]> andersk Git - openssh.git/blame_incremental - servconf.c
andersk / openssh.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
- jmc@cvs.openbsd.org 2006/01/06 13:29:10
[openssh.git] / servconf.c
... / ...
CommitLineData
1/*
2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
4 *
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
10 */
11
12#include "includes.h"
13RCSID("$OpenBSD: servconf.c,v 1.146 2005/12/08 18:34:11 reyk Exp $");
14
15#include "ssh.h"
16#include "log.h"
17#include "servconf.h"
18#include "xmalloc.h"
19#include "compat.h"
20#include "pathnames.h"
21#include "misc.h"
22#include "cipher.h"
23#include "kex.h"
24#include "mac.h"
25
26static void add_listen_addr(ServerOptions *, char *, u_short);
27static void add_one_listen_addr(ServerOptions *, char *, u_short);
28
29/* Use of privilege separation or not */
30extern int use_privsep;
31
32/* Initializes the server options to their default values. */
33
34void
35initialize_server_options(ServerOptions *options)
36{
37 memset(options, 0, sizeof(*options));
38
39 /* Portable-specific options */
40 options->use_pam = -1;
41
42 /* Standard Options */
43 options->num_ports = 0;
44 options->ports_from_cmdline = 0;
45 options->listen_addrs = NULL;
46 options->address_family = -1;
47 options->num_host_key_files = 0;
48 options->pid_file = NULL;
49 options->server_key_bits = -1;
50 options->login_grace_time = -1;
51 options->key_regeneration_time = -1;
52 options->permit_root_login = PERMIT_NOT_SET;
53 options->ignore_rhosts = -1;
54 options->ignore_user_known_hosts = -1;
55 options->print_motd = -1;
56 options->print_lastlog = -1;
57 options->x11_forwarding = -1;
58 options->x11_display_offset = -1;
59 options->x11_use_localhost = -1;
60 options->xauth_location = NULL;
61 options->strict_modes = -1;
62 options->tcp_keep_alive = -1;
63 options->log_facility = SYSLOG_FACILITY_NOT_SET;
64 options->log_level = SYSLOG_LEVEL_NOT_SET;
65 options->rhosts_rsa_authentication = -1;
66 options->hostbased_authentication = -1;
67 options->hostbased_uses_name_from_packet_only = -1;
68 options->rsa_authentication = -1;
69 options->pubkey_authentication = -1;
70 options->kerberos_authentication = -1;
71 options->kerberos_or_local_passwd = -1;
72 options->kerberos_ticket_cleanup = -1;
73 options->kerberos_get_afs_token = -1;
74 options->gss_authentication=-1;
75 options->gss_cleanup_creds = -1;
76 options->password_authentication = -1;
77 options->kbd_interactive_authentication = -1;
78 options->challenge_response_authentication = -1;
79 options->permit_empty_passwd = -1;
80 options->permit_user_env = -1;
81 options->use_login = -1;
82 options->compression = -1;
83 options->allow_tcp_forwarding = -1;
84 options->num_allow_users = 0;
85 options->num_deny_users = 0;
86 options->num_allow_groups = 0;
87 options->num_deny_groups = 0;
88 options->ciphers = NULL;
89 options->macs = NULL;
90 options->protocol = SSH_PROTO_UNKNOWN;
91 options->gateway_ports = -1;
92 options->num_subsystems = 0;
93 options->max_startups_begin = -1;
94 options->max_startups_rate = -1;
95 options->max_startups = -1;
96 options->max_authtries = -1;
97 options->banner = NULL;
98 options->use_dns = -1;
99 options->client_alive_interval = -1;
100 options->client_alive_count_max = -1;
101 options->authorized_keys_file = NULL;
102 options->authorized_keys_file2 = NULL;
103 options->num_accept_env = 0;
104 options->permit_tun = -1;
105
106 /* Needs to be accessable in many places */
107 use_privsep = -1;
108}
109
110void
111fill_default_server_options(ServerOptions *options)
112{
113 /* Portable-specific options */
114 if (options->use_pam == -1)
115 options->use_pam = 0;
116
117 /* Standard Options */
118 if (options->protocol == SSH_PROTO_UNKNOWN)
119 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
120 if (options->num_host_key_files == 0) {
121 /* fill default hostkeys for protocols */
122 if (options->protocol & SSH_PROTO_1)
123 options->host_key_files[options->num_host_key_files++] =
124 _PATH_HOST_KEY_FILE;
125 if (options->protocol & SSH_PROTO_2) {
126 options->host_key_files[options->num_host_key_files++] =
127 _PATH_HOST_RSA_KEY_FILE;
128 options->host_key_files[options->num_host_key_files++] =
129 _PATH_HOST_DSA_KEY_FILE;
130 }
131 }
132 if (options->num_ports == 0)
133 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
134 if (options->listen_addrs == NULL)
135 add_listen_addr(options, NULL, 0);
136 if (options->pid_file == NULL)
137 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
138 if (options->server_key_bits == -1)
139 options->server_key_bits = 768;
140 if (options->login_grace_time == -1)
141 options->login_grace_time = 120;
142 if (options->key_regeneration_time == -1)
143 options->key_regeneration_time = 3600;
144 if (options->permit_root_login == PERMIT_NOT_SET)
145 options->permit_root_login = PERMIT_YES;
146 if (options->ignore_rhosts == -1)
147 options->ignore_rhosts = 1;
148 if (options->ignore_user_known_hosts == -1)
149 options->ignore_user_known_hosts = 0;
150 if (options->print_motd == -1)
151 options->print_motd = 1;
152 if (options->print_lastlog == -1)
153 options->print_lastlog = 1;
154 if (options->x11_forwarding == -1)
155 options->x11_forwarding = 0;
156 if (options->x11_display_offset == -1)
157 options->x11_display_offset = 10;
158 if (options->x11_use_localhost == -1)
159 options->x11_use_localhost = 1;
160 if (options->xauth_location == NULL)
161 options->xauth_location = _PATH_XAUTH;
162 if (options->strict_modes == -1)
163 options->strict_modes = 1;
164 if (options->tcp_keep_alive == -1)
165 options->tcp_keep_alive = 1;
166 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
167 options->log_facility = SYSLOG_FACILITY_AUTH;
168 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
169 options->log_level = SYSLOG_LEVEL_INFO;
170 if (options->rhosts_rsa_authentication == -1)
171 options->rhosts_rsa_authentication = 0;
172 if (options->hostbased_authentication == -1)
173 options->hostbased_authentication = 0;
174 if (options->hostbased_uses_name_from_packet_only == -1)
175 options->hostbased_uses_name_from_packet_only = 0;
176 if (options->rsa_authentication == -1)
177 options->rsa_authentication = 1;
178 if (options->pubkey_authentication == -1)
179 options->pubkey_authentication = 1;
180 if (options->kerberos_authentication == -1)
181 options->kerberos_authentication = 0;
182 if (options->kerberos_or_local_passwd == -1)
183 options->kerberos_or_local_passwd = 1;
184 if (options->kerberos_ticket_cleanup == -1)
185 options->kerberos_ticket_cleanup = 1;
186 if (options->kerberos_get_afs_token == -1)
187 options->kerberos_get_afs_token = 0;
188 if (options->gss_authentication == -1)
189 options->gss_authentication = 0;
190 if (options->gss_cleanup_creds == -1)
191 options->gss_cleanup_creds = 1;
192 if (options->password_authentication == -1)
193 options->password_authentication = 1;
194 if (options->kbd_interactive_authentication == -1)
195 options->kbd_interactive_authentication = 0;
196 if (options->challenge_response_authentication == -1)
197 options->challenge_response_authentication = 1;
198 if (options->permit_empty_passwd == -1)
199 options->permit_empty_passwd = 0;
200 if (options->permit_user_env == -1)
201 options->permit_user_env = 0;
202 if (options->use_login == -1)
203 options->use_login = 0;
204 if (options->compression == -1)
205 options->compression = COMP_DELAYED;
206 if (options->allow_tcp_forwarding == -1)
207 options->allow_tcp_forwarding = 1;
208 if (options->gateway_ports == -1)
209 options->gateway_ports = 0;
210 if (options->max_startups == -1)
211 options->max_startups = 10;
212 if (options->max_startups_rate == -1)
213 options->max_startups_rate = 100; /* 100% */
214 if (options->max_startups_begin == -1)
215 options->max_startups_begin = options->max_startups;
216 if (options->max_authtries == -1)
217 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
218 if (options->use_dns == -1)
219 options->use_dns = 1;
220 if (options->client_alive_interval == -1)
221 options->client_alive_interval = 0;
222 if (options->client_alive_count_max == -1)
223 options->client_alive_count_max = 3;
224 if (options->authorized_keys_file2 == NULL) {
225 /* authorized_keys_file2 falls back to authorized_keys_file */
226 if (options->authorized_keys_file != NULL)
227 options->authorized_keys_file2 = options->authorized_keys_file;
228 else
229 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
230 }
231 if (options->authorized_keys_file == NULL)
232 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
233 if (options->permit_tun == -1)
234 options->permit_tun = SSH_TUNMODE_NO;
235
236 /* Turn privilege separation on by default */
237 if (use_privsep == -1)
238 use_privsep = 1;
239
240#ifndef HAVE_MMAP
241 if (use_privsep && options->compression == 1) {
242 error("This platform does not support both privilege "
243 "separation and compression");
244 error("Compression disabled");
245 options->compression = 0;
246 }
247#endif
248
249}
250
251/* Keyword tokens. */
252typedef enum {
253 sBadOption, /* == unknown option */
254 /* Portable-specific options */
255 sUsePAM,
256 /* Standard Options */
257 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
258 sPermitRootLogin, sLogFacility, sLogLevel,
259 sRhostsRSAAuthentication, sRSAAuthentication,
260 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
261 sKerberosGetAFSToken,
262 sKerberosTgtPassing, sChallengeResponseAuthentication,
263 sPasswordAuthentication, sKbdInteractiveAuthentication,
264 sListenAddress, sAddressFamily,
265 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
266 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
267 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
268 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
269 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
270 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
271 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
272 sMaxStartups, sMaxAuthTries,
273 sBanner, sUseDNS, sHostbasedAuthentication,
274 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
275 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
276 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
277 sUsePrivilegeSeparation,
278 sDeprecated, sUnsupported
279} ServerOpCodes;
280
281/* Textual representation of the tokens. */
282static struct {
283 const char *name;
284 ServerOpCodes opcode;
285} keywords[] = {
286 /* Portable-specific options */
287#ifdef USE_PAM
288 { "usepam", sUsePAM },
289#else
290 { "usepam", sUnsupported },
291#endif
292 { "pamauthenticationviakbdint", sDeprecated },
293 /* Standard Options */
294 { "port", sPort },
295 { "hostkey", sHostKeyFile },
296 { "hostdsakey", sHostKeyFile }, /* alias */
297 { "pidfile", sPidFile },
298 { "serverkeybits", sServerKeyBits },
299 { "logingracetime", sLoginGraceTime },
300 { "keyregenerationinterval", sKeyRegenerationTime },
301 { "permitrootlogin", sPermitRootLogin },
302 { "syslogfacility", sLogFacility },
303 { "loglevel", sLogLevel },
304 { "rhostsauthentication", sDeprecated },
305 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
306 { "hostbasedauthentication", sHostbasedAuthentication },
307 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
308 { "rsaauthentication", sRSAAuthentication },
309 { "pubkeyauthentication", sPubkeyAuthentication },
310 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
311#ifdef KRB5
312 { "kerberosauthentication", sKerberosAuthentication },
313 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
314 { "kerberosticketcleanup", sKerberosTicketCleanup },
315#ifdef USE_AFS
316 { "kerberosgetafstoken", sKerberosGetAFSToken },
317#else
318 { "kerberosgetafstoken", sUnsupported },
319#endif
320#else
321 { "kerberosauthentication", sUnsupported },
322 { "kerberosorlocalpasswd", sUnsupported },
323 { "kerberosticketcleanup", sUnsupported },
324 { "kerberosgetafstoken", sUnsupported },
325#endif
326 { "kerberostgtpassing", sUnsupported },
327 { "afstokenpassing", sUnsupported },
328#ifdef GSSAPI
329 { "gssapiauthentication", sGssAuthentication },
330 { "gssapicleanupcredentials", sGssCleanupCreds },
331#else
332 { "gssapiauthentication", sUnsupported },
333 { "gssapicleanupcredentials", sUnsupported },
334#endif
335 { "passwordauthentication", sPasswordAuthentication },
336 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
337 { "challengeresponseauthentication", sChallengeResponseAuthentication },
338 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
339 { "checkmail", sDeprecated },
340 { "listenaddress", sListenAddress },
341 { "addressfamily", sAddressFamily },
342 { "printmotd", sPrintMotd },
343 { "printlastlog", sPrintLastLog },
344 { "ignorerhosts", sIgnoreRhosts },
345 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
346 { "x11forwarding", sX11Forwarding },
347 { "x11displayoffset", sX11DisplayOffset },
348 { "x11uselocalhost", sX11UseLocalhost },
349 { "xauthlocation", sXAuthLocation },
350 { "strictmodes", sStrictModes },
351 { "permitemptypasswords", sEmptyPasswd },
352 { "permituserenvironment", sPermitUserEnvironment },
353 { "uselogin", sUseLogin },
354 { "compression", sCompression },
355 { "tcpkeepalive", sTCPKeepAlive },
356 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
357 { "allowtcpforwarding", sAllowTcpForwarding },
358 { "allowusers", sAllowUsers },
359 { "denyusers", sDenyUsers },
360 { "allowgroups", sAllowGroups },
361 { "denygroups", sDenyGroups },
362 { "ciphers", sCiphers },
363 { "macs", sMacs },
364 { "protocol", sProtocol },
365 { "gatewayports", sGatewayPorts },
366 { "subsystem", sSubsystem },
367 { "maxstartups", sMaxStartups },
368 { "maxauthtries", sMaxAuthTries },
369 { "banner", sBanner },
370 { "usedns", sUseDNS },
371 { "verifyreversemapping", sDeprecated },
372 { "reversemappingcheck", sDeprecated },
373 { "clientaliveinterval", sClientAliveInterval },
374 { "clientalivecountmax", sClientAliveCountMax },
375 { "authorizedkeysfile", sAuthorizedKeysFile },
376 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
377 { "useprivilegeseparation", sUsePrivilegeSeparation},
378 { "acceptenv", sAcceptEnv },
379 { "permittunnel", sPermitTunnel },
380 { NULL, sBadOption }
381};
382
383/*
384 * Returns the number of the token pointed to by cp or sBadOption.
385 */
386
387static ServerOpCodes
388parse_token(const char *cp, const char *filename,
389 int linenum)
390{
391 u_int i;
392
393 for (i = 0; keywords[i].name; i++)
394 if (strcasecmp(cp, keywords[i].name) == 0)
395 return keywords[i].opcode;
396
397 error("%s: line %d: Bad configuration option: %s",
398 filename, linenum, cp);
399 return sBadOption;
400}
401
402static void
403add_listen_addr(ServerOptions *options, char *addr, u_short port)
404{
405 u_int i;
406
407 if (options->num_ports == 0)
408 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
409 if (options->address_family == -1)
410 options->address_family = AF_UNSPEC;
411 if (port == 0)
412 for (i = 0; i < options->num_ports; i++)
413 add_one_listen_addr(options, addr, options->ports[i]);
414 else
415 add_one_listen_addr(options, addr, port);
416}
417
418static void
419add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
420{
421 struct addrinfo hints, *ai, *aitop;
422 char strport[NI_MAXSERV];
423 int gaierr;
424
425 memset(&hints, 0, sizeof(hints));
426 hints.ai_family = options->address_family;
427 hints.ai_socktype = SOCK_STREAM;
428 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
429 snprintf(strport, sizeof strport, "%u", port);
430 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
431 fatal("bad addr or host: %s (%s)",
432 addr ? addr : "<NULL>",
433 gai_strerror(gaierr));
434 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
435 ;
436 ai->ai_next = options->listen_addrs;
437 options->listen_addrs = aitop;
438}
439
440int
441process_server_config_line(ServerOptions *options, char *line,
442 const char *filename, int linenum)
443{
444 char *cp, **charptr, *arg, *p;
445 int *intptr, value, n;
446 ServerOpCodes opcode;
447 u_short port;
448 u_int i;
449
450 cp = line;
451 arg = strdelim(&cp);
452 /* Ignore leading whitespace */
453 if (*arg == '\0')
454 arg = strdelim(&cp);
455 if (!arg || !*arg || *arg == '#')
456 return 0;
457 intptr = NULL;
458 charptr = NULL;
459 opcode = parse_token(arg, filename, linenum);
460 switch (opcode) {
461 /* Portable-specific options */
462 case sUsePAM:
463 intptr = &options->use_pam;
464 goto parse_flag;
465
466 /* Standard Options */
467 case sBadOption:
468 return -1;
469 case sPort:
470 /* ignore ports from configfile if cmdline specifies ports */
471 if (options->ports_from_cmdline)
472 return 0;
473 if (options->listen_addrs != NULL)
474 fatal("%s line %d: ports must be specified before "
475 "ListenAddress.", filename, linenum);
476 if (options->num_ports >= MAX_PORTS)
477 fatal("%s line %d: too many ports.",
478 filename, linenum);
479 arg = strdelim(&cp);
480 if (!arg || *arg == '\0')
481 fatal("%s line %d: missing port number.",
482 filename, linenum);
483 options->ports[options->num_ports++] = a2port(arg);
484 if (options->ports[options->num_ports-1] == 0)
485 fatal("%s line %d: Badly formatted port number.",
486 filename, linenum);
487 break;
488
489 case sServerKeyBits:
490 intptr = &options->server_key_bits;
491parse_int:
492 arg = strdelim(&cp);
493 if (!arg || *arg == '\0')
494 fatal("%s line %d: missing integer value.",
495 filename, linenum);
496 value = atoi(arg);
497 if (*intptr == -1)
498 *intptr = value;
499 break;
500
501 case sLoginGraceTime:
502 intptr = &options->login_grace_time;
503parse_time:
504 arg = strdelim(&cp);
505 if (!arg || *arg == '\0')
506 fatal("%s line %d: missing time value.",
507 filename, linenum);
508 if ((value = convtime(arg)) == -1)
509 fatal("%s line %d: invalid time value.",
510 filename, linenum);
511 if (*intptr == -1)
512 *intptr = value;
513 break;
514
515 case sKeyRegenerationTime:
516 intptr = &options->key_regeneration_time;
517 goto parse_time;
518
519 case sListenAddress:
520 arg = strdelim(&cp);
521 if (arg == NULL || *arg == '\0')
522 fatal("%s line %d: missing address",
523 filename, linenum);
524 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
525 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
526 && strchr(p+1, ':') != NULL) {
527 add_listen_addr(options, arg, 0);
528 break;
529 }
530 p = hpdelim(&arg);
531 if (p == NULL)
532 fatal("%s line %d: bad address:port usage",
533 filename, linenum);
534 p = cleanhostname(p);
535 if (arg == NULL)
536 port = 0;
537 else if ((port = a2port(arg)) == 0)
538 fatal("%s line %d: bad port number", filename, linenum);
539
540 add_listen_addr(options, p, port);
541
542 break;
543
544 case sAddressFamily:
545 arg = strdelim(&cp);
546 if (!arg || *arg == '\0')
547 fatal("%s line %d: missing address family.",
548 filename, linenum);
549 intptr = &options->address_family;
550 if (options->listen_addrs != NULL)
551 fatal("%s line %d: address family must be specified before "
552 "ListenAddress.", filename, linenum);
553 if (strcasecmp(arg, "inet") == 0)
554 value = AF_INET;
555 else if (strcasecmp(arg, "inet6") == 0)
556 value = AF_INET6;
557 else if (strcasecmp(arg, "any") == 0)
558 value = AF_UNSPEC;
559 else
560 fatal("%s line %d: unsupported address family \"%s\".",
561 filename, linenum, arg);
562 if (*intptr == -1)
563 *intptr = value;
564 break;
565
566 case sHostKeyFile:
567 intptr = &options->num_host_key_files;
568 if (*intptr >= MAX_HOSTKEYS)
569 fatal("%s line %d: too many host keys specified (max %d).",
570 filename, linenum, MAX_HOSTKEYS);
571 charptr = &options->host_key_files[*intptr];
572parse_filename:
573 arg = strdelim(&cp);
574 if (!arg || *arg == '\0')
575 fatal("%s line %d: missing file name.",
576 filename, linenum);
577 if (*charptr == NULL) {
578 *charptr = tilde_expand_filename(arg, getuid());
579 /* increase optional counter */
580 if (intptr != NULL)
581 *intptr = *intptr + 1;
582 }
583 break;
584
585 case sPidFile:
586 charptr = &options->pid_file;
587 goto parse_filename;
588
589 case sPermitRootLogin:
590 intptr = &options->permit_root_login;
591 arg = strdelim(&cp);
592 if (!arg || *arg == '\0')
593 fatal("%s line %d: missing yes/"
594 "without-password/forced-commands-only/no "
595 "argument.", filename, linenum);
596 value = 0; /* silence compiler */
597 if (strcmp(arg, "without-password") == 0)
598 value = PERMIT_NO_PASSWD;
599 else if (strcmp(arg, "forced-commands-only") == 0)
600 value = PERMIT_FORCED_ONLY;
601 else if (strcmp(arg, "yes") == 0)
602 value = PERMIT_YES;
603 else if (strcmp(arg, "no") == 0)
604 value = PERMIT_NO;
605 else
606 fatal("%s line %d: Bad yes/"
607 "without-password/forced-commands-only/no "
608 "argument: %s", filename, linenum, arg);
609 if (*intptr == -1)
610 *intptr = value;
611 break;
612
613 case sIgnoreRhosts:
614 intptr = &options->ignore_rhosts;
615parse_flag:
616 arg = strdelim(&cp);
617 if (!arg || *arg == '\0')
618 fatal("%s line %d: missing yes/no argument.",
619 filename, linenum);
620 value = 0; /* silence compiler */
621 if (strcmp(arg, "yes") == 0)
622 value = 1;
623 else if (strcmp(arg, "no") == 0)
624 value = 0;
625 else
626 fatal("%s line %d: Bad yes/no argument: %s",
627 filename, linenum, arg);
628 if (*intptr == -1)
629 *intptr = value;
630 break;
631
632 case sIgnoreUserKnownHosts:
633 intptr = &options->ignore_user_known_hosts;
634 goto parse_flag;
635
636 case sRhostsRSAAuthentication:
637 intptr = &options->rhosts_rsa_authentication;
638 goto parse_flag;
639
640 case sHostbasedAuthentication:
641 intptr = &options->hostbased_authentication;
642 goto parse_flag;
643
644 case sHostbasedUsesNameFromPacketOnly:
645 intptr = &options->hostbased_uses_name_from_packet_only;
646 goto parse_flag;
647
648 case sRSAAuthentication:
649 intptr = &options->rsa_authentication;
650 goto parse_flag;
651
652 case sPubkeyAuthentication:
653 intptr = &options->pubkey_authentication;
654 goto parse_flag;
655
656 case sKerberosAuthentication:
657 intptr = &options->kerberos_authentication;
658 goto parse_flag;
659
660 case sKerberosOrLocalPasswd:
661 intptr = &options->kerberos_or_local_passwd;
662 goto parse_flag;
663
664 case sKerberosTicketCleanup:
665 intptr = &options->kerberos_ticket_cleanup;
666 goto parse_flag;
667
668 case sKerberosGetAFSToken:
669 intptr = &options->kerberos_get_afs_token;
670 goto parse_flag;
671
672 case sGssAuthentication:
673 intptr = &options->gss_authentication;
674 goto parse_flag;
675
676 case sGssCleanupCreds:
677 intptr = &options->gss_cleanup_creds;
678 goto parse_flag;
679
680 case sPasswordAuthentication:
681 intptr = &options->password_authentication;
682 goto parse_flag;
683
684 case sKbdInteractiveAuthentication:
685 intptr = &options->kbd_interactive_authentication;
686 goto parse_flag;
687
688 case sChallengeResponseAuthentication:
689 intptr = &options->challenge_response_authentication;
690 goto parse_flag;
691
692 case sPrintMotd:
693 intptr = &options->print_motd;
694 goto parse_flag;
695
696 case sPrintLastLog:
697 intptr = &options->print_lastlog;
698 goto parse_flag;
699
700 case sX11Forwarding:
701 intptr = &options->x11_forwarding;
702 goto parse_flag;
703
704 case sX11DisplayOffset:
705 intptr = &options->x11_display_offset;
706 goto parse_int;
707
708 case sX11UseLocalhost:
709 intptr = &options->x11_use_localhost;
710 goto parse_flag;
711
712 case sXAuthLocation:
713 charptr = &options->xauth_location;
714 goto parse_filename;
715
716 case sStrictModes:
717 intptr = &options->strict_modes;
718 goto parse_flag;
719
720 case sTCPKeepAlive:
721 intptr = &options->tcp_keep_alive;
722 goto parse_flag;
723
724 case sEmptyPasswd:
725 intptr = &options->permit_empty_passwd;
726 goto parse_flag;
727
728 case sPermitUserEnvironment:
729 intptr = &options->permit_user_env;
730 goto parse_flag;
731
732 case sUseLogin:
733 intptr = &options->use_login;
734 goto parse_flag;
735
736 case sCompression:
737 intptr = &options->compression;
738 arg = strdelim(&cp);
739 if (!arg || *arg == '\0')
740 fatal("%s line %d: missing yes/no/delayed "
741 "argument.", filename, linenum);
742 value = 0; /* silence compiler */
743 if (strcmp(arg, "delayed") == 0)
744 value = COMP_DELAYED;
745 else if (strcmp(arg, "yes") == 0)
746 value = COMP_ZLIB;
747 else if (strcmp(arg, "no") == 0)
748 value = COMP_NONE;
749 else
750 fatal("%s line %d: Bad yes/no/delayed "
751 "argument: %s", filename, linenum, arg);
752 if (*intptr == -1)
753 *intptr = value;
754 break;
755
756 case sGatewayPorts:
757 intptr = &options->gateway_ports;
758 arg = strdelim(&cp);
759 if (!arg || *arg == '\0')
760 fatal("%s line %d: missing yes/no/clientspecified "
761 "argument.", filename, linenum);
762 value = 0; /* silence compiler */
763 if (strcmp(arg, "clientspecified") == 0)
764 value = 2;
765 else if (strcmp(arg, "yes") == 0)
766 value = 1;
767 else if (strcmp(arg, "no") == 0)
768 value = 0;
769 else
770 fatal("%s line %d: Bad yes/no/clientspecified "
771 "argument: %s", filename, linenum, arg);
772 if (*intptr == -1)
773 *intptr = value;
774 break;
775
776 case sUseDNS:
777 intptr = &options->use_dns;
778 goto parse_flag;
779
780 case sLogFacility:
781 intptr = (int *) &options->log_facility;
782 arg = strdelim(&cp);
783 value = log_facility_number(arg);
784 if (value == SYSLOG_FACILITY_NOT_SET)
785 fatal("%.200s line %d: unsupported log facility '%s'",
786 filename, linenum, arg ? arg : "<NONE>");
787 if (*intptr == -1)
788 *intptr = (SyslogFacility) value;
789 break;
790
791 case sLogLevel:
792 intptr = (int *) &options->log_level;
793 arg = strdelim(&cp);
794 value = log_level_number(arg);
795 if (value == SYSLOG_LEVEL_NOT_SET)
796 fatal("%.200s line %d: unsupported log level '%s'",
797 filename, linenum, arg ? arg : "<NONE>");
798 if (*intptr == -1)
799 *intptr = (LogLevel) value;
800 break;
801
802 case sAllowTcpForwarding:
803 intptr = &options->allow_tcp_forwarding;
804 goto parse_flag;
805
806 case sUsePrivilegeSeparation:
807 intptr = &use_privsep;
808 goto parse_flag;
809
810 case sAllowUsers:
811 while ((arg = strdelim(&cp)) && *arg != '\0') {
812 if (options->num_allow_users >= MAX_ALLOW_USERS)
813 fatal("%s line %d: too many allow users.",
814 filename, linenum);
815 options->allow_users[options->num_allow_users++] =
816 xstrdup(arg);
817 }
818 break;
819
820 case sDenyUsers:
821 while ((arg = strdelim(&cp)) && *arg != '\0') {
822 if (options->num_deny_users >= MAX_DENY_USERS)
823 fatal( "%s line %d: too many deny users.",
824 filename, linenum);
825 options->deny_users[options->num_deny_users++] =
826 xstrdup(arg);
827 }
828 break;
829
830 case sAllowGroups:
831 while ((arg = strdelim(&cp)) && *arg != '\0') {
832 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
833 fatal("%s line %d: too many allow groups.",
834 filename, linenum);
835 options->allow_groups[options->num_allow_groups++] =
836 xstrdup(arg);
837 }
838 break;
839
840 case sDenyGroups:
841 while ((arg = strdelim(&cp)) && *arg != '\0') {
842 if (options->num_deny_groups >= MAX_DENY_GROUPS)
843 fatal("%s line %d: too many deny groups.",
844 filename, linenum);
845 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
846 }
847 break;
848
849 case sCiphers:
850 arg = strdelim(&cp);
851 if (!arg || *arg == '\0')
852 fatal("%s line %d: Missing argument.", filename, linenum);
853 if (!ciphers_valid(arg))
854 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
855 filename, linenum, arg ? arg : "<NONE>");
856 if (options->ciphers == NULL)
857 options->ciphers = xstrdup(arg);
858 break;
859
860 case sMacs:
861 arg = strdelim(&cp);
862 if (!arg || *arg == '\0')
863 fatal("%s line %d: Missing argument.", filename, linenum);
864 if (!mac_valid(arg))
865 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
866 filename, linenum, arg ? arg : "<NONE>");
867 if (options->macs == NULL)
868 options->macs = xstrdup(arg);
869 break;
870
871 case sProtocol:
872 intptr = &options->protocol;
873 arg = strdelim(&cp);
874 if (!arg || *arg == '\0')
875 fatal("%s line %d: Missing argument.", filename, linenum);
876 value = proto_spec(arg);
877 if (value == SSH_PROTO_UNKNOWN)
878 fatal("%s line %d: Bad protocol spec '%s'.",
879 filename, linenum, arg ? arg : "<NONE>");
880 if (*intptr == SSH_PROTO_UNKNOWN)
881 *intptr = value;
882 break;
883
884 case sSubsystem:
885 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
886 fatal("%s line %d: too many subsystems defined.",
887 filename, linenum);
888 }
889 arg = strdelim(&cp);
890 if (!arg || *arg == '\0')
891 fatal("%s line %d: Missing subsystem name.",
892 filename, linenum);
893 for (i = 0; i < options->num_subsystems; i++)
894 if (strcmp(arg, options->subsystem_name[i]) == 0)
895 fatal("%s line %d: Subsystem '%s' already defined.",
896 filename, linenum, arg);
897 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
898 arg = strdelim(&cp);
899 if (!arg || *arg == '\0')
900 fatal("%s line %d: Missing subsystem command.",
901 filename, linenum);
902 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
903 options->num_subsystems++;
904 break;
905
906 case sMaxStartups:
907 arg = strdelim(&cp);
908 if (!arg || *arg == '\0')
909 fatal("%s line %d: Missing MaxStartups spec.",
910 filename, linenum);
911 if ((n = sscanf(arg, "%d:%d:%d",
912 &options->max_startups_begin,
913 &options->max_startups_rate,
914 &options->max_startups)) == 3) {
915 if (options->max_startups_begin >
916 options->max_startups ||
917 options->max_startups_rate > 100 ||
918 options->max_startups_rate < 1)
919 fatal("%s line %d: Illegal MaxStartups spec.",
920 filename, linenum);
921 } else if (n != 1)
922 fatal("%s line %d: Illegal MaxStartups spec.",
923 filename, linenum);
924 else
925 options->max_startups = options->max_startups_begin;
926 break;
927
928 case sMaxAuthTries:
929 intptr = &options->max_authtries;
930 goto parse_int;
931
932 case sBanner:
933 charptr = &options->banner;
934 goto parse_filename;
935 /*
936 * These options can contain %X options expanded at
937 * connect time, so that you can specify paths like:
938 *
939 * AuthorizedKeysFile /etc/ssh_keys/%u
940 */
941 case sAuthorizedKeysFile:
942 case sAuthorizedKeysFile2:
943 charptr = (opcode == sAuthorizedKeysFile ) ?
944 &options->authorized_keys_file :
945 &options->authorized_keys_file2;
946 goto parse_filename;
947
948 case sClientAliveInterval:
949 intptr = &options->client_alive_interval;
950 goto parse_time;
951
952 case sClientAliveCountMax:
953 intptr = &options->client_alive_count_max;
954 goto parse_int;
955
956 case sAcceptEnv:
957 while ((arg = strdelim(&cp)) && *arg != '\0') {
958 if (strchr(arg, '=') != NULL)
959 fatal("%s line %d: Invalid environment name.",
960 filename, linenum);
961 if (options->num_accept_env >= MAX_ACCEPT_ENV)
962 fatal("%s line %d: too many allow env.",
963 filename, linenum);
964 options->accept_env[options->num_accept_env++] =
965 xstrdup(arg);
966 }
967 break;
968
969 case sPermitTunnel:
970 intptr = &options->permit_tun;
971 arg = strdelim(&cp);
972 if (!arg || *arg == '\0')
973 fatal("%s line %d: Missing yes/point-to-point/"
974 "ethernet/no argument.", filename, linenum);
975 value = 0; /* silence compiler */
976 if (strcasecmp(arg, "ethernet") == 0)
977 value = SSH_TUNMODE_ETHERNET;
978 else if (strcasecmp(arg, "point-to-point") == 0)
979 value = SSH_TUNMODE_POINTOPOINT;
980 else if (strcasecmp(arg, "yes") == 0)
981 value = SSH_TUNMODE_YES;
982 else if (strcasecmp(arg, "no") == 0)
983 value = SSH_TUNMODE_NO;
984 else
985 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
986 "no argument: %s", filename, linenum, arg);
987 if (*intptr == -1)
988 *intptr = value;
989 break;
990
991 case sDeprecated:
992 logit("%s line %d: Deprecated option %s",
993 filename, linenum, arg);
994 while (arg)
995 arg = strdelim(&cp);
996 break;
997
998 case sUnsupported:
999 logit("%s line %d: Unsupported option %s",
1000 filename, linenum, arg);
1001 while (arg)
1002 arg = strdelim(&cp);
1003 break;
1004
1005 default:
1006 fatal("%s line %d: Missing handler for opcode %s (%d)",
1007 filename, linenum, arg, opcode);
1008 }
1009 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1010 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1011 filename, linenum, arg);
1012 return 0;
1013}
1014
1015/* Reads the server configuration file. */
1016
1017void
1018load_server_config(const char *filename, Buffer *conf)
1019{
1020 char line[1024], *cp;
1021 FILE *f;
1022
1023 debug2("%s: filename %s", __func__, filename);
1024 if ((f = fopen(filename, "r")) == NULL) {
1025 perror(filename);
1026 exit(1);
1027 }
1028 buffer_clear(conf);
1029 while (fgets(line, sizeof(line), f)) {
1030 /*
1031 * Trim out comments and strip whitespace
1032 * NB - preserve newlines, they are needed to reproduce
1033 * line numbers later for error messages
1034 */
1035 if ((cp = strchr(line, '#')) != NULL)
1036 memcpy(cp, "\n", 2);
1037 cp = line + strspn(line, " \t\r");
1038
1039 buffer_append(conf, cp, strlen(cp));
1040 }
1041 buffer_append(conf, "\0", 1);
1042 fclose(f);
1043 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1044}
1045
1046void
1047parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1048{
1049 int linenum, bad_options = 0;
1050 char *cp, *obuf, *cbuf;
1051
1052 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1053
1054 obuf = cbuf = xstrdup(buffer_ptr(conf));
1055 linenum = 1;
1056 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1057 if (process_server_config_line(options, cp, filename,
1058 linenum++) != 0)
1059 bad_options++;
1060 }
1061 xfree(obuf);
1062 if (bad_options > 0)
1063 fatal("%s: terminating, %d bad configuration options",
1064 filename, bad_options);
1065}
git-cvsimport mirror of OpenSSH
This page took 0.053602 seconds and 5 git commands to generate.