[openssh.git] / servconf.c

/*
 *
 * servconf.c
 *
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 *
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 *
 * Created: Mon Aug 21 15:48:58 1995 ylo
 *
 */

#include "includes.h"
RCSID("$Id$");

#include "ssh.h"
#include "servconf.h"
#include "xmalloc.h"
#include "compat.h"

/* add listen address */
void add_listen_addr(ServerOptions *options, char *addr);

/* Initializes the server options to their default values. */

void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->host_key_file = NULL;
	options->host_dsa_key_file = NULL;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->permit_root_login = -1;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->check_mail = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->strict_modes = -1;
	options->keepalives = -1;
	options->log_facility = (SyslogFacility) - 1;
	options->log_level = (LogLevel) - 1;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->rsa_authentication = -1;
	options->dsa_authentication = -1;
#ifdef KRB4
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#ifdef AFS
	options->kerberos_tgt_passing = -1;
	options->afs_token_passing = -1;
#endif
	options->password_authentication = -1;
#ifdef SKEY
	options->skey_authentication = -1;
#endif
	options->permit_empty_passwd = -1;
	options->use_login = -1;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->ciphers = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->gateway_ports = -1;
}

void
fill_default_server_options(ServerOptions *options)
{
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL);
	if (options->host_key_file == NULL)
		options->host_key_file = HOST_KEY_FILE;
	if (options->host_dsa_key_file == NULL)
		options->host_dsa_key_file = HOST_DSA_KEY_FILE;
	if (options->pid_file == NULL)
		options->pid_file = SSH_DAEMON_PID_FILE;
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	if (options->login_grace_time == -1)
		options->login_grace_time = 600;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	if (options->permit_root_login == -1)
		options->permit_root_login = 1;			/* yes */
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->check_mail == -1)
		options->check_mail = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 0;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->log_facility == (SyslogFacility) (-1))
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == (LogLevel) (-1))
		options->log_level = SYSLOG_LEVEL_INFO;
	if (options->rhosts_authentication == -1)
		options->rhosts_authentication = 0;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->dsa_authentication == -1)
		options->dsa_authentication = 1;
#ifdef KRB4
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
#endif /* KRB4 */
#ifdef AFS
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 0;
	if (options->afs_token_passing == -1)
		options->afs_token_passing = k_hasafs();
#endif /* AFS */
	if (options->password_authentication == -1)
		options->password_authentication = 1;
#ifdef SKEY
	if (options->skey_authentication == -1)
		options->skey_authentication = 1;
#endif
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
}

#define WHITESPACE " \t\r\n"

/* Keyword tokens. */
typedef enum {
	sBadOption,		/* == unknown option */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#ifdef KRB4
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#ifdef AFS
	sKerberosTgtPassing, sAFSTokenPassing,
#endif
#ifdef SKEY
	sSkeyAuthentication,
#endif
	sPasswordAuthentication, sListenAddress,
	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
	sGatewayPorts, sDSAAuthentication
} ServerOpCodes;

/* Textual representation of the tokens. */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostDSAKeyFile },
 	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "rsaauthentication", sRSAAuthentication },
	{ "dsaauthentication", sDSAAuthentication },
#ifdef KRB4
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#ifdef AFS
	{ "kerberostgtpassing", sKerberosTgtPassing },
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
#ifdef SKEY
	{ "skeyauthentication", sSkeyAuthentication },
#endif
	{ "checkmail", sCheckMail },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "uselogin", sUseLogin },
	{ "randomseed", sRandomSeedFile },
	{ "keepalive", sKeepAlives },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ NULL, 0 }
};

/*
 * Returns the number of the token pointed to by cp of length len. Never
 * returns if the token is not known.
 */

static ServerOpCodes
parse_token(const char *cp, const char *filename,
	    int linenum)
{
	unsigned int i;

	for (i = 0; keywords[i].name; i++)
		if (strcasecmp(cp, keywords[i].name) == 0)
			return keywords[i].opcode;

	fprintf(stderr, "%s: line %d: Bad configuration option: %s\n",
		filename, linenum, cp);
	return sBadOption;
}

/*
 * add listen address
 */
void
add_listen_addr(ServerOptions *options, char *addr)
{
	extern int IPv4or6;
	struct addrinfo hints, *ai, *aitop;
	char strport[NI_MAXSERV];
	int gaierr;
	int i;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	for (i = 0; i < options->num_ports; i++) {
		memset(&hints, 0, sizeof(hints));
		hints.ai_family = IPv4or6;
		hints.ai_socktype = SOCK_STREAM;
		hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
		snprintf(strport, sizeof strport, "%d", options->ports[i]);
		if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
			fatal("bad addr or host: %s (%s)\n",
			    addr ? addr : "<NULL>",
			    gai_strerror(gaierr));
		for (ai = aitop; ai->ai_next; ai = ai->ai_next)
			;
		ai->ai_next = options->listen_addrs;
		options->listen_addrs = aitop;
	}
}

/* Reads the server configuration file. */

void
read_server_config(ServerOptions *options, const char *filename)
{
	FILE *f;
	char line[1024];
	char *cp, **charptr;
	int linenum, *intptr, value;
	int bad_options = 0;
	ServerOpCodes opcode;

	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		linenum++;
		cp = line + strspn(line, WHITESPACE);
		if (!*cp || *cp == '#')
			continue;
		cp = strtok(cp, WHITESPACE);
		opcode = parse_token(cp, filename, linenum);
		switch (opcode) {
		case sBadOption:
			bad_options++;
			continue;
		case sPort:
			/* ignore ports from configfile if cmdline specifies ports */
			if (options->ports_from_cmdline)
				continue;
			if (options->listen_addrs != NULL)
				fatal("%s line %d: ports must be specified before "
				    "ListenAdress.\n", filename, linenum);
			if (options->num_ports >= MAX_PORTS)
				fatal("%s line %d: too many ports.\n",
				    filename, linenum);
			cp = strtok(NULL, WHITESPACE);
			if (!cp)
				fatal("%s line %d: missing port number.\n",
				    filename, linenum);
			options->ports[options->num_ports++] = atoi(cp);
			break;

		case sServerKeyBits:
			intptr = &options->server_key_bits;
parse_int:
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing integer value.\n",
					filename, linenum);
				exit(1);
			}
			value = atoi(cp);
			if (*intptr == -1)
				*intptr = value;
			break;

		case sLoginGraceTime:
			intptr = &options->login_grace_time;
			goto parse_int;

		case sKeyRegenerationTime:
			intptr = &options->key_regeneration_time;
			goto parse_int;

		case sListenAddress:
			cp = strtok(NULL, WHITESPACE);
			if (!cp)
				fatal("%s line %d: missing inet addr.\n",
				    filename, linenum);
			add_listen_addr(options, cp);
			break;

		case sHostKeyFile:
		case sHostDSAKeyFile:
			charptr = (opcode == sHostKeyFile ) ?
			    &options->host_key_file : &options->host_dsa_key_file;
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing file name.\n",
				    filename, linenum);
				exit(1);
			}
			if (*charptr == NULL)
				*charptr = tilde_expand_filename(cp, getuid());
			break;

		case sPidFile:
			charptr = &options->pid_file;
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing file name.\n",
				    filename, linenum);
				exit(1);
			}
			if (*charptr == NULL)
				*charptr = tilde_expand_filename(cp, getuid());
			break;

		case sRandomSeedFile:
			fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
				filename, linenum);
			cp = strtok(NULL, WHITESPACE);
			break;

		case sPermitRootLogin:
			intptr = &options->permit_root_login;
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
					filename, linenum);
				exit(1);
			}
			if (strcmp(cp, "without-password") == 0)
				value = 2;
			else if (strcmp(cp, "yes") == 0)
				value = 1;
			else if (strcmp(cp, "no") == 0)
				value = 0;
			else {
				fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
					filename, linenum, cp);
				exit(1);
			}
			if (*intptr == -1)
				*intptr = value;
			break;

		case sIgnoreRhosts:
			intptr = &options->ignore_rhosts;
parse_flag:
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing yes/no argument.\n",
					filename, linenum);
				exit(1);
			}
			if (strcmp(cp, "yes") == 0)
				value = 1;
			else if (strcmp(cp, "no") == 0)
				value = 0;
			else {
				fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
					filename, linenum, cp);
				exit(1);
			}
			if (*intptr == -1)
				*intptr = value;
			break;

		case sIgnoreUserKnownHosts:
			intptr = &options->ignore_user_known_hosts;
			goto parse_flag;

		case sRhostsAuthentication:
			intptr = &options->rhosts_authentication;
			goto parse_flag;

		case sRhostsRSAAuthentication:
			intptr = &options->rhosts_rsa_authentication;
			goto parse_flag;

		case sRSAAuthentication:
			intptr = &options->rsa_authentication;
			goto parse_flag;

		case sDSAAuthentication:
			intptr = &options->dsa_authentication;
			goto parse_flag;

#ifdef KRB4
		case sKerberosAuthentication:
			intptr = &options->kerberos_authentication;
			goto parse_flag;

		case sKerberosOrLocalPasswd:
			intptr = &options->kerberos_or_local_passwd;
			goto parse_flag;

		case sKerberosTicketCleanup:
			intptr = &options->kerberos_ticket_cleanup;
			goto parse_flag;
#endif

#ifdef AFS
		case sKerberosTgtPassing:
			intptr = &options->kerberos_tgt_passing;
			goto parse_flag;

		case sAFSTokenPassing:
			intptr = &options->afs_token_passing;
			goto parse_flag;
#endif

		case sPasswordAuthentication:
			intptr = &options->password_authentication;
			goto parse_flag;

		case sCheckMail:
			intptr = &options->check_mail;
			goto parse_flag;

#ifdef SKEY
		case sSkeyAuthentication:
			intptr = &options->skey_authentication;
			goto parse_flag;
#endif

		case sPrintMotd:
			intptr = &options->print_motd;
			goto parse_flag;

		case sX11Forwarding:
			intptr = &options->x11_forwarding;
			goto parse_flag;

		case sX11DisplayOffset:
			intptr = &options->x11_display_offset;
			goto parse_int;

		case sStrictModes:
			intptr = &options->strict_modes;
			goto parse_flag;

		case sKeepAlives:
			intptr = &options->keepalives;
			goto parse_flag;

		case sEmptyPasswd:
			intptr = &options->permit_empty_passwd;
			goto parse_flag;

		case sUseLogin:
			intptr = &options->use_login;
			goto parse_flag;

		case sGatewayPorts:
			intptr = &options->gateway_ports;
			goto parse_flag;

		case sLogFacility:
			intptr = (int *) &options->log_facility;
			cp = strtok(NULL, WHITESPACE);
			value = log_facility_number(cp);
			if (value == (SyslogFacility) - 1)
				fatal("%.200s line %d: unsupported log facility '%s'\n",
				    filename, linenum, cp ? cp : "<NONE>");
			if (*intptr == -1)
				*intptr = (SyslogFacility) value;
			break;

		case sLogLevel:
			intptr = (int *) &options->log_level;
			cp = strtok(NULL, WHITESPACE);
			value = log_level_number(cp);
			if (value == (LogLevel) - 1)
				fatal("%.200s line %d: unsupported log level '%s'\n",
				    filename, linenum, cp ? cp : "<NONE>");
			if (*intptr == -1)
				*intptr = (LogLevel) value;
			break;

		case sAllowUsers:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_allow_users >= MAX_ALLOW_USERS)
					fatal("%s line %d: too many allow users.\n",
					    filename, linenum);
				options->allow_users[options->num_allow_users++] = xstrdup(cp);
			}
			break;

		case sDenyUsers:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_deny_users >= MAX_DENY_USERS)
					fatal( "%s line %d: too many deny users.\n",
					    filename, linenum);
				options->deny_users[options->num_deny_users++] = xstrdup(cp);
			}
			break;

		case sAllowGroups:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
					fatal("%s line %d: too many allow groups.\n",
					    filename, linenum);
				options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
			}
			break;

		case sDenyGroups:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_deny_groups >= MAX_DENY_GROUPS)
					fatal("%s line %d: too many deny groups.\n",
					    filename, linenum);
				options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
			}
			break;

		case sCiphers:
			cp = strtok(NULL, WHITESPACE);
			if (!cp)
				fatal("%s line %d: Missing argument.", filename, linenum);
			if (!ciphers_valid(cp))
				fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
				    filename, linenum, cp ? cp : "<NONE>");
			if (options->ciphers == NULL)
				options->ciphers = xstrdup(cp);
			break;

		case sProtocol:
			intptr = &options->protocol;
			cp = strtok(NULL, WHITESPACE);
			if (!cp)
				fatal("%s line %d: Missing argument.", filename, linenum);
			value = proto_spec(cp);
			if (value == SSH_PROTO_UNKNOWN)
				fatal("%s line %d: Bad protocol spec '%s'.",
				      filename, linenum, cp ? cp : "<NONE>");
			if (*intptr == SSH_PROTO_UNKNOWN)
				*intptr = value;
			break;

		default:
			fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
				filename, linenum, cp, opcode);
			exit(1);
		}
		if (strtok(NULL, WHITESPACE) != NULL) {
			fprintf(stderr, "%s line %d: garbage at end of line.\n",
				filename, linenum);
			exit(1);
		}
	}
	fclose(f);
	if (bad_options > 0) {
		fprintf(stderr, "%s: terminating, %d bad configuration options\n",
			filename, bad_options);
		exit(1);
	}
}
Commit	Line	Data
8efc0c15	1	/*
6ae2364d	2	*
5260325f	3	* servconf.c
6ae2364d	4	*
5260325f	5	* Author: Tatu Ylonen <ylo@cs.hut.fi>
6ae2364d	6	*
5260325f	7	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5260325f	8	* All rights reserved
6ae2364d	9	*
5260325f	10	* Created: Mon Aug 21 15:48:58 1995 ylo
6ae2364d	11	*
5260325f	12	*/
8efc0c15	13
	14	#include "includes.h"
	15	RCSID("$Id$");
	16
	17	#include "ssh.h"
	18	#include "servconf.h"
	19	#include "xmalloc.h"
a8be9f80	20	#include "compat.h"
8efc0c15	21
48e671d5	22	/* add listen address */
	23	void add_listen_addr(ServerOptions options, char addr);
	24
8efc0c15	25	/* Initializes the server options to their default values. */
8efc0c15	26
6ae2364d	27	void
5260325f	28	initialize_server_options(ServerOptions *options)
8efc0c15	29	{
5260325f	30	memset(options, 0, sizeof(*options));
48e671d5	31	options->num_ports = 0;
	32	options->ports_from_cmdline = 0;
	33	options->listen_addrs = NULL;
5260325f	34	options->host_key_file = NULL;
1d1ffb87	35	options->host_dsa_key_file = NULL;
0fbe8c74	36	options->pid_file = NULL;
5260325f	37	options->server_key_bits = -1;
	38	options->login_grace_time = -1;
	39	options->key_regeneration_time = -1;
	40	options->permit_root_login = -1;
	41	options->ignore_rhosts = -1;
	42	options->ignore_user_known_hosts = -1;
	43	options->print_motd = -1;
	44	options->check_mail = -1;
	45	options->x11_forwarding = -1;
	46	options->x11_display_offset = -1;
	47	options->strict_modes = -1;
	48	options->keepalives = -1;
	49	options->log_facility = (SyslogFacility) - 1;
	50	options->log_level = (LogLevel) - 1;
	51	options->rhosts_authentication = -1;
	52	options->rhosts_rsa_authentication = -1;
	53	options->rsa_authentication = -1;
1d1ffb87	54	options->dsa_authentication = -1;
8efc0c15	55	#ifdef KRB4
5260325f	56	options->kerberos_authentication = -1;
	57	options->kerberos_or_local_passwd = -1;
	58	options->kerberos_ticket_cleanup = -1;
8efc0c15	59	#endif
8efc0c15	60	#ifdef AFS
5260325f	61	options->kerberos_tgt_passing = -1;
5260325f	62	options->afs_token_passing = -1;
8efc0c15	63	#endif
5260325f	64	options->password_authentication = -1;
8efc0c15	65	#ifdef SKEY
5260325f	66	options->skey_authentication = -1;
8efc0c15	67	#endif
5260325f	68	options->permit_empty_passwd = -1;
	69	options->use_login = -1;
	70	options->num_allow_users = 0;
	71	options->num_deny_users = 0;
	72	options->num_allow_groups = 0;
	73	options->num_deny_groups = 0;
a8be9f80	74	options->ciphers = NULL;
a8be9f80	75	options->protocol = SSH_PROTO_UNKNOWN;
1d1ffb87	76	options->gateway_ports = -1;
8efc0c15	77	}
8efc0c15	78
6ae2364d	79	void
5260325f	80	fill_default_server_options(ServerOptions *options)
8efc0c15	81	{
48e671d5	82	if (options->num_ports == 0)
	83	options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	84	if (options->listen_addrs == NULL)
	85	add_listen_addr(options, NULL);
5260325f	86	if (options->host_key_file == NULL)
5260325f	87	options->host_key_file = HOST_KEY_FILE;
1d1ffb87	88	if (options->host_dsa_key_file == NULL)
1d1ffb87	89	options->host_dsa_key_file = HOST_DSA_KEY_FILE;
0fbe8c74	90	if (options->pid_file == NULL)
0fbe8c74	91	options->pid_file = SSH_DAEMON_PID_FILE;
5260325f	92	if (options->server_key_bits == -1)
	93	options->server_key_bits = 768;
	94	if (options->login_grace_time == -1)
	95	options->login_grace_time = 600;
	96	if (options->key_regeneration_time == -1)
	97	options->key_regeneration_time = 3600;
	98	if (options->permit_root_login == -1)
	99	options->permit_root_login = 1; /* yes */
	100	if (options->ignore_rhosts == -1)
c8d54615	101	options->ignore_rhosts = 1;
5260325f	102	if (options->ignore_user_known_hosts == -1)
	103	options->ignore_user_known_hosts = 0;
	104	if (options->check_mail == -1)
	105	options->check_mail = 0;
	106	if (options->print_motd == -1)
	107	options->print_motd = 1;
	108	if (options->x11_forwarding == -1)
c8d54615	109	options->x11_forwarding = 0;
5260325f	110	if (options->x11_display_offset == -1)
c8d54615	111	options->x11_display_offset = 10;
5260325f	112	if (options->strict_modes == -1)
	113	options->strict_modes = 1;
	114	if (options->keepalives == -1)
	115	options->keepalives = 1;
	116	if (options->log_facility == (SyslogFacility) (-1))
	117	options->log_facility = SYSLOG_FACILITY_AUTH;
	118	if (options->log_level == (LogLevel) (-1))
	119	options->log_level = SYSLOG_LEVEL_INFO;
	120	if (options->rhosts_authentication == -1)
	121	options->rhosts_authentication = 0;
	122	if (options->rhosts_rsa_authentication == -1)
c8d54615	123	options->rhosts_rsa_authentication = 0;
5260325f	124	if (options->rsa_authentication == -1)
5260325f	125	options->rsa_authentication = 1;
1d1ffb87	126	if (options->dsa_authentication == -1)
1d1ffb87	127	options->dsa_authentication = 1;
8efc0c15	128	#ifdef KRB4
5260325f	129	if (options->kerberos_authentication == -1)
	130	options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
	131	if (options->kerberos_or_local_passwd == -1)
	132	options->kerberos_or_local_passwd = 1;
	133	if (options->kerberos_ticket_cleanup == -1)
	134	options->kerberos_ticket_cleanup = 1;
8efc0c15	135	#endif /* KRB4 */
8efc0c15	136	#ifdef AFS
5260325f	137	if (options->kerberos_tgt_passing == -1)
	138	options->kerberos_tgt_passing = 0;
	139	if (options->afs_token_passing == -1)
	140	options->afs_token_passing = k_hasafs();
8efc0c15	141	#endif /* AFS */
5260325f	142	if (options->password_authentication == -1)
5260325f	143	options->password_authentication = 1;
8efc0c15	144	#ifdef SKEY
5260325f	145	if (options->skey_authentication == -1)
5260325f	146	options->skey_authentication = 1;
8efc0c15	147	#endif
5260325f	148	if (options->permit_empty_passwd == -1)
c8d54615	149	options->permit_empty_passwd = 0;
5260325f	150	if (options->use_login == -1)
5260325f	151	options->use_login = 0;
a8be9f80	152	if (options->protocol == SSH_PROTO_UNKNOWN)
a306f2dd	153	options->protocol = SSH_PROTO_1\|SSH_PROTO_2;
1d1ffb87	154	if (options->gateway_ports == -1)
1d1ffb87	155	options->gateway_ports = 0;
8efc0c15	156	}
	157
	158	#define WHITESPACE " \t\r\n"
	159
	160	/* Keyword tokens. */
5260325f	161	typedef enum {
	162	sBadOption, /* == unknown option */
	163	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	164	sPermitRootLogin, sLogFacility, sLogLevel,
	165	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
8efc0c15	166	#ifdef KRB4
5260325f	167	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
8efc0c15	168	#endif
8efc0c15	169	#ifdef AFS
5260325f	170	sKerberosTgtPassing, sAFSTokenPassing,
8efc0c15	171	#endif
8efc0c15	172	#ifdef SKEY
5260325f	173	sSkeyAuthentication,
8efc0c15	174	#endif
5260325f	175	sPasswordAuthentication, sListenAddress,
	176	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
	177	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
	178	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
1d1ffb87	179	sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
1d1ffb87	180	sGatewayPorts, sDSAAuthentication
8efc0c15	181	} ServerOpCodes;
	182
	183	/* Textual representation of the tokens. */
5260325f	184	static struct {
	185	const char *name;
	186	ServerOpCodes opcode;
	187	} keywords[] = {
	188	{ "port", sPort },
	189	{ "hostkey", sHostKeyFile },
1d1ffb87	190	{ "hostdsakey", sHostDSAKeyFile },
0fbe8c74	191	{ "pidfile", sPidFile },
5260325f	192	{ "serverkeybits", sServerKeyBits },
	193	{ "logingracetime", sLoginGraceTime },
	194	{ "keyregenerationinterval", sKeyRegenerationTime },
	195	{ "permitrootlogin", sPermitRootLogin },
	196	{ "syslogfacility", sLogFacility },
	197	{ "loglevel", sLogLevel },
	198	{ "rhostsauthentication", sRhostsAuthentication },
	199	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	200	{ "rsaauthentication", sRSAAuthentication },
1d1ffb87	201	{ "dsaauthentication", sDSAAuthentication },
8efc0c15	202	#ifdef KRB4
5260325f	203	{ "kerberosauthentication", sKerberosAuthentication },
	204	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	205	{ "kerberosticketcleanup", sKerberosTicketCleanup },
8efc0c15	206	#endif
8efc0c15	207	#ifdef AFS
5260325f	208	{ "kerberostgtpassing", sKerberosTgtPassing },
5260325f	209	{ "afstokenpassing", sAFSTokenPassing },
8efc0c15	210	#endif
5260325f	211	{ "passwordauthentication", sPasswordAuthentication },
8efc0c15	212	#ifdef SKEY
5260325f	213	{ "skeyauthentication", sSkeyAuthentication },
8efc0c15	214	#endif
5260325f	215	{ "checkmail", sCheckMail },
	216	{ "listenaddress", sListenAddress },
	217	{ "printmotd", sPrintMotd },
	218	{ "ignorerhosts", sIgnoreRhosts },
	219	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	220	{ "x11forwarding", sX11Forwarding },
	221	{ "x11displayoffset", sX11DisplayOffset },
	222	{ "strictmodes", sStrictModes },
	223	{ "permitemptypasswords", sEmptyPasswd },
	224	{ "uselogin", sUseLogin },
	225	{ "randomseed", sRandomSeedFile },
	226	{ "keepalive", sKeepAlives },
	227	{ "allowusers", sAllowUsers },
	228	{ "denyusers", sDenyUsers },
	229	{ "allowgroups", sAllowGroups },
	230	{ "denygroups", sDenyGroups },
a8be9f80	231	{ "ciphers", sCiphers },
a8be9f80	232	{ "protocol", sProtocol },
1d1ffb87	233	{ "gatewayports", sGatewayPorts },
5260325f	234	{ NULL, 0 }
8efc0c15	235	};
8efc0c15	236
aa3378df	237	/*
	238	* Returns the number of the token pointed to by cp of length len. Never
	239	* returns if the token is not known.
	240	*/
8efc0c15	241
6ae2364d	242	static ServerOpCodes
5260325f	243	parse_token(const char cp, const char filename,
5260325f	244	int linenum)
8efc0c15	245	{
5260325f	246	unsigned int i;
8efc0c15	247
5260325f	248	for (i = 0; keywords[i].name; i++)
aa3378df	249	if (strcasecmp(cp, keywords[i].name) == 0)
5260325f	250	return keywords[i].opcode;
8efc0c15	251
5260325f	252	fprintf(stderr, "%s: line %d: Bad configuration option: %s\n",
	253	filename, linenum, cp);
	254	return sBadOption;
8efc0c15	255	}
8efc0c15	256
48e671d5	257	/*
	258	* add listen address
	259	*/
6ae2364d	260	void
48e671d5	261	add_listen_addr(ServerOptions options, char addr)
	262	{
	263	extern int IPv4or6;
	264	struct addrinfo hints, ai, aitop;
	265	char strport[NI_MAXSERV];
	266	int gaierr;
	267	int i;
	268
	269	if (options->num_ports == 0)
	270	options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	271	for (i = 0; i < options->num_ports; i++) {
	272	memset(&hints, 0, sizeof(hints));
	273	hints.ai_family = IPv4or6;
	274	hints.ai_socktype = SOCK_STREAM;
	275	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
	276	snprintf(strport, sizeof strport, "%d", options->ports[i]);
	277	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
	278	fatal("bad addr or host: %s (%s)\n",
	279	addr ? addr : "<NULL>",
	280	gai_strerror(gaierr));
	281	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
	282	;
	283	ai->ai_next = options->listen_addrs;
	284	options->listen_addrs = aitop;
	285	}
	286	}
	287
8efc0c15	288	/* Reads the server configuration file. */
8efc0c15	289
6ae2364d	290	void
5260325f	291	read_server_config(ServerOptions options, const char filename)
8efc0c15	292	{
5260325f	293	FILE *f;
	294	char line[1024];
	295	char cp, *charptr;
	296	int linenum, *intptr, value;
	297	int bad_options = 0;
	298	ServerOpCodes opcode;
	299
	300	f = fopen(filename, "r");
	301	if (!f) {
	302	perror(filename);
8efc0c15	303	exit(1);
5260325f	304	}
	305	linenum = 0;
	306	while (fgets(line, sizeof(line), f)) {
	307	linenum++;
	308	cp = line + strspn(line, WHITESPACE);
	309	if (!cp \|\| cp == '#')
	310	continue;
	311	cp = strtok(cp, WHITESPACE);
5260325f	312	opcode = parse_token(cp, filename, linenum);
	313	switch (opcode) {
	314	case sBadOption:
	315	bad_options++;
	316	continue;
	317	case sPort:
48e671d5	318	/* ignore ports from configfile if cmdline specifies ports */
	319	if (options->ports_from_cmdline)
	320	continue;
	321	if (options->listen_addrs != NULL)
	322	fatal("%s line %d: ports must be specified before "
	323	"ListenAdress.\n", filename, linenum);
	324	if (options->num_ports >= MAX_PORTS)
	325	fatal("%s line %d: too many ports.\n",
6ae2364d	326	filename, linenum);
48e671d5	327	cp = strtok(NULL, WHITESPACE);
	328	if (!cp)
	329	fatal("%s line %d: missing port number.\n",
	330	filename, linenum);
	331	options->ports[options->num_ports++] = atoi(cp);
	332	break;
	333
	334	case sServerKeyBits:
	335	intptr = &options->server_key_bits;
5260325f	336	parse_int:
	337	cp = strtok(NULL, WHITESPACE);
	338	if (!cp) {
	339	fprintf(stderr, "%s line %d: missing integer value.\n",
	340	filename, linenum);
	341	exit(1);
	342	}
	343	value = atoi(cp);
	344	if (*intptr == -1)
	345	*intptr = value;
	346	break;
	347
5260325f	348	case sLoginGraceTime:
	349	intptr = &options->login_grace_time;
	350	goto parse_int;
	351
	352	case sKeyRegenerationTime:
	353	intptr = &options->key_regeneration_time;
	354	goto parse_int;
	355
	356	case sListenAddress:
	357	cp = strtok(NULL, WHITESPACE);
48e671d5	358	if (!cp)
	359	fatal("%s line %d: missing inet addr.\n",
	360	filename, linenum);
	361	add_listen_addr(options, cp);
5260325f	362	break;
	363
	364	case sHostKeyFile:
1d1ffb87	365	case sHostDSAKeyFile:
e78a59f5	366	charptr = (opcode == sHostKeyFile ) ?
1d1ffb87	367	&options->host_key_file : &options->host_dsa_key_file;
5260325f	368	cp = strtok(NULL, WHITESPACE);
	369	if (!cp) {
	370	fprintf(stderr, "%s line %d: missing file name.\n",
0fbe8c74	371	filename, linenum);
	372	exit(1);
	373	}
	374	if (*charptr == NULL)
	375	*charptr = tilde_expand_filename(cp, getuid());
	376	break;
	377
	378	case sPidFile:
	379	charptr = &options->pid_file;
	380	cp = strtok(NULL, WHITESPACE);
	381	if (!cp) {
	382	fprintf(stderr, "%s line %d: missing file name.\n",
	383	filename, linenum);
5260325f	384	exit(1);
	385	}
	386	if (*charptr == NULL)
	387	*charptr = tilde_expand_filename(cp, getuid());
	388	break;
	389
	390	case sRandomSeedFile:
	391	fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
	392	filename, linenum);
	393	cp = strtok(NULL, WHITESPACE);
	394	break;
	395
	396	case sPermitRootLogin:
	397	intptr = &options->permit_root_login;
	398	cp = strtok(NULL, WHITESPACE);
	399	if (!cp) {
	400	fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
	401	filename, linenum);
	402	exit(1);
	403	}
	404	if (strcmp(cp, "without-password") == 0)
	405	value = 2;
	406	else if (strcmp(cp, "yes") == 0)
	407	value = 1;
	408	else if (strcmp(cp, "no") == 0)
	409	value = 0;
	410	else {
	411	fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
	412	filename, linenum, cp);
	413	exit(1);
	414	}
	415	if (*intptr == -1)
	416	*intptr = value;
	417	break;
	418
	419	case sIgnoreRhosts:
	420	intptr = &options->ignore_rhosts;
	421	parse_flag:
	422	cp = strtok(NULL, WHITESPACE);
	423	if (!cp) {
	424	fprintf(stderr, "%s line %d: missing yes/no argument.\n",
	425	filename, linenum);
	426	exit(1);
	427	}
	428	if (strcmp(cp, "yes") == 0)
	429	value = 1;
	430	else if (strcmp(cp, "no") == 0)
	431	value = 0;
	432	else {
	433	fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
	434	filename, linenum, cp);
	435	exit(1);
	436	}
	437	if (*intptr == -1)
	438	*intptr = value;
	439	break;
	440
	441	case sIgnoreUserKnownHosts:
	442	intptr = &options->ignore_user_known_hosts;
c8d54615	443	goto parse_flag;
5260325f	444
	445	case sRhostsAuthentication:
	446	intptr = &options->rhosts_authentication;
	447	goto parse_flag;
	448
	449	case sRhostsRSAAuthentication:
	450	intptr = &options->rhosts_rsa_authentication;
	451	goto parse_flag;
	452
	453	case sRSAAuthentication:
	454	intptr = &options->rsa_authentication;
	455	goto parse_flag;
	456
1d1ffb87	457	case sDSAAuthentication:
	458	intptr = &options->dsa_authentication;
	459	goto parse_flag;
	460
8efc0c15	461	#ifdef KRB4
5260325f	462	case sKerberosAuthentication:
	463	intptr = &options->kerberos_authentication;
	464	goto parse_flag;
	465
	466	case sKerberosOrLocalPasswd:
	467	intptr = &options->kerberos_or_local_passwd;
	468	goto parse_flag;
	469
	470	case sKerberosTicketCleanup:
	471	intptr = &options->kerberos_ticket_cleanup;
	472	goto parse_flag;
8efc0c15	473	#endif
5260325f	474
8efc0c15	475	#ifdef AFS
5260325f	476	case sKerberosTgtPassing:
	477	intptr = &options->kerberos_tgt_passing;
	478	goto parse_flag;
8efc0c15	479
5260325f	480	case sAFSTokenPassing:
	481	intptr = &options->afs_token_passing;
	482	goto parse_flag;
8efc0c15	483	#endif
8efc0c15	484
5260325f	485	case sPasswordAuthentication:
	486	intptr = &options->password_authentication;
	487	goto parse_flag;
8efc0c15	488
5260325f	489	case sCheckMail:
	490	intptr = &options->check_mail;
	491	goto parse_flag;
8efc0c15	492
8efc0c15	493	#ifdef SKEY
5260325f	494	case sSkeyAuthentication:
	495	intptr = &options->skey_authentication;
	496	goto parse_flag;
8efc0c15	497	#endif
8efc0c15	498
5260325f	499	case sPrintMotd:
	500	intptr = &options->print_motd;
	501	goto parse_flag;
	502
	503	case sX11Forwarding:
	504	intptr = &options->x11_forwarding;
	505	goto parse_flag;
	506
	507	case sX11DisplayOffset:
	508	intptr = &options->x11_display_offset;
	509	goto parse_int;
	510
	511	case sStrictModes:
	512	intptr = &options->strict_modes;
	513	goto parse_flag;
	514
	515	case sKeepAlives:
	516	intptr = &options->keepalives;
	517	goto parse_flag;
	518
	519	case sEmptyPasswd:
	520	intptr = &options->permit_empty_passwd;
	521	goto parse_flag;
	522
	523	case sUseLogin:
	524	intptr = &options->use_login;
	525	goto parse_flag;
	526
1d1ffb87	527	case sGatewayPorts:
	528	intptr = &options->gateway_ports;
	529	goto parse_flag;
	530
5260325f	531	case sLogFacility:
	532	intptr = (int *) &options->log_facility;
	533	cp = strtok(NULL, WHITESPACE);
	534	value = log_facility_number(cp);
	535	if (value == (SyslogFacility) - 1)
	536	fatal("%.200s line %d: unsupported log facility '%s'\n",
a8be9f80	537	filename, linenum, cp ? cp : "<NONE>");
5260325f	538	if (*intptr == -1)
	539	*intptr = (SyslogFacility) value;
	540	break;
	541
	542	case sLogLevel:
	543	intptr = (int *) &options->log_level;
	544	cp = strtok(NULL, WHITESPACE);
	545	value = log_level_number(cp);
	546	if (value == (LogLevel) - 1)
	547	fatal("%.200s line %d: unsupported log level '%s'\n",
a8be9f80	548	filename, linenum, cp ? cp : "<NONE>");
5260325f	549	if (*intptr == -1)
	550	*intptr = (LogLevel) value;
	551	break;
	552
	553	case sAllowUsers:
	554	while ((cp = strtok(NULL, WHITESPACE))) {
a8be9f80	555	if (options->num_allow_users >= MAX_ALLOW_USERS)
	556	fatal("%s line %d: too many allow users.\n",
	557	filename, linenum);
5260325f	558	options->allow_users[options->num_allow_users++] = xstrdup(cp);
	559	}
	560	break;
	561
	562	case sDenyUsers:
	563	while ((cp = strtok(NULL, WHITESPACE))) {
a8be9f80	564	if (options->num_deny_users >= MAX_DENY_USERS)
	565	fatal( "%s line %d: too many deny users.\n",
	566	filename, linenum);
5260325f	567	options->deny_users[options->num_deny_users++] = xstrdup(cp);
	568	}
	569	break;
	570
	571	case sAllowGroups:
	572	while ((cp = strtok(NULL, WHITESPACE))) {
a8be9f80	573	if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
	574	fatal("%s line %d: too many allow groups.\n",
	575	filename, linenum);
5260325f	576	options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
	577	}
	578	break;
	579
	580	case sDenyGroups:
	581	while ((cp = strtok(NULL, WHITESPACE))) {
a8be9f80	582	if (options->num_deny_groups >= MAX_DENY_GROUPS)
	583	fatal("%s line %d: too many deny groups.\n",
	584	filename, linenum);
5260325f	585	options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
	586	}
	587	break;
	588
a8be9f80	589	case sCiphers:
a8be9f80	590	cp = strtok(NULL, WHITESPACE);
71276795	591	if (!cp)
71276795	592	fatal("%s line %d: Missing argument.", filename, linenum);
a8be9f80	593	if (!ciphers_valid(cp))
d0c832f3	594	fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
a8be9f80	595	filename, linenum, cp ? cp : "<NONE>");
	596	if (options->ciphers == NULL)
	597	options->ciphers = xstrdup(cp);
	598	break;
	599
	600	case sProtocol:
	601	intptr = &options->protocol;
	602	cp = strtok(NULL, WHITESPACE);
71276795	603	if (!cp)
71276795	604	fatal("%s line %d: Missing argument.", filename, linenum);
a8be9f80	605	value = proto_spec(cp);
	606	if (value == SSH_PROTO_UNKNOWN)
	607	fatal("%s line %d: Bad protocol spec '%s'.",
	608	filename, linenum, cp ? cp : "<NONE>");
	609	if (*intptr == SSH_PROTO_UNKNOWN)
	610	*intptr = value;
	611	break;
	612
5260325f	613	default:
	614	fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
	615	filename, linenum, cp, opcode);
	616	exit(1);
8efc0c15	617	}
5260325f	618	if (strtok(NULL, WHITESPACE) != NULL) {
	619	fprintf(stderr, "%s line %d: garbage at end of line.\n",
	620	filename, linenum);
	621	exit(1);
8efc0c15	622	}
8efc0c15	623	}
5260325f	624	fclose(f);
	625	if (bad_options > 0) {
	626	fprintf(stderr, "%s: terminating, %d bad configuration options\n",
	627	filename, bad_options);
	628	exit(1);
8efc0c15	629	}
8efc0c15	630	}