[openssh.git] / servconf.c

/*
 *
 * servconf.c
 *
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 *
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 *
 * Created: Mon Aug 21 15:48:58 1995 ylo
 *
 */

#include "includes.h"
RCSID("$Id$");

#include "ssh.h"
#include "servconf.h"
#include "xmalloc.h"
#include "compat.h"

/* add listen address */
void add_listen_addr(ServerOptions *options, char *addr);

/* Initializes the server options to their default values. */

void
initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->host_key_file = NULL;
	options->host_dsa_key_file = NULL;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->permit_root_login = -1;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->check_mail = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->xauth_location = NULL;
	options->strict_modes = -1;
	options->keepalives = -1;
	options->log_facility = (SyslogFacility) - 1;
	options->log_level = (LogLevel) - 1;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->rsa_authentication = -1;
	options->dsa_authentication = -1;
#ifdef KRB4
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#ifdef AFS
	options->kerberos_tgt_passing = -1;
	options->afs_token_passing = -1;
#endif
	options->password_authentication = -1;
#ifdef SKEY
	options->skey_authentication = -1;
#endif
	options->permit_empty_passwd = -1;
	options->use_login = -1;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	options->ciphers = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->gateway_ports = -1;
}

void
fill_default_server_options(ServerOptions *options)
{
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL);
	if (options->host_key_file == NULL)
		options->host_key_file = HOST_KEY_FILE;
	if (options->host_dsa_key_file == NULL)
		options->host_dsa_key_file = HOST_DSA_KEY_FILE;
	if (options->pid_file == NULL)
		options->pid_file = SSH_DAEMON_PID_FILE;
	if (options->server_key_bits == -1)
		options->server_key_bits = 768;
	if (options->login_grace_time == -1)
		options->login_grace_time = 600;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	if (options->permit_root_login == -1)
		options->permit_root_login = 1;			/* yes */
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->check_mail == -1)
		options->check_mail = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 0;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
#ifdef XAUTH_PATH
	if (options->xauth_location == NULL)
		options->xauth_location = XAUTH_PATH;
#endif /* XAUTH_PATH */
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->log_facility == (SyslogFacility) (-1))
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == (LogLevel) (-1))
		options->log_level = SYSLOG_LEVEL_INFO;
	if (options->rhosts_authentication == -1)
		options->rhosts_authentication = 0;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->dsa_authentication == -1)
		options->dsa_authentication = 1;
#ifdef KRB4
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
#endif /* KRB4 */
#ifdef AFS
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 0;
	if (options->afs_token_passing == -1)
		options->afs_token_passing = k_hasafs();
#endif /* AFS */
	if (options->password_authentication == -1)
		options->password_authentication = 1;
#ifdef SKEY
	if (options->skey_authentication == -1)
		options->skey_authentication = 1;
#endif
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
}

#define WHITESPACE " \t\r\n"

/* Keyword tokens. */
typedef enum {
	sBadOption,		/* == unknown option */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
#ifdef KRB4
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
#endif
#ifdef AFS
	sKerberosTgtPassing, sAFSTokenPassing,
#endif
#ifdef SKEY
	sSkeyAuthentication,
#endif
	sPasswordAuthentication, sListenAddress,
	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
	sGatewayPorts, sDSAAuthentication, sXAuthLocation
} ServerOpCodes;

/* Textual representation of the tokens. */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostDSAKeyFile },
 	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "rsaauthentication", sRSAAuthentication },
	{ "dsaauthentication", sDSAAuthentication },
#ifdef KRB4
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#endif
#ifdef AFS
	{ "kerberostgtpassing", sKerberosTgtPassing },
	{ "afstokenpassing", sAFSTokenPassing },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
#ifdef SKEY
	{ "skeyauthentication", sSkeyAuthentication },
#endif
	{ "checkmail", sCheckMail },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "uselogin", sUseLogin },
	{ "randomseed", sRandomSeedFile },
	{ "keepalive", sKeepAlives },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ NULL, 0 }
};

/*
 * Returns the number of the token pointed to by cp of length len. Never
 * returns if the token is not known.
 */

static ServerOpCodes
parse_token(const char *cp, const char *filename,
	    int linenum)
{
	unsigned int i;

	for (i = 0; keywords[i].name; i++)
		if (strcasecmp(cp, keywords[i].name) == 0)
			return keywords[i].opcode;

	fprintf(stderr, "%s: line %d: Bad configuration option: %s\n",
		filename, linenum, cp);
	return sBadOption;
}

/*
 * add listen address
 */
void
add_listen_addr(ServerOptions *options, char *addr)
{
	extern int IPv4or6;
	struct addrinfo hints, *ai, *aitop;
	char strport[NI_MAXSERV];
	int gaierr;
	int i;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	for (i = 0; i < options->num_ports; i++) {
		memset(&hints, 0, sizeof(hints));
		hints.ai_family = IPv4or6;
		hints.ai_socktype = SOCK_STREAM;
		hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
		snprintf(strport, sizeof strport, "%d", options->ports[i]);
		if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
			fatal("bad addr or host: %s (%s)\n",
			    addr ? addr : "<NULL>",
			    gai_strerror(gaierr));
		for (ai = aitop; ai->ai_next; ai = ai->ai_next)
			;
		ai->ai_next = options->listen_addrs;
		options->listen_addrs = aitop;
	}
}

/* Reads the server configuration file. */

void
read_server_config(ServerOptions *options, const char *filename)
{
	FILE *f;
	char line[1024];
	char *cp, **charptr;
	int linenum, *intptr, value;
	int bad_options = 0;
	ServerOpCodes opcode;

	f = fopen(filename, "r");
	if (!f) {
		perror(filename);
		exit(1);
	}
	linenum = 0;
	while (fgets(line, sizeof(line), f)) {
		linenum++;
		cp = line + strspn(line, WHITESPACE);
		if (!*cp || *cp == '#')
			continue;
		cp = strtok(cp, WHITESPACE);
		opcode = parse_token(cp, filename, linenum);
		switch (opcode) {
		case sBadOption:
			bad_options++;
			continue;
		case sPort:
			/* ignore ports from configfile if cmdline specifies ports */
			if (options->ports_from_cmdline)
				continue;
			if (options->listen_addrs != NULL)
				fatal("%s line %d: ports must be specified before "
				    "ListenAdress.\n", filename, linenum);
			if (options->num_ports >= MAX_PORTS)
				fatal("%s line %d: too many ports.\n",
				    filename, linenum);
			cp = strtok(NULL, WHITESPACE);
			if (!cp)
				fatal("%s line %d: missing port number.\n",
				    filename, linenum);
			options->ports[options->num_ports++] = atoi(cp);
			break;

		case sServerKeyBits:
			intptr = &options->server_key_bits;
parse_int:
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing integer value.\n",
					filename, linenum);
				exit(1);
			}
			value = atoi(cp);
			if (*intptr == -1)
				*intptr = value;
			break;

		case sLoginGraceTime:
			intptr = &options->login_grace_time;
			goto parse_int;

		case sKeyRegenerationTime:
			intptr = &options->key_regeneration_time;
			goto parse_int;

		case sListenAddress:
			cp = strtok(NULL, WHITESPACE);
			if (!cp)
				fatal("%s line %d: missing inet addr.\n",
				    filename, linenum);
			add_listen_addr(options, cp);
			break;

		case sHostKeyFile:
		case sHostDSAKeyFile:
			charptr = (opcode == sHostKeyFile ) ?
			    &options->host_key_file : &options->host_dsa_key_file;
parse_filename:
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing file name.\n",
				    filename, linenum);
				exit(1);
			}
			if (*charptr == NULL)
				*charptr = tilde_expand_filename(cp, getuid());
			break;

		case sPidFile:
			charptr = &options->pid_file;
			goto parse_filename;

		case sRandomSeedFile:
			fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
				filename, linenum);
			cp = strtok(NULL, WHITESPACE);
			break;

		case sPermitRootLogin:
			intptr = &options->permit_root_login;
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
					filename, linenum);
				exit(1);
			}
			if (strcmp(cp, "without-password") == 0)
				value = 2;
			else if (strcmp(cp, "yes") == 0)
				value = 1;
			else if (strcmp(cp, "no") == 0)
				value = 0;
			else {
				fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
					filename, linenum, cp);
				exit(1);
			}
			if (*intptr == -1)
				*intptr = value;
			break;

		case sIgnoreRhosts:
			intptr = &options->ignore_rhosts;
parse_flag:
			cp = strtok(NULL, WHITESPACE);
			if (!cp) {
				fprintf(stderr, "%s line %d: missing yes/no argument.\n",
					filename, linenum);
				exit(1);
			}
			if (strcmp(cp, "yes") == 0)
				value = 1;
			else if (strcmp(cp, "no") == 0)
				value = 0;
			else {
				fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
					filename, linenum, cp);
				exit(1);
			}
			if (*intptr == -1)
				*intptr = value;
			break;

		case sIgnoreUserKnownHosts:
			intptr = &options->ignore_user_known_hosts;
			goto parse_flag;

		case sRhostsAuthentication:
			intptr = &options->rhosts_authentication;
			goto parse_flag;

		case sRhostsRSAAuthentication:
			intptr = &options->rhosts_rsa_authentication;
			goto parse_flag;

		case sRSAAuthentication:
			intptr = &options->rsa_authentication;
			goto parse_flag;

		case sDSAAuthentication:
			intptr = &options->dsa_authentication;
			goto parse_flag;

#ifdef KRB4
		case sKerberosAuthentication:
			intptr = &options->kerberos_authentication;
			goto parse_flag;

		case sKerberosOrLocalPasswd:
			intptr = &options->kerberos_or_local_passwd;
			goto parse_flag;

		case sKerberosTicketCleanup:
			intptr = &options->kerberos_ticket_cleanup;
			goto parse_flag;
#endif

#ifdef AFS
		case sKerberosTgtPassing:
			intptr = &options->kerberos_tgt_passing;
			goto parse_flag;

		case sAFSTokenPassing:
			intptr = &options->afs_token_passing;
			goto parse_flag;
#endif

		case sPasswordAuthentication:
			intptr = &options->password_authentication;
			goto parse_flag;

		case sCheckMail:
			intptr = &options->check_mail;
			goto parse_flag;

#ifdef SKEY
		case sSkeyAuthentication:
			intptr = &options->skey_authentication;
			goto parse_flag;
#endif

		case sPrintMotd:
			intptr = &options->print_motd;
			goto parse_flag;

		case sX11Forwarding:
			intptr = &options->x11_forwarding;
			goto parse_flag;

		case sX11DisplayOffset:
			intptr = &options->x11_display_offset;
			goto parse_int;

		case sXAuthLocation:
			charptr = &options->xauth_location;
			goto parse_filename;
			
		case sStrictModes:
			intptr = &options->strict_modes;
			goto parse_flag;

		case sKeepAlives:
			intptr = &options->keepalives;
			goto parse_flag;

		case sEmptyPasswd:
			intptr = &options->permit_empty_passwd;
			goto parse_flag;

		case sUseLogin:
			intptr = &options->use_login;
			goto parse_flag;

		case sGatewayPorts:
			intptr = &options->gateway_ports;
			goto parse_flag;

		case sLogFacility:
			intptr = (int *) &options->log_facility;
			cp = strtok(NULL, WHITESPACE);
			value = log_facility_number(cp);
			if (value == (SyslogFacility) - 1)
				fatal("%.200s line %d: unsupported log facility '%s'\n",
				    filename, linenum, cp ? cp : "<NONE>");
			if (*intptr == -1)
				*intptr = (SyslogFacility) value;
			break;

		case sLogLevel:
			intptr = (int *) &options->log_level;
			cp = strtok(NULL, WHITESPACE);
			value = log_level_number(cp);
			if (value == (LogLevel) - 1)
				fatal("%.200s line %d: unsupported log level '%s'\n",
				    filename, linenum, cp ? cp : "<NONE>");
			if (*intptr == -1)
				*intptr = (LogLevel) value;
			break;

		case sAllowUsers:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_allow_users >= MAX_ALLOW_USERS)
					fatal("%s line %d: too many allow users.\n",
					    filename, linenum);
				options->allow_users[options->num_allow_users++] = xstrdup(cp);
			}
			break;

		case sDenyUsers:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_deny_users >= MAX_DENY_USERS)
					fatal( "%s line %d: too many deny users.\n",
					    filename, linenum);
				options->deny_users[options->num_deny_users++] = xstrdup(cp);
			}
			break;

		case sAllowGroups:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
					fatal("%s line %d: too many allow groups.\n",
					    filename, linenum);
				options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
			}
			break;

		case sDenyGroups:
			while ((cp = strtok(NULL, WHITESPACE))) {
				if (options->num_deny_groups >= MAX_DENY_GROUPS)
					fatal("%s line %d: too many deny groups.\n",
					    filename, linenum);
				options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
			}
			break;

		case sCiphers:
			cp = strtok(NULL, WHITESPACE);
			if (!cp)
				fatal("%s line %d: Missing argument.", filename, linenum);
			if (!ciphers_valid(cp))
				fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
				    filename, linenum, cp ? cp : "<NONE>");
			if (options->ciphers == NULL)
				options->ciphers = xstrdup(cp);
			break;

		case sProtocol:
			intptr = &options->protocol;
			cp = strtok(NULL, WHITESPACE);
			if (!cp)
				fatal("%s line %d: Missing argument.", filename, linenum);
			value = proto_spec(cp);
			if (value == SSH_PROTO_UNKNOWN)
				fatal("%s line %d: Bad protocol spec '%s'.",
				      filename, linenum, cp ? cp : "<NONE>");
			if (*intptr == SSH_PROTO_UNKNOWN)
				*intptr = value;
			break;

		default:
			fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
				filename, linenum, cp, opcode);
			exit(1);
		}
		if (strtok(NULL, WHITESPACE) != NULL) {
			fprintf(stderr, "%s line %d: garbage at end of line.\n",
				filename, linenum);
			exit(1);
		}
	}
	fclose(f);
	if (bad_options > 0) {
		fprintf(stderr, "%s: terminating, %d bad configuration options\n",
			filename, bad_options);
		exit(1);
	}
}
Commit	Line	Data
8efc0c15	1	/*
6ae2364d	2	*
5260325f	3	* servconf.c
6ae2364d	4	*
5260325f	5	* Author: Tatu Ylonen <ylo@cs.hut.fi>
6ae2364d	6	*
5260325f	7	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5260325f	8	* All rights reserved
6ae2364d	9	*
5260325f	10	* Created: Mon Aug 21 15:48:58 1995 ylo
6ae2364d	11	*
5260325f	12	*/
8efc0c15	13
	14	#include "includes.h"
	15	RCSID("$Id$");
	16
	17	#include "ssh.h"
	18	#include "servconf.h"
	19	#include "xmalloc.h"
a8be9f80	20	#include "compat.h"
8efc0c15	21
48e671d5	22	/* add listen address */
	23	void add_listen_addr(ServerOptions options, char addr);
	24
8efc0c15	25	/* Initializes the server options to their default values. */
8efc0c15	26
6ae2364d	27	void
5260325f	28	initialize_server_options(ServerOptions *options)
8efc0c15	29	{
5260325f	30	memset(options, 0, sizeof(*options));
48e671d5	31	options->num_ports = 0;
	32	options->ports_from_cmdline = 0;
	33	options->listen_addrs = NULL;
5260325f	34	options->host_key_file = NULL;
1d1ffb87	35	options->host_dsa_key_file = NULL;
0fbe8c74	36	options->pid_file = NULL;
5260325f	37	options->server_key_bits = -1;
	38	options->login_grace_time = -1;
	39	options->key_regeneration_time = -1;
	40	options->permit_root_login = -1;
	41	options->ignore_rhosts = -1;
	42	options->ignore_user_known_hosts = -1;
	43	options->print_motd = -1;
	44	options->check_mail = -1;
	45	options->x11_forwarding = -1;
	46	options->x11_display_offset = -1;
fa649821	47	options->xauth_location = NULL;
5260325f	48	options->strict_modes = -1;
	49	options->keepalives = -1;
	50	options->log_facility = (SyslogFacility) - 1;
	51	options->log_level = (LogLevel) - 1;
	52	options->rhosts_authentication = -1;
	53	options->rhosts_rsa_authentication = -1;
	54	options->rsa_authentication = -1;
1d1ffb87	55	options->dsa_authentication = -1;
8efc0c15	56	#ifdef KRB4
5260325f	57	options->kerberos_authentication = -1;
	58	options->kerberos_or_local_passwd = -1;
	59	options->kerberos_ticket_cleanup = -1;
8efc0c15	60	#endif
8efc0c15	61	#ifdef AFS
5260325f	62	options->kerberos_tgt_passing = -1;
5260325f	63	options->afs_token_passing = -1;
8efc0c15	64	#endif
5260325f	65	options->password_authentication = -1;
8efc0c15	66	#ifdef SKEY
5260325f	67	options->skey_authentication = -1;
8efc0c15	68	#endif
5260325f	69	options->permit_empty_passwd = -1;
	70	options->use_login = -1;
	71	options->num_allow_users = 0;
	72	options->num_deny_users = 0;
	73	options->num_allow_groups = 0;
	74	options->num_deny_groups = 0;
a8be9f80	75	options->ciphers = NULL;
a8be9f80	76	options->protocol = SSH_PROTO_UNKNOWN;
1d1ffb87	77	options->gateway_ports = -1;
8efc0c15	78	}
8efc0c15	79
6ae2364d	80	void
5260325f	81	fill_default_server_options(ServerOptions *options)
8efc0c15	82	{
48e671d5	83	if (options->num_ports == 0)
	84	options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	85	if (options->listen_addrs == NULL)
	86	add_listen_addr(options, NULL);
5260325f	87	if (options->host_key_file == NULL)
5260325f	88	options->host_key_file = HOST_KEY_FILE;
1d1ffb87	89	if (options->host_dsa_key_file == NULL)
1d1ffb87	90	options->host_dsa_key_file = HOST_DSA_KEY_FILE;
0fbe8c74	91	if (options->pid_file == NULL)
0fbe8c74	92	options->pid_file = SSH_DAEMON_PID_FILE;
5260325f	93	if (options->server_key_bits == -1)
	94	options->server_key_bits = 768;
	95	if (options->login_grace_time == -1)
	96	options->login_grace_time = 600;
	97	if (options->key_regeneration_time == -1)
	98	options->key_regeneration_time = 3600;
	99	if (options->permit_root_login == -1)
	100	options->permit_root_login = 1; /* yes */
	101	if (options->ignore_rhosts == -1)
c8d54615	102	options->ignore_rhosts = 1;
5260325f	103	if (options->ignore_user_known_hosts == -1)
	104	options->ignore_user_known_hosts = 0;
	105	if (options->check_mail == -1)
	106	options->check_mail = 0;
	107	if (options->print_motd == -1)
	108	options->print_motd = 1;
	109	if (options->x11_forwarding == -1)
c8d54615	110	options->x11_forwarding = 0;
5260325f	111	if (options->x11_display_offset == -1)
c8d54615	112	options->x11_display_offset = 10;
fa649821	113	#ifdef XAUTH_PATH
	114	if (options->xauth_location == NULL)
	115	options->xauth_location = XAUTH_PATH;
	116	#endif /* XAUTH_PATH */
5260325f	117	if (options->strict_modes == -1)
	118	options->strict_modes = 1;
	119	if (options->keepalives == -1)
	120	options->keepalives = 1;
	121	if (options->log_facility == (SyslogFacility) (-1))
	122	options->log_facility = SYSLOG_FACILITY_AUTH;
	123	if (options->log_level == (LogLevel) (-1))
	124	options->log_level = SYSLOG_LEVEL_INFO;
	125	if (options->rhosts_authentication == -1)
	126	options->rhosts_authentication = 0;
	127	if (options->rhosts_rsa_authentication == -1)
c8d54615	128	options->rhosts_rsa_authentication = 0;
5260325f	129	if (options->rsa_authentication == -1)
5260325f	130	options->rsa_authentication = 1;
1d1ffb87	131	if (options->dsa_authentication == -1)
1d1ffb87	132	options->dsa_authentication = 1;
8efc0c15	133	#ifdef KRB4
5260325f	134	if (options->kerberos_authentication == -1)
	135	options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
	136	if (options->kerberos_or_local_passwd == -1)
	137	options->kerberos_or_local_passwd = 1;
	138	if (options->kerberos_ticket_cleanup == -1)
	139	options->kerberos_ticket_cleanup = 1;
8efc0c15	140	#endif /* KRB4 */
8efc0c15	141	#ifdef AFS
5260325f	142	if (options->kerberos_tgt_passing == -1)
	143	options->kerberos_tgt_passing = 0;
	144	if (options->afs_token_passing == -1)
	145	options->afs_token_passing = k_hasafs();
8efc0c15	146	#endif /* AFS */
5260325f	147	if (options->password_authentication == -1)
5260325f	148	options->password_authentication = 1;
8efc0c15	149	#ifdef SKEY
5260325f	150	if (options->skey_authentication == -1)
5260325f	151	options->skey_authentication = 1;
8efc0c15	152	#endif
5260325f	153	if (options->permit_empty_passwd == -1)
c8d54615	154	options->permit_empty_passwd = 0;
5260325f	155	if (options->use_login == -1)
5260325f	156	options->use_login = 0;
a8be9f80	157	if (options->protocol == SSH_PROTO_UNKNOWN)
a306f2dd	158	options->protocol = SSH_PROTO_1\|SSH_PROTO_2;
1d1ffb87	159	if (options->gateway_ports == -1)
1d1ffb87	160	options->gateway_ports = 0;
8efc0c15	161	}
	162
	163	#define WHITESPACE " \t\r\n"
	164
	165	/* Keyword tokens. */
5260325f	166	typedef enum {
	167	sBadOption, /* == unknown option */
	168	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	169	sPermitRootLogin, sLogFacility, sLogLevel,
	170	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
8efc0c15	171	#ifdef KRB4
5260325f	172	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
8efc0c15	173	#endif
8efc0c15	174	#ifdef AFS
5260325f	175	sKerberosTgtPassing, sAFSTokenPassing,
8efc0c15	176	#endif
8efc0c15	177	#ifdef SKEY
5260325f	178	sSkeyAuthentication,
8efc0c15	179	#endif
5260325f	180	sPasswordAuthentication, sListenAddress,
	181	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
	182	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
	183	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
1d1ffb87	184	sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
fa649821	185	sGatewayPorts, sDSAAuthentication, sXAuthLocation
8efc0c15	186	} ServerOpCodes;
	187
	188	/* Textual representation of the tokens. */
5260325f	189	static struct {
	190	const char *name;
	191	ServerOpCodes opcode;
	192	} keywords[] = {
	193	{ "port", sPort },
	194	{ "hostkey", sHostKeyFile },
1d1ffb87	195	{ "hostdsakey", sHostDSAKeyFile },
0fbe8c74	196	{ "pidfile", sPidFile },
5260325f	197	{ "serverkeybits", sServerKeyBits },
	198	{ "logingracetime", sLoginGraceTime },
	199	{ "keyregenerationinterval", sKeyRegenerationTime },
	200	{ "permitrootlogin", sPermitRootLogin },
	201	{ "syslogfacility", sLogFacility },
	202	{ "loglevel", sLogLevel },
	203	{ "rhostsauthentication", sRhostsAuthentication },
	204	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	205	{ "rsaauthentication", sRSAAuthentication },
1d1ffb87	206	{ "dsaauthentication", sDSAAuthentication },
8efc0c15	207	#ifdef KRB4
5260325f	208	{ "kerberosauthentication", sKerberosAuthentication },
	209	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	210	{ "kerberosticketcleanup", sKerberosTicketCleanup },
8efc0c15	211	#endif
8efc0c15	212	#ifdef AFS
5260325f	213	{ "kerberostgtpassing", sKerberosTgtPassing },
5260325f	214	{ "afstokenpassing", sAFSTokenPassing },
8efc0c15	215	#endif
5260325f	216	{ "passwordauthentication", sPasswordAuthentication },
8efc0c15	217	#ifdef SKEY
5260325f	218	{ "skeyauthentication", sSkeyAuthentication },
8efc0c15	219	#endif
5260325f	220	{ "checkmail", sCheckMail },
	221	{ "listenaddress", sListenAddress },
	222	{ "printmotd", sPrintMotd },
	223	{ "ignorerhosts", sIgnoreRhosts },
	224	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	225	{ "x11forwarding", sX11Forwarding },
	226	{ "x11displayoffset", sX11DisplayOffset },
fa649821	227	{ "xauthlocation", sXAuthLocation },
5260325f	228	{ "strictmodes", sStrictModes },
	229	{ "permitemptypasswords", sEmptyPasswd },
	230	{ "uselogin", sUseLogin },
	231	{ "randomseed", sRandomSeedFile },
	232	{ "keepalive", sKeepAlives },
	233	{ "allowusers", sAllowUsers },
	234	{ "denyusers", sDenyUsers },
	235	{ "allowgroups", sAllowGroups },
	236	{ "denygroups", sDenyGroups },
a8be9f80	237	{ "ciphers", sCiphers },
a8be9f80	238	{ "protocol", sProtocol },
1d1ffb87	239	{ "gatewayports", sGatewayPorts },
5260325f	240	{ NULL, 0 }
8efc0c15	241	};
8efc0c15	242
aa3378df	243	/*
	244	* Returns the number of the token pointed to by cp of length len. Never
	245	* returns if the token is not known.
	246	*/
8efc0c15	247
6ae2364d	248	static ServerOpCodes
5260325f	249	parse_token(const char cp, const char filename,
5260325f	250	int linenum)
8efc0c15	251	{
5260325f	252	unsigned int i;
8efc0c15	253
5260325f	254	for (i = 0; keywords[i].name; i++)
aa3378df	255	if (strcasecmp(cp, keywords[i].name) == 0)
5260325f	256	return keywords[i].opcode;
8efc0c15	257
5260325f	258	fprintf(stderr, "%s: line %d: Bad configuration option: %s\n",
	259	filename, linenum, cp);
	260	return sBadOption;
8efc0c15	261	}
8efc0c15	262
48e671d5	263	/*
	264	* add listen address
	265	*/
6ae2364d	266	void
48e671d5	267	add_listen_addr(ServerOptions options, char addr)
	268	{
	269	extern int IPv4or6;
	270	struct addrinfo hints, ai, aitop;
	271	char strport[NI_MAXSERV];
	272	int gaierr;
	273	int i;
	274
	275	if (options->num_ports == 0)
	276	options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	277	for (i = 0; i < options->num_ports; i++) {
	278	memset(&hints, 0, sizeof(hints));
	279	hints.ai_family = IPv4or6;
	280	hints.ai_socktype = SOCK_STREAM;
	281	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
	282	snprintf(strport, sizeof strport, "%d", options->ports[i]);
	283	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
	284	fatal("bad addr or host: %s (%s)\n",
	285	addr ? addr : "<NULL>",
	286	gai_strerror(gaierr));
	287	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
	288	;
	289	ai->ai_next = options->listen_addrs;
	290	options->listen_addrs = aitop;
	291	}
	292	}
	293
8efc0c15	294	/* Reads the server configuration file. */
8efc0c15	295
6ae2364d	296	void
5260325f	297	read_server_config(ServerOptions options, const char filename)
8efc0c15	298	{
5260325f	299	FILE *f;
	300	char line[1024];
	301	char cp, *charptr;
	302	int linenum, *intptr, value;
	303	int bad_options = 0;
	304	ServerOpCodes opcode;
	305
	306	f = fopen(filename, "r");
	307	if (!f) {
	308	perror(filename);
8efc0c15	309	exit(1);
5260325f	310	}
	311	linenum = 0;
	312	while (fgets(line, sizeof(line), f)) {
	313	linenum++;
	314	cp = line + strspn(line, WHITESPACE);
	315	if (!cp \|\| cp == '#')
	316	continue;
	317	cp = strtok(cp, WHITESPACE);
5260325f	318	opcode = parse_token(cp, filename, linenum);
	319	switch (opcode) {
	320	case sBadOption:
	321	bad_options++;
	322	continue;
	323	case sPort:
48e671d5	324	/* ignore ports from configfile if cmdline specifies ports */
	325	if (options->ports_from_cmdline)
	326	continue;
	327	if (options->listen_addrs != NULL)
	328	fatal("%s line %d: ports must be specified before "
	329	"ListenAdress.\n", filename, linenum);
	330	if (options->num_ports >= MAX_PORTS)
	331	fatal("%s line %d: too many ports.\n",
6ae2364d	332	filename, linenum);
48e671d5	333	cp = strtok(NULL, WHITESPACE);
	334	if (!cp)
	335	fatal("%s line %d: missing port number.\n",
	336	filename, linenum);
	337	options->ports[options->num_ports++] = atoi(cp);
	338	break;
	339
	340	case sServerKeyBits:
	341	intptr = &options->server_key_bits;
5260325f	342	parse_int:
	343	cp = strtok(NULL, WHITESPACE);
	344	if (!cp) {
	345	fprintf(stderr, "%s line %d: missing integer value.\n",
	346	filename, linenum);
	347	exit(1);
	348	}
	349	value = atoi(cp);
	350	if (*intptr == -1)
	351	*intptr = value;
	352	break;
	353
5260325f	354	case sLoginGraceTime:
	355	intptr = &options->login_grace_time;
	356	goto parse_int;
	357
	358	case sKeyRegenerationTime:
	359	intptr = &options->key_regeneration_time;
	360	goto parse_int;
	361
	362	case sListenAddress:
	363	cp = strtok(NULL, WHITESPACE);
48e671d5	364	if (!cp)
	365	fatal("%s line %d: missing inet addr.\n",
	366	filename, linenum);
	367	add_listen_addr(options, cp);
5260325f	368	break;
	369
	370	case sHostKeyFile:
1d1ffb87	371	case sHostDSAKeyFile:
e78a59f5	372	charptr = (opcode == sHostKeyFile ) ?
1d1ffb87	373	&options->host_key_file : &options->host_dsa_key_file;
fa649821	374	parse_filename:
5260325f	375	cp = strtok(NULL, WHITESPACE);
	376	if (!cp) {
	377	fprintf(stderr, "%s line %d: missing file name.\n",
0fbe8c74	378	filename, linenum);
	379	exit(1);
	380	}
	381	if (*charptr == NULL)
	382	*charptr = tilde_expand_filename(cp, getuid());
	383	break;
	384
	385	case sPidFile:
	386	charptr = &options->pid_file;
fa649821	387	goto parse_filename;
5260325f	388
	389	case sRandomSeedFile:
	390	fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
	391	filename, linenum);
	392	cp = strtok(NULL, WHITESPACE);
	393	break;
	394
	395	case sPermitRootLogin:
	396	intptr = &options->permit_root_login;
	397	cp = strtok(NULL, WHITESPACE);
	398	if (!cp) {
	399	fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
	400	filename, linenum);
	401	exit(1);
	402	}
	403	if (strcmp(cp, "without-password") == 0)
	404	value = 2;
	405	else if (strcmp(cp, "yes") == 0)
	406	value = 1;
	407	else if (strcmp(cp, "no") == 0)
	408	value = 0;
	409	else {
	410	fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
	411	filename, linenum, cp);
	412	exit(1);
	413	}
	414	if (*intptr == -1)
	415	*intptr = value;
	416	break;
	417
	418	case sIgnoreRhosts:
	419	intptr = &options->ignore_rhosts;
	420	parse_flag:
	421	cp = strtok(NULL, WHITESPACE);
	422	if (!cp) {
	423	fprintf(stderr, "%s line %d: missing yes/no argument.\n",
	424	filename, linenum);
	425	exit(1);
	426	}
	427	if (strcmp(cp, "yes") == 0)
	428	value = 1;
	429	else if (strcmp(cp, "no") == 0)
	430	value = 0;
	431	else {
	432	fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
	433	filename, linenum, cp);
	434	exit(1);
	435	}
	436	if (*intptr == -1)
	437	*intptr = value;
	438	break;
	439
	440	case sIgnoreUserKnownHosts:
	441	intptr = &options->ignore_user_known_hosts;
c8d54615	442	goto parse_flag;
5260325f	443
	444	case sRhostsAuthentication:
	445	intptr = &options->rhosts_authentication;
	446	goto parse_flag;
	447
	448	case sRhostsRSAAuthentication:
	449	intptr = &options->rhosts_rsa_authentication;
	450	goto parse_flag;
	451
	452	case sRSAAuthentication:
	453	intptr = &options->rsa_authentication;
	454	goto parse_flag;
	455
1d1ffb87	456	case sDSAAuthentication:
	457	intptr = &options->dsa_authentication;
	458	goto parse_flag;
	459
8efc0c15	460	#ifdef KRB4
5260325f	461	case sKerberosAuthentication:
	462	intptr = &options->kerberos_authentication;
	463	goto parse_flag;
	464
	465	case sKerberosOrLocalPasswd:
	466	intptr = &options->kerberos_or_local_passwd;
	467	goto parse_flag;
	468
	469	case sKerberosTicketCleanup:
	470	intptr = &options->kerberos_ticket_cleanup;
	471	goto parse_flag;
8efc0c15	472	#endif
5260325f	473
8efc0c15	474	#ifdef AFS
5260325f	475	case sKerberosTgtPassing:
	476	intptr = &options->kerberos_tgt_passing;
	477	goto parse_flag;
8efc0c15	478
5260325f	479	case sAFSTokenPassing:
	480	intptr = &options->afs_token_passing;
	481	goto parse_flag;
8efc0c15	482	#endif
8efc0c15	483
5260325f	484	case sPasswordAuthentication:
	485	intptr = &options->password_authentication;
	486	goto parse_flag;
8efc0c15	487
5260325f	488	case sCheckMail:
	489	intptr = &options->check_mail;
	490	goto parse_flag;
8efc0c15	491
8efc0c15	492	#ifdef SKEY
5260325f	493	case sSkeyAuthentication:
	494	intptr = &options->skey_authentication;
	495	goto parse_flag;
8efc0c15	496	#endif
8efc0c15	497
5260325f	498	case sPrintMotd:
	499	intptr = &options->print_motd;
	500	goto parse_flag;
	501
	502	case sX11Forwarding:
	503	intptr = &options->x11_forwarding;
	504	goto parse_flag;
	505
	506	case sX11DisplayOffset:
	507	intptr = &options->x11_display_offset;
	508	goto parse_int;
	509
fa649821	510	case sXAuthLocation:
	511	charptr = &options->xauth_location;
	512	goto parse_filename;
	513
5260325f	514	case sStrictModes:
	515	intptr = &options->strict_modes;
	516	goto parse_flag;
	517
	518	case sKeepAlives:
	519	intptr = &options->keepalives;
	520	goto parse_flag;
	521
	522	case sEmptyPasswd:
	523	intptr = &options->permit_empty_passwd;
	524	goto parse_flag;
	525
	526	case sUseLogin:
	527	intptr = &options->use_login;
	528	goto parse_flag;
	529
1d1ffb87	530	case sGatewayPorts:
	531	intptr = &options->gateway_ports;
	532	goto parse_flag;
	533
5260325f	534	case sLogFacility:
	535	intptr = (int *) &options->log_facility;
	536	cp = strtok(NULL, WHITESPACE);
	537	value = log_facility_number(cp);
	538	if (value == (SyslogFacility) - 1)
	539	fatal("%.200s line %d: unsupported log facility '%s'\n",
a8be9f80	540	filename, linenum, cp ? cp : "<NONE>");
5260325f	541	if (*intptr == -1)
	542	*intptr = (SyslogFacility) value;
	543	break;
	544
	545	case sLogLevel:
	546	intptr = (int *) &options->log_level;
	547	cp = strtok(NULL, WHITESPACE);
	548	value = log_level_number(cp);
	549	if (value == (LogLevel) - 1)
	550	fatal("%.200s line %d: unsupported log level '%s'\n",
a8be9f80	551	filename, linenum, cp ? cp : "<NONE>");
5260325f	552	if (*intptr == -1)
	553	*intptr = (LogLevel) value;
	554	break;
	555
	556	case sAllowUsers:
	557	while ((cp = strtok(NULL, WHITESPACE))) {
a8be9f80	558	if (options->num_allow_users >= MAX_ALLOW_USERS)
	559	fatal("%s line %d: too many allow users.\n",
	560	filename, linenum);
5260325f	561	options->allow_users[options->num_allow_users++] = xstrdup(cp);
	562	}
	563	break;
	564
	565	case sDenyUsers:
	566	while ((cp = strtok(NULL, WHITESPACE))) {
a8be9f80	567	if (options->num_deny_users >= MAX_DENY_USERS)
	568	fatal( "%s line %d: too many deny users.\n",
	569	filename, linenum);
5260325f	570	options->deny_users[options->num_deny_users++] = xstrdup(cp);
	571	}
	572	break;
	573
	574	case sAllowGroups:
	575	while ((cp = strtok(NULL, WHITESPACE))) {
a8be9f80	576	if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
	577	fatal("%s line %d: too many allow groups.\n",
	578	filename, linenum);
5260325f	579	options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
	580	}
	581	break;
	582
	583	case sDenyGroups:
	584	while ((cp = strtok(NULL, WHITESPACE))) {
a8be9f80	585	if (options->num_deny_groups >= MAX_DENY_GROUPS)
	586	fatal("%s line %d: too many deny groups.\n",
	587	filename, linenum);
5260325f	588	options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
	589	}
	590	break;
	591
a8be9f80	592	case sCiphers:
a8be9f80	593	cp = strtok(NULL, WHITESPACE);
71276795	594	if (!cp)
71276795	595	fatal("%s line %d: Missing argument.", filename, linenum);
a8be9f80	596	if (!ciphers_valid(cp))
d0c832f3	597	fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
a8be9f80	598	filename, linenum, cp ? cp : "<NONE>");
	599	if (options->ciphers == NULL)
	600	options->ciphers = xstrdup(cp);
	601	break;
	602
	603	case sProtocol:
	604	intptr = &options->protocol;
	605	cp = strtok(NULL, WHITESPACE);
71276795	606	if (!cp)
71276795	607	fatal("%s line %d: Missing argument.", filename, linenum);
a8be9f80	608	value = proto_spec(cp);
	609	if (value == SSH_PROTO_UNKNOWN)
	610	fatal("%s line %d: Bad protocol spec '%s'.",
	611	filename, linenum, cp ? cp : "<NONE>");
	612	if (*intptr == SSH_PROTO_UNKNOWN)
	613	*intptr = value;
	614	break;
	615
5260325f	616	default:
	617	fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
	618	filename, linenum, cp, opcode);
	619	exit(1);
8efc0c15	620	}
5260325f	621	if (strtok(NULL, WHITESPACE) != NULL) {
	622	fprintf(stderr, "%s line %d: garbage at end of line.\n",
	623	filename, linenum);
	624	exit(1);
8efc0c15	625	}
8efc0c15	626	}
5260325f	627	fclose(f);
	628	if (bad_options > 0) {
	629	fprintf(stderr, "%s: terminating, %d bad configuration options\n",
	630	filename, bad_options);
	631	exit(1);
8efc0c15	632	}
8efc0c15	633	}