5 * Author: Tatu Ylonen <ylo@cs.hut.fi>
7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
10 * Created: Mon Aug 21 15:48:58 1995 ylo
/*
 * add_listen_addr: resolve addr (NULL = wildcard address) for every port
 * already collected in options->ports and prepend the resulting addrinfo
 * chains to options->listen_addrs.  A resolution failure is fatal.
 */
23 void add_listen_addr(ServerOptions *options, char *addr);
/*
 * Initializes the server options to their default values.
 *
 * The whole struct is zeroed first, then every scalar option is set to an
 * "unset" sentinel: -1 for ints, NULL for strings/pointers, SSH_PROTO_UNKNOWN
 * for the protocol.  fill_default_server_options() later tests for exactly
 * these sentinels, so a value supplied on the command line or in the config
 * file is never overwritten by a built-in default.  Counters (num_ports,
 * num_allow_users, ...) start at 0.
 *
 * NOTE(review): this listing is elided; the Kerberos/AFS/S/Key fields are
 * presumably wrapped in #ifdef blocks on the lines not shown -- confirm
 * against the full source before editing.
 */
28 initialize_server_options(ServerOptions *options)
/* Zero everything (arrays and pointers included) before installing sentinels. */
30 memset(options, 0, sizeof(*options));
31 options->num_ports = 0;
32 options->ports_from_cmdline = 0;
33 options->listen_addrs = NULL;
34 options->host_key_file = NULL;
35 options->dsa_key_file = NULL;
36 options->server_key_bits = -1;
37 options->login_grace_time = -1;
38 options->key_regeneration_time = -1;
39 options->permit_root_login = -1;
40 options->ignore_rhosts = -1;
41 options->ignore_user_known_hosts = -1;
42 options->print_motd = -1;
43 options->check_mail = -1;
44 options->x11_forwarding = -1;
45 options->x11_display_offset = -1;
46 options->strict_modes = -1;
47 options->keepalives = -1;
/* Enum-typed fields get the same -1 sentinel, cast to keep the compiler quiet. */
48 options->log_facility = (SyslogFacility) - 1;
49 options->log_level = (LogLevel) - 1;
50 options->rhosts_authentication = -1;
51 options->rhosts_rsa_authentication = -1;
52 options->rsa_authentication = -1;
54 options->kerberos_authentication = -1;
55 options->kerberos_or_local_passwd = -1;
56 options->kerberos_ticket_cleanup = -1;
59 options->kerberos_tgt_passing = -1;
60 options->afs_token_passing = -1;
62 options->password_authentication = -1;
64 options->skey_authentication = -1;
66 options->permit_empty_passwd = -1;
67 options->use_login = -1;
68 options->num_allow_users = 0;
69 options->num_deny_users = 0;
70 options->num_allow_groups = 0;
71 options->num_deny_groups = 0;
72 options->ciphers = NULL;
73 options->protocol = SSH_PROTO_UNKNOWN;
/*
 * fill_default_server_options: supply a built-in default for every option
 * that is still at its "unset" sentinel after command-line and config-file
 * parsing (see initialize_server_options()).
 *
 * Security-relevant defaults visible here:
 *   - PermitRootLogin defaults to "yes".
 *   - PasswordAuthentication defaults to yes; PermitEmptyPasswords to no.
 *   - StrictModes defaults to yes; X11Forwarding to no.
 *   - The ephemeral server key is 768 bits and the protocol is SSH 1 only.
 *   - KerberosAuthentication is switched on automatically whenever KEYFILE is
 *     readable by the process at the time this runs, and AFSTokenPassing
 *     follows k_hasafs().  Set these explicitly in the config if the mere
 *     presence of a keytab should not enable an authentication method.
 */
77 fill_default_server_options(ServerOptions *options)
79 if (options->num_ports == 0)
80 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
/* No ListenAddress given: resolve the wildcard address for every port. */
81 if (options->listen_addrs == NULL)
82 add_listen_addr(options, NULL);
83 if (options->host_key_file == NULL)
84 options->host_key_file = HOST_KEY_FILE;
85 if (options->dsa_key_file == NULL)
86 options->dsa_key_file = DSA_KEY_FILE;
87 if (options->server_key_bits == -1)
88 options->server_key_bits = 768;
89 if (options->login_grace_time == -1)
90 options->login_grace_time = 600;
91 if (options->key_regeneration_time == -1)
92 options->key_regeneration_time = 3600;
/* NOTE(review): root may log in with a password unless the config says otherwise. */
93 if (options->permit_root_login == -1)
94 options->permit_root_login = 1; /* yes */
95 if (options->ignore_rhosts == -1)
96 options->ignore_rhosts = 1;
97 if (options->ignore_user_known_hosts == -1)
98 options->ignore_user_known_hosts = 0;
99 if (options->check_mail == -1)
100 options->check_mail = 0;
101 if (options->print_motd == -1)
102 options->print_motd = 1;
103 if (options->x11_forwarding == -1)
104 options->x11_forwarding = 0;
105 if (options->x11_display_offset == -1)
106 options->x11_display_offset = 10;
107 if (options->strict_modes == -1)
108 options->strict_modes = 1;
109 if (options->keepalives == -1)
110 options->keepalives = 1;
111 if (options->log_facility == (SyslogFacility) (-1))
112 options->log_facility = SYSLOG_FACILITY_AUTH;
113 if (options->log_level == (LogLevel) (-1))
114 options->log_level = SYSLOG_LEVEL_INFO;
115 if (options->rhosts_authentication == -1)
116 options->rhosts_authentication = 0;
117 if (options->rhosts_rsa_authentication == -1)
118 options->rhosts_rsa_authentication = 0;
119 if (options->rsa_authentication == -1)
120 options->rsa_authentication = 1;
/* Auto-enable: an access() probe on KEYFILE, evaluated with the caller's uid. */
122 if (options->kerberos_authentication == -1)
123 options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
124 if (options->kerberos_or_local_passwd == -1)
125 options->kerberos_or_local_passwd = 1;
126 if (options->kerberos_ticket_cleanup == -1)
127 options->kerberos_ticket_cleanup = 1;
130 if (options->kerberos_tgt_passing == -1)
131 options->kerberos_tgt_passing = 0;
132 if (options->afs_token_passing == -1)
133 options->afs_token_passing = k_hasafs();
135 if (options->password_authentication == -1)
136 options->password_authentication = 1;
138 if (options->skey_authentication == -1)
139 options->skey_authentication = 1;
141 if (options->permit_empty_passwd == -1)
142 options->permit_empty_passwd = 0;
143 if (options->use_login == -1)
144 options->use_login = 0;
/* Protocol 1 only, unless a "Protocol" line or command-line flag chose otherwise. */
145 if (options->protocol == SSH_PROTO_UNKNOWN)
146 options->protocol = SSH_PROTO_1;
/* Characters that separate tokens on a config line (used with strspn/strtok). */
149 #define WHITESPACE " \t\r\n"
/*
 * Keyword tokens.  sBadOption is the value that stands for an unrecognised
 * keyword.  The enum's opening/closing lines are not in this listing, nor
 * are a few tokens that the keyword table below refers to (e.g.
 * sSkeyAuthentication); those are presumably conditionally compiled.
 */
153 sBadOption, /* == unknown option */
154 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
155 sPermitRootLogin, sLogFacility, sLogLevel,
156 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
158 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
161 sKerberosTgtPassing, sAFSTokenPassing,
166 sPasswordAuthentication, sListenAddress,
167 sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
168 sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
169 sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
170 sIgnoreUserKnownHosts, sDSAKeyFile, sCiphers, sProtocol
/*
 * Textual representation of the tokens.  parse_token() compares a config
 * keyword against each name case-insensitively and walks the table until it
 * reaches an entry whose name is NULL, so the table must end with a NULL
 * sentinel.  The struct header, that final entry and a few other entries
 * are on lines not included in this listing.
 */
176 ServerOpCodes opcode;
179 { "hostkey", sHostKeyFile },
180 { "dsakey", sDSAKeyFile },
181 { "serverkeybits", sServerKeyBits },
182 { "logingracetime", sLoginGraceTime },
183 { "keyregenerationinterval", sKeyRegenerationTime },
184 { "permitrootlogin", sPermitRootLogin },
185 { "syslogfacility", sLogFacility },
186 { "loglevel", sLogLevel },
187 { "rhostsauthentication", sRhostsAuthentication },
188 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
189 { "rsaauthentication", sRSAAuthentication },
191 { "kerberosauthentication", sKerberosAuthentication },
192 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
193 { "kerberosticketcleanup", sKerberosTicketCleanup },
196 { "kerberostgtpassing", sKerberosTgtPassing },
197 { "afstokenpassing", sAFSTokenPassing },
199 { "passwordauthentication", sPasswordAuthentication },
201 { "skeyauthentication", sSkeyAuthentication },
203 { "checkmail", sCheckMail },
204 { "listenaddress", sListenAddress },
205 { "printmotd", sPrintMotd },
206 { "ignorerhosts", sIgnoreRhosts },
207 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
208 { "x11forwarding", sX11Forwarding },
209 { "x11displayoffset", sX11DisplayOffset },
210 { "strictmodes", sStrictModes },
211 { "permitemptypasswords", sEmptyPasswd },
212 { "uselogin", sUseLogin },
213 { "randomseed", sRandomSeedFile },
214 { "keepalive", sKeepAlives },
215 { "allowusers", sAllowUsers },
216 { "denyusers", sDenyUsers },
217 { "allowgroups", sAllowGroups },
218 { "denygroups", sDenyGroups },
219 { "ciphers", sCiphers },
220 { "protocol", sProtocol },
/*
 * parse_token: look up the keyword cp in the keywords table (case-insensitive
 * match) and return its opcode.  filename and linenum are only used for the
 * error message.
 *
 * NOTE(review): the original comment spoke of "length len" and said this
 * "never returns if the token is not known"; neither matches the visible
 * code -- there is no len parameter, and the unknown-keyword path is an
 * fprintf(), not a fatal().  What is returned on that path is outside this
 * listing; sBadOption is the enum value reserved for it.
 */
230 parse_token(const char *cp, const char *filename,
/* Table walk stops at the NULL-name sentinel entry. */
235 for (i = 0; keywords[i].name; i++)
236 if (strcasecmp(cp, keywords[i].name) == 0)
237 return keywords[i].opcode;
239 fprintf(stderr, "%s: line %d: Bad configuration option: %s\n",
240 filename, linenum, cp);
/*
 * add_listen_addr: resolve addr (NULL -> wildcard address via AI_PASSIVE) for
 * every port already in options->ports and prepend the resulting addrinfo
 * chains to options->listen_addrs.
 *
 * If no port has been configured yet, SSH_DEFAULT_PORT is added first.
 * Because ports are resolved *here*, a Port given after a ListenAddress line
 * would never be bound; read_server_config() rejects that ordering.  A
 * getaddrinfo() failure is fatal, so a bad ListenAddress aborts sshd at
 * config time instead of silently listening on fewer addresses.
 */
248 add_listen_addr(ServerOptions *options, char *addr)
251 struct addrinfo hints, *ai, *aitop;
/* Port number rendered as a numeric service string for getaddrinfo(). */
252 char strport[NI_MAXSERV];
256 if (options->num_ports == 0)
257 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
258 for (i = 0; i < options->num_ports; i++) {
259 memset(&hints, 0, sizeof(hints));
260 hints.ai_family = IPv4or6;
261 hints.ai_socktype = SOCK_STREAM;
/* AI_PASSIVE only for the wildcard (NULL) address; a named host is resolved as given. */
262 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
263 snprintf(strport, sizeof strport, "%d", options->ports[i]);
264 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
265 fatal("bad addr or host: %s (%s)\n",
266 addr ? addr : "<NULL>",
267 gai_strerror(gaierr));
/*
 * Walk to the tail of the new chain (the loop body is empty), then splice the
 * existing list after it.  Relies on a successful getaddrinfo() returning a
 * non-empty list, so aitop is never NULL here.
 */
268 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
270 ai->ai_next = options->listen_addrs;
271 options->listen_addrs = aitop;
/*
 * Reads the server configuration file.
 *
 * Each non-blank, non-comment line is split with strtok() on WHITESPACE: the
 * first token is the keyword (resolved by parse_token()), the following ones
 * are its arguments.  Anything left after an option has consumed its
 * arguments is reported as "garbage at end of line".  Some malformed lines
 * are fatal at once; others are printed and counted in bad_options, which is
 * reported at the end.
 *
 * Precedence: values already set from the command line -- ports
 * (ports_from_cmdline), host/DSA key files, ciphers, protocol -- are not
 * overwritten by the file; see the NULL / SSH_PROTO_UNKNOWN guards before
 * the corresponding assignments.
 *
 * NOTE(review): this listing is elided -- case labels, continue/break
 * statements, the fopen() failure path and most bad_options bookkeeping are
 * on lines not shown.  Also, fgets() into a fixed-size buffer means an
 * over-long line is read in pieces and its tail is parsed as a separate
 * config line (the buffer size is not visible here).
 */
278 read_server_config(ServerOptions *options, const char *filename)
283 int linenum, *intptr, value;
285 ServerOpCodes opcode;
287 f = fopen(filename, "r");
293 while (fgets(line, sizeof(line), f)) {
/* Skip leading whitespace; blank lines and '#' comments are ignored. */
295 cp = line + strspn(line, WHITESPACE);
296 if (!*cp || *cp == '#')
/* First token is the keyword; later strtok(NULL, ...) calls pull its arguments. */
298 cp = strtok(cp, WHITESPACE);
299 opcode = parse_token(cp, filename, linenum);
305 /* Port: ignored entirely when ports were given on the command line. */
306 if (options->ports_from_cmdline)
/*
 * add_listen_addr() resolves every port known at the moment a ListenAddress
 * line is parsed, so a Port after a ListenAddress would never be bound --
 * reject that ordering.  (The message misspells "ListenAddress"; it is a
 * runtime string and left unchanged here.)
 */
308 if (options->listen_addrs != NULL)
309 fatal("%s line %d: ports must be specified before "
310 "ListenAdress.\n", filename, linenum);
/* ports[] is a fixed array; MAX_PORTS bounds the store below. */
311 if (options->num_ports >= MAX_PORTS)
312 fatal("%s line %d: too many ports.\n",
314 cp = strtok(NULL, WHITESPACE);
316 fatal("%s line %d: missing port number.\n",
/*
 * NOTE(review): atoi() does no validation -- a non-numeric token becomes
 * port 0 and out-of-range values (negative, > 65535) are stored as-is;
 * nothing in this function rejects them.  Prefer strtol() with an
 * end-pointer check and a 1..65535 range test, e.g.
 *   errno = 0; port = strtol(cp, &end, 10);
 *   if (end == cp || *end != '\0' || errno == ERANGE || port < 1 || port > 65535)
 *           fatal("%s line %d: bad port number.\n", filename, linenum);
 */
318 options->ports[options->num_ports++] = atoi(cp);
/*
 * Integer-valued options (ServerKeyBits, LoginGraceTime,
 * KeyRegenerationInterval) share one parser.  Unlike Port above, a missing
 * value is reported with fprintf() -- presumably counted in bad_options --
 * rather than being fatal.
 */
322 intptr = &options->server_key_bits;
324 cp = strtok(NULL, WHITESPACE);
326 fprintf(stderr, "%s line %d: missing integer value.\n",
335 case sLoginGraceTime:
336 intptr = &options->login_grace_time;
339 case sKeyRegenerationTime:
340 intptr = &options->key_regeneration_time;
/* ListenAddress: resolved immediately against the ports collected so far. */
344 cp = strtok(NULL, WHITESPACE);
346 fatal("%s line %d: missing inet addr.\n",
348 add_listen_addr(options, cp);
/*
 * HostKey / DSAKey: first setting wins, so a command-line path is not
 * overwritten.  "~" is expanded relative to the uid sshd is running as.
 */
353 charptr = (opcode == sHostKeyFile ) ?
354 &options->host_key_file : &options->dsa_key_file;
355 cp = strtok(NULL, WHITESPACE);
357 fprintf(stderr, "%s line %d: missing file name.\n",
361 if (*charptr == NULL)
362 *charptr = tilde_expand_filename(cp, getuid());
/* Obsolete option: its argument is consumed and dropped so the trailing-garbage check stays quiet. */
365 case sRandomSeedFile:
366 fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
368 cp = strtok(NULL, WHITESPACE);
/* PermitRootLogin accepts yes / without-password / no; the stored values are on lines not shown. */
371 case sPermitRootLogin:
372 intptr = &options->permit_root_login;
373 cp = strtok(NULL, WHITESPACE);
375 fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
379 if (strcmp(cp, "without-password") == 0)
381 else if (strcmp(cp, "yes") == 0)
383 else if (strcmp(cp, "no") == 0)
386 fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
387 filename, linenum, cp);
/*
 * Shared yes/no parser for the boolean options.  Each case below only sets
 * intptr and (on lines not shown) presumably jumps back here.
 */
395 intptr = &options->ignore_rhosts;
397 cp = strtok(NULL, WHITESPACE);
399 fprintf(stderr, "%s line %d: missing yes/no argument.\n",
403 if (strcmp(cp, "yes") == 0)
405 else if (strcmp(cp, "no") == 0)
408 fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
409 filename, linenum, cp);
416 case sIgnoreUserKnownHosts:
417 intptr = &options->ignore_user_known_hosts;
420 case sRhostsAuthentication:
421 intptr = &options->rhosts_authentication;
424 case sRhostsRSAAuthentication:
425 intptr = &options->rhosts_rsa_authentication;
428 case sRSAAuthentication:
429 intptr = &options->rsa_authentication;
433 case sKerberosAuthentication:
434 intptr = &options->kerberos_authentication;
437 case sKerberosOrLocalPasswd:
438 intptr = &options->kerberos_or_local_passwd;
441 case sKerberosTicketCleanup:
442 intptr = &options->kerberos_ticket_cleanup;
447 case sKerberosTgtPassing:
448 intptr = &options->kerberos_tgt_passing;
451 case sAFSTokenPassing:
452 intptr = &options->afs_token_passing;
456 case sPasswordAuthentication:
457 intptr = &options->password_authentication;
461 intptr = &options->check_mail;
465 case sSkeyAuthentication:
466 intptr = &options->skey_authentication;
471 intptr = &options->print_motd;
475 intptr = &options->x11_forwarding;
478 case sX11DisplayOffset:
479 intptr = &options->x11_display_offset;
483 intptr = &options->strict_modes;
487 intptr = &options->keepalives;
491 intptr = &options->permit_empty_passwd;
495 intptr = &options->use_login;
/*
 * SyslogFacility: cp may be NULL when the argument is missing (the error
 * message already allows for that), so log_facility_number() appears to
 * tolerate NULL; any unknown name is fatal.
 */
499 intptr = (int *) &options->log_facility;
500 cp = strtok(NULL, WHITESPACE);
501 value = log_facility_number(cp);
502 if (value == (SyslogFacility) - 1)
503 fatal("%.200s line %d: unsupported log facility '%s'\n",
504 filename, linenum, cp ? cp : "<NONE>");
506 *intptr = (SyslogFacility) value;
/* LogLevel: same shape as SyslogFacility above. */
510 intptr = (int *) &options->log_level;
511 cp = strtok(NULL, WHITESPACE);
512 value = log_level_number(cp);
513 if (value == (LogLevel) - 1)
514 fatal("%.200s line %d: unsupported log level '%s'\n",
515 filename, linenum, cp ? cp : "<NONE>");
517 *intptr = (LogLevel) value;
/*
 * AllowUsers / DenyUsers / AllowGroups / DenyGroups: every remaining token
 * on the line is one entry.  The lists are fixed-size arrays, so the MAX_*
 * bound is checked before each store; entries are xstrdup()'d copies.
 */
521 while ((cp = strtok(NULL, WHITESPACE))) {
522 if (options->num_allow_users >= MAX_ALLOW_USERS)
523 fatal("%s line %d: too many allow users.\n",
525 options->allow_users[options->num_allow_users++] = xstrdup(cp);
530 while ((cp = strtok(NULL, WHITESPACE))) {
531 if (options->num_deny_users >= MAX_DENY_USERS)
532 fatal( "%s line %d: too many deny users.\n",
534 options->deny_users[options->num_deny_users++] = xstrdup(cp);
539 while ((cp = strtok(NULL, WHITESPACE))) {
540 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
541 fatal("%s line %d: too many allow groups.\n",
543 options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
548 while ((cp = strtok(NULL, WHITESPACE))) {
549 if (options->num_deny_groups >= MAX_DENY_GROUPS)
550 fatal("%s line %d: too many deny groups.\n",
552 options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
/* Ciphers: validated by ciphers_valid() (which receives cp even when NULL); first setting wins. */
557 cp = strtok(NULL, WHITESPACE);
558 if (!ciphers_valid(cp))
559 fatal("%s line %d: Bad cipher spec '%s'.",
560 filename, linenum, cp ? cp : "<NONE>");
561 if (options->ciphers == NULL)
562 options->ciphers = xstrdup(cp);
/* Protocol: an unparsable spec is fatal; first setting wins, so the command line overrides the file. */
566 intptr = &options->protocol;
567 cp = strtok(NULL, WHITESPACE);
568 value = proto_spec(cp);
569 if (value == SSH_PROTO_UNKNOWN)
570 fatal("%s line %d: Bad protocol spec '%s'.",
571 filename, linenum, cp ? cp : "<NONE>");
572 if (*intptr == SSH_PROTO_UNKNOWN)
/* Reached for an opcode that has no case above. */
577 fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
578 filename, linenum, cp, opcode);
/* Reject trailing tokens so that e.g. a second, contradictory value on the line is noticed. */
581 if (strtok(NULL, WHITESPACE) != NULL) {
582 fprintf(stderr, "%s line %d: garbage at end of line.\n",
/* Summary of the non-fatal errors counted above; the exit itself is on a line not shown. */
588 if (bad_options > 0) {
589 fprintf(stderr, "%s: terminating, %d bad configuration options\n",
590 filename, bad_options);