]> andersk Git - openssh.git/blame - servconf.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- (djm) Bug #629: Mark ssh_config option "pamauthenticationviakbdint"
[openssh.git] / servconf.c
CommitLineData
8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
0598d99d 13RCSID("$OpenBSD: servconf.c,v 1.124 2003/08/13 08:46:30 markus Exp $");
8efc0c15 14
15#include "ssh.h"
42f11eb2 16#include "log.h"
8efc0c15 17#include "servconf.h"
18#include "xmalloc.h"
a8be9f80 19#include "compat.h"
42f11eb2 20#include "pathnames.h"
21#include "tildexpand.h"
22#include "misc.h"
23#include "cipher.h"
b2552997 24#include "kex.h"
25#include "mac.h"
42f11eb2 26
396c147e 27static void add_listen_addr(ServerOptions *, char *, u_short);
28static void add_one_listen_addr(ServerOptions *, char *, u_short);
48e671d5 29
42f11eb2 30/* AF_UNSPEC or AF_INET or AF_INET6 */
31extern int IPv4or6;
1853d1ef 32/* Use of privilege separation or not */
33extern int use_privsep;
42f11eb2 34
8efc0c15 35/* Initializes the server options to their default values. */
36
6ae2364d 37void
5260325f 38initialize_server_options(ServerOptions *options)
8efc0c15 39{
5260325f 40 memset(options, 0, sizeof(*options));
e15895cd 41
42 /* Portable-specific options */
7fceb20d 43 options->use_pam = -1;
e15895cd 44
45 /* Standard Options */
48e671d5 46 options->num_ports = 0;
47 options->ports_from_cmdline = 0;
48 options->listen_addrs = NULL;
fa08c86b 49 options->num_host_key_files = 0;
0fbe8c74 50 options->pid_file = NULL;
5260325f 51 options->server_key_bits = -1;
52 options->login_grace_time = -1;
53 options->key_regeneration_time = -1;
15853e93 54 options->permit_root_login = PERMIT_NOT_SET;
5260325f 55 options->ignore_rhosts = -1;
56 options->ignore_user_known_hosts = -1;
57 options->print_motd = -1;
4f4648f9 58 options->print_lastlog = -1;
5260325f 59 options->x11_forwarding = -1;
60 options->x11_display_offset = -1;
e6e573bd 61 options->x11_use_localhost = -1;
fa649821 62 options->xauth_location = NULL;
5260325f 63 options->strict_modes = -1;
64 options->keepalives = -1;
5eaf8578 65 options->log_facility = SYSLOG_FACILITY_NOT_SET;
66 options->log_level = SYSLOG_LEVEL_NOT_SET;
5260325f 67 options->rhosts_rsa_authentication = -1;
8002af61 68 options->hostbased_authentication = -1;
69 options->hostbased_uses_name_from_packet_only = -1;
5260325f 70 options->rsa_authentication = -1;
fa08c86b 71 options->pubkey_authentication = -1;
5260325f 72 options->kerberos_authentication = -1;
73 options->kerberos_or_local_passwd = -1;
74 options->kerberos_ticket_cleanup = -1;
5260325f 75 options->kerberos_tgt_passing = -1;
5260325f 76 options->password_authentication = -1;
94ec8c6b 77 options->kbd_interactive_authentication = -1;
5ba55ada 78 options->challenge_response_authentication = -1;
5260325f 79 options->permit_empty_passwd = -1;
f00bab84 80 options->permit_user_env = -1;
5260325f 81 options->use_login = -1;
636f76ca 82 options->compression = -1;
33de75a3 83 options->allow_tcp_forwarding = -1;
5260325f 84 options->num_allow_users = 0;
85 options->num_deny_users = 0;
86 options->num_allow_groups = 0;
87 options->num_deny_groups = 0;
a8be9f80 88 options->ciphers = NULL;
b2552997 89 options->macs = NULL;
a8be9f80 90 options->protocol = SSH_PROTO_UNKNOWN;
1d1ffb87 91 options->gateway_ports = -1;
38c295d6 92 options->num_subsystems = 0;
c345cf9d 93 options->max_startups_begin = -1;
94 options->max_startups_rate = -1;
089fbbd2 95 options->max_startups = -1;
eea39c02 96 options->banner = NULL;
c5a7d788 97 options->use_dns = -1;
3ffc6336 98 options->client_alive_interval = -1;
99 options->client_alive_count_max = -1;
c8445989 100 options->authorized_keys_file = NULL;
101 options->authorized_keys_file2 = NULL;
1853d1ef 102
1853d1ef 103 /* Needs to be accessable in many places */
104 use_privsep = -1;
8efc0c15 105}
106
6ae2364d 107void
5260325f 108fill_default_server_options(ServerOptions *options)
8efc0c15 109{
e15895cd 110 /* Portable-specific options */
7fceb20d 111 if (options->use_pam == -1)
1457e7ff 112 options->use_pam = 1;
e15895cd 113
114 /* Standard Options */
fa08c86b 115 if (options->protocol == SSH_PROTO_UNKNOWN)
116 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
117 if (options->num_host_key_files == 0) {
118 /* fill default hostkeys for protocols */
119 if (options->protocol & SSH_PROTO_1)
0f84fe37 120 options->host_key_files[options->num_host_key_files++] =
121 _PATH_HOST_KEY_FILE;
122 if (options->protocol & SSH_PROTO_2) {
123 options->host_key_files[options->num_host_key_files++] =
124 _PATH_HOST_RSA_KEY_FILE;
125 options->host_key_files[options->num_host_key_files++] =
126 _PATH_HOST_DSA_KEY_FILE;
127 }
fa08c86b 128 }
48e671d5 129 if (options->num_ports == 0)
130 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
131 if (options->listen_addrs == NULL)
2d2a2c65 132 add_listen_addr(options, NULL, 0);
0fbe8c74 133 if (options->pid_file == NULL)
42f11eb2 134 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
5260325f 135 if (options->server_key_bits == -1)
136 options->server_key_bits = 768;
137 if (options->login_grace_time == -1)
3445ca02 138 options->login_grace_time = 120;
5260325f 139 if (options->key_regeneration_time == -1)
140 options->key_regeneration_time = 3600;
15853e93 141 if (options->permit_root_login == PERMIT_NOT_SET)
142 options->permit_root_login = PERMIT_YES;
5260325f 143 if (options->ignore_rhosts == -1)
c8d54615 144 options->ignore_rhosts = 1;
5260325f 145 if (options->ignore_user_known_hosts == -1)
146 options->ignore_user_known_hosts = 0;
5260325f 147 if (options->print_motd == -1)
148 options->print_motd = 1;
4f4648f9 149 if (options->print_lastlog == -1)
150 options->print_lastlog = 1;
5260325f 151 if (options->x11_forwarding == -1)
c8d54615 152 options->x11_forwarding = 0;
5260325f 153 if (options->x11_display_offset == -1)
c8d54615 154 options->x11_display_offset = 10;
e6e573bd 155 if (options->x11_use_localhost == -1)
156 options->x11_use_localhost = 1;
fa649821 157 if (options->xauth_location == NULL)
fd9ede94 158 options->xauth_location = _PATH_XAUTH;
5260325f 159 if (options->strict_modes == -1)
160 options->strict_modes = 1;
161 if (options->keepalives == -1)
162 options->keepalives = 1;
5eaf8578 163 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
5260325f 164 options->log_facility = SYSLOG_FACILITY_AUTH;
5eaf8578 165 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
59c97189 166 options->log_level = SYSLOG_LEVEL_INFO;
5260325f 167 if (options->rhosts_rsa_authentication == -1)
c8d54615 168 options->rhosts_rsa_authentication = 0;
8002af61 169 if (options->hostbased_authentication == -1)
170 options->hostbased_authentication = 0;
171 if (options->hostbased_uses_name_from_packet_only == -1)
172 options->hostbased_uses_name_from_packet_only = 0;
5260325f 173 if (options->rsa_authentication == -1)
174 options->rsa_authentication = 1;
fa08c86b 175 if (options->pubkey_authentication == -1)
176 options->pubkey_authentication = 1;
5260325f 177 if (options->kerberos_authentication == -1)
eadc806d 178 options->kerberos_authentication = 0;
5260325f 179 if (options->kerberos_or_local_passwd == -1)
180 options->kerberos_or_local_passwd = 1;
181 if (options->kerberos_ticket_cleanup == -1)
182 options->kerberos_ticket_cleanup = 1;
5260325f 183 if (options->kerberos_tgt_passing == -1)
184 options->kerberos_tgt_passing = 0;
5260325f 185 if (options->password_authentication == -1)
186 options->password_authentication = 1;
94ec8c6b 187 if (options->kbd_interactive_authentication == -1)
188 options->kbd_interactive_authentication = 0;
5ba55ada 189 if (options->challenge_response_authentication == -1)
190 options->challenge_response_authentication = 1;
5260325f 191 if (options->permit_empty_passwd == -1)
c8d54615 192 options->permit_empty_passwd = 0;
f00bab84 193 if (options->permit_user_env == -1)
194 options->permit_user_env = 0;
5260325f 195 if (options->use_login == -1)
196 options->use_login = 0;
636f76ca 197 if (options->compression == -1)
198 options->compression = 1;
33de75a3 199 if (options->allow_tcp_forwarding == -1)
200 options->allow_tcp_forwarding = 1;
1d1ffb87 201 if (options->gateway_ports == -1)
202 options->gateway_ports = 0;
089fbbd2 203 if (options->max_startups == -1)
204 options->max_startups = 10;
c345cf9d 205 if (options->max_startups_rate == -1)
206 options->max_startups_rate = 100; /* 100% */
207 if (options->max_startups_begin == -1)
208 options->max_startups_begin = options->max_startups;
c5a7d788 209 if (options->use_dns == -1)
210 options->use_dns = 1;
3ffc6336 211 if (options->client_alive_interval == -1)
184eed6a 212 options->client_alive_interval = 0;
3ffc6336 213 if (options->client_alive_count_max == -1)
214 options->client_alive_count_max = 3;
5df83e07 215 if (options->authorized_keys_file2 == NULL) {
216 /* authorized_keys_file2 falls back to authorized_keys_file */
217 if (options->authorized_keys_file != NULL)
218 options->authorized_keys_file2 = options->authorized_keys_file;
219 else
220 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
221 }
222 if (options->authorized_keys_file == NULL)
223 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
1853d1ef 224
2ee1b704 225 /* Turn privilege separation on by default */
1853d1ef 226 if (use_privsep == -1)
2ee1b704 227 use_privsep = 1;
e299a298 228
4165b82e 229#ifndef HAVE_MMAP
e299a298 230 if (use_privsep && options->compression == 1) {
231 error("This platform does not support both privilege "
232 "separation and compression");
233 error("Compression disabled");
234 options->compression = 0;
235 }
236#endif
237
8efc0c15 238}
239
8efc0c15 240/* Keyword tokens. */
5260325f 241typedef enum {
242 sBadOption, /* == unknown option */
e15895cd 243 /* Portable-specific options */
7fceb20d 244 sUsePAM,
e15895cd 245 /* Standard Options */
5260325f 246 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
247 sPermitRootLogin, sLogFacility, sLogLevel,
0598d99d 248 sRhostsRSAAuthentication, sRSAAuthentication,
5260325f 249 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
1c590258 250 sKerberosTgtPassing, sChallengeResponseAuthentication,
94ec8c6b 251 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
4f4648f9 252 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e6e573bd 253 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
5c53a31e 254 sStrictModes, sEmptyPasswd, sKeepAlives,
f00bab84 255 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
33de75a3 256 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
b2552997 257 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
fa08c86b 258 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
c5a7d788 259 sBanner, sUseDNS, sHostbasedAuthentication,
184eed6a 260 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
c8445989 261 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
2ea6de2b 262 sUsePrivilegeSeparation,
a2144546 263 sDeprecated, sUnsupported
8efc0c15 264} ServerOpCodes;
265
266/* Textual representation of the tokens. */
5260325f 267static struct {
268 const char *name;
269 ServerOpCodes opcode;
270} keywords[] = {
e15895cd 271 /* Portable-specific options */
b06b11ad 272#ifdef USE_PAM
fe46678b 273 { "usepam", sUsePAM },
b06b11ad 274#else
fe46678b 275 { "usepam", sUnsupported },
b06b11ad 276#endif
fe46678b 277 { "pamauthenticationviakbdint", sDeprecated },
e15895cd 278 /* Standard Options */
5260325f 279 { "port", sPort },
280 { "hostkey", sHostKeyFile },
fa08c86b 281 { "hostdsakey", sHostKeyFile }, /* alias */
2b87da3b 282 { "pidfile", sPidFile },
5260325f 283 { "serverkeybits", sServerKeyBits },
284 { "logingracetime", sLoginGraceTime },
285 { "keyregenerationinterval", sKeyRegenerationTime },
286 { "permitrootlogin", sPermitRootLogin },
287 { "syslogfacility", sLogFacility },
288 { "loglevel", sLogLevel },
0598d99d 289 { "rhostsauthentication", sDeprecated },
5260325f 290 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
8002af61 291 { "hostbasedauthentication", sHostbasedAuthentication },
292 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
5260325f 293 { "rsaauthentication", sRSAAuthentication },
fa08c86b 294 { "pubkeyauthentication", sPubkeyAuthentication },
295 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
1c590258 296#ifdef KRB5
5260325f 297 { "kerberosauthentication", sKerberosAuthentication },
298 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
299 { "kerberosticketcleanup", sKerberosTicketCleanup },
5260325f 300 { "kerberostgtpassing", sKerberosTgtPassing },
a2144546 301#else
302 { "kerberosauthentication", sUnsupported },
303 { "kerberosorlocalpasswd", sUnsupported },
304 { "kerberosticketcleanup", sUnsupported },
305 { "kerberostgtpassing", sUnsupported },
306#endif
a2144546 307 { "afstokenpassing", sUnsupported },
5260325f 308 { "passwordauthentication", sPasswordAuthentication },
94ec8c6b 309 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
d464095c 310 { "challengeresponseauthentication", sChallengeResponseAuthentication },
311 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
5c53a31e 312 { "checkmail", sDeprecated },
5260325f 313 { "listenaddress", sListenAddress },
314 { "printmotd", sPrintMotd },
4f4648f9 315 { "printlastlog", sPrintLastLog },
5260325f 316 { "ignorerhosts", sIgnoreRhosts },
317 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
318 { "x11forwarding", sX11Forwarding },
319 { "x11displayoffset", sX11DisplayOffset },
e6e573bd 320 { "x11uselocalhost", sX11UseLocalhost },
fa649821 321 { "xauthlocation", sXAuthLocation },
5260325f 322 { "strictmodes", sStrictModes },
323 { "permitemptypasswords", sEmptyPasswd },
f00bab84 324 { "permituserenvironment", sPermitUserEnvironment },
5260325f 325 { "uselogin", sUseLogin },
636f76ca 326 { "compression", sCompression },
5260325f 327 { "keepalive", sKeepAlives },
33de75a3 328 { "allowtcpforwarding", sAllowTcpForwarding },
5260325f 329 { "allowusers", sAllowUsers },
330 { "denyusers", sDenyUsers },
331 { "allowgroups", sAllowGroups },
332 { "denygroups", sDenyGroups },
a8be9f80 333 { "ciphers", sCiphers },
b2552997 334 { "macs", sMacs },
a8be9f80 335 { "protocol", sProtocol },
1d1ffb87 336 { "gatewayports", sGatewayPorts },
38c295d6 337 { "subsystem", sSubsystem },
089fbbd2 338 { "maxstartups", sMaxStartups },
eea39c02 339 { "banner", sBanner },
c5a7d788 340 { "usedns", sUseDNS },
341 { "verifyreversemapping", sDeprecated },
342 { "reversemappingcheck", sDeprecated },
3ffc6336 343 { "clientaliveinterval", sClientAliveInterval },
344 { "clientalivecountmax", sClientAliveCountMax },
c8445989 345 { "authorizedkeysfile", sAuthorizedKeysFile },
346 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
1853d1ef 347 { "useprivilegeseparation", sUsePrivilegeSeparation},
17a3011c 348 { NULL, sBadOption }
8efc0c15 349};
350
aa3378df 351/*
6be9a5e8 352 * Returns the number of the token pointed to by cp or sBadOption.
aa3378df 353 */
8efc0c15 354
6ae2364d 355static ServerOpCodes
5260325f 356parse_token(const char *cp, const char *filename,
357 int linenum)
8efc0c15 358{
1e3b8b07 359 u_int i;
8efc0c15 360
5260325f 361 for (i = 0; keywords[i].name; i++)
aa3378df 362 if (strcasecmp(cp, keywords[i].name) == 0)
5260325f 363 return keywords[i].opcode;
8efc0c15 364
b7c70970 365 error("%s: line %d: Bad configuration option: %s",
366 filename, linenum, cp);
5260325f 367 return sBadOption;
8efc0c15 368}
369
396c147e 370static void
2d2a2c65 371add_listen_addr(ServerOptions *options, char *addr, u_short port)
48e671d5 372{
48e671d5 373 int i;
374
375 if (options->num_ports == 0)
376 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
2d2a2c65 377 if (port == 0)
d11c1288 378 for (i = 0; i < options->num_ports; i++)
379 add_one_listen_addr(options, addr, options->ports[i]);
380 else
2d2a2c65 381 add_one_listen_addr(options, addr, port);
d11c1288 382}
383
396c147e 384static void
d11c1288 385add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
386{
387 struct addrinfo hints, *ai, *aitop;
388 char strport[NI_MAXSERV];
389 int gaierr;
390
391 memset(&hints, 0, sizeof(hints));
392 hints.ai_family = IPv4or6;
393 hints.ai_socktype = SOCK_STREAM;
394 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
7528d467 395 snprintf(strport, sizeof strport, "%u", port);
d11c1288 396 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
397 fatal("bad addr or host: %s (%s)",
398 addr ? addr : "<NULL>",
399 gai_strerror(gaierr));
400 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
401 ;
402 ai->ai_next = options->listen_addrs;
403 options->listen_addrs = aitop;
48e671d5 404}
405
2717fa0f 406int
407process_server_config_line(ServerOptions *options, char *line,
408 const char *filename, int linenum)
8efc0c15 409{
d11c1288 410 char *cp, **charptr, *arg, *p;
7528d467 411 int *intptr, value, i, n;
5260325f 412 ServerOpCodes opcode;
413
2717fa0f 414 cp = line;
415 arg = strdelim(&cp);
416 /* Ignore leading whitespace */
417 if (*arg == '\0')
704b1659 418 arg = strdelim(&cp);
2717fa0f 419 if (!arg || !*arg || *arg == '#')
420 return 0;
421 intptr = NULL;
422 charptr = NULL;
423 opcode = parse_token(arg, filename, linenum);
424 switch (opcode) {
425 /* Portable-specific options */
7fceb20d 426 case sUsePAM:
427 intptr = &options->use_pam;
2717fa0f 428 goto parse_flag;
48e671d5 429
2717fa0f 430 /* Standard Options */
431 case sBadOption:
432 return -1;
433 case sPort:
434 /* ignore ports from configfile if cmdline specifies ports */
435 if (options->ports_from_cmdline)
436 return 0;
437 if (options->listen_addrs != NULL)
438 fatal("%s line %d: ports must be specified before "
3a454b6a 439 "ListenAddress.", filename, linenum);
2717fa0f 440 if (options->num_ports >= MAX_PORTS)
441 fatal("%s line %d: too many ports.",
442 filename, linenum);
443 arg = strdelim(&cp);
444 if (!arg || *arg == '\0')
445 fatal("%s line %d: missing port number.",
446 filename, linenum);
447 options->ports[options->num_ports++] = a2port(arg);
448 if (options->ports[options->num_ports-1] == 0)
449 fatal("%s line %d: Badly formatted port number.",
450 filename, linenum);
451 break;
452
453 case sServerKeyBits:
454 intptr = &options->server_key_bits;
5260325f 455parse_int:
2717fa0f 456 arg = strdelim(&cp);
457 if (!arg || *arg == '\0')
458 fatal("%s line %d: missing integer value.",
459 filename, linenum);
460 value = atoi(arg);
461 if (*intptr == -1)
462 *intptr = value;
463 break;
464
465 case sLoginGraceTime:
466 intptr = &options->login_grace_time;
e2b1fb42 467parse_time:
2717fa0f 468 arg = strdelim(&cp);
469 if (!arg || *arg == '\0')
470 fatal("%s line %d: missing time value.",
471 filename, linenum);
472 if ((value = convtime(arg)) == -1)
473 fatal("%s line %d: invalid time value.",
474 filename, linenum);
475 if (*intptr == -1)
476 *intptr = value;
477 break;
478
479 case sKeyRegenerationTime:
480 intptr = &options->key_regeneration_time;
481 goto parse_time;
482
483 case sListenAddress:
484 arg = strdelim(&cp);
485 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
486 fatal("%s line %d: missing inet addr.",
487 filename, linenum);
488 if (*arg == '[') {
489 if ((p = strchr(arg, ']')) == NULL)
490 fatal("%s line %d: bad ipv6 inet addr usage.",
e2b1fb42 491 filename, linenum);
2717fa0f 492 arg++;
493 memmove(p, p+1, strlen(p+1)+1);
494 } else if (((p = strchr(arg, ':')) == NULL) ||
495 (strchr(p+1, ':') != NULL)) {
496 add_listen_addr(options, arg, 0);
e2b1fb42 497 break;
2717fa0f 498 }
499 if (*p == ':') {
500 u_short port;
5260325f 501
2717fa0f 502 p++;
503 if (*p == '\0')
504 fatal("%s line %d: bad inet addr:port usage.",
48e671d5 505 filename, linenum);
2717fa0f 506 else {
507 *(p-1) = '\0';
508 if ((port = a2port(p)) == 0)
509 fatal("%s line %d: bad port number.",
d11c1288 510 filename, linenum);
2717fa0f 511 add_listen_addr(options, arg, port);
d11c1288 512 }
2717fa0f 513 } else if (*p == '\0')
514 add_listen_addr(options, arg, 0);
515 else
516 fatal("%s line %d: bad inet addr usage.",
517 filename, linenum);
518 break;
519
520 case sHostKeyFile:
521 intptr = &options->num_host_key_files;
522 if (*intptr >= MAX_HOSTKEYS)
523 fatal("%s line %d: too many host keys specified (max %d).",
524 filename, linenum, MAX_HOSTKEYS);
525 charptr = &options->host_key_files[*intptr];
fa649821 526parse_filename:
2717fa0f 527 arg = strdelim(&cp);
528 if (!arg || *arg == '\0')
529 fatal("%s line %d: missing file name.",
530 filename, linenum);
531 if (*charptr == NULL) {
532 *charptr = tilde_expand_filename(arg, getuid());
533 /* increase optional counter */
534 if (intptr != NULL)
535 *intptr = *intptr + 1;
536 }
537 break;
0fbe8c74 538
2717fa0f 539 case sPidFile:
540 charptr = &options->pid_file;
541 goto parse_filename;
5260325f 542
2717fa0f 543 case sPermitRootLogin:
544 intptr = &options->permit_root_login;
545 arg = strdelim(&cp);
546 if (!arg || *arg == '\0')
547 fatal("%s line %d: missing yes/"
548 "without-password/forced-commands-only/no "
549 "argument.", filename, linenum);
550 value = 0; /* silence compiler */
551 if (strcmp(arg, "without-password") == 0)
552 value = PERMIT_NO_PASSWD;
553 else if (strcmp(arg, "forced-commands-only") == 0)
554 value = PERMIT_FORCED_ONLY;
555 else if (strcmp(arg, "yes") == 0)
556 value = PERMIT_YES;
557 else if (strcmp(arg, "no") == 0)
558 value = PERMIT_NO;
559 else
560 fatal("%s line %d: Bad yes/"
561 "without-password/forced-commands-only/no "
562 "argument: %s", filename, linenum, arg);
563 if (*intptr == -1)
564 *intptr = value;
565 break;
566
567 case sIgnoreRhosts:
568 intptr = &options->ignore_rhosts;
5260325f 569parse_flag:
2717fa0f 570 arg = strdelim(&cp);
571 if (!arg || *arg == '\0')
572 fatal("%s line %d: missing yes/no argument.",
573 filename, linenum);
574 value = 0; /* silence compiler */
575 if (strcmp(arg, "yes") == 0)
576 value = 1;
577 else if (strcmp(arg, "no") == 0)
578 value = 0;
579 else
580 fatal("%s line %d: Bad yes/no argument: %s",
581 filename, linenum, arg);
582 if (*intptr == -1)
583 *intptr = value;
584 break;
585
586 case sIgnoreUserKnownHosts:
587 intptr = &options->ignore_user_known_hosts;
588 goto parse_flag;
589
2717fa0f 590 case sRhostsRSAAuthentication:
591 intptr = &options->rhosts_rsa_authentication;
592 goto parse_flag;
593
594 case sHostbasedAuthentication:
595 intptr = &options->hostbased_authentication;
596 goto parse_flag;
597
598 case sHostbasedUsesNameFromPacketOnly:
599 intptr = &options->hostbased_uses_name_from_packet_only;
600 goto parse_flag;
601
602 case sRSAAuthentication:
603 intptr = &options->rsa_authentication;
604 goto parse_flag;
605
606 case sPubkeyAuthentication:
607 intptr = &options->pubkey_authentication;
608 goto parse_flag;
d0ec7f42 609
2717fa0f 610 case sKerberosAuthentication:
611 intptr = &options->kerberos_authentication;
612 goto parse_flag;
5260325f 613
2717fa0f 614 case sKerberosOrLocalPasswd:
615 intptr = &options->kerberos_or_local_passwd;
616 goto parse_flag;
5260325f 617
2717fa0f 618 case sKerberosTicketCleanup:
619 intptr = &options->kerberos_ticket_cleanup;
620 goto parse_flag;
d0ec7f42 621
2717fa0f 622 case sKerberosTgtPassing:
623 intptr = &options->kerberos_tgt_passing;
624 goto parse_flag;
d0ec7f42 625
2717fa0f 626 case sPasswordAuthentication:
627 intptr = &options->password_authentication;
628 goto parse_flag;
5260325f 629
2717fa0f 630 case sKbdInteractiveAuthentication:
631 intptr = &options->kbd_interactive_authentication;
632 goto parse_flag;
8002af61 633
2717fa0f 634 case sChallengeResponseAuthentication:
635 intptr = &options->challenge_response_authentication;
636 goto parse_flag;
8002af61 637
2717fa0f 638 case sPrintMotd:
639 intptr = &options->print_motd;
640 goto parse_flag;
5260325f 641
2717fa0f 642 case sPrintLastLog:
643 intptr = &options->print_lastlog;
644 goto parse_flag;
5260325f 645
2717fa0f 646 case sX11Forwarding:
647 intptr = &options->x11_forwarding;
648 goto parse_flag;
5260325f 649
2717fa0f 650 case sX11DisplayOffset:
651 intptr = &options->x11_display_offset;
652 goto parse_int;
8efc0c15 653
e6e573bd 654 case sX11UseLocalhost:
655 intptr = &options->x11_use_localhost;
656 goto parse_flag;
657
2717fa0f 658 case sXAuthLocation:
659 charptr = &options->xauth_location;
660 goto parse_filename;
5260325f 661
2717fa0f 662 case sStrictModes:
663 intptr = &options->strict_modes;
664 goto parse_flag;
5260325f 665
2717fa0f 666 case sKeepAlives:
667 intptr = &options->keepalives;
668 goto parse_flag;
33de75a3 669
2717fa0f 670 case sEmptyPasswd:
671 intptr = &options->permit_empty_passwd;
672 goto parse_flag;
5260325f 673
f00bab84 674 case sPermitUserEnvironment:
675 intptr = &options->permit_user_env;
676 goto parse_flag;
677
2717fa0f 678 case sUseLogin:
679 intptr = &options->use_login;
680 goto parse_flag;
5260325f 681
636f76ca 682 case sCompression:
683 intptr = &options->compression;
684 goto parse_flag;
685
2717fa0f 686 case sGatewayPorts:
687 intptr = &options->gateway_ports;
688 goto parse_flag;
5260325f 689
c5a7d788 690 case sUseDNS:
691 intptr = &options->use_dns;
2717fa0f 692 goto parse_flag;
5260325f 693
2717fa0f 694 case sLogFacility:
695 intptr = (int *) &options->log_facility;
696 arg = strdelim(&cp);
697 value = log_facility_number(arg);
5eaf8578 698 if (value == SYSLOG_FACILITY_NOT_SET)
2717fa0f 699 fatal("%.200s line %d: unsupported log facility '%s'",
700 filename, linenum, arg ? arg : "<NONE>");
701 if (*intptr == -1)
702 *intptr = (SyslogFacility) value;
703 break;
704
705 case sLogLevel:
706 intptr = (int *) &options->log_level;
707 arg = strdelim(&cp);
708 value = log_level_number(arg);
5eaf8578 709 if (value == SYSLOG_LEVEL_NOT_SET)
2717fa0f 710 fatal("%.200s line %d: unsupported log level '%s'",
711 filename, linenum, arg ? arg : "<NONE>");
712 if (*intptr == -1)
713 *intptr = (LogLevel) value;
714 break;
715
716 case sAllowTcpForwarding:
717 intptr = &options->allow_tcp_forwarding;
718 goto parse_flag;
719
1853d1ef 720 case sUsePrivilegeSeparation:
721 intptr = &use_privsep;
722 goto parse_flag;
723
2717fa0f 724 case sAllowUsers:
725 while ((arg = strdelim(&cp)) && *arg != '\0') {
726 if (options->num_allow_users >= MAX_ALLOW_USERS)
727 fatal("%s line %d: too many allow users.",
728 filename, linenum);
7528d467 729 options->allow_users[options->num_allow_users++] =
730 xstrdup(arg);
2717fa0f 731 }
732 break;
a8be9f80 733
2717fa0f 734 case sDenyUsers:
735 while ((arg = strdelim(&cp)) && *arg != '\0') {
736 if (options->num_deny_users >= MAX_DENY_USERS)
737 fatal( "%s line %d: too many deny users.",
738 filename, linenum);
7528d467 739 options->deny_users[options->num_deny_users++] =
740 xstrdup(arg);
2717fa0f 741 }
742 break;
b2552997 743
2717fa0f 744 case sAllowGroups:
745 while ((arg = strdelim(&cp)) && *arg != '\0') {
746 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
747 fatal("%s line %d: too many allow groups.",
748 filename, linenum);
7528d467 749 options->allow_groups[options->num_allow_groups++] =
750 xstrdup(arg);
2717fa0f 751 }
752 break;
a8be9f80 753
2717fa0f 754 case sDenyGroups:
755 while ((arg = strdelim(&cp)) && *arg != '\0') {
756 if (options->num_deny_groups >= MAX_DENY_GROUPS)
757 fatal("%s line %d: too many deny groups.",
758 filename, linenum);
759 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
760 }
761 break;
38c295d6 762
2717fa0f 763 case sCiphers:
764 arg = strdelim(&cp);
765 if (!arg || *arg == '\0')
766 fatal("%s line %d: Missing argument.", filename, linenum);
767 if (!ciphers_valid(arg))
768 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
769 filename, linenum, arg ? arg : "<NONE>");
770 if (options->ciphers == NULL)
771 options->ciphers = xstrdup(arg);
772 break;
773
774 case sMacs:
775 arg = strdelim(&cp);
776 if (!arg || *arg == '\0')
777 fatal("%s line %d: Missing argument.", filename, linenum);
778 if (!mac_valid(arg))
779 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
780 filename, linenum, arg ? arg : "<NONE>");
781 if (options->macs == NULL)
782 options->macs = xstrdup(arg);
783 break;
784
785 case sProtocol:
786 intptr = &options->protocol;
787 arg = strdelim(&cp);
788 if (!arg || *arg == '\0')
789 fatal("%s line %d: Missing argument.", filename, linenum);
790 value = proto_spec(arg);
791 if (value == SSH_PROTO_UNKNOWN)
792 fatal("%s line %d: Bad protocol spec '%s'.",
184eed6a 793 filename, linenum, arg ? arg : "<NONE>");
2717fa0f 794 if (*intptr == SSH_PROTO_UNKNOWN)
795 *intptr = value;
796 break;
797
798 case sSubsystem:
799 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
800 fatal("%s line %d: too many subsystems defined.",
184eed6a 801 filename, linenum);
2717fa0f 802 }
803 arg = strdelim(&cp);
804 if (!arg || *arg == '\0')
805 fatal("%s line %d: Missing subsystem name.",
184eed6a 806 filename, linenum);
2717fa0f 807 for (i = 0; i < options->num_subsystems; i++)
808 if (strcmp(arg, options->subsystem_name[i]) == 0)
809 fatal("%s line %d: Subsystem '%s' already defined.",
184eed6a 810 filename, linenum, arg);
2717fa0f 811 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
812 arg = strdelim(&cp);
813 if (!arg || *arg == '\0')
814 fatal("%s line %d: Missing subsystem command.",
184eed6a 815 filename, linenum);
2717fa0f 816 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
817 options->num_subsystems++;
818 break;
819
820 case sMaxStartups:
821 arg = strdelim(&cp);
822 if (!arg || *arg == '\0')
823 fatal("%s line %d: Missing MaxStartups spec.",
184eed6a 824 filename, linenum);
2717fa0f 825 if ((n = sscanf(arg, "%d:%d:%d",
826 &options->max_startups_begin,
827 &options->max_startups_rate,
828 &options->max_startups)) == 3) {
829 if (options->max_startups_begin >
830 options->max_startups ||
831 options->max_startups_rate > 100 ||
832 options->max_startups_rate < 1)
c345cf9d 833 fatal("%s line %d: Illegal MaxStartups spec.",
97de229c 834 filename, linenum);
2717fa0f 835 } else if (n != 1)
836 fatal("%s line %d: Illegal MaxStartups spec.",
837 filename, linenum);
838 else
839 options->max_startups = options->max_startups_begin;
840 break;
841
842 case sBanner:
843 charptr = &options->banner;
844 goto parse_filename;
845 /*
846 * These options can contain %X options expanded at
847 * connect time, so that you can specify paths like:
848 *
849 * AuthorizedKeysFile /etc/ssh_keys/%u
850 */
851 case sAuthorizedKeysFile:
852 case sAuthorizedKeysFile2:
853 charptr = (opcode == sAuthorizedKeysFile ) ?
854 &options->authorized_keys_file :
855 &options->authorized_keys_file2;
856 goto parse_filename;
857
858 case sClientAliveInterval:
859 intptr = &options->client_alive_interval;
860 goto parse_time;
861
862 case sClientAliveCountMax:
863 intptr = &options->client_alive_count_max;
864 goto parse_int;
865
866 case sDeprecated:
bbe88b6d 867 logit("%s line %d: Deprecated option %s",
2717fa0f 868 filename, linenum, arg);
869 while (arg)
870 arg = strdelim(&cp);
871 break;
872
a2144546 873 case sUnsupported:
874 logit("%s line %d: Unsupported option %s",
875 filename, linenum, arg);
876 while (arg)
877 arg = strdelim(&cp);
878 break;
879
2717fa0f 880 default:
881 fatal("%s line %d: Missing handler for opcode %s (%d)",
882 filename, linenum, arg, opcode);
883 }
884 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
885 fatal("%s line %d: garbage at end of line; \"%.200s\".",
886 filename, linenum, arg);
887 return 0;
888}
089fbbd2 889
2717fa0f 890/* Reads the server configuration file. */
5c53a31e 891
2717fa0f 892void
893read_server_config(ServerOptions *options, const char *filename)
894{
7528d467 895 int linenum, bad_options = 0;
2717fa0f 896 char line[1024];
7528d467 897 FILE *f;
2717fa0f 898
34934506 899 debug2("read_server_config: filename %s", filename);
2717fa0f 900 f = fopen(filename, "r");
901 if (!f) {
902 perror(filename);
903 exit(1);
904 }
905 linenum = 0;
906 while (fgets(line, sizeof(line), f)) {
907 /* Update line number counter. */
908 linenum++;
909 if (process_server_config_line(options, line, filename, linenum) != 0)
910 bad_options++;
8efc0c15 911 }
5260325f 912 fclose(f);
b7c70970 913 if (bad_options > 0)
914 fatal("%s: terminating, %d bad configuration options",
915 filename, bad_options);
8efc0c15 916}
git-cvsimport mirror of OpenSSH
This page took 1.058006 seconds and 5 git commands to generate.