1 /* $OpenBSD: readconf.c,v 1.153 2006/07/11 18:50:48 markus Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
29 #include "pathnames.h"
37 /* Format of the configuration file:
39 # Configuration data is parsed as follows:
40 # 1. command line options
41 # 2. user-specific file
43 # Any configuration value is only changed the first time it is set.
44 # Thus, host-specific definitions should be at the beginning of the
45 # configuration file, and defaults at the end.
47 # Host-specific declarations. These may override anything above. A single
48 # host may match multiple declarations; these are processed in the order
49 # that they are given in.
55 HostName another.host.name.real.org
62 RemoteForward 9999 shadows.cs.hut.fi:9999
68 PasswordAuthentication no
72 ProxyCommand ssh-proxy %h %p
75 PublicKeyAuthentication no
79 PasswordAuthentication no
85 # Defaults for various options
89 PasswordAuthentication yes
91 RhostsRSAAuthentication yes
92 StrictHostKeyChecking yes
94 IdentityFile ~/.ssh/identity
100 /* Keyword tokens. */
104 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
105 oExitOnForwardFailure,
106 oPasswordAuthentication, oRSAAuthentication,
107 oChallengeResponseAuthentication, oXAuthLocation,
108 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
109 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
110 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
111 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
112 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
113 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
114 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
115 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
116 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
117 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
118 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
119 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
120 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
121 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
122 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
123 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
124 oDeprecated, oUnsupported
127 /* Textual representations of the tokens. */
133 { "forwardagent", oForwardAgent },
134 { "forwardx11", oForwardX11 },
135 { "forwardx11trusted", oForwardX11Trusted },
136 { "exitonforwardfailure", oExitOnForwardFailure },
137 { "xauthlocation", oXAuthLocation },
138 { "gatewayports", oGatewayPorts },
139 { "useprivilegedport", oUsePrivilegedPort },
140 { "rhostsauthentication", oDeprecated },
141 { "passwordauthentication", oPasswordAuthentication },
142 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
143 { "kbdinteractivedevices", oKbdInteractiveDevices },
144 { "rsaauthentication", oRSAAuthentication },
145 { "pubkeyauthentication", oPubkeyAuthentication },
146 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
147 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
148 { "hostbasedauthentication", oHostbasedAuthentication },
149 { "challengeresponseauthentication", oChallengeResponseAuthentication },
150 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
151 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
152 { "kerberosauthentication", oUnsupported },
153 { "kerberostgtpassing", oUnsupported },
154 { "afstokenpassing", oUnsupported },
156 { "gssapiauthentication", oGssAuthentication },
157 { "gssapidelegatecredentials", oGssDelegateCreds },
159 { "gssapiauthentication", oUnsupported },
160 { "gssapidelegatecredentials", oUnsupported },
162 { "fallbacktorsh", oDeprecated },
163 { "usersh", oDeprecated },
164 { "identityfile", oIdentityFile },
165 { "identityfile2", oIdentityFile }, /* alias */
166 { "identitiesonly", oIdentitiesOnly },
167 { "hostname", oHostName },
168 { "hostkeyalias", oHostKeyAlias },
169 { "proxycommand", oProxyCommand },
171 { "cipher", oCipher },
172 { "ciphers", oCiphers },
174 { "protocol", oProtocol },
175 { "remoteforward", oRemoteForward },
176 { "localforward", oLocalForward },
179 { "escapechar", oEscapeChar },
180 { "globalknownhostsfile", oGlobalKnownHostsFile },
181 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
182 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
183 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
184 { "connectionattempts", oConnectionAttempts },
185 { "batchmode", oBatchMode },
186 { "checkhostip", oCheckHostIP },
187 { "stricthostkeychecking", oStrictHostKeyChecking },
188 { "compression", oCompression },
189 { "compressionlevel", oCompressionLevel },
190 { "tcpkeepalive", oTCPKeepAlive },
191 { "keepalive", oTCPKeepAlive }, /* obsolete */
192 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
193 { "loglevel", oLogLevel },
194 { "dynamicforward", oDynamicForward },
195 { "preferredauthentications", oPreferredAuthentications },
196 { "hostkeyalgorithms", oHostKeyAlgorithms },
197 { "bindaddress", oBindAddress },
199 { "smartcarddevice", oSmartcardDevice },
201 { "smartcarddevice", oUnsupported },
203 { "clearallforwardings", oClearAllForwardings },
204 { "enablesshkeysign", oEnableSSHKeysign },
205 { "verifyhostkeydns", oVerifyHostKeyDNS },
206 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
207 { "rekeylimit", oRekeyLimit },
208 { "connecttimeout", oConnectTimeout },
209 { "addressfamily", oAddressFamily },
210 { "serveraliveinterval", oServerAliveInterval },
211 { "serveralivecountmax", oServerAliveCountMax },
212 { "sendenv", oSendEnv },
213 { "controlpath", oControlPath },
214 { "controlmaster", oControlMaster },
215 { "hashknownhosts", oHashKnownHosts },
216 { "tunnel", oTunnel },
217 { "tunneldevice", oTunnelDevice },
218 { "localcommand", oLocalCommand },
219 { "permitlocalcommand", oPermitLocalCommand },
224 * Adds a local TCP/IP port forward to options. Never returns if there is an
229 add_local_forward(Options *options, const Forward *newfwd)
232 #ifndef NO_IPPORT_RESERVED_CONCEPT
233 extern uid_t original_real_uid;
234 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
235 fatal("Privileged ports can only be forwarded by root.");
237 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
238 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
239 fwd = &options->local_forwards[options->num_local_forwards++];
241 fwd->listen_host = (newfwd->listen_host == NULL) ?
242 NULL : xstrdup(newfwd->listen_host);
243 fwd->listen_port = newfwd->listen_port;
244 fwd->connect_host = xstrdup(newfwd->connect_host);
245 fwd->connect_port = newfwd->connect_port;
249 * Adds a remote TCP/IP port forward to options. Never returns if there is
254 add_remote_forward(Options *options, const Forward *newfwd)
257 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
258 fatal("Too many remote forwards (max %d).",
259 SSH_MAX_FORWARDS_PER_DIRECTION);
260 fwd = &options->remote_forwards[options->num_remote_forwards++];
262 fwd->listen_host = (newfwd->listen_host == NULL) ?
263 NULL : xstrdup(newfwd->listen_host);
264 fwd->listen_port = newfwd->listen_port;
265 fwd->connect_host = xstrdup(newfwd->connect_host);
266 fwd->connect_port = newfwd->connect_port;
270 clear_forwardings(Options *options)
274 for (i = 0; i < options->num_local_forwards; i++) {
275 if (options->local_forwards[i].listen_host != NULL)
276 xfree(options->local_forwards[i].listen_host);
277 xfree(options->local_forwards[i].connect_host);
279 options->num_local_forwards = 0;
280 for (i = 0; i < options->num_remote_forwards; i++) {
281 if (options->remote_forwards[i].listen_host != NULL)
282 xfree(options->remote_forwards[i].listen_host);
283 xfree(options->remote_forwards[i].connect_host);
285 options->num_remote_forwards = 0;
286 options->tun_open = SSH_TUNMODE_NO;
290 * Returns the number of the token pointed to by cp or oBadOption.
294 parse_token(const char *cp, const char *filename, int linenum)
298 for (i = 0; keywords[i].name; i++)
299 if (strcasecmp(cp, keywords[i].name) == 0)
300 return keywords[i].opcode;
302 error("%s: line %d: Bad configuration option: %s",
303 filename, linenum, cp);
308 * Processes a single option line as used in the configuration files. This
309 * only sets those values that have not already been set.
311 #define WHITESPACE " \t\r\n"
314 process_config_line(Options *options, const char *host,
315 char *line, const char *filename, int linenum,
318 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
319 int opcode, *intptr, value, value2, scale;
320 long long orig, val64;
324 /* Strip trailing whitespace */
325 for (len = strlen(line) - 1; len > 0; len--) {
326 if (strchr(WHITESPACE, line[len]) == NULL)
332 /* Get the keyword. (Each line is supposed to begin with a keyword). */
333 if ((keyword = strdelim(&s)) == NULL)
335 /* Ignore leading whitespace. */
336 if (*keyword == '\0')
337 keyword = strdelim(&s);
338 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
341 opcode = parse_token(keyword, filename, linenum);
345 /* don't panic, but count bad options */
348 case oConnectTimeout:
349 intptr = &options->connection_timeout;
352 if (!arg || *arg == '\0')
353 fatal("%s line %d: missing time value.",
355 if ((value = convtime(arg)) == -1)
356 fatal("%s line %d: invalid time value.",
363 intptr = &options->forward_agent;
366 if (!arg || *arg == '\0')
367 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
368 value = 0; /* To avoid compiler warning... */
369 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
371 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
374 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
375 if (*activep && *intptr == -1)
380 intptr = &options->forward_x11;
383 case oForwardX11Trusted:
384 intptr = &options->forward_x11_trusted;
388 intptr = &options->gateway_ports;
391 case oExitOnForwardFailure:
392 intptr = &options->exit_on_forward_failure;
395 case oUsePrivilegedPort:
396 intptr = &options->use_privileged_port;
399 case oPasswordAuthentication:
400 intptr = &options->password_authentication;
403 case oKbdInteractiveAuthentication:
404 intptr = &options->kbd_interactive_authentication;
407 case oKbdInteractiveDevices:
408 charptr = &options->kbd_interactive_devices;
411 case oPubkeyAuthentication:
412 intptr = &options->pubkey_authentication;
415 case oRSAAuthentication:
416 intptr = &options->rsa_authentication;
419 case oRhostsRSAAuthentication:
420 intptr = &options->rhosts_rsa_authentication;
423 case oHostbasedAuthentication:
424 intptr = &options->hostbased_authentication;
427 case oChallengeResponseAuthentication:
428 intptr = &options->challenge_response_authentication;
431 case oGssAuthentication:
432 intptr = &options->gss_authentication;
435 case oGssDelegateCreds:
436 intptr = &options->gss_deleg_creds;
440 intptr = &options->batch_mode;
444 intptr = &options->check_host_ip;
447 case oVerifyHostKeyDNS:
448 intptr = &options->verify_host_key_dns;
451 case oStrictHostKeyChecking:
452 intptr = &options->strict_host_key_checking;
455 if (!arg || *arg == '\0')
456 fatal("%.200s line %d: Missing yes/no/ask argument.",
458 value = 0; /* To avoid compiler warning... */
459 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
461 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
463 else if (strcmp(arg, "ask") == 0)
466 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
467 if (*activep && *intptr == -1)
472 intptr = &options->compression;
476 intptr = &options->tcp_keep_alive;
479 case oNoHostAuthenticationForLocalhost:
480 intptr = &options->no_host_authentication_for_localhost;
483 case oNumberOfPasswordPrompts:
484 intptr = &options->number_of_password_prompts;
487 case oCompressionLevel:
488 intptr = &options->compression_level;
492 intptr = &options->rekey_limit;
494 if (!arg || *arg == '\0')
495 fatal("%.200s line %d: Missing argument.", filename, linenum);
496 if (arg[0] < '0' || arg[0] > '9')
497 fatal("%.200s line %d: Bad number.", filename, linenum);
498 orig = val64 = strtoll(arg, &endofnumber, 10);
499 if (arg == endofnumber)
500 fatal("%.200s line %d: Bad number.", filename, linenum);
501 switch (toupper(*endofnumber)) {
515 fatal("%.200s line %d: Invalid RekeyLimit suffix",
519 /* detect integer wrap and too-large limits */
520 if ((val64 / scale) != orig || val64 > INT_MAX)
521 fatal("%.200s line %d: RekeyLimit too large",
524 fatal("%.200s line %d: RekeyLimit too small",
526 if (*activep && *intptr == -1)
527 *intptr = (int)val64;
532 if (!arg || *arg == '\0')
533 fatal("%.200s line %d: Missing argument.", filename, linenum);
535 intptr = &options->num_identity_files;
536 if (*intptr >= SSH_MAX_IDENTITY_FILES)
537 fatal("%.200s line %d: Too many identity files specified (max %d).",
538 filename, linenum, SSH_MAX_IDENTITY_FILES);
539 charptr = &options->identity_files[*intptr];
540 *charptr = xstrdup(arg);
541 *intptr = *intptr + 1;
546 charptr=&options->xauth_location;
550 charptr = &options->user;
553 if (!arg || *arg == '\0')
554 fatal("%.200s line %d: Missing argument.", filename, linenum);
555 if (*activep && *charptr == NULL)
556 *charptr = xstrdup(arg);
559 case oGlobalKnownHostsFile:
560 charptr = &options->system_hostfile;
563 case oUserKnownHostsFile:
564 charptr = &options->user_hostfile;
567 case oGlobalKnownHostsFile2:
568 charptr = &options->system_hostfile2;
571 case oUserKnownHostsFile2:
572 charptr = &options->user_hostfile2;
576 charptr = &options->hostname;
580 charptr = &options->host_key_alias;
583 case oPreferredAuthentications:
584 charptr = &options->preferred_authentications;
588 charptr = &options->bind_address;
591 case oSmartcardDevice:
592 charptr = &options->smartcard_device;
596 charptr = &options->proxy_command;
599 fatal("%.200s line %d: Missing argument.", filename, linenum);
600 len = strspn(s, WHITESPACE "=");
601 if (*activep && *charptr == NULL)
602 *charptr = xstrdup(s + len);
606 intptr = &options->port;
609 if (!arg || *arg == '\0')
610 fatal("%.200s line %d: Missing argument.", filename, linenum);
611 if (arg[0] < '0' || arg[0] > '9')
612 fatal("%.200s line %d: Bad number.", filename, linenum);
614 /* Octal, decimal, or hex format? */
615 value = strtol(arg, &endofnumber, 0);
616 if (arg == endofnumber)
617 fatal("%.200s line %d: Bad number.", filename, linenum);
618 if (*activep && *intptr == -1)
622 case oConnectionAttempts:
623 intptr = &options->connection_attempts;
627 intptr = &options->cipher;
629 if (!arg || *arg == '\0')
630 fatal("%.200s line %d: Missing argument.", filename, linenum);
631 value = cipher_number(arg);
633 fatal("%.200s line %d: Bad cipher '%s'.",
634 filename, linenum, arg ? arg : "<NONE>");
635 if (*activep && *intptr == -1)
641 if (!arg || *arg == '\0')
642 fatal("%.200s line %d: Missing argument.", filename, linenum);
643 if (!ciphers_valid(arg))
644 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
645 filename, linenum, arg ? arg : "<NONE>");
646 if (*activep && options->ciphers == NULL)
647 options->ciphers = xstrdup(arg);
652 if (!arg || *arg == '\0')
653 fatal("%.200s line %d: Missing argument.", filename, linenum);
655 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
656 filename, linenum, arg ? arg : "<NONE>");
657 if (*activep && options->macs == NULL)
658 options->macs = xstrdup(arg);
661 case oHostKeyAlgorithms:
663 if (!arg || *arg == '\0')
664 fatal("%.200s line %d: Missing argument.", filename, linenum);
665 if (!key_names_valid2(arg))
666 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
667 filename, linenum, arg ? arg : "<NONE>");
668 if (*activep && options->hostkeyalgorithms == NULL)
669 options->hostkeyalgorithms = xstrdup(arg);
673 intptr = &options->protocol;
675 if (!arg || *arg == '\0')
676 fatal("%.200s line %d: Missing argument.", filename, linenum);
677 value = proto_spec(arg);
678 if (value == SSH_PROTO_UNKNOWN)
679 fatal("%.200s line %d: Bad protocol spec '%s'.",
680 filename, linenum, arg ? arg : "<NONE>");
681 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
686 intptr = (int *) &options->log_level;
688 value = log_level_number(arg);
689 if (value == SYSLOG_LEVEL_NOT_SET)
690 fatal("%.200s line %d: unsupported log level '%s'",
691 filename, linenum, arg ? arg : "<NONE>");
692 if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
693 *intptr = (LogLevel) value;
699 if (arg == NULL || *arg == '\0')
700 fatal("%.200s line %d: Missing port argument.",
703 if (arg2 == NULL || *arg2 == '\0')
704 fatal("%.200s line %d: Missing target argument.",
707 /* construct a string for parse_forward */
708 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
710 if (parse_forward(&fwd, fwdarg) == 0)
711 fatal("%.200s line %d: Bad forwarding specification.",
715 if (opcode == oLocalForward)
716 add_local_forward(options, &fwd);
717 else if (opcode == oRemoteForward)
718 add_remote_forward(options, &fwd);
722 case oDynamicForward:
724 if (!arg || *arg == '\0')
725 fatal("%.200s line %d: Missing port argument.",
727 memset(&fwd, '\0', sizeof(fwd));
728 fwd.connect_host = "socks";
729 fwd.listen_host = hpdelim(&arg);
730 if (fwd.listen_host == NULL ||
731 strlen(fwd.listen_host) >= NI_MAXHOST)
732 fatal("%.200s line %d: Bad forwarding specification.",
735 fwd.listen_port = a2port(arg);
736 fwd.listen_host = cleanhostname(fwd.listen_host);
738 fwd.listen_port = a2port(fwd.listen_host);
739 fwd.listen_host = NULL;
741 if (fwd.listen_port == 0)
742 fatal("%.200s line %d: Badly formatted port number.",
745 add_local_forward(options, &fwd);
748 case oClearAllForwardings:
749 intptr = &options->clear_forwardings;
754 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
755 if (match_pattern(host, arg)) {
756 debug("Applying options for %.100s", arg);
760 /* Avoid garbage check below, as strdelim is done. */
764 intptr = &options->escape_char;
766 if (!arg || *arg == '\0')
767 fatal("%.200s line %d: Missing argument.", filename, linenum);
768 if (arg[0] == '^' && arg[2] == 0 &&
769 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
770 value = (u_char) arg[1] & 31;
771 else if (strlen(arg) == 1)
772 value = (u_char) arg[0];
773 else if (strcmp(arg, "none") == 0)
774 value = SSH_ESCAPECHAR_NONE;
776 fatal("%.200s line %d: Bad escape character.",
779 value = 0; /* Avoid compiler warning. */
781 if (*activep && *intptr == -1)
787 if (!arg || *arg == '\0')
788 fatal("%s line %d: missing address family.",
790 intptr = &options->address_family;
791 if (strcasecmp(arg, "inet") == 0)
793 else if (strcasecmp(arg, "inet6") == 0)
795 else if (strcasecmp(arg, "any") == 0)
798 fatal("Unsupported AddressFamily \"%s\"", arg);
799 if (*activep && *intptr == -1)
803 case oEnableSSHKeysign:
804 intptr = &options->enable_ssh_keysign;
807 case oIdentitiesOnly:
808 intptr = &options->identities_only;
811 case oServerAliveInterval:
812 intptr = &options->server_alive_interval;
815 case oServerAliveCountMax:
816 intptr = &options->server_alive_count_max;
820 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
821 if (strchr(arg, '=') != NULL)
822 fatal("%s line %d: Invalid environment name.",
826 if (options->num_send_env >= MAX_SEND_ENV)
827 fatal("%s line %d: too many send env.",
829 options->send_env[options->num_send_env++] =
835 charptr = &options->control_path;
839 intptr = &options->control_master;
841 if (!arg || *arg == '\0')
842 fatal("%.200s line %d: Missing ControlMaster argument.",
844 value = 0; /* To avoid compiler warning... */
845 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
846 value = SSHCTL_MASTER_YES;
847 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
848 value = SSHCTL_MASTER_NO;
849 else if (strcmp(arg, "auto") == 0)
850 value = SSHCTL_MASTER_AUTO;
851 else if (strcmp(arg, "ask") == 0)
852 value = SSHCTL_MASTER_ASK;
853 else if (strcmp(arg, "autoask") == 0)
854 value = SSHCTL_MASTER_AUTO_ASK;
856 fatal("%.200s line %d: Bad ControlMaster argument.",
858 if (*activep && *intptr == -1)
862 case oHashKnownHosts:
863 intptr = &options->hash_known_hosts;
867 intptr = &options->tun_open;
869 if (!arg || *arg == '\0')
870 fatal("%s line %d: Missing yes/point-to-point/"
871 "ethernet/no argument.", filename, linenum);
872 value = 0; /* silence compiler */
873 if (strcasecmp(arg, "ethernet") == 0)
874 value = SSH_TUNMODE_ETHERNET;
875 else if (strcasecmp(arg, "point-to-point") == 0)
876 value = SSH_TUNMODE_POINTOPOINT;
877 else if (strcasecmp(arg, "yes") == 0)
878 value = SSH_TUNMODE_DEFAULT;
879 else if (strcasecmp(arg, "no") == 0)
880 value = SSH_TUNMODE_NO;
882 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
883 "no argument: %s", filename, linenum, arg);
890 if (!arg || *arg == '\0')
891 fatal("%.200s line %d: Missing argument.", filename, linenum);
892 value = a2tun(arg, &value2);
893 if (value == SSH_TUNID_ERR)
894 fatal("%.200s line %d: Bad tun device.", filename, linenum);
896 options->tun_local = value;
897 options->tun_remote = value2;
902 charptr = &options->local_command;
905 case oPermitLocalCommand:
906 intptr = &options->permit_local_command;
910 debug("%s line %d: Deprecated option \"%s\"",
911 filename, linenum, keyword);
915 error("%s line %d: Unsupported option \"%s\"",
916 filename, linenum, keyword);
920 fatal("process_config_line: Unimplemented opcode %d", opcode);
923 /* Check that there is no garbage at end of line. */
924 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
925 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
926 filename, linenum, arg);
933 * Reads the config file and modifies the options accordingly. Options
934 * should already be initialized before this call. This never returns if
935 * there is an error. If the file does not exist, this returns 0.
939 read_config_file(const char *filename, const char *host, Options *options,
948 if ((f = fopen(filename, "r")) == NULL)
954 if (fstat(fileno(f), &sb) == -1)
955 fatal("fstat %s: %s", filename, strerror(errno));
956 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
957 (sb.st_mode & 022) != 0))
958 fatal("Bad owner or permissions on %s", filename);
961 debug("Reading configuration data %.200s", filename);
964 * Mark that we are now processing the options. This flag is turned
965 * on/off by Host specifications.
969 while (fgets(line, sizeof(line), f)) {
970 /* Update line number counter. */
972 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
977 fatal("%s: terminating, %d bad configuration options",
978 filename, bad_options);
983 * Initializes options to special values that indicate that they have not yet
984 * been set. Read_config_file will only set options with this value. Options
985 * are processed in the following order: command line, user config file,
986 * system config file. Last, fill_default_options is called.
990 initialize_options(Options * options)
992 memset(options, 'X', sizeof(*options));
993 options->forward_agent = -1;
994 options->forward_x11 = -1;
995 options->forward_x11_trusted = -1;
996 options->exit_on_forward_failure = -1;
997 options->xauth_location = NULL;
998 options->gateway_ports = -1;
999 options->use_privileged_port = -1;
1000 options->rsa_authentication = -1;
1001 options->pubkey_authentication = -1;
1002 options->challenge_response_authentication = -1;
1003 options->gss_authentication = -1;
1004 options->gss_deleg_creds = -1;
1005 options->password_authentication = -1;
1006 options->kbd_interactive_authentication = -1;
1007 options->kbd_interactive_devices = NULL;
1008 options->rhosts_rsa_authentication = -1;
1009 options->hostbased_authentication = -1;
1010 options->batch_mode = -1;
1011 options->check_host_ip = -1;
1012 options->strict_host_key_checking = -1;
1013 options->compression = -1;
1014 options->tcp_keep_alive = -1;
1015 options->compression_level = -1;
1017 options->address_family = -1;
1018 options->connection_attempts = -1;
1019 options->connection_timeout = -1;
1020 options->number_of_password_prompts = -1;
1021 options->cipher = -1;
1022 options->ciphers = NULL;
1023 options->macs = NULL;
1024 options->hostkeyalgorithms = NULL;
1025 options->protocol = SSH_PROTO_UNKNOWN;
1026 options->num_identity_files = 0;
1027 options->hostname = NULL;
1028 options->host_key_alias = NULL;
1029 options->proxy_command = NULL;
1030 options->user = NULL;
1031 options->escape_char = -1;
1032 options->system_hostfile = NULL;
1033 options->user_hostfile = NULL;
1034 options->system_hostfile2 = NULL;
1035 options->user_hostfile2 = NULL;
1036 options->num_local_forwards = 0;
1037 options->num_remote_forwards = 0;
1038 options->clear_forwardings = -1;
1039 options->log_level = SYSLOG_LEVEL_NOT_SET;
1040 options->preferred_authentications = NULL;
1041 options->bind_address = NULL;
1042 options->smartcard_device = NULL;
1043 options->enable_ssh_keysign = - 1;
1044 options->no_host_authentication_for_localhost = - 1;
1045 options->identities_only = - 1;
1046 options->rekey_limit = - 1;
1047 options->verify_host_key_dns = -1;
1048 options->server_alive_interval = -1;
1049 options->server_alive_count_max = -1;
1050 options->num_send_env = 0;
1051 options->control_path = NULL;
1052 options->control_master = -1;
1053 options->hash_known_hosts = -1;
1054 options->tun_open = -1;
1055 options->tun_local = -1;
1056 options->tun_remote = -1;
1057 options->local_command = NULL;
1058 options->permit_local_command = -1;
1062 * Called after processing other sources of option data, this fills those
1063 * options for which no value has been specified with their default values.
1067 fill_default_options(Options * options)
1071 if (options->forward_agent == -1)
1072 options->forward_agent = 0;
1073 if (options->forward_x11 == -1)
1074 options->forward_x11 = 0;
1075 if (options->forward_x11_trusted == -1)
1076 options->forward_x11_trusted = 0;
1077 if (options->exit_on_forward_failure == -1)
1078 options->exit_on_forward_failure = 0;
1079 if (options->xauth_location == NULL)
1080 options->xauth_location = _PATH_XAUTH;
1081 if (options->gateway_ports == -1)
1082 options->gateway_ports = 0;
1083 if (options->use_privileged_port == -1)
1084 options->use_privileged_port = 0;
1085 if (options->rsa_authentication == -1)
1086 options->rsa_authentication = 1;
1087 if (options->pubkey_authentication == -1)
1088 options->pubkey_authentication = 1;
1089 if (options->challenge_response_authentication == -1)
1090 options->challenge_response_authentication = 1;
1091 if (options->gss_authentication == -1)
1092 options->gss_authentication = 0;
1093 if (options->gss_deleg_creds == -1)
1094 options->gss_deleg_creds = 0;
1095 if (options->password_authentication == -1)
1096 options->password_authentication = 1;
1097 if (options->kbd_interactive_authentication == -1)
1098 options->kbd_interactive_authentication = 1;
1099 if (options->rhosts_rsa_authentication == -1)
1100 options->rhosts_rsa_authentication = 0;
1101 if (options->hostbased_authentication == -1)
1102 options->hostbased_authentication = 0;
1103 if (options->batch_mode == -1)
1104 options->batch_mode = 0;
1105 if (options->check_host_ip == -1)
1106 options->check_host_ip = 1;
1107 if (options->strict_host_key_checking == -1)
1108 options->strict_host_key_checking = 2; /* 2 is default */
1109 if (options->compression == -1)
1110 options->compression = 0;
1111 if (options->tcp_keep_alive == -1)
1112 options->tcp_keep_alive = 1;
1113 if (options->compression_level == -1)
1114 options->compression_level = 6;
1115 if (options->port == -1)
1116 options->port = 0; /* Filled in ssh_connect. */
1117 if (options->address_family == -1)
1118 options->address_family = AF_UNSPEC;
1119 if (options->connection_attempts == -1)
1120 options->connection_attempts = 1;
1121 if (options->number_of_password_prompts == -1)
1122 options->number_of_password_prompts = 3;
1123 /* Selected in ssh_login(). */
1124 if (options->cipher == -1)
1125 options->cipher = SSH_CIPHER_NOT_SET;
1126 /* options->ciphers, default set in myproposals.h */
1127 /* options->macs, default set in myproposals.h */
1128 /* options->hostkeyalgorithms, default set in myproposals.h */
1129 if (options->protocol == SSH_PROTO_UNKNOWN)
1130 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
1131 if (options->num_identity_files == 0) {
1132 if (options->protocol & SSH_PROTO_1) {
1133 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1134 options->identity_files[options->num_identity_files] =
1136 snprintf(options->identity_files[options->num_identity_files++],
1137 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1139 if (options->protocol & SSH_PROTO_2) {
1140 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1141 options->identity_files[options->num_identity_files] =
1143 snprintf(options->identity_files[options->num_identity_files++],
1144 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1146 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1147 options->identity_files[options->num_identity_files] =
1149 snprintf(options->identity_files[options->num_identity_files++],
1150 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1153 if (options->escape_char == -1)
1154 options->escape_char = '~';
1155 if (options->system_hostfile == NULL)
1156 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1157 if (options->user_hostfile == NULL)
1158 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1159 if (options->system_hostfile2 == NULL)
1160 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1161 if (options->user_hostfile2 == NULL)
1162 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1163 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1164 options->log_level = SYSLOG_LEVEL_INFO;
1165 if (options->clear_forwardings == 1)
1166 clear_forwardings(options);
1167 if (options->no_host_authentication_for_localhost == - 1)
1168 options->no_host_authentication_for_localhost = 0;
1169 if (options->identities_only == -1)
1170 options->identities_only = 0;
1171 if (options->enable_ssh_keysign == -1)
1172 options->enable_ssh_keysign = 0;
1173 if (options->rekey_limit == -1)
1174 options->rekey_limit = 0;
1175 if (options->verify_host_key_dns == -1)
1176 options->verify_host_key_dns = 0;
1177 if (options->server_alive_interval == -1)
1178 options->server_alive_interval = 0;
1179 if (options->server_alive_count_max == -1)
1180 options->server_alive_count_max = 3;
1181 if (options->control_master == -1)
1182 options->control_master = 0;
1183 if (options->hash_known_hosts == -1)
1184 options->hash_known_hosts = 0;
1185 if (options->tun_open == -1)
1186 options->tun_open = SSH_TUNMODE_NO;
1187 if (options->tun_local == -1)
1188 options->tun_local = SSH_TUNID_ANY;
1189 if (options->tun_remote == -1)
1190 options->tun_remote = SSH_TUNID_ANY;
1191 if (options->permit_local_command == -1)
1192 options->permit_local_command = 0;
1193 /* options->local_command should not be set by default */
1194 /* options->proxy_command should not be set by default */
1195 /* options->user will be set in the main program if appropriate */
1196 /* options->hostname will be set in the main program if appropriate */
1197 /* options->host_key_alias should not be set by default */
1198 /* options->preferred_authentications will be set in ssh */
1203 * parses a string containing a port forwarding specification of the form:
1204 * [listenhost:]listenport:connecthost:connectport
1205 * returns number of arguments parsed or zero on error
1208 parse_forward(Forward *fwd, const char *fwdspec)
1211 char *p, *cp, *fwdarg[4];
1213 memset(fwd, '\0', sizeof(*fwd));
1215 cp = p = xstrdup(fwdspec);
1217 /* skip leading spaces */
1218 while (*cp && isspace(*cp))
1221 for (i = 0; i < 4; ++i)
1222 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1225 /* Check for trailing garbage in 4-arg case*/
1227 i = 0; /* failure */
1231 fwd->listen_host = NULL;
1232 fwd->listen_port = a2port(fwdarg[0]);
1233 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1234 fwd->connect_port = a2port(fwdarg[2]);
1238 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1239 fwd->listen_port = a2port(fwdarg[1]);
1240 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1241 fwd->connect_port = a2port(fwdarg[3]);
1244 i = 0; /* failure */
1249 if (fwd->listen_port == 0 && fwd->connect_port == 0)
1252 if (fwd->connect_host != NULL &&
1253 strlen(fwd->connect_host) >= NI_MAXHOST)
1259 if (fwd->connect_host != NULL)
1260 xfree(fwd->connect_host);
1261 if (fwd->listen_host != NULL)
1262 xfree(fwd->listen_host);