2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.138 2004/12/23 23:11:00 djm Exp $");
20 #include "pathnames.h"
26 static void add_listen_addr(ServerOptions *, char *, u_short);
27 static void add_one_listen_addr(ServerOptions *, char *, u_short);
29 /* Use of privilege separation or not */
30 extern int use_privsep;
32 /* Initializes the server options to their default values. */
35 initialize_server_options(ServerOptions *options)
37 memset(options, 0, sizeof(*options));
39 /* Portable-specific options */
40 options->use_pam = -1;
42 /* Standard Options */
43 options->num_ports = 0;
44 options->ports_from_cmdline = 0;
45 options->listen_addrs = NULL;
46 options->address_family = -1;
47 options->num_host_key_files = 0;
48 options->pid_file = NULL;
49 options->server_key_bits = -1;
50 options->login_grace_time = -1;
51 options->key_regeneration_time = -1;
52 options->permit_root_login = PERMIT_NOT_SET;
53 options->ignore_rhosts = -1;
54 options->ignore_user_known_hosts = -1;
55 options->print_motd = -1;
56 options->print_lastlog = -1;
57 options->x11_forwarding = -1;
58 options->x11_display_offset = -1;
59 options->x11_use_localhost = -1;
60 options->xauth_location = NULL;
61 options->strict_modes = -1;
62 options->tcp_keep_alive = -1;
63 options->log_facility = SYSLOG_FACILITY_NOT_SET;
64 options->log_level = SYSLOG_LEVEL_NOT_SET;
65 options->rhosts_rsa_authentication = -1;
66 options->hostbased_authentication = -1;
67 options->hostbased_uses_name_from_packet_only = -1;
68 options->rsa_authentication = -1;
69 options->pubkey_authentication = -1;
70 options->kerberos_authentication = -1;
71 options->kerberos_or_local_passwd = -1;
72 options->kerberos_ticket_cleanup = -1;
73 options->kerberos_get_afs_token = -1;
74 options->gss_authentication=-1;
75 options->gss_cleanup_creds = -1;
76 options->password_authentication = -1;
77 options->kbd_interactive_authentication = -1;
78 options->challenge_response_authentication = -1;
79 options->permit_empty_passwd = -1;
80 options->permit_user_env = -1;
81 options->use_login = -1;
82 options->compression = -1;
83 options->allow_tcp_forwarding = -1;
84 options->num_allow_users = 0;
85 options->num_deny_users = 0;
86 options->num_allow_groups = 0;
87 options->num_deny_groups = 0;
88 options->ciphers = NULL;
90 options->protocol = SSH_PROTO_UNKNOWN;
91 options->gateway_ports = -1;
92 options->num_subsystems = 0;
93 options->max_startups_begin = -1;
94 options->max_startups_rate = -1;
95 options->max_startups = -1;
96 options->max_authtries = -1;
97 options->banner = NULL;
98 options->use_dns = -1;
99 options->client_alive_interval = -1;
100 options->client_alive_count_max = -1;
101 options->authorized_keys_file = NULL;
102 options->authorized_keys_file2 = NULL;
103 options->num_accept_env = 0;
105 /* Needs to be accessable in many places */
110 fill_default_server_options(ServerOptions *options)
112 /* Portable-specific options */
113 if (options->use_pam == -1)
114 options->use_pam = 0;
116 /* Standard Options */
117 if (options->protocol == SSH_PROTO_UNKNOWN)
118 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
119 if (options->num_host_key_files == 0) {
120 /* fill default hostkeys for protocols */
121 if (options->protocol & SSH_PROTO_1)
122 options->host_key_files[options->num_host_key_files++] =
124 if (options->protocol & SSH_PROTO_2) {
125 options->host_key_files[options->num_host_key_files++] =
126 _PATH_HOST_RSA_KEY_FILE;
127 options->host_key_files[options->num_host_key_files++] =
128 _PATH_HOST_DSA_KEY_FILE;
131 if (options->num_ports == 0)
132 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
133 if (options->listen_addrs == NULL)
134 add_listen_addr(options, NULL, 0);
135 if (options->pid_file == NULL)
136 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
137 if (options->server_key_bits == -1)
138 options->server_key_bits = 768;
139 if (options->login_grace_time == -1)
140 options->login_grace_time = 120;
141 if (options->key_regeneration_time == -1)
142 options->key_regeneration_time = 3600;
143 if (options->permit_root_login == PERMIT_NOT_SET)
144 options->permit_root_login = PERMIT_YES;
145 if (options->ignore_rhosts == -1)
146 options->ignore_rhosts = 1;
147 if (options->ignore_user_known_hosts == -1)
148 options->ignore_user_known_hosts = 0;
149 if (options->print_motd == -1)
150 options->print_motd = 1;
151 if (options->print_lastlog == -1)
152 options->print_lastlog = 1;
153 if (options->x11_forwarding == -1)
154 options->x11_forwarding = 0;
155 if (options->x11_display_offset == -1)
156 options->x11_display_offset = 10;
157 if (options->x11_use_localhost == -1)
158 options->x11_use_localhost = 1;
159 if (options->xauth_location == NULL)
160 options->xauth_location = _PATH_XAUTH;
161 if (options->strict_modes == -1)
162 options->strict_modes = 1;
163 if (options->tcp_keep_alive == -1)
164 options->tcp_keep_alive = 1;
165 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
166 options->log_facility = SYSLOG_FACILITY_AUTH;
167 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
168 options->log_level = SYSLOG_LEVEL_INFO;
169 if (options->rhosts_rsa_authentication == -1)
170 options->rhosts_rsa_authentication = 0;
171 if (options->hostbased_authentication == -1)
172 options->hostbased_authentication = 0;
173 if (options->hostbased_uses_name_from_packet_only == -1)
174 options->hostbased_uses_name_from_packet_only = 0;
175 if (options->rsa_authentication == -1)
176 options->rsa_authentication = 1;
177 if (options->pubkey_authentication == -1)
178 options->pubkey_authentication = 1;
179 if (options->kerberos_authentication == -1)
180 options->kerberos_authentication = 0;
181 if (options->kerberos_or_local_passwd == -1)
182 options->kerberos_or_local_passwd = 1;
183 if (options->kerberos_ticket_cleanup == -1)
184 options->kerberos_ticket_cleanup = 1;
185 if (options->kerberos_get_afs_token == -1)
186 options->kerberos_get_afs_token = 0;
187 if (options->gss_authentication == -1)
188 options->gss_authentication = 0;
189 if (options->gss_cleanup_creds == -1)
190 options->gss_cleanup_creds = 1;
191 if (options->password_authentication == -1)
192 options->password_authentication = 1;
193 if (options->kbd_interactive_authentication == -1)
194 options->kbd_interactive_authentication = 0;
195 if (options->challenge_response_authentication == -1)
196 options->challenge_response_authentication = 1;
197 if (options->permit_empty_passwd == -1)
198 options->permit_empty_passwd = 0;
199 if (options->permit_user_env == -1)
200 options->permit_user_env = 0;
201 if (options->use_login == -1)
202 options->use_login = 0;
203 if (options->compression == -1)
204 options->compression = 1;
205 if (options->allow_tcp_forwarding == -1)
206 options->allow_tcp_forwarding = 1;
207 if (options->gateway_ports == -1)
208 options->gateway_ports = 0;
209 if (options->max_startups == -1)
210 options->max_startups = 10;
211 if (options->max_startups_rate == -1)
212 options->max_startups_rate = 100; /* 100% */
213 if (options->max_startups_begin == -1)
214 options->max_startups_begin = options->max_startups;
215 if (options->max_authtries == -1)
216 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
217 if (options->use_dns == -1)
218 options->use_dns = 1;
219 if (options->client_alive_interval == -1)
220 options->client_alive_interval = 0;
221 if (options->client_alive_count_max == -1)
222 options->client_alive_count_max = 3;
223 if (options->authorized_keys_file2 == NULL) {
224 /* authorized_keys_file2 falls back to authorized_keys_file */
225 if (options->authorized_keys_file != NULL)
226 options->authorized_keys_file2 = options->authorized_keys_file;
228 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
230 if (options->authorized_keys_file == NULL)
231 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
233 /* Turn privilege separation on by default */
234 if (use_privsep == -1)
238 if (use_privsep && options->compression == 1) {
239 error("This platform does not support both privilege "
240 "separation and compression");
241 error("Compression disabled");
242 options->compression = 0;
248 /* Keyword tokens. */
250 sBadOption, /* == unknown option */
251 /* Portable-specific options */
253 /* Standard Options */
254 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
255 sPermitRootLogin, sLogFacility, sLogLevel,
256 sRhostsRSAAuthentication, sRSAAuthentication,
257 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
258 sKerberosGetAFSToken,
259 sKerberosTgtPassing, sChallengeResponseAuthentication,
260 sPasswordAuthentication, sKbdInteractiveAuthentication,
261 sListenAddress, sAddressFamily,
262 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
263 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
264 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
265 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
266 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
267 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
268 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
269 sMaxStartups, sMaxAuthTries,
270 sBanner, sUseDNS, sHostbasedAuthentication,
271 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
272 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
273 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
274 sUsePrivilegeSeparation,
275 sDeprecated, sUnsupported
278 /* Textual representation of the tokens. */
281 ServerOpCodes opcode;
283 /* Portable-specific options */
285 { "usepam", sUsePAM },
287 { "usepam", sUnsupported },
289 { "pamauthenticationviakbdint", sDeprecated },
290 /* Standard Options */
292 { "hostkey", sHostKeyFile },
293 { "hostdsakey", sHostKeyFile }, /* alias */
294 { "pidfile", sPidFile },
295 { "serverkeybits", sServerKeyBits },
296 { "logingracetime", sLoginGraceTime },
297 { "keyregenerationinterval", sKeyRegenerationTime },
298 { "permitrootlogin", sPermitRootLogin },
299 { "syslogfacility", sLogFacility },
300 { "loglevel", sLogLevel },
301 { "rhostsauthentication", sDeprecated },
302 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
303 { "hostbasedauthentication", sHostbasedAuthentication },
304 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
305 { "rsaauthentication", sRSAAuthentication },
306 { "pubkeyauthentication", sPubkeyAuthentication },
307 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
309 { "kerberosauthentication", sKerberosAuthentication },
310 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
311 { "kerberosticketcleanup", sKerberosTicketCleanup },
313 { "kerberosgetafstoken", sKerberosGetAFSToken },
315 { "kerberosgetafstoken", sUnsupported },
318 { "kerberosauthentication", sUnsupported },
319 { "kerberosorlocalpasswd", sUnsupported },
320 { "kerberosticketcleanup", sUnsupported },
321 { "kerberosgetafstoken", sUnsupported },
323 { "kerberostgtpassing", sUnsupported },
324 { "afstokenpassing", sUnsupported },
326 { "gssapiauthentication", sGssAuthentication },
327 { "gssapicleanupcredentials", sGssCleanupCreds },
329 { "gssapiauthentication", sUnsupported },
330 { "gssapicleanupcredentials", sUnsupported },
332 { "passwordauthentication", sPasswordAuthentication },
333 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
334 { "challengeresponseauthentication", sChallengeResponseAuthentication },
335 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
336 { "checkmail", sDeprecated },
337 { "listenaddress", sListenAddress },
338 { "addressfamily", sAddressFamily },
339 { "printmotd", sPrintMotd },
340 { "printlastlog", sPrintLastLog },
341 { "ignorerhosts", sIgnoreRhosts },
342 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
343 { "x11forwarding", sX11Forwarding },
344 { "x11displayoffset", sX11DisplayOffset },
345 { "x11uselocalhost", sX11UseLocalhost },
346 { "xauthlocation", sXAuthLocation },
347 { "strictmodes", sStrictModes },
348 { "permitemptypasswords", sEmptyPasswd },
349 { "permituserenvironment", sPermitUserEnvironment },
350 { "uselogin", sUseLogin },
351 { "compression", sCompression },
352 { "tcpkeepalive", sTCPKeepAlive },
353 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
354 { "allowtcpforwarding", sAllowTcpForwarding },
355 { "allowusers", sAllowUsers },
356 { "denyusers", sDenyUsers },
357 { "allowgroups", sAllowGroups },
358 { "denygroups", sDenyGroups },
359 { "ciphers", sCiphers },
361 { "protocol", sProtocol },
362 { "gatewayports", sGatewayPorts },
363 { "subsystem", sSubsystem },
364 { "maxstartups", sMaxStartups },
365 { "maxauthtries", sMaxAuthTries },
366 { "banner", sBanner },
367 { "usedns", sUseDNS },
368 { "verifyreversemapping", sDeprecated },
369 { "reversemappingcheck", sDeprecated },
370 { "clientaliveinterval", sClientAliveInterval },
371 { "clientalivecountmax", sClientAliveCountMax },
372 { "authorizedkeysfile", sAuthorizedKeysFile },
373 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
374 { "useprivilegeseparation", sUsePrivilegeSeparation},
375 { "acceptenv", sAcceptEnv },
380 * Returns the number of the token pointed to by cp or sBadOption.
384 parse_token(const char *cp, const char *filename,
389 for (i = 0; keywords[i].name; i++)
390 if (strcasecmp(cp, keywords[i].name) == 0)
391 return keywords[i].opcode;
393 error("%s: line %d: Bad configuration option: %s",
394 filename, linenum, cp);
399 add_listen_addr(ServerOptions *options, char *addr, u_short port)
403 if (options->num_ports == 0)
404 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
405 if (options->address_family == -1)
406 options->address_family = AF_UNSPEC;
408 for (i = 0; i < options->num_ports; i++)
409 add_one_listen_addr(options, addr, options->ports[i]);
411 add_one_listen_addr(options, addr, port);
415 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
417 struct addrinfo hints, *ai, *aitop;
418 char strport[NI_MAXSERV];
421 memset(&hints, 0, sizeof(hints));
422 hints.ai_family = options->address_family;
423 hints.ai_socktype = SOCK_STREAM;
424 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
425 snprintf(strport, sizeof strport, "%u", port);
426 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
427 fatal("bad addr or host: %s (%s)",
428 addr ? addr : "<NULL>",
429 gai_strerror(gaierr));
430 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
432 ai->ai_next = options->listen_addrs;
433 options->listen_addrs = aitop;
437 process_server_config_line(ServerOptions *options, char *line,
438 const char *filename, int linenum)
440 char *cp, **charptr, *arg, *p;
441 int *intptr, value, i, n;
442 ServerOpCodes opcode;
446 /* Ignore leading whitespace */
449 if (!arg || !*arg || *arg == '#')
453 opcode = parse_token(arg, filename, linenum);
455 /* Portable-specific options */
457 intptr = &options->use_pam;
460 /* Standard Options */
464 /* ignore ports from configfile if cmdline specifies ports */
465 if (options->ports_from_cmdline)
467 if (options->listen_addrs != NULL)
468 fatal("%s line %d: ports must be specified before "
469 "ListenAddress.", filename, linenum);
470 if (options->num_ports >= MAX_PORTS)
471 fatal("%s line %d: too many ports.",
474 if (!arg || *arg == '\0')
475 fatal("%s line %d: missing port number.",
477 options->ports[options->num_ports++] = a2port(arg);
478 if (options->ports[options->num_ports-1] == 0)
479 fatal("%s line %d: Badly formatted port number.",
484 intptr = &options->server_key_bits;
487 if (!arg || *arg == '\0')
488 fatal("%s line %d: missing integer value.",
495 case sLoginGraceTime:
496 intptr = &options->login_grace_time;
499 if (!arg || *arg == '\0')
500 fatal("%s line %d: missing time value.",
502 if ((value = convtime(arg)) == -1)
503 fatal("%s line %d: invalid time value.",
509 case sKeyRegenerationTime:
510 intptr = &options->key_regeneration_time;
515 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
516 fatal("%s line %d: missing inet addr.",
519 if ((p = strchr(arg, ']')) == NULL)
520 fatal("%s line %d: bad ipv6 inet addr usage.",
523 memmove(p, p+1, strlen(p+1)+1);
524 } else if (((p = strchr(arg, ':')) == NULL) ||
525 (strchr(p+1, ':') != NULL)) {
526 add_listen_addr(options, arg, 0);
534 fatal("%s line %d: bad inet addr:port usage.",
538 if ((port = a2port(p)) == 0)
539 fatal("%s line %d: bad port number.",
541 add_listen_addr(options, arg, port);
543 } else if (*p == '\0')
544 add_listen_addr(options, arg, 0);
546 fatal("%s line %d: bad inet addr usage.",
552 intptr = &options->address_family;
553 if (options->listen_addrs != NULL)
554 fatal("%s line %d: address family must be specified before "
555 "ListenAddress.", filename, linenum);
556 if (strcasecmp(arg, "inet") == 0)
558 else if (strcasecmp(arg, "inet6") == 0)
560 else if (strcasecmp(arg, "any") == 0)
563 fatal("%s line %d: unsupported address family \"%s\".",
564 filename, linenum, arg);
570 intptr = &options->num_host_key_files;
571 if (*intptr >= MAX_HOSTKEYS)
572 fatal("%s line %d: too many host keys specified (max %d).",
573 filename, linenum, MAX_HOSTKEYS);
574 charptr = &options->host_key_files[*intptr];
577 if (!arg || *arg == '\0')
578 fatal("%s line %d: missing file name.",
580 if (*charptr == NULL) {
581 *charptr = tilde_expand_filename(arg, getuid());
582 /* increase optional counter */
584 *intptr = *intptr + 1;
589 charptr = &options->pid_file;
592 case sPermitRootLogin:
593 intptr = &options->permit_root_login;
595 if (!arg || *arg == '\0')
596 fatal("%s line %d: missing yes/"
597 "without-password/forced-commands-only/no "
598 "argument.", filename, linenum);
599 value = 0; /* silence compiler */
600 if (strcmp(arg, "without-password") == 0)
601 value = PERMIT_NO_PASSWD;
602 else if (strcmp(arg, "forced-commands-only") == 0)
603 value = PERMIT_FORCED_ONLY;
604 else if (strcmp(arg, "yes") == 0)
606 else if (strcmp(arg, "no") == 0)
609 fatal("%s line %d: Bad yes/"
610 "without-password/forced-commands-only/no "
611 "argument: %s", filename, linenum, arg);
617 intptr = &options->ignore_rhosts;
620 if (!arg || *arg == '\0')
621 fatal("%s line %d: missing yes/no argument.",
623 value = 0; /* silence compiler */
624 if (strcmp(arg, "yes") == 0)
626 else if (strcmp(arg, "no") == 0)
629 fatal("%s line %d: Bad yes/no argument: %s",
630 filename, linenum, arg);
635 case sIgnoreUserKnownHosts:
636 intptr = &options->ignore_user_known_hosts;
639 case sRhostsRSAAuthentication:
640 intptr = &options->rhosts_rsa_authentication;
643 case sHostbasedAuthentication:
644 intptr = &options->hostbased_authentication;
647 case sHostbasedUsesNameFromPacketOnly:
648 intptr = &options->hostbased_uses_name_from_packet_only;
651 case sRSAAuthentication:
652 intptr = &options->rsa_authentication;
655 case sPubkeyAuthentication:
656 intptr = &options->pubkey_authentication;
659 case sKerberosAuthentication:
660 intptr = &options->kerberos_authentication;
663 case sKerberosOrLocalPasswd:
664 intptr = &options->kerberos_or_local_passwd;
667 case sKerberosTicketCleanup:
668 intptr = &options->kerberos_ticket_cleanup;
671 case sKerberosGetAFSToken:
672 intptr = &options->kerberos_get_afs_token;
675 case sGssAuthentication:
676 intptr = &options->gss_authentication;
679 case sGssCleanupCreds:
680 intptr = &options->gss_cleanup_creds;
683 case sPasswordAuthentication:
684 intptr = &options->password_authentication;
687 case sKbdInteractiveAuthentication:
688 intptr = &options->kbd_interactive_authentication;
691 case sChallengeResponseAuthentication:
692 intptr = &options->challenge_response_authentication;
696 intptr = &options->print_motd;
700 intptr = &options->print_lastlog;
704 intptr = &options->x11_forwarding;
707 case sX11DisplayOffset:
708 intptr = &options->x11_display_offset;
711 case sX11UseLocalhost:
712 intptr = &options->x11_use_localhost;
716 charptr = &options->xauth_location;
720 intptr = &options->strict_modes;
724 intptr = &options->tcp_keep_alive;
728 intptr = &options->permit_empty_passwd;
731 case sPermitUserEnvironment:
732 intptr = &options->permit_user_env;
736 intptr = &options->use_login;
740 intptr = &options->compression;
744 intptr = &options->gateway_ports;
748 intptr = &options->use_dns;
752 intptr = (int *) &options->log_facility;
754 value = log_facility_number(arg);
755 if (value == SYSLOG_FACILITY_NOT_SET)
756 fatal("%.200s line %d: unsupported log facility '%s'",
757 filename, linenum, arg ? arg : "<NONE>");
759 *intptr = (SyslogFacility) value;
763 intptr = (int *) &options->log_level;
765 value = log_level_number(arg);
766 if (value == SYSLOG_LEVEL_NOT_SET)
767 fatal("%.200s line %d: unsupported log level '%s'",
768 filename, linenum, arg ? arg : "<NONE>");
770 *intptr = (LogLevel) value;
773 case sAllowTcpForwarding:
774 intptr = &options->allow_tcp_forwarding;
777 case sUsePrivilegeSeparation:
778 intptr = &use_privsep;
782 while ((arg = strdelim(&cp)) && *arg != '\0') {
783 if (options->num_allow_users >= MAX_ALLOW_USERS)
784 fatal("%s line %d: too many allow users.",
786 options->allow_users[options->num_allow_users++] =
792 while ((arg = strdelim(&cp)) && *arg != '\0') {
793 if (options->num_deny_users >= MAX_DENY_USERS)
794 fatal( "%s line %d: too many deny users.",
796 options->deny_users[options->num_deny_users++] =
802 while ((arg = strdelim(&cp)) && *arg != '\0') {
803 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
804 fatal("%s line %d: too many allow groups.",
806 options->allow_groups[options->num_allow_groups++] =
812 while ((arg = strdelim(&cp)) && *arg != '\0') {
813 if (options->num_deny_groups >= MAX_DENY_GROUPS)
814 fatal("%s line %d: too many deny groups.",
816 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
822 if (!arg || *arg == '\0')
823 fatal("%s line %d: Missing argument.", filename, linenum);
824 if (!ciphers_valid(arg))
825 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
826 filename, linenum, arg ? arg : "<NONE>");
827 if (options->ciphers == NULL)
828 options->ciphers = xstrdup(arg);
833 if (!arg || *arg == '\0')
834 fatal("%s line %d: Missing argument.", filename, linenum);
836 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
837 filename, linenum, arg ? arg : "<NONE>");
838 if (options->macs == NULL)
839 options->macs = xstrdup(arg);
843 intptr = &options->protocol;
845 if (!arg || *arg == '\0')
846 fatal("%s line %d: Missing argument.", filename, linenum);
847 value = proto_spec(arg);
848 if (value == SSH_PROTO_UNKNOWN)
849 fatal("%s line %d: Bad protocol spec '%s'.",
850 filename, linenum, arg ? arg : "<NONE>");
851 if (*intptr == SSH_PROTO_UNKNOWN)
856 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
857 fatal("%s line %d: too many subsystems defined.",
861 if (!arg || *arg == '\0')
862 fatal("%s line %d: Missing subsystem name.",
864 for (i = 0; i < options->num_subsystems; i++)
865 if (strcmp(arg, options->subsystem_name[i]) == 0)
866 fatal("%s line %d: Subsystem '%s' already defined.",
867 filename, linenum, arg);
868 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
870 if (!arg || *arg == '\0')
871 fatal("%s line %d: Missing subsystem command.",
873 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
874 options->num_subsystems++;
879 if (!arg || *arg == '\0')
880 fatal("%s line %d: Missing MaxStartups spec.",
882 if ((n = sscanf(arg, "%d:%d:%d",
883 &options->max_startups_begin,
884 &options->max_startups_rate,
885 &options->max_startups)) == 3) {
886 if (options->max_startups_begin >
887 options->max_startups ||
888 options->max_startups_rate > 100 ||
889 options->max_startups_rate < 1)
890 fatal("%s line %d: Illegal MaxStartups spec.",
893 fatal("%s line %d: Illegal MaxStartups spec.",
896 options->max_startups = options->max_startups_begin;
900 intptr = &options->max_authtries;
904 charptr = &options->banner;
907 * These options can contain %X options expanded at
908 * connect time, so that you can specify paths like:
910 * AuthorizedKeysFile /etc/ssh_keys/%u
912 case sAuthorizedKeysFile:
913 case sAuthorizedKeysFile2:
914 charptr = (opcode == sAuthorizedKeysFile ) ?
915 &options->authorized_keys_file :
916 &options->authorized_keys_file2;
919 case sClientAliveInterval:
920 intptr = &options->client_alive_interval;
923 case sClientAliveCountMax:
924 intptr = &options->client_alive_count_max;
928 while ((arg = strdelim(&cp)) && *arg != '\0') {
929 if (strchr(arg, '=') != NULL)
930 fatal("%s line %d: Invalid environment name.",
932 if (options->num_accept_env >= MAX_ACCEPT_ENV)
933 fatal("%s line %d: too many allow env.",
935 options->accept_env[options->num_accept_env++] =
941 logit("%s line %d: Deprecated option %s",
942 filename, linenum, arg);
948 logit("%s line %d: Unsupported option %s",
949 filename, linenum, arg);
955 fatal("%s line %d: Missing handler for opcode %s (%d)",
956 filename, linenum, arg, opcode);
958 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
959 fatal("%s line %d: garbage at end of line; \"%.200s\".",
960 filename, linenum, arg);
964 /* Reads the server configuration file. */
967 load_server_config(const char *filename, Buffer *conf)
969 char line[1024], *cp;
972 debug2("%s: filename %s", __func__, filename);
973 if ((f = fopen(filename, "r")) == NULL) {
978 while (fgets(line, sizeof(line), f)) {
980 * Trim out comments and strip whitespace
981 * NB - preserve newlines, they are needed to reproduce
982 * line numbers later for error messages
984 if ((cp = strchr(line, '#')) != NULL)
986 cp = line + strspn(line, " \t\r");
988 buffer_append(conf, cp, strlen(cp));
990 buffer_append(conf, "\0", 1);
992 debug2("%s: done config len = %d", __func__, buffer_len(conf));
996 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
998 int linenum, bad_options = 0;
999 char *cp, *obuf, *cbuf;
1001 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1003 obuf = cbuf = xstrdup(buffer_ptr(conf));
1005 while((cp = strsep(&cbuf, "\n")) != NULL) {
1006 if (process_server_config_line(options, cp, filename,
1011 if (bad_options > 0)
1012 fatal("%s: terminating, %d bad configuration options",
1013 filename, bad_options);