8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
31b41ceb 13RCSID("$OpenBSD: servconf.c,v 1.138 2004/12/23 23:11:00 djm Exp $");
8efc0c15 14
15#include "ssh.h"
42f11eb2 16#include "log.h"
8efc0c15 17#include "servconf.h"
18#include "xmalloc.h"
a8be9f80 19#include "compat.h"
42f11eb2 20#include "pathnames.h"
42f11eb2 21#include "misc.h"
22#include "cipher.h"
b2552997 23#include "kex.h"
24#include "mac.h"
42f11eb2 25
/*
 * Listener helpers, defined below.  add_listen_addr() expands a
 * ListenAddress into one entry per configured port when port == 0;
 * add_one_listen_addr() resolves a single address/port pair.
 */
static void add_listen_addr(ServerOptions *options, char *addr, u_short port);
static void add_one_listen_addr(ServerOptions *options, char *addr, u_short port);

/* Use of privilege separation or not (shared with sshd; -1 == not set) */
extern int use_privsep;
42f11eb2 31
/*
 * Initializes the server options to their default values.
 *
 * The structure is zeroed and then every option is set to its "not yet
 * configured" sentinel: -1 for integer/flag options, NULL for strings,
 * and the *_NOT_SET / *_UNKNOWN constants for enums.  The config parser
 * only stores into a field that still holds its sentinel (first setting
 * wins), and fill_default_server_options() later replaces whatever is
 * still unset with the built-in default.
 *
 * options: caller-provided structure; overwritten entirely.
 */
void
initialize_server_options(ServerOptions *options)
{
	ServerOptions *o = options;

	memset(o, 0, sizeof(*o));

	/* Portable-specific options */
	o->use_pam = -1;

	/* Standard Options: listener and key material */
	o->num_ports = 0;
	o->ports_from_cmdline = 0;
	o->listen_addrs = NULL;
	o->address_family = -1;
	o->num_host_key_files = 0;
	o->pid_file = NULL;
	o->server_key_bits = -1;
	o->login_grace_time = -1;
	o->key_regeneration_time = -1;

	/* Login policy */
	o->permit_root_login = PERMIT_NOT_SET;
	o->ignore_rhosts = -1;
	o->ignore_user_known_hosts = -1;
	o->print_motd = -1;
	o->print_lastlog = -1;

	/* X11 */
	o->x11_forwarding = -1;
	o->x11_display_offset = -1;
	o->x11_use_localhost = -1;
	o->xauth_location = NULL;

	/* Misc daemon behaviour and logging */
	o->strict_modes = -1;
	o->tcp_keep_alive = -1;
	o->log_facility = SYSLOG_FACILITY_NOT_SET;
	o->log_level = SYSLOG_LEVEL_NOT_SET;

	/* Authentication methods */
	o->rhosts_rsa_authentication = -1;
	o->hostbased_authentication = -1;
	o->hostbased_uses_name_from_packet_only = -1;
	o->rsa_authentication = -1;
	o->pubkey_authentication = -1;
	o->kerberos_authentication = -1;
	o->kerberos_or_local_passwd = -1;
	o->kerberos_ticket_cleanup = -1;
	o->kerberos_get_afs_token = -1;
	o->gss_authentication = -1;
	o->gss_cleanup_creds = -1;
	o->password_authentication = -1;
	o->kbd_interactive_authentication = -1;
	o->challenge_response_authentication = -1;
	o->permit_empty_passwd = -1;
	o->permit_user_env = -1;
	o->use_login = -1;

	/* Session features and access lists */
	o->compression = -1;
	o->allow_tcp_forwarding = -1;
	o->num_allow_users = 0;
	o->num_deny_users = 0;
	o->num_allow_groups = 0;
	o->num_deny_groups = 0;
	o->ciphers = NULL;
	o->macs = NULL;
	o->protocol = SSH_PROTO_UNKNOWN;
	o->gateway_ports = -1;
	o->num_subsystems = 0;
	o->max_startups_begin = -1;
	o->max_startups_rate = -1;
	o->max_startups = -1;
	o->max_authtries = -1;
	o->banner = NULL;
	o->use_dns = -1;
	o->client_alive_interval = -1;
	o->client_alive_count_max = -1;
	o->authorized_keys_file = NULL;
	o->authorized_keys_file2 = NULL;
	o->num_accept_env = 0;

	/* Needs to be accessable in many places, hence a global. */
	use_privsep = -1;
}
108
/*
 * Store value into an integer option that still holds the "unset"
 * sentinel (-1) left by initialize_server_options().
 */
static void
fill_int_default(int *field, int value)
{
	if (*field == -1)
		*field = value;
}

/*
 * Store value into a string option that is still NULL.  The pointer is
 * stored as-is (not copied), so value must outlive the ServerOptions.
 */
static void
fill_str_default(char **field, char *value)
{
	if (*field == NULL)
		*field = value;
}

/*
 * Replaces every option the configuration left unset with its built-in
 * default.  Must run after the configuration file has been parsed, since
 * the parser only writes fields that are still unset; nothing here
 * overrides an explicitly configured value.
 *
 * options: structure previously prepared by initialize_server_options()
 *          and (optionally) filled by process_server_config_line().
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	fill_int_default(&options->use_pam, 0);

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	fill_str_default(&options->pid_file, _PATH_SSH_DAEMON_PID_FILE);
	fill_int_default(&options->server_key_bits, 768);
	fill_int_default(&options->login_grace_time, 120);
	fill_int_default(&options->key_regeneration_time, 3600);
	/* PermitRootLogin is an enum with its own sentinel; default is "yes". */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	fill_int_default(&options->ignore_rhosts, 1);
	fill_int_default(&options->ignore_user_known_hosts, 0);
	fill_int_default(&options->print_motd, 1);
	fill_int_default(&options->print_lastlog, 1);
	fill_int_default(&options->x11_forwarding, 0);
	fill_int_default(&options->x11_display_offset, 10);
	fill_int_default(&options->x11_use_localhost, 1);
	fill_str_default(&options->xauth_location, _PATH_XAUTH);
	fill_int_default(&options->strict_modes, 1);
	fill_int_default(&options->tcp_keep_alive, 1);
	/* Logging fields are enums, not ints, so they keep explicit checks. */
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	fill_int_default(&options->rhosts_rsa_authentication, 0);
	fill_int_default(&options->hostbased_authentication, 0);
	fill_int_default(&options->hostbased_uses_name_from_packet_only, 0);
	fill_int_default(&options->rsa_authentication, 1);
	fill_int_default(&options->pubkey_authentication, 1);
	fill_int_default(&options->kerberos_authentication, 0);
	fill_int_default(&options->kerberos_or_local_passwd, 1);
	fill_int_default(&options->kerberos_ticket_cleanup, 1);
	fill_int_default(&options->kerberos_get_afs_token, 0);
	fill_int_default(&options->gss_authentication, 0);
	fill_int_default(&options->gss_cleanup_creds, 1);
	fill_int_default(&options->password_authentication, 1);
	fill_int_default(&options->kbd_interactive_authentication, 0);
	fill_int_default(&options->challenge_response_authentication, 1);
	fill_int_default(&options->permit_empty_passwd, 0);
	fill_int_default(&options->permit_user_env, 0);
	fill_int_default(&options->use_login, 0);
	fill_int_default(&options->compression, 1);
	fill_int_default(&options->allow_tcp_forwarding, 1);
	fill_int_default(&options->gateway_ports, 0);
	/* max_startups must be resolved before max_startups_begin copies it. */
	fill_int_default(&options->max_startups, 10);
	fill_int_default(&options->max_startups_rate, 100); /* 100% */
	fill_int_default(&options->max_startups_begin, options->max_startups);
	fill_int_default(&options->max_authtries, DEFAULT_AUTH_FAIL_MAX);
	fill_int_default(&options->use_dns, 1);
	fill_int_default(&options->client_alive_interval, 0);
	fill_int_default(&options->client_alive_count_max, 3);
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	fill_str_default(&options->authorized_keys_file, _PATH_SSH_USER_PERMITTED_KEYS);

	/* Turn privilege separation on by default */
	fill_int_default(&use_privsep, 1);

#ifndef HAVE_MMAP
	/* Without mmap() the privsep monitor cannot share compression state. */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
247
/*
 * Keyword tokens.
 *
 * One opcode per sshd_config keyword; parse_token() maps a keyword's text
 * to its opcode via the keywords[] table and process_server_config_line()
 * switches on it.  Order defines the enumerator values, so keep sBadOption
 * first and append new options before sDeprecated/sUnsupported.
 */
typedef enum {
	sBadOption,	/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort,
	sHostKeyFile,
	sServerKeyBits,
	sLoginGraceTime,
	sKeyRegenerationTime,
	sPermitRootLogin,
	sLogFacility,
	sLogLevel,
	sRhostsRSAAuthentication,
	sRSAAuthentication,
	sKerberosAuthentication,
	sKerberosOrLocalPasswd,
	sKerberosTicketCleanup,
	sKerberosGetAFSToken,
	sKerberosTgtPassing,
	sChallengeResponseAuthentication,
	sPasswordAuthentication,
	sKbdInteractiveAuthentication,
	sListenAddress,
	sAddressFamily,
	sPrintMotd,
	sPrintLastLog,
	sIgnoreRhosts,
	sX11Forwarding,
	sX11DisplayOffset,
	sX11UseLocalhost,
	sStrictModes,
	sEmptyPasswd,
	sTCPKeepAlive,
	sPermitUserEnvironment,
	sUseLogin,
	sAllowTcpForwarding,
	sCompression,
	sAllowUsers,
	sDenyUsers,
	sAllowGroups,
	sDenyGroups,
	sIgnoreUserKnownHosts,
	sCiphers,
	sMacs,
	sProtocol,
	sPidFile,
	sGatewayPorts,
	sPubkeyAuthentication,
	sXAuthLocation,
	sSubsystem,
	sMaxStartups,
	sMaxAuthTries,
	sBanner,
	sUseDNS,
	sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly,
	sClientAliveInterval,
	sClientAliveCountMax,
	sAuthorizedKeysFile,
	sAuthorizedKeysFile2,
	sGssAuthentication,
	sGssCleanupCreds,
	sAcceptEnv,
	sUsePrivilegeSeparation,
	/* Keywords that are recognised but no longer (or not here) honoured. */
	sDeprecated,
	sUnsupported
} ServerOpCodes;
277
/*
 * Textual representation of the tokens.
 *
 * Keyword names are stored in lower case; parse_token() compares them
 * case-insensitively and takes the first match, scanning until the
 * NULL-named terminator.  Keywords whose feature was not compiled in map
 * to sUnsupported, retired keywords map to sDeprecated; both are still
 * recognised so that an old configuration file does not become a parse
 * error but is logged instead.
 */
#define KEYWORD(text, op)	{ text, op }

static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	KEYWORD("usepam", sUsePAM),
#else
	KEYWORD("usepam", sUnsupported),
#endif
	KEYWORD("pamauthenticationviakbdint", sDeprecated),
	/* Standard Options */
	KEYWORD("port", sPort),
	KEYWORD("hostkey", sHostKeyFile),
	KEYWORD("hostdsakey", sHostKeyFile),	/* alias */
	KEYWORD("pidfile", sPidFile),
	KEYWORD("serverkeybits", sServerKeyBits),
	KEYWORD("logingracetime", sLoginGraceTime),
	KEYWORD("keyregenerationinterval", sKeyRegenerationTime),
	KEYWORD("permitrootlogin", sPermitRootLogin),
	KEYWORD("syslogfacility", sLogFacility),
	KEYWORD("loglevel", sLogLevel),
	KEYWORD("rhostsauthentication", sDeprecated),
	KEYWORD("rhostsrsaauthentication", sRhostsRSAAuthentication),
	KEYWORD("hostbasedauthentication", sHostbasedAuthentication),
	KEYWORD("hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly),
	KEYWORD("rsaauthentication", sRSAAuthentication),
	KEYWORD("pubkeyauthentication", sPubkeyAuthentication),
	KEYWORD("dsaauthentication", sPubkeyAuthentication),	/* alias */
#ifdef KRB5
	KEYWORD("kerberosauthentication", sKerberosAuthentication),
	KEYWORD("kerberosorlocalpasswd", sKerberosOrLocalPasswd),
	KEYWORD("kerberosticketcleanup", sKerberosTicketCleanup),
#ifdef USE_AFS
	KEYWORD("kerberosgetafstoken", sKerberosGetAFSToken),
#else
	KEYWORD("kerberosgetafstoken", sUnsupported),
#endif
#else
	KEYWORD("kerberosauthentication", sUnsupported),
	KEYWORD("kerberosorlocalpasswd", sUnsupported),
	KEYWORD("kerberosticketcleanup", sUnsupported),
	KEYWORD("kerberosgetafstoken", sUnsupported),
#endif
	KEYWORD("kerberostgtpassing", sUnsupported),
	KEYWORD("afstokenpassing", sUnsupported),
#ifdef GSSAPI
	KEYWORD("gssapiauthentication", sGssAuthentication),
	KEYWORD("gssapicleanupcredentials", sGssCleanupCreds),
#else
	KEYWORD("gssapiauthentication", sUnsupported),
	KEYWORD("gssapicleanupcredentials", sUnsupported),
#endif
	KEYWORD("passwordauthentication", sPasswordAuthentication),
	KEYWORD("kbdinteractiveauthentication", sKbdInteractiveAuthentication),
	KEYWORD("challengeresponseauthentication", sChallengeResponseAuthentication),
	KEYWORD("skeyauthentication", sChallengeResponseAuthentication),	/* alias */
	KEYWORD("checkmail", sDeprecated),
	KEYWORD("listenaddress", sListenAddress),
	KEYWORD("addressfamily", sAddressFamily),
	KEYWORD("printmotd", sPrintMotd),
	KEYWORD("printlastlog", sPrintLastLog),
	KEYWORD("ignorerhosts", sIgnoreRhosts),
	KEYWORD("ignoreuserknownhosts", sIgnoreUserKnownHosts),
	KEYWORD("x11forwarding", sX11Forwarding),
	KEYWORD("x11displayoffset", sX11DisplayOffset),
	KEYWORD("x11uselocalhost", sX11UseLocalhost),
	KEYWORD("xauthlocation", sXAuthLocation),
	KEYWORD("strictmodes", sStrictModes),
	KEYWORD("permitemptypasswords", sEmptyPasswd),
	KEYWORD("permituserenvironment", sPermitUserEnvironment),
	KEYWORD("uselogin", sUseLogin),
	KEYWORD("compression", sCompression),
	KEYWORD("tcpkeepalive", sTCPKeepAlive),
	KEYWORD("keepalive", sTCPKeepAlive),	/* obsolete alias */
	KEYWORD("allowtcpforwarding", sAllowTcpForwarding),
	KEYWORD("allowusers", sAllowUsers),
	KEYWORD("denyusers", sDenyUsers),
	KEYWORD("allowgroups", sAllowGroups),
	KEYWORD("denygroups", sDenyGroups),
	KEYWORD("ciphers", sCiphers),
	KEYWORD("macs", sMacs),
	KEYWORD("protocol", sProtocol),
	KEYWORD("gatewayports", sGatewayPorts),
	KEYWORD("subsystem", sSubsystem),
	KEYWORD("maxstartups", sMaxStartups),
	KEYWORD("maxauthtries", sMaxAuthTries),
	KEYWORD("banner", sBanner),
	KEYWORD("usedns", sUseDNS),
	KEYWORD("verifyreversemapping", sDeprecated),
	KEYWORD("reversemappingcheck", sDeprecated),
	KEYWORD("clientaliveinterval", sClientAliveInterval),
	KEYWORD("clientalivecountmax", sClientAliveCountMax),
	KEYWORD("authorizedkeysfile", sAuthorizedKeysFile),
	KEYWORD("authorizedkeysfile2", sAuthorizedKeysFile2),
	KEYWORD("useprivilegeseparation", sUsePrivilegeSeparation),
	KEYWORD("acceptenv", sAcceptEnv),
	/* terminator: parse_token() stops at the NULL name */
	KEYWORD(NULL, sBadOption)
};

#undef KEYWORD
378
/*
 * Returns the number of the token pointed to by cp or sBadOption.
 *
 * The keywords table is scanned linearly and case-insensitively; the first
 * entry whose name matches wins.  An unknown keyword is reported together
 * with the configuration file name and line number, and sBadOption is
 * returned so the caller can reject the line.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
397
/*
 * Add a ListenAddress.  With port == 0 the address is registered once for
 * every port configured so far (the default port is installed if none was
 * given); otherwise it is registered for that single port.  An unset
 * AddressFamily is resolved to AF_UNSPEC before any lookup happens.
 *
 * options: server options being filled; addr: host/address string or NULL
 * for the wildcard address; port: explicit port, or 0 for "all ports".
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->address_family == -1)
		options->address_family = AF_UNSPEC;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
413
/*
 * Resolve one address/port pair with getaddrinfo() and prepend the
 * resulting addrinfo list to options->listen_addrs.  addr == NULL selects
 * the wildcard address via AI_PASSIVE.  The lookup is restricted to the
 * configured address family and to stream sockets.  A failed lookup is
 * fatal: the daemon does not start with an unresolvable ListenAddress.
 *
 * Ownership: the addrinfo list is linked into options->listen_addrs and
 * must eventually be released with freeaddrinfo() by whoever tears the
 * options down.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *last;
	char portstr[NI_MAXSERV];
	int err;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = options->address_family;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = 0;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	snprintf(portstr, sizeof portstr, "%u", port);

	err = getaddrinfo(addr, portstr, &hints, &res);
	if (err != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(err));

	/* Walk to the tail of the new list, then chain the old list behind it. */
	last = res;
	while (last->ai_next != NULL)
		last = last->ai_next;
	last->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
435
2717fa0f 436int
437process_server_config_line(ServerOptions *options, char *line,
438 const char *filename, int linenum)
8efc0c15 439{
d11c1288 440 char *cp, **charptr, *arg, *p;
7528d467 441 int *intptr, value, i, n;
5260325f 442 ServerOpCodes opcode;
443
2717fa0f 444 cp = line;
445 arg = strdelim(&cp);
446 /* Ignore leading whitespace */
447 if (*arg == '\0')
704b1659 448 arg = strdelim(&cp);
2717fa0f 449 if (!arg || !*arg || *arg == '#')
450 return 0;
451 intptr = NULL;
452 charptr = NULL;
453 opcode = parse_token(arg, filename, linenum);
454 switch (opcode) {
455 /* Portable-specific options */
7fceb20d 456 case sUsePAM:
457 intptr = &options->use_pam;
2717fa0f 458 goto parse_flag;
48e671d5 459
2717fa0f 460 /* Standard Options */
461 case sBadOption:
462 return -1;
463 case sPort:
464 /* ignore ports from configfile if cmdline specifies ports */
465 if (options->ports_from_cmdline)
466 return 0;
467 if (options->listen_addrs != NULL)
468 fatal("%s line %d: ports must be specified before "
3a454b6a 469 "ListenAddress.", filename, linenum);
2717fa0f 470 if (options->num_ports >= MAX_PORTS)
471 fatal("%s line %d: too many ports.",
472 filename, linenum);
473 arg = strdelim(&cp);
474 if (!arg || *arg == '\0')
475 fatal("%s line %d: missing port number.",
476 filename, linenum);
477 options->ports[options->num_ports++] = a2port(arg);
478 if (options->ports[options->num_ports-1] == 0)
479 fatal("%s line %d: Badly formatted port number.",
480 filename, linenum);
481 break;
482
483 case sServerKeyBits:
484 intptr = &options->server_key_bits;
5260325f 485parse_int:
2717fa0f 486 arg = strdelim(&cp);
487 if (!arg || *arg == '\0')
488 fatal("%s line %d: missing integer value.",
489 filename, linenum);
490 value = atoi(arg);
491 if (*intptr == -1)
492 *intptr = value;
493 break;
494
495 case sLoginGraceTime:
496 intptr = &options->login_grace_time;
e2b1fb42 497parse_time:
2717fa0f 498 arg = strdelim(&cp);
499 if (!arg || *arg == '\0')
500 fatal("%s line %d: missing time value.",
501 filename, linenum);
502 if ((value = convtime(arg)) == -1)
503 fatal("%s line %d: invalid time value.",
504 filename, linenum);
505 if (*intptr == -1)
506 *intptr = value;
507 break;
508
509 case sKeyRegenerationTime:
510 intptr = &options->key_regeneration_time;
511 goto parse_time;
512
513 case sListenAddress:
514 arg = strdelim(&cp);
515 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
516 fatal("%s line %d: missing inet addr.",
517 filename, linenum);
518 if (*arg == '[') {
519 if ((p = strchr(arg, ']')) == NULL)
520 fatal("%s line %d: bad ipv6 inet addr usage.",
e2b1fb42 521 filename, linenum);
2717fa0f 522 arg++;
523 memmove(p, p+1, strlen(p+1)+1);
524 } else if (((p = strchr(arg, ':')) == NULL) ||
525 (strchr(p+1, ':') != NULL)) {
526 add_listen_addr(options, arg, 0);
e2b1fb42 527 break;
2717fa0f 528 }
529 if (*p == ':') {
530 u_short port;
5260325f 531
2717fa0f 532 p++;
533 if (*p == '\0')
534 fatal("%s line %d: bad inet addr:port usage.",
48e671d5 535 filename, linenum);
2717fa0f 536 else {
537 *(p-1) = '\0';
538 if ((port = a2port(p)) == 0)
539 fatal("%s line %d: bad port number.",
d11c1288 540 filename, linenum);
2717fa0f 541 add_listen_addr(options, arg, port);
d11c1288 542 }
2717fa0f 543 } else if (*p == '\0')
544 add_listen_addr(options, arg, 0);
545 else
546 fatal("%s line %d: bad inet addr usage.",
547 filename, linenum);
548 break;
549
31b41ceb 550 case sAddressFamily:
551 arg = strdelim(&cp);
552 intptr = &options->address_family;
553 if (options->listen_addrs != NULL)
554 fatal("%s line %d: address family must be specified before "
555 "ListenAddress.", filename, linenum);
556 if (strcasecmp(arg, "inet") == 0)
557 value = AF_INET;
558 else if (strcasecmp(arg, "inet6") == 0)
559 value = AF_INET6;
560 else if (strcasecmp(arg, "any") == 0)
561 value = AF_UNSPEC;
562 else
563 fatal("%s line %d: unsupported address family \"%s\".",
564 filename, linenum, arg);
565 if (*intptr == -1)
566 *intptr = value;
567 break;
568
2717fa0f 569 case sHostKeyFile:
570 intptr = &options->num_host_key_files;
571 if (*intptr >= MAX_HOSTKEYS)
572 fatal("%s line %d: too many host keys specified (max %d).",
573 filename, linenum, MAX_HOSTKEYS);
574 charptr = &options->host_key_files[*intptr];
fa649821 575parse_filename:
2717fa0f 576 arg = strdelim(&cp);
577 if (!arg || *arg == '\0')
578 fatal("%s line %d: missing file name.",
579 filename, linenum);
580 if (*charptr == NULL) {
581 *charptr = tilde_expand_filename(arg, getuid());
582 /* increase optional counter */
583 if (intptr != NULL)
584 *intptr = *intptr + 1;
585 }
586 break;
0fbe8c74 587
2717fa0f 588 case sPidFile:
589 charptr = &options->pid_file;
590 goto parse_filename;
5260325f 591
2717fa0f 592 case sPermitRootLogin:
593 intptr = &options->permit_root_login;
594 arg = strdelim(&cp);
595 if (!arg || *arg == '\0')
596 fatal("%s line %d: missing yes/"
597 "without-password/forced-commands-only/no "
598 "argument.", filename, linenum);
599 value = 0; /* silence compiler */
600 if (strcmp(arg, "without-password") == 0)
601 value = PERMIT_NO_PASSWD;
602 else if (strcmp(arg, "forced-commands-only") == 0)
603 value = PERMIT_FORCED_ONLY;
604 else if (strcmp(arg, "yes") == 0)
605 value = PERMIT_YES;
606 else if (strcmp(arg, "no") == 0)
607 value = PERMIT_NO;
608 else
609 fatal("%s line %d: Bad yes/"
610 "without-password/forced-commands-only/no "
611 "argument: %s", filename, linenum, arg);
612 if (*intptr == -1)
613 *intptr = value;
614 break;
615
616 case sIgnoreRhosts:
617 intptr = &options->ignore_rhosts;
5260325f 618parse_flag:
2717fa0f 619 arg = strdelim(&cp);
620 if (!arg || *arg == '\0')
621 fatal("%s line %d: missing yes/no argument.",
622 filename, linenum);
623 value = 0; /* silence compiler */
624 if (strcmp(arg, "yes") == 0)
625 value = 1;
626 else if (strcmp(arg, "no") == 0)
627 value = 0;
628 else
629 fatal("%s line %d: Bad yes/no argument: %s",
630 filename, linenum, arg);
631 if (*intptr == -1)
632 *intptr = value;
633 break;
634
635 case sIgnoreUserKnownHosts:
636 intptr = &options->ignore_user_known_hosts;
637 goto parse_flag;
638
2717fa0f 639 case sRhostsRSAAuthentication:
640 intptr = &options->rhosts_rsa_authentication;
641 goto parse_flag;
642
643 case sHostbasedAuthentication:
644 intptr = &options->hostbased_authentication;
645 goto parse_flag;
646
647 case sHostbasedUsesNameFromPacketOnly:
648 intptr = &options->hostbased_uses_name_from_packet_only;
649 goto parse_flag;
650
651 case sRSAAuthentication:
652 intptr = &options->rsa_authentication;
653 goto parse_flag;
654
655 case sPubkeyAuthentication:
656 intptr = &options->pubkey_authentication;
657 goto parse_flag;
d0ec7f42 658
2717fa0f 659 case sKerberosAuthentication:
660 intptr = &options->kerberos_authentication;
661 goto parse_flag;
5260325f 662
2717fa0f 663 case sKerberosOrLocalPasswd:
664 intptr = &options->kerberos_or_local_passwd;
665 goto parse_flag;
5260325f 666
2717fa0f 667 case sKerberosTicketCleanup:
668 intptr = &options->kerberos_ticket_cleanup;
669 goto parse_flag;
d0ec7f42 670
a1e30b47 671 case sKerberosGetAFSToken:
672 intptr = &options->kerberos_get_afs_token;
673 goto parse_flag;
674
7364bd04 675 case sGssAuthentication:
676 intptr = &options->gss_authentication;
677 goto parse_flag;
678
679 case sGssCleanupCreds:
680 intptr = &options->gss_cleanup_creds;
681 goto parse_flag;
682
2717fa0f 683 case sPasswordAuthentication:
684 intptr = &options->password_authentication;
685 goto parse_flag;
5260325f 686
2717fa0f 687 case sKbdInteractiveAuthentication:
688 intptr = &options->kbd_interactive_authentication;
689 goto parse_flag;
8002af61 690
2717fa0f 691 case sChallengeResponseAuthentication:
692 intptr = &options->challenge_response_authentication;
693 goto parse_flag;
8002af61 694
2717fa0f 695 case sPrintMotd:
696 intptr = &options->print_motd;
697 goto parse_flag;
5260325f 698
2717fa0f 699 case sPrintLastLog:
700 intptr = &options->print_lastlog;
701 goto parse_flag;
5260325f 702
2717fa0f 703 case sX11Forwarding:
704 intptr = &options->x11_forwarding;
705 goto parse_flag;
5260325f 706
2717fa0f 707 case sX11DisplayOffset:
708 intptr = &options->x11_display_offset;
709 goto parse_int;
8efc0c15 710
e6e573bd 711 case sX11UseLocalhost:
712 intptr = &options->x11_use_localhost;
713 goto parse_flag;
714
2717fa0f 715 case sXAuthLocation:
716 charptr = &options->xauth_location;
717 goto parse_filename;
5260325f 718
2717fa0f 719 case sStrictModes:
720 intptr = &options->strict_modes;
721 goto parse_flag;
5260325f 722
fd573618 723 case sTCPKeepAlive:
724 intptr = &options->tcp_keep_alive;
2717fa0f 725 goto parse_flag;
33de75a3 726
2717fa0f 727 case sEmptyPasswd:
728 intptr = &options->permit_empty_passwd;
729 goto parse_flag;
5260325f 730
f00bab84 731 case sPermitUserEnvironment:
732 intptr = &options->permit_user_env;
733 goto parse_flag;
734
2717fa0f 735 case sUseLogin:
736 intptr = &options->use_login;
737 goto parse_flag;
5260325f 738
636f76ca 739 case sCompression:
740 intptr = &options->compression;
741 goto parse_flag;
742
2717fa0f 743 case sGatewayPorts:
744 intptr = &options->gateway_ports;
745 goto parse_flag;
5260325f 746
c5a7d788 747 case sUseDNS:
748 intptr = &options->use_dns;
2717fa0f 749 goto parse_flag;
5260325f 750
2717fa0f 751 case sLogFacility:
752 intptr = (int *) &options->log_facility;
753 arg = strdelim(&cp);
754 value = log_facility_number(arg);
5eaf8578 755 if (value == SYSLOG_FACILITY_NOT_SET)
2717fa0f 756 fatal("%.200s line %d: unsupported log facility '%s'",
757 filename, linenum, arg ? arg : "<NONE>");
758 if (*intptr == -1)
759 *intptr = (SyslogFacility) value;
760 break;
761
762 case sLogLevel:
763 intptr = (int *) &options->log_level;
764 arg = strdelim(&cp);
765 value = log_level_number(arg);
5eaf8578 766 if (value == SYSLOG_LEVEL_NOT_SET)
2717fa0f 767 fatal("%.200s line %d: unsupported log level '%s'",
768 filename, linenum, arg ? arg : "<NONE>");
769 if (*intptr == -1)
770 *intptr = (LogLevel) value;
771 break;
772
773 case sAllowTcpForwarding:
774 intptr = &options->allow_tcp_forwarding;
775 goto parse_flag;
776
1853d1ef 777 case sUsePrivilegeSeparation:
778 intptr = &use_privsep;
779 goto parse_flag;
780
2717fa0f 781 case sAllowUsers:
782 while ((arg = strdelim(&cp)) && *arg != '\0') {
783 if (options->num_allow_users >= MAX_ALLOW_USERS)
784 fatal("%s line %d: too many allow users.",
785 filename, linenum);
7528d467 786 options->allow_users[options->num_allow_users++] =
787 xstrdup(arg);
2717fa0f 788 }
789 break;
a8be9f80 790
2717fa0f 791 case sDenyUsers:
792 while ((arg = strdelim(&cp)) && *arg != '\0') {
793 if (options->num_deny_users >= MAX_DENY_USERS)
794 fatal( "%s line %d: too many deny users.",
795 filename, linenum);
7528d467 796 options->deny_users[options->num_deny_users++] =
797 xstrdup(arg);
2717fa0f 798 }
799 break;
b2552997 800
2717fa0f 801 case sAllowGroups:
802 while ((arg = strdelim(&cp)) && *arg != '\0') {
803 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
804 fatal("%s line %d: too many allow groups.",
805 filename, linenum);
7528d467 806 options->allow_groups[options->num_allow_groups++] =
807 xstrdup(arg);
2717fa0f 808 }
809 break;
a8be9f80 810
2717fa0f 811 case sDenyGroups:
812 while ((arg = strdelim(&cp)) && *arg != '\0') {
813 if (options->num_deny_groups >= MAX_DENY_GROUPS)
814 fatal("%s line %d: too many deny groups.",
815 filename, linenum);
816 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
817 }
818 break;
38c295d6 819
2717fa0f 820 case sCiphers:
821 arg = strdelim(&cp);
822 if (!arg || *arg == '\0')
823 fatal("%s line %d: Missing argument.", filename, linenum);
824 if (!ciphers_valid(arg))
825 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
826 filename, linenum, arg ? arg : "<NONE>");
827 if (options->ciphers == NULL)
828 options->ciphers = xstrdup(arg);
829 break;
830
831 case sMacs:
832 arg = strdelim(&cp);
833 if (!arg || *arg == '\0')
834 fatal("%s line %d: Missing argument.", filename, linenum);
835 if (!mac_valid(arg))
836 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
837 filename, linenum, arg ? arg : "<NONE>");
838 if (options->macs == NULL)
839 options->macs = xstrdup(arg);
840 break;
841
842 case sProtocol:
843 intptr = &options->protocol;
844 arg = strdelim(&cp);
845 if (!arg || *arg == '\0')
846 fatal("%s line %d: Missing argument.", filename, linenum);
847 value = proto_spec(arg);
848 if (value == SSH_PROTO_UNKNOWN)
849 fatal("%s line %d: Bad protocol spec '%s'.",
184eed6a 850 filename, linenum, arg ? arg : "<NONE>");
2717fa0f 851 if (*intptr == SSH_PROTO_UNKNOWN)
852 *intptr = value;
853 break;
854
855 case sSubsystem:
856 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
857 fatal("%s line %d: too many subsystems defined.",
184eed6a 858 filename, linenum);
2717fa0f 859 }
860 arg = strdelim(&cp);
861 if (!arg || *arg == '\0')
862 fatal("%s line %d: Missing subsystem name.",
184eed6a 863 filename, linenum);
2717fa0f 864 for (i = 0; i < options->num_subsystems; i++)
865 if (strcmp(arg, options->subsystem_name[i]) == 0)
866 fatal("%s line %d: Subsystem '%s' already defined.",
184eed6a 867 filename, linenum, arg);
2717fa0f 868 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
869 arg = strdelim(&cp);
870 if (!arg || *arg == '\0')
871 fatal("%s line %d: Missing subsystem command.",
184eed6a 872 filename, linenum);
2717fa0f 873 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
874 options->num_subsystems++;
875 break;
876
877 case sMaxStartups:
878 arg = strdelim(&cp);
879 if (!arg || *arg == '\0')
880 fatal("%s line %d: Missing MaxStartups spec.",
184eed6a 881 filename, linenum);
2717fa0f 882 if ((n = sscanf(arg, "%d:%d:%d",
883 &options->max_startups_begin,
884 &options->max_startups_rate,
885 &options->max_startups)) == 3) {
886 if (options->max_startups_begin >
887 options->max_startups ||
888 options->max_startups_rate > 100 ||
889 options->max_startups_rate < 1)
c345cf9d 890 fatal("%s line %d: Illegal MaxStartups spec.",
97de229c 891 filename, linenum);
2717fa0f 892 } else if (n != 1)
893 fatal("%s line %d: Illegal MaxStartups spec.",
894 filename, linenum);
895 else
896 options->max_startups = options->max_startups_begin;
897 break;
898
af4bd935 899 case sMaxAuthTries:
900 intptr = &options->max_authtries;
901 goto parse_int;
902
2717fa0f 903 case sBanner:
904 charptr = &options->banner;
905 goto parse_filename;
906 /*
907 * These options can contain %X options expanded at
908 * connect time, so that you can specify paths like:
909 *
910 * AuthorizedKeysFile /etc/ssh_keys/%u
911 */
912 case sAuthorizedKeysFile:
913 case sAuthorizedKeysFile2:
914 charptr = (opcode == sAuthorizedKeysFile ) ?
915 &options->authorized_keys_file :
916 &options->authorized_keys_file2;
917 goto parse_filename;
918
919 case sClientAliveInterval:
920 intptr = &options->client_alive_interval;
921 goto parse_time;
922
923 case sClientAliveCountMax:
924 intptr = &options->client_alive_count_max;
925 goto parse_int;
926
61a2c1da 927 case sAcceptEnv:
928 while ((arg = strdelim(&cp)) && *arg != '\0') {
929 if (strchr(arg, '=') != NULL)
930 fatal("%s line %d: Invalid environment name.",
931 filename, linenum);
932 if (options->num_accept_env >= MAX_ACCEPT_ENV)
933 fatal("%s line %d: too many allow env.",
934 filename, linenum);
935 options->accept_env[options->num_accept_env++] =
936 xstrdup(arg);
937 }
938 break;
939
2717fa0f 940 case sDeprecated:
bbe88b6d 941 logit("%s line %d: Deprecated option %s",
2717fa0f 942 filename, linenum, arg);
943 while (arg)
944 arg = strdelim(&cp);
945 break;
946
a2144546 947 case sUnsupported:
948 logit("%s line %d: Unsupported option %s",
949 filename, linenum, arg);
950 while (arg)
951 arg = strdelim(&cp);
952 break;
953
2717fa0f 954 default:
955 fatal("%s line %d: Missing handler for opcode %s (%d)",
956 filename, linenum, arg, opcode);
957 }
958 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
959 fatal("%s line %d: garbage at end of line; \"%.200s\".",
960 filename, linenum, arg);
961 return 0;
962}
089fbbd2 963
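/*
 * Reads the server configuration file.
 *
 * Copies the contents of `filename' into `conf' with '#' comments removed
 * and leading whitespace stripped, ready for parse_server_config() to split
 * on newlines.  Every newline of the input is preserved (a comment is
 * replaced by its line's newline) so that the line numbers reported by
 * process_server_config_line() match the file.  The buffer is
 * NUL-terminated on return.
 *
 * Exits the process (after perror()) if the file cannot be opened; there is
 * no error return.
 */
void
load_server_config(const char *filename, Buffer *conf)
{
	char line[1024], *cp;
	FILE *f;
	int continued = 0;	/* previous fgets() chunk was not a whole line */
	int in_comment = 0;	/* ... and that line had already hit a '#' */

	debug2("%s: filename %s", __func__, filename);
	if ((f = fopen(filename, "r")) == NULL) {
		perror(filename);
		exit(1);
	}
	buffer_clear(conf);
	while (fgets(line, sizeof(line), f)) {
		size_t len = strlen(line);
		/*
		 * A chunk with no trailing newline is either the last line of
		 * the file or the first part of a line longer than the buffer;
		 * the remaining chunks of such a line must not be treated as
		 * fresh lines.
		 */
		int complete = (len > 0 && line[len - 1] == '\n');

		if (continued && in_comment) {
			/*
			 * Tail of a comment longer than the buffer.  The newline
			 * standing in for the comment was already appended when
			 * the '#' was seen; dropping the rest keeps comment text
			 * from ever reaching the parser as a directive.
			 */
			continued = in_comment = !complete;
			continue;
		}
		/*
		 * Trim out comments and strip whitespace
		 * NB - preserve newlines, they are needed to reproduce
		 * line numbers later for error messages
		 */
		if ((cp = strchr(line, '#')) != NULL) {
			memcpy(cp, "\n", 2);
			in_comment = !complete;
		}
		/*
		 * Leading whitespace is only stripped at the real start of a
		 * line.  At an fgets() split point it is part of the line and
		 * removing it could fuse two words.
		 */
		cp = continued ? line : line + strspn(line, " \t\r");
		buffer_append(conf, cp, strlen(cp));
		continued = !complete;
	}
	buffer_append(conf, "\0", 1);
	fclose(f);
	debug2("%s: done config len = %d", __func__, buffer_len(conf));
}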
994
/*
 * Parses the configuration text previously loaded into `conf' into
 * `options'.
 *
 * Each newline-separated line is handed to process_server_config_line()
 * together with its 1-based line number so that errors can point back
 * into `filename'.  Bad lines are counted rather than aborting on the
 * first one; once the whole buffer has been seen, any bad line is fatal.
 */
void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
{
	char *copy, *rest, *line;
	int lineno = 1, nbad = 0;

	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));

	/* strsep() writes into its argument, so work on a private copy. */
	copy = rest = xstrdup(buffer_ptr(conf));
	for (line = strsep(&rest, "\n"); line != NULL;
	    line = strsep(&rest, "\n")) {
		if (process_server_config_line(options, line, filename,
		    lineno) != 0)
			nbad++;
		lineno++;
	}
	xfree(copy);
	if (nbad > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, nbad);
}