1 /* $OpenBSD: readconf.c,v 1.166 2008/06/11 21:01:35 grunk Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
46 /* Format of the configuration file:
48 # Configuration data is parsed as follows:
49 # 1. command line options
50 # 2. user-specific file
52 # Any configuration value is only changed the first time it is set
#   (the command line is processed before any file, so a command line
#   option always takes precedence over the files).
53 # Thus, host-specific definitions should be at the beginning of the
54 # configuration file, and defaults at the end.
56 # Host-specific declarations. These may override anything above. A single
57 # host may match multiple declarations; these are processed in the order
58 # that they are given in.
64 HostName another.host.name.real.org
71 RemoteForward 9999 shadows.cs.hut.fi:9999
77 PasswordAuthentication no
81 ProxyCommand ssh-proxy %h %p
84 PublicKeyAuthentication no
88 PasswordAuthentication no
94 # Defaults for various options
98 PasswordAuthentication yes
100 RhostsRSAAuthentication yes
101 StrictHostKeyChecking yes
103 IdentityFile ~/.ssh/identity
109 /* Keyword tokens.
 * One opcode per recognised ssh_config keyword.  keywords[] (below) maps
 * the textual names onto these values and process_config_line() switches
 * on them.  Two values are catch-alls rather than real options: a keyword
 * mapped to oDeprecated is accepted with only a debug message, one mapped
 * to oUnsupported is reported with error() (see the tail of
 * process_config_line()).  parse_token() returns oBadOption for a keyword
 * that is not in the table at all. */
113 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
114 oExitOnForwardFailure,
115 oPasswordAuthentication, oRSAAuthentication,
116 oChallengeResponseAuthentication, oXAuthLocation,
117 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
118 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
119 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
120 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
121 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
122 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
123 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
124 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
125 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
126 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
127 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
128 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
129 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
130 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
131 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
132 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
133 oDeprecated, oUnsupported
136 /* Textual representations of the tokens.
 * parse_token() compares case-insensitively and returns the FIRST entry
 * whose name matches, so names are spelled in lower case and must be unique
 * within one build.  Entries mapped to oDeprecated are accepted and ignored
 * (debug message only); entries mapped to oUnsupported produce an error().
 * A few names appear twice below (gssapi*, smartcarddevice): these are
 * presumably alternative #ifdef branches, of which only one is compiled in,
 * so that a build without the feature rejects the keyword instead of
 * silently ignoring it. */
142 { "forwardagent", oForwardAgent },
143 { "forwardx11", oForwardX11 },
144 { "forwardx11trusted", oForwardX11Trusted },
145 { "exitonforwardfailure", oExitOnForwardFailure },
146 { "xauthlocation", oXAuthLocation },
147 { "gatewayports", oGatewayPorts },
148 { "useprivilegedport", oUsePrivilegedPort },
/* Old rhosts-only keyword: still parsed so existing configs do not fail, but it has no effect. */
149 { "rhostsauthentication", oDeprecated },
150 { "passwordauthentication", oPasswordAuthentication },
151 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
152 { "kbdinteractivedevices", oKbdInteractiveDevices },
153 { "rsaauthentication", oRSAAuthentication },
154 { "pubkeyauthentication", oPubkeyAuthentication },
155 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
156 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
157 { "hostbasedauthentication", oHostbasedAuthentication },
158 { "challengeresponseauthentication", oChallengeResponseAuthentication },
159 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
160 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
/* Kerberos/AFS ticket passing is never available in this version: a config that asks for it gets an error rather than a silent no-op. */
161 { "kerberosauthentication", oUnsupported },
162 { "kerberostgtpassing", oUnsupported },
163 { "afstokenpassing", oUnsupported },
/* GSSAPI: the next two pairs are mutually exclusive alternatives (real support vs. oUnsupported), selected at build time. */
165 { "gssapiauthentication", oGssAuthentication },
166 { "gssapidelegatecredentials", oGssDelegateCreds },
168 { "gssapiauthentication", oUnsupported },
169 { "gssapidelegatecredentials", oUnsupported },
171 { "fallbacktorsh", oDeprecated },
172 { "usersh", oDeprecated },
173 { "identityfile", oIdentityFile },
174 { "identityfile2", oIdentityFile }, /* alias */
175 { "identitiesonly", oIdentitiesOnly },
176 { "hostname", oHostName },
177 { "hostkeyalias", oHostKeyAlias },
/* Note that ProxyCommand (and LocalCommand below) name a command line that ssh will run; see the ownership/mode check in read_config_file(). */
178 { "proxycommand", oProxyCommand },
180 { "cipher", oCipher },
181 { "ciphers", oCiphers },
183 { "protocol", oProtocol },
184 { "remoteforward", oRemoteForward },
185 { "localforward", oLocalForward },
188 { "escapechar", oEscapeChar },
189 { "globalknownhostsfile", oGlobalKnownHostsFile },
190 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
191 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
192 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
193 { "connectionattempts", oConnectionAttempts },
194 { "batchmode", oBatchMode },
195 { "checkhostip", oCheckHostIP },
196 { "stricthostkeychecking", oStrictHostKeyChecking },
197 { "compression", oCompression },
198 { "compressionlevel", oCompressionLevel },
199 { "tcpkeepalive", oTCPKeepAlive },
200 { "keepalive", oTCPKeepAlive }, /* obsolete */
201 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
202 { "loglevel", oLogLevel },
203 { "dynamicforward", oDynamicForward },
204 { "preferredauthentications", oPreferredAuthentications },
205 { "hostkeyalgorithms", oHostKeyAlgorithms },
206 { "bindaddress", oBindAddress },
/* Smartcard: same build-time alternative arrangement as the GSSAPI pair above. */
208 { "smartcarddevice", oSmartcardDevice },
210 { "smartcarddevice", oUnsupported },
212 { "clearallforwardings", oClearAllForwardings },
213 { "enablesshkeysign", oEnableSSHKeysign },
214 { "verifyhostkeydns", oVerifyHostKeyDNS },
215 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
216 { "rekeylimit", oRekeyLimit },
217 { "connecttimeout", oConnectTimeout },
218 { "addressfamily", oAddressFamily },
219 { "serveraliveinterval", oServerAliveInterval },
220 { "serveralivecountmax", oServerAliveCountMax },
221 { "sendenv", oSendEnv },
222 { "controlpath", oControlPath },
223 { "controlmaster", oControlMaster },
224 { "hashknownhosts", oHashKnownHosts },
225 { "tunnel", oTunnel },
226 { "tunneldevice", oTunnelDevice },
227 { "localcommand", oLocalCommand },
228 { "permitlocalcommand", oPermitLocalCommand },
233 * Adds a local TCP/IP port forward to options. Never returns if there is an
238 add_local_forward(Options *options, const Forward *newfwd)
/*
 * Append a LocalForward entry to options->local_forwards.  The host strings
 * are deep-copied, so the caller's Forward may be released afterwards.
 * Every error path is fatal(): the forward cap and the privileged-port
 * policy below are enforced, never silently skipped.
 */
241 #ifndef NO_IPPORT_RESERVED_CONCEPT
242 extern uid_t original_real_uid;
/*
 * Client-side privileged-port policy: a listen port below IPPORT_RESERVED
 * is refused unless the real uid that started ssh is root.  The saved
 * original real uid is consulted rather than the effective uid, presumably
 * so that a set-uid ssh binary does not hand reserved ports to ordinary
 * users.  Only the listen side is tested; connect_port belongs to the
 * remote end and is not a local privilege question.
 */
243 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
244 fatal("Privileged ports can only be forwarded by root.");
/* local_forwards is a fixed-size array: refuse rather than overrun. */
246 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
247 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
248 fwd = &options->local_forwards[options->num_local_forwards++];
/* listen_host is optional (NULL = no explicit bind address given); connect_host is always present. */
250 fwd->listen_host = (newfwd->listen_host == NULL) ?
251 NULL : xstrdup(newfwd->listen_host);
252 fwd->listen_port = newfwd->listen_port;
253 fwd->connect_host = xstrdup(newfwd->connect_host);
254 fwd->connect_port = newfwd->connect_port;
258 * Adds a remote TCP/IP port forward to options. Never returns if there is
263 add_remote_forward(Options *options, const Forward *newfwd)
/*
 * Append a RemoteForward entry to options->remote_forwards, deep-copying
 * the host strings as add_local_forward() does.  Unlike that function there
 * is no privileged-port test here: the listening socket of a remote forward
 * is opened by the server, so any such restriction is the server's to apply.
 * Fatal when the per-direction cap is reached.
 */
266 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
267 fatal("Too many remote forwards (max %d).",
268 SSH_MAX_FORWARDS_PER_DIRECTION);
269 fwd = &options->remote_forwards[options->num_remote_forwards++];
/* listen_host is optional (NULL = no explicit bind address given); connect_host is always present. */
271 fwd->listen_host = (newfwd->listen_host == NULL) ?
272 NULL : xstrdup(newfwd->listen_host);
273 fwd->listen_port = newfwd->listen_port;
274 fwd->connect_host = xstrdup(newfwd->connect_host);
275 fwd->connect_port = newfwd->connect_port;
279 clear_forwardings(Options *options)
/*
 * Drop every local and remote forward accumulated so far, releasing the
 * host strings the add_*_forward() functions duplicated, and also cancel
 * any tunnel request (tun_open = SSH_TUNMODE_NO).  fill_default_options()
 * calls this when ClearAllForwardings is set, i.e. only after every
 * configuration source has been read, so forwards from earlier sources are
 * discarded as well.
 */
283 for (i = 0; i < options->num_local_forwards; i++) {
/* listen_host may legitimately be NULL; connect_host is always allocated. */
284 if (options->local_forwards[i].listen_host != NULL)
285 xfree(options->local_forwards[i].listen_host);
286 xfree(options->local_forwards[i].connect_host);
288 options->num_local_forwards = 0;
289 for (i = 0; i < options->num_remote_forwards; i++) {
290 if (options->remote_forwards[i].listen_host != NULL)
291 xfree(options->remote_forwards[i].listen_host);
292 xfree(options->remote_forwards[i].connect_host);
294 options->num_remote_forwards = 0;
/* ClearAllForwardings also disables Tunnel, not just TCP forwards. */
295 options->tun_open = SSH_TUNMODE_NO;
299 * Returns the number of the token pointed to by cp or oBadOption.
303 parse_token(const char *cp, const char *filename, int linenum)
/*
 * Map a keyword to its opcode with a linear, case-insensitive scan of
 * keywords[]; the first matching entry wins.  The loop stops at the entry
 * whose name is NULL, so the table must end with such a sentinel.  An
 * unknown keyword is reported with error() -- deliberately not fatal(), so
 * that the caller can keep parsing and count every bad option before
 * aborting -- and oBadOption is returned (see the comment above).
 */
307 for (i = 0; keywords[i].name; i++)
308 if (strcasecmp(cp, keywords[i].name) == 0)
309 return keywords[i].opcode;
311 error("%s: line %d: Bad configuration option: %s",
312 filename, linenum, cp);
317 * Processes a single option line as used in the configuration files. This
318 * only sets those values that have not already been set.
320 #define WHITESPACE " \t\r\n"
323 process_config_line(Options *options, const char *host,
324 char *line, const char *filename, int linenum,
/*
 * Parse one ssh_config line, "keyword [argument ...]", in place.  The
 * remaining parameter (the activep flag pointer used below) is on the next
 * line of the original.  A value is stored only if *activep is true (we are
 * inside a Host block that matched `host`) AND the field still holds its
 * "unset" sentinel from initialize_options() (-1, NULL, SSH_PROTO_UNKNOWN,
 * SYSLOG_LEVEL_NOT_SET); that is the "first setting wins" rule from the
 * file header, giving the command line precedence over ~/.ssh/config and
 * that over the system file.  Malformed arguments are fatal(): a forward,
 * algorithm list or ProxyCommand that parsed "approximately" would silently
 * change what the client connects to, offers or executes.  An unknown
 * keyword is not fatal here; it is counted by read_config_file(), which
 * aborts once the whole file has been read.
 */
327 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
328 int opcode, *intptr, value, value2, scale;
329 LogLevel *log_level_ptr;
330 long long orig, val64;
/* Trailing whitespace is cut off in place so "keyword arg   " and "keyword arg" parse alike. */
334 /* Strip trailing whitespace */
335 for (len = strlen(line) - 1; len > 0; len--) {
336 if (strchr(WHITESPACE, line[len]) == NULL)
342 /* Get the keyword. (Each line is supposed to begin with a keyword). */
343 if ((keyword = strdelim(&s)) == NULL)
345 /* Ignore leading whitespace. */
346 if (*keyword == '\0')
347 keyword = strdelim(&s);
/*
 * Blank lines and lines whose FIRST token begins with '#' are skipped.
 * Comments are token based: a '#' later on the line is not a comment and
 * will be rejected as trailing garbage at the end of this function (or,
 * for Host, taken as another pattern).
 */
348 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
351 opcode = parse_token(keyword, filename, linenum);
/* oBadOption: parse_token() has already logged it; report failure to the caller so it can be counted. */
355 /* don't panic, but count bad options */
/*
 * Integer options all follow one shape: pick the field, parse, and store
 * only when active and still unset.  The yes/no parsing that follows the
 * ForwardAgent field selection appears to be shared by the boolean options
 * below it (the jumps are on lines not shown here).
 */
358 case oConnectTimeout:
359 intptr = &options->connection_timeout;
362 if (!arg || *arg == '\0')
363 fatal("%s line %d: missing time value.",
365 if ((value = convtime(arg)) == -1)
366 fatal("%s line %d: invalid time value.",
368 if (*activep && *intptr == -1)
373 intptr = &options->forward_agent;
376 if (!arg || *arg == '\0')
377 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
378 value = 0; /* To avoid compiler warning... */
/* Only the exact lower-case spellings yes/true/no/false are accepted; anything else is fatal, never "defaulted". */
379 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
381 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
384 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
385 if (*activep && *intptr == -1)
390 intptr = &options->forward_x11;
393 case oForwardX11Trusted:
394 intptr = &options->forward_x11_trusted;
398 intptr = &options->gateway_ports;
401 case oExitOnForwardFailure:
402 intptr = &options->exit_on_forward_failure;
405 case oUsePrivilegedPort:
406 intptr = &options->use_privileged_port;
409 case oPasswordAuthentication:
410 intptr = &options->password_authentication;
413 case oKbdInteractiveAuthentication:
414 intptr = &options->kbd_interactive_authentication;
417 case oKbdInteractiveDevices:
418 charptr = &options->kbd_interactive_devices;
421 case oPubkeyAuthentication:
422 intptr = &options->pubkey_authentication;
425 case oRSAAuthentication:
426 intptr = &options->rsa_authentication;
429 case oRhostsRSAAuthentication:
430 intptr = &options->rhosts_rsa_authentication;
433 case oHostbasedAuthentication:
434 intptr = &options->hostbased_authentication;
437 case oChallengeResponseAuthentication:
438 intptr = &options->challenge_response_authentication;
441 case oGssAuthentication:
442 intptr = &options->gss_authentication;
445 case oGssDelegateCreds:
446 intptr = &options->gss_deleg_creds;
450 intptr = &options->batch_mode;
/* CheckHostIP is tri-state: yes / no / fingerprint. */
454 intptr = &options->check_host_ip;
456 if (!arg || *arg == '\0')
457 fatal("%.200s line %d: Missing CheckHostIP argument.",
459 value = 0; /* To avoid compiler warning... */
460 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
461 value = SSHCTL_CHECKHOSTIP_YES;
462 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
463 value = SSHCTL_CHECKHOSTIP_NO;
464 else if (strcmp(arg, "fingerprint") == 0)
465 value = SSHCTL_CHECKHOSTIP_FPR;
467 fatal("%.200s line %d: Bad CheckHostIP argument.",
469 if (*activep && *intptr == -1)
473 case oVerifyHostKeyDNS:
474 intptr = &options->verify_host_key_dns;
/*
 * StrictHostKeyChecking: yes / no / ask, stored as 1 / 0 / 2 (the numeric
 * assignments are on lines not shown; fill_default_options() uses 2 as the
 * "ask" default).  "no" is the setting that makes the client accept unknown
 * host keys without asking.
 */
477 case oStrictHostKeyChecking:
478 intptr = &options->strict_host_key_checking;
481 if (!arg || *arg == '\0')
482 fatal("%.200s line %d: Missing yes/no/ask argument.",
484 value = 0; /* To avoid compiler warning... */
485 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
487 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
489 else if (strcmp(arg, "ask") == 0)
492 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
493 if (*activep && *intptr == -1)
498 intptr = &options->compression;
502 intptr = &options->tcp_keep_alive;
505 case oNoHostAuthenticationForLocalhost:
506 intptr = &options->no_host_authentication_for_localhost;
509 case oNumberOfPasswordPrompts:
510 intptr = &options->number_of_password_prompts;
513 case oCompressionLevel:
514 intptr = &options->compression_level;
/*
 * RekeyLimit: a decimal byte count with an optional K/M/G suffix (the
 * suffix cases setting `scale`, and presumably val64 = orig * scale, are on
 * lines not shown).  The leading-digit test rejects the signs and leading
 * whitespace strtoll() would otherwise accept; dividing back detects wrap
 * when the scale was applied; the result must fit a u_int32_t and must not
 * be smaller than a minimum checked on the "too small" path.
 */
519 if (!arg || *arg == '\0')
520 fatal("%.200s line %d: Missing argument.", filename, linenum);
521 if (arg[0] < '0' || arg[0] > '9')
522 fatal("%.200s line %d: Bad number.", filename, linenum);
523 orig = val64 = strtoll(arg, &endofnumber, 10);
524 if (arg == endofnumber)
525 fatal("%.200s line %d: Bad number.", filename, linenum);
526 switch (toupper(*endofnumber)) {
540 fatal("%.200s line %d: Invalid RekeyLimit suffix",
544 /* detect integer wrap and too-large limits */
545 if ((val64 / scale) != orig || val64 > UINT_MAX)
546 fatal("%.200s line %d: RekeyLimit too large",
549 fatal("%.200s line %d: RekeyLimit too small",
551 if (*activep && options->rekey_limit == -1)
552 options->rekey_limit = (u_int32_t)val64;
/*
 * IdentityFile accumulates rather than "first wins": each occurrence
 * appends another path, up to SSH_MAX_IDENTITY_FILES.  The path is stored
 * verbatim.  (An activep guard, if any, is on a line not shown.)
 */
557 if (!arg || *arg == '\0')
558 fatal("%.200s line %d: Missing argument.", filename, linenum);
560 intptr = &options->num_identity_files;
561 if (*intptr >= SSH_MAX_IDENTITY_FILES)
562 fatal("%.200s line %d: Too many identity files specified (max %d).",
563 filename, linenum, SSH_MAX_IDENTITY_FILES);
564 charptr = &options->identity_files[*intptr];
565 *charptr = xstrdup(arg);
566 *intptr = *intptr + 1;
571 charptr=&options->xauth_location;
/* Single-string options: one token, stored as a private copy, first setting wins. */
575 charptr = &options->user;
578 if (!arg || *arg == '\0')
579 fatal("%.200s line %d: Missing argument.", filename, linenum);
580 if (*activep && *charptr == NULL)
581 *charptr = xstrdup(arg);
/* known_hosts file locations: redirecting these changes which host keys the client will trust. */
584 case oGlobalKnownHostsFile:
585 charptr = &options->system_hostfile;
588 case oUserKnownHostsFile:
589 charptr = &options->user_hostfile;
592 case oGlobalKnownHostsFile2:
593 charptr = &options->system_hostfile2;
596 case oUserKnownHostsFile2:
597 charptr = &options->user_hostfile2;
601 charptr = &options->hostname;
605 charptr = &options->host_key_alias;
608 case oPreferredAuthentications:
609 charptr = &options->preferred_authentications;
613 charptr = &options->bind_address;
616 case oSmartcardDevice:
617 charptr = &options->smartcard_device;
/*
 * ProxyCommand (and, it appears, LocalCommand via the same path further
 * down) takes the ENTIRE remainder of the line, spaces included, after
 * skipping leading whitespace and an optional '='.  The string is executed
 * as a command elsewhere (the %h/%p tokens in the header example are
 * substituted there); nothing here validates it, so the only control over
 * what gets run is who may write the config file -- see the ownership and
 * mode check in read_config_file().
 */
621 charptr = &options->proxy_command;
624 fatal("%.200s line %d: Missing argument.", filename, linenum);
625 len = strspn(s, WHITESPACE "=");
626 if (*activep && *charptr == NULL)
627 *charptr = xstrdup(s + len);
/*
 * Port: strtol() with base 0, so "022" is octal (18) and "0x16" is hex
 * (22); the leading-digit test admits both forms.  No range check is
 * visible here -- a value outside 0..65535 is presumably caught when the
 * connection is attempted.
 */
631 intptr = &options->port;
634 if (!arg || *arg == '\0')
635 fatal("%.200s line %d: Missing argument.", filename, linenum);
636 if (arg[0] < '0' || arg[0] > '9')
637 fatal("%.200s line %d: Bad number.", filename, linenum);
639 /* Octal, decimal, or hex format? */
640 value = strtol(arg, &endofnumber, 0);
641 if (arg == endofnumber)
642 fatal("%.200s line %d: Bad number.", filename, linenum);
643 if (*activep && *intptr == -1)
647 case oConnectionAttempts:
648 intptr = &options->connection_attempts;
/*
 * Algorithm selection is validated at parse time: Cipher (protocol 1) via
 * cipher_number(), Ciphers via ciphers_valid(), MACs via a check on a line
 * not shown, HostKeyAlgorithms via key_names_valid2().  A typo therefore
 * fails the config instead of silently proposing a different algorithm
 * set to the server.
 */
652 intptr = &options->cipher;
654 if (!arg || *arg == '\0')
655 fatal("%.200s line %d: Missing argument.", filename, linenum);
656 value = cipher_number(arg);
658 fatal("%.200s line %d: Bad cipher '%s'.",
659 filename, linenum, arg ? arg : "<NONE>");
660 if (*activep && *intptr == -1)
666 if (!arg || *arg == '\0')
667 fatal("%.200s line %d: Missing argument.", filename, linenum);
668 if (!ciphers_valid(arg))
669 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
670 filename, linenum, arg ? arg : "<NONE>");
671 if (*activep && options->ciphers == NULL)
672 options->ciphers = xstrdup(arg);
677 if (!arg || *arg == '\0')
678 fatal("%.200s line %d: Missing argument.", filename, linenum);
680 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
681 filename, linenum, arg ? arg : "<NONE>");
682 if (*activep && options->macs == NULL)
683 options->macs = xstrdup(arg);
686 case oHostKeyAlgorithms:
688 if (!arg || *arg == '\0')
689 fatal("%.200s line %d: Missing argument.", filename, linenum);
690 if (!key_names_valid2(arg))
691 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
692 filename, linenum, arg ? arg : "<NONE>");
693 if (*activep && options->hostkeyalgorithms == NULL)
694 options->hostkeyalgorithms = xstrdup(arg);
/* Protocol: proto_spec() turns "1", "2", "1,2" etc. into a bitmask; anything it does not understand is SSH_PROTO_UNKNOWN and fatal. */
698 intptr = &options->protocol;
700 if (!arg || *arg == '\0')
701 fatal("%.200s line %d: Missing argument.", filename, linenum);
702 value = proto_spec(arg);
703 if (value == SSH_PROTO_UNKNOWN)
704 fatal("%.200s line %d: Bad protocol spec '%s'.",
705 filename, linenum, arg ? arg : "<NONE>");
706 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
711 log_level_ptr = &options->log_level;
713 value = log_level_number(arg);
714 if (value == SYSLOG_LEVEL_NOT_SET)
715 fatal("%.200s line %d: unsupported log level '%s'",
716 filename, linenum, arg ? arg : "<NONE>");
717 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
718 *log_level_ptr = (LogLevel) value;
/*
 * Local/RemoteForward: "port host:hostport" is re-joined into the
 * "[listen:]port:host:hostport" syntax that parse_forward() understands.
 * NOTE(review): the snprintf() return value is not compared with
 * sizeof(fwdarg).  A host string long enough to push the joined spec past
 * 255 bytes is silently truncated before parsing, which can chop trailing
 * digits off the connect port and set up a forward to a different port
 * than the one configured; a `>= sizeof(fwdarg)` test with fatal() would
 * close that.  Also, no free of the strings parse_forward() allocated into
 * fwd is visible on this path (a small leak per forward line; harmless for
 * a one-shot parse but worth knowing).
 */
724 if (arg == NULL || *arg == '\0')
725 fatal("%.200s line %d: Missing port argument.",
728 if (arg2 == NULL || *arg2 == '\0')
729 fatal("%.200s line %d: Missing target argument.",
732 /* construct a string for parse_forward */
733 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
735 if (parse_forward(&fwd, fwdarg) == 0)
736 fatal("%.200s line %d: Bad forwarding specification.",
740 if (opcode == oLocalForward)
741 add_local_forward(options, &fwd);
742 else if (opcode == oRemoteForward)
743 add_remote_forward(options, &fwd);
/*
 * DynamicForward: "[bind_address:]port".  connect_host is the literal
 * marker "socks" rather than a real destination.  If hpdelim() finds no
 * separator the single token is re-parsed as the port (the `else` is on a
 * line not shown).  The bind address is bounded by NI_MAXHOST here just as
 * parse_forward() bounds connect_host; a port that a2port() rejects (0) is
 * fatal.  The entry goes through add_local_forward(), so the privileged
 * port rule applies.
 */
747 case oDynamicForward:
749 if (!arg || *arg == '\0')
750 fatal("%.200s line %d: Missing port argument.",
752 memset(&fwd, '\0', sizeof(fwd));
753 fwd.connect_host = "socks";
754 fwd.listen_host = hpdelim(&arg);
755 if (fwd.listen_host == NULL ||
756 strlen(fwd.listen_host) >= NI_MAXHOST)
757 fatal("%.200s line %d: Bad forwarding specification.",
760 fwd.listen_port = a2port(arg);
761 fwd.listen_host = cleanhostname(fwd.listen_host);
763 fwd.listen_port = a2port(fwd.listen_host);
764 fwd.listen_host = NULL;
766 if (fwd.listen_port == 0)
767 fatal("%.200s line %d: Badly formatted port number.",
770 add_local_forward(options, &fwd);
773 case oClearAllForwardings:
774 intptr = &options->clear_forwardings;
/*
 * Host: every remaining token is a pattern matched against `host`, and the
 * result presumably sets *activep for the lines that follow (assignment on
 * a line not shown).  All tokens are consumed here, which is why the
 * trailing-garbage check at the end is skipped for this keyword.
 */
779 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
780 if (match_pattern(host, arg)) {
781 debug("Applying options for %.100s", arg);
785 /* Avoid garbage check below, as strdelim is done. */
/*
 * EscapeChar: "^X" control notation, a single literal character, or
 * "none".  NOTE(review): for the "^X" form arg[2] is read before arg[1]
 * has been confirmed non-NUL, so the argument "^" on its own reads one
 * byte past the token's terminator (inside the line buffer in practice,
 * but still past the string).  Testing `arg[1] == '\0'` / strlen(arg) == 1
 * before the "^X" branch would avoid the over-read.
 */
789 intptr = &options->escape_char;
791 if (!arg || *arg == '\0')
792 fatal("%.200s line %d: Missing argument.", filename, linenum);
793 if (arg[0] == '^' && arg[2] == 0 &&
794 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
795 value = (u_char) arg[1] & 31;
796 else if (strlen(arg) == 1)
797 value = (u_char) arg[0];
798 else if (strcmp(arg, "none") == 0)
799 value = SSH_ESCAPECHAR_NONE;
801 fatal("%.200s line %d: Bad escape character.",
804 value = 0; /* Avoid compiler warning. */
806 if (*activep && *intptr == -1)
/* AddressFamily: inet / inet6 / any, case-insensitive.  (Style: this fatal() omits the file/line context every other message carries.) */
812 if (!arg || *arg == '\0')
813 fatal("%s line %d: missing address family.",
815 intptr = &options->address_family;
816 if (strcasecmp(arg, "inet") == 0)
818 else if (strcasecmp(arg, "inet6") == 0)
820 else if (strcasecmp(arg, "any") == 0)
823 fatal("Unsupported AddressFamily \"%s\"", arg);
824 if (*activep && *intptr == -1)
828 case oEnableSSHKeysign:
829 intptr = &options->enable_ssh_keysign;
832 case oIdentitiesOnly:
833 intptr = &options->identities_only;
836 case oServerAliveInterval:
837 intptr = &options->server_alive_interval;
840 case oServerAliveCountMax:
841 intptr = &options->server_alive_count_max;
/*
 * SendEnv: a list of environment variable names to pass through.  A token
 * containing '=' is rejected, so a config line can only NAME variables; it
 * cannot inject a value.  Bounded by MAX_SEND_ENV.
 */
845 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
846 if (strchr(arg, '=') != NULL)
847 fatal("%s line %d: Invalid environment name.",
851 if (options->num_send_env >= MAX_SEND_ENV)
852 fatal("%s line %d: too many send env.",
854 options->send_env[options->num_send_env++] =
860 charptr = &options->control_path;
/* ControlMaster: yes / no / auto / ask / autoask. */
864 intptr = &options->control_master;
866 if (!arg || *arg == '\0')
867 fatal("%.200s line %d: Missing ControlMaster argument.",
869 value = 0; /* To avoid compiler warning... */
870 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
871 value = SSHCTL_MASTER_YES;
872 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
873 value = SSHCTL_MASTER_NO;
874 else if (strcmp(arg, "auto") == 0)
875 value = SSHCTL_MASTER_AUTO;
876 else if (strcmp(arg, "ask") == 0)
877 value = SSHCTL_MASTER_ASK;
878 else if (strcmp(arg, "autoask") == 0)
879 value = SSHCTL_MASTER_AUTO_ASK;
881 fatal("%.200s line %d: Bad ControlMaster argument.",
883 if (*activep && *intptr == -1)
887 case oHashKnownHosts:
888 intptr = &options->hash_known_hosts;
/* Tunnel: yes / point-to-point / ethernet / no, compared case-insensitively; the store is on a line not shown. */
892 intptr = &options->tun_open;
894 if (!arg || *arg == '\0')
895 fatal("%s line %d: Missing yes/point-to-point/"
896 "ethernet/no argument.", filename, linenum);
897 value = 0; /* silence compiler */
898 if (strcasecmp(arg, "ethernet") == 0)
899 value = SSH_TUNMODE_ETHERNET;
900 else if (strcasecmp(arg, "point-to-point") == 0)
901 value = SSH_TUNMODE_POINTOPOINT;
902 else if (strcasecmp(arg, "yes") == 0)
903 value = SSH_TUNMODE_DEFAULT;
904 else if (strcasecmp(arg, "no") == 0)
905 value = SSH_TUNMODE_NO;
907 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
908 "no argument: %s", filename, linenum, arg);
/* TunnelDevice: a2tun() splits "local[:remote]" into two ids.  No "still unset" test is visible for these two fields (a guard may be on a line not shown). */
915 if (!arg || *arg == '\0')
916 fatal("%.200s line %d: Missing argument.", filename, linenum);
917 value = a2tun(arg, &value2);
918 if (value == SSH_TUNID_ERR)
919 fatal("%.200s line %d: Bad tun device.", filename, linenum);
921 options->tun_local = value;
922 options->tun_remote = value2;
927 charptr = &options->local_command;
930 case oPermitLocalCommand:
931 intptr = &options->permit_local_command;
/*
 * oDeprecated: accepted silently (debug only) so old configs keep working.
 * oUnsupported: logged with error() and otherwise ignored -- no failure
 * return is visible for it, so it does not appear to count as a bad option.
 * The final default is a programming error: every opcode needs a case.
 */
935 debug("%s line %d: Deprecated option \"%s\"",
936 filename, linenum, keyword);
940 error("%s line %d: Unsupported option \"%s\"",
941 filename, linenum, keyword);
945 fatal("process_config_line: Unimplemented opcode %d", opcode);
/* Anything left over is fatal: catches "Port 22 23", a stray '#' comment, or an argument the keyword does not take. */
948 /* Check that there is no garbage at end of line. */
949 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
950 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
951 filename, linenum, arg);
958 * Reads the config file and modifies the options accordingly. Options
959 * should already be initialized before this call. This never returns if
960 * there is an error. If the file does not exist, this returns 0.
964 read_config_file(const char *filename, const char *host, Options *options,
/*
 * Read one configuration file into *options (contract in the comment
 * above).  The parameter list continues on the next line of the original;
 * the permission test below is presumably conditional on that extra flag.
 */
973 if ((f = fopen(filename, "r")) == NULL)
/*
 * Trust check on the file just opened.  fstat() is applied to the open
 * descriptor, not stat() to the path, so the file that is checked is the
 * file that is read -- no rename race between the two.  Acceptable owners
 * are root and the real uid of the caller (getuid()), and neither group nor
 * other may hold write permission.  The rationale: this file can supply a
 * ProxyCommand/LocalCommand for ssh to execute, redirect IdentityFile and
 * the known_hosts files, and set StrictHostKeyChecking no, so "writable by
 * someone else" is equivalent to that someone running commands and choosing
 * trusted host keys as this user.
 */
979 if (fstat(fileno(f), &sb) == -1)
980 fatal("fstat %s: %s", filename, strerror(errno));
981 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
982 (sb.st_mode & 022) != 0))
983 fatal("Bad owner or permissions on %s", filename);
986 debug("Reading configuration data %.200s", filename);
989 * Mark that we are now processing the options. This flag is turned
990 * on/off by Host specifications.
/* One line per process_config_line() call; a non-zero return means an unknown keyword, which is counted rather than aborting immediately. */
994 while (fgets(line, sizeof(line), f)) {
995 /* Update line number counter. */
997 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
/* Abort only after the whole file has been read, so every bad option is reported in one pass. */
1001 if (bad_options > 0)
1002 fatal("%s: terminating, %d bad configuration options",
1003 filename, bad_options);
1008 * Initializes options to special values that indicate that they have not yet
1009 * been set. Read_config_file will only set options with this value. Options
1010 * are processed in the following order: command line, user config file,
1011 * system config file. Last, fill_default_options is called.
1015 initialize_options(Options * options)
/*
 * Set every field to its "not yet set" sentinel: -1 for integers, NULL for
 * strings, 0 for counters, SSH_PROTO_UNKNOWN and SYSLOG_LEVEL_NOT_SET for
 * the two enumerations.  process_config_line() stores into a field only
 * while it still holds its sentinel, and fill_default_options() later fills
 * in whatever is still a sentinel.
 */
/*
 * Poison first: a field that is missing from the list below is left as
 * 0x58 bytes, which shows up as an absurd value (huge int, wild pointer)
 * rather than a plausible 0/NULL that would make a forgotten option
 * silently read as "off" or "unset".
 */
1017 memset(options, 'X', sizeof(*options));
/* Forwarding and X11: -1 here, defaulted to "off" later. */
1018 options->forward_agent = -1;
1019 options->forward_x11 = -1;
1020 options->forward_x11_trusted = -1;
1021 options->exit_on_forward_failure = -1;
1022 options->xauth_location = NULL;
1023 options->gateway_ports = -1;
1024 options->use_privileged_port = -1;
/* Authentication method switches. */
1025 options->rsa_authentication = -1;
1026 options->pubkey_authentication = -1;
1027 options->challenge_response_authentication = -1;
1028 options->gss_authentication = -1;
1029 options->gss_deleg_creds = -1;
1030 options->password_authentication = -1;
1031 options->kbd_interactive_authentication = -1;
1032 options->kbd_interactive_devices = NULL;
1033 options->rhosts_rsa_authentication = -1;
1034 options->hostbased_authentication = -1;
1035 options->batch_mode = -1;
/* Host key verification policy. */
1036 options->check_host_ip = -1;
1037 options->strict_host_key_checking = -1;
1038 options->compression = -1;
1039 options->tcp_keep_alive = -1;
1040 options->compression_level = -1;
/* NOTE(review): fill_default_options() tests options->port == -1, but no assignment to port appears among these lines; it is presumably on a line not in this listing. */
1042 options->address_family = -1;
1043 options->connection_attempts = -1;
1044 options->connection_timeout = -1;
1045 options->number_of_password_prompts = -1;
/* Algorithm selection: NULL lists mean "use the built-in proposal". */
1046 options->cipher = -1;
1047 options->ciphers = NULL;
1048 options->macs = NULL;
1049 options->hostkeyalgorithms = NULL;
1050 options->protocol = SSH_PROTO_UNKNOWN;
1051 options->num_identity_files = 0;
1052 options->hostname = NULL;
1053 options->host_key_alias = NULL;
/* proxy_command and local_command are commands ssh may execute; both stay NULL unless explicitly configured. */
1054 options->proxy_command = NULL;
1055 options->user = NULL;
1056 options->escape_char = -1;
1057 options->system_hostfile = NULL;
1058 options->user_hostfile = NULL;
1059 options->system_hostfile2 = NULL;
1060 options->user_hostfile2 = NULL;
1061 options->num_local_forwards = 0;
1062 options->num_remote_forwards = 0;
1063 options->clear_forwardings = -1;
1064 options->log_level = SYSLOG_LEVEL_NOT_SET;
1065 options->preferred_authentications = NULL;
1066 options->bind_address = NULL;
1067 options->smartcard_device = NULL;
1068 options->enable_ssh_keysign = - 1;
1069 options->no_host_authentication_for_localhost = - 1;
1070 options->identities_only = - 1;
1071 options->rekey_limit = - 1;
1072 options->verify_host_key_dns = -1;
1073 options->server_alive_interval = -1;
1074 options->server_alive_count_max = -1;
1075 options->num_send_env = 0;
1076 options->control_path = NULL;
1077 options->control_master = -1;
1078 options->hash_known_hosts = -1;
1079 options->tun_open = -1;
1080 options->tun_local = -1;
1081 options->tun_remote = -1;
1082 options->local_command = NULL;
1083 options->permit_local_command = -1;
1087 * Called after processing other sources of option data, this fills those
1088 * options for which no value has been specified with their default values.
1092 fill_default_options(Options * options)
/*
 * Replace every field still holding its initialize_options() sentinel with
 * the compiled-in default.  This runs last -- after the command line and
 * both config files -- so nothing here can override an explicit setting.
 * The security-relevant defaults are annotated inline; each can be changed
 * per host in ssh_config.
 */
/* Agent and X11 forwarding are off unless asked for: both expose local credentials or the local display to the remote side. */
1096 if (options->forward_agent == -1)
1097 options->forward_agent = 0;
1098 if (options->forward_x11 == -1)
1099 options->forward_x11 = 0;
/* And when X11 forwarding is on, it is untrusted by default. */
1100 if (options->forward_x11_trusted == -1)
1101 options->forward_x11_trusted = 0;
1102 if (options->exit_on_forward_failure == -1)
1103 options->exit_on_forward_failure = 0;
1104 if (options->xauth_location == NULL)
1105 options->xauth_location = _PATH_XAUTH;
1106 if (options->gateway_ports == -1)
1107 options->gateway_ports = 0;
1108 if (options->use_privileged_port == -1)
1109 options->use_privileged_port = 0;
/*
 * Authentication methods offered by default: RSA (protocol 1), public key,
 * challenge-response, password and keyboard-interactive.  Off by default:
 * GSSAPI (and credential delegation), RhostsRSA and host-based.
 */
1110 if (options->rsa_authentication == -1)
1111 options->rsa_authentication = 1;
1112 if (options->pubkey_authentication == -1)
1113 options->pubkey_authentication = 1;
1114 if (options->challenge_response_authentication == -1)
1115 options->challenge_response_authentication = 1;
1116 if (options->gss_authentication == -1)
1117 options->gss_authentication = 0;
1118 if (options->gss_deleg_creds == -1)
1119 options->gss_deleg_creds = 0;
1120 if (options->password_authentication == -1)
1121 options->password_authentication = 1;
1122 if (options->kbd_interactive_authentication == -1)
1123 options->kbd_interactive_authentication = 1;
1124 if (options->rhosts_rsa_authentication == -1)
1125 options->rhosts_rsa_authentication = 0;
1126 if (options->hostbased_authentication == -1)
1127 options->hostbased_authentication = 0;
1128 if (options->batch_mode == -1)
1129 options->batch_mode = 0;
/* Host key policy: CheckHostIP on; StrictHostKeyChecking 2, the value process_config_line() stores for "ask". */
1130 if (options->check_host_ip == -1)
1131 options->check_host_ip = 1;
1132 if (options->strict_host_key_checking == -1)
1133 options->strict_host_key_checking = 2; /* 2 is default */
1134 if (options->compression == -1)
1135 options->compression = 0;
1136 if (options->tcp_keep_alive == -1)
1137 options->tcp_keep_alive = 1;
1138 if (options->compression_level == -1)
1139 options->compression_level = 6;
1140 if (options->port == -1)
1141 options->port = 0; /* Filled in ssh_connect. */
1142 if (options->address_family == -1)
1143 options->address_family = AF_UNSPEC;
1144 if (options->connection_attempts == -1)
1145 options->connection_attempts = 1;
1146 if (options->number_of_password_prompts == -1)
1147 options->number_of_password_prompts = 3;
1148 /* Selected in ssh_login(). */
1149 if (options->cipher == -1)
1150 options->cipher = SSH_CIPHER_NOT_SET;
1151 /* options->ciphers, default set in myproposals.h */
1152 /* options->macs, default set in myproposals.h */
1153 /* options->hostkeyalgorithms, default set in myproposals.h */
/*
 * Protocol: both 1 and 2 are enabled when nothing is configured, so this
 * client may end up speaking protocol 1 to a server that offers it.  Sites
 * that want protocol 2 only must say "Protocol 2" explicitly.
 */
1154 if (options->protocol == SSH_PROTO_UNKNOWN)
1155 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
/*
 * Default identity files, built as "~/" + path and sized exactly (2 for
 * "~/", the path, the NUL); the xmalloc() calls are on lines not shown.
 * Only the file(s) for the enabled protocol version(s) are added.  The
 * %.100s precision caps the path at 100 bytes, which is fine for the
 * built-in _PATH_* values but would silently truncate a longer one.
 */
1156 if (options->num_identity_files == 0) {
1157 if (options->protocol & SSH_PROTO_1) {
1158 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1159 options->identity_files[options->num_identity_files] =
1161 snprintf(options->identity_files[options->num_identity_files++],
1162 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1164 if (options->protocol & SSH_PROTO_2) {
1165 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1166 options->identity_files[options->num_identity_files] =
1168 snprintf(options->identity_files[options->num_identity_files++],
1169 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1171 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1172 options->identity_files[options->num_identity_files] =
1174 snprintf(options->identity_files[options->num_identity_files++],
1175 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1178 if (options->escape_char == -1)
1179 options->escape_char = '~';
/* known_hosts locations; the "2" variants hold protocol 2 keys. */
1180 if (options->system_hostfile == NULL)
1181 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1182 if (options->user_hostfile == NULL)
1183 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1184 if (options->system_hostfile2 == NULL)
1185 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1186 if (options->user_hostfile2 == NULL)
1187 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1188 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1189 options->log_level = SYSLOG_LEVEL_INFO;
/* ClearAllForwardings takes effect only now, after every source has been read, so it discards forwards from all of them. */
1190 if (options->clear_forwardings == 1)
1191 clear_forwardings(options);
1192 if (options->no_host_authentication_for_localhost == - 1)
1193 options->no_host_authentication_for_localhost = 0;
1194 if (options->identities_only == -1)
1195 options->identities_only = 0;
/* ssh-keysign (needed for host-based auth) stays disabled unless enabled explicitly. */
1196 if (options->enable_ssh_keysign == -1)
1197 options->enable_ssh_keysign = 0;
/* 0 is the "no explicit limit configured" value; presumably the transport then applies its built-in rekey policy. */
1198 if (options->rekey_limit == -1)
1199 options->rekey_limit = 0;
1200 if (options->verify_host_key_dns == -1)
1201 options->verify_host_key_dns = 0;
1202 if (options->server_alive_interval == -1)
1203 options->server_alive_interval = 0;
1204 if (options->server_alive_count_max == -1)
1205 options->server_alive_count_max = 3;
1206 if (options->control_master == -1)
1207 options->control_master = 0;
/* HashKnownHosts off: new known_hosts entries are presumably written with plain host names. */
1208 if (options->hash_known_hosts == -1)
1209 options->hash_known_hosts = 0;
1210 if (options->tun_open == -1)
1211 options->tun_open = SSH_TUNMODE_NO;
1212 if (options->tun_local == -1)
1213 options->tun_local = SSH_TUNID_ANY;
1214 if (options->tun_remote == -1)
1215 options->tun_remote = SSH_TUNID_ANY;
/* PermitLocalCommand off: a LocalCommand from the config is not run unless this is set explicitly (the check is elsewhere). */
1216 if (options->permit_local_command == -1)
1217 options->permit_local_command = 0;
1218 /* options->local_command should not be set by default */
1219 /* options->proxy_command should not be set by default */
1220 /* options->user will be set in the main program if appropriate */
1221 /* options->hostname will be set in the main program if appropriate */
1222 /* options->host_key_alias should not be set by default */
1223 /* options->preferred_authentications will be set in ssh */
1228 * parses a string containing a port forwarding specification of the form:
1229 * [listenhost:]listenport:connecthost:connectport
1230 * returns number of arguments parsed or zero on error
1233 parse_forward(Forward *fwd, const char *fwdspec)
/*
 * Parse "[listenhost:]listenport:connecthost:connectport" into *fwd (see
 * the comment above for the return contract).  Works on a private copy of
 * fwdspec, splitting it with hpdelim() into at most four fields; three
 * fields mean no listen host.  Host strings are xstrdup()ed into fwd and
 * are owned by the caller on success; on failure they are freed here.
 */
1236 char *p, *cp, *fwdarg[4];
/* Start from all-NULL so the cleanup below can test each pointer. */
1238 memset(fwd, '\0', sizeof(*fwd));
1240 cp = p = xstrdup(fwdspec);
/* NOTE(review): isspace() on a plain char; a negative char value is undefined for the ctype functions -- cast to (unsigned char). */
1242 /* skip leading spaces */
1243 while (isspace(*cp))
1246 for (i = 0; i < 4; ++i)
1247 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
/* Anything left after four fields is rejected rather than ignored. */
1250 /* Check for trailing garbage in 4-arg case*/
1252 i = 0; /* failure */
/* Three fields: listen on the default address. */
1256 fwd->listen_host = NULL;
1257 fwd->listen_port = a2port(fwdarg[0]);
1258 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1259 fwd->connect_port = a2port(fwdarg[2]);
/* Four fields: explicit listen host. */
1263 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1264 fwd->listen_port = a2port(fwdarg[1]);
1265 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1266 fwd->connect_port = a2port(fwdarg[3]);
/* Any other field count is a malformed spec. */
1269 i = 0; /* failure */
/* a2port() yields 0 for an unparsable port; a zero port is never a valid forward. */
1274 if (fwd->listen_port == 0 || fwd->connect_port == 0)
/* Bound connect_host at NI_MAXHOST.  No equivalent bound on listen_host is visible here. */
1277 if (fwd->connect_host != NULL &&
1278 strlen(fwd->connect_host) >= NI_MAXHOST)
/* Failure path: release what was allocated.  The pointers in *fwd are not reset, so a zero return must be treated as "fwd is invalid". */
1284 if (fwd->connect_host != NULL)
1285 xfree(fwd->connect_host);
1286 if (fwd->listen_host != NULL)
1287 xfree(fwd->listen_host);