8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
#include "includes.h"
RCSID("$OpenBSD: servconf.c,v 1.120 2003/05/15 04:08:44 jakob Exp $");

#include <errno.h>
#include <limits.h>

#if defined(KRB4)
#include <krb.h>
#endif

#if defined(KRB5)
# ifdef HEIMDAL
# include <krb.h>
# else
/*
 * XXX: Bodge - but then, so is using the kerberos IV KEYFILE to get a
 * Kerberos V keytab
 */
# define KEYFILE "/etc/krb5.keytab"
# endif
#endif

#ifdef AFS
#include <kafs.h>
#endif

#include "ssh.h"
#include "log.h"
#include "servconf.h"
#include "xmalloc.h"
#include "compat.h"
#include "pathnames.h"
#include "tildexpand.h"
#include "misc.h"
#include "cipher.h"
#include "kex.h"
#include "mac.h"
42f11eb2 46
/*
 * add_listen_addr() registers one ListenAddress entry for every configured
 * Port (or for one explicit port); add_one_listen_addr() resolves a single
 * address/port pair with getaddrinfo().  Both are defined below.
 */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6; used as hints.ai_family when resolving listen addresses */
extern int IPv4or6;
/*
 * Use of privilege separation or not.  Not a ServerOptions member: it is
 * initialised to -1 here, set by UsePrivilegeSeparation and defaulted to
 * on by fill_default_server_options().
 */
extern int use_privsep;
42f11eb2 54
/*
 * Reset every server option to its "not yet set" marker so that
 * process_server_config_line() can distinguish a configured value from an
 * absent one (ints use -1, pointers NULL, counters 0, enums their *_NOT_SET
 * value) and fill_default_server_options() can supply defaults afterwards.
 */
void
initialize_server_options(ServerOptions *options)
{
	/* Everything not listed below (arrays, counters) becomes zero. */
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->use_pam = -1;

	/* Listening, host keys, protocol selection */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->server_key_bits = -1;
	options->key_regeneration_time = -1;
	options->ciphers = NULL;
	options->macs = NULL;

	/* Login policy and session behaviour */
	options->login_grace_time = -1;
	options->permit_root_login = PERMIT_NOT_SET;
	options->permit_empty_passwd = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->strict_modes = -1;
	options->keepalives = -1;
	options->compression = -1;
	options->banner = NULL;

	/* Authentication methods */
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
	options->kerberos_tgt_passing = -1;
	options->afs_token_passing = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* Access lists and subsystems */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->num_subsystems = 0;

	/* Forwarding */
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->allow_tcp_forwarding = -1;
	options->gateway_ports = -1;

	/* Logging, connection limits, liveness */
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->verify_reverse_mapping = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;

	/* Global rather than a member: needs to be accessible in many places. */
	use_privsep = -1;
}
128
/*
 * Store value in *field only while the field still carries the -1
 * "not configured" marker set by initialize_server_options().
 */
static void
set_default_int(int *field, int value)
{
	if (*field == -1)
		*field = value;
}

/*
 * Supply the compiled-in default for every option that was neither set
 * in the configuration file nor on the command line.  Configured values
 * are never overwritten.  Ordering matters in a few places: host keys
 * depend on the protocol set, the default listen address on the ports,
 * max_startups_begin on max_startups, and authorized_keys_file2 on
 * authorized_keys_file.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
#ifdef USE_PAM
	set_default_int(&options->use_pam, 1);
#else
	set_default_int(&options->use_pam, 0);
#endif

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* After the ports: a NULL addr is expanded over all of them. */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	set_default_int(&options->server_key_bits, 768);
	set_default_int(&options->login_grace_time, 120);
	set_default_int(&options->key_regeneration_time, 3600);
	/* Unless configured, direct root logins are permitted. */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	set_default_int(&options->ignore_rhosts, 1);
	set_default_int(&options->ignore_user_known_hosts, 0);
	set_default_int(&options->print_motd, 1);
	set_default_int(&options->print_lastlog, 1);
	set_default_int(&options->x11_forwarding, 0);
	set_default_int(&options->x11_display_offset, 10);
	set_default_int(&options->x11_use_localhost, 1);
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	set_default_int(&options->strict_modes, 1);
	set_default_int(&options->keepalives, 1);
	/* Enum-typed fields keep their own NOT_SET markers. */
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	set_default_int(&options->rhosts_authentication, 0);
	set_default_int(&options->rhosts_rsa_authentication, 0);
	set_default_int(&options->hostbased_authentication, 0);
	set_default_int(&options->hostbased_uses_name_from_packet_only, 0);
	set_default_int(&options->rsa_authentication, 1);
	set_default_int(&options->pubkey_authentication, 1);
	set_default_int(&options->kerberos_authentication, 0);
	set_default_int(&options->kerberos_or_local_passwd, 1);
#if defined(KRB4) || defined(KRB5)
	set_default_int(&options->kerberos_ticket_cleanup, 1);
#else
	set_default_int(&options->kerberos_ticket_cleanup, 0);
#endif
	set_default_int(&options->kerberos_tgt_passing, 0);
	set_default_int(&options->afs_token_passing, 0);
	set_default_int(&options->password_authentication, 1);
	set_default_int(&options->kbd_interactive_authentication, 0);
	set_default_int(&options->challenge_response_authentication, 1);
	set_default_int(&options->permit_empty_passwd, 0);
	set_default_int(&options->permit_user_env, 0);
	set_default_int(&options->use_login, 0);
	set_default_int(&options->compression, 1);
	set_default_int(&options->allow_tcp_forwarding, 1);
	set_default_int(&options->gateway_ports, 0);
	set_default_int(&options->max_startups, 10);
	set_default_int(&options->max_startups_rate, 100);	/* 100% */
	/* After max_startups: the drop threshold defaults to the hard limit. */
	set_default_int(&options->max_startups_begin, options->max_startups);
	set_default_int(&options->verify_reverse_mapping, 0);
	set_default_int(&options->client_alive_interval, 0);
	set_default_int(&options->client_alive_count_max, 3);
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	set_default_int(&use_privsep, 1);

#ifndef HAVE_MMAP
	/* The two cannot be combined on this platform; compression loses. */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif
}
273
/*
 * Keyword tokens.  The order defines the numeric values; keep it stable,
 * since process_server_config_line() prints the number in its
 * "Missing handler" diagnostic.
 */
typedef enum {
	sBadOption,			/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort,
	sHostKeyFile,
	sServerKeyBits,
	sLoginGraceTime,
	sKeyRegenerationTime,
	sPermitRootLogin,
	sLogFacility,
	sLogLevel,
	sRhostsAuthentication,
	sRhostsRSAAuthentication,
	sRSAAuthentication,
	sKerberosAuthentication,
	sKerberosOrLocalPasswd,
	sKerberosTicketCleanup,
	sKerberosTgtPassing,
	sAFSTokenPassing,
	sChallengeResponseAuthentication,
	sPasswordAuthentication,
	sKbdInteractiveAuthentication,
	sListenAddress,
	sPrintMotd,
	sPrintLastLog,
	sIgnoreRhosts,
	sX11Forwarding,
	sX11DisplayOffset,
	sX11UseLocalhost,
	sStrictModes,
	sEmptyPasswd,
	sKeepAlives,
	sPermitUserEnvironment,
	sUseLogin,
	sAllowTcpForwarding,
	sCompression,
	sAllowUsers,
	sDenyUsers,
	sAllowGroups,
	sDenyGroups,
	sIgnoreUserKnownHosts,
	sCiphers,
	sMacs,
	sProtocol,
	sPidFile,
	sGatewayPorts,
	sPubkeyAuthentication,
	sXAuthLocation,
	sSubsystem,
	sMaxStartups,
	sBanner,
	sVerifyReverseMapping,
	sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly,
	sClientAliveInterval,
	sClientAliveCountMax,
	sAuthorizedKeysFile,
	sAuthorizedKeysFile2,
	sUsePrivilegeSeparation,
	sDeprecated			/* recognised, logged and skipped */
} ServerOpCodes;

/*
 * Textual representation of the tokens.  Looked up case-insensitively by
 * parse_token(); the list is terminated by a NULL name.  Entries marked
 * "alias" are older spellings that map onto the same option.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
	{ "UsePAM", sUsePAM },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },					/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },			/* alias */
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
	{ "kerberostgtpassing", sKerberosTgtPassing },
	{ "afstokenpassing", sAFSTokenPassing },
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication },	/* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "verifyreversemapping", sVerifyReverseMapping },
	{ "reversemappingcheck", sVerifyReverseMapping },		/* alias */
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation },
	{ NULL, sBadOption }					/* terminator */
};
371
/*
 * Map a configuration keyword to its ServerOpCodes token using a
 * case-insensitive scan of keywords[].  An unknown keyword is reported via
 * error() (filename and linenum serve only that message) and yields
 * sBadOption, which the caller counts as a bad option.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
390
/*
 * Register listen sockets for addr (NULL = wildcard).  With port == 0 the
 * address is added once per configured Port; otherwise only for the given
 * port.  If no Port has been seen yet, SSH_DEFAULT_PORT is installed first
 * so that a bare ListenAddress still gets a port.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}

	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
404
/*
 * Resolve addr:port (addr NULL = passive wildcard for the IPv4or6 family)
 * into a chain of struct addrinfo and prepend it to options->listen_addrs.
 * Resolution failure is fatal(): a misspelled ListenAddress must not leave
 * sshd running on a partial set of sockets.  The chain is owned by options.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *head, *tail;
	char portstr[NI_MAXSERV];
	int rc;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;	/* otherwise stays 0 from the memset */
	snprintf(portstr, sizeof portstr, "%u", port);

	rc = getaddrinfo(addr, portstr, &hints, &head);
	if (rc != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(rc));

	/* Walk to the end of the new chain and splice the existing list after it. */
	tail = head;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = head;
}
426
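/*
 * Parse one line of the server configuration into options.
 *
 * Returns 0 for a blank/comment line or a successfully handled keyword,
 * and -1 for an unknown keyword (already reported by parse_token()); the
 * caller counts those and aborts at the end.  A malformed argument to a
 * known keyword is fatal() immediately.
 *
 * "First setting wins": a value that is already set (command line or an
 * earlier line) is not overwritten, which is why the shared tails test
 * *intptr == -1 / *charptr == NULL before storing.  The parse_int,
 * parse_time, parse_flag and parse_filename labels are those shared tails,
 * entered via goto from every case that takes that argument type.
 *
 * line is modified in place by strdelim().
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p, *endp;
	int *intptr, value, i, n;
	long lval;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sUsePAM:
		intptr = &options->use_pam;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/* ListenAddress expands over the ports known at that point. */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * Not atoi(): that would silently read "abc" as 0 and "10x"
		 * as 10.  Require the whole token to be a decimal integer
		 * that fits in an int.
		 */
		errno = 0;
		lval = strtol(arg, &endp, 10);
		if (endp == arg || *endp != '\0' || errno == ERANGE ||
		    lval < INT_MIN || lval > INT_MAX)
			fatal("%s line %d: invalid integer value '%s'.",
			    filename, linenum, arg);
		value = (int)lval;
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		/* convtime() accepts suffixed forms and returns -1 on error. */
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			/* "[v6addr]" or "[v6addr]:port": strip the brackets. */
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
			/* p now points at ':' or the terminating NUL. */
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			/* No port, or an unbracketed IPv6 address: all ports. */
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			/* ~ is expanded relative to the invoking uid, not the user logging in. */
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsAuthentication:
		intptr = &options->rhosts_authentication;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;

	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;

	case sKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;
		goto parse_flag;

	case sAFSTokenPassing:
		intptr = &options->afs_token_passing;
		goto parse_flag;

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sVerifyReverseMapping:
		intptr = &options->verify_reverse_mapping;
		goto parse_flag;

	case sLogFacility:
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		intptr = &use_privsep;
		goto parse_flag;

	/* The four access lists take any number of names on one line. */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal("%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		/* protocol uses SSH_PROTO_UNKNOWN, not -1, as its unset marker. */
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		/*
		 * Either "begin:rate:full" or a single "full" value.  Unlike
		 * the other options this writes the fields directly, so a
		 * later MaxStartups line replaces an earlier one.
		 */
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		logit("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		/* Drain the rest of the line so the garbage check below stays quiet. */
		while (arg)
			arg = strdelim(&cp);
		break;

	default:
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Anything left after the handled arguments is a configuration error. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}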
089fbbd2 911
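/*
 * Read the server configuration file into options, feeding each line to
 * process_server_config_line().  Unknown keywords are counted and reported
 * together at the end; an unreadable file, a malformed argument or an
 * overlong line terminates the program.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	int linenum, bad_options = 0;
	char line[1024];
	size_t len;
	FILE *f;

	debug2("read_server_config: filename %s", filename);
	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * fgets() stops after sizeof(line)-1 bytes.  If it stopped
		 * before the newline and more of the same line follows, the
		 * remainder would otherwise be handed to
		 * process_server_config_line() as a separate directive with
		 * its own line number.  Refuse rather than misparse; a final
		 * line with no trailing newline is still accepted.
		 */
		len = strlen(line);
		if (len > 0 && line[len - 1] != '\n') {
			int c = getc(f);

			/* c == '\n': the line fit exactly; consume it and go on. */
			if (c != EOF && c != '\n')
				fatal("%s line %d: line too long (max %d characters)",
				    filename, linenum, (int)(sizeof(line) - 1));
		}
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}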