]> andersk Git - openssh.git/blame_incremental - servconf.c
andersk / openssh.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
- djm@cvs.openbsd.org 2006/03/19 07:41:30
[openssh.git] / servconf.c
... / ...
CommitLineData
1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
13
14#include "ssh.h"
15#include "log.h"
16#include "servconf.h"
17#include "xmalloc.h"
18#include "compat.h"
19#include "pathnames.h"
20#include "misc.h"
21#include "cipher.h"
22#include "kex.h"
23#include "mac.h"
24
25static void add_listen_addr(ServerOptions *, char *, u_short);
26static void add_one_listen_addr(ServerOptions *, char *, u_short);
27
28/* Use of privilege separation or not */
29extern int use_privsep;
30
31/* Initializes the server options to their default values. */
32
33void
34initialize_server_options(ServerOptions *options)
35{
36 memset(options, 0, sizeof(*options));
37
38 /* Portable-specific options */
39 options->use_pam = -1;
40
41 /* Standard Options */
42 options->num_ports = 0;
43 options->ports_from_cmdline = 0;
44 options->listen_addrs = NULL;
45 options->address_family = -1;
46 options->num_host_key_files = 0;
47 options->pid_file = NULL;
48 options->server_key_bits = -1;
49 options->login_grace_time = -1;
50 options->key_regeneration_time = -1;
51 options->permit_root_login = PERMIT_NOT_SET;
52 options->ignore_rhosts = -1;
53 options->ignore_user_known_hosts = -1;
54 options->print_motd = -1;
55 options->print_lastlog = -1;
56 options->x11_forwarding = -1;
57 options->x11_display_offset = -1;
58 options->x11_use_localhost = -1;
59 options->xauth_location = NULL;
60 options->strict_modes = -1;
61 options->tcp_keep_alive = -1;
62 options->log_facility = SYSLOG_FACILITY_NOT_SET;
63 options->log_level = SYSLOG_LEVEL_NOT_SET;
64 options->rhosts_rsa_authentication = -1;
65 options->hostbased_authentication = -1;
66 options->hostbased_uses_name_from_packet_only = -1;
67 options->rsa_authentication = -1;
68 options->pubkey_authentication = -1;
69 options->kerberos_authentication = -1;
70 options->kerberos_or_local_passwd = -1;
71 options->kerberos_ticket_cleanup = -1;
72 options->kerberos_get_afs_token = -1;
73 options->gss_authentication=-1;
74 options->gss_cleanup_creds = -1;
75 options->password_authentication = -1;
76 options->kbd_interactive_authentication = -1;
77 options->challenge_response_authentication = -1;
78 options->permit_empty_passwd = -1;
79 options->permit_user_env = -1;
80 options->use_login = -1;
81 options->compression = -1;
82 options->allow_tcp_forwarding = -1;
83 options->num_allow_users = 0;
84 options->num_deny_users = 0;
85 options->num_allow_groups = 0;
86 options->num_deny_groups = 0;
87 options->ciphers = NULL;
88 options->macs = NULL;
89 options->protocol = SSH_PROTO_UNKNOWN;
90 options->gateway_ports = -1;
91 options->num_subsystems = 0;
92 options->max_startups_begin = -1;
93 options->max_startups_rate = -1;
94 options->max_startups = -1;
95 options->max_authtries = -1;
96 options->banner = NULL;
97 options->use_dns = -1;
98 options->client_alive_interval = -1;
99 options->client_alive_count_max = -1;
100 options->authorized_keys_file = NULL;
101 options->authorized_keys_file2 = NULL;
102 options->num_accept_env = 0;
103 options->permit_tun = -1;
104
105 /* Needs to be accessable in many places */
106 use_privsep = -1;
107}
108
109void
110fill_default_server_options(ServerOptions *options)
111{
112 /* Portable-specific options */
113 if (options->use_pam == -1)
114 options->use_pam = 0;
115
116 /* Standard Options */
117 if (options->protocol == SSH_PROTO_UNKNOWN)
118 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
119 if (options->num_host_key_files == 0) {
120 /* fill default hostkeys for protocols */
121 if (options->protocol & SSH_PROTO_1)
122 options->host_key_files[options->num_host_key_files++] =
123 _PATH_HOST_KEY_FILE;
124 if (options->protocol & SSH_PROTO_2) {
125 options->host_key_files[options->num_host_key_files++] =
126 _PATH_HOST_RSA_KEY_FILE;
127 options->host_key_files[options->num_host_key_files++] =
128 _PATH_HOST_DSA_KEY_FILE;
129 }
130 }
131 if (options->num_ports == 0)
132 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
133 if (options->listen_addrs == NULL)
134 add_listen_addr(options, NULL, 0);
135 if (options->pid_file == NULL)
136 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
137 if (options->server_key_bits == -1)
138 options->server_key_bits = 768;
139 if (options->login_grace_time == -1)
140 options->login_grace_time = 120;
141 if (options->key_regeneration_time == -1)
142 options->key_regeneration_time = 3600;
143 if (options->permit_root_login == PERMIT_NOT_SET)
144 options->permit_root_login = PERMIT_YES;
145 if (options->ignore_rhosts == -1)
146 options->ignore_rhosts = 1;
147 if (options->ignore_user_known_hosts == -1)
148 options->ignore_user_known_hosts = 0;
149 if (options->print_motd == -1)
150 options->print_motd = 1;
151 if (options->print_lastlog == -1)
152 options->print_lastlog = 1;
153 if (options->x11_forwarding == -1)
154 options->x11_forwarding = 0;
155 if (options->x11_display_offset == -1)
156 options->x11_display_offset = 10;
157 if (options->x11_use_localhost == -1)
158 options->x11_use_localhost = 1;
159 if (options->xauth_location == NULL)
160 options->xauth_location = _PATH_XAUTH;
161 if (options->strict_modes == -1)
162 options->strict_modes = 1;
163 if (options->tcp_keep_alive == -1)
164 options->tcp_keep_alive = 1;
165 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
166 options->log_facility = SYSLOG_FACILITY_AUTH;
167 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
168 options->log_level = SYSLOG_LEVEL_INFO;
169 if (options->rhosts_rsa_authentication == -1)
170 options->rhosts_rsa_authentication = 0;
171 if (options->hostbased_authentication == -1)
172 options->hostbased_authentication = 0;
173 if (options->hostbased_uses_name_from_packet_only == -1)
174 options->hostbased_uses_name_from_packet_only = 0;
175 if (options->rsa_authentication == -1)
176 options->rsa_authentication = 1;
177 if (options->pubkey_authentication == -1)
178 options->pubkey_authentication = 1;
179 if (options->kerberos_authentication == -1)
180 options->kerberos_authentication = 0;
181 if (options->kerberos_or_local_passwd == -1)
182 options->kerberos_or_local_passwd = 1;
183 if (options->kerberos_ticket_cleanup == -1)
184 options->kerberos_ticket_cleanup = 1;
185 if (options->kerberos_get_afs_token == -1)
186 options->kerberos_get_afs_token = 0;
187 if (options->gss_authentication == -1)
188 options->gss_authentication = 0;
189 if (options->gss_cleanup_creds == -1)
190 options->gss_cleanup_creds = 1;
191 if (options->password_authentication == -1)
192 options->password_authentication = 1;
193 if (options->kbd_interactive_authentication == -1)
194 options->kbd_interactive_authentication = 0;
195 if (options->challenge_response_authentication == -1)
196 options->challenge_response_authentication = 1;
197 if (options->permit_empty_passwd == -1)
198 options->permit_empty_passwd = 0;
199 if (options->permit_user_env == -1)
200 options->permit_user_env = 0;
201 if (options->use_login == -1)
202 options->use_login = 0;
203 if (options->compression == -1)
204 options->compression = COMP_DELAYED;
205 if (options->allow_tcp_forwarding == -1)
206 options->allow_tcp_forwarding = 1;
207 if (options->gateway_ports == -1)
208 options->gateway_ports = 0;
209 if (options->max_startups == -1)
210 options->max_startups = 10;
211 if (options->max_startups_rate == -1)
212 options->max_startups_rate = 100; /* 100% */
213 if (options->max_startups_begin == -1)
214 options->max_startups_begin = options->max_startups;
215 if (options->max_authtries == -1)
216 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
217 if (options->use_dns == -1)
218 options->use_dns = 1;
219 if (options->client_alive_interval == -1)
220 options->client_alive_interval = 0;
221 if (options->client_alive_count_max == -1)
222 options->client_alive_count_max = 3;
223 if (options->authorized_keys_file2 == NULL) {
224 /* authorized_keys_file2 falls back to authorized_keys_file */
225 if (options->authorized_keys_file != NULL)
226 options->authorized_keys_file2 = options->authorized_keys_file;
227 else
228 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
229 }
230 if (options->authorized_keys_file == NULL)
231 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
232 if (options->permit_tun == -1)
233 options->permit_tun = SSH_TUNMODE_NO;
234
235 /* Turn privilege separation on by default */
236 if (use_privsep == -1)
237 use_privsep = 1;
238
239#ifndef HAVE_MMAP
240 if (use_privsep && options->compression == 1) {
241 error("This platform does not support both privilege "
242 "separation and compression");
243 error("Compression disabled");
244 options->compression = 0;
245 }
246#endif
247
248}
249
250/* Keyword tokens. */
251typedef enum {
252 sBadOption, /* == unknown option */
253 /* Portable-specific options */
254 sUsePAM,
255 /* Standard Options */
256 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
257 sPermitRootLogin, sLogFacility, sLogLevel,
258 sRhostsRSAAuthentication, sRSAAuthentication,
259 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
260 sKerberosGetAFSToken,
261 sKerberosTgtPassing, sChallengeResponseAuthentication,
262 sPasswordAuthentication, sKbdInteractiveAuthentication,
263 sListenAddress, sAddressFamily,
264 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
265 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
266 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
267 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
268 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
269 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
270 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
271 sMaxStartups, sMaxAuthTries,
272 sBanner, sUseDNS, sHostbasedAuthentication,
273 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
274 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
275 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
276 sUsePrivilegeSeparation,
277 sDeprecated, sUnsupported
278} ServerOpCodes;
279
280/* Textual representation of the tokens. */
281static struct {
282 const char *name;
283 ServerOpCodes opcode;
284} keywords[] = {
285 /* Portable-specific options */
286#ifdef USE_PAM
287 { "usepam", sUsePAM },
288#else
289 { "usepam", sUnsupported },
290#endif
291 { "pamauthenticationviakbdint", sDeprecated },
292 /* Standard Options */
293 { "port", sPort },
294 { "hostkey", sHostKeyFile },
295 { "hostdsakey", sHostKeyFile }, /* alias */
296 { "pidfile", sPidFile },
297 { "serverkeybits", sServerKeyBits },
298 { "logingracetime", sLoginGraceTime },
299 { "keyregenerationinterval", sKeyRegenerationTime },
300 { "permitrootlogin", sPermitRootLogin },
301 { "syslogfacility", sLogFacility },
302 { "loglevel", sLogLevel },
303 { "rhostsauthentication", sDeprecated },
304 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
305 { "hostbasedauthentication", sHostbasedAuthentication },
306 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
307 { "rsaauthentication", sRSAAuthentication },
308 { "pubkeyauthentication", sPubkeyAuthentication },
309 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
310#ifdef KRB5
311 { "kerberosauthentication", sKerberosAuthentication },
312 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
313 { "kerberosticketcleanup", sKerberosTicketCleanup },
314#ifdef USE_AFS
315 { "kerberosgetafstoken", sKerberosGetAFSToken },
316#else
317 { "kerberosgetafstoken", sUnsupported },
318#endif
319#else
320 { "kerberosauthentication", sUnsupported },
321 { "kerberosorlocalpasswd", sUnsupported },
322 { "kerberosticketcleanup", sUnsupported },
323 { "kerberosgetafstoken", sUnsupported },
324#endif
325 { "kerberostgtpassing", sUnsupported },
326 { "afstokenpassing", sUnsupported },
327#ifdef GSSAPI
328 { "gssapiauthentication", sGssAuthentication },
329 { "gssapicleanupcredentials", sGssCleanupCreds },
330#else
331 { "gssapiauthentication", sUnsupported },
332 { "gssapicleanupcredentials", sUnsupported },
333#endif
334 { "passwordauthentication", sPasswordAuthentication },
335 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
336 { "challengeresponseauthentication", sChallengeResponseAuthentication },
337 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
338 { "checkmail", sDeprecated },
339 { "listenaddress", sListenAddress },
340 { "addressfamily", sAddressFamily },
341 { "printmotd", sPrintMotd },
342 { "printlastlog", sPrintLastLog },
343 { "ignorerhosts", sIgnoreRhosts },
344 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
345 { "x11forwarding", sX11Forwarding },
346 { "x11displayoffset", sX11DisplayOffset },
347 { "x11uselocalhost", sX11UseLocalhost },
348 { "xauthlocation", sXAuthLocation },
349 { "strictmodes", sStrictModes },
350 { "permitemptypasswords", sEmptyPasswd },
351 { "permituserenvironment", sPermitUserEnvironment },
352 { "uselogin", sUseLogin },
353 { "compression", sCompression },
354 { "tcpkeepalive", sTCPKeepAlive },
355 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
356 { "allowtcpforwarding", sAllowTcpForwarding },
357 { "allowusers", sAllowUsers },
358 { "denyusers", sDenyUsers },
359 { "allowgroups", sAllowGroups },
360 { "denygroups", sDenyGroups },
361 { "ciphers", sCiphers },
362 { "macs", sMacs },
363 { "protocol", sProtocol },
364 { "gatewayports", sGatewayPorts },
365 { "subsystem", sSubsystem },
366 { "maxstartups", sMaxStartups },
367 { "maxauthtries", sMaxAuthTries },
368 { "banner", sBanner },
369 { "usedns", sUseDNS },
370 { "verifyreversemapping", sDeprecated },
371 { "reversemappingcheck", sDeprecated },
372 { "clientaliveinterval", sClientAliveInterval },
373 { "clientalivecountmax", sClientAliveCountMax },
374 { "authorizedkeysfile", sAuthorizedKeysFile },
375 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
376 { "useprivilegeseparation", sUsePrivilegeSeparation},
377 { "acceptenv", sAcceptEnv },
378 { "permittunnel", sPermitTunnel },
379 { NULL, sBadOption }
380};
381
382/*
383 * Returns the number of the token pointed to by cp or sBadOption.
384 */
385
386static ServerOpCodes
387parse_token(const char *cp, const char *filename,
388 int linenum)
389{
390 u_int i;
391
392 for (i = 0; keywords[i].name; i++)
393 if (strcasecmp(cp, keywords[i].name) == 0)
394 return keywords[i].opcode;
395
396 error("%s: line %d: Bad configuration option: %s",
397 filename, linenum, cp);
398 return sBadOption;
399}
400
401static void
402add_listen_addr(ServerOptions *options, char *addr, u_short port)
403{
404 u_int i;
405
406 if (options->num_ports == 0)
407 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
408 if (options->address_family == -1)
409 options->address_family = AF_UNSPEC;
410 if (port == 0)
411 for (i = 0; i < options->num_ports; i++)
412 add_one_listen_addr(options, addr, options->ports[i]);
413 else
414 add_one_listen_addr(options, addr, port);
415}
416
417static void
418add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
419{
420 struct addrinfo hints, *ai, *aitop;
421 char strport[NI_MAXSERV];
422 int gaierr;
423
424 memset(&hints, 0, sizeof(hints));
425 hints.ai_family = options->address_family;
426 hints.ai_socktype = SOCK_STREAM;
427 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
428 snprintf(strport, sizeof strport, "%u", port);
429 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
430 fatal("bad addr or host: %s (%s)",
431 addr ? addr : "<NULL>",
432 gai_strerror(gaierr));
433 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
434 ;
435 ai->ai_next = options->listen_addrs;
436 options->listen_addrs = aitop;
437}
438
439int
440process_server_config_line(ServerOptions *options, char *line,
441 const char *filename, int linenum)
442{
443 char *cp, **charptr, *arg, *p;
444 int *intptr, value, n;
445 ServerOpCodes opcode;
446 u_short port;
447 u_int i;
448
449 cp = line;
450 if ((arg = strdelim(&cp)) != NULL)
451 return 0;
452 /* Ignore leading whitespace */
453 if (*arg == '\0')
454 arg = strdelim(&cp);
455 if (!arg || !*arg || *arg == '#')
456 return 0;
457 intptr = NULL;
458 charptr = NULL;
459 opcode = parse_token(arg, filename, linenum);
460 switch (opcode) {
461 /* Portable-specific options */
462 case sUsePAM:
463 intptr = &options->use_pam;
464 goto parse_flag;
465
466 /* Standard Options */
467 case sBadOption:
468 return -1;
469 case sPort:
470 /* ignore ports from configfile if cmdline specifies ports */
471 if (options->ports_from_cmdline)
472 return 0;
473 if (options->listen_addrs != NULL)
474 fatal("%s line %d: ports must be specified before "
475 "ListenAddress.", filename, linenum);
476 if (options->num_ports >= MAX_PORTS)
477 fatal("%s line %d: too many ports.",
478 filename, linenum);
479 arg = strdelim(&cp);
480 if (!arg || *arg == '\0')
481 fatal("%s line %d: missing port number.",
482 filename, linenum);
483 options->ports[options->num_ports++] = a2port(arg);
484 if (options->ports[options->num_ports-1] == 0)
485 fatal("%s line %d: Badly formatted port number.",
486 filename, linenum);
487 break;
488
489 case sServerKeyBits:
490 intptr = &options->server_key_bits;
491parse_int:
492 arg = strdelim(&cp);
493 if (!arg || *arg == '\0')
494 fatal("%s line %d: missing integer value.",
495 filename, linenum);
496 value = atoi(arg);
497 if (*intptr == -1)
498 *intptr = value;
499 break;
500
501 case sLoginGraceTime:
502 intptr = &options->login_grace_time;
503parse_time:
504 arg = strdelim(&cp);
505 if (!arg || *arg == '\0')
506 fatal("%s line %d: missing time value.",
507 filename, linenum);
508 if ((value = convtime(arg)) == -1)
509 fatal("%s line %d: invalid time value.",
510 filename, linenum);
511 if (*intptr == -1)
512 *intptr = value;
513 break;
514
515 case sKeyRegenerationTime:
516 intptr = &options->key_regeneration_time;
517 goto parse_time;
518
519 case sListenAddress:
520 arg = strdelim(&cp);
521 if (arg == NULL || *arg == '\0')
522 fatal("%s line %d: missing address",
523 filename, linenum);
524 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
525 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
526 && strchr(p+1, ':') != NULL) {
527 add_listen_addr(options, arg, 0);
528 break;
529 }
530 p = hpdelim(&arg);
531 if (p == NULL)
532 fatal("%s line %d: bad address:port usage",
533 filename, linenum);
534 p = cleanhostname(p);
535 if (arg == NULL)
536 port = 0;
537 else if ((port = a2port(arg)) == 0)
538 fatal("%s line %d: bad port number", filename, linenum);
539
540 add_listen_addr(options, p, port);
541
542 break;
543
544 case sAddressFamily:
545 arg = strdelim(&cp);
546 if (!arg || *arg == '\0')
547 fatal("%s line %d: missing address family.",
548 filename, linenum);
549 intptr = &options->address_family;
550 if (options->listen_addrs != NULL)
551 fatal("%s line %d: address family must be specified before "
552 "ListenAddress.", filename, linenum);
553 if (strcasecmp(arg, "inet") == 0)
554 value = AF_INET;
555 else if (strcasecmp(arg, "inet6") == 0)
556 value = AF_INET6;
557 else if (strcasecmp(arg, "any") == 0)
558 value = AF_UNSPEC;
559 else
560 fatal("%s line %d: unsupported address family \"%s\".",
561 filename, linenum, arg);
562 if (*intptr == -1)
563 *intptr = value;
564 break;
565
566 case sHostKeyFile:
567 intptr = &options->num_host_key_files;
568 if (*intptr >= MAX_HOSTKEYS)
569 fatal("%s line %d: too many host keys specified (max %d).",
570 filename, linenum, MAX_HOSTKEYS);
571 charptr = &options->host_key_files[*intptr];
572parse_filename:
573 arg = strdelim(&cp);
574 if (!arg || *arg == '\0')
575 fatal("%s line %d: missing file name.",
576 filename, linenum);
577 if (*charptr == NULL) {
578 *charptr = tilde_expand_filename(arg, getuid());
579 /* increase optional counter */
580 if (intptr != NULL)
581 *intptr = *intptr + 1;
582 }
583 break;
584
585 case sPidFile:
586 charptr = &options->pid_file;
587 goto parse_filename;
588
589 case sPermitRootLogin:
590 intptr = &options->permit_root_login;
591 arg = strdelim(&cp);
592 if (!arg || *arg == '\0')
593 fatal("%s line %d: missing yes/"
594 "without-password/forced-commands-only/no "
595 "argument.", filename, linenum);
596 value = 0; /* silence compiler */
597 if (strcmp(arg, "without-password") == 0)
598 value = PERMIT_NO_PASSWD;
599 else if (strcmp(arg, "forced-commands-only") == 0)
600 value = PERMIT_FORCED_ONLY;
601 else if (strcmp(arg, "yes") == 0)
602 value = PERMIT_YES;
603 else if (strcmp(arg, "no") == 0)
604 value = PERMIT_NO;
605 else
606 fatal("%s line %d: Bad yes/"
607 "without-password/forced-commands-only/no "
608 "argument: %s", filename, linenum, arg);
609 if (*intptr == -1)
610 *intptr = value;
611 break;
612
613 case sIgnoreRhosts:
614 intptr = &options->ignore_rhosts;
615parse_flag:
616 arg = strdelim(&cp);
617 if (!arg || *arg == '\0')
618 fatal("%s line %d: missing yes/no argument.",
619 filename, linenum);
620 value = 0; /* silence compiler */
621 if (strcmp(arg, "yes") == 0)
622 value = 1;
623 else if (strcmp(arg, "no") == 0)
624 value = 0;
625 else
626 fatal("%s line %d: Bad yes/no argument: %s",
627 filename, linenum, arg);
628 if (*intptr == -1)
629 *intptr = value;
630 break;
631
632 case sIgnoreUserKnownHosts:
633 intptr = &options->ignore_user_known_hosts;
634 goto parse_flag;
635
636 case sRhostsRSAAuthentication:
637 intptr = &options->rhosts_rsa_authentication;
638 goto parse_flag;
639
640 case sHostbasedAuthentication:
641 intptr = &options->hostbased_authentication;
642 goto parse_flag;
643
644 case sHostbasedUsesNameFromPacketOnly:
645 intptr = &options->hostbased_uses_name_from_packet_only;
646 goto parse_flag;
647
648 case sRSAAuthentication:
649 intptr = &options->rsa_authentication;
650 goto parse_flag;
651
652 case sPubkeyAuthentication:
653 intptr = &options->pubkey_authentication;
654 goto parse_flag;
655
656 case sKerberosAuthentication:
657 intptr = &options->kerberos_authentication;
658 goto parse_flag;
659
660 case sKerberosOrLocalPasswd:
661 intptr = &options->kerberos_or_local_passwd;
662 goto parse_flag;
663
664 case sKerberosTicketCleanup:
665 intptr = &options->kerberos_ticket_cleanup;
666 goto parse_flag;
667
668 case sKerberosGetAFSToken:
669 intptr = &options->kerberos_get_afs_token;
670 goto parse_flag;
671
672 case sGssAuthentication:
673 intptr = &options->gss_authentication;
674 goto parse_flag;
675
676 case sGssCleanupCreds:
677 intptr = &options->gss_cleanup_creds;
678 goto parse_flag;
679
680 case sPasswordAuthentication:
681 intptr = &options->password_authentication;
682 goto parse_flag;
683
684 case sKbdInteractiveAuthentication:
685 intptr = &options->kbd_interactive_authentication;
686 goto parse_flag;
687
688 case sChallengeResponseAuthentication:
689 intptr = &options->challenge_response_authentication;
690 goto parse_flag;
691
692 case sPrintMotd:
693 intptr = &options->print_motd;
694 goto parse_flag;
695
696 case sPrintLastLog:
697 intptr = &options->print_lastlog;
698 goto parse_flag;
699
700 case sX11Forwarding:
701 intptr = &options->x11_forwarding;
702 goto parse_flag;
703
704 case sX11DisplayOffset:
705 intptr = &options->x11_display_offset;
706 goto parse_int;
707
708 case sX11UseLocalhost:
709 intptr = &options->x11_use_localhost;
710 goto parse_flag;
711
712 case sXAuthLocation:
713 charptr = &options->xauth_location;
714 goto parse_filename;
715
716 case sStrictModes:
717 intptr = &options->strict_modes;
718 goto parse_flag;
719
720 case sTCPKeepAlive:
721 intptr = &options->tcp_keep_alive;
722 goto parse_flag;
723
724 case sEmptyPasswd:
725 intptr = &options->permit_empty_passwd;
726 goto parse_flag;
727
728 case sPermitUserEnvironment:
729 intptr = &options->permit_user_env;
730 goto parse_flag;
731
732 case sUseLogin:
733 intptr = &options->use_login;
734 goto parse_flag;
735
736 case sCompression:
737 intptr = &options->compression;
738 arg = strdelim(&cp);
739 if (!arg || *arg == '\0')
740 fatal("%s line %d: missing yes/no/delayed "
741 "argument.", filename, linenum);
742 value = 0; /* silence compiler */
743 if (strcmp(arg, "delayed") == 0)
744 value = COMP_DELAYED;
745 else if (strcmp(arg, "yes") == 0)
746 value = COMP_ZLIB;
747 else if (strcmp(arg, "no") == 0)
748 value = COMP_NONE;
749 else
750 fatal("%s line %d: Bad yes/no/delayed "
751 "argument: %s", filename, linenum, arg);
752 if (*intptr == -1)
753 *intptr = value;
754 break;
755
756 case sGatewayPorts:
757 intptr = &options->gateway_ports;
758 arg = strdelim(&cp);
759 if (!arg || *arg == '\0')
760 fatal("%s line %d: missing yes/no/clientspecified "
761 "argument.", filename, linenum);
762 value = 0; /* silence compiler */
763 if (strcmp(arg, "clientspecified") == 0)
764 value = 2;
765 else if (strcmp(arg, "yes") == 0)
766 value = 1;
767 else if (strcmp(arg, "no") == 0)
768 value = 0;
769 else
770 fatal("%s line %d: Bad yes/no/clientspecified "
771 "argument: %s", filename, linenum, arg);
772 if (*intptr == -1)
773 *intptr = value;
774 break;
775
776 case sUseDNS:
777 intptr = &options->use_dns;
778 goto parse_flag;
779
780 case sLogFacility:
781 intptr = (int *) &options->log_facility;
782 arg = strdelim(&cp);
783 value = log_facility_number(arg);
784 if (value == SYSLOG_FACILITY_NOT_SET)
785 fatal("%.200s line %d: unsupported log facility '%s'",
786 filename, linenum, arg ? arg : "<NONE>");
787 if (*intptr == -1)
788 *intptr = (SyslogFacility) value;
789 break;
790
791 case sLogLevel:
792 intptr = (int *) &options->log_level;
793 arg = strdelim(&cp);
794 value = log_level_number(arg);
795 if (value == SYSLOG_LEVEL_NOT_SET)
796 fatal("%.200s line %d: unsupported log level '%s'",
797 filename, linenum, arg ? arg : "<NONE>");
798 if (*intptr == -1)
799 *intptr = (LogLevel) value;
800 break;
801
802 case sAllowTcpForwarding:
803 intptr = &options->allow_tcp_forwarding;
804 goto parse_flag;
805
806 case sUsePrivilegeSeparation:
807 intptr = &use_privsep;
808 goto parse_flag;
809
810 case sAllowUsers:
811 while ((arg = strdelim(&cp)) && *arg != '\0') {
812 if (options->num_allow_users >= MAX_ALLOW_USERS)
813 fatal("%s line %d: too many allow users.",
814 filename, linenum);
815 options->allow_users[options->num_allow_users++] =
816 xstrdup(arg);
817 }
818 break;
819
820 case sDenyUsers:
821 while ((arg = strdelim(&cp)) && *arg != '\0') {
822 if (options->num_deny_users >= MAX_DENY_USERS)
823 fatal( "%s line %d: too many deny users.",
824 filename, linenum);
825 options->deny_users[options->num_deny_users++] =
826 xstrdup(arg);
827 }
828 break;
829
830 case sAllowGroups:
831 while ((arg = strdelim(&cp)) && *arg != '\0') {
832 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
833 fatal("%s line %d: too many allow groups.",
834 filename, linenum);
835 options->allow_groups[options->num_allow_groups++] =
836 xstrdup(arg);
837 }
838 break;
839
840 case sDenyGroups:
841 while ((arg = strdelim(&cp)) && *arg != '\0') {
842 if (options->num_deny_groups >= MAX_DENY_GROUPS)
843 fatal("%s line %d: too many deny groups.",
844 filename, linenum);
845 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
846 }
847 break;
848
849 case sCiphers:
850 arg = strdelim(&cp);
851 if (!arg || *arg == '\0')
852 fatal("%s line %d: Missing argument.", filename, linenum);
853 if (!ciphers_valid(arg))
854 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
855 filename, linenum, arg ? arg : "<NONE>");
856 if (options->ciphers == NULL)
857 options->ciphers = xstrdup(arg);
858 break;
859
860 case sMacs:
861 arg = strdelim(&cp);
862 if (!arg || *arg == '\0')
863 fatal("%s line %d: Missing argument.", filename, linenum);
864 if (!mac_valid(arg))
865 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
866 filename, linenum, arg ? arg : "<NONE>");
867 if (options->macs == NULL)
868 options->macs = xstrdup(arg);
869 break;
870
871 case sProtocol:
872 intptr = &options->protocol;
873 arg = strdelim(&cp);
874 if (!arg || *arg == '\0')
875 fatal("%s line %d: Missing argument.", filename, linenum);
876 value = proto_spec(arg);
877 if (value == SSH_PROTO_UNKNOWN)
878 fatal("%s line %d: Bad protocol spec '%s'.",
879 filename, linenum, arg ? arg : "<NONE>");
880 if (*intptr == SSH_PROTO_UNKNOWN)
881 *intptr = value;
882 break;
883
884 case sSubsystem:
885 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
886 fatal("%s line %d: too many subsystems defined.",
887 filename, linenum);
888 }
889 arg = strdelim(&cp);
890 if (!arg || *arg == '\0')
891 fatal("%s line %d: Missing subsystem name.",
892 filename, linenum);
893 for (i = 0; i < options->num_subsystems; i++)
894 if (strcmp(arg, options->subsystem_name[i]) == 0)
895 fatal("%s line %d: Subsystem '%s' already defined.",
896 filename, linenum, arg);
897 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
898 arg = strdelim(&cp);
899 if (!arg || *arg == '\0')
900 fatal("%s line %d: Missing subsystem command.",
901 filename, linenum);
902 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
903 options->num_subsystems++;
904 break;
905
906 case sMaxStartups:
907 arg = strdelim(&cp);
908 if (!arg || *arg == '\0')
909 fatal("%s line %d: Missing MaxStartups spec.",
910 filename, linenum);
911 if ((n = sscanf(arg, "%d:%d:%d",
912 &options->max_startups_begin,
913 &options->max_startups_rate,
914 &options->max_startups)) == 3) {
915 if (options->max_startups_begin >
916 options->max_startups ||
917 options->max_startups_rate > 100 ||
918 options->max_startups_rate < 1)
919 fatal("%s line %d: Illegal MaxStartups spec.",
920 filename, linenum);
921 } else if (n != 1)
922 fatal("%s line %d: Illegal MaxStartups spec.",
923 filename, linenum);
924 else
925 options->max_startups = options->max_startups_begin;
926 break;
927
928 case sMaxAuthTries:
929 intptr = &options->max_authtries;
930 goto parse_int;
931
932 case sBanner:
933 charptr = &options->banner;
934 goto parse_filename;
935 /*
936 * These options can contain %X options expanded at
937 * connect time, so that you can specify paths like:
938 *
939 * AuthorizedKeysFile /etc/ssh_keys/%u
940 */
941 case sAuthorizedKeysFile:
942 case sAuthorizedKeysFile2:
943 charptr = (opcode == sAuthorizedKeysFile ) ?
944 &options->authorized_keys_file :
945 &options->authorized_keys_file2;
946 goto parse_filename;
947
948 case sClientAliveInterval:
949 intptr = &options->client_alive_interval;
950 goto parse_time;
951
952 case sClientAliveCountMax:
953 intptr = &options->client_alive_count_max;
954 goto parse_int;
955
956 case sAcceptEnv:
957 while ((arg = strdelim(&cp)) && *arg != '\0') {
958 if (strchr(arg, '=') != NULL)
959 fatal("%s line %d: Invalid environment name.",
960 filename, linenum);
961 if (options->num_accept_env >= MAX_ACCEPT_ENV)
962 fatal("%s line %d: too many allow env.",
963 filename, linenum);
964 options->accept_env[options->num_accept_env++] =
965 xstrdup(arg);
966 }
967 break;
968
969 case sPermitTunnel:
970 intptr = &options->permit_tun;
971 arg = strdelim(&cp);
972 if (!arg || *arg == '\0')
973 fatal("%s line %d: Missing yes/point-to-point/"
974 "ethernet/no argument.", filename, linenum);
975 value = 0; /* silence compiler */
976 if (strcasecmp(arg, "ethernet") == 0)
977 value = SSH_TUNMODE_ETHERNET;
978 else if (strcasecmp(arg, "point-to-point") == 0)
979 value = SSH_TUNMODE_POINTOPOINT;
980 else if (strcasecmp(arg, "yes") == 0)
981 value = SSH_TUNMODE_YES;
982 else if (strcasecmp(arg, "no") == 0)
983 value = SSH_TUNMODE_NO;
984 else
985 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
986 "no argument: %s", filename, linenum, arg);
987 if (*intptr == -1)
988 *intptr = value;
989 break;
990
991 case sDeprecated:
992 logit("%s line %d: Deprecated option %s",
993 filename, linenum, arg);
994 while (arg)
995 arg = strdelim(&cp);
996 break;
997
998 case sUnsupported:
999 logit("%s line %d: Unsupported option %s",
1000 filename, linenum, arg);
1001 while (arg)
1002 arg = strdelim(&cp);
1003 break;
1004
1005 default:
1006 fatal("%s line %d: Missing handler for opcode %s (%d)",
1007 filename, linenum, arg, opcode);
1008 }
1009 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1010 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1011 filename, linenum, arg);
1012 return 0;
1013}
1014
1015/* Reads the server configuration file. */
1016
1017void
1018load_server_config(const char *filename, Buffer *conf)
1019{
1020 char line[1024], *cp;
1021 FILE *f;
1022
1023 debug2("%s: filename %s", __func__, filename);
1024 if ((f = fopen(filename, "r")) == NULL) {
1025 perror(filename);
1026 exit(1);
1027 }
1028 buffer_clear(conf);
1029 while (fgets(line, sizeof(line), f)) {
1030 /*
1031 * Trim out comments and strip whitespace
1032 * NB - preserve newlines, they are needed to reproduce
1033 * line numbers later for error messages
1034 */
1035 if ((cp = strchr(line, '#')) != NULL)
1036 memcpy(cp, "\n", 2);
1037 cp = line + strspn(line, " \t\r");
1038
1039 buffer_append(conf, cp, strlen(cp));
1040 }
1041 buffer_append(conf, "\0", 1);
1042 fclose(f);
1043 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1044}
1045
1046void
1047parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1048{
1049 int linenum, bad_options = 0;
1050 char *cp, *obuf, *cbuf;
1051
1052 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1053
1054 obuf = cbuf = xstrdup(buffer_ptr(conf));
1055 linenum = 1;
1056 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1057 if (process_server_config_line(options, cp, filename,
1058 linenum++) != 0)
1059 bad_options++;
1060 }
1061 xfree(obuf);
1062 if (bad_options > 0)
1063 fatal("%s: terminating, %d bad configuration options",
1064 filename, bad_options);
1065}
git-cvsimport mirror of OpenSSH
This page took 0.054356 seconds and 5 git commands to generate.