standard integer flags and limits. */
	options->address_family = -1;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->strict_modes = -1;
	options->tcp_keep_alive = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
	options->kerberos_get_afs_token = -1;
	options->gss_authentication = -1;
	options->gss_cleanup_creds = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	options->gateway_ports = -1;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->max_authtries = -1;
	options->use_dns = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;

	/* A global rather than a member: it needs to be accessible in many places. */
	use_privsep = -1;
}
108
/* Store value in *slot only if the configuration left it at the -1 marker. */
static void
default_int(int *slot, int value)
{
	if (*slot == -1)
		*slot = value;
}

/* Store path in *slot only if the configuration left it NULL. */
static void
default_path(char **slot, char *path)
{
	if (*slot == NULL)
		*slot = path;
}

/*
 * Supply the built-in default for every option still carrying the
 * "not set" marker left by initialize_server_options().  Values already
 * set by the configuration file or the command line are never
 * overridden, so this function is the single place where the built-in
 * policy (PermitRootLogin, PasswordAuthentication, privsep, ...) is
 * decided.  Also creates the default listen addresses and host key
 * list when the configuration named none.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	default_int(&options->use_pam, 0);

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* One default host key file per enabled protocol version. */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* No ListenAddress given: wildcard address on every port. */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	default_path(&options->pid_file, _PATH_SSH_DAEMON_PID_FILE);
	default_int(&options->server_key_bits, 768);
	default_int(&options->login_grace_time, 120);
	default_int(&options->key_regeneration_time, 3600);
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	default_int(&options->ignore_rhosts, 1);
	default_int(&options->ignore_user_known_hosts, 0);
	default_int(&options->print_motd, 1);
	default_int(&options->print_lastlog, 1);
	default_int(&options->x11_forwarding, 0);
	default_int(&options->x11_display_offset, 10);
	default_int(&options->x11_use_localhost, 1);
	default_path(&options->xauth_location, _PATH_XAUTH);
	default_int(&options->strict_modes, 1);
	default_int(&options->tcp_keep_alive, 1);
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	default_int(&options->rhosts_rsa_authentication, 0);
	default_int(&options->hostbased_authentication, 0);
	default_int(&options->hostbased_uses_name_from_packet_only, 0);
	default_int(&options->rsa_authentication, 1);
	default_int(&options->pubkey_authentication, 1);
	default_int(&options->kerberos_authentication, 0);
	default_int(&options->kerberos_or_local_passwd, 1);
	default_int(&options->kerberos_ticket_cleanup, 1);
	default_int(&options->kerberos_get_afs_token, 0);
	default_int(&options->gss_authentication, 0);
	default_int(&options->gss_cleanup_creds, 1);
	default_int(&options->password_authentication, 1);
	default_int(&options->kbd_interactive_authentication, 0);
	default_int(&options->challenge_response_authentication, 1);
	default_int(&options->permit_empty_passwd, 0);
	default_int(&options->permit_user_env, 0);
	default_int(&options->use_login, 0);
	default_int(&options->compression, 1);
	default_int(&options->allow_tcp_forwarding, 1);
	default_int(&options->gateway_ports, 0);
	default_int(&options->max_startups, 10);
	default_int(&options->max_startups_rate, 100);	/* 100% */
	/* Must follow max_startups: the begin threshold defaults to it. */
	default_int(&options->max_startups_begin, options->max_startups);
	default_int(&options->max_authtries, DEFAULT_AUTH_FAIL_MAX);
	default_int(&options->use_dns, 1);
	default_int(&options->client_alive_interval, 0);
	default_int(&options->client_alive_count_max, 3);
	/*
	 * authorized_keys_file2 falls back to an explicitly configured
	 * authorized_keys_file, so this must run before that one is
	 * defaulted below.
	 */
	if (options->authorized_keys_file2 == NULL) {
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	default_path(&options->authorized_keys_file, _PATH_SSH_USER_PERMITTED_KEYS);

	/* Turn privilege separation on by default */
	default_int(&use_privsep, 1);

#ifndef HAVE_MMAP
	/*
	 * Builds without mmap() cannot combine privilege separation and
	 * compression; compression gives way and the conflict is logged.
	 */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
247
8efc0c15 248/* Keyword tokens. */
typedef enum {
	sBadOption,		/* == unknown option; returned by parse_token() */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosGetAFSToken,
	/* sKerberosTgtPassing: no keyword maps to it any more; the
	 * "kerberostgtpassing" entry in keywords[] is sUnsupported. */
	sKerberosTgtPassing, sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication,
	sListenAddress, sAddressFamily,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
	sMaxStartups, sMaxAuthTries,
	sBanner, sUseDNS, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
	sUsePrivilegeSeparation,
	/*
	 * Keywords that are still recognized but have no effect:
	 * sDeprecated is logged by the parser; sUnsupported marks options
	 * compiled out of this build (see the #ifdef branches in keywords[]).
	 */
	sDeprecated, sUnsupported
} ServerOpCodes;
277
278/* Textual representation of the tokens. */
/*
 * Keyword -> opcode table scanned by parse_token().  Names are matched
 * case-insensitively; aliases map several names to one opcode.  Options
 * that are compiled out of this build keep their entry but map to
 * sUnsupported, so the keyword is still recognized.  The NULL entry at
 * the end terminates the scan.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "usepam", sUsePAM },
#else
	{ "usepam", sUnsupported },
#endif
	{ "pamauthenticationviakbdint", sDeprecated },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sDeprecated },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },	/* alias */
	/* Kerberos keywords exist in every build; only KRB5 builds act on them. */
#ifdef KRB5
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#ifdef USE_AFS
	{ "kerberosgetafstoken", sKerberosGetAFSToken },
#else
	{ "kerberosgetafstoken", sUnsupported },
#endif
#else
	{ "kerberosauthentication", sUnsupported },
	{ "kerberosorlocalpasswd", sUnsupported },
	{ "kerberosticketcleanup", sUnsupported },
	{ "kerberosgetafstoken", sUnsupported },
#endif
	{ "kerberostgtpassing", sUnsupported },
	{ "afstokenpassing", sUnsupported },
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication },
	{ "gssapicleanupcredentials", sGssCleanupCreds },
#else
	{ "gssapiauthentication", sUnsupported },
	{ "gssapicleanupcredentials", sUnsupported },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "addressfamily", sAddressFamily },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "tcpkeepalive", sTCPKeepAlive },
	{ "keepalive", sTCPKeepAlive },				/* obsolete alias */
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "maxauthtries", sMaxAuthTries },
	{ "banner", sBanner },
	{ "usedns", sUseDNS },
	{ "verifyreversemapping", sDeprecated },
	{ "reversemappingcheck", sDeprecated },
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation },
	{ "acceptenv", sAcceptEnv },
	/* Sentinel: parse_token() stops scanning at the NULL name. */
	{ NULL, sBadOption }
};
378
aa3378df 379/*
6be9a5e8 380 * Returns the number of the token pointed to by cp or sBadOption.
aa3378df 381 */
8efc0c15 382
/*
 * Map a configuration keyword to its ServerOpCodes value by scanning
 * keywords[] case-insensitively.  An unknown keyword is reported through
 * error() with the file name and line number and yields sBadOption,
 * which the caller treats as a parse failure.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	size_t idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
397
/*
 * Queue listen addresses for addr (NULL means the wildcard address).
 * With port == 0 the address is added once for every port configured
 * so far, falling back to SSH_DEFAULT_PORT when none is; otherwise it
 * is added for the single given port.  Also settles address_family to
 * AF_UNSPEC if the configuration left it unset: AddressFamily must
 * precede ListenAddress, so it cannot change after this point.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->address_family == -1)
		options->address_family = AF_UNSPEC;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
413
/*
 * Resolve addr:port with getaddrinfo() and push every resulting address
 * onto the front of options->listen_addrs.  A NULL addr requests the
 * wildcard address (AI_PASSIVE); the lookup is restricted to the
 * configured address family.  A failed resolution is fatal, so a bad
 * ListenAddress stops the daemon at configuration time.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints;
	struct addrinfo *res, *last;
	char strport[NI_MAXSERV];
	int gaierr;

	memset(&hints, 0, sizeof(hints));
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_family = options->address_family;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	else
		hints.ai_flags = 0;

	snprintf(strport, sizeof strport, "%u", port);
	gaierr = getaddrinfo(addr, strport, &hints, &res);
	if (gaierr != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(gaierr));

	/* Find the tail of the new list and splice the existing list after it. */
	last = res;
	while (last->ai_next != NULL)
		last = last->ai_next;
	last->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
435
2717fa0f 436int
437process_server_config_line(ServerOptions *options, char *line,
438 const char *filename, int linenum)
8efc0c15 439{
d11c1288 440 char *cp, **charptr, *arg, *p;
7528d467 441 int *intptr, value, i, n;
5260325f 442 ServerOpCodes opcode;
3867aa0a 443 u_short port;
5260325f 444
2717fa0f 445 cp = line;
446 arg = strdelim(&cp);
447 /* Ignore leading whitespace */
448 if (*arg == '\0')
704b1659 449 arg = strdelim(&cp);
2717fa0f 450 if (!arg || !*arg || *arg == '#')
451 return 0;
452 intptr = NULL;
453 charptr = NULL;
454 opcode = parse_token(arg, filename, linenum);
455 switch (opcode) {
456 /* Portable-specific options */
7fceb20d 457 case sUsePAM:
458 intptr = &options->use_pam;
2717fa0f 459 goto parse_flag;
48e671d5 460
2717fa0f 461 /* Standard Options */
462 case sBadOption:
463 return -1;
464 case sPort:
465 /* ignore ports from configfile if cmdline specifies ports */
466 if (options->ports_from_cmdline)
467 return 0;
468 if (options->listen_addrs != NULL)
469 fatal("%s line %d: ports must be specified before "
3a454b6a 470 "ListenAddress.", filename, linenum);
2717fa0f 471 if (options->num_ports >= MAX_PORTS)
472 fatal("%s line %d: too many ports.",
473 filename, linenum);
474 arg = strdelim(&cp);
475 if (!arg || *arg == '\0')
476 fatal("%s line %d: missing port number.",
477 filename, linenum);
478 options->ports[options->num_ports++] = a2port(arg);
479 if (options->ports[options->num_ports-1] == 0)
480 fatal("%s line %d: Badly formatted port number.",
481 filename, linenum);
482 break;
483
484 case sServerKeyBits:
485 intptr = &options->server_key_bits;
5260325f 486parse_int:
2717fa0f 487 arg = strdelim(&cp);
488 if (!arg || *arg == '\0')
489 fatal("%s line %d: missing integer value.",
490 filename, linenum);
491 value = atoi(arg);
492 if (*intptr == -1)
493 *intptr = value;
494 break;
495
496 case sLoginGraceTime:
497 intptr = &options->login_grace_time;
e2b1fb42 498parse_time:
2717fa0f 499 arg = strdelim(&cp);
500 if (!arg || *arg == '\0')
501 fatal("%s line %d: missing time value.",
502 filename, linenum);
503 if ((value = convtime(arg)) == -1)
504 fatal("%s line %d: invalid time value.",
505 filename, linenum);
506 if (*intptr == -1)
507 *intptr = value;
508 break;
509
510 case sKeyRegenerationTime:
511 intptr = &options->key_regeneration_time;
512 goto parse_time;
513
514 case sListenAddress:
515 arg = strdelim(&cp);
3867aa0a 516 if (arg == NULL || *arg == '\0')
517 fatal("%s line %d: missing address",
2717fa0f 518 filename, linenum);
3867aa0a 519 p = hpdelim(&arg);
520 if (p == NULL)
521 fatal("%s line %d: bad address:port usage",
2717fa0f 522 filename, linenum);
3867aa0a 523 p = cleanhostname(p);
524 if (arg == NULL)
525 port = 0;
526 else if ((port = a2port(arg)) == 0)
527 fatal("%s line %d: bad port number", filename, linenum);
528
529 add_listen_addr(options, p, port);
530
2717fa0f 531 break;
532
31b41ceb 533 case sAddressFamily:
534 arg = strdelim(&cp);
38634ff6 535 if (!arg || *arg == '\0')
536 fatal("%s line %d: missing address family.",
537 filename, linenum);
31b41ceb 538 intptr = &options->address_family;
539 if (options->listen_addrs != NULL)
540 fatal("%s line %d: address family must be specified before "
541 "ListenAddress.", filename, linenum);
542 if (strcasecmp(arg, "inet") == 0)
543 value = AF_INET;
544 else if (strcasecmp(arg, "inet6") == 0)
545 value = AF_INET6;
546 else if (strcasecmp(arg, "any") == 0)
547 value = AF_UNSPEC;
548 else
549 fatal("%s line %d: unsupported address family \"%s\".",
550 filename, linenum, arg);
551 if (*intptr == -1)
552 *intptr = value;
553 break;
554
2717fa0f 555 case sHostKeyFile:
556 intptr = &options->num_host_key_files;
557 if (*intptr >= MAX_HOSTKEYS)
558 fatal("%s line %d: too many host keys specified (max %d).",
559 filename, linenum, MAX_HOSTKEYS);
560 charptr = &options->host_key_files[*intptr];
fa649821 561parse_filename:
2717fa0f 562 arg = strdelim(&cp);
563 if (!arg || *arg == '\0')
564 fatal("%s line %d: missing file name.",
565 filename, linenum);
566 if (*charptr == NULL) {
567 *charptr = tilde_expand_filename(arg, getuid());
568 /* increase optional counter */
569 if (intptr != NULL)
570 *intptr = *intptr + 1;
571 }
572 break;
0fbe8c74 573
2717fa0f 574 case sPidFile:
575 charptr = &options->pid_file;
576 goto parse_filename;
5260325f 577
2717fa0f 578 case sPermitRootLogin:
579 intptr = &options->permit_root_login;
580 arg = strdelim(&cp);
581 if (!arg || *arg == '\0')
582 fatal("%s line %d: missing yes/"
583 "without-password/forced-commands-only/no "
584 "argument.", filename, linenum);
585 value = 0; /* silence compiler */
586 if (strcmp(arg, "without-password") == 0)
587 value = PERMIT_NO_PASSWD;
588 else if (strcmp(arg, "forced-commands-only") == 0)
589 value = PERMIT_FORCED_ONLY;
590 else if (strcmp(arg, "yes") == 0)
591 value = PERMIT_YES;
592 else if (strcmp(arg, "no") == 0)
593 value = PERMIT_NO;
594 else
595 fatal("%s line %d: Bad yes/"
596 "without-password/forced-commands-only/no "
597 "argument: %s", filename, linenum, arg);
598 if (*intptr == -1)
599 *intptr = value;
600 break;
601
602 case sIgnoreRhosts:
603 intptr = &options->ignore_rhosts;
5260325f 604parse_flag:
2717fa0f 605 arg = strdelim(&cp);
606 if (!arg || *arg == '\0')
607 fatal("%s line %d: missing yes/no argument.",
608 filename, linenum);
609 value = 0; /* silence compiler */
610 if (strcmp(arg, "yes") == 0)
611 value = 1;
612 else if (strcmp(arg, "no") == 0)
613 value = 0;
614 else
615 fatal("%s line %d: Bad yes/no argument: %s",
616 filename, linenum, arg);
617 if (*intptr == -1)
618 *intptr = value;
619 break;
620
621 case sIgnoreUserKnownHosts:
622 intptr = &options->ignore_user_known_hosts;
623 goto parse_flag;
624
2717fa0f 625 case sRhostsRSAAuthentication:
626 intptr = &options->rhosts_rsa_authentication;
627 goto parse_flag;
628
629 case sHostbasedAuthentication:
630 intptr = &options->hostbased_authentication;
631 goto parse_flag;
632
633 case sHostbasedUsesNameFromPacketOnly:
634 intptr = &options->hostbased_uses_name_from_packet_only;
635 goto parse_flag;
636
637 case sRSAAuthentication:
638 intptr = &options->rsa_authentication;
639 goto parse_flag;
640
641 case sPubkeyAuthentication:
642 intptr = &options->pubkey_authentication;
643 goto parse_flag;
d0ec7f42 644
2717fa0f 645 case sKerberosAuthentication:
646 intptr = &options->kerberos_authentication;
647 goto parse_flag;
5260325f 648
2717fa0f 649 case sKerberosOrLocalPasswd:
650 intptr = &options->kerberos_or_local_passwd;
651 goto parse_flag;
5260325f 652
2717fa0f 653 case sKerberosTicketCleanup:
654 intptr = &options->kerberos_ticket_cleanup;
655 goto parse_flag;
d0ec7f42 656
a1e30b47 657 case sKerberosGetAFSToken:
658 intptr = &options->kerberos_get_afs_token;
659 goto parse_flag;
660
7364bd04 661 case sGssAuthentication:
662 intptr = &options->gss_authentication;
663 goto parse_flag;
664
665 case sGssCleanupCreds:
666 intptr = &options->gss_cleanup_creds;
667 goto parse_flag;
668
2717fa0f 669 case sPasswordAuthentication:
670 intptr = &options->password_authentication;
671 goto parse_flag;
5260325f 672
2717fa0f 673 case sKbdInteractiveAuthentication:
674 intptr = &options->kbd_interactive_authentication;
675 goto parse_flag;
8002af61 676
2717fa0f 677 case sChallengeResponseAuthentication:
678 intptr = &options->challenge_response_authentication;
679 goto parse_flag;
8002af61 680
2717fa0f 681 case sPrintMotd:
682 intptr = &options->print_motd;
683 goto parse_flag;
5260325f 684
2717fa0f 685 case sPrintLastLog:
686 intptr = &options->print_lastlog;
687 goto parse_flag;
5260325f 688
2717fa0f 689 case sX11Forwarding:
690 intptr = &options->x11_forwarding;
691 goto parse_flag;
5260325f 692
2717fa0f 693 case sX11DisplayOffset:
694 intptr = &options->x11_display_offset;
695 goto parse_int;
8efc0c15 696
e6e573bd 697 case sX11UseLocalhost:
698 intptr = &options->x11_use_localhost;
699 goto parse_flag;
700
2717fa0f 701 case sXAuthLocation:
702 charptr = &options->xauth_location;
703 goto parse_filename;
5260325f 704
2717fa0f 705 case sStrictModes:
706 intptr = &options->strict_modes;
707 goto parse_flag;
5260325f 708
fd573618 709 case sTCPKeepAlive:
710 intptr = &options->tcp_keep_alive;
2717fa0f 711 goto parse_flag;
33de75a3 712
2717fa0f 713 case sEmptyPasswd:
714 intptr = &options->permit_empty_passwd;
715 goto parse_flag;
5260325f 716
f00bab84 717 case sPermitUserEnvironment:
718 intptr = &options->permit_user_env;
719 goto parse_flag;
720
2717fa0f 721 case sUseLogin:
722 intptr = &options->use_login;
723 goto parse_flag;
5260325f 724
636f76ca 725 case sCompression:
726 intptr = &options->compression;
727 goto parse_flag;
728
2717fa0f 729 case sGatewayPorts:
730 intptr = &options->gateway_ports;
3867aa0a 731 arg = strdelim(&cp);
732 if (!arg || *arg == '\0')
733 fatal("%s line %d: missing yes/no/clientspecified "
734 "argument.", filename, linenum);
735 value = 0; /* silence compiler */
736 if (strcmp(arg, "clientspecified") == 0)
737 value = 2;
738 else if (strcmp(arg, "yes") == 0)
739 value = 1;
740 else if (strcmp(arg, "no") == 0)
741 value = 0;
742 else
743 fatal("%s line %d: Bad yes/no/clientspecified "
744 "argument: %s", filename, linenum, arg);
745 if (*intptr == -1)
746 *intptr = value;
747 break;
5260325f 748
c5a7d788 749 case sUseDNS:
750 intptr = &options->use_dns;
2717fa0f 751 goto parse_flag;
5260325f 752
2717fa0f 753 case sLogFacility:
754 intptr = (int *) &options->log_facility;
755 arg = strdelim(&cp);
756 value = log_facility_number(arg);
5eaf8578 757 if (value == SYSLOG_FACILITY_NOT_SET)
2717fa0f 758 fatal("%.200s line %d: unsupported log facility '%s'",
759 filename, linenum, arg ? arg : "<NONE>");
760 if (*intptr == -1)
761 *intptr = (SyslogFacility) value;
762 break;
763
764 case sLogLevel:
765 intptr = (int *) &options->log_level;
766 arg = strdelim(&cp);
767 value = log_level_number(arg);
5eaf8578 768 if (value == SYSLOG_LEVEL_NOT_SET)
2717fa0f 769 fatal("%.200s line %d: unsupported log level '%s'",
770 filename, linenum, arg ? arg : "<NONE>");
771 if (*intptr == -1)
772 *intptr = (LogLevel) value;
773 break;
774
775 case sAllowTcpForwarding:
776 intptr = &options->allow_tcp_forwarding;
777 goto parse_flag;
778
1853d1ef 779 case sUsePrivilegeSeparation:
780 intptr = &use_privsep;
781 goto parse_flag;
782
2717fa0f 783 case sAllowUsers:
784 while ((arg = strdelim(&cp)) && *arg != '\0') {
785 if (options->num_allow_users >= MAX_ALLOW_USERS)
786 fatal("%s line %d: too many allow users.",
787 filename, linenum);
7528d467 788 options->allow_users[options->num_allow_users++] =
789 xstrdup(arg);
2717fa0f 790 }
791 break;
a8be9f80 792
2717fa0f 793 case sDenyUsers:
794 while ((arg = strdelim(&cp)) && *arg != '\0') {
795 if (options->num_deny_users >= MAX_DENY_USERS)
796 fatal( "%s line %d: too many deny users.",
797 filename, linenum);
7528d467 798 options->deny_users[options->num_deny_users++] =
799 xstrdup(arg);
2717fa0f 800 }
801 break;
b2552997 802
2717fa0f 803 case sAllowGroups:
804 while ((arg = strdelim(&cp)) && *arg != '\0') {
805 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
806 fatal("%s line %d: too many allow groups.",
807 filename, linenum);
7528d467 808 options->allow_groups[options->num_allow_groups++] =
809 xstrdup(arg);
2717fa0f 810 }
811 break;
a8be9f80 812
2717fa0f 813 case sDenyGroups:
814 while ((arg = strdelim(&cp)) && *arg != '\0') {
815 if (options->num_deny_groups >= MAX_DENY_GROUPS)
816 fatal("%s line %d: too many deny groups.",
817 filename, linenum);
818 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
819 }
820 break;
38c295d6 821
2717fa0f 822 case sCiphers:
823 arg = strdelim(&cp);
824 if (!arg || *arg == '\0')
825 fatal("%s line %d: Missing argument.", filename, linenum);
826 if (!ciphers_valid(arg))
827 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
828 filename, linenum, arg ? arg : "<NONE>");
829 if (options->ciphers == NULL)
830 options->ciphers = xstrdup(arg);
831 break;
832
833 case sMacs:
834 arg = strdelim(&cp);
835 if (!arg || *arg == '\0')
836 fatal("%s line %d: Missing argument.", filename, linenum);
837 if (!mac_valid(arg))
838 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
839 filename, linenum, arg ? arg : "<NONE>");
840 if (options->macs == NULL)
841 options->macs = xstrdup(arg);
842 break;
843
844 case sProtocol:
845 intptr = &options->protocol;
846 arg = strdelim(&cp);
847 if (!arg || *arg == '\0')
848 fatal("%s line %d: Missing argument.", filename, linenum);
849 value = proto_spec(arg);
850 if (value == SSH_PROTO_UNKNOWN)
851 fatal("%s line %d: Bad protocol spec '%s'.",
184eed6a 852 filename, linenum, arg ? arg : "<NONE>");
2717fa0f 853 if (*intptr == SSH_PROTO_UNKNOWN)
854 *intptr = value;
855 break;
856
857 case sSubsystem:
858 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
859 fatal("%s line %d: too many subsystems defined.",
184eed6a 860 filename, linenum);
2717fa0f 861 }
862 arg = strdelim(&cp);
863 if (!arg || *arg == '\0')
864 fatal("%s line %d: Missing subsystem name.",
184eed6a 865 filename, linenum);
2717fa0f 866 for (i = 0; i < options->num_subsystems; i++)
867 if (strcmp(arg, options->subsystem_name[i]) == 0)
868 fatal("%s line %d: Subsystem '%s' already defined.",
184eed6a 869 filename, linenum, arg);
2717fa0f 870 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
871 arg = strdelim(&cp);
872 if (!arg || *arg == '\0')
873 fatal("%s line %d: Missing subsystem command.",
184eed6a 874 filename, linenum);
2717fa0f 875 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
876 options->num_subsystems++;
877 break;
878
879 case sMaxStartups:
880 arg = strdelim(&cp);
881 if (!arg || *arg == '\0')
882 fatal("%s line %d: Missing MaxStartups spec.",
184eed6a 883 filename, linenum);
2717fa0f 884 if ((n = sscanf(arg, "%d:%d:%d",
885 &options->max_startups_begin,
886 &options->max_startups_rate,
887 &options->max_startups)) == 3) {
888 if (options->max_startups_begin >
889 options->max_startups ||
890 options->max_startups_rate > 100 ||
891 options->max_startups_rate < 1)
c345cf9d 892 fatal("%s line %d: Illegal MaxStartups spec.",
97de229c 893 filename, linenum);
2717fa0f 894 } else if (n != 1)
895 fatal("%s line %d: Illegal MaxStartups spec.",
896 filename, linenum);
897 else
898 options->max_startups = options->max_startups_begin;
899 break;
900
af4bd935 901 case sMaxAuthTries:
902 intptr = &options->max_authtries;
903 goto parse_int;
904
2717fa0f 905 case sBanner:
906 charptr = &options->banner;
907 goto parse_filename;
908 /*
909 * These options can contain %X options expanded at
910 * connect time, so that you can specify paths like:
911 *
912 * AuthorizedKeysFile /etc/ssh_keys/%u
913 */
914 case sAuthorizedKeysFile:
915 case sAuthorizedKeysFile2:
916 charptr = (opcode == sAuthorizedKeysFile ) ?
917 &options->authorized_keys_file :
918 &options->authorized_keys_file2;
919 goto parse_filename;
920
921 case sClientAliveInterval:
922 intptr = &options->client_alive_interval;
923 goto parse_time;
924
925 case sClientAliveCountMax:
926 intptr = &options->client_alive_count_max;
927 goto parse_int;
928
61a2c1da 929 case sAcceptEnv:
930 while ((arg = strdelim(&cp)) && *arg != '\0') {
931 if (strchr(arg, '=') != NULL)
932 fatal("%s line %d: Invalid environment name.",
933 filename, linenum);
934 if (options->num_accept_env >= MAX_ACCEPT_ENV)
935 fatal("%s line %d: too many allow env.",
936 filename, linenum);
937 options->accept_env[options->num_accept_env++] =
938 xstrdup(arg);
939 }
940 break;
941
2717fa0f 942 case sDeprecated:
bbe88b6d 943 logit("%s line %d: Deprecated option %s",
2717fa0f 944 filename, linenum, arg);
945 while (arg)
946 arg = strdelim(&cp);
947 break;
948
a2144546 949 case sUnsupported:
950 logit("%s line %d: Unsupported option %s",
951 filename, linenum, arg);
952 while (arg)
953 arg = strdelim(&cp);
954 break;
955
2717fa0f 956 default:
957 fatal("%s line %d: Missing handler for opcode %s (%d)",
958 filename, linenum, arg, opcode);
959 }
960 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
961 fatal("%s line %d: garbage at end of line; \"%.200s\".",
962 filename, linenum, arg);
963 return 0;
964}
089fbbd2 965
2717fa0f 966/* Reads the server configuration file. */
5c53a31e 967
/*
 * Reads the server configuration file into "conf", ready for
 * parse_server_config().  Comments ("#" to end of line) are removed and
 * leading blanks stripped, but every newline is kept so that the parser
 * can recover line numbers for its diagnostics.  A file that cannot be
 * opened is a fatal, process-ending error.
 */
void
load_server_config(const char *filename, Buffer *conf)
{
	FILE *fp;
	char buf[1024];

	debug2("%s: filename %s", __func__, filename);
	fp = fopen(filename, "r");
	if (fp == NULL) {
		perror(filename);
		exit(1);
	}
	buffer_clear(conf);
	for (;;) {
		char *hash, *start;

		if (fgets(buf, sizeof(buf), fp) == NULL)
			break;
		/*
		 * The first '#' ends the line; quoting is not honoured here,
		 * so a '#' inside an argument is treated as a comment too.
		 * Replacing it with "\n" keeps the line count intact.
		 */
		hash = strchr(buf, '#');
		if (hash != NULL)
			memcpy(hash, "\n", 2);
		/*
		 * Skip leading blanks.  A line longer than the buffer arrives
		 * in several fgets() pieces, each of which is trimmed like this.
		 */
		start = buf + strspn(buf, " \t\r");
		buffer_append(conf, start, strlen(start));
	}
	/* NUL-terminate so the parser can treat the buffer as a C string. */
	buffer_append(conf, "\0", 1);
	fclose(fp);
	debug2("%s: done config len = %d", __func__, buffer_len(conf));
}
996
/*
 * Parses the configuration text that load_server_config() placed in
 * "conf", one line at a time, into "options".  Lines are numbered from 1
 * in the order they appear.  Every line that process_server_config_line()
 * rejects (non-zero return) is counted, and a non-zero count aborts the
 * program with fatal() once the whole buffer has been seen.
 */
void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
{
	char *copy, *rest, *line;
	int lineno = 1, errors = 0;

	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));

	/* strsep() writes into the text, so work on a private copy. */
	copy = xstrdup(buffer_ptr(conf));
	rest = copy;
	for (line = strsep(&rest, "\n"); line != NULL;
	    line = strsep(&rest, "\n")) {
		if (process_server_config_line(options, line, filename,
		    lineno) != 0)
			errors++;
		lineno++;
	}
	xfree(copy);
	if (errors > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, errors);
}