]> andersk Git - openssh.git/blame - servconf.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- deraadt@cvs.openbsd.org 2002/06/23 09:39:55
[openssh.git] / servconf.c
CommitLineData
8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
636f76ca 13RCSID("$OpenBSD: servconf.c,v 1.111 2002/06/20 23:05:55 markus Exp $");
42f11eb2 14
12928e80 15#if defined(KRB4)
42f11eb2 16#include <krb.h>
17#endif
12928e80 18#if defined(KRB5)
19#ifdef HEIMDAL
20#include <krb.h>
21#else
22/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
23 * keytab */
24#define KEYFILE "/etc/krb5.keytab"
25#endif
26#endif
83f46621 27#ifdef AFS
28#include <kafs.h>
29#endif
8efc0c15 30
31#include "ssh.h"
42f11eb2 32#include "log.h"
8efc0c15 33#include "servconf.h"
34#include "xmalloc.h"
a8be9f80 35#include "compat.h"
42f11eb2 36#include "pathnames.h"
37#include "tildexpand.h"
38#include "misc.h"
39#include "cipher.h"
b2552997 40#include "kex.h"
41#include "mac.h"
42f11eb2 42
396c147e 43static void add_listen_addr(ServerOptions *, char *, u_short);
44static void add_one_listen_addr(ServerOptions *, char *, u_short);
48e671d5 45
42f11eb2 46/* AF_UNSPEC or AF_INET or AF_INET6 */
47extern int IPv4or6;
1853d1ef 48/* Use of privilege separation or not */
49extern int use_privsep;
42f11eb2 50
8efc0c15 51/* Initializes the server options to their default values. */
52
6ae2364d 53void
5260325f 54initialize_server_options(ServerOptions *options)
8efc0c15 55{
5260325f 56 memset(options, 0, sizeof(*options));
e15895cd 57
58 /* Portable-specific options */
59 options->pam_authentication_via_kbd_int = -1;
60
61 /* Standard Options */
48e671d5 62 options->num_ports = 0;
63 options->ports_from_cmdline = 0;
64 options->listen_addrs = NULL;
fa08c86b 65 options->num_host_key_files = 0;
0fbe8c74 66 options->pid_file = NULL;
5260325f 67 options->server_key_bits = -1;
68 options->login_grace_time = -1;
69 options->key_regeneration_time = -1;
15853e93 70 options->permit_root_login = PERMIT_NOT_SET;
5260325f 71 options->ignore_rhosts = -1;
72 options->ignore_user_known_hosts = -1;
73 options->print_motd = -1;
4f4648f9 74 options->print_lastlog = -1;
5260325f 75 options->x11_forwarding = -1;
76 options->x11_display_offset = -1;
e6e573bd 77 options->x11_use_localhost = -1;
fa649821 78 options->xauth_location = NULL;
5260325f 79 options->strict_modes = -1;
80 options->keepalives = -1;
5eaf8578 81 options->log_facility = SYSLOG_FACILITY_NOT_SET;
82 options->log_level = SYSLOG_LEVEL_NOT_SET;
5260325f 83 options->rhosts_authentication = -1;
84 options->rhosts_rsa_authentication = -1;
8002af61 85 options->hostbased_authentication = -1;
86 options->hostbased_uses_name_from_packet_only = -1;
5260325f 87 options->rsa_authentication = -1;
fa08c86b 88 options->pubkey_authentication = -1;
ced49be2 89#if defined(KRB4) || defined(KRB5)
5260325f 90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
8efc0c15 93#endif
ced49be2 94#if defined(AFS) || defined(KRB5)
5260325f 95 options->kerberos_tgt_passing = -1;
ced49be2 96#endif
97#ifdef AFS
5260325f 98 options->afs_token_passing = -1;
8efc0c15 99#endif
5260325f 100 options->password_authentication = -1;
94ec8c6b 101 options->kbd_interactive_authentication = -1;
5ba55ada 102 options->challenge_response_authentication = -1;
5260325f 103 options->permit_empty_passwd = -1;
104 options->use_login = -1;
636f76ca 105 options->compression = -1;
33de75a3 106 options->allow_tcp_forwarding = -1;
5260325f 107 options->num_allow_users = 0;
108 options->num_deny_users = 0;
109 options->num_allow_groups = 0;
110 options->num_deny_groups = 0;
a8be9f80 111 options->ciphers = NULL;
b2552997 112 options->macs = NULL;
a8be9f80 113 options->protocol = SSH_PROTO_UNKNOWN;
1d1ffb87 114 options->gateway_ports = -1;
38c295d6 115 options->num_subsystems = 0;
c345cf9d 116 options->max_startups_begin = -1;
117 options->max_startups_rate = -1;
089fbbd2 118 options->max_startups = -1;
eea39c02 119 options->banner = NULL;
bf4c5edc 120 options->verify_reverse_mapping = -1;
3ffc6336 121 options->client_alive_interval = -1;
122 options->client_alive_count_max = -1;
c8445989 123 options->authorized_keys_file = NULL;
124 options->authorized_keys_file2 = NULL;
1853d1ef 125
1853d1ef 126 /* Needs to be accessable in many places */
127 use_privsep = -1;
8efc0c15 128}
129
6ae2364d 130void
5260325f 131fill_default_server_options(ServerOptions *options)
8efc0c15 132{
e15895cd 133 /* Portable-specific options */
134 if (options->pam_authentication_via_kbd_int == -1)
135 options->pam_authentication_via_kbd_int = 0;
136
137 /* Standard Options */
fa08c86b 138 if (options->protocol == SSH_PROTO_UNKNOWN)
139 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
140 if (options->num_host_key_files == 0) {
141 /* fill default hostkeys for protocols */
142 if (options->protocol & SSH_PROTO_1)
0f84fe37 143 options->host_key_files[options->num_host_key_files++] =
144 _PATH_HOST_KEY_FILE;
145 if (options->protocol & SSH_PROTO_2) {
146 options->host_key_files[options->num_host_key_files++] =
147 _PATH_HOST_RSA_KEY_FILE;
148 options->host_key_files[options->num_host_key_files++] =
149 _PATH_HOST_DSA_KEY_FILE;
150 }
fa08c86b 151 }
48e671d5 152 if (options->num_ports == 0)
153 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
154 if (options->listen_addrs == NULL)
2d2a2c65 155 add_listen_addr(options, NULL, 0);
0fbe8c74 156 if (options->pid_file == NULL)
42f11eb2 157 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
5260325f 158 if (options->server_key_bits == -1)
159 options->server_key_bits = 768;
160 if (options->login_grace_time == -1)
161 options->login_grace_time = 600;
162 if (options->key_regeneration_time == -1)
163 options->key_regeneration_time = 3600;
15853e93 164 if (options->permit_root_login == PERMIT_NOT_SET)
165 options->permit_root_login = PERMIT_YES;
5260325f 166 if (options->ignore_rhosts == -1)
c8d54615 167 options->ignore_rhosts = 1;
5260325f 168 if (options->ignore_user_known_hosts == -1)
169 options->ignore_user_known_hosts = 0;
5260325f 170 if (options->print_motd == -1)
171 options->print_motd = 1;
4f4648f9 172 if (options->print_lastlog == -1)
173 options->print_lastlog = 1;
5260325f 174 if (options->x11_forwarding == -1)
c8d54615 175 options->x11_forwarding = 0;
5260325f 176 if (options->x11_display_offset == -1)
c8d54615 177 options->x11_display_offset = 10;
e6e573bd 178 if (options->x11_use_localhost == -1)
179 options->x11_use_localhost = 1;
fa649821 180 if (options->xauth_location == NULL)
fd9ede94 181 options->xauth_location = _PATH_XAUTH;
5260325f 182 if (options->strict_modes == -1)
183 options->strict_modes = 1;
184 if (options->keepalives == -1)
185 options->keepalives = 1;
5eaf8578 186 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
5260325f 187 options->log_facility = SYSLOG_FACILITY_AUTH;
5eaf8578 188 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
59c97189 189 options->log_level = SYSLOG_LEVEL_INFO;
5260325f 190 if (options->rhosts_authentication == -1)
191 options->rhosts_authentication = 0;
192 if (options->rhosts_rsa_authentication == -1)
c8d54615 193 options->rhosts_rsa_authentication = 0;
8002af61 194 if (options->hostbased_authentication == -1)
195 options->hostbased_authentication = 0;
196 if (options->hostbased_uses_name_from_packet_only == -1)
197 options->hostbased_uses_name_from_packet_only = 0;
5260325f 198 if (options->rsa_authentication == -1)
199 options->rsa_authentication = 1;
fa08c86b 200 if (options->pubkey_authentication == -1)
201 options->pubkey_authentication = 1;
ced49be2 202#if defined(KRB4) || defined(KRB5)
5260325f 203 if (options->kerberos_authentication == -1)
eadc806d 204 options->kerberos_authentication = 0;
5260325f 205 if (options->kerberos_or_local_passwd == -1)
206 options->kerberos_or_local_passwd = 1;
207 if (options->kerberos_ticket_cleanup == -1)
208 options->kerberos_ticket_cleanup = 1;
ced49be2 209#endif
210#if defined(AFS) || defined(KRB5)
5260325f 211 if (options->kerberos_tgt_passing == -1)
212 options->kerberos_tgt_passing = 0;
ced49be2 213#endif
184eed6a 214#ifdef AFS
5260325f 215 if (options->afs_token_passing == -1)
1c3454e7 216 options->afs_token_passing = 0;
ced49be2 217#endif
5260325f 218 if (options->password_authentication == -1)
219 options->password_authentication = 1;
94ec8c6b 220 if (options->kbd_interactive_authentication == -1)
221 options->kbd_interactive_authentication = 0;
5ba55ada 222 if (options->challenge_response_authentication == -1)
223 options->challenge_response_authentication = 1;
5260325f 224 if (options->permit_empty_passwd == -1)
c8d54615 225 options->permit_empty_passwd = 0;
5260325f 226 if (options->use_login == -1)
227 options->use_login = 0;
636f76ca 228 if (options->compression == -1)
229 options->compression = 1;
33de75a3 230 if (options->allow_tcp_forwarding == -1)
231 options->allow_tcp_forwarding = 1;
1d1ffb87 232 if (options->gateway_ports == -1)
233 options->gateway_ports = 0;
089fbbd2 234 if (options->max_startups == -1)
235 options->max_startups = 10;
c345cf9d 236 if (options->max_startups_rate == -1)
237 options->max_startups_rate = 100; /* 100% */
238 if (options->max_startups_begin == -1)
239 options->max_startups_begin = options->max_startups;
bf4c5edc 240 if (options->verify_reverse_mapping == -1)
241 options->verify_reverse_mapping = 0;
3ffc6336 242 if (options->client_alive_interval == -1)
184eed6a 243 options->client_alive_interval = 0;
3ffc6336 244 if (options->client_alive_count_max == -1)
245 options->client_alive_count_max = 3;
5df83e07 246 if (options->authorized_keys_file2 == NULL) {
247 /* authorized_keys_file2 falls back to authorized_keys_file */
248 if (options->authorized_keys_file != NULL)
249 options->authorized_keys_file2 = options->authorized_keys_file;
250 else
251 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
252 }
253 if (options->authorized_keys_file == NULL)
254 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
1853d1ef 255
2ee1b704 256 /* Turn privilege separation on by default */
1853d1ef 257 if (use_privsep == -1)
2ee1b704 258 use_privsep = 1;
e299a298 259
260#if !defined(HAVE_MMAP) || !defined(MAP_ANON)
261 if (use_privsep && options->compression == 1) {
262 error("This platform does not support both privilege "
263 "separation and compression");
264 error("Compression disabled");
265 options->compression = 0;
266 }
267#endif
268
8efc0c15 269}
270
8efc0c15 271/* Keyword tokens. */
5260325f 272typedef enum {
273 sBadOption, /* == unknown option */
e15895cd 274 /* Portable-specific options */
275 sPAMAuthenticationViaKbdInt,
276 /* Standard Options */
5260325f 277 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
278 sPermitRootLogin, sLogFacility, sLogLevel,
279 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
ced49be2 280#if defined(KRB4) || defined(KRB5)
5260325f 281 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
8efc0c15 282#endif
ced49be2 283#if defined(AFS) || defined(KRB5)
284 sKerberosTgtPassing,
285#endif
8efc0c15 286#ifdef AFS
ced49be2 287 sAFSTokenPassing,
8efc0c15 288#endif
d464095c 289 sChallengeResponseAuthentication,
94ec8c6b 290 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
4f4648f9 291 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e6e573bd 292 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
5c53a31e 293 sStrictModes, sEmptyPasswd, sKeepAlives,
636f76ca 294 sUseLogin, sAllowTcpForwarding, sCompression,
33de75a3 295 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
b2552997 296 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
fa08c86b 297 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
bf4c5edc 298 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
184eed6a 299 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
c8445989 300 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
2ea6de2b 301 sUsePrivilegeSeparation,
2717fa0f 302 sDeprecated
8efc0c15 303} ServerOpCodes;
304
305/* Textual representation of the tokens. */
5260325f 306static struct {
307 const char *name;
308 ServerOpCodes opcode;
309} keywords[] = {
e15895cd 310 /* Portable-specific options */
311 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
312 /* Standard Options */
5260325f 313 { "port", sPort },
314 { "hostkey", sHostKeyFile },
fa08c86b 315 { "hostdsakey", sHostKeyFile }, /* alias */
2b87da3b 316 { "pidfile", sPidFile },
5260325f 317 { "serverkeybits", sServerKeyBits },
318 { "logingracetime", sLoginGraceTime },
319 { "keyregenerationinterval", sKeyRegenerationTime },
320 { "permitrootlogin", sPermitRootLogin },
321 { "syslogfacility", sLogFacility },
322 { "loglevel", sLogLevel },
323 { "rhostsauthentication", sRhostsAuthentication },
324 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
8002af61 325 { "hostbasedauthentication", sHostbasedAuthentication },
326 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
5260325f 327 { "rsaauthentication", sRSAAuthentication },
fa08c86b 328 { "pubkeyauthentication", sPubkeyAuthentication },
329 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
ced49be2 330#if defined(KRB4) || defined(KRB5)
5260325f 331 { "kerberosauthentication", sKerberosAuthentication },
332 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
333 { "kerberosticketcleanup", sKerberosTicketCleanup },
8efc0c15 334#endif
ced49be2 335#if defined(AFS) || defined(KRB5)
5260325f 336 { "kerberostgtpassing", sKerberosTgtPassing },
ced49be2 337#endif
338#ifdef AFS
5260325f 339 { "afstokenpassing", sAFSTokenPassing },
8efc0c15 340#endif
5260325f 341 { "passwordauthentication", sPasswordAuthentication },
94ec8c6b 342 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
d464095c 343 { "challengeresponseauthentication", sChallengeResponseAuthentication },
344 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
5c53a31e 345 { "checkmail", sDeprecated },
5260325f 346 { "listenaddress", sListenAddress },
347 { "printmotd", sPrintMotd },
4f4648f9 348 { "printlastlog", sPrintLastLog },
5260325f 349 { "ignorerhosts", sIgnoreRhosts },
350 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
351 { "x11forwarding", sX11Forwarding },
352 { "x11displayoffset", sX11DisplayOffset },
e6e573bd 353 { "x11uselocalhost", sX11UseLocalhost },
fa649821 354 { "xauthlocation", sXAuthLocation },
5260325f 355 { "strictmodes", sStrictModes },
356 { "permitemptypasswords", sEmptyPasswd },
357 { "uselogin", sUseLogin },
636f76ca 358 { "compression", sCompression },
5260325f 359 { "keepalive", sKeepAlives },
33de75a3 360 { "allowtcpforwarding", sAllowTcpForwarding },
5260325f 361 { "allowusers", sAllowUsers },
362 { "denyusers", sDenyUsers },
363 { "allowgroups", sAllowGroups },
364 { "denygroups", sDenyGroups },
a8be9f80 365 { "ciphers", sCiphers },
b2552997 366 { "macs", sMacs },
a8be9f80 367 { "protocol", sProtocol },
1d1ffb87 368 { "gatewayports", sGatewayPorts },
38c295d6 369 { "subsystem", sSubsystem },
089fbbd2 370 { "maxstartups", sMaxStartups },
eea39c02 371 { "banner", sBanner },
bf4c5edc 372 { "verifyreversemapping", sVerifyReverseMapping },
373 { "reversemappingcheck", sVerifyReverseMapping },
3ffc6336 374 { "clientaliveinterval", sClientAliveInterval },
375 { "clientalivecountmax", sClientAliveCountMax },
c8445989 376 { "authorizedkeysfile", sAuthorizedKeysFile },
377 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
1853d1ef 378 { "useprivilegeseparation", sUsePrivilegeSeparation},
17a3011c 379 { NULL, sBadOption }
8efc0c15 380};
381
aa3378df 382/*
6be9a5e8 383 * Returns the number of the token pointed to by cp or sBadOption.
aa3378df 384 */
8efc0c15 385
6ae2364d 386static ServerOpCodes
5260325f 387parse_token(const char *cp, const char *filename,
388 int linenum)
8efc0c15 389{
1e3b8b07 390 u_int i;
8efc0c15 391
5260325f 392 for (i = 0; keywords[i].name; i++)
aa3378df 393 if (strcasecmp(cp, keywords[i].name) == 0)
5260325f 394 return keywords[i].opcode;
8efc0c15 395
b7c70970 396 error("%s: line %d: Bad configuration option: %s",
397 filename, linenum, cp);
5260325f 398 return sBadOption;
8efc0c15 399}
400
396c147e 401static void
2d2a2c65 402add_listen_addr(ServerOptions *options, char *addr, u_short port)
48e671d5 403{
48e671d5 404 int i;
405
406 if (options->num_ports == 0)
407 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
2d2a2c65 408 if (port == 0)
d11c1288 409 for (i = 0; i < options->num_ports; i++)
410 add_one_listen_addr(options, addr, options->ports[i]);
411 else
2d2a2c65 412 add_one_listen_addr(options, addr, port);
d11c1288 413}
414
396c147e 415static void
d11c1288 416add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
417{
418 struct addrinfo hints, *ai, *aitop;
419 char strport[NI_MAXSERV];
420 int gaierr;
421
422 memset(&hints, 0, sizeof(hints));
423 hints.ai_family = IPv4or6;
424 hints.ai_socktype = SOCK_STREAM;
425 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
426 snprintf(strport, sizeof strport, "%d", port);
427 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
428 fatal("bad addr or host: %s (%s)",
429 addr ? addr : "<NULL>",
430 gai_strerror(gaierr));
431 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
432 ;
433 ai->ai_next = options->listen_addrs;
434 options->listen_addrs = aitop;
48e671d5 435}
436
2717fa0f 437int
438process_server_config_line(ServerOptions *options, char *line,
439 const char *filename, int linenum)
8efc0c15 440{
d11c1288 441 char *cp, **charptr, *arg, *p;
2717fa0f 442 int *intptr, value;
5260325f 443 ServerOpCodes opcode;
97de229c 444 int i, n;
5260325f 445
2717fa0f 446 cp = line;
447 arg = strdelim(&cp);
448 /* Ignore leading whitespace */
449 if (*arg == '\0')
704b1659 450 arg = strdelim(&cp);
2717fa0f 451 if (!arg || !*arg || *arg == '#')
452 return 0;
453 intptr = NULL;
454 charptr = NULL;
455 opcode = parse_token(arg, filename, linenum);
456 switch (opcode) {
457 /* Portable-specific options */
458 case sPAMAuthenticationViaKbdInt:
459 intptr = &options->pam_authentication_via_kbd_int;
460 goto parse_flag;
48e671d5 461
2717fa0f 462 /* Standard Options */
463 case sBadOption:
464 return -1;
465 case sPort:
466 /* ignore ports from configfile if cmdline specifies ports */
467 if (options->ports_from_cmdline)
468 return 0;
469 if (options->listen_addrs != NULL)
470 fatal("%s line %d: ports must be specified before "
3a454b6a 471 "ListenAddress.", filename, linenum);
2717fa0f 472 if (options->num_ports >= MAX_PORTS)
473 fatal("%s line %d: too many ports.",
474 filename, linenum);
475 arg = strdelim(&cp);
476 if (!arg || *arg == '\0')
477 fatal("%s line %d: missing port number.",
478 filename, linenum);
479 options->ports[options->num_ports++] = a2port(arg);
480 if (options->ports[options->num_ports-1] == 0)
481 fatal("%s line %d: Badly formatted port number.",
482 filename, linenum);
483 break;
484
485 case sServerKeyBits:
486 intptr = &options->server_key_bits;
5260325f 487parse_int:
2717fa0f 488 arg = strdelim(&cp);
489 if (!arg || *arg == '\0')
490 fatal("%s line %d: missing integer value.",
491 filename, linenum);
492 value = atoi(arg);
493 if (*intptr == -1)
494 *intptr = value;
495 break;
496
497 case sLoginGraceTime:
498 intptr = &options->login_grace_time;
e2b1fb42 499parse_time:
2717fa0f 500 arg = strdelim(&cp);
501 if (!arg || *arg == '\0')
502 fatal("%s line %d: missing time value.",
503 filename, linenum);
504 if ((value = convtime(arg)) == -1)
505 fatal("%s line %d: invalid time value.",
506 filename, linenum);
507 if (*intptr == -1)
508 *intptr = value;
509 break;
510
511 case sKeyRegenerationTime:
512 intptr = &options->key_regeneration_time;
513 goto parse_time;
514
515 case sListenAddress:
516 arg = strdelim(&cp);
517 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
518 fatal("%s line %d: missing inet addr.",
519 filename, linenum);
520 if (*arg == '[') {
521 if ((p = strchr(arg, ']')) == NULL)
522 fatal("%s line %d: bad ipv6 inet addr usage.",
e2b1fb42 523 filename, linenum);
2717fa0f 524 arg++;
525 memmove(p, p+1, strlen(p+1)+1);
526 } else if (((p = strchr(arg, ':')) == NULL) ||
527 (strchr(p+1, ':') != NULL)) {
528 add_listen_addr(options, arg, 0);
e2b1fb42 529 break;
2717fa0f 530 }
531 if (*p == ':') {
532 u_short port;
5260325f 533
2717fa0f 534 p++;
535 if (*p == '\0')
536 fatal("%s line %d: bad inet addr:port usage.",
48e671d5 537 filename, linenum);
2717fa0f 538 else {
539 *(p-1) = '\0';
540 if ((port = a2port(p)) == 0)
541 fatal("%s line %d: bad port number.",
d11c1288 542 filename, linenum);
2717fa0f 543 add_listen_addr(options, arg, port);
d11c1288 544 }
2717fa0f 545 } else if (*p == '\0')
546 add_listen_addr(options, arg, 0);
547 else
548 fatal("%s line %d: bad inet addr usage.",
549 filename, linenum);
550 break;
551
552 case sHostKeyFile:
553 intptr = &options->num_host_key_files;
554 if (*intptr >= MAX_HOSTKEYS)
555 fatal("%s line %d: too many host keys specified (max %d).",
556 filename, linenum, MAX_HOSTKEYS);
557 charptr = &options->host_key_files[*intptr];
fa649821 558parse_filename:
2717fa0f 559 arg = strdelim(&cp);
560 if (!arg || *arg == '\0')
561 fatal("%s line %d: missing file name.",
562 filename, linenum);
563 if (*charptr == NULL) {
564 *charptr = tilde_expand_filename(arg, getuid());
565 /* increase optional counter */
566 if (intptr != NULL)
567 *intptr = *intptr + 1;
568 }
569 break;
0fbe8c74 570
2717fa0f 571 case sPidFile:
572 charptr = &options->pid_file;
573 goto parse_filename;
5260325f 574
2717fa0f 575 case sPermitRootLogin:
576 intptr = &options->permit_root_login;
577 arg = strdelim(&cp);
578 if (!arg || *arg == '\0')
579 fatal("%s line %d: missing yes/"
580 "without-password/forced-commands-only/no "
581 "argument.", filename, linenum);
582 value = 0; /* silence compiler */
583 if (strcmp(arg, "without-password") == 0)
584 value = PERMIT_NO_PASSWD;
585 else if (strcmp(arg, "forced-commands-only") == 0)
586 value = PERMIT_FORCED_ONLY;
587 else if (strcmp(arg, "yes") == 0)
588 value = PERMIT_YES;
589 else if (strcmp(arg, "no") == 0)
590 value = PERMIT_NO;
591 else
592 fatal("%s line %d: Bad yes/"
593 "without-password/forced-commands-only/no "
594 "argument: %s", filename, linenum, arg);
595 if (*intptr == -1)
596 *intptr = value;
597 break;
598
599 case sIgnoreRhosts:
600 intptr = &options->ignore_rhosts;
5260325f 601parse_flag:
2717fa0f 602 arg = strdelim(&cp);
603 if (!arg || *arg == '\0')
604 fatal("%s line %d: missing yes/no argument.",
605 filename, linenum);
606 value = 0; /* silence compiler */
607 if (strcmp(arg, "yes") == 0)
608 value = 1;
609 else if (strcmp(arg, "no") == 0)
610 value = 0;
611 else
612 fatal("%s line %d: Bad yes/no argument: %s",
613 filename, linenum, arg);
614 if (*intptr == -1)
615 *intptr = value;
616 break;
617
618 case sIgnoreUserKnownHosts:
619 intptr = &options->ignore_user_known_hosts;
620 goto parse_flag;
621
622 case sRhostsAuthentication:
623 intptr = &options->rhosts_authentication;
624 goto parse_flag;
625
626 case sRhostsRSAAuthentication:
627 intptr = &options->rhosts_rsa_authentication;
628 goto parse_flag;
629
630 case sHostbasedAuthentication:
631 intptr = &options->hostbased_authentication;
632 goto parse_flag;
633
634 case sHostbasedUsesNameFromPacketOnly:
635 intptr = &options->hostbased_uses_name_from_packet_only;
636 goto parse_flag;
637
638 case sRSAAuthentication:
639 intptr = &options->rsa_authentication;
640 goto parse_flag;
641
642 case sPubkeyAuthentication:
643 intptr = &options->pubkey_authentication;
644 goto parse_flag;
645#if defined(KRB4) || defined(KRB5)
646 case sKerberosAuthentication:
647 intptr = &options->kerberos_authentication;
648 goto parse_flag;
5260325f 649
2717fa0f 650 case sKerberosOrLocalPasswd:
651 intptr = &options->kerberos_or_local_passwd;
652 goto parse_flag;
5260325f 653
2717fa0f 654 case sKerberosTicketCleanup:
655 intptr = &options->kerberos_ticket_cleanup;
656 goto parse_flag;
657#endif
658#if defined(AFS) || defined(KRB5)
659 case sKerberosTgtPassing:
660 intptr = &options->kerberos_tgt_passing;
661 goto parse_flag;
662#endif
663#ifdef AFS
664 case sAFSTokenPassing:
665 intptr = &options->afs_token_passing;
666 goto parse_flag;
667#endif
5260325f 668
2717fa0f 669 case sPasswordAuthentication:
670 intptr = &options->password_authentication;
671 goto parse_flag;
5260325f 672
2717fa0f 673 case sKbdInteractiveAuthentication:
674 intptr = &options->kbd_interactive_authentication;
675 goto parse_flag;
8002af61 676
2717fa0f 677 case sChallengeResponseAuthentication:
678 intptr = &options->challenge_response_authentication;
679 goto parse_flag;
8002af61 680
2717fa0f 681 case sPrintMotd:
682 intptr = &options->print_motd;
683 goto parse_flag;
5260325f 684
2717fa0f 685 case sPrintLastLog:
686 intptr = &options->print_lastlog;
687 goto parse_flag;
5260325f 688
2717fa0f 689 case sX11Forwarding:
690 intptr = &options->x11_forwarding;
691 goto parse_flag;
5260325f 692
2717fa0f 693 case sX11DisplayOffset:
694 intptr = &options->x11_display_offset;
695 goto parse_int;
8efc0c15 696
e6e573bd 697 case sX11UseLocalhost:
698 intptr = &options->x11_use_localhost;
699 goto parse_flag;
700
2717fa0f 701 case sXAuthLocation:
702 charptr = &options->xauth_location;
703 goto parse_filename;
5260325f 704
2717fa0f 705 case sStrictModes:
706 intptr = &options->strict_modes;
707 goto parse_flag;
5260325f 708
2717fa0f 709 case sKeepAlives:
710 intptr = &options->keepalives;
711 goto parse_flag;
33de75a3 712
2717fa0f 713 case sEmptyPasswd:
714 intptr = &options->permit_empty_passwd;
715 goto parse_flag;
5260325f 716
2717fa0f 717 case sUseLogin:
718 intptr = &options->use_login;
719 goto parse_flag;
5260325f 720
636f76ca 721 case sCompression:
722 intptr = &options->compression;
723 goto parse_flag;
724
2717fa0f 725 case sGatewayPorts:
726 intptr = &options->gateway_ports;
727 goto parse_flag;
5260325f 728
bf4c5edc 729 case sVerifyReverseMapping:
730 intptr = &options->verify_reverse_mapping;
2717fa0f 731 goto parse_flag;
5260325f 732
2717fa0f 733 case sLogFacility:
734 intptr = (int *) &options->log_facility;
735 arg = strdelim(&cp);
736 value = log_facility_number(arg);
5eaf8578 737 if (value == SYSLOG_FACILITY_NOT_SET)
2717fa0f 738 fatal("%.200s line %d: unsupported log facility '%s'",
739 filename, linenum, arg ? arg : "<NONE>");
740 if (*intptr == -1)
741 *intptr = (SyslogFacility) value;
742 break;
743
744 case sLogLevel:
745 intptr = (int *) &options->log_level;
746 arg = strdelim(&cp);
747 value = log_level_number(arg);
5eaf8578 748 if (value == SYSLOG_LEVEL_NOT_SET)
2717fa0f 749 fatal("%.200s line %d: unsupported log level '%s'",
750 filename, linenum, arg ? arg : "<NONE>");
751 if (*intptr == -1)
752 *intptr = (LogLevel) value;
753 break;
754
755 case sAllowTcpForwarding:
756 intptr = &options->allow_tcp_forwarding;
757 goto parse_flag;
758
1853d1ef 759 case sUsePrivilegeSeparation:
760 intptr = &use_privsep;
761 goto parse_flag;
762
2717fa0f 763 case sAllowUsers:
764 while ((arg = strdelim(&cp)) && *arg != '\0') {
765 if (options->num_allow_users >= MAX_ALLOW_USERS)
766 fatal("%s line %d: too many allow users.",
767 filename, linenum);
768 options->allow_users[options->num_allow_users++] = xstrdup(arg);
769 }
770 break;
a8be9f80 771
2717fa0f 772 case sDenyUsers:
773 while ((arg = strdelim(&cp)) && *arg != '\0') {
774 if (options->num_deny_users >= MAX_DENY_USERS)
775 fatal( "%s line %d: too many deny users.",
776 filename, linenum);
777 options->deny_users[options->num_deny_users++] = xstrdup(arg);
778 }
779 break;
b2552997 780
2717fa0f 781 case sAllowGroups:
782 while ((arg = strdelim(&cp)) && *arg != '\0') {
783 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
784 fatal("%s line %d: too many allow groups.",
785 filename, linenum);
786 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
787 }
788 break;
a8be9f80 789
2717fa0f 790 case sDenyGroups:
791 while ((arg = strdelim(&cp)) && *arg != '\0') {
792 if (options->num_deny_groups >= MAX_DENY_GROUPS)
793 fatal("%s line %d: too many deny groups.",
794 filename, linenum);
795 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
796 }
797 break;
38c295d6 798
2717fa0f 799 case sCiphers:
800 arg = strdelim(&cp);
801 if (!arg || *arg == '\0')
802 fatal("%s line %d: Missing argument.", filename, linenum);
803 if (!ciphers_valid(arg))
804 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
805 filename, linenum, arg ? arg : "<NONE>");
806 if (options->ciphers == NULL)
807 options->ciphers = xstrdup(arg);
808 break;
809
810 case sMacs:
811 arg = strdelim(&cp);
812 if (!arg || *arg == '\0')
813 fatal("%s line %d: Missing argument.", filename, linenum);
814 if (!mac_valid(arg))
815 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
816 filename, linenum, arg ? arg : "<NONE>");
817 if (options->macs == NULL)
818 options->macs = xstrdup(arg);
819 break;
820
821 case sProtocol:
822 intptr = &options->protocol;
823 arg = strdelim(&cp);
824 if (!arg || *arg == '\0')
825 fatal("%s line %d: Missing argument.", filename, linenum);
826 value = proto_spec(arg);
827 if (value == SSH_PROTO_UNKNOWN)
828 fatal("%s line %d: Bad protocol spec '%s'.",
184eed6a 829 filename, linenum, arg ? arg : "<NONE>");
2717fa0f 830 if (*intptr == SSH_PROTO_UNKNOWN)
831 *intptr = value;
832 break;
833
834 case sSubsystem:
835 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
836 fatal("%s line %d: too many subsystems defined.",
184eed6a 837 filename, linenum);
2717fa0f 838 }
839 arg = strdelim(&cp);
840 if (!arg || *arg == '\0')
841 fatal("%s line %d: Missing subsystem name.",
184eed6a 842 filename, linenum);
2717fa0f 843 for (i = 0; i < options->num_subsystems; i++)
844 if (strcmp(arg, options->subsystem_name[i]) == 0)
845 fatal("%s line %d: Subsystem '%s' already defined.",
184eed6a 846 filename, linenum, arg);
2717fa0f 847 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
848 arg = strdelim(&cp);
849 if (!arg || *arg == '\0')
850 fatal("%s line %d: Missing subsystem command.",
184eed6a 851 filename, linenum);
2717fa0f 852 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
853 options->num_subsystems++;
854 break;
855
856 case sMaxStartups:
857 arg = strdelim(&cp);
858 if (!arg || *arg == '\0')
859 fatal("%s line %d: Missing MaxStartups spec.",
184eed6a 860 filename, linenum);
2717fa0f 861 if ((n = sscanf(arg, "%d:%d:%d",
862 &options->max_startups_begin,
863 &options->max_startups_rate,
864 &options->max_startups)) == 3) {
865 if (options->max_startups_begin >
866 options->max_startups ||
867 options->max_startups_rate > 100 ||
868 options->max_startups_rate < 1)
c345cf9d 869 fatal("%s line %d: Illegal MaxStartups spec.",
97de229c 870 filename, linenum);
2717fa0f 871 } else if (n != 1)
872 fatal("%s line %d: Illegal MaxStartups spec.",
873 filename, linenum);
874 else
875 options->max_startups = options->max_startups_begin;
876 break;
877
878 case sBanner:
879 charptr = &options->banner;
880 goto parse_filename;
881 /*
882 * These options can contain %X options expanded at
883 * connect time, so that you can specify paths like:
884 *
885 * AuthorizedKeysFile /etc/ssh_keys/%u
886 */
887 case sAuthorizedKeysFile:
888 case sAuthorizedKeysFile2:
889 charptr = (opcode == sAuthorizedKeysFile ) ?
890 &options->authorized_keys_file :
891 &options->authorized_keys_file2;
892 goto parse_filename;
893
894 case sClientAliveInterval:
895 intptr = &options->client_alive_interval;
896 goto parse_time;
897
898 case sClientAliveCountMax:
899 intptr = &options->client_alive_count_max;
900 goto parse_int;
901
902 case sDeprecated:
903 log("%s line %d: Deprecated option %s",
904 filename, linenum, arg);
905 while (arg)
906 arg = strdelim(&cp);
907 break;
908
909 default:
910 fatal("%s line %d: Missing handler for opcode %s (%d)",
911 filename, linenum, arg, opcode);
912 }
913 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
914 fatal("%s line %d: garbage at end of line; \"%.200s\".",
915 filename, linenum, arg);
916 return 0;
917}
089fbbd2 918
2717fa0f 919/* Reads the server configuration file. */
5c53a31e 920
2717fa0f 921void
922read_server_config(ServerOptions *options, const char *filename)
923{
924 FILE *f;
925 char line[1024];
926 int linenum;
927 int bad_options = 0;
928
929 f = fopen(filename, "r");
930 if (!f) {
931 perror(filename);
932 exit(1);
933 }
934 linenum = 0;
935 while (fgets(line, sizeof(line), f)) {
936 /* Update line number counter. */
937 linenum++;
938 if (process_server_config_line(options, line, filename, linenum) != 0)
939 bad_options++;
8efc0c15 940 }
5260325f 941 fclose(f);
b7c70970 942 if (bad_options > 0)
943 fatal("%s: terminating, %d bad configuration options",
944 filename, bad_options);
8efc0c15 945}
git-cvsimport mirror of OpenSSH
This page took 0.510467 seconds and 5 git commands to generate.