1 /* $OpenBSD: readconf.c,v 1.164 2007/12/31 10:41:31 dtucker Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
46 /* Format of the configuration file:
48 # Configuration data is parsed as follows:
49 # 1. command line options
50 # 2. user-specific file
52 # Any configuration value is only changed the first time it is set.
53 # Thus, host-specific definitions should be at the beginning of the
54 # configuration file, and defaults at the end.
56 # Host-specific declarations. These may override anything above. A single
57 # host may match multiple declarations; these are processed in the order
58 # that they are given in.
64 HostName another.host.name.real.org
71 RemoteForward 9999 shadows.cs.hut.fi:9999
77 PasswordAuthentication no
81 ProxyCommand ssh-proxy %h %p
84 PublicKeyAuthentication no
88 PasswordAuthentication no
94 # Defaults for various options
98 PasswordAuthentication yes
100 RhostsRSAAuthentication yes
101 StrictHostKeyChecking yes
103 IdentityFile ~/.ssh/identity
109 /* Keyword tokens. */
/*
 * Option opcodes. parse_token() maps a configuration keyword to one of
 * these and the switch in process_config_line() dispatches on them.
 * oDeprecated and oUnsupported are catch-alls: a deprecated keyword is
 * accepted and logged at debug level, an unsupported one is reported with
 * error() (see the tail of process_config_line()).
 */
113 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
114 oExitOnForwardFailure,
115 oPasswordAuthentication, oRSAAuthentication,
116 oChallengeResponseAuthentication, oXAuthLocation,
117 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
118 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
119 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
120 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
121 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
122 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
123 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
124 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
125 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
126 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
127 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
129 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
130 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
131 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
132 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
/* catch-alls for keywords that are recognised but not acted on */
133 oDeprecated, oUnsupported
136 /* Textual representations of the tokens. */
/*
 * Keyword table consulted by parse_token(). Names are stored in lower
 * case and matched with strcasecmp(), so any capitalisation in a config
 * file works. Several entries are aliases or obsolete spellings that map
 * onto the opcode of the current keyword; names that are no longer
 * honoured map to oDeprecated (ignored) or oUnsupported (reported).
 */
142 { "forwardagent", oForwardAgent },
143 { "forwardx11", oForwardX11 },
144 { "forwardx11trusted", oForwardX11Trusted },
145 { "exitonforwardfailure", oExitOnForwardFailure },
146 { "xauthlocation", oXAuthLocation },
147 { "gatewayports", oGatewayPorts },
148 { "useprivilegedport", oUsePrivilegedPort },
149 { "rhostsauthentication", oDeprecated },
150 { "passwordauthentication", oPasswordAuthentication },
151 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
152 { "kbdinteractivedevices", oKbdInteractiveDevices },
153 { "rsaauthentication", oRSAAuthentication },
154 { "pubkeyauthentication", oPubkeyAuthentication },
155 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
156 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
157 { "hostbasedauthentication", oHostbasedAuthentication },
158 { "challengeresponseauthentication", oChallengeResponseAuthentication },
159 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
160 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
161 { "kerberosauthentication", oUnsupported },
162 { "kerberostgtpassing", oUnsupported },
163 { "afstokenpassing", oUnsupported },
/*
 * NOTE(review): the two "gssapi*" pairs that follow, and the two
 * "smartcarddevice" entries further down, map the same keyword both to a
 * real opcode and to oUnsupported. parse_token() returns the first match,
 * so only one entry of each pair can be meant to be compiled in --
 * presumably they sit under a build-time #ifdef whose directive lines are
 * not visible here; confirm.
 */
165 { "gssapiauthentication", oGssAuthentication },
166 { "gssapidelegatecredentials", oGssDelegateCreds },
168 { "gssapiauthentication", oUnsupported },
169 { "gssapidelegatecredentials", oUnsupported },
171 { "fallbacktorsh", oDeprecated },
172 { "usersh", oDeprecated },
173 { "identityfile", oIdentityFile },
174 { "identityfile2", oIdentityFile }, /* alias */
175 { "identitiesonly", oIdentitiesOnly },
176 { "hostname", oHostName },
177 { "hostkeyalias", oHostKeyAlias },
178 { "proxycommand", oProxyCommand },
180 { "cipher", oCipher },
181 { "ciphers", oCiphers },
183 { "protocol", oProtocol },
184 { "remoteforward", oRemoteForward },
185 { "localforward", oLocalForward },
188 { "escapechar", oEscapeChar },
189 { "globalknownhostsfile", oGlobalKnownHostsFile },
190 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
191 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
192 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
193 { "connectionattempts", oConnectionAttempts },
194 { "batchmode", oBatchMode },
195 { "checkhostip", oCheckHostIP },
196 { "stricthostkeychecking", oStrictHostKeyChecking },
197 { "compression", oCompression },
198 { "compressionlevel", oCompressionLevel },
199 { "tcpkeepalive", oTCPKeepAlive },
200 { "keepalive", oTCPKeepAlive }, /* obsolete */
201 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
202 { "loglevel", oLogLevel },
203 { "dynamicforward", oDynamicForward },
204 { "preferredauthentications", oPreferredAuthentications },
205 { "hostkeyalgorithms", oHostKeyAlgorithms },
206 { "bindaddress", oBindAddress },
/* see the note above about duplicated keyword entries */
208 { "smartcarddevice", oSmartcardDevice },
210 { "smartcarddevice", oUnsupported },
212 { "clearallforwardings", oClearAllForwardings },
213 { "enablesshkeysign", oEnableSSHKeysign },
214 { "verifyhostkeydns", oVerifyHostKeyDNS },
215 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
216 { "rekeylimit", oRekeyLimit },
217 { "connecttimeout", oConnectTimeout },
218 { "addressfamily", oAddressFamily },
219 { "serveraliveinterval", oServerAliveInterval },
220 { "serveralivecountmax", oServerAliveCountMax },
221 { "sendenv", oSendEnv },
222 { "controlpath", oControlPath },
223 { "controlmaster", oControlMaster },
224 { "hashknownhosts", oHashKnownHosts },
225 { "tunnel", oTunnel },
226 { "tunneldevice", oTunnelDevice },
227 { "localcommand", oLocalCommand },
228 { "permitlocalcommand", oPermitLocalCommand },
233 * Adds a local TCP/IP port forward to options. Never returns if there is an error.
/*
 * Copies *newfwd into the next free slot of options->local_forwards.
 * Failures are fatal() rather than returned to the caller: a listen port
 * below IPPORT_RESERVED is refused unless the process's original real uid
 * (presumably the uid it was started with, so a set-uid ssh does not
 * count) is root, and the per-direction forward limit is enforced before
 * the slot index is consumed. The host strings are duplicated with
 * xstrdup(); options owns the copies and clear_forwardings() releases
 * them. The caller keeps ownership of *newfwd.
 */
238 add_local_forward(Options *options, const Forward *newfwd)
/* Platforms without a privileged-port concept skip this check entirely. */
241 #ifndef NO_IPPORT_RESERVED_CONCEPT
242 extern uid_t original_real_uid;
243 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
244 fatal("Privileged ports can only be forwarded by root.");
246 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
247 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
248 fwd = &options->local_forwards[options->num_local_forwards++];
/* listen_host may be NULL (no explicit bind address); keep the NULL rather than copying it. */
250 fwd->listen_host = (newfwd->listen_host == NULL) ?
251 NULL : xstrdup(newfwd->listen_host);
252 fwd->listen_port = newfwd->listen_port;
253 fwd->connect_host = xstrdup(newfwd->connect_host);
254 fwd->connect_port = newfwd->connect_port;
258 * Adds a remote TCP/IP port forward to options. Never returns if there is an error.
/*
 * Copies *newfwd into the next free slot of options->remote_forwards,
 * calling fatal() when the per-direction limit is already reached. Unlike
 * add_local_forward() there is no privileged-port check here: for a
 * remote forward the listening socket is opened by the server side, which
 * presumably applies its own policy -- confirm. Strings are duplicated with
 * xstrdup(); options owns the copies and clear_forwardings() frees them.
 */
263 add_remote_forward(Options *options, const Forward *newfwd)
266 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
267 fatal("Too many remote forwards (max %d).",
268 SSH_MAX_FORWARDS_PER_DIRECTION);
269 fwd = &options->remote_forwards[options->num_remote_forwards++];
/* listen_host may be NULL; the NULL is preserved, not copied. */
271 fwd->listen_host = (newfwd->listen_host == NULL) ?
272 NULL : xstrdup(newfwd->listen_host);
273 fwd->listen_port = newfwd->listen_port;
274 fwd->connect_host = xstrdup(newfwd->connect_host);
275 fwd->connect_port = newfwd->connect_port;
/*
 * Discards every local and remote forward stored in options, freeing the
 * strings that add_local_forward()/add_remote_forward() duplicated, and
 * also switches tunnelling off. fill_default_options() calls this when
 * ClearAllForwardings is in effect. connect_host is always allocated by
 * the add_* functions; listen_host may be NULL, hence the guard.
 */
279 clear_forwardings(Options *options)
283 for (i = 0; i < options->num_local_forwards; i++) {
284 if (options->local_forwards[i].listen_host != NULL)
285 xfree(options->local_forwards[i].listen_host);
286 xfree(options->local_forwards[i].connect_host);
288 options->num_local_forwards = 0;
289 for (i = 0; i < options->num_remote_forwards; i++) {
290 if (options->remote_forwards[i].listen_host != NULL)
291 xfree(options->remote_forwards[i].listen_host);
292 xfree(options->remote_forwards[i].connect_host);
294 options->num_remote_forwards = 0;
/* Tunnel devices are treated as a forwarding too and are reset with them. */
295 options->tun_open = SSH_TUNMODE_NO;
299 * Returns the number of the token pointed to by cp or oBadOption.
/*
 * Case-insensitive lookup of cp in keywords[], whose terminating entry has
 * a NULL name. An unknown keyword is logged with error(), with filename
 * and linenum for context, and -- per the comment above -- oBadOption is
 * returned so that the caller can count it rather than abort immediately.
 */
303 parse_token(const char *cp, const char *filename, int linenum)
307 for (i = 0; keywords[i].name; i++)
308 if (strcasecmp(cp, keywords[i].name) == 0)
309 return keywords[i].opcode;
311 error("%s: line %d: Bad configuration option: %s",
312 filename, linenum, cp);
317 * Processes a single option line as used in the configuration files. This
318 * only sets those values that have not already been set.
320 #define WHITESPACE " \t\r\n"
/*
 * Parses one configuration line into *options.
 *
 * options  - option block being filled. A field is only written while
 *            *activep is set AND the field still holds the sentinel that
 *            initialize_options() gave it (-1, NULL, SSH_PROTO_UNKNOWN,
 *            SYSLOG_LEVEL_NOT_SET), so the first definition of an option
 *            wins, whichever source it came from.
 * host     - the host being connected to; a "Host" line turns *activep on
 *            or off according to whether one of its patterns matches it.
 * line     - the raw line. It is modified in place: trailing whitespace is
 *            stripped and strdelim() tokenises it.
 * filename,
 * linenum  - used for diagnostics only.
 * activep  - pointer to the "inside a matching Host block" flag.
 *
 * Nearly every malformed value is fatal(). The one soft failure is an
 * unknown keyword, which read_config_file() counts via a non-zero return.
 */
323 process_config_line(Options *options, const char *host,
324 char *line, const char *filename, int linenum,
327 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
328 int opcode, *intptr, value, value2, scale;
329 LogLevel *log_level_ptr;
330 long long orig, val64;
334 /* Strip trailing whitespace */
/*
 * NOTE(review): len's declaration is not visible here. If it is unsigned
 * (size_t), strlen(line) - 1 wraps for an empty line and line[len] then
 * reads out of bounds. fgets() in read_config_file() never yields "",
 * but any other caller must not either -- confirm, and consider an
 * explicit `if (strlen(line) == 0) return 0;` ahead of this loop.
 */
335 for (len = strlen(line) - 1; len > 0; len--) {
336 if (strchr(WHITESPACE, line[len]) == NULL)
342 /* Get the keyword. (Each line is supposed to begin with a keyword). */
343 if ((keyword = strdelim(&s)) == NULL)
345 /* Ignore leading whitespace. */
346 if (*keyword == '\0')
347 keyword = strdelim(&s);
/* Blank lines and '#' comments are silently ignored. */
348 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
351 opcode = parse_token(keyword, filename, linenum);
/* parse_token() has already logged the bad keyword; counting it lets the
 * whole file be reported on before read_config_file() gives up. */
355 /* don't panic, but count bad options */
358 case oConnectTimeout:
359 intptr = &options->connection_timeout;
/* convtime() is assumed to return -1 for an unparsable duration. */
362 if (!arg || *arg == '\0')
363 fatal("%s line %d: missing time value.",
365 if ((value = convtime(arg)) == -1)
366 fatal("%s line %d: invalid time value.",
368 if (*activep && *intptr == -1)
/*
 * Shared yes/no parser. The flag cases that follow only set intptr and
 * then reuse the code below (presumably via a label that is not visible
 * here); "true"/"false" are accepted as synonyms.
 */
373 intptr = &options->forward_agent;
376 if (!arg || *arg == '\0')
377 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
378 value = 0; /* To avoid compiler warning... */
379 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
381 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
384 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
385 if (*activep && *intptr == -1)
390 intptr = &options->forward_x11;
393 case oForwardX11Trusted:
394 intptr = &options->forward_x11_trusted;
398 intptr = &options->gateway_ports;
401 case oExitOnForwardFailure:
402 intptr = &options->exit_on_forward_failure;
405 case oUsePrivilegedPort:
406 intptr = &options->use_privileged_port;
409 case oPasswordAuthentication:
410 intptr = &options->password_authentication;
413 case oKbdInteractiveAuthentication:
414 intptr = &options->kbd_interactive_authentication;
417 case oKbdInteractiveDevices:
418 charptr = &options->kbd_interactive_devices;
421 case oPubkeyAuthentication:
422 intptr = &options->pubkey_authentication;
425 case oRSAAuthentication:
426 intptr = &options->rsa_authentication;
429 case oRhostsRSAAuthentication:
430 intptr = &options->rhosts_rsa_authentication;
433 case oHostbasedAuthentication:
434 intptr = &options->hostbased_authentication;
437 case oChallengeResponseAuthentication:
438 intptr = &options->challenge_response_authentication;
441 case oGssAuthentication:
442 intptr = &options->gss_authentication;
445 case oGssDelegateCreds:
446 intptr = &options->gss_deleg_creds;
450 intptr = &options->batch_mode;
454 intptr = &options->check_host_ip;
457 case oVerifyHostKeyDNS:
458 intptr = &options->verify_host_key_dns;
/*
 * StrictHostKeyChecking is three-valued: yes/no plus "ask". The value
 * assignments are not visible here; fill_default_options() documents the
 * third state as 2 -- confirm that "ask" maps to it.
 */
461 case oStrictHostKeyChecking:
462 intptr = &options->strict_host_key_checking;
465 if (!arg || *arg == '\0')
466 fatal("%.200s line %d: Missing yes/no/ask argument.",
468 value = 0; /* To avoid compiler warning... */
469 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
471 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
473 else if (strcmp(arg, "ask") == 0)
476 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
477 if (*activep && *intptr == -1)
482 intptr = &options->compression;
486 intptr = &options->tcp_keep_alive;
489 case oNoHostAuthenticationForLocalhost:
490 intptr = &options->no_host_authentication_for_localhost;
493 case oNumberOfPasswordPrompts:
494 intptr = &options->number_of_password_prompts;
497 case oCompressionLevel:
498 intptr = &options->compression_level;
/*
 * RekeyLimit: a decimal count with an optional size suffix handled by
 * the switch below (its cases are not shown), scaled into val64. The
 * leading-digit test rejects a sign, strtoll() must consume at least one
 * character, and the divide-back check catches multiplication wrap before
 * the value is narrowed to int.
 */
502 intptr = &options->rekey_limit;
504 if (!arg || *arg == '\0')
505 fatal("%.200s line %d: Missing argument.", filename, linenum);
506 if (arg[0] < '0' || arg[0] > '9')
507 fatal("%.200s line %d: Bad number.", filename, linenum);
508 orig = val64 = strtoll(arg, &endofnumber, 10);
509 if (arg == endofnumber)
510 fatal("%.200s line %d: Bad number.", filename, linenum);
511 switch (toupper(*endofnumber)) {
525 fatal("%.200s line %d: Invalid RekeyLimit suffix",
529 /* detect integer wrap and too-large limits */
530 if ((val64 / scale) != orig || val64 > INT_MAX)
531 fatal("%.200s line %d: RekeyLimit too large",
534 fatal("%.200s line %d: RekeyLimit too small",
536 if (*activep && *intptr == -1)
537 *intptr = (int)val64;
/*
 * IdentityFile accumulates rather than first-wins: every line appends a
 * slot, up to SSH_MAX_IDENTITY_FILES. NOTE(review): the *activep guard for
 * this case is presumably on an enclosing if that is not visible --
 * confirm, otherwise identities from non-matching Host blocks would be
 * loaded too.
 */
542 if (!arg || *arg == '\0')
543 fatal("%.200s line %d: Missing argument.", filename, linenum);
545 intptr = &options->num_identity_files;
546 if (*intptr >= SSH_MAX_IDENTITY_FILES)
547 fatal("%.200s line %d: Too many identity files specified (max %d).",
548 filename, linenum, SSH_MAX_IDENTITY_FILES);
549 charptr = &options->identity_files[*intptr];
550 *charptr = xstrdup(arg);
551 *intptr = *intptr + 1;
556 charptr=&options->xauth_location;
/*
 * Shared single-token string parser: the string cases only set charptr
 * and then fall into this code. First definition wins; the copy is owned
 * by options and is not freed in this file.
 */
560 charptr = &options->user;
563 if (!arg || *arg == '\0')
564 fatal("%.200s line %d: Missing argument.", filename, linenum);
565 if (*activep && *charptr == NULL)
566 *charptr = xstrdup(arg);
569 case oGlobalKnownHostsFile:
570 charptr = &options->system_hostfile;
573 case oUserKnownHostsFile:
574 charptr = &options->user_hostfile;
577 case oGlobalKnownHostsFile2:
578 charptr = &options->system_hostfile2;
581 case oUserKnownHostsFile2:
582 charptr = &options->user_hostfile2;
586 charptr = &options->hostname;
590 charptr = &options->host_key_alias;
593 case oPreferredAuthentications:
594 charptr = &options->preferred_authentications;
598 charptr = &options->bind_address;
601 case oSmartcardDevice:
602 charptr = &options->smartcard_device;
/*
 * ProxyCommand takes the whole remainder of the line (the command has
 * arguments), skipping leading blanks and an optional '='. The value is a
 * command line ssh will run on the client (see the "%h %p" example at the
 * top of the file), so whoever can write the config file chooses what is
 * executed -- the owner/permission check in read_config_file() is the
 * defence against that.
 */
606 charptr = &options->proxy_command;
609 fatal("%.200s line %d: Missing argument.", filename, linenum);
610 len = strspn(s, WHITESPACE "=");
611 if (*activep && *charptr == NULL)
612 *charptr = xstrdup(s + len);
/*
 * Shared integer parser (Port sets intptr here; the later numeric cases
 * set intptr and reuse it). Base 0 means 0x.. hex and leading-0 octal are
 * accepted. The leading-digit test rejects a sign. NOTE(review): no range
 * check is applied here, so e.g. a Port above 65535 is stored as given --
 * confirm where, if anywhere, that is validated.
 */
616 intptr = &options->port;
619 if (!arg || *arg == '\0')
620 fatal("%.200s line %d: Missing argument.", filename, linenum);
621 if (arg[0] < '0' || arg[0] > '9')
622 fatal("%.200s line %d: Bad number.", filename, linenum);
624 /* Octal, decimal, or hex format? */
625 value = strtol(arg, &endofnumber, 0);
626 if (arg == endofnumber)
627 fatal("%.200s line %d: Bad number.", filename, linenum);
628 if (*activep && *intptr == -1)
632 case oConnectionAttempts:
633 intptr = &options->connection_attempts;
/* Protocol-1 cipher: name to number via cipher_number(); the rejection test is not shown. */
637 intptr = &options->cipher;
639 if (!arg || *arg == '\0')
640 fatal("%.200s line %d: Missing argument.", filename, linenum);
641 value = cipher_number(arg);
643 fatal("%.200s line %d: Bad cipher '%s'.",
644 filename, linenum, arg ? arg : "<NONE>");
645 if (*activep && *intptr == -1)
/*
 * Ciphers / MACs / HostKeyAlgorithms: each list is validated before it is
 * stored, so a bad algorithm name fails at parse time rather than during
 * key exchange. These three write their field directly instead of going
 * through charptr.
 */
651 if (!arg || *arg == '\0')
652 fatal("%.200s line %d: Missing argument.", filename, linenum);
653 if (!ciphers_valid(arg))
654 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
655 filename, linenum, arg ? arg : "<NONE>");
656 if (*activep && options->ciphers == NULL)
657 options->ciphers = xstrdup(arg);
662 if (!arg || *arg == '\0')
663 fatal("%.200s line %d: Missing argument.", filename, linenum);
665 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
666 filename, linenum, arg ? arg : "<NONE>");
667 if (*activep && options->macs == NULL)
668 options->macs = xstrdup(arg);
671 case oHostKeyAlgorithms:
673 if (!arg || *arg == '\0')
674 fatal("%.200s line %d: Missing argument.", filename, linenum);
675 if (!key_names_valid2(arg))
676 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
677 filename, linenum, arg ? arg : "<NONE>");
678 if (*activep && options->hostkeyalgorithms == NULL)
679 options->hostkeyalgorithms = xstrdup(arg);
/* Protocol is a bit set; SSH_PROTO_UNKNOWN doubles as the "not set" sentinel. */
683 intptr = &options->protocol;
685 if (!arg || *arg == '\0')
686 fatal("%.200s line %d: Missing argument.", filename, linenum);
687 value = proto_spec(arg);
688 if (value == SSH_PROTO_UNKNOWN)
689 fatal("%.200s line %d: Bad protocol spec '%s'.",
690 filename, linenum, arg ? arg : "<NONE>");
691 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
696 log_level_ptr = &options->log_level;
698 value = log_level_number(arg);
699 if (value == SYSLOG_LEVEL_NOT_SET)
700 fatal("%.200s line %d: unsupported log level '%s'",
701 filename, linenum, arg ? arg : "<NONE>");
702 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
703 *log_level_ptr = (LogLevel) value;
/*
 * LocalForward / RemoteForward: the two tokens are joined back into
 * "port:target" for parse_forward(). NOTE(review): fwdarg is 256 bytes
 * and the snprintf() return value is ignored, so an over-long
 * specification is parsed truncated instead of being rejected outright;
 * checking for `>= sizeof(fwdarg)` and calling fatal() would make the
 * failure explicit.
 */
709 if (arg == NULL || *arg == '\0')
710 fatal("%.200s line %d: Missing port argument.",
713 if (arg2 == NULL || *arg2 == '\0')
714 fatal("%.200s line %d: Missing target argument.",
717 /* construct a string for parse_forward */
718 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
720 if (parse_forward(&fwd, fwdarg) == 0)
721 fatal("%.200s line %d: Bad forwarding specification.",
/* Both add_* functions copy the strings, so fwd's own allocations are released below (not shown). */
725 if (opcode == oLocalForward)
726 add_local_forward(options, &fwd);
727 else if (opcode == oRemoteForward)
728 add_remote_forward(options, &fwd);
/*
 * DynamicForward takes "[bind_address:]port". fwd's strings point into
 * arg or at a literal, never at heap memory: add_local_forward() makes
 * its own copies. The "socks" connect_host presumably marks the forward
 * as dynamic for the code that services it -- confirm. The host part is
 * length-limited to NI_MAXHOST before cleanhostname() sees it.
 */
732 case oDynamicForward:
734 if (!arg || *arg == '\0')
735 fatal("%.200s line %d: Missing port argument.",
737 memset(&fwd, '\0', sizeof(fwd));
738 fwd.connect_host = "socks";
739 fwd.listen_host = hpdelim(&arg);
740 if (fwd.listen_host == NULL ||
741 strlen(fwd.listen_host) >= NI_MAXHOST)
742 fatal("%.200s line %d: Bad forwarding specification.",
/* "host:port" form: a port remains in arg ... */
745 fwd.listen_port = a2port(arg);
746 fwd.listen_host = cleanhostname(fwd.listen_host);
/* ... bare "port" form: what hpdelim() returned was the port itself. */
748 fwd.listen_port = a2port(fwd.listen_host);
749 fwd.listen_host = NULL;
751 if (fwd.listen_port == 0)
752 fatal("%.200s line %d: Badly formatted port number.",
755 add_local_forward(options, &fwd);
758 case oClearAllForwardings:
759 intptr = &options->clear_forwardings;
/*
 * Host: every remaining token is a pattern; *activep becomes whether any
 * of them matches host (the assignment itself is not shown). The line is
 * fully consumed here, so the trailing-garbage check is skipped.
 */
764 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
765 if (match_pattern(host, arg)) {
766 debug("Applying options for %.100s", arg);
770 /* Avoid garbage check below, as strdelim is done. */
/*
 * EscapeChar: "^X" (X in the range '@'..DEL) becomes the control
 * character X & 31, a single character is taken literally, "none"
 * disables escapes. NOTE(review): arg[2] is read before arg[1] is known
 * to be non-NUL, so a bare "^" looks one byte past the token; testing
 * `arg[1] != '\0' && arg[2] == '\0'` would avoid that.
 */
774 intptr = &options->escape_char;
776 if (!arg || *arg == '\0')
777 fatal("%.200s line %d: Missing argument.", filename, linenum);
778 if (arg[0] == '^' && arg[2] == 0 &&
779 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
780 value = (u_char) arg[1] & 31;
781 else if (strlen(arg) == 1)
782 value = (u_char) arg[0];
783 else if (strcmp(arg, "none") == 0)
784 value = SSH_ESCAPECHAR_NONE;
786 fatal("%.200s line %d: Bad escape character.",
789 value = 0; /* Avoid compiler warning. */
791 if (*activep && *intptr == -1)
/*
 * AddressFamily: inet / inet6 / any (case-insensitive). Style: the
 * fatal() for a bad value omits the "file line N" prefix every other
 * diagnostic here carries and prints arg unbounded;
 * `fatal("%.200s line %d: Unsupported AddressFamily \"%s\"", filename, linenum, arg);`
 * would match the rest.
 */
797 if (!arg || *arg == '\0')
798 fatal("%s line %d: missing address family.",
800 intptr = &options->address_family;
801 if (strcasecmp(arg, "inet") == 0)
803 else if (strcasecmp(arg, "inet6") == 0)
805 else if (strcasecmp(arg, "any") == 0)
808 fatal("Unsupported AddressFamily \"%s\"", arg);
809 if (*activep && *intptr == -1)
813 case oEnableSSHKeysign:
814 intptr = &options->enable_ssh_keysign;
817 case oIdentitiesOnly:
818 intptr = &options->identities_only;
821 case oServerAliveInterval:
822 intptr = &options->server_alive_interval;
825 case oServerAliveCountMax:
826 intptr = &options->server_alive_count_max;
/*
 * SendEnv: each token names an environment variable to forward. A name
 * containing '=' is rejected, so the config file can only choose which
 * variables are sent, never smuggle a value. Bounded by MAX_SEND_ENV.
 */
830 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
831 if (strchr(arg, '=') != NULL)
832 fatal("%s line %d: Invalid environment name.",
836 if (options->num_send_env >= MAX_SEND_ENV)
837 fatal("%s line %d: too many send env.",
839 options->send_env[options->num_send_env++] =
845 charptr = &options->control_path;
/* ControlMaster: five-valued enum, matched case-sensitively unlike Tunnel below. */
849 intptr = &options->control_master;
851 if (!arg || *arg == '\0')
852 fatal("%.200s line %d: Missing ControlMaster argument.",
854 value = 0; /* To avoid compiler warning... */
855 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
856 value = SSHCTL_MASTER_YES;
857 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
858 value = SSHCTL_MASTER_NO;
859 else if (strcmp(arg, "auto") == 0)
860 value = SSHCTL_MASTER_AUTO;
861 else if (strcmp(arg, "ask") == 0)
862 value = SSHCTL_MASTER_ASK;
863 else if (strcmp(arg, "autoask") == 0)
864 value = SSHCTL_MASTER_AUTO_ASK;
866 fatal("%.200s line %d: Bad ControlMaster argument.",
868 if (*activep && *intptr == -1)
872 case oHashKnownHosts:
873 intptr = &options->hash_known_hosts;
/* Tunnel: yes / no / point-to-point / ethernet, case-insensitive. */
877 intptr = &options->tun_open;
879 if (!arg || *arg == '\0')
880 fatal("%s line %d: Missing yes/point-to-point/"
881 "ethernet/no argument.", filename, linenum);
882 value = 0; /* silence compiler */
883 if (strcasecmp(arg, "ethernet") == 0)
884 value = SSH_TUNMODE_ETHERNET;
885 else if (strcasecmp(arg, "point-to-point") == 0)
886 value = SSH_TUNMODE_POINTOPOINT;
887 else if (strcasecmp(arg, "yes") == 0)
888 value = SSH_TUNMODE_DEFAULT;
889 else if (strcasecmp(arg, "no") == 0)
890 value = SSH_TUNMODE_NO;
892 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
893 "no argument: %s", filename, linenum, arg);
/* TunnelDevice: a2tun() yields the local unit and stores the remote one via value2. */
900 if (!arg || *arg == '\0')
901 fatal("%.200s line %d: Missing argument.", filename, linenum);
902 value = a2tun(arg, &value2);
903 if (value == SSH_TUNID_ERR)
904 fatal("%.200s line %d: Bad tun device.", filename, linenum);
/* presumably guarded by *activep on a line not shown -- confirm */
906 options->tun_local = value;
907 options->tun_remote = value2;
912 charptr = &options->local_command;
915 case oPermitLocalCommand:
916 intptr = &options->permit_local_command;
/* Deprecated keywords are ignored quietly; unsupported ones are reported but do not abort. */
920 debug("%s line %d: Deprecated option \"%s\"",
921 filename, linenum, keyword);
925 error("%s line %d: Unsupported option \"%s\"",
926 filename, linenum, keyword);
/* Reached only if keywords[] names an opcode the switch does not handle: a programming error. */
930 fatal("process_config_line: Unimplemented opcode %d", opcode);
933 /* Check that there is no garbage at end of line. */
934 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
935 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
936 filename, linenum, arg);
943 * Reads the config file and modifies the options accordingly. Options
944 * should already be initialized before this call. This never returns if
945 * there is an error. If the file does not exist, this returns 0.
/*
 * Reads filename line by line and feeds each line to process_config_line().
 *
 * filename - configuration file; per the comment above, a file that cannot
 *            be opened is not an error (returns 0).
 * host     - passed through for "Host" pattern matching.
 * options  - filled in place; values already set are left alone.
 * The signature continues on a line not shown here; presumably that is
 * where the switch controlling the ownership/permission check lives --
 * confirm.
 *
 * Permission problems and any bad option are fatal(); the bad-option
 * total is reported only after the whole file has been read, so a user
 * sees every typo at once.
 */
949 read_config_file(const char *filename, const char *host, Options *options,
958 if ((f = fopen(filename, "r")) == NULL)
/*
 * The owner/mode check uses fstat() on the descriptor just opened, not
 * stat() on the path, so it cannot be raced between check and use. The
 * file must be owned by root or by the real uid, and must not be group-
 * or world-writable: the file can name commands for ssh to run
 * (ProxyCommand, LocalCommand), so anyone able to write it controls what
 * the client executes.
 */
964 if (fstat(fileno(f), &sb) == -1)
965 fatal("fstat %s: %s", filename, strerror(errno));
966 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
967 (sb.st_mode & 022) != 0))
968 fatal("Bad owner or permissions on %s", filename);
971 debug("Reading configuration data %.200s", filename);
974 * Mark that we are now processing the options. This flag is turned
975 * on/off by Host specifications.
/*
 * NOTE(review): fgets() returns at most sizeof(line) - 1 bytes per call
 * (line is declared above, out of view), so a physical line longer than
 * the buffer is handed to process_config_line() as two lines -- the tail
 * will usually be reported as a bad keyword rather than as an over-long
 * line. Confirm the buffer size is comfortably above any legitimate line.
 */
979 while (fgets(line, sizeof(line), f)) {
980 /* Update line number counter. */
982 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
/* Deferred until after the loop so every bad option has been logged. */
987 fatal("%s: terminating, %d bad configuration options",
988 filename, bad_options);
993 * Initializes options to special values that indicate that they have not yet
994 * been set. Read_config_file will only set options with this value. Options
995 * are processed in the following order: command line, user config file,
996 * system config file. Last, fill_default_options is called.
/*
 * Sets every field of *options to its "not yet set" sentinel: -1 for
 * integers and flags, NULL for strings, SSH_PROTO_UNKNOWN for the
 * protocol bit set, SYSLOG_LEVEL_NOT_SET for the log level, and 0 for
 * the list counters. process_config_line() only writes a field that
 * still holds its sentinel and fill_default_options() replaces whatever
 * sentinels remain.
 */
1000 initialize_options(Options * options)
/*
 * Poison the whole struct first, presumably so that a field forgotten in
 * the list below shows up as obvious 'X' garbage rather than as a
 * plausible zero.
 */
1002 memset(options, 'X', sizeof(*options));
1003 options->forward_agent = -1;
1004 options->forward_x11 = -1;
1005 options->forward_x11_trusted = -1;
1006 options->exit_on_forward_failure = -1;
1007 options->xauth_location = NULL;
1008 options->gateway_ports = -1;
1009 options->use_privileged_port = -1;
1010 options->rsa_authentication = -1;
1011 options->pubkey_authentication = -1;
1012 options->challenge_response_authentication = -1;
1013 options->gss_authentication = -1;
1014 options->gss_deleg_creds = -1;
1015 options->password_authentication = -1;
1016 options->kbd_interactive_authentication = -1;
1017 options->kbd_interactive_devices = NULL;
1018 options->rhosts_rsa_authentication = -1;
1019 options->hostbased_authentication = -1;
1020 options->batch_mode = -1;
1021 options->check_host_ip = -1;
1022 options->strict_host_key_checking = -1;
1023 options->compression = -1;
1024 options->tcp_keep_alive = -1;
1025 options->compression_level = -1;
1027 options->address_family = -1;
1028 options->connection_attempts = -1;
1029 options->connection_timeout = -1;
1030 options->number_of_password_prompts = -1;
1031 options->cipher = -1;
1032 options->ciphers = NULL;
1033 options->macs = NULL;
1034 options->hostkeyalgorithms = NULL;
/* The protocol field is a bit set, so it has its own sentinel. */
1035 options->protocol = SSH_PROTO_UNKNOWN;
/* Counters start at 0: the identity/forward/env lists accumulate rather than first-wins. */
1036 options->num_identity_files = 0;
1037 options->hostname = NULL;
1038 options->host_key_alias = NULL;
1039 options->proxy_command = NULL;
1040 options->user = NULL;
1041 options->escape_char = -1;
1042 options->system_hostfile = NULL;
1043 options->user_hostfile = NULL;
1044 options->system_hostfile2 = NULL;
1045 options->user_hostfile2 = NULL;
1046 options->num_local_forwards = 0;
1047 options->num_remote_forwards = 0;
1048 options->clear_forwardings = -1;
1049 options->log_level = SYSLOG_LEVEL_NOT_SET;
1050 options->preferred_authentications = NULL;
1051 options->bind_address = NULL;
1052 options->smartcard_device = NULL;
1053 options->enable_ssh_keysign = - 1;
1054 options->no_host_authentication_for_localhost = - 1;
1055 options->identities_only = - 1;
1056 options->rekey_limit = - 1;
1057 options->verify_host_key_dns = -1;
1058 options->server_alive_interval = -1;
1059 options->server_alive_count_max = -1;
1060 options->num_send_env = 0;
1061 options->control_path = NULL;
1062 options->control_master = -1;
1063 options->hash_known_hosts = -1;
1064 options->tun_open = -1;
1065 options->tun_local = -1;
1066 options->tun_remote = -1;
1067 options->local_command = NULL;
1068 options->permit_local_command = -1;
1072 * Called after processing other sources of option data, this fills those
1073 * options for which no value has been specified with their default values.
/*
 * Replaces every sentinel left by initialize_options() with the built-in
 * default. Because process_config_line() only writes fields that still
 * hold their sentinel, anything set on the command line or in either
 * config file survives this pass untouched. Defaults worth knowing when
 * reviewing a deployment: host-key checking defaults to its third state
 * (2), CheckHostIP is on, both protocol versions are enabled, and
 * HashKnownHosts is off.
 */
1077 fill_default_options(Options * options)
1081 if (options->forward_agent == -1)
1082 options->forward_agent = 0;
1083 if (options->forward_x11 == -1)
1084 options->forward_x11 = 0;
1085 if (options->forward_x11_trusted == -1)
1086 options->forward_x11_trusted = 0;
1087 if (options->exit_on_forward_failure == -1)
1088 options->exit_on_forward_failure = 0;
1089 if (options->xauth_location == NULL)
1090 options->xauth_location = _PATH_XAUTH;
1091 if (options->gateway_ports == -1)
1092 options->gateway_ports = 0;
1093 if (options->use_privileged_port == -1)
1094 options->use_privileged_port = 0;
1095 if (options->rsa_authentication == -1)
1096 options->rsa_authentication = 1;
1097 if (options->pubkey_authentication == -1)
1098 options->pubkey_authentication = 1;
1099 if (options->challenge_response_authentication == -1)
1100 options->challenge_response_authentication = 1;
1101 if (options->gss_authentication == -1)
1102 options->gss_authentication = 0;
1103 if (options->gss_deleg_creds == -1)
1104 options->gss_deleg_creds = 0;
1105 if (options->password_authentication == -1)
1106 options->password_authentication = 1;
1107 if (options->kbd_interactive_authentication == -1)
1108 options->kbd_interactive_authentication = 1;
/* Host-based methods are off unless explicitly enabled. */
1109 if (options->rhosts_rsa_authentication == -1)
1110 options->rhosts_rsa_authentication = 0;
1111 if (options->hostbased_authentication == -1)
1112 options->hostbased_authentication = 0;
1113 if (options->batch_mode == -1)
1114 options->batch_mode = 0;
1115 if (options->check_host_ip == -1)
1116 options->check_host_ip = 1;
/* 2 is the third state process_config_line() spells "ask" -- confirm the mapping. */
1117 if (options->strict_host_key_checking == -1)
1118 options->strict_host_key_checking = 2; /* 2 is default */
1119 if (options->compression == -1)
1120 options->compression = 0;
1121 if (options->tcp_keep_alive == -1)
1122 options->tcp_keep_alive = 1;
1123 if (options->compression_level == -1)
1124 options->compression_level = 6;
1125 if (options->port == -1)
1126 options->port = 0; /* Filled in ssh_connect. */
1127 if (options->address_family == -1)
1128 options->address_family = AF_UNSPEC;
1129 if (options->connection_attempts == -1)
1130 options->connection_attempts = 1;
1131 if (options->number_of_password_prompts == -1)
1132 options->number_of_password_prompts = 3;
1133 /* Selected in ssh_login(). */
1134 if (options->cipher == -1)
1135 options->cipher = SSH_CIPHER_NOT_SET;
1136 /* options->ciphers, default set in myproposals.h */
1137 /* options->macs, default set in myproposals.h */
1138 /* options->hostkeyalgorithms, default set in myproposals.h */
/*
 * NOTE(review): protocol 1 is enabled alongside protocol 2 unless the
 * user says otherwise; a hardened configuration sets "Protocol 2".
 */
1139 if (options->protocol == SSH_PROTO_UNKNOWN)
1140 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
/*
 * Default identity files, one per enabled protocol version (two for
 * protocol 2). len is exactly "~/" + path + NUL and the target buffer is
 * allocated to it (the allocation lines are not shown); the %.100s
 * precision additionally bounds the path.
 */
1141 if (options->num_identity_files == 0) {
1142 if (options->protocol & SSH_PROTO_1) {
1143 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1144 options->identity_files[options->num_identity_files] =
1146 snprintf(options->identity_files[options->num_identity_files++],
1147 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1149 if (options->protocol & SSH_PROTO_2) {
1150 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1151 options->identity_files[options->num_identity_files] =
1153 snprintf(options->identity_files[options->num_identity_files++],
1154 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1156 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1157 options->identity_files[options->num_identity_files] =
1159 snprintf(options->identity_files[options->num_identity_files++],
1160 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1163 if (options->escape_char == -1)
1164 options->escape_char = '~';
1165 if (options->system_hostfile == NULL)
1166 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1167 if (options->user_hostfile == NULL)
1168 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1169 if (options->system_hostfile2 == NULL)
1170 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1171 if (options->user_hostfile2 == NULL)
1172 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1173 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1174 options->log_level = SYSLOG_LEVEL_INFO;
/* ClearAllForwardings is honoured here, after every source has been read. */
1175 if (options->clear_forwardings == 1)
1176 clear_forwardings(options);
1177 if (options->no_host_authentication_for_localhost == - 1)
1178 options->no_host_authentication_for_localhost = 0;
1179 if (options->identities_only == -1)
1180 options->identities_only = 0;
1181 if (options->enable_ssh_keysign == -1)
1182 options->enable_ssh_keysign = 0;
/* 0 means no client-side rekey limit; the transport's own default applies. */
1183 if (options->rekey_limit == -1)
1184 options->rekey_limit = 0;
1185 if (options->verify_host_key_dns == -1)
1186 options->verify_host_key_dns = 0;
1187 if (options->server_alive_interval == -1)
1188 options->server_alive_interval = 0;
1189 if (options->server_alive_count_max == -1)
1190 options->server_alive_count_max = 3;
1191 if (options->control_master == -1)
1192 options->control_master = 0;
1193 if (options->hash_known_hosts == -1)
1194 options->hash_known_hosts = 0;
1195 if (options->tun_open == -1)
1196 options->tun_open = SSH_TUNMODE_NO;
1197 if (options->tun_local == -1)
1198 options->tun_local = SSH_TUNID_ANY;
1199 if (options->tun_remote == -1)
1200 options->tun_remote = SSH_TUNID_ANY;
1201 if (options->permit_local_command == -1)
1202 options->permit_local_command = 0;
1203 /* options->local_command should not be set by default */
1204 /* options->proxy_command should not be set by default */
1205 /* options->user will be set in the main program if appropriate */
1206 /* options->hostname will be set in the main program if appropriate */
1207 /* options->host_key_alias should not be set by default */
1208 /* options->preferred_authentications will be set in ssh */
1213 * parses a string containing a port forwarding specification of the form:
1214 * [listenhost:]listenport:connecthost:connectport
1215 * returns number of arguments parsed or zero on error
1218 parse_forward(Forward *fwd, const char *fwdspec)
1221 char *p, *cp, *fwdarg[4];
1223 memset(fwd, '\0', sizeof(*fwd));
1225 cp = p = xstrdup(fwdspec);
1227 /* skip leading spaces */
1228 while (isspace(*cp))
1231 for (i = 0; i < 4; ++i)
1232 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1235 /* Check for trailing garbage in 4-arg case*/
1237 i = 0; /* failure */
1241 fwd->listen_host = NULL;
1242 fwd->listen_port = a2port(fwdarg[0]);
1243 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1244 fwd->connect_port = a2port(fwdarg[2]);
1248 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1249 fwd->listen_port = a2port(fwdarg[1]);
1250 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1251 fwd->connect_port = a2port(fwdarg[3]);
1254 i = 0; /* failure */
1259 if (fwd->listen_port == 0 || fwd->connect_port == 0)
1262 if (fwd->connect_host != NULL &&
1263 strlen(fwd->connect_host) >= NI_MAXHOST)
1269 if (fwd->connect_host != NULL)
1270 xfree(fwd->connect_host);
1271 if (fwd->listen_host != NULL)
1272 xfree(fwd->listen_host);