1 /* $OpenBSD: servconf.c,v 1.150 2006/03/25 13:17:02 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
20 #include "pathnames.h"
26 static void add_listen_addr(ServerOptions *, char *, u_short);
27 static void add_one_listen_addr(ServerOptions *, char *, u_short);
29 /* Use of privilege separation or not */
30 extern int use_privsep;
32 /* Initializes the server options to their default values. */
35 initialize_server_options(ServerOptions *options)
37 memset(options, 0, sizeof(*options));
39 /* Portable-specific options */
40 options->use_pam = -1;
42 /* Standard Options */
43 options->num_ports = 0;
44 options->ports_from_cmdline = 0;
45 options->listen_addrs = NULL;
46 options->address_family = -1;
47 options->num_host_key_files = 0;
48 options->pid_file = NULL;
49 options->server_key_bits = -1;
50 options->login_grace_time = -1;
51 options->key_regeneration_time = -1;
52 options->permit_root_login = PERMIT_NOT_SET;
53 options->ignore_rhosts = -1;
54 options->ignore_user_known_hosts = -1;
55 options->print_motd = -1;
56 options->print_lastlog = -1;
57 options->x11_forwarding = -1;
58 options->x11_display_offset = -1;
59 options->x11_use_localhost = -1;
60 options->xauth_location = NULL;
61 options->strict_modes = -1;
62 options->tcp_keep_alive = -1;
63 options->log_facility = SYSLOG_FACILITY_NOT_SET;
64 options->log_level = SYSLOG_LEVEL_NOT_SET;
65 options->rhosts_rsa_authentication = -1;
66 options->hostbased_authentication = -1;
67 options->hostbased_uses_name_from_packet_only = -1;
68 options->rsa_authentication = -1;
69 options->pubkey_authentication = -1;
70 options->kerberos_authentication = -1;
71 options->kerberos_or_local_passwd = -1;
72 options->kerberos_ticket_cleanup = -1;
73 options->kerberos_get_afs_token = -1;
74 options->gss_authentication=-1;
75 options->gss_cleanup_creds = -1;
76 options->password_authentication = -1;
77 options->kbd_interactive_authentication = -1;
78 options->challenge_response_authentication = -1;
79 options->permit_empty_passwd = -1;
80 options->permit_user_env = -1;
81 options->use_login = -1;
82 options->compression = -1;
83 options->allow_tcp_forwarding = -1;
84 options->num_allow_users = 0;
85 options->num_deny_users = 0;
86 options->num_allow_groups = 0;
87 options->num_deny_groups = 0;
88 options->ciphers = NULL;
90 options->protocol = SSH_PROTO_UNKNOWN;
91 options->gateway_ports = -1;
92 options->num_subsystems = 0;
93 options->max_startups_begin = -1;
94 options->max_startups_rate = -1;
95 options->max_startups = -1;
96 options->max_authtries = -1;
97 options->banner = NULL;
98 options->use_dns = -1;
99 options->client_alive_interval = -1;
100 options->client_alive_count_max = -1;
101 options->authorized_keys_file = NULL;
102 options->authorized_keys_file2 = NULL;
103 options->num_accept_env = 0;
104 options->permit_tun = -1;
106 /* Needs to be accessable in many places */
111 fill_default_server_options(ServerOptions *options)
113 /* Portable-specific options */
114 if (options->use_pam == -1)
115 options->use_pam = 0;
117 /* Standard Options */
118 if (options->protocol == SSH_PROTO_UNKNOWN)
119 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
120 if (options->num_host_key_files == 0) {
121 /* fill default hostkeys for protocols */
122 if (options->protocol & SSH_PROTO_1)
123 options->host_key_files[options->num_host_key_files++] =
125 if (options->protocol & SSH_PROTO_2) {
126 options->host_key_files[options->num_host_key_files++] =
127 _PATH_HOST_RSA_KEY_FILE;
128 options->host_key_files[options->num_host_key_files++] =
129 _PATH_HOST_DSA_KEY_FILE;
132 if (options->num_ports == 0)
133 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
134 if (options->listen_addrs == NULL)
135 add_listen_addr(options, NULL, 0);
136 if (options->pid_file == NULL)
137 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
138 if (options->server_key_bits == -1)
139 options->server_key_bits = 768;
140 if (options->login_grace_time == -1)
141 options->login_grace_time = 120;
142 if (options->key_regeneration_time == -1)
143 options->key_regeneration_time = 3600;
144 if (options->permit_root_login == PERMIT_NOT_SET)
145 options->permit_root_login = PERMIT_YES;
146 if (options->ignore_rhosts == -1)
147 options->ignore_rhosts = 1;
148 if (options->ignore_user_known_hosts == -1)
149 options->ignore_user_known_hosts = 0;
150 if (options->print_motd == -1)
151 options->print_motd = 1;
152 if (options->print_lastlog == -1)
153 options->print_lastlog = 1;
154 if (options->x11_forwarding == -1)
155 options->x11_forwarding = 0;
156 if (options->x11_display_offset == -1)
157 options->x11_display_offset = 10;
158 if (options->x11_use_localhost == -1)
159 options->x11_use_localhost = 1;
160 if (options->xauth_location == NULL)
161 options->xauth_location = _PATH_XAUTH;
162 if (options->strict_modes == -1)
163 options->strict_modes = 1;
164 if (options->tcp_keep_alive == -1)
165 options->tcp_keep_alive = 1;
166 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
167 options->log_facility = SYSLOG_FACILITY_AUTH;
168 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
169 options->log_level = SYSLOG_LEVEL_INFO;
170 if (options->rhosts_rsa_authentication == -1)
171 options->rhosts_rsa_authentication = 0;
172 if (options->hostbased_authentication == -1)
173 options->hostbased_authentication = 0;
174 if (options->hostbased_uses_name_from_packet_only == -1)
175 options->hostbased_uses_name_from_packet_only = 0;
176 if (options->rsa_authentication == -1)
177 options->rsa_authentication = 1;
178 if (options->pubkey_authentication == -1)
179 options->pubkey_authentication = 1;
180 if (options->kerberos_authentication == -1)
181 options->kerberos_authentication = 0;
182 if (options->kerberos_or_local_passwd == -1)
183 options->kerberos_or_local_passwd = 1;
184 if (options->kerberos_ticket_cleanup == -1)
185 options->kerberos_ticket_cleanup = 1;
186 if (options->kerberos_get_afs_token == -1)
187 options->kerberos_get_afs_token = 0;
188 if (options->gss_authentication == -1)
189 options->gss_authentication = 0;
190 if (options->gss_cleanup_creds == -1)
191 options->gss_cleanup_creds = 1;
192 if (options->password_authentication == -1)
193 options->password_authentication = 1;
194 if (options->kbd_interactive_authentication == -1)
195 options->kbd_interactive_authentication = 0;
196 if (options->challenge_response_authentication == -1)
197 options->challenge_response_authentication = 1;
198 if (options->permit_empty_passwd == -1)
199 options->permit_empty_passwd = 0;
200 if (options->permit_user_env == -1)
201 options->permit_user_env = 0;
202 if (options->use_login == -1)
203 options->use_login = 0;
204 if (options->compression == -1)
205 options->compression = COMP_DELAYED;
206 if (options->allow_tcp_forwarding == -1)
207 options->allow_tcp_forwarding = 1;
208 if (options->gateway_ports == -1)
209 options->gateway_ports = 0;
210 if (options->max_startups == -1)
211 options->max_startups = 10;
212 if (options->max_startups_rate == -1)
213 options->max_startups_rate = 100; /* 100% */
214 if (options->max_startups_begin == -1)
215 options->max_startups_begin = options->max_startups;
216 if (options->max_authtries == -1)
217 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
218 if (options->use_dns == -1)
219 options->use_dns = 1;
220 if (options->client_alive_interval == -1)
221 options->client_alive_interval = 0;
222 if (options->client_alive_count_max == -1)
223 options->client_alive_count_max = 3;
224 if (options->authorized_keys_file2 == NULL) {
225 /* authorized_keys_file2 falls back to authorized_keys_file */
226 if (options->authorized_keys_file != NULL)
227 options->authorized_keys_file2 = options->authorized_keys_file;
229 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
231 if (options->authorized_keys_file == NULL)
232 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
233 if (options->permit_tun == -1)
234 options->permit_tun = SSH_TUNMODE_NO;
236 /* Turn privilege separation on by default */
237 if (use_privsep == -1)
241 if (use_privsep && options->compression == 1) {
242 error("This platform does not support both privilege "
243 "separation and compression");
244 error("Compression disabled");
245 options->compression = 0;
251 /* Keyword tokens. */
253 sBadOption, /* == unknown option */
254 /* Portable-specific options */
256 /* Standard Options */
257 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
258 sPermitRootLogin, sLogFacility, sLogLevel,
259 sRhostsRSAAuthentication, sRSAAuthentication,
260 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
261 sKerberosGetAFSToken,
262 sKerberosTgtPassing, sChallengeResponseAuthentication,
263 sPasswordAuthentication, sKbdInteractiveAuthentication,
264 sListenAddress, sAddressFamily,
265 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
266 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
267 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
268 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
269 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
270 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
271 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
272 sMaxStartups, sMaxAuthTries,
273 sBanner, sUseDNS, sHostbasedAuthentication,
274 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
275 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
276 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
277 sUsePrivilegeSeparation,
278 sDeprecated, sUnsupported
281 /* Textual representation of the tokens. */
284 ServerOpCodes opcode;
286 /* Portable-specific options */
288 { "usepam", sUsePAM },
290 { "usepam", sUnsupported },
292 { "pamauthenticationviakbdint", sDeprecated },
293 /* Standard Options */
295 { "hostkey", sHostKeyFile },
296 { "hostdsakey", sHostKeyFile }, /* alias */
297 { "pidfile", sPidFile },
298 { "serverkeybits", sServerKeyBits },
299 { "logingracetime", sLoginGraceTime },
300 { "keyregenerationinterval", sKeyRegenerationTime },
301 { "permitrootlogin", sPermitRootLogin },
302 { "syslogfacility", sLogFacility },
303 { "loglevel", sLogLevel },
304 { "rhostsauthentication", sDeprecated },
305 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
306 { "hostbasedauthentication", sHostbasedAuthentication },
307 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
308 { "rsaauthentication", sRSAAuthentication },
309 { "pubkeyauthentication", sPubkeyAuthentication },
310 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
312 { "kerberosauthentication", sKerberosAuthentication },
313 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
314 { "kerberosticketcleanup", sKerberosTicketCleanup },
316 { "kerberosgetafstoken", sKerberosGetAFSToken },
318 { "kerberosgetafstoken", sUnsupported },
321 { "kerberosauthentication", sUnsupported },
322 { "kerberosorlocalpasswd", sUnsupported },
323 { "kerberosticketcleanup", sUnsupported },
324 { "kerberosgetafstoken", sUnsupported },
326 { "kerberostgtpassing", sUnsupported },
327 { "afstokenpassing", sUnsupported },
329 { "gssapiauthentication", sGssAuthentication },
330 { "gssapicleanupcredentials", sGssCleanupCreds },
332 { "gssapiauthentication", sUnsupported },
333 { "gssapicleanupcredentials", sUnsupported },
335 { "passwordauthentication", sPasswordAuthentication },
336 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
337 { "challengeresponseauthentication", sChallengeResponseAuthentication },
338 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
339 { "checkmail", sDeprecated },
340 { "listenaddress", sListenAddress },
341 { "addressfamily", sAddressFamily },
342 { "printmotd", sPrintMotd },
343 { "printlastlog", sPrintLastLog },
344 { "ignorerhosts", sIgnoreRhosts },
345 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
346 { "x11forwarding", sX11Forwarding },
347 { "x11displayoffset", sX11DisplayOffset },
348 { "x11uselocalhost", sX11UseLocalhost },
349 { "xauthlocation", sXAuthLocation },
350 { "strictmodes", sStrictModes },
351 { "permitemptypasswords", sEmptyPasswd },
352 { "permituserenvironment", sPermitUserEnvironment },
353 { "uselogin", sUseLogin },
354 { "compression", sCompression },
355 { "tcpkeepalive", sTCPKeepAlive },
356 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
357 { "allowtcpforwarding", sAllowTcpForwarding },
358 { "allowusers", sAllowUsers },
359 { "denyusers", sDenyUsers },
360 { "allowgroups", sAllowGroups },
361 { "denygroups", sDenyGroups },
362 { "ciphers", sCiphers },
364 { "protocol", sProtocol },
365 { "gatewayports", sGatewayPorts },
366 { "subsystem", sSubsystem },
367 { "maxstartups", sMaxStartups },
368 { "maxauthtries", sMaxAuthTries },
369 { "banner", sBanner },
370 { "usedns", sUseDNS },
371 { "verifyreversemapping", sDeprecated },
372 { "reversemappingcheck", sDeprecated },
373 { "clientaliveinterval", sClientAliveInterval },
374 { "clientalivecountmax", sClientAliveCountMax },
375 { "authorizedkeysfile", sAuthorizedKeysFile },
376 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
377 { "useprivilegeseparation", sUsePrivilegeSeparation},
378 { "acceptenv", sAcceptEnv },
379 { "permittunnel", sPermitTunnel },
384 * Returns the number of the token pointed to by cp or sBadOption.
388 parse_token(const char *cp, const char *filename,
393 for (i = 0; keywords[i].name; i++)
394 if (strcasecmp(cp, keywords[i].name) == 0)
395 return keywords[i].opcode;
397 error("%s: line %d: Bad configuration option: %s",
398 filename, linenum, cp);
403 add_listen_addr(ServerOptions *options, char *addr, u_short port)
407 if (options->num_ports == 0)
408 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
409 if (options->address_family == -1)
410 options->address_family = AF_UNSPEC;
412 for (i = 0; i < options->num_ports; i++)
413 add_one_listen_addr(options, addr, options->ports[i]);
415 add_one_listen_addr(options, addr, port);
419 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
421 struct addrinfo hints, *ai, *aitop;
422 char strport[NI_MAXSERV];
425 memset(&hints, 0, sizeof(hints));
426 hints.ai_family = options->address_family;
427 hints.ai_socktype = SOCK_STREAM;
428 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
429 snprintf(strport, sizeof strport, "%u", port);
430 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
431 fatal("bad addr or host: %s (%s)",
432 addr ? addr : "<NULL>",
433 gai_strerror(gaierr));
434 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
436 ai->ai_next = options->listen_addrs;
437 options->listen_addrs = aitop;
441 process_server_config_line(ServerOptions *options, char *line,
442 const char *filename, int linenum)
444 char *cp, **charptr, *arg, *p;
445 int *intptr, value, n;
446 ServerOpCodes opcode;
451 if ((arg = strdelim(&cp)) == NULL)
453 /* Ignore leading whitespace */
456 if (!arg || !*arg || *arg == '#')
460 opcode = parse_token(arg, filename, linenum);
462 /* Portable-specific options */
464 intptr = &options->use_pam;
467 /* Standard Options */
471 /* ignore ports from configfile if cmdline specifies ports */
472 if (options->ports_from_cmdline)
474 if (options->listen_addrs != NULL)
475 fatal("%s line %d: ports must be specified before "
476 "ListenAddress.", filename, linenum);
477 if (options->num_ports >= MAX_PORTS)
478 fatal("%s line %d: too many ports.",
481 if (!arg || *arg == '\0')
482 fatal("%s line %d: missing port number.",
484 options->ports[options->num_ports++] = a2port(arg);
485 if (options->ports[options->num_ports-1] == 0)
486 fatal("%s line %d: Badly formatted port number.",
491 intptr = &options->server_key_bits;
494 if (!arg || *arg == '\0')
495 fatal("%s line %d: missing integer value.",
502 case sLoginGraceTime:
503 intptr = &options->login_grace_time;
506 if (!arg || *arg == '\0')
507 fatal("%s line %d: missing time value.",
509 if ((value = convtime(arg)) == -1)
510 fatal("%s line %d: invalid time value.",
516 case sKeyRegenerationTime:
517 intptr = &options->key_regeneration_time;
522 if (arg == NULL || *arg == '\0')
523 fatal("%s line %d: missing address",
525 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
526 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
527 && strchr(p+1, ':') != NULL) {
528 add_listen_addr(options, arg, 0);
533 fatal("%s line %d: bad address:port usage",
535 p = cleanhostname(p);
538 else if ((port = a2port(arg)) == 0)
539 fatal("%s line %d: bad port number", filename, linenum);
541 add_listen_addr(options, p, port);
547 if (!arg || *arg == '\0')
548 fatal("%s line %d: missing address family.",
550 intptr = &options->address_family;
551 if (options->listen_addrs != NULL)
552 fatal("%s line %d: address family must be specified before "
553 "ListenAddress.", filename, linenum);
554 if (strcasecmp(arg, "inet") == 0)
556 else if (strcasecmp(arg, "inet6") == 0)
558 else if (strcasecmp(arg, "any") == 0)
561 fatal("%s line %d: unsupported address family \"%s\".",
562 filename, linenum, arg);
568 intptr = &options->num_host_key_files;
569 if (*intptr >= MAX_HOSTKEYS)
570 fatal("%s line %d: too many host keys specified (max %d).",
571 filename, linenum, MAX_HOSTKEYS);
572 charptr = &options->host_key_files[*intptr];
575 if (!arg || *arg == '\0')
576 fatal("%s line %d: missing file name.",
578 if (*charptr == NULL) {
579 *charptr = tilde_expand_filename(arg, getuid());
580 /* increase optional counter */
582 *intptr = *intptr + 1;
587 charptr = &options->pid_file;
590 case sPermitRootLogin:
591 intptr = &options->permit_root_login;
593 if (!arg || *arg == '\0')
594 fatal("%s line %d: missing yes/"
595 "without-password/forced-commands-only/no "
596 "argument.", filename, linenum);
597 value = 0; /* silence compiler */
598 if (strcmp(arg, "without-password") == 0)
599 value = PERMIT_NO_PASSWD;
600 else if (strcmp(arg, "forced-commands-only") == 0)
601 value = PERMIT_FORCED_ONLY;
602 else if (strcmp(arg, "yes") == 0)
604 else if (strcmp(arg, "no") == 0)
607 fatal("%s line %d: Bad yes/"
608 "without-password/forced-commands-only/no "
609 "argument: %s", filename, linenum, arg);
615 intptr = &options->ignore_rhosts;
618 if (!arg || *arg == '\0')
619 fatal("%s line %d: missing yes/no argument.",
621 value = 0; /* silence compiler */
622 if (strcmp(arg, "yes") == 0)
624 else if (strcmp(arg, "no") == 0)
627 fatal("%s line %d: Bad yes/no argument: %s",
628 filename, linenum, arg);
633 case sIgnoreUserKnownHosts:
634 intptr = &options->ignore_user_known_hosts;
637 case sRhostsRSAAuthentication:
638 intptr = &options->rhosts_rsa_authentication;
641 case sHostbasedAuthentication:
642 intptr = &options->hostbased_authentication;
645 case sHostbasedUsesNameFromPacketOnly:
646 intptr = &options->hostbased_uses_name_from_packet_only;
649 case sRSAAuthentication:
650 intptr = &options->rsa_authentication;
653 case sPubkeyAuthentication:
654 intptr = &options->pubkey_authentication;
657 case sKerberosAuthentication:
658 intptr = &options->kerberos_authentication;
661 case sKerberosOrLocalPasswd:
662 intptr = &options->kerberos_or_local_passwd;
665 case sKerberosTicketCleanup:
666 intptr = &options->kerberos_ticket_cleanup;
669 case sKerberosGetAFSToken:
670 intptr = &options->kerberos_get_afs_token;
673 case sGssAuthentication:
674 intptr = &options->gss_authentication;
677 case sGssCleanupCreds:
678 intptr = &options->gss_cleanup_creds;
681 case sPasswordAuthentication:
682 intptr = &options->password_authentication;
685 case sKbdInteractiveAuthentication:
686 intptr = &options->kbd_interactive_authentication;
689 case sChallengeResponseAuthentication:
690 intptr = &options->challenge_response_authentication;
694 intptr = &options->print_motd;
698 intptr = &options->print_lastlog;
702 intptr = &options->x11_forwarding;
705 case sX11DisplayOffset:
706 intptr = &options->x11_display_offset;
709 case sX11UseLocalhost:
710 intptr = &options->x11_use_localhost;
714 charptr = &options->xauth_location;
718 intptr = &options->strict_modes;
722 intptr = &options->tcp_keep_alive;
726 intptr = &options->permit_empty_passwd;
729 case sPermitUserEnvironment:
730 intptr = &options->permit_user_env;
734 intptr = &options->use_login;
738 intptr = &options->compression;
740 if (!arg || *arg == '\0')
741 fatal("%s line %d: missing yes/no/delayed "
742 "argument.", filename, linenum);
743 value = 0; /* silence compiler */
744 if (strcmp(arg, "delayed") == 0)
745 value = COMP_DELAYED;
746 else if (strcmp(arg, "yes") == 0)
748 else if (strcmp(arg, "no") == 0)
751 fatal("%s line %d: Bad yes/no/delayed "
752 "argument: %s", filename, linenum, arg);
758 intptr = &options->gateway_ports;
760 if (!arg || *arg == '\0')
761 fatal("%s line %d: missing yes/no/clientspecified "
762 "argument.", filename, linenum);
763 value = 0; /* silence compiler */
764 if (strcmp(arg, "clientspecified") == 0)
766 else if (strcmp(arg, "yes") == 0)
768 else if (strcmp(arg, "no") == 0)
771 fatal("%s line %d: Bad yes/no/clientspecified "
772 "argument: %s", filename, linenum, arg);
778 intptr = &options->use_dns;
782 intptr = (int *) &options->log_facility;
784 value = log_facility_number(arg);
785 if (value == SYSLOG_FACILITY_NOT_SET)
786 fatal("%.200s line %d: unsupported log facility '%s'",
787 filename, linenum, arg ? arg : "<NONE>");
789 *intptr = (SyslogFacility) value;
793 intptr = (int *) &options->log_level;
795 value = log_level_number(arg);
796 if (value == SYSLOG_LEVEL_NOT_SET)
797 fatal("%.200s line %d: unsupported log level '%s'",
798 filename, linenum, arg ? arg : "<NONE>");
800 *intptr = (LogLevel) value;
803 case sAllowTcpForwarding:
804 intptr = &options->allow_tcp_forwarding;
807 case sUsePrivilegeSeparation:
808 intptr = &use_privsep;
812 while ((arg = strdelim(&cp)) && *arg != '\0') {
813 if (options->num_allow_users >= MAX_ALLOW_USERS)
814 fatal("%s line %d: too many allow users.",
816 options->allow_users[options->num_allow_users++] =
822 while ((arg = strdelim(&cp)) && *arg != '\0') {
823 if (options->num_deny_users >= MAX_DENY_USERS)
824 fatal( "%s line %d: too many deny users.",
826 options->deny_users[options->num_deny_users++] =
832 while ((arg = strdelim(&cp)) && *arg != '\0') {
833 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
834 fatal("%s line %d: too many allow groups.",
836 options->allow_groups[options->num_allow_groups++] =
842 while ((arg = strdelim(&cp)) && *arg != '\0') {
843 if (options->num_deny_groups >= MAX_DENY_GROUPS)
844 fatal("%s line %d: too many deny groups.",
846 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
852 if (!arg || *arg == '\0')
853 fatal("%s line %d: Missing argument.", filename, linenum);
854 if (!ciphers_valid(arg))
855 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
856 filename, linenum, arg ? arg : "<NONE>");
857 if (options->ciphers == NULL)
858 options->ciphers = xstrdup(arg);
863 if (!arg || *arg == '\0')
864 fatal("%s line %d: Missing argument.", filename, linenum);
866 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
867 filename, linenum, arg ? arg : "<NONE>");
868 if (options->macs == NULL)
869 options->macs = xstrdup(arg);
873 intptr = &options->protocol;
875 if (!arg || *arg == '\0')
876 fatal("%s line %d: Missing argument.", filename, linenum);
877 value = proto_spec(arg);
878 if (value == SSH_PROTO_UNKNOWN)
879 fatal("%s line %d: Bad protocol spec '%s'.",
880 filename, linenum, arg ? arg : "<NONE>");
881 if (*intptr == SSH_PROTO_UNKNOWN)
886 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
887 fatal("%s line %d: too many subsystems defined.",
891 if (!arg || *arg == '\0')
892 fatal("%s line %d: Missing subsystem name.",
894 for (i = 0; i < options->num_subsystems; i++)
895 if (strcmp(arg, options->subsystem_name[i]) == 0)
896 fatal("%s line %d: Subsystem '%s' already defined.",
897 filename, linenum, arg);
898 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
900 if (!arg || *arg == '\0')
901 fatal("%s line %d: Missing subsystem command.",
903 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
904 options->num_subsystems++;
909 if (!arg || *arg == '\0')
910 fatal("%s line %d: Missing MaxStartups spec.",
912 if ((n = sscanf(arg, "%d:%d:%d",
913 &options->max_startups_begin,
914 &options->max_startups_rate,
915 &options->max_startups)) == 3) {
916 if (options->max_startups_begin >
917 options->max_startups ||
918 options->max_startups_rate > 100 ||
919 options->max_startups_rate < 1)
920 fatal("%s line %d: Illegal MaxStartups spec.",
923 fatal("%s line %d: Illegal MaxStartups spec.",
926 options->max_startups = options->max_startups_begin;
930 intptr = &options->max_authtries;
934 charptr = &options->banner;
937 * These options can contain %X options expanded at
938 * connect time, so that you can specify paths like:
940 * AuthorizedKeysFile /etc/ssh_keys/%u
942 case sAuthorizedKeysFile:
943 case sAuthorizedKeysFile2:
944 charptr = (opcode == sAuthorizedKeysFile ) ?
945 &options->authorized_keys_file :
946 &options->authorized_keys_file2;
949 case sClientAliveInterval:
950 intptr = &options->client_alive_interval;
953 case sClientAliveCountMax:
954 intptr = &options->client_alive_count_max;
958 while ((arg = strdelim(&cp)) && *arg != '\0') {
959 if (strchr(arg, '=') != NULL)
960 fatal("%s line %d: Invalid environment name.",
962 if (options->num_accept_env >= MAX_ACCEPT_ENV)
963 fatal("%s line %d: too many allow env.",
965 options->accept_env[options->num_accept_env++] =
971 intptr = &options->permit_tun;
973 if (!arg || *arg == '\0')
974 fatal("%s line %d: Missing yes/point-to-point/"
975 "ethernet/no argument.", filename, linenum);
976 value = 0; /* silence compiler */
977 if (strcasecmp(arg, "ethernet") == 0)
978 value = SSH_TUNMODE_ETHERNET;
979 else if (strcasecmp(arg, "point-to-point") == 0)
980 value = SSH_TUNMODE_POINTOPOINT;
981 else if (strcasecmp(arg, "yes") == 0)
982 value = SSH_TUNMODE_YES;
983 else if (strcasecmp(arg, "no") == 0)
984 value = SSH_TUNMODE_NO;
986 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
987 "no argument: %s", filename, linenum, arg);
993 logit("%s line %d: Deprecated option %s",
994 filename, linenum, arg);
1000 logit("%s line %d: Unsupported option %s",
1001 filename, linenum, arg);
1003 arg = strdelim(&cp);
1007 fatal("%s line %d: Missing handler for opcode %s (%d)",
1008 filename, linenum, arg, opcode);
1010 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1011 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1012 filename, linenum, arg);
1016 /* Reads the server configuration file. */
1019 load_server_config(const char *filename, Buffer *conf)
1021 char line[1024], *cp;
1024 debug2("%s: filename %s", __func__, filename);
1025 if ((f = fopen(filename, "r")) == NULL) {
1030 while (fgets(line, sizeof(line), f)) {
1032 * Trim out comments and strip whitespace
1033 * NB - preserve newlines, they are needed to reproduce
1034 * line numbers later for error messages
1036 if ((cp = strchr(line, '#')) != NULL)
1037 memcpy(cp, "\n", 2);
1038 cp = line + strspn(line, " \t\r");
1040 buffer_append(conf, cp, strlen(cp));
1042 buffer_append(conf, "\0", 1);
1044 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1048 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1050 int linenum, bad_options = 0;
1051 char *cp, *obuf, *cbuf;
1053 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1055 obuf = cbuf = xstrdup(buffer_ptr(conf));
1057 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1058 if (process_server_config_line(options, cp, filename,
1063 if (bad_options > 0)
1064 fatal("%s: terminating, %d bad configuration options",
1065 filename, bad_options);