5 * Author: Tatu Ylonen <ylo@cs.hut.fi>
7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
10 * Created: Mon Aug 21 15:48:58 1995 ylo
15 RCSID("$OpenBSD: servconf.c,v 1.49 2000/07/14 22:59:46 markus Exp $");
22 /* add listen address */
23 void add_listen_addr(ServerOptions *options, char *addr);
25 /*
 * Resets every field of *options to its "not configured yet" sentinel:
 * 0 for counters, NULL for pointers, -1 for flags and enum values, and
 * SSH_PROTO_UNKNOWN for the protocol mask.  The actual defaults are
 * applied afterwards by fill_default_server_options(), which only
 * touches fields still holding the sentinel, so anything set from the
 * command line or the config file in between is preserved.
 * (The return type, opening and closing braces are on lines not shown
 * in this listing.)
 */
28 initialize_server_options(ServerOptions *options)
/* memset() already zeroes the whole struct; the explicit 0/NULL stores
 * below just document each field individually. */
30 memset(options, 0, sizeof(*options));
31 options->num_ports = 0;
32 options->ports_from_cmdline = 0;
33 options->listen_addrs = NULL;
34 options->host_key_file = NULL;
35 options->host_dsa_key_file = NULL;
36 options->pid_file = NULL;
/* -1 means "not set" for every integer option from here on. */
37 options->server_key_bits = -1;
38 options->login_grace_time = -1;
39 options->key_regeneration_time = -1;
40 options->permit_root_login = -1;
41 options->ignore_rhosts = -1;
42 options->ignore_user_known_hosts = -1;
43 options->print_motd = -1;
44 options->check_mail = -1;
45 options->x11_forwarding = -1;
46 options->x11_display_offset = -1;
47 options->xauth_location = NULL;
48 options->strict_modes = -1;
49 options->keepalives = -1;
/* Enum-typed fields carry the same -1 sentinel, cast to the enum type;
 * fill_default_server_options() compares against the same cast. */
50 options->log_facility = (SyslogFacility) - 1;
51 options->log_level = (LogLevel) - 1;
52 options->rhosts_authentication = -1;
53 options->rhosts_rsa_authentication = -1;
54 options->rsa_authentication = -1;
55 options->dsa_authentication = -1;
/* The Kerberos/AFS/S-Key fields are presumably wrapped in #ifdef blocks
 * whose directive lines are not part of this listing. */
57 options->kerberos_authentication = -1;
58 options->kerberos_or_local_passwd = -1;
59 options->kerberos_ticket_cleanup = -1;
62 options->kerberos_tgt_passing = -1;
63 options->afs_token_passing = -1;
65 options->password_authentication = -1;
67 options->skey_authentication = -1;
69 options->permit_empty_passwd = -1;
70 options->use_login = -1;
71 options->num_allow_users = 0;
72 options->num_deny_users = 0;
73 options->num_allow_groups = 0;
74 options->num_deny_groups = 0;
75 options->ciphers = NULL;
/* SSH_PROTO_UNKNOWN plays the role of -1 for the protocol bit mask. */
76 options->protocol = SSH_PROTO_UNKNOWN;
77 options->gateway_ports = -1;
78 options->num_subsystems = 0;
79 options->max_startups = -1;
/*
 * Replaces every option still holding its "not set" sentinel (see
 * initialize_server_options()) with the built-in default.  Options that
 * were already set by the command line or the configuration file are
 * left untouched, so this must run after both have been processed.
 * (The return type, braces and the #ifdef lines around the optional
 * Kerberos/AFS/S-Key/XAUTH_PATH blocks are not part of this listing.)
 */
83 fill_default_server_options(ServerOptions *options)
/* No -p and no Port line: listen on the compiled-in default port. */
85 if (options->num_ports == 0)
86 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
/* No ListenAddress line: a NULL addr makes add_listen_addr() resolve the
 * wildcard address (AI_PASSIVE) for every port. */
87 if (options->listen_addrs == NULL)
88 add_listen_addr(options, NULL);
89 if (options->host_key_file == NULL)
90 options->host_key_file = HOST_KEY_FILE;
91 if (options->host_dsa_key_file == NULL)
92 options->host_dsa_key_file = HOST_DSA_KEY_FILE;
93 if (options->pid_file == NULL)
94 options->pid_file = SSH_DAEMON_PID_FILE;
/* NOTE(review): 768 bits is a weak key size by current standards; the
 * key is regenerated every key_regeneration_time seconds (3600 below). */
95 if (options->server_key_bits == -1)
96 options->server_key_bits = 768;
/* Seconds an unauthenticated connection may stay open. */
97 if (options->login_grace_time == -1)
98 options->login_grace_time = 600;
99 if (options->key_regeneration_time == -1)
100 options->key_regeneration_time = 3600;
/* NOTE(review): root login is allowed unless the administrator says
 * otherwise; hardened deployments set PermitRootLogin explicitly. */
101 if (options->permit_root_login == -1)
102 options->permit_root_login = 1; /* yes */
103 if (options->ignore_rhosts == -1)
104 options->ignore_rhosts = 1;
105 if (options->ignore_user_known_hosts == -1)
106 options->ignore_user_known_hosts = 0;
107 if (options->check_mail == -1)
108 options->check_mail = 0;
109 if (options->print_motd == -1)
110 options->print_motd = 1;
/* X11 forwarding is off by default. */
111 if (options->x11_forwarding == -1)
112 options->x11_forwarding = 0;
113 if (options->x11_display_offset == -1)
114 options->x11_display_offset = 10;
/* The matching #ifdef XAUTH_PATH is on a line not shown here. */
116 if (options->xauth_location == NULL)
117 options->xauth_location = XAUTH_PATH;
118 #endif /* XAUTH_PATH */
119 if (options->strict_modes == -1)
120 options->strict_modes = 1;
121 if (options->keepalives == -1)
122 options->keepalives = 1;
/* Enum sentinels: compare against the same cast used in
 * initialize_server_options(). */
123 if (options->log_facility == (SyslogFacility) (-1))
124 options->log_facility = SYSLOG_FACILITY_AUTH;
125 if (options->log_level == (LogLevel) (-1))
126 options->log_level = SYSLOG_LEVEL_INFO;
127 if (options->rhosts_authentication == -1)
128 options->rhosts_authentication = 0;
129 if (options->rhosts_rsa_authentication == -1)
130 options->rhosts_rsa_authentication = 0;
131 if (options->rsa_authentication == -1)
132 options->rsa_authentication = 1;
133 if (options->dsa_authentication == -1)
134 options->dsa_authentication = 1;
/* Kerberos authentication is enabled only when the file KEYFILE is
 * readable at startup.  NOTE(review): access() tests against the real
 * uid, so this is a hint about the environment rather than a guarantee
 * that the file can later be opened. */
136 if (options->kerberos_authentication == -1)
137 options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
138 if (options->kerberos_or_local_passwd == -1)
139 options->kerberos_or_local_passwd = 1;
140 if (options->kerberos_ticket_cleanup == -1)
141 options->kerberos_ticket_cleanup = 1;
144 if (options->kerberos_tgt_passing == -1)
145 options->kerberos_tgt_passing = 0;
/* k_hasafs() presumably probes for AFS at runtime; not defined here. */
146 if (options->afs_token_passing == -1)
147 options->afs_token_passing = k_hasafs();
149 if (options->password_authentication == -1)
150 options->password_authentication = 1;
152 if (options->skey_authentication == -1)
153 options->skey_authentication = 1;
/* Empty passwords are refused by default. */
155 if (options->permit_empty_passwd == -1)
156 options->permit_empty_passwd = 0;
157 if (options->use_login == -1)
158 options->use_login = 0;
/* Both protocol versions are offered unless Protocol restricts them. */
159 if (options->protocol == SSH_PROTO_UNKNOWN)
160 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
161 if (options->gateway_ports == -1)
162 options->gateway_ports = 0;
/* Presumably a cap on concurrent unauthenticated connections. */
163 if (options->max_startups == -1)
164 options->max_startups = 10;
167 /* Keyword tokens. */
/* One opcode per configuration keyword; read_server_config() switches
 * on these and the keywords[] table maps the textual form to them.
 * sBadOption is first (value 0) and is what an unrecognised keyword maps
 * to.  The `typedef enum {` / `} ServerOpCodes;` wrapper and the
 * sSkeyAuthentication member (used by the keyword table, presumably
 * inside a conditional block) are on lines not shown in this listing. */
169 sBadOption, /* == unknown option */
170 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
171 sPermitRootLogin, sLogFacility, sLogLevel,
172 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
174 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
177 sKerberosTgtPassing, sAFSTokenPassing,
182 sPasswordAuthentication, sListenAddress,
183 sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
184 sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
185 sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
186 sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile,
187 sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups
190 /* Textual representation of the tokens. */
/* Keyword table consulted by parse_token().  Names are stored in lower
 * case and compared with strcasecmp(), so keywords in the configuration
 * file are case-insensitive.  parse_token() stops at the first entry
 * whose name is NULL, so the table must end with such a sentinel entry;
 * the struct header, the "port" entry and the sentinel are on lines not
 * shown in this listing. */
193 ServerOpCodes opcode;
196 { "hostkey", sHostKeyFile },
197 { "hostdsakey", sHostDSAKeyFile },
198 { "pidfile", sPidFile },
199 { "serverkeybits", sServerKeyBits },
200 { "logingracetime", sLoginGraceTime },
201 { "keyregenerationinterval", sKeyRegenerationTime },
202 { "permitrootlogin", sPermitRootLogin },
203 { "syslogfacility", sLogFacility },
204 { "loglevel", sLogLevel },
205 { "rhostsauthentication", sRhostsAuthentication },
206 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
207 { "rsaauthentication", sRSAAuthentication },
208 { "dsaauthentication", sDSAAuthentication },
/* Kerberos/AFS/S-Key entries are presumably conditionally compiled; the
 * directive lines are not shown. */
210 { "kerberosauthentication", sKerberosAuthentication },
211 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
212 { "kerberosticketcleanup", sKerberosTicketCleanup },
215 { "kerberostgtpassing", sKerberosTgtPassing },
216 { "afstokenpassing", sAFSTokenPassing },
218 { "passwordauthentication", sPasswordAuthentication },
220 { "skeyauthentication", sSkeyAuthentication },
222 { "checkmail", sCheckMail },
223 { "listenaddress", sListenAddress },
224 { "printmotd", sPrintMotd },
225 { "ignorerhosts", sIgnoreRhosts },
226 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
227 { "x11forwarding", sX11Forwarding },
228 { "x11displayoffset", sX11DisplayOffset },
229 { "xauthlocation", sXAuthLocation },
230 { "strictmodes", sStrictModes },
231 { "permitemptypasswords", sEmptyPasswd },
232 { "uselogin", sUseLogin },
/* Still recognised so old files parse; read_server_config() reports it
 * as obsolete. */
233 { "randomseed", sRandomSeedFile },
234 { "keepalive", sKeepAlives },
235 { "allowusers", sAllowUsers },
236 { "denyusers", sDenyUsers },
237 { "allowgroups", sAllowGroups },
238 { "denygroups", sDenyGroups },
239 { "ciphers", sCiphers },
240 { "protocol", sProtocol },
241 { "gatewayports", sGatewayPorts },
242 { "subsystem", sSubsystem },
243 { "maxstartups", sMaxStartups },
248 * Looks up the keyword cp in keywords[] (case-insensitively, whole
249 * string, no length argument) and returns its opcode.  For an unknown
 * keyword it prints a diagnostic naming filename and linenum to stderr.
 * The old comment claimed the function "never returns" in that case,
 * but the code below uses fprintf() rather than fatal() and falls
 * through; the return statement is not shown here, and is expected to
 * yield sBadOption (the enum's "unknown option" value), which
 * read_server_config() then counts among the bad options.
 * The third parameter (int linenum), the loop index i, the return type
 * and the braces are on lines not shown in this listing.
253 parse_token(const char *cp, const char *filename,
258 for (i = 0; keywords[i].name; i++)
259 if (strcasecmp(cp, keywords[i].name) == 0)
260 return keywords[i].opcode;
262 fprintf(stderr, "%s: line %d: Bad configuration option: %s\n",
263 filename, linenum, cp);
/*
 * Resolves addr -- or the wildcard address when addr is NULL, via
 * AI_PASSIVE -- for every configured port and prepends the resulting
 * addrinfo chain to options->listen_addrs.  If no port has been
 * configured yet, SSH_DEFAULT_PORT is added first.  A resolution
 * failure is fatal.  The lists returned by getaddrinfo() are not freed
 * here; they stay referenced from options.
 * (Return type, the declarations of i and gaierr, and the braces are on
 * lines not shown in this listing.)
 */
271 add_listen_addr(ServerOptions *options, char *addr)
274 struct addrinfo hints, *ai, *aitop;
275 char strport[NI_MAXSERV];
279 if (options->num_ports == 0)
280 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
281 for (i = 0; i < options->num_ports; i++) {
282 memset(&hints, 0, sizeof(hints));
/* IPv4or6 is presumably a program-wide address-family setting. */
283 hints.ai_family = IPv4or6;
284 hints.ai_socktype = SOCK_STREAM;
285 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
/* getaddrinfo() wants the port as a string. */
286 snprintf(strport, sizeof strport, "%d", options->ports[i]);
287 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
288 fatal("bad addr or host: %s (%s)\n",
289 addr ? addr : "<NULL>",
290 gai_strerror(gaierr));
/* Walk to the tail of the freshly resolved list (empty loop body) and
 * splice the existing list onto it, so the new addresses come first. */
291 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
293 ai->ai_next = options->listen_addrs;
294 options->listen_addrs = aitop;
298 /*
 * Reads the server configuration file `filename` into *options.
 *
 * Each line is fetched with fgets() and split into tokens with
 * strdelim(); the first token is resolved by parse_token() and the
 * matching case consumes the remaining tokens.  Several string options
 * (host key files, ciphers, protocol) are "first setting wins": they are
 * only stored while still unset, so earlier command-line values survive.
 * Hard errors call fatal(); recoverable ones print a diagnostic and are
 * counted in bad_options, which is reported once the file is read.
 *
 * NOTE: this listing omits many lines of the function (the switch
 * statement, most case labels, break/goto lines, the fopen() check,
 * fclose() and the final exit).  The comments below only describe what
 * is shown.
 */
301 read_server_config(ServerOptions *options, const char *filename)
305 char *cp, **charptr, *arg;
306 int linenum, *intptr, value;
308 ServerOpCodes opcode;
311 f = fopen(filename, "r");
/* NOTE(review): fgets() returns an over-long line in pieces, so the
 * remainder of such a line is parsed as if it were a new line. */
317 while (fgets(line, sizeof(line), f)) {
321 /* Ignore leading whitespace */
/* Blank lines and '#' comments are skipped. */
324 if (!*arg || *arg == '#')
326 opcode = parse_token(arg, filename, linenum);
332 /* ignore ports from configfile if cmdline specifies ports */
333 if (options->ports_from_cmdline)
/* All ports must be known before the first ListenAddress, because
 * add_listen_addr() resolves every port at that moment. */
335 if (options->listen_addrs != NULL)
336 fatal("%s line %d: ports must be specified before "
337 "ListenAdress.\n", filename, linenum);
338 if (options->num_ports >= MAX_PORTS)
339 fatal("%s line %d: too many ports.\n",
342 if (!arg || *arg == '\0')
343 fatal("%s line %d: missing port number.\n",
/* NOTE(review): atoi() performs no validation -- a non-numeric or
 * out-of-range token silently becomes 0 or an arbitrary int; strtol()
 * with a 1..65535 range check would reject it at parse time. */
345 options->ports[options->num_ports++] = atoi(arg);
349 intptr = &options->server_key_bits;
/* Shared integer path: the other integer options presumably jump here
 * (their jumps are on lines not shown).  A missing value is a counted
 * error rather than a fatal one. */
352 if (!arg || *arg == '\0') {
353 fprintf(stderr, "%s line %d: missing integer value.\n",
362 case sLoginGraceTime:
363 intptr = &options->login_grace_time;
366 case sKeyRegenerationTime:
367 intptr = &options->key_regeneration_time;
/* ListenAddress: resolved immediately for every port known so far. */
372 if (!arg || *arg == '\0')
373 fatal("%s line %d: missing inet addr.\n",
375 add_listen_addr(options, arg);
/* sHostKeyFile shares this case (its label is not shown); opcode
 * selects which pointer is filled. */
379 case sHostDSAKeyFile:
380 charptr = (opcode == sHostKeyFile ) ?
381 &options->host_key_file : &options->host_dsa_key_file;
384 if (!arg || *arg == '\0') {
385 fprintf(stderr, "%s line %d: missing file name.\n",
/* First setting wins; the path is stored after tilde expansion. */
389 if (*charptr == NULL)
390 *charptr = tilde_expand_filename(arg, getuid());
394 charptr = &options->pid_file;
/* Kept only to warn users of old configuration files. */
397 case sRandomSeedFile:
398 fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
403 case sPermitRootLogin:
404 intptr = &options->permit_root_login;
406 if (!arg || *arg == '\0') {
407 fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
/* Three accepted spellings (the value assignments are on lines not
 * shown); anything else prints a diagnostic. */
411 if (strcmp(arg, "without-password") == 0)
413 else if (strcmp(arg, "yes") == 0)
415 else if (strcmp(arg, "no") == 0)
418 fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
419 filename, linenum, arg);
/* Shared yes/no path used by the boolean options that follow. */
427 intptr = &options->ignore_rhosts;
430 if (!arg || *arg == '\0') {
431 fprintf(stderr, "%s line %d: missing yes/no argument.\n",
435 if (strcmp(arg, "yes") == 0)
437 else if (strcmp(arg, "no") == 0)
440 fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
441 filename, linenum, arg);
/* Each boolean option just selects its destination; the parsing itself
 * is the shared yes/no path above. */
448 case sIgnoreUserKnownHosts:
449 intptr = &options->ignore_user_known_hosts;
452 case sRhostsAuthentication:
453 intptr = &options->rhosts_authentication;
456 case sRhostsRSAAuthentication:
457 intptr = &options->rhosts_rsa_authentication;
460 case sRSAAuthentication:
461 intptr = &options->rsa_authentication;
464 case sDSAAuthentication:
465 intptr = &options->dsa_authentication;
469 case sKerberosAuthentication:
470 intptr = &options->kerberos_authentication;
473 case sKerberosOrLocalPasswd:
474 intptr = &options->kerberos_or_local_passwd;
477 case sKerberosTicketCleanup:
478 intptr = &options->kerberos_ticket_cleanup;
483 case sKerberosTgtPassing:
484 intptr = &options->kerberos_tgt_passing;
487 case sAFSTokenPassing:
488 intptr = &options->afs_token_passing;
492 case sPasswordAuthentication:
493 intptr = &options->password_authentication;
497 intptr = &options->check_mail;
501 case sSkeyAuthentication:
502 intptr = &options->skey_authentication;
507 intptr = &options->print_motd;
511 intptr = &options->x11_forwarding;
514 case sX11DisplayOffset:
515 intptr = &options->x11_display_offset;
519 charptr = &options->xauth_location;
523 intptr = &options->strict_modes;
527 intptr = &options->keepalives;
531 intptr = &options->permit_empty_passwd;
535 intptr = &options->use_login;
539 intptr = &options->gateway_ports;
/* The enum field is written through an int pointer.  NOTE(review):
 * whether this aliasing is strictly conforming depends on the enum's
 * underlying type; worth checking under strict-aliasing optimisation. */
543 intptr = (int *) &options->log_facility;
545 value = log_facility_number(arg);
/* log_facility_number() appears to report an unknown name as -1. */
546 if (value == (SyslogFacility) - 1)
547 fatal("%.200s line %d: unsupported log facility '%s'\n",
548 filename, linenum, arg ? arg : "<NONE>");
550 *intptr = (SyslogFacility) value;
554 intptr = (int *) &options->log_level;
556 value = log_level_number(arg);
557 if (value == (LogLevel) - 1)
558 fatal("%.200s line %d: unsupported log level '%s'\n",
559 filename, linenum, arg ? arg : "<NONE>");
561 *intptr = (LogLevel) value;
/* AllowUsers/DenyUsers/AllowGroups/DenyGroups: every remaining token on
 * the line is copied (xstrdup) and appended up to the fixed MAX_*
 * capacity; a repeated directive keeps appending to the same array. */
565 while ((arg = strdelim(&cp)) && *arg != '\0') {
566 if (options->num_allow_users >= MAX_ALLOW_USERS)
567 fatal("%s line %d: too many allow users.\n",
569 options->allow_users[options->num_allow_users++] = xstrdup(arg);
574 while ((arg = strdelim(&cp)) && *arg != '\0') {
575 if (options->num_deny_users >= MAX_DENY_USERS)
576 fatal( "%s line %d: too many deny users.\n",
578 options->deny_users[options->num_deny_users++] = xstrdup(arg);
583 while ((arg = strdelim(&cp)) && *arg != '\0') {
584 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
585 fatal("%s line %d: too many allow groups.\n",
587 options->allow_groups[options->num_allow_groups++] = xstrdup(arg);
592 while ((arg = strdelim(&cp)) && *arg != '\0') {
593 if (options->num_deny_groups >= MAX_DENY_GROUPS)
594 fatal("%s line %d: too many deny groups.\n",
596 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
/* Ciphers: the spec is validated before it is stored; first setting
 * wins. */
602 if (!arg || *arg == '\0')
603 fatal("%s line %d: Missing argument.", filename, linenum);
604 if (!ciphers_valid(arg))
605 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
606 filename, linenum, arg ? arg : "<NONE>");
607 if (options->ciphers == NULL)
608 options->ciphers = xstrdup(arg);
/* Protocol: parsed by proto_spec(); stored only while still unknown. */
612 intptr = &options->protocol;
614 if (!arg || *arg == '\0')
615 fatal("%s line %d: Missing argument.", filename, linenum);
616 value = proto_spec(arg);
617 if (value == SSH_PROTO_UNKNOWN)
618 fatal("%s line %d: Bad protocol spec '%s'.",
619 filename, linenum, arg ? arg : "<NONE>");
620 if (*intptr == SSH_PROTO_UNKNOWN)
/* Subsystem <name> <command>: capacity-checked, and duplicate names are
 * rejected by a linear scan over the ones already defined.  Both strings
 * are copied; the count is bumped only once both are present. */
625 if(options->num_subsystems >= MAX_SUBSYSTEMS) {
626 fatal("%s line %d: too many subsystems defined.",
630 if (!arg || *arg == '\0')
631 fatal("%s line %d: Missing subsystem name.",
633 for (i = 0; i < options->num_subsystems; i++)
634 if(strcmp(arg, options->subsystem_name[i]) == 0)
635 fatal("%s line %d: Subsystem '%s' already defined.",
636 filename, linenum, arg);
637 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
639 if (!arg || *arg == '\0')
640 fatal("%s line %d: Missing subsystem command.",
642 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
643 options->num_subsystems++;
647 intptr = &options->max_startups;
/* Reached for an opcode without a case: an inconsistency between the
 * enum, the keyword table and this switch. */
651 fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
652 filename, linenum, arg, opcode);
/* Anything left on the line after the option's arguments is an error. */
655 if ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
657 "%s line %d: garbage at end of line; \"%.200s\".\n",
658 filename, linenum, arg);
/* Recoverable errors were counted rather than treated as fatal; the
 * message announces termination (the exit itself is not shown here). */
663 if (bad_options > 0) {
664 fprintf(stderr, "%s: terminating, %d bad configuration options\n",
665 filename, bad_options);