5 * Author: Tatu Ylonen <ylo@cs.hut.fi>
7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
10 * Created: Mon Aug 21 15:48:58 1995 ylo
22 /*
 * add listen address: resolve addr (NULL = AI_PASSIVE wildcard) for every
 * entry of options->ports[] via getaddrinfo() and prepend the results to
 * options->listen_addrs. Resolution failure is fatal(); see the definition
 * further down.
 */
23 void add_listen_addr(ServerOptions *options, char *addr);
25 /* Initializes the server options to their default values. */
/*
 * "Default" here means "unset": after zeroing the whole struct, every field
 * gets an explicit unset sentinel (-1 for ints and enums, NULL for pointers,
 * SSH_PROTO_UNKNOWN for protocol). read_server_config() uses the sentinel to
 * let an earlier setting win for some fields (HostKey, Ciphers, Protocol are
 * only assigned while still unset — presumably so values set before the file
 * is read, e.g. from the command line, take precedence), and
 * fill_default_server_options() replaces whatever is still unset with the
 * compiled-in default. The struct is not usable until that has run.
 *
 * The Kerberos, AFS and S/Key assignments below presumably sit under
 * build-time #ifdef guards on lines this listing does not show.
 */
28 initialize_server_options(ServerOptions *options)
30 memset(options, 0, sizeof(*options));	/* zeroes counters, arrays and every field not listed below */
31 options->num_ports = 0;
32 options->ports_from_cmdline = 0;	/* nonzero makes read_server_config() ignore Port directives */
33 options->listen_addrs = NULL;	/* getaddrinfo() chain, built by add_listen_addr() */
34 options->host_key_file = NULL;
35 options->host_dsa_key_file = NULL;
36 options->pid_file = NULL;
37 options->server_key_bits = -1;
38 options->login_grace_time = -1;
39 options->key_regeneration_time = -1;
40 options->permit_root_login = -1;	/* resolved to 1 ("yes") if the config never sets it */
41 options->ignore_rhosts = -1;
42 options->ignore_user_known_hosts = -1;
43 options->print_motd = -1;
44 options->check_mail = -1;
45 options->x11_forwarding = -1;
46 options->x11_display_offset = -1;
47 options->xauth_location = NULL;
48 options->strict_modes = -1;
49 options->keepalives = -1;
50 options->log_facility = (SyslogFacility) - 1;	/* enum sentinels; compared as (SyslogFacility)(-1) / (LogLevel)(-1) later */
51 options->log_level = (LogLevel) - 1;
52 options->rhosts_authentication = -1;
53 options->rhosts_rsa_authentication = -1;
54 options->rsa_authentication = -1;
55 options->dsa_authentication = -1;
57 options->kerberos_authentication = -1;
58 options->kerberos_or_local_passwd = -1;
59 options->kerberos_ticket_cleanup = -1;
62 options->kerberos_tgt_passing = -1;
63 options->afs_token_passing = -1;
65 options->password_authentication = -1;
67 options->skey_authentication = -1;
69 options->permit_empty_passwd = -1;
70 options->use_login = -1;
71 options->num_allow_users = 0;	/* the four list counters index fixed-size arrays bounded by MAX_* in read_server_config() */
72 options->num_deny_users = 0;
73 options->num_allow_groups = 0;
74 options->num_deny_groups = 0;
75 options->ciphers = NULL;
76 options->protocol = SSH_PROTO_UNKNOWN;	/* "no Protocol directive yet"; fill_default_server_options() sets both bits */
77 options->gateway_ports = -1;
78 options->num_subsystems = 0;
/*
 * Resolve every field that still holds its "unset" sentinel (-1 / NULL /
 * SSH_PROTO_UNKNOWN, see initialize_server_options()) to the compiled-in
 * default. Fields already set are left untouched, so this must run after the
 * config file has been read. Several of the defaults below are security policy
 * (root login, empty passwords, which auth methods are on); the comments note
 * the effective value. Some blocks (XAUTH_PATH, Kerberos, AFS, S/Key) are
 * under #ifdef guards whose opening lines this listing does not show.
 */
82 fill_default_server_options(ServerOptions *options)
84 if (options->num_ports == 0)
85 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;	/* must precede add_listen_addr(), which resolves each ports[] entry */
86 if (options->listen_addrs == NULL)
87 add_listen_addr(options, NULL);	/* NULL addr -> AI_PASSIVE wildcard listener on every configured port */
88 if (options->host_key_file == NULL)
89 options->host_key_file = HOST_KEY_FILE;	/* compiled-in paths; config values come through tilde_expand_filename() instead */
90 if (options->host_dsa_key_file == NULL)
91 options->host_dsa_key_file = HOST_DSA_KEY_FILE;
92 if (options->pid_file == NULL)
93 options->pid_file = SSH_DAEMON_PID_FILE;
94 if (options->server_key_bits == -1)
95 options->server_key_bits = 768;	/* bits */
96 if (options->login_grace_time == -1)
97 options->login_grace_time = 600;	/* seconds */
98 if (options->key_regeneration_time == -1)
99 options->key_regeneration_time = 3600;	/* seconds */
100 if (options->permit_root_login == -1)
101 options->permit_root_login = 1; /* yes: root login permitted by default; read_server_config() also accepts "without-password" and "no" */
102 if (options->ignore_rhosts == -1)
103 options->ignore_rhosts = 1;	/* on */
104 if (options->ignore_user_known_hosts == -1)
105 options->ignore_user_known_hosts = 0;	/* off */
106 if (options->check_mail == -1)
107 options->check_mail = 0;
108 if (options->print_motd == -1)
109 options->print_motd = 1;
110 if (options->x11_forwarding == -1)
111 options->x11_forwarding = 0;	/* X11 forwarding off unless the config enables it */
112 if (options->x11_display_offset == -1)
113 options->x11_display_offset = 10;
/* #ifdef XAUTH_PATH opens on the preceding line (not shown); without it there is no default xauth path */
115 if (options->xauth_location == NULL)
116 options->xauth_location = XAUTH_PATH;
117 #endif /* XAUTH_PATH */
118 if (options->strict_modes == -1)
119 options->strict_modes = 1;	/* on */
120 if (options->keepalives == -1)
121 options->keepalives = 1;	/* on */
122 if (options->log_facility == (SyslogFacility) (-1))	/* enum sentinels from initialize_server_options() */
123 options->log_facility = SYSLOG_FACILITY_AUTH;
124 if (options->log_level == (LogLevel) (-1))
125 options->log_level = SYSLOG_LEVEL_INFO;
126 if (options->rhosts_authentication == -1)
127 options->rhosts_authentication = 0;	/* off */
128 if (options->rhosts_rsa_authentication == -1)
129 options->rhosts_rsa_authentication = 0;	/* off */
130 if (options->rsa_authentication == -1)
131 options->rsa_authentication = 1;	/* on */
132 if (options->dsa_authentication == -1)
133 options->dsa_authentication = 1;	/* on */
/*
 * Kerberos is switched on automatically when KEYFILE (presumably the Kerberos
 * key file) is readable by this process at startup. This is an existence and
 * permission probe via access(), not a validation of the file's contents, and
 * the result is fixed for the lifetime of the daemon.
 */
135 if (options->kerberos_authentication == -1)
136 options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
137 if (options->kerberos_or_local_passwd == -1)
138 options->kerberos_or_local_passwd = 1;
139 if (options->kerberos_ticket_cleanup == -1)
140 options->kerberos_ticket_cleanup = 1;
143 if (options->kerberos_tgt_passing == -1)
144 options->kerberos_tgt_passing = 0;	/* off */
145 if (options->afs_token_passing == -1)
146 options->afs_token_passing = k_hasafs();	/* runtime probe, presumably for AFS availability — value is whatever k_hasafs() reports */
148 if (options->password_authentication == -1)
149 options->password_authentication = 1;	/* on */
151 if (options->skey_authentication == -1)
152 options->skey_authentication = 1;	/* on */
154 if (options->permit_empty_passwd == -1)
155 options->permit_empty_passwd = 0;	/* empty passwords refused unless the config allows them */
156 if (options->use_login == -1)
157 options->use_login = 0;
158 if (options->protocol == SSH_PROTO_UNKNOWN)
159 options->protocol = SSH_PROTO_1|SSH_PROTO_2;	/* no Protocol directive: both protocol bits set */
160 if (options->gateway_ports == -1)
161 options->gateway_ports = 0;	/* off */
/*
 * Separator set for the strtok() calls in read_server_config(). Because '='
 * is in the set, "Keyword=value" tokenises the same way as "Keyword value".
 */
164 #define WHITESPACE " \t\r\n="
166 /* Keyword tokens. */
/*
 * One opcode per recognised configuration keyword. parse_token() maps
 * keywords[] entries onto these and read_server_config() switches on them.
 * Members referenced elsewhere but not visible here (e.g. sSkeyAuthentication,
 * used by the keyword table and the parser) presumably sit under build-time
 * #ifdef guards on lines this listing does not show.
 */
168 sBadOption, /* == unknown option; parse_token() reports it on stderr and read_server_config() presumably counts it in bad_options */
169 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
170 sPermitRootLogin, sLogFacility, sLogLevel,
171 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
173 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
176 sKerberosTgtPassing, sAFSTokenPassing,
181 sPasswordAuthentication, sListenAddress,
182 sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
/* sRandomSeedFile is accepted but obsolete: read_server_config() warns and discards its argument */
183 sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
184 sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
185 sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
186 sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem
189 /* Textual representation of the tokens. */
/*
 * Keyword table: each entry pairs a configuration keyword with its opcode.
 * parse_token() matches case-insensitively (strcasecmp) and stops at the first
 * entry whose name is NULL, so the table relies on a NULL-name terminator (on
 * a line not shown here). Entries for conditionally compiled features (e.g.
 * "skeyauthentication") are presumably bracketed by #ifdef lines not shown.
 */
192 ServerOpCodes opcode;	/* opcode handed back by parse_token() for this keyword */
195 { "hostkey", sHostKeyFile },
196 { "hostdsakey", sHostDSAKeyFile },
197 { "pidfile", sPidFile },
198 { "serverkeybits", sServerKeyBits },
199 { "logingracetime", sLoginGraceTime },
200 { "keyregenerationinterval", sKeyRegenerationTime },
201 { "permitrootlogin", sPermitRootLogin },
202 { "syslogfacility", sLogFacility },
203 { "loglevel", sLogLevel },
204 { "rhostsauthentication", sRhostsAuthentication },
205 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
206 { "rsaauthentication", sRSAAuthentication },
207 { "dsaauthentication", sDSAAuthentication },
209 { "kerberosauthentication", sKerberosAuthentication },
210 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
211 { "kerberosticketcleanup", sKerberosTicketCleanup },
214 { "kerberostgtpassing", sKerberosTgtPassing },
215 { "afstokenpassing", sAFSTokenPassing },
217 { "passwordauthentication", sPasswordAuthentication },
219 { "skeyauthentication", sSkeyAuthentication },
221 { "checkmail", sCheckMail },
222 { "listenaddress", sListenAddress },
223 { "printmotd", sPrintMotd },
224 { "ignorerhosts", sIgnoreRhosts },
225 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
226 { "x11forwarding", sX11Forwarding },
227 { "x11displayoffset", sX11DisplayOffset },
228 { "xauthlocation", sXAuthLocation },
229 { "strictmodes", sStrictModes },
230 { "permitemptypasswords", sEmptyPasswd },
231 { "uselogin", sUseLogin },
232 { "randomseed", sRandomSeedFile },	/* still parsed, but read_server_config() reports it as obsolete */
233 { "keepalive", sKeepAlives },
234 { "allowusers", sAllowUsers },
235 { "denyusers", sDenyUsers },
236 { "allowgroups", sAllowGroups },
237 { "denygroups", sDenyGroups },
238 { "ciphers", sCiphers },
239 { "protocol", sProtocol },
240 { "gatewayports", sGatewayPorts },
241 { "subsystem", sSubsystem },
246 * Returns the opcode for the keyword cp, looked up case-insensitively
247 * (strcasecmp) in keywords[]; the loop stops at the table's NULL-name
 * terminator. An unknown keyword is reported on stderr with filename and
 * linenum rather than through fatal(), so the line following the fprintf
 * (not shown) presumably returns sBadOption — confirm. Note that the former
 * wording "token ... of length len" referred to no parameter of the visible
 * signature; cp is a NUL-terminated token from strtok().
251 parse_token(const char *cp, const char *filename,
256 for (i = 0; keywords[i].name; i++)
257 if (strcasecmp(cp, keywords[i].name) == 0)
258 return keywords[i].opcode;
260 fprintf(stderr, "%s: line %d: Bad configuration option: %s\n",
261 filename, linenum, cp);
/*
 * Resolve addr for every configured port and prepend the results to
 * options->listen_addrs.
 *
 * addr == NULL selects AI_PASSIVE (the wildcard address); otherwise the
 * literal or hostname is resolved by getaddrinfo() with the port number as the
 * service string. Any resolution failure is fatal(). No range check is applied
 * to options->ports[] here: each value is formatted with "%d" as stored. The
 * declarations of i and gaierr and the function's opening/closing lines are
 * not shown in this listing.
 */
269 add_listen_addr(ServerOptions *options, char *addr)
272 struct addrinfo hints, *ai, *aitop;
273 char strport[NI_MAXSERV];	/* decimal port as a getaddrinfo() service string */
277 if (options->num_ports == 0)
278 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;	/* same fallback as fill_default_server_options(); covers a ListenAddress directive seen before any Port (read_server_config() rejects the reverse order) */
279 for (i = 0; i < options->num_ports; i++) {
280 memset(&hints, 0, sizeof(hints));
281 hints.ai_family = IPv4or6;	/* address-family selector defined elsewhere */
282 hints.ai_socktype = SOCK_STREAM;
283 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;	/* NULL -> wildcard bind address */
284 snprintf(strport, sizeof strport, "%d", options->ports[i]);
285 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
286 fatal("bad addr or host: %s (%s)\n",
287 addr ? addr : "<NULL>",
288 gai_strerror(gaierr));
289 for (ai = aitop; ai->ai_next; ai = ai->ai_next)	/* walk to the last result; the empty loop body is on the unshown next line */
291 ai->ai_next = options->listen_addrs;	/* splice: this port's results first, previously collected addresses after them */
292 options->listen_addrs = aitop;
296 /* Reads the server configuration file. */
299 read_server_config(ServerOptions *options, const char *filename)
304 int linenum, *intptr, value;
306 ServerOpCodes opcode;
309 f = fopen(filename, "r");
315 while (fgets(line, sizeof(line), f)) {
317 cp = line + strspn(line, WHITESPACE);
318 if (!*cp || *cp == '#')
320 cp = strtok(cp, WHITESPACE);
321 opcode = parse_token(cp, filename, linenum);
327 /* ignore ports from configfile if cmdline specifies ports */
328 if (options->ports_from_cmdline)
330 if (options->listen_addrs != NULL)
331 fatal("%s line %d: ports must be specified before "
332 "ListenAdress.\n", filename, linenum);
333 if (options->num_ports >= MAX_PORTS)
334 fatal("%s line %d: too many ports.\n",
336 cp = strtok(NULL, WHITESPACE);
338 fatal("%s line %d: missing port number.\n",
340 options->ports[options->num_ports++] = atoi(cp);
344 intptr = &options->server_key_bits;
346 cp = strtok(NULL, WHITESPACE);
348 fprintf(stderr, "%s line %d: missing integer value.\n",
357 case sLoginGraceTime:
358 intptr = &options->login_grace_time;
361 case sKeyRegenerationTime:
362 intptr = &options->key_regeneration_time;
366 cp = strtok(NULL, WHITESPACE);
368 fatal("%s line %d: missing inet addr.\n",
370 add_listen_addr(options, cp);
374 case sHostDSAKeyFile:
375 charptr = (opcode == sHostKeyFile ) ?
376 &options->host_key_file : &options->host_dsa_key_file;
378 cp = strtok(NULL, WHITESPACE);
380 fprintf(stderr, "%s line %d: missing file name.\n",
384 if (*charptr == NULL)
385 *charptr = tilde_expand_filename(cp, getuid());
389 charptr = &options->pid_file;
392 case sRandomSeedFile:
393 fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
395 cp = strtok(NULL, WHITESPACE);
398 case sPermitRootLogin:
399 intptr = &options->permit_root_login;
400 cp = strtok(NULL, WHITESPACE);
402 fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
406 if (strcmp(cp, "without-password") == 0)
408 else if (strcmp(cp, "yes") == 0)
410 else if (strcmp(cp, "no") == 0)
413 fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
414 filename, linenum, cp);
422 intptr = &options->ignore_rhosts;
424 cp = strtok(NULL, WHITESPACE);
426 fprintf(stderr, "%s line %d: missing yes/no argument.\n",
430 if (strcmp(cp, "yes") == 0)
432 else if (strcmp(cp, "no") == 0)
435 fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
436 filename, linenum, cp);
443 case sIgnoreUserKnownHosts:
444 intptr = &options->ignore_user_known_hosts;
447 case sRhostsAuthentication:
448 intptr = &options->rhosts_authentication;
451 case sRhostsRSAAuthentication:
452 intptr = &options->rhosts_rsa_authentication;
455 case sRSAAuthentication:
456 intptr = &options->rsa_authentication;
459 case sDSAAuthentication:
460 intptr = &options->dsa_authentication;
464 case sKerberosAuthentication:
465 intptr = &options->kerberos_authentication;
468 case sKerberosOrLocalPasswd:
469 intptr = &options->kerberos_or_local_passwd;
472 case sKerberosTicketCleanup:
473 intptr = &options->kerberos_ticket_cleanup;
478 case sKerberosTgtPassing:
479 intptr = &options->kerberos_tgt_passing;
482 case sAFSTokenPassing:
483 intptr = &options->afs_token_passing;
487 case sPasswordAuthentication:
488 intptr = &options->password_authentication;
492 intptr = &options->check_mail;
496 case sSkeyAuthentication:
497 intptr = &options->skey_authentication;
502 intptr = &options->print_motd;
506 intptr = &options->x11_forwarding;
509 case sX11DisplayOffset:
510 intptr = &options->x11_display_offset;
514 charptr = &options->xauth_location;
518 intptr = &options->strict_modes;
522 intptr = &options->keepalives;
526 intptr = &options->permit_empty_passwd;
530 intptr = &options->use_login;
534 intptr = &options->gateway_ports;
538 intptr = (int *) &options->log_facility;
539 cp = strtok(NULL, WHITESPACE);
540 value = log_facility_number(cp);
541 if (value == (SyslogFacility) - 1)
542 fatal("%.200s line %d: unsupported log facility '%s'\n",
543 filename, linenum, cp ? cp : "<NONE>");
545 *intptr = (SyslogFacility) value;
549 intptr = (int *) &options->log_level;
550 cp = strtok(NULL, WHITESPACE);
551 value = log_level_number(cp);
552 if (value == (LogLevel) - 1)
553 fatal("%.200s line %d: unsupported log level '%s'\n",
554 filename, linenum, cp ? cp : "<NONE>");
556 *intptr = (LogLevel) value;
560 while ((cp = strtok(NULL, WHITESPACE))) {
561 if (options->num_allow_users >= MAX_ALLOW_USERS)
562 fatal("%s line %d: too many allow users.\n",
564 options->allow_users[options->num_allow_users++] = xstrdup(cp);
569 while ((cp = strtok(NULL, WHITESPACE))) {
570 if (options->num_deny_users >= MAX_DENY_USERS)
571 fatal( "%s line %d: too many deny users.\n",
573 options->deny_users[options->num_deny_users++] = xstrdup(cp);
578 while ((cp = strtok(NULL, WHITESPACE))) {
579 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
580 fatal("%s line %d: too many allow groups.\n",
582 options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
587 while ((cp = strtok(NULL, WHITESPACE))) {
588 if (options->num_deny_groups >= MAX_DENY_GROUPS)
589 fatal("%s line %d: too many deny groups.\n",
591 options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
596 cp = strtok(NULL, WHITESPACE);
598 fatal("%s line %d: Missing argument.", filename, linenum);
599 if (!ciphers_valid(cp))
600 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
601 filename, linenum, cp ? cp : "<NONE>");
602 if (options->ciphers == NULL)
603 options->ciphers = xstrdup(cp);
607 intptr = &options->protocol;
608 cp = strtok(NULL, WHITESPACE);
610 fatal("%s line %d: Missing argument.", filename, linenum);
611 value = proto_spec(cp);
612 if (value == SSH_PROTO_UNKNOWN)
613 fatal("%s line %d: Bad protocol spec '%s'.",
614 filename, linenum, cp ? cp : "<NONE>");
615 if (*intptr == SSH_PROTO_UNKNOWN)
620 if(options->num_subsystems >= MAX_SUBSYSTEMS) {
621 fatal("%s line %d: too many subsystems defined.",
624 cp = strtok(NULL, WHITESPACE);
626 fatal("%s line %d: Missing subsystem name.",
628 for (i = 0; i < options->num_subsystems; i++)
629 if(strcmp(cp, options->subsystem_name[i]) == 0)
630 fatal("%s line %d: Subsystem '%s' already defined.",
631 filename, linenum, cp);
632 options->subsystem_name[options->num_subsystems] = xstrdup(cp);
633 cp = strtok(NULL, WHITESPACE);
635 fatal("%s line %d: Missing subsystem command.",
637 options->subsystem_command[options->num_subsystems] = xstrdup(cp);
638 options->num_subsystems++;
642 fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
643 filename, linenum, cp, opcode);
646 if (strtok(NULL, WHITESPACE) != NULL) {
647 fprintf(stderr, "%s line %d: garbage at end of line.\n",
653 if (bad_options > 0) {
654 fprintf(stderr, "%s: terminating, %d bad configuration options\n",
655 filename, bad_options);