2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.124 2003/08/13 08:46:30 markus Exp $");
20 #include "pathnames.h"
21 #include "tildexpand.h"
27 static void add_listen_addr(ServerOptions *, char *, u_short);
28 static void add_one_listen_addr(ServerOptions *, char *, u_short);
30 /* AF_UNSPEC or AF_INET or AF_INET6 */
32 /* Use of privilege separation or not */
33 extern int use_privsep;
35 /* Initializes the server options to their default values. */
38 initialize_server_options(ServerOptions *options)
40 memset(options, 0, sizeof(*options));
42 /* Portable-specific options */
43 options->use_pam = -1;
45 /* Standard Options */
46 options->num_ports = 0;
47 options->ports_from_cmdline = 0;
48 options->listen_addrs = NULL;
49 options->num_host_key_files = 0;
50 options->pid_file = NULL;
51 options->server_key_bits = -1;
52 options->login_grace_time = -1;
53 options->key_regeneration_time = -1;
54 options->permit_root_login = PERMIT_NOT_SET;
55 options->ignore_rhosts = -1;
56 options->ignore_user_known_hosts = -1;
57 options->print_motd = -1;
58 options->print_lastlog = -1;
59 options->x11_forwarding = -1;
60 options->x11_display_offset = -1;
61 options->x11_use_localhost = -1;
62 options->xauth_location = NULL;
63 options->strict_modes = -1;
64 options->keepalives = -1;
65 options->log_facility = SYSLOG_FACILITY_NOT_SET;
66 options->log_level = SYSLOG_LEVEL_NOT_SET;
67 options->rhosts_rsa_authentication = -1;
68 options->hostbased_authentication = -1;
69 options->hostbased_uses_name_from_packet_only = -1;
70 options->rsa_authentication = -1;
71 options->pubkey_authentication = -1;
72 options->kerberos_authentication = -1;
73 options->kerberos_or_local_passwd = -1;
74 options->kerberos_ticket_cleanup = -1;
75 options->kerberos_tgt_passing = -1;
76 options->password_authentication = -1;
77 options->kbd_interactive_authentication = -1;
78 options->challenge_response_authentication = -1;
79 options->permit_empty_passwd = -1;
80 options->permit_user_env = -1;
81 options->use_login = -1;
82 options->compression = -1;
83 options->allow_tcp_forwarding = -1;
84 options->num_allow_users = 0;
85 options->num_deny_users = 0;
86 options->num_allow_groups = 0;
87 options->num_deny_groups = 0;
88 options->ciphers = NULL;
90 options->protocol = SSH_PROTO_UNKNOWN;
91 options->gateway_ports = -1;
92 options->num_subsystems = 0;
93 options->max_startups_begin = -1;
94 options->max_startups_rate = -1;
95 options->max_startups = -1;
96 options->banner = NULL;
97 options->use_dns = -1;
98 options->client_alive_interval = -1;
99 options->client_alive_count_max = -1;
100 options->authorized_keys_file = NULL;
101 options->authorized_keys_file2 = NULL;
103 /* Needs to be accessable in many places */
108 fill_default_server_options(ServerOptions *options)
110 /* Portable-specific options */
111 if (options->use_pam == -1)
112 options->use_pam = 1;
114 /* Standard Options */
115 if (options->protocol == SSH_PROTO_UNKNOWN)
116 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
117 if (options->num_host_key_files == 0) {
118 /* fill default hostkeys for protocols */
119 if (options->protocol & SSH_PROTO_1)
120 options->host_key_files[options->num_host_key_files++] =
122 if (options->protocol & SSH_PROTO_2) {
123 options->host_key_files[options->num_host_key_files++] =
124 _PATH_HOST_RSA_KEY_FILE;
125 options->host_key_files[options->num_host_key_files++] =
126 _PATH_HOST_DSA_KEY_FILE;
129 if (options->num_ports == 0)
130 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
131 if (options->listen_addrs == NULL)
132 add_listen_addr(options, NULL, 0);
133 if (options->pid_file == NULL)
134 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
135 if (options->server_key_bits == -1)
136 options->server_key_bits = 768;
137 if (options->login_grace_time == -1)
138 options->login_grace_time = 120;
139 if (options->key_regeneration_time == -1)
140 options->key_regeneration_time = 3600;
141 if (options->permit_root_login == PERMIT_NOT_SET)
142 options->permit_root_login = PERMIT_YES;
143 if (options->ignore_rhosts == -1)
144 options->ignore_rhosts = 1;
145 if (options->ignore_user_known_hosts == -1)
146 options->ignore_user_known_hosts = 0;
147 if (options->print_motd == -1)
148 options->print_motd = 1;
149 if (options->print_lastlog == -1)
150 options->print_lastlog = 1;
151 if (options->x11_forwarding == -1)
152 options->x11_forwarding = 0;
153 if (options->x11_display_offset == -1)
154 options->x11_display_offset = 10;
155 if (options->x11_use_localhost == -1)
156 options->x11_use_localhost = 1;
157 if (options->xauth_location == NULL)
158 options->xauth_location = _PATH_XAUTH;
159 if (options->strict_modes == -1)
160 options->strict_modes = 1;
161 if (options->keepalives == -1)
162 options->keepalives = 1;
163 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
164 options->log_facility = SYSLOG_FACILITY_AUTH;
165 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
166 options->log_level = SYSLOG_LEVEL_INFO;
167 if (options->rhosts_rsa_authentication == -1)
168 options->rhosts_rsa_authentication = 0;
169 if (options->hostbased_authentication == -1)
170 options->hostbased_authentication = 0;
171 if (options->hostbased_uses_name_from_packet_only == -1)
172 options->hostbased_uses_name_from_packet_only = 0;
173 if (options->rsa_authentication == -1)
174 options->rsa_authentication = 1;
175 if (options->pubkey_authentication == -1)
176 options->pubkey_authentication = 1;
177 if (options->kerberos_authentication == -1)
178 options->kerberos_authentication = 0;
179 if (options->kerberos_or_local_passwd == -1)
180 options->kerberos_or_local_passwd = 1;
181 if (options->kerberos_ticket_cleanup == -1)
182 options->kerberos_ticket_cleanup = 1;
183 if (options->kerberos_tgt_passing == -1)
184 options->kerberos_tgt_passing = 0;
185 if (options->password_authentication == -1)
186 options->password_authentication = 1;
187 if (options->kbd_interactive_authentication == -1)
188 options->kbd_interactive_authentication = 0;
189 if (options->challenge_response_authentication == -1)
190 options->challenge_response_authentication = 1;
191 if (options->permit_empty_passwd == -1)
192 options->permit_empty_passwd = 0;
193 if (options->permit_user_env == -1)
194 options->permit_user_env = 0;
195 if (options->use_login == -1)
196 options->use_login = 0;
197 if (options->compression == -1)
198 options->compression = 1;
199 if (options->allow_tcp_forwarding == -1)
200 options->allow_tcp_forwarding = 1;
201 if (options->gateway_ports == -1)
202 options->gateway_ports = 0;
203 if (options->max_startups == -1)
204 options->max_startups = 10;
205 if (options->max_startups_rate == -1)
206 options->max_startups_rate = 100; /* 100% */
207 if (options->max_startups_begin == -1)
208 options->max_startups_begin = options->max_startups;
209 if (options->use_dns == -1)
210 options->use_dns = 1;
211 if (options->client_alive_interval == -1)
212 options->client_alive_interval = 0;
213 if (options->client_alive_count_max == -1)
214 options->client_alive_count_max = 3;
215 if (options->authorized_keys_file2 == NULL) {
216 /* authorized_keys_file2 falls back to authorized_keys_file */
217 if (options->authorized_keys_file != NULL)
218 options->authorized_keys_file2 = options->authorized_keys_file;
220 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
222 if (options->authorized_keys_file == NULL)
223 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
225 /* Turn privilege separation on by default */
226 if (use_privsep == -1)
230 if (use_privsep && options->compression == 1) {
231 error("This platform does not support both privilege "
232 "separation and compression");
233 error("Compression disabled");
234 options->compression = 0;
240 /* Keyword tokens. */
242 sBadOption, /* == unknown option */
243 /* Portable-specific options */
245 /* Standard Options */
246 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
247 sPermitRootLogin, sLogFacility, sLogLevel,
248 sRhostsRSAAuthentication, sRSAAuthentication,
249 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
250 sKerberosTgtPassing, sChallengeResponseAuthentication,
251 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
252 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
253 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
254 sStrictModes, sEmptyPasswd, sKeepAlives,
255 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
256 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
257 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
258 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
259 sBanner, sUseDNS, sHostbasedAuthentication,
260 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
261 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
262 sUsePrivilegeSeparation,
263 sDeprecated, sUnsupported
266 /* Textual representation of the tokens. */
269 ServerOpCodes opcode;
271 /* Portable-specific options */
273 { "usepam", sUsePAM },
275 { "usepam", sUnsupported },
277 { "pamauthenticationviakbdint", sDeprecated },
278 /* Standard Options */
280 { "hostkey", sHostKeyFile },
281 { "hostdsakey", sHostKeyFile }, /* alias */
282 { "pidfile", sPidFile },
283 { "serverkeybits", sServerKeyBits },
284 { "logingracetime", sLoginGraceTime },
285 { "keyregenerationinterval", sKeyRegenerationTime },
286 { "permitrootlogin", sPermitRootLogin },
287 { "syslogfacility", sLogFacility },
288 { "loglevel", sLogLevel },
289 { "rhostsauthentication", sDeprecated },
290 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
291 { "hostbasedauthentication", sHostbasedAuthentication },
292 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
293 { "rsaauthentication", sRSAAuthentication },
294 { "pubkeyauthentication", sPubkeyAuthentication },
295 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
297 { "kerberosauthentication", sKerberosAuthentication },
298 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
299 { "kerberosticketcleanup", sKerberosTicketCleanup },
300 { "kerberostgtpassing", sKerberosTgtPassing },
302 { "kerberosauthentication", sUnsupported },
303 { "kerberosorlocalpasswd", sUnsupported },
304 { "kerberosticketcleanup", sUnsupported },
305 { "kerberostgtpassing", sUnsupported },
307 { "afstokenpassing", sUnsupported },
308 { "passwordauthentication", sPasswordAuthentication },
309 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
310 { "challengeresponseauthentication", sChallengeResponseAuthentication },
311 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
312 { "checkmail", sDeprecated },
313 { "listenaddress", sListenAddress },
314 { "printmotd", sPrintMotd },
315 { "printlastlog", sPrintLastLog },
316 { "ignorerhosts", sIgnoreRhosts },
317 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
318 { "x11forwarding", sX11Forwarding },
319 { "x11displayoffset", sX11DisplayOffset },
320 { "x11uselocalhost", sX11UseLocalhost },
321 { "xauthlocation", sXAuthLocation },
322 { "strictmodes", sStrictModes },
323 { "permitemptypasswords", sEmptyPasswd },
324 { "permituserenvironment", sPermitUserEnvironment },
325 { "uselogin", sUseLogin },
326 { "compression", sCompression },
327 { "keepalive", sKeepAlives },
328 { "allowtcpforwarding", sAllowTcpForwarding },
329 { "allowusers", sAllowUsers },
330 { "denyusers", sDenyUsers },
331 { "allowgroups", sAllowGroups },
332 { "denygroups", sDenyGroups },
333 { "ciphers", sCiphers },
335 { "protocol", sProtocol },
336 { "gatewayports", sGatewayPorts },
337 { "subsystem", sSubsystem },
338 { "maxstartups", sMaxStartups },
339 { "banner", sBanner },
340 { "usedns", sUseDNS },
341 { "verifyreversemapping", sDeprecated },
342 { "reversemappingcheck", sDeprecated },
343 { "clientaliveinterval", sClientAliveInterval },
344 { "clientalivecountmax", sClientAliveCountMax },
345 { "authorizedkeysfile", sAuthorizedKeysFile },
346 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
347 { "useprivilegeseparation", sUsePrivilegeSeparation},
352 * Returns the number of the token pointed to by cp or sBadOption.
356 parse_token(const char *cp, const char *filename,
361 for (i = 0; keywords[i].name; i++)
362 if (strcasecmp(cp, keywords[i].name) == 0)
363 return keywords[i].opcode;
365 error("%s: line %d: Bad configuration option: %s",
366 filename, linenum, cp);
371 add_listen_addr(ServerOptions *options, char *addr, u_short port)
375 if (options->num_ports == 0)
376 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
378 for (i = 0; i < options->num_ports; i++)
379 add_one_listen_addr(options, addr, options->ports[i]);
381 add_one_listen_addr(options, addr, port);
385 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
387 struct addrinfo hints, *ai, *aitop;
388 char strport[NI_MAXSERV];
391 memset(&hints, 0, sizeof(hints));
392 hints.ai_family = IPv4or6;
393 hints.ai_socktype = SOCK_STREAM;
394 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
395 snprintf(strport, sizeof strport, "%u", port);
396 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
397 fatal("bad addr or host: %s (%s)",
398 addr ? addr : "<NULL>",
399 gai_strerror(gaierr));
400 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
402 ai->ai_next = options->listen_addrs;
403 options->listen_addrs = aitop;
407 process_server_config_line(ServerOptions *options, char *line,
408 const char *filename, int linenum)
410 char *cp, **charptr, *arg, *p;
411 int *intptr, value, i, n;
412 ServerOpCodes opcode;
416 /* Ignore leading whitespace */
419 if (!arg || !*arg || *arg == '#')
423 opcode = parse_token(arg, filename, linenum);
425 /* Portable-specific options */
427 intptr = &options->use_pam;
430 /* Standard Options */
434 /* ignore ports from configfile if cmdline specifies ports */
435 if (options->ports_from_cmdline)
437 if (options->listen_addrs != NULL)
438 fatal("%s line %d: ports must be specified before "
439 "ListenAddress.", filename, linenum);
440 if (options->num_ports >= MAX_PORTS)
441 fatal("%s line %d: too many ports.",
444 if (!arg || *arg == '\0')
445 fatal("%s line %d: missing port number.",
447 options->ports[options->num_ports++] = a2port(arg);
448 if (options->ports[options->num_ports-1] == 0)
449 fatal("%s line %d: Badly formatted port number.",
454 intptr = &options->server_key_bits;
457 if (!arg || *arg == '\0')
458 fatal("%s line %d: missing integer value.",
465 case sLoginGraceTime:
466 intptr = &options->login_grace_time;
469 if (!arg || *arg == '\0')
470 fatal("%s line %d: missing time value.",
472 if ((value = convtime(arg)) == -1)
473 fatal("%s line %d: invalid time value.",
479 case sKeyRegenerationTime:
480 intptr = &options->key_regeneration_time;
485 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
486 fatal("%s line %d: missing inet addr.",
489 if ((p = strchr(arg, ']')) == NULL)
490 fatal("%s line %d: bad ipv6 inet addr usage.",
493 memmove(p, p+1, strlen(p+1)+1);
494 } else if (((p = strchr(arg, ':')) == NULL) ||
495 (strchr(p+1, ':') != NULL)) {
496 add_listen_addr(options, arg, 0);
504 fatal("%s line %d: bad inet addr:port usage.",
508 if ((port = a2port(p)) == 0)
509 fatal("%s line %d: bad port number.",
511 add_listen_addr(options, arg, port);
513 } else if (*p == '\0')
514 add_listen_addr(options, arg, 0);
516 fatal("%s line %d: bad inet addr usage.",
521 intptr = &options->num_host_key_files;
522 if (*intptr >= MAX_HOSTKEYS)
523 fatal("%s line %d: too many host keys specified (max %d).",
524 filename, linenum, MAX_HOSTKEYS);
525 charptr = &options->host_key_files[*intptr];
528 if (!arg || *arg == '\0')
529 fatal("%s line %d: missing file name.",
531 if (*charptr == NULL) {
532 *charptr = tilde_expand_filename(arg, getuid());
533 /* increase optional counter */
535 *intptr = *intptr + 1;
540 charptr = &options->pid_file;
543 case sPermitRootLogin:
544 intptr = &options->permit_root_login;
546 if (!arg || *arg == '\0')
547 fatal("%s line %d: missing yes/"
548 "without-password/forced-commands-only/no "
549 "argument.", filename, linenum);
550 value = 0; /* silence compiler */
551 if (strcmp(arg, "without-password") == 0)
552 value = PERMIT_NO_PASSWD;
553 else if (strcmp(arg, "forced-commands-only") == 0)
554 value = PERMIT_FORCED_ONLY;
555 else if (strcmp(arg, "yes") == 0)
557 else if (strcmp(arg, "no") == 0)
560 fatal("%s line %d: Bad yes/"
561 "without-password/forced-commands-only/no "
562 "argument: %s", filename, linenum, arg);
568 intptr = &options->ignore_rhosts;
571 if (!arg || *arg == '\0')
572 fatal("%s line %d: missing yes/no argument.",
574 value = 0; /* silence compiler */
575 if (strcmp(arg, "yes") == 0)
577 else if (strcmp(arg, "no") == 0)
580 fatal("%s line %d: Bad yes/no argument: %s",
581 filename, linenum, arg);
586 case sIgnoreUserKnownHosts:
587 intptr = &options->ignore_user_known_hosts;
590 case sRhostsRSAAuthentication:
591 intptr = &options->rhosts_rsa_authentication;
594 case sHostbasedAuthentication:
595 intptr = &options->hostbased_authentication;
598 case sHostbasedUsesNameFromPacketOnly:
599 intptr = &options->hostbased_uses_name_from_packet_only;
602 case sRSAAuthentication:
603 intptr = &options->rsa_authentication;
606 case sPubkeyAuthentication:
607 intptr = &options->pubkey_authentication;
610 case sKerberosAuthentication:
611 intptr = &options->kerberos_authentication;
614 case sKerberosOrLocalPasswd:
615 intptr = &options->kerberos_or_local_passwd;
618 case sKerberosTicketCleanup:
619 intptr = &options->kerberos_ticket_cleanup;
622 case sKerberosTgtPassing:
623 intptr = &options->kerberos_tgt_passing;
626 case sPasswordAuthentication:
627 intptr = &options->password_authentication;
630 case sKbdInteractiveAuthentication:
631 intptr = &options->kbd_interactive_authentication;
634 case sChallengeResponseAuthentication:
635 intptr = &options->challenge_response_authentication;
639 intptr = &options->print_motd;
643 intptr = &options->print_lastlog;
647 intptr = &options->x11_forwarding;
650 case sX11DisplayOffset:
651 intptr = &options->x11_display_offset;
654 case sX11UseLocalhost:
655 intptr = &options->x11_use_localhost;
659 charptr = &options->xauth_location;
663 intptr = &options->strict_modes;
667 intptr = &options->keepalives;
671 intptr = &options->permit_empty_passwd;
674 case sPermitUserEnvironment:
675 intptr = &options->permit_user_env;
679 intptr = &options->use_login;
683 intptr = &options->compression;
687 intptr = &options->gateway_ports;
691 intptr = &options->use_dns;
695 intptr = (int *) &options->log_facility;
697 value = log_facility_number(arg);
698 if (value == SYSLOG_FACILITY_NOT_SET)
699 fatal("%.200s line %d: unsupported log facility '%s'",
700 filename, linenum, arg ? arg : "<NONE>");
702 *intptr = (SyslogFacility) value;
706 intptr = (int *) &options->log_level;
708 value = log_level_number(arg);
709 if (value == SYSLOG_LEVEL_NOT_SET)
710 fatal("%.200s line %d: unsupported log level '%s'",
711 filename, linenum, arg ? arg : "<NONE>");
713 *intptr = (LogLevel) value;
716 case sAllowTcpForwarding:
717 intptr = &options->allow_tcp_forwarding;
720 case sUsePrivilegeSeparation:
721 intptr = &use_privsep;
725 while ((arg = strdelim(&cp)) && *arg != '\0') {
726 if (options->num_allow_users >= MAX_ALLOW_USERS)
727 fatal("%s line %d: too many allow users.",
729 options->allow_users[options->num_allow_users++] =
735 while ((arg = strdelim(&cp)) && *arg != '\0') {
736 if (options->num_deny_users >= MAX_DENY_USERS)
737 fatal( "%s line %d: too many deny users.",
739 options->deny_users[options->num_deny_users++] =
745 while ((arg = strdelim(&cp)) && *arg != '\0') {
746 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
747 fatal("%s line %d: too many allow groups.",
749 options->allow_groups[options->num_allow_groups++] =
755 while ((arg = strdelim(&cp)) && *arg != '\0') {
756 if (options->num_deny_groups >= MAX_DENY_GROUPS)
757 fatal("%s line %d: too many deny groups.",
759 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
765 if (!arg || *arg == '\0')
766 fatal("%s line %d: Missing argument.", filename, linenum);
767 if (!ciphers_valid(arg))
768 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
769 filename, linenum, arg ? arg : "<NONE>");
770 if (options->ciphers == NULL)
771 options->ciphers = xstrdup(arg);
776 if (!arg || *arg == '\0')
777 fatal("%s line %d: Missing argument.", filename, linenum);
779 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
780 filename, linenum, arg ? arg : "<NONE>");
781 if (options->macs == NULL)
782 options->macs = xstrdup(arg);
786 intptr = &options->protocol;
788 if (!arg || *arg == '\0')
789 fatal("%s line %d: Missing argument.", filename, linenum);
790 value = proto_spec(arg);
791 if (value == SSH_PROTO_UNKNOWN)
792 fatal("%s line %d: Bad protocol spec '%s'.",
793 filename, linenum, arg ? arg : "<NONE>");
794 if (*intptr == SSH_PROTO_UNKNOWN)
799 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
800 fatal("%s line %d: too many subsystems defined.",
804 if (!arg || *arg == '\0')
805 fatal("%s line %d: Missing subsystem name.",
807 for (i = 0; i < options->num_subsystems; i++)
808 if (strcmp(arg, options->subsystem_name[i]) == 0)
809 fatal("%s line %d: Subsystem '%s' already defined.",
810 filename, linenum, arg);
811 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
813 if (!arg || *arg == '\0')
814 fatal("%s line %d: Missing subsystem command.",
816 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
817 options->num_subsystems++;
822 if (!arg || *arg == '\0')
823 fatal("%s line %d: Missing MaxStartups spec.",
825 if ((n = sscanf(arg, "%d:%d:%d",
826 &options->max_startups_begin,
827 &options->max_startups_rate,
828 &options->max_startups)) == 3) {
829 if (options->max_startups_begin >
830 options->max_startups ||
831 options->max_startups_rate > 100 ||
832 options->max_startups_rate < 1)
833 fatal("%s line %d: Illegal MaxStartups spec.",
836 fatal("%s line %d: Illegal MaxStartups spec.",
839 options->max_startups = options->max_startups_begin;
843 charptr = &options->banner;
846 * These options can contain %X options expanded at
847 * connect time, so that you can specify paths like:
849 * AuthorizedKeysFile /etc/ssh_keys/%u
851 case sAuthorizedKeysFile:
852 case sAuthorizedKeysFile2:
853 charptr = (opcode == sAuthorizedKeysFile ) ?
854 &options->authorized_keys_file :
855 &options->authorized_keys_file2;
858 case sClientAliveInterval:
859 intptr = &options->client_alive_interval;
862 case sClientAliveCountMax:
863 intptr = &options->client_alive_count_max;
867 logit("%s line %d: Deprecated option %s",
868 filename, linenum, arg);
874 logit("%s line %d: Unsupported option %s",
875 filename, linenum, arg);
881 fatal("%s line %d: Missing handler for opcode %s (%d)",
882 filename, linenum, arg, opcode);
884 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
885 fatal("%s line %d: garbage at end of line; \"%.200s\".",
886 filename, linenum, arg);
890 /* Reads the server configuration file. */
893 read_server_config(ServerOptions *options, const char *filename)
895 int linenum, bad_options = 0;
899 debug2("read_server_config: filename %s", filename);
900 f = fopen(filename, "r");
906 while (fgets(line, sizeof(line), f)) {
907 /* Update line number counter. */
909 if (process_server_config_line(options, line, filename, linenum) != 0)
914 fatal("%s: terminating, %d bad configuration options",
915 filename, bad_options);