8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
16acb158 13RCSID("$OpenBSD: servconf.c,v 1.136 2004/08/11 11:09:54 dtucker Exp $");
8efc0c15 14
15#include "ssh.h"
42f11eb2 16#include "log.h"
8efc0c15 17#include "servconf.h"
18#include "xmalloc.h"
a8be9f80 19#include "compat.h"
42f11eb2 20#include "pathnames.h"
42f11eb2 21#include "misc.h"
22#include "cipher.h"
b2552997 23#include "kex.h"
24#include "mac.h"
42f11eb2 25
/* Forward declarations: listen address handling is defined below. */
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);

/*
 * AF_UNSPEC or AF_INET or AF_INET6.  Defined elsewhere (sshd option
 * parsing, presumably); used here as the ai_family hint when resolving
 * ListenAddress entries in add_one_listen_addr().
 */
extern int IPv4or6;
/*
 * Use of privilege separation or not.  Defined elsewhere; initialize_
 * server_options() resets it to -1 ("not set") and fill_default_
 * server_options() turns it on when the configuration left it untouched.
 */
extern int use_privsep;
42f11eb2 33
8efc0c15 34/* Initializes the server options to their default values. */
35
/*
 * Reset every server option to its "not yet configured" marker so that the
 * config parser can tell a value the administrator set apart from one that
 * still needs a default: -1 for ints, NULL for strings, the *_NOT_SET /
 * SSH_PROTO_UNKNOWN enumerators where a dedicated marker exists, and 0 for
 * the element counters of the fixed-size tables.  Defaults are applied
 * afterwards by fill_default_server_options().
 */
void
initialize_server_options(ServerOptions *options)
{
	/* Start from all-zero so every counter and pointer is clean. */
	memset(options, 0, sizeof(*options));

	/* Portable-specific options */
	options->use_pam = -1;

	/* Network endpoints and daemon bookkeeping. */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->pid_file = NULL;
	options->gateway_ports = -1;
	options->tcp_keep_alive = -1;
	options->use_dns = -1;

	/* Protocol selection, host keys and algorithms. */
	options->protocol = SSH_PROTO_UNKNOWN;
	options->num_host_key_files = 0;
	options->server_key_bits = -1;
	options->key_regeneration_time = -1;
	options->ciphers = NULL;
	options->macs = NULL;
	options->compression = -1;

	/* Authentication methods and policy. */
	options->login_grace_time = -1;
	options->max_authtries = -1;
	options->permit_root_login = PERMIT_NOT_SET;
	options->permit_empty_passwd = -1;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
	options->kerberos_get_afs_token = -1;
	options->gss_authentication = -1;
	options->gss_cleanup_creds = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->authorized_keys_file = NULL;
	options->authorized_keys_file2 = NULL;

	/* Access lists (counters only; the arrays were zeroed above). */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;

	/* Session environment and features. */
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->xauth_location = NULL;
	options->strict_modes = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->allow_tcp_forwarding = -1;
	options->num_subsystems = 0;
	options->num_accept_env = 0;
	options->banner = NULL;

	/* Logging. */
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;

	/* Connection limits and liveness probing. */
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;

	/* Needs to be accessable in many places */
	use_privsep = -1;
}
109
/* Store value in *slot only while it still carries the -1 "not set" marker. */
static void
servconf_default_int(int *slot, int value)
{
	if (*slot == -1)
		*slot = value;
}

/*
 * Supply the compiled-in default for every option the configuration did
 * not set.  initialize_server_options() marked untouched scalars with -1
 * (or a *_NOT_SET / NULL marker); only those slots are written here, so
 * anything the administrator configured is left alone.
 *
 * Two of the defaults are worth a second look when hardening a host: root
 * login is permitted (PERMIT_YES) and both protocol versions are enabled
 * unless the configuration narrows them.
 */
void
fill_default_server_options(ServerOptions *options)
{
	/* Portable-specific options */
	servconf_default_int(&options->use_pam, 0);

	/* Protocol versions, and the host key each enabled version needs. */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_KEY_FILE;
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
		}
	}

	/* Listening endpoints and daemon bookkeeping. */
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	servconf_default_int(&options->gateway_ports, 0);
	servconf_default_int(&options->tcp_keep_alive, 1);
	servconf_default_int(&options->use_dns, 1);

	/* Key sizes and timers. */
	servconf_default_int(&options->server_key_bits, 768);
	servconf_default_int(&options->login_grace_time, 120);
	servconf_default_int(&options->key_regeneration_time, 3600);
	servconf_default_int(&options->client_alive_interval, 0);
	servconf_default_int(&options->client_alive_count_max, 3);

	/* Who may log in, and by which methods. */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_YES;
	servconf_default_int(&options->max_authtries, DEFAULT_AUTH_FAIL_MAX);
	servconf_default_int(&options->permit_empty_passwd, 0);
	servconf_default_int(&options->ignore_rhosts, 1);
	servconf_default_int(&options->ignore_user_known_hosts, 0);
	servconf_default_int(&options->rhosts_rsa_authentication, 0);
	servconf_default_int(&options->hostbased_authentication, 0);
	servconf_default_int(&options->hostbased_uses_name_from_packet_only, 0);
	servconf_default_int(&options->rsa_authentication, 1);
	servconf_default_int(&options->pubkey_authentication, 1);
	servconf_default_int(&options->kerberos_authentication, 0);
	servconf_default_int(&options->kerberos_or_local_passwd, 1);
	servconf_default_int(&options->kerberos_ticket_cleanup, 1);
	servconf_default_int(&options->kerberos_get_afs_token, 0);
	servconf_default_int(&options->gss_authentication, 0);
	servconf_default_int(&options->gss_cleanup_creds, 1);
	servconf_default_int(&options->password_authentication, 1);
	servconf_default_int(&options->kbd_interactive_authentication, 0);
	servconf_default_int(&options->challenge_response_authentication, 1);
	if (options->authorized_keys_file2 == NULL) {
		/* authorized_keys_file2 falls back to authorized_keys_file */
		if (options->authorized_keys_file != NULL)
			options->authorized_keys_file2 = options->authorized_keys_file;
		else
			options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
	}
	if (options->authorized_keys_file == NULL)
		options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

	/* Session environment and features. */
	servconf_default_int(&options->print_motd, 1);
	servconf_default_int(&options->print_lastlog, 1);
	servconf_default_int(&options->x11_forwarding, 0);
	servconf_default_int(&options->x11_display_offset, 10);
	servconf_default_int(&options->x11_use_localhost, 1);
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	servconf_default_int(&options->strict_modes, 1);
	servconf_default_int(&options->permit_user_env, 0);
	servconf_default_int(&options->use_login, 0);
	servconf_default_int(&options->compression, 1);
	servconf_default_int(&options->allow_tcp_forwarding, 1);

	/* Logging. */
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;

	/*
	 * Connection rate limiting.  max_startups must be settled before
	 * max_startups_begin, which defaults to the full limit.
	 */
	servconf_default_int(&options->max_startups, 10);
	servconf_default_int(&options->max_startups_rate, 100); /* 100% */
	servconf_default_int(&options->max_startups_begin, options->max_startups);

	/* Turn privilege separation on by default */
	servconf_default_int(&use_privsep, 1);

#ifndef HAVE_MMAP
	/* Without mmap the two features cannot coexist; compression loses. */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	}
#endif
}
248
/*
 * Keyword tokens.  Each sshd_config keyword is mapped to one of these by
 * the keywords[] table below, and process_server_config_line() switches on
 * the token.  sDeprecated and sUnsupported are the tokens given to keywords
 * that are still accepted (and logged) but have no effect, e.g. because the
 * feature was compiled out.
 */
typedef enum {
	sBadOption,		/* == unknown option */
	/* Portable-specific options */
	sUsePAM,
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosGetAFSToken,
	sKerberosTgtPassing, sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sStrictModes, sEmptyPasswd, sTCPKeepAlive,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
	sMaxStartups, sMaxAuthTries,
	sBanner, sUseDNS, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
	sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
	sUsePrivilegeSeparation,
	sDeprecated, sUnsupported
} ServerOpCodes;
277
/*
 * Textual representation of the tokens.  Names are stored in lower case;
 * parse_token() compares them case-insensitively, so any capitalisation in
 * the configuration file matches.  The list ends at the NULL-name sentinel.
 *
 * Keywords whose feature is not compiled into this build stay in the table
 * mapped to sUnsupported, and retired keywords map to sDeprecated, so that
 * an old configuration file still parses (the line is logged and skipped)
 * instead of being rejected as a bad option.
 */
static struct {
	const char *name;
	ServerOpCodes opcode;
} keywords[] = {
	/* Portable-specific options */
#ifdef USE_PAM
	{ "usepam", sUsePAM },
#else
	{ "usepam", sUnsupported },
#endif
	{ "pamauthenticationviakbdint", sDeprecated },
	/* Standard Options */
	{ "port", sPort },
	{ "hostkey", sHostKeyFile },
	{ "hostdsakey", sHostKeyFile },			/* alias */
	{ "pidfile", sPidFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sDeprecated },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "hostbasedauthentication", sHostbasedAuthentication },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
	{ "rsaauthentication", sRSAAuthentication },
	{ "pubkeyauthentication", sPubkeyAuthentication },
	{ "dsaauthentication", sPubkeyAuthentication },	/* alias */
#ifdef KRB5
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
#ifdef USE_AFS
	{ "kerberosgetafstoken", sKerberosGetAFSToken },
#else
	{ "kerberosgetafstoken", sUnsupported },
#endif
#else
	{ "kerberosauthentication", sUnsupported },
	{ "kerberosorlocalpasswd", sUnsupported },
	{ "kerberosticketcleanup", sUnsupported },
	{ "kerberosgetafstoken", sUnsupported },
#endif
	{ "kerberostgtpassing", sUnsupported },
	{ "afstokenpassing", sUnsupported },
#ifdef GSSAPI
	{ "gssapiauthentication", sGssAuthentication },
	{ "gssapicleanupcredentials", sGssCleanupCreds },
#else
	{ "gssapiauthentication", sUnsupported },
	{ "gssapicleanupcredentials", sUnsupported },
#endif
	{ "passwordauthentication", sPasswordAuthentication },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
	{ "checkmail", sDeprecated },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "printlastlog", sPrintLastLog },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "x11uselocalhost", sX11UseLocalhost },
	{ "xauthlocation", sXAuthLocation },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "permituserenvironment", sPermitUserEnvironment },
	{ "uselogin", sUseLogin },
	{ "compression", sCompression },
	{ "tcpkeepalive", sTCPKeepAlive },
	{ "keepalive", sTCPKeepAlive },				/* obsolete alias */
	{ "allowtcpforwarding", sAllowTcpForwarding },
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
	{ "ciphers", sCiphers },
	{ "macs", sMacs },
	{ "protocol", sProtocol },
	{ "gatewayports", sGatewayPorts },
	{ "subsystem", sSubsystem },
	{ "maxstartups", sMaxStartups },
	{ "maxauthtries", sMaxAuthTries },
	{ "banner", sBanner },
	{ "usedns", sUseDNS },
	{ "verifyreversemapping", sDeprecated },
	{ "reversemappingcheck", sDeprecated },
	{ "clientaliveinterval", sClientAliveInterval },
	{ "clientalivecountmax", sClientAliveCountMax },
	{ "authorizedkeysfile", sAuthorizedKeysFile },
	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
	{ "useprivilegeseparation", sUsePrivilegeSeparation},
	{ "acceptenv", sAcceptEnv },
	{ NULL, sBadOption }
};
377
/*
 * Look up the configuration keyword cp in keywords[] and return its token.
 * The comparison is case-insensitive.  An unknown keyword is logged with
 * error(), naming filename and linenum, and yields sBadOption; the caller
 * decides whether that is fatal.
 */
static ServerOpCodes
parse_token(const char *cp, const char *filename,
    int linenum)
{
	u_int idx = 0;

	/* The table is terminated by an entry whose name is NULL. */
	while (keywords[idx].name != NULL) {
		if (strcasecmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return sBadOption;
}
396
/*
 * Register a ListenAddress.  addr may be NULL (wildcard); port 0 means
 * "on every configured port", otherwise only the given port is used.  A
 * ListenAddress seen before any Port line implies the default port.
 */
static void
add_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	int idx;

	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

	if (port != 0) {
		add_one_listen_addr(options, addr, port);
		return;
	}
	for (idx = 0; idx < options->num_ports; idx++)
		add_one_listen_addr(options, addr, options->ports[idx]);
}
410
/*
 * Resolve addr:port into one or more socket addresses and prepend them to
 * options->listen_addrs.  A NULL addr asks getaddrinfo() for a passive
 * (wildcard) address; the family is taken from the global IPv4or6.  Any
 * resolution failure is fatal() -- a listener that cannot be set up is not
 * silently dropped.  The addrinfo list is kept as returned and freed by
 * whoever consumes listen_addrs.
 */
static void
add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
{
	struct addrinfo hints, *res, *tail;
	char portstr[NI_MAXSERV];
	int rc;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = IPv4or6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = addr == NULL ? AI_PASSIVE : 0;
	snprintf(portstr, sizeof portstr, "%u", (unsigned)port);

	rc = getaddrinfo(addr, portstr, &hints, &res);
	if (rc != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    gai_strerror(rc));

	/* Walk to the end of the new chain and hang the old list off it. */
	tail = res;
	while (tail->ai_next != NULL)
		tail = tail->ai_next;
	tail->ai_next = options->listen_addrs;
	options->listen_addrs = res;
}
432
/*
 * Parse one configuration line and apply it to options.  The line is
 * tokenised in place with strdelim(), so it must be writable.  filename and
 * linenum are used only in diagnostics.
 *
 * Returns 0 when the line was blank, a comment, or handled, and -1 when the
 * keyword is unknown (parse_token() has already logged it).  Nearly every
 * other problem -- missing or malformed argument, full table, trailing
 * garbage -- is a fatal() and ends the process.
 *
 * Most scalar options funnel into one of four shared label parsers
 * (parse_int, parse_time, parse_flag, parse_filename).  Those only store a
 * value while the slot still holds its "unset" marker (-1 or NULL), so the
 * first setting of an option wins; presumably this is what lets settings
 * applied earlier (e.g. from the command line, cf. ports_from_cmdline)
 * take precedence over the file.
 */
int
process_server_config_line(ServerOptions *options, char *line,
    const char *filename, int linenum)
{
	char *cp, **charptr, *arg, *p;
	int *intptr, value, i, n;
	ServerOpCodes opcode;

	cp = line;
	arg = strdelim(&cp);
	/* Ignore leading whitespace */
	if (*arg == '\0')
		arg = strdelim(&cp);
	if (!arg || !*arg || *arg == '#')
		return 0;
	intptr = NULL;
	charptr = NULL;
	opcode = parse_token(arg, filename, linenum);
	switch (opcode) {
	/* Portable-specific options */
	case sUsePAM:
		intptr = &options->use_pam;
		goto parse_flag;

	/* Standard Options */
	case sBadOption:
		return -1;
	case sPort:
		/* ignore ports from configfile if cmdline specifies ports */
		if (options->ports_from_cmdline)
			return 0;
		/*
		 * Listen addresses are expanded per port as they are parsed,
		 * so a Port after a ListenAddress would be silently ignored
		 * for that address -- reject it instead.
		 */
		if (options->listen_addrs != NULL)
			fatal("%s line %d: ports must be specified before "
			    "ListenAddress.", filename, linenum);
		if (options->num_ports >= MAX_PORTS)
			fatal("%s line %d: too many ports.",
			    filename, linenum);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing port number.",
			    filename, linenum);
		/* a2port() signals a bad port with 0. */
		options->ports[options->num_ports++] = a2port(arg);
		if (options->ports[options->num_ports-1] == 0)
			fatal("%s line %d: Badly formatted port number.",
			    filename, linenum);
		break;

	case sServerKeyBits:
		intptr = &options->server_key_bits;
parse_int:
		/* Shared parser: one integer argument into *intptr. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing integer value.",
			    filename, linenum);
		/*
		 * NOTE(review): atoi() reports no errors -- a non-numeric
		 * argument silently becomes 0 and an out-of-range one is
		 * undefined.  strtol() with endptr/ERANGE checks would let
		 * this fatal() on malformed values instead of accepting them.
		 */
		value = atoi(arg);
		/* First setting wins: only fill a slot still at -1. */
		if (*intptr == -1)
			*intptr = value;
		break;

	case sLoginGraceTime:
		intptr = &options->login_grace_time;
parse_time:
		/* Shared parser: a convtime() duration into *intptr. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
			    filename, linenum);
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
			    filename, linenum);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sKeyRegenerationTime:
		intptr = &options->key_regeneration_time;
		goto parse_time;

	case sListenAddress:
		/*
		 * Accepted forms: host, host:port, [v6addr] and [v6addr]:port.
		 * An unbracketed argument with zero or several ':' is taken
		 * as a bare host/IPv6 address on every configured port.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
			fatal("%s line %d: missing inet addr.",
			    filename, linenum);
		if (*arg == '[') {
			if ((p = strchr(arg, ']')) == NULL)
				fatal("%s line %d: bad ipv6 inet addr usage.",
				    filename, linenum);
			/* Drop the brackets in place; p now follows them. */
			arg++;
			memmove(p, p+1, strlen(p+1)+1);
		} else if (((p = strchr(arg, ':')) == NULL) ||
		    (strchr(p+1, ':') != NULL)) {
			add_listen_addr(options, arg, 0);
			break;
		}
		if (*p == ':') {
			u_short port;

			p++;
			if (*p == '\0')
				fatal("%s line %d: bad inet addr:port usage.",
				    filename, linenum);
			else {
				/* Terminate the address part before the ':'. */
				*(p-1) = '\0';
				if ((port = a2port(p)) == 0)
					fatal("%s line %d: bad port number.",
					    filename, linenum);
				add_listen_addr(options, arg, port);
			}
		} else if (*p == '\0')
			add_listen_addr(options, arg, 0);
		else
			fatal("%s line %d: bad inet addr usage.",
			    filename, linenum);
		break;

	case sHostKeyFile:
		/*
		 * HostKey may repeat: the counter doubles as the index of the
		 * next free slot, and parse_filename bumps it on success.
		 */
		intptr = &options->num_host_key_files;
		if (*intptr >= MAX_HOSTKEYS)
			fatal("%s line %d: too many host keys specified (max %d).",
			    filename, linenum, MAX_HOSTKEYS);
		charptr = &options->host_key_files[*intptr];
parse_filename:
		/* Shared parser: a tilde-expanded path into *charptr. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing file name.",
			    filename, linenum);
		if (*charptr == NULL) {
			*charptr = tilde_expand_filename(arg, getuid());
			/* increase optional counter */
			if (intptr != NULL)
				*intptr = *intptr + 1;
		}
		break;

	case sPidFile:
		charptr = &options->pid_file;
		goto parse_filename;

	case sPermitRootLogin:
		intptr = &options->permit_root_login;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/"
			    "without-password/forced-commands-only/no "
			    "argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "without-password") == 0)
			value = PERMIT_NO_PASSWD;
		else if (strcmp(arg, "forced-commands-only") == 0)
			value = PERMIT_FORCED_ONLY;
		else if (strcmp(arg, "yes") == 0)
			value = PERMIT_YES;
		else if (strcmp(arg, "no") == 0)
			value = PERMIT_NO;
		else
			fatal("%s line %d: Bad yes/"
			    "without-password/forced-commands-only/no "
			    "argument: %s", filename, linenum, arg);
		/* The unset marker here is PERMIT_NOT_SET, compared as -1. */
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreRhosts:
		intptr = &options->ignore_rhosts;
parse_flag:
		/* Shared parser: a yes/no argument into *intptr as 1/0. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing yes/no argument.",
			    filename, linenum);
		value = 0;	/* silence compiler */
		if (strcmp(arg, "yes") == 0)
			value = 1;
		else if (strcmp(arg, "no") == 0)
			value = 0;
		else
			fatal("%s line %d: Bad yes/no argument: %s",
			    filename, linenum, arg);
		if (*intptr == -1)
			*intptr = value;
		break;

	case sIgnoreUserKnownHosts:
		intptr = &options->ignore_user_known_hosts;
		goto parse_flag;

	case sRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
		goto parse_flag;

	case sHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
		goto parse_flag;

	case sHostbasedUsesNameFromPacketOnly:
		intptr = &options->hostbased_uses_name_from_packet_only;
		goto parse_flag;

	case sRSAAuthentication:
		intptr = &options->rsa_authentication;
		goto parse_flag;

	case sPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
		goto parse_flag;

	case sKerberosAuthentication:
		intptr = &options->kerberos_authentication;
		goto parse_flag;

	case sKerberosOrLocalPasswd:
		intptr = &options->kerberos_or_local_passwd;
		goto parse_flag;

	case sKerberosTicketCleanup:
		intptr = &options->kerberos_ticket_cleanup;
		goto parse_flag;

	case sKerberosGetAFSToken:
		intptr = &options->kerberos_get_afs_token;
		goto parse_flag;

	case sGssAuthentication:
		intptr = &options->gss_authentication;
		goto parse_flag;

	case sGssCleanupCreds:
		intptr = &options->gss_cleanup_creds;
		goto parse_flag;

	case sPasswordAuthentication:
		intptr = &options->password_authentication;
		goto parse_flag;

	case sKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
		goto parse_flag;

	case sChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
		goto parse_flag;

	case sPrintMotd:
		intptr = &options->print_motd;
		goto parse_flag;

	case sPrintLastLog:
		intptr = &options->print_lastlog;
		goto parse_flag;

	case sX11Forwarding:
		intptr = &options->x11_forwarding;
		goto parse_flag;

	case sX11DisplayOffset:
		intptr = &options->x11_display_offset;
		goto parse_int;

	case sX11UseLocalhost:
		intptr = &options->x11_use_localhost;
		goto parse_flag;

	case sXAuthLocation:
		charptr = &options->xauth_location;
		goto parse_filename;

	case sStrictModes:
		intptr = &options->strict_modes;
		goto parse_flag;

	case sTCPKeepAlive:
		intptr = &options->tcp_keep_alive;
		goto parse_flag;

	case sEmptyPasswd:
		intptr = &options->permit_empty_passwd;
		goto parse_flag;

	case sPermitUserEnvironment:
		intptr = &options->permit_user_env;
		goto parse_flag;

	case sUseLogin:
		intptr = &options->use_login;
		goto parse_flag;

	case sCompression:
		intptr = &options->compression;
		goto parse_flag;

	case sGatewayPorts:
		intptr = &options->gateway_ports;
		goto parse_flag;

	case sUseDNS:
		intptr = &options->use_dns;
		goto parse_flag;

	case sLogFacility:
		/* The enum slot is addressed through an int pointer. */
		intptr = (int *) &options->log_facility;
		arg = strdelim(&cp);
		/* arg may be NULL here; log_facility_number() presumably copes. */
		value = log_facility_number(arg);
		if (value == SYSLOG_FACILITY_NOT_SET)
			fatal("%.200s line %d: unsupported log facility '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (SyslogFacility) value;
		break;

	case sLogLevel:
		intptr = (int *) &options->log_level;
		arg = strdelim(&cp);
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*intptr == -1)
			*intptr = (LogLevel) value;
		break;

	case sAllowTcpForwarding:
		intptr = &options->allow_tcp_forwarding;
		goto parse_flag;

	case sUsePrivilegeSeparation:
		/* Global rather than an options field; see the extern above. */
		intptr = &use_privsep;
		goto parse_flag;

	/*
	 * The four access lists accumulate across lines (no "first wins"
	 * rule); each entry is copied with xstrdup() and owned by options.
	 */
	case sAllowUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_users >= MAX_ALLOW_USERS)
				fatal("%s line %d: too many allow users.",
				    filename, linenum);
			options->allow_users[options->num_allow_users++] =
			    xstrdup(arg);
		}
		break;

	case sDenyUsers:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_users >= MAX_DENY_USERS)
				fatal( "%s line %d: too many deny users.",
				    filename, linenum);
			options->deny_users[options->num_deny_users++] =
			    xstrdup(arg);
		}
		break;

	case sAllowGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
				fatal("%s line %d: too many allow groups.",
				    filename, linenum);
			options->allow_groups[options->num_allow_groups++] =
			    xstrdup(arg);
		}
		break;

	case sDenyGroups:
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (options->num_deny_groups >= MAX_DENY_GROUPS)
				fatal("%s line %d: too many deny groups.",
				    filename, linenum);
			options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
		}
		break;

	case sCiphers:
		/* Validated up front so a typo cannot reach key exchange. */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->ciphers == NULL)
			options->ciphers = xstrdup(arg);
		break;

	case sMacs:
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		if (!mac_valid(arg))
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (options->macs == NULL)
			options->macs = xstrdup(arg);
		break;

	case sProtocol:
		intptr = &options->protocol;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		/* Unset marker for this field is SSH_PROTO_UNKNOWN, not -1. */
		if (*intptr == SSH_PROTO_UNKNOWN)
			*intptr = value;
		break;

	case sSubsystem:
		/* "Subsystem name command"; duplicate names are rejected. */
		if (options->num_subsystems >= MAX_SUBSYSTEMS) {
			fatal("%s line %d: too many subsystems defined.",
			    filename, linenum);
		}
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem name.",
			    filename, linenum);
		for (i = 0; i < options->num_subsystems; i++)
			if (strcmp(arg, options->subsystem_name[i]) == 0)
				fatal("%s line %d: Subsystem '%s' already defined.",
				    filename, linenum, arg);
		options->subsystem_name[options->num_subsystems] = xstrdup(arg);
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing subsystem command.",
			    filename, linenum);
		options->subsystem_command[options->num_subsystems] = xstrdup(arg);
		options->num_subsystems++;
		break;

	case sMaxStartups:
		/*
		 * Either "N" or "begin:rate:full".  Unlike the label parsers
		 * this writes straight into the option slots, so a later
		 * MaxStartups line overrides an earlier one instead of being
		 * ignored.  The three-field form must satisfy
		 * begin <= full and 1 <= rate <= 100.
		 */
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing MaxStartups spec.",
			    filename, linenum);
		if ((n = sscanf(arg, "%d:%d:%d",
		    &options->max_startups_begin,
		    &options->max_startups_rate,
		    &options->max_startups)) == 3) {
			if (options->max_startups_begin >
			    options->max_startups ||
			    options->max_startups_rate > 100 ||
			    options->max_startups_rate < 1)
				fatal("%s line %d: Illegal MaxStartups spec.",
				    filename, linenum);
		} else if (n != 1)
			fatal("%s line %d: Illegal MaxStartups spec.",
			    filename, linenum);
		else
			options->max_startups = options->max_startups_begin;
		break;

	case sMaxAuthTries:
		intptr = &options->max_authtries;
		goto parse_int;

	case sBanner:
		charptr = &options->banner;
		goto parse_filename;
	/*
	 * These options can contain %X options expanded at
	 * connect time, so that you can specify paths like:
	 *
	 * AuthorizedKeysFile	/etc/ssh_keys/%u
	 */
	case sAuthorizedKeysFile:
	case sAuthorizedKeysFile2:
		charptr = (opcode == sAuthorizedKeysFile ) ?
		    &options->authorized_keys_file :
		    &options->authorized_keys_file2;
		goto parse_filename;

	case sClientAliveInterval:
		intptr = &options->client_alive_interval;
		goto parse_time;

	case sClientAliveCountMax:
		intptr = &options->client_alive_count_max;
		goto parse_int;

	case sAcceptEnv:
		/* Names only -- an '=' would smuggle in a value. */
		while ((arg = strdelim(&cp)) && *arg != '\0') {
			if (strchr(arg, '=') != NULL)
				fatal("%s line %d: Invalid environment name.",
				    filename, linenum);
			if (options->num_accept_env >= MAX_ACCEPT_ENV)
				fatal("%s line %d: too many allow env.",
				    filename, linenum);
			options->accept_env[options->num_accept_env++] =
			    xstrdup(arg);
		}
		break;

	case sDeprecated:
		/* Log once and consume the rest of the line. */
		logit("%s line %d: Deprecated option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	case sUnsupported:
		logit("%s line %d: Unsupported option %s",
		    filename, linenum, arg);
		while (arg)
		    arg = strdelim(&cp);
		break;

	default:
		/* Every token in ServerOpCodes should have a case above. */
		fatal("%s line %d: Missing handler for opcode %s (%d)",
		    filename, linenum, arg, opcode);
	}
	/* Anything left after the handled arguments is a configuration error. */
	if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
		fatal("%s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
	return 0;
}
089fbbd2 941
/*
 * Read the server configuration file into conf, stripped of comments and
 * leading whitespace but with every newline kept so that line numbers in
 * later diagnostics still match the file.  The buffer is NUL-terminated.
 * An unreadable file is reported with perror() and exits the process.
 *
 * NOTE(review): lines are read with a fixed 1024-byte fgets() buffer; a
 * longer line is delivered in pieces and, presumably, parsed as several
 * lines (and numbered as such).
 */
void
load_server_config(const char *filename, Buffer *conf)
{
	FILE *f;
	char line[1024];

	debug2("%s: filename %s", __func__, filename);
	f = fopen(filename, "r");
	if (f == NULL) {
		perror(filename);
		exit(1);
	}
	buffer_clear(conf);
	for (;;) {
		char *hash, *start;

		if (fgets(line, sizeof(line), f) == NULL)
			break;
		/*
		 * Chop from the first '#' on, leaving just a newline so the
		 * line count survives.
		 */
		hash = strchr(line, '#');
		if (hash != NULL)
			memcpy(hash, "\n", 2);
		start = line + strspn(line, " \t\r");
		buffer_append(conf, start, strlen(start));
	}
	buffer_append(conf, "\0", 1);
	fclose(f);
	debug2("%s: done config len = %d", __func__, buffer_len(conf));
}
972
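/*
 * Apply the configuration text in conf (as produced by load_server_config())
 * to options, one line at a time.  filename is used only in diagnostics.
 * Lines rejected by process_server_config_line() are counted rather than
 * stopping the walk, so every bad option is reported before the final
 * fatal(); any other parse problem is fatal inside the line handler.
 *
 * Fix: line numbers passed to the line handler now start at 1.  Previously
 * the counter started at 0, so every diagnostic pointed one line above the
 * offending entry in the file (the first line was reported as "line 0").
 */
void
parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
{
	int linenum, bad_options = 0;
	char *cp, *obuf, *cbuf;

	debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));

	/* strsep() writes into its argument, so walk a private copy. */
	obuf = cbuf = xstrdup(buffer_ptr(conf));
	/* Configuration lines are numbered from 1, as editors show them. */
	linenum = 1;
	while ((cp = strsep(&cbuf, "\n")) != NULL) {
		if (process_server_config_line(options, cp, filename,
		    linenum++) != 0)
			bad_options++;
	}
	xfree(obuf);
	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
}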