2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.112 2002/06/23 09:46:51 deraadt Exp $");
22 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
24 #define KEYFILE "/etc/krb5.keytab"
36 #include "pathnames.h"
37 #include "tildexpand.h"
43 static void add_listen_addr(ServerOptions *, char *, u_short);
44 static void add_one_listen_addr(ServerOptions *, char *, u_short);
46 /* AF_UNSPEC or AF_INET or AF_INET6 */
48 /* Use of privilege separation or not */
49 extern int use_privsep;
51 /* Initializes the server options to their default values. */
54 initialize_server_options(ServerOptions *options)
56 memset(options, 0, sizeof(*options));
58 /* Portable-specific options */
59 options->pam_authentication_via_kbd_int = -1;
61 /* Standard Options */
62 options->num_ports = 0;
63 options->ports_from_cmdline = 0;
64 options->listen_addrs = NULL;
65 options->num_host_key_files = 0;
66 options->pid_file = NULL;
67 options->server_key_bits = -1;
68 options->login_grace_time = -1;
69 options->key_regeneration_time = -1;
70 options->permit_root_login = PERMIT_NOT_SET;
71 options->ignore_rhosts = -1;
72 options->ignore_user_known_hosts = -1;
73 options->print_motd = -1;
74 options->print_lastlog = -1;
75 options->x11_forwarding = -1;
76 options->x11_display_offset = -1;
77 options->x11_use_localhost = -1;
78 options->xauth_location = NULL;
79 options->strict_modes = -1;
80 options->keepalives = -1;
81 options->log_facility = SYSLOG_FACILITY_NOT_SET;
82 options->log_level = SYSLOG_LEVEL_NOT_SET;
83 options->rhosts_authentication = -1;
84 options->rhosts_rsa_authentication = -1;
85 options->hostbased_authentication = -1;
86 options->hostbased_uses_name_from_packet_only = -1;
87 options->rsa_authentication = -1;
88 options->pubkey_authentication = -1;
89 #if defined(KRB4) || defined(KRB5)
90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
94 #if defined(AFS) || defined(KRB5)
95 options->kerberos_tgt_passing = -1;
98 options->afs_token_passing = -1;
100 options->password_authentication = -1;
101 options->kbd_interactive_authentication = -1;
102 options->challenge_response_authentication = -1;
103 options->permit_empty_passwd = -1;
104 options->use_login = -1;
105 options->compression = -1;
106 options->allow_tcp_forwarding = -1;
107 options->num_allow_users = 0;
108 options->num_deny_users = 0;
109 options->num_allow_groups = 0;
110 options->num_deny_groups = 0;
111 options->ciphers = NULL;
112 options->macs = NULL;
113 options->protocol = SSH_PROTO_UNKNOWN;
114 options->gateway_ports = -1;
115 options->num_subsystems = 0;
116 options->max_startups_begin = -1;
117 options->max_startups_rate = -1;
118 options->max_startups = -1;
119 options->banner = NULL;
120 options->verify_reverse_mapping = -1;
121 options->client_alive_interval = -1;
122 options->client_alive_count_max = -1;
123 options->authorized_keys_file = NULL;
124 options->authorized_keys_file2 = NULL;
126 /* Needs to be accessable in many places */
131 fill_default_server_options(ServerOptions *options)
133 /* Portable-specific options */
134 if (options->pam_authentication_via_kbd_int == -1)
135 options->pam_authentication_via_kbd_int = 0;
137 /* Standard Options */
138 if (options->protocol == SSH_PROTO_UNKNOWN)
139 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
140 if (options->num_host_key_files == 0) {
141 /* fill default hostkeys for protocols */
142 if (options->protocol & SSH_PROTO_1)
143 options->host_key_files[options->num_host_key_files++] =
145 if (options->protocol & SSH_PROTO_2) {
146 options->host_key_files[options->num_host_key_files++] =
147 _PATH_HOST_RSA_KEY_FILE;
148 options->host_key_files[options->num_host_key_files++] =
149 _PATH_HOST_DSA_KEY_FILE;
152 if (options->num_ports == 0)
153 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
154 if (options->listen_addrs == NULL)
155 add_listen_addr(options, NULL, 0);
156 if (options->pid_file == NULL)
157 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
158 if (options->server_key_bits == -1)
159 options->server_key_bits = 768;
160 if (options->login_grace_time == -1)
161 options->login_grace_time = 600;
162 if (options->key_regeneration_time == -1)
163 options->key_regeneration_time = 3600;
164 if (options->permit_root_login == PERMIT_NOT_SET)
165 options->permit_root_login = PERMIT_YES;
166 if (options->ignore_rhosts == -1)
167 options->ignore_rhosts = 1;
168 if (options->ignore_user_known_hosts == -1)
169 options->ignore_user_known_hosts = 0;
170 if (options->print_motd == -1)
171 options->print_motd = 1;
172 if (options->print_lastlog == -1)
173 options->print_lastlog = 1;
174 if (options->x11_forwarding == -1)
175 options->x11_forwarding = 0;
176 if (options->x11_display_offset == -1)
177 options->x11_display_offset = 10;
178 if (options->x11_use_localhost == -1)
179 options->x11_use_localhost = 1;
180 if (options->xauth_location == NULL)
181 options->xauth_location = _PATH_XAUTH;
182 if (options->strict_modes == -1)
183 options->strict_modes = 1;
184 if (options->keepalives == -1)
185 options->keepalives = 1;
186 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
187 options->log_facility = SYSLOG_FACILITY_AUTH;
188 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
189 options->log_level = SYSLOG_LEVEL_INFO;
190 if (options->rhosts_authentication == -1)
191 options->rhosts_authentication = 0;
192 if (options->rhosts_rsa_authentication == -1)
193 options->rhosts_rsa_authentication = 0;
194 if (options->hostbased_authentication == -1)
195 options->hostbased_authentication = 0;
196 if (options->hostbased_uses_name_from_packet_only == -1)
197 options->hostbased_uses_name_from_packet_only = 0;
198 if (options->rsa_authentication == -1)
199 options->rsa_authentication = 1;
200 if (options->pubkey_authentication == -1)
201 options->pubkey_authentication = 1;
202 #if defined(KRB4) || defined(KRB5)
203 if (options->kerberos_authentication == -1)
204 options->kerberos_authentication = 0;
205 if (options->kerberos_or_local_passwd == -1)
206 options->kerberos_or_local_passwd = 1;
207 if (options->kerberos_ticket_cleanup == -1)
208 options->kerberos_ticket_cleanup = 1;
210 #if defined(AFS) || defined(KRB5)
211 if (options->kerberos_tgt_passing == -1)
212 options->kerberos_tgt_passing = 0;
215 if (options->afs_token_passing == -1)
216 options->afs_token_passing = 0;
218 if (options->password_authentication == -1)
219 options->password_authentication = 1;
220 if (options->kbd_interactive_authentication == -1)
221 options->kbd_interactive_authentication = 0;
222 if (options->challenge_response_authentication == -1)
223 options->challenge_response_authentication = 1;
224 if (options->permit_empty_passwd == -1)
225 options->permit_empty_passwd = 0;
226 if (options->use_login == -1)
227 options->use_login = 0;
228 if (options->compression == -1)
229 options->compression = 1;
230 if (options->allow_tcp_forwarding == -1)
231 options->allow_tcp_forwarding = 1;
232 if (options->gateway_ports == -1)
233 options->gateway_ports = 0;
234 if (options->max_startups == -1)
235 options->max_startups = 10;
236 if (options->max_startups_rate == -1)
237 options->max_startups_rate = 100; /* 100% */
238 if (options->max_startups_begin == -1)
239 options->max_startups_begin = options->max_startups;
240 if (options->verify_reverse_mapping == -1)
241 options->verify_reverse_mapping = 0;
242 if (options->client_alive_interval == -1)
243 options->client_alive_interval = 0;
244 if (options->client_alive_count_max == -1)
245 options->client_alive_count_max = 3;
246 if (options->authorized_keys_file2 == NULL) {
247 /* authorized_keys_file2 falls back to authorized_keys_file */
248 if (options->authorized_keys_file != NULL)
249 options->authorized_keys_file2 = options->authorized_keys_file;
251 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
253 if (options->authorized_keys_file == NULL)
254 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
256 /* Turn privilege separation on by default */
257 if (use_privsep == -1)
261 if (use_privsep && options->compression == 1) {
262 error("This platform does not support both privilege "
263 "separation and compression");
264 error("Compression disabled");
265 options->compression = 0;
271 /* Keyword tokens. */
273 sBadOption, /* == unknown option */
274 /* Portable-specific options */
275 sPAMAuthenticationViaKbdInt,
276 /* Standard Options */
277 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
278 sPermitRootLogin, sLogFacility, sLogLevel,
279 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
280 #if defined(KRB4) || defined(KRB5)
281 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
283 #if defined(AFS) || defined(KRB5)
289 sChallengeResponseAuthentication,
290 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
291 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
292 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
293 sStrictModes, sEmptyPasswd, sKeepAlives,
294 sUseLogin, sAllowTcpForwarding, sCompression,
295 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
296 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
297 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
298 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
299 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
300 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
301 sUsePrivilegeSeparation,
305 /* Textual representation of the tokens. */
308 ServerOpCodes opcode;
310 /* Portable-specific options */
311 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
312 /* Standard Options */
314 { "hostkey", sHostKeyFile },
315 { "hostdsakey", sHostKeyFile }, /* alias */
316 { "pidfile", sPidFile },
317 { "serverkeybits", sServerKeyBits },
318 { "logingracetime", sLoginGraceTime },
319 { "keyregenerationinterval", sKeyRegenerationTime },
320 { "permitrootlogin", sPermitRootLogin },
321 { "syslogfacility", sLogFacility },
322 { "loglevel", sLogLevel },
323 { "rhostsauthentication", sRhostsAuthentication },
324 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
325 { "hostbasedauthentication", sHostbasedAuthentication },
326 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
327 { "rsaauthentication", sRSAAuthentication },
328 { "pubkeyauthentication", sPubkeyAuthentication },
329 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
330 #if defined(KRB4) || defined(KRB5)
331 { "kerberosauthentication", sKerberosAuthentication },
332 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
333 { "kerberosticketcleanup", sKerberosTicketCleanup },
335 #if defined(AFS) || defined(KRB5)
336 { "kerberostgtpassing", sKerberosTgtPassing },
339 { "afstokenpassing", sAFSTokenPassing },
341 { "passwordauthentication", sPasswordAuthentication },
342 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
343 { "challengeresponseauthentication", sChallengeResponseAuthentication },
344 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
345 { "checkmail", sDeprecated },
346 { "listenaddress", sListenAddress },
347 { "printmotd", sPrintMotd },
348 { "printlastlog", sPrintLastLog },
349 { "ignorerhosts", sIgnoreRhosts },
350 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
351 { "x11forwarding", sX11Forwarding },
352 { "x11displayoffset", sX11DisplayOffset },
353 { "x11uselocalhost", sX11UseLocalhost },
354 { "xauthlocation", sXAuthLocation },
355 { "strictmodes", sStrictModes },
356 { "permitemptypasswords", sEmptyPasswd },
357 { "uselogin", sUseLogin },
358 { "compression", sCompression },
359 { "keepalive", sKeepAlives },
360 { "allowtcpforwarding", sAllowTcpForwarding },
361 { "allowusers", sAllowUsers },
362 { "denyusers", sDenyUsers },
363 { "allowgroups", sAllowGroups },
364 { "denygroups", sDenyGroups },
365 { "ciphers", sCiphers },
367 { "protocol", sProtocol },
368 { "gatewayports", sGatewayPorts },
369 { "subsystem", sSubsystem },
370 { "maxstartups", sMaxStartups },
371 { "banner", sBanner },
372 { "verifyreversemapping", sVerifyReverseMapping },
373 { "reversemappingcheck", sVerifyReverseMapping },
374 { "clientaliveinterval", sClientAliveInterval },
375 { "clientalivecountmax", sClientAliveCountMax },
376 { "authorizedkeysfile", sAuthorizedKeysFile },
377 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
378 { "useprivilegeseparation", sUsePrivilegeSeparation},
383 * Returns the number of the token pointed to by cp or sBadOption.
387 parse_token(const char *cp, const char *filename,
392 for (i = 0; keywords[i].name; i++)
393 if (strcasecmp(cp, keywords[i].name) == 0)
394 return keywords[i].opcode;
396 error("%s: line %d: Bad configuration option: %s",
397 filename, linenum, cp);
402 add_listen_addr(ServerOptions *options, char *addr, u_short port)
406 if (options->num_ports == 0)
407 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
409 for (i = 0; i < options->num_ports; i++)
410 add_one_listen_addr(options, addr, options->ports[i]);
412 add_one_listen_addr(options, addr, port);
416 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
418 struct addrinfo hints, *ai, *aitop;
419 char strport[NI_MAXSERV];
422 memset(&hints, 0, sizeof(hints));
423 hints.ai_family = IPv4or6;
424 hints.ai_socktype = SOCK_STREAM;
425 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
426 snprintf(strport, sizeof strport, "%u", port);
427 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
428 fatal("bad addr or host: %s (%s)",
429 addr ? addr : "<NULL>",
430 gai_strerror(gaierr));
431 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
433 ai->ai_next = options->listen_addrs;
434 options->listen_addrs = aitop;
438 process_server_config_line(ServerOptions *options, char *line,
439 const char *filename, int linenum)
441 char *cp, **charptr, *arg, *p;
442 int *intptr, value, i, n;
443 ServerOpCodes opcode;
447 /* Ignore leading whitespace */
450 if (!arg || !*arg || *arg == '#')
454 opcode = parse_token(arg, filename, linenum);
456 /* Portable-specific options */
457 case sPAMAuthenticationViaKbdInt:
458 intptr = &options->pam_authentication_via_kbd_int;
461 /* Standard Options */
465 /* ignore ports from configfile if cmdline specifies ports */
466 if (options->ports_from_cmdline)
468 if (options->listen_addrs != NULL)
469 fatal("%s line %d: ports must be specified before "
470 "ListenAddress.", filename, linenum);
471 if (options->num_ports >= MAX_PORTS)
472 fatal("%s line %d: too many ports.",
475 if (!arg || *arg == '\0')
476 fatal("%s line %d: missing port number.",
478 options->ports[options->num_ports++] = a2port(arg);
479 if (options->ports[options->num_ports-1] == 0)
480 fatal("%s line %d: Badly formatted port number.",
485 intptr = &options->server_key_bits;
488 if (!arg || *arg == '\0')
489 fatal("%s line %d: missing integer value.",
496 case sLoginGraceTime:
497 intptr = &options->login_grace_time;
500 if (!arg || *arg == '\0')
501 fatal("%s line %d: missing time value.",
503 if ((value = convtime(arg)) == -1)
504 fatal("%s line %d: invalid time value.",
510 case sKeyRegenerationTime:
511 intptr = &options->key_regeneration_time;
516 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
517 fatal("%s line %d: missing inet addr.",
520 if ((p = strchr(arg, ']')) == NULL)
521 fatal("%s line %d: bad ipv6 inet addr usage.",
524 memmove(p, p+1, strlen(p+1)+1);
525 } else if (((p = strchr(arg, ':')) == NULL) ||
526 (strchr(p+1, ':') != NULL)) {
527 add_listen_addr(options, arg, 0);
535 fatal("%s line %d: bad inet addr:port usage.",
539 if ((port = a2port(p)) == 0)
540 fatal("%s line %d: bad port number.",
542 add_listen_addr(options, arg, port);
544 } else if (*p == '\0')
545 add_listen_addr(options, arg, 0);
547 fatal("%s line %d: bad inet addr usage.",
552 intptr = &options->num_host_key_files;
553 if (*intptr >= MAX_HOSTKEYS)
554 fatal("%s line %d: too many host keys specified (max %d).",
555 filename, linenum, MAX_HOSTKEYS);
556 charptr = &options->host_key_files[*intptr];
559 if (!arg || *arg == '\0')
560 fatal("%s line %d: missing file name.",
562 if (*charptr == NULL) {
563 *charptr = tilde_expand_filename(arg, getuid());
564 /* increase optional counter */
566 *intptr = *intptr + 1;
571 charptr = &options->pid_file;
574 case sPermitRootLogin:
575 intptr = &options->permit_root_login;
577 if (!arg || *arg == '\0')
578 fatal("%s line %d: missing yes/"
579 "without-password/forced-commands-only/no "
580 "argument.", filename, linenum);
581 value = 0; /* silence compiler */
582 if (strcmp(arg, "without-password") == 0)
583 value = PERMIT_NO_PASSWD;
584 else if (strcmp(arg, "forced-commands-only") == 0)
585 value = PERMIT_FORCED_ONLY;
586 else if (strcmp(arg, "yes") == 0)
588 else if (strcmp(arg, "no") == 0)
591 fatal("%s line %d: Bad yes/"
592 "without-password/forced-commands-only/no "
593 "argument: %s", filename, linenum, arg);
599 intptr = &options->ignore_rhosts;
602 if (!arg || *arg == '\0')
603 fatal("%s line %d: missing yes/no argument.",
605 value = 0; /* silence compiler */
606 if (strcmp(arg, "yes") == 0)
608 else if (strcmp(arg, "no") == 0)
611 fatal("%s line %d: Bad yes/no argument: %s",
612 filename, linenum, arg);
617 case sIgnoreUserKnownHosts:
618 intptr = &options->ignore_user_known_hosts;
621 case sRhostsAuthentication:
622 intptr = &options->rhosts_authentication;
625 case sRhostsRSAAuthentication:
626 intptr = &options->rhosts_rsa_authentication;
629 case sHostbasedAuthentication:
630 intptr = &options->hostbased_authentication;
633 case sHostbasedUsesNameFromPacketOnly:
634 intptr = &options->hostbased_uses_name_from_packet_only;
637 case sRSAAuthentication:
638 intptr = &options->rsa_authentication;
641 case sPubkeyAuthentication:
642 intptr = &options->pubkey_authentication;
644 #if defined(KRB4) || defined(KRB5)
645 case sKerberosAuthentication:
646 intptr = &options->kerberos_authentication;
649 case sKerberosOrLocalPasswd:
650 intptr = &options->kerberos_or_local_passwd;
653 case sKerberosTicketCleanup:
654 intptr = &options->kerberos_ticket_cleanup;
657 #if defined(AFS) || defined(KRB5)
658 case sKerberosTgtPassing:
659 intptr = &options->kerberos_tgt_passing;
663 case sAFSTokenPassing:
664 intptr = &options->afs_token_passing;
668 case sPasswordAuthentication:
669 intptr = &options->password_authentication;
672 case sKbdInteractiveAuthentication:
673 intptr = &options->kbd_interactive_authentication;
676 case sChallengeResponseAuthentication:
677 intptr = &options->challenge_response_authentication;
681 intptr = &options->print_motd;
685 intptr = &options->print_lastlog;
689 intptr = &options->x11_forwarding;
692 case sX11DisplayOffset:
693 intptr = &options->x11_display_offset;
696 case sX11UseLocalhost:
697 intptr = &options->x11_use_localhost;
701 charptr = &options->xauth_location;
705 intptr = &options->strict_modes;
709 intptr = &options->keepalives;
713 intptr = &options->permit_empty_passwd;
717 intptr = &options->use_login;
721 intptr = &options->compression;
725 intptr = &options->gateway_ports;
728 case sVerifyReverseMapping:
729 intptr = &options->verify_reverse_mapping;
733 intptr = (int *) &options->log_facility;
735 value = log_facility_number(arg);
736 if (value == SYSLOG_FACILITY_NOT_SET)
737 fatal("%.200s line %d: unsupported log facility '%s'",
738 filename, linenum, arg ? arg : "<NONE>");
740 *intptr = (SyslogFacility) value;
744 intptr = (int *) &options->log_level;
746 value = log_level_number(arg);
747 if (value == SYSLOG_LEVEL_NOT_SET)
748 fatal("%.200s line %d: unsupported log level '%s'",
749 filename, linenum, arg ? arg : "<NONE>");
751 *intptr = (LogLevel) value;
754 case sAllowTcpForwarding:
755 intptr = &options->allow_tcp_forwarding;
758 case sUsePrivilegeSeparation:
759 intptr = &use_privsep;
763 while ((arg = strdelim(&cp)) && *arg != '\0') {
764 if (options->num_allow_users >= MAX_ALLOW_USERS)
765 fatal("%s line %d: too many allow users.",
767 options->allow_users[options->num_allow_users++] =
773 while ((arg = strdelim(&cp)) && *arg != '\0') {
774 if (options->num_deny_users >= MAX_DENY_USERS)
775 fatal( "%s line %d: too many deny users.",
777 options->deny_users[options->num_deny_users++] =
783 while ((arg = strdelim(&cp)) && *arg != '\0') {
784 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
785 fatal("%s line %d: too many allow groups.",
787 options->allow_groups[options->num_allow_groups++] =
793 while ((arg = strdelim(&cp)) && *arg != '\0') {
794 if (options->num_deny_groups >= MAX_DENY_GROUPS)
795 fatal("%s line %d: too many deny groups.",
797 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
803 if (!arg || *arg == '\0')
804 fatal("%s line %d: Missing argument.", filename, linenum);
805 if (!ciphers_valid(arg))
806 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
807 filename, linenum, arg ? arg : "<NONE>");
808 if (options->ciphers == NULL)
809 options->ciphers = xstrdup(arg);
814 if (!arg || *arg == '\0')
815 fatal("%s line %d: Missing argument.", filename, linenum);
817 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
818 filename, linenum, arg ? arg : "<NONE>");
819 if (options->macs == NULL)
820 options->macs = xstrdup(arg);
824 intptr = &options->protocol;
826 if (!arg || *arg == '\0')
827 fatal("%s line %d: Missing argument.", filename, linenum);
828 value = proto_spec(arg);
829 if (value == SSH_PROTO_UNKNOWN)
830 fatal("%s line %d: Bad protocol spec '%s'.",
831 filename, linenum, arg ? arg : "<NONE>");
832 if (*intptr == SSH_PROTO_UNKNOWN)
837 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
838 fatal("%s line %d: too many subsystems defined.",
842 if (!arg || *arg == '\0')
843 fatal("%s line %d: Missing subsystem name.",
845 for (i = 0; i < options->num_subsystems; i++)
846 if (strcmp(arg, options->subsystem_name[i]) == 0)
847 fatal("%s line %d: Subsystem '%s' already defined.",
848 filename, linenum, arg);
849 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
851 if (!arg || *arg == '\0')
852 fatal("%s line %d: Missing subsystem command.",
854 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
855 options->num_subsystems++;
860 if (!arg || *arg == '\0')
861 fatal("%s line %d: Missing MaxStartups spec.",
863 if ((n = sscanf(arg, "%d:%d:%d",
864 &options->max_startups_begin,
865 &options->max_startups_rate,
866 &options->max_startups)) == 3) {
867 if (options->max_startups_begin >
868 options->max_startups ||
869 options->max_startups_rate > 100 ||
870 options->max_startups_rate < 1)
871 fatal("%s line %d: Illegal MaxStartups spec.",
874 fatal("%s line %d: Illegal MaxStartups spec.",
877 options->max_startups = options->max_startups_begin;
881 charptr = &options->banner;
884 * These options can contain %X options expanded at
885 * connect time, so that you can specify paths like:
887 * AuthorizedKeysFile /etc/ssh_keys/%u
889 case sAuthorizedKeysFile:
890 case sAuthorizedKeysFile2:
891 charptr = (opcode == sAuthorizedKeysFile ) ?
892 &options->authorized_keys_file :
893 &options->authorized_keys_file2;
896 case sClientAliveInterval:
897 intptr = &options->client_alive_interval;
900 case sClientAliveCountMax:
901 intptr = &options->client_alive_count_max;
905 log("%s line %d: Deprecated option %s",
906 filename, linenum, arg);
912 fatal("%s line %d: Missing handler for opcode %s (%d)",
913 filename, linenum, arg, opcode);
915 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
916 fatal("%s line %d: garbage at end of line; \"%.200s\".",
917 filename, linenum, arg);
921 /* Reads the server configuration file. */
924 read_server_config(ServerOptions *options, const char *filename)
926 int linenum, bad_options = 0;
930 f = fopen(filename, "r");
936 while (fgets(line, sizeof(line), f)) {
937 /* Update line number counter. */
939 if (process_server_config_line(options, line, filename, linenum) != 0)
944 fatal("%s: terminating, %d bad configuration options",
945 filename, bad_options);