2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.129 2003/12/09 21:53:36 markus Exp $");
20 #include "pathnames.h"
21 #include "tildexpand.h"
27 static void add_listen_addr(ServerOptions *, char *, u_short);
28 static void add_one_listen_addr(ServerOptions *, char *, u_short);
30 /* AF_UNSPEC or AF_INET or AF_INET6 */
32 /* Use of privilege separation or not */
33 extern int use_privsep;
35 /* Initializes the server options to their default values. */
38 initialize_server_options(ServerOptions *options)
40 memset(options, 0, sizeof(*options));
42 /* Portable-specific options */
43 options->use_pam = -1;
45 /* Standard Options */
46 options->num_ports = 0;
47 options->ports_from_cmdline = 0;
48 options->listen_addrs = NULL;
49 options->num_host_key_files = 0;
50 options->pid_file = NULL;
51 options->server_key_bits = -1;
52 options->login_grace_time = -1;
53 options->key_regeneration_time = -1;
54 options->permit_root_login = PERMIT_NOT_SET;
55 options->ignore_rhosts = -1;
56 options->ignore_user_known_hosts = -1;
57 options->print_motd = -1;
58 options->print_lastlog = -1;
59 options->x11_forwarding = -1;
60 options->x11_display_offset = -1;
61 options->x11_use_localhost = -1;
62 options->xauth_location = NULL;
63 options->strict_modes = -1;
64 options->tcp_keep_alive = -1;
65 options->log_facility = SYSLOG_FACILITY_NOT_SET;
66 options->log_level = SYSLOG_LEVEL_NOT_SET;
67 options->rhosts_rsa_authentication = -1;
68 options->hostbased_authentication = -1;
69 options->hostbased_uses_name_from_packet_only = -1;
70 options->rsa_authentication = -1;
71 options->pubkey_authentication = -1;
72 options->kerberos_authentication = -1;
73 options->kerberos_or_local_passwd = -1;
74 options->kerberos_ticket_cleanup = -1;
75 options->gss_authentication=-1;
76 options->gss_cleanup_creds = -1;
77 options->password_authentication = -1;
78 options->kbd_interactive_authentication = -1;
79 options->challenge_response_authentication = -1;
80 options->permit_empty_passwd = -1;
81 options->permit_user_env = -1;
82 options->use_login = -1;
83 options->compression = -1;
84 options->allow_tcp_forwarding = -1;
85 options->num_allow_users = 0;
86 options->num_deny_users = 0;
87 options->num_allow_groups = 0;
88 options->num_deny_groups = 0;
89 options->ciphers = NULL;
91 options->protocol = SSH_PROTO_UNKNOWN;
92 options->gateway_ports = -1;
93 options->num_subsystems = 0;
94 options->max_startups_begin = -1;
95 options->max_startups_rate = -1;
96 options->max_startups = -1;
97 options->banner = NULL;
98 options->use_dns = -1;
99 options->client_alive_interval = -1;
100 options->client_alive_count_max = -1;
101 options->authorized_keys_file = NULL;
102 options->authorized_keys_file2 = NULL;
104 /* Needs to be accessable in many places */
109 fill_default_server_options(ServerOptions *options)
111 /* Portable-specific options */
112 if (options->use_pam == -1)
113 options->use_pam = 0;
115 /* Standard Options */
116 if (options->protocol == SSH_PROTO_UNKNOWN)
117 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
118 if (options->num_host_key_files == 0) {
119 /* fill default hostkeys for protocols */
120 if (options->protocol & SSH_PROTO_1)
121 options->host_key_files[options->num_host_key_files++] =
123 if (options->protocol & SSH_PROTO_2) {
124 options->host_key_files[options->num_host_key_files++] =
125 _PATH_HOST_RSA_KEY_FILE;
126 options->host_key_files[options->num_host_key_files++] =
127 _PATH_HOST_DSA_KEY_FILE;
130 if (options->num_ports == 0)
131 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
132 if (options->listen_addrs == NULL)
133 add_listen_addr(options, NULL, 0);
134 if (options->pid_file == NULL)
135 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
136 if (options->server_key_bits == -1)
137 options->server_key_bits = 768;
138 if (options->login_grace_time == -1)
139 options->login_grace_time = 120;
140 if (options->key_regeneration_time == -1)
141 options->key_regeneration_time = 3600;
142 if (options->permit_root_login == PERMIT_NOT_SET)
143 options->permit_root_login = PERMIT_YES;
144 if (options->ignore_rhosts == -1)
145 options->ignore_rhosts = 1;
146 if (options->ignore_user_known_hosts == -1)
147 options->ignore_user_known_hosts = 0;
148 if (options->print_motd == -1)
149 options->print_motd = 1;
150 if (options->print_lastlog == -1)
151 options->print_lastlog = 1;
152 if (options->x11_forwarding == -1)
153 options->x11_forwarding = 0;
154 if (options->x11_display_offset == -1)
155 options->x11_display_offset = 10;
156 if (options->x11_use_localhost == -1)
157 options->x11_use_localhost = 1;
158 if (options->xauth_location == NULL)
159 options->xauth_location = _PATH_XAUTH;
160 if (options->strict_modes == -1)
161 options->strict_modes = 1;
162 if (options->tcp_keep_alive == -1)
163 options->tcp_keep_alive = 1;
164 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
165 options->log_facility = SYSLOG_FACILITY_AUTH;
166 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
167 options->log_level = SYSLOG_LEVEL_INFO;
168 if (options->rhosts_rsa_authentication == -1)
169 options->rhosts_rsa_authentication = 0;
170 if (options->hostbased_authentication == -1)
171 options->hostbased_authentication = 0;
172 if (options->hostbased_uses_name_from_packet_only == -1)
173 options->hostbased_uses_name_from_packet_only = 0;
174 if (options->rsa_authentication == -1)
175 options->rsa_authentication = 1;
176 if (options->pubkey_authentication == -1)
177 options->pubkey_authentication = 1;
178 if (options->kerberos_authentication == -1)
179 options->kerberos_authentication = 0;
180 if (options->kerberos_or_local_passwd == -1)
181 options->kerberos_or_local_passwd = 1;
182 if (options->kerberos_ticket_cleanup == -1)
183 options->kerberos_ticket_cleanup = 1;
184 if (options->gss_authentication == -1)
185 options->gss_authentication = 0;
186 if (options->gss_cleanup_creds == -1)
187 options->gss_cleanup_creds = 1;
188 if (options->password_authentication == -1)
189 options->password_authentication = 1;
190 if (options->kbd_interactive_authentication == -1)
191 options->kbd_interactive_authentication = 0;
192 if (options->challenge_response_authentication == -1)
193 options->challenge_response_authentication = 1;
194 if (options->permit_empty_passwd == -1)
195 options->permit_empty_passwd = 0;
196 if (options->permit_user_env == -1)
197 options->permit_user_env = 0;
198 if (options->use_login == -1)
199 options->use_login = 0;
200 if (options->compression == -1)
201 options->compression = 1;
202 if (options->allow_tcp_forwarding == -1)
203 options->allow_tcp_forwarding = 1;
204 if (options->gateway_ports == -1)
205 options->gateway_ports = 0;
206 if (options->max_startups == -1)
207 options->max_startups = 10;
208 if (options->max_startups_rate == -1)
209 options->max_startups_rate = 100; /* 100% */
210 if (options->max_startups_begin == -1)
211 options->max_startups_begin = options->max_startups;
212 if (options->use_dns == -1)
213 options->use_dns = 1;
214 if (options->client_alive_interval == -1)
215 options->client_alive_interval = 0;
216 if (options->client_alive_count_max == -1)
217 options->client_alive_count_max = 3;
218 if (options->authorized_keys_file2 == NULL) {
219 /* authorized_keys_file2 falls back to authorized_keys_file */
220 if (options->authorized_keys_file != NULL)
221 options->authorized_keys_file2 = options->authorized_keys_file;
223 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
225 if (options->authorized_keys_file == NULL)
226 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
228 /* Turn privilege separation on by default */
229 if (use_privsep == -1)
233 if (use_privsep && options->compression == 1) {
234 error("This platform does not support both privilege "
235 "separation and compression");
236 error("Compression disabled");
237 options->compression = 0;
243 /* Keyword tokens. */
245 sBadOption, /* == unknown option */
246 /* Portable-specific options */
248 /* Standard Options */
249 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
250 sPermitRootLogin, sLogFacility, sLogLevel,
251 sRhostsRSAAuthentication, sRSAAuthentication,
252 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
253 sKerberosTgtPassing, sChallengeResponseAuthentication,
254 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
255 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
256 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
257 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
258 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
259 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
260 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
261 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
262 sBanner, sUseDNS, sHostbasedAuthentication,
263 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
264 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
265 sGssAuthentication, sGssCleanupCreds,
266 sUsePrivilegeSeparation,
267 sDeprecated, sUnsupported
270 /* Textual representation of the tokens. */
273 ServerOpCodes opcode;
275 /* Portable-specific options */
277 { "usepam", sUsePAM },
279 { "usepam", sUnsupported },
281 { "pamauthenticationviakbdint", sDeprecated },
282 /* Standard Options */
284 { "hostkey", sHostKeyFile },
285 { "hostdsakey", sHostKeyFile }, /* alias */
286 { "pidfile", sPidFile },
287 { "serverkeybits", sServerKeyBits },
288 { "logingracetime", sLoginGraceTime },
289 { "keyregenerationinterval", sKeyRegenerationTime },
290 { "permitrootlogin", sPermitRootLogin },
291 { "syslogfacility", sLogFacility },
292 { "loglevel", sLogLevel },
293 { "rhostsauthentication", sDeprecated },
294 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
295 { "hostbasedauthentication", sHostbasedAuthentication },
296 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
297 { "rsaauthentication", sRSAAuthentication },
298 { "pubkeyauthentication", sPubkeyAuthentication },
299 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
301 { "kerberosauthentication", sKerberosAuthentication },
302 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
303 { "kerberosticketcleanup", sKerberosTicketCleanup },
305 { "kerberosauthentication", sUnsupported },
306 { "kerberosorlocalpasswd", sUnsupported },
307 { "kerberosticketcleanup", sUnsupported },
309 { "kerberostgtpassing", sUnsupported },
310 { "afstokenpassing", sUnsupported },
312 { "gssapiauthentication", sGssAuthentication },
313 { "gssapicleanupcredentials", sGssCleanupCreds },
315 { "gssapiauthentication", sUnsupported },
316 { "gssapicleanupcredentials", sUnsupported },
318 { "passwordauthentication", sPasswordAuthentication },
319 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
320 { "challengeresponseauthentication", sChallengeResponseAuthentication },
321 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
322 { "checkmail", sDeprecated },
323 { "listenaddress", sListenAddress },
324 { "printmotd", sPrintMotd },
325 { "printlastlog", sPrintLastLog },
326 { "ignorerhosts", sIgnoreRhosts },
327 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
328 { "x11forwarding", sX11Forwarding },
329 { "x11displayoffset", sX11DisplayOffset },
330 { "x11uselocalhost", sX11UseLocalhost },
331 { "xauthlocation", sXAuthLocation },
332 { "strictmodes", sStrictModes },
333 { "permitemptypasswords", sEmptyPasswd },
334 { "permituserenvironment", sPermitUserEnvironment },
335 { "uselogin", sUseLogin },
336 { "compression", sCompression },
337 { "tcpkeepalive", sTCPKeepAlive },
338 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
339 { "allowtcpforwarding", sAllowTcpForwarding },
340 { "allowusers", sAllowUsers },
341 { "denyusers", sDenyUsers },
342 { "allowgroups", sAllowGroups },
343 { "denygroups", sDenyGroups },
344 { "ciphers", sCiphers },
346 { "protocol", sProtocol },
347 { "gatewayports", sGatewayPorts },
348 { "subsystem", sSubsystem },
349 { "maxstartups", sMaxStartups },
350 { "banner", sBanner },
351 { "usedns", sUseDNS },
352 { "verifyreversemapping", sDeprecated },
353 { "reversemappingcheck", sDeprecated },
354 { "clientaliveinterval", sClientAliveInterval },
355 { "clientalivecountmax", sClientAliveCountMax },
356 { "authorizedkeysfile", sAuthorizedKeysFile },
357 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
358 { "useprivilegeseparation", sUsePrivilegeSeparation},
363 * Returns the number of the token pointed to by cp or sBadOption.
367 parse_token(const char *cp, const char *filename,
372 for (i = 0; keywords[i].name; i++)
373 if (strcasecmp(cp, keywords[i].name) == 0)
374 return keywords[i].opcode;
376 error("%s: line %d: Bad configuration option: %s",
377 filename, linenum, cp);
382 add_listen_addr(ServerOptions *options, char *addr, u_short port)
386 if (options->num_ports == 0)
387 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
389 for (i = 0; i < options->num_ports; i++)
390 add_one_listen_addr(options, addr, options->ports[i]);
392 add_one_listen_addr(options, addr, port);
396 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
398 struct addrinfo hints, *ai, *aitop;
399 char strport[NI_MAXSERV];
402 memset(&hints, 0, sizeof(hints));
403 hints.ai_family = IPv4or6;
404 hints.ai_socktype = SOCK_STREAM;
405 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
406 snprintf(strport, sizeof strport, "%u", port);
407 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
408 fatal("bad addr or host: %s (%s)",
409 addr ? addr : "<NULL>",
410 gai_strerror(gaierr));
411 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
413 ai->ai_next = options->listen_addrs;
414 options->listen_addrs = aitop;
418 process_server_config_line(ServerOptions *options, char *line,
419 const char *filename, int linenum)
421 char *cp, **charptr, *arg, *p;
422 int *intptr, value, i, n;
423 ServerOpCodes opcode;
427 /* Ignore leading whitespace */
430 if (!arg || !*arg || *arg == '#')
434 opcode = parse_token(arg, filename, linenum);
436 /* Portable-specific options */
438 intptr = &options->use_pam;
441 /* Standard Options */
445 /* ignore ports from configfile if cmdline specifies ports */
446 if (options->ports_from_cmdline)
448 if (options->listen_addrs != NULL)
449 fatal("%s line %d: ports must be specified before "
450 "ListenAddress.", filename, linenum);
451 if (options->num_ports >= MAX_PORTS)
452 fatal("%s line %d: too many ports.",
455 if (!arg || *arg == '\0')
456 fatal("%s line %d: missing port number.",
458 options->ports[options->num_ports++] = a2port(arg);
459 if (options->ports[options->num_ports-1] == 0)
460 fatal("%s line %d: Badly formatted port number.",
465 intptr = &options->server_key_bits;
468 if (!arg || *arg == '\0')
469 fatal("%s line %d: missing integer value.",
476 case sLoginGraceTime:
477 intptr = &options->login_grace_time;
480 if (!arg || *arg == '\0')
481 fatal("%s line %d: missing time value.",
483 if ((value = convtime(arg)) == -1)
484 fatal("%s line %d: invalid time value.",
490 case sKeyRegenerationTime:
491 intptr = &options->key_regeneration_time;
496 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
497 fatal("%s line %d: missing inet addr.",
500 if ((p = strchr(arg, ']')) == NULL)
501 fatal("%s line %d: bad ipv6 inet addr usage.",
504 memmove(p, p+1, strlen(p+1)+1);
505 } else if (((p = strchr(arg, ':')) == NULL) ||
506 (strchr(p+1, ':') != NULL)) {
507 add_listen_addr(options, arg, 0);
515 fatal("%s line %d: bad inet addr:port usage.",
519 if ((port = a2port(p)) == 0)
520 fatal("%s line %d: bad port number.",
522 add_listen_addr(options, arg, port);
524 } else if (*p == '\0')
525 add_listen_addr(options, arg, 0);
527 fatal("%s line %d: bad inet addr usage.",
532 intptr = &options->num_host_key_files;
533 if (*intptr >= MAX_HOSTKEYS)
534 fatal("%s line %d: too many host keys specified (max %d).",
535 filename, linenum, MAX_HOSTKEYS);
536 charptr = &options->host_key_files[*intptr];
539 if (!arg || *arg == '\0')
540 fatal("%s line %d: missing file name.",
542 if (*charptr == NULL) {
543 *charptr = tilde_expand_filename(arg, getuid());
544 /* increase optional counter */
546 *intptr = *intptr + 1;
551 charptr = &options->pid_file;
554 case sPermitRootLogin:
555 intptr = &options->permit_root_login;
557 if (!arg || *arg == '\0')
558 fatal("%s line %d: missing yes/"
559 "without-password/forced-commands-only/no "
560 "argument.", filename, linenum);
561 value = 0; /* silence compiler */
562 if (strcmp(arg, "without-password") == 0)
563 value = PERMIT_NO_PASSWD;
564 else if (strcmp(arg, "forced-commands-only") == 0)
565 value = PERMIT_FORCED_ONLY;
566 else if (strcmp(arg, "yes") == 0)
568 else if (strcmp(arg, "no") == 0)
571 fatal("%s line %d: Bad yes/"
572 "without-password/forced-commands-only/no "
573 "argument: %s", filename, linenum, arg);
579 intptr = &options->ignore_rhosts;
582 if (!arg || *arg == '\0')
583 fatal("%s line %d: missing yes/no argument.",
585 value = 0; /* silence compiler */
586 if (strcmp(arg, "yes") == 0)
588 else if (strcmp(arg, "no") == 0)
591 fatal("%s line %d: Bad yes/no argument: %s",
592 filename, linenum, arg);
597 case sIgnoreUserKnownHosts:
598 intptr = &options->ignore_user_known_hosts;
601 case sRhostsRSAAuthentication:
602 intptr = &options->rhosts_rsa_authentication;
605 case sHostbasedAuthentication:
606 intptr = &options->hostbased_authentication;
609 case sHostbasedUsesNameFromPacketOnly:
610 intptr = &options->hostbased_uses_name_from_packet_only;
613 case sRSAAuthentication:
614 intptr = &options->rsa_authentication;
617 case sPubkeyAuthentication:
618 intptr = &options->pubkey_authentication;
621 case sKerberosAuthentication:
622 intptr = &options->kerberos_authentication;
625 case sKerberosOrLocalPasswd:
626 intptr = &options->kerberos_or_local_passwd;
629 case sKerberosTicketCleanup:
630 intptr = &options->kerberos_ticket_cleanup;
633 case sGssAuthentication:
634 intptr = &options->gss_authentication;
637 case sGssCleanupCreds:
638 intptr = &options->gss_cleanup_creds;
641 case sPasswordAuthentication:
642 intptr = &options->password_authentication;
645 case sKbdInteractiveAuthentication:
646 intptr = &options->kbd_interactive_authentication;
649 case sChallengeResponseAuthentication:
650 intptr = &options->challenge_response_authentication;
654 intptr = &options->print_motd;
658 intptr = &options->print_lastlog;
662 intptr = &options->x11_forwarding;
665 case sX11DisplayOffset:
666 intptr = &options->x11_display_offset;
669 case sX11UseLocalhost:
670 intptr = &options->x11_use_localhost;
674 charptr = &options->xauth_location;
678 intptr = &options->strict_modes;
682 intptr = &options->tcp_keep_alive;
686 intptr = &options->permit_empty_passwd;
689 case sPermitUserEnvironment:
690 intptr = &options->permit_user_env;
694 intptr = &options->use_login;
698 intptr = &options->compression;
702 intptr = &options->gateway_ports;
706 intptr = &options->use_dns;
710 intptr = (int *) &options->log_facility;
712 value = log_facility_number(arg);
713 if (value == SYSLOG_FACILITY_NOT_SET)
714 fatal("%.200s line %d: unsupported log facility '%s'",
715 filename, linenum, arg ? arg : "<NONE>");
717 *intptr = (SyslogFacility) value;
721 intptr = (int *) &options->log_level;
723 value = log_level_number(arg);
724 if (value == SYSLOG_LEVEL_NOT_SET)
725 fatal("%.200s line %d: unsupported log level '%s'",
726 filename, linenum, arg ? arg : "<NONE>");
728 *intptr = (LogLevel) value;
731 case sAllowTcpForwarding:
732 intptr = &options->allow_tcp_forwarding;
735 case sUsePrivilegeSeparation:
736 intptr = &use_privsep;
740 while ((arg = strdelim(&cp)) && *arg != '\0') {
741 if (options->num_allow_users >= MAX_ALLOW_USERS)
742 fatal("%s line %d: too many allow users.",
744 options->allow_users[options->num_allow_users++] =
750 while ((arg = strdelim(&cp)) && *arg != '\0') {
751 if (options->num_deny_users >= MAX_DENY_USERS)
752 fatal( "%s line %d: too many deny users.",
754 options->deny_users[options->num_deny_users++] =
760 while ((arg = strdelim(&cp)) && *arg != '\0') {
761 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
762 fatal("%s line %d: too many allow groups.",
764 options->allow_groups[options->num_allow_groups++] =
770 while ((arg = strdelim(&cp)) && *arg != '\0') {
771 if (options->num_deny_groups >= MAX_DENY_GROUPS)
772 fatal("%s line %d: too many deny groups.",
774 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
780 if (!arg || *arg == '\0')
781 fatal("%s line %d: Missing argument.", filename, linenum);
782 if (!ciphers_valid(arg))
783 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
784 filename, linenum, arg ? arg : "<NONE>");
785 if (options->ciphers == NULL)
786 options->ciphers = xstrdup(arg);
791 if (!arg || *arg == '\0')
792 fatal("%s line %d: Missing argument.", filename, linenum);
794 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
795 filename, linenum, arg ? arg : "<NONE>");
796 if (options->macs == NULL)
797 options->macs = xstrdup(arg);
801 intptr = &options->protocol;
803 if (!arg || *arg == '\0')
804 fatal("%s line %d: Missing argument.", filename, linenum);
805 value = proto_spec(arg);
806 if (value == SSH_PROTO_UNKNOWN)
807 fatal("%s line %d: Bad protocol spec '%s'.",
808 filename, linenum, arg ? arg : "<NONE>");
809 if (*intptr == SSH_PROTO_UNKNOWN)
814 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
815 fatal("%s line %d: too many subsystems defined.",
819 if (!arg || *arg == '\0')
820 fatal("%s line %d: Missing subsystem name.",
822 for (i = 0; i < options->num_subsystems; i++)
823 if (strcmp(arg, options->subsystem_name[i]) == 0)
824 fatal("%s line %d: Subsystem '%s' already defined.",
825 filename, linenum, arg);
826 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
828 if (!arg || *arg == '\0')
829 fatal("%s line %d: Missing subsystem command.",
831 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
832 options->num_subsystems++;
837 if (!arg || *arg == '\0')
838 fatal("%s line %d: Missing MaxStartups spec.",
840 if ((n = sscanf(arg, "%d:%d:%d",
841 &options->max_startups_begin,
842 &options->max_startups_rate,
843 &options->max_startups)) == 3) {
844 if (options->max_startups_begin >
845 options->max_startups ||
846 options->max_startups_rate > 100 ||
847 options->max_startups_rate < 1)
848 fatal("%s line %d: Illegal MaxStartups spec.",
851 fatal("%s line %d: Illegal MaxStartups spec.",
854 options->max_startups = options->max_startups_begin;
858 charptr = &options->banner;
861 * These options can contain %X options expanded at
862 * connect time, so that you can specify paths like:
864 * AuthorizedKeysFile /etc/ssh_keys/%u
866 case sAuthorizedKeysFile:
867 case sAuthorizedKeysFile2:
868 charptr = (opcode == sAuthorizedKeysFile ) ?
869 &options->authorized_keys_file :
870 &options->authorized_keys_file2;
873 case sClientAliveInterval:
874 intptr = &options->client_alive_interval;
877 case sClientAliveCountMax:
878 intptr = &options->client_alive_count_max;
882 logit("%s line %d: Deprecated option %s",
883 filename, linenum, arg);
889 logit("%s line %d: Unsupported option %s",
890 filename, linenum, arg);
896 fatal("%s line %d: Missing handler for opcode %s (%d)",
897 filename, linenum, arg, opcode);
899 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
900 fatal("%s line %d: garbage at end of line; \"%.200s\".",
901 filename, linenum, arg);
905 /* Reads the server configuration file. */
908 read_server_config(ServerOptions *options, const char *filename)
910 int linenum, bad_options = 0;
914 debug2("read_server_config: filename %s", filename);
915 f = fopen(filename, "r");
921 while (fgets(line, sizeof(line), f)) {
922 /* Update line number counter. */
924 if (process_server_config_line(options, line, filename, linenum) != 0)
929 fatal("%s: terminating, %d bad configuration options",
930 filename, bad_options);