]> andersk Git - openssh.git/blame - servconf.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- markus@cvs.openbsd.org 2002/02/04 12:15:25
[openssh.git] / servconf.c
CommitLineData
8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
5eaf8578 13RCSID("$OpenBSD: servconf.c,v 1.101 2002/02/04 12:15:25 markus Exp $");
42f11eb2 14
46d738cd 15#if defined(KRB4) || defined(KRB5)
42f11eb2 16#include <krb.h>
17#endif
83f46621 18#ifdef AFS
19#include <kafs.h>
20#endif
8efc0c15 21
22#include "ssh.h"
42f11eb2 23#include "log.h"
8efc0c15 24#include "servconf.h"
25#include "xmalloc.h"
a8be9f80 26#include "compat.h"
42f11eb2 27#include "pathnames.h"
28#include "tildexpand.h"
29#include "misc.h"
30#include "cipher.h"
b2552997 31#include "kex.h"
32#include "mac.h"
42f11eb2 33
396c147e 34static void add_listen_addr(ServerOptions *, char *, u_short);
35static void add_one_listen_addr(ServerOptions *, char *, u_short);
48e671d5 36
42f11eb2 37/* AF_UNSPEC or AF_INET or AF_INET6 */
38extern int IPv4or6;
39
8efc0c15 40/* Initializes the server options to their default values. */
41
6ae2364d 42void
5260325f 43initialize_server_options(ServerOptions *options)
8efc0c15 44{
5260325f 45 memset(options, 0, sizeof(*options));
e15895cd 46
47 /* Portable-specific options */
48 options->pam_authentication_via_kbd_int = -1;
49
50 /* Standard Options */
48e671d5 51 options->num_ports = 0;
52 options->ports_from_cmdline = 0;
53 options->listen_addrs = NULL;
fa08c86b 54 options->num_host_key_files = 0;
0fbe8c74 55 options->pid_file = NULL;
5260325f 56 options->server_key_bits = -1;
57 options->login_grace_time = -1;
58 options->key_regeneration_time = -1;
15853e93 59 options->permit_root_login = PERMIT_NOT_SET;
5260325f 60 options->ignore_rhosts = -1;
61 options->ignore_user_known_hosts = -1;
62 options->print_motd = -1;
4f4648f9 63 options->print_lastlog = -1;
5260325f 64 options->x11_forwarding = -1;
65 options->x11_display_offset = -1;
e6e573bd 66 options->x11_use_localhost = -1;
fa649821 67 options->xauth_location = NULL;
5260325f 68 options->strict_modes = -1;
69 options->keepalives = -1;
5eaf8578 70 options->log_facility = SYSLOG_FACILITY_NOT_SET;
71 options->log_level = SYSLOG_LEVEL_NOT_SET;
5260325f 72 options->rhosts_authentication = -1;
73 options->rhosts_rsa_authentication = -1;
8002af61 74 options->hostbased_authentication = -1;
75 options->hostbased_uses_name_from_packet_only = -1;
5260325f 76 options->rsa_authentication = -1;
fa08c86b 77 options->pubkey_authentication = -1;
ced49be2 78#if defined(KRB4) || defined(KRB5)
5260325f 79 options->kerberos_authentication = -1;
80 options->kerberos_or_local_passwd = -1;
81 options->kerberos_ticket_cleanup = -1;
8efc0c15 82#endif
ced49be2 83#if defined(AFS) || defined(KRB5)
5260325f 84 options->kerberos_tgt_passing = -1;
ced49be2 85#endif
86#ifdef AFS
5260325f 87 options->afs_token_passing = -1;
8efc0c15 88#endif
5260325f 89 options->password_authentication = -1;
94ec8c6b 90 options->kbd_interactive_authentication = -1;
5ba55ada 91 options->challenge_response_authentication = -1;
5260325f 92 options->permit_empty_passwd = -1;
93 options->use_login = -1;
33de75a3 94 options->allow_tcp_forwarding = -1;
5260325f 95 options->num_allow_users = 0;
96 options->num_deny_users = 0;
97 options->num_allow_groups = 0;
98 options->num_deny_groups = 0;
a8be9f80 99 options->ciphers = NULL;
b2552997 100 options->macs = NULL;
a8be9f80 101 options->protocol = SSH_PROTO_UNKNOWN;
1d1ffb87 102 options->gateway_ports = -1;
38c295d6 103 options->num_subsystems = 0;
c345cf9d 104 options->max_startups_begin = -1;
105 options->max_startups_rate = -1;
089fbbd2 106 options->max_startups = -1;
eea39c02 107 options->banner = NULL;
bf4c5edc 108 options->verify_reverse_mapping = -1;
3ffc6336 109 options->client_alive_interval = -1;
110 options->client_alive_count_max = -1;
c8445989 111 options->authorized_keys_file = NULL;
112 options->authorized_keys_file2 = NULL;
8efc0c15 113}
114
6ae2364d 115void
5260325f 116fill_default_server_options(ServerOptions *options)
8efc0c15 117{
e15895cd 118 /* Portable-specific options */
119 if (options->pam_authentication_via_kbd_int == -1)
120 options->pam_authentication_via_kbd_int = 0;
121
122 /* Standard Options */
fa08c86b 123 if (options->protocol == SSH_PROTO_UNKNOWN)
124 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
125 if (options->num_host_key_files == 0) {
126 /* fill default hostkeys for protocols */
127 if (options->protocol & SSH_PROTO_1)
0f84fe37 128 options->host_key_files[options->num_host_key_files++] =
129 _PATH_HOST_KEY_FILE;
130 if (options->protocol & SSH_PROTO_2) {
131 options->host_key_files[options->num_host_key_files++] =
132 _PATH_HOST_RSA_KEY_FILE;
133 options->host_key_files[options->num_host_key_files++] =
134 _PATH_HOST_DSA_KEY_FILE;
135 }
fa08c86b 136 }
48e671d5 137 if (options->num_ports == 0)
138 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
139 if (options->listen_addrs == NULL)
2d2a2c65 140 add_listen_addr(options, NULL, 0);
0fbe8c74 141 if (options->pid_file == NULL)
42f11eb2 142 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
5260325f 143 if (options->server_key_bits == -1)
144 options->server_key_bits = 768;
145 if (options->login_grace_time == -1)
146 options->login_grace_time = 600;
147 if (options->key_regeneration_time == -1)
148 options->key_regeneration_time = 3600;
15853e93 149 if (options->permit_root_login == PERMIT_NOT_SET)
150 options->permit_root_login = PERMIT_YES;
5260325f 151 if (options->ignore_rhosts == -1)
c8d54615 152 options->ignore_rhosts = 1;
5260325f 153 if (options->ignore_user_known_hosts == -1)
154 options->ignore_user_known_hosts = 0;
5260325f 155 if (options->print_motd == -1)
156 options->print_motd = 1;
4f4648f9 157 if (options->print_lastlog == -1)
158 options->print_lastlog = 1;
5260325f 159 if (options->x11_forwarding == -1)
c8d54615 160 options->x11_forwarding = 0;
5260325f 161 if (options->x11_display_offset == -1)
c8d54615 162 options->x11_display_offset = 10;
e6e573bd 163 if (options->x11_use_localhost == -1)
164 options->x11_use_localhost = 1;
fa649821 165 if (options->xauth_location == NULL)
fd9ede94 166 options->xauth_location = _PATH_XAUTH;
5260325f 167 if (options->strict_modes == -1)
168 options->strict_modes = 1;
169 if (options->keepalives == -1)
170 options->keepalives = 1;
5eaf8578 171 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
5260325f 172 options->log_facility = SYSLOG_FACILITY_AUTH;
5eaf8578 173 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
59c97189 174 options->log_level = SYSLOG_LEVEL_INFO;
5260325f 175 if (options->rhosts_authentication == -1)
176 options->rhosts_authentication = 0;
177 if (options->rhosts_rsa_authentication == -1)
c8d54615 178 options->rhosts_rsa_authentication = 0;
8002af61 179 if (options->hostbased_authentication == -1)
180 options->hostbased_authentication = 0;
181 if (options->hostbased_uses_name_from_packet_only == -1)
182 options->hostbased_uses_name_from_packet_only = 0;
5260325f 183 if (options->rsa_authentication == -1)
184 options->rsa_authentication = 1;
fa08c86b 185 if (options->pubkey_authentication == -1)
186 options->pubkey_authentication = 1;
ced49be2 187#if defined(KRB4) || defined(KRB5)
5260325f 188 if (options->kerberos_authentication == -1)
189 options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
190 if (options->kerberos_or_local_passwd == -1)
191 options->kerberos_or_local_passwd = 1;
192 if (options->kerberos_ticket_cleanup == -1)
193 options->kerberos_ticket_cleanup = 1;
ced49be2 194#endif
195#if defined(AFS) || defined(KRB5)
5260325f 196 if (options->kerberos_tgt_passing == -1)
197 options->kerberos_tgt_passing = 0;
ced49be2 198#endif
184eed6a 199#ifdef AFS
5260325f 200 if (options->afs_token_passing == -1)
201 options->afs_token_passing = k_hasafs();
ced49be2 202#endif
5260325f 203 if (options->password_authentication == -1)
204 options->password_authentication = 1;
94ec8c6b 205 if (options->kbd_interactive_authentication == -1)
206 options->kbd_interactive_authentication = 0;
5ba55ada 207 if (options->challenge_response_authentication == -1)
208 options->challenge_response_authentication = 1;
5260325f 209 if (options->permit_empty_passwd == -1)
c8d54615 210 options->permit_empty_passwd = 0;
5260325f 211 if (options->use_login == -1)
212 options->use_login = 0;
33de75a3 213 if (options->allow_tcp_forwarding == -1)
214 options->allow_tcp_forwarding = 1;
1d1ffb87 215 if (options->gateway_ports == -1)
216 options->gateway_ports = 0;
089fbbd2 217 if (options->max_startups == -1)
218 options->max_startups = 10;
c345cf9d 219 if (options->max_startups_rate == -1)
220 options->max_startups_rate = 100; /* 100% */
221 if (options->max_startups_begin == -1)
222 options->max_startups_begin = options->max_startups;
bf4c5edc 223 if (options->verify_reverse_mapping == -1)
224 options->verify_reverse_mapping = 0;
3ffc6336 225 if (options->client_alive_interval == -1)
184eed6a 226 options->client_alive_interval = 0;
3ffc6336 227 if (options->client_alive_count_max == -1)
228 options->client_alive_count_max = 3;
5df83e07 229 if (options->authorized_keys_file2 == NULL) {
230 /* authorized_keys_file2 falls back to authorized_keys_file */
231 if (options->authorized_keys_file != NULL)
232 options->authorized_keys_file2 = options->authorized_keys_file;
233 else
234 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
235 }
236 if (options->authorized_keys_file == NULL)
237 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
8efc0c15 238}
239
8efc0c15 240/* Keyword tokens. */
5260325f 241typedef enum {
242 sBadOption, /* == unknown option */
e15895cd 243 /* Portable-specific options */
244 sPAMAuthenticationViaKbdInt,
245 /* Standard Options */
5260325f 246 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
247 sPermitRootLogin, sLogFacility, sLogLevel,
248 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
ced49be2 249#if defined(KRB4) || defined(KRB5)
5260325f 250 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
8efc0c15 251#endif
ced49be2 252#if defined(AFS) || defined(KRB5)
253 sKerberosTgtPassing,
254#endif
8efc0c15 255#ifdef AFS
ced49be2 256 sAFSTokenPassing,
8efc0c15 257#endif
d464095c 258 sChallengeResponseAuthentication,
94ec8c6b 259 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
4f4648f9 260 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e6e573bd 261 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
5c53a31e 262 sStrictModes, sEmptyPasswd, sKeepAlives,
33de75a3 263 sUseLogin, sAllowTcpForwarding,
264 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
b2552997 265 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
fa08c86b 266 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
bf4c5edc 267 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
184eed6a 268 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
c8445989 269 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
2717fa0f 270 sDeprecated
8efc0c15 271} ServerOpCodes;
272
273/* Textual representation of the tokens. */
5260325f 274static struct {
275 const char *name;
276 ServerOpCodes opcode;
277} keywords[] = {
e15895cd 278 /* Portable-specific options */
279 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
280 /* Standard Options */
5260325f 281 { "port", sPort },
282 { "hostkey", sHostKeyFile },
fa08c86b 283 { "hostdsakey", sHostKeyFile }, /* alias */
2b87da3b 284 { "pidfile", sPidFile },
5260325f 285 { "serverkeybits", sServerKeyBits },
286 { "logingracetime", sLoginGraceTime },
287 { "keyregenerationinterval", sKeyRegenerationTime },
288 { "permitrootlogin", sPermitRootLogin },
289 { "syslogfacility", sLogFacility },
290 { "loglevel", sLogLevel },
291 { "rhostsauthentication", sRhostsAuthentication },
292 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
8002af61 293 { "hostbasedauthentication", sHostbasedAuthentication },
294 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
5260325f 295 { "rsaauthentication", sRSAAuthentication },
fa08c86b 296 { "pubkeyauthentication", sPubkeyAuthentication },
297 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
ced49be2 298#if defined(KRB4) || defined(KRB5)
5260325f 299 { "kerberosauthentication", sKerberosAuthentication },
300 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
301 { "kerberosticketcleanup", sKerberosTicketCleanup },
8efc0c15 302#endif
ced49be2 303#if defined(AFS) || defined(KRB5)
5260325f 304 { "kerberostgtpassing", sKerberosTgtPassing },
ced49be2 305#endif
306#ifdef AFS
5260325f 307 { "afstokenpassing", sAFSTokenPassing },
8efc0c15 308#endif
5260325f 309 { "passwordauthentication", sPasswordAuthentication },
94ec8c6b 310 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
d464095c 311 { "challengeresponseauthentication", sChallengeResponseAuthentication },
312 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
5c53a31e 313 { "checkmail", sDeprecated },
5260325f 314 { "listenaddress", sListenAddress },
315 { "printmotd", sPrintMotd },
4f4648f9 316 { "printlastlog", sPrintLastLog },
5260325f 317 { "ignorerhosts", sIgnoreRhosts },
318 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
319 { "x11forwarding", sX11Forwarding },
320 { "x11displayoffset", sX11DisplayOffset },
e6e573bd 321 { "x11uselocalhost", sX11UseLocalhost },
fa649821 322 { "xauthlocation", sXAuthLocation },
5260325f 323 { "strictmodes", sStrictModes },
324 { "permitemptypasswords", sEmptyPasswd },
325 { "uselogin", sUseLogin },
5260325f 326 { "keepalive", sKeepAlives },
33de75a3 327 { "allowtcpforwarding", sAllowTcpForwarding },
5260325f 328 { "allowusers", sAllowUsers },
329 { "denyusers", sDenyUsers },
330 { "allowgroups", sAllowGroups },
331 { "denygroups", sDenyGroups },
a8be9f80 332 { "ciphers", sCiphers },
b2552997 333 { "macs", sMacs },
a8be9f80 334 { "protocol", sProtocol },
1d1ffb87 335 { "gatewayports", sGatewayPorts },
38c295d6 336 { "subsystem", sSubsystem },
089fbbd2 337 { "maxstartups", sMaxStartups },
eea39c02 338 { "banner", sBanner },
bf4c5edc 339 { "verifyreversemapping", sVerifyReverseMapping },
340 { "reversemappingcheck", sVerifyReverseMapping },
3ffc6336 341 { "clientaliveinterval", sClientAliveInterval },
342 { "clientalivecountmax", sClientAliveCountMax },
c8445989 343 { "authorizedkeysfile", sAuthorizedKeysFile },
344 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
17a3011c 345 { NULL, sBadOption }
8efc0c15 346};
347
aa3378df 348/*
6be9a5e8 349 * Returns the number of the token pointed to by cp or sBadOption.
aa3378df 350 */
8efc0c15 351
6ae2364d 352static ServerOpCodes
5260325f 353parse_token(const char *cp, const char *filename,
354 int linenum)
8efc0c15 355{
1e3b8b07 356 u_int i;
8efc0c15 357
5260325f 358 for (i = 0; keywords[i].name; i++)
aa3378df 359 if (strcasecmp(cp, keywords[i].name) == 0)
5260325f 360 return keywords[i].opcode;
8efc0c15 361
b7c70970 362 error("%s: line %d: Bad configuration option: %s",
363 filename, linenum, cp);
5260325f 364 return sBadOption;
8efc0c15 365}
366
396c147e 367static void
2d2a2c65 368add_listen_addr(ServerOptions *options, char *addr, u_short port)
48e671d5 369{
48e671d5 370 int i;
371
372 if (options->num_ports == 0)
373 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
2d2a2c65 374 if (port == 0)
d11c1288 375 for (i = 0; i < options->num_ports; i++)
376 add_one_listen_addr(options, addr, options->ports[i]);
377 else
2d2a2c65 378 add_one_listen_addr(options, addr, port);
d11c1288 379}
380
396c147e 381static void
d11c1288 382add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
383{
384 struct addrinfo hints, *ai, *aitop;
385 char strport[NI_MAXSERV];
386 int gaierr;
387
388 memset(&hints, 0, sizeof(hints));
389 hints.ai_family = IPv4or6;
390 hints.ai_socktype = SOCK_STREAM;
391 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
392 snprintf(strport, sizeof strport, "%d", port);
393 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
394 fatal("bad addr or host: %s (%s)",
395 addr ? addr : "<NULL>",
396 gai_strerror(gaierr));
397 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
398 ;
399 ai->ai_next = options->listen_addrs;
400 options->listen_addrs = aitop;
48e671d5 401}
402
2717fa0f 403int
404process_server_config_line(ServerOptions *options, char *line,
405 const char *filename, int linenum)
8efc0c15 406{
d11c1288 407 char *cp, **charptr, *arg, *p;
2717fa0f 408 int *intptr, value;
5260325f 409 ServerOpCodes opcode;
97de229c 410 int i, n;
5260325f 411
2717fa0f 412 cp = line;
413 arg = strdelim(&cp);
414 /* Ignore leading whitespace */
415 if (*arg == '\0')
704b1659 416 arg = strdelim(&cp);
2717fa0f 417 if (!arg || !*arg || *arg == '#')
418 return 0;
419 intptr = NULL;
420 charptr = NULL;
421 opcode = parse_token(arg, filename, linenum);
422 switch (opcode) {
423 /* Portable-specific options */
424 case sPAMAuthenticationViaKbdInt:
425 intptr = &options->pam_authentication_via_kbd_int;
426 goto parse_flag;
48e671d5 427
2717fa0f 428 /* Standard Options */
429 case sBadOption:
430 return -1;
431 case sPort:
432 /* ignore ports from configfile if cmdline specifies ports */
433 if (options->ports_from_cmdline)
434 return 0;
435 if (options->listen_addrs != NULL)
436 fatal("%s line %d: ports must be specified before "
3a454b6a 437 "ListenAddress.", filename, linenum);
2717fa0f 438 if (options->num_ports >= MAX_PORTS)
439 fatal("%s line %d: too many ports.",
440 filename, linenum);
441 arg = strdelim(&cp);
442 if (!arg || *arg == '\0')
443 fatal("%s line %d: missing port number.",
444 filename, linenum);
445 options->ports[options->num_ports++] = a2port(arg);
446 if (options->ports[options->num_ports-1] == 0)
447 fatal("%s line %d: Badly formatted port number.",
448 filename, linenum);
449 break;
450
451 case sServerKeyBits:
452 intptr = &options->server_key_bits;
5260325f 453parse_int:
2717fa0f 454 arg = strdelim(&cp);
455 if (!arg || *arg == '\0')
456 fatal("%s line %d: missing integer value.",
457 filename, linenum);
458 value = atoi(arg);
459 if (*intptr == -1)
460 *intptr = value;
461 break;
462
463 case sLoginGraceTime:
464 intptr = &options->login_grace_time;
e2b1fb42 465parse_time:
2717fa0f 466 arg = strdelim(&cp);
467 if (!arg || *arg == '\0')
468 fatal("%s line %d: missing time value.",
469 filename, linenum);
470 if ((value = convtime(arg)) == -1)
471 fatal("%s line %d: invalid time value.",
472 filename, linenum);
473 if (*intptr == -1)
474 *intptr = value;
475 break;
476
477 case sKeyRegenerationTime:
478 intptr = &options->key_regeneration_time;
479 goto parse_time;
480
481 case sListenAddress:
482 arg = strdelim(&cp);
483 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
484 fatal("%s line %d: missing inet addr.",
485 filename, linenum);
486 if (*arg == '[') {
487 if ((p = strchr(arg, ']')) == NULL)
488 fatal("%s line %d: bad ipv6 inet addr usage.",
e2b1fb42 489 filename, linenum);
2717fa0f 490 arg++;
491 memmove(p, p+1, strlen(p+1)+1);
492 } else if (((p = strchr(arg, ':')) == NULL) ||
493 (strchr(p+1, ':') != NULL)) {
494 add_listen_addr(options, arg, 0);
e2b1fb42 495 break;
2717fa0f 496 }
497 if (*p == ':') {
498 u_short port;
5260325f 499
2717fa0f 500 p++;
501 if (*p == '\0')
502 fatal("%s line %d: bad inet addr:port usage.",
48e671d5 503 filename, linenum);
2717fa0f 504 else {
505 *(p-1) = '\0';
506 if ((port = a2port(p)) == 0)
507 fatal("%s line %d: bad port number.",
d11c1288 508 filename, linenum);
2717fa0f 509 add_listen_addr(options, arg, port);
d11c1288 510 }
2717fa0f 511 } else if (*p == '\0')
512 add_listen_addr(options, arg, 0);
513 else
514 fatal("%s line %d: bad inet addr usage.",
515 filename, linenum);
516 break;
517
518 case sHostKeyFile:
519 intptr = &options->num_host_key_files;
520 if (*intptr >= MAX_HOSTKEYS)
521 fatal("%s line %d: too many host keys specified (max %d).",
522 filename, linenum, MAX_HOSTKEYS);
523 charptr = &options->host_key_files[*intptr];
fa649821 524parse_filename:
2717fa0f 525 arg = strdelim(&cp);
526 if (!arg || *arg == '\0')
527 fatal("%s line %d: missing file name.",
528 filename, linenum);
529 if (*charptr == NULL) {
530 *charptr = tilde_expand_filename(arg, getuid());
531 /* increase optional counter */
532 if (intptr != NULL)
533 *intptr = *intptr + 1;
534 }
535 break;
0fbe8c74 536
2717fa0f 537 case sPidFile:
538 charptr = &options->pid_file;
539 goto parse_filename;
5260325f 540
2717fa0f 541 case sPermitRootLogin:
542 intptr = &options->permit_root_login;
543 arg = strdelim(&cp);
544 if (!arg || *arg == '\0')
545 fatal("%s line %d: missing yes/"
546 "without-password/forced-commands-only/no "
547 "argument.", filename, linenum);
548 value = 0; /* silence compiler */
549 if (strcmp(arg, "without-password") == 0)
550 value = PERMIT_NO_PASSWD;
551 else if (strcmp(arg, "forced-commands-only") == 0)
552 value = PERMIT_FORCED_ONLY;
553 else if (strcmp(arg, "yes") == 0)
554 value = PERMIT_YES;
555 else if (strcmp(arg, "no") == 0)
556 value = PERMIT_NO;
557 else
558 fatal("%s line %d: Bad yes/"
559 "without-password/forced-commands-only/no "
560 "argument: %s", filename, linenum, arg);
561 if (*intptr == -1)
562 *intptr = value;
563 break;
564
565 case sIgnoreRhosts:
566 intptr = &options->ignore_rhosts;
5260325f 567parse_flag:
2717fa0f 568 arg = strdelim(&cp);
569 if (!arg || *arg == '\0')
570 fatal("%s line %d: missing yes/no argument.",
571 filename, linenum);
572 value = 0; /* silence compiler */
573 if (strcmp(arg, "yes") == 0)
574 value = 1;
575 else if (strcmp(arg, "no") == 0)
576 value = 0;
577 else
578 fatal("%s line %d: Bad yes/no argument: %s",
579 filename, linenum, arg);
580 if (*intptr == -1)
581 *intptr = value;
582 break;
583
584 case sIgnoreUserKnownHosts:
585 intptr = &options->ignore_user_known_hosts;
586 goto parse_flag;
587
588 case sRhostsAuthentication:
589 intptr = &options->rhosts_authentication;
590 goto parse_flag;
591
592 case sRhostsRSAAuthentication:
593 intptr = &options->rhosts_rsa_authentication;
594 goto parse_flag;
595
596 case sHostbasedAuthentication:
597 intptr = &options->hostbased_authentication;
598 goto parse_flag;
599
600 case sHostbasedUsesNameFromPacketOnly:
601 intptr = &options->hostbased_uses_name_from_packet_only;
602 goto parse_flag;
603
604 case sRSAAuthentication:
605 intptr = &options->rsa_authentication;
606 goto parse_flag;
607
608 case sPubkeyAuthentication:
609 intptr = &options->pubkey_authentication;
610 goto parse_flag;
611#if defined(KRB4) || defined(KRB5)
612 case sKerberosAuthentication:
613 intptr = &options->kerberos_authentication;
614 goto parse_flag;
5260325f 615
2717fa0f 616 case sKerberosOrLocalPasswd:
617 intptr = &options->kerberos_or_local_passwd;
618 goto parse_flag;
5260325f 619
2717fa0f 620 case sKerberosTicketCleanup:
621 intptr = &options->kerberos_ticket_cleanup;
622 goto parse_flag;
623#endif
624#if defined(AFS) || defined(KRB5)
625 case sKerberosTgtPassing:
626 intptr = &options->kerberos_tgt_passing;
627 goto parse_flag;
628#endif
629#ifdef AFS
630 case sAFSTokenPassing:
631 intptr = &options->afs_token_passing;
632 goto parse_flag;
633#endif
5260325f 634
2717fa0f 635 case sPasswordAuthentication:
636 intptr = &options->password_authentication;
637 goto parse_flag;
5260325f 638
2717fa0f 639 case sKbdInteractiveAuthentication:
640 intptr = &options->kbd_interactive_authentication;
641 goto parse_flag;
8002af61 642
2717fa0f 643 case sChallengeResponseAuthentication:
644 intptr = &options->challenge_response_authentication;
645 goto parse_flag;
8002af61 646
2717fa0f 647 case sPrintMotd:
648 intptr = &options->print_motd;
649 goto parse_flag;
5260325f 650
2717fa0f 651 case sPrintLastLog:
652 intptr = &options->print_lastlog;
653 goto parse_flag;
5260325f 654
2717fa0f 655 case sX11Forwarding:
656 intptr = &options->x11_forwarding;
657 goto parse_flag;
5260325f 658
2717fa0f 659 case sX11DisplayOffset:
660 intptr = &options->x11_display_offset;
661 goto parse_int;
8efc0c15 662
e6e573bd 663 case sX11UseLocalhost:
664 intptr = &options->x11_use_localhost;
665 goto parse_flag;
666
2717fa0f 667 case sXAuthLocation:
668 charptr = &options->xauth_location;
669 goto parse_filename;
5260325f 670
2717fa0f 671 case sStrictModes:
672 intptr = &options->strict_modes;
673 goto parse_flag;
5260325f 674
2717fa0f 675 case sKeepAlives:
676 intptr = &options->keepalives;
677 goto parse_flag;
33de75a3 678
2717fa0f 679 case sEmptyPasswd:
680 intptr = &options->permit_empty_passwd;
681 goto parse_flag;
5260325f 682
2717fa0f 683 case sUseLogin:
684 intptr = &options->use_login;
685 goto parse_flag;
5260325f 686
2717fa0f 687 case sGatewayPorts:
688 intptr = &options->gateway_ports;
689 goto parse_flag;
5260325f 690
bf4c5edc 691 case sVerifyReverseMapping:
692 intptr = &options->verify_reverse_mapping;
2717fa0f 693 goto parse_flag;
5260325f 694
2717fa0f 695 case sLogFacility:
696 intptr = (int *) &options->log_facility;
697 arg = strdelim(&cp);
698 value = log_facility_number(arg);
5eaf8578 699 if (value == SYSLOG_FACILITY_NOT_SET)
2717fa0f 700 fatal("%.200s line %d: unsupported log facility '%s'",
701 filename, linenum, arg ? arg : "<NONE>");
702 if (*intptr == -1)
703 *intptr = (SyslogFacility) value;
704 break;
705
706 case sLogLevel:
707 intptr = (int *) &options->log_level;
708 arg = strdelim(&cp);
709 value = log_level_number(arg);
5eaf8578 710 if (value == SYSLOG_LEVEL_NOT_SET)
2717fa0f 711 fatal("%.200s line %d: unsupported log level '%s'",
712 filename, linenum, arg ? arg : "<NONE>");
713 if (*intptr == -1)
714 *intptr = (LogLevel) value;
715 break;
716
717 case sAllowTcpForwarding:
718 intptr = &options->allow_tcp_forwarding;
719 goto parse_flag;
720
721 case sAllowUsers:
722 while ((arg = strdelim(&cp)) && *arg != '\0') {
723 if (options->num_allow_users >= MAX_ALLOW_USERS)
724 fatal("%s line %d: too many allow users.",
725 filename, linenum);
726 options->allow_users[options->num_allow_users++] = xstrdup(arg);
727 }
728 break;
a8be9f80 729
2717fa0f 730 case sDenyUsers:
731 while ((arg = strdelim(&cp)) && *arg != '\0') {
732 if (options->num_deny_users >= MAX_DENY_USERS)
733 fatal( "%s line %d: too many deny users.",
734 filename, linenum);
735 options->deny_users[options->num_deny_users++] = xstrdup(arg);
736 }
737 break;
b2552997 738
2717fa0f 739 case sAllowGroups:
740 while ((arg = strdelim(&cp)) && *arg != '\0') {
741 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
742 fatal("%s line %d: too many allow groups.",
743 filename, linenum);
744 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
745 }
746 break;
a8be9f80 747
2717fa0f 748 case sDenyGroups:
749 while ((arg = strdelim(&cp)) && *arg != '\0') {
750 if (options->num_deny_groups >= MAX_DENY_GROUPS)
751 fatal("%s line %d: too many deny groups.",
752 filename, linenum);
753 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
754 }
755 break;
38c295d6 756
2717fa0f 757 case sCiphers:
758 arg = strdelim(&cp);
759 if (!arg || *arg == '\0')
760 fatal("%s line %d: Missing argument.", filename, linenum);
761 if (!ciphers_valid(arg))
762 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
763 filename, linenum, arg ? arg : "<NONE>");
764 if (options->ciphers == NULL)
765 options->ciphers = xstrdup(arg);
766 break;
767
768 case sMacs:
769 arg = strdelim(&cp);
770 if (!arg || *arg == '\0')
771 fatal("%s line %d: Missing argument.", filename, linenum);
772 if (!mac_valid(arg))
773 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
774 filename, linenum, arg ? arg : "<NONE>");
775 if (options->macs == NULL)
776 options->macs = xstrdup(arg);
777 break;
778
779 case sProtocol:
780 intptr = &options->protocol;
781 arg = strdelim(&cp);
782 if (!arg || *arg == '\0')
783 fatal("%s line %d: Missing argument.", filename, linenum);
784 value = proto_spec(arg);
785 if (value == SSH_PROTO_UNKNOWN)
786 fatal("%s line %d: Bad protocol spec '%s'.",
184eed6a 787 filename, linenum, arg ? arg : "<NONE>");
2717fa0f 788 if (*intptr == SSH_PROTO_UNKNOWN)
789 *intptr = value;
790 break;
791
792 case sSubsystem:
793 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
794 fatal("%s line %d: too many subsystems defined.",
184eed6a 795 filename, linenum);
2717fa0f 796 }
797 arg = strdelim(&cp);
798 if (!arg || *arg == '\0')
799 fatal("%s line %d: Missing subsystem name.",
184eed6a 800 filename, linenum);
2717fa0f 801 for (i = 0; i < options->num_subsystems; i++)
802 if (strcmp(arg, options->subsystem_name[i]) == 0)
803 fatal("%s line %d: Subsystem '%s' already defined.",
184eed6a 804 filename, linenum, arg);
2717fa0f 805 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
806 arg = strdelim(&cp);
807 if (!arg || *arg == '\0')
808 fatal("%s line %d: Missing subsystem command.",
184eed6a 809 filename, linenum);
2717fa0f 810 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
811 options->num_subsystems++;
812 break;
813
814 case sMaxStartups:
815 arg = strdelim(&cp);
816 if (!arg || *arg == '\0')
817 fatal("%s line %d: Missing MaxStartups spec.",
184eed6a 818 filename, linenum);
2717fa0f 819 if ((n = sscanf(arg, "%d:%d:%d",
820 &options->max_startups_begin,
821 &options->max_startups_rate,
822 &options->max_startups)) == 3) {
823 if (options->max_startups_begin >
824 options->max_startups ||
825 options->max_startups_rate > 100 ||
826 options->max_startups_rate < 1)
c345cf9d 827 fatal("%s line %d: Illegal MaxStartups spec.",
97de229c 828 filename, linenum);
2717fa0f 829 } else if (n != 1)
830 fatal("%s line %d: Illegal MaxStartups spec.",
831 filename, linenum);
832 else
833 options->max_startups = options->max_startups_begin;
834 break;
835
836 case sBanner:
837 charptr = &options->banner;
838 goto parse_filename;
839 /*
840 * These options can contain %X options expanded at
841 * connect time, so that you can specify paths like:
842 *
843 * AuthorizedKeysFile /etc/ssh_keys/%u
844 */
845 case sAuthorizedKeysFile:
846 case sAuthorizedKeysFile2:
847 charptr = (opcode == sAuthorizedKeysFile ) ?
848 &options->authorized_keys_file :
849 &options->authorized_keys_file2;
850 goto parse_filename;
851
852 case sClientAliveInterval:
853 intptr = &options->client_alive_interval;
854 goto parse_time;
855
856 case sClientAliveCountMax:
857 intptr = &options->client_alive_count_max;
858 goto parse_int;
859
860 case sDeprecated:
861 log("%s line %d: Deprecated option %s",
862 filename, linenum, arg);
863 while (arg)
864 arg = strdelim(&cp);
865 break;
866
867 default:
868 fatal("%s line %d: Missing handler for opcode %s (%d)",
869 filename, linenum, arg, opcode);
870 }
871 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
872 fatal("%s line %d: garbage at end of line; \"%.200s\".",
873 filename, linenum, arg);
874 return 0;
875}
089fbbd2 876
2717fa0f 877/* Reads the server configuration file. */
5c53a31e 878
2717fa0f 879void
880read_server_config(ServerOptions *options, const char *filename)
881{
882 FILE *f;
883 char line[1024];
884 int linenum;
885 int bad_options = 0;
886
887 f = fopen(filename, "r");
888 if (!f) {
889 perror(filename);
890 exit(1);
891 }
892 linenum = 0;
893 while (fgets(line, sizeof(line), f)) {
894 /* Update line number counter. */
895 linenum++;
896 if (process_server_config_line(options, line, filename, linenum) != 0)
897 bad_options++;
8efc0c15 898 }
5260325f 899 fclose(f);
b7c70970 900 if (bad_options > 0)
901 fatal("%s: terminating, %d bad configuration options",
902 filename, bad_options);
8efc0c15 903}
git-cvsimport mirror of OpenSSH
This page took 0.286214 seconds and 5 git commands to generate.