2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.88 2001/07/11 00:24:53 itojun Exp $");
15 #if defined(KRB4) || defined(KRB5)
27 #include "pathnames.h"
28 #include "tildexpand.h"
34 static void add_listen_addr(ServerOptions *, char *, u_short);
35 static void add_one_listen_addr(ServerOptions *, char *, u_short);
37 /* AF_UNSPEC or AF_INET or AF_INET6 */
40 /* Initializes the server options to their default values. */
43 initialize_server_options(ServerOptions *options)
45 memset(options, 0, sizeof(*options));
46 options->num_ports = 0;
47 options->ports_from_cmdline = 0;
48 options->listen_addrs = NULL;
49 options->num_host_key_files = 0;
50 options->pid_file = NULL;
51 options->server_key_bits = -1;
52 options->login_grace_time = -1;
53 options->key_regeneration_time = -1;
54 options->permit_root_login = PERMIT_NOT_SET;
55 options->ignore_rhosts = -1;
56 options->ignore_user_known_hosts = -1;
57 options->print_motd = -1;
58 options->print_lastlog = -1;
59 options->check_mail = -1;
60 options->x11_forwarding = -1;
61 options->x11_display_offset = -1;
62 options->xauth_location = NULL;
63 options->strict_modes = -1;
64 options->keepalives = -1;
65 options->log_facility = (SyslogFacility) - 1;
66 options->log_level = (LogLevel) - 1;
67 options->rhosts_authentication = -1;
68 options->rhosts_rsa_authentication = -1;
69 options->hostbased_authentication = -1;
70 options->hostbased_uses_name_from_packet_only = -1;
71 options->rsa_authentication = -1;
72 options->pubkey_authentication = -1;
73 #if defined(KRB4) || defined(KRB5)
74 options->kerberos_authentication = -1;
75 options->kerberos_or_local_passwd = -1;
76 options->kerberos_ticket_cleanup = -1;
78 #if defined(AFS) || defined(KRB5)
79 options->kerberos_tgt_passing = -1;
82 options->afs_token_passing = -1;
84 options->password_authentication = -1;
85 options->kbd_interactive_authentication = -1;
86 options->challenge_response_authentication = -1;
87 options->permit_empty_passwd = -1;
88 options->use_login = -1;
89 options->allow_tcp_forwarding = -1;
90 options->num_allow_users = 0;
91 options->num_deny_users = 0;
92 options->num_allow_groups = 0;
93 options->num_deny_groups = 0;
94 options->ciphers = NULL;
96 options->protocol = SSH_PROTO_UNKNOWN;
97 options->gateway_ports = -1;
98 options->num_subsystems = 0;
99 options->max_startups_begin = -1;
100 options->max_startups_rate = -1;
101 options->max_startups = -1;
102 options->banner = NULL;
103 options->reverse_mapping_check = -1;
104 options->client_alive_interval = -1;
105 options->client_alive_count_max = -1;
106 options->authorized_keys_file = NULL;
107 options->authorized_keys_file2 = NULL;
108 options->pam_authentication_via_kbd_int = -1;
112 fill_default_server_options(ServerOptions *options)
114 if (options->protocol == SSH_PROTO_UNKNOWN)
115 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
116 if (options->num_host_key_files == 0) {
117 /* fill default hostkeys for protocols */
118 if (options->protocol & SSH_PROTO_1)
119 options->host_key_files[options->num_host_key_files++] = _PATH_HOST_KEY_FILE;
120 if (options->protocol & SSH_PROTO_2)
121 options->host_key_files[options->num_host_key_files++] = _PATH_HOST_DSA_KEY_FILE;
123 if (options->num_ports == 0)
124 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
125 if (options->listen_addrs == NULL)
126 add_listen_addr(options, NULL, 0);
127 if (options->pid_file == NULL)
128 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
129 if (options->server_key_bits == -1)
130 options->server_key_bits = 768;
131 if (options->login_grace_time == -1)
132 options->login_grace_time = 600;
133 if (options->key_regeneration_time == -1)
134 options->key_regeneration_time = 3600;
135 if (options->permit_root_login == PERMIT_NOT_SET)
136 options->permit_root_login = PERMIT_YES;
137 if (options->ignore_rhosts == -1)
138 options->ignore_rhosts = 1;
139 if (options->ignore_user_known_hosts == -1)
140 options->ignore_user_known_hosts = 0;
141 if (options->check_mail == -1)
142 options->check_mail = 0;
143 if (options->print_motd == -1)
144 options->print_motd = 1;
145 if (options->print_lastlog == -1)
146 options->print_lastlog = 1;
147 if (options->x11_forwarding == -1)
148 options->x11_forwarding = 0;
149 if (options->x11_display_offset == -1)
150 options->x11_display_offset = 10;
152 if (options->xauth_location == NULL)
153 options->xauth_location = _PATH_XAUTH;
155 if (options->strict_modes == -1)
156 options->strict_modes = 1;
157 if (options->keepalives == -1)
158 options->keepalives = 1;
159 if (options->log_facility == (SyslogFacility) (-1))
160 options->log_facility = SYSLOG_FACILITY_AUTH;
161 if (options->log_level == (LogLevel) (-1))
162 options->log_level = SYSLOG_LEVEL_INFO;
163 if (options->rhosts_authentication == -1)
164 options->rhosts_authentication = 0;
165 if (options->rhosts_rsa_authentication == -1)
166 options->rhosts_rsa_authentication = 0;
167 if (options->hostbased_authentication == -1)
168 options->hostbased_authentication = 0;
169 if (options->hostbased_uses_name_from_packet_only == -1)
170 options->hostbased_uses_name_from_packet_only = 0;
171 if (options->rsa_authentication == -1)
172 options->rsa_authentication = 1;
173 if (options->pubkey_authentication == -1)
174 options->pubkey_authentication = 1;
175 #if defined(KRB4) || defined(KRB5)
176 if (options->kerberos_authentication == -1)
177 options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
178 if (options->kerberos_or_local_passwd == -1)
179 options->kerberos_or_local_passwd = 1;
180 if (options->kerberos_ticket_cleanup == -1)
181 options->kerberos_ticket_cleanup = 1;
183 #if defined(AFS) || defined(KRB5)
184 if (options->kerberos_tgt_passing == -1)
185 options->kerberos_tgt_passing = 0;
188 if (options->afs_token_passing == -1)
189 options->afs_token_passing = k_hasafs();
191 if (options->password_authentication == -1)
192 options->password_authentication = 1;
193 if (options->kbd_interactive_authentication == -1)
194 options->kbd_interactive_authentication = 0;
195 if (options->challenge_response_authentication == -1)
196 options->challenge_response_authentication = 1;
197 if (options->permit_empty_passwd == -1)
198 options->permit_empty_passwd = 0;
199 if (options->use_login == -1)
200 options->use_login = 0;
201 if (options->allow_tcp_forwarding == -1)
202 options->allow_tcp_forwarding = 1;
203 if (options->gateway_ports == -1)
204 options->gateway_ports = 0;
205 if (options->max_startups == -1)
206 options->max_startups = 10;
207 if (options->max_startups_rate == -1)
208 options->max_startups_rate = 100; /* 100% */
209 if (options->max_startups_begin == -1)
210 options->max_startups_begin = options->max_startups;
211 if (options->reverse_mapping_check == -1)
212 options->reverse_mapping_check = 0;
213 if (options->client_alive_interval == -1)
214 options->client_alive_interval = 0;
215 if (options->client_alive_count_max == -1)
216 options->client_alive_count_max = 3;
217 if (options->authorized_keys_file == NULL)
218 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
219 if (options->authorized_keys_file2 == NULL)
220 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
221 if (options->pam_authentication_via_kbd_int == -1)
222 options->pam_authentication_via_kbd_int = 0;
225 /* Keyword tokens. */
227 sBadOption, /* == unknown option */
228 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
229 sPermitRootLogin, sLogFacility, sLogLevel,
230 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
231 #if defined(KRB4) || defined(KRB5)
232 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
234 #if defined(AFS) || defined(KRB5)
240 sChallengeResponseAuthentication,
241 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
242 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
243 sX11Forwarding, sX11DisplayOffset,
244 sStrictModes, sEmptyPasswd, sKeepAlives, sCheckMail,
245 sUseLogin, sAllowTcpForwarding,
246 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
247 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
248 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
249 sBanner, sReverseMappingCheck, sHostbasedAuthentication,
250 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
251 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
252 sPAMAuthenticationViaKbdInt
255 /* Textual representation of the tokens. */
258 ServerOpCodes opcode;
261 { "hostkey", sHostKeyFile },
262 { "hostdsakey", sHostKeyFile }, /* alias */
263 { "pidfile", sPidFile },
264 { "serverkeybits", sServerKeyBits },
265 { "logingracetime", sLoginGraceTime },
266 { "keyregenerationinterval", sKeyRegenerationTime },
267 { "permitrootlogin", sPermitRootLogin },
268 { "syslogfacility", sLogFacility },
269 { "loglevel", sLogLevel },
270 { "rhostsauthentication", sRhostsAuthentication },
271 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
272 { "hostbasedauthentication", sHostbasedAuthentication },
273 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
274 { "rsaauthentication", sRSAAuthentication },
275 { "pubkeyauthentication", sPubkeyAuthentication },
276 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
277 #if defined(KRB4) || defined(KRB5)
278 { "kerberosauthentication", sKerberosAuthentication },
279 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
280 { "kerberosticketcleanup", sKerberosTicketCleanup },
282 #if defined(AFS) || defined(KRB5)
283 { "kerberostgtpassing", sKerberosTgtPassing },
286 { "afstokenpassing", sAFSTokenPassing },
288 { "passwordauthentication", sPasswordAuthentication },
289 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
290 { "challengeresponseauthentication", sChallengeResponseAuthentication },
291 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
292 { "checkmail", sCheckMail },
293 { "listenaddress", sListenAddress },
294 { "printmotd", sPrintMotd },
295 { "printlastlog", sPrintLastLog },
296 { "ignorerhosts", sIgnoreRhosts },
297 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
298 { "x11forwarding", sX11Forwarding },
299 { "x11displayoffset", sX11DisplayOffset },
300 { "xauthlocation", sXAuthLocation },
301 { "strictmodes", sStrictModes },
302 { "permitemptypasswords", sEmptyPasswd },
303 { "uselogin", sUseLogin },
304 { "keepalive", sKeepAlives },
305 { "allowtcpforwarding", sAllowTcpForwarding },
306 { "allowusers", sAllowUsers },
307 { "denyusers", sDenyUsers },
308 { "allowgroups", sAllowGroups },
309 { "denygroups", sDenyGroups },
310 { "ciphers", sCiphers },
312 { "protocol", sProtocol },
313 { "gatewayports", sGatewayPorts },
314 { "subsystem", sSubsystem },
315 { "maxstartups", sMaxStartups },
316 { "banner", sBanner },
317 { "reversemappingcheck", sReverseMappingCheck },
318 { "clientaliveinterval", sClientAliveInterval },
319 { "clientalivecountmax", sClientAliveCountMax },
320 { "authorizedkeysfile", sAuthorizedKeysFile },
321 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
322 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
327 * Returns the number of the token pointed to by cp or sBadOption.
331 parse_token(const char *cp, const char *filename,
336 for (i = 0; keywords[i].name; i++)
337 if (strcasecmp(cp, keywords[i].name) == 0)
338 return keywords[i].opcode;
340 error("%s: line %d: Bad configuration option: %s",
341 filename, linenum, cp);
346 add_listen_addr(ServerOptions *options, char *addr, u_short port)
350 if (options->num_ports == 0)
351 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
353 for (i = 0; i < options->num_ports; i++)
354 add_one_listen_addr(options, addr, options->ports[i]);
356 add_one_listen_addr(options, addr, port);
360 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
362 struct addrinfo hints, *ai, *aitop;
363 char strport[NI_MAXSERV];
366 memset(&hints, 0, sizeof(hints));
367 hints.ai_family = IPv4or6;
368 hints.ai_socktype = SOCK_STREAM;
369 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
370 snprintf(strport, sizeof strport, "%d", port);
371 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
372 fatal("bad addr or host: %s (%s)",
373 addr ? addr : "<NULL>",
374 gai_strerror(gaierr));
375 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
377 ai->ai_next = options->listen_addrs;
378 options->listen_addrs = aitop;
381 /* Reads the server configuration file. */
384 read_server_config(ServerOptions *options, const char *filename)
388 char *cp, **charptr, *arg, *p;
389 int linenum, *intptr, value;
391 ServerOpCodes opcode;
394 f = fopen(filename, "r");
400 while (fgets(line, sizeof(line), f)) {
404 /* Ignore leading whitespace */
407 if (!arg || !*arg || *arg == '#')
411 opcode = parse_token(arg, filename, linenum);
417 /* ignore ports from configfile if cmdline specifies ports */
418 if (options->ports_from_cmdline)
420 if (options->listen_addrs != NULL)
421 fatal("%s line %d: ports must be specified before "
422 "ListenAdress.", filename, linenum);
423 if (options->num_ports >= MAX_PORTS)
424 fatal("%s line %d: too many ports.",
427 if (!arg || *arg == '\0')
428 fatal("%s line %d: missing port number.",
430 options->ports[options->num_ports++] = a2port(arg);
431 if (options->ports[options->num_ports-1] == 0)
432 fatal("%s line %d: Badly formatted port number.",
437 intptr = &options->server_key_bits;
440 if (!arg || *arg == '\0')
441 fatal("%s line %d: missing integer value.",
448 case sLoginGraceTime:
449 intptr = &options->login_grace_time;
452 if (!arg || *arg == '\0')
453 fatal("%s line %d: missing time value.",
455 if ((value = convtime(arg)) == -1)
456 fatal("%s line %d: invalid time value.",
462 case sKeyRegenerationTime:
463 intptr = &options->key_regeneration_time;
468 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
469 fatal("%s line %d: missing inet addr.",
472 if ((p = strchr(arg, ']')) == NULL)
473 fatal("%s line %d: bad ipv6 inet addr usage.",
476 memmove(p, p+1, strlen(p+1)+1);
477 } else if (((p = strchr(arg, ':')) == NULL) ||
478 (strchr(p+1, ':') != NULL)) {
479 add_listen_addr(options, arg, 0);
487 fatal("%s line %d: bad inet addr:port usage.",
491 if ((port = a2port(p)) == 0)
492 fatal("%s line %d: bad port number.",
494 add_listen_addr(options, arg, port);
496 } else if (*p == '\0')
497 add_listen_addr(options, arg, 0);
499 fatal("%s line %d: bad inet addr usage.",
504 intptr = &options->num_host_key_files;
505 if (*intptr >= MAX_HOSTKEYS)
506 fatal("%s line %d: too many host keys specified (max %d).",
507 filename, linenum, MAX_HOSTKEYS);
508 charptr = &options->host_key_files[*intptr];
511 if (!arg || *arg == '\0')
512 fatal("%s line %d: missing file name.",
514 if (*charptr == NULL) {
515 *charptr = tilde_expand_filename(arg, getuid());
516 /* increase optional counter */
518 *intptr = *intptr + 1;
523 charptr = &options->pid_file;
526 case sPermitRootLogin:
527 intptr = &options->permit_root_login;
529 if (!arg || *arg == '\0')
530 fatal("%s line %d: missing yes/"
531 "without-password/forced-commands-only/no "
532 "argument.", filename, linenum);
533 value = 0; /* silence compiler */
534 if (strcmp(arg, "without-password") == 0)
535 value = PERMIT_NO_PASSWD;
536 else if (strcmp(arg, "forced-commands-only") == 0)
537 value = PERMIT_FORCED_ONLY;
538 else if (strcmp(arg, "yes") == 0)
540 else if (strcmp(arg, "no") == 0)
543 fatal("%s line %d: Bad yes/"
544 "without-password/forced-commands-only/no "
545 "argument: %s", filename, linenum, arg);
551 intptr = &options->ignore_rhosts;
554 if (!arg || *arg == '\0')
555 fatal("%s line %d: missing yes/no argument.",
557 value = 0; /* silence compiler */
558 if (strcmp(arg, "yes") == 0)
560 else if (strcmp(arg, "no") == 0)
563 fatal("%s line %d: Bad yes/no argument: %s",
564 filename, linenum, arg);
569 case sIgnoreUserKnownHosts:
570 intptr = &options->ignore_user_known_hosts;
573 case sRhostsAuthentication:
574 intptr = &options->rhosts_authentication;
577 case sRhostsRSAAuthentication:
578 intptr = &options->rhosts_rsa_authentication;
581 case sHostbasedAuthentication:
582 intptr = &options->hostbased_authentication;
585 case sHostbasedUsesNameFromPacketOnly:
586 intptr = &options->hostbased_uses_name_from_packet_only;
589 case sRSAAuthentication:
590 intptr = &options->rsa_authentication;
593 case sPubkeyAuthentication:
594 intptr = &options->pubkey_authentication;
596 #if defined(KRB4) || defined(KRB5)
597 case sKerberosAuthentication:
598 intptr = &options->kerberos_authentication;
601 case sKerberosOrLocalPasswd:
602 intptr = &options->kerberos_or_local_passwd;
605 case sKerberosTicketCleanup:
606 intptr = &options->kerberos_ticket_cleanup;
609 #if defined(AFS) || defined(KRB5)
610 case sKerberosTgtPassing:
611 intptr = &options->kerberos_tgt_passing;
615 case sAFSTokenPassing:
616 intptr = &options->afs_token_passing;
620 case sPasswordAuthentication:
621 intptr = &options->password_authentication;
624 case sKbdInteractiveAuthentication:
625 intptr = &options->kbd_interactive_authentication;
629 intptr = &options->check_mail;
632 case sChallengeResponseAuthentication:
633 intptr = &options->challenge_response_authentication;
637 intptr = &options->print_motd;
641 intptr = &options->print_lastlog;
645 intptr = &options->x11_forwarding;
648 case sX11DisplayOffset:
649 intptr = &options->x11_display_offset;
653 charptr = &options->xauth_location;
657 intptr = &options->strict_modes;
661 intptr = &options->keepalives;
665 intptr = &options->permit_empty_passwd;
669 intptr = &options->use_login;
673 intptr = &options->gateway_ports;
676 case sReverseMappingCheck:
677 intptr = &options->reverse_mapping_check;
681 intptr = (int *) &options->log_facility;
683 value = log_facility_number(arg);
684 if (value == (SyslogFacility) - 1)
685 fatal("%.200s line %d: unsupported log facility '%s'",
686 filename, linenum, arg ? arg : "<NONE>");
688 *intptr = (SyslogFacility) value;
692 intptr = (int *) &options->log_level;
694 value = log_level_number(arg);
695 if (value == (LogLevel) - 1)
696 fatal("%.200s line %d: unsupported log level '%s'",
697 filename, linenum, arg ? arg : "<NONE>");
699 *intptr = (LogLevel) value;
702 case sAllowTcpForwarding:
703 intptr = &options->allow_tcp_forwarding;
707 while ((arg = strdelim(&cp)) && *arg != '\0') {
708 if (options->num_allow_users >= MAX_ALLOW_USERS)
709 fatal("%s line %d: too many allow users.",
711 options->allow_users[options->num_allow_users++] = xstrdup(arg);
716 while ((arg = strdelim(&cp)) && *arg != '\0') {
717 if (options->num_deny_users >= MAX_DENY_USERS)
718 fatal( "%s line %d: too many deny users.",
720 options->deny_users[options->num_deny_users++] = xstrdup(arg);
725 while ((arg = strdelim(&cp)) && *arg != '\0') {
726 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
727 fatal("%s line %d: too many allow groups.",
729 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
734 while ((arg = strdelim(&cp)) && *arg != '\0') {
735 if (options->num_deny_groups >= MAX_DENY_GROUPS)
736 fatal("%s line %d: too many deny groups.",
738 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
744 if (!arg || *arg == '\0')
745 fatal("%s line %d: Missing argument.", filename, linenum);
746 if (!ciphers_valid(arg))
747 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
748 filename, linenum, arg ? arg : "<NONE>");
749 if (options->ciphers == NULL)
750 options->ciphers = xstrdup(arg);
755 if (!arg || *arg == '\0')
756 fatal("%s line %d: Missing argument.", filename, linenum);
758 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
759 filename, linenum, arg ? arg : "<NONE>");
760 if (options->macs == NULL)
761 options->macs = xstrdup(arg);
765 intptr = &options->protocol;
767 if (!arg || *arg == '\0')
768 fatal("%s line %d: Missing argument.", filename, linenum);
769 value = proto_spec(arg);
770 if (value == SSH_PROTO_UNKNOWN)
771 fatal("%s line %d: Bad protocol spec '%s'.",
772 filename, linenum, arg ? arg : "<NONE>");
773 if (*intptr == SSH_PROTO_UNKNOWN)
778 if(options->num_subsystems >= MAX_SUBSYSTEMS) {
779 fatal("%s line %d: too many subsystems defined.",
783 if (!arg || *arg == '\0')
784 fatal("%s line %d: Missing subsystem name.",
786 for (i = 0; i < options->num_subsystems; i++)
787 if(strcmp(arg, options->subsystem_name[i]) == 0)
788 fatal("%s line %d: Subsystem '%s' already defined.",
789 filename, linenum, arg);
790 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
792 if (!arg || *arg == '\0')
793 fatal("%s line %d: Missing subsystem command.",
795 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
796 options->num_subsystems++;
801 if (!arg || *arg == '\0')
802 fatal("%s line %d: Missing MaxStartups spec.",
804 if ((n = sscanf(arg, "%d:%d:%d",
805 &options->max_startups_begin,
806 &options->max_startups_rate,
807 &options->max_startups)) == 3) {
808 if (options->max_startups_begin >
809 options->max_startups ||
810 options->max_startups_rate > 100 ||
811 options->max_startups_rate < 1)
812 fatal("%s line %d: Illegal MaxStartups spec.",
815 fatal("%s line %d: Illegal MaxStartups spec.",
818 options->max_startups = options->max_startups_begin;
822 charptr = &options->banner;
825 * These options can contain %X options expanded at
826 * connect time, so that you can specify paths like:
828 * AuthorizedKeysFile /etc/ssh_keys/%u
830 case sAuthorizedKeysFile:
831 case sAuthorizedKeysFile2:
832 charptr = (opcode == sAuthorizedKeysFile ) ?
833 &options->authorized_keys_file :
834 &options->authorized_keys_file2;
837 case sClientAliveInterval:
838 intptr = &options->client_alive_interval;
841 case sClientAliveCountMax:
842 intptr = &options->client_alive_count_max;
845 case sPAMAuthenticationViaKbdInt:
846 intptr = &options->pam_authentication_via_kbd_int;
850 fatal("%s line %d: Missing handler for opcode %s (%d)",
851 filename, linenum, arg, opcode);
853 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
854 fatal("%s line %d: garbage at end of line; \"%.200s\".",
855 filename, linenum, arg);
859 fatal("%s: terminating, %d bad configuration options",
860 filename, bad_options);