8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.118 2003/04/09 08:23:52 hin Exp $");

#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#if defined(KRB4)
#include <krb.h>
#endif

#if defined(KRB5)
# ifdef HEIMDAL
# include <krb.h>
# else
/*
 * XXX: Bodge - but then, so is using the kerberos IV KEYFILE to get a
 * Kerberos V keytab
 */
# define KEYFILE "/etc/krb5.keytab"
# endif
#endif

#ifdef AFS
#include <kafs.h>
#endif

#include "ssh.h"
#include "log.h"
#include "servconf.h"
#include "xmalloc.h"
#include "compat.h"
#include "pathnames.h"
#include "tildexpand.h"
#include "misc.h"
#include "cipher.h"
#include "kex.h"
#include "mac.h"
42f11eb2 46
/*
 * Both are defined further down: add_listen_addr() expands a port of 0 to
 * every configured Port and calls add_one_listen_addr() once per port,
 * which resolves the address with getaddrinfo() and links the result into
 * options->listen_addrs.
 */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6; used as the getaddrinfo() family hint */
extern int IPv4or6;
/* Use of privilege separation or not; -1 until configured or defaulted */
extern int use_privsep;
42f11eb2 54
/*
 * Reset every field of *options to its "not yet set" value: -1 for
 * integer and yes/no options, NULL for strings and lists, 0 for counters,
 * and the *_NOT_SET / SSH_PROTO_UNKNOWN sentinels for enumerated options.
 * fill_default_server_options() later replaces whatever is still unset.
 * Also resets the global use_privsep.
 */
void
initialize_server_options(ServerOptions *options)
{
	/*
	 * Zero the whole structure first so every counter and pointer is
	 * empty even if a field is missing from the explicit list below.
	 */
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->pam_authentication_via_kbd_int = -1;

	/* Listening: ports, addresses, host keys, pid file, protocol */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->gateway_ports = -1;

	/* Protocol 1 server key, timeouts and connection limits */
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->keepalives = -1;

	/* Login policy */
	options->permit_root_login = PERMIT_NOT_SET;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->strict_modes = -1;
	options->permit_empty_passwd = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->banner = NULL;
	options->verify_reverse_mapping = -1;

	/* X11 */
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;

	/* Logging */
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;

	/* Authentication methods */
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
#if defined(KRB4) || defined(KRB5)
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
	options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	options->afs_token_passing = -1;
#endif
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* Forwarding, compression, algorithm lists, subsystems */
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	options->ciphers = NULL;
	options->macs = NULL;
	options->num_subsystems = 0;

	/* Access lists */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;

	/* Needs to be accessible in many places, so it lives in a global */
	use_privsep = -1;
}
134
/* Store value into *field only while the option is still at its -1 sentinel. */
static void
set_int_default(int *field, int value)
{
	if (*field == -1)
		*field = value;
}

/*
 * Replace every option still at its "unset" sentinel with the compiled-in
 * default.  Call after initialize_server_options() and after all
 * configuration has been read, so explicit settings are never overridden.
 * Also applies the default for the global use_privsep.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	set_int_default(&options->pam_authentication_via_kbd_int, 0);

	/* Protocol versions and the host keys each of them needs */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* one default host key file per enabled protocol version */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}

	/* Listening endpoints and file locations */
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);	/* wildcard, every port */
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;

	/* Integer and yes/no options */
	set_int_default(&options->server_key_bits, 768);
	set_int_default(&options->login_grace_time, 120);
	set_int_default(&options->key_regeneration_time, 3600);
	/*
	 * PERMIT_YES is the permissive setting; it only applies when the
	 * configuration did not choose one of the restricted modes.
	 */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	set_int_default(&options->ignore_rhosts, 1);
	set_int_default(&options->ignore_user_known_hosts, 0);
	set_int_default(&options->print_motd, 1);
	set_int_default(&options->print_lastlog, 1);
	set_int_default(&options->x11_forwarding, 0);
	set_int_default(&options->x11_display_offset, 10);
	set_int_default(&options->x11_use_localhost, 1);
	set_int_default(&options->strict_modes, 1);
	set_int_default(&options->keepalives, 1);
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	set_int_default(&options->rhosts_authentication, 0);
	set_int_default(&options->rhosts_rsa_authentication, 0);
	set_int_default(&options->hostbased_authentication, 0);
	set_int_default(&options->hostbased_uses_name_from_packet_only, 0);
	set_int_default(&options->rsa_authentication, 1);
	set_int_default(&options->pubkey_authentication, 1);
#if defined(KRB4) || defined(KRB5)
	set_int_default(&options->kerberos_authentication, 0);
	set_int_default(&options->kerberos_or_local_passwd, 1);
	set_int_default(&options->kerberos_ticket_cleanup, 1);
#endif
#if defined(AFS) || defined(KRB5)
	set_int_default(&options->kerberos_tgt_passing, 0);
#endif
#ifdef AFS
	set_int_default(&options->afs_token_passing, 0);
#endif
	set_int_default(&options->password_authentication, 1);
	set_int_default(&options->kbd_interactive_authentication, 0);
	set_int_default(&options->challenge_response_authentication, 1);
	set_int_default(&options->permit_empty_passwd, 0);
	set_int_default(&options->permit_user_env, 0);
	set_int_default(&options->use_login, 0);
	set_int_default(&options->compression, 1);
	set_int_default(&options->allow_tcp_forwarding, 1);
	set_int_default(&options->gateway_ports, 0);
	/* max_startups must be settled before max_startups_begin copies it */
	set_int_default(&options->max_startups, 10);
	set_int_default(&options->max_startups_rate, 100); /* 100% */
	set_int_default(&options->max_startups_begin, options->max_startups);
	set_int_default(&options->verify_reverse_mapping, 0);
	set_int_default(&options->client_alive_interval, 0);
	set_int_default(&options->client_alive_count_max, 3);

	/*
	 * authorized_keys_file2 falls back to authorized_keys_file, so it
	 * has to be resolved before authorized_keys_file gets its default.
	 */
	if (options->authorized_keys_file2 == NULL)
		options->authorized_keys_file2 =
		    (options->authorized_keys_file != NULL) ?
		    options->authorized_keys_file :
		    _PATH_SSH_USER_PERMITTED_KEYS2;
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	set_int_default(&use_privsep, 1);

#ifndef HAVE_MMAP
	/* Compression loses to privilege separation where both cannot coexist. */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif
}
277
/*
 * Keyword tokens.  parse_token() maps a configuration keyword to one of
 * these; process_server_config_line() switches on them.  sBadOption is
 * first so that an unknown keyword is value 0.  Conditionally compiled
 * entries shift the numbering of everything after them, so never rely on
 * the numeric values outside this file.
 */
typedef enum {
	sBadOption,			/* == unknown option */
	/* Portable-specific options */
	sPAMAuthenticationViaKbdInt,
	/* Standard Options */
	sPort,
	sHostKeyFile,
	sServerKeyBits,
	sLoginGraceTime,
	sKeyRegenerationTime,
	sPermitRootLogin,
	sLogFacility,
	sLogLevel,
	sRhostsAuthentication,
	sRhostsRSAAuthentication,
	sRSAAuthentication,
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication,
	sKerberosOrLocalPasswd,
	sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication,
	sKbdInteractiveAuthentication,
	sListenAddress,
	sPrintMotd,
	sPrintLastLog,
	sIgnoreRhosts,
	sX11Forwarding,
	sX11DisplayOffset,
	sX11UseLocalhost,
	sStrictModes,
	sEmptyPasswd,
	sKeepAlives,
	sPermitUserEnvironment,
	sUseLogin,
	sAllowTcpForwarding,
	sCompression,
	sAllowUsers,
	sDenyUsers,
	sAllowGroups,
	sDenyGroups,
	sIgnoreUserKnownHosts,
	sCiphers,
	sMacs,
	sProtocol,
	sPidFile,
	sGatewayPorts,
	sPubkeyAuthentication,
	sXAuthLocation,
	sSubsystem,
	sMaxStartups,
	sBanner,
	sVerifyReverseMapping,
	sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly,
	sClientAliveInterval,
	sClientAliveCountMax,
	sAuthorizedKeysFile,
	sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,
	sDeprecated			/* keyword accepted but ignored */
} ServerOpCodes;
311
/*
 * Textual representation of the tokens.  parse_token() compares the
 * keyword case-insensitively and stops at the NULL sentinel, so entries
 * are written in lower case.  Entries marked "alias" keep an older
 * spelling working by mapping onto the same opcode.  The table is never
 * written to, hence const.
 */
static const struct keyword {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },	/* alias */
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "verifyreversemapping", sVerifyReverseMapping },
	{ "reversemappingcheck", sVerifyReverseMapping },	/* alias */
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation },
	{ NULL, sBadOption }				/* sentinel */
};
389
/*
 * Map the keyword cp (compared case-insensitively) to its ServerOpCodes
 * value.  An unknown keyword is reported with error() and yields
 * sBadOption; filename and linenum only feed that diagnostic.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	size_t idx = 0;

	/* The table ends with a NULL name. */
	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
408
/*
 * Queue a listen address.  A port of 0 means "every configured Port", so
 * the default port is installed first if the configuration named none;
 * otherwise only the given port is used.  addr may be NULL for the
 * wildcard address.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
422
/*
 * Resolve addr:port with getaddrinfo() (family from the global IPv4or6,
 * AI_PASSIVE when addr is NULL) and prepend the resulting list to
 * options->listen_addrs.  Resolution failure is fatal: a listener that
 * was asked for but cannot be bound must not be silently dropped.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *tail;
	char portstr[NI_MAXSERV];
	int rc;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;	/* wildcard bind */
	snprintf(portstr, sizeof portstr, "%u", port);

	rc = getaddrinfo(addr, portstr, &hints, &res);
	if (rc != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>", gai_strerror(rc));

	/* Find the end of the new list, then put the whole list in front. */
	tail = res;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
444
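/*
 * Parse a single configuration line into *options.
 *
 * A value is stored only while the corresponding field is still at its
 * "unset" sentinel (-1, NULL, SSH_PROTO_UNKNOWN), so the first assignment
 * wins and settings processed earlier (e.g. command-line ones) take
 * precedence over later ones.  List options (AllowUsers, Subsystem, ...)
 * accumulate instead.  The line buffer is tokenised and modified in place.
 *
 * Returns 0 for an accepted, blank or comment line and -1 for an unknown
 * keyword.  Malformed values terminate via fatal(): continuing with a
 * half-parsed setting is never right for a security daemon.  filename and
 * linenum only feed the diagnostics.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p, *endp;
	int *intptr, value, i, n;
	int ms_begin = 0, ms_rate = 0, ms_full = 0;
	long lval;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sPAMAuthenticationViaKbdInt:
		intptr = &options->pam_authentication_via_kbd_int;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/* ListenAddress expands to the port list, so Port must come first */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * Convert with strtol() and reject anything that is not a
		 * complete, in-range decimal number: atoi() would quietly
		 * read "abc" as 0 and "12abc" as 12, and overflows with it
		 * are undefined behaviour.
		 */
		errno = 0;
		lval = strtol(arg, &endp, 10);
		if (endp == arg || *endp != '\0' || errno == ERANGE ||
		    lval < INT_MIN || lval > INT_MAX)
			fatal("%s line %d: invalid integer value '%.100s'.",
			    filename, linenum, arg);
		value = (int)lval;
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		/* convtime() understands suffixes (s/m/h/...) and returns -1 on error */
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			/* "[v6addr]" or "[v6addr]:port": strip the brackets in place */
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			/*
			 * No colon at all (host or v4 addr) or more than one
			 * (bare v6 addr): no port given, bind every Port.
			 */
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				*(p-1) = '\0';	/* split addr from port */
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		/* exact, case-sensitive spellings only */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;
#if defined(KRB4) || defined(KRB5)
	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;
#endif
#if defined(AFS) || defined(KRB5)
	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;
#endif
#ifdef AFS
	case sAFSTokenPassing:
		intptr = &options->afs_token_passing;
		goto parse_flag;
#endif

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sVerifyReverseMapping:
		intptr = &options->verify_reverse_mapping;
		goto parse_flag;

	case sLogFacility:
		/* enum field accessed through int *, as the sentinel test below needs */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		intptr = &use_privsep;
		goto parse_flag;

	/* Access lists take any number of names and accumulate across lines. */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal("%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		/* subsystem names must be unique */
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		/*
		 * Accept "N" or "begin:rate:full".  Parse into locals and
		 * validate before touching *options, then honour the same
		 * first-setting-wins rule as every other option here.
		 */
		n = sscanf(arg, "%d:%d:%d", &ms_begin, &ms_rate, &ms_full);
		if (n == 3) {
			if (ms_begin > ms_full ||
			    ms_rate > 100 || ms_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			ms_full = ms_begin;	/* plain "N": no random early drop */
		if (options->max_startups == -1) {
			options->max_startups_begin = ms_begin;
			options->max_startups = ms_full;
			if (n == 3)
				options->max_startups_rate = ms_rate;
		}
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 *	AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		logit("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		/* swallow the remaining arguments so they are not reported as garbage */
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Anything left after the option's own arguments is an error. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}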
089fbbd2 932
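/*
 * Read the whole server configuration file, feeding each line to
 * process_server_config_line().  Unknown keywords are counted and reported
 * together at the end via fatal(); an unopenable file exits with status 1.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	int linenum, bad_options = 0;
	char line[1024];
	FILE *f;

	debug2("read_server_config: filename %s", filename);
	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * fgets() stops after sizeof(line)-1 bytes.  Without this
		 * check a longer line would reach the parser in two pieces:
		 * the first with a silently truncated value, the second
		 * misread as a directive of its own.  A final line without a
		 * newline is fine (feof() is set).
		 */
		if (strchr(line, '\n') == NULL && !feof(f))
			fatal("%s line %d: line too long (max %d characters)",
			    filename, linenum, (int)(sizeof(line) - 2));
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}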