]> andersk Git - openssh.git/blame - servconf.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- stevesk@cvs.openbsd.org 2002/06/20 20:03:34
[openssh.git] / servconf.c
CommitLineData
8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
2ee1b704 13RCSID("$OpenBSD: servconf.c,v 1.110 2002/05/15 21:56:38 markus Exp $");
42f11eb2 14
12928e80 15#if defined(KRB4)
42f11eb2 16#include <krb.h>
17#endif
12928e80 18#if defined(KRB5)
19#ifdef HEIMDAL
20#include <krb.h>
21#else
22/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
23 * keytab */
24#define KEYFILE "/etc/krb5.keytab"
25#endif
26#endif
83f46621 27#ifdef AFS
28#include <kafs.h>
29#endif
8efc0c15 30
31#include "ssh.h"
42f11eb2 32#include "log.h"
8efc0c15 33#include "servconf.h"
34#include "xmalloc.h"
a8be9f80 35#include "compat.h"
42f11eb2 36#include "pathnames.h"
37#include "tildexpand.h"
38#include "misc.h"
39#include "cipher.h"
b2552997 40#include "kex.h"
41#include "mac.h"
42f11eb2 42
396c147e 43static void add_listen_addr(ServerOptions *, char *, u_short);
44static void add_one_listen_addr(ServerOptions *, char *, u_short);
48e671d5 45
42f11eb2 46/* AF_UNSPEC or AF_INET or AF_INET6 */
47extern int IPv4or6;
1853d1ef 48/* Use of privilege separation or not */
49extern int use_privsep;
42f11eb2 50
8efc0c15 51/* Initializes the server options to their default values. */
52
6ae2364d 53void
5260325f 54initialize_server_options(ServerOptions *options)
8efc0c15 55{
5260325f 56 memset(options, 0, sizeof(*options));
e15895cd 57
58 /* Portable-specific options */
59 options->pam_authentication_via_kbd_int = -1;
60
61 /* Standard Options */
48e671d5 62 options->num_ports = 0;
63 options->ports_from_cmdline = 0;
64 options->listen_addrs = NULL;
fa08c86b 65 options->num_host_key_files = 0;
0fbe8c74 66 options->pid_file = NULL;
5260325f 67 options->server_key_bits = -1;
68 options->login_grace_time = -1;
69 options->key_regeneration_time = -1;
15853e93 70 options->permit_root_login = PERMIT_NOT_SET;
5260325f 71 options->ignore_rhosts = -1;
72 options->ignore_user_known_hosts = -1;
73 options->print_motd = -1;
4f4648f9 74 options->print_lastlog = -1;
5260325f 75 options->x11_forwarding = -1;
76 options->x11_display_offset = -1;
e6e573bd 77 options->x11_use_localhost = -1;
fa649821 78 options->xauth_location = NULL;
5260325f 79 options->strict_modes = -1;
80 options->keepalives = -1;
5eaf8578 81 options->log_facility = SYSLOG_FACILITY_NOT_SET;
82 options->log_level = SYSLOG_LEVEL_NOT_SET;
5260325f 83 options->rhosts_authentication = -1;
84 options->rhosts_rsa_authentication = -1;
8002af61 85 options->hostbased_authentication = -1;
86 options->hostbased_uses_name_from_packet_only = -1;
5260325f 87 options->rsa_authentication = -1;
fa08c86b 88 options->pubkey_authentication = -1;
ced49be2 89#if defined(KRB4) || defined(KRB5)
5260325f 90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
8efc0c15 93#endif
ced49be2 94#if defined(AFS) || defined(KRB5)
5260325f 95 options->kerberos_tgt_passing = -1;
ced49be2 96#endif
97#ifdef AFS
5260325f 98 options->afs_token_passing = -1;
8efc0c15 99#endif
5260325f 100 options->password_authentication = -1;
94ec8c6b 101 options->kbd_interactive_authentication = -1;
5ba55ada 102 options->challenge_response_authentication = -1;
5260325f 103 options->permit_empty_passwd = -1;
104 options->use_login = -1;
33de75a3 105 options->allow_tcp_forwarding = -1;
5260325f 106 options->num_allow_users = 0;
107 options->num_deny_users = 0;
108 options->num_allow_groups = 0;
109 options->num_deny_groups = 0;
a8be9f80 110 options->ciphers = NULL;
b2552997 111 options->macs = NULL;
a8be9f80 112 options->protocol = SSH_PROTO_UNKNOWN;
1d1ffb87 113 options->gateway_ports = -1;
38c295d6 114 options->num_subsystems = 0;
c345cf9d 115 options->max_startups_begin = -1;
116 options->max_startups_rate = -1;
089fbbd2 117 options->max_startups = -1;
eea39c02 118 options->banner = NULL;
bf4c5edc 119 options->verify_reverse_mapping = -1;
3ffc6336 120 options->client_alive_interval = -1;
121 options->client_alive_count_max = -1;
c8445989 122 options->authorized_keys_file = NULL;
123 options->authorized_keys_file2 = NULL;
1853d1ef 124
1853d1ef 125 /* Needs to be accessable in many places */
126 use_privsep = -1;
8efc0c15 127}
128
6ae2364d 129void
5260325f 130fill_default_server_options(ServerOptions *options)
8efc0c15 131{
e15895cd 132 /* Portable-specific options */
133 if (options->pam_authentication_via_kbd_int == -1)
134 options->pam_authentication_via_kbd_int = 0;
135
136 /* Standard Options */
fa08c86b 137 if (options->protocol == SSH_PROTO_UNKNOWN)
138 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
139 if (options->num_host_key_files == 0) {
140 /* fill default hostkeys for protocols */
141 if (options->protocol & SSH_PROTO_1)
0f84fe37 142 options->host_key_files[options->num_host_key_files++] =
143 _PATH_HOST_KEY_FILE;
144 if (options->protocol & SSH_PROTO_2) {
145 options->host_key_files[options->num_host_key_files++] =
146 _PATH_HOST_RSA_KEY_FILE;
147 options->host_key_files[options->num_host_key_files++] =
148 _PATH_HOST_DSA_KEY_FILE;
149 }
fa08c86b 150 }
48e671d5 151 if (options->num_ports == 0)
152 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
153 if (options->listen_addrs == NULL)
2d2a2c65 154 add_listen_addr(options, NULL, 0);
0fbe8c74 155 if (options->pid_file == NULL)
42f11eb2 156 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
5260325f 157 if (options->server_key_bits == -1)
158 options->server_key_bits = 768;
159 if (options->login_grace_time == -1)
160 options->login_grace_time = 600;
161 if (options->key_regeneration_time == -1)
162 options->key_regeneration_time = 3600;
15853e93 163 if (options->permit_root_login == PERMIT_NOT_SET)
164 options->permit_root_login = PERMIT_YES;
5260325f 165 if (options->ignore_rhosts == -1)
c8d54615 166 options->ignore_rhosts = 1;
5260325f 167 if (options->ignore_user_known_hosts == -1)
168 options->ignore_user_known_hosts = 0;
5260325f 169 if (options->print_motd == -1)
170 options->print_motd = 1;
4f4648f9 171 if (options->print_lastlog == -1)
172 options->print_lastlog = 1;
5260325f 173 if (options->x11_forwarding == -1)
c8d54615 174 options->x11_forwarding = 0;
5260325f 175 if (options->x11_display_offset == -1)
c8d54615 176 options->x11_display_offset = 10;
e6e573bd 177 if (options->x11_use_localhost == -1)
178 options->x11_use_localhost = 1;
fa649821 179 if (options->xauth_location == NULL)
fd9ede94 180 options->xauth_location = _PATH_XAUTH;
5260325f 181 if (options->strict_modes == -1)
182 options->strict_modes = 1;
183 if (options->keepalives == -1)
184 options->keepalives = 1;
5eaf8578 185 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
5260325f 186 options->log_facility = SYSLOG_FACILITY_AUTH;
5eaf8578 187 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
59c97189 188 options->log_level = SYSLOG_LEVEL_INFO;
5260325f 189 if (options->rhosts_authentication == -1)
190 options->rhosts_authentication = 0;
191 if (options->rhosts_rsa_authentication == -1)
c8d54615 192 options->rhosts_rsa_authentication = 0;
8002af61 193 if (options->hostbased_authentication == -1)
194 options->hostbased_authentication = 0;
195 if (options->hostbased_uses_name_from_packet_only == -1)
196 options->hostbased_uses_name_from_packet_only = 0;
5260325f 197 if (options->rsa_authentication == -1)
198 options->rsa_authentication = 1;
fa08c86b 199 if (options->pubkey_authentication == -1)
200 options->pubkey_authentication = 1;
ced49be2 201#if defined(KRB4) || defined(KRB5)
5260325f 202 if (options->kerberos_authentication == -1)
eadc806d 203 options->kerberos_authentication = 0;
5260325f 204 if (options->kerberos_or_local_passwd == -1)
205 options->kerberos_or_local_passwd = 1;
206 if (options->kerberos_ticket_cleanup == -1)
207 options->kerberos_ticket_cleanup = 1;
ced49be2 208#endif
209#if defined(AFS) || defined(KRB5)
5260325f 210 if (options->kerberos_tgt_passing == -1)
211 options->kerberos_tgt_passing = 0;
ced49be2 212#endif
184eed6a 213#ifdef AFS
5260325f 214 if (options->afs_token_passing == -1)
1c3454e7 215 options->afs_token_passing = 0;
ced49be2 216#endif
5260325f 217 if (options->password_authentication == -1)
218 options->password_authentication = 1;
94ec8c6b 219 if (options->kbd_interactive_authentication == -1)
220 options->kbd_interactive_authentication = 0;
5ba55ada 221 if (options->challenge_response_authentication == -1)
222 options->challenge_response_authentication = 1;
5260325f 223 if (options->permit_empty_passwd == -1)
c8d54615 224 options->permit_empty_passwd = 0;
5260325f 225 if (options->use_login == -1)
226 options->use_login = 0;
33de75a3 227 if (options->allow_tcp_forwarding == -1)
228 options->allow_tcp_forwarding = 1;
1d1ffb87 229 if (options->gateway_ports == -1)
230 options->gateway_ports = 0;
089fbbd2 231 if (options->max_startups == -1)
232 options->max_startups = 10;
c345cf9d 233 if (options->max_startups_rate == -1)
234 options->max_startups_rate = 100; /* 100% */
235 if (options->max_startups_begin == -1)
236 options->max_startups_begin = options->max_startups;
bf4c5edc 237 if (options->verify_reverse_mapping == -1)
238 options->verify_reverse_mapping = 0;
3ffc6336 239 if (options->client_alive_interval == -1)
184eed6a 240 options->client_alive_interval = 0;
3ffc6336 241 if (options->client_alive_count_max == -1)
242 options->client_alive_count_max = 3;
5df83e07 243 if (options->authorized_keys_file2 == NULL) {
244 /* authorized_keys_file2 falls back to authorized_keys_file */
245 if (options->authorized_keys_file != NULL)
246 options->authorized_keys_file2 = options->authorized_keys_file;
247 else
248 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
249 }
250 if (options->authorized_keys_file == NULL)
251 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
1853d1ef 252
2ee1b704 253 /* Turn privilege separation on by default */
1853d1ef 254 if (use_privsep == -1)
2ee1b704 255 use_privsep = 1;
8efc0c15 256}
257
8efc0c15 258/* Keyword tokens. */
5260325f 259typedef enum {
260 sBadOption, /* == unknown option */
e15895cd 261 /* Portable-specific options */
262 sPAMAuthenticationViaKbdInt,
263 /* Standard Options */
5260325f 264 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
265 sPermitRootLogin, sLogFacility, sLogLevel,
266 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
ced49be2 267#if defined(KRB4) || defined(KRB5)
5260325f 268 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
8efc0c15 269#endif
ced49be2 270#if defined(AFS) || defined(KRB5)
271 sKerberosTgtPassing,
272#endif
8efc0c15 273#ifdef AFS
ced49be2 274 sAFSTokenPassing,
8efc0c15 275#endif
d464095c 276 sChallengeResponseAuthentication,
94ec8c6b 277 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
4f4648f9 278 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e6e573bd 279 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
5c53a31e 280 sStrictModes, sEmptyPasswd, sKeepAlives,
33de75a3 281 sUseLogin, sAllowTcpForwarding,
282 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
b2552997 283 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
fa08c86b 284 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
bf4c5edc 285 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
184eed6a 286 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
c8445989 287 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
2ea6de2b 288 sUsePrivilegeSeparation,
2717fa0f 289 sDeprecated
8efc0c15 290} ServerOpCodes;
291
292/* Textual representation of the tokens. */
5260325f 293static struct {
294 const char *name;
295 ServerOpCodes opcode;
296} keywords[] = {
e15895cd 297 /* Portable-specific options */
298 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
299 /* Standard Options */
5260325f 300 { "port", sPort },
301 { "hostkey", sHostKeyFile },
fa08c86b 302 { "hostdsakey", sHostKeyFile }, /* alias */
2b87da3b 303 { "pidfile", sPidFile },
5260325f 304 { "serverkeybits", sServerKeyBits },
305 { "logingracetime", sLoginGraceTime },
306 { "keyregenerationinterval", sKeyRegenerationTime },
307 { "permitrootlogin", sPermitRootLogin },
308 { "syslogfacility", sLogFacility },
309 { "loglevel", sLogLevel },
310 { "rhostsauthentication", sRhostsAuthentication },
311 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
8002af61 312 { "hostbasedauthentication", sHostbasedAuthentication },
313 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
5260325f 314 { "rsaauthentication", sRSAAuthentication },
fa08c86b 315 { "pubkeyauthentication", sPubkeyAuthentication },
316 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
ced49be2 317#if defined(KRB4) || defined(KRB5)
5260325f 318 { "kerberosauthentication", sKerberosAuthentication },
319 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
320 { "kerberosticketcleanup", sKerberosTicketCleanup },
8efc0c15 321#endif
ced49be2 322#if defined(AFS) || defined(KRB5)
5260325f 323 { "kerberostgtpassing", sKerberosTgtPassing },
ced49be2 324#endif
325#ifdef AFS
5260325f 326 { "afstokenpassing", sAFSTokenPassing },
8efc0c15 327#endif
5260325f 328 { "passwordauthentication", sPasswordAuthentication },
94ec8c6b 329 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
d464095c 330 { "challengeresponseauthentication", sChallengeResponseAuthentication },
331 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
5c53a31e 332 { "checkmail", sDeprecated },
5260325f 333 { "listenaddress", sListenAddress },
334 { "printmotd", sPrintMotd },
4f4648f9 335 { "printlastlog", sPrintLastLog },
5260325f 336 { "ignorerhosts", sIgnoreRhosts },
337 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
338 { "x11forwarding", sX11Forwarding },
339 { "x11displayoffset", sX11DisplayOffset },
e6e573bd 340 { "x11uselocalhost", sX11UseLocalhost },
fa649821 341 { "xauthlocation", sXAuthLocation },
5260325f 342 { "strictmodes", sStrictModes },
343 { "permitemptypasswords", sEmptyPasswd },
344 { "uselogin", sUseLogin },
5260325f 345 { "keepalive", sKeepAlives },
33de75a3 346 { "allowtcpforwarding", sAllowTcpForwarding },
5260325f 347 { "allowusers", sAllowUsers },
348 { "denyusers", sDenyUsers },
349 { "allowgroups", sAllowGroups },
350 { "denygroups", sDenyGroups },
a8be9f80 351 { "ciphers", sCiphers },
b2552997 352 { "macs", sMacs },
a8be9f80 353 { "protocol", sProtocol },
1d1ffb87 354 { "gatewayports", sGatewayPorts },
38c295d6 355 { "subsystem", sSubsystem },
089fbbd2 356 { "maxstartups", sMaxStartups },
eea39c02 357 { "banner", sBanner },
bf4c5edc 358 { "verifyreversemapping", sVerifyReverseMapping },
359 { "reversemappingcheck", sVerifyReverseMapping },
3ffc6336 360 { "clientaliveinterval", sClientAliveInterval },
361 { "clientalivecountmax", sClientAliveCountMax },
c8445989 362 { "authorizedkeysfile", sAuthorizedKeysFile },
363 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
1853d1ef 364 { "useprivilegeseparation", sUsePrivilegeSeparation},
17a3011c 365 { NULL, sBadOption }
8efc0c15 366};
367
aa3378df 368/*
6be9a5e8 369 * Returns the number of the token pointed to by cp or sBadOption.
aa3378df 370 */
8efc0c15 371
6ae2364d 372static ServerOpCodes
5260325f 373parse_token(const char *cp, const char *filename,
374 int linenum)
8efc0c15 375{
1e3b8b07 376 u_int i;
8efc0c15 377
5260325f 378 for (i = 0; keywords[i].name; i++)
aa3378df 379 if (strcasecmp(cp, keywords[i].name) == 0)
5260325f 380 return keywords[i].opcode;
8efc0c15 381
b7c70970 382 error("%s: line %d: Bad configuration option: %s",
383 filename, linenum, cp);
5260325f 384 return sBadOption;
8efc0c15 385}
386
396c147e 387static void
2d2a2c65 388add_listen_addr(ServerOptions *options, char *addr, u_short port)
48e671d5 389{
48e671d5 390 int i;
391
392 if (options->num_ports == 0)
393 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
2d2a2c65 394 if (port == 0)
d11c1288 395 for (i = 0; i < options->num_ports; i++)
396 add_one_listen_addr(options, addr, options->ports[i]);
397 else
2d2a2c65 398 add_one_listen_addr(options, addr, port);
d11c1288 399}
400
396c147e 401static void
d11c1288 402add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
403{
404 struct addrinfo hints, *ai, *aitop;
405 char strport[NI_MAXSERV];
406 int gaierr;
407
408 memset(&hints, 0, sizeof(hints));
409 hints.ai_family = IPv4or6;
410 hints.ai_socktype = SOCK_STREAM;
411 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
412 snprintf(strport, sizeof strport, "%d", port);
413 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
414 fatal("bad addr or host: %s (%s)",
415 addr ? addr : "<NULL>",
416 gai_strerror(gaierr));
417 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
418 ;
419 ai->ai_next = options->listen_addrs;
420 options->listen_addrs = aitop;
48e671d5 421}
422
2717fa0f 423int
424process_server_config_line(ServerOptions *options, char *line,
425 const char *filename, int linenum)
8efc0c15 426{
d11c1288 427 char *cp, **charptr, *arg, *p;
2717fa0f 428 int *intptr, value;
5260325f 429 ServerOpCodes opcode;
97de229c 430 int i, n;
5260325f 431
2717fa0f 432 cp = line;
433 arg = strdelim(&cp);
434 /* Ignore leading whitespace */
435 if (*arg == '\0')
704b1659 436 arg = strdelim(&cp);
2717fa0f 437 if (!arg || !*arg || *arg == '#')
438 return 0;
439 intptr = NULL;
440 charptr = NULL;
441 opcode = parse_token(arg, filename, linenum);
442 switch (opcode) {
443 /* Portable-specific options */
444 case sPAMAuthenticationViaKbdInt:
445 intptr = &options->pam_authentication_via_kbd_int;
446 goto parse_flag;
48e671d5 447
2717fa0f 448 /* Standard Options */
449 case sBadOption:
450 return -1;
451 case sPort:
452 /* ignore ports from configfile if cmdline specifies ports */
453 if (options->ports_from_cmdline)
454 return 0;
455 if (options->listen_addrs != NULL)
456 fatal("%s line %d: ports must be specified before "
3a454b6a 457 "ListenAddress.", filename, linenum);
2717fa0f 458 if (options->num_ports >= MAX_PORTS)
459 fatal("%s line %d: too many ports.",
460 filename, linenum);
461 arg = strdelim(&cp);
462 if (!arg || *arg == '\0')
463 fatal("%s line %d: missing port number.",
464 filename, linenum);
465 options->ports[options->num_ports++] = a2port(arg);
466 if (options->ports[options->num_ports-1] == 0)
467 fatal("%s line %d: Badly formatted port number.",
468 filename, linenum);
469 break;
470
471 case sServerKeyBits:
472 intptr = &options->server_key_bits;
5260325f 473parse_int:
2717fa0f 474 arg = strdelim(&cp);
475 if (!arg || *arg == '\0')
476 fatal("%s line %d: missing integer value.",
477 filename, linenum);
478 value = atoi(arg);
479 if (*intptr == -1)
480 *intptr = value;
481 break;
482
483 case sLoginGraceTime:
484 intptr = &options->login_grace_time;
e2b1fb42 485parse_time:
2717fa0f 486 arg = strdelim(&cp);
487 if (!arg || *arg == '\0')
488 fatal("%s line %d: missing time value.",
489 filename, linenum);
490 if ((value = convtime(arg)) == -1)
491 fatal("%s line %d: invalid time value.",
492 filename, linenum);
493 if (*intptr == -1)
494 *intptr = value;
495 break;
496
497 case sKeyRegenerationTime:
498 intptr = &options->key_regeneration_time;
499 goto parse_time;
500
501 case sListenAddress:
502 arg = strdelim(&cp);
503 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
504 fatal("%s line %d: missing inet addr.",
505 filename, linenum);
506 if (*arg == '[') {
507 if ((p = strchr(arg, ']')) == NULL)
508 fatal("%s line %d: bad ipv6 inet addr usage.",
e2b1fb42 509 filename, linenum);
2717fa0f 510 arg++;
511 memmove(p, p+1, strlen(p+1)+1);
512 } else if (((p = strchr(arg, ':')) == NULL) ||
513 (strchr(p+1, ':') != NULL)) {
514 add_listen_addr(options, arg, 0);
e2b1fb42 515 break;
2717fa0f 516 }
517 if (*p == ':') {
518 u_short port;
5260325f 519
2717fa0f 520 p++;
521 if (*p == '\0')
522 fatal("%s line %d: bad inet addr:port usage.",
48e671d5 523 filename, linenum);
2717fa0f 524 else {
525 *(p-1) = '\0';
526 if ((port = a2port(p)) == 0)
527 fatal("%s line %d: bad port number.",
d11c1288 528 filename, linenum);
2717fa0f 529 add_listen_addr(options, arg, port);
d11c1288 530 }
2717fa0f 531 } else if (*p == '\0')
532 add_listen_addr(options, arg, 0);
533 else
534 fatal("%s line %d: bad inet addr usage.",
535 filename, linenum);
536 break;
537
538 case sHostKeyFile:
539 intptr = &options->num_host_key_files;
540 if (*intptr >= MAX_HOSTKEYS)
541 fatal("%s line %d: too many host keys specified (max %d).",
542 filename, linenum, MAX_HOSTKEYS);
543 charptr = &options->host_key_files[*intptr];
fa649821 544parse_filename:
2717fa0f 545 arg = strdelim(&cp);
546 if (!arg || *arg == '\0')
547 fatal("%s line %d: missing file name.",
548 filename, linenum);
549 if (*charptr == NULL) {
550 *charptr = tilde_expand_filename(arg, getuid());
551 /* increase optional counter */
552 if (intptr != NULL)
553 *intptr = *intptr + 1;
554 }
555 break;
0fbe8c74 556
2717fa0f 557 case sPidFile:
558 charptr = &options->pid_file;
559 goto parse_filename;
5260325f 560
2717fa0f 561 case sPermitRootLogin:
562 intptr = &options->permit_root_login;
563 arg = strdelim(&cp);
564 if (!arg || *arg == '\0')
565 fatal("%s line %d: missing yes/"
566 "without-password/forced-commands-only/no "
567 "argument.", filename, linenum);
568 value = 0; /* silence compiler */
569 if (strcmp(arg, "without-password") == 0)
570 value = PERMIT_NO_PASSWD;
571 else if (strcmp(arg, "forced-commands-only") == 0)
572 value = PERMIT_FORCED_ONLY;
573 else if (strcmp(arg, "yes") == 0)
574 value = PERMIT_YES;
575 else if (strcmp(arg, "no") == 0)
576 value = PERMIT_NO;
577 else
578 fatal("%s line %d: Bad yes/"
579 "without-password/forced-commands-only/no "
580 "argument: %s", filename, linenum, arg);
581 if (*intptr == -1)
582 *intptr = value;
583 break;
584
585 case sIgnoreRhosts:
586 intptr = &options->ignore_rhosts;
5260325f 587parse_flag:
2717fa0f 588 arg = strdelim(&cp);
589 if (!arg || *arg == '\0')
590 fatal("%s line %d: missing yes/no argument.",
591 filename, linenum);
592 value = 0; /* silence compiler */
593 if (strcmp(arg, "yes") == 0)
594 value = 1;
595 else if (strcmp(arg, "no") == 0)
596 value = 0;
597 else
598 fatal("%s line %d: Bad yes/no argument: %s",
599 filename, linenum, arg);
600 if (*intptr == -1)
601 *intptr = value;
602 break;
603
604 case sIgnoreUserKnownHosts:
605 intptr = &options->ignore_user_known_hosts;
606 goto parse_flag;
607
608 case sRhostsAuthentication:
609 intptr = &options->rhosts_authentication;
610 goto parse_flag;
611
612 case sRhostsRSAAuthentication:
613 intptr = &options->rhosts_rsa_authentication;
614 goto parse_flag;
615
616 case sHostbasedAuthentication:
617 intptr = &options->hostbased_authentication;
618 goto parse_flag;
619
620 case sHostbasedUsesNameFromPacketOnly:
621 intptr = &options->hostbased_uses_name_from_packet_only;
622 goto parse_flag;
623
624 case sRSAAuthentication:
625 intptr = &options->rsa_authentication;
626 goto parse_flag;
627
628 case sPubkeyAuthentication:
629 intptr = &options->pubkey_authentication;
630 goto parse_flag;
631#if defined(KRB4) || defined(KRB5)
632 case sKerberosAuthentication:
633 intptr = &options->kerberos_authentication;
634 goto parse_flag;
5260325f 635
2717fa0f 636 case sKerberosOrLocalPasswd:
637 intptr = &options->kerberos_or_local_passwd;
638 goto parse_flag;
5260325f 639
2717fa0f 640 case sKerberosTicketCleanup:
641 intptr = &options->kerberos_ticket_cleanup;
642 goto parse_flag;
643#endif
644#if defined(AFS) || defined(KRB5)
645 case sKerberosTgtPassing:
646 intptr = &options->kerberos_tgt_passing;
647 goto parse_flag;
648#endif
649#ifdef AFS
650 case sAFSTokenPassing:
651 intptr = &options->afs_token_passing;
652 goto parse_flag;
653#endif
5260325f 654
2717fa0f 655 case sPasswordAuthentication:
656 intptr = &options->password_authentication;
657 goto parse_flag;
5260325f 658
2717fa0f 659 case sKbdInteractiveAuthentication:
660 intptr = &options->kbd_interactive_authentication;
661 goto parse_flag;
8002af61 662
2717fa0f 663 case sChallengeResponseAuthentication:
664 intptr = &options->challenge_response_authentication;
665 goto parse_flag;
8002af61 666
2717fa0f 667 case sPrintMotd:
668 intptr = &options->print_motd;
669 goto parse_flag;
5260325f 670
2717fa0f 671 case sPrintLastLog:
672 intptr = &options->print_lastlog;
673 goto parse_flag;
5260325f 674
2717fa0f 675 case sX11Forwarding:
676 intptr = &options->x11_forwarding;
677 goto parse_flag;
5260325f 678
2717fa0f 679 case sX11DisplayOffset:
680 intptr = &options->x11_display_offset;
681 goto parse_int;
8efc0c15 682
e6e573bd 683 case sX11UseLocalhost:
684 intptr = &options->x11_use_localhost;
685 goto parse_flag;
686
2717fa0f 687 case sXAuthLocation:
688 charptr = &options->xauth_location;
689 goto parse_filename;
5260325f 690
2717fa0f 691 case sStrictModes:
692 intptr = &options->strict_modes;
693 goto parse_flag;
5260325f 694
2717fa0f 695 case sKeepAlives:
696 intptr = &options->keepalives;
697 goto parse_flag;
33de75a3 698
2717fa0f 699 case sEmptyPasswd:
700 intptr = &options->permit_empty_passwd;
701 goto parse_flag;
5260325f 702
2717fa0f 703 case sUseLogin:
704 intptr = &options->use_login;
705 goto parse_flag;
5260325f 706
2717fa0f 707 case sGatewayPorts:
708 intptr = &options->gateway_ports;
709 goto parse_flag;
5260325f 710
bf4c5edc 711 case sVerifyReverseMapping:
712 intptr = &options->verify_reverse_mapping;
2717fa0f 713 goto parse_flag;
5260325f 714
2717fa0f 715 case sLogFacility:
716 intptr = (int *) &options->log_facility;
717 arg = strdelim(&cp);
718 value = log_facility_number(arg);
5eaf8578 719 if (value == SYSLOG_FACILITY_NOT_SET)
2717fa0f 720 fatal("%.200s line %d: unsupported log facility '%s'",
721 filename, linenum, arg ? arg : "<NONE>");
722 if (*intptr == -1)
723 *intptr = (SyslogFacility) value;
724 break;
725
726 case sLogLevel:
727 intptr = (int *) &options->log_level;
728 arg = strdelim(&cp);
729 value = log_level_number(arg);
5eaf8578 730 if (value == SYSLOG_LEVEL_NOT_SET)
2717fa0f 731 fatal("%.200s line %d: unsupported log level '%s'",
732 filename, linenum, arg ? arg : "<NONE>");
733 if (*intptr == -1)
734 *intptr = (LogLevel) value;
735 break;
736
737 case sAllowTcpForwarding:
738 intptr = &options->allow_tcp_forwarding;
739 goto parse_flag;
740
1853d1ef 741 case sUsePrivilegeSeparation:
742 intptr = &use_privsep;
743 goto parse_flag;
744
2717fa0f 745 case sAllowUsers:
746 while ((arg = strdelim(&cp)) && *arg != '\0') {
747 if (options->num_allow_users >= MAX_ALLOW_USERS)
748 fatal("%s line %d: too many allow users.",
749 filename, linenum);
750 options->allow_users[options->num_allow_users++] = xstrdup(arg);
751 }
752 break;
a8be9f80 753
2717fa0f 754 case sDenyUsers:
755 while ((arg = strdelim(&cp)) && *arg != '\0') {
756 if (options->num_deny_users >= MAX_DENY_USERS)
757 fatal( "%s line %d: too many deny users.",
758 filename, linenum);
759 options->deny_users[options->num_deny_users++] = xstrdup(arg);
760 }
761 break;
b2552997 762
2717fa0f 763 case sAllowGroups:
764 while ((arg = strdelim(&cp)) && *arg != '\0') {
765 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
766 fatal("%s line %d: too many allow groups.",
767 filename, linenum);
768 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
769 }
770 break;
a8be9f80 771
2717fa0f 772 case sDenyGroups:
773 while ((arg = strdelim(&cp)) && *arg != '\0') {
774 if (options->num_deny_groups >= MAX_DENY_GROUPS)
775 fatal("%s line %d: too many deny groups.",
776 filename, linenum);
777 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
778 }
779 break;
38c295d6 780
2717fa0f 781 case sCiphers:
782 arg = strdelim(&cp);
783 if (!arg || *arg == '\0')
784 fatal("%s line %d: Missing argument.", filename, linenum);
785 if (!ciphers_valid(arg))
786 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
787 filename, linenum, arg ? arg : "<NONE>");
788 if (options->ciphers == NULL)
789 options->ciphers = xstrdup(arg);
790 break;
791
792 case sMacs:
793 arg = strdelim(&cp);
794 if (!arg || *arg == '\0')
795 fatal("%s line %d: Missing argument.", filename, linenum);
796 if (!mac_valid(arg))
797 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
798 filename, linenum, arg ? arg : "<NONE>");
799 if (options->macs == NULL)
800 options->macs = xstrdup(arg);
801 break;
802
803 case sProtocol:
804 intptr = &options->protocol;
805 arg = strdelim(&cp);
806 if (!arg || *arg == '\0')
807 fatal("%s line %d: Missing argument.", filename, linenum);
808 value = proto_spec(arg);
809 if (value == SSH_PROTO_UNKNOWN)
810 fatal("%s line %d: Bad protocol spec '%s'.",
184eed6a 811 filename, linenum, arg ? arg : "<NONE>");
2717fa0f 812 if (*intptr == SSH_PROTO_UNKNOWN)
813 *intptr = value;
814 break;
815
816 case sSubsystem:
817 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
818 fatal("%s line %d: too many subsystems defined.",
184eed6a 819 filename, linenum);
2717fa0f 820 }
821 arg = strdelim(&cp);
822 if (!arg || *arg == '\0')
823 fatal("%s line %d: Missing subsystem name.",
184eed6a 824 filename, linenum);
2717fa0f 825 for (i = 0; i < options->num_subsystems; i++)
826 if (strcmp(arg, options->subsystem_name[i]) == 0)
827 fatal("%s line %d: Subsystem '%s' already defined.",
184eed6a 828 filename, linenum, arg);
2717fa0f 829 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
830 arg = strdelim(&cp);
831 if (!arg || *arg == '\0')
832 fatal("%s line %d: Missing subsystem command.",
184eed6a 833 filename, linenum);
2717fa0f 834 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
835 options->num_subsystems++;
836 break;
837
838 case sMaxStartups:
839 arg = strdelim(&cp);
840 if (!arg || *arg == '\0')
841 fatal("%s line %d: Missing MaxStartups spec.",
184eed6a 842 filename, linenum);
2717fa0f 843 if ((n = sscanf(arg, "%d:%d:%d",
844 &options->max_startups_begin,
845 &options->max_startups_rate,
846 &options->max_startups)) == 3) {
847 if (options->max_startups_begin >
848 options->max_startups ||
849 options->max_startups_rate > 100 ||
850 options->max_startups_rate < 1)
c345cf9d 851 fatal("%s line %d: Illegal MaxStartups spec.",
97de229c 852 filename, linenum);
2717fa0f 853 } else if (n != 1)
854 fatal("%s line %d: Illegal MaxStartups spec.",
855 filename, linenum);
856 else
857 options->max_startups = options->max_startups_begin;
858 break;
859
860 case sBanner:
861 charptr = &options->banner;
862 goto parse_filename;
863 /*
864 * These options can contain %X options expanded at
865 * connect time, so that you can specify paths like:
866 *
867 * AuthorizedKeysFile /etc/ssh_keys/%u
868 */
869 case sAuthorizedKeysFile:
870 case sAuthorizedKeysFile2:
871 charptr = (opcode == sAuthorizedKeysFile ) ?
872 &options->authorized_keys_file :
873 &options->authorized_keys_file2;
874 goto parse_filename;
875
876 case sClientAliveInterval:
877 intptr = &options->client_alive_interval;
878 goto parse_time;
879
880 case sClientAliveCountMax:
881 intptr = &options->client_alive_count_max;
882 goto parse_int;
883
884 case sDeprecated:
885 log("%s line %d: Deprecated option %s",
886 filename, linenum, arg);
887 while (arg)
888 arg = strdelim(&cp);
889 break;
890
891 default:
892 fatal("%s line %d: Missing handler for opcode %s (%d)",
893 filename, linenum, arg, opcode);
894 }
895 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
896 fatal("%s line %d: garbage at end of line; \"%.200s\".",
897 filename, linenum, arg);
898 return 0;
899}
089fbbd2 900
2717fa0f 901/* Reads the server configuration file. */
5c53a31e 902
2717fa0f 903void
904read_server_config(ServerOptions *options, const char *filename)
905{
906 FILE *f;
907 char line[1024];
908 int linenum;
909 int bad_options = 0;
910
911 f = fopen(filename, "r");
912 if (!f) {
913 perror(filename);
914 exit(1);
915 }
916 linenum = 0;
917 while (fgets(line, sizeof(line), f)) {
918 /* Update line number counter. */
919 linenum++;
920 if (process_server_config_line(options, line, filename, linenum) != 0)
921 bad_options++;
8efc0c15 922 }
5260325f 923 fclose(f);
b7c70970 924 if (bad_options > 0)
925 fatal("%s: terminating, %d bad configuration options",
926 filename, bad_options);
8efc0c15 927}
git-cvsimport mirror of OpenSSH
This page took 0.335084 seconds and 5 git commands to generate.