1 /* $OpenBSD: servconf.c,v 1.199 2009/12/29 16:38:41 stevesk Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
28 #include "openbsd-compat/sys-queue.h"
35 #include "pathnames.h"
43 #include "groupaccess.h"
45 static void add_listen_addr(ServerOptions *, char *, int);
46 static void add_one_listen_addr(ServerOptions *, char *, int);
48 /* Use of privilege separation or not */
49 extern int use_privsep;
52 /* Initializes the server options to their default values. */
55 initialize_server_options(ServerOptions *options)
57 memset(options, 0, sizeof(*options));
59 /* Portable-specific options */
60 options->use_pam = -1;
62 /* Standard Options */
63 options->num_ports = 0;
64 options->ports_from_cmdline = 0;
65 options->listen_addrs = NULL;
66 options->address_family = -1;
67 options->num_host_key_files = 0;
68 options->pid_file = NULL;
69 options->server_key_bits = -1;
70 options->login_grace_time = -1;
71 options->key_regeneration_time = -1;
72 options->permit_root_login = PERMIT_NOT_SET;
73 options->ignore_rhosts = -1;
74 options->ignore_user_known_hosts = -1;
75 options->print_motd = -1;
76 options->print_lastlog = -1;
77 options->x11_forwarding = -1;
78 options->x11_display_offset = -1;
79 options->x11_use_localhost = -1;
80 options->xauth_location = NULL;
81 options->strict_modes = -1;
82 options->tcp_keep_alive = -1;
83 options->log_facility = SYSLOG_FACILITY_NOT_SET;
84 options->log_level = SYSLOG_LEVEL_NOT_SET;
85 options->rhosts_rsa_authentication = -1;
86 options->hostbased_authentication = -1;
87 options->hostbased_uses_name_from_packet_only = -1;
88 options->rsa_authentication = -1;
89 options->pubkey_authentication = -1;
90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
93 options->kerberos_get_afs_token = -1;
94 options->gss_authentication=-1;
95 options->gss_cleanup_creds = -1;
96 options->password_authentication = -1;
97 options->kbd_interactive_authentication = -1;
98 options->challenge_response_authentication = -1;
99 options->permit_empty_passwd = -1;
100 options->permit_user_env = -1;
101 options->use_login = -1;
102 options->compression = -1;
103 options->allow_tcp_forwarding = -1;
104 options->allow_agent_forwarding = -1;
105 options->num_allow_users = 0;
106 options->num_deny_users = 0;
107 options->num_allow_groups = 0;
108 options->num_deny_groups = 0;
109 options->ciphers = NULL;
110 options->macs = NULL;
111 options->protocol = SSH_PROTO_UNKNOWN;
112 options->gateway_ports = -1;
113 options->num_subsystems = 0;
114 options->max_startups_begin = -1;
115 options->max_startups_rate = -1;
116 options->max_startups = -1;
117 options->max_authtries = -1;
118 options->max_sessions = -1;
119 options->banner = NULL;
120 options->use_dns = -1;
121 options->client_alive_interval = -1;
122 options->client_alive_count_max = -1;
123 options->authorized_keys_file = NULL;
124 options->authorized_keys_file2 = NULL;
125 options->num_accept_env = 0;
126 options->permit_tun = -1;
127 options->num_permitted_opens = -1;
128 options->adm_forced_command = NULL;
129 options->chroot_directory = NULL;
130 options->zero_knowledge_password_authentication = -1;
131 options->rdomain = -1;
135 fill_default_server_options(ServerOptions *options)
137 /* Portable-specific options */
138 if (options->use_pam == -1)
139 options->use_pam = 0;
141 /* Standard Options */
142 if (options->protocol == SSH_PROTO_UNKNOWN)
143 options->protocol = SSH_PROTO_2;
144 if (options->num_host_key_files == 0) {
145 /* fill default hostkeys for protocols */
146 if (options->protocol & SSH_PROTO_1)
147 options->host_key_files[options->num_host_key_files++] =
149 if (options->protocol & SSH_PROTO_2) {
150 options->host_key_files[options->num_host_key_files++] =
151 _PATH_HOST_RSA_KEY_FILE;
152 options->host_key_files[options->num_host_key_files++] =
153 _PATH_HOST_DSA_KEY_FILE;
156 if (options->num_ports == 0)
157 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
158 if (options->listen_addrs == NULL)
159 add_listen_addr(options, NULL, 0);
160 if (options->pid_file == NULL)
161 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
162 if (options->server_key_bits == -1)
163 options->server_key_bits = 1024;
164 if (options->login_grace_time == -1)
165 options->login_grace_time = 120;
166 if (options->key_regeneration_time == -1)
167 options->key_regeneration_time = 3600;
168 if (options->permit_root_login == PERMIT_NOT_SET)
169 options->permit_root_login = PERMIT_YES;
170 if (options->ignore_rhosts == -1)
171 options->ignore_rhosts = 1;
172 if (options->ignore_user_known_hosts == -1)
173 options->ignore_user_known_hosts = 0;
174 if (options->print_motd == -1)
175 options->print_motd = 1;
176 if (options->print_lastlog == -1)
177 options->print_lastlog = 1;
178 if (options->x11_forwarding == -1)
179 options->x11_forwarding = 0;
180 if (options->x11_display_offset == -1)
181 options->x11_display_offset = 10;
182 if (options->x11_use_localhost == -1)
183 options->x11_use_localhost = 1;
184 if (options->xauth_location == NULL)
185 options->xauth_location = _PATH_XAUTH;
186 if (options->strict_modes == -1)
187 options->strict_modes = 1;
188 if (options->tcp_keep_alive == -1)
189 options->tcp_keep_alive = 1;
190 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
191 options->log_facility = SYSLOG_FACILITY_AUTH;
192 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
193 options->log_level = SYSLOG_LEVEL_INFO;
194 if (options->rhosts_rsa_authentication == -1)
195 options->rhosts_rsa_authentication = 0;
196 if (options->hostbased_authentication == -1)
197 options->hostbased_authentication = 0;
198 if (options->hostbased_uses_name_from_packet_only == -1)
199 options->hostbased_uses_name_from_packet_only = 0;
200 if (options->rsa_authentication == -1)
201 options->rsa_authentication = 1;
202 if (options->pubkey_authentication == -1)
203 options->pubkey_authentication = 1;
204 if (options->kerberos_authentication == -1)
205 options->kerberos_authentication = 0;
206 if (options->kerberos_or_local_passwd == -1)
207 options->kerberos_or_local_passwd = 1;
208 if (options->kerberos_ticket_cleanup == -1)
209 options->kerberos_ticket_cleanup = 1;
210 if (options->kerberos_get_afs_token == -1)
211 options->kerberos_get_afs_token = 0;
212 if (options->gss_authentication == -1)
213 options->gss_authentication = 0;
214 if (options->gss_cleanup_creds == -1)
215 options->gss_cleanup_creds = 1;
216 if (options->password_authentication == -1)
217 options->password_authentication = 1;
218 if (options->kbd_interactive_authentication == -1)
219 options->kbd_interactive_authentication = 0;
220 if (options->challenge_response_authentication == -1)
221 options->challenge_response_authentication = 1;
222 if (options->permit_empty_passwd == -1)
223 options->permit_empty_passwd = 0;
224 if (options->permit_user_env == -1)
225 options->permit_user_env = 0;
226 if (options->use_login == -1)
227 options->use_login = 0;
228 if (options->compression == -1)
229 options->compression = COMP_DELAYED;
230 if (options->allow_tcp_forwarding == -1)
231 options->allow_tcp_forwarding = 1;
232 if (options->allow_agent_forwarding == -1)
233 options->allow_agent_forwarding = 1;
234 if (options->gateway_ports == -1)
235 options->gateway_ports = 0;
236 if (options->max_startups == -1)
237 options->max_startups = 10;
238 if (options->max_startups_rate == -1)
239 options->max_startups_rate = 100; /* 100% */
240 if (options->max_startups_begin == -1)
241 options->max_startups_begin = options->max_startups;
242 if (options->max_authtries == -1)
243 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
244 if (options->max_sessions == -1)
245 options->max_sessions = DEFAULT_SESSIONS_MAX;
246 if (options->use_dns == -1)
247 options->use_dns = 1;
248 if (options->client_alive_interval == -1)
249 options->client_alive_interval = 0;
250 if (options->client_alive_count_max == -1)
251 options->client_alive_count_max = 3;
252 if (options->authorized_keys_file2 == NULL) {
253 /* authorized_keys_file2 falls back to authorized_keys_file */
254 if (options->authorized_keys_file != NULL)
255 options->authorized_keys_file2 = options->authorized_keys_file;
257 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
259 if (options->authorized_keys_file == NULL)
260 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
261 if (options->permit_tun == -1)
262 options->permit_tun = SSH_TUNMODE_NO;
263 if (options->zero_knowledge_password_authentication == -1)
264 options->zero_knowledge_password_authentication = 0;
266 /* Turn privilege separation on by default */
267 if (use_privsep == -1)
271 if (use_privsep && options->compression == 1) {
272 error("This platform does not support both privilege "
273 "separation and compression");
274 error("Compression disabled");
275 options->compression = 0;
281 /* Keyword tokens. */
283 sBadOption, /* == unknown option */
284 /* Portable-specific options */
286 /* Standard Options */
287 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
288 sPermitRootLogin, sLogFacility, sLogLevel,
289 sRhostsRSAAuthentication, sRSAAuthentication,
290 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
291 sKerberosGetAFSToken,
292 sKerberosTgtPassing, sChallengeResponseAuthentication,
293 sPasswordAuthentication, sKbdInteractiveAuthentication,
294 sListenAddress, sAddressFamily,
295 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
296 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
297 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
298 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
299 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
300 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
301 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
302 sMaxStartups, sMaxAuthTries, sMaxSessions,
303 sBanner, sUseDNS, sHostbasedAuthentication,
304 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
305 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
306 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
307 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
308 sUsePrivilegeSeparation, sAllowAgentForwarding, sRDomain,
309 sZeroKnowledgePasswordAuthentication,
310 sDeprecated, sUnsupported
313 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
314 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
315 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
317 /* Textual representation of the tokens. */
320 ServerOpCodes opcode;
323 /* Portable-specific options */
325 { "usepam", sUsePAM, SSHCFG_GLOBAL },
327 { "usepam", sUnsupported, SSHCFG_GLOBAL },
329 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
330 /* Standard Options */
331 { "port", sPort, SSHCFG_GLOBAL },
332 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
333 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
334 { "pidfile", sPidFile, SSHCFG_GLOBAL },
335 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
336 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
337 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
338 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
339 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
340 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
341 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
342 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
343 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
344 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
345 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
346 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
347 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
349 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
350 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
351 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
353 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
355 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
358 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
359 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
360 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
361 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
363 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
364 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
366 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
367 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
369 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
370 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
372 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
373 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
374 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
375 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
377 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
379 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
381 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
382 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
383 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
384 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
385 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
386 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
387 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
388 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
389 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
390 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
391 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
392 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
393 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
394 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
395 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
396 { "compression", sCompression, SSHCFG_GLOBAL },
397 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
398 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
399 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
400 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
401 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
402 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
403 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
404 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
405 { "ciphers", sCiphers, SSHCFG_GLOBAL },
406 { "macs", sMacs, SSHCFG_GLOBAL },
407 { "protocol", sProtocol, SSHCFG_GLOBAL },
408 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
409 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
410 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
411 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
412 { "maxsessions", sMaxSessions, SSHCFG_ALL },
413 { "banner", sBanner, SSHCFG_ALL },
414 { "usedns", sUseDNS, SSHCFG_GLOBAL },
415 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
416 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
417 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
418 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
419 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
420 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
421 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
422 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
423 { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
424 { "match", sMatch, SSHCFG_ALL },
425 { "permitopen", sPermitOpen, SSHCFG_ALL },
426 { "forcecommand", sForceCommand, SSHCFG_ALL },
427 #ifdef USE_ROUTINGDOMAIN
428 { "routingdomain", sRDomain, SSHCFG_GLOBAL },
430 { "routingdomain", sUnsupported, SSHCFG_GLOBAL },
432 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
433 { NULL, sBadOption, 0 }
440 { SSH_TUNMODE_NO, "no" },
441 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
442 { SSH_TUNMODE_ETHERNET, "ethernet" },
443 { SSH_TUNMODE_YES, "yes" },
448 * Returns the number of the token pointed to by cp or sBadOption.
452 parse_token(const char *cp, const char *filename,
453 int linenum, u_int *flags)
457 for (i = 0; keywords[i].name; i++)
458 if (strcasecmp(cp, keywords[i].name) == 0) {
459 *flags = keywords[i].flags;
460 return keywords[i].opcode;
463 error("%s: line %d: Bad configuration option: %s",
464 filename, linenum, cp);
469 add_listen_addr(ServerOptions *options, char *addr, int port)
473 if (options->num_ports == 0)
474 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
475 if (options->address_family == -1)
476 options->address_family = AF_UNSPEC;
478 for (i = 0; i < options->num_ports; i++)
479 add_one_listen_addr(options, addr, options->ports[i]);
481 add_one_listen_addr(options, addr, port);
485 add_one_listen_addr(ServerOptions *options, char *addr, int port)
487 struct addrinfo hints, *ai, *aitop;
488 char strport[NI_MAXSERV];
491 memset(&hints, 0, sizeof(hints));
492 hints.ai_family = options->address_family;
493 hints.ai_socktype = SOCK_STREAM;
494 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
495 snprintf(strport, sizeof strport, "%d", port);
496 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
497 fatal("bad addr or host: %s (%s)",
498 addr ? addr : "<NULL>",
499 ssh_gai_strerror(gaierr));
500 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
502 ai->ai_next = options->listen_addrs;
503 options->listen_addrs = aitop;
507 * The strategy for the Match blocks is that the config file is parsed twice.
509 * The first time is at startup. activep is initialized to 1 and the
510 * directives in the global context are processed and acted on. Hitting a
511 * Match directive unsets activep and the directives inside the block are
512 * checked for syntax only.
514 * The second time is after a connection has been established but before
515 * authentication. activep is initialized to 2 and global config directives
516 * are ignored since they have already been processed. If the criteria in a
517 * Match block is met, activep is set and the subsequent directives
518 * processed and actioned until EOF or another Match block unsets it. Any
519 * options set are copied into the main server config.
521 * Potential additions/improvements:
522 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
524 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
525 * Match Address 192.168.0.*
530 * AllowTcpForwarding yes
531 * GatewayPorts clientspecified
534 * - Add a PermittedChannelRequests directive
536 * PermittedChannelRequests session,forwarded-tcpip
540 match_cfg_line_group(const char *grps, int line, const char *user)
548 if ((pw = getpwnam(user)) == NULL) {
549 debug("Can't match group at line %d because user %.100s does "
550 "not exist", line, user);
551 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
552 debug("Can't Match group because user %.100s not in any group "
553 "at line %d", user, line);
554 } else if (ga_match_pattern_list(grps) != 1) {
555 debug("user %.100s does not match group list %.100s at line %d",
558 debug("user %.100s matched group list %.100s at line %d", user,
568 match_cfg_line(char **condition, int line, const char *user, const char *host,
572 char *arg, *attrib, *cp = *condition;
576 debug3("checking syntax for 'Match %s'", cp);
578 debug3("checking match for '%s' user %s host %s addr %s", cp,
579 user ? user : "(null)", host ? host : "(null)",
580 address ? address : "(null)");
582 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
583 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
584 error("Missing Match criteria for %s", attrib);
588 if (strcasecmp(attrib, "user") == 0) {
593 if (match_pattern_list(user, arg, len, 0) != 1)
596 debug("user %.100s matched 'User %.100s' at "
597 "line %d", user, arg, line);
598 } else if (strcasecmp(attrib, "group") == 0) {
599 switch (match_cfg_line_group(arg, line, user)) {
605 } else if (strcasecmp(attrib, "host") == 0) {
610 if (match_hostname(host, arg, len) != 1)
613 debug("connection from %.100s matched 'Host "
614 "%.100s' at line %d", host, arg, line);
615 } else if (strcasecmp(attrib, "address") == 0) {
616 switch (addr_match_list(address, arg)) {
618 debug("connection from %.100s matched 'Address "
619 "%.100s' at line %d", address, arg, line);
629 error("Unsupported Match attribute %s", attrib);
634 debug3("match %sfound", result ? "" : "not ");
639 #define WHITESPACE " \t\r\n"
642 process_server_config_line(ServerOptions *options, char *line,
643 const char *filename, int linenum, int *activep, const char *user,
644 const char *host, const char *address)
646 char *cp, **charptr, *arg, *p;
647 int cmdline = 0, *intptr, value, n;
648 SyslogFacility *log_facility_ptr;
649 LogLevel *log_level_ptr;
650 ServerOpCodes opcode;
656 if ((arg = strdelim(&cp)) == NULL)
658 /* Ignore leading whitespace */
661 if (!arg || !*arg || *arg == '#')
665 opcode = parse_token(arg, filename, linenum, &flags);
667 if (activep == NULL) { /* We are processing a command line directive */
671 if (*activep && opcode != sMatch)
672 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
673 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
675 fatal("%s line %d: Directive '%s' is not allowed "
676 "within a Match block", filename, linenum, arg);
677 } else { /* this is a directive we have already processed */
685 /* Portable-specific options */
687 intptr = &options->use_pam;
690 /* Standard Options */
694 /* ignore ports from configfile if cmdline specifies ports */
695 if (options->ports_from_cmdline)
697 if (options->listen_addrs != NULL)
698 fatal("%s line %d: ports must be specified before "
699 "ListenAddress.", filename, linenum);
700 if (options->num_ports >= MAX_PORTS)
701 fatal("%s line %d: too many ports.",
704 if (!arg || *arg == '\0')
705 fatal("%s line %d: missing port number.",
707 options->ports[options->num_ports++] = a2port(arg);
708 if (options->ports[options->num_ports-1] <= 0)
709 fatal("%s line %d: Badly formatted port number.",
714 intptr = &options->server_key_bits;
717 if (!arg || *arg == '\0')
718 fatal("%s line %d: missing integer value.",
721 if (*activep && *intptr == -1)
725 case sLoginGraceTime:
726 intptr = &options->login_grace_time;
729 if (!arg || *arg == '\0')
730 fatal("%s line %d: missing time value.",
732 if ((value = convtime(arg)) == -1)
733 fatal("%s line %d: invalid time value.",
739 case sKeyRegenerationTime:
740 intptr = &options->key_regeneration_time;
745 if (arg == NULL || *arg == '\0')
746 fatal("%s line %d: missing address",
748 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
749 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
750 && strchr(p+1, ':') != NULL) {
751 add_listen_addr(options, arg, 0);
756 fatal("%s line %d: bad address:port usage",
758 p = cleanhostname(p);
761 else if ((port = a2port(arg)) <= 0)
762 fatal("%s line %d: bad port number", filename, linenum);
764 add_listen_addr(options, p, port);
770 if (!arg || *arg == '\0')
771 fatal("%s line %d: missing address family.",
773 intptr = &options->address_family;
774 if (options->listen_addrs != NULL)
775 fatal("%s line %d: address family must be specified before "
776 "ListenAddress.", filename, linenum);
777 if (strcasecmp(arg, "inet") == 0)
779 else if (strcasecmp(arg, "inet6") == 0)
781 else if (strcasecmp(arg, "any") == 0)
784 fatal("%s line %d: unsupported address family \"%s\".",
785 filename, linenum, arg);
791 intptr = &options->num_host_key_files;
792 if (*intptr >= MAX_HOSTKEYS)
793 fatal("%s line %d: too many host keys specified (max %d).",
794 filename, linenum, MAX_HOSTKEYS);
795 charptr = &options->host_key_files[*intptr];
798 if (!arg || *arg == '\0')
799 fatal("%s line %d: missing file name.",
801 if (*activep && *charptr == NULL) {
802 *charptr = tilde_expand_filename(arg, getuid());
803 /* increase optional counter */
805 *intptr = *intptr + 1;
810 charptr = &options->pid_file;
813 case sPermitRootLogin:
814 intptr = &options->permit_root_login;
816 if (!arg || *arg == '\0')
817 fatal("%s line %d: missing yes/"
818 "without-password/forced-commands-only/no "
819 "argument.", filename, linenum);
820 value = 0; /* silence compiler */
821 if (strcmp(arg, "without-password") == 0)
822 value = PERMIT_NO_PASSWD;
823 else if (strcmp(arg, "forced-commands-only") == 0)
824 value = PERMIT_FORCED_ONLY;
825 else if (strcmp(arg, "yes") == 0)
827 else if (strcmp(arg, "no") == 0)
830 fatal("%s line %d: Bad yes/"
831 "without-password/forced-commands-only/no "
832 "argument: %s", filename, linenum, arg);
833 if (*activep && *intptr == -1)
838 intptr = &options->ignore_rhosts;
841 if (!arg || *arg == '\0')
842 fatal("%s line %d: missing yes/no argument.",
844 value = 0; /* silence compiler */
845 if (strcmp(arg, "yes") == 0)
847 else if (strcmp(arg, "no") == 0)
850 fatal("%s line %d: Bad yes/no argument: %s",
851 filename, linenum, arg);
852 if (*activep && *intptr == -1)
856 case sIgnoreUserKnownHosts:
857 intptr = &options->ignore_user_known_hosts;
860 case sRhostsRSAAuthentication:
861 intptr = &options->rhosts_rsa_authentication;
864 case sHostbasedAuthentication:
865 intptr = &options->hostbased_authentication;
868 case sHostbasedUsesNameFromPacketOnly:
869 intptr = &options->hostbased_uses_name_from_packet_only;
872 case sRSAAuthentication:
873 intptr = &options->rsa_authentication;
876 case sPubkeyAuthentication:
877 intptr = &options->pubkey_authentication;
880 case sKerberosAuthentication:
881 intptr = &options->kerberos_authentication;
884 case sKerberosOrLocalPasswd:
885 intptr = &options->kerberos_or_local_passwd;
888 case sKerberosTicketCleanup:
889 intptr = &options->kerberos_ticket_cleanup;
892 case sKerberosGetAFSToken:
893 intptr = &options->kerberos_get_afs_token;
896 case sGssAuthentication:
897 intptr = &options->gss_authentication;
900 case sGssCleanupCreds:
901 intptr = &options->gss_cleanup_creds;
904 case sPasswordAuthentication:
905 intptr = &options->password_authentication;
908 case sZeroKnowledgePasswordAuthentication:
909 intptr = &options->zero_knowledge_password_authentication;
912 case sKbdInteractiveAuthentication:
913 intptr = &options->kbd_interactive_authentication;
916 case sChallengeResponseAuthentication:
917 intptr = &options->challenge_response_authentication;
921 intptr = &options->print_motd;
925 intptr = &options->print_lastlog;
929 intptr = &options->x11_forwarding;
932 case sX11DisplayOffset:
933 intptr = &options->x11_display_offset;
936 case sX11UseLocalhost:
937 intptr = &options->x11_use_localhost;
941 charptr = &options->xauth_location;
945 intptr = &options->strict_modes;
949 intptr = &options->tcp_keep_alive;
953 intptr = &options->permit_empty_passwd;
956 case sPermitUserEnvironment:
957 intptr = &options->permit_user_env;
961 intptr = &options->use_login;
965 intptr = &options->compression;
967 if (!arg || *arg == '\0')
968 fatal("%s line %d: missing yes/no/delayed "
969 "argument.", filename, linenum);
970 value = 0; /* silence compiler */
971 if (strcmp(arg, "delayed") == 0)
972 value = COMP_DELAYED;
973 else if (strcmp(arg, "yes") == 0)
975 else if (strcmp(arg, "no") == 0)
978 fatal("%s line %d: Bad yes/no/delayed "
979 "argument: %s", filename, linenum, arg);
985 intptr = &options->gateway_ports;
987 if (!arg || *arg == '\0')
988 fatal("%s line %d: missing yes/no/clientspecified "
989 "argument.", filename, linenum);
990 value = 0; /* silence compiler */
991 if (strcmp(arg, "clientspecified") == 0)
993 else if (strcmp(arg, "yes") == 0)
995 else if (strcmp(arg, "no") == 0)
998 fatal("%s line %d: Bad yes/no/clientspecified "
999 "argument: %s", filename, linenum, arg);
1000 if (*activep && *intptr == -1)
1005 intptr = &options->use_dns;
1009 log_facility_ptr = &options->log_facility;
1010 arg = strdelim(&cp);
1011 value = log_facility_number(arg);
1012 if (value == SYSLOG_FACILITY_NOT_SET)
1013 fatal("%.200s line %d: unsupported log facility '%s'",
1014 filename, linenum, arg ? arg : "<NONE>");
1015 if (*log_facility_ptr == -1)
1016 *log_facility_ptr = (SyslogFacility) value;
1020 log_level_ptr = &options->log_level;
1021 arg = strdelim(&cp);
1022 value = log_level_number(arg);
1023 if (value == SYSLOG_LEVEL_NOT_SET)
1024 fatal("%.200s line %d: unsupported log level '%s'",
1025 filename, linenum, arg ? arg : "<NONE>");
1026 if (*log_level_ptr == -1)
1027 *log_level_ptr = (LogLevel) value;
1030 case sAllowTcpForwarding:
1031 intptr = &options->allow_tcp_forwarding;
1034 case sAllowAgentForwarding:
1035 intptr = &options->allow_agent_forwarding;
1038 case sUsePrivilegeSeparation:
1039 intptr = &use_privsep;
1043 while ((arg = strdelim(&cp)) && *arg != '\0') {
1044 if (options->num_allow_users >= MAX_ALLOW_USERS)
1045 fatal("%s line %d: too many allow users.",
1047 options->allow_users[options->num_allow_users++] =
1053 while ((arg = strdelim(&cp)) && *arg != '\0') {
1054 if (options->num_deny_users >= MAX_DENY_USERS)
1055 fatal("%s line %d: too many deny users.",
1057 options->deny_users[options->num_deny_users++] =
1063 while ((arg = strdelim(&cp)) && *arg != '\0') {
1064 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1065 fatal("%s line %d: too many allow groups.",
1067 options->allow_groups[options->num_allow_groups++] =
1073 while ((arg = strdelim(&cp)) && *arg != '\0') {
1074 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1075 fatal("%s line %d: too many deny groups.",
1077 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1082 arg = strdelim(&cp);
1083 if (!arg || *arg == '\0')
1084 fatal("%s line %d: Missing argument.", filename, linenum);
1085 if (!ciphers_valid(arg))
1086 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1087 filename, linenum, arg ? arg : "<NONE>");
1088 if (options->ciphers == NULL)
1089 options->ciphers = xstrdup(arg);
1093 arg = strdelim(&cp);
1094 if (!arg || *arg == '\0')
1095 fatal("%s line %d: Missing argument.", filename, linenum);
1096 if (!mac_valid(arg))
1097 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1098 filename, linenum, arg ? arg : "<NONE>");
1099 if (options->macs == NULL)
1100 options->macs = xstrdup(arg);
1104 intptr = &options->protocol;
1105 arg = strdelim(&cp);
1106 if (!arg || *arg == '\0')
1107 fatal("%s line %d: Missing argument.", filename, linenum);
1108 value = proto_spec(arg);
1109 if (value == SSH_PROTO_UNKNOWN)
1110 fatal("%s line %d: Bad protocol spec '%s'.",
1111 filename, linenum, arg ? arg : "<NONE>");
1112 if (*intptr == SSH_PROTO_UNKNOWN)
1117 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1118 fatal("%s line %d: too many subsystems defined.",
1121 arg = strdelim(&cp);
1122 if (!arg || *arg == '\0')
1123 fatal("%s line %d: Missing subsystem name.",
1126 arg = strdelim(&cp);
1129 for (i = 0; i < options->num_subsystems; i++)
1130 if (strcmp(arg, options->subsystem_name[i]) == 0)
1131 fatal("%s line %d: Subsystem '%s' already defined.",
1132 filename, linenum, arg);
1133 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1134 arg = strdelim(&cp);
1135 if (!arg || *arg == '\0')
1136 fatal("%s line %d: Missing subsystem command.",
1138 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1140 /* Collect arguments (separate to executable) */
1142 len = strlen(p) + 1;
1143 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1144 len += 1 + strlen(arg);
1145 p = xrealloc(p, 1, len);
1146 strlcat(p, " ", len);
1147 strlcat(p, arg, len);
1149 options->subsystem_args[options->num_subsystems] = p;
1150 options->num_subsystems++;
1154 arg = strdelim(&cp);
1155 if (!arg || *arg == '\0')
1156 fatal("%s line %d: Missing MaxStartups spec.",
1158 if ((n = sscanf(arg, "%d:%d:%d",
1159 &options->max_startups_begin,
1160 &options->max_startups_rate,
1161 &options->max_startups)) == 3) {
1162 if (options->max_startups_begin >
1163 options->max_startups ||
1164 options->max_startups_rate > 100 ||
1165 options->max_startups_rate < 1)
1166 fatal("%s line %d: Illegal MaxStartups spec.",
1169 fatal("%s line %d: Illegal MaxStartups spec.",
1172 options->max_startups = options->max_startups_begin;
1176 intptr = &options->max_authtries;
1180 intptr = &options->max_sessions;
1184 charptr = &options->banner;
1185 goto parse_filename;
1188 * These options can contain %X options expanded at
1189 * connect time, so that you can specify paths like:
1191 * AuthorizedKeysFile /etc/ssh_keys/%u
1193 case sAuthorizedKeysFile:
1194 case sAuthorizedKeysFile2:
1195 charptr = (opcode == sAuthorizedKeysFile) ?
1196 &options->authorized_keys_file :
1197 &options->authorized_keys_file2;
1198 goto parse_filename;
1200 case sClientAliveInterval:
1201 intptr = &options->client_alive_interval;
1204 case sClientAliveCountMax:
1205 intptr = &options->client_alive_count_max;
1209 while ((arg = strdelim(&cp)) && *arg != '\0') {
1210 if (strchr(arg, '=') != NULL)
1211 fatal("%s line %d: Invalid environment name.",
1213 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1214 fatal("%s line %d: too many allow env.",
1218 options->accept_env[options->num_accept_env++] =
1224 intptr = &options->permit_tun;
1225 arg = strdelim(&cp);
1226 if (!arg || *arg == '\0')
1227 fatal("%s line %d: Missing yes/point-to-point/"
1228 "ethernet/no argument.", filename, linenum);
1230 for (i = 0; tunmode_desc[i].val != -1; i++)
1231 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1232 value = tunmode_desc[i].val;
1236 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1237 "no argument: %s", filename, linenum, arg);
1244 fatal("Match directive not supported as a command-line "
1246 value = match_cfg_line(&cp, linenum, user, host, address);
1248 fatal("%s line %d: Bad Match condition", filename,
1254 arg = strdelim(&cp);
1255 if (!arg || *arg == '\0')
1256 fatal("%s line %d: missing PermitOpen specification",
1258 n = options->num_permitted_opens; /* modified later */
1259 if (strcmp(arg, "any") == 0) {
1260 if (*activep && n == -1) {
1261 channel_clear_adm_permitted_opens();
1262 options->num_permitted_opens = 0;
1266 if (*activep && n == -1)
1267 channel_clear_adm_permitted_opens();
1268 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1271 fatal("%s line %d: missing host in PermitOpen",
1273 p = cleanhostname(p);
1274 if (arg == NULL || (port = a2port(arg)) <= 0)
1275 fatal("%s line %d: bad port number in "
1276 "PermitOpen", filename, linenum);
1277 if (*activep && n == -1)
1278 options->num_permitted_opens =
1279 channel_add_adm_permitted_opens(p, port);
1285 fatal("%.200s line %d: Missing argument.", filename,
1287 len = strspn(cp, WHITESPACE);
1288 if (*activep && options->adm_forced_command == NULL)
1289 options->adm_forced_command = xstrdup(cp + len);
1292 case sChrootDirectory:
1293 charptr = &options->chroot_directory;
1295 arg = strdelim(&cp);
1296 if (!arg || *arg == '\0')
1297 fatal("%s line %d: missing file name.",
1299 if (*activep && *charptr == NULL)
1300 *charptr = xstrdup(arg);
1303 #ifdef USE_ROUTINGDOMAIN
1305 intptr = &options->rdomain;
1306 arg = strdelim(&cp);
1307 if (!arg || *arg == '\0')
1308 fatal("%s line %d: missing rdomain value.",
1310 if ((value = a2rdomain(arg)) == -1)
1311 fatal("%s line %d: invalid rdomain value.",
1319 logit("%s line %d: Deprecated option %s",
1320 filename, linenum, arg);
1322 arg = strdelim(&cp);
1326 logit("%s line %d: Unsupported option %s",
1327 filename, linenum, arg);
1329 arg = strdelim(&cp);
1333 fatal("%s line %d: Missing handler for opcode %s (%d)",
1334 filename, linenum, arg, opcode);
1336 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1337 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1338 filename, linenum, arg);
1342 /* Reads the server configuration file. */
1345 load_server_config(const char *filename, Buffer *conf)
1347 char line[1024], *cp;
1350 debug2("%s: filename %s", __func__, filename);
1351 if ((f = fopen(filename, "r")) == NULL) {
1356 while (fgets(line, sizeof(line), f)) {
1358 * Trim out comments and strip whitespace
1359 * NB - preserve newlines, they are needed to reproduce
1360 * line numbers later for error messages
1362 if ((cp = strchr(line, '#')) != NULL)
1363 memcpy(cp, "\n", 2);
1364 cp = line + strspn(line, " \t\r");
1366 buffer_append(conf, cp, strlen(cp));
1368 buffer_append(conf, "\0", 1);
1370 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1374 parse_server_match_config(ServerOptions *options, const char *user,
1375 const char *host, const char *address)
1379 initialize_server_options(&mo);
1380 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1381 copy_set_server_options(options, &mo, 0);
1385 #define M_CP_INTOPT(n) do {\
1389 #define M_CP_STROPT(n) do {\
1390 if (src->n != NULL) { \
1391 if (dst->n != NULL) \
1398 * Copy any supported values that are set.
1400 * If the preauth flag is set, we do not bother copying the string or
1401 * array values that are not used pre-authentication, because any that we
1402 * do use must be explictly sent in mm_getpwnamallow().
1405 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1407 M_CP_INTOPT(password_authentication);
1408 M_CP_INTOPT(gss_authentication);
1409 M_CP_INTOPT(rsa_authentication);
1410 M_CP_INTOPT(pubkey_authentication);
1411 M_CP_INTOPT(kerberos_authentication);
1412 M_CP_INTOPT(hostbased_authentication);
1413 M_CP_INTOPT(kbd_interactive_authentication);
1414 M_CP_INTOPT(zero_knowledge_password_authentication);
1415 M_CP_INTOPT(permit_root_login);
1416 M_CP_INTOPT(permit_empty_passwd);
1418 M_CP_INTOPT(allow_tcp_forwarding);
1419 M_CP_INTOPT(allow_agent_forwarding);
1420 M_CP_INTOPT(gateway_ports);
1421 M_CP_INTOPT(x11_display_offset);
1422 M_CP_INTOPT(x11_forwarding);
1423 M_CP_INTOPT(x11_use_localhost);
1424 M_CP_INTOPT(max_sessions);
1425 M_CP_INTOPT(max_authtries);
1427 M_CP_STROPT(banner);
1430 M_CP_STROPT(adm_forced_command);
1431 M_CP_STROPT(chroot_directory);
1438 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1439 const char *user, const char *host, const char *address)
1441 int active, linenum, bad_options = 0;
1442 char *cp, *obuf, *cbuf;
1444 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1446 obuf = cbuf = xstrdup(buffer_ptr(conf));
1447 active = user ? 0 : 1;
1449 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1450 if (process_server_config_line(options, cp, filename,
1451 linenum++, &active, user, host, address) != 0)
1455 if (bad_options > 0)
1456 fatal("%s: terminating, %d bad configuration options",
1457 filename, bad_options);
1461 fmt_intarg(ServerOpCodes code, int val)
1463 if (code == sAddressFamily) {
1475 if (code == sPermitRootLogin) {
1477 case PERMIT_NO_PASSWD:
1478 return "without-password";
1479 case PERMIT_FORCED_ONLY:
1480 return "forced-commands-only";
1485 if (code == sProtocol) {
1491 case (SSH_PROTO_1|SSH_PROTO_2):
1497 if (code == sGatewayPorts && val == 2)
1498 return "clientspecified";
1499 if (code == sCompression && val == COMP_DELAYED)
1513 lookup_opcode_name(ServerOpCodes code)
1517 for (i = 0; keywords[i].name != NULL; i++)
1518 if (keywords[i].opcode == code)
1519 return(keywords[i].name);
1524 dump_cfg_int(ServerOpCodes code, int val)
1526 printf("%s %d\n", lookup_opcode_name(code), val);
1530 dump_cfg_fmtint(ServerOpCodes code, int val)
1532 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1536 dump_cfg_string(ServerOpCodes code, const char *val)
1540 printf("%s %s\n", lookup_opcode_name(code), val);
1544 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1548 for (i = 0; i < count; i++)
1549 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1553 dump_config(ServerOptions *o)
1557 struct addrinfo *ai;
1558 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1560 /* these are usually at the top of the config */
1561 for (i = 0; i < o->num_ports; i++)
1562 printf("port %d\n", o->ports[i]);
1563 dump_cfg_fmtint(sProtocol, o->protocol);
1564 dump_cfg_fmtint(sAddressFamily, o->address_family);
1566 /* ListenAddress must be after Port */
1567 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1568 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1569 sizeof(addr), port, sizeof(port),
1570 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1571 error("getnameinfo failed: %.100s",
1572 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1575 if (ai->ai_family == AF_INET6)
1576 printf("listenaddress [%s]:%s\n", addr, port);
1578 printf("listenaddress %s:%s\n", addr, port);
1582 /* integer arguments */
1584 dump_cfg_int(sUsePAM, o->use_pam);
1586 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1587 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1588 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1589 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1590 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1591 dump_cfg_int(sMaxSessions, o->max_sessions);
1592 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1593 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1594 dump_cfg_int(sRDomain, o->rdomain);
1596 /* formatted integer arguments */
1597 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1598 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1599 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1600 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1601 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1602 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1603 o->hostbased_uses_name_from_packet_only);
1604 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1605 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1607 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1608 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1609 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1611 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1615 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1616 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1619 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1620 o->zero_knowledge_password_authentication);
1622 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1623 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1624 o->kbd_interactive_authentication);
1625 dump_cfg_fmtint(sChallengeResponseAuthentication,
1626 o->challenge_response_authentication);
1627 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1628 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1629 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1630 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1631 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1632 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1633 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1634 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1635 dump_cfg_fmtint(sUseLogin, o->use_login);
1636 dump_cfg_fmtint(sCompression, o->compression);
1637 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1638 dump_cfg_fmtint(sUseDNS, o->use_dns);
1639 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1640 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1642 /* string arguments */
1643 dump_cfg_string(sPidFile, o->pid_file);
1644 dump_cfg_string(sXAuthLocation, o->xauth_location);
1645 dump_cfg_string(sCiphers, o->ciphers);
1646 dump_cfg_string(sMacs, o->macs);
1647 dump_cfg_string(sBanner, o->banner);
1648 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1649 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1650 dump_cfg_string(sForceCommand, o->adm_forced_command);
1652 /* string arguments requiring a lookup */
1653 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1654 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1656 /* string array arguments */
1657 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1659 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1660 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1661 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1662 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1663 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1665 /* other arguments */
1666 for (i = 0; i < o->num_subsystems; i++)
1667 printf("subsystem %s %s\n", o->subsystem_name[i],
1668 o->subsystem_args[i]);
1670 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1671 o->max_startups_rate, o->max_startups);
1673 for (i = 0; tunmode_desc[i].val != -1; i++)
1674 if (tunmode_desc[i].val == o->permit_tun) {
1675 s = tunmode_desc[i].text;
1678 dump_cfg_string(sPermitTunnel, s);
1680 channel_print_adm_permitted_opens();