8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
8f73f7bb 13RCSID("$OpenBSD: servconf.c,v 1.126 2003/08/28 12:54:34 markus Exp $");
8efc0c15 14
15#include "ssh.h"
42f11eb2 16#include "log.h"
8efc0c15 17#include "servconf.h"
18#include "xmalloc.h"
a8be9f80 19#include "compat.h"
42f11eb2 20#include "pathnames.h"
21#include "tildexpand.h"
22#include "misc.h"
23#include "cipher.h"
b2552997 24#include "kex.h"
25#include "mac.h"
42f11eb2 26
/*
 * Forward declarations for the ListenAddress helpers defined further
 * down; fill_default_server_options() needs them before their bodies.
 */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6; becomes hints.ai_family when resolving listeners */
extern int IPv4or6;
/*
 * Use of privilege separation or not.  Set to -1 by
 * initialize_server_options(), overridden by the UsePrivilegeSeparation
 * directive, and resolved to a real value in fill_default_server_options().
 */
extern int use_privsep;
42f11eb2 34
/*
 * Initializes the server options to their default values.
 *
 * "Default" here means "not yet configured": every integer knob is set
 * to -1 (or its type's own NOT_SET / UNKNOWN sentinel) so that
 * process_server_config_line() can distinguish an untouched field from
 * a configured one, and fill_default_server_options() can supply the
 * compiled-in value afterwards.  Pointers are NULL and counters 0; the
 * leading memset() already guarantees that, the explicit stores only
 * make the intent visible field by field.
 */
void
initialize_server_options(ServerOptions *options)
{
	ServerOptions *o = options;

	memset(o, 0, sizeof(*o));

	/* Portable-specific options */
	o->use_pam = -1;

	/* Standard Options: listeners, keys and daemon housekeeping */
	o->num_ports = 0;
	o->ports_from_cmdline = 0;
	o->listen_addrs = NULL;
	o->num_host_key_files = 0;
	o->pid_file = NULL;
	o->server_key_bits = -1;
	o->key_regeneration_time = -1;
	o->login_grace_time = -1;
	o->protocol = SSH_PROTO_UNKNOWN;
	o->ciphers = NULL;
	o->macs = NULL;
	o->compression = -1;
	o->keepalives = -1;
	o->client_alive_interval = -1;
	o->client_alive_count_max = -1;
	o->max_startups_begin = -1;
	o->max_startups_rate = -1;
	o->max_startups = -1;
	o->use_dns = -1;
	o->banner = NULL;

	/* Logging */
	o->log_facility = SYSLOG_FACILITY_NOT_SET;
	o->log_level = SYSLOG_LEVEL_NOT_SET;

	/* Authentication methods and policy */
	o->permit_root_login = PERMIT_NOT_SET;
	o->rhosts_rsa_authentication = -1;
	o->hostbased_authentication = -1;
	o->hostbased_uses_name_from_packet_only = -1;
	o->rsa_authentication = -1;
	o->pubkey_authentication = -1;
	o->kerberos_authentication = -1;
	o->kerberos_or_local_passwd = -1;
	o->kerberos_ticket_cleanup = -1;
	o->kerberos_tgt_passing = -1;
	o->gss_authentication = -1;
	o->gss_cleanup_creds = -1;
	o->password_authentication = -1;
	o->kbd_interactive_authentication = -1;
	o->challenge_response_authentication = -1;
	o->permit_empty_passwd = -1;
	o->authorized_keys_file = NULL;
	o->authorized_keys_file2 = NULL;
	o->ignore_rhosts = -1;
	o->ignore_user_known_hosts = -1;
	o->strict_modes = -1;

	/* Access lists (AllowUsers & co.) */
	o->num_allow_users = 0;
	o->num_deny_users = 0;
	o->num_allow_groups = 0;
	o->num_deny_groups = 0;

	/* Session environment and forwarding */
	o->print_motd = -1;
	o->print_lastlog = -1;
	o->use_login = -1;
	o->permit_user_env = -1;
	o->allow_tcp_forwarding = -1;
	o->gateway_ports = -1;
	o->x11_forwarding = -1;
	o->x11_display_offset = -1;
	o->x11_use_localhost = -1;
	o->xauth_location = NULL;
	o->num_subsystems = 0;

	/* Needs to be accessible in many places, hence a global */
	use_privsep = -1;
}
108
/*
 * Replace the -1 "unset" sentinel in *field with dflt.  A field that was
 * explicitly configured (anything other than -1) is left alone.
 */
static void
fill_int_default(int *field, int dflt)
{
	if (*field == -1)
		*field = dflt;
}

/*
 * Supplies the compiled-in default for every option the config file
 * (and the command line) left untouched.  Must run after
 * initialize_server_options() and after all config lines have been
 * processed, because it only overwrites the NOT_SET sentinels.
 *
 * Ordering matters in three places: the protocol mask decides which
 * host key files are defaulted, max_startups must be final before
 * max_startups_begin copies it, and compression must be final before
 * the !HAVE_MMAP privsep check at the end.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	fill_int_default(&options->use_pam, 1);

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		int nkeys = 0;

		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[nkeys++] = _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[nkeys++] = _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[nkeys++] = _PATH_HOST_DSA_KEY_FILE;
		}
		options->num_host_key_files = nkeys;
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;

	fill_int_default(&options->server_key_bits, 768);
	fill_int_default(&options->login_grace_time, 120);
	fill_int_default(&options->key_regeneration_time, 3600);
	/* compiled-in default; the shipped sshd_config may tighten this */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	fill_int_default(&options->ignore_rhosts, 1);
	fill_int_default(&options->ignore_user_known_hosts, 0);
	fill_int_default(&options->print_motd, 1);
	fill_int_default(&options->print_lastlog, 1);
	fill_int_default(&options->x11_forwarding, 0);
	fill_int_default(&options->x11_display_offset, 10);
	fill_int_default(&options->x11_use_localhost, 1);
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	fill_int_default(&options->strict_modes, 1);
	fill_int_default(&options->keepalives, 1);

	/* log_facility / log_level are enums with their own sentinels */
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;

	fill_int_default(&options->rhosts_rsa_authentication, 0);
	fill_int_default(&options->hostbased_authentication, 0);
	fill_int_default(&options->hostbased_uses_name_from_packet_only, 0);
	fill_int_default(&options->rsa_authentication, 1);
	fill_int_default(&options->pubkey_authentication, 1);
	fill_int_default(&options->kerberos_authentication, 0);
	fill_int_default(&options->kerberos_or_local_passwd, 1);
	fill_int_default(&options->kerberos_ticket_cleanup, 1);
	fill_int_default(&options->kerberos_tgt_passing, 0);
	fill_int_default(&options->gss_authentication, 0);
	fill_int_default(&options->gss_cleanup_creds, 1);
	fill_int_default(&options->password_authentication, 1);
	fill_int_default(&options->kbd_interactive_authentication, 0);
	fill_int_default(&options->challenge_response_authentication, 1);
	fill_int_default(&options->permit_empty_passwd, 0);
	fill_int_default(&options->permit_user_env, 0);
	fill_int_default(&options->use_login, 0);
	fill_int_default(&options->compression, 1);
	fill_int_default(&options->allow_tcp_forwarding, 1);
	fill_int_default(&options->gateway_ports, 0);
	fill_int_default(&options->max_startups, 10);
	fill_int_default(&options->max_startups_rate, 100);	/* 100% */
	/* max_startups is already final at this point */
	fill_int_default(&options->max_startups_begin, options->max_startups);
	fill_int_default(&options->use_dns, 1);
	fill_int_default(&options->client_alive_interval, 0);
	fill_int_default(&options->client_alive_count_max, 3);
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		options->authorized_keys_file2 =
		    (options->authorized_keys_file != NULL) ?
		    options->authorized_keys_file :
		    _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	if (use_privsep == -1)
		use_privsep = 1;

#ifndef HAVE_MMAP
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif
}
245
/*
 * Keyword tokens.
 *
 * One opcode per sshd_config directive.  parse_token() maps a keyword
 * from the keywords[] table below to one of these and
 * process_server_config_line() dispatches on it.  sBadOption is also
 * the "not found" result of parse_token().  sDeprecated and
 * sUnsupported are real opcodes: the keyword is still recognised, the
 * rest of the line is consumed and a log message is emitted, so an old
 * sshd_config does not abort the daemon.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosTgtPassing, sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sUseDNS, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sGssAuthentication, sGssCleanupCreds,
	sUsePrivilegeSeparation,
	/* recognised but not acted upon, see process_server_config_line() */
	sDeprecated, sUnsupported
} ServerOpCodes;
272
/*
 * Textual representation of the tokens.
 *
 * Scanned linearly and case-insensitively by parse_token(); the first
 * matching entry wins and the { NULL, sBadOption } sentinel ends the
 * scan.  Several names are aliases for one opcode.  Options that were
 * compiled out (no USE_PAM, KRB5 or GSSAPI) keep their keyword but map
 * to sUnsupported, so such a line is logged and skipped instead of
 * being reported as an unknown option.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "usepam", sUsePAM },
#else
	{ "usepam", sUnsupported },
#endif
	{ "pamauthenticationviakbdint", sDeprecated },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sDeprecated },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },			/* alias */
#ifdef KRB5
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#else
	{ "kerberosauthentication", sUnsupported },
	{ "kerberosorlocalpasswd", sUnsupported },
	{ "kerberosticketcleanup", sUnsupported },
#endif
	/* always unsupported in this version, regardless of build flags */
	{ "kerberostgtpassing", sUnsupported },
	{ "afstokenpassing", sUnsupported },
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication },
	{ "gssapicleanupcreds", sGssCleanupCreds },
#else
	{ "gssapiauthentication", sUnsupported },
	{ "gssapicleanupcreds", sUnsupported },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "usedns", sUseDNS },
	{ "verifyreversemapping", sDeprecated },
	{ "reversemappingcheck", sDeprecated },
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	/* sentinel: terminates the scan in parse_token() */
	{ NULL, sBadOption }
};
363
/*
 * Returns the number of the token pointed to by cp or sBadOption.
 *
 * The lookup is a case-insensitive linear scan of keywords[] in table
 * order, so the first matching entry wins.  An unknown keyword is
 * reported through error() together with the file and line it came
 * from; the caller decides what to do with the sBadOption result.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
382
/*
 * Queue a ListenAddress.  A port of 0 means "on every configured port";
 * if no Port line has been seen yet the default port is installed
 * first, so a ListenAddress without an explicit port never ends up
 * with nothing to listen on.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
396
/*
 * Resolve addr:port (addr == NULL means the wildcard address, via
 * AI_PASSIVE) and prepend the resulting addrinfo chain to
 * options->listen_addrs.  A resolution failure is fatal, so a typo in
 * sshd_config stops the daemon instead of silently dropping a listener.
 * The chain is never freed here; it lives as long as the options do.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *last;
	char portstr[NI_MAXSERV];
	int rc;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = addr ? 0 : AI_PASSIVE;
	snprintf(portstr, sizeof portstr, "%u", port);

	rc = getaddrinfo(addr, portstr, &hints, &res);
	if (rc != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(rc));

	/* walk to the tail of the new chain and hang the old list behind it */
	last = res;
	while (last->ai_next != NULL)
		last = last->ai_next;
	last->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
418
/*
 * Parses one line of sshd_config into *options.
 *
 * Returns 0 for a blank or comment line and for a line that was
 * consumed, and -1 when the keyword is unknown (parse_token() has
 * already logged it); read_server_config() counts those and aborts once
 * the whole file has been read.  Malformed arguments do not return:
 * they call fatal().
 *
 * Convention used by almost every case: the argument is always parsed
 * and validated, but it is only stored if the target field still holds
 * the sentinel left by initialize_server_options() (-1, NULL or
 * SSH_PROTO_UNKNOWN).  The FIRST occurrence of an option therefore
 * wins; presumably this is what lets values set before the file is read
 * take precedence.  sMaxStartups is the one exception, see below.
 *
 * The parse_int / parse_time / parse_flag / parse_filename labels are
 * shared tails: a case sets intptr or charptr to the destination field
 * and jumps there.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p;
	int *intptr, value, i, n;
	ServerOpCodes opcode;

	cp = line;
	/*
	 * The first result is dereferenced unchecked; this relies on
	 * strdelim() returning non-NULL while *cp is non-NULL.
	 */
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sUsePAM:
		intptr = &options->use_pam;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/* add_listen_addr() expands "all ports", so ports must be complete first */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		options->ports[options->num_ports++] = a2port(arg);
		/* a2port() signals a bad port as 0 */
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * NOTE(review): atoi() reports nothing on malformed input,
		 * so "ServerKeyBits abc" silently becomes 0 here.  strtol()
		 * with an end-pointer check would let this fatal() the way
		 * parse_time does for an invalid time.
		 */
		value = atoi(arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		/* convtime() returns -1 for an unparsable time spec */
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms: host, host:port, [v6addr], [v6addr]:port and
		 * a bare v6addr (no brackets, no port).  The argument is
		 * edited in place to separate address from port.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			/* strip the brackets: skip '[' and shift the tail over ']' */
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			/* no ':' (plain host) or several (bare v6 addr): no port given */
			add_listen_addr(options, arg, 0);
			break;
		}
		/* p is now the first char after the address */
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				/* terminate the address where the ':' was */
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		/*
		 * intptr points at the slot counter, so parse_filename bumps
		 * it once the slot has been filled.
		 */
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			/* presumably resolves a leading '~' against getuid() — confirm */
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* yes/no only, case-sensitive; anything else is fatal */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;

	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;

	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;

	case sGssAuthentication:
		intptr = &options->gss_authentication;
		goto parse_flag;

	case sGssCleanupCreds:
		intptr = &options->gss_cleanup_creds;
		goto parse_flag;

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sUseDNS:
		intptr = &options->use_dns;
		goto parse_flag;

	case sLogFacility:
		/* enum field accessed through int *; relies on the enum being int-sized */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		/*
		 * arg may be NULL here; the "<NONE>" fallback below anticipates
		 * that, so log_facility_number() is presumably NULL-safe — confirm.
		 */
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		/* same int * aliasing of an enum field as sLogFacility */
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		/* writes the file-scope global, not a field of *options */
		intptr = &use_privsep;
		goto parse_flag;

	/*
	 * The four list options below take every remaining word on the
	 * line.  Entries are xstrdup()'d and, unlike the scalar options,
	 * accumulate across repeated lines up to the MAX_* limit.  Nothing
	 * in this file frees them.
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal( "%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		/* validated by ciphers_valid() before being kept; first line wins */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		/* bitmask of SSH_PROTO_1 / SSH_PROTO_2; sentinel is SSH_PROTO_UNKNOWN, not -1 */
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		/* "Subsystem name command"; a name may only be defined once */
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		/*
		 * "begin:rate:full" or a single number.  sscanf() writes the
		 * fields directly, so this is the one option that does NOT
		 * follow first-occurrence-wins: a later MaxStartups line
		 * replaces an earlier one.  With the single-number form
		 * max_startups_rate stays -1 and is defaulted to 100 later.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	/*
	 * Deprecated/unsupported keywords are logged, then the rest of the
	 * line is drained so the trailing-garbage check below stays quiet.
	 */
	case sDeprecated:
		logit("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	case sUnsupported:
		logit("%s line %d: Unsupported option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		/* every opcode in ServerOpCodes must have a case above */
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* anything left after the consumed argument(s) is an error */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}
089fbbd2 910
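/*
 * Reads the server configuration file.
 *
 * Every line is handed to process_server_config_line(); lines it
 * rejects as unknown options are counted and the daemon is terminated
 * with fatal() once the whole file has been scanned, so all bad
 * keywords are reported in one pass.  A file that cannot be opened is
 * reported with perror() and exits with status 1.
 *
 * Lines are read into a fixed 1024-byte buffer.  A line that does not
 * fit is rejected with fatal() instead of being silently split:
 * otherwise fgets() would return the remainder as a further "line", an
 * over-long AllowUsers or Subsystem entry would be parsed as two
 * unrelated directives, and the reported line numbers would drift.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	int linenum, bad_options = 0;
	char line[1024];
	FILE *f;

	debug2("read_server_config: filename %s", filename);
	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		if (strchr(line, '\n') == NULL && !feof(f)) {
			/*
			 * fgets() stopped at the buffer limit rather than at
			 * end of line.  Peek one byte: a newline means the
			 * line fit exactly (consume it), anything else means
			 * it was truncated and must not be parsed as two lines.
			 */
			int c = getc(f);

			if (c != '\n' && c != EOF)
				fatal("%s line %d: line too long (max %d bytes).",
				    filename, linenum, (int)sizeof(line) - 1);
		}
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}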