2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
19 #include "pathnames.h"
25 static void add_listen_addr(ServerOptions *, char *, u_short);
26 static void add_one_listen_addr(ServerOptions *, char *, u_short);
28 /* Use of privilege separation or not */
29 extern int use_privsep;
31 /* Initializes the server options to their default values. */
34 initialize_server_options(ServerOptions *options)
36 memset(options, 0, sizeof(*options));
38 /* Portable-specific options */
39 options->use_pam = -1;
41 /* Standard Options */
42 options->num_ports = 0;
43 options->ports_from_cmdline = 0;
44 options->listen_addrs = NULL;
45 options->address_family = -1;
46 options->num_host_key_files = 0;
47 options->pid_file = NULL;
48 options->server_key_bits = -1;
49 options->login_grace_time = -1;
50 options->key_regeneration_time = -1;
51 options->permit_root_login = PERMIT_NOT_SET;
52 options->ignore_rhosts = -1;
53 options->ignore_user_known_hosts = -1;
54 options->print_motd = -1;
55 options->print_lastlog = -1;
56 options->x11_forwarding = -1;
57 options->x11_display_offset = -1;
58 options->x11_use_localhost = -1;
59 options->xauth_location = NULL;
60 options->strict_modes = -1;
61 options->tcp_keep_alive = -1;
62 options->log_facility = SYSLOG_FACILITY_NOT_SET;
63 options->log_level = SYSLOG_LEVEL_NOT_SET;
64 options->rhosts_rsa_authentication = -1;
65 options->hostbased_authentication = -1;
66 options->hostbased_uses_name_from_packet_only = -1;
67 options->rsa_authentication = -1;
68 options->pubkey_authentication = -1;
69 options->kerberos_authentication = -1;
70 options->kerberos_or_local_passwd = -1;
71 options->kerberos_ticket_cleanup = -1;
72 options->kerberos_get_afs_token = -1;
73 options->gss_authentication=-1;
74 options->gss_cleanup_creds = -1;
75 options->password_authentication = -1;
76 options->kbd_interactive_authentication = -1;
77 options->challenge_response_authentication = -1;
78 options->permit_empty_passwd = -1;
79 options->permit_user_env = -1;
80 options->use_login = -1;
81 options->compression = -1;
82 options->allow_tcp_forwarding = -1;
83 options->num_allow_users = 0;
84 options->num_deny_users = 0;
85 options->num_allow_groups = 0;
86 options->num_deny_groups = 0;
87 options->ciphers = NULL;
89 options->protocol = SSH_PROTO_UNKNOWN;
90 options->gateway_ports = -1;
91 options->num_subsystems = 0;
92 options->max_startups_begin = -1;
93 options->max_startups_rate = -1;
94 options->max_startups = -1;
95 options->max_authtries = -1;
96 options->banner = NULL;
97 options->use_dns = -1;
98 options->client_alive_interval = -1;
99 options->client_alive_count_max = -1;
100 options->authorized_keys_file = NULL;
101 options->authorized_keys_file2 = NULL;
102 options->num_accept_env = 0;
103 options->permit_tun = -1;
105 /* Needs to be accessable in many places */
110 fill_default_server_options(ServerOptions *options)
112 /* Portable-specific options */
113 if (options->use_pam == -1)
114 options->use_pam = 0;
116 /* Standard Options */
117 if (options->protocol == SSH_PROTO_UNKNOWN)
118 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
119 if (options->num_host_key_files == 0) {
120 /* fill default hostkeys for protocols */
121 if (options->protocol & SSH_PROTO_1)
122 options->host_key_files[options->num_host_key_files++] =
124 if (options->protocol & SSH_PROTO_2) {
125 options->host_key_files[options->num_host_key_files++] =
126 _PATH_HOST_RSA_KEY_FILE;
127 options->host_key_files[options->num_host_key_files++] =
128 _PATH_HOST_DSA_KEY_FILE;
131 if (options->num_ports == 0)
132 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
133 if (options->listen_addrs == NULL)
134 add_listen_addr(options, NULL, 0);
135 if (options->pid_file == NULL)
136 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
137 if (options->server_key_bits == -1)
138 options->server_key_bits = 768;
139 if (options->login_grace_time == -1)
140 options->login_grace_time = 120;
141 if (options->key_regeneration_time == -1)
142 options->key_regeneration_time = 3600;
143 if (options->permit_root_login == PERMIT_NOT_SET)
144 options->permit_root_login = PERMIT_YES;
145 if (options->ignore_rhosts == -1)
146 options->ignore_rhosts = 1;
147 if (options->ignore_user_known_hosts == -1)
148 options->ignore_user_known_hosts = 0;
149 if (options->print_motd == -1)
150 options->print_motd = 1;
151 if (options->print_lastlog == -1)
152 options->print_lastlog = 1;
153 if (options->x11_forwarding == -1)
154 options->x11_forwarding = 0;
155 if (options->x11_display_offset == -1)
156 options->x11_display_offset = 10;
157 if (options->x11_use_localhost == -1)
158 options->x11_use_localhost = 1;
159 if (options->xauth_location == NULL)
160 options->xauth_location = _PATH_XAUTH;
161 if (options->strict_modes == -1)
162 options->strict_modes = 1;
163 if (options->tcp_keep_alive == -1)
164 options->tcp_keep_alive = 1;
165 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
166 options->log_facility = SYSLOG_FACILITY_AUTH;
167 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
168 options->log_level = SYSLOG_LEVEL_INFO;
169 if (options->rhosts_rsa_authentication == -1)
170 options->rhosts_rsa_authentication = 0;
171 if (options->hostbased_authentication == -1)
172 options->hostbased_authentication = 0;
173 if (options->hostbased_uses_name_from_packet_only == -1)
174 options->hostbased_uses_name_from_packet_only = 0;
175 if (options->rsa_authentication == -1)
176 options->rsa_authentication = 1;
177 if (options->pubkey_authentication == -1)
178 options->pubkey_authentication = 1;
179 if (options->kerberos_authentication == -1)
180 options->kerberos_authentication = 0;
181 if (options->kerberos_or_local_passwd == -1)
182 options->kerberos_or_local_passwd = 1;
183 if (options->kerberos_ticket_cleanup == -1)
184 options->kerberos_ticket_cleanup = 1;
185 if (options->kerberos_get_afs_token == -1)
186 options->kerberos_get_afs_token = 0;
187 if (options->gss_authentication == -1)
188 options->gss_authentication = 0;
189 if (options->gss_cleanup_creds == -1)
190 options->gss_cleanup_creds = 1;
191 if (options->password_authentication == -1)
192 options->password_authentication = 1;
193 if (options->kbd_interactive_authentication == -1)
194 options->kbd_interactive_authentication = 0;
195 if (options->challenge_response_authentication == -1)
196 options->challenge_response_authentication = 1;
197 if (options->permit_empty_passwd == -1)
198 options->permit_empty_passwd = 0;
199 if (options->permit_user_env == -1)
200 options->permit_user_env = 0;
201 if (options->use_login == -1)
202 options->use_login = 0;
203 if (options->compression == -1)
204 options->compression = COMP_DELAYED;
205 if (options->allow_tcp_forwarding == -1)
206 options->allow_tcp_forwarding = 1;
207 if (options->gateway_ports == -1)
208 options->gateway_ports = 0;
209 if (options->max_startups == -1)
210 options->max_startups = 10;
211 if (options->max_startups_rate == -1)
212 options->max_startups_rate = 100; /* 100% */
213 if (options->max_startups_begin == -1)
214 options->max_startups_begin = options->max_startups;
215 if (options->max_authtries == -1)
216 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
217 if (options->use_dns == -1)
218 options->use_dns = 1;
219 if (options->client_alive_interval == -1)
220 options->client_alive_interval = 0;
221 if (options->client_alive_count_max == -1)
222 options->client_alive_count_max = 3;
223 if (options->authorized_keys_file2 == NULL) {
224 /* authorized_keys_file2 falls back to authorized_keys_file */
225 if (options->authorized_keys_file != NULL)
226 options->authorized_keys_file2 = options->authorized_keys_file;
228 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
230 if (options->authorized_keys_file == NULL)
231 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
232 if (options->permit_tun == -1)
233 options->permit_tun = SSH_TUNMODE_NO;
235 /* Turn privilege separation on by default */
236 if (use_privsep == -1)
240 if (use_privsep && options->compression == 1) {
241 error("This platform does not support both privilege "
242 "separation and compression");
243 error("Compression disabled");
244 options->compression = 0;
250 /* Keyword tokens. */
252 sBadOption, /* == unknown option */
253 /* Portable-specific options */
255 /* Standard Options */
256 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
257 sPermitRootLogin, sLogFacility, sLogLevel,
258 sRhostsRSAAuthentication, sRSAAuthentication,
259 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
260 sKerberosGetAFSToken,
261 sKerberosTgtPassing, sChallengeResponseAuthentication,
262 sPasswordAuthentication, sKbdInteractiveAuthentication,
263 sListenAddress, sAddressFamily,
264 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
265 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
266 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
267 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
268 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
269 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
270 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
271 sMaxStartups, sMaxAuthTries,
272 sBanner, sUseDNS, sHostbasedAuthentication,
273 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
274 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
275 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
276 sUsePrivilegeSeparation,
277 sDeprecated, sUnsupported
280 /* Textual representation of the tokens. */
283 ServerOpCodes opcode;
285 /* Portable-specific options */
287 { "usepam", sUsePAM },
289 { "usepam", sUnsupported },
291 { "pamauthenticationviakbdint", sDeprecated },
292 /* Standard Options */
294 { "hostkey", sHostKeyFile },
295 { "hostdsakey", sHostKeyFile }, /* alias */
296 { "pidfile", sPidFile },
297 { "serverkeybits", sServerKeyBits },
298 { "logingracetime", sLoginGraceTime },
299 { "keyregenerationinterval", sKeyRegenerationTime },
300 { "permitrootlogin", sPermitRootLogin },
301 { "syslogfacility", sLogFacility },
302 { "loglevel", sLogLevel },
303 { "rhostsauthentication", sDeprecated },
304 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
305 { "hostbasedauthentication", sHostbasedAuthentication },
306 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
307 { "rsaauthentication", sRSAAuthentication },
308 { "pubkeyauthentication", sPubkeyAuthentication },
309 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
311 { "kerberosauthentication", sKerberosAuthentication },
312 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
313 { "kerberosticketcleanup", sKerberosTicketCleanup },
315 { "kerberosgetafstoken", sKerberosGetAFSToken },
317 { "kerberosgetafstoken", sUnsupported },
320 { "kerberosauthentication", sUnsupported },
321 { "kerberosorlocalpasswd", sUnsupported },
322 { "kerberosticketcleanup", sUnsupported },
323 { "kerberosgetafstoken", sUnsupported },
325 { "kerberostgtpassing", sUnsupported },
326 { "afstokenpassing", sUnsupported },
328 { "gssapiauthentication", sGssAuthentication },
329 { "gssapicleanupcredentials", sGssCleanupCreds },
331 { "gssapiauthentication", sUnsupported },
332 { "gssapicleanupcredentials", sUnsupported },
334 { "passwordauthentication", sPasswordAuthentication },
335 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
336 { "challengeresponseauthentication", sChallengeResponseAuthentication },
337 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
338 { "checkmail", sDeprecated },
339 { "listenaddress", sListenAddress },
340 { "addressfamily", sAddressFamily },
341 { "printmotd", sPrintMotd },
342 { "printlastlog", sPrintLastLog },
343 { "ignorerhosts", sIgnoreRhosts },
344 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
345 { "x11forwarding", sX11Forwarding },
346 { "x11displayoffset", sX11DisplayOffset },
347 { "x11uselocalhost", sX11UseLocalhost },
348 { "xauthlocation", sXAuthLocation },
349 { "strictmodes", sStrictModes },
350 { "permitemptypasswords", sEmptyPasswd },
351 { "permituserenvironment", sPermitUserEnvironment },
352 { "uselogin", sUseLogin },
353 { "compression", sCompression },
354 { "tcpkeepalive", sTCPKeepAlive },
355 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
356 { "allowtcpforwarding", sAllowTcpForwarding },
357 { "allowusers", sAllowUsers },
358 { "denyusers", sDenyUsers },
359 { "allowgroups", sAllowGroups },
360 { "denygroups", sDenyGroups },
361 { "ciphers", sCiphers },
363 { "protocol", sProtocol },
364 { "gatewayports", sGatewayPorts },
365 { "subsystem", sSubsystem },
366 { "maxstartups", sMaxStartups },
367 { "maxauthtries", sMaxAuthTries },
368 { "banner", sBanner },
369 { "usedns", sUseDNS },
370 { "verifyreversemapping", sDeprecated },
371 { "reversemappingcheck", sDeprecated },
372 { "clientaliveinterval", sClientAliveInterval },
373 { "clientalivecountmax", sClientAliveCountMax },
374 { "authorizedkeysfile", sAuthorizedKeysFile },
375 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
376 { "useprivilegeseparation", sUsePrivilegeSeparation},
377 { "acceptenv", sAcceptEnv },
378 { "permittunnel", sPermitTunnel },
383 * Returns the number of the token pointed to by cp or sBadOption.
387 parse_token(const char *cp, const char *filename,
392 for (i = 0; keywords[i].name; i++)
393 if (strcasecmp(cp, keywords[i].name) == 0)
394 return keywords[i].opcode;
396 error("%s: line %d: Bad configuration option: %s",
397 filename, linenum, cp);
402 add_listen_addr(ServerOptions *options, char *addr, u_short port)
406 if (options->num_ports == 0)
407 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
408 if (options->address_family == -1)
409 options->address_family = AF_UNSPEC;
411 for (i = 0; i < options->num_ports; i++)
412 add_one_listen_addr(options, addr, options->ports[i]);
414 add_one_listen_addr(options, addr, port);
418 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
420 struct addrinfo hints, *ai, *aitop;
421 char strport[NI_MAXSERV];
424 memset(&hints, 0, sizeof(hints));
425 hints.ai_family = options->address_family;
426 hints.ai_socktype = SOCK_STREAM;
427 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
428 snprintf(strport, sizeof strport, "%u", port);
429 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
430 fatal("bad addr or host: %s (%s)",
431 addr ? addr : "<NULL>",
432 gai_strerror(gaierr));
433 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
435 ai->ai_next = options->listen_addrs;
436 options->listen_addrs = aitop;
440 process_server_config_line(ServerOptions *options, char *line,
441 const char *filename, int linenum)
443 char *cp, **charptr, *arg, *p;
444 int *intptr, value, n;
445 ServerOpCodes opcode;
451 /* Ignore leading whitespace */
454 if (!arg || !*arg || *arg == '#')
458 opcode = parse_token(arg, filename, linenum);
460 /* Portable-specific options */
462 intptr = &options->use_pam;
465 /* Standard Options */
469 /* ignore ports from configfile if cmdline specifies ports */
470 if (options->ports_from_cmdline)
472 if (options->listen_addrs != NULL)
473 fatal("%s line %d: ports must be specified before "
474 "ListenAddress.", filename, linenum);
475 if (options->num_ports >= MAX_PORTS)
476 fatal("%s line %d: too many ports.",
479 if (!arg || *arg == '\0')
480 fatal("%s line %d: missing port number.",
482 options->ports[options->num_ports++] = a2port(arg);
483 if (options->ports[options->num_ports-1] == 0)
484 fatal("%s line %d: Badly formatted port number.",
489 intptr = &options->server_key_bits;
492 if (!arg || *arg == '\0')
493 fatal("%s line %d: missing integer value.",
500 case sLoginGraceTime:
501 intptr = &options->login_grace_time;
504 if (!arg || *arg == '\0')
505 fatal("%s line %d: missing time value.",
507 if ((value = convtime(arg)) == -1)
508 fatal("%s line %d: invalid time value.",
514 case sKeyRegenerationTime:
515 intptr = &options->key_regeneration_time;
520 if (arg == NULL || *arg == '\0')
521 fatal("%s line %d: missing address",
523 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
524 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
525 && strchr(p+1, ':') != NULL) {
526 add_listen_addr(options, arg, 0);
531 fatal("%s line %d: bad address:port usage",
533 p = cleanhostname(p);
536 else if ((port = a2port(arg)) == 0)
537 fatal("%s line %d: bad port number", filename, linenum);
539 add_listen_addr(options, p, port);
545 if (!arg || *arg == '\0')
546 fatal("%s line %d: missing address family.",
548 intptr = &options->address_family;
549 if (options->listen_addrs != NULL)
550 fatal("%s line %d: address family must be specified before "
551 "ListenAddress.", filename, linenum);
552 if (strcasecmp(arg, "inet") == 0)
554 else if (strcasecmp(arg, "inet6") == 0)
556 else if (strcasecmp(arg, "any") == 0)
559 fatal("%s line %d: unsupported address family \"%s\".",
560 filename, linenum, arg);
566 intptr = &options->num_host_key_files;
567 if (*intptr >= MAX_HOSTKEYS)
568 fatal("%s line %d: too many host keys specified (max %d).",
569 filename, linenum, MAX_HOSTKEYS);
570 charptr = &options->host_key_files[*intptr];
573 if (!arg || *arg == '\0')
574 fatal("%s line %d: missing file name.",
576 if (*charptr == NULL) {
577 *charptr = tilde_expand_filename(arg, getuid());
578 /* increase optional counter */
580 *intptr = *intptr + 1;
585 charptr = &options->pid_file;
588 case sPermitRootLogin:
589 intptr = &options->permit_root_login;
591 if (!arg || *arg == '\0')
592 fatal("%s line %d: missing yes/"
593 "without-password/forced-commands-only/no "
594 "argument.", filename, linenum);
595 value = 0; /* silence compiler */
596 if (strcmp(arg, "without-password") == 0)
597 value = PERMIT_NO_PASSWD;
598 else if (strcmp(arg, "forced-commands-only") == 0)
599 value = PERMIT_FORCED_ONLY;
600 else if (strcmp(arg, "yes") == 0)
602 else if (strcmp(arg, "no") == 0)
605 fatal("%s line %d: Bad yes/"
606 "without-password/forced-commands-only/no "
607 "argument: %s", filename, linenum, arg);
613 intptr = &options->ignore_rhosts;
616 if (!arg || *arg == '\0')
617 fatal("%s line %d: missing yes/no argument.",
619 value = 0; /* silence compiler */
620 if (strcmp(arg, "yes") == 0)
622 else if (strcmp(arg, "no") == 0)
625 fatal("%s line %d: Bad yes/no argument: %s",
626 filename, linenum, arg);
631 case sIgnoreUserKnownHosts:
632 intptr = &options->ignore_user_known_hosts;
635 case sRhostsRSAAuthentication:
636 intptr = &options->rhosts_rsa_authentication;
639 case sHostbasedAuthentication:
640 intptr = &options->hostbased_authentication;
643 case sHostbasedUsesNameFromPacketOnly:
644 intptr = &options->hostbased_uses_name_from_packet_only;
647 case sRSAAuthentication:
648 intptr = &options->rsa_authentication;
651 case sPubkeyAuthentication:
652 intptr = &options->pubkey_authentication;
655 case sKerberosAuthentication:
656 intptr = &options->kerberos_authentication;
659 case sKerberosOrLocalPasswd:
660 intptr = &options->kerberos_or_local_passwd;
663 case sKerberosTicketCleanup:
664 intptr = &options->kerberos_ticket_cleanup;
667 case sKerberosGetAFSToken:
668 intptr = &options->kerberos_get_afs_token;
671 case sGssAuthentication:
672 intptr = &options->gss_authentication;
675 case sGssCleanupCreds:
676 intptr = &options->gss_cleanup_creds;
679 case sPasswordAuthentication:
680 intptr = &options->password_authentication;
683 case sKbdInteractiveAuthentication:
684 intptr = &options->kbd_interactive_authentication;
687 case sChallengeResponseAuthentication:
688 intptr = &options->challenge_response_authentication;
692 intptr = &options->print_motd;
696 intptr = &options->print_lastlog;
700 intptr = &options->x11_forwarding;
703 case sX11DisplayOffset:
704 intptr = &options->x11_display_offset;
707 case sX11UseLocalhost:
708 intptr = &options->x11_use_localhost;
712 charptr = &options->xauth_location;
716 intptr = &options->strict_modes;
720 intptr = &options->tcp_keep_alive;
724 intptr = &options->permit_empty_passwd;
727 case sPermitUserEnvironment:
728 intptr = &options->permit_user_env;
732 intptr = &options->use_login;
736 intptr = &options->compression;
738 if (!arg || *arg == '\0')
739 fatal("%s line %d: missing yes/no/delayed "
740 "argument.", filename, linenum);
741 value = 0; /* silence compiler */
742 if (strcmp(arg, "delayed") == 0)
743 value = COMP_DELAYED;
744 else if (strcmp(arg, "yes") == 0)
746 else if (strcmp(arg, "no") == 0)
749 fatal("%s line %d: Bad yes/no/delayed "
750 "argument: %s", filename, linenum, arg);
756 intptr = &options->gateway_ports;
758 if (!arg || *arg == '\0')
759 fatal("%s line %d: missing yes/no/clientspecified "
760 "argument.", filename, linenum);
761 value = 0; /* silence compiler */
762 if (strcmp(arg, "clientspecified") == 0)
764 else if (strcmp(arg, "yes") == 0)
766 else if (strcmp(arg, "no") == 0)
769 fatal("%s line %d: Bad yes/no/clientspecified "
770 "argument: %s", filename, linenum, arg);
776 intptr = &options->use_dns;
780 intptr = (int *) &options->log_facility;
782 value = log_facility_number(arg);
783 if (value == SYSLOG_FACILITY_NOT_SET)
784 fatal("%.200s line %d: unsupported log facility '%s'",
785 filename, linenum, arg ? arg : "<NONE>");
787 *intptr = (SyslogFacility) value;
791 intptr = (int *) &options->log_level;
793 value = log_level_number(arg);
794 if (value == SYSLOG_LEVEL_NOT_SET)
795 fatal("%.200s line %d: unsupported log level '%s'",
796 filename, linenum, arg ? arg : "<NONE>");
798 *intptr = (LogLevel) value;
801 case sAllowTcpForwarding:
802 intptr = &options->allow_tcp_forwarding;
805 case sUsePrivilegeSeparation:
806 intptr = &use_privsep;
810 while ((arg = strdelim(&cp)) && *arg != '\0') {
811 if (options->num_allow_users >= MAX_ALLOW_USERS)
812 fatal("%s line %d: too many allow users.",
814 options->allow_users[options->num_allow_users++] =
820 while ((arg = strdelim(&cp)) && *arg != '\0') {
821 if (options->num_deny_users >= MAX_DENY_USERS)
822 fatal( "%s line %d: too many deny users.",
824 options->deny_users[options->num_deny_users++] =
830 while ((arg = strdelim(&cp)) && *arg != '\0') {
831 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
832 fatal("%s line %d: too many allow groups.",
834 options->allow_groups[options->num_allow_groups++] =
840 while ((arg = strdelim(&cp)) && *arg != '\0') {
841 if (options->num_deny_groups >= MAX_DENY_GROUPS)
842 fatal("%s line %d: too many deny groups.",
844 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
850 if (!arg || *arg == '\0')
851 fatal("%s line %d: Missing argument.", filename, linenum);
852 if (!ciphers_valid(arg))
853 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
854 filename, linenum, arg ? arg : "<NONE>");
855 if (options->ciphers == NULL)
856 options->ciphers = xstrdup(arg);
861 if (!arg || *arg == '\0')
862 fatal("%s line %d: Missing argument.", filename, linenum);
864 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
865 filename, linenum, arg ? arg : "<NONE>");
866 if (options->macs == NULL)
867 options->macs = xstrdup(arg);
871 intptr = &options->protocol;
873 if (!arg || *arg == '\0')
874 fatal("%s line %d: Missing argument.", filename, linenum);
875 value = proto_spec(arg);
876 if (value == SSH_PROTO_UNKNOWN)
877 fatal("%s line %d: Bad protocol spec '%s'.",
878 filename, linenum, arg ? arg : "<NONE>");
879 if (*intptr == SSH_PROTO_UNKNOWN)
884 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
885 fatal("%s line %d: too many subsystems defined.",
889 if (!arg || *arg == '\0')
890 fatal("%s line %d: Missing subsystem name.",
892 for (i = 0; i < options->num_subsystems; i++)
893 if (strcmp(arg, options->subsystem_name[i]) == 0)
894 fatal("%s line %d: Subsystem '%s' already defined.",
895 filename, linenum, arg);
896 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
898 if (!arg || *arg == '\0')
899 fatal("%s line %d: Missing subsystem command.",
901 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
902 options->num_subsystems++;
907 if (!arg || *arg == '\0')
908 fatal("%s line %d: Missing MaxStartups spec.",
910 if ((n = sscanf(arg, "%d:%d:%d",
911 &options->max_startups_begin,
912 &options->max_startups_rate,
913 &options->max_startups)) == 3) {
914 if (options->max_startups_begin >
915 options->max_startups ||
916 options->max_startups_rate > 100 ||
917 options->max_startups_rate < 1)
918 fatal("%s line %d: Illegal MaxStartups spec.",
921 fatal("%s line %d: Illegal MaxStartups spec.",
924 options->max_startups = options->max_startups_begin;
928 intptr = &options->max_authtries;
932 charptr = &options->banner;
935 * These options can contain %X options expanded at
936 * connect time, so that you can specify paths like:
938 * AuthorizedKeysFile /etc/ssh_keys/%u
940 case sAuthorizedKeysFile:
941 case sAuthorizedKeysFile2:
942 charptr = (opcode == sAuthorizedKeysFile ) ?
943 &options->authorized_keys_file :
944 &options->authorized_keys_file2;
947 case sClientAliveInterval:
948 intptr = &options->client_alive_interval;
951 case sClientAliveCountMax:
952 intptr = &options->client_alive_count_max;
956 while ((arg = strdelim(&cp)) && *arg != '\0') {
957 if (strchr(arg, '=') != NULL)
958 fatal("%s line %d: Invalid environment name.",
960 if (options->num_accept_env >= MAX_ACCEPT_ENV)
961 fatal("%s line %d: too many allow env.",
963 options->accept_env[options->num_accept_env++] =
969 intptr = &options->permit_tun;
971 if (!arg || *arg == '\0')
972 fatal("%s line %d: Missing yes/point-to-point/"
973 "ethernet/no argument.", filename, linenum);
974 value = 0; /* silence compiler */
975 if (strcasecmp(arg, "ethernet") == 0)
976 value = SSH_TUNMODE_ETHERNET;
977 else if (strcasecmp(arg, "point-to-point") == 0)
978 value = SSH_TUNMODE_POINTOPOINT;
979 else if (strcasecmp(arg, "yes") == 0)
980 value = SSH_TUNMODE_YES;
981 else if (strcasecmp(arg, "no") == 0)
982 value = SSH_TUNMODE_NO;
984 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
985 "no argument: %s", filename, linenum, arg);
991 logit("%s line %d: Deprecated option %s",
992 filename, linenum, arg);
998 logit("%s line %d: Unsupported option %s",
999 filename, linenum, arg);
1001 arg = strdelim(&cp);
1005 fatal("%s line %d: Missing handler for opcode %s (%d)",
1006 filename, linenum, arg, opcode);
1008 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1009 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1010 filename, linenum, arg);
1014 /* Reads the server configuration file. */
1017 load_server_config(const char *filename, Buffer *conf)
1019 char line[1024], *cp;
1022 debug2("%s: filename %s", __func__, filename);
1023 if ((f = fopen(filename, "r")) == NULL) {
1028 while (fgets(line, sizeof(line), f)) {
1030 * Trim out comments and strip whitespace
1031 * NB - preserve newlines, they are needed to reproduce
1032 * line numbers later for error messages
1034 if ((cp = strchr(line, '#')) != NULL)
1035 memcpy(cp, "\n", 2);
1036 cp = line + strspn(line, " \t\r");
1038 buffer_append(conf, cp, strlen(cp));
1040 buffer_append(conf, "\0", 1);
1042 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1046 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1048 int linenum, bad_options = 0;
1049 char *cp, *obuf, *cbuf;
1051 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1053 obuf = cbuf = xstrdup(buffer_ptr(conf));
1055 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1056 if (process_server_config_line(options, cp, filename,
1061 if (bad_options > 0)
1062 fatal("%s: terminating, %d bad configuration options",
1063 filename, bad_options);