2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.142 2005/06/17 02:44:33 djm Exp $");
20 #include "pathnames.h"
26 static void add_listen_addr(ServerOptions *, char *, u_short);
27 static void add_one_listen_addr(ServerOptions *, char *, u_short);
29 /* Use of privilege separation or not */
30 extern int use_privsep;
32 /* Initializes the server options to their default values. */
35 initialize_server_options(ServerOptions *options)
37 memset(options, 0, sizeof(*options));
39 /* Portable-specific options */
40 options->use_pam = -1;
42 /* Standard Options */
43 options->num_ports = 0;
44 options->ports_from_cmdline = 0;
45 options->listen_addrs = NULL;
46 options->address_family = -1;
47 options->num_host_key_files = 0;
48 options->pid_file = NULL;
49 options->server_key_bits = -1;
50 options->login_grace_time = -1;
51 options->key_regeneration_time = -1;
52 options->permit_root_login = PERMIT_NOT_SET;
53 options->ignore_rhosts = -1;
54 options->ignore_user_known_hosts = -1;
55 options->print_motd = -1;
56 options->print_lastlog = -1;
57 options->x11_forwarding = -1;
58 options->x11_display_offset = -1;
59 options->x11_use_localhost = -1;
60 options->xauth_location = NULL;
61 options->strict_modes = -1;
62 options->tcp_keep_alive = -1;
63 options->log_facility = SYSLOG_FACILITY_NOT_SET;
64 options->log_level = SYSLOG_LEVEL_NOT_SET;
65 options->rhosts_rsa_authentication = -1;
66 options->hostbased_authentication = -1;
67 options->hostbased_uses_name_from_packet_only = -1;
68 options->rsa_authentication = -1;
69 options->pubkey_authentication = -1;
70 options->kerberos_authentication = -1;
71 options->kerberos_or_local_passwd = -1;
72 options->kerberos_ticket_cleanup = -1;
73 options->kerberos_get_afs_token = -1;
74 options->gss_authentication=-1;
75 options->gss_cleanup_creds = -1;
76 options->password_authentication = -1;
77 options->kbd_interactive_authentication = -1;
78 options->challenge_response_authentication = -1;
79 options->permit_empty_passwd = -1;
80 options->permit_user_env = -1;
81 options->use_login = -1;
82 options->compression = -1;
83 options->allow_tcp_forwarding = -1;
84 options->num_allow_users = 0;
85 options->num_deny_users = 0;
86 options->num_allow_groups = 0;
87 options->num_deny_groups = 0;
88 options->ciphers = NULL;
90 options->protocol = SSH_PROTO_UNKNOWN;
91 options->gateway_ports = -1;
92 options->num_subsystems = 0;
93 options->max_startups_begin = -1;
94 options->max_startups_rate = -1;
95 options->max_startups = -1;
96 options->max_authtries = -1;
97 options->banner = NULL;
98 options->use_dns = -1;
99 options->client_alive_interval = -1;
100 options->client_alive_count_max = -1;
101 options->authorized_keys_file = NULL;
102 options->authorized_keys_file2 = NULL;
103 options->num_accept_env = 0;
105 /* Needs to be accessable in many places */
110 fill_default_server_options(ServerOptions *options)
112 /* Portable-specific options */
113 if (options->use_pam == -1)
114 options->use_pam = 0;
116 /* Standard Options */
117 if (options->protocol == SSH_PROTO_UNKNOWN)
118 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
119 if (options->num_host_key_files == 0) {
120 /* fill default hostkeys for protocols */
121 if (options->protocol & SSH_PROTO_1)
122 options->host_key_files[options->num_host_key_files++] =
124 if (options->protocol & SSH_PROTO_2) {
125 options->host_key_files[options->num_host_key_files++] =
126 _PATH_HOST_RSA_KEY_FILE;
127 options->host_key_files[options->num_host_key_files++] =
128 _PATH_HOST_DSA_KEY_FILE;
131 if (options->num_ports == 0)
132 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
133 if (options->listen_addrs == NULL)
134 add_listen_addr(options, NULL, 0);
135 if (options->pid_file == NULL)
136 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
137 if (options->server_key_bits == -1)
138 options->server_key_bits = 768;
139 if (options->login_grace_time == -1)
140 options->login_grace_time = 120;
141 if (options->key_regeneration_time == -1)
142 options->key_regeneration_time = 3600;
143 if (options->permit_root_login == PERMIT_NOT_SET)
144 options->permit_root_login = PERMIT_YES;
145 if (options->ignore_rhosts == -1)
146 options->ignore_rhosts = 1;
147 if (options->ignore_user_known_hosts == -1)
148 options->ignore_user_known_hosts = 0;
149 if (options->print_motd == -1)
150 options->print_motd = 1;
151 if (options->print_lastlog == -1)
152 options->print_lastlog = 1;
153 if (options->x11_forwarding == -1)
154 options->x11_forwarding = 0;
155 if (options->x11_display_offset == -1)
156 options->x11_display_offset = 10;
157 if (options->x11_use_localhost == -1)
158 options->x11_use_localhost = 1;
159 if (options->xauth_location == NULL)
160 options->xauth_location = _PATH_XAUTH;
161 if (options->strict_modes == -1)
162 options->strict_modes = 1;
163 if (options->tcp_keep_alive == -1)
164 options->tcp_keep_alive = 1;
165 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
166 options->log_facility = SYSLOG_FACILITY_AUTH;
167 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
168 options->log_level = SYSLOG_LEVEL_INFO;
169 if (options->rhosts_rsa_authentication == -1)
170 options->rhosts_rsa_authentication = 0;
171 if (options->hostbased_authentication == -1)
172 options->hostbased_authentication = 0;
173 if (options->hostbased_uses_name_from_packet_only == -1)
174 options->hostbased_uses_name_from_packet_only = 0;
175 if (options->rsa_authentication == -1)
176 options->rsa_authentication = 1;
177 if (options->pubkey_authentication == -1)
178 options->pubkey_authentication = 1;
179 if (options->kerberos_authentication == -1)
180 options->kerberos_authentication = 0;
181 if (options->kerberos_or_local_passwd == -1)
182 options->kerberos_or_local_passwd = 1;
183 if (options->kerberos_ticket_cleanup == -1)
184 options->kerberos_ticket_cleanup = 1;
185 if (options->kerberos_get_afs_token == -1)
186 options->kerberos_get_afs_token = 0;
187 if (options->gss_authentication == -1)
188 options->gss_authentication = 0;
189 if (options->gss_cleanup_creds == -1)
190 options->gss_cleanup_creds = 1;
191 if (options->password_authentication == -1)
192 options->password_authentication = 1;
193 if (options->kbd_interactive_authentication == -1)
194 options->kbd_interactive_authentication = 0;
195 if (options->challenge_response_authentication == -1)
196 options->challenge_response_authentication = 1;
197 if (options->permit_empty_passwd == -1)
198 options->permit_empty_passwd = 0;
199 if (options->permit_user_env == -1)
200 options->permit_user_env = 0;
201 if (options->use_login == -1)
202 options->use_login = 0;
203 if (options->compression == -1)
204 options->compression = 1;
205 if (options->allow_tcp_forwarding == -1)
206 options->allow_tcp_forwarding = 1;
207 if (options->gateway_ports == -1)
208 options->gateway_ports = 0;
209 if (options->max_startups == -1)
210 options->max_startups = 10;
211 if (options->max_startups_rate == -1)
212 options->max_startups_rate = 100; /* 100% */
213 if (options->max_startups_begin == -1)
214 options->max_startups_begin = options->max_startups;
215 if (options->max_authtries == -1)
216 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
217 if (options->use_dns == -1)
218 options->use_dns = 1;
219 if (options->client_alive_interval == -1)
220 options->client_alive_interval = 0;
221 if (options->client_alive_count_max == -1)
222 options->client_alive_count_max = 3;
223 if (options->authorized_keys_file2 == NULL) {
224 /* authorized_keys_file2 falls back to authorized_keys_file */
225 if (options->authorized_keys_file != NULL)
226 options->authorized_keys_file2 = options->authorized_keys_file;
228 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
230 if (options->authorized_keys_file == NULL)
231 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
233 /* Turn privilege separation on by default */
234 if (use_privsep == -1)
238 if (use_privsep && options->compression == 1) {
239 error("This platform does not support both privilege "
240 "separation and compression");
241 error("Compression disabled");
242 options->compression = 0;
248 /* Keyword tokens. */
250 sBadOption, /* == unknown option */
251 /* Portable-specific options */
253 /* Standard Options */
254 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
255 sPermitRootLogin, sLogFacility, sLogLevel,
256 sRhostsRSAAuthentication, sRSAAuthentication,
257 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
258 sKerberosGetAFSToken,
259 sKerberosTgtPassing, sChallengeResponseAuthentication,
260 sPasswordAuthentication, sKbdInteractiveAuthentication,
261 sListenAddress, sAddressFamily,
262 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
263 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
264 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
265 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
266 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
267 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
268 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
269 sMaxStartups, sMaxAuthTries,
270 sBanner, sUseDNS, sHostbasedAuthentication,
271 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
272 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
273 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
274 sUsePrivilegeSeparation,
275 sDeprecated, sUnsupported
278 /* Textual representation of the tokens. */
281 ServerOpCodes opcode;
283 /* Portable-specific options */
285 { "usepam", sUsePAM },
287 { "usepam", sUnsupported },
289 { "pamauthenticationviakbdint", sDeprecated },
290 /* Standard Options */
292 { "hostkey", sHostKeyFile },
293 { "hostdsakey", sHostKeyFile }, /* alias */
294 { "pidfile", sPidFile },
295 { "serverkeybits", sServerKeyBits },
296 { "logingracetime", sLoginGraceTime },
297 { "keyregenerationinterval", sKeyRegenerationTime },
298 { "permitrootlogin", sPermitRootLogin },
299 { "syslogfacility", sLogFacility },
300 { "loglevel", sLogLevel },
301 { "rhostsauthentication", sDeprecated },
302 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
303 { "hostbasedauthentication", sHostbasedAuthentication },
304 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
305 { "rsaauthentication", sRSAAuthentication },
306 { "pubkeyauthentication", sPubkeyAuthentication },
307 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
309 { "kerberosauthentication", sKerberosAuthentication },
310 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
311 { "kerberosticketcleanup", sKerberosTicketCleanup },
313 { "kerberosgetafstoken", sKerberosGetAFSToken },
315 { "kerberosgetafstoken", sUnsupported },
318 { "kerberosauthentication", sUnsupported },
319 { "kerberosorlocalpasswd", sUnsupported },
320 { "kerberosticketcleanup", sUnsupported },
321 { "kerberosgetafstoken", sUnsupported },
323 { "kerberostgtpassing", sUnsupported },
324 { "afstokenpassing", sUnsupported },
326 { "gssapiauthentication", sGssAuthentication },
327 { "gssapicleanupcredentials", sGssCleanupCreds },
329 { "gssapiauthentication", sUnsupported },
330 { "gssapicleanupcredentials", sUnsupported },
332 { "passwordauthentication", sPasswordAuthentication },
333 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
334 { "challengeresponseauthentication", sChallengeResponseAuthentication },
335 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
336 { "checkmail", sDeprecated },
337 { "listenaddress", sListenAddress },
338 { "addressfamily", sAddressFamily },
339 { "printmotd", sPrintMotd },
340 { "printlastlog", sPrintLastLog },
341 { "ignorerhosts", sIgnoreRhosts },
342 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
343 { "x11forwarding", sX11Forwarding },
344 { "x11displayoffset", sX11DisplayOffset },
345 { "x11uselocalhost", sX11UseLocalhost },
346 { "xauthlocation", sXAuthLocation },
347 { "strictmodes", sStrictModes },
348 { "permitemptypasswords", sEmptyPasswd },
349 { "permituserenvironment", sPermitUserEnvironment },
350 { "uselogin", sUseLogin },
351 { "compression", sCompression },
352 { "tcpkeepalive", sTCPKeepAlive },
353 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
354 { "allowtcpforwarding", sAllowTcpForwarding },
355 { "allowusers", sAllowUsers },
356 { "denyusers", sDenyUsers },
357 { "allowgroups", sAllowGroups },
358 { "denygroups", sDenyGroups },
359 { "ciphers", sCiphers },
361 { "protocol", sProtocol },
362 { "gatewayports", sGatewayPorts },
363 { "subsystem", sSubsystem },
364 { "maxstartups", sMaxStartups },
365 { "maxauthtries", sMaxAuthTries },
366 { "banner", sBanner },
367 { "usedns", sUseDNS },
368 { "verifyreversemapping", sDeprecated },
369 { "reversemappingcheck", sDeprecated },
370 { "clientaliveinterval", sClientAliveInterval },
371 { "clientalivecountmax", sClientAliveCountMax },
372 { "authorizedkeysfile", sAuthorizedKeysFile },
373 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
374 { "useprivilegeseparation", sUsePrivilegeSeparation},
375 { "acceptenv", sAcceptEnv },
380 * Returns the number of the token pointed to by cp or sBadOption.
384 parse_token(const char *cp, const char *filename,
389 for (i = 0; keywords[i].name; i++)
390 if (strcasecmp(cp, keywords[i].name) == 0)
391 return keywords[i].opcode;
393 error("%s: line %d: Bad configuration option: %s",
394 filename, linenum, cp);
399 add_listen_addr(ServerOptions *options, char *addr, u_short port)
403 if (options->num_ports == 0)
404 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
405 if (options->address_family == -1)
406 options->address_family = AF_UNSPEC;
408 for (i = 0; i < options->num_ports; i++)
409 add_one_listen_addr(options, addr, options->ports[i]);
411 add_one_listen_addr(options, addr, port);
415 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
417 struct addrinfo hints, *ai, *aitop;
418 char strport[NI_MAXSERV];
421 memset(&hints, 0, sizeof(hints));
422 hints.ai_family = options->address_family;
423 hints.ai_socktype = SOCK_STREAM;
424 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
425 snprintf(strport, sizeof strport, "%u", port);
426 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
427 fatal("bad addr or host: %s (%s)",
428 addr ? addr : "<NULL>",
429 gai_strerror(gaierr));
430 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
432 ai->ai_next = options->listen_addrs;
433 options->listen_addrs = aitop;
437 process_server_config_line(ServerOptions *options, char *line,
438 const char *filename, int linenum)
440 char *cp, **charptr, *arg, *p;
441 int *intptr, value, n;
442 ServerOpCodes opcode;
448 /* Ignore leading whitespace */
451 if (!arg || !*arg || *arg == '#')
455 opcode = parse_token(arg, filename, linenum);
457 /* Portable-specific options */
459 intptr = &options->use_pam;
462 /* Standard Options */
466 /* ignore ports from configfile if cmdline specifies ports */
467 if (options->ports_from_cmdline)
469 if (options->listen_addrs != NULL)
470 fatal("%s line %d: ports must be specified before "
471 "ListenAddress.", filename, linenum);
472 if (options->num_ports >= MAX_PORTS)
473 fatal("%s line %d: too many ports.",
476 if (!arg || *arg == '\0')
477 fatal("%s line %d: missing port number.",
479 options->ports[options->num_ports++] = a2port(arg);
480 if (options->ports[options->num_ports-1] == 0)
481 fatal("%s line %d: Badly formatted port number.",
486 intptr = &options->server_key_bits;
489 if (!arg || *arg == '\0')
490 fatal("%s line %d: missing integer value.",
497 case sLoginGraceTime:
498 intptr = &options->login_grace_time;
501 if (!arg || *arg == '\0')
502 fatal("%s line %d: missing time value.",
504 if ((value = convtime(arg)) == -1)
505 fatal("%s line %d: invalid time value.",
511 case sKeyRegenerationTime:
512 intptr = &options->key_regeneration_time;
517 if (arg == NULL || *arg == '\0')
518 fatal("%s line %d: missing address",
522 fatal("%s line %d: bad address:port usage",
524 p = cleanhostname(p);
527 else if ((port = a2port(arg)) == 0)
528 fatal("%s line %d: bad port number", filename, linenum);
530 add_listen_addr(options, p, port);
536 if (!arg || *arg == '\0')
537 fatal("%s line %d: missing address family.",
539 intptr = &options->address_family;
540 if (options->listen_addrs != NULL)
541 fatal("%s line %d: address family must be specified before "
542 "ListenAddress.", filename, linenum);
543 if (strcasecmp(arg, "inet") == 0)
545 else if (strcasecmp(arg, "inet6") == 0)
547 else if (strcasecmp(arg, "any") == 0)
550 fatal("%s line %d: unsupported address family \"%s\".",
551 filename, linenum, arg);
557 intptr = &options->num_host_key_files;
558 if (*intptr >= MAX_HOSTKEYS)
559 fatal("%s line %d: too many host keys specified (max %d).",
560 filename, linenum, MAX_HOSTKEYS);
561 charptr = &options->host_key_files[*intptr];
564 if (!arg || *arg == '\0')
565 fatal("%s line %d: missing file name.",
567 if (*charptr == NULL) {
568 *charptr = tilde_expand_filename(arg, getuid());
569 /* increase optional counter */
571 *intptr = *intptr + 1;
576 charptr = &options->pid_file;
579 case sPermitRootLogin:
580 intptr = &options->permit_root_login;
582 if (!arg || *arg == '\0')
583 fatal("%s line %d: missing yes/"
584 "without-password/forced-commands-only/no "
585 "argument.", filename, linenum);
586 value = 0; /* silence compiler */
587 if (strcmp(arg, "without-password") == 0)
588 value = PERMIT_NO_PASSWD;
589 else if (strcmp(arg, "forced-commands-only") == 0)
590 value = PERMIT_FORCED_ONLY;
591 else if (strcmp(arg, "yes") == 0)
593 else if (strcmp(arg, "no") == 0)
596 fatal("%s line %d: Bad yes/"
597 "without-password/forced-commands-only/no "
598 "argument: %s", filename, linenum, arg);
604 intptr = &options->ignore_rhosts;
607 if (!arg || *arg == '\0')
608 fatal("%s line %d: missing yes/no argument.",
610 value = 0; /* silence compiler */
611 if (strcmp(arg, "yes") == 0)
613 else if (strcmp(arg, "no") == 0)
616 fatal("%s line %d: Bad yes/no argument: %s",
617 filename, linenum, arg);
622 case sIgnoreUserKnownHosts:
623 intptr = &options->ignore_user_known_hosts;
626 case sRhostsRSAAuthentication:
627 intptr = &options->rhosts_rsa_authentication;
630 case sHostbasedAuthentication:
631 intptr = &options->hostbased_authentication;
634 case sHostbasedUsesNameFromPacketOnly:
635 intptr = &options->hostbased_uses_name_from_packet_only;
638 case sRSAAuthentication:
639 intptr = &options->rsa_authentication;
642 case sPubkeyAuthentication:
643 intptr = &options->pubkey_authentication;
646 case sKerberosAuthentication:
647 intptr = &options->kerberos_authentication;
650 case sKerberosOrLocalPasswd:
651 intptr = &options->kerberos_or_local_passwd;
654 case sKerberosTicketCleanup:
655 intptr = &options->kerberos_ticket_cleanup;
658 case sKerberosGetAFSToken:
659 intptr = &options->kerberos_get_afs_token;
662 case sGssAuthentication:
663 intptr = &options->gss_authentication;
666 case sGssCleanupCreds:
667 intptr = &options->gss_cleanup_creds;
670 case sPasswordAuthentication:
671 intptr = &options->password_authentication;
674 case sKbdInteractiveAuthentication:
675 intptr = &options->kbd_interactive_authentication;
678 case sChallengeResponseAuthentication:
679 intptr = &options->challenge_response_authentication;
683 intptr = &options->print_motd;
687 intptr = &options->print_lastlog;
691 intptr = &options->x11_forwarding;
694 case sX11DisplayOffset:
695 intptr = &options->x11_display_offset;
698 case sX11UseLocalhost:
699 intptr = &options->x11_use_localhost;
703 charptr = &options->xauth_location;
707 intptr = &options->strict_modes;
711 intptr = &options->tcp_keep_alive;
715 intptr = &options->permit_empty_passwd;
718 case sPermitUserEnvironment:
719 intptr = &options->permit_user_env;
723 intptr = &options->use_login;
727 intptr = &options->compression;
731 intptr = &options->gateway_ports;
733 if (!arg || *arg == '\0')
734 fatal("%s line %d: missing yes/no/clientspecified "
735 "argument.", filename, linenum);
736 value = 0; /* silence compiler */
737 if (strcmp(arg, "clientspecified") == 0)
739 else if (strcmp(arg, "yes") == 0)
741 else if (strcmp(arg, "no") == 0)
744 fatal("%s line %d: Bad yes/no/clientspecified "
745 "argument: %s", filename, linenum, arg);
751 intptr = &options->use_dns;
755 intptr = (int *) &options->log_facility;
757 value = log_facility_number(arg);
758 if (value == SYSLOG_FACILITY_NOT_SET)
759 fatal("%.200s line %d: unsupported log facility '%s'",
760 filename, linenum, arg ? arg : "<NONE>");
762 *intptr = (SyslogFacility) value;
766 intptr = (int *) &options->log_level;
768 value = log_level_number(arg);
769 if (value == SYSLOG_LEVEL_NOT_SET)
770 fatal("%.200s line %d: unsupported log level '%s'",
771 filename, linenum, arg ? arg : "<NONE>");
773 *intptr = (LogLevel) value;
776 case sAllowTcpForwarding:
777 intptr = &options->allow_tcp_forwarding;
780 case sUsePrivilegeSeparation:
781 intptr = &use_privsep;
785 while ((arg = strdelim(&cp)) && *arg != '\0') {
786 if (options->num_allow_users >= MAX_ALLOW_USERS)
787 fatal("%s line %d: too many allow users.",
789 options->allow_users[options->num_allow_users++] =
795 while ((arg = strdelim(&cp)) && *arg != '\0') {
796 if (options->num_deny_users >= MAX_DENY_USERS)
797 fatal( "%s line %d: too many deny users.",
799 options->deny_users[options->num_deny_users++] =
805 while ((arg = strdelim(&cp)) && *arg != '\0') {
806 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
807 fatal("%s line %d: too many allow groups.",
809 options->allow_groups[options->num_allow_groups++] =
815 while ((arg = strdelim(&cp)) && *arg != '\0') {
816 if (options->num_deny_groups >= MAX_DENY_GROUPS)
817 fatal("%s line %d: too many deny groups.",
819 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
825 if (!arg || *arg == '\0')
826 fatal("%s line %d: Missing argument.", filename, linenum);
827 if (!ciphers_valid(arg))
828 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
829 filename, linenum, arg ? arg : "<NONE>");
830 if (options->ciphers == NULL)
831 options->ciphers = xstrdup(arg);
836 if (!arg || *arg == '\0')
837 fatal("%s line %d: Missing argument.", filename, linenum);
839 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
840 filename, linenum, arg ? arg : "<NONE>");
841 if (options->macs == NULL)
842 options->macs = xstrdup(arg);
846 intptr = &options->protocol;
848 if (!arg || *arg == '\0')
849 fatal("%s line %d: Missing argument.", filename, linenum);
850 value = proto_spec(arg);
851 if (value == SSH_PROTO_UNKNOWN)
852 fatal("%s line %d: Bad protocol spec '%s'.",
853 filename, linenum, arg ? arg : "<NONE>");
854 if (*intptr == SSH_PROTO_UNKNOWN)
859 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
860 fatal("%s line %d: too many subsystems defined.",
864 if (!arg || *arg == '\0')
865 fatal("%s line %d: Missing subsystem name.",
867 for (i = 0; i < options->num_subsystems; i++)
868 if (strcmp(arg, options->subsystem_name[i]) == 0)
869 fatal("%s line %d: Subsystem '%s' already defined.",
870 filename, linenum, arg);
871 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
873 if (!arg || *arg == '\0')
874 fatal("%s line %d: Missing subsystem command.",
876 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
877 options->num_subsystems++;
882 if (!arg || *arg == '\0')
883 fatal("%s line %d: Missing MaxStartups spec.",
885 if ((n = sscanf(arg, "%d:%d:%d",
886 &options->max_startups_begin,
887 &options->max_startups_rate,
888 &options->max_startups)) == 3) {
889 if (options->max_startups_begin >
890 options->max_startups ||
891 options->max_startups_rate > 100 ||
892 options->max_startups_rate < 1)
893 fatal("%s line %d: Illegal MaxStartups spec.",
896 fatal("%s line %d: Illegal MaxStartups spec.",
899 options->max_startups = options->max_startups_begin;
903 intptr = &options->max_authtries;
907 charptr = &options->banner;
910 * These options can contain %X options expanded at
911 * connect time, so that you can specify paths like:
913 * AuthorizedKeysFile /etc/ssh_keys/%u
915 case sAuthorizedKeysFile:
916 case sAuthorizedKeysFile2:
917 charptr = (opcode == sAuthorizedKeysFile ) ?
918 &options->authorized_keys_file :
919 &options->authorized_keys_file2;
922 case sClientAliveInterval:
923 intptr = &options->client_alive_interval;
926 case sClientAliveCountMax:
927 intptr = &options->client_alive_count_max;
931 while ((arg = strdelim(&cp)) && *arg != '\0') {
932 if (strchr(arg, '=') != NULL)
933 fatal("%s line %d: Invalid environment name.",
935 if (options->num_accept_env >= MAX_ACCEPT_ENV)
936 fatal("%s line %d: too many allow env.",
938 options->accept_env[options->num_accept_env++] =
944 logit("%s line %d: Deprecated option %s",
945 filename, linenum, arg);
951 logit("%s line %d: Unsupported option %s",
952 filename, linenum, arg);
958 fatal("%s line %d: Missing handler for opcode %s (%d)",
959 filename, linenum, arg, opcode);
961 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
962 fatal("%s line %d: garbage at end of line; \"%.200s\".",
963 filename, linenum, arg);
967 /* Reads the server configuration file. */
970 load_server_config(const char *filename, Buffer *conf)
972 char line[1024], *cp;
975 debug2("%s: filename %s", __func__, filename);
976 if ((f = fopen(filename, "r")) == NULL) {
981 while (fgets(line, sizeof(line), f)) {
983 * Trim out comments and strip whitespace
984 * NB - preserve newlines, they are needed to reproduce
985 * line numbers later for error messages
987 if ((cp = strchr(line, '#')) != NULL)
989 cp = line + strspn(line, " \t\r");
991 buffer_append(conf, cp, strlen(cp));
993 buffer_append(conf, "\0", 1);
995 debug2("%s: done config len = %d", __func__, buffer_len(conf));
999 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1001 int linenum, bad_options = 0;
1002 char *cp, *obuf, *cbuf;
1004 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1006 obuf = cbuf = xstrdup(buffer_ptr(conf));
1008 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1009 if (process_server_config_line(options, cp, filename,
1014 if (bad_options > 0)
1015 fatal("%s: terminating, %d bad configuration options",
1016 filename, bad_options);
andersk / openssh.git / blob