servconf.c

   1 /*
   2
   3 servconf.c
   4
   5 Author: Tatu Ylonen <ylo@cs.hut.fi>
   6
   7 Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
   8                    All rights reserved
   9
  10 Created: Mon Aug 21 15:48:58 1995 ylo
  11
  12 */
  13
  14 #include "includes.h"
  15 RCSID("$Id$");
  16
  17 #include "ssh.h"
  18 #include "servconf.h"
  19 #include "xmalloc.h"
  20
  21 /* Initializes the server options to their default values. */
  22
  23 void initialize_server_options(ServerOptions *options)
  24 {
  25   memset(options, 0, sizeof(*options));
  26   options->port = -1;
  27   options->listen_addr.s_addr = htonl(INADDR_ANY);
  28   options->host_key_file = NULL;
  29   options->server_key_bits = -1;
  30   options->login_grace_time = -1;
  31   options->key_regeneration_time = -1;
  32   options->permit_root_login = -1;
  33   options->ignore_rhosts = -1;
  34   options->quiet_mode = -1;
  35   options->fascist_logging = -1;
  36   options->print_motd = -1;
  37   options->check_mail = -1;
  38   options->x11_forwarding = -1;
  39   options->x11_display_offset = -1;
  40   options->strict_modes = -1;
  41   options->keepalives = -1;
  42   options->log_facility = (SyslogFacility)-1;
  43   options->rhosts_authentication = -1;
  44   options->rhosts_rsa_authentication = -1;
  45   options->rsa_authentication = -1;
  46 #ifdef KRB4
  47   options->kerberos_authentication = -1;
  48   options->kerberos_or_local_passwd = -1;
  49   options->kerberos_ticket_cleanup = -1;
  50 #endif
  51 #ifdef AFS
  52   options->kerberos_tgt_passing = -1;
  53   options->afs_token_passing = -1;
  54 #endif
  55   options->password_authentication = -1;
  56 #ifdef SKEY
  57   options->skey_authentication = -1;
  58 #endif
  59   options->permit_empty_passwd = -1;
  60   options->use_login = -1;
  61   options->num_allow_users = 0;
  62   options->num_deny_users = 0;
  63   options->num_allow_groups = 0;
  64   options->num_deny_groups = 0;
  65 }
  66
  67 void fill_default_server_options(ServerOptions *options)
  68 {
  69   if (options->port == -1)
  70     {
  71       struct servent *sp;
  72
  73       sp = getservbyname(SSH_SERVICE_NAME, "tcp");
  74       if (sp)
  75         options->port = ntohs(sp->s_port);
  76       else
  77         options->port = SSH_DEFAULT_PORT;
  78       endservent();
  79     }
  80   if (options->host_key_file == NULL)
  81     options->host_key_file = HOST_KEY_FILE;
  82   if (options->server_key_bits == -1)
  83     options->server_key_bits = 768;
  84   if (options->login_grace_time == -1)
  85     options->login_grace_time = 600;
  86   if (options->key_regeneration_time == -1)
  87     options->key_regeneration_time = 3600;
  88   if (options->permit_root_login == -1)
  89     options->permit_root_login = 1;              /* yes */
  90   if (options->ignore_rhosts == -1)
  91     options->ignore_rhosts = 0;
  92   if (options->quiet_mode == -1)
  93     options->quiet_mode = 0;
  94   if (options->check_mail == -1)
  95     options->check_mail = 0;
  96   if (options->fascist_logging == -1)
  97     options->fascist_logging = 1;
  98   if (options->print_motd == -1)
  99     options->print_motd = 1;
 100   if (options->x11_forwarding == -1)
 101     options->x11_forwarding = 1;
 102   if (options->x11_display_offset == -1)
 103     options->x11_display_offset = 1;
 104   if (options->strict_modes == -1)
 105     options->strict_modes = 1;
 106   if (options->keepalives == -1)
 107     options->keepalives = 1;
 108   if (options->log_facility == (SyslogFacility)(-1))
 109     options->log_facility = SYSLOG_FACILITY_AUTH;
 110   if (options->rhosts_authentication == -1)
 111     options->rhosts_authentication = 0;
 112   if (options->rhosts_rsa_authentication == -1)
 113     options->rhosts_rsa_authentication = 1;
 114   if (options->rsa_authentication == -1)
 115     options->rsa_authentication = 1;
 116 #ifdef KRB4
 117   if (options->kerberos_authentication == -1)
 118     options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
 119   if (options->kerberos_or_local_passwd == -1)
 120     options->kerberos_or_local_passwd = 1;
 121   if (options->kerberos_ticket_cleanup == -1)
 122     options->kerberos_ticket_cleanup = 1;
 123 #endif /* KRB4 */
 124 #ifdef AFS
 125   if (options->kerberos_tgt_passing == -1)
 126     options->kerberos_tgt_passing = 0;
 127   if (options->afs_token_passing == -1)
 128     options->afs_token_passing = k_hasafs();
 129 #endif /* AFS */
 130   if (options->password_authentication == -1)
 131     options->password_authentication = 1;
 132 #ifdef SKEY
 133   if (options->skey_authentication == -1)
 134     options->skey_authentication = 1;
 135 #endif
 136   if (options->permit_empty_passwd == -1)
 137     options->permit_empty_passwd = 1;
 138   if (options->use_login == -1)
 139     options->use_login = 0;
 140 }
 141
 142 #define WHITESPACE " \t\r\n"
 143
 144 /* Keyword tokens. */
 145 typedef enum
 146 {
 147   sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
 148   sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility,
 149   sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
 150 #ifdef KRB4
 151   sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 152 #endif
 153 #ifdef AFS
 154   sKerberosTgtPassing, sAFSTokenPassing,
 155 #endif
 156 #ifdef SKEY
 157   sSkeyAuthentication,
 158 #endif
 159   sPasswordAuthentication, sListenAddress,
 160   sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
 161   sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
 162   sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups
 163
 164 } ServerOpCodes;
 165
 166 /* Textual representation of the tokens. */
 167 static struct
 168 {
 169   const char *name;
 170   ServerOpCodes opcode;
 171 } keywords[] =
 172 {
 173   { "port", sPort },
 174   { "hostkey", sHostKeyFile },
 175   { "serverkeybits", sServerKeyBits },
 176   { "logingracetime", sLoginGraceTime },
 177   { "keyregenerationinterval", sKeyRegenerationTime },
 178   { "permitrootlogin", sPermitRootLogin },
 179   { "quietmode", sQuietMode },
 180   { "fascistlogging", sFascistLogging },
 181   { "syslogfacility", sLogFacility },
 182   { "rhostsauthentication", sRhostsAuthentication },
 183   { "rhostsrsaauthentication", sRhostsRSAAuthentication },
 184   { "rsaauthentication", sRSAAuthentication },
 185 #ifdef KRB4
 186   { "kerberosauthentication", sKerberosAuthentication },
 187   { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
 188   { "kerberosticketcleanup", sKerberosTicketCleanup },
 189 #endif
 190 #ifdef AFS
 191   { "kerberostgtpassing", sKerberosTgtPassing },
 192   { "afstokenpassing", sAFSTokenPassing },
 193 #endif
 194   { "passwordauthentication", sPasswordAuthentication },
 195 #ifdef SKEY
 196   { "skeyauthentication", sSkeyAuthentication },
 197 #endif
 198   { "checkmail", sCheckMail },
 199   { "listenaddress", sListenAddress },
 200   { "printmotd", sPrintMotd },
 201   { "ignorerhosts", sIgnoreRhosts },
 202   { "x11forwarding", sX11Forwarding },
 203   { "x11displayoffset", sX11DisplayOffset },
 204   { "strictmodes", sStrictModes },
 205   { "permitemptypasswords", sEmptyPasswd },
 206   { "uselogin", sUseLogin },
 207   { "randomseed", sRandomSeedFile },
 208   { "keepalive", sKeepAlives },
 209   { "allowusers", sAllowUsers },
 210   { "denyusers", sDenyUsers },
 211   { "allowgroups", sAllowGroups },
 212   { "denygroups", sDenyGroups },
 213   { NULL, 0 }
 214 };
 215
 216 static struct
 217 {
 218   const char *name;
 219   SyslogFacility facility;
 220 } log_facilities[] =
 221 {
 222   { "DAEMON", SYSLOG_FACILITY_DAEMON },
 223   { "USER", SYSLOG_FACILITY_USER },
 224   { "AUTH", SYSLOG_FACILITY_AUTH },
 225   { "LOCAL0", SYSLOG_FACILITY_LOCAL0 },
 226   { "LOCAL1", SYSLOG_FACILITY_LOCAL1 },
 227   { "LOCAL2", SYSLOG_FACILITY_LOCAL2 },
 228   { "LOCAL3", SYSLOG_FACILITY_LOCAL3 },
 229   { "LOCAL4", SYSLOG_FACILITY_LOCAL4 },
 230   { "LOCAL5", SYSLOG_FACILITY_LOCAL5 },
 231   { "LOCAL6", SYSLOG_FACILITY_LOCAL6 },
 232   { "LOCAL7", SYSLOG_FACILITY_LOCAL7 },
 233   { NULL, 0 }
 234 };
 235
 236 /* Returns the number of the token pointed to by cp of length len.
 237    Never returns if the token is not known. */
 238
 239 static ServerOpCodes parse_token(const char *cp, const char *filename,
 240                                  int linenum)
 241 {
 242   unsigned int i;
 243
 244   for (i = 0; keywords[i].name; i++)
 245     if (strcmp(cp, keywords[i].name) == 0)
 246       return keywords[i].opcode;
 247
 248   fprintf(stderr, "%s line %d: Bad configuration option: %s\n",
 249           filename, linenum, cp);
 250   exit(1);
 251 }
 252
 253 /* Reads the server configuration file. */
 254
 255 void read_server_config(ServerOptions *options, const char *filename)
 256 {
 257   FILE *f;
 258   char line[1024];
 259   char *cp, **charptr;
 260   int linenum, *intptr, i, value;
 261   ServerOpCodes opcode;
 262
 263   f = fopen(filename, "r");
 264   if (!f)
 265     {
 266       perror(filename);
 267       exit(1);
 268     }
 269
 270   linenum = 0;
 271   while (fgets(line, sizeof(line), f))
 272     {
 273       linenum++;
 274       cp = line + strspn(line, WHITESPACE);
 275       if (!*cp || *cp == '#')
 276         continue;
 277       cp = strtok(cp, WHITESPACE);
 278       {
 279         char *t = cp;
 280         for (; *t != 0; t++)
 281           if ('A' <= *t && *t <= 'Z')
 282             *t = *t - 'A' + 'a';        /* tolower */
 283
 284       }
 285       opcode = parse_token(cp, filename, linenum);
 286       switch (opcode)
 287         {
 288         case sPort:
 289           intptr = &options->port;
 290         parse_int:
 291           cp = strtok(NULL, WHITESPACE);
 292           if (!cp)
 293             {
 294               fprintf(stderr, "%s line %d: missing integer value.\n",
 295                       filename, linenum);
 296               exit(1);
 297             }
 298           value = atoi(cp);
 299           if (*intptr == -1)
 300             *intptr = value;
 301           break;
 302
 303         case sServerKeyBits:
 304           intptr = &options->server_key_bits;
 305           goto parse_int;
 306
 307         case sLoginGraceTime:
 308           intptr = &options->login_grace_time;
 309           goto parse_int;
 310
 311         case sKeyRegenerationTime:
 312           intptr = &options->key_regeneration_time;
 313           goto parse_int;
 314
 315         case sListenAddress:
 316           cp = strtok(NULL, WHITESPACE);
 317           if (!cp)
 318             {
 319               fprintf(stderr, "%s line %d: missing inet addr.\n",
 320                       filename, linenum);
 321               exit(1);
 322             }
 323           options->listen_addr.s_addr = inet_addr(cp);
 324           break;
 325
 326         case sHostKeyFile:
 327           charptr = &options->host_key_file;
 328           cp = strtok(NULL, WHITESPACE);
 329           if (!cp)
 330             {
 331               fprintf(stderr, "%s line %d: missing file name.\n",
 332                       filename, linenum);
 333               exit(1);
 334             }
 335           if (*charptr == NULL)
 336             *charptr = tilde_expand_filename(cp, getuid());
 337           break;
 338
 339         case sRandomSeedFile:
 340           fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
 341                   filename, linenum);
 342           cp = strtok(NULL, WHITESPACE);
 343           break;
 344
 345         case sPermitRootLogin:
 346           intptr = &options->permit_root_login;
 347           cp = strtok(NULL, WHITESPACE);
 348           if (!cp)
 349             {
 350               fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
 351                       filename, linenum);
 352               exit(1);
 353             }
 354           if (strcmp(cp, "without-password") == 0)
 355             value = 2;
 356           else if (strcmp(cp, "yes") == 0)
 357             value = 1;
 358           else if (strcmp(cp, "no") == 0)
 359             value = 0;
 360           else
 361             {
 362               fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
 363                 filename, linenum, cp);
 364               exit(1);
 365             }
 366           if (*intptr == -1)
 367             *intptr = value;
 368           break;
 369
 370         case sIgnoreRhosts:
 371           intptr = &options->ignore_rhosts;
 372         parse_flag:
 373           cp = strtok(NULL, WHITESPACE);
 374           if (!cp)
 375             {
 376               fprintf(stderr, "%s line %d: missing yes/no argument.\n",
 377                       filename, linenum);
 378               exit(1);
 379             }
 380           if (strcmp(cp, "yes") == 0)
 381             value = 1;
 382           else
 383             if (strcmp(cp, "no") == 0)
 384               value = 0;
 385             else
 386               {
 387                 fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
 388                         filename, linenum, cp);
 389                 exit(1);
 390               }
 391           if (*intptr == -1)
 392             *intptr = value;
 393           break;
 394
 395         case sQuietMode:
 396           intptr = &options->quiet_mode;
 397           goto parse_flag;
 398
 399         case sFascistLogging:
 400           intptr = &options->fascist_logging;
 401           goto parse_flag;
 402
 403         case sRhostsAuthentication:
 404           intptr = &options->rhosts_authentication;
 405           goto parse_flag;
 406
 407         case sRhostsRSAAuthentication:
 408           intptr = &options->rhosts_rsa_authentication;
 409           goto parse_flag;
 410
 411         case sRSAAuthentication:
 412           intptr = &options->rsa_authentication;
 413           goto parse_flag;
 414
 415 #ifdef KRB4
 416         case sKerberosAuthentication:
 417           intptr = &options->kerberos_authentication;
 418           goto parse_flag;
 419
 420         case sKerberosOrLocalPasswd:
 421           intptr = &options->kerberos_or_local_passwd;
 422           goto parse_flag;
 423
 424         case sKerberosTicketCleanup:
 425           intptr = &options->kerberos_ticket_cleanup;
 426           goto parse_flag;
 427 #endif
 428
 429 #ifdef AFS
 430         case sKerberosTgtPassing:
 431           intptr = &options->kerberos_tgt_passing;
 432           goto parse_flag;
 433
 434         case sAFSTokenPassing:
 435           intptr = &options->afs_token_passing;
 436           goto parse_flag;
 437 #endif
 438
 439         case sPasswordAuthentication:
 440           intptr = &options->password_authentication;
 441           goto parse_flag;
 442
 443         case sCheckMail:
 444           intptr = &options->check_mail;
 445           goto parse_flag;
 446
 447 #ifdef SKEY
 448         case sSkeyAuthentication:
 449           intptr = &options->skey_authentication;
 450           goto parse_flag;
 451 #endif
 452
 453         case sPrintMotd:
 454           intptr = &options->print_motd;
 455           goto parse_flag;
 456
 457         case sX11Forwarding:
 458           intptr = &options->x11_forwarding;
 459           goto parse_flag;
 460
 461         case sX11DisplayOffset:
 462           intptr = &options->x11_display_offset;
 463           goto parse_int;
 464
 465         case sStrictModes:
 466           intptr = &options->strict_modes;
 467           goto parse_flag;
 468
 469         case sKeepAlives:
 470           intptr = &options->keepalives;
 471           goto parse_flag;
 472
 473         case sEmptyPasswd:
 474           intptr = &options->permit_empty_passwd;
 475           goto parse_flag;
 476
 477         case sUseLogin:
 478           intptr = &options->use_login;
 479           goto parse_flag;
 480
 481         case sLogFacility:
 482           cp = strtok(NULL, WHITESPACE);
 483           if (!cp)
 484             {
 485               fprintf(stderr, "%s line %d: missing facility name.\n",
 486                       filename, linenum);
 487               exit(1);
 488             }
 489           for (i = 0; log_facilities[i].name; i++)
 490             if (strcmp(log_facilities[i].name, cp) == 0)
 491               break;
 492           if (!log_facilities[i].name)
 493             {
 494               fprintf(stderr, "%s line %d: unsupported log facility %s\n",
 495                       filename, linenum, cp);
 496               exit(1);
 497             }
 498           if (options->log_facility == (SyslogFacility)(-1))
 499             options->log_facility = log_facilities[i].facility;
 500           break;
 501
 502         case sAllowUsers:
 503           while ((cp = strtok(NULL, WHITESPACE)))
 504             {
 505               if (options->num_allow_users >= MAX_ALLOW_USERS)
 506                 {
 507                   fprintf(stderr, "%s line %d: too many allow users.\n",
 508                           filename, linenum);
 509                   exit(1);
 510                 }
 511               options->allow_users[options->num_allow_users++] = xstrdup(cp);
 512             }
 513           break;
 514
 515         case sDenyUsers:
 516           while ((cp = strtok(NULL, WHITESPACE)))
 517             {
 518               if (options->num_deny_users >= MAX_DENY_USERS)
 519                 {
 520                   fprintf(stderr, "%s line %d: too many deny users.\n",
 521                           filename, linenum);
 522                   exit(1);
 523                 }
 524               options->deny_users[options->num_deny_users++] = xstrdup(cp);
 525             }
 526           break;
 527
 528         case sAllowGroups:
 529           while ((cp = strtok(NULL, WHITESPACE)))
 530             {
 531               if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
 532                 {
 533                   fprintf(stderr, "%s line %d: too many allow groups.\n",
 534                           filename, linenum);
 535                   exit(1);
 536                 }
 537               options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
 538             }
 539           break;
 540
 541         case sDenyGroups:
 542           while ((cp = strtok(NULL, WHITESPACE)))
 543             {
 544               if (options->num_deny_groups >= MAX_DENY_GROUPS)
 545                 {
 546                   fprintf(stderr, "%s line %d: too many deny groups.\n",
 547                           filename, linenum);
 548                   exit(1);
 549                 }
 550               options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
 551             }
 552           break;
 553
 554         default:
 555           fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
 556                   filename, linenum, cp, opcode);
 557           exit(1);
 558         }
 559       if (strtok(NULL, WHITESPACE) != NULL)
 560         {
 561           fprintf(stderr, "%s line %d: garbage at end of line.\n",
 562                   filename, linenum);
 563           exit(1);
 564         }
 565     }
 566   fclose(f);
 567 }