servconf.c

   1 /*
   2
   3 servconf.c
   4
   5 Author: Tatu Ylonen <ylo@cs.hut.fi>
   6
   7 Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
   8                    All rights reserved
   9
  10 Created: Mon Aug 21 15:48:58 1995 ylo
  11
  12 */
  13
  14 #include "includes.h"
  15 RCSID("$Id$");
  16
  17 #include "ssh.h"
  18 #include "servconf.h"
  19 #include "xmalloc.h"
  20
  21 /* Initializes the server options to their default values. */
  22
  23 void initialize_server_options(ServerOptions *options)
  24 {
  25   memset(options, 0, sizeof(*options));
  26   options->port = -1;
  27   options->listen_addr.s_addr = htonl(INADDR_ANY);
  28   options->host_key_file = NULL;
  29   options->server_key_bits = -1;
  30   options->login_grace_time = -1;
  31   options->key_regeneration_time = -1;
  32   options->permit_root_login = -1;
  33   options->ignore_rhosts = -1;
  34   options->print_motd = -1;
  35   options->check_mail = -1;
  36   options->x11_forwarding = -1;
  37   options->x11_display_offset = -1;
  38   options->strict_modes = -1;
  39   options->keepalives = -1;
  40   options->log_facility = (SyslogFacility)-1;
  41   options->log_level = (LogLevel)-1;
  42   options->rhosts_authentication = -1;
  43   options->rhosts_rsa_authentication = -1;
  44   options->rsa_authentication = -1;
  45 #ifdef KRB4
  46   options->kerberos_authentication = -1;
  47   options->kerberos_or_local_passwd = -1;
  48   options->kerberos_ticket_cleanup = -1;
  49 #endif
  50 #ifdef AFS
  51   options->kerberos_tgt_passing = -1;
  52   options->afs_token_passing = -1;
  53 #endif
  54   options->password_authentication = -1;
  55 #ifdef SKEY
  56   options->skey_authentication = -1;
  57 #endif
  58   options->permit_empty_passwd = -1;
  59   options->use_login = -1;
  60   options->num_allow_users = 0;
  61   options->num_deny_users = 0;
  62   options->num_allow_groups = 0;
  63   options->num_deny_groups = 0;
  64 }
  65
  66 void fill_default_server_options(ServerOptions *options)
  67 {
  68   if (options->port == -1)
  69     {
  70       struct servent *sp;
  71
  72       sp = getservbyname(SSH_SERVICE_NAME, "tcp");
  73       if (sp)
  74         options->port = ntohs(sp->s_port);
  75       else
  76         options->port = SSH_DEFAULT_PORT;
  77       endservent();
  78     }
  79   if (options->host_key_file == NULL)
  80     options->host_key_file = HOST_KEY_FILE;
  81   if (options->server_key_bits == -1)
  82     options->server_key_bits = 768;
  83   if (options->login_grace_time == -1)
  84     options->login_grace_time = 600;
  85   if (options->key_regeneration_time == -1)
  86     options->key_regeneration_time = 3600;
  87   if (options->permit_root_login == -1)
  88     options->permit_root_login = 1;              /* yes */
  89   if (options->ignore_rhosts == -1)
  90     options->ignore_rhosts = 0;
  91   if (options->check_mail == -1)
  92     options->check_mail = 0;
  93   if (options->print_motd == -1)
  94     options->print_motd = 1;
  95   if (options->x11_forwarding == -1)
  96     options->x11_forwarding = 1;
  97   if (options->x11_display_offset == -1)
  98     options->x11_display_offset = 1;
  99   if (options->strict_modes == -1)
 100     options->strict_modes = 1;
 101   if (options->keepalives == -1)
 102     options->keepalives = 1;
 103   if (options->log_facility == (SyslogFacility)(-1))
 104     options->log_facility = SYSLOG_FACILITY_AUTH;
 105   if (options->log_level == (LogLevel)(-1))
 106     options->log_level = SYSLOG_LEVEL_INFO;
 107   if (options->rhosts_authentication == -1)
 108     options->rhosts_authentication = 0;
 109   if (options->rhosts_rsa_authentication == -1)
 110     options->rhosts_rsa_authentication = 1;
 111   if (options->rsa_authentication == -1)
 112     options->rsa_authentication = 1;
 113 #ifdef KRB4
 114   if (options->kerberos_authentication == -1)
 115     options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
 116   if (options->kerberos_or_local_passwd == -1)
 117     options->kerberos_or_local_passwd = 1;
 118   if (options->kerberos_ticket_cleanup == -1)
 119     options->kerberos_ticket_cleanup = 1;
 120 #endif /* KRB4 */
 121 #ifdef AFS
 122   if (options->kerberos_tgt_passing == -1)
 123     options->kerberos_tgt_passing = 0;
 124   if (options->afs_token_passing == -1)
 125     options->afs_token_passing = k_hasafs();
 126 #endif /* AFS */
 127   if (options->password_authentication == -1)
 128     options->password_authentication = 1;
 129 #ifdef SKEY
 130   if (options->skey_authentication == -1)
 131     options->skey_authentication = 1;
 132 #endif
 133   if (options->permit_empty_passwd == -1)
 134     options->permit_empty_passwd = 1;
 135   if (options->use_login == -1)
 136     options->use_login = 0;
 137 }
 138
 139 #define WHITESPACE " \t\r\n"
 140
 141 /* Keyword tokens. */
 142 typedef enum
 143 {
 144   sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 145   sPermitRootLogin, sLogFacility, sLogLevel,
 146   sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
 147 #ifdef KRB4
 148   sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 149 #endif
 150 #ifdef AFS
 151   sKerberosTgtPassing, sAFSTokenPassing,
 152 #endif
 153 #ifdef SKEY
 154   sSkeyAuthentication,
 155 #endif
 156   sPasswordAuthentication, sListenAddress,
 157   sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
 158   sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
 159   sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups
 160
 161 } ServerOpCodes;
 162
 163 /* Textual representation of the tokens. */
 164 static struct
 165 {
 166   const char *name;
 167   ServerOpCodes opcode;
 168 } keywords[] =
 169 {
 170   { "port", sPort },
 171   { "hostkey", sHostKeyFile },
 172   { "serverkeybits", sServerKeyBits },
 173   { "logingracetime", sLoginGraceTime },
 174   { "keyregenerationinterval", sKeyRegenerationTime },
 175   { "permitrootlogin", sPermitRootLogin },
 176   { "syslogfacility", sLogFacility },
 177   { "loglevel", sLogLevel },
 178   { "rhostsauthentication", sRhostsAuthentication },
 179   { "rhostsrsaauthentication", sRhostsRSAAuthentication },
 180   { "rsaauthentication", sRSAAuthentication },
 181 #ifdef KRB4
 182   { "kerberosauthentication", sKerberosAuthentication },
 183   { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
 184   { "kerberosticketcleanup", sKerberosTicketCleanup },
 185 #endif
 186 #ifdef AFS
 187   { "kerberostgtpassing", sKerberosTgtPassing },
 188   { "afstokenpassing", sAFSTokenPassing },
 189 #endif
 190   { "passwordauthentication", sPasswordAuthentication },
 191 #ifdef SKEY
 192   { "skeyauthentication", sSkeyAuthentication },
 193 #endif
 194   { "checkmail", sCheckMail },
 195   { "listenaddress", sListenAddress },
 196   { "printmotd", sPrintMotd },
 197   { "ignorerhosts", sIgnoreRhosts },
 198   { "x11forwarding", sX11Forwarding },
 199   { "x11displayoffset", sX11DisplayOffset },
 200   { "strictmodes", sStrictModes },
 201   { "permitemptypasswords", sEmptyPasswd },
 202   { "uselogin", sUseLogin },
 203   { "randomseed", sRandomSeedFile },
 204   { "keepalive", sKeepAlives },
 205   { "allowusers", sAllowUsers },
 206   { "denyusers", sDenyUsers },
 207   { "allowgroups", sAllowGroups },
 208   { "denygroups", sDenyGroups },
 209   { NULL, 0 }
 210 };
 211
 212 static struct
 213 {
 214   const char *name;
 215   SyslogFacility facility;
 216 } log_facilities[] =
 217 {
 218   { "DAEMON", SYSLOG_FACILITY_DAEMON },
 219   { "USER", SYSLOG_FACILITY_USER },
 220   { "AUTH", SYSLOG_FACILITY_AUTH },
 221   { "LOCAL0", SYSLOG_FACILITY_LOCAL0 },
 222   { "LOCAL1", SYSLOG_FACILITY_LOCAL1 },
 223   { "LOCAL2", SYSLOG_FACILITY_LOCAL2 },
 224   { "LOCAL3", SYSLOG_FACILITY_LOCAL3 },
 225   { "LOCAL4", SYSLOG_FACILITY_LOCAL4 },
 226   { "LOCAL5", SYSLOG_FACILITY_LOCAL5 },
 227   { "LOCAL6", SYSLOG_FACILITY_LOCAL6 },
 228   { "LOCAL7", SYSLOG_FACILITY_LOCAL7 },
 229   { NULL, 0 }
 230 };
 231
 232 static struct
 233 {
 234   const char *name;
 235   LogLevel level;
 236 } log_levels[] =
 237 {
 238   { "QUIET", SYSLOG_LEVEL_QUIET },
 239   { "FATAL", SYSLOG_LEVEL_FATAL },
 240   { "ERROR", SYSLOG_LEVEL_ERROR },
 241   { "INFO",  SYSLOG_LEVEL_INFO },
 242   { "CHAT",  SYSLOG_LEVEL_CHAT },
 243   { "DEBUG", SYSLOG_LEVEL_DEBUG },
 244   { NULL, 0 }
 245 };
 246
 247 /* Returns the number of the token pointed to by cp of length len.
 248    Never returns if the token is not known. */
 249
 250 static ServerOpCodes parse_token(const char *cp, const char *filename,
 251                                  int linenum)
 252 {
 253   unsigned int i;
 254
 255   for (i = 0; keywords[i].name; i++)
 256     if (strcmp(cp, keywords[i].name) == 0)
 257       return keywords[i].opcode;
 258
 259   fprintf(stderr, "%s line %d: Bad configuration option: %s\n",
 260           filename, linenum, cp);
 261   exit(1);
 262 }
 263
 264 /* Reads the server configuration file. */
 265
 266 void read_server_config(ServerOptions *options, const char *filename)
 267 {
 268   FILE *f;
 269   char line[1024];
 270   char *cp, **charptr;
 271   int linenum, *intptr, i, value;
 272   ServerOpCodes opcode;
 273
 274   f = fopen(filename, "r");
 275   if (!f)
 276     {
 277       perror(filename);
 278       exit(1);
 279     }
 280
 281   linenum = 0;
 282   while (fgets(line, sizeof(line), f))
 283     {
 284       linenum++;
 285       cp = line + strspn(line, WHITESPACE);
 286       if (!*cp || *cp == '#')
 287         continue;
 288       cp = strtok(cp, WHITESPACE);
 289       {
 290         char *t = cp;
 291         for (; *t != 0; t++)
 292           if ('A' <= *t && *t <= 'Z')
 293             *t = *t - 'A' + 'a';        /* tolower */
 294
 295       }
 296       opcode = parse_token(cp, filename, linenum);
 297       switch (opcode)
 298         {
 299         case sPort:
 300           intptr = &options->port;
 301         parse_int:
 302           cp = strtok(NULL, WHITESPACE);
 303           if (!cp)
 304             {
 305               fprintf(stderr, "%s line %d: missing integer value.\n",
 306                       filename, linenum);
 307               exit(1);
 308             }
 309           value = atoi(cp);
 310           if (*intptr == -1)
 311             *intptr = value;
 312           break;
 313
 314         case sServerKeyBits:
 315           intptr = &options->server_key_bits;
 316           goto parse_int;
 317
 318         case sLoginGraceTime:
 319           intptr = &options->login_grace_time;
 320           goto parse_int;
 321
 322         case sKeyRegenerationTime:
 323           intptr = &options->key_regeneration_time;
 324           goto parse_int;
 325
 326         case sListenAddress:
 327           cp = strtok(NULL, WHITESPACE);
 328           if (!cp)
 329             {
 330               fprintf(stderr, "%s line %d: missing inet addr.\n",
 331                       filename, linenum);
 332               exit(1);
 333             }
 334           options->listen_addr.s_addr = inet_addr(cp);
 335           break;
 336
 337         case sHostKeyFile:
 338           charptr = &options->host_key_file;
 339           cp = strtok(NULL, WHITESPACE);
 340           if (!cp)
 341             {
 342               fprintf(stderr, "%s line %d: missing file name.\n",
 343                       filename, linenum);
 344               exit(1);
 345             }
 346           if (*charptr == NULL)
 347             *charptr = tilde_expand_filename(cp, getuid());
 348           break;
 349
 350         case sRandomSeedFile:
 351           fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
 352                   filename, linenum);
 353           cp = strtok(NULL, WHITESPACE);
 354           break;
 355
 356         case sPermitRootLogin:
 357           intptr = &options->permit_root_login;
 358           cp = strtok(NULL, WHITESPACE);
 359           if (!cp)
 360             {
 361               fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
 362                       filename, linenum);
 363               exit(1);
 364             }
 365           if (strcmp(cp, "without-password") == 0)
 366             value = 2;
 367           else if (strcmp(cp, "yes") == 0)
 368             value = 1;
 369           else if (strcmp(cp, "no") == 0)
 370             value = 0;
 371           else
 372             {
 373               fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
 374                 filename, linenum, cp);
 375               exit(1);
 376             }
 377           if (*intptr == -1)
 378             *intptr = value;
 379           break;
 380
 381         case sIgnoreRhosts:
 382           intptr = &options->ignore_rhosts;
 383         parse_flag:
 384           cp = strtok(NULL, WHITESPACE);
 385           if (!cp)
 386             {
 387               fprintf(stderr, "%s line %d: missing yes/no argument.\n",
 388                       filename, linenum);
 389               exit(1);
 390             }
 391           if (strcmp(cp, "yes") == 0)
 392             value = 1;
 393           else
 394             if (strcmp(cp, "no") == 0)
 395               value = 0;
 396             else
 397               {
 398                 fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
 399                         filename, linenum, cp);
 400                 exit(1);
 401               }
 402           if (*intptr == -1)
 403             *intptr = value;
 404           break;
 405
 406         case sRhostsAuthentication:
 407           intptr = &options->rhosts_authentication;
 408           goto parse_flag;
 409
 410         case sRhostsRSAAuthentication:
 411           intptr = &options->rhosts_rsa_authentication;
 412           goto parse_flag;
 413
 414         case sRSAAuthentication:
 415           intptr = &options->rsa_authentication;
 416           goto parse_flag;
 417
 418 #ifdef KRB4
 419         case sKerberosAuthentication:
 420           intptr = &options->kerberos_authentication;
 421           goto parse_flag;
 422
 423         case sKerberosOrLocalPasswd:
 424           intptr = &options->kerberos_or_local_passwd;
 425           goto parse_flag;
 426
 427         case sKerberosTicketCleanup:
 428           intptr = &options->kerberos_ticket_cleanup;
 429           goto parse_flag;
 430 #endif
 431
 432 #ifdef AFS
 433         case sKerberosTgtPassing:
 434           intptr = &options->kerberos_tgt_passing;
 435           goto parse_flag;
 436
 437         case sAFSTokenPassing:
 438           intptr = &options->afs_token_passing;
 439           goto parse_flag;
 440 #endif
 441
 442         case sPasswordAuthentication:
 443           intptr = &options->password_authentication;
 444           goto parse_flag;
 445
 446         case sCheckMail:
 447           intptr = &options->check_mail;
 448           goto parse_flag;
 449
 450 #ifdef SKEY
 451         case sSkeyAuthentication:
 452           intptr = &options->skey_authentication;
 453           goto parse_flag;
 454 #endif
 455
 456         case sPrintMotd:
 457           intptr = &options->print_motd;
 458           goto parse_flag;
 459
 460         case sX11Forwarding:
 461           intptr = &options->x11_forwarding;
 462           goto parse_flag;
 463
 464         case sX11DisplayOffset:
 465           intptr = &options->x11_display_offset;
 466           goto parse_int;
 467
 468         case sStrictModes:
 469           intptr = &options->strict_modes;
 470           goto parse_flag;
 471
 472         case sKeepAlives:
 473           intptr = &options->keepalives;
 474           goto parse_flag;
 475
 476         case sEmptyPasswd:
 477           intptr = &options->permit_empty_passwd;
 478           goto parse_flag;
 479
 480         case sUseLogin:
 481           intptr = &options->use_login;
 482           goto parse_flag;
 483
 484         case sLogFacility:
 485           cp = strtok(NULL, WHITESPACE);
 486           if (!cp)
 487             {
 488               fprintf(stderr, "%s line %d: missing facility name.\n",
 489                       filename, linenum);
 490               exit(1);
 491             }
 492           for (i = 0; log_facilities[i].name; i++)
 493             if (strcasecmp(log_facilities[i].name, cp) == 0)
 494               break;
 495           if (!log_facilities[i].name)
 496             {
 497               fprintf(stderr, "%s line %d: unsupported log facility %s\n",
 498                       filename, linenum, cp);
 499               exit(1);
 500             }
 501           if (options->log_facility == (SyslogFacility)(-1))
 502             options->log_facility = log_facilities[i].facility;
 503           break;
 504
 505         case sLogLevel:
 506           cp = strtok(NULL, WHITESPACE);
 507           if (!cp)
 508             {
 509               fprintf(stderr, "%s line %d: missing level name.\n",
 510                       filename, linenum);
 511               exit(1);
 512             }
 513           for (i = 0; log_levels[i].name; i++)
 514             if (strcasecmp(log_levels[i].name, cp) == 0)
 515               break;
 516           if (!log_levels[i].name)
 517             {
 518               fprintf(stderr, "%s line %d: unsupported log level %s\n",
 519                       filename, linenum, cp);
 520               exit(1);
 521             }
 522           if (options->log_level == (LogLevel)(-1))
 523             options->log_level = log_levels[i].level;
 524           break;
 525
 526         case sAllowUsers:
 527           while ((cp = strtok(NULL, WHITESPACE)))
 528             {
 529               if (options->num_allow_users >= MAX_ALLOW_USERS)
 530                 {
 531                   fprintf(stderr, "%s line %d: too many allow users.\n",
 532                           filename, linenum);
 533                   exit(1);
 534                 }
 535               options->allow_users[options->num_allow_users++] = xstrdup(cp);
 536             }
 537           break;
 538
 539         case sDenyUsers:
 540           while ((cp = strtok(NULL, WHITESPACE)))
 541             {
 542               if (options->num_deny_users >= MAX_DENY_USERS)
 543                 {
 544                   fprintf(stderr, "%s line %d: too many deny users.\n",
 545                           filename, linenum);
 546                   exit(1);
 547                 }
 548               options->deny_users[options->num_deny_users++] = xstrdup(cp);
 549             }
 550           break;
 551
 552         case sAllowGroups:
 553           while ((cp = strtok(NULL, WHITESPACE)))
 554             {
 555               if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
 556                 {
 557                   fprintf(stderr, "%s line %d: too many allow groups.\n",
 558                           filename, linenum);
 559                   exit(1);
 560                 }
 561               options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
 562             }
 563           break;
 564
 565         case sDenyGroups:
 566           while ((cp = strtok(NULL, WHITESPACE)))
 567             {
 568               if (options->num_deny_groups >= MAX_DENY_GROUPS)
 569                 {
 570                   fprintf(stderr, "%s line %d: too many deny groups.\n",
 571                           filename, linenum);
 572                   exit(1);
 573                 }
 574               options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
 575             }
 576           break;
 577
 578         default:
 579           fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
 580                   filename, linenum, cp, opcode);
 581           exit(1);
 582         }
 583       if (strtok(NULL, WHITESPACE) != NULL)
 584         {
 585           fprintf(stderr, "%s line %d: garbage at end of line.\n",
 586                   filename, linenum);
 587           exit(1);
 588         }
 589     }
 590   fclose(f);
 591 }