X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/eea39c0272a730e084139c86449282fb2f03fa60..1d3c30dbe232d224145556c245d27d1be1e01a1e:/servconf.c diff --git a/servconf.c b/servconf.c index fb42d74e..075eed40 100644 --- a/servconf.c +++ b/servconf.c @@ -10,16 +10,33 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.57 2001/01/08 22:29:05 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.71 2001/03/05 15:44:51 stevesk Exp $"); + +#ifdef KRB4 +#include +#endif +#ifdef AFS +#include +#endif #include "ssh.h" +#include "log.h" #include "servconf.h" #include "xmalloc.h" #include "compat.h" +#include "pathnames.h" +#include "tildexpand.h" +#include "misc.h" +#include "cipher.h" +#include "kex.h" +#include "mac.h" /* add listen address */ void add_listen_addr(ServerOptions *options, char *addr); +/* AF_UNSPEC or AF_INET or AF_INET6 */ +extern int IPv4or6; + /* Initializes the server options to their default values. */ void @@ -34,7 +51,7 @@ initialize_server_options(ServerOptions *options) options->server_key_bits = -1; options->login_grace_time = -1; options->key_regeneration_time = -1; - options->permit_root_login = -1; + options->permit_root_login = PERMIT_NOT_SET; options->ignore_rhosts = -1; options->ignore_user_known_hosts = -1; options->print_motd = -1; @@ -61,9 +78,7 @@ initialize_server_options(ServerOptions *options) #endif options->password_authentication = -1; options->kbd_interactive_authentication = -1; -#ifdef SKEY - options->skey_authentication = -1; -#endif + options->challenge_reponse_authentication = -1; options->permit_empty_passwd = -1; options->use_login = -1; options->allow_tcp_forwarding = -1; @@ -72,6 +87,7 @@ initialize_server_options(ServerOptions *options) options->num_allow_groups = 0; options->num_deny_groups = 0; options->ciphers = NULL; + options->macs = NULL; options->protocol = SSH_PROTO_UNKNOWN; options->gateway_ports = -1; options->num_subsystems = 0; @@ -79,6 +95,7 @@ initialize_server_options(ServerOptions *options) options->max_startups_rate = -1; options->max_startups = -1; options->banner = NULL; + options->reverse_mapping_check = -1; } void @@ -89,24 +106,24 @@ fill_default_server_options(ServerOptions *options) if (options->num_host_key_files == 0) { /* fill default hostkeys for protocols */ if (options->protocol & SSH_PROTO_1) - options->host_key_files[options->num_host_key_files++] = HOST_KEY_FILE; + options->host_key_files[options->num_host_key_files++] = _PATH_HOST_KEY_FILE; if (options->protocol & SSH_PROTO_2) - options->host_key_files[options->num_host_key_files++] = HOST_DSA_KEY_FILE; + options->host_key_files[options->num_host_key_files++] = _PATH_HOST_DSA_KEY_FILE; } if (options->num_ports == 0) options->ports[options->num_ports++] = SSH_DEFAULT_PORT; if (options->listen_addrs == NULL) add_listen_addr(options, NULL); if (options->pid_file == NULL) - options->pid_file = SSH_DAEMON_PID_FILE; + options->pid_file = _PATH_SSH_DAEMON_PID_FILE; if (options->server_key_bits == -1) options->server_key_bits = 768; if (options->login_grace_time == -1) options->login_grace_time = 600; if (options->key_regeneration_time == -1) options->key_regeneration_time = 3600; - if (options->permit_root_login == -1) - options->permit_root_login = 1; /* yes */ + if (options->permit_root_login == PERMIT_NOT_SET) + options->permit_root_login = PERMIT_YES; if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) @@ -130,7 +147,7 @@ fill_default_server_options(ServerOptions *options) if (options->log_facility == (SyslogFacility) (-1)) options->log_facility = SYSLOG_FACILITY_AUTH; if (options->log_level == (LogLevel) (-1)) - options->log_level = SYSLOG_LEVEL_NOTICE; + options->log_level = SYSLOG_LEVEL_INFO; if (options->rhosts_authentication == -1) options->rhosts_authentication = 0; if (options->rhosts_rsa_authentication == -1) @@ -157,10 +174,8 @@ fill_default_server_options(ServerOptions *options) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; -#ifdef SKEY - if (options->skey_authentication == -1) - options->skey_authentication = 1; -#endif + if (options->challenge_reponse_authentication == -1) + options->challenge_reponse_authentication = 1; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; if (options->use_login == -1) @@ -175,6 +190,8 @@ fill_default_server_options(ServerOptions *options) options->max_startups_rate = 100; /* 100% */ if (options->max_startups_begin == -1) options->max_startups_begin = options->max_startups; + if (options->reverse_mapping_check == -1) + options->reverse_mapping_check = 0; } /* Keyword tokens. */ @@ -189,17 +206,15 @@ typedef enum { #ifdef AFS sKerberosTgtPassing, sAFSTokenPassing, #endif -#ifdef SKEY - sSkeyAuthentication, -#endif + sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, - sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, + sStrictModes, sEmptyPasswd, sKeepAlives, sCheckMail, sUseLogin, sAllowTcpForwarding, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, - sIgnoreUserKnownHosts, sCiphers, sProtocol, sPidFile, + sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, - sBanner + sBanner, sReverseMappingCheck } ServerOpCodes; /* Textual representation of the tokens. */ @@ -210,7 +225,7 @@ static struct { { "port", sPort }, { "hostkey", sHostKeyFile }, { "hostdsakey", sHostKeyFile }, /* alias */ - { "pidfile", sPidFile }, + { "pidfile", sPidFile }, { "serverkeybits", sServerKeyBits }, { "logingracetime", sLoginGraceTime }, { "keyregenerationinterval", sKeyRegenerationTime }, @@ -233,9 +248,8 @@ static struct { #endif { "passwordauthentication", sPasswordAuthentication }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, -#ifdef SKEY - { "skeyauthentication", sSkeyAuthentication }, -#endif + { "challengeresponseauthentication", sChallengeResponseAuthentication }, + { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ { "checkmail", sCheckMail }, { "listenaddress", sListenAddress }, { "printmotd", sPrintMotd }, @@ -247,7 +261,6 @@ static struct { { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, { "uselogin", sUseLogin }, - { "randomseed", sRandomSeedFile }, { "keepalive", sKeepAlives }, { "allowtcpforwarding", sAllowTcpForwarding }, { "allowusers", sAllowUsers }, @@ -255,11 +268,13 @@ static struct { { "allowgroups", sAllowGroups }, { "denygroups", sDenyGroups }, { "ciphers", sCiphers }, + { "macs", sMacs }, { "protocol", sProtocol }, { "gatewayports", sGatewayPorts }, { "subsystem", sSubsystem }, { "maxstartups", sMaxStartups }, { "banner", sBanner }, + { "reversemappingcheck", sReverseMappingCheck }, { NULL, 0 } }; @@ -289,7 +304,6 @@ parse_token(const char *cp, const char *filename, void add_listen_addr(ServerOptions *options, char *addr) { - extern int IPv4or6; struct addrinfo hints, *ai, *aitop; char strport[NI_MAXSERV]; int gaierr; @@ -304,7 +318,7 @@ add_listen_addr(ServerOptions *options, char *addr) hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; snprintf(strport, sizeof strport, "%d", options->ports[i]); if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) - fatal("bad addr or host: %s (%s)\n", + fatal("bad addr or host: %s (%s)", addr ? addr : "", gai_strerror(gaierr)); for (ai = aitop; ai->ai_next; ai = ai->ai_next) @@ -340,7 +354,7 @@ read_server_config(ServerOptions *options, const char *filename) /* Ignore leading whitespace */ if (*arg == '\0') arg = strdelim(&cp); - if (!*arg || *arg == '#') + if (!arg || !*arg || *arg == '#') continue; intptr = NULL; charptr = NULL; @@ -357,11 +371,11 @@ read_server_config(ServerOptions *options, const char *filename) fatal("%s line %d: ports must be specified before " "ListenAdress.\n", filename, linenum); if (options->num_ports >= MAX_PORTS) - fatal("%s line %d: too many ports.\n", + fatal("%s line %d: too many ports.", filename, linenum); arg = strdelim(&cp); if (!arg || *arg == '\0') - fatal("%s line %d: missing port number.\n", + fatal("%s line %d: missing port number.", filename, linenum); options->ports[options->num_ports++] = atoi(arg); break; @@ -391,7 +405,7 @@ parse_int: case sListenAddress: arg = strdelim(&cp); if (!arg || *arg == '\0') - fatal("%s line %d: missing inet addr.\n", + fatal("%s line %d: missing inet addr.", filename, linenum); add_listen_addr(options, arg); break; @@ -399,7 +413,8 @@ parse_int: case sHostKeyFile: intptr = &options->num_host_key_files; if (*intptr >= MAX_HOSTKEYS) { - fprintf(stderr, "%s line %d: to many host keys specified (max %d).\n", + fprintf(stderr, + "%s line %d: too many host keys specified (max %d).\n", filename, linenum, MAX_HOSTKEYS); exit(1); } @@ -423,29 +438,27 @@ parse_filename: charptr = &options->pid_file; goto parse_filename; - case sRandomSeedFile: - fprintf(stderr, "%s line %d: \"randomseed\" option is obsolete.\n", - filename, linenum); - arg = strdelim(&cp); - break; - case sPermitRootLogin: intptr = &options->permit_root_login; arg = strdelim(&cp); if (!arg || *arg == '\0') { - fprintf(stderr, "%s line %d: missing yes/without-password/no argument.\n", - filename, linenum); + fprintf(stderr, "%s line %d: missing yes/" + "without-password/forced-commands-only/no " + "argument.\n", filename, linenum); exit(1); } if (strcmp(arg, "without-password") == 0) - value = 2; + value = PERMIT_NO_PASSWD; + else if (strcmp(arg, "forced-commands-only") == 0) + value = PERMIT_FORCED_ONLY; else if (strcmp(arg, "yes") == 0) - value = 1; + value = PERMIT_YES; else if (strcmp(arg, "no") == 0) - value = 0; + value = PERMIT_NO; else { - fprintf(stderr, "%s line %d: Bad yes/without-password/no argument: %s\n", - filename, linenum, arg); + fprintf(stderr, "%s line %d: Bad yes/" + "without-password/forced-commands-only/no " + "argument: %s\n", filename, linenum, arg); exit(1); } if (*intptr == -1) @@ -530,11 +543,9 @@ parse_flag: intptr = &options->check_mail; goto parse_flag; -#ifdef SKEY - case sSkeyAuthentication: - intptr = &options->skey_authentication; + case sChallengeResponseAuthentication: + intptr = &options->challenge_reponse_authentication; goto parse_flag; -#endif case sPrintMotd: intptr = &options->print_motd; @@ -551,7 +562,7 @@ parse_flag: case sXAuthLocation: charptr = &options->xauth_location; goto parse_filename; - + case sStrictModes: intptr = &options->strict_modes; goto parse_flag; @@ -572,12 +583,16 @@ parse_flag: intptr = &options->gateway_ports; goto parse_flag; + case sReverseMappingCheck: + intptr = &options->reverse_mapping_check; + goto parse_flag; + case sLogFacility: intptr = (int *) &options->log_facility; arg = strdelim(&cp); value = log_facility_number(arg); if (value == (SyslogFacility) - 1) - fatal("%.200s line %d: unsupported log facility '%s'\n", + fatal("%.200s line %d: unsupported log facility '%s'", filename, linenum, arg ? arg : ""); if (*intptr == -1) *intptr = (SyslogFacility) value; @@ -588,7 +603,7 @@ parse_flag: arg = strdelim(&cp); value = log_level_number(arg); if (value == (LogLevel) - 1) - fatal("%.200s line %d: unsupported log level '%s'\n", + fatal("%.200s line %d: unsupported log level '%s'", filename, linenum, arg ? arg : ""); if (*intptr == -1) *intptr = (LogLevel) value; @@ -601,7 +616,7 @@ parse_flag: case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_users >= MAX_ALLOW_USERS) - fatal("%s line %d: too many allow users.\n", + fatal("%s line %d: too many allow users.", filename, linenum); options->allow_users[options->num_allow_users++] = xstrdup(arg); } @@ -610,7 +625,7 @@ parse_flag: case sDenyUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_deny_users >= MAX_DENY_USERS) - fatal( "%s line %d: too many deny users.\n", + fatal( "%s line %d: too many deny users.", filename, linenum); options->deny_users[options->num_deny_users++] = xstrdup(arg); } @@ -619,7 +634,7 @@ parse_flag: case sAllowGroups: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_groups >= MAX_ALLOW_GROUPS) - fatal("%s line %d: too many allow groups.\n", + fatal("%s line %d: too many allow groups.", filename, linenum); options->allow_groups[options->num_allow_groups++] = xstrdup(arg); } @@ -628,7 +643,7 @@ parse_flag: case sDenyGroups: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_deny_groups >= MAX_DENY_GROUPS) - fatal("%s line %d: too many deny groups.\n", + fatal("%s line %d: too many deny groups.", filename, linenum); options->deny_groups[options->num_deny_groups++] = xstrdup(arg); } @@ -645,6 +660,17 @@ parse_flag: options->ciphers = xstrdup(arg); break; + case sMacs: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + if (!mac_valid(arg)) + fatal("%s line %d: Bad SSH2 mac spec '%s'.", + filename, linenum, arg ? arg : ""); + if (options->macs == NULL) + options->macs = xstrdup(arg); + break; + case sProtocol: intptr = &options->protocol; arg = strdelim(&cp); @@ -703,14 +729,14 @@ parse_flag: case sBanner: charptr = &options->banner; goto parse_filename; - + default: fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n", filename, linenum, arg, opcode); exit(1); } if ((arg = strdelim(&cp)) != NULL && *arg != '\0') { - fprintf(stderr, + fprintf(stderr, "%s line %d: garbage at end of line; \"%.200s\".\n", filename, linenum, arg); exit(1);