2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.111 2002/06/20 23:05:55 markus Exp $");
22 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
24 #define KEYFILE "/etc/krb5.keytab"
36 #include "pathnames.h"
37 #include "tildexpand.h"
43 static void add_listen_addr(ServerOptions *, char *, u_short);
44 static void add_one_listen_addr(ServerOptions *, char *, u_short);
46 /* AF_UNSPEC or AF_INET or AF_INET6 */
48 /* Use of privilege separation or not */
49 extern int use_privsep;
51 /* Initializes the server options to their default values. */
54 initialize_server_options(ServerOptions *options)
56 memset(options, 0, sizeof(*options));
58 /* Portable-specific options */
59 options->pam_authentication_via_kbd_int = -1;
61 /* Standard Options */
62 options->num_ports = 0;
63 options->ports_from_cmdline = 0;
64 options->listen_addrs = NULL;
65 options->num_host_key_files = 0;
66 options->pid_file = NULL;
67 options->server_key_bits = -1;
68 options->login_grace_time = -1;
69 options->key_regeneration_time = -1;
70 options->permit_root_login = PERMIT_NOT_SET;
71 options->ignore_rhosts = -1;
72 options->ignore_user_known_hosts = -1;
73 options->print_motd = -1;
74 options->print_lastlog = -1;
75 options->x11_forwarding = -1;
76 options->x11_display_offset = -1;
77 options->x11_use_localhost = -1;
78 options->xauth_location = NULL;
79 options->strict_modes = -1;
80 options->keepalives = -1;
81 options->log_facility = SYSLOG_FACILITY_NOT_SET;
82 options->log_level = SYSLOG_LEVEL_NOT_SET;
83 options->rhosts_authentication = -1;
84 options->rhosts_rsa_authentication = -1;
85 options->hostbased_authentication = -1;
86 options->hostbased_uses_name_from_packet_only = -1;
87 options->rsa_authentication = -1;
88 options->pubkey_authentication = -1;
89 #if defined(KRB4) || defined(KRB5)
90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
94 #if defined(AFS) || defined(KRB5)
95 options->kerberos_tgt_passing = -1;
98 options->afs_token_passing = -1;
100 options->password_authentication = -1;
101 options->kbd_interactive_authentication = -1;
102 options->challenge_response_authentication = -1;
103 options->permit_empty_passwd = -1;
104 options->use_login = -1;
105 options->compression = -1;
106 options->allow_tcp_forwarding = -1;
107 options->num_allow_users = 0;
108 options->num_deny_users = 0;
109 options->num_allow_groups = 0;
110 options->num_deny_groups = 0;
111 options->ciphers = NULL;
112 options->macs = NULL;
113 options->protocol = SSH_PROTO_UNKNOWN;
114 options->gateway_ports = -1;
115 options->num_subsystems = 0;
116 options->max_startups_begin = -1;
117 options->max_startups_rate = -1;
118 options->max_startups = -1;
119 options->banner = NULL;
120 options->verify_reverse_mapping = -1;
121 options->client_alive_interval = -1;
122 options->client_alive_count_max = -1;
123 options->authorized_keys_file = NULL;
124 options->authorized_keys_file2 = NULL;
126 /* Needs to be accessable in many places */
131 fill_default_server_options(ServerOptions *options)
133 /* Portable-specific options */
134 if (options->pam_authentication_via_kbd_int == -1)
135 options->pam_authentication_via_kbd_int = 0;
137 /* Standard Options */
138 if (options->protocol == SSH_PROTO_UNKNOWN)
139 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
140 if (options->num_host_key_files == 0) {
141 /* fill default hostkeys for protocols */
142 if (options->protocol & SSH_PROTO_1)
143 options->host_key_files[options->num_host_key_files++] =
145 if (options->protocol & SSH_PROTO_2) {
146 options->host_key_files[options->num_host_key_files++] =
147 _PATH_HOST_RSA_KEY_FILE;
148 options->host_key_files[options->num_host_key_files++] =
149 _PATH_HOST_DSA_KEY_FILE;
152 if (options->num_ports == 0)
153 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
154 if (options->listen_addrs == NULL)
155 add_listen_addr(options, NULL, 0);
156 if (options->pid_file == NULL)
157 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
158 if (options->server_key_bits == -1)
159 options->server_key_bits = 768;
160 if (options->login_grace_time == -1)
161 options->login_grace_time = 600;
162 if (options->key_regeneration_time == -1)
163 options->key_regeneration_time = 3600;
164 if (options->permit_root_login == PERMIT_NOT_SET)
165 options->permit_root_login = PERMIT_YES;
166 if (options->ignore_rhosts == -1)
167 options->ignore_rhosts = 1;
168 if (options->ignore_user_known_hosts == -1)
169 options->ignore_user_known_hosts = 0;
170 if (options->print_motd == -1)
171 options->print_motd = 1;
172 if (options->print_lastlog == -1)
173 options->print_lastlog = 1;
174 if (options->x11_forwarding == -1)
175 options->x11_forwarding = 0;
176 if (options->x11_display_offset == -1)
177 options->x11_display_offset = 10;
178 if (options->x11_use_localhost == -1)
179 options->x11_use_localhost = 1;
180 if (options->xauth_location == NULL)
181 options->xauth_location = _PATH_XAUTH;
182 if (options->strict_modes == -1)
183 options->strict_modes = 1;
184 if (options->keepalives == -1)
185 options->keepalives = 1;
186 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
187 options->log_facility = SYSLOG_FACILITY_AUTH;
188 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
189 options->log_level = SYSLOG_LEVEL_INFO;
190 if (options->rhosts_authentication == -1)
191 options->rhosts_authentication = 0;
192 if (options->rhosts_rsa_authentication == -1)
193 options->rhosts_rsa_authentication = 0;
194 if (options->hostbased_authentication == -1)
195 options->hostbased_authentication = 0;
196 if (options->hostbased_uses_name_from_packet_only == -1)
197 options->hostbased_uses_name_from_packet_only = 0;
198 if (options->rsa_authentication == -1)
199 options->rsa_authentication = 1;
200 if (options->pubkey_authentication == -1)
201 options->pubkey_authentication = 1;
202 #if defined(KRB4) || defined(KRB5)
203 if (options->kerberos_authentication == -1)
204 options->kerberos_authentication = 0;
205 if (options->kerberos_or_local_passwd == -1)
206 options->kerberos_or_local_passwd = 1;
207 if (options->kerberos_ticket_cleanup == -1)
208 options->kerberos_ticket_cleanup = 1;
210 #if defined(AFS) || defined(KRB5)
211 if (options->kerberos_tgt_passing == -1)
212 options->kerberos_tgt_passing = 0;
215 if (options->afs_token_passing == -1)
216 options->afs_token_passing = 0;
218 if (options->password_authentication == -1)
219 options->password_authentication = 1;
220 if (options->kbd_interactive_authentication == -1)
221 options->kbd_interactive_authentication = 0;
222 if (options->challenge_response_authentication == -1)
223 options->challenge_response_authentication = 1;
224 if (options->permit_empty_passwd == -1)
225 options->permit_empty_passwd = 0;
226 if (options->use_login == -1)
227 options->use_login = 0;
228 if (options->compression == -1)
229 options->compression = 1;
230 if (options->allow_tcp_forwarding == -1)
231 options->allow_tcp_forwarding = 1;
232 if (options->gateway_ports == -1)
233 options->gateway_ports = 0;
234 if (options->max_startups == -1)
235 options->max_startups = 10;
236 if (options->max_startups_rate == -1)
237 options->max_startups_rate = 100; /* 100% */
238 if (options->max_startups_begin == -1)
239 options->max_startups_begin = options->max_startups;
240 if (options->verify_reverse_mapping == -1)
241 options->verify_reverse_mapping = 0;
242 if (options->client_alive_interval == -1)
243 options->client_alive_interval = 0;
244 if (options->client_alive_count_max == -1)
245 options->client_alive_count_max = 3;
246 if (options->authorized_keys_file2 == NULL) {
247 /* authorized_keys_file2 falls back to authorized_keys_file */
248 if (options->authorized_keys_file != NULL)
249 options->authorized_keys_file2 = options->authorized_keys_file;
251 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
253 if (options->authorized_keys_file == NULL)
254 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
256 /* Turn privilege separation on by default */
257 if (use_privsep == -1)
261 /* Keyword tokens. */
263 sBadOption, /* == unknown option */
264 /* Portable-specific options */
265 sPAMAuthenticationViaKbdInt,
266 /* Standard Options */
267 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
268 sPermitRootLogin, sLogFacility, sLogLevel,
269 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
270 #if defined(KRB4) || defined(KRB5)
271 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
273 #if defined(AFS) || defined(KRB5)
279 sChallengeResponseAuthentication,
280 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
281 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
282 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
283 sStrictModes, sEmptyPasswd, sKeepAlives,
284 sUseLogin, sAllowTcpForwarding, sCompression,
285 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
286 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
287 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
288 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
289 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
290 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
291 sUsePrivilegeSeparation,
295 /* Textual representation of the tokens. */
298 ServerOpCodes opcode;
300 /* Portable-specific options */
301 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
302 /* Standard Options */
304 { "hostkey", sHostKeyFile },
305 { "hostdsakey", sHostKeyFile }, /* alias */
306 { "pidfile", sPidFile },
307 { "serverkeybits", sServerKeyBits },
308 { "logingracetime", sLoginGraceTime },
309 { "keyregenerationinterval", sKeyRegenerationTime },
310 { "permitrootlogin", sPermitRootLogin },
311 { "syslogfacility", sLogFacility },
312 { "loglevel", sLogLevel },
313 { "rhostsauthentication", sRhostsAuthentication },
314 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
315 { "hostbasedauthentication", sHostbasedAuthentication },
316 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
317 { "rsaauthentication", sRSAAuthentication },
318 { "pubkeyauthentication", sPubkeyAuthentication },
319 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
320 #if defined(KRB4) || defined(KRB5)
321 { "kerberosauthentication", sKerberosAuthentication },
322 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
323 { "kerberosticketcleanup", sKerberosTicketCleanup },
325 #if defined(AFS) || defined(KRB5)
326 { "kerberostgtpassing", sKerberosTgtPassing },
329 { "afstokenpassing", sAFSTokenPassing },
331 { "passwordauthentication", sPasswordAuthentication },
332 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
333 { "challengeresponseauthentication", sChallengeResponseAuthentication },
334 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
335 { "checkmail", sDeprecated },
336 { "listenaddress", sListenAddress },
337 { "printmotd", sPrintMotd },
338 { "printlastlog", sPrintLastLog },
339 { "ignorerhosts", sIgnoreRhosts },
340 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
341 { "x11forwarding", sX11Forwarding },
342 { "x11displayoffset", sX11DisplayOffset },
343 { "x11uselocalhost", sX11UseLocalhost },
344 { "xauthlocation", sXAuthLocation },
345 { "strictmodes", sStrictModes },
346 { "permitemptypasswords", sEmptyPasswd },
347 { "uselogin", sUseLogin },
348 { "compression", sCompression },
349 { "keepalive", sKeepAlives },
350 { "allowtcpforwarding", sAllowTcpForwarding },
351 { "allowusers", sAllowUsers },
352 { "denyusers", sDenyUsers },
353 { "allowgroups", sAllowGroups },
354 { "denygroups", sDenyGroups },
355 { "ciphers", sCiphers },
357 { "protocol", sProtocol },
358 { "gatewayports", sGatewayPorts },
359 { "subsystem", sSubsystem },
360 { "maxstartups", sMaxStartups },
361 { "banner", sBanner },
362 { "verifyreversemapping", sVerifyReverseMapping },
363 { "reversemappingcheck", sVerifyReverseMapping },
364 { "clientaliveinterval", sClientAliveInterval },
365 { "clientalivecountmax", sClientAliveCountMax },
366 { "authorizedkeysfile", sAuthorizedKeysFile },
367 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
368 { "useprivilegeseparation", sUsePrivilegeSeparation},
373 * Returns the number of the token pointed to by cp or sBadOption.
377 parse_token(const char *cp, const char *filename,
382 for (i = 0; keywords[i].name; i++)
383 if (strcasecmp(cp, keywords[i].name) == 0)
384 return keywords[i].opcode;
386 error("%s: line %d: Bad configuration option: %s",
387 filename, linenum, cp);
392 add_listen_addr(ServerOptions *options, char *addr, u_short port)
396 if (options->num_ports == 0)
397 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
399 for (i = 0; i < options->num_ports; i++)
400 add_one_listen_addr(options, addr, options->ports[i]);
402 add_one_listen_addr(options, addr, port);
406 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
408 struct addrinfo hints, *ai, *aitop;
409 char strport[NI_MAXSERV];
412 memset(&hints, 0, sizeof(hints));
413 hints.ai_family = IPv4or6;
414 hints.ai_socktype = SOCK_STREAM;
415 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
416 snprintf(strport, sizeof strport, "%d", port);
417 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
418 fatal("bad addr or host: %s (%s)",
419 addr ? addr : "<NULL>",
420 gai_strerror(gaierr));
421 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
423 ai->ai_next = options->listen_addrs;
424 options->listen_addrs = aitop;
428 process_server_config_line(ServerOptions *options, char *line,
429 const char *filename, int linenum)
431 char *cp, **charptr, *arg, *p;
433 ServerOpCodes opcode;
438 /* Ignore leading whitespace */
441 if (!arg || !*arg || *arg == '#')
445 opcode = parse_token(arg, filename, linenum);
447 /* Portable-specific options */
448 case sPAMAuthenticationViaKbdInt:
449 intptr = &options->pam_authentication_via_kbd_int;
452 /* Standard Options */
456 /* ignore ports from configfile if cmdline specifies ports */
457 if (options->ports_from_cmdline)
459 if (options->listen_addrs != NULL)
460 fatal("%s line %d: ports must be specified before "
461 "ListenAddress.", filename, linenum);
462 if (options->num_ports >= MAX_PORTS)
463 fatal("%s line %d: too many ports.",
466 if (!arg || *arg == '\0')
467 fatal("%s line %d: missing port number.",
469 options->ports[options->num_ports++] = a2port(arg);
470 if (options->ports[options->num_ports-1] == 0)
471 fatal("%s line %d: Badly formatted port number.",
476 intptr = &options->server_key_bits;
479 if (!arg || *arg == '\0')
480 fatal("%s line %d: missing integer value.",
487 case sLoginGraceTime:
488 intptr = &options->login_grace_time;
491 if (!arg || *arg == '\0')
492 fatal("%s line %d: missing time value.",
494 if ((value = convtime(arg)) == -1)
495 fatal("%s line %d: invalid time value.",
501 case sKeyRegenerationTime:
502 intptr = &options->key_regeneration_time;
507 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
508 fatal("%s line %d: missing inet addr.",
511 if ((p = strchr(arg, ']')) == NULL)
512 fatal("%s line %d: bad ipv6 inet addr usage.",
515 memmove(p, p+1, strlen(p+1)+1);
516 } else if (((p = strchr(arg, ':')) == NULL) ||
517 (strchr(p+1, ':') != NULL)) {
518 add_listen_addr(options, arg, 0);
526 fatal("%s line %d: bad inet addr:port usage.",
530 if ((port = a2port(p)) == 0)
531 fatal("%s line %d: bad port number.",
533 add_listen_addr(options, arg, port);
535 } else if (*p == '\0')
536 add_listen_addr(options, arg, 0);
538 fatal("%s line %d: bad inet addr usage.",
543 intptr = &options->num_host_key_files;
544 if (*intptr >= MAX_HOSTKEYS)
545 fatal("%s line %d: too many host keys specified (max %d).",
546 filename, linenum, MAX_HOSTKEYS);
547 charptr = &options->host_key_files[*intptr];
550 if (!arg || *arg == '\0')
551 fatal("%s line %d: missing file name.",
553 if (*charptr == NULL) {
554 *charptr = tilde_expand_filename(arg, getuid());
555 /* increase optional counter */
557 *intptr = *intptr + 1;
562 charptr = &options->pid_file;
565 case sPermitRootLogin:
566 intptr = &options->permit_root_login;
568 if (!arg || *arg == '\0')
569 fatal("%s line %d: missing yes/"
570 "without-password/forced-commands-only/no "
571 "argument.", filename, linenum);
572 value = 0; /* silence compiler */
573 if (strcmp(arg, "without-password") == 0)
574 value = PERMIT_NO_PASSWD;
575 else if (strcmp(arg, "forced-commands-only") == 0)
576 value = PERMIT_FORCED_ONLY;
577 else if (strcmp(arg, "yes") == 0)
579 else if (strcmp(arg, "no") == 0)
582 fatal("%s line %d: Bad yes/"
583 "without-password/forced-commands-only/no "
584 "argument: %s", filename, linenum, arg);
590 intptr = &options->ignore_rhosts;
593 if (!arg || *arg == '\0')
594 fatal("%s line %d: missing yes/no argument.",
596 value = 0; /* silence compiler */
597 if (strcmp(arg, "yes") == 0)
599 else if (strcmp(arg, "no") == 0)
602 fatal("%s line %d: Bad yes/no argument: %s",
603 filename, linenum, arg);
608 case sIgnoreUserKnownHosts:
609 intptr = &options->ignore_user_known_hosts;
612 case sRhostsAuthentication:
613 intptr = &options->rhosts_authentication;
616 case sRhostsRSAAuthentication:
617 intptr = &options->rhosts_rsa_authentication;
620 case sHostbasedAuthentication:
621 intptr = &options->hostbased_authentication;
624 case sHostbasedUsesNameFromPacketOnly:
625 intptr = &options->hostbased_uses_name_from_packet_only;
628 case sRSAAuthentication:
629 intptr = &options->rsa_authentication;
632 case sPubkeyAuthentication:
633 intptr = &options->pubkey_authentication;
635 #if defined(KRB4) || defined(KRB5)
636 case sKerberosAuthentication:
637 intptr = &options->kerberos_authentication;
640 case sKerberosOrLocalPasswd:
641 intptr = &options->kerberos_or_local_passwd;
644 case sKerberosTicketCleanup:
645 intptr = &options->kerberos_ticket_cleanup;
648 #if defined(AFS) || defined(KRB5)
649 case sKerberosTgtPassing:
650 intptr = &options->kerberos_tgt_passing;
654 case sAFSTokenPassing:
655 intptr = &options->afs_token_passing;
659 case sPasswordAuthentication:
660 intptr = &options->password_authentication;
663 case sKbdInteractiveAuthentication:
664 intptr = &options->kbd_interactive_authentication;
667 case sChallengeResponseAuthentication:
668 intptr = &options->challenge_response_authentication;
672 intptr = &options->print_motd;
676 intptr = &options->print_lastlog;
680 intptr = &options->x11_forwarding;
683 case sX11DisplayOffset:
684 intptr = &options->x11_display_offset;
687 case sX11UseLocalhost:
688 intptr = &options->x11_use_localhost;
692 charptr = &options->xauth_location;
696 intptr = &options->strict_modes;
700 intptr = &options->keepalives;
704 intptr = &options->permit_empty_passwd;
708 intptr = &options->use_login;
712 intptr = &options->compression;
716 intptr = &options->gateway_ports;
719 case sVerifyReverseMapping:
720 intptr = &options->verify_reverse_mapping;
724 intptr = (int *) &options->log_facility;
726 value = log_facility_number(arg);
727 if (value == SYSLOG_FACILITY_NOT_SET)
728 fatal("%.200s line %d: unsupported log facility '%s'",
729 filename, linenum, arg ? arg : "<NONE>");
731 *intptr = (SyslogFacility) value;
735 intptr = (int *) &options->log_level;
737 value = log_level_number(arg);
738 if (value == SYSLOG_LEVEL_NOT_SET)
739 fatal("%.200s line %d: unsupported log level '%s'",
740 filename, linenum, arg ? arg : "<NONE>");
742 *intptr = (LogLevel) value;
745 case sAllowTcpForwarding:
746 intptr = &options->allow_tcp_forwarding;
749 case sUsePrivilegeSeparation:
750 intptr = &use_privsep;
754 while ((arg = strdelim(&cp)) && *arg != '\0') {
755 if (options->num_allow_users >= MAX_ALLOW_USERS)
756 fatal("%s line %d: too many allow users.",
758 options->allow_users[options->num_allow_users++] = xstrdup(arg);
763 while ((arg = strdelim(&cp)) && *arg != '\0') {
764 if (options->num_deny_users >= MAX_DENY_USERS)
765 fatal( "%s line %d: too many deny users.",
767 options->deny_users[options->num_deny_users++] = xstrdup(arg);
772 while ((arg = strdelim(&cp)) && *arg != '\0') {
773 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
774 fatal("%s line %d: too many allow groups.",
776 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
781 while ((arg = strdelim(&cp)) && *arg != '\0') {
782 if (options->num_deny_groups >= MAX_DENY_GROUPS)
783 fatal("%s line %d: too many deny groups.",
785 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
791 if (!arg || *arg == '\0')
792 fatal("%s line %d: Missing argument.", filename, linenum);
793 if (!ciphers_valid(arg))
794 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
795 filename, linenum, arg ? arg : "<NONE>");
796 if (options->ciphers == NULL)
797 options->ciphers = xstrdup(arg);
802 if (!arg || *arg == '\0')
803 fatal("%s line %d: Missing argument.", filename, linenum);
805 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
806 filename, linenum, arg ? arg : "<NONE>");
807 if (options->macs == NULL)
808 options->macs = xstrdup(arg);
812 intptr = &options->protocol;
814 if (!arg || *arg == '\0')
815 fatal("%s line %d: Missing argument.", filename, linenum);
816 value = proto_spec(arg);
817 if (value == SSH_PROTO_UNKNOWN)
818 fatal("%s line %d: Bad protocol spec '%s'.",
819 filename, linenum, arg ? arg : "<NONE>");
820 if (*intptr == SSH_PROTO_UNKNOWN)
825 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
826 fatal("%s line %d: too many subsystems defined.",
830 if (!arg || *arg == '\0')
831 fatal("%s line %d: Missing subsystem name.",
833 for (i = 0; i < options->num_subsystems; i++)
834 if (strcmp(arg, options->subsystem_name[i]) == 0)
835 fatal("%s line %d: Subsystem '%s' already defined.",
836 filename, linenum, arg);
837 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
839 if (!arg || *arg == '\0')
840 fatal("%s line %d: Missing subsystem command.",
842 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
843 options->num_subsystems++;
848 if (!arg || *arg == '\0')
849 fatal("%s line %d: Missing MaxStartups spec.",
851 if ((n = sscanf(arg, "%d:%d:%d",
852 &options->max_startups_begin,
853 &options->max_startups_rate,
854 &options->max_startups)) == 3) {
855 if (options->max_startups_begin >
856 options->max_startups ||
857 options->max_startups_rate > 100 ||
858 options->max_startups_rate < 1)
859 fatal("%s line %d: Illegal MaxStartups spec.",
862 fatal("%s line %d: Illegal MaxStartups spec.",
865 options->max_startups = options->max_startups_begin;
869 charptr = &options->banner;
872 * These options can contain %X options expanded at
873 * connect time, so that you can specify paths like:
875 * AuthorizedKeysFile /etc/ssh_keys/%u
877 case sAuthorizedKeysFile:
878 case sAuthorizedKeysFile2:
879 charptr = (opcode == sAuthorizedKeysFile ) ?
880 &options->authorized_keys_file :
881 &options->authorized_keys_file2;
884 case sClientAliveInterval:
885 intptr = &options->client_alive_interval;
888 case sClientAliveCountMax:
889 intptr = &options->client_alive_count_max;
893 log("%s line %d: Deprecated option %s",
894 filename, linenum, arg);
900 fatal("%s line %d: Missing handler for opcode %s (%d)",
901 filename, linenum, arg, opcode);
903 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
904 fatal("%s line %d: garbage at end of line; \"%.200s\".",
905 filename, linenum, arg);
909 /* Reads the server configuration file. */
912 read_server_config(ServerOptions *options, const char *filename)
919 f = fopen(filename, "r");
925 while (fgets(line, sizeof(line), f)) {
926 /* Update line number counter. */
928 if (process_server_config_line(options, line, filename, linenum) != 0)
933 fatal("%s: terminating, %d bad configuration options",
934 filename, bad_options);