1 /* $OpenBSD: servconf.c,v 1.152 2006/07/08 21:47:12 stevesk Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
23 #include "pathnames.h"
29 static void add_listen_addr(ServerOptions *, char *, u_short);
30 static void add_one_listen_addr(ServerOptions *, char *, u_short);
32 /* Use of privilege separation or not */
33 extern int use_privsep;
35 /* Initializes the server options to their default values. */
38 initialize_server_options(ServerOptions *options)
40 memset(options, 0, sizeof(*options));
42 /* Portable-specific options */
43 options->use_pam = -1;
45 /* Standard Options */
46 options->num_ports = 0;
47 options->ports_from_cmdline = 0;
48 options->listen_addrs = NULL;
49 options->address_family = -1;
50 options->num_host_key_files = 0;
51 options->pid_file = NULL;
52 options->server_key_bits = -1;
53 options->login_grace_time = -1;
54 options->key_regeneration_time = -1;
55 options->permit_root_login = PERMIT_NOT_SET;
56 options->ignore_rhosts = -1;
57 options->ignore_user_known_hosts = -1;
58 options->print_motd = -1;
59 options->print_lastlog = -1;
60 options->x11_forwarding = -1;
61 options->x11_display_offset = -1;
62 options->x11_use_localhost = -1;
63 options->xauth_location = NULL;
64 options->strict_modes = -1;
65 options->tcp_keep_alive = -1;
66 options->log_facility = SYSLOG_FACILITY_NOT_SET;
67 options->log_level = SYSLOG_LEVEL_NOT_SET;
68 options->rhosts_rsa_authentication = -1;
69 options->hostbased_authentication = -1;
70 options->hostbased_uses_name_from_packet_only = -1;
71 options->rsa_authentication = -1;
72 options->pubkey_authentication = -1;
73 options->kerberos_authentication = -1;
74 options->kerberos_or_local_passwd = -1;
75 options->kerberos_ticket_cleanup = -1;
76 options->kerberos_get_afs_token = -1;
77 options->gss_authentication=-1;
78 options->gss_cleanup_creds = -1;
79 options->password_authentication = -1;
80 options->kbd_interactive_authentication = -1;
81 options->challenge_response_authentication = -1;
82 options->permit_empty_passwd = -1;
83 options->permit_user_env = -1;
84 options->use_login = -1;
85 options->compression = -1;
86 options->allow_tcp_forwarding = -1;
87 options->num_allow_users = 0;
88 options->num_deny_users = 0;
89 options->num_allow_groups = 0;
90 options->num_deny_groups = 0;
91 options->ciphers = NULL;
93 options->protocol = SSH_PROTO_UNKNOWN;
94 options->gateway_ports = -1;
95 options->num_subsystems = 0;
96 options->max_startups_begin = -1;
97 options->max_startups_rate = -1;
98 options->max_startups = -1;
99 options->max_authtries = -1;
100 options->banner = NULL;
101 options->use_dns = -1;
102 options->client_alive_interval = -1;
103 options->client_alive_count_max = -1;
104 options->authorized_keys_file = NULL;
105 options->authorized_keys_file2 = NULL;
106 options->num_accept_env = 0;
107 options->permit_tun = -1;
109 /* Needs to be accessable in many places */
114 fill_default_server_options(ServerOptions *options)
116 /* Portable-specific options */
117 if (options->use_pam == -1)
118 options->use_pam = 0;
120 /* Standard Options */
121 if (options->protocol == SSH_PROTO_UNKNOWN)
122 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
123 if (options->num_host_key_files == 0) {
124 /* fill default hostkeys for protocols */
125 if (options->protocol & SSH_PROTO_1)
126 options->host_key_files[options->num_host_key_files++] =
128 if (options->protocol & SSH_PROTO_2) {
129 options->host_key_files[options->num_host_key_files++] =
130 _PATH_HOST_RSA_KEY_FILE;
131 options->host_key_files[options->num_host_key_files++] =
132 _PATH_HOST_DSA_KEY_FILE;
135 if (options->num_ports == 0)
136 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
137 if (options->listen_addrs == NULL)
138 add_listen_addr(options, NULL, 0);
139 if (options->pid_file == NULL)
140 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
141 if (options->server_key_bits == -1)
142 options->server_key_bits = 768;
143 if (options->login_grace_time == -1)
144 options->login_grace_time = 120;
145 if (options->key_regeneration_time == -1)
146 options->key_regeneration_time = 3600;
147 if (options->permit_root_login == PERMIT_NOT_SET)
148 options->permit_root_login = PERMIT_YES;
149 if (options->ignore_rhosts == -1)
150 options->ignore_rhosts = 1;
151 if (options->ignore_user_known_hosts == -1)
152 options->ignore_user_known_hosts = 0;
153 if (options->print_motd == -1)
154 options->print_motd = 1;
155 if (options->print_lastlog == -1)
156 options->print_lastlog = 1;
157 if (options->x11_forwarding == -1)
158 options->x11_forwarding = 0;
159 if (options->x11_display_offset == -1)
160 options->x11_display_offset = 10;
161 if (options->x11_use_localhost == -1)
162 options->x11_use_localhost = 1;
163 if (options->xauth_location == NULL)
164 options->xauth_location = _PATH_XAUTH;
165 if (options->strict_modes == -1)
166 options->strict_modes = 1;
167 if (options->tcp_keep_alive == -1)
168 options->tcp_keep_alive = 1;
169 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
170 options->log_facility = SYSLOG_FACILITY_AUTH;
171 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
172 options->log_level = SYSLOG_LEVEL_INFO;
173 if (options->rhosts_rsa_authentication == -1)
174 options->rhosts_rsa_authentication = 0;
175 if (options->hostbased_authentication == -1)
176 options->hostbased_authentication = 0;
177 if (options->hostbased_uses_name_from_packet_only == -1)
178 options->hostbased_uses_name_from_packet_only = 0;
179 if (options->rsa_authentication == -1)
180 options->rsa_authentication = 1;
181 if (options->pubkey_authentication == -1)
182 options->pubkey_authentication = 1;
183 if (options->kerberos_authentication == -1)
184 options->kerberos_authentication = 0;
185 if (options->kerberos_or_local_passwd == -1)
186 options->kerberos_or_local_passwd = 1;
187 if (options->kerberos_ticket_cleanup == -1)
188 options->kerberos_ticket_cleanup = 1;
189 if (options->kerberos_get_afs_token == -1)
190 options->kerberos_get_afs_token = 0;
191 if (options->gss_authentication == -1)
192 options->gss_authentication = 0;
193 if (options->gss_cleanup_creds == -1)
194 options->gss_cleanup_creds = 1;
195 if (options->password_authentication == -1)
196 options->password_authentication = 1;
197 if (options->kbd_interactive_authentication == -1)
198 options->kbd_interactive_authentication = 0;
199 if (options->challenge_response_authentication == -1)
200 options->challenge_response_authentication = 1;
201 if (options->permit_empty_passwd == -1)
202 options->permit_empty_passwd = 0;
203 if (options->permit_user_env == -1)
204 options->permit_user_env = 0;
205 if (options->use_login == -1)
206 options->use_login = 0;
207 if (options->compression == -1)
208 options->compression = COMP_DELAYED;
209 if (options->allow_tcp_forwarding == -1)
210 options->allow_tcp_forwarding = 1;
211 if (options->gateway_ports == -1)
212 options->gateway_ports = 0;
213 if (options->max_startups == -1)
214 options->max_startups = 10;
215 if (options->max_startups_rate == -1)
216 options->max_startups_rate = 100; /* 100% */
217 if (options->max_startups_begin == -1)
218 options->max_startups_begin = options->max_startups;
219 if (options->max_authtries == -1)
220 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
221 if (options->use_dns == -1)
222 options->use_dns = 1;
223 if (options->client_alive_interval == -1)
224 options->client_alive_interval = 0;
225 if (options->client_alive_count_max == -1)
226 options->client_alive_count_max = 3;
227 if (options->authorized_keys_file2 == NULL) {
228 /* authorized_keys_file2 falls back to authorized_keys_file */
229 if (options->authorized_keys_file != NULL)
230 options->authorized_keys_file2 = options->authorized_keys_file;
232 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
234 if (options->authorized_keys_file == NULL)
235 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
236 if (options->permit_tun == -1)
237 options->permit_tun = SSH_TUNMODE_NO;
239 /* Turn privilege separation on by default */
240 if (use_privsep == -1)
244 if (use_privsep && options->compression == 1) {
245 error("This platform does not support both privilege "
246 "separation and compression");
247 error("Compression disabled");
248 options->compression = 0;
254 /* Keyword tokens. */
256 sBadOption, /* == unknown option */
257 /* Portable-specific options */
259 /* Standard Options */
260 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
261 sPermitRootLogin, sLogFacility, sLogLevel,
262 sRhostsRSAAuthentication, sRSAAuthentication,
263 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
264 sKerberosGetAFSToken,
265 sKerberosTgtPassing, sChallengeResponseAuthentication,
266 sPasswordAuthentication, sKbdInteractiveAuthentication,
267 sListenAddress, sAddressFamily,
268 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
269 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
270 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
271 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
272 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
273 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
274 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
275 sMaxStartups, sMaxAuthTries,
276 sBanner, sUseDNS, sHostbasedAuthentication,
277 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
278 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
279 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
280 sUsePrivilegeSeparation,
281 sDeprecated, sUnsupported
284 /* Textual representation of the tokens. */
287 ServerOpCodes opcode;
289 /* Portable-specific options */
291 { "usepam", sUsePAM },
293 { "usepam", sUnsupported },
295 { "pamauthenticationviakbdint", sDeprecated },
296 /* Standard Options */
298 { "hostkey", sHostKeyFile },
299 { "hostdsakey", sHostKeyFile }, /* alias */
300 { "pidfile", sPidFile },
301 { "serverkeybits", sServerKeyBits },
302 { "logingracetime", sLoginGraceTime },
303 { "keyregenerationinterval", sKeyRegenerationTime },
304 { "permitrootlogin", sPermitRootLogin },
305 { "syslogfacility", sLogFacility },
306 { "loglevel", sLogLevel },
307 { "rhostsauthentication", sDeprecated },
308 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
309 { "hostbasedauthentication", sHostbasedAuthentication },
310 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
311 { "rsaauthentication", sRSAAuthentication },
312 { "pubkeyauthentication", sPubkeyAuthentication },
313 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
315 { "kerberosauthentication", sKerberosAuthentication },
316 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
317 { "kerberosticketcleanup", sKerberosTicketCleanup },
319 { "kerberosgetafstoken", sKerberosGetAFSToken },
321 { "kerberosgetafstoken", sUnsupported },
324 { "kerberosauthentication", sUnsupported },
325 { "kerberosorlocalpasswd", sUnsupported },
326 { "kerberosticketcleanup", sUnsupported },
327 { "kerberosgetafstoken", sUnsupported },
329 { "kerberostgtpassing", sUnsupported },
330 { "afstokenpassing", sUnsupported },
332 { "gssapiauthentication", sGssAuthentication },
333 { "gssapicleanupcredentials", sGssCleanupCreds },
335 { "gssapiauthentication", sUnsupported },
336 { "gssapicleanupcredentials", sUnsupported },
338 { "passwordauthentication", sPasswordAuthentication },
339 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
340 { "challengeresponseauthentication", sChallengeResponseAuthentication },
341 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
342 { "checkmail", sDeprecated },
343 { "listenaddress", sListenAddress },
344 { "addressfamily", sAddressFamily },
345 { "printmotd", sPrintMotd },
346 { "printlastlog", sPrintLastLog },
347 { "ignorerhosts", sIgnoreRhosts },
348 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
349 { "x11forwarding", sX11Forwarding },
350 { "x11displayoffset", sX11DisplayOffset },
351 { "x11uselocalhost", sX11UseLocalhost },
352 { "xauthlocation", sXAuthLocation },
353 { "strictmodes", sStrictModes },
354 { "permitemptypasswords", sEmptyPasswd },
355 { "permituserenvironment", sPermitUserEnvironment },
356 { "uselogin", sUseLogin },
357 { "compression", sCompression },
358 { "tcpkeepalive", sTCPKeepAlive },
359 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
360 { "allowtcpforwarding", sAllowTcpForwarding },
361 { "allowusers", sAllowUsers },
362 { "denyusers", sDenyUsers },
363 { "allowgroups", sAllowGroups },
364 { "denygroups", sDenyGroups },
365 { "ciphers", sCiphers },
367 { "protocol", sProtocol },
368 { "gatewayports", sGatewayPorts },
369 { "subsystem", sSubsystem },
370 { "maxstartups", sMaxStartups },
371 { "maxauthtries", sMaxAuthTries },
372 { "banner", sBanner },
373 { "usedns", sUseDNS },
374 { "verifyreversemapping", sDeprecated },
375 { "reversemappingcheck", sDeprecated },
376 { "clientaliveinterval", sClientAliveInterval },
377 { "clientalivecountmax", sClientAliveCountMax },
378 { "authorizedkeysfile", sAuthorizedKeysFile },
379 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
380 { "useprivilegeseparation", sUsePrivilegeSeparation},
381 { "acceptenv", sAcceptEnv },
382 { "permittunnel", sPermitTunnel },
387 * Returns the number of the token pointed to by cp or sBadOption.
391 parse_token(const char *cp, const char *filename,
396 for (i = 0; keywords[i].name; i++)
397 if (strcasecmp(cp, keywords[i].name) == 0)
398 return keywords[i].opcode;
400 error("%s: line %d: Bad configuration option: %s",
401 filename, linenum, cp);
406 add_listen_addr(ServerOptions *options, char *addr, u_short port)
410 if (options->num_ports == 0)
411 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
412 if (options->address_family == -1)
413 options->address_family = AF_UNSPEC;
415 for (i = 0; i < options->num_ports; i++)
416 add_one_listen_addr(options, addr, options->ports[i]);
418 add_one_listen_addr(options, addr, port);
422 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
424 struct addrinfo hints, *ai, *aitop;
425 char strport[NI_MAXSERV];
428 memset(&hints, 0, sizeof(hints));
429 hints.ai_family = options->address_family;
430 hints.ai_socktype = SOCK_STREAM;
431 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
432 snprintf(strport, sizeof strport, "%u", port);
433 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
434 fatal("bad addr or host: %s (%s)",
435 addr ? addr : "<NULL>",
436 gai_strerror(gaierr));
437 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
439 ai->ai_next = options->listen_addrs;
440 options->listen_addrs = aitop;
444 process_server_config_line(ServerOptions *options, char *line,
445 const char *filename, int linenum)
447 char *cp, **charptr, *arg, *p;
448 int *intptr, value, n;
449 ServerOpCodes opcode;
455 if ((arg = strdelim(&cp)) == NULL)
457 /* Ignore leading whitespace */
460 if (!arg || !*arg || *arg == '#')
464 opcode = parse_token(arg, filename, linenum);
466 /* Portable-specific options */
468 intptr = &options->use_pam;
471 /* Standard Options */
475 /* ignore ports from configfile if cmdline specifies ports */
476 if (options->ports_from_cmdline)
478 if (options->listen_addrs != NULL)
479 fatal("%s line %d: ports must be specified before "
480 "ListenAddress.", filename, linenum);
481 if (options->num_ports >= MAX_PORTS)
482 fatal("%s line %d: too many ports.",
485 if (!arg || *arg == '\0')
486 fatal("%s line %d: missing port number.",
488 options->ports[options->num_ports++] = a2port(arg);
489 if (options->ports[options->num_ports-1] == 0)
490 fatal("%s line %d: Badly formatted port number.",
495 intptr = &options->server_key_bits;
498 if (!arg || *arg == '\0')
499 fatal("%s line %d: missing integer value.",
506 case sLoginGraceTime:
507 intptr = &options->login_grace_time;
510 if (!arg || *arg == '\0')
511 fatal("%s line %d: missing time value.",
513 if ((value = convtime(arg)) == -1)
514 fatal("%s line %d: invalid time value.",
520 case sKeyRegenerationTime:
521 intptr = &options->key_regeneration_time;
526 if (arg == NULL || *arg == '\0')
527 fatal("%s line %d: missing address",
529 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
530 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
531 && strchr(p+1, ':') != NULL) {
532 add_listen_addr(options, arg, 0);
537 fatal("%s line %d: bad address:port usage",
539 p = cleanhostname(p);
542 else if ((port = a2port(arg)) == 0)
543 fatal("%s line %d: bad port number", filename, linenum);
545 add_listen_addr(options, p, port);
551 if (!arg || *arg == '\0')
552 fatal("%s line %d: missing address family.",
554 intptr = &options->address_family;
555 if (options->listen_addrs != NULL)
556 fatal("%s line %d: address family must be specified before "
557 "ListenAddress.", filename, linenum);
558 if (strcasecmp(arg, "inet") == 0)
560 else if (strcasecmp(arg, "inet6") == 0)
562 else if (strcasecmp(arg, "any") == 0)
565 fatal("%s line %d: unsupported address family \"%s\".",
566 filename, linenum, arg);
572 intptr = &options->num_host_key_files;
573 if (*intptr >= MAX_HOSTKEYS)
574 fatal("%s line %d: too many host keys specified (max %d).",
575 filename, linenum, MAX_HOSTKEYS);
576 charptr = &options->host_key_files[*intptr];
579 if (!arg || *arg == '\0')
580 fatal("%s line %d: missing file name.",
582 if (*charptr == NULL) {
583 *charptr = tilde_expand_filename(arg, getuid());
584 /* increase optional counter */
586 *intptr = *intptr + 1;
591 charptr = &options->pid_file;
594 case sPermitRootLogin:
595 intptr = &options->permit_root_login;
597 if (!arg || *arg == '\0')
598 fatal("%s line %d: missing yes/"
599 "without-password/forced-commands-only/no "
600 "argument.", filename, linenum);
601 value = 0; /* silence compiler */
602 if (strcmp(arg, "without-password") == 0)
603 value = PERMIT_NO_PASSWD;
604 else if (strcmp(arg, "forced-commands-only") == 0)
605 value = PERMIT_FORCED_ONLY;
606 else if (strcmp(arg, "yes") == 0)
608 else if (strcmp(arg, "no") == 0)
611 fatal("%s line %d: Bad yes/"
612 "without-password/forced-commands-only/no "
613 "argument: %s", filename, linenum, arg);
619 intptr = &options->ignore_rhosts;
622 if (!arg || *arg == '\0')
623 fatal("%s line %d: missing yes/no argument.",
625 value = 0; /* silence compiler */
626 if (strcmp(arg, "yes") == 0)
628 else if (strcmp(arg, "no") == 0)
631 fatal("%s line %d: Bad yes/no argument: %s",
632 filename, linenum, arg);
637 case sIgnoreUserKnownHosts:
638 intptr = &options->ignore_user_known_hosts;
641 case sRhostsRSAAuthentication:
642 intptr = &options->rhosts_rsa_authentication;
645 case sHostbasedAuthentication:
646 intptr = &options->hostbased_authentication;
649 case sHostbasedUsesNameFromPacketOnly:
650 intptr = &options->hostbased_uses_name_from_packet_only;
653 case sRSAAuthentication:
654 intptr = &options->rsa_authentication;
657 case sPubkeyAuthentication:
658 intptr = &options->pubkey_authentication;
661 case sKerberosAuthentication:
662 intptr = &options->kerberos_authentication;
665 case sKerberosOrLocalPasswd:
666 intptr = &options->kerberos_or_local_passwd;
669 case sKerberosTicketCleanup:
670 intptr = &options->kerberos_ticket_cleanup;
673 case sKerberosGetAFSToken:
674 intptr = &options->kerberos_get_afs_token;
677 case sGssAuthentication:
678 intptr = &options->gss_authentication;
681 case sGssCleanupCreds:
682 intptr = &options->gss_cleanup_creds;
685 case sPasswordAuthentication:
686 intptr = &options->password_authentication;
689 case sKbdInteractiveAuthentication:
690 intptr = &options->kbd_interactive_authentication;
693 case sChallengeResponseAuthentication:
694 intptr = &options->challenge_response_authentication;
698 intptr = &options->print_motd;
702 intptr = &options->print_lastlog;
706 intptr = &options->x11_forwarding;
709 case sX11DisplayOffset:
710 intptr = &options->x11_display_offset;
713 case sX11UseLocalhost:
714 intptr = &options->x11_use_localhost;
718 charptr = &options->xauth_location;
722 intptr = &options->strict_modes;
726 intptr = &options->tcp_keep_alive;
730 intptr = &options->permit_empty_passwd;
733 case sPermitUserEnvironment:
734 intptr = &options->permit_user_env;
738 intptr = &options->use_login;
742 intptr = &options->compression;
744 if (!arg || *arg == '\0')
745 fatal("%s line %d: missing yes/no/delayed "
746 "argument.", filename, linenum);
747 value = 0; /* silence compiler */
748 if (strcmp(arg, "delayed") == 0)
749 value = COMP_DELAYED;
750 else if (strcmp(arg, "yes") == 0)
752 else if (strcmp(arg, "no") == 0)
755 fatal("%s line %d: Bad yes/no/delayed "
756 "argument: %s", filename, linenum, arg);
762 intptr = &options->gateway_ports;
764 if (!arg || *arg == '\0')
765 fatal("%s line %d: missing yes/no/clientspecified "
766 "argument.", filename, linenum);
767 value = 0; /* silence compiler */
768 if (strcmp(arg, "clientspecified") == 0)
770 else if (strcmp(arg, "yes") == 0)
772 else if (strcmp(arg, "no") == 0)
775 fatal("%s line %d: Bad yes/no/clientspecified "
776 "argument: %s", filename, linenum, arg);
782 intptr = &options->use_dns;
786 intptr = (int *) &options->log_facility;
788 value = log_facility_number(arg);
789 if (value == SYSLOG_FACILITY_NOT_SET)
790 fatal("%.200s line %d: unsupported log facility '%s'",
791 filename, linenum, arg ? arg : "<NONE>");
793 *intptr = (SyslogFacility) value;
797 intptr = (int *) &options->log_level;
799 value = log_level_number(arg);
800 if (value == SYSLOG_LEVEL_NOT_SET)
801 fatal("%.200s line %d: unsupported log level '%s'",
802 filename, linenum, arg ? arg : "<NONE>");
804 *intptr = (LogLevel) value;
807 case sAllowTcpForwarding:
808 intptr = &options->allow_tcp_forwarding;
811 case sUsePrivilegeSeparation:
812 intptr = &use_privsep;
816 while ((arg = strdelim(&cp)) && *arg != '\0') {
817 if (options->num_allow_users >= MAX_ALLOW_USERS)
818 fatal("%s line %d: too many allow users.",
820 options->allow_users[options->num_allow_users++] =
826 while ((arg = strdelim(&cp)) && *arg != '\0') {
827 if (options->num_deny_users >= MAX_DENY_USERS)
828 fatal( "%s line %d: too many deny users.",
830 options->deny_users[options->num_deny_users++] =
836 while ((arg = strdelim(&cp)) && *arg != '\0') {
837 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
838 fatal("%s line %d: too many allow groups.",
840 options->allow_groups[options->num_allow_groups++] =
846 while ((arg = strdelim(&cp)) && *arg != '\0') {
847 if (options->num_deny_groups >= MAX_DENY_GROUPS)
848 fatal("%s line %d: too many deny groups.",
850 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
856 if (!arg || *arg == '\0')
857 fatal("%s line %d: Missing argument.", filename, linenum);
858 if (!ciphers_valid(arg))
859 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
860 filename, linenum, arg ? arg : "<NONE>");
861 if (options->ciphers == NULL)
862 options->ciphers = xstrdup(arg);
867 if (!arg || *arg == '\0')
868 fatal("%s line %d: Missing argument.", filename, linenum);
870 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
871 filename, linenum, arg ? arg : "<NONE>");
872 if (options->macs == NULL)
873 options->macs = xstrdup(arg);
877 intptr = &options->protocol;
879 if (!arg || *arg == '\0')
880 fatal("%s line %d: Missing argument.", filename, linenum);
881 value = proto_spec(arg);
882 if (value == SSH_PROTO_UNKNOWN)
883 fatal("%s line %d: Bad protocol spec '%s'.",
884 filename, linenum, arg ? arg : "<NONE>");
885 if (*intptr == SSH_PROTO_UNKNOWN)
890 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
891 fatal("%s line %d: too many subsystems defined.",
895 if (!arg || *arg == '\0')
896 fatal("%s line %d: Missing subsystem name.",
898 for (i = 0; i < options->num_subsystems; i++)
899 if (strcmp(arg, options->subsystem_name[i]) == 0)
900 fatal("%s line %d: Subsystem '%s' already defined.",
901 filename, linenum, arg);
902 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
904 if (!arg || *arg == '\0')
905 fatal("%s line %d: Missing subsystem command.",
907 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
909 /* Collect arguments (separate to executable) */
912 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
913 len += 1 + strlen(arg);
914 p = xrealloc(p, 1, len);
915 strlcat(p, " ", len);
916 strlcat(p, arg, len);
918 options->subsystem_args[options->num_subsystems] = p;
919 options->num_subsystems++;
924 if (!arg || *arg == '\0')
925 fatal("%s line %d: Missing MaxStartups spec.",
927 if ((n = sscanf(arg, "%d:%d:%d",
928 &options->max_startups_begin,
929 &options->max_startups_rate,
930 &options->max_startups)) == 3) {
931 if (options->max_startups_begin >
932 options->max_startups ||
933 options->max_startups_rate > 100 ||
934 options->max_startups_rate < 1)
935 fatal("%s line %d: Illegal MaxStartups spec.",
938 fatal("%s line %d: Illegal MaxStartups spec.",
941 options->max_startups = options->max_startups_begin;
945 intptr = &options->max_authtries;
949 charptr = &options->banner;
952 * These options can contain %X options expanded at
953 * connect time, so that you can specify paths like:
955 * AuthorizedKeysFile /etc/ssh_keys/%u
957 case sAuthorizedKeysFile:
958 case sAuthorizedKeysFile2:
959 charptr = (opcode == sAuthorizedKeysFile ) ?
960 &options->authorized_keys_file :
961 &options->authorized_keys_file2;
964 case sClientAliveInterval:
965 intptr = &options->client_alive_interval;
968 case sClientAliveCountMax:
969 intptr = &options->client_alive_count_max;
973 while ((arg = strdelim(&cp)) && *arg != '\0') {
974 if (strchr(arg, '=') != NULL)
975 fatal("%s line %d: Invalid environment name.",
977 if (options->num_accept_env >= MAX_ACCEPT_ENV)
978 fatal("%s line %d: too many allow env.",
980 options->accept_env[options->num_accept_env++] =
986 intptr = &options->permit_tun;
988 if (!arg || *arg == '\0')
989 fatal("%s line %d: Missing yes/point-to-point/"
990 "ethernet/no argument.", filename, linenum);
991 value = 0; /* silence compiler */
992 if (strcasecmp(arg, "ethernet") == 0)
993 value = SSH_TUNMODE_ETHERNET;
994 else if (strcasecmp(arg, "point-to-point") == 0)
995 value = SSH_TUNMODE_POINTOPOINT;
996 else if (strcasecmp(arg, "yes") == 0)
997 value = SSH_TUNMODE_YES;
998 else if (strcasecmp(arg, "no") == 0)
999 value = SSH_TUNMODE_NO;
1001 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1002 "no argument: %s", filename, linenum, arg);
1008 logit("%s line %d: Deprecated option %s",
1009 filename, linenum, arg);
1011 arg = strdelim(&cp);
1015 logit("%s line %d: Unsupported option %s",
1016 filename, linenum, arg);
1018 arg = strdelim(&cp);
1022 fatal("%s line %d: Missing handler for opcode %s (%d)",
1023 filename, linenum, arg, opcode);
1025 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1026 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1027 filename, linenum, arg);
1031 /* Reads the server configuration file. */
1034 load_server_config(const char *filename, Buffer *conf)
1036 char line[1024], *cp;
1039 debug2("%s: filename %s", __func__, filename);
1040 if ((f = fopen(filename, "r")) == NULL) {
1045 while (fgets(line, sizeof(line), f)) {
1047 * Trim out comments and strip whitespace
1048 * NB - preserve newlines, they are needed to reproduce
1049 * line numbers later for error messages
1051 if ((cp = strchr(line, '#')) != NULL)
1052 memcpy(cp, "\n", 2);
1053 cp = line + strspn(line, " \t\r");
1055 buffer_append(conf, cp, strlen(cp));
1057 buffer_append(conf, "\0", 1);
1059 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1063 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1065 int linenum, bad_options = 0;
1066 char *cp, *obuf, *cbuf;
1068 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1070 obuf = cbuf = xstrdup(buffer_ptr(conf));
1072 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1073 if (process_server_config_line(options, cp, filename,
1078 if (bad_options > 0)
1079 fatal("%s: terminating, %d bad configuration options",
1080 filename, bad_options);
andersk / openssh.git / blob