8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
a1e30b47 13RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $");
8efc0c15 14
15#include "ssh.h"
42f11eb2 16#include "log.h"
8efc0c15 17#include "servconf.h"
18#include "xmalloc.h"
a8be9f80 19#include "compat.h"
42f11eb2 20#include "pathnames.h"
21#include "tildexpand.h"
22#include "misc.h"
23#include "cipher.h"
b2552997 24#include "kex.h"
25#include "mac.h"
42f11eb2 26
/*
 * Forward declarations for the ListenAddress helpers defined further down;
 * fill_default_server_options() and process_server_config_line() call
 * add_listen_addr() before its definition appears.
 */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/* AF_UNSPEC or AF_INET or AF_INET6 */
/* Defined elsewhere (presumably by sshd's option parsing); only read here,
 * as the ai_family hint for getaddrinfo() in add_one_listen_addr(). */
extern int IPv4or6;
/* Use of privilege separation or not */
/* Defined elsewhere but treated like an option in this file: reset to -1 by
 * initialize_server_options(), set by the UsePrivilegeSeparation keyword and
 * defaulted to 1 (on) by fill_default_server_options(). */
extern int use_privsep;
42f11eb2 34
/*
 * Reset every server option to its "not yet configured" sentinel.
 *
 * Integer options and yes/no flags become -1, string pointers NULL,
 * counters 0, and the enum-typed fields their *_NOT_SET / *_UNKNOWN value.
 * process_server_config_line() only stores into fields that still hold
 * their sentinel, and fill_default_server_options() later replaces any
 * sentinel that neither the command line nor the config file touched.
 * The global use_privsep is reset here as well because it is parsed like
 * an ordinary option but must be reachable from other files.
 */
void
initialize_server_options(ServerOptions *options)
{
	ServerOptions *o = options;

	/* Start from all-zero so any field not listed below is still defined. */
	memset(o, 0, sizeof(*o));

	/* Portable-specific options */
	o->use_pam = -1;

	/* Standard Options: listen configuration, list counters and strings. */
	o->num_ports = 0;
	o->ports_from_cmdline = 0;
	o->listen_addrs = NULL;
	o->num_host_key_files = 0;
	o->pid_file = NULL;
	o->xauth_location = NULL;
	o->num_allow_users = 0;
	o->num_deny_users = 0;
	o->num_allow_groups = 0;
	o->num_deny_groups = 0;
	o->ciphers = NULL;
	o->macs = NULL;
	o->num_subsystems = 0;
	o->banner = NULL;
	o->authorized_keys_file = NULL;
	o->authorized_keys_file2 = NULL;

	/* Fields whose "unset" value is a dedicated enum/flag constant, not -1. */
	o->permit_root_login = PERMIT_NOT_SET;
	o->log_facility = SYSLOG_FACILITY_NOT_SET;
	o->log_level = SYSLOG_LEVEL_NOT_SET;
	o->protocol = SSH_PROTO_UNKNOWN;

	/* Plain integer options and yes/no flags: -1 means "not set". */
	o->server_key_bits = -1;
	o->login_grace_time = -1;
	o->key_regeneration_time = -1;
	o->ignore_rhosts = -1;
	o->ignore_user_known_hosts = -1;
	o->print_motd = -1;
	o->print_lastlog = -1;
	o->x11_forwarding = -1;
	o->x11_display_offset = -1;
	o->x11_use_localhost = -1;
	o->strict_modes = -1;
	o->tcp_keep_alive = -1;
	o->rhosts_rsa_authentication = -1;
	o->hostbased_authentication = -1;
	o->hostbased_uses_name_from_packet_only = -1;
	o->rsa_authentication = -1;
	o->pubkey_authentication = -1;
	o->kerberos_authentication = -1;
	o->kerberos_or_local_passwd = -1;
	o->kerberos_ticket_cleanup = -1;
	o->kerberos_get_afs_token = -1;
	o->gss_authentication = -1;
	o->gss_cleanup_creds = -1;
	o->password_authentication = -1;
	o->kbd_interactive_authentication = -1;
	o->challenge_response_authentication = -1;
	o->permit_empty_passwd = -1;
	o->permit_user_env = -1;
	o->use_login = -1;
	o->compression = -1;
	o->allow_tcp_forwarding = -1;
	o->gateway_ports = -1;
	o->max_startups_begin = -1;
	o->max_startups_rate = -1;
	o->max_startups = -1;
	o->use_dns = -1;
	o->client_alive_interval = -1;
	o->client_alive_count_max = -1;

	/* Needs to be accessable in many places */
	use_privsep = -1;
}
108
/*
 * Store `dflt` into an integer option only while it still holds the -1
 * "unset" sentinel left by initialize_server_options().  Helper for
 * fill_default_server_options(); the enum-typed and pointer options are
 * handled inline there because their sentinels are not -1.
 */
static void
set_default_int(int *opt, int dflt)
{
	if (*opt == -1)
		*opt = dflt;
}

/*
 * Supply a default for every option that neither the command line nor the
 * config file set.  Must run after all config parsing, since it only touches
 * fields still at their sentinel value.
 *
 * Reviewer-visible facts about the defaults chosen here: both protocol
 * versions are enabled, PermitRootLogin defaults to PERMIT_YES,
 * PasswordAuthentication and ChallengeResponseAuthentication default to on,
 * and privilege separation defaults to on.  The host key list, listen
 * address list and AuthorizedKeysFile2 fallback are derived from other
 * options, so those are filled in the order shown.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	set_default_int(&options->use_pam, 0);

	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	/* A NULL addr with port 0 binds the wildcard address on every port. */
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;

	set_default_int(&options->server_key_bits, 768);
	set_default_int(&options->login_grace_time, 120);
	set_default_int(&options->key_regeneration_time, 3600);
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	set_default_int(&options->ignore_rhosts, 1);
	set_default_int(&options->ignore_user_known_hosts, 0);
	set_default_int(&options->print_motd, 1);
	set_default_int(&options->print_lastlog, 1);
	set_default_int(&options->x11_forwarding, 0);
	set_default_int(&options->x11_display_offset, 10);
	set_default_int(&options->x11_use_localhost, 1);
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	set_default_int(&options->strict_modes, 1);
	set_default_int(&options->tcp_keep_alive, 1);
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;

	/* Authentication methods. */
	set_default_int(&options->rhosts_rsa_authentication, 0);
	set_default_int(&options->hostbased_authentication, 0);
	set_default_int(&options->hostbased_uses_name_from_packet_only, 0);
	set_default_int(&options->rsa_authentication, 1);
	set_default_int(&options->pubkey_authentication, 1);
	set_default_int(&options->kerberos_authentication, 0);
	set_default_int(&options->kerberos_or_local_passwd, 1);
	set_default_int(&options->kerberos_ticket_cleanup, 1);
	set_default_int(&options->kerberos_get_afs_token, 0);
	set_default_int(&options->gss_authentication, 0);
	set_default_int(&options->gss_cleanup_creds, 1);
	set_default_int(&options->password_authentication, 1);
	set_default_int(&options->kbd_interactive_authentication, 0);
	set_default_int(&options->challenge_response_authentication, 1);
	set_default_int(&options->permit_empty_passwd, 0);
	set_default_int(&options->permit_user_env, 0);
	set_default_int(&options->use_login, 0);

	/* Session / connection behaviour. */
	set_default_int(&options->compression, 1);
	set_default_int(&options->allow_tcp_forwarding, 1);
	set_default_int(&options->gateway_ports, 0);
	set_default_int(&options->max_startups, 10);
	set_default_int(&options->max_startups_rate, 100); /* 100% */
	/* Depends on max_startups already being resolved above. */
	set_default_int(&options->max_startups_begin, options->max_startups);
	set_default_int(&options->use_dns, 1);
	set_default_int(&options->client_alive_interval, 0);
	set_default_int(&options->client_alive_count_max, 3);

	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Turn privilege separation on by default */
	set_default_int(&use_privsep, 1);

#ifndef HAVE_MMAP
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif

}
245
/* Keyword tokens. */
/*
 * One token per recognised sshd_config keyword; parse_token() maps the
 * keyword text to a token via the keywords[] table below, and
 * process_server_config_line() switches on it.  Several keywords share a
 * token (aliases), and sKerberosTgtPassing has no keyword mapped to it in
 * the table ("kerberostgtpassing" maps to sUnsupported), so it is unused here.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosGetAFSToken,
	sKerberosTgtPassing, sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
	sBanner, sUseDNS, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sGssAuthentication, sGssCleanupCreds,
	sUsePrivilegeSeparation,
	/*
	 * Keywords that are recognised but not acted on: both are logged and
	 * the rest of the line is skipped rather than treated as an error.
	 * sUnsupported is also what compiled-out features map to.
	 */
	sDeprecated, sUnsupported
} ServerOpCodes;
273
/* Textual representation of the tokens. */
/*
 * Keyword lookup table for parse_token().  Names are matched with
 * strcasecmp(), so case in the config file is irrelevant; the first match
 * wins and the NULL-named entry terminates the scan.  Keywords for features
 * compiled out (USE_PAM, KRB5, USE_AFS, GSSAPI) still appear, mapped to
 * sUnsupported, so a config that names them is logged rather than rejected.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "usepam", sUsePAM },
#else
	{ "usepam", sUnsupported },
#endif
	{ "pamauthenticationviakbdint", sDeprecated },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sDeprecated },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },	/* alias */
#ifdef KRB5
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#ifdef USE_AFS
	{ "kerberosgetafstoken", sKerberosGetAFSToken },
#else
	{ "kerberosgetafstoken", sUnsupported },
#endif
#else
	{ "kerberosauthentication", sUnsupported },
	{ "kerberosorlocalpasswd", sUnsupported },
	{ "kerberosticketcleanup", sUnsupported },
	{ "kerberosgetafstoken", sUnsupported },
#endif
	/* Never supported in this file regardless of build options. */
	{ "kerberostgtpassing", sUnsupported },
	{ "afstokenpassing", sUnsupported },
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication },
	{ "gssapicleanupcredentials", sGssCleanupCreds },
#else
	{ "gssapiauthentication", sUnsupported },
	{ "gssapicleanupcredentials", sUnsupported },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "tcpkeepalive", sTCPKeepAlive },
	{ "keepalive", sTCPKeepAlive },				/* obsolete alias */
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "banner", sBanner },
	{ "usedns", sUseDNS },
	{ "verifyreversemapping", sDeprecated },
	{ "reversemappingcheck", sDeprecated },
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	/* Sentinel: parse_token() stops at the NULL name. */
	{ NULL, sBadOption }
};
371
/*
 * Map the keyword `cp` to its ServerOpCodes token by a case-insensitive
 * scan of keywords[].  On no match an error naming `filename` and
 * `linenum` is logged and sBadOption is returned; the caller turns that
 * into a failed return for the line.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	/* keywords[] ends with a NULL name, which stops the scan. */
	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
390
/*
 * Queue listen addresses for `addr` (NULL for the wildcard address).
 * A non-zero `port` binds just that port; port 0 means "every configured
 * Port", which is why a missing Port list is first filled with the default.
 * Because of this, Port lines must precede ListenAddress lines in the
 * config (process_server_config_line() enforces that).
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
404
/*
 * Resolve `addr`:`port` into addrinfo entries and prepend them to
 * options->listen_addrs.  A NULL `addr` requests the passive (wildcard)
 * address.  Resolution failure is fatal; the resulting list is therefore
 * never partially built.  Ownership of the addrinfo chain passes to
 * options->listen_addrs.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *tail;
	char portstr[NI_MAXSERV];
	int err;

	memset(&hints, 0, sizeof hints);
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = (addr != NULL) ? 0 : AI_PASSIVE;

	/* getaddrinfo() wants the service as text. */
	snprintf(portstr, sizeof portstr, "%u", port);
	err = getaddrinfo(addr, portstr, &hints, &res);
	if (err != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(err));

	/* Find the end of the new chain, then hang the old list behind it. */
	tail = res;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
426
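/*
 * Parse a single sshd_config line into `options`.
 *
 * `line` is tokenized in place with strdelim(); `filename` and `linenum`
 * appear only in diagnostics.  Returns 0 when the line was handled (blank
 * lines, comments and deprecated/unsupported keywords included) and -1 for
 * an unknown keyword so the caller can count it.  Malformed arguments are
 * reported through fatal() and do not return.
 *
 * Scalar options are stored only while they still hold the "unset"
 * sentinel from initialize_server_options() (-1, NULL or
 * SSH_PROTO_UNKNOWN), so the first assignment wins: values set before the
 * file is read (e.g. from the command line) take precedence, and a keyword
 * repeated in the file keeps its first value.  List options (AllowUsers,
 * DenyUsers, AllowGroups, DenyGroups, Subsystem, HostKey) accumulate, and
 * MaxStartups is the one scalar that is overwritten on every occurrence.
 *
 * The shared parse_flag / parse_int / parse_time / parse_filename labels
 * are reached by goto after `intptr` or `charptr` has been pointed at the
 * target field; intptr doubles as the element counter for HostKey.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p, *endp;
	int *intptr, value, i, n;
	long lval;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sUsePAM:
		intptr = &options->use_pam;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/* ListenAddress expands to every Port seen so far, so Port must come first. */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * strtol() rather than atoi(): atoi() has no error channel,
		 * so "X11DisplayOffset foo" would silently become 0.  Reject
		 * an empty parse, trailing characters, and values that do
		 * not survive the round trip through int.
		 */
		lval = strtol(arg, &endp, 10);
		if (endp == arg || *endp != '\0' || (long)(int)lval != lval)
			fatal("%s line %d: invalid integer value '%s'.",
			    filename, linenum, arg);
		value = (int)lval;
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		/* convtime() handles the s/m/h/d/w suffixes and reports -1 on error. */
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			/*
			 * "[addr]" or "[addr]:port" (IPv6 form).  Drop the
			 * brackets in place; p then points at whatever
			 * followed ']' -- ':' or the terminating NUL.
			 */
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			/* No colon, or several (bare IPv6): address only, all ports. */
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				/* Split "addr:port" at the colon. */
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		/* intptr is the element count here; parse_filename bumps it. */
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			/* Expanded relative to the invoking user's home. */
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		/* PERMIT_NOT_SET is presumably -1; verify against servconf.h. */
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;

	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;

	case sKerberosGetAFSToken:
		intptr = &options->kerberos_get_afs_token;
		goto parse_flag;

	case sGssAuthentication:
		intptr = &options->gss_authentication;
		goto parse_flag;

	case sGssCleanupCreds:
		intptr = &options->gss_cleanup_creds;
		goto parse_flag;

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sTCPKeepAlive:
		intptr = &options->tcp_keep_alive;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sUseDNS:
		intptr = &options->use_dns;
		goto parse_flag;

	case sLogFacility:
		/* Enum field accessed through int *; the -1 test assumes
		 * SYSLOG_FACILITY_NOT_SET == -1 (see log.h). */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		/* Same int * aliasing and -1 assumption as sLogFacility. */
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		/* Global rather than a struct member; see the extern above. */
		intptr = &use_privsep;
		goto parse_flag;

	/*
	 * The four access-list keywords take any number of patterns per
	 * line and accumulate across lines, bounded by the MAX_* sizes.
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal( "%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		/* Validated against the compiled-in cipher list before storing. */
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		/* Names must be unique; a duplicate is a hard error, not an override. */
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		/*
		 * "start:rate:full" or a single "full".  sscanf() writes
		 * straight into the option fields, so unlike the other
		 * scalars this keyword overrides earlier settings, and
		 * trailing non-numeric characters inside the token are not
		 * rejected.
		 */
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sDeprecated:
		/* Log once, then swallow the rest of the line. */
		logit("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	case sUnsupported:
		logit("%s line %d: Unsupported option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		/* A token in ServerOpCodes and keywords[] with no case above. */
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Every handler must consume its arguments; anything left is an error. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}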
089fbbd2 918
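/* Reads the server configuration file. */
/*
 * Feed every line of `filename` through process_server_config_line().
 * Unknown keywords are counted and reported together at the end (fatal);
 * most other parse errors are fatal immediately inside the line parser.
 * Failure to open the file exits the process.
 */
void
read_server_config(ServerOptions *options, const char *filename)
{
	int linenum = 0, bad_options = 0;
	char line[1024];
	size_t len;
	FILE *f;

	debug2("read_server_config: filename %s", filename);
	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		linenum++;
		/*
		 * fgets() silently splits a line longer than the buffer
		 * across two reads, so the tail would be parsed as a
		 * separate line with a wrong line number.  Detect a full
		 * buffer with no newline; peeking one character tells a
		 * truncated line apart from a final line without '\n'.
		 */
		len = strlen(line);
		if (len == sizeof(line) - 1 && line[len - 1] != '\n' &&
		    getc(f) != EOF)
			fatal("%s line %d: line too long.", filename, linenum);
		if (process_server_config_line(options, line, filename, linenum) != 0)
			bad_options++;
	}
	fclose(f);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}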