1 /* $OpenBSD: readconf.c,v 1.169 2008/11/03 01:07:02 stevesk Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
36 #include "pathnames.h"
46 /* Format of the configuration file:
48 # Configuration data is parsed as follows:
49 # 1. command line options
50 # 2. user-specific file
52 # Any configuration value is only changed the first time it is set.
53 # Thus, host-specific definitions should be at the beginning of the
54 # configuration file, and defaults at the end.
56 # Host-specific declarations. These may override anything above. A single
57 # host may match multiple declarations; these are processed in the order
58 # that they are given in.
64 HostName another.host.name.real.org
71 RemoteForward 9999 shadows.cs.hut.fi:9999
77 PasswordAuthentication no
81 ProxyCommand ssh-proxy %h %p
84 PubkeyAuthentication no
88 PasswordAuthentication no
94 # Defaults for various options
98 PasswordAuthentication yes
100 RhostsRSAAuthentication yes
101 StrictHostKeyChecking yes
103 IdentityFile ~/.ssh/identity
/*
 * Keyword tokens.  parse_token() maps each configuration keyword to one
 * of these and process_config_line() dispatches on the result.  Two of
 * them are catch-alls rather than real options: oDeprecated is merely
 * logged at debug level and oUnsupported is reported with error() (see
 * the tail of process_config_line()).
 */
	oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
	oExitOnForwardFailure,
	oPasswordAuthentication, oRSAAuthentication,
	oChallengeResponseAuthentication, oXAuthLocation,
	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
	/* Sentinels used for keywords that are recognised but not acted on. */
	oDeprecated, oUnsupported
/*
 * Textual representations of the tokens.  parse_token() compares these
 * case-insensitively and returns the FIRST match, so position matters
 * wherever a name appears twice (gssapiauthentication,
 * gssapidelegatecredentials and smartcarddevice each have a real entry
 * and an oUnsupported entry; presumably only one of each pair is
 * compiled in under a build-time conditional that is not in view --
 * confirm).  "alias" and "obsolete" entries keep older spellings
 * working; oDeprecated names are accepted with a debug message only,
 * oUnsupported names with an error().
 */
	{ "forwardagent", oForwardAgent },
	{ "forwardx11", oForwardX11 },
	{ "forwardx11trusted", oForwardX11Trusted },
	{ "exitonforwardfailure", oExitOnForwardFailure },
	{ "xauthlocation", oXAuthLocation },
	{ "gatewayports", oGatewayPorts },
	{ "useprivilegedport", oUsePrivilegedPort },
	/* rsh-style trusted-host authentication: keyword kept, no effect. */
	{ "rhostsauthentication", oDeprecated },
	{ "passwordauthentication", oPasswordAuthentication },
	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
	{ "kbdinteractivedevices", oKbdInteractiveDevices },
	{ "rsaauthentication", oRSAAuthentication },
	{ "pubkeyauthentication", oPubkeyAuthentication },
	{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
	{ "hostbasedauthentication", oHostbasedAuthentication },
	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
	{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
	{ "kerberosauthentication", oUnsupported },
	{ "kerberostgtpassing", oUnsupported },
	{ "afstokenpassing", oUnsupported },
	/* GSSAPI: real entries ... */
	{ "gssapiauthentication", oGssAuthentication },
	{ "gssapidelegatecredentials", oGssDelegateCreds },
	/* ... and the entries for a build without GSSAPI (presumably #else). */
	{ "gssapiauthentication", oUnsupported },
	{ "gssapidelegatecredentials", oUnsupported },
	{ "fallbacktorsh", oDeprecated },
	{ "usersh", oDeprecated },
	{ "identityfile", oIdentityFile },
	{ "identityfile2", oIdentityFile }, /* alias */
	{ "identitiesonly", oIdentitiesOnly },
	{ "hostname", oHostName },
	{ "hostkeyalias", oHostKeyAlias },
	/* Runs a local command; see the trust note in read_config_file(). */
	{ "proxycommand", oProxyCommand },
	{ "cipher", oCipher },
	{ "ciphers", oCiphers },
	{ "protocol", oProtocol },
	{ "remoteforward", oRemoteForward },
	{ "localforward", oLocalForward },
	{ "escapechar", oEscapeChar },
	{ "globalknownhostsfile", oGlobalKnownHostsFile },
	{ "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
	{ "globalknownhostsfile2", oGlobalKnownHostsFile2 },
	{ "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
	{ "connectionattempts", oConnectionAttempts },
	{ "batchmode", oBatchMode },
	{ "checkhostip", oCheckHostIP },
	{ "stricthostkeychecking", oStrictHostKeyChecking },
	{ "compression", oCompression },
	{ "compressionlevel", oCompressionLevel },
	{ "tcpkeepalive", oTCPKeepAlive },
	{ "keepalive", oTCPKeepAlive }, /* obsolete */
	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
	{ "loglevel", oLogLevel },
	{ "dynamicforward", oDynamicForward },
	{ "preferredauthentications", oPreferredAuthentications },
	{ "hostkeyalgorithms", oHostKeyAlgorithms },
	{ "bindaddress", oBindAddress },
	/* Smartcard support: real entry, then the entry for builds without it. */
	{ "smartcarddevice", oSmartcardDevice },
	{ "smartcarddevice", oUnsupported },
	{ "clearallforwardings", oClearAllForwardings },
	{ "enablesshkeysign", oEnableSSHKeysign },
	{ "verifyhostkeydns", oVerifyHostKeyDNS },
	{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
	{ "rekeylimit", oRekeyLimit },
	{ "connecttimeout", oConnectTimeout },
	{ "addressfamily", oAddressFamily },
	{ "serveraliveinterval", oServerAliveInterval },
	{ "serveralivecountmax", oServerAliveCountMax },
	{ "sendenv", oSendEnv },
	{ "controlpath", oControlPath },
	{ "controlmaster", oControlMaster },
	{ "hashknownhosts", oHashKnownHosts },
	{ "tunnel", oTunnel },
	{ "tunneldevice", oTunnelDevice },
	/* Also runs a local command (gated by permitlocalcommand). */
	{ "localcommand", oLocalCommand },
	{ "permitlocalcommand", oPermitLocalCommand },
	{ "visualhostkey", oVisualHostKey },
/*
 * Adds a local TCP/IP port forward to options.  Never returns if there is
 * an error: both the privileged-port policy and the table limit are
 * enforced with fatal().  Used for LocalForward and DynamicForward (see
 * process_config_line()).  The host strings are duplicated, so *newfwd
 * stays owned by the caller.
 */
add_local_forward(Options *options, const Forward *newfwd)
#ifndef NO_IPPORT_RESERVED_CONCEPT
	/*
	 * Only root may listen on a port below IPPORT_RESERVED.
	 * original_real_uid is presumably the invoking user's real uid,
	 * captured before any privilege change -- confirm against the
	 * main program.
	 */
	extern uid_t original_real_uid;
	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
		fatal("Privileged ports can only be forwarded by root.");
	/* local_forwards[] is a fixed-size table: refuse rather than overrun. */
	if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
	fwd = &options->local_forwards[options->num_local_forwards++];

	/* listen_host may be NULL (no explicit bind address was given). */
	fwd->listen_host = (newfwd->listen_host == NULL) ?
	    NULL : xstrdup(newfwd->listen_host);
	fwd->listen_port = newfwd->listen_port;
	fwd->connect_host = xstrdup(newfwd->connect_host);
	fwd->connect_port = newfwd->connect_port;
/*
 * Adds a remote TCP/IP port forward to options.  Never returns if there
 * is an error (table full).  Unlike add_local_forward() there is no
 * privileged-port check here: the listening socket for a remote forward
 * is opened by the server, which presumably applies its own policy.  The
 * host strings are duplicated, so *newfwd stays owned by the caller.
 */
add_remote_forward(Options *options, const Forward *newfwd)
	/* remote_forwards[] is a fixed-size table: refuse rather than overrun. */
	if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many remote forwards (max %d).",
		    SSH_MAX_FORWARDS_PER_DIRECTION);
	fwd = &options->remote_forwards[options->num_remote_forwards++];

	/* listen_host may be NULL (no explicit bind address was given). */
	fwd->listen_host = (newfwd->listen_host == NULL) ?
	    NULL : xstrdup(newfwd->listen_host);
	fwd->listen_port = newfwd->listen_port;
	fwd->connect_host = xstrdup(newfwd->connect_host);
	fwd->connect_port = newfwd->connect_port;
/*
 * Release every local and remote forward accumulated so far, reset the
 * counts and switch tunnelling off.  fill_default_options() calls this
 * when ClearAllForwardings is set, i.e. after all sources have been
 * read, so forwards from every source parsed into the same tables are
 * discarded together.
 */
clear_forwardings(Options *options)
	for (i = 0; i < options->num_local_forwards; i++) {
		/* listen_host is optional (may be NULL); connect_host is always set. */
		if (options->local_forwards[i].listen_host != NULL)
			xfree(options->local_forwards[i].listen_host);
		xfree(options->local_forwards[i].connect_host);
	options->num_local_forwards = 0;
	for (i = 0; i < options->num_remote_forwards; i++) {
		if (options->remote_forwards[i].listen_host != NULL)
			xfree(options->remote_forwards[i].listen_host);
		xfree(options->remote_forwards[i].connect_host);
	options->num_remote_forwards = 0;
	/* A tunnel request counts as a forwarding too. */
	options->tun_open = SSH_TUNMODE_NO;
/*
 * Returns the number of the token pointed to by cp or oBadOption.
 *
 * The lookup is case-insensitive and scans keywords[] in order, so the
 * first entry wins when a name is listed twice.  An unknown keyword is
 * reported with error(), not fatal(): the caller counts bad options and
 * aborts only after the whole file has been read (see read_config_file()).
 */
parse_token(const char *cp, const char *filename, int linenum)
	for (i = 0; keywords[i].name; i++)
		if (strcasecmp(cp, keywords[i].name) == 0)
			return keywords[i].opcode;

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
/*
 * Processes a single option line as used in the configuration files. This
 * only sets those values that have not already been set.
 *
 * `host` is the name the user asked to connect to and is what Host
 * patterns are matched against.  `*activep` records whether the current
 * Host block applies; nearly every case below stores its value only when
 * `*activep` is set AND the field still holds the "unset" sentinel from
 * initialize_options() (-1, NULL, SSH_PROTO_UNKNOWN, ...).  That test is
 * what gives "first setting wins" across the command line, the user file
 * and the system file.  Malformed arguments are fatal(); an unknown
 * keyword is only counted and reported to the caller so that the whole
 * file can be checked before aborting.
 */
#define WHITESPACE " \t\r\n"
process_config_line(Options *options, const char *host,
    char *line, const char *filename, int linenum,
	char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
	int opcode, *intptr, value, value2, scale;
	LogLevel *log_level_ptr;
	long long orig, val64;

	/*
	 * Strip trailing whitespace.
	 * NOTE(review): for an empty `line`, strlen(line) - 1 wraps if `len`
	 * is unsigned (its declaration is not in view, but it receives
	 * strspn()'s size_t result further down) and line[len] is then read
	 * out of bounds.  fgets() never yields an empty string, but another
	 * caller (e.g. an empty -o value) could; a
	 * `if (strlen(line) == 0) return 0;` guard before the loop would
	 * close this.
	 */
	for (len = strlen(line) - 1; len > 0; len--) {
		if (strchr(WHITESPACE, line[len]) == NULL)
	/* Get the keyword. (Each line is supposed to begin with a keyword). */
	if ((keyword = strdelim(&s)) == NULL)
	/* Ignore leading whitespace. */
	if (*keyword == '\0')
		keyword = strdelim(&s);
	/* Blank lines and '#' comment lines are skipped without error. */
	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
	opcode = parse_token(keyword, filename, linenum);
	/* don't panic, but count bad options */

	/* ConnectTimeout: convtime() parses a duration; -1 means unparseable. */
	case oConnectTimeout:
		intptr = &options->connection_timeout;
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing time value.",
		if ((value = convtime(arg)) == -1)
			fatal("%s line %d: invalid time value.",
		if (*activep && *intptr == -1)

		intptr = &options->forward_agent;
	/*
	 * Shared yes/no parser.  The boolean options below only point
	 * intptr at their field and jump here (the label is not in view);
	 * the value is stored only if the field is still unset and the
	 * current Host block applies.
	 */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
		value = 0; /* To avoid compiler warning... */
		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
		if (*activep && *intptr == -1)

		intptr = &options->forward_x11;
	case oForwardX11Trusted:
		intptr = &options->forward_x11_trusted;
		intptr = &options->gateway_ports;
	case oExitOnForwardFailure:
		intptr = &options->exit_on_forward_failure;
	case oUsePrivilegedPort:
		intptr = &options->use_privileged_port;
	case oPasswordAuthentication:
		intptr = &options->password_authentication;
	case oKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;
	case oKbdInteractiveDevices:
		charptr = &options->kbd_interactive_devices;
	case oPubkeyAuthentication:
		intptr = &options->pubkey_authentication;
	case oRSAAuthentication:
		intptr = &options->rsa_authentication;
	case oRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;
	case oHostbasedAuthentication:
		intptr = &options->hostbased_authentication;
	case oChallengeResponseAuthentication:
		intptr = &options->challenge_response_authentication;
	case oGssAuthentication:
		intptr = &options->gss_authentication;
	case oGssDelegateCreds:
		intptr = &options->gss_deleg_creds;
		intptr = &options->batch_mode;
		intptr = &options->check_host_ip;
	case oVerifyHostKeyDNS:
		intptr = &options->verify_host_key_dns;
	/*
	 * StrictHostKeyChecking takes "ask" in addition to yes/no.  The
	 * values are acted on elsewhere; as documented, "no" auto-accepts
	 * unknown host keys, which removes the client's main defence against
	 * a man-in-the-middle and belongs only in per-Host blocks for
	 * throwaway hosts.  The numeric code for "ask" is not in view;
	 * fill_default_options() uses 2 as the default.
	 */
	case oStrictHostKeyChecking:
		intptr = &options->strict_host_key_checking;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing yes/no/ask argument.",
		value = 0; /* To avoid compiler warning... */
		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
		else if (strcmp(arg, "ask") == 0)
			fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
		if (*activep && *intptr == -1)

		intptr = &options->compression;
		intptr = &options->tcp_keep_alive;
	case oNoHostAuthenticationForLocalhost:
		intptr = &options->no_host_authentication_for_localhost;
	/* Plain integer options (shared integer parser not in view). */
	case oNumberOfPasswordPrompts:
		intptr = &options->number_of_password_prompts;
	case oCompressionLevel:
		intptr = &options->compression_level;

	/*
	 * RekeyLimit: a byte count with an optional size suffix (the suffix
	 * cases of the switch are not in view).  The check below divides the
	 * scaled value back and compares with the original to detect wrap,
	 * and caps at UINT_MAX because rekey_limit is stored as u_int32_t.
	 * NOTE(review): the scaling multiplication that produces val64 is
	 * presumably signed 64-bit, so a pathological input overflows
	 * (undefined behaviour) before this division-based check runs;
	 * testing `orig > LLONG_MAX / scale` first would not rely on wrap.
	 */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (arg[0] < '0' || arg[0] > '9')
			fatal("%.200s line %d: Bad number.", filename, linenum);
		orig = val64 = strtoll(arg, &endofnumber, 10);
		if (arg == endofnumber)
			fatal("%.200s line %d: Bad number.", filename, linenum);
		switch (toupper(*endofnumber)) {
			fatal("%.200s line %d: Invalid RekeyLimit suffix",
		/* detect integer wrap and too-large limits */
		if ((val64 / scale) != orig || val64 > UINT_MAX)
			fatal("%.200s line %d: RekeyLimit too large",
			fatal("%.200s line %d: RekeyLimit too small",
		if (*activep && options->rekey_limit == -1)
			options->rekey_limit = (u_int32_t)val64;

	/*
	 * IdentityFile accumulates rather than replaces: every occurrence
	 * appends to identity_files[] up to SSH_MAX_IDENTITY_FILES.  The
	 * `*activep` guard used by the other cases is not in view here --
	 * confirm it is applied, otherwise a non-matching Host block would
	 * still add keys.
	 */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
			intptr = &options->num_identity_files;
			if (*intptr >= SSH_MAX_IDENTITY_FILES)
				fatal("%.200s line %d: Too many identity files specified (max %d).",
				    filename, linenum, SSH_MAX_IDENTITY_FILES);
			charptr = &options->identity_files[*intptr];
			*charptr = xstrdup(arg);
			*intptr = *intptr + 1;

		charptr=&options->xauth_location;

		charptr = &options->user;
	/* Generic single-word string option: first setting wins. */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (*activep && *charptr == NULL)
			*charptr = xstrdup(arg);

	case oGlobalKnownHostsFile:
		charptr = &options->system_hostfile;
	case oUserKnownHostsFile:
		charptr = &options->user_hostfile;
	case oGlobalKnownHostsFile2:
		charptr = &options->system_hostfile2;
	case oUserKnownHostsFile2:
		charptr = &options->user_hostfile2;
		charptr = &options->hostname;
		charptr = &options->host_key_alias;
	case oPreferredAuthentications:
		charptr = &options->preferred_authentications;
		charptr = &options->bind_address;
	case oSmartcardDevice:
		charptr = &options->smartcard_device;

	/*
	 * ProxyCommand takes the whole remainder of the line (after any
	 * whitespace or '='), so arguments and quoting are passed through
	 * verbatim; it is presumably executed via the shell elsewhere.  This
	 * is why a writable config file means arbitrary code execution --
	 * see the permission check in read_config_file().
	 */
		charptr = &options->proxy_command;
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		len = strspn(s, WHITESPACE "=");
		if (*activep && *charptr == NULL)
			*charptr = xstrdup(s + len);

	/*
	 * Port: strtol() with base 0, so octal ("022") and hex ("0x16") are
	 * accepted.  NOTE(review): only "no digits at all" is rejected --
	 * trailing characters after the number are ignored (the garbage
	 * check at the end looks at the next token, not at `arg`), and
	 * nothing in view bounds the value to 1..65535 the way a2port() does
	 * for forwarded ports.
	 */
		intptr = &options->port;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (arg[0] < '0' || arg[0] > '9')
			fatal("%.200s line %d: Bad number.", filename, linenum);

		/* Octal, decimal, or hex format? */
		value = strtol(arg, &endofnumber, 0);
		if (arg == endofnumber)
			fatal("%.200s line %d: Bad number.", filename, linenum);
		if (*activep && *intptr == -1)

	case oConnectionAttempts:
		intptr = &options->connection_attempts;

	/* Cipher (protocol 1): cipher_number() resolves the name. */
		intptr = &options->cipher;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		value = cipher_number(arg);
		/* arg cannot be NULL here; the "<NONE>" fallback is dead but harmless. */
			fatal("%.200s line %d: Bad cipher '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && *intptr == -1)

	/* Ciphers (protocol 2): the list is validated before being stored. */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->ciphers == NULL)
			options->ciphers = xstrdup(arg);

	/* MACs (protocol 2). */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
			fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->macs == NULL)
			options->macs = xstrdup(arg);

	case oHostKeyAlgorithms:
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (!key_names_valid2(arg))
			fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->hostkeyalgorithms == NULL)
			options->hostkeyalgorithms = xstrdup(arg);

	/* Protocol: a bit set of SSH_PROTO_1 / SSH_PROTO_2 built by proto_spec(). */
		intptr = &options->protocol;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%.200s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && *intptr == SSH_PROTO_UNKNOWN)

		log_level_ptr = &options->log_level;
		value = log_level_number(arg);
		if (value == SYSLOG_LEVEL_NOT_SET)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
			*log_level_ptr = (LogLevel) value;

	/*
	 * LocalForward/RemoteForward take "listen target" as two words that
	 * are re-joined with ':' for parse_forward(); DynamicForward takes a
	 * single word.  NOTE(review): fwdarg is 256 bytes and both snprintf()
	 * and strlcpy() truncate silently, so an over-long specification is
	 * parsed after truncation instead of being rejected; comparing their
	 * return value against sizeof(fwdarg) would make it a fatal() like
	 * the other argument errors.  Dynamic forwards go into the local
	 * table and therefore get its privileged-port check.
	 */
	case oDynamicForward:
		if (arg == NULL || *arg == '\0')
			fatal("%.200s line %d: Missing port argument.",

		if (opcode == oLocalForward ||
		    opcode == oRemoteForward) {
			if (arg2 == NULL || *arg2 == '\0')
				fatal("%.200s line %d: Missing target argument.",

			/* construct a string for parse_forward */
			snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
		} else if (opcode == oDynamicForward) {
			strlcpy(fwdarg, arg, sizeof(fwdarg));

		if (parse_forward(&fwd, fwdarg,
		    opcode == oDynamicForward ? 1 : 0) == 0)
			fatal("%.200s line %d: Bad forwarding specification.",

			if (opcode == oLocalForward ||
			    opcode == oDynamicForward)
				add_local_forward(options, &fwd);
			else if (opcode == oRemoteForward)
				add_remote_forward(options, &fwd);

	case oClearAllForwardings:
		intptr = &options->clear_forwardings;

	/*
	 * Host: switch option processing on for the following lines if any
	 * pattern matches `host` (the name the user gave, so as far as this
	 * function is concerned a HostName rewrite does not affect matching)
	 * and off otherwise.  The `*activep` assignments are not in view.
	 */
		while ((arg = strdelim(&s)) != NULL && *arg != '\0')
			if (match_pattern(host, arg)) {
				debug("Applying options for %.100s", arg);
		/* Avoid garbage check below, as strdelim is done. */

	/*
	 * EscapeChar: "^X" control notation, one literal character, or
	 * "none".  NOTE(review): arg[2] is tested before arg[1] is known to
	 * be non-NUL, so the one-character input "^" reads one byte past the
	 * terminator; adding `arg[1] != '\0' &&` ahead of the arg[2] test
	 * fixes that without changing the accepted inputs.
	 */
		intptr = &options->escape_char;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (arg[0] == '^' && arg[2] == 0 &&
		    (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
			value = (u_char) arg[1] & 31;
		else if (strlen(arg) == 1)
			value = (u_char) arg[0];
		else if (strcmp(arg, "none") == 0)
			value = SSH_ESCAPECHAR_NONE;
			fatal("%.200s line %d: Bad escape character.",
			value = 0;	/* Avoid compiler warning. */
		if (*activep && *intptr == -1)

	/* AddressFamily: inet / inet6 / any (the AF_* assignments are not in view). */
		if (!arg || *arg == '\0')
			fatal("%s line %d: missing address family.",
		intptr = &options->address_family;
		if (strcasecmp(arg, "inet") == 0)
		else if (strcasecmp(arg, "inet6") == 0)
		else if (strcasecmp(arg, "any") == 0)
			fatal("Unsupported AddressFamily \"%s\"", arg);
		if (*activep && *intptr == -1)

	case oEnableSSHKeysign:
		intptr = &options->enable_ssh_keysign;
	case oIdentitiesOnly:
		intptr = &options->identities_only;
	case oServerAliveInterval:
		intptr = &options->server_alive_interval;
	case oServerAliveCountMax:
		intptr = &options->server_alive_count_max;

	/*
	 * SendEnv: variable names only.  Rejecting '=' stops a config line
	 * from smuggling a value along with the name; the list is bounded by
	 * MAX_SEND_ENV.  Nothing else about the name is validated here.
	 */
		while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
			if (strchr(arg, '=') != NULL)
				fatal("%s line %d: Invalid environment name.",
			if (options->num_send_env >= MAX_SEND_ENV)
				fatal("%s line %d: too many send env.",
			options->send_env[options->num_send_env++] =

		charptr = &options->control_path;

	/* ControlMaster: five-valued, hence not routed through the yes/no parser. */
		intptr = &options->control_master;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing ControlMaster argument.",
		value = 0; /* To avoid compiler warning... */
		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
			value = SSHCTL_MASTER_YES;
		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
			value = SSHCTL_MASTER_NO;
		else if (strcmp(arg, "auto") == 0)
			value = SSHCTL_MASTER_AUTO;
		else if (strcmp(arg, "ask") == 0)
			value = SSHCTL_MASTER_ASK;
		else if (strcmp(arg, "autoask") == 0)
			value = SSHCTL_MASTER_AUTO_ASK;
			fatal("%.200s line %d: Bad ControlMaster argument.",
		if (*activep && *intptr == -1)

	case oHashKnownHosts:
		intptr = &options->hash_known_hosts;

	/* Tunnel: mode keyword, compared case-insensitively. */
		intptr = &options->tun_open;
		if (!arg || *arg == '\0')
			fatal("%s line %d: Missing yes/point-to-point/"
			    "ethernet/no argument.", filename, linenum);
		value = 0;	/* silence compiler */
		if (strcasecmp(arg, "ethernet") == 0)
			value = SSH_TUNMODE_ETHERNET;
		else if (strcasecmp(arg, "point-to-point") == 0)
			value = SSH_TUNMODE_POINTOPOINT;
		else if (strcasecmp(arg, "yes") == 0)
			value = SSH_TUNMODE_DEFAULT;
		else if (strcasecmp(arg, "no") == 0)
			value = SSH_TUNMODE_NO;
			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
			    "no argument: %s", filename, linenum, arg);

	/*
	 * TunnelDevice: a2tun() splits "local[:remote]" into two ids.
	 * NOTE(review): unlike the other cases, no `*activep` / unset guard
	 * is in view before the two assignments -- confirm one exists,
	 * otherwise a non-matching Host block could override an earlier
	 * setting.
	 */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		value = a2tun(arg, &value2);
		if (value == SSH_TUNID_ERR)
			fatal("%.200s line %d: Bad tun device.", filename, linenum);
			options->tun_local = value;
			options->tun_remote = value2;

	/* LocalCommand is only run when PermitLocalCommand is also set (enforced elsewhere). */
		charptr = &options->local_command;

	case oPermitLocalCommand:
		intptr = &options->permit_local_command;

		intptr = &options->visual_host_key;

	/* Deprecated keywords are tolerated with a debug message only ... */
		debug("%s line %d: Deprecated option \"%s\"",
		    filename, linenum, keyword);

	/* ... while compiled-out ones are an error() but not fatal. */
		error("%s line %d: Unsupported option \"%s\"",
		    filename, linenum, keyword);

		fatal("process_config_line: Unimplemented opcode %d", opcode);

	/*
	 * Check that there is no garbage at end of line.  (Host and SendEnv
	 * consume every remaining token themselves, so nothing is left here
	 * for them.)
	 */
	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
/*
 * Reads the config file and modifies the options accordingly. Options
 * should already be initialized before this call. This never returns if
 * there is an error. If the file does not exist, this returns 0.
 *
 * Trust boundary: a config file can set ProxyCommand / LocalCommand and
 * port forwards, so whoever can write it controls the session.  The
 * owner/mode check below is therefore the important part.  It runs
 * fstat() on the descriptor already opened, so there is no window
 * between check and use.  Whether the check applies to every file or
 * only some of them is decided by a condition that is not in view --
 * confirm.
 */
read_config_file(const char *filename, const char *host, Options *options,
	if ((f = fopen(filename, "r")) == NULL)
	if (fstat(fileno(f), &sb) == -1)
		fatal("fstat %s: %s", filename, strerror(errno));
	/*
	 * Reject a file owned by anyone other than root or the invoking
	 * user, or writable by group or others.  The directories leading
	 * to the file are not checked here.
	 */
	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
	    (sb.st_mode & 022) != 0))
		fatal("Bad owner or permissions on %s", filename);

	debug("Reading configuration data %.200s", filename);

	/*
	 * Mark that we are now processing the options. This flag is turned
	 * on/off by Host specifications.
	 */
	/*
	 * NOTE(review): fgets() with a fixed buffer hands back an over-long
	 * line in pieces, and the remainder is then parsed as a fresh line
	 * (most likely rejected as a bad keyword, but confirm the buffer
	 * size covers the longest legitimate line, e.g. a long ProxyCommand).
	 */
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		if (process_config_line(options, host, line, filename, linenum, &active) != 0)
	/* Unknown keywords were only counted while reading; abort now. */
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
/*
 * Initializes options to special values that indicate that they have not yet
 * been set. Read_config_file will only set options with this value. Options
 * are processed in the following order: command line, user config file,
 * system config file. Last, fill_default_options is called.
 *
 * The struct is first filled with 'X' bytes so that a field this function
 * forgets to reset shows up as obvious garbage instead of a silent
 * zero/NULL default.  Every field below then gets its "unset" sentinel:
 * -1 for integers and flags, NULL for strings, 0 for counters, and the
 * dedicated *_NOT_SET / *_UNKNOWN values where those exist.
 */
initialize_options(Options * options)
	memset(options, 'X', sizeof(*options));
	options->forward_agent = -1;
	options->forward_x11 = -1;
	options->forward_x11_trusted = -1;
	options->exit_on_forward_failure = -1;
	options->xauth_location = NULL;
	options->gateway_ports = -1;
	options->use_privileged_port = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->challenge_response_authentication = -1;
	options->gss_authentication = -1;
	options->gss_deleg_creds = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->kbd_interactive_devices = NULL;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->batch_mode = -1;
	options->check_host_ip = -1;
	options->strict_host_key_checking = -1;
	options->compression = -1;
	options->tcp_keep_alive = -1;
	options->compression_level = -1;
	options->address_family = -1;
	options->connection_attempts = -1;
	options->connection_timeout = -1;
	options->number_of_password_prompts = -1;
	options->cipher = -1;
	options->ciphers = NULL;
	options->macs = NULL;
	options->hostkeyalgorithms = NULL;
	/* protocol is a bit set, so it has its own "unset" value. */
	options->protocol = SSH_PROTO_UNKNOWN;
	/* Counters start at 0: IdentityFile and SendEnv append rather than set. */
	options->num_identity_files = 0;
	options->hostname = NULL;
	options->host_key_alias = NULL;
	options->proxy_command = NULL;
	options->user = NULL;
	options->escape_char = -1;
	options->system_hostfile = NULL;
	options->user_hostfile = NULL;
	options->system_hostfile2 = NULL;
	options->user_hostfile2 = NULL;
	options->num_local_forwards = 0;
	options->num_remote_forwards = 0;
	options->clear_forwardings = -1;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->preferred_authentications = NULL;
	options->bind_address = NULL;
	options->smartcard_device = NULL;
	options->enable_ssh_keysign = - 1;
	options->no_host_authentication_for_localhost = - 1;
	options->identities_only = - 1;
	options->rekey_limit = - 1;
	options->verify_host_key_dns = -1;
	options->server_alive_interval = -1;
	options->server_alive_count_max = -1;
	options->num_send_env = 0;
	options->control_path = NULL;
	options->control_master = -1;
	options->hash_known_hosts = -1;
	options->tun_open = -1;
	options->tun_local = -1;
	options->tun_remote = -1;
	options->local_command = NULL;
	options->permit_local_command = -1;
	options->visual_host_key = -1;
/*
 * Called after processing other sources of option data, this fills those
 * options for which no value has been specified with their default values.
 *
 * Security-relevant defaults chosen here: agent and X11 forwarding off,
 * GSSAPI credential delegation off, host-key checking in "ask" mode with
 * the IP address also checked, known_hosts not hashed, LocalCommand not
 * permitted, and both protocol 1 and 2 enabled (see the note at that
 * line).  ClearAllForwardings is also applied here, once every source
 * has been read.
 */
fill_default_options(Options * options)
	if (options->forward_agent == -1)
		options->forward_agent = 0;
	if (options->forward_x11 == -1)
		options->forward_x11 = 0;
	if (options->forward_x11_trusted == -1)
		options->forward_x11_trusted = 0;
	if (options->exit_on_forward_failure == -1)
		options->exit_on_forward_failure = 0;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	if (options->use_privileged_port == -1)
		options->use_privileged_port = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->gss_authentication == -1)
		options->gss_authentication = 0;
	/* Never hand our GSSAPI credentials to the server unless asked to. */
	if (options->gss_deleg_creds == -1)
		options->gss_deleg_creds = 0;
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 1;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->batch_mode == -1)
		options->batch_mode = 0;
	if (options->check_host_ip == -1)
		options->check_host_ip = 1;
	/* 2 == "ask": prompt on unknown host keys rather than auto-accept. */
	if (options->strict_host_key_checking == -1)
		options->strict_host_key_checking = 2;	/* 2 is default */
	if (options->compression == -1)
		options->compression = 0;
	if (options->tcp_keep_alive == -1)
		options->tcp_keep_alive = 1;
	if (options->compression_level == -1)
		options->compression_level = 6;
	if (options->port == -1)
		options->port = 0;	/* Filled in ssh_connect. */
	if (options->address_family == -1)
		options->address_family = AF_UNSPEC;
	if (options->connection_attempts == -1)
		options->connection_attempts = 1;
	if (options->number_of_password_prompts == -1)
		options->number_of_password_prompts = 3;
	/* Selected in ssh_login(). */
	if (options->cipher == -1)
		options->cipher = SSH_CIPHER_NOT_SET;
	/* options->ciphers, default set in myproposals.h */
	/* options->macs, default set in myproposals.h */
	/* options->hostkeyalgorithms, default set in myproposals.h */
	/*
	 * NOTE(review): protocol 1 stays enabled by default, so the legacy
	 * protocol (and its weaker host-key / cipher story) is presumably
	 * negotiable with any server that offers it.  Deployments should set
	 * `Protocol 2` explicitly, or this default should become SSH_PROTO_2.
	 */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	/*
	 * Default identity files, one per enabled protocol.  `len` is sized
	 * from the full path, while the "%.100s" precision silently cuts the
	 * path at 100 bytes -- harmless for the shipped constants, but worth
	 * knowing if _PATH_SSH_CLIENT_* is ever made longer.
	 */
	if (options->num_identity_files == 0) {
		if (options->protocol & SSH_PROTO_1) {
			len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
			options->identity_files[options->num_identity_files] =
			snprintf(options->identity_files[options->num_identity_files++],
			    len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
		if (options->protocol & SSH_PROTO_2) {
			len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
			options->identity_files[options->num_identity_files] =
			snprintf(options->identity_files[options->num_identity_files++],
			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);

			len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
			options->identity_files[options->num_identity_files] =
			snprintf(options->identity_files[options->num_identity_files++],
			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
	if (options->escape_char == -1)
		options->escape_char = '~';
	if (options->system_hostfile == NULL)
		options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
	if (options->user_hostfile == NULL)
		options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
	if (options->system_hostfile2 == NULL)
		options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
	if (options->user_hostfile2 == NULL)
		options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/*
	 * ClearAllForwardings is applied here, after every source has been
	 * parsed into the shared forward tables, so it discards all of them
	 * regardless of where they were specified.
	 */
	if (options->clear_forwardings == 1)
		clear_forwardings(options);
	if (options->no_host_authentication_for_localhost == - 1)
		options->no_host_authentication_for_localhost = 0;
	if (options->identities_only == -1)
		options->identities_only = 0;
	if (options->enable_ssh_keysign == -1)
		options->enable_ssh_keysign = 0;
	/* 0 == no client-initiated rekey limit. */
	if (options->rekey_limit == -1)
		options->rekey_limit = 0;
	if (options->verify_host_key_dns == -1)
		options->verify_host_key_dns = 0;
	if (options->server_alive_interval == -1)
		options->server_alive_interval = 0;
	if (options->server_alive_count_max == -1)
		options->server_alive_count_max = 3;
	if (options->control_master == -1)
		options->control_master = 0;
	if (options->hash_known_hosts == -1)
		options->hash_known_hosts = 0;
	if (options->tun_open == -1)
		options->tun_open = SSH_TUNMODE_NO;
	if (options->tun_local == -1)
		options->tun_local = SSH_TUNID_ANY;
	if (options->tun_remote == -1)
		options->tun_remote = SSH_TUNID_ANY;
	/* LocalCommand stays disabled unless explicitly permitted. */
	if (options->permit_local_command == -1)
		options->permit_local_command = 0;
	if (options->visual_host_key == -1)
		options->visual_host_key = 0;
	/* options->local_command should not be set by default */
	/* options->proxy_command should not be set by default */
	/* options->user will be set in the main program if appropriate */
	/* options->hostname will be set in the main program if appropriate */
	/* options->host_key_alias should not be set by default */
	/* options->preferred_authentications will be set in ssh */
/*
 * parses a string containing a port forwarding specification of the form:
 *   [listenhost:]listenport:connecthost:connectport
 * or, for a dynamic (SOCKS) forward:
 *   [listenhost:]listenport
 * returns number of arguments parsed or zero on error
 *
 * On success *fwd owns freshly allocated host strings; on failure they
 * are released again and *fwd must not be used.  Validation in view:
 * the field count must agree with dynamicfwd, both ports must convert to
 * a non-zero value (a2port() presumably returns 0 for a bad port), and
 * connect_host must be shorter than NI_MAXHOST.  listen_host is not
 * length-checked here.
 */
parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd)
	char *p, *cp, *fwdarg[4];

	memset(fwd, '\0', sizeof(*fwd));

	/* Work on a private copy: hpdelim() presumably writes into the string. */
	cp = p = xstrdup(fwdspec);

	/* skip leading spaces */
	while (isspace(*cp))

	/* Split into at most four host/port fields (hpdelim handles "[v6]:port" -- confirm). */
	for (i = 0; i < 4; ++i)
		if ((fwdarg[i] = hpdelim(&cp)) == NULL)

	/* Check for trailing garbage in 4-arg case*/
		i = 0;	/* failure */

	/* 1 field: dynamic forward, default listen address. */
		fwd->listen_host = NULL;
		fwd->listen_port = a2port(fwdarg[0]);
		fwd->connect_host = xstrdup("socks");

	/* 2 fields: dynamic forward with an explicit listen address. */
		fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
		fwd->listen_port = a2port(fwdarg[1]);
		fwd->connect_host = xstrdup("socks");

	/* 3 fields: listenport:connecthost:connectport. */
		fwd->listen_host = NULL;
		fwd->listen_port = a2port(fwdarg[0]);
		fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
		fwd->connect_port = a2port(fwdarg[2]);

	/* 4 fields: listenhost:listenport:connecthost:connectport. */
		fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
		fwd->listen_port = a2port(fwdarg[1]);
		fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
		fwd->connect_port = a2port(fwdarg[3]);

		i = 0;	/* failure */

	/* Dynamic forwards take 1 or 2 fields, ordinary forwards 3 or 4. */
		if (!(i == 1 || i == 2))
		if (!(i == 3 || i == 4))
		/* A bad or missing connect port only matters for ordinary forwards. */
		if (fwd->connect_port == 0)

	if (fwd->listen_port == 0)

	if (fwd->connect_host != NULL &&
	    strlen(fwd->connect_host) >= NI_MAXHOST)

	/* Failure path: give back whatever was duplicated above. */
	if (fwd->connect_host != NULL)
		xfree(fwd->connect_host);
	if (fwd->listen_host != NULL)
		xfree(fwd->listen_host);