1 /* $OpenBSD: readconf.c,v 1.156 2006/07/17 01:31:09 stevesk Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
25 #if defined(HAVE_NETDB_H)
34 #include "pathnames.h"
42 /* Format of the configuration file:
44 # Configuration data is parsed as follows:
45 # 1. command line options
46 # 2. user-specific file
48 # Any configuration value is only changed the first time it is set.
49 # Thus, host-specific definitions should be at the beginning of the
50 # configuration file, and defaults at the end.
52 # Host-specific declarations. These may override anything above. A single
53 # host may match multiple declarations; these are processed in the order
54 # that they are given in.
60 HostName another.host.name.real.org
67 RemoteForward 9999 shadows.cs.hut.fi:9999
73 PasswordAuthentication no
77 ProxyCommand ssh-proxy %h %p
80 PublicKeyAuthentication no
84 PasswordAuthentication no
90 # Defaults for various options
94 PasswordAuthentication yes
96 RhostsRSAAuthentication yes
97 StrictHostKeyChecking yes
99 IdentityFile ~/.ssh/identity
105 /* Keyword tokens. */
/*
 * One token per recognised keyword.  parse_token() maps a keyword string to
 * one of these and process_config_line() switches on the result.  The
 * enclosing typedef/enum header and terminator are not part of this
 * excerpt.
 */
109 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
110 oExitOnForwardFailure,
111 oPasswordAuthentication, oRSAAuthentication,
112 oChallengeResponseAuthentication, oXAuthLocation,
113 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
114 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
115 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
116 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
117 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
118 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
119 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
120 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
121 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
122 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
123 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
124 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
125 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
126 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
127 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
128 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
/*
 * oDeprecated: the keyword is accepted and only logged (debug level);
 * oUnsupported: the keyword is reported with error().  Neither stores a
 * value (see the tail of process_config_line()).
 */
129 oDeprecated, oUnsupported
132 /* Textual representations of the tokens. */
/*
 * Keyword table.  Names are stored in lower case because parse_token()
 * compares with strcasecmp(), so configuration keywords are
 * case-insensitive.  Several names map to the same token (aliases), and
 * keywords that no longer do anything are routed to oDeprecated or
 * oUnsupported instead of being removed, so old config files still parse.
 * The table header and its NULL terminator are not part of this excerpt.
 */
138 { "forwardagent", oForwardAgent },
139 { "forwardx11", oForwardX11 },
140 { "forwardx11trusted", oForwardX11Trusted },
141 { "exitonforwardfailure", oExitOnForwardFailure },
142 { "xauthlocation", oXAuthLocation },
143 { "gatewayports", oGatewayPorts },
144 { "useprivilegedport", oUsePrivilegedPort },
/* Kept for backward compatibility only: logged and otherwise ignored. */
145 { "rhostsauthentication", oDeprecated },
146 { "passwordauthentication", oPasswordAuthentication },
147 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
148 { "kbdinteractivedevices", oKbdInteractiveDevices },
149 { "rsaauthentication", oRSAAuthentication },
150 { "pubkeyauthentication", oPubkeyAuthentication },
151 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
152 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
153 { "hostbasedauthentication", oHostbasedAuthentication },
154 { "challengeresponseauthentication", oChallengeResponseAuthentication },
155 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
156 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
/* Kerberos/AFS keywords are recognised so they produce a clear error. */
157 { "kerberosauthentication", oUnsupported },
158 { "kerberostgtpassing", oUnsupported },
159 { "afstokenpassing", oUnsupported },
161 { "gssapiauthentication", oGssAuthentication },
162 { "gssapidelegatecredentials", oGssDelegateCreds },
/*
 * NOTE(review): the two GSSAPI keywords appear a second time here mapped to
 * oUnsupported.  Presumably the two pairs sit in the branches of a
 * conditional-compilation directive that did not survive extraction
 * (parse_token() returns the first match, so a real duplicate would make
 * the second pair unreachable) -- confirm against the full source.
 */
164 { "gssapiauthentication", oUnsupported },
165 { "gssapidelegatecredentials", oUnsupported },
167 { "fallbacktorsh", oDeprecated },
168 { "usersh", oDeprecated },
169 { "identityfile", oIdentityFile },
170 { "identityfile2", oIdentityFile }, /* alias */
171 { "identitiesonly", oIdentitiesOnly },
172 { "hostname", oHostName },
173 { "hostkeyalias", oHostKeyAlias },
174 { "proxycommand", oProxyCommand },
176 { "cipher", oCipher },
177 { "ciphers", oCiphers },
179 { "protocol", oProtocol },
180 { "remoteforward", oRemoteForward },
181 { "localforward", oLocalForward },
184 { "escapechar", oEscapeChar },
185 { "globalknownhostsfile", oGlobalKnownHostsFile },
186 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
187 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
188 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
189 { "connectionattempts", oConnectionAttempts },
190 { "batchmode", oBatchMode },
191 { "checkhostip", oCheckHostIP },
192 { "stricthostkeychecking", oStrictHostKeyChecking },
193 { "compression", oCompression },
194 { "compressionlevel", oCompressionLevel },
195 { "tcpkeepalive", oTCPKeepAlive },
196 { "keepalive", oTCPKeepAlive }, /* obsolete */
197 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
198 { "loglevel", oLogLevel },
199 { "dynamicforward", oDynamicForward },
200 { "preferredauthentications", oPreferredAuthentications },
201 { "hostkeyalgorithms", oHostKeyAlgorithms },
202 { "bindaddress", oBindAddress },
204 { "smartcarddevice", oSmartcardDevice },
/*
 * NOTE(review): same pattern as the GSSAPI pair above -- "smartcarddevice"
 * is listed twice (supported, then oUnsupported); presumably alternative
 * branches of a build-time conditional not visible here.
 */
206 { "smartcarddevice", oUnsupported },
208 { "clearallforwardings", oClearAllForwardings },
209 { "enablesshkeysign", oEnableSSHKeysign },
210 { "verifyhostkeydns", oVerifyHostKeyDNS },
211 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
212 { "rekeylimit", oRekeyLimit },
213 { "connecttimeout", oConnectTimeout },
214 { "addressfamily", oAddressFamily },
215 { "serveraliveinterval", oServerAliveInterval },
216 { "serveralivecountmax", oServerAliveCountMax },
217 { "sendenv", oSendEnv },
218 { "controlpath", oControlPath },
219 { "controlmaster", oControlMaster },
220 { "hashknownhosts", oHashKnownHosts },
221 { "tunnel", oTunnel },
222 { "tunneldevice", oTunnelDevice },
223 { "localcommand", oLocalCommand },
224 { "permitlocalcommand", oPermitLocalCommand },
229 * Adds a local TCP/IP port forward to options. Never returns if there is an
/*
 * add_local_forward: append a copy of *newfwd to options->local_forwards.
 * The host strings are duplicated with xstrdup(), so the caller keeps
 * ownership of newfwd's strings and clear_forwardings() later frees the
 * copies.  Calls fatal() -- which does not return -- when the listen port
 * is below IPPORT_RESERVED and the invoking user is not root, or when
 * SSH_MAX_FORWARDS_PER_DIRECTION forwards are already configured.
 * The return type, opening brace, the declaration of fwd and the closing
 * #endif/brace are not part of this excerpt.
 */
234 add_local_forward(Options *options, const Forward *newfwd)
237 #ifndef NO_IPPORT_RESERVED_CONCEPT
238 extern uid_t original_real_uid;
/*
 * The privileged-port check is made against the user's *real* uid
 * (original_real_uid), not the effective uid, so running with elevated
 * effective privileges does not by itself allow binding a low port.
 */
239 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
240 fatal("Privileged ports can only be forwarded by root.");
/* Bounds check before indexing the fixed-size local_forwards[] array. */
242 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
243 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
/* Claim the next slot (count is bumped here) and fill it below. */
244 fwd = &options->local_forwards[options->num_local_forwards++];
/* listen_host may be NULL (bind to the default address); connect_host may not. */
246 fwd->listen_host = (newfwd->listen_host == NULL) ?
247 NULL : xstrdup(newfwd->listen_host);
248 fwd->listen_port = newfwd->listen_port;
249 fwd->connect_host = xstrdup(newfwd->connect_host);
250 fwd->connect_port = newfwd->connect_port;
254 * Adds a remote TCP/IP port forward to options. Never returns if there is
/*
 * add_remote_forward: append a copy of *newfwd to options->remote_forwards.
 * Same ownership rules as add_local_forward(): strings are xstrdup()'d
 * here and released by clear_forwardings().  Calls fatal() when the
 * per-direction limit is reached.  Note that, unlike add_local_forward(),
 * there is no IPPORT_RESERVED check in this function.  Return type,
 * braces and the declaration of fwd are not part of this excerpt.
 */
259 add_remote_forward(Options *options, const Forward *newfwd)
/* Bounds check before indexing the fixed-size remote_forwards[] array. */
262 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
263 fatal("Too many remote forwards (max %d).",
264 SSH_MAX_FORWARDS_PER_DIRECTION);
/* Claim the next slot (count is bumped here) and fill it below. */
265 fwd = &options->remote_forwards[options->num_remote_forwards++];
267 fwd->listen_host = (newfwd->listen_host == NULL) ?
268 NULL : xstrdup(newfwd->listen_host);
269 fwd->listen_port = newfwd->listen_port;
270 fwd->connect_host = xstrdup(newfwd->connect_host);
271 fwd->connect_port = newfwd->connect_port;
/*
 * clear_forwardings: free the xstrdup()'d host strings of every local and
 * remote forward, reset both counters to zero and turn tunnelling off.
 * Called from fill_default_options() when ClearAllForwardings was set.
 * The freed pointers are not reset to NULL in the lines shown; resetting
 * the counters is what makes the stale slots unreachable.  Return type,
 * the declaration of i and the loop/closing braces are not part of this
 * excerpt.
 */
275 clear_forwardings(Options *options)
279 for (i = 0; i < options->num_local_forwards; i++) {
/* listen_host is optional (may be NULL); connect_host is always present. */
280 if (options->local_forwards[i].listen_host != NULL)
281 xfree(options->local_forwards[i].listen_host);
282 xfree(options->local_forwards[i].connect_host);
284 options->num_local_forwards = 0;
285 for (i = 0; i < options->num_remote_forwards; i++) {
286 if (options->remote_forwards[i].listen_host != NULL)
287 xfree(options->remote_forwards[i].listen_host);
288 xfree(options->remote_forwards[i].connect_host);
290 options->num_remote_forwards = 0;
/* "Clear all forwardings" also disables any configured tun(4) forwarding. */
291 options->tun_open = SSH_TUNMODE_NO;
295 * Returns the number of the token pointed to by cp or oBadOption.
/*
 * parse_token: map the keyword cp to its opcode with a linear,
 * case-insensitive scan of keywords[] (terminated by a NULL name).  The
 * first matching entry wins.  An unknown keyword is reported with error()
 * -- not fatal() -- and, per the comment above, oBadOption is returned so
 * the caller can count it (the return statement is not part of this
 * excerpt, nor are the return type, braces and the declaration of i).
 */
299 parse_token(const char *cp, const char *filename, int linenum)
303 for (i = 0; keywords[i].name; i++)
304 if (strcasecmp(cp, keywords[i].name) == 0)
305 return keywords[i].opcode;
307 error("%s: line %d: Bad configuration option: %s",
308 filename, linenum, cp);
313 * Processes a single option line as used in the configuration files. This
314 * only sets those values that have not already been set.
316 #define WHITESPACE " \t\r\n"
/*
 * process_config_line: parse one line of client configuration and apply it
 * to *options.  Only the lines that survived extraction are shown, so the
 * switch on opcode, many case labels, the shared flag-parsing code and the
 * closing braces are absent; what the visible lines establish:
 *  - trailing whitespace is stripped, blank lines and lines starting with
 *    '#' are ignored, and the keyword is mapped to an opcode by
 *    parse_token();
 *  - nearly every option is stored only when *activep is set (the current
 *    Host block matches the host being connected to) AND the field still
 *    holds its "unset" sentinel (-1, NULL, SSH_PROTO_UNKNOWN,
 *    SYSLOG_LEVEL_NOT_SET).  This is what gives "first setting wins"
 *    across command line, user file and system file;
 *  - malformed arguments call fatal(), so a bad option terminates ssh
 *    rather than silently falling back to a default;
 *  - any token left after an option's arguments is fatal ("garbage at end
 *    of line").
 * Parameters visible here: options, host (pattern target for Host lines),
 * line (modified in place by strdelim()), filename/linenum (for messages);
 * activep is used but its declaration line is not shown.
 */
319 process_config_line(Options *options, const char *host,
320 char *line, const char *filename, int linenum,
323 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
324 int opcode, *intptr, value, value2, scale;
325 long long orig, val64;
329 /* Strip trailing whitespace */
/*
 * NOTE(review): if line is ever the empty string, strlen(line) - 1 wraps
 * when len is an unsigned type (its declaration is not shown) and
 * line[len] is read out of bounds.  fgets() never yields an empty string,
 * but a guard `if (strlen(line) == 0) return 0;` ahead of this loop would
 * make the function safe for any caller.
 */
330 for (len = strlen(line) - 1; len > 0; len--) {
331 if (strchr(WHITESPACE, line[len]) == NULL)
337 /* Get the keyword. (Each line is supposed to begin with a keyword). */
338 if ((keyword = strdelim(&s)) == NULL)
340 /* Ignore leading whitespace. */
341 if (*keyword == '\0')
342 keyword = strdelim(&s);
/* Blank, whitespace-only and '#' comment lines are accepted and skipped. */
343 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
346 opcode = parse_token(keyword, filename, linenum);
350 /* don't panic, but count bad options */
353 case oConnectTimeout:
354 intptr = &options->connection_timeout;
/* convtime() parses the time specification and returns -1 on error. */
357 if (!arg || *arg == '\0')
358 fatal("%s line %d: missing time value.",
360 if ((value = convtime(arg)) == -1)
361 fatal("%s line %d: invalid time value.",
368 intptr = &options->forward_agent;
/*
 * Shared yes/no parser: "yes"/"true" and "no"/"false" are the only
 * accepted spellings (the assignments to value are on lines not shown).
 * The boolean cases below only set intptr and, on lines not shown,
 * presumably jump back here.
 */
371 if (!arg || *arg == '\0')
372 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
373 value = 0; /* To avoid compiler warning... */
374 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
376 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
379 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
/* Store only for an active Host block and only if still unset. */
380 if (*activep && *intptr == -1)
385 intptr = &options->forward_x11;
388 case oForwardX11Trusted:
389 intptr = &options->forward_x11_trusted;
393 intptr = &options->gateway_ports;
396 case oExitOnForwardFailure:
397 intptr = &options->exit_on_forward_failure;
400 case oUsePrivilegedPort:
401 intptr = &options->use_privileged_port;
404 case oPasswordAuthentication:
405 intptr = &options->password_authentication;
408 case oKbdInteractiveAuthentication:
409 intptr = &options->kbd_interactive_authentication;
412 case oKbdInteractiveDevices:
413 charptr = &options->kbd_interactive_devices;
416 case oPubkeyAuthentication:
417 intptr = &options->pubkey_authentication;
420 case oRSAAuthentication:
421 intptr = &options->rsa_authentication;
424 case oRhostsRSAAuthentication:
425 intptr = &options->rhosts_rsa_authentication;
428 case oHostbasedAuthentication:
429 intptr = &options->hostbased_authentication;
432 case oChallengeResponseAuthentication:
433 intptr = &options->challenge_response_authentication;
436 case oGssAuthentication:
437 intptr = &options->gss_authentication;
440 case oGssDelegateCreds:
441 intptr = &options->gss_deleg_creds;
445 intptr = &options->batch_mode;
449 intptr = &options->check_host_ip;
452 case oVerifyHostKeyDNS:
453 intptr = &options->verify_host_key_dns;
456 case oStrictHostKeyChecking:
457 intptr = &options->strict_host_key_checking;
/*
 * Three-valued option: yes/true, no/false or ask (the numeric values
 * assigned are on lines not shown; fill_default_options() treats 2 as
 * the default).
 */
460 if (!arg || *arg == '\0')
461 fatal("%.200s line %d: Missing yes/no/ask argument.",
463 value = 0; /* To avoid compiler warning... */
464 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
466 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
468 else if (strcmp(arg, "ask") == 0)
471 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
472 if (*activep && *intptr == -1)
477 intptr = &options->compression;
481 intptr = &options->tcp_keep_alive;
484 case oNoHostAuthenticationForLocalhost:
485 intptr = &options->no_host_authentication_for_localhost;
488 case oNumberOfPasswordPrompts:
489 intptr = &options->number_of_password_prompts;
492 case oCompressionLevel:
493 intptr = &options->compression_level;
497 intptr = &options->rekey_limit;
/*
 * RekeyLimit: a non-negative decimal number (leading sign rejected by the
 * digit check) with an optional size suffix handled by the switch below
 * (its body is not shown).  The value is parsed as long long so that the
 * scaled result can be range-checked before being narrowed to int.
 */
499 if (!arg || *arg == '\0')
500 fatal("%.200s line %d: Missing argument.", filename, linenum);
501 if (arg[0] < '0' || arg[0] > '9')
502 fatal("%.200s line %d: Bad number.", filename, linenum);
503 orig = val64 = strtoll(arg, &endofnumber, 10);
504 if (arg == endofnumber)
505 fatal("%.200s line %d: Bad number.", filename, linenum);
506 switch (toupper(*endofnumber)) {
520 fatal("%.200s line %d: Invalid RekeyLimit suffix",
524 /* detect integer wrap and too-large limits */
/* Dividing back by scale and comparing with the original catches a wrapped multiply. */
525 if ((val64 / scale) != orig || val64 > INT_MAX)
526 fatal("%.200s line %d: RekeyLimit too large",
529 fatal("%.200s line %d: RekeyLimit too small",
531 if (*activep && *intptr == -1)
532 *intptr = (int)val64;
/*
 * IdentityFile accumulates rather than first-wins: each occurrence takes
 * the next slot of identity_files[], capped at SSH_MAX_IDENTITY_FILES so
 * the index stays in bounds.
 */
537 if (!arg || *arg == '\0')
538 fatal("%.200s line %d: Missing argument.", filename, linenum);
540 intptr = &options->num_identity_files;
541 if (*intptr >= SSH_MAX_IDENTITY_FILES)
542 fatal("%.200s line %d: Too many identity files specified (max %d).",
543 filename, linenum, SSH_MAX_IDENTITY_FILES);
544 charptr = &options->identity_files[*intptr];
545 *charptr = xstrdup(arg);
546 *intptr = *intptr + 1;
551 charptr=&options->xauth_location;
555 charptr = &options->user;
/* Shared string-option store: first non-NULL setting wins while active. */
558 if (!arg || *arg == '\0')
559 fatal("%.200s line %d: Missing argument.", filename, linenum);
560 if (*activep && *charptr == NULL)
561 *charptr = xstrdup(arg);
564 case oGlobalKnownHostsFile:
565 charptr = &options->system_hostfile;
568 case oUserKnownHostsFile:
569 charptr = &options->user_hostfile;
572 case oGlobalKnownHostsFile2:
573 charptr = &options->system_hostfile2;
576 case oUserKnownHostsFile2:
577 charptr = &options->user_hostfile2;
581 charptr = &options->hostname;
585 charptr = &options->host_key_alias;
588 case oPreferredAuthentications:
589 charptr = &options->preferred_authentications;
593 charptr = &options->bind_address;
596 case oSmartcardDevice:
597 charptr = &options->smartcard_device;
601 charptr = &options->proxy_command;
/*
 * ProxyCommand keeps the remainder of the line verbatim (after skipping
 * leading whitespace and '='), so the command may contain spaces and is
 * not tokenised by strdelim().
 */
604 fatal("%.200s line %d: Missing argument.", filename, linenum);
605 len = strspn(s, WHITESPACE "=");
606 if (*activep && *charptr == NULL)
607 *charptr = xstrdup(s + len);
611 intptr = &options->port;
/*
 * Port: base 0 means a leading "0x" is hex and a leading "0" is octal; the
 * digit check before strtol() rejects a leading sign.  No upper-bound check
 * on the port value is visible here.
 */
614 if (!arg || *arg == '\0')
615 fatal("%.200s line %d: Missing argument.", filename, linenum);
616 if (arg[0] < '0' || arg[0] > '9')
617 fatal("%.200s line %d: Bad number.", filename, linenum);
619 /* Octal, decimal, or hex format? */
620 value = strtol(arg, &endofnumber, 0);
621 if (arg == endofnumber)
622 fatal("%.200s line %d: Bad number.", filename, linenum);
623 if (*activep && *intptr == -1)
627 case oConnectionAttempts:
628 intptr = &options->connection_attempts;
632 intptr = &options->cipher;
/* Protocol-1 cipher: cipher_number() validates the single name. */
634 if (!arg || *arg == '\0')
635 fatal("%.200s line %d: Missing argument.", filename, linenum);
636 value = cipher_number(arg);
638 fatal("%.200s line %d: Bad cipher '%s'.",
639 filename, linenum, arg ? arg : "<NONE>");
640 if (*activep && *intptr == -1)
/* Protocol-2 cipher list: validated as a whole before it is stored. */
646 if (!arg || *arg == '\0')
647 fatal("%.200s line %d: Missing argument.", filename, linenum);
648 if (!ciphers_valid(arg))
649 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
650 filename, linenum, arg ? arg : "<NONE>");
651 if (*activep && options->ciphers == NULL)
652 options->ciphers = xstrdup(arg);
/* MAC list: the validation call is on a line not shown. */
657 if (!arg || *arg == '\0')
658 fatal("%.200s line %d: Missing argument.", filename, linenum);
660 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
661 filename, linenum, arg ? arg : "<NONE>");
662 if (*activep && options->macs == NULL)
663 options->macs = xstrdup(arg);
666 case oHostKeyAlgorithms:
668 if (!arg || *arg == '\0')
669 fatal("%.200s line %d: Missing argument.", filename, linenum);
670 if (!key_names_valid2(arg))
671 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
672 filename, linenum, arg ? arg : "<NONE>");
673 if (*activep && options->hostkeyalgorithms == NULL)
674 options->hostkeyalgorithms = xstrdup(arg);
678 intptr = &options->protocol;
/* Protocol uses SSH_PROTO_UNKNOWN, not -1, as its "unset" sentinel. */
680 if (!arg || *arg == '\0')
681 fatal("%.200s line %d: Missing argument.", filename, linenum);
682 value = proto_spec(arg);
683 if (value == SSH_PROTO_UNKNOWN)
684 fatal("%.200s line %d: Bad protocol spec '%s'.",
685 filename, linenum, arg ? arg : "<NONE>");
686 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
/*
 * log_level is an enum LogLevel accessed through an int pointer; this is
 * only correct while the enum is int-compatible.  Its sentinel is
 * SYSLOG_LEVEL_NOT_SET.
 */
691 intptr = (int *) &options->log_level;
693 value = log_level_number(arg);
694 if (value == SYSLOG_LEVEL_NOT_SET)
695 fatal("%.200s line %d: unsupported log level '%s'",
696 filename, linenum, arg ? arg : "<NONE>");
697 if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
698 *intptr = (LogLevel) value;
/*
 * LocalForward/RemoteForward: the two tokens (listen spec, target spec)
 * are re-joined with ':' into fwdarg for parse_forward().  snprintf() is
 * bounded by sizeof(fwdarg) but its return value is not checked, so an
 * over-long specification is silently truncated before parsing;
 * checking for truncation here would turn that into a clear error.
 */
704 if (arg == NULL || *arg == '\0')
705 fatal("%.200s line %d: Missing port argument.",
708 if (arg2 == NULL || *arg2 == '\0')
709 fatal("%.200s line %d: Missing target argument.",
712 /* construct a string for parse_forward */
713 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
715 if (parse_forward(&fwd, fwdarg) == 0)
716 fatal("%.200s line %d: Bad forwarding specification.",
/* The same case body serves both directions; dispatch on the opcode. */
720 if (opcode == oLocalForward)
721 add_local_forward(options, &fwd);
722 else if (opcode == oRemoteForward)
723 add_remote_forward(options, &fwd);
727 case oDynamicForward:
/*
 * DynamicForward: synthesise a Forward whose connect_host is the literal
 * "socks" (a static string; add_local_forward() copies it with xstrdup()
 * so nothing here needs freeing).  Accepts either "[host:]port" -- the
 * branch structure around lines 740-744 is only partially shown.  The
 * listen host is length-checked against NI_MAXHOST.
 */
729 if (!arg || *arg == '\0')
730 fatal("%.200s line %d: Missing port argument.",
732 memset(&fwd, '\0', sizeof(fwd));
733 fwd.connect_host = "socks";
734 fwd.listen_host = hpdelim(&arg);
735 if (fwd.listen_host == NULL ||
736 strlen(fwd.listen_host) >= NI_MAXHOST)
737 fatal("%.200s line %d: Bad forwarding specification.",
740 fwd.listen_port = a2port(arg);
741 fwd.listen_host = cleanhostname(fwd.listen_host);
/* Port-only form: what hpdelim() returned was the port, not a host. */
743 fwd.listen_port = a2port(fwd.listen_host);
744 fwd.listen_host = NULL;
/* a2port() returns 0 for an unparsable port. */
746 if (fwd.listen_port == 0)
747 fatal("%.200s line %d: Badly formatted port number.",
750 add_local_forward(options, &fwd);
753 case oClearAllForwardings:
754 intptr = &options->clear_forwardings;
/*
 * Host: every remaining token is a pattern matched against the host
 * being connected to; a match turns *activep on for the following lines
 * (the assignment is on a line not shown), otherwise they are skipped
 * until the next Host line.
 */
759 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
760 if (match_pattern(host, arg)) {
761 debug("Applying options for %.100s", arg);
765 /* Avoid garbage check below, as strdelim is done. */
769 intptr = &options->escape_char;
/*
 * EscapeChar: "^X" with X in 64..127 is masked with 31 to yield the
 * matching control character; a single character is taken literally;
 * "none" disables the escape character entirely.
 */
771 if (!arg || *arg == '\0')
772 fatal("%.200s line %d: Missing argument.", filename, linenum);
773 if (arg[0] == '^' && arg[2] == 0 &&
774 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
775 value = (u_char) arg[1] & 31;
776 else if (strlen(arg) == 1)
777 value = (u_char) arg[0];
778 else if (strcmp(arg, "none") == 0)
779 value = SSH_ESCAPECHAR_NONE;
781 fatal("%.200s line %d: Bad escape character.",
784 value = 0; /* Avoid compiler warning. */
786 if (*activep && *intptr == -1)
/* AddressFamily: inet / inet6 / any, compared case-insensitively. */
792 if (!arg || *arg == '\0')
793 fatal("%s line %d: missing address family.",
795 intptr = &options->address_family;
796 if (strcasecmp(arg, "inet") == 0)
798 else if (strcasecmp(arg, "inet6") == 0)
800 else if (strcasecmp(arg, "any") == 0)
803 fatal("Unsupported AddressFamily \"%s\"", arg);
804 if (*activep && *intptr == -1)
808 case oEnableSSHKeysign:
809 intptr = &options->enable_ssh_keysign;
812 case oIdentitiesOnly:
813 intptr = &options->identities_only;
816 case oServerAliveInterval:
817 intptr = &options->server_alive_interval;
820 case oServerAliveCountMax:
821 intptr = &options->server_alive_count_max;
/*
 * SendEnv: a list of variable *names*; a token containing '=' is rejected
 * so an assignment cannot be written here, and the list is bounded by
 * MAX_SEND_ENV before send_env[] is indexed.
 */
825 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
826 if (strchr(arg, '=') != NULL)
827 fatal("%s line %d: Invalid environment name.",
831 if (options->num_send_env >= MAX_SEND_ENV)
832 fatal("%s line %d: too many send env.",
834 options->send_env[options->num_send_env++] =
840 charptr = &options->control_path;
844 intptr = &options->control_master;
/* ControlMaster: five spellings, each mapped to its SSHCTL_MASTER_* value. */
846 if (!arg || *arg == '\0')
847 fatal("%.200s line %d: Missing ControlMaster argument.",
849 value = 0; /* To avoid compiler warning... */
850 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
851 value = SSHCTL_MASTER_YES;
852 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
853 value = SSHCTL_MASTER_NO;
854 else if (strcmp(arg, "auto") == 0)
855 value = SSHCTL_MASTER_AUTO;
856 else if (strcmp(arg, "ask") == 0)
857 value = SSHCTL_MASTER_ASK;
858 else if (strcmp(arg, "autoask") == 0)
859 value = SSHCTL_MASTER_AUTO_ASK;
861 fatal("%.200s line %d: Bad ControlMaster argument.",
863 if (*activep && *intptr == -1)
867 case oHashKnownHosts:
868 intptr = &options->hash_known_hosts;
872 intptr = &options->tun_open;
/* Tunnel: mode keywords are compared case-insensitively. */
874 if (!arg || *arg == '\0')
875 fatal("%s line %d: Missing yes/point-to-point/"
876 "ethernet/no argument.", filename, linenum);
877 value = 0; /* silence compiler */
878 if (strcasecmp(arg, "ethernet") == 0)
879 value = SSH_TUNMODE_ETHERNET;
880 else if (strcasecmp(arg, "point-to-point") == 0)
881 value = SSH_TUNMODE_POINTOPOINT;
882 else if (strcasecmp(arg, "yes") == 0)
883 value = SSH_TUNMODE_DEFAULT;
884 else if (strcasecmp(arg, "no") == 0)
885 value = SSH_TUNMODE_NO;
887 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
888 "no argument: %s", filename, linenum, arg);
/*
 * TunnelDevice: a2tun() returns the local tun id and writes the remote
 * id through value2; SSH_TUNID_ERR is its error code.  Whatever
 * active/unset guard precedes the stores is on lines not shown.
 */
895 if (!arg || *arg == '\0')
896 fatal("%.200s line %d: Missing argument.", filename, linenum);
897 value = a2tun(arg, &value2);
898 if (value == SSH_TUNID_ERR)
899 fatal("%.200s line %d: Bad tun device.", filename, linenum);
901 options->tun_local = value;
902 options->tun_remote = value2;
907 charptr = &options->local_command;
910 case oPermitLocalCommand:
911 intptr = &options->permit_local_command;
/*
 * Deprecated keywords are accepted and only logged at debug level;
 * unsupported keywords are reported with error().  Neither is fatal, so
 * an old configuration keeps working (minus the ignored option).
 */
915 debug("%s line %d: Deprecated option \"%s\"",
916 filename, linenum, keyword);
920 error("%s line %d: Unsupported option \"%s\"",
921 filename, linenum, keyword);
/* Reaching here means keywords[] has a token with no case above: a programming error. */
925 fatal("process_config_line: Unimplemented opcode %d", opcode);
928 /* Check that there is no garbage at end of line. */
/* Extra tokens are fatal rather than ignored, so a typo cannot silently drop part of an option. */
929 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
930 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
931 filename, linenum, arg);
938 * Reads the config file and modifies the options accordingly. Options
939 * should already be initialized before this call. This never returns if
940 * there is an error. If the file does not exist, this returns 0.
/*
 * read_config_file: open filename and feed it line by line to
 * process_config_line().  Only part of the function survives in this
 * listing (the rest of the signature, the local declarations -- f, sb,
 * line[], linenum, active, bad_options -- and the closing braces are
 * absent).  Visible behaviour: a file that cannot be opened is not fatal
 * (the comment above says 0 is returned); a file with bad ownership or
 * permissions is fatal; bad option lines are counted and reported
 * together once the whole file has been read.
 */
944 read_config_file(const char *filename, const char *host, Options *options,
953 if ((f = fopen(filename, "r")) == NULL)
/*
 * Ownership/permission check.  It is done with fstat() on the already-open
 * descriptor rather than stat() on the path, so the file that is checked
 * is exactly the file that will be read -- there is no window between a
 * path lookup and the open.  The file must be owned by root or by the
 * invoking user and must not be group- or world-writable (mode & 022).
 * This gate is presumably conditional on a caller-supplied flag whose
 * `if` line is not shown.
 */
959 if (fstat(fileno(f), &sb) == -1)
960 fatal("fstat %s: %s", filename, strerror(errno));
961 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
962 (sb.st_mode & 022) != 0))
963 fatal("Bad owner or permissions on %s", filename);
966 debug("Reading configuration data %.200s", filename);
969 * Mark that we are now processing the options. This flag is turned
970 * on/off by Host specifications.
/*
 * fgets() stops at sizeof(line) - 1 characters, so a physical line longer
 * than the buffer would be delivered to process_config_line() as two
 * logical lines; linenum is bumped on a line not shown.
 */
974 while (fgets(line, sizeof(line), f)) {
975 /* Update line number counter. */
977 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
/*
 * A non-zero return is accumulated into bad_options (the increment is on a
 * line not shown); after the whole file has been read, even a single bad
 * option terminates ssh instead of being ignored.
 */
982 fatal("%s: terminating, %d bad configuration options",
983 filename, bad_options);
988 * Initializes options to special values that indicate that they have not yet
989 * been set. Read_config_file will only set options with this value. Options
990 * are processed in the following order: command line, user config file,
991 * system config file. Last, fill_default_options is called.
/*
 * initialize_options: set every field of *options to an "unset" sentinel
 * so that the first source to supply a value wins (see
 * process_config_line()) and fill_default_options() can recognise what is
 * still unset: -1 for flags and numbers, NULL for strings, 0 for the list
 * counters, and the dedicated SSH_PROTO_UNKNOWN / SYSLOG_LEVEL_NOT_SET
 * values.  Return type and braces are not part of this excerpt.
 */
995 initialize_options(Options * options)
/*
 * Fill the whole struct with a conspicuous non-zero byte first --
 * presumably so that any field forgotten below shows up as obvious
 * garbage rather than a plausible-looking zero.
 */
997 memset(options, 'X', sizeof(*options));
998 options->forward_agent = -1;
999 options->forward_x11 = -1;
1000 options->forward_x11_trusted = -1;
1001 options->exit_on_forward_failure = -1;
1002 options->xauth_location = NULL;
1003 options->gateway_ports = -1;
1004 options->use_privileged_port = -1;
1005 options->rsa_authentication = -1;
1006 options->pubkey_authentication = -1;
1007 options->challenge_response_authentication = -1;
1008 options->gss_authentication = -1;
1009 options->gss_deleg_creds = -1;
1010 options->password_authentication = -1;
1011 options->kbd_interactive_authentication = -1;
1012 options->kbd_interactive_devices = NULL;
1013 options->rhosts_rsa_authentication = -1;
1014 options->hostbased_authentication = -1;
1015 options->batch_mode = -1;
1016 options->check_host_ip = -1;
1017 options->strict_host_key_checking = -1;
1018 options->compression = -1;
1019 options->tcp_keep_alive = -1;
1020 options->compression_level = -1;
/*
 * NOTE(review): options->port is not initialised in the lines shown here
 * (one line is missing from this listing at this point), yet
 * fill_default_options() tests it against -1 -- confirm the assignment
 * exists in the full source.
 */
1022 options->address_family = -1;
1023 options->connection_attempts = -1;
1024 options->connection_timeout = -1;
1025 options->number_of_password_prompts = -1;
1026 options->cipher = -1;
1027 options->ciphers = NULL;
1028 options->macs = NULL;
1029 options->hostkeyalgorithms = NULL;
/* Protocol and log level use their own sentinels rather than -1. */
1030 options->protocol = SSH_PROTO_UNKNOWN;
1031 options->num_identity_files = 0;
1032 options->hostname = NULL;
1033 options->host_key_alias = NULL;
1034 options->proxy_command = NULL;
1035 options->user = NULL;
1036 options->escape_char = -1;
1037 options->system_hostfile = NULL;
1038 options->user_hostfile = NULL;
1039 options->system_hostfile2 = NULL;
1040 options->user_hostfile2 = NULL;
/* List counters start empty; the array contents stay as the memset left them. */
1041 options->num_local_forwards = 0;
1042 options->num_remote_forwards = 0;
1043 options->clear_forwardings = -1;
1044 options->log_level = SYSLOG_LEVEL_NOT_SET;
1045 options->preferred_authentications = NULL;
1046 options->bind_address = NULL;
1047 options->smartcard_device = NULL;
1048 options->enable_ssh_keysign = - 1;
1049 options->no_host_authentication_for_localhost = - 1;
1050 options->identities_only = - 1;
1051 options->rekey_limit = - 1;
1052 options->verify_host_key_dns = -1;
1053 options->server_alive_interval = -1;
1054 options->server_alive_count_max = -1;
1055 options->num_send_env = 0;
1056 options->control_path = NULL;
1057 options->control_master = -1;
1058 options->hash_known_hosts = -1;
1059 options->tun_open = -1;
1060 options->tun_local = -1;
1061 options->tun_remote = -1;
1062 options->local_command = NULL;
1063 options->permit_local_command = -1;
1067 * Called after processing other sources of option data, this fills those
1068 * options for which no value has been specified with their default values.
/*
 * fill_default_options: replace every remaining "unset" sentinel with the
 * compiled-in default.  Several of these defaults matter when auditing a
 * client configuration: rsa, pubkey, challenge-response, password and
 * keyboard-interactive authentication default ON; gssapi, hostbased and
 * rhosts-rsa default OFF; CheckHostIP on; StrictHostKeyChecking 2 (the
 * value the code comment calls the default); BOTH protocol 1 and 2 are
 * enabled when Protocol is unset; HashKnownHosts and VerifyHostKeyDNS
 * off; RekeyLimit 0; ServerAliveInterval 0 with ServerAliveCountMax 3.
 * Return type, braces and the declaration of len are not part of this
 * excerpt.
 */
1072 fill_default_options(Options * options)
1076 if (options->forward_agent == -1)
1077 options->forward_agent = 0;
1078 if (options->forward_x11 == -1)
1079 options->forward_x11 = 0;
1080 if (options->forward_x11_trusted == -1)
1081 options->forward_x11_trusted = 0;
1082 if (options->exit_on_forward_failure == -1)
1083 options->exit_on_forward_failure = 0;
1084 if (options->xauth_location == NULL)
1085 options->xauth_location = _PATH_XAUTH;
1086 if (options->gateway_ports == -1)
1087 options->gateway_ports = 0;
1088 if (options->use_privileged_port == -1)
1089 options->use_privileged_port = 0;
/* Authentication method defaults: see the summary in the header comment. */
1090 if (options->rsa_authentication == -1)
1091 options->rsa_authentication = 1;
1092 if (options->pubkey_authentication == -1)
1093 options->pubkey_authentication = 1;
1094 if (options->challenge_response_authentication == -1)
1095 options->challenge_response_authentication = 1;
1096 if (options->gss_authentication == -1)
1097 options->gss_authentication = 0;
1098 if (options->gss_deleg_creds == -1)
1099 options->gss_deleg_creds = 0;
1100 if (options->password_authentication == -1)
1101 options->password_authentication = 1;
1102 if (options->kbd_interactive_authentication == -1)
1103 options->kbd_interactive_authentication = 1;
1104 if (options->rhosts_rsa_authentication == -1)
1105 options->rhosts_rsa_authentication = 0;
1106 if (options->hostbased_authentication == -1)
1107 options->hostbased_authentication = 0;
1108 if (options->batch_mode == -1)
1109 options->batch_mode = 0;
1110 if (options->check_host_ip == -1)
1111 options->check_host_ip = 1;
1112 if (options->strict_host_key_checking == -1)
1113 options->strict_host_key_checking = 2; /* 2 is default */
1114 if (options->compression == -1)
1115 options->compression = 0;
1116 if (options->tcp_keep_alive == -1)
1117 options->tcp_keep_alive = 1;
1118 if (options->compression_level == -1)
1119 options->compression_level = 6;
1120 if (options->port == -1)
1121 options->port = 0; /* Filled in ssh_connect. */
1122 if (options->address_family == -1)
1123 options->address_family = AF_UNSPEC;
1124 if (options->connection_attempts == -1)
1125 options->connection_attempts = 1;
1126 if (options->number_of_password_prompts == -1)
1127 options->number_of_password_prompts = 3;
1128 /* Selected in ssh_login(). */
1129 if (options->cipher == -1)
1130 options->cipher = SSH_CIPHER_NOT_SET;
1131 /* options->ciphers, default set in myproposals.h */
1132 /* options->macs, default set in myproposals.h */
1133 /* options->hostkeyalgorithms, default set in myproposals.h */
/* With Protocol unset, both protocol versions are offered. */
1134 if (options->protocol == SSH_PROTO_UNKNOWN)
1135 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
/*
 * Default identity files are chosen by the enabled protocols: the
 * protocol-1 identity, then the protocol-2 RSA and DSA keys.  Each
 * buffer is sized 2 ("~/") + strlen(path) + 1 (NUL); the allocation
 * statement itself is on a line not shown, and the "%.100s" precision
 * caps the path at 100 characters.
 */
1136 if (options->num_identity_files == 0) {
1137 if (options->protocol & SSH_PROTO_1) {
1138 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1139 options->identity_files[options->num_identity_files] =
1141 snprintf(options->identity_files[options->num_identity_files++],
1142 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1144 if (options->protocol & SSH_PROTO_2) {
1145 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1146 options->identity_files[options->num_identity_files] =
1148 snprintf(options->identity_files[options->num_identity_files++],
1149 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1151 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1152 options->identity_files[options->num_identity_files] =
1154 snprintf(options->identity_files[options->num_identity_files++],
1155 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1158 if (options->escape_char == -1)
1159 options->escape_char = '~';
1160 if (options->system_hostfile == NULL)
1161 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1162 if (options->user_hostfile == NULL)
1163 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1164 if (options->system_hostfile2 == NULL)
1165 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1166 if (options->user_hostfile2 == NULL)
1167 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1168 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1169 options->log_level = SYSLOG_LEVEL_INFO;
/*
 * ClearAllForwardings is applied here, after every source has been
 * read, so it drops all forwards accumulated so far wherever they were
 * specified.
 */
1170 if (options->clear_forwardings == 1)
1171 clear_forwardings(options);
1172 if (options->no_host_authentication_for_localhost == - 1)
1173 options->no_host_authentication_for_localhost = 0;
1174 if (options->identities_only == -1)
1175 options->identities_only = 0;
1176 if (options->enable_ssh_keysign == -1)
1177 options->enable_ssh_keysign = 0;
1178 if (options->rekey_limit == -1)
1179 options->rekey_limit = 0;
1180 if (options->verify_host_key_dns == -1)
1181 options->verify_host_key_dns = 0;
1182 if (options->server_alive_interval == -1)
1183 options->server_alive_interval = 0;
1184 if (options->server_alive_count_max == -1)
1185 options->server_alive_count_max = 3;
1186 if (options->control_master == -1)
1187 options->control_master = 0;
1188 if (options->hash_known_hosts == -1)
1189 options->hash_known_hosts = 0;
1190 if (options->tun_open == -1)
1191 options->tun_open = SSH_TUNMODE_NO;
1192 if (options->tun_local == -1)
1193 options->tun_local = SSH_TUNID_ANY;
1194 if (options->tun_remote == -1)
1195 options->tun_remote = SSH_TUNID_ANY;
1196 if (options->permit_local_command == -1)
1197 options->permit_local_command = 0;
1198 /* options->local_command should not be set by default */
1199 /* options->proxy_command should not be set by default */
1200 /* options->user will be set in the main program if appropriate */
1201 /* options->hostname will be set in the main program if appropriate */
1202 /* options->host_key_alias should not be set by default */
1203 /* options->preferred_authentications will be set in ssh */
1208 * parses a string containing a port forwarding specification of the form:
1209 * [listenhost:]listenport:connecthost:connectport
1210 * returns number of arguments parsed or zero on error
1213 parse_forward(Forward *fwd, const char *fwdspec)
1216 char *p, *cp, *fwdarg[4];
1218 memset(fwd, '\0', sizeof(*fwd));
1220 cp = p = xstrdup(fwdspec);
1222 /* skip leading spaces */
1223 while (*cp && isspace(*cp))
1226 for (i = 0; i < 4; ++i)
1227 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1230 /* Check for trailing garbage in 4-arg case*/
1232 i = 0; /* failure */
1236 fwd->listen_host = NULL;
1237 fwd->listen_port = a2port(fwdarg[0]);
1238 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1239 fwd->connect_port = a2port(fwdarg[2]);
1243 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1244 fwd->listen_port = a2port(fwdarg[1]);
1245 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1246 fwd->connect_port = a2port(fwdarg[3]);
1249 i = 0; /* failure */
1254 if (fwd->listen_port == 0 && fwd->connect_port == 0)
1257 if (fwd->connect_host != NULL &&
1258 strlen(fwd->connect_host) >= NI_MAXHOST)
1264 if (fwd->connect_host != NULL)
1265 xfree(fwd->connect_host);
1266 if (fwd->listen_host != NULL)
1267 xfree(fwd->listen_host);