1 /* $OpenBSD: servconf.c,v 1.197 2009/10/28 16:38:18 reyk Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
15 #include <sys/types.h>
16 #include <sys/socket.h>
28 #include "openbsd-compat/sys-queue.h"
35 #include "pathnames.h"
43 #include "groupaccess.h"
45 static void add_listen_addr(ServerOptions *, char *, int);
46 static void add_one_listen_addr(ServerOptions *, char *, int);
48 /* Use of privilege separation or not */
49 extern int use_privsep;
52 /* Initializes the server options to their default values. */
55 initialize_server_options(ServerOptions *options)
57 memset(options, 0, sizeof(*options));
59 /* Portable-specific options */
60 options->use_pam = -1;
62 /* Standard Options */
63 options->num_ports = 0;
64 options->ports_from_cmdline = 0;
65 options->listen_addrs = NULL;
66 options->address_family = -1;
67 options->num_host_key_files = 0;
68 options->pid_file = NULL;
69 options->server_key_bits = -1;
70 options->login_grace_time = -1;
71 options->key_regeneration_time = -1;
72 options->permit_root_login = PERMIT_NOT_SET;
73 options->ignore_rhosts = -1;
74 options->ignore_user_known_hosts = -1;
75 options->print_motd = -1;
76 options->print_lastlog = -1;
77 options->x11_forwarding = -1;
78 options->x11_display_offset = -1;
79 options->x11_use_localhost = -1;
80 options->xauth_location = NULL;
81 options->strict_modes = -1;
82 options->tcp_keep_alive = -1;
83 options->log_facility = SYSLOG_FACILITY_NOT_SET;
84 options->log_level = SYSLOG_LEVEL_NOT_SET;
85 options->rhosts_rsa_authentication = -1;
86 options->hostbased_authentication = -1;
87 options->hostbased_uses_name_from_packet_only = -1;
88 options->rsa_authentication = -1;
89 options->pubkey_authentication = -1;
90 options->kerberos_authentication = -1;
91 options->kerberos_or_local_passwd = -1;
92 options->kerberos_ticket_cleanup = -1;
93 options->kerberos_get_afs_token = -1;
94 options->gss_authentication=-1;
95 options->gss_cleanup_creds = -1;
96 options->password_authentication = -1;
97 options->kbd_interactive_authentication = -1;
98 options->challenge_response_authentication = -1;
99 options->permit_empty_passwd = -1;
100 options->permit_user_env = -1;
101 options->use_login = -1;
102 options->compression = -1;
103 options->allow_tcp_forwarding = -1;
104 options->allow_agent_forwarding = -1;
105 options->num_allow_users = 0;
106 options->num_deny_users = 0;
107 options->num_allow_groups = 0;
108 options->num_deny_groups = 0;
109 options->ciphers = NULL;
110 options->macs = NULL;
111 options->protocol = SSH_PROTO_UNKNOWN;
112 options->gateway_ports = -1;
113 options->num_subsystems = 0;
114 options->max_startups_begin = -1;
115 options->max_startups_rate = -1;
116 options->max_startups = -1;
117 options->max_authtries = -1;
118 options->max_sessions = -1;
119 options->banner = NULL;
120 options->use_dns = -1;
121 options->client_alive_interval = -1;
122 options->client_alive_count_max = -1;
123 options->authorized_keys_file = NULL;
124 options->authorized_keys_file2 = NULL;
125 options->num_accept_env = 0;
126 options->permit_tun = -1;
127 options->num_permitted_opens = -1;
128 options->adm_forced_command = NULL;
129 options->chroot_directory = NULL;
130 options->zero_knowledge_password_authentication = -1;
131 options->rdomain = -1;
135 fill_default_server_options(ServerOptions *options)
137 /* Portable-specific options */
138 if (options->use_pam == -1)
139 options->use_pam = 0;
141 /* Standard Options */
142 if (options->protocol == SSH_PROTO_UNKNOWN)
143 options->protocol = SSH_PROTO_2;
144 if (options->num_host_key_files == 0) {
145 /* fill default hostkeys for protocols */
146 if (options->protocol & SSH_PROTO_1)
147 options->host_key_files[options->num_host_key_files++] =
149 if (options->protocol & SSH_PROTO_2) {
150 options->host_key_files[options->num_host_key_files++] =
151 _PATH_HOST_RSA_KEY_FILE;
152 options->host_key_files[options->num_host_key_files++] =
153 _PATH_HOST_DSA_KEY_FILE;
156 if (options->num_ports == 0)
157 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
158 if (options->listen_addrs == NULL)
159 add_listen_addr(options, NULL, 0);
160 if (options->pid_file == NULL)
161 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
162 if (options->server_key_bits == -1)
163 options->server_key_bits = 1024;
164 if (options->login_grace_time == -1)
165 options->login_grace_time = 120;
166 if (options->key_regeneration_time == -1)
167 options->key_regeneration_time = 3600;
168 if (options->permit_root_login == PERMIT_NOT_SET)
169 options->permit_root_login = PERMIT_YES;
170 if (options->ignore_rhosts == -1)
171 options->ignore_rhosts = 1;
172 if (options->ignore_user_known_hosts == -1)
173 options->ignore_user_known_hosts = 0;
174 if (options->print_motd == -1)
175 options->print_motd = 1;
176 if (options->print_lastlog == -1)
177 options->print_lastlog = 1;
178 if (options->x11_forwarding == -1)
179 options->x11_forwarding = 0;
180 if (options->x11_display_offset == -1)
181 options->x11_display_offset = 10;
182 if (options->x11_use_localhost == -1)
183 options->x11_use_localhost = 1;
184 if (options->xauth_location == NULL)
185 options->xauth_location = _PATH_XAUTH;
186 if (options->strict_modes == -1)
187 options->strict_modes = 1;
188 if (options->tcp_keep_alive == -1)
189 options->tcp_keep_alive = 1;
190 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
191 options->log_facility = SYSLOG_FACILITY_AUTH;
192 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
193 options->log_level = SYSLOG_LEVEL_INFO;
194 if (options->rhosts_rsa_authentication == -1)
195 options->rhosts_rsa_authentication = 0;
196 if (options->hostbased_authentication == -1)
197 options->hostbased_authentication = 0;
198 if (options->hostbased_uses_name_from_packet_only == -1)
199 options->hostbased_uses_name_from_packet_only = 0;
200 if (options->rsa_authentication == -1)
201 options->rsa_authentication = 1;
202 if (options->pubkey_authentication == -1)
203 options->pubkey_authentication = 1;
204 if (options->kerberos_authentication == -1)
205 options->kerberos_authentication = 0;
206 if (options->kerberos_or_local_passwd == -1)
207 options->kerberos_or_local_passwd = 1;
208 if (options->kerberos_ticket_cleanup == -1)
209 options->kerberos_ticket_cleanup = 1;
210 if (options->kerberos_get_afs_token == -1)
211 options->kerberos_get_afs_token = 0;
212 if (options->gss_authentication == -1)
213 options->gss_authentication = 0;
214 if (options->gss_cleanup_creds == -1)
215 options->gss_cleanup_creds = 1;
216 if (options->password_authentication == -1)
217 options->password_authentication = 1;
218 if (options->kbd_interactive_authentication == -1)
219 options->kbd_interactive_authentication = 0;
220 if (options->challenge_response_authentication == -1)
221 options->challenge_response_authentication = 1;
222 if (options->permit_empty_passwd == -1)
223 options->permit_empty_passwd = 0;
224 if (options->permit_user_env == -1)
225 options->permit_user_env = 0;
226 if (options->use_login == -1)
227 options->use_login = 0;
228 if (options->compression == -1)
229 options->compression = COMP_DELAYED;
230 if (options->allow_tcp_forwarding == -1)
231 options->allow_tcp_forwarding = 1;
232 if (options->allow_agent_forwarding == -1)
233 options->allow_agent_forwarding = 1;
234 if (options->gateway_ports == -1)
235 options->gateway_ports = 0;
236 if (options->max_startups == -1)
237 options->max_startups = 10;
238 if (options->max_startups_rate == -1)
239 options->max_startups_rate = 100; /* 100% */
240 if (options->max_startups_begin == -1)
241 options->max_startups_begin = options->max_startups;
242 if (options->max_authtries == -1)
243 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
244 if (options->max_sessions == -1)
245 options->max_sessions = DEFAULT_SESSIONS_MAX;
246 if (options->use_dns == -1)
247 options->use_dns = 1;
248 if (options->client_alive_interval == -1)
249 options->client_alive_interval = 0;
250 if (options->client_alive_count_max == -1)
251 options->client_alive_count_max = 3;
252 if (options->authorized_keys_file2 == NULL) {
253 /* authorized_keys_file2 falls back to authorized_keys_file */
254 if (options->authorized_keys_file != NULL)
255 options->authorized_keys_file2 = options->authorized_keys_file;
257 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
259 if (options->authorized_keys_file == NULL)
260 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
261 if (options->permit_tun == -1)
262 options->permit_tun = SSH_TUNMODE_NO;
263 if (options->zero_knowledge_password_authentication == -1)
264 options->zero_knowledge_password_authentication = 0;
266 /* Turn privilege separation on by default */
267 if (use_privsep == -1)
271 if (use_privsep && options->compression == 1) {
272 error("This platform does not support both privilege "
273 "separation and compression");
274 error("Compression disabled");
275 options->compression = 0;
281 /* Keyword tokens. */
283 sBadOption, /* == unknown option */
284 /* Portable-specific options */
286 /* Standard Options */
287 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
288 sPermitRootLogin, sLogFacility, sLogLevel,
289 sRhostsRSAAuthentication, sRSAAuthentication,
290 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
291 sKerberosGetAFSToken,
292 sKerberosTgtPassing, sChallengeResponseAuthentication,
293 sPasswordAuthentication, sKbdInteractiveAuthentication,
294 sListenAddress, sAddressFamily,
295 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
296 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
297 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
298 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
299 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
300 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
301 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
302 sMaxStartups, sMaxAuthTries, sMaxSessions,
303 sBanner, sUseDNS, sHostbasedAuthentication,
304 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
305 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
306 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
307 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
308 sUsePrivilegeSeparation, sAllowAgentForwarding, sRDomain,
309 sZeroKnowledgePasswordAuthentication,
310 sDeprecated, sUnsupported
313 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
314 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
315 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
317 /* Textual representation of the tokens. */
320 ServerOpCodes opcode;
323 /* Portable-specific options */
325 { "usepam", sUsePAM, SSHCFG_GLOBAL },
327 { "usepam", sUnsupported, SSHCFG_GLOBAL },
329 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
330 /* Standard Options */
331 { "port", sPort, SSHCFG_GLOBAL },
332 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
333 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
334 { "pidfile", sPidFile, SSHCFG_GLOBAL },
335 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
336 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
337 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
338 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
339 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
340 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
341 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
342 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
343 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
344 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
345 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
346 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
347 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
349 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
350 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
351 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
353 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
355 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
358 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
359 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
360 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
361 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
363 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
364 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
366 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
367 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
369 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
370 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
372 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
373 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
374 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
375 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
377 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
379 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
381 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
382 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
383 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
384 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
385 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
386 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
387 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
388 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
389 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
390 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
391 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
392 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
393 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
394 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
395 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
396 { "compression", sCompression, SSHCFG_GLOBAL },
397 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
398 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
399 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
400 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
401 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
402 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
403 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
404 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
405 { "ciphers", sCiphers, SSHCFG_GLOBAL },
406 { "macs", sMacs, SSHCFG_GLOBAL },
407 { "protocol", sProtocol, SSHCFG_GLOBAL },
408 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
409 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
410 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
411 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
412 { "maxsessions", sMaxSessions, SSHCFG_ALL },
413 { "banner", sBanner, SSHCFG_ALL },
414 { "usedns", sUseDNS, SSHCFG_GLOBAL },
415 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
416 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
417 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
418 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
419 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
420 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
421 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
422 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
423 { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
424 { "match", sMatch, SSHCFG_ALL },
425 { "permitopen", sPermitOpen, SSHCFG_ALL },
426 { "forcecommand", sForceCommand, SSHCFG_ALL },
427 { "rdomain", sRDomain, SSHCFG_GLOBAL },
428 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
429 { NULL, sBadOption, 0 }
436 { SSH_TUNMODE_NO, "no" },
437 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
438 { SSH_TUNMODE_ETHERNET, "ethernet" },
439 { SSH_TUNMODE_YES, "yes" },
444 * Returns the number of the token pointed to by cp or sBadOption.
448 parse_token(const char *cp, const char *filename,
449 int linenum, u_int *flags)
453 for (i = 0; keywords[i].name; i++)
454 if (strcasecmp(cp, keywords[i].name) == 0) {
455 *flags = keywords[i].flags;
456 return keywords[i].opcode;
459 error("%s: line %d: Bad configuration option: %s",
460 filename, linenum, cp);
465 add_listen_addr(ServerOptions *options, char *addr, int port)
469 if (options->num_ports == 0)
470 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
471 if (options->address_family == -1)
472 options->address_family = AF_UNSPEC;
474 for (i = 0; i < options->num_ports; i++)
475 add_one_listen_addr(options, addr, options->ports[i]);
477 add_one_listen_addr(options, addr, port);
481 add_one_listen_addr(ServerOptions *options, char *addr, int port)
483 struct addrinfo hints, *ai, *aitop;
484 char strport[NI_MAXSERV];
487 memset(&hints, 0, sizeof(hints));
488 hints.ai_family = options->address_family;
489 hints.ai_socktype = SOCK_STREAM;
490 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
491 snprintf(strport, sizeof strport, "%d", port);
492 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
493 fatal("bad addr or host: %s (%s)",
494 addr ? addr : "<NULL>",
495 ssh_gai_strerror(gaierr));
496 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
498 ai->ai_next = options->listen_addrs;
499 options->listen_addrs = aitop;
503 * The strategy for the Match blocks is that the config file is parsed twice.
505 * The first time is at startup. activep is initialized to 1 and the
506 * directives in the global context are processed and acted on. Hitting a
507 * Match directive unsets activep and the directives inside the block are
508 * checked for syntax only.
510 * The second time is after a connection has been established but before
511 * authentication. activep is initialized to 2 and global config directives
512 * are ignored since they have already been processed. If the criteria in a
513 * Match block is met, activep is set and the subsequent directives
514 * processed and actioned until EOF or another Match block unsets it. Any
515 * options set are copied into the main server config.
517 * Potential additions/improvements:
518 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
520 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
521 * Match Address 192.168.0.*
526 * AllowTcpForwarding yes
527 * GatewayPorts clientspecified
530 * - Add a PermittedChannelRequests directive
532 * PermittedChannelRequests session,forwarded-tcpip
536 match_cfg_line_group(const char *grps, int line, const char *user)
544 if ((pw = getpwnam(user)) == NULL) {
545 debug("Can't match group at line %d because user %.100s does "
546 "not exist", line, user);
547 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
548 debug("Can't Match group because user %.100s not in any group "
549 "at line %d", user, line);
550 } else if (ga_match_pattern_list(grps) != 1) {
551 debug("user %.100s does not match group list %.100s at line %d",
554 debug("user %.100s matched group list %.100s at line %d", user,
564 match_cfg_line(char **condition, int line, const char *user, const char *host,
568 char *arg, *attrib, *cp = *condition;
572 debug3("checking syntax for 'Match %s'", cp);
574 debug3("checking match for '%s' user %s host %s addr %s", cp,
575 user ? user : "(null)", host ? host : "(null)",
576 address ? address : "(null)");
578 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
579 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
580 error("Missing Match criteria for %s", attrib);
584 if (strcasecmp(attrib, "user") == 0) {
589 if (match_pattern_list(user, arg, len, 0) != 1)
592 debug("user %.100s matched 'User %.100s' at "
593 "line %d", user, arg, line);
594 } else if (strcasecmp(attrib, "group") == 0) {
595 switch (match_cfg_line_group(arg, line, user)) {
601 } else if (strcasecmp(attrib, "host") == 0) {
606 if (match_hostname(host, arg, len) != 1)
609 debug("connection from %.100s matched 'Host "
610 "%.100s' at line %d", host, arg, line);
611 } else if (strcasecmp(attrib, "address") == 0) {
612 switch (addr_match_list(address, arg)) {
614 debug("connection from %.100s matched 'Address "
615 "%.100s' at line %d", address, arg, line);
625 error("Unsupported Match attribute %s", attrib);
630 debug3("match %sfound", result ? "" : "not ");
635 #define WHITESPACE " \t\r\n"
638 process_server_config_line(ServerOptions *options, char *line,
639 const char *filename, int linenum, int *activep, const char *user,
640 const char *host, const char *address)
642 char *cp, **charptr, *arg, *p;
643 int cmdline = 0, *intptr, value, n;
644 SyslogFacility *log_facility_ptr;
645 LogLevel *log_level_ptr;
646 ServerOpCodes opcode;
652 if ((arg = strdelim(&cp)) == NULL)
654 /* Ignore leading whitespace */
657 if (!arg || !*arg || *arg == '#')
661 opcode = parse_token(arg, filename, linenum, &flags);
663 if (activep == NULL) { /* We are processing a command line directive */
667 if (*activep && opcode != sMatch)
668 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
669 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
671 fatal("%s line %d: Directive '%s' is not allowed "
672 "within a Match block", filename, linenum, arg);
673 } else { /* this is a directive we have already processed */
681 /* Portable-specific options */
683 intptr = &options->use_pam;
686 /* Standard Options */
690 /* ignore ports from configfile if cmdline specifies ports */
691 if (options->ports_from_cmdline)
693 if (options->listen_addrs != NULL)
694 fatal("%s line %d: ports must be specified before "
695 "ListenAddress.", filename, linenum);
696 if (options->num_ports >= MAX_PORTS)
697 fatal("%s line %d: too many ports.",
700 if (!arg || *arg == '\0')
701 fatal("%s line %d: missing port number.",
703 options->ports[options->num_ports++] = a2port(arg);
704 if (options->ports[options->num_ports-1] <= 0)
705 fatal("%s line %d: Badly formatted port number.",
710 intptr = &options->server_key_bits;
713 if (!arg || *arg == '\0')
714 fatal("%s line %d: missing integer value.",
717 if (*activep && *intptr == -1)
721 case sLoginGraceTime:
722 intptr = &options->login_grace_time;
725 if (!arg || *arg == '\0')
726 fatal("%s line %d: missing time value.",
728 if ((value = convtime(arg)) == -1)
729 fatal("%s line %d: invalid time value.",
735 case sKeyRegenerationTime:
736 intptr = &options->key_regeneration_time;
741 if (arg == NULL || *arg == '\0')
742 fatal("%s line %d: missing address",
744 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
745 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
746 && strchr(p+1, ':') != NULL) {
747 add_listen_addr(options, arg, 0);
752 fatal("%s line %d: bad address:port usage",
754 p = cleanhostname(p);
757 else if ((port = a2port(arg)) <= 0)
758 fatal("%s line %d: bad port number", filename, linenum);
760 add_listen_addr(options, p, port);
766 if (!arg || *arg == '\0')
767 fatal("%s line %d: missing address family.",
769 intptr = &options->address_family;
770 if (options->listen_addrs != NULL)
771 fatal("%s line %d: address family must be specified before "
772 "ListenAddress.", filename, linenum);
773 if (strcasecmp(arg, "inet") == 0)
775 else if (strcasecmp(arg, "inet6") == 0)
777 else if (strcasecmp(arg, "any") == 0)
780 fatal("%s line %d: unsupported address family \"%s\".",
781 filename, linenum, arg);
787 intptr = &options->num_host_key_files;
788 if (*intptr >= MAX_HOSTKEYS)
789 fatal("%s line %d: too many host keys specified (max %d).",
790 filename, linenum, MAX_HOSTKEYS);
791 charptr = &options->host_key_files[*intptr];
794 if (!arg || *arg == '\0')
795 fatal("%s line %d: missing file name.",
797 if (*activep && *charptr == NULL) {
798 *charptr = tilde_expand_filename(arg, getuid());
799 /* increase optional counter */
801 *intptr = *intptr + 1;
806 charptr = &options->pid_file;
809 case sPermitRootLogin:
810 intptr = &options->permit_root_login;
812 if (!arg || *arg == '\0')
813 fatal("%s line %d: missing yes/"
814 "without-password/forced-commands-only/no "
815 "argument.", filename, linenum);
816 value = 0; /* silence compiler */
817 if (strcmp(arg, "without-password") == 0)
818 value = PERMIT_NO_PASSWD;
819 else if (strcmp(arg, "forced-commands-only") == 0)
820 value = PERMIT_FORCED_ONLY;
821 else if (strcmp(arg, "yes") == 0)
823 else if (strcmp(arg, "no") == 0)
826 fatal("%s line %d: Bad yes/"
827 "without-password/forced-commands-only/no "
828 "argument: %s", filename, linenum, arg);
829 if (*activep && *intptr == -1)
834 intptr = &options->ignore_rhosts;
837 if (!arg || *arg == '\0')
838 fatal("%s line %d: missing yes/no argument.",
840 value = 0; /* silence compiler */
841 if (strcmp(arg, "yes") == 0)
843 else if (strcmp(arg, "no") == 0)
846 fatal("%s line %d: Bad yes/no argument: %s",
847 filename, linenum, arg);
848 if (*activep && *intptr == -1)
852 case sIgnoreUserKnownHosts:
853 intptr = &options->ignore_user_known_hosts;
856 case sRhostsRSAAuthentication:
857 intptr = &options->rhosts_rsa_authentication;
860 case sHostbasedAuthentication:
861 intptr = &options->hostbased_authentication;
864 case sHostbasedUsesNameFromPacketOnly:
865 intptr = &options->hostbased_uses_name_from_packet_only;
868 case sRSAAuthentication:
869 intptr = &options->rsa_authentication;
872 case sPubkeyAuthentication:
873 intptr = &options->pubkey_authentication;
876 case sKerberosAuthentication:
877 intptr = &options->kerberos_authentication;
880 case sKerberosOrLocalPasswd:
881 intptr = &options->kerberos_or_local_passwd;
884 case sKerberosTicketCleanup:
885 intptr = &options->kerberos_ticket_cleanup;
888 case sKerberosGetAFSToken:
889 intptr = &options->kerberos_get_afs_token;
892 case sGssAuthentication:
893 intptr = &options->gss_authentication;
896 case sGssCleanupCreds:
897 intptr = &options->gss_cleanup_creds;
900 case sPasswordAuthentication:
901 intptr = &options->password_authentication;
904 case sZeroKnowledgePasswordAuthentication:
905 intptr = &options->zero_knowledge_password_authentication;
908 case sKbdInteractiveAuthentication:
909 intptr = &options->kbd_interactive_authentication;
912 case sChallengeResponseAuthentication:
913 intptr = &options->challenge_response_authentication;
917 intptr = &options->print_motd;
921 intptr = &options->print_lastlog;
925 intptr = &options->x11_forwarding;
928 case sX11DisplayOffset:
929 intptr = &options->x11_display_offset;
932 case sX11UseLocalhost:
933 intptr = &options->x11_use_localhost;
937 charptr = &options->xauth_location;
941 intptr = &options->strict_modes;
945 intptr = &options->tcp_keep_alive;
949 intptr = &options->permit_empty_passwd;
952 case sPermitUserEnvironment:
953 intptr = &options->permit_user_env;
957 intptr = &options->use_login;
961 intptr = &options->compression;
963 if (!arg || *arg == '\0')
964 fatal("%s line %d: missing yes/no/delayed "
965 "argument.", filename, linenum);
966 value = 0; /* silence compiler */
967 if (strcmp(arg, "delayed") == 0)
968 value = COMP_DELAYED;
969 else if (strcmp(arg, "yes") == 0)
971 else if (strcmp(arg, "no") == 0)
974 fatal("%s line %d: Bad yes/no/delayed "
975 "argument: %s", filename, linenum, arg);
981 intptr = &options->gateway_ports;
983 if (!arg || *arg == '\0')
984 fatal("%s line %d: missing yes/no/clientspecified "
985 "argument.", filename, linenum);
986 value = 0; /* silence compiler */
987 if (strcmp(arg, "clientspecified") == 0)
989 else if (strcmp(arg, "yes") == 0)
991 else if (strcmp(arg, "no") == 0)
994 fatal("%s line %d: Bad yes/no/clientspecified "
995 "argument: %s", filename, linenum, arg);
996 if (*activep && *intptr == -1)
1001 intptr = &options->use_dns;
1005 log_facility_ptr = &options->log_facility;
1006 arg = strdelim(&cp);
1007 value = log_facility_number(arg);
1008 if (value == SYSLOG_FACILITY_NOT_SET)
1009 fatal("%.200s line %d: unsupported log facility '%s'",
1010 filename, linenum, arg ? arg : "<NONE>");
1011 if (*log_facility_ptr == -1)
1012 *log_facility_ptr = (SyslogFacility) value;
1016 log_level_ptr = &options->log_level;
1017 arg = strdelim(&cp);
1018 value = log_level_number(arg);
1019 if (value == SYSLOG_LEVEL_NOT_SET)
1020 fatal("%.200s line %d: unsupported log level '%s'",
1021 filename, linenum, arg ? arg : "<NONE>");
1022 if (*log_level_ptr == -1)
1023 *log_level_ptr = (LogLevel) value;
1026 case sAllowTcpForwarding:
1027 intptr = &options->allow_tcp_forwarding;
1030 case sAllowAgentForwarding:
1031 intptr = &options->allow_agent_forwarding;
1034 case sUsePrivilegeSeparation:
1035 intptr = &use_privsep;
1039 while ((arg = strdelim(&cp)) && *arg != '\0') {
1040 if (options->num_allow_users >= MAX_ALLOW_USERS)
1041 fatal("%s line %d: too many allow users.",
1043 options->allow_users[options->num_allow_users++] =
1049 while ((arg = strdelim(&cp)) && *arg != '\0') {
1050 if (options->num_deny_users >= MAX_DENY_USERS)
1051 fatal("%s line %d: too many deny users.",
1053 options->deny_users[options->num_deny_users++] =
1059 while ((arg = strdelim(&cp)) && *arg != '\0') {
1060 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1061 fatal("%s line %d: too many allow groups.",
1063 options->allow_groups[options->num_allow_groups++] =
1069 while ((arg = strdelim(&cp)) && *arg != '\0') {
1070 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1071 fatal("%s line %d: too many deny groups.",
1073 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1078 arg = strdelim(&cp);
1079 if (!arg || *arg == '\0')
1080 fatal("%s line %d: Missing argument.", filename, linenum);
1081 if (!ciphers_valid(arg))
1082 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1083 filename, linenum, arg ? arg : "<NONE>");
1084 if (options->ciphers == NULL)
1085 options->ciphers = xstrdup(arg);
1089 arg = strdelim(&cp);
1090 if (!arg || *arg == '\0')
1091 fatal("%s line %d: Missing argument.", filename, linenum);
1092 if (!mac_valid(arg))
1093 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1094 filename, linenum, arg ? arg : "<NONE>");
1095 if (options->macs == NULL)
1096 options->macs = xstrdup(arg);
1100 intptr = &options->protocol;
1101 arg = strdelim(&cp);
1102 if (!arg || *arg == '\0')
1103 fatal("%s line %d: Missing argument.", filename, linenum);
1104 value = proto_spec(arg);
1105 if (value == SSH_PROTO_UNKNOWN)
1106 fatal("%s line %d: Bad protocol spec '%s'.",
1107 filename, linenum, arg ? arg : "<NONE>");
1108 if (*intptr == SSH_PROTO_UNKNOWN)
1113 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1114 fatal("%s line %d: too many subsystems defined.",
1117 arg = strdelim(&cp);
1118 if (!arg || *arg == '\0')
1119 fatal("%s line %d: Missing subsystem name.",
1122 arg = strdelim(&cp);
1125 for (i = 0; i < options->num_subsystems; i++)
1126 if (strcmp(arg, options->subsystem_name[i]) == 0)
1127 fatal("%s line %d: Subsystem '%s' already defined.",
1128 filename, linenum, arg);
1129 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1130 arg = strdelim(&cp);
1131 if (!arg || *arg == '\0')
1132 fatal("%s line %d: Missing subsystem command.",
1134 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1136 /* Collect arguments (separate to executable) */
1138 len = strlen(p) + 1;
1139 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1140 len += 1 + strlen(arg);
1141 p = xrealloc(p, 1, len);
1142 strlcat(p, " ", len);
1143 strlcat(p, arg, len);
1145 options->subsystem_args[options->num_subsystems] = p;
1146 options->num_subsystems++;
1150 arg = strdelim(&cp);
1151 if (!arg || *arg == '\0')
1152 fatal("%s line %d: Missing MaxStartups spec.",
1154 if ((n = sscanf(arg, "%d:%d:%d",
1155 &options->max_startups_begin,
1156 &options->max_startups_rate,
1157 &options->max_startups)) == 3) {
1158 if (options->max_startups_begin >
1159 options->max_startups ||
1160 options->max_startups_rate > 100 ||
1161 options->max_startups_rate < 1)
1162 fatal("%s line %d: Illegal MaxStartups spec.",
1165 fatal("%s line %d: Illegal MaxStartups spec.",
1168 options->max_startups = options->max_startups_begin;
1172 intptr = &options->max_authtries;
1176 intptr = &options->max_sessions;
1180 charptr = &options->banner;
1181 goto parse_filename;
1184 * These options can contain %X options expanded at
1185 * connect time, so that you can specify paths like:
1187 * AuthorizedKeysFile /etc/ssh_keys/%u
1189 case sAuthorizedKeysFile:
1190 case sAuthorizedKeysFile2:
1191 charptr = (opcode == sAuthorizedKeysFile) ?
1192 &options->authorized_keys_file :
1193 &options->authorized_keys_file2;
1194 goto parse_filename;
1196 case sClientAliveInterval:
1197 intptr = &options->client_alive_interval;
1200 case sClientAliveCountMax:
1201 intptr = &options->client_alive_count_max;
1205 while ((arg = strdelim(&cp)) && *arg != '\0') {
1206 if (strchr(arg, '=') != NULL)
1207 fatal("%s line %d: Invalid environment name.",
1209 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1210 fatal("%s line %d: too many allow env.",
1214 options->accept_env[options->num_accept_env++] =
1220 intptr = &options->permit_tun;
1221 arg = strdelim(&cp);
1222 if (!arg || *arg == '\0')
1223 fatal("%s line %d: Missing yes/point-to-point/"
1224 "ethernet/no argument.", filename, linenum);
1226 for (i = 0; tunmode_desc[i].val != -1; i++)
1227 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1228 value = tunmode_desc[i].val;
1232 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1233 "no argument: %s", filename, linenum, arg);
1240 fatal("Match directive not supported as a command-line "
1242 value = match_cfg_line(&cp, linenum, user, host, address);
1244 fatal("%s line %d: Bad Match condition", filename,
1250 arg = strdelim(&cp);
1251 if (!arg || *arg == '\0')
1252 fatal("%s line %d: missing PermitOpen specification",
1254 n = options->num_permitted_opens; /* modified later */
1255 if (strcmp(arg, "any") == 0) {
1256 if (*activep && n == -1) {
1257 channel_clear_adm_permitted_opens();
1258 options->num_permitted_opens = 0;
1262 if (*activep && n == -1)
1263 channel_clear_adm_permitted_opens();
1264 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1267 fatal("%s line %d: missing host in PermitOpen",
1269 p = cleanhostname(p);
1270 if (arg == NULL || (port = a2port(arg)) <= 0)
1271 fatal("%s line %d: bad port number in "
1272 "PermitOpen", filename, linenum);
1273 if (*activep && n == -1)
1274 options->num_permitted_opens =
1275 channel_add_adm_permitted_opens(p, port);
1281 fatal("%.200s line %d: Missing argument.", filename,
1283 len = strspn(cp, WHITESPACE);
1284 if (*activep && options->adm_forced_command == NULL)
1285 options->adm_forced_command = xstrdup(cp + len);
1288 case sChrootDirectory:
1289 charptr = &options->chroot_directory;
1291 arg = strdelim(&cp);
1292 if (!arg || *arg == '\0')
1293 fatal("%s line %d: missing file name.",
1295 if (*activep && *charptr == NULL)
1296 *charptr = xstrdup(arg);
1300 intptr = &options->rdomain;
1304 logit("%s line %d: Deprecated option %s",
1305 filename, linenum, arg);
1307 arg = strdelim(&cp);
1311 logit("%s line %d: Unsupported option %s",
1312 filename, linenum, arg);
1314 arg = strdelim(&cp);
1318 fatal("%s line %d: Missing handler for opcode %s (%d)",
1319 filename, linenum, arg, opcode);
1321 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1322 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1323 filename, linenum, arg);
1327 /* Reads the server configuration file. */
1330 load_server_config(const char *filename, Buffer *conf)
1332 char line[1024], *cp;
1335 debug2("%s: filename %s", __func__, filename);
1336 if ((f = fopen(filename, "r")) == NULL) {
1341 while (fgets(line, sizeof(line), f)) {
1343 * Trim out comments and strip whitespace
1344 * NB - preserve newlines, they are needed to reproduce
1345 * line numbers later for error messages
1347 if ((cp = strchr(line, '#')) != NULL)
1348 memcpy(cp, "\n", 2);
1349 cp = line + strspn(line, " \t\r");
1351 buffer_append(conf, cp, strlen(cp));
1353 buffer_append(conf, "\0", 1);
1355 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1359 parse_server_match_config(ServerOptions *options, const char *user,
1360 const char *host, const char *address)
1364 initialize_server_options(&mo);
1365 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1366 copy_set_server_options(options, &mo, 0);
1370 #define M_CP_INTOPT(n) do {\
1374 #define M_CP_STROPT(n) do {\
1375 if (src->n != NULL) { \
1376 if (dst->n != NULL) \
1383 * Copy any supported values that are set.
1385 * If the preauth flag is set, we do not bother copying the string or
1386 * array values that are not used pre-authentication, because any that we
1387 * do use must be explictly sent in mm_getpwnamallow().
1390 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1392 M_CP_INTOPT(password_authentication);
1393 M_CP_INTOPT(gss_authentication);
1394 M_CP_INTOPT(rsa_authentication);
1395 M_CP_INTOPT(pubkey_authentication);
1396 M_CP_INTOPT(kerberos_authentication);
1397 M_CP_INTOPT(hostbased_authentication);
1398 M_CP_INTOPT(kbd_interactive_authentication);
1399 M_CP_INTOPT(zero_knowledge_password_authentication);
1400 M_CP_INTOPT(permit_root_login);
1401 M_CP_INTOPT(permit_empty_passwd);
1403 M_CP_INTOPT(allow_tcp_forwarding);
1404 M_CP_INTOPT(allow_agent_forwarding);
1405 M_CP_INTOPT(gateway_ports);
1406 M_CP_INTOPT(x11_display_offset);
1407 M_CP_INTOPT(x11_forwarding);
1408 M_CP_INTOPT(x11_use_localhost);
1409 M_CP_INTOPT(max_sessions);
1410 M_CP_INTOPT(max_authtries);
1412 M_CP_STROPT(banner);
1415 M_CP_STROPT(adm_forced_command);
1416 M_CP_STROPT(chroot_directory);
1423 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1424 const char *user, const char *host, const char *address)
1426 int active, linenum, bad_options = 0;
1427 char *cp, *obuf, *cbuf;
1429 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1431 obuf = cbuf = xstrdup(buffer_ptr(conf));
1432 active = user ? 0 : 1;
1434 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1435 if (process_server_config_line(options, cp, filename,
1436 linenum++, &active, user, host, address) != 0)
1440 if (bad_options > 0)
1441 fatal("%s: terminating, %d bad configuration options",
1442 filename, bad_options);
1446 fmt_intarg(ServerOpCodes code, int val)
1448 if (code == sAddressFamily) {
1460 if (code == sPermitRootLogin) {
1462 case PERMIT_NO_PASSWD:
1463 return "without-password";
1464 case PERMIT_FORCED_ONLY:
1465 return "forced-commands-only";
1470 if (code == sProtocol) {
1476 case (SSH_PROTO_1|SSH_PROTO_2):
1482 if (code == sGatewayPorts && val == 2)
1483 return "clientspecified";
1484 if (code == sCompression && val == COMP_DELAYED)
1498 lookup_opcode_name(ServerOpCodes code)
1502 for (i = 0; keywords[i].name != NULL; i++)
1503 if (keywords[i].opcode == code)
1504 return(keywords[i].name);
1509 dump_cfg_int(ServerOpCodes code, int val)
1511 printf("%s %d\n", lookup_opcode_name(code), val);
1515 dump_cfg_fmtint(ServerOpCodes code, int val)
1517 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1521 dump_cfg_string(ServerOpCodes code, const char *val)
1525 printf("%s %s\n", lookup_opcode_name(code), val);
1529 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1533 for (i = 0; i < count; i++)
1534 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1538 dump_config(ServerOptions *o)
1542 struct addrinfo *ai;
1543 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1545 /* these are usually at the top of the config */
1546 for (i = 0; i < o->num_ports; i++)
1547 printf("port %d\n", o->ports[i]);
1548 dump_cfg_fmtint(sProtocol, o->protocol);
1549 dump_cfg_fmtint(sAddressFamily, o->address_family);
1551 /* ListenAddress must be after Port */
1552 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1553 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1554 sizeof(addr), port, sizeof(port),
1555 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1556 error("getnameinfo failed: %.100s",
1557 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1560 if (ai->ai_family == AF_INET6)
1561 printf("listenaddress [%s]:%s\n", addr, port);
1563 printf("listenaddress %s:%s\n", addr, port);
1567 /* integer arguments */
1569 dump_cfg_int(sUsePAM, o->use_pam);
1571 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1572 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1573 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1574 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1575 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1576 dump_cfg_int(sMaxSessions, o->max_sessions);
1577 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1578 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1579 dump_cfg_int(sRDomain, o->rdomain);
1581 /* formatted integer arguments */
1582 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1583 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1584 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1585 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1586 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1587 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1588 o->hostbased_uses_name_from_packet_only);
1589 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1590 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1592 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1593 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1594 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1596 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1600 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1601 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1604 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1605 o->zero_knowledge_password_authentication);
1607 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1608 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1609 o->kbd_interactive_authentication);
1610 dump_cfg_fmtint(sChallengeResponseAuthentication,
1611 o->challenge_response_authentication);
1612 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1613 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1614 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1615 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1616 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1617 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1618 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1619 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1620 dump_cfg_fmtint(sUseLogin, o->use_login);
1621 dump_cfg_fmtint(sCompression, o->compression);
1622 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1623 dump_cfg_fmtint(sUseDNS, o->use_dns);
1624 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1625 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1627 /* string arguments */
1628 dump_cfg_string(sPidFile, o->pid_file);
1629 dump_cfg_string(sXAuthLocation, o->xauth_location);
1630 dump_cfg_string(sCiphers, o->ciphers);
1631 dump_cfg_string(sMacs, o->macs);
1632 dump_cfg_string(sBanner, o->banner);
1633 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1634 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1635 dump_cfg_string(sForceCommand, o->adm_forced_command);
1637 /* string arguments requiring a lookup */
1638 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1639 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1641 /* string array arguments */
1642 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1644 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1645 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1646 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1647 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1648 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1650 /* other arguments */
1651 for (i = 0; i < o->num_subsystems; i++)
1652 printf("subsystem %s %s\n", o->subsystem_name[i],
1653 o->subsystem_args[i]);
1655 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1656 o->max_startups_rate, o->max_startups);
1658 for (i = 0; tunmode_desc[i].val != -1; i++)
1659 if (tunmode_desc[i].val == o->permit_tun) {
1660 s = tunmode_desc[i].text;
1663 dump_cfg_string(sPermitTunnel, s);
1665 channel_print_adm_permitted_opens();