c1cb7bae 1/* $OpenBSD: servconf.c,v 1.150 2006/03/25 13:17:02 djm Exp $ */
8efc0c15 2/*
5260325f 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
6ae2364d 5 *
bcbf86ec 6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
5260325f 11 */
8efc0c15 12
13#include "includes.h"
8efc0c15 14
15#include "ssh.h"
42f11eb2 16#include "log.h"
8efc0c15 17#include "servconf.h"
18#include "xmalloc.h"
a8be9f80 19#include "compat.h"
42f11eb2 20#include "pathnames.h"
42f11eb2 21#include "misc.h"
22#include "cipher.h"
b2552997 23#include "kex.h"
24#include "mac.h"
42f11eb2 25
396c147e 26static void add_listen_addr(ServerOptions *, char *, u_short);
27static void add_one_listen_addr(ServerOptions *, char *, u_short);
48e671d5 28
1853d1ef 29/* Use of privilege separation or not */
30extern int use_privsep;
42f11eb2 31
8efc0c15 32/* Initializes the server options to their default values. */
33
/*
 * Reset every server option to its "not yet set" marker so that the
 * config parser and fill_default_server_options() can tell an explicit
 * sshd_config setting apart from one that was never given.  Integer
 * flags use -1, enums use their *_NOT_SET sentinel, pointers are NULL
 * and list counters start at zero.
 */
void
initialize_server_options(ServerOptions *options)
{
	/* Start from all-zero so any field not listed below is 0/NULL. */
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->use_pam = -1;

	/* Listening: ports, addresses, host keys, pid file, transport */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->address_family = -1;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->key_regeneration_time = -1;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->ciphers = NULL;
	options->macs = NULL;

	/* Authentication policy */
	options->login_grace_time = -1;
	options->permit_root_login = PERMIT_NOT_SET;
	options->max_authtries = -1;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
	options->kerberos_get_afs_token = -1;
	options->gss_authentication = -1;
	options->gss_cleanup_creds = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;
	options->banner = NULL;
	options->use_dns = -1;

	/* Access control lists */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;

	/* Session behaviour */
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->strict_modes = -1;
	options->tcp_keep_alive = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	options->gateway_ports = -1;
	options->permit_tun = -1;
	options->num_subsystems = 0;
	options->num_accept_env = 0;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;

	/* Logging */
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;

	/* Connection rate limiting */
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;

	/*
	 * Privilege separation lives in a file-scope global (declared
	 * extern above) because it is consulted from many places outside
	 * servconf.c; it follows the same -1 = "not set" convention.
	 */
	use_privsep = -1;
}
109
/*
 * Replace every option still at its "not set" sentinel with the built-in
 * default.  Runs after all sshd_config lines have been parsed, so an
 * explicit setting always wins.  Several defaults are derived from other
 * options, so the order below matters:
 *   - the default host key files depend on the protocol chosen first,
 *   - the default listen address depends on the port list, which
 *     add_listen_addr() reads,
 *   - AuthorizedKeysFile2 falls back to AuthorizedKeysFile and therefore
 *     must be resolved before AuthorizedKeysFile gets its own default,
 *   - the HAVE_MMAP check at the bottom needs use_privsep settled first.
 * Security-relevant defaults are called out inline.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	if (options->use_pam == -1)
		options->use_pam = 0;

	/* Standard Options */
	/*
	 * Both protocol versions are offered unless Protocol narrows the
	 * set; note that this default still enables protocol 1.
	 */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		/* Only keys for the enabled protocol versions are loaded. */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	/* Ports first: add_listen_addr() expands a NULL address over them. */
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* No ListenAddress given: listen on the wildcard for every port. */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	/*
	 * Size of the regenerated server key (the protocol 1 ephemeral key,
	 * judging by the KeyRegenerationInterval pairing).  768 bits is the
	 * historical default and well below current key-size guidance.
	 */
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	/* Time an unauthenticated connection may stay open (convtime units). */
	if (options->login_grace_time == -1)
		options->login_grace_time = 120;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	/*
	 * Root login is PERMITTED by default.  Hardened deployments should
	 * set PermitRootLogin explicitly (no / forced-commands-only /
	 * without-password) rather than rely on this.
	 */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	/* ~/.rhosts and ~/.shosts are ignored unless IgnoreRhosts no. */
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->print_lastlog == -1)
		options->print_lastlog = 1;
	/* X11 forwarding is off by default; DISPLAY binds to localhost. */
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 0;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
		options->x11_use_localhost = 1;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	/* Ownership/permission checks on user files are on by default. */
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->tcp_keep_alive == -1)
		options->tcp_keep_alive = 1;
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/* Host-based methods (protocol 1 and 2 variants) are off by default. */
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->hostbased_uses_name_from_packet_only == -1)
		options->hostbased_uses_name_from_packet_only = 0;
	/* Key-based methods are on for both protocol versions. */
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
	/* Kerberos and GSSAPI authentication are opt-in. */
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 0;
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
	if (options->kerberos_get_afs_token == -1)
		options->kerberos_get_afs_token = 0;
	if (options->gss_authentication == -1)
		options->gss_authentication = 0;
	if (options->gss_cleanup_creds == -1)
		options->gss_cleanup_creds = 1;
	/*
	 * Password and challenge-response authentication are ON by default;
	 * sites that want key-only access must disable both explicitly.
	 * Empty passwords are refused regardless.
	 */
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 0;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	/* ~/.ssh/environment and environment= key options are off. */
	if (options->permit_user_env == -1)
		options->permit_user_env = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	/* Compression is enabled only after authentication ("delayed"). */
	if (options->compression == -1)
		options->compression = COMP_DELAYED;
	/* TCP forwarding is on, but remote forwards bind to loopback only. */
	if (options->allow_tcp_forwarding == -1)
		options->allow_tcp_forwarding = 1;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	/*
	 * MaxStartups: with begin == max and rate 100%, this is presumably
	 * a plain hard limit with no early random drop; the three-field
	 * semantics are implemented in sshd.c, not here.
	 */
	if (options->max_startups == -1)
		options->max_startups = 10;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = 100;		/* 100% */
	if (options->max_startups_begin == -1)
		options->max_startups_begin = options->max_startups;
	if (options->max_authtries == -1)
		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
	/* Reverse DNS lookups on clients are on by default. */
	if (options->use_dns == -1)
		options->use_dns = 1;
	/* 0 disables client keep-alive probing. */
	if (options->client_alive_interval == -1)
		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	/*
	 * Must run before authorized_keys_file gets its default: if only
	 * AuthorizedKeysFile was configured, the second file mirrors it;
	 * otherwise it gets its own built-in path.
	 */
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
	/* Layer-2/3 tunnel devices are not offered unless PermitTunnel says so. */
	if (options->permit_tun == -1)
		options->permit_tun = SSH_TUNMODE_NO;

	/* Turn privilege separation on by default */
	if (use_privsep == -1)
		use_privsep = 1;

	/*
	 * Without mmap the pre-auth compression state cannot be shared with
	 * the privsep monitor, so "Compression yes" is downgraded.  The
	 * literal 1 is presumably COMP_ZLIB (the parser's value for "yes");
	 * COMP_DELAYED deliberately passes, as it only starts compressing
	 * after authentication -- confirm against the COMP_* definitions.
	 */
#ifndef HAVE_MMAP
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
250
8efc0c15 251/* Keyword tokens. */
/*
 * Tokens produced by parse_token() for each sshd_config keyword.  Besides
 * one token per live option there are three special values:
 *   sBadOption    - keyword not found in keywords[] (parse error),
 *   sDeprecated   - keyword of an option that no longer exists,
 *   sUnsupported  - keyword of a feature compiled out of this build
 *                   (see the #ifdef branches in keywords[] below).
 * How the parser treats the last two is in process_server_config_line().
 * sKerberosTgtPassing is declared here but keywords[] maps
 * "kerberostgtpassing" to sUnsupported, so it is never produced.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosGetAFSToken,
	sKerberosTgtPassing, sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication,
	sListenAddress, sAddressFamily,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
	sMaxStartups, sMaxAuthTries,
	sBanner, sUseDNS, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
	sUsePrivilegeSeparation,
	/* Special tokens; see the comment above. */
	sDeprecated, sUnsupported
} ServerOpCodes;
280
281/* Textual representation of the tokens. */
/*
 * Keyword -> token table searched linearly by parse_token() with
 * strcasecmp(), so names are stored in lower case and the first match
 * wins.  Options whose backing feature is compiled out still get an
 * entry (mapped to sUnsupported) so a config written for a fuller build
 * is recognised rather than rejected as a typo; removed options map to
 * sDeprecated for the same reason.  The table is NULL-terminated.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "usepam", sUsePAM },
#else
	{ "usepam", sUnsupported },
#endif
	{ "pamauthenticationviakbdint", sDeprecated },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	/* Plain rhosts authentication was removed; only the RSA variant remains. */
	{ "rhostsauthentication", sDeprecated },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },			/* alias */
	/* Kerberos options are only live when built with KRB5 (and AFS). */
#ifdef KRB5
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#ifdef USE_AFS
	{ "kerberosgetafstoken", sKerberosGetAFSToken },
#else
	{ "kerberosgetafstoken", sUnsupported },
#endif
#else
	{ "kerberosauthentication", sUnsupported },
	{ "kerberosorlocalpasswd", sUnsupported },
	{ "kerberosticketcleanup", sUnsupported },
	{ "kerberosgetafstoken", sUnsupported },
#endif
	/* Ticket/token passing is unsupported in every build configuration. */
	{ "kerberostgtpassing", sUnsupported },
	{ "afstokenpassing", sUnsupported },
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication },
	{ "gssapicleanupcredentials", sGssCleanupCreds },
#else
	{ "gssapiauthentication", sUnsupported },
	{ "gssapicleanupcredentials", sUnsupported },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "addressfamily", sAddressFamily },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "tcpkeepalive", sTCPKeepAlive },
	{ "keepalive", sTCPKeepAlive },				/* obsolete alias */
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "maxauthtries", sMaxAuthTries },
	{ "banner", sBanner },
	/* UseDNS replaced the two reverse-mapping options below. */
	{ "usedns", sUseDNS },
	{ "verifyreversemapping", sDeprecated },
	{ "reversemappingcheck", sDeprecated },
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ "acceptenv", sAcceptEnv },
	{ "permittunnel", sPermitTunnel },
	/* Terminator: parse_token() stops at the NULL name. */
	{ NULL, sBadOption }
};
382
aa3378df 383/*
6be9a5e8 384 * Returns the number of the token pointed to by cp or sBadOption.
aa3378df 385 */
8efc0c15 386
/*
 * Map a configuration keyword to its ServerOpCodes token.  Matching is
 * case-insensitive against the NULL-terminated keywords[] table.  An
 * unknown keyword is reported via error() with the file name and line
 * number and yields sBadOption; the caller decides whether that aborts
 * parsing.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	const char *name;
	u_int idx = 0;

	while ((name = keywords[idx].name) != NULL) {
		if (strcasecmp(name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
401
/*
 * Queue a ListenAddress.  A port of 0 means "every configured port", so
 * the address is added once per entry in options->ports; otherwise it is
 * added for that single port.  The default port and address family are
 * filled in first if the config has not set them, which is why Port and
 * AddressFamily must precede ListenAddress in sshd_config (the parser
 * enforces that ordering).  A NULL addr is passed through to
 * add_one_listen_addr(), which treats it as the wildcard address.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	u_int n;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->address_family == -1)
		options->address_family = AF_UNSPEC;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (n = 0; n < options->num_ports; n++)
		add_one_listen_addr(options, addr, options->ports[n]);
}
417
/*
 * Resolve addr:port into one or more struct addrinfo entries and prepend
 * them to options->listen_addrs.  A NULL addr is resolved with AI_PASSIVE,
 * i.e. the wildcard address for options->address_family.  Resolution
 * failure is fatal on purpose: a typo in ListenAddress must not silently
 * leave sshd listening on fewer, or different, addresses than configured.
 * The addrinfo list is kept as returned by getaddrinfo(); nothing here
 * frees it.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *tail;
	char portstr[NI_MAXSERV];
	int err;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = options->address_family;
	hints.ai_socktype = SOCK_STREAM;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	snprintf(portstr, sizeof portstr, "%u", port);

	err = getaddrinfo(addr, portstr, &hints, &res);
	if (err != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(err));

	/* Splice the freshly resolved list in front of the existing one. */
	tail = res;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
439
2717fa0f 440int
441process_server_config_line(ServerOptions *options, char *line,
442 const char *filename, int linenum)
8efc0c15 443{
d11c1288 444 char *cp, **charptr, *arg, *p;
2ceb8101 445 int *intptr, value, n;
5260325f 446 ServerOpCodes opcode;
3867aa0a 447 u_short port;
2ceb8101 448 u_int i;
5260325f 449
2717fa0f 450 cp = line;
0f8cd5a6 451 if ((arg = strdelim(&cp)) == NULL)
88299971 452 return 0;
2717fa0f 453 /* Ignore leading whitespace */
454 if (*arg == '\0')
704b1659 455 arg = strdelim(&cp);
2717fa0f 456 if (!arg || !*arg || *arg == '#')
457 return 0;
458 intptr = NULL;
459 charptr = NULL;
460 opcode = parse_token(arg, filename, linenum);
461 switch (opcode) {
462 /* Portable-specific options */
7fceb20d 463 case sUsePAM:
464 intptr = &options->use_pam;
2717fa0f 465 goto parse_flag;
48e671d5 466
2717fa0f 467 /* Standard Options */
468 case sBadOption:
469 return -1;
470 case sPort:
471 /* ignore ports from configfile if cmdline specifies ports */
472 if (options->ports_from_cmdline)
473 return 0;
474 if (options->listen_addrs != NULL)
475 fatal("%s line %d: ports must be specified before "
3a454b6a 476 "ListenAddress.", filename, linenum);
2717fa0f 477 if (options->num_ports >= MAX_PORTS)
478 fatal("%s line %d: too many ports.",
479 filename, linenum);
480 arg = strdelim(&cp);
481 if (!arg || *arg == '\0')
482 fatal("%s line %d: missing port number.",
483 filename, linenum);
484 options->ports[options->num_ports++] = a2port(arg);
485 if (options->ports[options->num_ports-1] == 0)
486 fatal("%s line %d: Badly formatted port number.",
487 filename, linenum);
488 break;
489
490 case sServerKeyBits:
491 intptr = &options->server_key_bits;
5260325f 492parse_int:
2717fa0f 493 arg = strdelim(&cp);
494 if (!arg || *arg == '\0')
495 fatal("%s line %d: missing integer value.",
496 filename, linenum);
497 value = atoi(arg);
498 if (*intptr == -1)
499 *intptr = value;
500 break;
501
502 case sLoginGraceTime:
503 intptr = &options->login_grace_time;
e2b1fb42 504parse_time:
2717fa0f 505 arg = strdelim(&cp);
506 if (!arg || *arg == '\0')
507 fatal("%s line %d: missing time value.",
508 filename, linenum);
509 if ((value = convtime(arg)) == -1)
510 fatal("%s line %d: invalid time value.",
511 filename, linenum);
512 if (*intptr == -1)
513 *intptr = value;
514 break;
515
516 case sKeyRegenerationTime:
517 intptr = &options->key_regeneration_time;
518 goto parse_time;
519
520 case sListenAddress:
521 arg = strdelim(&cp);
3867aa0a 522 if (arg == NULL || *arg == '\0')
523 fatal("%s line %d: missing address",
2717fa0f 524 filename, linenum);
91135a0e 525 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
526 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
527 && strchr(p+1, ':') != NULL) {
528 add_listen_addr(options, arg, 0);
529 break;
530 }
3867aa0a 531 p = hpdelim(&arg);
532 if (p == NULL)
533 fatal("%s line %d: bad address:port usage",
2717fa0f 534 filename, linenum);
3867aa0a 535 p = cleanhostname(p);
536 if (arg == NULL)
537 port = 0;
538 else if ((port = a2port(arg)) == 0)
539 fatal("%s line %d: bad port number", filename, linenum);
540
541 add_listen_addr(options, p, port);
542
2717fa0f 543 break;
544
31b41ceb 545 case sAddressFamily:
546 arg = strdelim(&cp);
38634ff6 547 if (!arg || *arg == '\0')
548 fatal("%s line %d: missing address family.",
549 filename, linenum);
31b41ceb 550 intptr = &options->address_family;
551 if (options->listen_addrs != NULL)
552 fatal("%s line %d: address family must be specified before "
553 "ListenAddress.", filename, linenum);
554 if (strcasecmp(arg, "inet") == 0)
555 value = AF_INET;
556 else if (strcasecmp(arg, "inet6") == 0)
557 value = AF_INET6;
558 else if (strcasecmp(arg, "any") == 0)
559 value = AF_UNSPEC;
560 else
561 fatal("%s line %d: unsupported address family \"%s\".",
562 filename, linenum, arg);
563 if (*intptr == -1)
564 *intptr = value;
565 break;
566
2717fa0f 567 case sHostKeyFile:
568 intptr = &options->num_host_key_files;
569 if (*intptr >= MAX_HOSTKEYS)
570 fatal("%s line %d: too many host keys specified (max %d).",
571 filename, linenum, MAX_HOSTKEYS);
572 charptr = &options->host_key_files[*intptr];
fa649821 573parse_filename:
2717fa0f 574 arg = strdelim(&cp);
575 if (!arg || *arg == '\0')
576 fatal("%s line %d: missing file name.",
577 filename, linenum);
578 if (*charptr == NULL) {
579 *charptr = tilde_expand_filename(arg, getuid());
580 /* increase optional counter */
581 if (intptr != NULL)
582 *intptr = *intptr + 1;
583 }
584 break;
0fbe8c74 585
2717fa0f 586 case sPidFile:
587 charptr = &options->pid_file;
588 goto parse_filename;
5260325f 589
2717fa0f 590 case sPermitRootLogin:
591 intptr = &options->permit_root_login;
592 arg = strdelim(&cp);
593 if (!arg || *arg == '\0')
594 fatal("%s line %d: missing yes/"
595 "without-password/forced-commands-only/no "
596 "argument.", filename, linenum);
597 value = 0; /* silence compiler */
598 if (strcmp(arg, "without-password") == 0)
599 value = PERMIT_NO_PASSWD;
600 else if (strcmp(arg, "forced-commands-only") == 0)
601 value = PERMIT_FORCED_ONLY;
602 else if (strcmp(arg, "yes") == 0)
603 value = PERMIT_YES;
604 else if (strcmp(arg, "no") == 0)
605 value = PERMIT_NO;
606 else
607 fatal("%s line %d: Bad yes/"
608 "without-password/forced-commands-only/no "
609 "argument: %s", filename, linenum, arg);
610 if (*intptr == -1)
611 *intptr = value;
612 break;
613
614 case sIgnoreRhosts:
615 intptr = &options->ignore_rhosts;
5260325f 616parse_flag:
2717fa0f 617 arg = strdelim(&cp);
618 if (!arg || *arg == '\0')
619 fatal("%s line %d: missing yes/no argument.",
620 filename, linenum);
621 value = 0; /* silence compiler */
622 if (strcmp(arg, "yes") == 0)
623 value = 1;
624 else if (strcmp(arg, "no") == 0)
625 value = 0;
626 else
627 fatal("%s line %d: Bad yes/no argument: %s",
628 filename, linenum, arg);
629 if (*intptr == -1)
630 *intptr = value;
631 break;
632
633 case sIgnoreUserKnownHosts:
634 intptr = &options->ignore_user_known_hosts;
635 goto parse_flag;
636
2717fa0f 637 case sRhostsRSAAuthentication:
638 intptr = &options->rhosts_rsa_authentication;
639 goto parse_flag;
640
641 case sHostbasedAuthentication:
642 intptr = &options->hostbased_authentication;
643 goto parse_flag;
644
645 case sHostbasedUsesNameFromPacketOnly:
646 intptr = &options->hostbased_uses_name_from_packet_only;
647 goto parse_flag;
648
649 case sRSAAuthentication:
650 intptr = &options->rsa_authentication;
651 goto parse_flag;
652
653 case sPubkeyAuthentication:
654 intptr = &options->pubkey_authentication;
655 goto parse_flag;
d0ec7f42 656
2717fa0f 657 case sKerberosAuthentication:
658 intptr = &options->kerberos_authentication;
659 goto parse_flag;
5260325f 660
2717fa0f 661 case sKerberosOrLocalPasswd:
662 intptr = &options->kerberos_or_local_passwd;
663 goto parse_flag;
5260325f 664
2717fa0f 665 case sKerberosTicketCleanup:
666 intptr = &options->kerberos_ticket_cleanup;
667 goto parse_flag;
d0ec7f42 668
a1e30b47 669 case sKerberosGetAFSToken:
670 intptr = &options->kerberos_get_afs_token;
671 goto parse_flag;
672
7364bd04 673 case sGssAuthentication:
674 intptr = &options->gss_authentication;
675 goto parse_flag;
676
677 case sGssCleanupCreds:
678 intptr = &options->gss_cleanup_creds;
679 goto parse_flag;
680
2717fa0f 681 case sPasswordAuthentication:
682 intptr = &options->password_authentication;
683 goto parse_flag;
5260325f 684
2717fa0f 685 case sKbdInteractiveAuthentication:
686 intptr = &options->kbd_interactive_authentication;
687 goto parse_flag;
8002af61 688
2717fa0f 689 case sChallengeResponseAuthentication:
690 intptr = &options->challenge_response_authentication;
691 goto parse_flag;
8002af61 692
2717fa0f 693 case sPrintMotd:
694 intptr = &options->print_motd;
695 goto parse_flag;
5260325f 696
2717fa0f 697 case sPrintLastLog:
698 intptr = &options->print_lastlog;
699 goto parse_flag;
5260325f 700
2717fa0f 701 case sX11Forwarding:
702 intptr = &options->x11_forwarding;
703 goto parse_flag;
5260325f 704
2717fa0f 705 case sX11DisplayOffset:
706 intptr = &options->x11_display_offset;
707 goto parse_int;
8efc0c15 708
e6e573bd 709 case sX11UseLocalhost:
710 intptr = &options->x11_use_localhost;
711 goto parse_flag;
712
2717fa0f 713 case sXAuthLocation:
714 charptr = &options->xauth_location;
715 goto parse_filename;
5260325f 716
2717fa0f 717 case sStrictModes:
718 intptr = &options->strict_modes;
719 goto parse_flag;
5260325f 720
fd573618 721 case sTCPKeepAlive:
722 intptr = &options->tcp_keep_alive;
2717fa0f 723 goto parse_flag;
33de75a3 724
2717fa0f 725 case sEmptyPasswd:
726 intptr = &options->permit_empty_passwd;
727 goto parse_flag;
5260325f 728
f00bab84 729 case sPermitUserEnvironment:
730 intptr = &options->permit_user_env;
731 goto parse_flag;
732
2717fa0f 733 case sUseLogin:
734 intptr = &options->use_login;
735 goto parse_flag;
5260325f 736
636f76ca 737 case sCompression:
738 intptr = &options->compression;
07200973 739 arg = strdelim(&cp);
740 if (!arg || *arg == '\0')
741 fatal("%s line %d: missing yes/no/delayed "
742 "argument.", filename, linenum);
743 value = 0; /* silence compiler */
744 if (strcmp(arg, "delayed") == 0)
745 value = COMP_DELAYED;
746 else if (strcmp(arg, "yes") == 0)
747 value = COMP_ZLIB;
748 else if (strcmp(arg, "no") == 0)
749 value = COMP_NONE;
750 else
751 fatal("%s line %d: Bad yes/no/delayed "
752 "argument: %s", filename, linenum, arg);
753 if (*intptr == -1)
754 *intptr = value;
755 break;
636f76ca 756
2717fa0f 757 case sGatewayPorts:
758 intptr = &options->gateway_ports;
3867aa0a 759 arg = strdelim(&cp);
760 if (!arg || *arg == '\0')
761 fatal("%s line %d: missing yes/no/clientspecified "
762 "argument.", filename, linenum);
763 value = 0; /* silence compiler */
764 if (strcmp(arg, "clientspecified") == 0)
765 value = 2;
766 else if (strcmp(arg, "yes") == 0)
767 value = 1;
768 else if (strcmp(arg, "no") == 0)
769 value = 0;
770 else
771 fatal("%s line %d: Bad yes/no/clientspecified "
772 "argument: %s", filename, linenum, arg);
773 if (*intptr == -1)
774 *intptr = value;
775 break;
5260325f 776
c5a7d788 777 case sUseDNS:
778 intptr = &options->use_dns;
2717fa0f 779 goto parse_flag;
5260325f 780
2717fa0f 781 case sLogFacility:
782 intptr = (int *) &options->log_facility;
783 arg = strdelim(&cp);
784 value = log_facility_number(arg);
5eaf8578 785 if (value == SYSLOG_FACILITY_NOT_SET)
2717fa0f 786 fatal("%.200s line %d: unsupported log facility '%s'",
787 filename, linenum, arg ? arg : "<NONE>");
788 if (*intptr == -1)
789 *intptr = (SyslogFacility) value;
790 break;
791
792 case sLogLevel:
793 intptr = (int *) &options->log_level;
794 arg = strdelim(&cp);
795 value = log_level_number(arg);
5eaf8578 796 if (value == SYSLOG_LEVEL_NOT_SET)
2717fa0f 797 fatal("%.200s line %d: unsupported log level '%s'",
798 filename, linenum, arg ? arg : "<NONE>");
799 if (*intptr == -1)
800 *intptr = (LogLevel) value;
801 break;
802
803 case sAllowTcpForwarding:
804 intptr = &options->allow_tcp_forwarding;
805 goto parse_flag;
806
1853d1ef 807 case sUsePrivilegeSeparation:
808 intptr = &use_privsep;
809 goto parse_flag;
810
2717fa0f 811 case sAllowUsers:
812 while ((arg = strdelim(&cp)) && *arg != '\0') {
813 if (options->num_allow_users >= MAX_ALLOW_USERS)
814 fatal("%s line %d: too many allow users.",
815 filename, linenum);
7528d467 816 options->allow_users[options->num_allow_users++] =
817 xstrdup(arg);
2717fa0f 818 }
819 break;
a8be9f80 820
2717fa0f 821 case sDenyUsers:
822 while ((arg = strdelim(&cp)) && *arg != '\0') {
823 if (options->num_deny_users >= MAX_DENY_USERS)
824 fatal( "%s line %d: too many deny users.",
825 filename, linenum);
7528d467 826 options->deny_users[options->num_deny_users++] =
827 xstrdup(arg);
2717fa0f 828 }
829 break;
b2552997 830
2717fa0f 831 case sAllowGroups:
832 while ((arg = strdelim(&cp)) && *arg != '\0') {
833 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
834 fatal("%s line %d: too many allow groups.",
835 filename, linenum);
7528d467 836 options->allow_groups[options->num_allow_groups++] =
837 xstrdup(arg);
2717fa0f 838 }
839 break;
a8be9f80 840
2717fa0f 841 case sDenyGroups:
842 while ((arg = strdelim(&cp)) && *arg != '\0') {
843 if (options->num_deny_groups >= MAX_DENY_GROUPS)
844 fatal("%s line %d: too many deny groups.",
845 filename, linenum);
846 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
847 }
848 break;
38c295d6 849
2717fa0f 850 case sCiphers:
851 arg = strdelim(&cp);
852 if (!arg || *arg == '\0')
853 fatal("%s line %d: Missing argument.", filename, linenum);
854 if (!ciphers_valid(arg))
855 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
856 filename, linenum, arg ? arg : "<NONE>");
857 if (options->ciphers == NULL)
858 options->ciphers = xstrdup(arg);
859 break;
860
861 case sMacs:
862 arg = strdelim(&cp);
863 if (!arg || *arg == '\0')
864 fatal("%s line %d: Missing argument.", filename, linenum);
865 if (!mac_valid(arg))
866 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
867 filename, linenum, arg ? arg : "<NONE>");
868 if (options->macs == NULL)
869 options->macs = xstrdup(arg);
870 break;
871
872 case sProtocol:
873 intptr = &options->protocol;
874 arg = strdelim(&cp);
875 if (!arg || *arg == '\0')
876 fatal("%s line %d: Missing argument.", filename, linenum);
877 value = proto_spec(arg);
878 if (value == SSH_PROTO_UNKNOWN)
879 fatal("%s line %d: Bad protocol spec '%s'.",
184eed6a 880 filename, linenum, arg ? arg : "<NONE>");
2717fa0f 881 if (*intptr == SSH_PROTO_UNKNOWN)
882 *intptr = value;
883 break;
884
885 case sSubsystem:
886 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
887 fatal("%s line %d: too many subsystems defined.",
184eed6a 888 filename, linenum);
2717fa0f 889 }
890 arg = strdelim(&cp);
891 if (!arg || *arg == '\0')
892 fatal("%s line %d: Missing subsystem name.",
184eed6a 893 filename, linenum);
2717fa0f 894 for (i = 0; i < options->num_subsystems; i++)
895 if (strcmp(arg, options->subsystem_name[i]) == 0)
896 fatal("%s line %d: Subsystem '%s' already defined.",
184eed6a 897 filename, linenum, arg);
2717fa0f 898 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
899 arg = strdelim(&cp);
900 if (!arg || *arg == '\0')
901 fatal("%s line %d: Missing subsystem command.",
184eed6a 902 filename, linenum);
2717fa0f 903 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
904 options->num_subsystems++;
905 break;
906
907 case sMaxStartups:
908 arg = strdelim(&cp);
909 if (!arg || *arg == '\0')
910 fatal("%s line %d: Missing MaxStartups spec.",
184eed6a 911 filename, linenum);
2717fa0f 912 if ((n = sscanf(arg, "%d:%d:%d",
913 &options->max_startups_begin,
914 &options->max_startups_rate,
915 &options->max_startups)) == 3) {
916 if (options->max_startups_begin >
917 options->max_startups ||
918 options->max_startups_rate > 100 ||
919 options->max_startups_rate < 1)
c345cf9d 920 fatal("%s line %d: Illegal MaxStartups spec.",
97de229c 921 filename, linenum);
2717fa0f 922 } else if (n != 1)
923 fatal("%s line %d: Illegal MaxStartups spec.",
924 filename, linenum);
925 else
926 options->max_startups = options->max_startups_begin;
927 break;
928
af4bd935 929 case sMaxAuthTries:
930 intptr = &options->max_authtries;
931 goto parse_int;
932
2717fa0f 933 case sBanner:
934 charptr = &options->banner;
935 goto parse_filename;
936 /*
937 * These options can contain %X options expanded at
938 * connect time, so that you can specify paths like:
939 *
940 * AuthorizedKeysFile /etc/ssh_keys/%u
941 */
942 case sAuthorizedKeysFile:
943 case sAuthorizedKeysFile2:
944 charptr = (opcode == sAuthorizedKeysFile ) ?
945 &options->authorized_keys_file :
946 &options->authorized_keys_file2;
947 goto parse_filename;
948
949 case sClientAliveInterval:
950 intptr = &options->client_alive_interval;
951 goto parse_time;
952
953 case sClientAliveCountMax:
954 intptr = &options->client_alive_count_max;
955 goto parse_int;
956
61a2c1da 957 case sAcceptEnv:
958 while ((arg = strdelim(&cp)) && *arg != '\0') {
959 if (strchr(arg, '=') != NULL)
960 fatal("%s line %d: Invalid environment name.",
961 filename, linenum);
962 if (options->num_accept_env >= MAX_ACCEPT_ENV)
963 fatal("%s line %d: too many allow env.",
964 filename, linenum);
965 options->accept_env[options->num_accept_env++] =
966 xstrdup(arg);
967 }
968 break;
969
d20f3c9e 970 case sPermitTunnel:
971 intptr = &options->permit_tun;
a4f24bf8 972 arg = strdelim(&cp);
973 if (!arg || *arg == '\0')
974 fatal("%s line %d: Missing yes/point-to-point/"
975 "ethernet/no argument.", filename, linenum);
976 value = 0; /* silence compiler */
977 if (strcasecmp(arg, "ethernet") == 0)
978 value = SSH_TUNMODE_ETHERNET;
979 else if (strcasecmp(arg, "point-to-point") == 0)
980 value = SSH_TUNMODE_POINTOPOINT;
981 else if (strcasecmp(arg, "yes") == 0)
982 value = SSH_TUNMODE_YES;
983 else if (strcasecmp(arg, "no") == 0)
984 value = SSH_TUNMODE_NO;
985 else
986 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
987 "no argument: %s", filename, linenum, arg);
988 if (*intptr == -1)
989 *intptr = value;
990 break;
d20f3c9e 991
2717fa0f 992 case sDeprecated:
bbe88b6d 993 logit("%s line %d: Deprecated option %s",
2717fa0f 994 filename, linenum, arg);
995 while (arg)
996 arg = strdelim(&cp);
997 break;
998
a2144546 999 case sUnsupported:
1000 logit("%s line %d: Unsupported option %s",
1001 filename, linenum, arg);
1002 while (arg)
1003 arg = strdelim(&cp);
1004 break;
1005
2717fa0f 1006 default:
1007 fatal("%s line %d: Missing handler for opcode %s (%d)",
1008 filename, linenum, arg, opcode);
1009 }
1010 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1011 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1012 filename, linenum, arg);
1013 return 0;
1014}
089fbbd2 1015
2717fa0f 1016/* Reads the server configuration file. */
5c53a31e 1017
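/*
 * Reads the server configuration file named by 'filename' into 'conf'.
 *
 * Comments ('#' to end of line) are replaced by a bare newline and leading
 * blanks are stripped, but every physical line still contributes exactly
 * one '\n' so that line numbers can be reproduced later for error messages.
 * The buffer is NUL-terminated when done.  A file that cannot be opened is
 * reported with perror() and terminates the process with exit(1).
 *
 * Input lines longer than the fgets() buffer arrive in several chunks; the
 * chunks are reassembled so that blanks inside the line are kept and the
 * remainder of an over-long comment is discarded instead of being parsed
 * as configuration.
 */
void
load_server_config(const char *filename, Buffer *conf)
{
	char line[1024], *cp;
	FILE *f;
	int continued = 0;	/* next chunk continues the current line */
	int skipping = 0;	/* next chunk is the tail of a cut comment */

	debug2("%s: filename %s", __func__, filename);
	if ((f = fopen(filename, "r")) == NULL) {
		perror(filename);
		exit(1);
	}
	buffer_clear(conf);
	while (fgets(line, sizeof(line), f)) {
		size_t len = strlen(line);
		/* fgets() only stops early on EOF or a full buffer */
		int complete = len > 0 && line[len - 1] == '\n';

		if (skipping) {
			/* rest of an over-long comment; its "\n" is already out */
			skipping = !complete;
			continue;
		}
		/*
		 * Trim out comments.  NB - the newline is preserved, it is
		 * needed to reproduce line numbers later for error messages.
		 */
		if ((cp = strchr(line, '#')) != NULL) {
			memcpy(cp, "\n", 2);
			/* comment text may carry on into the next chunk */
			skipping = !complete;
			complete = 1;
		}
		/* strip leading blanks only at the real start of a line */
		cp = continued ? line : line + strspn(line, " \t\r");

		buffer_append(conf, cp, strlen(cp));
		continued = !complete;
	}
	buffer_append(conf, "\0", 1);
	fclose(f);
	debug2("%s: done config len = %d", __func__, buffer_len(conf));
}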
1046
/*
 * Parses the already-loaded, NUL-terminated configuration text in 'conf'
 * into 'options', handing each line to process_server_config_line() with
 * its 1-based line number.  Every bad line is counted; once the whole file
 * has been seen a non-zero count is fatal.
 */
void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
{
	char *text, *rest, *line;
	int lineno = 1, nbad = 0;

	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));

	/* Work on a private copy: strsep() writes NULs into its argument. */
	text = rest = xstrdup(buffer_ptr(conf));
	for (line = strsep(&rest, "\n"); line != NULL;
	    line = strsep(&rest, "\n")) {
		if (process_server_config_line(options, line, filename,
		    lineno) != 0)
			nbad++;
		lineno++;
	}
	xfree(text);
	if (nbad > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, nbad);
}