5 Author: Tatu Ylonen <ylo@cs.hut.fi>
7 Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
10 Created: Mon Aug 21 15:48:58 1995 ylo
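/*
 * Initializes the server options to their default values.
 *
 * The structure is zeroed and then every option that the configuration
 * file may set is moved to its "not configured" state: -1 for the integer
 * and enum options, NULL for the host key path, INADDR_ANY for the listen
 * address, and 0 for the allow/deny list counts (those are real counts, so
 * 0 is simply "empty").  fill_default_server_options() later replaces each
 * remaining -1 with the compiled-in default, which is why the sentinel has
 * to be -1 and not 0: a 0 would be indistinguishable from an explicit "no".
 *
 * options: caller-owned structure to reset; any previous contents are lost.
 */
void initialize_server_options(ServerOptions *options)
{
	memset(options, 0, sizeof(*options));
	/* fill_default_server_options() tests port == -1 before falling back
	 * to the "ssh" service entry / SSH_DEFAULT_PORT; a port left at 0 by
	 * the memset above would be used verbatim instead. */
	options->port = -1;
	options->listen_addr.s_addr = htonl(INADDR_ANY);
	options->host_key_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->permit_root_login = -1;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->check_mail = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->strict_modes = -1;
	options->keepalives = -1;
	/* Same -1 sentinel for the enum-typed fields; the cast matches the
	 * comparison fill_default_server_options() performs. */
	options->log_facility = (SyslogFacility)-1;
	options->log_level = (LogLevel)-1;
	options->rhosts_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->rsa_authentication = -1;
	/* Feature-gated options only exist in builds with that support. */
#ifdef KRB4
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
#endif
#ifdef AFS
	options->kerberos_tgt_passing = -1;
	options->afs_token_passing = -1;
#endif
	options->password_authentication = -1;
#ifdef SKEY
	options->skey_authentication = -1;
#endif
	options->permit_empty_passwd = -1;
	options->use_login = -1;
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
}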
/* Stores def in *opt only if the option still carries the -1 sentinel
 * left by initialize_server_options(); a configured value is kept. */
static void default_int(int *opt, int def)
{
	if (*opt == -1)
		*opt = def;
}

/*
 * Replaces every option still at its -1 "not configured" sentinel with
 * the compiled-in default.  Intended to run after the configuration file
 * has been read, so that values given there win over the defaults.
 *
 * The defaults are the historical permissive ones: root login, empty
 * passwords, RSA / rhosts-RSA and password authentication all default to
 * enabled, so a site that wants any of them off must say so in the
 * configuration file.
 *
 * options: structure to complete in place.
 */
void fill_default_server_options(ServerOptions *options)
{
	if (options->port == -1) {
		/* Prefer the "ssh" entry of the services database and fall
		 * back to the compiled-in port when it is absent. */
		struct servent *sp = getservbyname(SSH_SERVICE_NAME, "tcp");

		options->port = (sp != NULL) ? ntohs(sp->s_port) : SSH_DEFAULT_PORT;
	}
	if (options->host_key_file == NULL)
		options->host_key_file = HOST_KEY_FILE;
	default_int(&options->server_key_bits, 768);
	default_int(&options->login_grace_time, 600);
	default_int(&options->key_regeneration_time, 3600);
	default_int(&options->permit_root_login, 1);	/* yes */
	default_int(&options->ignore_rhosts, 0);
	default_int(&options->ignore_user_known_hosts, 0);
	default_int(&options->check_mail, 0);
	default_int(&options->print_motd, 1);
	default_int(&options->x11_forwarding, 1);
	default_int(&options->x11_display_offset, 1);
	default_int(&options->strict_modes, 1);
	default_int(&options->keepalives, 1);
	/* Enum-typed options compare against the same sentinel cast to
	 * their own type. */
	if (options->log_facility == (SyslogFacility)(-1))
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == (LogLevel)(-1))
		options->log_level = SYSLOG_LEVEL_INFO;
	default_int(&options->rhosts_authentication, 0);
	default_int(&options->rhosts_rsa_authentication, 1);
	default_int(&options->rsa_authentication, 1);
#ifdef KRB4
	/* Kept as an explicit test so access() runs only when the option
	 * was not configured. */
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = (access(KEYFILE, R_OK) == 0);
	default_int(&options->kerberos_or_local_passwd, 1);
	default_int(&options->kerberos_ticket_cleanup, 1);
#endif
#ifdef AFS
	default_int(&options->kerberos_tgt_passing, 0);
	/* Likewise, k_hasafs() is only probed when nothing was configured. */
	if (options->afs_token_passing == -1)
		options->afs_token_passing = k_hasafs();
#endif
	default_int(&options->password_authentication, 1);
#ifdef SKEY
	default_int(&options->skey_authentication, 1);
#endif
	default_int(&options->permit_empty_passwd, 1);
	default_int(&options->use_login, 0);
}
142 #define WHITESPACE " \t\r\n"
/* Keyword tokens. */
/*
 * One opcode per configuration keyword.  The keywords[] table below maps
 * the lowercase keyword text to an opcode, and read_server_config()
 * switches on the result to pick the option to set.
 * NOTE(review): sSkeyAuthentication is referenced by keywords[] and by
 * read_server_config() but is not declared in the part of this enum shown
 * here -- presumably declared under a build-option guard; confirm.
 */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
	/* Kerberos and AFS tokens; presumably only present in builds with
	 * that support, like the matching ServerOptions fields. */
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosTgtPassing, sAFSTokenPassing,
	sPasswordAuthentication, sListenAddress,
	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts
/* Textual representation of the tokens. */
/*
 * Maps each configuration keyword to its ServerOpCodes value.  Every
 * .name must be all lowercase: read_server_config() lowercases the keyword
 * it read before parse_token() compares it with strcmp(), so a mixed-case
 * entry here could never match.  parse_token() stops at the first entry
 * whose .name is NULL, so the table has to stay NULL-terminated.
 */
	ServerOpCodes opcode;
	{ "hostkey", sHostKeyFile },
	{ "serverkeybits", sServerKeyBits },
	{ "logingracetime", sLoginGraceTime },
	{ "keyregenerationinterval", sKeyRegenerationTime },
	{ "permitrootlogin", sPermitRootLogin },
	{ "syslogfacility", sLogFacility },
	{ "loglevel", sLogLevel },
	{ "rhostsauthentication", sRhostsAuthentication },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication },
	{ "rsaauthentication", sRSAAuthentication },
	/* Kerberos / AFS / S-Key keywords; the matching opcodes and option
	 * fields presumably only exist in builds with that support. */
	{ "kerberosauthentication", sKerberosAuthentication },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
	{ "kerberosticketcleanup", sKerberosTicketCleanup },
	{ "kerberostgtpassing", sKerberosTgtPassing },
	{ "afstokenpassing", sAFSTokenPassing },
	{ "passwordauthentication", sPasswordAuthentication },
	{ "skeyauthentication", sSkeyAuthentication },
	{ "checkmail", sCheckMail },
	{ "listenaddress", sListenAddress },
	{ "printmotd", sPrintMotd },
	{ "ignorerhosts", sIgnoreRhosts },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
	{ "x11forwarding", sX11Forwarding },
	{ "x11displayoffset", sX11DisplayOffset },
	{ "strictmodes", sStrictModes },
	{ "permitemptypasswords", sEmptyPasswd },
	{ "uselogin", sUseLogin },
	/* Still recognised only so read_server_config() can report the
	 * option as obsolete instead of rejecting the file. */
	{ "randomseed", sRandomSeedFile },
	{ "keepalive", sKeepAlives },
	/* List-valued keywords: read_server_config() takes every remaining
	 * token on the line, up to the MAX_*_{USERS,GROUPS} limits. */
	{ "allowusers", sAllowUsers },
	{ "denyusers", sDenyUsers },
	{ "allowgroups", sAllowGroups },
	{ "denygroups", sDenyGroups },
/*
 * Accepted SyslogFacility names.  read_server_config() matches the
 * configured value against .name with strcasecmp(), so the case used here
 * is cosmetic; anything not in this table is rejected with an
 * "unsupported log facility" error.  The lookup loop stops at the first
 * entry whose .name is NULL, so the table must stay NULL-terminated.
 */
	SyslogFacility facility;
	{ "DAEMON", SYSLOG_FACILITY_DAEMON },
	{ "USER", SYSLOG_FACILITY_USER },
	{ "AUTH", SYSLOG_FACILITY_AUTH },
	{ "LOCAL0", SYSLOG_FACILITY_LOCAL0 },
	{ "LOCAL1", SYSLOG_FACILITY_LOCAL1 },
	{ "LOCAL2", SYSLOG_FACILITY_LOCAL2 },
	{ "LOCAL3", SYSLOG_FACILITY_LOCAL3 },
	{ "LOCAL4", SYSLOG_FACILITY_LOCAL4 },
	{ "LOCAL5", SYSLOG_FACILITY_LOCAL5 },
	{ "LOCAL6", SYSLOG_FACILITY_LOCAL6 },
	{ "LOCAL7", SYSLOG_FACILITY_LOCAL7 },
/*
 * Accepted LogLevel names, matched case-insensitively by
 * read_server_config() (strcasecmp on .name, value taken from .level).
 * Names not listed here are rejected with an "unsupported log level"
 * error; the lookup loop relies on a trailing NULL .name entry.
 */
	{ "QUIET", SYSLOG_LEVEL_QUIET },
	{ "FATAL", SYSLOG_LEVEL_FATAL },
	{ "ERROR", SYSLOG_LEVEL_ERROR },
	{ "INFO", SYSLOG_LEVEL_INFO },
	{ "CHAT", SYSLOG_LEVEL_CHAT },
	{ "DEBUG", SYSLOG_LEVEL_DEBUG },
/*
 * Returns the opcode of the configuration keyword cp, which the caller has
 * already lowercased (keywords[] holds lowercase names and the comparison
 * is an exact strcmp).
 *
 * Never returns if the token is not known: the offending keyword is
 * reported on stderr together with filename and linenum, and the process
 * exits.  cp comes from the configuration file, so it is always printed
 * through a fixed "%s" format, never as a format string itself.
 */
static ServerOpCodes parse_token(const char *cp, const char *filename,
				 int linenum)
{
	size_t idx = 0;

	while (keywords[idx].name != NULL) {
		if (strcmp(keywords[idx].name, cp) == 0)
			return keywords[idx].opcode;
		idx++;
	}
	fprintf(stderr, "%s line %d: Bad configuration option: %s\n",
		filename, linenum, cp);
	exit(1);
}
268 /* Reads the server configuration file. */
270 void read_server_config(ServerOptions *options, const char *filename)
275 int linenum, *intptr, i, value;
276 ServerOpCodes opcode;
278 f = fopen(filename, "r");
286 while (fgets(line, sizeof(line), f))
289 cp = line + strspn(line, WHITESPACE);
290 if (!*cp || *cp == '#')
292 cp = strtok(cp, WHITESPACE);
296 if ('A' <= *t && *t <= 'Z')
297 *t = *t - 'A' + 'a'; /* tolower */
300 opcode = parse_token(cp, filename, linenum);
304 intptr = &options->port;
306 cp = strtok(NULL, WHITESPACE);
309 fprintf(stderr, "%s line %d: missing integer value.\n",
319 intptr = &options->server_key_bits;
322 case sLoginGraceTime:
323 intptr = &options->login_grace_time;
326 case sKeyRegenerationTime:
327 intptr = &options->key_regeneration_time;
331 cp = strtok(NULL, WHITESPACE);
334 fprintf(stderr, "%s line %d: missing inet addr.\n",
338 options->listen_addr.s_addr = inet_addr(cp);
342 charptr = &options->host_key_file;
343 cp = strtok(NULL, WHITESPACE);
346 fprintf(stderr, "%s line %d: missing file name.\n",
350 if (*charptr == NULL)
351 *charptr = tilde_expand_filename(cp, getuid());
354 case sRandomSeedFile:
355 fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n",
357 cp = strtok(NULL, WHITESPACE);
360 case sPermitRootLogin:
361 intptr = &options->permit_root_login;
362 cp = strtok(NULL, WHITESPACE);
365 fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n",
369 if (strcmp(cp, "without-password") == 0)
371 else if (strcmp(cp, "yes") == 0)
373 else if (strcmp(cp, "no") == 0)
377 fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n",
378 filename, linenum, cp);
386 intptr = &options->ignore_rhosts;
388 cp = strtok(NULL, WHITESPACE);
391 fprintf(stderr, "%s line %d: missing yes/no argument.\n",
395 if (strcmp(cp, "yes") == 0)
398 if (strcmp(cp, "no") == 0)
402 fprintf(stderr, "%s line %d: Bad yes/no argument: %s\n",
403 filename, linenum, cp);
410 case sIgnoreUserKnownHosts:
411 intptr = &options->ignore_user_known_hosts;
414 case sRhostsAuthentication:
415 intptr = &options->rhosts_authentication;
418 case sRhostsRSAAuthentication:
419 intptr = &options->rhosts_rsa_authentication;
422 case sRSAAuthentication:
423 intptr = &options->rsa_authentication;
427 case sKerberosAuthentication:
428 intptr = &options->kerberos_authentication;
431 case sKerberosOrLocalPasswd:
432 intptr = &options->kerberos_or_local_passwd;
435 case sKerberosTicketCleanup:
436 intptr = &options->kerberos_ticket_cleanup;
441 case sKerberosTgtPassing:
442 intptr = &options->kerberos_tgt_passing;
445 case sAFSTokenPassing:
446 intptr = &options->afs_token_passing;
450 case sPasswordAuthentication:
451 intptr = &options->password_authentication;
455 intptr = &options->check_mail;
459 case sSkeyAuthentication:
460 intptr = &options->skey_authentication;
465 intptr = &options->print_motd;
469 intptr = &options->x11_forwarding;
472 case sX11DisplayOffset:
473 intptr = &options->x11_display_offset;
477 intptr = &options->strict_modes;
481 intptr = &options->keepalives;
485 intptr = &options->permit_empty_passwd;
489 intptr = &options->use_login;
493 cp = strtok(NULL, WHITESPACE);
496 fprintf(stderr, "%s line %d: missing facility name.\n",
500 for (i = 0; log_facilities[i].name; i++)
501 if (strcasecmp(log_facilities[i].name, cp) == 0)
503 if (!log_facilities[i].name)
505 fprintf(stderr, "%s line %d: unsupported log facility %s\n",
506 filename, linenum, cp);
509 if (options->log_facility == (SyslogFacility)(-1))
510 options->log_facility = log_facilities[i].facility;
514 cp = strtok(NULL, WHITESPACE);
517 fprintf(stderr, "%s line %d: missing level name.\n",
521 for (i = 0; log_levels[i].name; i++)
522 if (strcasecmp(log_levels[i].name, cp) == 0)
524 if (!log_levels[i].name)
526 fprintf(stderr, "%s line %d: unsupported log level %s\n",
527 filename, linenum, cp);
530 if (options->log_level == (LogLevel)(-1))
531 options->log_level = log_levels[i].level;
535 while ((cp = strtok(NULL, WHITESPACE)))
537 if (options->num_allow_users >= MAX_ALLOW_USERS)
539 fprintf(stderr, "%s line %d: too many allow users.\n",
543 options->allow_users[options->num_allow_users++] = xstrdup(cp);
548 while ((cp = strtok(NULL, WHITESPACE)))
550 if (options->num_deny_users >= MAX_DENY_USERS)
552 fprintf(stderr, "%s line %d: too many deny users.\n",
556 options->deny_users[options->num_deny_users++] = xstrdup(cp);
561 while ((cp = strtok(NULL, WHITESPACE)))
563 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
565 fprintf(stderr, "%s line %d: too many allow groups.\n",
569 options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
574 while ((cp = strtok(NULL, WHITESPACE)))
576 if (options->num_deny_groups >= MAX_DENY_GROUPS)
578 fprintf(stderr, "%s line %d: too many deny groups.\n",
582 options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
587 fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
588 filename, linenum, cp, opcode);
591 if (strtok(NULL, WHITESPACE) != NULL)
593 fprintf(stderr, "%s line %d: garbage at end of line.\n",