1 /* $OpenBSD: servconf.c,v 1.151 2006/07/06 10:47:05 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
20 #include "pathnames.h"
/*
 * Forward declarations for the listen-address helpers defined further
 * down: add_listen_addr() fans one address out over the configured
 * ports, add_one_listen_addr() resolves a single address:port pair.
 */
26 static void add_listen_addr(ServerOptions *, char *, u_short);
27 static void add_one_listen_addr(ServerOptions *, char *, u_short);
29 /* Use of privilege separation or not.  Defined in another file; it lives
 * outside ServerOptions, so fill_default_server_options() reads it directly
 * and the UsePrivilegeSeparation keyword points its int pointer at it. */
30 extern int use_privsep;
32 /* Initializes the server options to their default values. */
/*
 * "Default" here means "not yet set": every field is left at a sentinel
 * (-1, NULL, *_NOT_SET, SSH_PROTO_UNKNOWN).  fill_default_server_options()
 * later replaces only fields that still hold their sentinel, so anything
 * assigned in between (e.g. by process_server_config_line()) is kept.
 *
 * @param options  Structure to reset; its previous contents are discarded.
 */
35 initialize_server_options(ServerOptions *options)
/* Zero everything first; the explicit assignments below then mark the
 * fields whose "unset" value is not 0 (0 is a legal value for most of them). */
37 memset(options, 0, sizeof(*options));
39 /* Portable-specific options */
40 options->use_pam = -1;
42 /* Standard Options */
43 options->num_ports = 0;
44 options->ports_from_cmdline = 0;
45 options->listen_addrs = NULL;
46 options->address_family = -1;
47 options->num_host_key_files = 0;
48 options->pid_file = NULL;
49 options->server_key_bits = -1;
50 options->login_grace_time = -1;
51 options->key_regeneration_time = -1;
52 options->permit_root_login = PERMIT_NOT_SET;
53 options->ignore_rhosts = -1;
54 options->ignore_user_known_hosts = -1;
55 options->print_motd = -1;
56 options->print_lastlog = -1;
57 options->x11_forwarding = -1;
58 options->x11_display_offset = -1;
59 options->x11_use_localhost = -1;
60 options->xauth_location = NULL;
61 options->strict_modes = -1;
62 options->tcp_keep_alive = -1;
63 options->log_facility = SYSLOG_FACILITY_NOT_SET;
64 options->log_level = SYSLOG_LEVEL_NOT_SET;
65 options->rhosts_rsa_authentication = -1;
66 options->hostbased_authentication = -1;
67 options->hostbased_uses_name_from_packet_only = -1;
68 options->rsa_authentication = -1;
69 options->pubkey_authentication = -1;
70 options->kerberos_authentication = -1;
71 options->kerberos_or_local_passwd = -1;
72 options->kerberos_ticket_cleanup = -1;
73 options->kerberos_get_afs_token = -1;
74 options->gss_authentication=-1;
75 options->gss_cleanup_creds = -1;
76 options->password_authentication = -1;
77 options->kbd_interactive_authentication = -1;
78 options->challenge_response_authentication = -1;
79 options->permit_empty_passwd = -1;
80 options->permit_user_env = -1;
81 options->use_login = -1;
82 options->compression = -1;
83 options->allow_tcp_forwarding = -1;
84 options->num_allow_users = 0;
85 options->num_deny_users = 0;
86 options->num_allow_groups = 0;
87 options->num_deny_groups = 0;
88 options->ciphers = NULL;
90 options->protocol = SSH_PROTO_UNKNOWN;
91 options->gateway_ports = -1;
92 options->num_subsystems = 0;
93 options->max_startups_begin = -1;
94 options->max_startups_rate = -1;
95 options->max_startups = -1;
96 options->max_authtries = -1;
97 options->banner = NULL;
98 options->use_dns = -1;
99 options->client_alive_interval = -1;
100 options->client_alive_count_max = -1;
101 options->authorized_keys_file = NULL;
102 options->authorized_keys_file2 = NULL;
103 options->num_accept_env = 0;
104 options->permit_tun = -1;
/* The file-scope use_privsep is presumably reset to its -1 sentinel here as
 * well (the assignment is on a line not shown in this listing). */
106 /* Needs to be accessable in many places */
/*
 * Replaces every "unset" sentinel left by initialize_server_options() with
 * the built-in default.  Each field is tested against its own sentinel
 * before being written, so values set earlier (command line, config file)
 * survive; call this only after all parsing is done.
 *
 * @param options  Options to complete in place.
 */
111 fill_default_server_options(ServerOptions *options)
113 /* Portable-specific options */
114 if (options->use_pam == -1)
115 options->use_pam = 0;
117 /* Standard Options */
/* NOTE(review): several built-in defaults below are permissive by today's
 * standards -- protocol 1 enabled alongside 2, a 768-bit server key,
 * PermitRootLogin yes, password authentication on.  Hardened deployments set
 * these explicitly in sshd_config rather than rely on the fallbacks here. */
118 if (options->protocol == SSH_PROTO_UNKNOWN)
119 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
120 if (options->num_host_key_files == 0) {
121 /* fill default hostkeys for protocols */
/* Which default host keys are added depends on the protocols enabled just
 * above: one key file for protocol 1, RSA and DSA files for protocol 2. */
122 if (options->protocol & SSH_PROTO_1)
123 options->host_key_files[options->num_host_key_files++] =
125 if (options->protocol & SSH_PROTO_2) {
126 options->host_key_files[options->num_host_key_files++] =
127 _PATH_HOST_RSA_KEY_FILE;
128 options->host_key_files[options->num_host_key_files++] =
129 _PATH_HOST_DSA_KEY_FILE;
132 if (options->num_ports == 0)
133 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
/* No ListenAddress given: a NULL address becomes a passive (wildcard)
 * listener on every configured port, see add_one_listen_addr(). */
134 if (options->listen_addrs == NULL)
135 add_listen_addr(options, NULL, 0);
136 if (options->pid_file == NULL)
137 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
138 if (options->server_key_bits == -1)
139 options->server_key_bits = 768;
140 if (options->login_grace_time == -1)
141 options->login_grace_time = 120;
142 if (options->key_regeneration_time == -1)
143 options->key_regeneration_time = 3600;
144 if (options->permit_root_login == PERMIT_NOT_SET)
145 options->permit_root_login = PERMIT_YES;
146 if (options->ignore_rhosts == -1)
147 options->ignore_rhosts = 1;
148 if (options->ignore_user_known_hosts == -1)
149 options->ignore_user_known_hosts = 0;
150 if (options->print_motd == -1)
151 options->print_motd = 1;
152 if (options->print_lastlog == -1)
153 options->print_lastlog = 1;
154 if (options->x11_forwarding == -1)
155 options->x11_forwarding = 0;
156 if (options->x11_display_offset == -1)
157 options->x11_display_offset = 10;
158 if (options->x11_use_localhost == -1)
159 options->x11_use_localhost = 1;
160 if (options->xauth_location == NULL)
161 options->xauth_location = _PATH_XAUTH;
162 if (options->strict_modes == -1)
163 options->strict_modes = 1;
164 if (options->tcp_keep_alive == -1)
165 options->tcp_keep_alive = 1;
166 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
167 options->log_facility = SYSLOG_FACILITY_AUTH;
168 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
169 options->log_level = SYSLOG_LEVEL_INFO;
170 if (options->rhosts_rsa_authentication == -1)
171 options->rhosts_rsa_authentication = 0;
172 if (options->hostbased_authentication == -1)
173 options->hostbased_authentication = 0;
174 if (options->hostbased_uses_name_from_packet_only == -1)
175 options->hostbased_uses_name_from_packet_only = 0;
176 if (options->rsa_authentication == -1)
177 options->rsa_authentication = 1;
178 if (options->pubkey_authentication == -1)
179 options->pubkey_authentication = 1;
180 if (options->kerberos_authentication == -1)
181 options->kerberos_authentication = 0;
182 if (options->kerberos_or_local_passwd == -1)
183 options->kerberos_or_local_passwd = 1;
184 if (options->kerberos_ticket_cleanup == -1)
185 options->kerberos_ticket_cleanup = 1;
186 if (options->kerberos_get_afs_token == -1)
187 options->kerberos_get_afs_token = 0;
188 if (options->gss_authentication == -1)
189 options->gss_authentication = 0;
190 if (options->gss_cleanup_creds == -1)
191 options->gss_cleanup_creds = 1;
192 if (options->password_authentication == -1)
193 options->password_authentication = 1;
194 if (options->kbd_interactive_authentication == -1)
195 options->kbd_interactive_authentication = 0;
196 if (options->challenge_response_authentication == -1)
197 options->challenge_response_authentication = 1;
198 if (options->permit_empty_passwd == -1)
199 options->permit_empty_passwd = 0;
200 if (options->permit_user_env == -1)
201 options->permit_user_env = 0;
202 if (options->use_login == -1)
203 options->use_login = 0;
204 if (options->compression == -1)
205 options->compression = COMP_DELAYED;
206 if (options->allow_tcp_forwarding == -1)
207 options->allow_tcp_forwarding = 1;
208 if (options->gateway_ports == -1)
209 options->gateway_ports = 0;
210 if (options->max_startups == -1)
211 options->max_startups = 10;
212 if (options->max_startups_rate == -1)
213 options->max_startups_rate = 100; /* 100% */
/* Order matters: max_startups must already be final, because begin
 * defaults to it.  With begin == full the begin:rate:full triplet
 * collapses to a single hard limit unless MaxStartups gave all three. */
214 if (options->max_startups_begin == -1)
215 options->max_startups_begin = options->max_startups;
216 if (options->max_authtries == -1)
217 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
218 if (options->use_dns == -1)
219 options->use_dns = 1;
220 if (options->client_alive_interval == -1)
221 options->client_alive_interval = 0;
222 if (options->client_alive_count_max == -1)
223 options->client_alive_count_max = 3;
/* Resolution order: file2 inherits an explicitly set file (else the
 * built-in KEYS2 path); only afterwards does file get its own default,
 * so the two never silently end up pointing at the same path by default. */
224 if (options->authorized_keys_file2 == NULL) {
225 /* authorized_keys_file2 falls back to authorized_keys_file */
226 if (options->authorized_keys_file != NULL)
227 options->authorized_keys_file2 = options->authorized_keys_file;
229 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
231 if (options->authorized_keys_file == NULL)
232 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
233 if (options->permit_tun == -1)
234 options->permit_tun = SSH_TUNMODE_NO;
236 /* Turn privilege separation on by default */
237 if (use_privsep == -1)
/* Platform-conditional block (its #ifdef is not in this listing): only the
 * explicit "Compression yes" value (1) is turned off here; the COMP_DELAYED
 * default just above is presumably a different value and is left alone.
 * error() only logs, so the daemon keeps starting with compression off. */
241 if (use_privsep && options->compression == 1) {
242 error("This platform does not support both privilege "
243 "separation and compression");
244 error("Compression disabled");
245 options->compression = 0;
251 /* Keyword tokens. */
/*
 * One opcode per configuration keyword; parse_token() maps a keyword name
 * to one of these and process_server_config_line() switches on it.
 * sBadOption is the "no such keyword" result; sDeprecated and sUnsupported
 * are real table entries for keywords that are logged and skipped.
 * (The typedef enum header and trailer lines are absent from this listing.)
 */
253 sBadOption, /* == unknown option */
254 /* Portable-specific options */
256 /* Standard Options */
257 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
258 sPermitRootLogin, sLogFacility, sLogLevel,
259 sRhostsRSAAuthentication, sRSAAuthentication,
260 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
261 sKerberosGetAFSToken,
262 sKerberosTgtPassing, sChallengeResponseAuthentication,
263 sPasswordAuthentication, sKbdInteractiveAuthentication,
264 sListenAddress, sAddressFamily,
265 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
266 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
267 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
268 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
269 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
270 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
271 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
272 sMaxStartups, sMaxAuthTries,
273 sBanner, sUseDNS, sHostbasedAuthentication,
274 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
275 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
276 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
277 sUsePrivilegeSeparation,
278 sDeprecated, sUnsupported
281 /* Textual representation of the tokens. */
/*
 * Keyword lookup table consumed by parse_token().  Lookup is a linear scan
 * with strcasecmp(), so the names here are the lower-case canonical forms
 * and the first matching entry wins.  Where the same name appears more than
 * once, the copies belong to alternative conditional-compilation branches
 * (the #ifdef/#else lines are not in this listing) and only one of them is
 * compiled in -- the others map the keyword to sUnsupported so that a
 * config written for a differently built sshd is rejected loudly rather
 * than ignored.  The NULL-name terminator that parse_token() relies on is
 * presumably on a line not shown.
 */
284 ServerOpCodes opcode;
286 /* Portable-specific options */
288 { "usepam", sUsePAM },
290 { "usepam", sUnsupported },
292 { "pamauthenticationviakbdint", sDeprecated },
293 /* Standard Options */
295 { "hostkey", sHostKeyFile },
296 { "hostdsakey", sHostKeyFile }, /* alias */
297 { "pidfile", sPidFile },
298 { "serverkeybits", sServerKeyBits },
299 { "logingracetime", sLoginGraceTime },
300 { "keyregenerationinterval", sKeyRegenerationTime },
301 { "permitrootlogin", sPermitRootLogin },
302 { "syslogfacility", sLogFacility },
303 { "loglevel", sLogLevel },
304 { "rhostsauthentication", sDeprecated },
305 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
306 { "hostbasedauthentication", sHostbasedAuthentication },
307 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
308 { "rsaauthentication", sRSAAuthentication },
309 { "pubkeyauthentication", sPubkeyAuthentication },
310 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
312 { "kerberosauthentication", sKerberosAuthentication },
313 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
314 { "kerberosticketcleanup", sKerberosTicketCleanup },
316 { "kerberosgetafstoken", sKerberosGetAFSToken },
318 { "kerberosgetafstoken", sUnsupported },
321 { "kerberosauthentication", sUnsupported },
322 { "kerberosorlocalpasswd", sUnsupported },
323 { "kerberosticketcleanup", sUnsupported },
324 { "kerberosgetafstoken", sUnsupported },
326 { "kerberostgtpassing", sUnsupported },
327 { "afstokenpassing", sUnsupported },
329 { "gssapiauthentication", sGssAuthentication },
330 { "gssapicleanupcredentials", sGssCleanupCreds },
332 { "gssapiauthentication", sUnsupported },
333 { "gssapicleanupcredentials", sUnsupported },
335 { "passwordauthentication", sPasswordAuthentication },
336 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
337 { "challengeresponseauthentication", sChallengeResponseAuthentication },
338 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
339 { "checkmail", sDeprecated },
340 { "listenaddress", sListenAddress },
341 { "addressfamily", sAddressFamily },
342 { "printmotd", sPrintMotd },
343 { "printlastlog", sPrintLastLog },
344 { "ignorerhosts", sIgnoreRhosts },
345 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
346 { "x11forwarding", sX11Forwarding },
347 { "x11displayoffset", sX11DisplayOffset },
348 { "x11uselocalhost", sX11UseLocalhost },
349 { "xauthlocation", sXAuthLocation },
350 { "strictmodes", sStrictModes },
351 { "permitemptypasswords", sEmptyPasswd },
352 { "permituserenvironment", sPermitUserEnvironment },
353 { "uselogin", sUseLogin },
354 { "compression", sCompression },
355 { "tcpkeepalive", sTCPKeepAlive },
356 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
357 { "allowtcpforwarding", sAllowTcpForwarding },
358 { "allowusers", sAllowUsers },
359 { "denyusers", sDenyUsers },
360 { "allowgroups", sAllowGroups },
361 { "denygroups", sDenyGroups },
362 { "ciphers", sCiphers },
364 { "protocol", sProtocol },
365 { "gatewayports", sGatewayPorts },
366 { "subsystem", sSubsystem },
367 { "maxstartups", sMaxStartups },
368 { "maxauthtries", sMaxAuthTries },
369 { "banner", sBanner },
370 { "usedns", sUseDNS },
371 { "verifyreversemapping", sDeprecated },
372 { "reversemappingcheck", sDeprecated },
373 { "clientaliveinterval", sClientAliveInterval },
374 { "clientalivecountmax", sClientAliveCountMax },
375 { "authorizedkeysfile", sAuthorizedKeysFile },
376 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
377 { "useprivilegeseparation", sUsePrivilegeSeparation},
378 { "acceptenv", sAcceptEnv },
379 { "permittunnel", sPermitTunnel },
384 * Returns the number of the token pointed to by cp or sBadOption.
 *
 * Case-insensitive linear scan of the keywords[] table, stopping at its
 * NULL-name terminator.  On a miss the failure is logged with the file
 * name and line number for the administrator; the sBadOption return is on
 * a line not shown in this listing.
 *
 * @param cp        Keyword text (first token of a config line).
 * @param filename  Config file name, used only in the error message.
 */
388 parse_token(const char *cp, const char *filename,
393 for (i = 0; keywords[i].name; i++)
394 if (strcasecmp(cp, keywords[i].name) == 0)
395 return keywords[i].opcode;
397 error("%s: line %d: Bad configuration option: %s",
398 filename, linenum, cp);
/*
 * Queues listen addresses for one host.
 *
 * @param options  Server options; listen_addrs and, if still unset, ports
 *                 and address_family are updated.
 * @param addr     Host name or address; NULL means "any" (wildcard).
 * @param port     0 means "every configured port" -- one entry is added
 *                 per entry in options->ports -- otherwise just that port.
 *                 This is why Port and AddressFamily must precede
 *                 ListenAddress in the config: the port list and the family
 *                 are captured at the moment the address is added.
 */
403 add_listen_addr(ServerOptions *options, char *addr, u_short port)
/* Fall back to the default port / any family so that a bare ListenAddress
 * still resolves to something. */
407 if (options->num_ports == 0)
408 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
409 if (options->address_family == -1)
410 options->address_family = AF_UNSPEC;
412 for (i = 0; i < options->num_ports; i++)
413 add_one_listen_addr(options, addr, options->ports[i]);
/* else-branch (the "else" line itself is not in this listing) */
415 add_one_listen_addr(options, addr, port);
/*
 * Resolves one address:port pair with getaddrinfo() and prepends the
 * resulting addrinfo list to options->listen_addrs.
 *
 * @param options  Holds address_family (used as the lookup hint) and the
 *                 listen_addrs list being built.
 * @param addr     Host name or address; NULL requests a passive (wildcard)
 *                 socket address.
 * @param port     Port number, formatted as a decimal service string.
 *
 * Resolution failure is fatal(): an unresolvable ListenAddress aborts
 * startup instead of silently listening on fewer addresses than configured.
 */
419 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
421 struct addrinfo hints, *ai, *aitop;
422 char strport[NI_MAXSERV];
425 memset(&hints, 0, sizeof(hints));
426 hints.ai_family = options->address_family;
427 hints.ai_socktype = SOCK_STREAM;
428 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
429 snprintf(strport, sizeof strport, "%u", port);
430 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
431 fatal("bad addr or host: %s (%s)",
432 addr ? addr : "<NULL>",
433 gai_strerror(gaierr));
/* Walk to the tail of the freshly resolved list (the loop body, presumably
 * empty, is on a line not shown) and splice the existing list after it, so
 * later ListenAddress lines end up in front of earlier ones.  The addrinfo
 * chain is never freed here; it is owned by options->listen_addrs. */
434 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
436 ai->ai_next = options->listen_addrs;
437 options->listen_addrs = aitop;
/*
 * Parses a single configuration line into *options.
 *
 * @param options   Options being filled in.
 * @param line      The line, split in place by strdelim() (it is modified).
 * @param filename  Config file name, for diagnostics only.
 * @param linenum   Line number, for diagnostics only.
 *
 * Conventions visible throughout the switch:
 *  - intptr/charptr point at the option field and a shared "parse_*" tail
 *    (reached by goto on lines not in this listing) does the actual store;
 *    for strings the store only happens if the field is still NULL, so the
 *    first value given wins.
 *  - Malformed or out-of-range values call fatal(); this runs at startup,
 *    so a bad config stops the daemon rather than running with a guess.
 *  - Unknown keywords are reported by parse_token() and, via a return
 *    value not shown here, counted by parse_server_config().
 */
441 process_server_config_line(ServerOptions *options, char *line,
442 const char *filename, int linenum)
444 char *cp, **charptr, *arg, *p;
445 int *intptr, value, n;
446 ServerOpCodes opcode;
/* cp walks the line; strdelim() hands back the next whitespace-delimited
 * token or NULL (cp is presumably initialised to line on a missing line). */
452 if ((arg = strdelim(&cp)) == NULL)
454 /* Ignore leading whitespace */
/* Blank lines and comment lines are accepted silently. */
457 if (!arg || !*arg || *arg == '#')
461 opcode = parse_token(arg, filename, linenum);
463 /* Portable-specific options */
465 intptr = &options->use_pam;
468 /* Standard Options */
/* Port: rejected once any ListenAddress has been seen, because
 * add_listen_addr() snapshots the port list at that moment. */
472 /* ignore ports from configfile if cmdline specifies ports */
473 if (options->ports_from_cmdline)
475 if (options->listen_addrs != NULL)
476 fatal("%s line %d: ports must be specified before "
477 "ListenAddress.", filename, linenum);
478 if (options->num_ports >= MAX_PORTS)
479 fatal("%s line %d: too many ports.",
482 if (!arg || *arg == '\0')
483 fatal("%s line %d: missing port number.",
/* a2port() evidently signals a bad port as 0; the value is stored first
 * and validated afterwards, which is fine only because fatal() follows. */
485 options->ports[options->num_ports++] = a2port(arg);
486 if (options->ports[options->num_ports-1] == 0)
487 fatal("%s line %d: Badly formatted port number.",
492 intptr = &options->server_key_bits;
/* parse_int tail: shared by every plain integer option. */
495 if (!arg || *arg == '\0')
496 fatal("%s line %d: missing integer value.",
503 case sLoginGraceTime:
504 intptr = &options->login_grace_time;
/* parse_time tail: convtime() returns -1 for an unparsable duration. */
507 if (!arg || *arg == '\0')
508 fatal("%s line %d: missing time value.",
510 if ((value = convtime(arg)) == -1)
511 fatal("%s line %d: invalid time value.",
517 case sKeyRegenerationTime:
518 intptr = &options->key_regeneration_time;
/* ListenAddress: forms are "host", "host:port", "[host]:port" and a bare
 * IPv6 address; the bare-IPv6 heuristic below comes first because such an
 * address contains ':' characters of its own. */
523 if (arg == NULL || *arg == '\0')
524 fatal("%s line %d: missing address",
526 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
527 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
528 && strchr(p+1, ':') != NULL) {
/* port 0 == "all configured ports" */
529 add_listen_addr(options, arg, 0);
/* Bracketed / host:port forms are split on lines not in this listing;
 * cleanhostname() strips the brackets and a2port()==0 means a bad port. */
534 fatal("%s line %d: bad address:port usage",
536 p = cleanhostname(p);
539 else if ((port = a2port(arg)) == 0)
540 fatal("%s line %d: bad port number", filename, linenum);
542 add_listen_addr(options, p, port);
/* AddressFamily: must also precede ListenAddress, since the family is the
 * getaddrinfo() hint captured when each address is resolved. */
548 if (!arg || *arg == '\0')
549 fatal("%s line %d: missing address family.",
551 intptr = &options->address_family;
552 if (options->listen_addrs != NULL)
553 fatal("%s line %d: address family must be specified before "
554 "ListenAddress.", filename, linenum);
555 if (strcasecmp(arg, "inet") == 0)
557 else if (strcasecmp(arg, "inet6") == 0)
559 else if (strcasecmp(arg, "any") == 0)
562 fatal("%s line %d: unsupported address family \"%s\".",
563 filename, linenum, arg);
/* HostKey: bounded by MAX_HOSTKEYS; charptr targets the next free slot and
 * the parse_filename tail below bumps the counter only when it stores. */
569 intptr = &options->num_host_key_files;
570 if (*intptr >= MAX_HOSTKEYS)
571 fatal("%s line %d: too many host keys specified (max %d).",
572 filename, linenum, MAX_HOSTKEYS);
573 charptr = &options->host_key_files[*intptr];
/* parse_filename tail: first value wins (an already-set field is left
 * untouched); "~" is expanded relative to the daemon's own uid. */
576 if (!arg || *arg == '\0')
577 fatal("%s line %d: missing file name.",
579 if (*charptr == NULL) {
580 *charptr = tilde_expand_filename(arg, getuid());
581 /* increase optional counter */
583 *intptr = *intptr + 1;
588 charptr = &options->pid_file;
591 case sPermitRootLogin:
592 intptr = &options->permit_root_login;
/* Four-valued option; exact (case-sensitive) matches only.  The stores for
 * "yes"/"no" are on lines not shown. */
594 if (!arg || *arg == '\0')
595 fatal("%s line %d: missing yes/"
596 "without-password/forced-commands-only/no "
597 "argument.", filename, linenum);
598 value = 0; /* silence compiler */
599 if (strcmp(arg, "without-password") == 0)
600 value = PERMIT_NO_PASSWD;
601 else if (strcmp(arg, "forced-commands-only") == 0)
602 value = PERMIT_FORCED_ONLY;
603 else if (strcmp(arg, "yes") == 0)
605 else if (strcmp(arg, "no") == 0)
608 fatal("%s line %d: Bad yes/"
609 "without-password/forced-commands-only/no "
610 "argument: %s", filename, linenum, arg);
616 intptr = &options->ignore_rhosts;
/* parse_flag tail: strict "yes"/"no" only (case-sensitive), shared via
 * goto by every boolean option that follows.  The final store into *intptr
 * is on a line not in this listing. */
619 if (!arg || *arg == '\0')
620 fatal("%s line %d: missing yes/no argument.",
622 value = 0; /* silence compiler */
623 if (strcmp(arg, "yes") == 0)
625 else if (strcmp(arg, "no") == 0)
628 fatal("%s line %d: Bad yes/no argument: %s",
629 filename, linenum, arg);
/* Boolean options: each just selects its field and jumps to parse_flag. */
634 case sIgnoreUserKnownHosts:
635 intptr = &options->ignore_user_known_hosts;
638 case sRhostsRSAAuthentication:
639 intptr = &options->rhosts_rsa_authentication;
642 case sHostbasedAuthentication:
643 intptr = &options->hostbased_authentication;
646 case sHostbasedUsesNameFromPacketOnly:
647 intptr = &options->hostbased_uses_name_from_packet_only;
650 case sRSAAuthentication:
651 intptr = &options->rsa_authentication;
654 case sPubkeyAuthentication:
655 intptr = &options->pubkey_authentication;
658 case sKerberosAuthentication:
659 intptr = &options->kerberos_authentication;
662 case sKerberosOrLocalPasswd:
663 intptr = &options->kerberos_or_local_passwd;
666 case sKerberosTicketCleanup:
667 intptr = &options->kerberos_ticket_cleanup;
670 case sKerberosGetAFSToken:
671 intptr = &options->kerberos_get_afs_token;
674 case sGssAuthentication:
675 intptr = &options->gss_authentication;
678 case sGssCleanupCreds:
679 intptr = &options->gss_cleanup_creds;
682 case sPasswordAuthentication:
683 intptr = &options->password_authentication;
686 case sKbdInteractiveAuthentication:
687 intptr = &options->kbd_interactive_authentication;
690 case sChallengeResponseAuthentication:
691 intptr = &options->challenge_response_authentication;
695 intptr = &options->print_motd;
699 intptr = &options->print_lastlog;
703 intptr = &options->x11_forwarding;
706 case sX11DisplayOffset:
707 intptr = &options->x11_display_offset;
710 case sX11UseLocalhost:
711 intptr = &options->x11_use_localhost;
715 charptr = &options->xauth_location;
719 intptr = &options->strict_modes;
723 intptr = &options->tcp_keep_alive;
727 intptr = &options->permit_empty_passwd;
730 case sPermitUserEnvironment:
731 intptr = &options->permit_user_env;
735 intptr = &options->use_login;
739 intptr = &options->compression;
/* Compression is tri-state (delayed/yes/no), so it cannot share parse_flag. */
741 if (!arg || *arg == '\0')
742 fatal("%s line %d: missing yes/no/delayed "
743 "argument.", filename, linenum);
744 value = 0; /* silence compiler */
745 if (strcmp(arg, "delayed") == 0)
746 value = COMP_DELAYED;
747 else if (strcmp(arg, "yes") == 0)
749 else if (strcmp(arg, "no") == 0)
752 fatal("%s line %d: Bad yes/no/delayed "
753 "argument: %s", filename, linenum, arg);
759 intptr = &options->gateway_ports;
/* GatewayPorts is likewise tri-state; the value used for "clientspecified"
 * is on a line not shown. */
761 if (!arg || *arg == '\0')
762 fatal("%s line %d: missing yes/no/clientspecified "
763 "argument.", filename, linenum);
764 value = 0; /* silence compiler */
765 if (strcmp(arg, "clientspecified") == 0)
767 else if (strcmp(arg, "yes") == 0)
769 else if (strcmp(arg, "no") == 0)
772 fatal("%s line %d: Bad yes/no/clientspecified "
773 "argument: %s", filename, linenum, arg);
779 intptr = &options->use_dns;
/* SyslogFacility / LogLevel: the enum fields are written through an int
 * pointer (relies on the enums having int representation); the lookup
 * helpers return the *_NOT_SET sentinel for an unknown name.  A NULL arg
 * is tolerated by the helper and only reported as "<NONE>". */
783 intptr = (int *) &options->log_facility;
785 value = log_facility_number(arg);
786 if (value == SYSLOG_FACILITY_NOT_SET)
787 fatal("%.200s line %d: unsupported log facility '%s'",
788 filename, linenum, arg ? arg : "<NONE>");
790 *intptr = (SyslogFacility) value;
794 intptr = (int *) &options->log_level;
796 value = log_level_number(arg);
797 if (value == SYSLOG_LEVEL_NOT_SET)
798 fatal("%.200s line %d: unsupported log level '%s'",
799 filename, linenum, arg ? arg : "<NONE>");
801 *intptr = (LogLevel) value;
804 case sAllowTcpForwarding:
805 intptr = &options->allow_tcp_forwarding;
/* Writes the file-scope global, not a ServerOptions field. */
808 case sUsePrivilegeSeparation:
809 intptr = &use_privsep;
/* Allow/Deny lists: whitespace-separated patterns, each copied with
 * xstrdup() (shown for deny_groups; the others are on missing lines) and
 * bounded by the corresponding MAX_* array size.  Later lines append. */
813 while ((arg = strdelim(&cp)) && *arg != '\0') {
814 if (options->num_allow_users >= MAX_ALLOW_USERS)
815 fatal("%s line %d: too many allow users.",
817 options->allow_users[options->num_allow_users++] =
823 while ((arg = strdelim(&cp)) && *arg != '\0') {
824 if (options->num_deny_users >= MAX_DENY_USERS)
825 fatal( "%s line %d: too many deny users.",
827 options->deny_users[options->num_deny_users++] =
833 while ((arg = strdelim(&cp)) && *arg != '\0') {
834 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
835 fatal("%s line %d: too many allow groups.",
837 options->allow_groups[options->num_allow_groups++] =
843 while ((arg = strdelim(&cp)) && *arg != '\0') {
844 if (options->num_deny_groups >= MAX_DENY_GROUPS)
845 fatal("%s line %d: too many deny groups.",
847 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
/* Ciphers / MACs: the spec is validated before being accepted, and only the
 * first occurrence is stored. */
853 if (!arg || *arg == '\0')
854 fatal("%s line %d: Missing argument.", filename, linenum);
855 if (!ciphers_valid(arg))
856 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
857 filename, linenum, arg ? arg : "<NONE>");
858 if (options->ciphers == NULL)
859 options->ciphers = xstrdup(arg);
864 if (!arg || *arg == '\0')
865 fatal("%s line %d: Missing argument.", filename, linenum);
867 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
868 filename, linenum, arg ? arg : "<NONE>");
869 if (options->macs == NULL)
870 options->macs = xstrdup(arg);
/* Protocol: proto_spec() parses "1", "2" or "1,2"; first occurrence wins. */
874 intptr = &options->protocol;
876 if (!arg || *arg == '\0')
877 fatal("%s line %d: Missing argument.", filename, linenum);
878 value = proto_spec(arg);
879 if (value == SSH_PROTO_UNKNOWN)
880 fatal("%s line %d: Bad protocol spec '%s'.",
881 filename, linenum, arg ? arg : "<NONE>");
882 if (*intptr == SSH_PROTO_UNKNOWN)
/* Subsystem: "name command [args...]".  Duplicate names are rejected
 * (linear scan), the table is bounded by MAX_SUBSYSTEMS, and the command
 * plus its arguments are re-joined into one heap string. */
887 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
888 fatal("%s line %d: too many subsystems defined.",
892 if (!arg || *arg == '\0')
893 fatal("%s line %d: Missing subsystem name.",
895 for (i = 0; i < options->num_subsystems; i++)
896 if (strcmp(arg, options->subsystem_name[i]) == 0)
897 fatal("%s line %d: Subsystem '%s' already defined.",
898 filename, linenum, arg);
899 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
901 if (!arg || *arg == '\0')
902 fatal("%s line %d: Missing subsystem command.",
904 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
906 /* Collect arguments (separate to executable) */
/* The loop relies on p already holding a NUL-terminated string and len its
 * size (set on lines not shown, presumably from the command token).  Each
 * round grows the buffer by the separator plus the token; both strlcat()
 * calls are bounded by that same len, so the joined string cannot overrun. */
909 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
910 len += 1 + strlen(arg);
911 p = xrealloc(p, 1, len);
912 strlcat(p, " ", len);
913 strlcat(p, arg, len);
915 options->subsystem_args[options->num_subsystems] = p;
916 options->num_subsystems++;
/* MaxStartups: either "begin:rate:full" (begin <= full, rate in 1..100)
 * or a single number, which sets full = begin; any other shape is fatal.
 * sscanf() writes straight into the option fields, which is acceptable
 * only because every failure path ends in fatal(). */
921 if (!arg || *arg == '\0')
922 fatal("%s line %d: Missing MaxStartups spec.",
924 if ((n = sscanf(arg, "%d:%d:%d",
925 &options->max_startups_begin,
926 &options->max_startups_rate,
927 &options->max_startups)) == 3) {
928 if (options->max_startups_begin >
929 options->max_startups ||
930 options->max_startups_rate > 100 ||
931 options->max_startups_rate < 1)
932 fatal("%s line %d: Illegal MaxStartups spec.",
935 fatal("%s line %d: Illegal MaxStartups spec.",
938 options->max_startups = options->max_startups_begin;
942 intptr = &options->max_authtries;
946 charptr = &options->banner;
949 * These options can contain %X options expanded at
950 * connect time, so that you can specify paths like:
952 * AuthorizedKeysFile /etc/ssh_keys/%u
954 case sAuthorizedKeysFile:
955 case sAuthorizedKeysFile2:
/* Both keywords share the parse_filename tail; only the target differs. */
956 charptr = (opcode == sAuthorizedKeysFile ) ?
957 &options->authorized_keys_file :
958 &options->authorized_keys_file2;
961 case sClientAliveInterval:
962 intptr = &options->client_alive_interval;
965 case sClientAliveCountMax:
966 intptr = &options->client_alive_count_max;
/* AcceptEnv: a list of variable-name patterns.  A name containing '=' is
 * refused so the pattern can only ever name a variable, never carry a
 * value; the list is bounded by MAX_ACCEPT_ENV. */
970 while ((arg = strdelim(&cp)) && *arg != '\0') {
971 if (strchr(arg, '=') != NULL)
972 fatal("%s line %d: Invalid environment name.",
974 if (options->num_accept_env >= MAX_ACCEPT_ENV)
975 fatal("%s line %d: too many allow env.",
977 options->accept_env[options->num_accept_env++] =
983 intptr = &options->permit_tun;
/* PermitTunnel: four values, matched case-insensitively unlike the yes/no
 * options above. */
985 if (!arg || *arg == '\0')
986 fatal("%s line %d: Missing yes/point-to-point/"
987 "ethernet/no argument.", filename, linenum);
988 value = 0; /* silence compiler */
989 if (strcasecmp(arg, "ethernet") == 0)
990 value = SSH_TUNMODE_ETHERNET;
991 else if (strcasecmp(arg, "point-to-point") == 0)
992 value = SSH_TUNMODE_POINTOPOINT;
993 else if (strcasecmp(arg, "yes") == 0)
994 value = SSH_TUNMODE_YES;
995 else if (strcasecmp(arg, "no") == 0)
996 value = SSH_TUNMODE_NO;
998 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
999 "no argument: %s", filename, linenum, arg);
/* Deprecated / unsupported keywords are logged and exactly one argument is
 * consumed so the trailing-garbage check below does not fire; a multi-word
 * value would still trip it. */
1005 logit("%s line %d: Deprecated option %s",
1006 filename, linenum, arg);
1008 arg = strdelim(&cp);
1012 logit("%s line %d: Unsupported option %s",
1013 filename, linenum, arg);
1015 arg = strdelim(&cp);
/* Internal consistency check: every enum value must have a case above. */
1019 fatal("%s line %d: Missing handler for opcode %s (%d)",
1020 filename, linenum, arg, opcode);
/* Anything left on the line after the handler ate its arguments is an
 * error -- keeps typos from being silently ignored. */
1022 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1023 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1024 filename, linenum, arg);
1028 /* Reads the server configuration file. */
/*
 * Reads the file into a Buffer as a NUL-terminated blob, with comments
 * removed and leading whitespace stripped but newlines preserved so that
 * parse_server_config() can reconstruct line numbers.  Only '#' is
 * recognised -- there is no quoting at this level, so the first '#' on a
 * line always starts a comment.
 *
 * @param filename  Path of the config file.
 * @param conf      Destination buffer; the trailing "\0" makes buffer_ptr()
 *                  usable as a C string by the parser.
 *
 * The fopen() failure branch is on lines not in this listing.
 */
1031 load_server_config(const char *filename, Buffer *conf)
1033 char line[1024], *cp;
1036 debug2("%s: filename %s", __func__, filename);
1037 if ((f = fopen(filename, "r")) == NULL) {
/* NOTE(review): fgets() returns an over-long line (>= sizeof line) in
 * several pieces, only the last of which carries the newline.  A '#' in an
 * earlier piece is turned into "\n" below, so the remainder of that comment
 * arrives as a line of its own and would be parsed as a keyword. */
1042 while (fgets(line, sizeof(line), f)) {
1044 * Trim out comments and strip whitespace
1045 * NB - preserve newlines, they are needed to reproduce
1046 * line numbers later for error messages
/* Overwrites the '#' with "\n\0" (2 bytes), truncating the line there. */
1048 if ((cp = strchr(line, '#')) != NULL)
1049 memcpy(cp, "\n", 2);
1050 cp = line + strspn(line, " \t\r");
1052 buffer_append(conf, cp, strlen(cp));
1054 buffer_append(conf, "\0", 1);
1056 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1060 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1062 int linenum, bad_options = 0;
1063 char *cp, *obuf, *cbuf;
1065 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1067 obuf = cbuf = xstrdup(buffer_ptr(conf));
1069 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1070 if (process_server_config_line(options, cp, filename,
1075 if (bad_options > 0)
1076 fatal("%s: terminating, %d bad configuration options",
1077 filename, bad_options);