2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
19 #include "pathnames.h"
25 static void add_listen_addr(ServerOptions *, char *, u_short);
26 static void add_one_listen_addr(ServerOptions *, char *, u_short);
28 /* Use of privilege separation or not */
29 extern int use_privsep;
31 /* Initializes the server options to their default values. */
34 initialize_server_options(ServerOptions *options)
36 memset(options, 0, sizeof(*options));
38 /* Portable-specific options */
39 options->use_pam = -1;
41 /* Standard Options */
42 options->num_ports = 0;
43 options->ports_from_cmdline = 0;
44 options->listen_addrs = NULL;
45 options->address_family = -1;
46 options->num_host_key_files = 0;
47 options->pid_file = NULL;
48 options->server_key_bits = -1;
49 options->login_grace_time = -1;
50 options->key_regeneration_time = -1;
51 options->permit_root_login = PERMIT_NOT_SET;
52 options->ignore_rhosts = -1;
53 options->ignore_user_known_hosts = -1;
54 options->print_motd = -1;
55 options->print_lastlog = -1;
56 options->x11_forwarding = -1;
57 options->x11_display_offset = -1;
58 options->x11_use_localhost = -1;
59 options->xauth_location = NULL;
60 options->strict_modes = -1;
61 options->tcp_keep_alive = -1;
62 options->log_facility = SYSLOG_FACILITY_NOT_SET;
63 options->log_level = SYSLOG_LEVEL_NOT_SET;
64 options->rhosts_rsa_authentication = -1;
65 options->hostbased_authentication = -1;
66 options->hostbased_uses_name_from_packet_only = -1;
67 options->rsa_authentication = -1;
68 options->pubkey_authentication = -1;
69 options->kerberos_authentication = -1;
70 options->kerberos_or_local_passwd = -1;
71 options->kerberos_ticket_cleanup = -1;
72 options->kerberos_get_afs_token = -1;
73 options->gss_authentication=-1;
74 options->gss_cleanup_creds = -1;
75 options->password_authentication = -1;
76 options->kbd_interactive_authentication = -1;
77 options->challenge_response_authentication = -1;
78 options->permit_empty_passwd = -1;
79 options->permit_user_env = -1;
80 options->use_login = -1;
81 options->compression = -1;
82 options->allow_tcp_forwarding = -1;
83 options->num_allow_users = 0;
84 options->num_deny_users = 0;
85 options->num_allow_groups = 0;
86 options->num_deny_groups = 0;
87 options->ciphers = NULL;
89 options->protocol = SSH_PROTO_UNKNOWN;
90 options->gateway_ports = -1;
91 options->num_subsystems = 0;
92 options->max_startups_begin = -1;
93 options->max_startups_rate = -1;
94 options->max_startups = -1;
95 options->max_authtries = -1;
96 options->banner = NULL;
97 options->use_dns = -1;
98 options->client_alive_interval = -1;
99 options->client_alive_count_max = -1;
100 options->authorized_keys_file = NULL;
101 options->authorized_keys_file2 = NULL;
102 options->num_accept_env = 0;
103 options->permit_tun = -1;
105 /* Needs to be accessable in many places */
110 fill_default_server_options(ServerOptions *options)
112 /* Portable-specific options */
113 if (options->use_pam == -1)
114 options->use_pam = 0;
116 /* Standard Options */
117 if (options->protocol == SSH_PROTO_UNKNOWN)
118 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
119 if (options->num_host_key_files == 0) {
120 /* fill default hostkeys for protocols */
121 if (options->protocol & SSH_PROTO_1)
122 options->host_key_files[options->num_host_key_files++] =
124 if (options->protocol & SSH_PROTO_2) {
125 options->host_key_files[options->num_host_key_files++] =
126 _PATH_HOST_RSA_KEY_FILE;
127 options->host_key_files[options->num_host_key_files++] =
128 _PATH_HOST_DSA_KEY_FILE;
131 if (options->num_ports == 0)
132 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
133 if (options->listen_addrs == NULL)
134 add_listen_addr(options, NULL, 0);
135 if (options->pid_file == NULL)
136 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
137 if (options->server_key_bits == -1)
138 options->server_key_bits = 768;
139 if (options->login_grace_time == -1)
140 options->login_grace_time = 120;
141 if (options->key_regeneration_time == -1)
142 options->key_regeneration_time = 3600;
143 if (options->permit_root_login == PERMIT_NOT_SET)
144 options->permit_root_login = PERMIT_YES;
145 if (options->ignore_rhosts == -1)
146 options->ignore_rhosts = 1;
147 if (options->ignore_user_known_hosts == -1)
148 options->ignore_user_known_hosts = 0;
149 if (options->print_motd == -1)
150 options->print_motd = 1;
151 if (options->print_lastlog == -1)
152 options->print_lastlog = 1;
153 if (options->x11_forwarding == -1)
154 options->x11_forwarding = 0;
155 if (options->x11_display_offset == -1)
156 options->x11_display_offset = 10;
157 if (options->x11_use_localhost == -1)
158 options->x11_use_localhost = 1;
159 if (options->xauth_location == NULL)
160 options->xauth_location = _PATH_XAUTH;
161 if (options->strict_modes == -1)
162 options->strict_modes = 1;
163 if (options->tcp_keep_alive == -1)
164 options->tcp_keep_alive = 1;
165 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
166 options->log_facility = SYSLOG_FACILITY_AUTH;
167 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
168 options->log_level = SYSLOG_LEVEL_INFO;
169 if (options->rhosts_rsa_authentication == -1)
170 options->rhosts_rsa_authentication = 0;
171 if (options->hostbased_authentication == -1)
172 options->hostbased_authentication = 0;
173 if (options->hostbased_uses_name_from_packet_only == -1)
174 options->hostbased_uses_name_from_packet_only = 0;
175 if (options->rsa_authentication == -1)
176 options->rsa_authentication = 1;
177 if (options->pubkey_authentication == -1)
178 options->pubkey_authentication = 1;
179 if (options->kerberos_authentication == -1)
180 options->kerberos_authentication = 0;
181 if (options->kerberos_or_local_passwd == -1)
182 options->kerberos_or_local_passwd = 1;
183 if (options->kerberos_ticket_cleanup == -1)
184 options->kerberos_ticket_cleanup = 1;
185 if (options->kerberos_get_afs_token == -1)
186 options->kerberos_get_afs_token = 0;
187 if (options->gss_authentication == -1)
188 options->gss_authentication = 0;
189 if (options->gss_cleanup_creds == -1)
190 options->gss_cleanup_creds = 1;
191 if (options->password_authentication == -1)
192 options->password_authentication = 1;
193 if (options->kbd_interactive_authentication == -1)
194 options->kbd_interactive_authentication = 0;
195 if (options->challenge_response_authentication == -1)
196 options->challenge_response_authentication = 1;
197 if (options->permit_empty_passwd == -1)
198 options->permit_empty_passwd = 0;
199 if (options->permit_user_env == -1)
200 options->permit_user_env = 0;
201 if (options->use_login == -1)
202 options->use_login = 0;
203 if (options->compression == -1)
204 options->compression = COMP_DELAYED;
205 if (options->allow_tcp_forwarding == -1)
206 options->allow_tcp_forwarding = 1;
207 if (options->gateway_ports == -1)
208 options->gateway_ports = 0;
209 if (options->max_startups == -1)
210 options->max_startups = 10;
211 if (options->max_startups_rate == -1)
212 options->max_startups_rate = 100; /* 100% */
213 if (options->max_startups_begin == -1)
214 options->max_startups_begin = options->max_startups;
215 if (options->max_authtries == -1)
216 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
217 if (options->use_dns == -1)
218 options->use_dns = 1;
219 if (options->client_alive_interval == -1)
220 options->client_alive_interval = 0;
221 if (options->client_alive_count_max == -1)
222 options->client_alive_count_max = 3;
223 if (options->authorized_keys_file2 == NULL) {
224 /* authorized_keys_file2 falls back to authorized_keys_file */
225 if (options->authorized_keys_file != NULL)
226 options->authorized_keys_file2 = options->authorized_keys_file;
228 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
230 if (options->authorized_keys_file == NULL)
231 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
232 if (options->permit_tun == -1)
233 options->permit_tun = SSH_TUNMODE_NO;
235 /* Turn privilege separation on by default */
236 if (use_privsep == -1)
240 if (use_privsep && options->compression == 1) {
241 error("This platform does not support both privilege "
242 "separation and compression");
243 error("Compression disabled");
244 options->compression = 0;
250 /* Keyword tokens. */
252 sBadOption, /* == unknown option */
253 /* Portable-specific options */
255 /* Standard Options */
256 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
257 sPermitRootLogin, sLogFacility, sLogLevel,
258 sRhostsRSAAuthentication, sRSAAuthentication,
259 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
260 sKerberosGetAFSToken,
261 sKerberosTgtPassing, sChallengeResponseAuthentication,
262 sPasswordAuthentication, sKbdInteractiveAuthentication,
263 sListenAddress, sAddressFamily,
264 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
265 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
266 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
267 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
268 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
269 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
270 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
271 sMaxStartups, sMaxAuthTries,
272 sBanner, sUseDNS, sHostbasedAuthentication,
273 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
274 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
275 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
276 sUsePrivilegeSeparation,
277 sDeprecated, sUnsupported
280 /* Textual representation of the tokens. */
283 ServerOpCodes opcode;
285 /* Portable-specific options */
287 { "usepam", sUsePAM },
289 { "usepam", sUnsupported },
291 { "pamauthenticationviakbdint", sDeprecated },
292 /* Standard Options */
294 { "hostkey", sHostKeyFile },
295 { "hostdsakey", sHostKeyFile }, /* alias */
296 { "pidfile", sPidFile },
297 { "serverkeybits", sServerKeyBits },
298 { "logingracetime", sLoginGraceTime },
299 { "keyregenerationinterval", sKeyRegenerationTime },
300 { "permitrootlogin", sPermitRootLogin },
301 { "syslogfacility", sLogFacility },
302 { "loglevel", sLogLevel },
303 { "rhostsauthentication", sDeprecated },
304 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
305 { "hostbasedauthentication", sHostbasedAuthentication },
306 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
307 { "rsaauthentication", sRSAAuthentication },
308 { "pubkeyauthentication", sPubkeyAuthentication },
309 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
311 { "kerberosauthentication", sKerberosAuthentication },
312 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
313 { "kerberosticketcleanup", sKerberosTicketCleanup },
315 { "kerberosgetafstoken", sKerberosGetAFSToken },
317 { "kerberosgetafstoken", sUnsupported },
320 { "kerberosauthentication", sUnsupported },
321 { "kerberosorlocalpasswd", sUnsupported },
322 { "kerberosticketcleanup", sUnsupported },
323 { "kerberosgetafstoken", sUnsupported },
325 { "kerberostgtpassing", sUnsupported },
326 { "afstokenpassing", sUnsupported },
328 { "gssapiauthentication", sGssAuthentication },
329 { "gssapicleanupcredentials", sGssCleanupCreds },
331 { "gssapiauthentication", sUnsupported },
332 { "gssapicleanupcredentials", sUnsupported },
334 { "passwordauthentication", sPasswordAuthentication },
335 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
336 { "challengeresponseauthentication", sChallengeResponseAuthentication },
337 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
338 { "checkmail", sDeprecated },
339 { "listenaddress", sListenAddress },
340 { "addressfamily", sAddressFamily },
341 { "printmotd", sPrintMotd },
342 { "printlastlog", sPrintLastLog },
343 { "ignorerhosts", sIgnoreRhosts },
344 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
345 { "x11forwarding", sX11Forwarding },
346 { "x11displayoffset", sX11DisplayOffset },
347 { "x11uselocalhost", sX11UseLocalhost },
348 { "xauthlocation", sXAuthLocation },
349 { "strictmodes", sStrictModes },
350 { "permitemptypasswords", sEmptyPasswd },
351 { "permituserenvironment", sPermitUserEnvironment },
352 { "uselogin", sUseLogin },
353 { "compression", sCompression },
354 { "tcpkeepalive", sTCPKeepAlive },
355 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
356 { "allowtcpforwarding", sAllowTcpForwarding },
357 { "allowusers", sAllowUsers },
358 { "denyusers", sDenyUsers },
359 { "allowgroups", sAllowGroups },
360 { "denygroups", sDenyGroups },
361 { "ciphers", sCiphers },
363 { "protocol", sProtocol },
364 { "gatewayports", sGatewayPorts },
365 { "subsystem", sSubsystem },
366 { "maxstartups", sMaxStartups },
367 { "maxauthtries", sMaxAuthTries },
368 { "banner", sBanner },
369 { "usedns", sUseDNS },
370 { "verifyreversemapping", sDeprecated },
371 { "reversemappingcheck", sDeprecated },
372 { "clientaliveinterval", sClientAliveInterval },
373 { "clientalivecountmax", sClientAliveCountMax },
374 { "authorizedkeysfile", sAuthorizedKeysFile },
375 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
376 { "useprivilegeseparation", sUsePrivilegeSeparation},
377 { "acceptenv", sAcceptEnv },
378 { "permittunnel", sPermitTunnel },
383 * Returns the number of the token pointed to by cp or sBadOption.
387 parse_token(const char *cp, const char *filename,
392 for (i = 0; keywords[i].name; i++)
393 if (strcasecmp(cp, keywords[i].name) == 0)
394 return keywords[i].opcode;
396 error("%s: line %d: Bad configuration option: %s",
397 filename, linenum, cp);
402 add_listen_addr(ServerOptions *options, char *addr, u_short port)
406 if (options->num_ports == 0)
407 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
408 if (options->address_family == -1)
409 options->address_family = AF_UNSPEC;
411 for (i = 0; i < options->num_ports; i++)
412 add_one_listen_addr(options, addr, options->ports[i]);
414 add_one_listen_addr(options, addr, port);
418 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
420 struct addrinfo hints, *ai, *aitop;
421 char strport[NI_MAXSERV];
424 memset(&hints, 0, sizeof(hints));
425 hints.ai_family = options->address_family;
426 hints.ai_socktype = SOCK_STREAM;
427 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
428 snprintf(strport, sizeof strport, "%u", port);
429 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
430 fatal("bad addr or host: %s (%s)",
431 addr ? addr : "<NULL>",
432 gai_strerror(gaierr));
433 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
435 ai->ai_next = options->listen_addrs;
436 options->listen_addrs = aitop;
440 process_server_config_line(ServerOptions *options, char *line,
441 const char *filename, int linenum)
443 char *cp, **charptr, *arg, *p;
444 int *intptr, value, n;
445 ServerOpCodes opcode;
450 if ((arg = strdelim(&cp)) != NULL)
452 /* Ignore leading whitespace */
455 if (!arg || !*arg || *arg == '#')
459 opcode = parse_token(arg, filename, linenum);
461 /* Portable-specific options */
463 intptr = &options->use_pam;
466 /* Standard Options */
470 /* ignore ports from configfile if cmdline specifies ports */
471 if (options->ports_from_cmdline)
473 if (options->listen_addrs != NULL)
474 fatal("%s line %d: ports must be specified before "
475 "ListenAddress.", filename, linenum);
476 if (options->num_ports >= MAX_PORTS)
477 fatal("%s line %d: too many ports.",
480 if (!arg || *arg == '\0')
481 fatal("%s line %d: missing port number.",
483 options->ports[options->num_ports++] = a2port(arg);
484 if (options->ports[options->num_ports-1] == 0)
485 fatal("%s line %d: Badly formatted port number.",
490 intptr = &options->server_key_bits;
493 if (!arg || *arg == '\0')
494 fatal("%s line %d: missing integer value.",
501 case sLoginGraceTime:
502 intptr = &options->login_grace_time;
505 if (!arg || *arg == '\0')
506 fatal("%s line %d: missing time value.",
508 if ((value = convtime(arg)) == -1)
509 fatal("%s line %d: invalid time value.",
515 case sKeyRegenerationTime:
516 intptr = &options->key_regeneration_time;
521 if (arg == NULL || *arg == '\0')
522 fatal("%s line %d: missing address",
524 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
525 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
526 && strchr(p+1, ':') != NULL) {
527 add_listen_addr(options, arg, 0);
532 fatal("%s line %d: bad address:port usage",
534 p = cleanhostname(p);
537 else if ((port = a2port(arg)) == 0)
538 fatal("%s line %d: bad port number", filename, linenum);
540 add_listen_addr(options, p, port);
546 if (!arg || *arg == '\0')
547 fatal("%s line %d: missing address family.",
549 intptr = &options->address_family;
550 if (options->listen_addrs != NULL)
551 fatal("%s line %d: address family must be specified before "
552 "ListenAddress.", filename, linenum);
553 if (strcasecmp(arg, "inet") == 0)
555 else if (strcasecmp(arg, "inet6") == 0)
557 else if (strcasecmp(arg, "any") == 0)
560 fatal("%s line %d: unsupported address family \"%s\".",
561 filename, linenum, arg);
567 intptr = &options->num_host_key_files;
568 if (*intptr >= MAX_HOSTKEYS)
569 fatal("%s line %d: too many host keys specified (max %d).",
570 filename, linenum, MAX_HOSTKEYS);
571 charptr = &options->host_key_files[*intptr];
574 if (!arg || *arg == '\0')
575 fatal("%s line %d: missing file name.",
577 if (*charptr == NULL) {
578 *charptr = tilde_expand_filename(arg, getuid());
579 /* increase optional counter */
581 *intptr = *intptr + 1;
586 charptr = &options->pid_file;
589 case sPermitRootLogin:
590 intptr = &options->permit_root_login;
592 if (!arg || *arg == '\0')
593 fatal("%s line %d: missing yes/"
594 "without-password/forced-commands-only/no "
595 "argument.", filename, linenum);
596 value = 0; /* silence compiler */
597 if (strcmp(arg, "without-password") == 0)
598 value = PERMIT_NO_PASSWD;
599 else if (strcmp(arg, "forced-commands-only") == 0)
600 value = PERMIT_FORCED_ONLY;
601 else if (strcmp(arg, "yes") == 0)
603 else if (strcmp(arg, "no") == 0)
606 fatal("%s line %d: Bad yes/"
607 "without-password/forced-commands-only/no "
608 "argument: %s", filename, linenum, arg);
614 intptr = &options->ignore_rhosts;
617 if (!arg || *arg == '\0')
618 fatal("%s line %d: missing yes/no argument.",
620 value = 0; /* silence compiler */
621 if (strcmp(arg, "yes") == 0)
623 else if (strcmp(arg, "no") == 0)
626 fatal("%s line %d: Bad yes/no argument: %s",
627 filename, linenum, arg);
632 case sIgnoreUserKnownHosts:
633 intptr = &options->ignore_user_known_hosts;
636 case sRhostsRSAAuthentication:
637 intptr = &options->rhosts_rsa_authentication;
640 case sHostbasedAuthentication:
641 intptr = &options->hostbased_authentication;
644 case sHostbasedUsesNameFromPacketOnly:
645 intptr = &options->hostbased_uses_name_from_packet_only;
648 case sRSAAuthentication:
649 intptr = &options->rsa_authentication;
652 case sPubkeyAuthentication:
653 intptr = &options->pubkey_authentication;
656 case sKerberosAuthentication:
657 intptr = &options->kerberos_authentication;
660 case sKerberosOrLocalPasswd:
661 intptr = &options->kerberos_or_local_passwd;
664 case sKerberosTicketCleanup:
665 intptr = &options->kerberos_ticket_cleanup;
668 case sKerberosGetAFSToken:
669 intptr = &options->kerberos_get_afs_token;
672 case sGssAuthentication:
673 intptr = &options->gss_authentication;
676 case sGssCleanupCreds:
677 intptr = &options->gss_cleanup_creds;
680 case sPasswordAuthentication:
681 intptr = &options->password_authentication;
684 case sKbdInteractiveAuthentication:
685 intptr = &options->kbd_interactive_authentication;
688 case sChallengeResponseAuthentication:
689 intptr = &options->challenge_response_authentication;
693 intptr = &options->print_motd;
697 intptr = &options->print_lastlog;
701 intptr = &options->x11_forwarding;
704 case sX11DisplayOffset:
705 intptr = &options->x11_display_offset;
708 case sX11UseLocalhost:
709 intptr = &options->x11_use_localhost;
713 charptr = &options->xauth_location;
717 intptr = &options->strict_modes;
721 intptr = &options->tcp_keep_alive;
725 intptr = &options->permit_empty_passwd;
728 case sPermitUserEnvironment:
729 intptr = &options->permit_user_env;
733 intptr = &options->use_login;
737 intptr = &options->compression;
739 if (!arg || *arg == '\0')
740 fatal("%s line %d: missing yes/no/delayed "
741 "argument.", filename, linenum);
742 value = 0; /* silence compiler */
743 if (strcmp(arg, "delayed") == 0)
744 value = COMP_DELAYED;
745 else if (strcmp(arg, "yes") == 0)
747 else if (strcmp(arg, "no") == 0)
750 fatal("%s line %d: Bad yes/no/delayed "
751 "argument: %s", filename, linenum, arg);
757 intptr = &options->gateway_ports;
759 if (!arg || *arg == '\0')
760 fatal("%s line %d: missing yes/no/clientspecified "
761 "argument.", filename, linenum);
762 value = 0; /* silence compiler */
763 if (strcmp(arg, "clientspecified") == 0)
765 else if (strcmp(arg, "yes") == 0)
767 else if (strcmp(arg, "no") == 0)
770 fatal("%s line %d: Bad yes/no/clientspecified "
771 "argument: %s", filename, linenum, arg);
777 intptr = &options->use_dns;
781 intptr = (int *) &options->log_facility;
783 value = log_facility_number(arg);
784 if (value == SYSLOG_FACILITY_NOT_SET)
785 fatal("%.200s line %d: unsupported log facility '%s'",
786 filename, linenum, arg ? arg : "<NONE>");
788 *intptr = (SyslogFacility) value;
792 intptr = (int *) &options->log_level;
794 value = log_level_number(arg);
795 if (value == SYSLOG_LEVEL_NOT_SET)
796 fatal("%.200s line %d: unsupported log level '%s'",
797 filename, linenum, arg ? arg : "<NONE>");
799 *intptr = (LogLevel) value;
802 case sAllowTcpForwarding:
803 intptr = &options->allow_tcp_forwarding;
806 case sUsePrivilegeSeparation:
807 intptr = &use_privsep;
811 while ((arg = strdelim(&cp)) && *arg != '\0') {
812 if (options->num_allow_users >= MAX_ALLOW_USERS)
813 fatal("%s line %d: too many allow users.",
815 options->allow_users[options->num_allow_users++] =
821 while ((arg = strdelim(&cp)) && *arg != '\0') {
822 if (options->num_deny_users >= MAX_DENY_USERS)
823 fatal( "%s line %d: too many deny users.",
825 options->deny_users[options->num_deny_users++] =
831 while ((arg = strdelim(&cp)) && *arg != '\0') {
832 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
833 fatal("%s line %d: too many allow groups.",
835 options->allow_groups[options->num_allow_groups++] =
841 while ((arg = strdelim(&cp)) && *arg != '\0') {
842 if (options->num_deny_groups >= MAX_DENY_GROUPS)
843 fatal("%s line %d: too many deny groups.",
845 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
851 if (!arg || *arg == '\0')
852 fatal("%s line %d: Missing argument.", filename, linenum);
853 if (!ciphers_valid(arg))
854 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
855 filename, linenum, arg ? arg : "<NONE>");
856 if (options->ciphers == NULL)
857 options->ciphers = xstrdup(arg);
862 if (!arg || *arg == '\0')
863 fatal("%s line %d: Missing argument.", filename, linenum);
865 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
866 filename, linenum, arg ? arg : "<NONE>");
867 if (options->macs == NULL)
868 options->macs = xstrdup(arg);
872 intptr = &options->protocol;
874 if (!arg || *arg == '\0')
875 fatal("%s line %d: Missing argument.", filename, linenum);
876 value = proto_spec(arg);
877 if (value == SSH_PROTO_UNKNOWN)
878 fatal("%s line %d: Bad protocol spec '%s'.",
879 filename, linenum, arg ? arg : "<NONE>");
880 if (*intptr == SSH_PROTO_UNKNOWN)
885 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
886 fatal("%s line %d: too many subsystems defined.",
890 if (!arg || *arg == '\0')
891 fatal("%s line %d: Missing subsystem name.",
893 for (i = 0; i < options->num_subsystems; i++)
894 if (strcmp(arg, options->subsystem_name[i]) == 0)
895 fatal("%s line %d: Subsystem '%s' already defined.",
896 filename, linenum, arg);
897 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
899 if (!arg || *arg == '\0')
900 fatal("%s line %d: Missing subsystem command.",
902 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
903 options->num_subsystems++;
908 if (!arg || *arg == '\0')
909 fatal("%s line %d: Missing MaxStartups spec.",
911 if ((n = sscanf(arg, "%d:%d:%d",
912 &options->max_startups_begin,
913 &options->max_startups_rate,
914 &options->max_startups)) == 3) {
915 if (options->max_startups_begin >
916 options->max_startups ||
917 options->max_startups_rate > 100 ||
918 options->max_startups_rate < 1)
919 fatal("%s line %d: Illegal MaxStartups spec.",
922 fatal("%s line %d: Illegal MaxStartups spec.",
925 options->max_startups = options->max_startups_begin;
929 intptr = &options->max_authtries;
933 charptr = &options->banner;
936 * These options can contain %X options expanded at
937 * connect time, so that you can specify paths like:
939 * AuthorizedKeysFile /etc/ssh_keys/%u
941 case sAuthorizedKeysFile:
942 case sAuthorizedKeysFile2:
943 charptr = (opcode == sAuthorizedKeysFile ) ?
944 &options->authorized_keys_file :
945 &options->authorized_keys_file2;
948 case sClientAliveInterval:
949 intptr = &options->client_alive_interval;
952 case sClientAliveCountMax:
953 intptr = &options->client_alive_count_max;
957 while ((arg = strdelim(&cp)) && *arg != '\0') {
958 if (strchr(arg, '=') != NULL)
959 fatal("%s line %d: Invalid environment name.",
961 if (options->num_accept_env >= MAX_ACCEPT_ENV)
962 fatal("%s line %d: too many allow env.",
964 options->accept_env[options->num_accept_env++] =
970 intptr = &options->permit_tun;
972 if (!arg || *arg == '\0')
973 fatal("%s line %d: Missing yes/point-to-point/"
974 "ethernet/no argument.", filename, linenum);
975 value = 0; /* silence compiler */
976 if (strcasecmp(arg, "ethernet") == 0)
977 value = SSH_TUNMODE_ETHERNET;
978 else if (strcasecmp(arg, "point-to-point") == 0)
979 value = SSH_TUNMODE_POINTOPOINT;
980 else if (strcasecmp(arg, "yes") == 0)
981 value = SSH_TUNMODE_YES;
982 else if (strcasecmp(arg, "no") == 0)
983 value = SSH_TUNMODE_NO;
985 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
986 "no argument: %s", filename, linenum, arg);
992 logit("%s line %d: Deprecated option %s",
993 filename, linenum, arg);
999 logit("%s line %d: Unsupported option %s",
1000 filename, linenum, arg);
1002 arg = strdelim(&cp);
1006 fatal("%s line %d: Missing handler for opcode %s (%d)",
1007 filename, linenum, arg, opcode);
1009 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1010 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1011 filename, linenum, arg);
1015 /* Reads the server configuration file. */
1018 load_server_config(const char *filename, Buffer *conf)
1020 char line[1024], *cp;
1023 debug2("%s: filename %s", __func__, filename);
1024 if ((f = fopen(filename, "r")) == NULL) {
1029 while (fgets(line, sizeof(line), f)) {
1031 * Trim out comments and strip whitespace
1032 * NB - preserve newlines, they are needed to reproduce
1033 * line numbers later for error messages
1035 if ((cp = strchr(line, '#')) != NULL)
1036 memcpy(cp, "\n", 2);
1037 cp = line + strspn(line, " \t\r");
1039 buffer_append(conf, cp, strlen(cp));
1041 buffer_append(conf, "\0", 1);
1043 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1047 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1049 int linenum, bad_options = 0;
1050 char *cp, *obuf, *cbuf;
1052 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1054 obuf = cbuf = xstrdup(buffer_ptr(conf));
1056 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1057 if (process_server_config_line(options, cp, filename,
1062 if (bad_options > 0)
1063 fatal("%s: terminating, %d bad configuration options",
1064 filename, bad_options);