8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
cc4d7cb6 13RCSID("$OpenBSD: servconf.c,v 1.127 2003/09/01 18:15:50 markus Exp $");
8efc0c15 14
15#include "ssh.h"
42f11eb2 16#include "log.h"
8efc0c15 17#include "servconf.h"
18#include "xmalloc.h"
a8be9f80 19#include "compat.h"
42f11eb2 20#include "pathnames.h"
21#include "tildexpand.h"
22#include "misc.h"
23#include "cipher.h"
b2552997 24#include "kex.h"
25#include "mac.h"
42f11eb2 26
/*
 * ListenAddress helpers (defined below).  add_listen_addr() fans one
 * address out over the configured ports; add_one_listen_addr() resolves
 * a single address:port pair and prepends it to options->listen_addrs.
 */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6 */
extern int IPv4or6;	/* defined outside this file; used as getaddrinfo() ai_family */
/* Use of privilege separation or not */
extern int use_privsep;	/* defined outside this file; -1 = not set, like the struct fields */
42f11eb2 34
/* Initializes the server options to their default values. */

/*
 * Reset *options so that every field reads as "not set":
 *   - memset() zeroes the whole struct, including the fixed-size arrays
 *     (ports, host_key_files, allow_users, ...) and their counters;
 *   - each scalar option is then given an explicit sentinel: -1 for the
 *     yes/no and integer options, NULL for strings, and the *_NOT_SET /
 *     SSH_PROTO_UNKNOWN enum values for the enum-typed fields.
 * process_server_config_line() only stores a value while a field still
 * holds its sentinel, and fill_default_server_options() later fills in
 * whatever is still unset; the sentinel is what distinguishes "admin said
 * nothing" from an explicit "no"/0.
 *
 * NOTE(review): a new ServerOptions field that is forgotten here stays 0
 * after the memset, and 0 is "already set" as far as the parser's
 * `*intptr == -1` guard is concerned, so the matching sshd_config
 * directive would be silently ignored.  Every option needs a line below.
 */
void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->use_pam = -1;

	/* Standard Options */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->num_host_key_files = 0;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->permit_root_login = PERMIT_NOT_SET;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->strict_modes = -1;
	options->keepalives = -1;
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
	options->gss_authentication=-1;
	options->gss_cleanup_creds = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->compression = -1;
	options->allow_tcp_forwarding = -1;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->ciphers = NULL;
	options->macs = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->gateway_ports = -1;
	options->num_subsystems = 0;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->banner = NULL;
	options->use_dns = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* Needs to be accessable in many places */
	/* use_privsep is a global rather than a struct field; same -1 sentinel. */
	use_privsep = -1;
}
107
/*
 * Replace every option still holding its "not set" sentinel (see
 * initialize_server_options) with the compiled-in default.  Called once
 * after the command line and sshd_config have been processed, so anything
 * the administrator set explicitly is left alone.
 *
 * The defaults below ARE the effective security policy of an sshd started
 * with an empty config, so the notable ones are called out inline.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	if (options->use_pam == -1)
		options->use_pam = 1;

	/* Standard Options */
	/*
	 * NOTE(review): both protocol versions are enabled unless the config
	 * says "Protocol 2"; the SSH1 host key and server key below only
	 * come into play because of this default.
	 */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* No ListenAddress: listen on the wildcard address for every port. */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	/* SSH1 ephemeral server key size (bits); only used with SSH_PROTO_1. */
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	if (options->login_grace_time == -1)
		options->login_grace_time = 120;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	/*
	 * NOTE(review): root login is permitted by default.  Hardened
	 * deployments must set PermitRootLogin explicitly; nothing here
	 * restricts it.
	 */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->print_lastlog == -1)
		options->print_lastlog = 1;
	/* X11 forwarding is off by default; when on, bound to localhost. */
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 0;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
		options->x11_use_localhost = 1;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	/* StrictModes on: per-user files with unsafe ownership/modes are refused. */
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/* Host-trust based methods are all off by default. */
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->hostbased_uses_name_from_packet_only == -1)
		options->hostbased_uses_name_from_packet_only = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 0;
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
	if (options->gss_authentication == -1)
		options->gss_authentication = 0;
	if (options->gss_cleanup_creds == -1)
		options->gss_cleanup_creds = 1;
	/* Password auth stays on; empty passwords are refused. */
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 0;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	/* Users may not inject environment via ~/.ssh/environment by default. */
	if (options->permit_user_env == -1)
		options->permit_user_env = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	if (options->compression == -1)
		options->compression = 1;
	if (options->allow_tcp_forwarding == -1)
		options->allow_tcp_forwarding = 1;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	/* MaxStartups: 10 unauthenticated connections, no random early drop. */
	if (options->max_startups == -1)
		options->max_startups = 10;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = 100;		/* 100% */
	if (options->max_startups_begin == -1)
		options->max_startups_begin = options->max_startups;
	if (options->use_dns == -1)
		options->use_dns = 1;
	/* ClientAliveInterval 0 disables the liveness probes. */
	if (options->client_alive_interval == -1)
		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	/*
	 * If only AuthorizedKeysFile was given, AuthorizedKeysFile2 aliases
	 * the same string, so both lookups consult that one file.
	 */
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	if (use_privsep == -1)
		use_privsep = 1;

#ifndef HAVE_MMAP
	/*
	 * Privsep wins over compression on platforms without mmap(): the
	 * admin's "Compression yes" is overridden and the change is logged
	 * via error(), not treated as a config error.
	 */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
242
/* Keyword tokens. */
/*
 * One opcode per sshd_config keyword; parse_token() maps the textual
 * keyword (keywords[] below) to one of these and
 * process_server_config_line() switches on it.
 *
 * sDeprecated and sUnsupported are catch-all opcodes for keywords that
 * are recognised but no longer do anything, or that were compiled out;
 * their handler only logs and discards the rest of the line.
 *
 * NOTE(review): sKerberosTgtPassing is never produced -- keywords[] maps
 * "kerberostgtpassing" to sUnsupported -- and has no case in the parser's
 * switch, so it is currently a dead value (it would hit the "Missing
 * handler" fatal if something did produce it).
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosTgtPassing, sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sKeepAlives,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sUseDNS, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sGssAuthentication, sGssCleanupCreds,
	sUsePrivilegeSeparation,
	sDeprecated, sUnsupported
} ServerOpCodes;
269
/* Textual representation of the tokens. */
/*
 * Keyword table consulted by parse_token().  Names are stored in lower
 * case but matched with strcasecmp(), so sshd_config spelling is
 * case-insensitive.  The table MUST stay terminated by the { NULL,
 * sBadOption } entry: parse_token() walks it until name == NULL.
 *
 * Keywords for features that were compiled out (USE_PAM, KRB5, GSSAPI)
 * are kept but mapped to sUnsupported.
 * NOTE(review): that means e.g. "KerberosAuthentication yes" on a build
 * without KRB5 is only logged (see the sUnsupported case) and sshd keeps
 * running without that method -- the config is not rejected.  Operators
 * relying on such an option should check the log, or the build flags.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "usepam", sUsePAM },
#else
	{ "usepam", sUnsupported },
#endif
	{ "pamauthenticationviakbdint", sDeprecated },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sDeprecated },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },			/* alias */
#ifdef KRB5
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#else
	{ "kerberosauthentication", sUnsupported },
	{ "kerberosorlocalpasswd", sUnsupported },
	{ "kerberosticketcleanup", sUnsupported },
#endif
	/* Unconditionally unsupported: no build flag enables these any more. */
	{ "kerberostgtpassing", sUnsupported },
	{ "afstokenpassing", sUnsupported },
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication },
	{ "gssapicleanupcreds", sGssCleanupCreds },
#else
	{ "gssapiauthentication", sUnsupported },
	{ "gssapicleanupcreds", sUnsupported },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "keepalive", sKeepAlives },
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "usedns", sUseDNS },
	{ "verifyreversemapping", sDeprecated },
	{ "reversemappingcheck", sDeprecated },
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ NULL, sBadOption }	/* sentinel: parse_token() stops here */
};
360
/*
 * Map the configuration keyword `cp` to its ServerOpCodes value.
 *
 * The lookup is a linear, case-insensitive scan of keywords[], which is
 * terminated by an entry whose name is NULL.  An unknown keyword is
 * reported with error() -- including the file name and line number so the
 * admin can find it -- and sBadOption is returned so the caller can count
 * the failure and abort once the whole file has been read.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
379
/*
 * Queue listen sockets for `addr`.
 *
 * With port == 0 the address is paired with every configured Port; if no
 * Port directive has been seen yet, SSH_DEFAULT_PORT is installed first so
 * there is always at least one.  A non-zero port binds that single port
 * only.  addr == NULL is passed through to add_one_listen_addr(), which
 * treats it as the passive (wildcard) address.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	/* No Port seen yet: the default port is the only one to use. */
	if (options->num_ports == 0) {
		options->ports[0] = SSH_DEFAULT_PORT;
		options->num_ports = 1;
	}

	/* Explicit "addr:port": one socket, independent of the Port list. */
	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}

	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
393
/*
 * Resolve `addr`:`port` with getaddrinfo() and prepend the resulting
 * address list to options->listen_addrs.
 *
 * addr == NULL selects AI_PASSIVE, i.e. the wildcard address; the address
 * family comes from the global IPv4or6 (set outside this file).  Because a
 * non-NULL addr may be a host name, this can perform a DNS lookup at
 * configuration time.  A resolution failure is fatal(): sshd does not
 * start with a ListenAddress it cannot resolve.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *tail;
	char portstr[NI_MAXSERV];
	int err;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	if (addr == NULL)
		hints.ai_flags = AI_PASSIVE;
	snprintf(portstr, sizeof(portstr), "%u", port);

	err = getaddrinfo(addr, portstr, &hints, &res);
	if (err != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>", gai_strerror(err));

	/*
	 * Splice the new list in front of the existing one: walk to the
	 * last new entry and hang the old list off it.  (getaddrinfo()
	 * returns at least one entry on success, so `res` is non-NULL.)
	 */
	tail = res;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
415
/*
 * Parse one line of sshd_config (or one -o argument) into *options.
 *
 * Returns 0 for an empty/comment line or a successfully handled directive,
 * and -1 for an unknown keyword (already reported by parse_token(), so the
 * caller can count them and fail once at the end).  A malformed argument
 * to a known keyword is fatal() on the spot.
 *
 * Assignment convention: most handlers store a value only while the field
 * still holds its "unset" sentinel (-1, NULL, SSH_PROTO_UNKNOWN, ...), so
 * the FIRST occurrence of an option wins and later duplicates are ignored
 * without any diagnostic -- presumably so that settings processed earlier
 * (e.g. from the command line) take precedence over the file.  Handlers
 * that deviate from this are marked inline.
 *
 * `line` is tokenised in place by strdelim() and is modified.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p;
	int *intptr, value, i, n;
	ServerOpCodes opcode;

	cp = line;
	/*
	 * The first strdelim() result is dereferenced without a NULL check;
	 * this relies on strdelim() returning non-NULL for a non-NULL cp
	 * (presumably its contract in misc.c).  Only the second call,
	 * which may run off the end of the line, is checked.
	 */
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sUsePAM:
		intptr = &options->use_pam;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/*
		 * ListenAddress expands over the Port list at parse time
		 * (add_listen_addr), so a Port after any ListenAddress would
		 * silently not apply to it -- reject instead.
		 */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		/* a2port() returns 0 for anything that is not a valid port. */
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * NOTE(review): atoi() yields 0 for non-numeric input and
		 * does not detect overflow, so e.g. "ServerKeyBits abc" or
		 * "X11DisplayOffset 10x" are accepted silently.  strtol()
		 * with an end-pointer/ERANGE check would reject them.
		 */
		value = atoi(arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		/* convtime() handles the "30m"/"1h" style suffixes and returns -1 on error. */
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms:
		 *   host               host:port
		 *   [v6addr]           [v6addr]:port
		 *   v6addr             (bare, two or more colons -> no port)
		 * Without a port the address is paired with every Port.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			/* Drop the brackets in place; p now points just past the address. */
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			/* No colon, or a bare IPv6 literal: whole token is the address. */
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				/* Terminate the address at the ':' and parse what follows as the port. */
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		/*
		 * HostKey is cumulative: each occurrence fills the next slot
		 * (the slots are NULL from the initial memset, so the
		 * "*charptr == NULL" test in parse_filename always passes)
		 * and bumps num_host_key_files.
		 */
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			/*
			 * A leading "~" is expanded here, at parse time, with
			 * the uid of the process reading the config (sshd
			 * itself) -- not the uid of the user who later
			 * authenticates.  Relevant for AuthorizedKeysFile,
			 * which shares this code; see the %-expansion note
			 * on that case.
			 */
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		/* The field's sentinel is PERMIT_NOT_SET; this relies on it being -1 (verify in servconf.h). */
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* Shared yes/no parser; intptr was set by the jumping case. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;

	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;

	case sGssAuthentication:
		intptr = &options->gss_authentication;
		goto parse_flag;

	case sGssCleanupCreds:
		intptr = &options->gss_cleanup_creds;
		goto parse_flag;

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sKeepAlives:
		intptr = &options->keepalives;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sUseDNS:
		intptr = &options->use_dns;
		goto parse_flag;

	case sLogFacility:
		/*
		 * arg may be NULL here (end of line); log_facility_number()
		 * is assumed to cope, since the fatal below prints "<NONE>"
		 * for that case.  The "*intptr == -1" test relies on
		 * SYSLOG_FACILITY_NOT_SET being -1 -- verify in log.h.
		 */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		/* Same pattern and same -1 == SYSLOG_LEVEL_NOT_SET assumption as sLogFacility. */
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		/* Stored in the file-scope global, not in *options. */
		intptr = &use_privsep;
		goto parse_flag;

	/*
	 * The four access lists below are cumulative across lines and
	 * bounded by their MAX_* constants; every token on the line is
	 * copied with xstrdup().
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal( "%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		/* Validated against the compiled-in cipher list before being kept. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		/* "Subsystem name command"; duplicate names are rejected. */
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		/*
		 * Either a single count, or "begin:rate:full" with
		 * begin <= full and 1 <= rate <= 100.  sscanf() writes the
		 * fields directly, and unlike the other handlers there is
		 * no "already set" check, so a later MaxStartups overrides
		 * an earlier one (including one given on the command line).
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 *
	 * Note the two expansion steps differ: "~" is expanded right here
	 * with the daemon's own uid (see parse_filename), the %X tokens
	 * only later for the authenticating user.
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		/* Log and swallow the rest of the line so the trailing-garbage check passes. */
		logit("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	case sUnsupported:
		/*
		 * NOTE(review): an option for a feature compiled out of this
		 * build is only logged here; the config is accepted and sshd
		 * runs without it.  See the keywords[] table for which
		 * options this applies to.
		 */
		logit("%s line %d: Unsupported option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		/* Only reachable if keywords[] produces an opcode with no case above. */
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Anything left after the handler consumed its arguments is an error. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}
089fbbd2 903
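/* Reads the server configuration file. */

/*
 * Read `filename` and feed it line by line to process_server_config_line().
 *
 * Syntax errors inside a known directive are fatal() there; unknown
 * keywords are counted and reported together once the whole file has been
 * read.  A file that cannot be opened terminates sshd via exit(1).
 *
 * Two conditions that a plain fgets() loop passes over silently are made
 * fatal here, because a configuration that is only partially applied is a
 * security problem (a later "PermitRootLogin no" or "AllowUsers" might
 * simply never be seen):
 *   - a line longer than the line buffer, whose tail would otherwise be
 *     parsed as a second, separate directive;
 *   - a read error, which would otherwise be indistinguishable from EOF.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	int linenum, bad_options = 0;
	char line[1024];
	FILE *f;

	debug2("read_server_config: filename %s", filename);
	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * No newline in the buffer means fgets() stopped early.  That
		 * is fine for the final line of a file without a trailing
		 * newline, or for a line of exactly sizeof(line) - 1 bytes
		 * whose newline is the very next byte; anything else is a
		 * line that overflowed the buffer.  Peek one byte to tell
		 * the cases apart (at EOF getc() consumes nothing, and a
		 * consumed '\n' is exactly the terminator we lacked).
		 */
		if (strchr(line, '\n') == NULL) {
			int c = getc(f);

			if (c != EOF && c != '\n')
				fatal("%s line %d: line too long (max %lu bytes).",
				    filename, linenum,
				    (unsigned long)(sizeof(line) - 1));
		}
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	/* fgets() returns NULL on error as well as on EOF; do not treat a short read as a complete config. */
	if (ferror(f))
		fatal("%s: read error", filename);
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}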