8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.114 2002/08/21 19:38:06 stevesk Exp $");

#include <errno.h>
#include <limits.h>

#if defined(KRB4)
#include <krb.h>
#endif
#if defined(KRB5)
#ifdef HEIMDAL
#include <krb.h>
#else
/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
 * keytab */
#define KEYFILE "/etc/krb5.keytab"
#endif
#endif
#ifdef AFS
#include <kafs.h>
#endif

#include "ssh.h"
#include "log.h"
#include "servconf.h"
#include "xmalloc.h"
#include "compat.h"
#include "pathnames.h"
#include "tildexpand.h"
#include "misc.h"
#include "cipher.h"
#include "kex.h"
#include "mac.h"
42f11eb2 42
/*
 * Forward declarations: both are defined further down but are already
 * needed by fill_default_server_options().
 */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/*
 * AF_UNSPEC or AF_INET or AF_INET6.  Defined outside this file; used as the
 * getaddrinfo() address-family hint in add_one_listen_addr().
 */
extern int IPv4or6;
/*
 * Use of privilege separation or not.  Defined outside this file.  Reset to
 * -1 by initialize_server_options(), set by the UsePrivilegeSeparation
 * keyword, and defaulted to 1 by fill_default_server_options().
 */
extern int use_privsep;
42f11eb2 50
8efc0c15 51/* Initializes the server options to their default values. */
52
/*
 * Reset every field of *options to its "unset" marker so that
 * fill_default_server_options() can later tell which values the
 * configuration (file or command line) actually supplied.
 *
 * Integer flags use -1 as the marker, pointers NULL, counters 0, and the
 * enumerated fields their own *_NOT_SET constants.  The whole struct is
 * zeroed by memset() first; the explicit 0/NULL stores below merely
 * restate that for readability.
 */
void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->pam_authentication_via_kbd_int = -1;

	/* Listening endpoints, host keys, pid file, protocol selection */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->ciphers = NULL;
	options->macs = NULL;

	/* Protocol 1 server key and connection timing */
	options->server_key_bits = -1;
	options->key_regeneration_time = -1;
	options->login_grace_time = -1;

	/* Authentication methods */
	options->permit_root_login = PERMIT_NOT_SET;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
#if defined(KRB4) || defined(KRB5)
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
	options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	options->afs_token_passing = -1;
#endif
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* Access control lists */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;

	/* Session behaviour */
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->compression = -1;
	options->banner = NULL;
	options->num_subsystems = 0;

	/* Forwarding */
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->allow_tcp_forwarding = -1;
	options->gateway_ports = -1;

	/* Connection housekeeping and logging */
	options->strict_modes = -1;
	options->keepalives = -1;
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->verify_reverse_mapping = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;

	/* Needs to be accessable in many places */
	use_privsep = -1;
}
130
/*
 * Store val into *opt only while the option is still at its -1 "unset"
 * marker, i.e. nothing earlier (config file or command line) set it.
 */
static void
default_int(int *opt, int val)
{
	if (*opt == -1)
		*opt = val;
}

/*
 * Fill in compiled-in defaults for every option that is still unset after
 * the configuration has been read; intended to run after
 * initialize_server_options() and read_server_config().
 *
 * Security-relevant defaults visible here: root login, password
 * authentication and TCP forwarding are all enabled unless the config
 * says otherwise, and privilege separation is turned on.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	default_int(&options->pam_authentication_via_kbd_int, 0);

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	default_int(&options->server_key_bits, 768);
	default_int(&options->login_grace_time, 60);
	default_int(&options->key_regeneration_time, 3600);
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	default_int(&options->ignore_rhosts, 1);
	default_int(&options->ignore_user_known_hosts, 0);
	default_int(&options->print_motd, 1);
	default_int(&options->print_lastlog, 1);
	default_int(&options->x11_forwarding, 0);
	default_int(&options->x11_display_offset, 10);
	default_int(&options->x11_use_localhost, 1);
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	default_int(&options->strict_modes, 1);
	default_int(&options->keepalives, 1);
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	default_int(&options->rhosts_authentication, 0);
	default_int(&options->rhosts_rsa_authentication, 0);
	default_int(&options->hostbased_authentication, 0);
	default_int(&options->hostbased_uses_name_from_packet_only, 0);
	default_int(&options->rsa_authentication, 1);
	default_int(&options->pubkey_authentication, 1);
#if defined(KRB4) || defined(KRB5)
	default_int(&options->kerberos_authentication, 0);
	default_int(&options->kerberos_or_local_passwd, 1);
	default_int(&options->kerberos_ticket_cleanup, 1);
#endif
#if defined(AFS) || defined(KRB5)
	default_int(&options->kerberos_tgt_passing, 0);
#endif
#ifdef AFS
	default_int(&options->afs_token_passing, 0);
#endif
	default_int(&options->password_authentication, 1);
	default_int(&options->kbd_interactive_authentication, 0);
	default_int(&options->challenge_response_authentication, 1);
	default_int(&options->permit_empty_passwd, 0);
	default_int(&options->permit_user_env, 0);
	default_int(&options->use_login, 0);
	default_int(&options->compression, 1);
	default_int(&options->allow_tcp_forwarding, 1);
	default_int(&options->gateway_ports, 0);
	default_int(&options->max_startups, 10);
	default_int(&options->max_startups_rate, 100);	/* 100% */
	/* Must follow max_startups: "begin" defaults to the final limit. */
	default_int(&options->max_startups_begin, options->max_startups);
	default_int(&options->verify_reverse_mapping, 0);
	default_int(&options->client_alive_interval, 0);
	default_int(&options->client_alive_count_max, 3);
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	default_int(&use_privsep, 1);

#ifndef HAVE_MMAP
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
273
8efc0c15 274/* Keyword tokens. */
/*
 * One opcode per recognised sshd_config keyword.  parse_token() maps a
 * keyword string to one of these through the keywords[] table below, and
 * process_server_config_line() switches on the result.  Opcodes for the
 * optional Kerberos/AFS support only exist when the matching build flag
 * is defined.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sPAMAuthenticationViaKbdInt,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,
	/* Keyword still accepted but ignored (currently "checkmail"). */
	sDeprecated
} ServerOpCodes;
307
308/* Textual representation of the tokens. */
/*
 * Keyword table, terminated by a NULL name.  parse_token() compares
 * case-insensitively, so the lower-case spelling here matches however the
 * administrator capitalises the option.  Several names are aliases for the
 * same opcode so that older configuration files keep working.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },	/* alias */
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	/* Accepted for compatibility only; the handler logs and ignores it. */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "verifyreversemapping", sVerifyReverseMapping },
	{ "reversemappingcheck", sVerifyReverseMapping },	/* alias */
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ NULL, sBadOption }				/* terminator */
};
385
aa3378df 386/*
6be9a5e8 387 * Returns the number of the token pointed to by cp or sBadOption.
aa3378df 388 */
8efc0c15 389
/*
 * Map the keyword cp to its ServerOpCodes value by a case-insensitive
 * lookup in keywords[].  An unknown keyword is reported with error(),
 * tagged with filename and linenum, and yields sBadOption.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
404
/*
 * Queue addr (NULL = wildcard) for listening.  With port == 0 one entry is
 * added for every configured Port, falling back to SSH_DEFAULT_PORT when
 * no Port directive was seen; otherwise only the given port is used.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	/* No Port directive yet: listen on the default port. */
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
418
/*
 * Resolve addr:port with getaddrinfo() and push every resulting
 * struct addrinfo onto the front of options->listen_addrs.  A NULL addr
 * requests the wildcard (AI_PASSIVE) address.  Resolution failure is
 * fatal, so a mistyped ListenAddress keeps sshd from starting instead of
 * silently listening somewhere else.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *last;
	char strport[NI_MAXSERV];
	int gaierr;

	memset(&hints, 0, sizeof(hints));
	/* AF_UNSPEC/AF_INET/AF_INET6, see the extern declaration above. */
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	snprintf(strport, sizeof strport, "%u", port);

	gaierr = getaddrinfo(addr, strport, &hints, &res);
	if (gaierr != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(gaierr));

	/* Find the tail of the new list, then splice the old list after it. */
	last = res;
	while (last->ai_next != NULL)
		last = last->ai_next;
	last->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
440
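/*
 * Parse one line of sshd_config into *options.
 *
 * For most options the first setting wins: each handler stores its value
 * only while the field is still at the "unset" marker left by
 * initialize_server_options() (-1, NULL, SSH_PROTO_UNKNOWN, ...), presumably
 * so that settings applied earlier (e.g. from the command line, compare the
 * ports_from_cmdline check under sPort) take precedence.  The list options
 * (Port, ListenAddress, HostKey, Subsystem, Allow/Deny*) accumulate instead,
 * and MaxStartups writes its fields directly, so a later MaxStartups line
 * overrides an earlier one.
 *
 * line is consumed in place by strdelim().  Returns 0 for a line that was
 * handled (or was blank / a comment) and -1 for an unknown keyword; every
 * malformed argument is fatal(), so a broken config stops sshd at start-up
 * rather than running with a partially applied setting.
 *
 * The parse_flag / parse_int / parse_time / parse_filename labels are
 * shared handlers: a case sets intptr and/or charptr and jumps to them.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p, *endp;
	int *intptr, value, i, n;
	long lval;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sPAMAuthenticationViaKbdInt:
		intptr = &options->pam_authentication_via_kbd_int;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/* add_listen_addr() expands every Port seen so far, so Port
		 * lines after the first ListenAddress would be lost. */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		/* a2port() returns 0 for anything that is not a port. */
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * strtol() rather than atoi(): atoi() silently turns "abc"
		 * into 0 and "10x" into 10, so a typo in e.g. ServerKeyBits
		 * or ClientAliveCountMax would go unnoticed.  Reject trailing
		 * junk and values that do not fit an int.
		 */
		errno = 0;
		lval = strtol(arg, &endp, 10);
		if (endp == arg || *endp != '\0' || errno == ERANGE ||
		    lval < INT_MIN || lval > INT_MAX)
			fatal("%s line %d: invalid integer value '%s'.",
			    filename, linenum, arg);
		value = (int)lval;
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		/* convtime() reports a malformed duration as -1. */
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms: "host", "host:port", "[v6addr]" and
		 * "[v6addr]:port".  An unbracketed value with two or more
		 * colons is taken to be a bare IPv6 address without a port.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			/* Strip the brackets in place; p now points at
			 * whatever followed the ']' (':' or '\0'). */
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				/* Terminate the address part before the ':'. */
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		/* intptr doubles as the entry counter for parse_filename. */
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			/* "~" is expanded for the uid sshd is running as. */
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* Boolean options: exactly "yes" or "no", nothing else. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;
#if defined(KRB4) || defined(KRB5)
	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;
#endif
#if defined(AFS) || defined(KRB5)
	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;
#endif
#ifdef AFS
	case sAFSTokenPassing:
		intptr = &options->afs_token_passing;
		goto parse_flag;
#endif

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sVerifyReverseMapping:
		intptr = &options->verify_reverse_mapping;
		goto parse_flag;

	case sLogFacility:
		/* The cast relies on SyslogFacility being stored as an int. */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		/* Same int-representation assumption as sLogFacility. */
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		/* Global rather than an options field, see the extern above. */
		intptr = &use_privsep;
		goto parse_flag;

	/*
	 * The four access lists take any number of whitespace-separated
	 * entries per line and accumulate across lines, bounded only by the
	 * MAX_* array sizes.
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal("%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		/* Validated up front so an unknown cipher name cannot
		 * silently reduce the negotiated set at connect time. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		/* Unset marker is SSH_PROTO_UNKNOWN here, not -1. */
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		/* "Subsystem name command"; names must be unique. */
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		/*
		 * "begin:rate:full" or a single "full" value.  sscanf()
		 * writes straight into *options, so unlike the other options
		 * this one has no first-setting-wins behaviour.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		/* Log once, then drain the rest of the line so the trailing
		 * garbage check below does not trip on its arguments. */
		log("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
			arg = strdelim(&cp);
		break;

	default:
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Anything left over means the line had more arguments than the
	 * option takes; refuse it rather than guess what was meant. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}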
089fbbd2 928
2717fa0f 929/* Reads the server configuration file. */
5c53a31e 930
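/*
 * Read filename line by line into *options via
 * process_server_config_line().  Unknown keywords are counted and reported
 * together at the end; other malformed lines are fatal inside the line
 * parser.  Failure to open the file and over-long lines are fatal too: a
 * directive that was silently dropped or split in two could leave sshd
 * running with weaker settings than the administrator wrote.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	int linenum, bad_options = 0, c;
	char line[1024];
	FILE *f;

	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * fgets() stops after sizeof(line) - 1 characters.  Without
		 * this check the remainder of an over-long line would be
		 * handed to the parser as a separate directive on the next
		 * iteration.  A line that exactly fills the buffer is fine
		 * if the newline (or EOF) comes next.
		 */
		if (strchr(line, '\n') == NULL) {
			c = getc(f);
			if (c != '\n' && c != EOF)
				fatal("%s line %d: line too long (limit %d characters).",
				    filename, linenum, (int)sizeof(line) - 1);
		}
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}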