2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.121 2003/05/15 14:02:47 jakob Exp $");
24 * XXX: Bodge - but then, so is using the kerberos IV KEYFILE to get a
27 # define KEYFILE "/etc/krb5.keytab"
40 #include "pathnames.h"
41 #include "tildexpand.h"
47 static void add_listen_addr(ServerOptions *, char *, u_short);
48 static void add_one_listen_addr(ServerOptions *, char *, u_short);
50 /* AF_UNSPEC or AF_INET or AF_INET6 */
52 /* Use of privilege separation or not */
53 extern int use_privsep;
55 /* Initializes the server options to their default values. */
58 initialize_server_options(ServerOptions *options)
60 memset(options, 0, sizeof(*options));
62 /* Portable-specific options */
63 options->use_pam = -1;
65 /* Standard Options */
66 options->num_ports = 0;
67 options->ports_from_cmdline = 0;
68 options->listen_addrs = NULL;
69 options->num_host_key_files = 0;
70 options->pid_file = NULL;
71 options->server_key_bits = -1;
72 options->login_grace_time = -1;
73 options->key_regeneration_time = -1;
74 options->permit_root_login = PERMIT_NOT_SET;
75 options->ignore_rhosts = -1;
76 options->ignore_user_known_hosts = -1;
77 options->print_motd = -1;
78 options->print_lastlog = -1;
79 options->x11_forwarding = -1;
80 options->x11_display_offset = -1;
81 options->x11_use_localhost = -1;
82 options->xauth_location = NULL;
83 options->strict_modes = -1;
84 options->keepalives = -1;
85 options->log_facility = SYSLOG_FACILITY_NOT_SET;
86 options->log_level = SYSLOG_LEVEL_NOT_SET;
87 options->rhosts_authentication = -1;
88 options->rhosts_rsa_authentication = -1;
89 options->hostbased_authentication = -1;
90 options->hostbased_uses_name_from_packet_only = -1;
91 options->rsa_authentication = -1;
92 options->pubkey_authentication = -1;
93 options->kerberos_authentication = -1;
94 options->kerberos_or_local_passwd = -1;
95 options->kerberos_ticket_cleanup = -1;
96 options->kerberos_tgt_passing = -1;
97 options->afs_token_passing = -1;
98 options->password_authentication = -1;
99 options->kbd_interactive_authentication = -1;
100 options->challenge_response_authentication = -1;
101 options->permit_empty_passwd = -1;
102 options->permit_user_env = -1;
103 options->use_login = -1;
104 options->compression = -1;
105 options->allow_tcp_forwarding = -1;
106 options->num_allow_users = 0;
107 options->num_deny_users = 0;
108 options->num_allow_groups = 0;
109 options->num_deny_groups = 0;
110 options->ciphers = NULL;
111 options->macs = NULL;
112 options->protocol = SSH_PROTO_UNKNOWN;
113 options->gateway_ports = -1;
114 options->num_subsystems = 0;
115 options->max_startups_begin = -1;
116 options->max_startups_rate = -1;
117 options->max_startups = -1;
118 options->banner = NULL;
119 options->verify_reverse_mapping = -1;
120 options->client_alive_interval = -1;
121 options->client_alive_count_max = -1;
122 options->authorized_keys_file = NULL;
123 options->authorized_keys_file2 = NULL;
125 /* Needs to be accessable in many places */
130 fill_default_server_options(ServerOptions *options)
132 /* Portable-specific options */
133 if (options->use_pam == -1)
135 options->use_pam = 1;
137 options->use_pam = 0;
140 /* Standard Options */
141 if (options->protocol == SSH_PROTO_UNKNOWN)
142 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
143 if (options->num_host_key_files == 0) {
144 /* fill default hostkeys for protocols */
145 if (options->protocol & SSH_PROTO_1)
146 options->host_key_files[options->num_host_key_files++] =
148 if (options->protocol & SSH_PROTO_2) {
149 options->host_key_files[options->num_host_key_files++] =
150 _PATH_HOST_RSA_KEY_FILE;
151 options->host_key_files[options->num_host_key_files++] =
152 _PATH_HOST_DSA_KEY_FILE;
155 if (options->num_ports == 0)
156 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
157 if (options->listen_addrs == NULL)
158 add_listen_addr(options, NULL, 0);
159 if (options->pid_file == NULL)
160 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
161 if (options->server_key_bits == -1)
162 options->server_key_bits = 768;
163 if (options->login_grace_time == -1)
164 options->login_grace_time = 120;
165 if (options->key_regeneration_time == -1)
166 options->key_regeneration_time = 3600;
167 if (options->permit_root_login == PERMIT_NOT_SET)
168 options->permit_root_login = PERMIT_YES;
169 if (options->ignore_rhosts == -1)
170 options->ignore_rhosts = 1;
171 if (options->ignore_user_known_hosts == -1)
172 options->ignore_user_known_hosts = 0;
173 if (options->print_motd == -1)
174 options->print_motd = 1;
175 if (options->print_lastlog == -1)
176 options->print_lastlog = 1;
177 if (options->x11_forwarding == -1)
178 options->x11_forwarding = 0;
179 if (options->x11_display_offset == -1)
180 options->x11_display_offset = 10;
181 if (options->x11_use_localhost == -1)
182 options->x11_use_localhost = 1;
183 if (options->xauth_location == NULL)
184 options->xauth_location = _PATH_XAUTH;
185 if (options->strict_modes == -1)
186 options->strict_modes = 1;
187 if (options->keepalives == -1)
188 options->keepalives = 1;
189 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
190 options->log_facility = SYSLOG_FACILITY_AUTH;
191 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
192 options->log_level = SYSLOG_LEVEL_INFO;
193 if (options->rhosts_authentication == -1)
194 options->rhosts_authentication = 0;
195 if (options->rhosts_rsa_authentication == -1)
196 options->rhosts_rsa_authentication = 0;
197 if (options->hostbased_authentication == -1)
198 options->hostbased_authentication = 0;
199 if (options->hostbased_uses_name_from_packet_only == -1)
200 options->hostbased_uses_name_from_packet_only = 0;
201 if (options->rsa_authentication == -1)
202 options->rsa_authentication = 1;
203 if (options->pubkey_authentication == -1)
204 options->pubkey_authentication = 1;
205 if (options->kerberos_authentication == -1)
206 options->kerberos_authentication = 0;
207 if (options->kerberos_or_local_passwd == -1)
208 options->kerberos_or_local_passwd = 1;
209 if (options->kerberos_ticket_cleanup == -1)
210 options->kerberos_ticket_cleanup = 1;
211 if (options->kerberos_tgt_passing == -1)
212 options->kerberos_tgt_passing = 0;
213 if (options->afs_token_passing == -1)
214 options->afs_token_passing = 0;
215 if (options->password_authentication == -1)
216 options->password_authentication = 1;
217 if (options->kbd_interactive_authentication == -1)
218 options->kbd_interactive_authentication = 0;
219 if (options->challenge_response_authentication == -1)
220 options->challenge_response_authentication = 1;
221 if (options->permit_empty_passwd == -1)
222 options->permit_empty_passwd = 0;
223 if (options->permit_user_env == -1)
224 options->permit_user_env = 0;
225 if (options->use_login == -1)
226 options->use_login = 0;
227 if (options->compression == -1)
228 options->compression = 1;
229 if (options->allow_tcp_forwarding == -1)
230 options->allow_tcp_forwarding = 1;
231 if (options->gateway_ports == -1)
232 options->gateway_ports = 0;
233 if (options->max_startups == -1)
234 options->max_startups = 10;
235 if (options->max_startups_rate == -1)
236 options->max_startups_rate = 100; /* 100% */
237 if (options->max_startups_begin == -1)
238 options->max_startups_begin = options->max_startups;
239 if (options->verify_reverse_mapping == -1)
240 options->verify_reverse_mapping = 0;
241 if (options->client_alive_interval == -1)
242 options->client_alive_interval = 0;
243 if (options->client_alive_count_max == -1)
244 options->client_alive_count_max = 3;
245 if (options->authorized_keys_file2 == NULL) {
246 /* authorized_keys_file2 falls back to authorized_keys_file */
247 if (options->authorized_keys_file != NULL)
248 options->authorized_keys_file2 = options->authorized_keys_file;
250 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
252 if (options->authorized_keys_file == NULL)
253 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
255 /* Turn privilege separation on by default */
256 if (use_privsep == -1)
260 if (use_privsep && options->compression == 1) {
261 error("This platform does not support both privilege "
262 "separation and compression");
263 error("Compression disabled");
264 options->compression = 0;
270 /* Keyword tokens. */
272 sBadOption, /* == unknown option */
273 /* Portable-specific options */
275 /* Standard Options */
276 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
277 sPermitRootLogin, sLogFacility, sLogLevel,
278 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
279 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
280 sKerberosTgtPassing, sAFSTokenPassing, sChallengeResponseAuthentication,
281 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
282 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
283 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
284 sStrictModes, sEmptyPasswd, sKeepAlives,
285 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
286 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
287 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
288 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
289 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
290 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
291 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
292 sUsePrivilegeSeparation,
293 sDeprecated, sUnsupported
296 /* Textual representation of the tokens. */
299 ServerOpCodes opcode;
301 /* Portable-specific options */
302 { "UsePAM", sUsePAM },
303 /* Standard Options */
305 { "hostkey", sHostKeyFile },
306 { "hostdsakey", sHostKeyFile }, /* alias */
307 { "pidfile", sPidFile },
308 { "serverkeybits", sServerKeyBits },
309 { "logingracetime", sLoginGraceTime },
310 { "keyregenerationinterval", sKeyRegenerationTime },
311 { "permitrootlogin", sPermitRootLogin },
312 { "syslogfacility", sLogFacility },
313 { "loglevel", sLogLevel },
314 { "rhostsauthentication", sRhostsAuthentication },
315 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
316 { "hostbasedauthentication", sHostbasedAuthentication },
317 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
318 { "rsaauthentication", sRSAAuthentication },
319 { "pubkeyauthentication", sPubkeyAuthentication },
320 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
321 #if defined(KRB4) || defined(KRB5)
322 { "kerberosauthentication", sKerberosAuthentication },
323 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
324 { "kerberosticketcleanup", sKerberosTicketCleanup },
325 { "kerberostgtpassing", sKerberosTgtPassing },
327 { "kerberosauthentication", sUnsupported },
328 { "kerberosorlocalpasswd", sUnsupported },
329 { "kerberosticketcleanup", sUnsupported },
330 { "kerberostgtpassing", sUnsupported },
333 { "afstokenpassing", sAFSTokenPassing },
335 { "afstokenpassing", sUnsupported },
337 { "passwordauthentication", sPasswordAuthentication },
338 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
339 { "challengeresponseauthentication", sChallengeResponseAuthentication },
340 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
341 { "checkmail", sDeprecated },
342 { "listenaddress", sListenAddress },
343 { "printmotd", sPrintMotd },
344 { "printlastlog", sPrintLastLog },
345 { "ignorerhosts", sIgnoreRhosts },
346 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
347 { "x11forwarding", sX11Forwarding },
348 { "x11displayoffset", sX11DisplayOffset },
349 { "x11uselocalhost", sX11UseLocalhost },
350 { "xauthlocation", sXAuthLocation },
351 { "strictmodes", sStrictModes },
352 { "permitemptypasswords", sEmptyPasswd },
353 { "permituserenvironment", sPermitUserEnvironment },
354 { "uselogin", sUseLogin },
355 { "compression", sCompression },
356 { "keepalive", sKeepAlives },
357 { "allowtcpforwarding", sAllowTcpForwarding },
358 { "allowusers", sAllowUsers },
359 { "denyusers", sDenyUsers },
360 { "allowgroups", sAllowGroups },
361 { "denygroups", sDenyGroups },
362 { "ciphers", sCiphers },
364 { "protocol", sProtocol },
365 { "gatewayports", sGatewayPorts },
366 { "subsystem", sSubsystem },
367 { "maxstartups", sMaxStartups },
368 { "banner", sBanner },
369 { "verifyreversemapping", sVerifyReverseMapping },
370 { "reversemappingcheck", sVerifyReverseMapping },
371 { "clientaliveinterval", sClientAliveInterval },
372 { "clientalivecountmax", sClientAliveCountMax },
373 { "authorizedkeysfile", sAuthorizedKeysFile },
374 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
375 { "useprivilegeseparation", sUsePrivilegeSeparation},
380 * Returns the number of the token pointed to by cp or sBadOption.
384 parse_token(const char *cp, const char *filename,
389 for (i = 0; keywords[i].name; i++)
390 if (strcasecmp(cp, keywords[i].name) == 0)
391 return keywords[i].opcode;
393 error("%s: line %d: Bad configuration option: %s",
394 filename, linenum, cp);
399 add_listen_addr(ServerOptions *options, char *addr, u_short port)
403 if (options->num_ports == 0)
404 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
406 for (i = 0; i < options->num_ports; i++)
407 add_one_listen_addr(options, addr, options->ports[i]);
409 add_one_listen_addr(options, addr, port);
413 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
415 struct addrinfo hints, *ai, *aitop;
416 char strport[NI_MAXSERV];
419 memset(&hints, 0, sizeof(hints));
420 hints.ai_family = IPv4or6;
421 hints.ai_socktype = SOCK_STREAM;
422 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
423 snprintf(strport, sizeof strport, "%u", port);
424 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
425 fatal("bad addr or host: %s (%s)",
426 addr ? addr : "<NULL>",
427 gai_strerror(gaierr));
428 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
430 ai->ai_next = options->listen_addrs;
431 options->listen_addrs = aitop;
435 process_server_config_line(ServerOptions *options, char *line,
436 const char *filename, int linenum)
438 char *cp, **charptr, *arg, *p;
439 int *intptr, value, i, n;
440 ServerOpCodes opcode;
444 /* Ignore leading whitespace */
447 if (!arg || !*arg || *arg == '#')
451 opcode = parse_token(arg, filename, linenum);
453 /* Portable-specific options */
455 intptr = &options->use_pam;
458 /* Standard Options */
462 /* ignore ports from configfile if cmdline specifies ports */
463 if (options->ports_from_cmdline)
465 if (options->listen_addrs != NULL)
466 fatal("%s line %d: ports must be specified before "
467 "ListenAddress.", filename, linenum);
468 if (options->num_ports >= MAX_PORTS)
469 fatal("%s line %d: too many ports.",
472 if (!arg || *arg == '\0')
473 fatal("%s line %d: missing port number.",
475 options->ports[options->num_ports++] = a2port(arg);
476 if (options->ports[options->num_ports-1] == 0)
477 fatal("%s line %d: Badly formatted port number.",
482 intptr = &options->server_key_bits;
485 if (!arg || *arg == '\0')
486 fatal("%s line %d: missing integer value.",
493 case sLoginGraceTime:
494 intptr = &options->login_grace_time;
497 if (!arg || *arg == '\0')
498 fatal("%s line %d: missing time value.",
500 if ((value = convtime(arg)) == -1)
501 fatal("%s line %d: invalid time value.",
507 case sKeyRegenerationTime:
508 intptr = &options->key_regeneration_time;
513 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
514 fatal("%s line %d: missing inet addr.",
517 if ((p = strchr(arg, ']')) == NULL)
518 fatal("%s line %d: bad ipv6 inet addr usage.",
521 memmove(p, p+1, strlen(p+1)+1);
522 } else if (((p = strchr(arg, ':')) == NULL) ||
523 (strchr(p+1, ':') != NULL)) {
524 add_listen_addr(options, arg, 0);
532 fatal("%s line %d: bad inet addr:port usage.",
536 if ((port = a2port(p)) == 0)
537 fatal("%s line %d: bad port number.",
539 add_listen_addr(options, arg, port);
541 } else if (*p == '\0')
542 add_listen_addr(options, arg, 0);
544 fatal("%s line %d: bad inet addr usage.",
549 intptr = &options->num_host_key_files;
550 if (*intptr >= MAX_HOSTKEYS)
551 fatal("%s line %d: too many host keys specified (max %d).",
552 filename, linenum, MAX_HOSTKEYS);
553 charptr = &options->host_key_files[*intptr];
556 if (!arg || *arg == '\0')
557 fatal("%s line %d: missing file name.",
559 if (*charptr == NULL) {
560 *charptr = tilde_expand_filename(arg, getuid());
561 /* increase optional counter */
563 *intptr = *intptr + 1;
568 charptr = &options->pid_file;
571 case sPermitRootLogin:
572 intptr = &options->permit_root_login;
574 if (!arg || *arg == '\0')
575 fatal("%s line %d: missing yes/"
576 "without-password/forced-commands-only/no "
577 "argument.", filename, linenum);
578 value = 0; /* silence compiler */
579 if (strcmp(arg, "without-password") == 0)
580 value = PERMIT_NO_PASSWD;
581 else if (strcmp(arg, "forced-commands-only") == 0)
582 value = PERMIT_FORCED_ONLY;
583 else if (strcmp(arg, "yes") == 0)
585 else if (strcmp(arg, "no") == 0)
588 fatal("%s line %d: Bad yes/"
589 "without-password/forced-commands-only/no "
590 "argument: %s", filename, linenum, arg);
596 intptr = &options->ignore_rhosts;
599 if (!arg || *arg == '\0')
600 fatal("%s line %d: missing yes/no argument.",
602 value = 0; /* silence compiler */
603 if (strcmp(arg, "yes") == 0)
605 else if (strcmp(arg, "no") == 0)
608 fatal("%s line %d: Bad yes/no argument: %s",
609 filename, linenum, arg);
614 case sIgnoreUserKnownHosts:
615 intptr = &options->ignore_user_known_hosts;
618 case sRhostsAuthentication:
619 intptr = &options->rhosts_authentication;
622 case sRhostsRSAAuthentication:
623 intptr = &options->rhosts_rsa_authentication;
626 case sHostbasedAuthentication:
627 intptr = &options->hostbased_authentication;
630 case sHostbasedUsesNameFromPacketOnly:
631 intptr = &options->hostbased_uses_name_from_packet_only;
634 case sRSAAuthentication:
635 intptr = &options->rsa_authentication;
638 case sPubkeyAuthentication:
639 intptr = &options->pubkey_authentication;
642 case sKerberosAuthentication:
643 intptr = &options->kerberos_authentication;
646 case sKerberosOrLocalPasswd:
647 intptr = &options->kerberos_or_local_passwd;
650 case sKerberosTicketCleanup:
651 intptr = &options->kerberos_ticket_cleanup;
654 case sKerberosTgtPassing:
655 intptr = &options->kerberos_tgt_passing;
658 case sAFSTokenPassing:
659 intptr = &options->afs_token_passing;
662 case sPasswordAuthentication:
663 intptr = &options->password_authentication;
666 case sKbdInteractiveAuthentication:
667 intptr = &options->kbd_interactive_authentication;
670 case sChallengeResponseAuthentication:
671 intptr = &options->challenge_response_authentication;
675 intptr = &options->print_motd;
679 intptr = &options->print_lastlog;
683 intptr = &options->x11_forwarding;
686 case sX11DisplayOffset:
687 intptr = &options->x11_display_offset;
690 case sX11UseLocalhost:
691 intptr = &options->x11_use_localhost;
695 charptr = &options->xauth_location;
699 intptr = &options->strict_modes;
703 intptr = &options->keepalives;
707 intptr = &options->permit_empty_passwd;
710 case sPermitUserEnvironment:
711 intptr = &options->permit_user_env;
715 intptr = &options->use_login;
719 intptr = &options->compression;
723 intptr = &options->gateway_ports;
726 case sVerifyReverseMapping:
727 intptr = &options->verify_reverse_mapping;
731 intptr = (int *) &options->log_facility;
733 value = log_facility_number(arg);
734 if (value == SYSLOG_FACILITY_NOT_SET)
735 fatal("%.200s line %d: unsupported log facility '%s'",
736 filename, linenum, arg ? arg : "<NONE>");
738 *intptr = (SyslogFacility) value;
742 intptr = (int *) &options->log_level;
744 value = log_level_number(arg);
745 if (value == SYSLOG_LEVEL_NOT_SET)
746 fatal("%.200s line %d: unsupported log level '%s'",
747 filename, linenum, arg ? arg : "<NONE>");
749 *intptr = (LogLevel) value;
752 case sAllowTcpForwarding:
753 intptr = &options->allow_tcp_forwarding;
756 case sUsePrivilegeSeparation:
757 intptr = &use_privsep;
761 while ((arg = strdelim(&cp)) && *arg != '\0') {
762 if (options->num_allow_users >= MAX_ALLOW_USERS)
763 fatal("%s line %d: too many allow users.",
765 options->allow_users[options->num_allow_users++] =
771 while ((arg = strdelim(&cp)) && *arg != '\0') {
772 if (options->num_deny_users >= MAX_DENY_USERS)
773 fatal( "%s line %d: too many deny users.",
775 options->deny_users[options->num_deny_users++] =
781 while ((arg = strdelim(&cp)) && *arg != '\0') {
782 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
783 fatal("%s line %d: too many allow groups.",
785 options->allow_groups[options->num_allow_groups++] =
791 while ((arg = strdelim(&cp)) && *arg != '\0') {
792 if (options->num_deny_groups >= MAX_DENY_GROUPS)
793 fatal("%s line %d: too many deny groups.",
795 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
801 if (!arg || *arg == '\0')
802 fatal("%s line %d: Missing argument.", filename, linenum);
803 if (!ciphers_valid(arg))
804 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
805 filename, linenum, arg ? arg : "<NONE>");
806 if (options->ciphers == NULL)
807 options->ciphers = xstrdup(arg);
812 if (!arg || *arg == '\0')
813 fatal("%s line %d: Missing argument.", filename, linenum);
815 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
816 filename, linenum, arg ? arg : "<NONE>");
817 if (options->macs == NULL)
818 options->macs = xstrdup(arg);
822 intptr = &options->protocol;
824 if (!arg || *arg == '\0')
825 fatal("%s line %d: Missing argument.", filename, linenum);
826 value = proto_spec(arg);
827 if (value == SSH_PROTO_UNKNOWN)
828 fatal("%s line %d: Bad protocol spec '%s'.",
829 filename, linenum, arg ? arg : "<NONE>");
830 if (*intptr == SSH_PROTO_UNKNOWN)
835 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
836 fatal("%s line %d: too many subsystems defined.",
840 if (!arg || *arg == '\0')
841 fatal("%s line %d: Missing subsystem name.",
843 for (i = 0; i < options->num_subsystems; i++)
844 if (strcmp(arg, options->subsystem_name[i]) == 0)
845 fatal("%s line %d: Subsystem '%s' already defined.",
846 filename, linenum, arg);
847 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
849 if (!arg || *arg == '\0')
850 fatal("%s line %d: Missing subsystem command.",
852 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
853 options->num_subsystems++;
858 if (!arg || *arg == '\0')
859 fatal("%s line %d: Missing MaxStartups spec.",
861 if ((n = sscanf(arg, "%d:%d:%d",
862 &options->max_startups_begin,
863 &options->max_startups_rate,
864 &options->max_startups)) == 3) {
865 if (options->max_startups_begin >
866 options->max_startups ||
867 options->max_startups_rate > 100 ||
868 options->max_startups_rate < 1)
869 fatal("%s line %d: Illegal MaxStartups spec.",
872 fatal("%s line %d: Illegal MaxStartups spec.",
875 options->max_startups = options->max_startups_begin;
879 charptr = &options->banner;
882 * These options can contain %X options expanded at
883 * connect time, so that you can specify paths like:
885 * AuthorizedKeysFile /etc/ssh_keys/%u
887 case sAuthorizedKeysFile:
888 case sAuthorizedKeysFile2:
889 charptr = (opcode == sAuthorizedKeysFile ) ?
890 &options->authorized_keys_file :
891 &options->authorized_keys_file2;
894 case sClientAliveInterval:
895 intptr = &options->client_alive_interval;
898 case sClientAliveCountMax:
899 intptr = &options->client_alive_count_max;
903 logit("%s line %d: Deprecated option %s",
904 filename, linenum, arg);
910 logit("%s line %d: Unsupported option %s",
911 filename, linenum, arg);
917 fatal("%s line %d: Missing handler for opcode %s (%d)",
918 filename, linenum, arg, opcode);
920 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
921 fatal("%s line %d: garbage at end of line; \"%.200s\".",
922 filename, linenum, arg);
926 /* Reads the server configuration file. */
929 read_server_config(ServerOptions *options, const char *filename)
931 int linenum, bad_options = 0;
935 debug2("read_server_config: filename %s", filename);
936 f = fopen(filename, "r");
942 while (fgets(line, sizeof(line), f)) {
943 /* Update line number counter. */
945 if (process_server_config_line(options, line, filename, linenum) != 0)
950 fatal("%s: terminating, %d bad configuration options",
951 filename, bad_options);