8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
0608f8a7 13RCSID("$OpenBSD: servconf.c,v 1.118 2003/04/09 08:23:52 hin Exp $");
42f11eb2 14
12928e80 15#if defined(KRB4)
42f11eb2 16#include <krb.h>
17#endif
0608f8a7 18
12928e80 19#if defined(KRB5)
0608f8a7 20# ifdef HEIMDAL
21# include <krb.h>
22# else
23/*
24 * XXX: Bodge - but then, so is using the kerberos IV KEYFILE to get a
25 * Kerberos V keytab
26 */
27# define KEYFILE "/etc/krb5.keytab"
28# endif
12928e80 29#endif
0608f8a7 30
83f46621 31#ifdef AFS
32#include <kafs.h>
33#endif
8efc0c15 34
35#include "ssh.h"
42f11eb2 36#include "log.h"
8efc0c15 37#include "servconf.h"
38#include "xmalloc.h"
a8be9f80 39#include "compat.h"
42f11eb2 40#include "pathnames.h"
41#include "tildexpand.h"
42#include "misc.h"
43#include "cipher.h"
b2552997 44#include "kex.h"
45#include "mac.h"
42f11eb2 46
/*
 * Listen-address helpers (defined below).  add_listen_addr() expands a
 * port of 0 to every configured port and delegates each (addr, port) pair
 * to add_one_listen_addr(), which resolves it and links it into
 * options->listen_addrs.
 */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6 */
extern int IPv4or6;
/* Use of privilege separation or not; reset by initialize_server_options() */
extern int use_privsep;
42f11eb2 54
8efc0c15 55/* Initializes the server options to their default values. */
56
/*
 * Resets every field of *options to its "not set" sentinel so that
 * process_server_config_line() and fill_default_server_options() can tell
 * whether a value was supplied explicitly: integer flags use -1, pointers
 * and counters use NULL/0, and the enum-valued fields use their *_NOT_SET
 * constant.  The global use_privsep is reset here as well.
 */
void
initialize_server_options(ServerOptions *options)
{
	/* Zero everything first so any field not listed below is defined. */
	memset(options, 0, sizeof(*options));

#ifdef USE_PAM
	/* Portable-specific options */
	options->use_pam = -1;
#endif

	/* Standard Options */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	/* Enum-valued: sentinel is PERMIT_NOT_SET rather than -1 */
	options->permit_root_login = PERMIT_NOT_SET;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->strict_modes = -1;
	options->keepalives = -1;
	/* Enum-valued: sentinels are the *_NOT_SET constants */
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
#if defined(KRB4) || defined(KRB5)
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#if defined(AFS) || defined(KRB5)
	options->kerberos_tgt_passing = -1;
#endif
#ifdef AFS
	options->afs_token_passing = -1;
#endif
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->ciphers = NULL;
	options->macs = NULL;
	/* Protocol mask: sentinel is SSH_PROTO_UNKNOWN rather than -1 */
	options->protocol = SSH_PROTO_UNKNOWN;
	options->gateway_ports = -1;
	options->num_subsystems = 0;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->banner = NULL;
	options->verify_reverse_mapping = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* Needs to be accessable in many places */
	use_privsep = -1;
}
136
/*
 * Fills in a default for every option still at its "not set" sentinel
 * after initialize_server_options() and configuration parsing.
 *
 * Statement order matters in several places: the default host key files
 * depend on the protocol mask, listen addresses depend on the port list,
 * max_startups_begin defaults to max_startups, authorized_keys_file2 falls
 * back to authorized_keys_file before the latter receives its own default,
 * and the compression/privsep conflict check must run after use_privsep
 * has been defaulted.
 *
 * Security-relevant defaults visible here: PermitRootLogin, password,
 * RSA and public-key authentication, TCP forwarding and compression all
 * default to enabled; StrictModes is on; privilege separation is on.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
#ifdef USE_PAM
	if (options->use_pam == -1)
		options->use_pam = 1;
#endif

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* NULL addr + port 0: wildcard address on every configured port */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	if (options->login_grace_time == -1)
		options->login_grace_time = 120;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->print_lastlog == -1)
		options->print_lastlog = 1;
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 0;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
		options->x11_use_localhost = 1;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	if (options->rhosts_authentication == -1)
		options->rhosts_authentication = 0;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->hostbased_uses_name_from_packet_only == -1)
		options->hostbased_uses_name_from_packet_only = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
#if defined(KRB4) || defined(KRB5)
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 0;
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
#endif
#if defined(AFS) || defined(KRB5)
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 0;
#endif
#ifdef AFS
	if (options->afs_token_passing == -1)
		options->afs_token_passing = 0;
#endif
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 0;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	if (options->permit_user_env == -1)
		options->permit_user_env = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	if (options->compression == -1)
		options->compression = 1;
	if (options->allow_tcp_forwarding == -1)
		options->allow_tcp_forwarding = 1;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	if (options->max_startups == -1)
		options->max_startups = 10;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = 100;		/* 100% */
	/* Must follow the max_startups default above */
	if (options->max_startups_begin == -1)
		options->max_startups_begin = options->max_startups;
	if (options->verify_reverse_mapping == -1)
		options->verify_reverse_mapping = 0;
	if (options->client_alive_interval == -1)
		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	/* Must follow the file2 fallback above, which reads this field */
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	if (use_privsep == -1)
		use_privsep = 1;

#ifndef HAVE_MMAP
	/* Privsep wins over compression when both cannot be supported */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
281
/*
 * Keyword tokens.  Each configuration keyword in keywords[] maps to one of
 * these; process_server_config_line() switches on them.  The enumerator
 * order is not significant to the parser, but the numeric value is printed
 * by the "Missing handler for opcode" fatal error, so avoid reordering.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#if defined(KRB4) || defined(KRB5)
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#if defined(AFS) || defined(KRB5)
	sKerberosTgtPassing,
#endif
#ifdef AFS
	sAFSTokenPassing,
#endif
	sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,
	/* Keyword still accepted but ignored (logged and skipped) */
	sDeprecated
} ServerOpCodes;
315
/*
 * Textual representation of the tokens.  parse_token() matches these names
 * case-insensitively (strcasecmp), so the lower-case spelling here is only
 * a convention.  Several names are aliases for the same opcode.  The table
 * is terminated by a NULL name.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
	{ "UsePAM", sUsePAM },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },					/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },			/* alias */
#if defined(KRB4) || defined(KRB5)
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#if defined(AFS) || defined(KRB5)
	{ "kerberostgtpassing", sKerberosTgtPassing },
#endif
#ifdef AFS
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	/* Deprecated keyword: accepted, logged and otherwise ignored */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "verifyreversemapping", sVerifyReverseMapping },
	{ "reversemappingcheck", sVerifyReverseMapping },		/* alias */
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ NULL, sBadOption }
};
393
/*
 * Map a configuration keyword to its ServerOpCodes value.  The lookup is
 * case-insensitive.  An unrecognised keyword is reported with error(),
 * naming filename and linenum, and yields sBadOption.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	/* keywords[] is NULL-name terminated */
	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
412
/*
 * Register a listen address.  A port of 0 means "every configured port",
 * so the default port is filled in first if none has been configured yet.
 * Each resulting (addr, port) pair is passed to add_one_listen_addr().
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
426
/*
 * Resolve addr:port with getaddrinfo() and prepend the resulting list to
 * options->listen_addrs.  A NULL addr requests the wildcard address
 * (AI_PASSIVE); the address family comes from the global IPv4or6.
 * Resolution failure is fatal.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *tail;
	char portstr[NI_MAXSERV];
	int err;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = 0;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	snprintf(portstr, sizeof portstr, "%u", port);

	err = getaddrinfo(addr, portstr, &hints, &res);
	if (err != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(err));

	/* Walk to the last result and splice the existing list behind it. */
	tail = res;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
448
/*
 * Parses one line of sshd configuration and stores the result in *options.
 *
 * The line is tokenised in place with strdelim(); a leading empty token
 * (leading whitespace) is skipped, and blank lines and '#' comments are
 * ignored.  Returns 0 for a processed or ignored line and -1 for an unknown
 * keyword (parse_token() has already logged it).  Malformed values of known
 * keywords are reported with fatal(), which this code relies on not
 * returning (several paths would dereference NULL otherwise).
 *
 * Most scalar options share the parse_flag / parse_int / parse_time /
 * parse_filename labels, reached by goto after intptr or charptr has been
 * pointed at the target field.  Those labels store a value only while the
 * field is still at its sentinel (-1 or NULL), so a value set earlier --
 * including an earlier line of the same file -- is never overridden: the
 * first setting wins.  Exceptions (MaxStartups, the list options) are
 * noted inline.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p;
	int *intptr, value, i, n;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sUsePAM:
		intptr = &options->use_pam;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/*
		 * add_listen_addr() expands to the ports known at that time,
		 * so a Port after a ListenAddress would be silently missed.
		 */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * atoi() does no validation: a non-numeric argument silently
		 * yields 0 and out-of-range input is undefined behaviour, so
		 * e.g. "ServerKeyBits abc" stores 0 without any diagnostic.
		 */
		value = atoi(arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		/* convtime() reports a malformed time specification as -1 */
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms: "host", "host:port", "[v6addr]" and
		 * "[v6addr]:port".  An unbracketed argument containing more
		 * than one ':' is taken as a bare IPv6 address without a
		 * port.  Port 0 passed to add_listen_addr() means "every
		 * configured port".
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			/* Drop both brackets; p now points past the ']' */
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				/* Terminate the host part at the ':' */
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		/*
		 * intptr doubles as the slot counter here: parse_filename
		 * increments it only when the slot was actually filled.
		 */
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		/* Four-way keyword, mapped onto the PERMIT_* constants */
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* Boolean options accept exactly "yes" or "no" (case-sensitive) */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
				filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;
#if defined(KRB4) || defined(KRB5)
	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;
#endif
#if defined(AFS) || defined(KRB5)
	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;
#endif
#ifdef AFS
	case sAFSTokenPassing:
		intptr = &options->afs_token_passing;
		goto parse_flag;
#endif

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sVerifyReverseMapping:
		intptr = &options->verify_reverse_mapping;
		goto parse_flag;

	case sLogFacility:
		/*
		 * The enum field is accessed through an int pointer so the
		 * shared "still -1" check can be reused; this presumes the
		 * enum is int-sized and that SYSLOG_FACILITY_NOT_SET is -1
		 * (see log.h) -- otherwise the check below never matches.
		 * Note arg may be NULL here; log_facility_number() is
		 * expected to cope with that and return the NOT_SET value.
		 */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		/* Same int-pointer aliasing as sLogFacility above */
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		/* Writes the global rather than a field of *options */
		intptr = &use_privsep;
		goto parse_flag;

	/*
	 * The four list options below append every remaining token on the
	 * line (xstrdup'd) to the respective array; unlike the scalar
	 * options, repeated lines accumulate rather than being ignored.
	 * Each append is bounds-checked against the array's MAX_*.
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal( "%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		/* Spec is validated by ciphers_valid() before being stored */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		/* Spec is validated by mac_valid() before being stored */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		/* Sentinel for this field is SSH_PROTO_UNKNOWN, not -1 */
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		/*
		 * "Subsystem name command": the count is bounds-checked
		 * first, duplicate names are rejected, and both tokens are
		 * required before the entry is committed.
		 */
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		/*
		 * Unlike the shared labels, sscanf() writes straight into the
		 * option fields, so a later MaxStartups line overrides an
		 * earlier one (and a command-line value, if any).  Either a
		 * single "n" or "begin:rate:full" is accepted; any other
		 * field count is fatal.  In the "n" form the value lands in
		 * max_startups_begin and is copied to max_startups.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		/* Log once and consume the rest of the line unexamined */
		logit("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		/* An opcode exists in ServerOpCodes but has no case above */
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Anything left after the option's arguments is an error */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}
089fbbd2 936
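/*
 * Reads the server configuration file.
 *
 * Every line is handed to process_server_config_line(); lines it rejects
 * as unknown options are counted and reported together with fatal() once
 * the whole file has been read (malformed values of known options are
 * fatal immediately, inside the line parser).  A file that cannot be
 * opened terminates the process via exit(1).
 *
 * A physical line that does not fit the line buffer is rejected instead
 * of being silently split: fgets() would otherwise return the remainder
 * as a separate, wrongly numbered "line", and that remainder would be
 * parsed as a directive of its own.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	int linenum = 0, bad_options = 0;
	char line[1024];
	FILE *f;

	debug2("read_server_config: filename %s", filename);
	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		if (strchr(line, '\n') == NULL) {
			/*
			 * fgets() stopped before a newline: either the line
			 * was longer than the buffer or the file ends without
			 * a trailing newline.  Peek one character to tell the
			 * two apart; only the former is an error.
			 */
			int c = fgetc(f);

			if (c != EOF)
				fatal("%s line %d: line too long.",
				    filename, linenum);
		}
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}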