2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.92 2001/11/17 19:14:34 stevesk Exp $");
15 #if defined(KRB4) || defined(KRB5)
27 #include "pathnames.h"
28 #include "tildexpand.h"
34 static void add_listen_addr(ServerOptions *, char *, u_short);
35 static void add_one_listen_addr(ServerOptions *, char *, u_short);
37 /* AF_UNSPEC or AF_INET or AF_INET6 */
40 /* Initializes the server options to their default values. */
43 initialize_server_options(ServerOptions *options)
45 memset(options, 0, sizeof(*options));
47 /* Portable-specific options */
48 options->pam_authentication_via_kbd_int = -1;
50 /* Standard Options */
51 options->num_ports = 0;
52 options->ports_from_cmdline = 0;
53 options->listen_addrs = NULL;
54 options->num_host_key_files = 0;
55 options->pid_file = NULL;
56 options->server_key_bits = -1;
57 options->login_grace_time = -1;
58 options->key_regeneration_time = -1;
59 options->permit_root_login = PERMIT_NOT_SET;
60 options->ignore_rhosts = -1;
61 options->ignore_user_known_hosts = -1;
62 options->print_motd = -1;
63 options->print_lastlog = -1;
64 options->x11_forwarding = -1;
65 options->x11_display_offset = -1;
66 options->xauth_location = NULL;
67 options->strict_modes = -1;
68 options->keepalives = -1;
69 options->log_facility = (SyslogFacility) - 1;
70 options->log_level = (LogLevel) - 1;
71 options->rhosts_authentication = -1;
72 options->rhosts_rsa_authentication = -1;
73 options->hostbased_authentication = -1;
74 options->hostbased_uses_name_from_packet_only = -1;
75 options->rsa_authentication = -1;
76 options->pubkey_authentication = -1;
77 #if defined(KRB4) || defined(KRB5)
78 options->kerberos_authentication = -1;
79 options->kerberos_or_local_passwd = -1;
80 options->kerberos_ticket_cleanup = -1;
82 #if defined(AFS) || defined(KRB5)
83 options->kerberos_tgt_passing = -1;
86 options->afs_token_passing = -1;
88 options->password_authentication = -1;
89 options->kbd_interactive_authentication = -1;
90 options->challenge_response_authentication = -1;
91 options->permit_empty_passwd = -1;
92 options->use_login = -1;
93 options->allow_tcp_forwarding = -1;
94 options->num_allow_users = 0;
95 options->num_deny_users = 0;
96 options->num_allow_groups = 0;
97 options->num_deny_groups = 0;
98 options->ciphers = NULL;
100 options->protocol = SSH_PROTO_UNKNOWN;
101 options->gateway_ports = -1;
102 options->num_subsystems = 0;
103 options->max_startups_begin = -1;
104 options->max_startups_rate = -1;
105 options->max_startups = -1;
106 options->banner = NULL;
107 options->reverse_mapping_check = -1;
108 options->client_alive_interval = -1;
109 options->client_alive_count_max = -1;
110 options->authorized_keys_file = NULL;
111 options->authorized_keys_file2 = NULL;
115 fill_default_server_options(ServerOptions *options)
117 /* Portable-specific options */
118 if (options->pam_authentication_via_kbd_int == -1)
119 options->pam_authentication_via_kbd_int = 0;
121 /* Standard Options */
122 if (options->protocol == SSH_PROTO_UNKNOWN)
123 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
124 if (options->num_host_key_files == 0) {
125 /* fill default hostkeys for protocols */
126 if (options->protocol & SSH_PROTO_1)
127 options->host_key_files[options->num_host_key_files++] = _PATH_HOST_KEY_FILE;
128 if (options->protocol & SSH_PROTO_2)
129 options->host_key_files[options->num_host_key_files++] = _PATH_HOST_DSA_KEY_FILE;
131 if (options->num_ports == 0)
132 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
133 if (options->listen_addrs == NULL)
134 add_listen_addr(options, NULL, 0);
135 if (options->pid_file == NULL)
136 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
137 if (options->server_key_bits == -1)
138 options->server_key_bits = 768;
139 if (options->login_grace_time == -1)
140 options->login_grace_time = 600;
141 if (options->key_regeneration_time == -1)
142 options->key_regeneration_time = 3600;
143 if (options->permit_root_login == PERMIT_NOT_SET)
144 options->permit_root_login = PERMIT_YES;
145 if (options->ignore_rhosts == -1)
146 options->ignore_rhosts = 1;
147 if (options->ignore_user_known_hosts == -1)
148 options->ignore_user_known_hosts = 0;
149 if (options->print_motd == -1)
150 options->print_motd = 1;
151 if (options->print_lastlog == -1)
152 options->print_lastlog = 1;
153 if (options->x11_forwarding == -1)
154 options->x11_forwarding = 0;
155 if (options->x11_display_offset == -1)
156 options->x11_display_offset = 10;
158 if (options->xauth_location == NULL)
159 options->xauth_location = _PATH_XAUTH;
161 if (options->strict_modes == -1)
162 options->strict_modes = 1;
163 if (options->keepalives == -1)
164 options->keepalives = 1;
165 if (options->log_facility == (SyslogFacility) (-1))
166 options->log_facility = SYSLOG_FACILITY_AUTH;
167 if (options->log_level == (LogLevel) (-1))
168 options->log_level = SYSLOG_LEVEL_INFO;
169 if (options->rhosts_authentication == -1)
170 options->rhosts_authentication = 0;
171 if (options->rhosts_rsa_authentication == -1)
172 options->rhosts_rsa_authentication = 0;
173 if (options->hostbased_authentication == -1)
174 options->hostbased_authentication = 0;
175 if (options->hostbased_uses_name_from_packet_only == -1)
176 options->hostbased_uses_name_from_packet_only = 0;
177 if (options->rsa_authentication == -1)
178 options->rsa_authentication = 1;
179 if (options->pubkey_authentication == -1)
180 options->pubkey_authentication = 1;
181 #if defined(KRB4) || defined(KRB5)
182 if (options->kerberos_authentication == -1)
183 options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
184 if (options->kerberos_or_local_passwd == -1)
185 options->kerberos_or_local_passwd = 1;
186 if (options->kerberos_ticket_cleanup == -1)
187 options->kerberos_ticket_cleanup = 1;
189 #if defined(AFS) || defined(KRB5)
190 if (options->kerberos_tgt_passing == -1)
191 options->kerberos_tgt_passing = 0;
194 if (options->afs_token_passing == -1)
195 options->afs_token_passing = k_hasafs();
197 if (options->password_authentication == -1)
198 options->password_authentication = 1;
199 if (options->kbd_interactive_authentication == -1)
200 options->kbd_interactive_authentication = 0;
201 if (options->challenge_response_authentication == -1)
202 options->challenge_response_authentication = 1;
203 if (options->permit_empty_passwd == -1)
204 options->permit_empty_passwd = 0;
205 if (options->use_login == -1)
206 options->use_login = 0;
207 if (options->allow_tcp_forwarding == -1)
208 options->allow_tcp_forwarding = 1;
209 if (options->gateway_ports == -1)
210 options->gateway_ports = 0;
211 if (options->max_startups == -1)
212 options->max_startups = 10;
213 if (options->max_startups_rate == -1)
214 options->max_startups_rate = 100; /* 100% */
215 if (options->max_startups_begin == -1)
216 options->max_startups_begin = options->max_startups;
217 if (options->reverse_mapping_check == -1)
218 options->reverse_mapping_check = 0;
219 if (options->client_alive_interval == -1)
220 options->client_alive_interval = 0;
221 if (options->client_alive_count_max == -1)
222 options->client_alive_count_max = 3;
223 if (options->authorized_keys_file2 == NULL) {
224 /* authorized_keys_file2 falls back to authorized_keys_file */
225 if (options->authorized_keys_file != NULL)
226 options->authorized_keys_file2 = options->authorized_keys_file;
228 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
230 if (options->authorized_keys_file == NULL)
231 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
234 /* Keyword tokens. */
236 sBadOption, /* == unknown option */
237 /* Portable-specific options */
238 sPAMAuthenticationViaKbdInt,
239 /* Standard Options */
240 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
241 sPermitRootLogin, sLogFacility, sLogLevel,
242 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
243 #if defined(KRB4) || defined(KRB5)
244 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
246 #if defined(AFS) || defined(KRB5)
252 sChallengeResponseAuthentication,
253 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
254 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
255 sX11Forwarding, sX11DisplayOffset,
256 sStrictModes, sEmptyPasswd, sKeepAlives,
257 sUseLogin, sAllowTcpForwarding,
258 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
259 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
260 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
261 sBanner, sReverseMappingCheck, sHostbasedAuthentication,
262 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
263 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
267 /* Textual representation of the tokens. */
270 ServerOpCodes opcode;
272 /* Portable-specific options */
273 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
274 /* Standard Options */
276 { "hostkey", sHostKeyFile },
277 { "hostdsakey", sHostKeyFile }, /* alias */
278 { "pidfile", sPidFile },
279 { "serverkeybits", sServerKeyBits },
280 { "logingracetime", sLoginGraceTime },
281 { "keyregenerationinterval", sKeyRegenerationTime },
282 { "permitrootlogin", sPermitRootLogin },
283 { "syslogfacility", sLogFacility },
284 { "loglevel", sLogLevel },
285 { "rhostsauthentication", sRhostsAuthentication },
286 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
287 { "hostbasedauthentication", sHostbasedAuthentication },
288 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
289 { "rsaauthentication", sRSAAuthentication },
290 { "pubkeyauthentication", sPubkeyAuthentication },
291 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
292 #if defined(KRB4) || defined(KRB5)
293 { "kerberosauthentication", sKerberosAuthentication },
294 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
295 { "kerberosticketcleanup", sKerberosTicketCleanup },
297 #if defined(AFS) || defined(KRB5)
298 { "kerberostgtpassing", sKerberosTgtPassing },
301 { "afstokenpassing", sAFSTokenPassing },
303 { "passwordauthentication", sPasswordAuthentication },
304 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
305 { "challengeresponseauthentication", sChallengeResponseAuthentication },
306 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
307 { "checkmail", sDeprecated },
308 { "listenaddress", sListenAddress },
309 { "printmotd", sPrintMotd },
310 { "printlastlog", sPrintLastLog },
311 { "ignorerhosts", sIgnoreRhosts },
312 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
313 { "x11forwarding", sX11Forwarding },
314 { "x11displayoffset", sX11DisplayOffset },
315 { "xauthlocation", sXAuthLocation },
316 { "strictmodes", sStrictModes },
317 { "permitemptypasswords", sEmptyPasswd },
318 { "uselogin", sUseLogin },
319 { "keepalive", sKeepAlives },
320 { "allowtcpforwarding", sAllowTcpForwarding },
321 { "allowusers", sAllowUsers },
322 { "denyusers", sDenyUsers },
323 { "allowgroups", sAllowGroups },
324 { "denygroups", sDenyGroups },
325 { "ciphers", sCiphers },
327 { "protocol", sProtocol },
328 { "gatewayports", sGatewayPorts },
329 { "subsystem", sSubsystem },
330 { "maxstartups", sMaxStartups },
331 { "banner", sBanner },
332 { "reversemappingcheck", sReverseMappingCheck },
333 { "clientaliveinterval", sClientAliveInterval },
334 { "clientalivecountmax", sClientAliveCountMax },
335 { "authorizedkeysfile", sAuthorizedKeysFile },
336 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
341 * Returns the number of the token pointed to by cp or sBadOption.
345 parse_token(const char *cp, const char *filename,
350 for (i = 0; keywords[i].name; i++)
351 if (strcasecmp(cp, keywords[i].name) == 0)
352 return keywords[i].opcode;
354 error("%s: line %d: Bad configuration option: %s",
355 filename, linenum, cp);
360 add_listen_addr(ServerOptions *options, char *addr, u_short port)
364 if (options->num_ports == 0)
365 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
367 for (i = 0; i < options->num_ports; i++)
368 add_one_listen_addr(options, addr, options->ports[i]);
370 add_one_listen_addr(options, addr, port);
374 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
376 struct addrinfo hints, *ai, *aitop;
377 char strport[NI_MAXSERV];
380 memset(&hints, 0, sizeof(hints));
381 hints.ai_family = IPv4or6;
382 hints.ai_socktype = SOCK_STREAM;
383 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
384 snprintf(strport, sizeof strport, "%d", port);
385 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
386 fatal("bad addr or host: %s (%s)",
387 addr ? addr : "<NULL>",
388 gai_strerror(gaierr));
389 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
391 ai->ai_next = options->listen_addrs;
392 options->listen_addrs = aitop;
395 /* Reads the server configuration file. */
398 read_server_config(ServerOptions *options, const char *filename)
402 char *cp, **charptr, *arg, *p;
403 int linenum, *intptr, value;
405 ServerOpCodes opcode;
408 f = fopen(filename, "r");
414 while (fgets(line, sizeof(line), f)) {
418 /* Ignore leading whitespace */
421 if (!arg || !*arg || *arg == '#')
425 opcode = parse_token(arg, filename, linenum);
431 /* Portable-specific options */
432 case sPAMAuthenticationViaKbdInt:
433 intptr = &options->pam_authentication_via_kbd_int;
436 /* Standard Options */
438 /* ignore ports from configfile if cmdline specifies ports */
439 if (options->ports_from_cmdline)
441 if (options->listen_addrs != NULL)
442 fatal("%s line %d: ports must be specified before "
443 "ListenAdress.", filename, linenum);
444 if (options->num_ports >= MAX_PORTS)
445 fatal("%s line %d: too many ports.",
448 if (!arg || *arg == '\0')
449 fatal("%s line %d: missing port number.",
451 options->ports[options->num_ports++] = a2port(arg);
452 if (options->ports[options->num_ports-1] == 0)
453 fatal("%s line %d: Badly formatted port number.",
458 intptr = &options->server_key_bits;
461 if (!arg || *arg == '\0')
462 fatal("%s line %d: missing integer value.",
469 case sLoginGraceTime:
470 intptr = &options->login_grace_time;
473 if (!arg || *arg == '\0')
474 fatal("%s line %d: missing time value.",
476 if ((value = convtime(arg)) == -1)
477 fatal("%s line %d: invalid time value.",
483 case sKeyRegenerationTime:
484 intptr = &options->key_regeneration_time;
489 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
490 fatal("%s line %d: missing inet addr.",
493 if ((p = strchr(arg, ']')) == NULL)
494 fatal("%s line %d: bad ipv6 inet addr usage.",
497 memmove(p, p+1, strlen(p+1)+1);
498 } else if (((p = strchr(arg, ':')) == NULL) ||
499 (strchr(p+1, ':') != NULL)) {
500 add_listen_addr(options, arg, 0);
508 fatal("%s line %d: bad inet addr:port usage.",
512 if ((port = a2port(p)) == 0)
513 fatal("%s line %d: bad port number.",
515 add_listen_addr(options, arg, port);
517 } else if (*p == '\0')
518 add_listen_addr(options, arg, 0);
520 fatal("%s line %d: bad inet addr usage.",
525 intptr = &options->num_host_key_files;
526 if (*intptr >= MAX_HOSTKEYS)
527 fatal("%s line %d: too many host keys specified (max %d).",
528 filename, linenum, MAX_HOSTKEYS);
529 charptr = &options->host_key_files[*intptr];
532 if (!arg || *arg == '\0')
533 fatal("%s line %d: missing file name.",
535 if (*charptr == NULL) {
536 *charptr = tilde_expand_filename(arg, getuid());
537 /* increase optional counter */
539 *intptr = *intptr + 1;
544 charptr = &options->pid_file;
547 case sPermitRootLogin:
548 intptr = &options->permit_root_login;
550 if (!arg || *arg == '\0')
551 fatal("%s line %d: missing yes/"
552 "without-password/forced-commands-only/no "
553 "argument.", filename, linenum);
554 value = 0; /* silence compiler */
555 if (strcmp(arg, "without-password") == 0)
556 value = PERMIT_NO_PASSWD;
557 else if (strcmp(arg, "forced-commands-only") == 0)
558 value = PERMIT_FORCED_ONLY;
559 else if (strcmp(arg, "yes") == 0)
561 else if (strcmp(arg, "no") == 0)
564 fatal("%s line %d: Bad yes/"
565 "without-password/forced-commands-only/no "
566 "argument: %s", filename, linenum, arg);
572 intptr = &options->ignore_rhosts;
575 if (!arg || *arg == '\0')
576 fatal("%s line %d: missing yes/no argument.",
578 value = 0; /* silence compiler */
579 if (strcmp(arg, "yes") == 0)
581 else if (strcmp(arg, "no") == 0)
584 fatal("%s line %d: Bad yes/no argument: %s",
585 filename, linenum, arg);
590 case sIgnoreUserKnownHosts:
591 intptr = &options->ignore_user_known_hosts;
594 case sRhostsAuthentication:
595 intptr = &options->rhosts_authentication;
598 case sRhostsRSAAuthentication:
599 intptr = &options->rhosts_rsa_authentication;
602 case sHostbasedAuthentication:
603 intptr = &options->hostbased_authentication;
606 case sHostbasedUsesNameFromPacketOnly:
607 intptr = &options->hostbased_uses_name_from_packet_only;
610 case sRSAAuthentication:
611 intptr = &options->rsa_authentication;
614 case sPubkeyAuthentication:
615 intptr = &options->pubkey_authentication;
617 #if defined(KRB4) || defined(KRB5)
618 case sKerberosAuthentication:
619 intptr = &options->kerberos_authentication;
622 case sKerberosOrLocalPasswd:
623 intptr = &options->kerberos_or_local_passwd;
626 case sKerberosTicketCleanup:
627 intptr = &options->kerberos_ticket_cleanup;
630 #if defined(AFS) || defined(KRB5)
631 case sKerberosTgtPassing:
632 intptr = &options->kerberos_tgt_passing;
636 case sAFSTokenPassing:
637 intptr = &options->afs_token_passing;
641 case sPasswordAuthentication:
642 intptr = &options->password_authentication;
645 case sKbdInteractiveAuthentication:
646 intptr = &options->kbd_interactive_authentication;
649 case sChallengeResponseAuthentication:
650 intptr = &options->challenge_response_authentication;
654 intptr = &options->print_motd;
658 intptr = &options->print_lastlog;
662 intptr = &options->x11_forwarding;
665 case sX11DisplayOffset:
666 intptr = &options->x11_display_offset;
670 charptr = &options->xauth_location;
674 intptr = &options->strict_modes;
678 intptr = &options->keepalives;
682 intptr = &options->permit_empty_passwd;
686 intptr = &options->use_login;
690 intptr = &options->gateway_ports;
693 case sReverseMappingCheck:
694 intptr = &options->reverse_mapping_check;
698 intptr = (int *) &options->log_facility;
700 value = log_facility_number(arg);
701 if (value == (SyslogFacility) - 1)
702 fatal("%.200s line %d: unsupported log facility '%s'",
703 filename, linenum, arg ? arg : "<NONE>");
705 *intptr = (SyslogFacility) value;
709 intptr = (int *) &options->log_level;
711 value = log_level_number(arg);
712 if (value == (LogLevel) - 1)
713 fatal("%.200s line %d: unsupported log level '%s'",
714 filename, linenum, arg ? arg : "<NONE>");
716 *intptr = (LogLevel) value;
719 case sAllowTcpForwarding:
720 intptr = &options->allow_tcp_forwarding;
724 while ((arg = strdelim(&cp)) && *arg != '\0') {
725 if (options->num_allow_users >= MAX_ALLOW_USERS)
726 fatal("%s line %d: too many allow users.",
728 options->allow_users[options->num_allow_users++] = xstrdup(arg);
733 while ((arg = strdelim(&cp)) && *arg != '\0') {
734 if (options->num_deny_users >= MAX_DENY_USERS)
735 fatal( "%s line %d: too many deny users.",
737 options->deny_users[options->num_deny_users++] = xstrdup(arg);
742 while ((arg = strdelim(&cp)) && *arg != '\0') {
743 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
744 fatal("%s line %d: too many allow groups.",
746 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
751 while ((arg = strdelim(&cp)) && *arg != '\0') {
752 if (options->num_deny_groups >= MAX_DENY_GROUPS)
753 fatal("%s line %d: too many deny groups.",
755 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
761 if (!arg || *arg == '\0')
762 fatal("%s line %d: Missing argument.", filename, linenum);
763 if (!ciphers_valid(arg))
764 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
765 filename, linenum, arg ? arg : "<NONE>");
766 if (options->ciphers == NULL)
767 options->ciphers = xstrdup(arg);
772 if (!arg || *arg == '\0')
773 fatal("%s line %d: Missing argument.", filename, linenum);
775 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
776 filename, linenum, arg ? arg : "<NONE>");
777 if (options->macs == NULL)
778 options->macs = xstrdup(arg);
782 intptr = &options->protocol;
784 if (!arg || *arg == '\0')
785 fatal("%s line %d: Missing argument.", filename, linenum);
786 value = proto_spec(arg);
787 if (value == SSH_PROTO_UNKNOWN)
788 fatal("%s line %d: Bad protocol spec '%s'.",
789 filename, linenum, arg ? arg : "<NONE>");
790 if (*intptr == SSH_PROTO_UNKNOWN)
795 if(options->num_subsystems >= MAX_SUBSYSTEMS) {
796 fatal("%s line %d: too many subsystems defined.",
800 if (!arg || *arg == '\0')
801 fatal("%s line %d: Missing subsystem name.",
803 for (i = 0; i < options->num_subsystems; i++)
804 if(strcmp(arg, options->subsystem_name[i]) == 0)
805 fatal("%s line %d: Subsystem '%s' already defined.",
806 filename, linenum, arg);
807 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
809 if (!arg || *arg == '\0')
810 fatal("%s line %d: Missing subsystem command.",
812 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
813 options->num_subsystems++;
818 if (!arg || *arg == '\0')
819 fatal("%s line %d: Missing MaxStartups spec.",
821 if ((n = sscanf(arg, "%d:%d:%d",
822 &options->max_startups_begin,
823 &options->max_startups_rate,
824 &options->max_startups)) == 3) {
825 if (options->max_startups_begin >
826 options->max_startups ||
827 options->max_startups_rate > 100 ||
828 options->max_startups_rate < 1)
829 fatal("%s line %d: Illegal MaxStartups spec.",
832 fatal("%s line %d: Illegal MaxStartups spec.",
835 options->max_startups = options->max_startups_begin;
839 charptr = &options->banner;
842 * These options can contain %X options expanded at
843 * connect time, so that you can specify paths like:
845 * AuthorizedKeysFile /etc/ssh_keys/%u
847 case sAuthorizedKeysFile:
848 case sAuthorizedKeysFile2:
849 charptr = (opcode == sAuthorizedKeysFile ) ?
850 &options->authorized_keys_file :
851 &options->authorized_keys_file2;
854 case sClientAliveInterval:
855 intptr = &options->client_alive_interval;
858 case sClientAliveCountMax:
859 intptr = &options->client_alive_count_max;
863 log("%s line %d: Deprecated option %s",
864 filename, linenum, arg);
870 fatal("%s line %d: Missing handler for opcode %s (%d)",
871 filename, linenum, arg, opcode);
873 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
874 fatal("%s line %d: garbage at end of line; \"%.200s\".",
875 filename, linenum, arg);
879 fatal("%s: terminating, %d bad configuration options",
880 filename, bad_options);