2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.131 2004/04/27 09:46:37 djm Exp $");
20 #include "pathnames.h"
21 #include "tildexpand.h"
/*
 * Forward declarations for the listen-address helpers defined further
 * down: add_listen_addr() expands one address against the configured
 * ports and add_one_listen_addr() resolves a single address/port pair
 * with getaddrinfo().
 */
27 static void add_listen_addr(ServerOptions *, char *, u_short);
28 static void add_one_listen_addr(ServerOptions *, char *, u_short);
30 /* AF_UNSPEC or AF_INET or AF_INET6 */
/* (The declaration described by the comment above -- the address-family
 * selector that add_one_listen_addr() copies into hints.ai_family -- is
 * on a line not shown on this page.) */
32 /* Use of privilege separation or not */
/*
 * Defined in another file.  -1 means "not configured"; the value is
 * resolved in fill_default_server_options() and can also be written
 * directly by the UsePrivilegeSeparation keyword in
 * process_server_config_line().
 */
33 extern int use_privsep;
/*
 * Initializes the server options to their default values.
 *
 * The whole struct is zeroed first, then every field is set to a
 * "not configured yet" sentinel: -1 for flags and integers, NULL for
 * strings, PERMIT_NOT_SET, the SYSLOG_*_NOT_SET values and
 * SSH_PROTO_UNKNOWN for the enumerations.  process_server_config_line()
 * treats the sentinel as "unset" (for the string options and Protocol
 * visible there it keeps the first value it sees), and
 * fill_default_server_options() afterwards replaces whatever is still a
 * sentinel with the compiled-in default.  The intended order is therefore
 * initialize -> parse sshd_config -> fill defaults.
 */
38 initialize_server_options(ServerOptions *options)
40 memset(options, 0, sizeof(*options));
42 /* Portable-specific options */
43 options->use_pam = -1;
45 /* Standard Options */
/* Element counts start at zero; the arrays they index are bounds-checked
 * against MAX_PORTS, MAX_HOSTKEYS, MAX_SUBSYSTEMS etc. during parsing. */
46 options->num_ports = 0;
47 options->ports_from_cmdline = 0;
48 options->listen_addrs = NULL;
49 options->num_host_key_files = 0;
50 options->pid_file = NULL;
51 options->server_key_bits = -1;
52 options->login_grace_time = -1;
53 options->key_regeneration_time = -1;
/* PermitRootLogin is a multi-valued enumeration, hence its own sentinel. */
54 options->permit_root_login = PERMIT_NOT_SET;
55 options->ignore_rhosts = -1;
56 options->ignore_user_known_hosts = -1;
57 options->print_motd = -1;
58 options->print_lastlog = -1;
59 options->x11_forwarding = -1;
60 options->x11_display_offset = -1;
61 options->x11_use_localhost = -1;
62 options->xauth_location = NULL;
63 options->strict_modes = -1;
64 options->tcp_keep_alive = -1;
65 options->log_facility = SYSLOG_FACILITY_NOT_SET;
66 options->log_level = SYSLOG_LEVEL_NOT_SET;
67 options->rhosts_rsa_authentication = -1;
68 options->hostbased_authentication = -1;
69 options->hostbased_uses_name_from_packet_only = -1;
70 options->rsa_authentication = -1;
71 options->pubkey_authentication = -1;
72 options->kerberos_authentication = -1;
73 options->kerberos_or_local_passwd = -1;
74 options->kerberos_ticket_cleanup = -1;
75 options->kerberos_get_afs_token = -1;
76 options->gss_authentication=-1;
77 options->gss_cleanup_creds = -1;
78 options->password_authentication = -1;
79 options->kbd_interactive_authentication = -1;
80 options->challenge_response_authentication = -1;
81 options->permit_empty_passwd = -1;
82 options->permit_user_env = -1;
83 options->use_login = -1;
84 options->compression = -1;
85 options->allow_tcp_forwarding = -1;
86 options->num_allow_users = 0;
87 options->num_deny_users = 0;
88 options->num_allow_groups = 0;
89 options->num_deny_groups = 0;
90 options->ciphers = NULL;
92 options->protocol = SSH_PROTO_UNKNOWN;
93 options->gateway_ports = -1;
94 options->num_subsystems = 0;
95 options->max_startups_begin = -1;
96 options->max_startups_rate = -1;
97 options->max_startups = -1;
98 options->banner = NULL;
99 options->use_dns = -1;
100 options->client_alive_interval = -1;
101 options->client_alive_count_max = -1;
102 options->authorized_keys_file = NULL;
103 options->authorized_keys_file2 = NULL;
104 options->num_accept_env = 0;
/* Needs to be accessible in many places.  The assignment this comment
 * introduces is on a line not shown here; from the extern declaration
 * above and fill_default_server_options() it is presumably the reset of
 * the global use_privsep to -1. */
106 /* Needs to be accessible in many places */
/*
 * Replaces every option that is still at its "not configured" sentinel
 * with the compiled-in default.  Must run after sshd_config has been
 * parsed: process_server_config_line() only writes fields that still hold
 * their sentinel (see its string options and Protocol), so filling the
 * defaults first would make them indistinguishable from administrator
 * settings.
 *
 * Security-relevant compiled-in defaults visible below: PermitRootLogin
 * yes, PasswordAuthentication yes, ChallengeResponseAuthentication yes,
 * PermitEmptyPasswords no, StrictModes yes, X11Forwarding no, UseDNS yes,
 * Compression yes, privilege separation on.  A deployment that wants a
 * stricter baseline has to set these explicitly in sshd_config.
 */
111 fill_default_server_options(ServerOptions *options)
113 /* Portable-specific options */
114 if (options->use_pam == -1)
115 options->use_pam = 0;
117 /* Standard Options */
/* Both protocol versions are enabled unless Protocol was given. */
118 if (options->protocol == SSH_PROTO_UNKNOWN)
119 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
/* Default host keys depend on which protocol versions are enabled.  The
 * protocol-1 key path assigned on the line after 123 is not shown here. */
120 if (options->num_host_key_files == 0) {
121 /* fill default hostkeys for protocols */
122 if (options->protocol & SSH_PROTO_1)
123 options->host_key_files[options->num_host_key_files++] =
125 if (options->protocol & SSH_PROTO_2) {
126 options->host_key_files[options->num_host_key_files++] =
127 _PATH_HOST_RSA_KEY_FILE;
128 options->host_key_files[options->num_host_key_files++] =
129 _PATH_HOST_DSA_KEY_FILE;
132 if (options->num_ports == 0)
133 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
/* No ListenAddress: NULL address and port 0 yield a passive (wildcard)
 * socket on every configured Port, see add_listen_addr() and the
 * AI_PASSIVE handling in add_one_listen_addr(). */
134 if (options->listen_addrs == NULL)
135 add_listen_addr(options, NULL, 0);
136 if (options->pid_file == NULL)
137 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
/* NOTE(review): 768 bits is far below current key-size guidance; to the
 * reviewer's knowledge this key is only used by protocol 1, so it matters
 * only while SSH_PROTO_1 is enabled. */
138 if (options->server_key_bits == -1)
139 options->server_key_bits = 768;
140 if (options->login_grace_time == -1)
141 options->login_grace_time = 120;
142 if (options->key_regeneration_time == -1)
143 options->key_regeneration_time = 3600;
/* Compiled-in default is to allow root login outright. */
144 if (options->permit_root_login == PERMIT_NOT_SET)
145 options->permit_root_login = PERMIT_YES;
146 if (options->ignore_rhosts == -1)
147 options->ignore_rhosts = 1;
148 if (options->ignore_user_known_hosts == -1)
149 options->ignore_user_known_hosts = 0;
150 if (options->print_motd == -1)
151 options->print_motd = 1;
152 if (options->print_lastlog == -1)
153 options->print_lastlog = 1;
154 if (options->x11_forwarding == -1)
155 options->x11_forwarding = 0;
156 if (options->x11_display_offset == -1)
157 options->x11_display_offset = 10;
158 if (options->x11_use_localhost == -1)
159 options->x11_use_localhost = 1;
160 if (options->xauth_location == NULL)
161 options->xauth_location = _PATH_XAUTH;
162 if (options->strict_modes == -1)
163 options->strict_modes = 1;
164 if (options->tcp_keep_alive == -1)
165 options->tcp_keep_alive = 1;
166 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
167 options->log_facility = SYSLOG_FACILITY_AUTH;
168 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
169 options->log_level = SYSLOG_LEVEL_INFO;
170 if (options->rhosts_rsa_authentication == -1)
171 options->rhosts_rsa_authentication = 0;
172 if (options->hostbased_authentication == -1)
173 options->hostbased_authentication = 0;
174 if (options->hostbased_uses_name_from_packet_only == -1)
175 options->hostbased_uses_name_from_packet_only = 0;
176 if (options->rsa_authentication == -1)
177 options->rsa_authentication = 1;
178 if (options->pubkey_authentication == -1)
179 options->pubkey_authentication = 1;
180 if (options->kerberos_authentication == -1)
181 options->kerberos_authentication = 0;
182 if (options->kerberos_or_local_passwd == -1)
183 options->kerberos_or_local_passwd = 1;
184 if (options->kerberos_ticket_cleanup == -1)
185 options->kerberos_ticket_cleanup = 1;
186 if (options->kerberos_get_afs_token == -1)
187 options->kerberos_get_afs_token = 0;
188 if (options->gss_authentication == -1)
189 options->gss_authentication = 0;
190 if (options->gss_cleanup_creds == -1)
191 options->gss_cleanup_creds = 1;
/* Password and challenge-response authentication are on by default. */
192 if (options->password_authentication == -1)
193 options->password_authentication = 1;
194 if (options->kbd_interactive_authentication == -1)
195 options->kbd_interactive_authentication = 0;
196 if (options->challenge_response_authentication == -1)
197 options->challenge_response_authentication = 1;
198 if (options->permit_empty_passwd == -1)
199 options->permit_empty_passwd = 0;
200 if (options->permit_user_env == -1)
201 options->permit_user_env = 0;
202 if (options->use_login == -1)
203 options->use_login = 0;
204 if (options->compression == -1)
205 options->compression = 1;
206 if (options->allow_tcp_forwarding == -1)
207 options->allow_tcp_forwarding = 1;
208 if (options->gateway_ports == -1)
209 options->gateway_ports = 0;
/* MaxStartups: with no "begin:rate:full" spec the "begin" threshold is
 * set equal to the full limit. */
210 if (options->max_startups == -1)
211 options->max_startups = 10;
212 if (options->max_startups_rate == -1)
213 options->max_startups_rate = 100; /* 100% */
214 if (options->max_startups_begin == -1)
215 options->max_startups_begin = options->max_startups;
216 if (options->use_dns == -1)
217 options->use_dns = 1;
218 if (options->client_alive_interval == -1)
219 options->client_alive_interval = 0;
220 if (options->client_alive_count_max == -1)
221 options->client_alive_count_max = 3;
/* AuthorizedKeysFile2 inherits an explicit AuthorizedKeysFile, otherwise
 * both get their own compiled-in path. */
222 if (options->authorized_keys_file2 == NULL) {
223 /* authorized_keys_file2 falls back to authorized_keys_file */
224 if (options->authorized_keys_file != NULL)
225 options->authorized_keys_file2 = options->authorized_keys_file;
227 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
229 if (options->authorized_keys_file == NULL)
230 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
/* The assignment that enables privilege separation is on a line not
 * shown here; the comment documents the intent. */
232 /* Turn privilege separation on by default */
233 if (use_privsep == -1)
/* On builds where privilege separation and compression cannot coexist
 * (the surrounding preprocessor condition is not shown on this page),
 * privilege separation wins and compression is forcibly disabled with an
 * error logged -- the configured Compression value is overridden, not
 * honoured. */
237 if (use_privsep && options->compression == 1) {
238 error("This platform does not support both privilege "
239 "separation and compression");
240 error("Compression disabled");
241 options->compression = 0;
247 /* Keyword tokens. */
/*
 * One opcode per sshd_config keyword, returned by parse_token() after a
 * case-insensitive table lookup.  sBadOption is the "unknown keyword"
 * result; sDeprecated and sUnsupported are catch-all opcodes for keywords
 * that process_server_config_line() merely logs instead of applying.
 * The typedef's opening and closing lines are not shown on this page.
 */
249 sBadOption, /* == unknown option */
250 /* Portable-specific options */
252 /* Standard Options */
253 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
254 sPermitRootLogin, sLogFacility, sLogLevel,
255 sRhostsRSAAuthentication, sRSAAuthentication,
256 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
257 sKerberosGetAFSToken,
258 sKerberosTgtPassing, sChallengeResponseAuthentication,
259 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
260 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
261 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
262 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
263 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
264 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
265 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
266 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
267 sBanner, sUseDNS, sHostbasedAuthentication,
268 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
269 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
270 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
271 sUsePrivilegeSeparation,
272 sDeprecated, sUnsupported
275 /* Textual representation of the tokens. */
/*
 * Keyword -> opcode table searched by parse_token().  Names are stored in
 * lower case because the lookup uses strcasecmp().  Several keywords
 * appear twice (usepam, kerberos*, gssapi*): those are presumably
 * alternative rows selected by build-time preprocessor conditionals that
 * are not shown on this page, so that a feature compiled out maps to
 * sUnsupported (logged, not applied) rather than to an unknown option.
 * Obsolete keywords map to sDeprecated for the same reason.
 */
278 ServerOpCodes opcode;
280 /* Portable-specific options */
282 { "usepam", sUsePAM },
284 { "usepam", sUnsupported },
286 { "pamauthenticationviakbdint", sDeprecated },
287 /* Standard Options */
289 { "hostkey", sHostKeyFile },
290 { "hostdsakey", sHostKeyFile }, /* alias */
291 { "pidfile", sPidFile },
292 { "serverkeybits", sServerKeyBits },
293 { "logingracetime", sLoginGraceTime },
294 { "keyregenerationinterval", sKeyRegenerationTime },
295 { "permitrootlogin", sPermitRootLogin },
296 { "syslogfacility", sLogFacility },
297 { "loglevel", sLogLevel },
298 { "rhostsauthentication", sDeprecated },
299 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
300 { "hostbasedauthentication", sHostbasedAuthentication },
301 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
302 { "rsaauthentication", sRSAAuthentication },
303 { "pubkeyauthentication", sPubkeyAuthentication },
304 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
306 { "kerberosauthentication", sKerberosAuthentication },
307 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
308 { "kerberosticketcleanup", sKerberosTicketCleanup },
310 { "kerberosgetafstoken", sKerberosGetAFSToken },
312 { "kerberosgetafstoken", sUnsupported },
315 { "kerberosauthentication", sUnsupported },
316 { "kerberosorlocalpasswd", sUnsupported },
317 { "kerberosticketcleanup", sUnsupported },
318 { "kerberosgetafstoken", sUnsupported },
320 { "kerberostgtpassing", sUnsupported },
321 { "afstokenpassing", sUnsupported },
323 { "gssapiauthentication", sGssAuthentication },
324 { "gssapicleanupcredentials", sGssCleanupCreds },
326 { "gssapiauthentication", sUnsupported },
327 { "gssapicleanupcredentials", sUnsupported },
329 { "passwordauthentication", sPasswordAuthentication },
330 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
331 { "challengeresponseauthentication", sChallengeResponseAuthentication },
332 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
333 { "checkmail", sDeprecated },
334 { "listenaddress", sListenAddress },
335 { "printmotd", sPrintMotd },
336 { "printlastlog", sPrintLastLog },
337 { "ignorerhosts", sIgnoreRhosts },
338 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
339 { "x11forwarding", sX11Forwarding },
340 { "x11displayoffset", sX11DisplayOffset },
341 { "x11uselocalhost", sX11UseLocalhost },
342 { "xauthlocation", sXAuthLocation },
343 { "strictmodes", sStrictModes },
344 { "permitemptypasswords", sEmptyPasswd },
345 { "permituserenvironment", sPermitUserEnvironment },
346 { "uselogin", sUseLogin },
347 { "compression", sCompression },
348 { "tcpkeepalive", sTCPKeepAlive },
349 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
350 { "allowtcpforwarding", sAllowTcpForwarding },
351 { "allowusers", sAllowUsers },
352 { "denyusers", sDenyUsers },
353 { "allowgroups", sAllowGroups },
354 { "denygroups", sDenyGroups },
355 { "ciphers", sCiphers },
357 { "protocol", sProtocol },
358 { "gatewayports", sGatewayPorts },
359 { "subsystem", sSubsystem },
360 { "maxstartups", sMaxStartups },
361 { "banner", sBanner },
362 { "usedns", sUseDNS },
363 { "verifyreversemapping", sDeprecated },
364 { "reversemappingcheck", sDeprecated },
365 { "clientaliveinterval", sClientAliveInterval },
366 { "clientalivecountmax", sClientAliveCountMax },
367 { "authorizedkeysfile", sAuthorizedKeysFile },
368 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
369 { "useprivilegeseparation", sUsePrivilegeSeparation},
370 { "acceptenv", sAcceptEnv },
375 * Returns the number of the token pointed to by cp or sBadOption.
/*
 * Linear, case-insensitive scan of the keywords[] table above, stopping at
 * its NULL-name terminator.  An unknown keyword is reported with error()
 * (the keyword is echoed via %s with a fixed format string) and, per the
 * comment above, sBadOption is returned -- that return and the linenum
 * parameter are on lines not shown on this page.
 */
379 parse_token(const char *cp, const char *filename,
384 for (i = 0; keywords[i].name; i++)
385 if (strcasecmp(cp, keywords[i].name) == 0)
386 return keywords[i].opcode;
388 error("%s: line %d: Bad configuration option: %s",
389 filename, linenum, cp);
/*
 * Registers listen sockets for addr.  If no Port has been configured yet
 * the default port is added first.  The two calls below are alternatives:
 * one expands addr against every configured port, the other uses the
 * single given port.  The condition choosing between them (presumably
 * port == 0, which is what the callers pass when no port was given) is on
 * a line not shown on this page.  Because the expansion uses the ports
 * known at call time, Port directives must precede ListenAddress --
 * process_server_config_line() enforces exactly that.
 */
394 add_listen_addr(ServerOptions *options, char *addr, u_short port)
398 if (options->num_ports == 0)
399 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
401 for (i = 0; i < options->num_ports; i++)
402 add_one_listen_addr(options, addr, options->ports[i]);
404 add_one_listen_addr(options, addr, port);
/*
 * Resolves a single addr:port pair with getaddrinfo() and prepends the
 * resulting address list to options->listen_addrs.
 *
 * A NULL addr requests AI_PASSIVE, i.e. the wildcard address.  The port is
 * formatted into a NI_MAXSERV-sized buffer with a bounded snprintf().  A
 * resolution failure is fatal (the message includes gai_strerror()), so a
 * misspelled ListenAddress stops the daemon rather than silently binding
 * fewer sockets.  The empty-bodied for loop walks to the last node of the
 * new list so the existing list can be linked after it.
 */
408 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
410 struct addrinfo hints, *ai, *aitop;
411 char strport[NI_MAXSERV];
414 memset(&hints, 0, sizeof(hints));
415 hints.ai_family = IPv4or6;
416 hints.ai_socktype = SOCK_STREAM;
417 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
418 snprintf(strport, sizeof strport, "%u", port);
419 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
420 fatal("bad addr or host: %s (%s)",
421 addr ? addr : "<NULL>",
422 gai_strerror(gaierr));
/* Advance to the tail of the freshly resolved list (loop body is empty). */
423 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
/* Splice: new list first, previously registered addresses after it. */
425 ai->ai_next = options->listen_addrs;
426 options->listen_addrs = aitop;
/*
 * Parses one line of sshd_config and stores the result in *options.
 *
 * line is tokenized in place (strdelim() writes into it).  filename and
 * linenum are used for diagnostics only.  Malformed directives are
 * reported with fatal(), which this file treats as non-returning: the
 * daemon refuses to start rather than skipping the line.  Deprecated and
 * unsupported keywords are only logged.  read_server_config() counts a
 * non-zero return as a bad option; the return statements themselves are
 * on lines not shown on this page.
 *
 * For the string-valued options visible below (HostKey, Ciphers, MACs,
 * Protocol) a field that is already set is left alone, so the first
 * occurrence of a keyword wins and later duplicates are ignored without
 * any message.  The list options (AllowUsers, DenyUsers, AllowGroups,
 * DenyGroups, AcceptEnv) accumulate across repeated directives instead.
 */
430 process_server_config_line(ServerOptions *options, char *line,
431 const char *filename, int linenum)
433 char *cp, **charptr, *arg, *p;
434 int *intptr, value, i, n;
435 ServerOpCodes opcode;
439 /* Ignore leading whitespace */
/* Blank lines and '#' comment lines are accepted and set nothing. */
442 if (!arg || !*arg || *arg == '#')
446 opcode = parse_token(arg, filename, linenum);
448 /* Portable-specific options */
450 intptr = &options->use_pam;
453 /* Standard Options */
/*
 * Port: ports given on the command line override every Port directive in
 * the file, and Port must precede ListenAddress because add_listen_addr()
 * expands each address against the ports known at that moment.
 */
457 /* ignore ports from configfile if cmdline specifies ports */
458 if (options->ports_from_cmdline)
460 if (options->listen_addrs != NULL)
461 fatal("%s line %d: ports must be specified before "
462 "ListenAddress.", filename, linenum);
463 if (options->num_ports >= MAX_PORTS)
464 fatal("%s line %d: too many ports.",
467 if (!arg || *arg == '\0')
468 fatal("%s line %d: missing port number.",
/* a2port() yields 0 for an unparsable port; the entry is stored before it
 * is checked, which is harmless only because fatal() does not return. */
470 options->ports[options->num_ports++] = a2port(arg);
471 if (options->ports[options->num_ports-1] == 0)
472 fatal("%s line %d: Badly formatted port number.",
477 intptr = &options->server_key_bits;
480 if (!arg || *arg == '\0')
481 fatal("%s line %d: missing integer value.",
/* LoginGraceTime / KeyRegenerationInterval take a convtime() duration;
 * convtime() signals a parse failure with -1. */
488 case sLoginGraceTime:
489 intptr = &options->login_grace_time;
492 if (!arg || *arg == '\0')
493 fatal("%s line %d: missing time value.",
495 if ((value = convtime(arg)) == -1)
496 fatal("%s line %d: invalid time value.",
502 case sKeyRegenerationTime:
503 intptr = &options->key_regeneration_time;
/*
 * ListenAddress accepts "[ipv6-addr]:port", a bare host / IPv4 / IPv6
 * address (no ':' at all, or more than one ':'), and "host:port" (exactly
 * one ':').  Port 0 passed to add_listen_addr() means "every configured
 * Port".  For the bracketed form the closing ']' is removed in place
 * with memmove() before the address reaches getaddrinfo().
 */
508 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
509 fatal("%s line %d: missing inet addr.",
512 if ((p = strchr(arg, ']')) == NULL)
513 fatal("%s line %d: bad ipv6 inet addr usage.",
516 memmove(p, p+1, strlen(p+1)+1);
517 } else if (((p = strchr(arg, ':')) == NULL) ||
518 (strchr(p+1, ':') != NULL)) {
519 add_listen_addr(options, arg, 0);
527 fatal("%s line %d: bad inet addr:port usage.",
531 if ((port = a2port(p)) == 0)
532 fatal("%s line %d: bad port number.",
534 add_listen_addr(options, arg, port);
536 } else if (*p == '\0')
537 add_listen_addr(options, arg, 0);
539 fatal("%s line %d: bad inet addr usage.",
/*
 * HostKey: at most MAX_HOSTKEYS entries, checked before the slot is
 * touched.  The path is tilde-expanded against the uid sshd is running
 * as, and the counter only advances when the slot was still empty.
 */
544 intptr = &options->num_host_key_files;
545 if (*intptr >= MAX_HOSTKEYS)
546 fatal("%s line %d: too many host keys specified (max %d).",
547 filename, linenum, MAX_HOSTKEYS);
548 charptr = &options->host_key_files[*intptr];
551 if (!arg || *arg == '\0')
552 fatal("%s line %d: missing file name.",
554 if (*charptr == NULL) {
555 *charptr = tilde_expand_filename(arg, getuid());
556 /* increase optional counter */
558 *intptr = *intptr + 1;
563 charptr = &options->pid_file;
/*
 * PermitRootLogin is a four-valued enumeration, not a yes/no flag.  The
 * "yes" and "no" assignments (PERMIT_YES / PERMIT_NO, presumably) are on
 * lines not shown on this page; anything else is fatal.
 */
566 case sPermitRootLogin:
567 intptr = &options->permit_root_login;
569 if (!arg || *arg == '\0')
570 fatal("%s line %d: missing yes/"
571 "without-password/forced-commands-only/no "
572 "argument.", filename, linenum);
573 value = 0; /* silence compiler */
574 if (strcmp(arg, "without-password") == 0)
575 value = PERMIT_NO_PASSWD;
576 else if (strcmp(arg, "forced-commands-only") == 0)
577 value = PERMIT_FORCED_ONLY;
578 else if (strcmp(arg, "yes") == 0)
580 else if (strcmp(arg, "no") == 0)
583 fatal("%s line %d: Bad yes/"
584 "without-password/forced-commands-only/no "
585 "argument: %s", filename, linenum, arg);
/*
 * Shared yes/no parser.  The long run of "intptr = &options->..." cases
 * that follows appears to fall through to this code; the label, the
 * "yes"/"no" value assignments and the final store through intptr are on
 * lines not shown on this page.  Only exact "yes" / "no" are accepted;
 * anything else is fatal.
 */
591 intptr = &options->ignore_rhosts;
594 if (!arg || *arg == '\0')
595 fatal("%s line %d: missing yes/no argument.",
597 value = 0; /* silence compiler */
598 if (strcmp(arg, "yes") == 0)
600 else if (strcmp(arg, "no") == 0)
603 fatal("%s line %d: Bad yes/no argument: %s",
604 filename, linenum, arg);
609 case sIgnoreUserKnownHosts:
610 intptr = &options->ignore_user_known_hosts;
613 case sRhostsRSAAuthentication:
614 intptr = &options->rhosts_rsa_authentication;
617 case sHostbasedAuthentication:
618 intptr = &options->hostbased_authentication;
621 case sHostbasedUsesNameFromPacketOnly:
622 intptr = &options->hostbased_uses_name_from_packet_only;
625 case sRSAAuthentication:
626 intptr = &options->rsa_authentication;
629 case sPubkeyAuthentication:
630 intptr = &options->pubkey_authentication;
633 case sKerberosAuthentication:
634 intptr = &options->kerberos_authentication;
637 case sKerberosOrLocalPasswd:
638 intptr = &options->kerberos_or_local_passwd;
641 case sKerberosTicketCleanup:
642 intptr = &options->kerberos_ticket_cleanup;
645 case sKerberosGetAFSToken:
646 intptr = &options->kerberos_get_afs_token;
649 case sGssAuthentication:
650 intptr = &options->gss_authentication;
653 case sGssCleanupCreds:
654 intptr = &options->gss_cleanup_creds;
657 case sPasswordAuthentication:
658 intptr = &options->password_authentication;
661 case sKbdInteractiveAuthentication:
662 intptr = &options->kbd_interactive_authentication;
665 case sChallengeResponseAuthentication:
666 intptr = &options->challenge_response_authentication;
670 intptr = &options->print_motd;
674 intptr = &options->print_lastlog;
678 intptr = &options->x11_forwarding;
681 case sX11DisplayOffset:
682 intptr = &options->x11_display_offset;
685 case sX11UseLocalhost:
686 intptr = &options->x11_use_localhost;
690 charptr = &options->xauth_location;
694 intptr = &options->strict_modes;
698 intptr = &options->tcp_keep_alive;
702 intptr = &options->permit_empty_passwd;
705 case sPermitUserEnvironment:
706 intptr = &options->permit_user_env;
710 intptr = &options->use_login;
714 intptr = &options->compression;
718 intptr = &options->gateway_ports;
722 intptr = &options->use_dns;
/*
 * SyslogFacility / LogLevel: the enum-typed field is written through an
 * (int *) cast.  This relies on the enum's underlying type being int-sized
 * and int-compatible -- a strict-aliasing grey area to keep in mind if
 * these enums ever get a fixed underlying type.  arg can be NULL here
 * (strdelim() returns NULL at end of line, see the loops below), which the
 * "<NONE>" fallback in the message anticipates; log_facility_number() is
 * assumed to tolerate a NULL argument -- confirm in its definition.
 */
726 intptr = (int *) &options->log_facility;
728 value = log_facility_number(arg);
729 if (value == SYSLOG_FACILITY_NOT_SET)
730 fatal("%.200s line %d: unsupported log facility '%s'",
731 filename, linenum, arg ? arg : "<NONE>");
733 *intptr = (SyslogFacility) value;
737 intptr = (int *) &options->log_level;
739 value = log_level_number(arg);
740 if (value == SYSLOG_LEVEL_NOT_SET)
741 fatal("%.200s line %d: unsupported log level '%s'",
742 filename, linenum, arg ? arg : "<NONE>");
744 *intptr = (LogLevel) value;
747 case sAllowTcpForwarding:
748 intptr = &options->allow_tcp_forwarding;
/* UsePrivilegeSeparation writes the global use_privsep (declared extern
 * near the top of the file), not a field of *options. */
751 case sUsePrivilegeSeparation:
752 intptr = &use_privsep;
/*
 * AllowUsers / DenyUsers / AllowGroups / DenyGroups: every whitespace
 * separated token on the line is copied with xstrdup() and appended.  The
 * lists grow across repeated directives; each MAX_* limit is enforced
 * before the store.  The xstrdup() calls for the first three lists are on
 * continuation lines not shown on this page.
 */
756 while ((arg = strdelim(&cp)) && *arg != '\0') {
757 if (options->num_allow_users >= MAX_ALLOW_USERS)
758 fatal("%s line %d: too many allow users.",
760 options->allow_users[options->num_allow_users++] =
766 while ((arg = strdelim(&cp)) && *arg != '\0') {
767 if (options->num_deny_users >= MAX_DENY_USERS)
768 fatal( "%s line %d: too many deny users.",
770 options->deny_users[options->num_deny_users++] =
776 while ((arg = strdelim(&cp)) && *arg != '\0') {
777 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
778 fatal("%s line %d: too many allow groups.",
780 options->allow_groups[options->num_allow_groups++] =
786 while ((arg = strdelim(&cp)) && *arg != '\0') {
787 if (options->num_deny_groups >= MAX_DENY_GROUPS)
788 fatal("%s line %d: too many deny groups.",
790 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
/*
 * Ciphers / MACs: the spec string is validated (ciphers_valid() here; the
 * matching MAC check sits on the line before 810, not shown) before it is
 * stored, and only a still-unset field is written -- first directive
 * wins.
 */
796 if (!arg || *arg == '\0')
797 fatal("%s line %d: Missing argument.", filename, linenum);
798 if (!ciphers_valid(arg))
799 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
800 filename, linenum, arg ? arg : "<NONE>");
801 if (options->ciphers == NULL)
802 options->ciphers = xstrdup(arg);
807 if (!arg || *arg == '\0')
808 fatal("%s line %d: Missing argument.", filename, linenum);
810 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
811 filename, linenum, arg ? arg : "<NONE>");
812 if (options->macs == NULL)
813 options->macs = xstrdup(arg);
/* Protocol: proto_spec() returns SSH_PROTO_UNKNOWN for a bad spec (fatal);
 * the store that follows the sentinel check is on a line not shown. */
817 intptr = &options->protocol;
819 if (!arg || *arg == '\0')
820 fatal("%s line %d: Missing argument.", filename, linenum);
821 value = proto_spec(arg);
822 if (value == SSH_PROTO_UNKNOWN)
823 fatal("%s line %d: Bad protocol spec '%s'.",
824 filename, linenum, arg ? arg : "<NONE>");
825 if (*intptr == SSH_PROTO_UNKNOWN)
/*
 * Subsystem NAME COMMAND: bounded by MAX_SUBSYSTEMS, and a name that is
 * already defined is rejected rather than silently replaced.  The name is
 * stored before the command is read; a missing command is fatal, so the
 * half-filled entry never becomes visible.
 */
830 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
831 fatal("%s line %d: too many subsystems defined.",
835 if (!arg || *arg == '\0')
836 fatal("%s line %d: Missing subsystem name.",
838 for (i = 0; i < options->num_subsystems; i++)
839 if (strcmp(arg, options->subsystem_name[i]) == 0)
840 fatal("%s line %d: Subsystem '%s' already defined.",
841 filename, linenum, arg);
842 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
844 if (!arg || *arg == '\0')
845 fatal("%s line %d: Missing subsystem command.",
847 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
848 options->num_subsystems++;
/*
 * MaxStartups "begin:rate:full" or a single number.  sscanf() writes the
 * three fields in place before they are validated: on the three-field
 * path the range checks (begin <= full, 1 <= rate <= 100) run on the
 * stored values and any violation is fatal; any other match count except
 * 1 is fatal (that test is on a line not shown); with a single number
 * only begin was written and it is copied into full.
 */
853 if (!arg || *arg == '\0')
854 fatal("%s line %d: Missing MaxStartups spec.",
856 if ((n = sscanf(arg, "%d:%d:%d",
857 &options->max_startups_begin,
858 &options->max_startups_rate,
859 &options->max_startups)) == 3) {
860 if (options->max_startups_begin >
861 options->max_startups ||
862 options->max_startups_rate > 100 ||
863 options->max_startups_rate < 1)
864 fatal("%s line %d: Illegal MaxStartups spec.",
867 fatal("%s line %d: Illegal MaxStartups spec.",
870 options->max_startups = options->max_startups_begin;
874 charptr = &options->banner;
877 * These options can contain %X options expanded at
878 * connect time, so that you can specify paths like:
880 * AuthorizedKeysFile /etc/ssh_keys/%u
/* The string is stored verbatim here; the %-expansion described above
 * (and any validation of the expanded path) happens at connect time in
 * code outside this file. */
882 case sAuthorizedKeysFile:
883 case sAuthorizedKeysFile2:
884 charptr = (opcode == sAuthorizedKeysFile ) ?
885 &options->authorized_keys_file :
886 &options->authorized_keys_file2;
889 case sClientAliveInterval:
890 intptr = &options->client_alive_interval;
893 case sClientAliveCountMax:
894 intptr = &options->client_alive_count_max;
/*
 * AcceptEnv: by its name and the "allow env" message, the allow-list of
 * environment variable names accepted from clients.  A token containing
 * '=' is rejected (it would be a value, not a name) and the list is
 * capped at MAX_ACCEPT_ENV; the xstrdup() is on a continuation line not
 * shown here.
 */
898 while ((arg = strdelim(&cp)) && *arg != '\0') {
899 if (strchr(arg, '=') != NULL)
900 fatal("%s line %d: Invalid environment name.",
902 if (options->num_accept_env >= MAX_ACCEPT_ENV)
903 fatal("%s line %d: too many allow env.",
905 options->accept_env[options->num_accept_env++] =
/* Deprecated and unsupported keywords are logged with logit() and
 * otherwise ignored; they are not configuration errors. */
911 logit("%s line %d: Deprecated option %s",
912 filename, linenum, arg);
918 logit("%s line %d: Unsupported option %s",
919 filename, linenum, arg);
/* An opcode without a handler is fatal, so a keyword added to the table
 * without a matching case fails loudly instead of being ignored. */
925 fatal("%s line %d: Missing handler for opcode %s (%d)",
926 filename, linenum, arg, opcode);
/* Trailing tokens are fatal: a directive with extra words cannot pass as a
 * valid one.  The garbage is echoed length-limited with %.200s. */
928 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
929 fatal("%s line %d: garbage at end of line; \"%.200s\".",
930 filename, linenum, arg);
934 /* Reads the server configuration file. */
/*
 * Every line is handed to process_server_config_line(); a non-zero result
 * is counted as a bad option and, once the whole file has been read, any
 * bad option is fatal, so all errors of that kind are reported before the
 * daemon stops.  The fopen() failure path, the line buffer declaration
 * and the bad_options increment are on lines not shown on this page.  No
 * ownership or permission check on the configuration file is visible in
 * this function.
 *
 * NOTE(review): fgets() returns at most sizeof(line) - 1 bytes per call,
 * so a physical line longer than the buffer reaches the parser as two
 * logical lines; the remainder is parsed as a directive of its own and
 * will typically be reported as an unknown option.
 */
937 read_server_config(ServerOptions *options, const char *filename)
939 int linenum, bad_options = 0;
943 debug2("read_server_config: filename %s", filename);
944 f = fopen(filename, "r");
950 while (fgets(line, sizeof(line), f)) {
951 /* Update line number counter. */
953 if (process_server_config_line(options, line, filename, linenum) != 0)
958 fatal("%s: terminating, %d bad configuration options",
959 filename, bad_options);