1 /* $OpenBSD: readconf.c,v 1.167 2008/06/26 11:46:31 grunk Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
18 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <sys/sysctl.h>
23 #include <netinet/in.h>
38 #include "pathnames.h"
48 /* Format of the configuration file:
50 # Configuration data is parsed as follows:
51 # 1. command line options
52 # 2. user-specific file
54 # Any configuration value is only changed the first time it is set.
55 # Thus, host-specific definitions should be at the beginning of the
56 # configuration file, and defaults at the end.
58 # Host-specific declarations. These may override anything above. A single
59 # host may match multiple declarations; these are processed in the order
60 # that they are given in.
66 HostName another.host.name.real.org
73 RemoteForward 9999 shadows.cs.hut.fi:9999
79 PasswordAuthentication no
83 ProxyCommand ssh-proxy %h %p
86 PublicKeyAuthentication no
90 PasswordAuthentication no
96 # Defaults for various options
100 PasswordAuthentication yes
101 RSAAuthentication yes
102 RhostsRSAAuthentication yes
103 StrictHostKeyChecking yes
105 IdentityFile ~/.ssh/identity
111 /* Keyword tokens. */
115 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
116 oExitOnForwardFailure,
117 oPasswordAuthentication, oRSAAuthentication,
118 oChallengeResponseAuthentication, oXAuthLocation,
119 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
120 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
121 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
122 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
123 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
124 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
125 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
126 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
127 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
128 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
129 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
130 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
131 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
132 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
133 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
134 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
137 oDeprecated, oUnsupported
140 /* Textual representations of the tokens. */
146 { "forwardagent", oForwardAgent },
147 { "forwardx11", oForwardX11 },
148 { "forwardx11trusted", oForwardX11Trusted },
149 { "exitonforwardfailure", oExitOnForwardFailure },
150 { "xauthlocation", oXAuthLocation },
151 { "gatewayports", oGatewayPorts },
152 { "useprivilegedport", oUsePrivilegedPort },
153 { "rhostsauthentication", oDeprecated },
154 { "passwordauthentication", oPasswordAuthentication },
155 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
156 { "kbdinteractivedevices", oKbdInteractiveDevices },
157 { "rsaauthentication", oRSAAuthentication },
158 { "pubkeyauthentication", oPubkeyAuthentication },
159 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
160 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
161 { "hostbasedauthentication", oHostbasedAuthentication },
162 { "challengeresponseauthentication", oChallengeResponseAuthentication },
163 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
164 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
165 { "kerberosauthentication", oUnsupported },
166 { "kerberostgtpassing", oUnsupported },
167 { "afstokenpassing", oUnsupported },
169 { "gssapiauthentication", oGssAuthentication },
170 { "gssapidelegatecredentials", oGssDelegateCreds },
172 { "gssapiauthentication", oUnsupported },
173 { "gssapidelegatecredentials", oUnsupported },
175 { "fallbacktorsh", oDeprecated },
176 { "usersh", oDeprecated },
177 { "identityfile", oIdentityFile },
178 { "identityfile2", oIdentityFile }, /* alias */
179 { "identitiesonly", oIdentitiesOnly },
180 { "hostname", oHostName },
181 { "hostkeyalias", oHostKeyAlias },
182 { "proxycommand", oProxyCommand },
184 { "cipher", oCipher },
185 { "ciphers", oCiphers },
187 { "protocol", oProtocol },
188 { "remoteforward", oRemoteForward },
189 { "localforward", oLocalForward },
192 { "escapechar", oEscapeChar },
193 { "globalknownhostsfile", oGlobalKnownHostsFile },
194 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
195 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
196 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
197 { "connectionattempts", oConnectionAttempts },
198 { "batchmode", oBatchMode },
199 { "checkhostip", oCheckHostIP },
200 { "stricthostkeychecking", oStrictHostKeyChecking },
201 { "compression", oCompression },
202 { "compressionlevel", oCompressionLevel },
203 { "tcpkeepalive", oTCPKeepAlive },
204 { "keepalive", oTCPKeepAlive }, /* obsolete */
205 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
206 { "loglevel", oLogLevel },
207 { "dynamicforward", oDynamicForward },
208 { "preferredauthentications", oPreferredAuthentications },
209 { "hostkeyalgorithms", oHostKeyAlgorithms },
210 { "bindaddress", oBindAddress },
212 { "smartcarddevice", oSmartcardDevice },
214 { "smartcarddevice", oUnsupported },
216 { "clearallforwardings", oClearAllForwardings },
217 { "enablesshkeysign", oEnableSSHKeysign },
218 { "verifyhostkeydns", oVerifyHostKeyDNS },
219 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
220 { "rekeylimit", oRekeyLimit },
221 { "connecttimeout", oConnectTimeout },
222 { "addressfamily", oAddressFamily },
223 { "serveraliveinterval", oServerAliveInterval },
224 { "serveralivecountmax", oServerAliveCountMax },
225 { "sendenv", oSendEnv },
226 { "controlpath", oControlPath },
227 { "controlmaster", oControlMaster },
228 { "hashknownhosts", oHashKnownHosts },
229 { "tunnel", oTunnel },
230 { "tunneldevice", oTunnelDevice },
231 { "localcommand", oLocalCommand },
232 { "permitlocalcommand", oPermitLocalCommand },
233 { "visualhostkey", oVisualHostKey },
234 { "versionaddendum", oVersionAddendum },
239 * Adds a local TCP/IP port forward to options. Never returns if there is an
244 add_local_forward(Options *options, const Forward *newfwd)
247 #ifndef NO_IPPORT_RESERVED_CONCEPT
248 extern uid_t original_real_uid;
251 size_t len_ipport_reserved = sizeof(ipport_reserved);
253 if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
254 &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
255 ipport_reserved = IPPORT_RESERVED;
259 ipport_reserved = IPPORT_RESERVED;
261 if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
262 fatal("Privileged ports can only be forwarded by root.");
264 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
265 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
266 fwd = &options->local_forwards[options->num_local_forwards++];
268 fwd->listen_host = (newfwd->listen_host == NULL) ?
269 NULL : xstrdup(newfwd->listen_host);
270 fwd->listen_port = newfwd->listen_port;
271 fwd->connect_host = xstrdup(newfwd->connect_host);
272 fwd->connect_port = newfwd->connect_port;
276 * Adds a remote TCP/IP port forward to options. Never returns if there is
281 add_remote_forward(Options *options, const Forward *newfwd)
284 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
285 fatal("Too many remote forwards (max %d).",
286 SSH_MAX_FORWARDS_PER_DIRECTION);
287 fwd = &options->remote_forwards[options->num_remote_forwards++];
289 fwd->listen_host = (newfwd->listen_host == NULL) ?
290 NULL : xstrdup(newfwd->listen_host);
291 fwd->listen_port = newfwd->listen_port;
292 fwd->connect_host = xstrdup(newfwd->connect_host);
293 fwd->connect_port = newfwd->connect_port;
297 clear_forwardings(Options *options)
301 for (i = 0; i < options->num_local_forwards; i++) {
302 if (options->local_forwards[i].listen_host != NULL)
303 xfree(options->local_forwards[i].listen_host);
304 xfree(options->local_forwards[i].connect_host);
306 options->num_local_forwards = 0;
307 for (i = 0; i < options->num_remote_forwards; i++) {
308 if (options->remote_forwards[i].listen_host != NULL)
309 xfree(options->remote_forwards[i].listen_host);
310 xfree(options->remote_forwards[i].connect_host);
312 options->num_remote_forwards = 0;
313 options->tun_open = SSH_TUNMODE_NO;
317 * Returns the number of the token pointed to by cp or oBadOption.
321 parse_token(const char *cp, const char *filename, int linenum)
325 for (i = 0; keywords[i].name; i++)
326 if (strcasecmp(cp, keywords[i].name) == 0)
327 return keywords[i].opcode;
329 error("%s: line %d: Bad configuration option: %s",
330 filename, linenum, cp);
335 * Processes a single option line as used in the configuration files. This
336 * only sets those values that have not already been set.
338 #define WHITESPACE " \t\r\n"
341 process_config_line(Options *options, const char *host,
342 char *line, const char *filename, int linenum,
345 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
346 int opcode, *intptr, value, value2, scale;
347 LogLevel *log_level_ptr;
348 long long orig, val64;
352 /* Strip trailing whitespace */
353 for (len = strlen(line) - 1; len > 0; len--) {
354 if (strchr(WHITESPACE, line[len]) == NULL)
360 /* Get the keyword. (Each line is supposed to begin with a keyword). */
361 if ((keyword = strdelim(&s)) == NULL)
363 /* Ignore leading whitespace. */
364 if (*keyword == '\0')
365 keyword = strdelim(&s);
366 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
369 opcode = parse_token(keyword, filename, linenum);
373 /* don't panic, but count bad options */
376 case oConnectTimeout:
377 intptr = &options->connection_timeout;
380 if (!arg || *arg == '\0')
381 fatal("%s line %d: missing time value.",
383 if ((value = convtime(arg)) == -1)
384 fatal("%s line %d: invalid time value.",
386 if (*activep && *intptr == -1)
391 intptr = &options->forward_agent;
394 if (!arg || *arg == '\0')
395 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
396 value = 0; /* To avoid compiler warning... */
397 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
399 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
402 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
403 if (*activep && *intptr == -1)
408 intptr = &options->forward_x11;
411 case oForwardX11Trusted:
412 intptr = &options->forward_x11_trusted;
416 intptr = &options->gateway_ports;
419 case oExitOnForwardFailure:
420 intptr = &options->exit_on_forward_failure;
423 case oUsePrivilegedPort:
424 intptr = &options->use_privileged_port;
427 case oPasswordAuthentication:
428 intptr = &options->password_authentication;
431 case oKbdInteractiveAuthentication:
432 intptr = &options->kbd_interactive_authentication;
435 case oKbdInteractiveDevices:
436 charptr = &options->kbd_interactive_devices;
439 case oPubkeyAuthentication:
440 intptr = &options->pubkey_authentication;
443 case oRSAAuthentication:
444 intptr = &options->rsa_authentication;
447 case oRhostsRSAAuthentication:
448 intptr = &options->rhosts_rsa_authentication;
451 case oHostbasedAuthentication:
452 intptr = &options->hostbased_authentication;
455 case oChallengeResponseAuthentication:
456 intptr = &options->challenge_response_authentication;
459 case oGssAuthentication:
460 intptr = &options->gss_authentication;
463 case oGssDelegateCreds:
464 intptr = &options->gss_deleg_creds;
468 intptr = &options->batch_mode;
472 intptr = &options->check_host_ip;
475 case oVerifyHostKeyDNS:
476 intptr = &options->verify_host_key_dns;
479 case oStrictHostKeyChecking:
480 intptr = &options->strict_host_key_checking;
483 if (!arg || *arg == '\0')
484 fatal("%.200s line %d: Missing yes/no/ask argument.",
486 value = 0; /* To avoid compiler warning... */
487 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
489 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
491 else if (strcmp(arg, "ask") == 0)
494 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
495 if (*activep && *intptr == -1)
500 intptr = &options->compression;
504 intptr = &options->tcp_keep_alive;
507 case oNoHostAuthenticationForLocalhost:
508 intptr = &options->no_host_authentication_for_localhost;
511 case oNumberOfPasswordPrompts:
512 intptr = &options->number_of_password_prompts;
515 case oCompressionLevel:
516 intptr = &options->compression_level;
521 if (!arg || *arg == '\0')
522 fatal("%.200s line %d: Missing argument.", filename, linenum);
523 if (arg[0] < '0' || arg[0] > '9')
524 fatal("%.200s line %d: Bad number.", filename, linenum);
525 orig = val64 = strtoll(arg, &endofnumber, 10);
526 if (arg == endofnumber)
527 fatal("%.200s line %d: Bad number.", filename, linenum);
528 switch (toupper(*endofnumber)) {
542 fatal("%.200s line %d: Invalid RekeyLimit suffix",
546 /* detect integer wrap and too-large limits */
547 if ((val64 / scale) != orig || val64 > UINT_MAX)
548 fatal("%.200s line %d: RekeyLimit too large",
551 fatal("%.200s line %d: RekeyLimit too small",
553 if (*activep && options->rekey_limit == -1)
554 options->rekey_limit = (u_int32_t)val64;
559 if (!arg || *arg == '\0')
560 fatal("%.200s line %d: Missing argument.", filename, linenum);
562 intptr = &options->num_identity_files;
563 if (*intptr >= SSH_MAX_IDENTITY_FILES)
564 fatal("%.200s line %d: Too many identity files specified (max %d).",
565 filename, linenum, SSH_MAX_IDENTITY_FILES);
566 charptr = &options->identity_files[*intptr];
567 *charptr = xstrdup(arg);
568 *intptr = *intptr + 1;
573 charptr=&options->xauth_location;
577 charptr = &options->user;
580 if (!arg || *arg == '\0')
581 fatal("%.200s line %d: Missing argument.", filename, linenum);
582 if (*activep && *charptr == NULL)
583 *charptr = xstrdup(arg);
586 case oGlobalKnownHostsFile:
587 charptr = &options->system_hostfile;
590 case oUserKnownHostsFile:
591 charptr = &options->user_hostfile;
594 case oGlobalKnownHostsFile2:
595 charptr = &options->system_hostfile2;
598 case oUserKnownHostsFile2:
599 charptr = &options->user_hostfile2;
603 charptr = &options->hostname;
607 charptr = &options->host_key_alias;
610 case oPreferredAuthentications:
611 charptr = &options->preferred_authentications;
615 charptr = &options->bind_address;
618 case oSmartcardDevice:
619 charptr = &options->smartcard_device;
623 charptr = &options->proxy_command;
626 fatal("%.200s line %d: Missing argument.", filename, linenum);
627 len = strspn(s, WHITESPACE "=");
628 if (*activep && *charptr == NULL)
629 *charptr = xstrdup(s + len);
633 intptr = &options->port;
636 if (!arg || *arg == '\0')
637 fatal("%.200s line %d: Missing argument.", filename, linenum);
638 if (arg[0] < '0' || arg[0] > '9')
639 fatal("%.200s line %d: Bad number.", filename, linenum);
641 /* Octal, decimal, or hex format? */
642 value = strtol(arg, &endofnumber, 0);
643 if (arg == endofnumber)
644 fatal("%.200s line %d: Bad number.", filename, linenum);
645 if (*activep && *intptr == -1)
649 case oConnectionAttempts:
650 intptr = &options->connection_attempts;
654 intptr = &options->cipher;
656 if (!arg || *arg == '\0')
657 fatal("%.200s line %d: Missing argument.", filename, linenum);
658 value = cipher_number(arg);
660 fatal("%.200s line %d: Bad cipher '%s'.",
661 filename, linenum, arg ? arg : "<NONE>");
662 if (*activep && *intptr == -1)
668 if (!arg || *arg == '\0')
669 fatal("%.200s line %d: Missing argument.", filename, linenum);
670 if (!ciphers_valid(arg))
671 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
672 filename, linenum, arg ? arg : "<NONE>");
673 if (*activep && options->ciphers == NULL)
674 options->ciphers = xstrdup(arg);
679 if (!arg || *arg == '\0')
680 fatal("%.200s line %d: Missing argument.", filename, linenum);
682 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
683 filename, linenum, arg ? arg : "<NONE>");
684 if (*activep && options->macs == NULL)
685 options->macs = xstrdup(arg);
688 case oHostKeyAlgorithms:
690 if (!arg || *arg == '\0')
691 fatal("%.200s line %d: Missing argument.", filename, linenum);
692 if (!key_names_valid2(arg))
693 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
694 filename, linenum, arg ? arg : "<NONE>");
695 if (*activep && options->hostkeyalgorithms == NULL)
696 options->hostkeyalgorithms = xstrdup(arg);
700 intptr = &options->protocol;
702 if (!arg || *arg == '\0')
703 fatal("%.200s line %d: Missing argument.", filename, linenum);
704 value = proto_spec(arg);
705 if (value == SSH_PROTO_UNKNOWN)
706 fatal("%.200s line %d: Bad protocol spec '%s'.",
707 filename, linenum, arg ? arg : "<NONE>");
708 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
713 log_level_ptr = &options->log_level;
715 value = log_level_number(arg);
716 if (value == SYSLOG_LEVEL_NOT_SET)
717 fatal("%.200s line %d: unsupported log level '%s'",
718 filename, linenum, arg ? arg : "<NONE>");
719 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
720 *log_level_ptr = (LogLevel) value;
726 if (arg == NULL || *arg == '\0')
727 fatal("%.200s line %d: Missing port argument.",
730 if (arg2 == NULL || *arg2 == '\0')
731 fatal("%.200s line %d: Missing target argument.",
734 /* construct a string for parse_forward */
735 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
737 if (parse_forward(&fwd, fwdarg) == 0)
738 fatal("%.200s line %d: Bad forwarding specification.",
742 if (opcode == oLocalForward)
743 add_local_forward(options, &fwd);
744 else if (opcode == oRemoteForward)
745 add_remote_forward(options, &fwd);
749 case oDynamicForward:
751 if (!arg || *arg == '\0')
752 fatal("%.200s line %d: Missing port argument.",
754 memset(&fwd, '\0', sizeof(fwd));
755 fwd.connect_host = "socks";
756 fwd.listen_host = hpdelim(&arg);
757 if (fwd.listen_host == NULL ||
758 strlen(fwd.listen_host) >= NI_MAXHOST)
759 fatal("%.200s line %d: Bad forwarding specification.",
762 fwd.listen_port = a2port(arg);
763 fwd.listen_host = cleanhostname(fwd.listen_host);
765 fwd.listen_port = a2port(fwd.listen_host);
766 fwd.listen_host = NULL;
768 if (fwd.listen_port == 0)
769 fatal("%.200s line %d: Badly formatted port number.",
772 add_local_forward(options, &fwd);
775 case oClearAllForwardings:
776 intptr = &options->clear_forwardings;
781 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
782 if (match_pattern(host, arg)) {
783 debug("Applying options for %.100s", arg);
787 /* Avoid garbage check below, as strdelim is done. */
791 intptr = &options->escape_char;
793 if (!arg || *arg == '\0')
794 fatal("%.200s line %d: Missing argument.", filename, linenum);
795 if (arg[0] == '^' && arg[2] == 0 &&
796 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
797 value = (u_char) arg[1] & 31;
798 else if (strlen(arg) == 1)
799 value = (u_char) arg[0];
800 else if (strcmp(arg, "none") == 0)
801 value = SSH_ESCAPECHAR_NONE;
803 fatal("%.200s line %d: Bad escape character.",
806 value = 0; /* Avoid compiler warning. */
808 if (*activep && *intptr == -1)
814 if (!arg || *arg == '\0')
815 fatal("%s line %d: missing address family.",
817 intptr = &options->address_family;
818 if (strcasecmp(arg, "inet") == 0)
820 else if (strcasecmp(arg, "inet6") == 0)
822 else if (strcasecmp(arg, "any") == 0)
825 fatal("Unsupported AddressFamily \"%s\"", arg);
826 if (*activep && *intptr == -1)
830 case oEnableSSHKeysign:
831 intptr = &options->enable_ssh_keysign;
834 case oIdentitiesOnly:
835 intptr = &options->identities_only;
838 case oServerAliveInterval:
839 intptr = &options->server_alive_interval;
842 case oServerAliveCountMax:
843 intptr = &options->server_alive_count_max;
847 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
848 if (strchr(arg, '=') != NULL)
849 fatal("%s line %d: Invalid environment name.",
853 if (options->num_send_env >= MAX_SEND_ENV)
854 fatal("%s line %d: too many send env.",
856 options->send_env[options->num_send_env++] =
862 charptr = &options->control_path;
866 intptr = &options->control_master;
868 if (!arg || *arg == '\0')
869 fatal("%.200s line %d: Missing ControlMaster argument.",
871 value = 0; /* To avoid compiler warning... */
872 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
873 value = SSHCTL_MASTER_YES;
874 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
875 value = SSHCTL_MASTER_NO;
876 else if (strcmp(arg, "auto") == 0)
877 value = SSHCTL_MASTER_AUTO;
878 else if (strcmp(arg, "ask") == 0)
879 value = SSHCTL_MASTER_ASK;
880 else if (strcmp(arg, "autoask") == 0)
881 value = SSHCTL_MASTER_AUTO_ASK;
883 fatal("%.200s line %d: Bad ControlMaster argument.",
885 if (*activep && *intptr == -1)
889 case oHashKnownHosts:
890 intptr = &options->hash_known_hosts;
894 intptr = &options->tun_open;
896 if (!arg || *arg == '\0')
897 fatal("%s line %d: Missing yes/point-to-point/"
898 "ethernet/no argument.", filename, linenum);
899 value = 0; /* silence compiler */
900 if (strcasecmp(arg, "ethernet") == 0)
901 value = SSH_TUNMODE_ETHERNET;
902 else if (strcasecmp(arg, "point-to-point") == 0)
903 value = SSH_TUNMODE_POINTOPOINT;
904 else if (strcasecmp(arg, "yes") == 0)
905 value = SSH_TUNMODE_DEFAULT;
906 else if (strcasecmp(arg, "no") == 0)
907 value = SSH_TUNMODE_NO;
909 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
910 "no argument: %s", filename, linenum, arg);
917 if (!arg || *arg == '\0')
918 fatal("%.200s line %d: Missing argument.", filename, linenum);
919 value = a2tun(arg, &value2);
920 if (value == SSH_TUNID_ERR)
921 fatal("%.200s line %d: Bad tun device.", filename, linenum);
923 options->tun_local = value;
924 options->tun_remote = value2;
929 charptr = &options->local_command;
932 case oPermitLocalCommand:
933 intptr = &options->permit_local_command;
937 intptr = &options->visual_host_key;
940 case oVersionAddendum:
941 ssh_version_set_addendum(strtok(s, "\n"));
944 } while (arg != NULL && *arg != '\0');
948 debug("%s line %d: Deprecated option \"%s\"",
949 filename, linenum, keyword);
953 error("%s line %d: Unsupported option \"%s\"",
954 filename, linenum, keyword);
958 fatal("process_config_line: Unimplemented opcode %d", opcode);
961 /* Check that there is no garbage at end of line. */
962 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
963 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
964 filename, linenum, arg);
971 * Reads the config file and modifies the options accordingly. Options
972 * should already be initialized before this call. This never returns if
973 * there is an error. If the file does not exist, this returns 0.
977 read_config_file(const char *filename, const char *host, Options *options,
986 if ((f = fopen(filename, "r")) == NULL)
992 if (fstat(fileno(f), &sb) == -1)
993 fatal("fstat %s: %s", filename, strerror(errno));
994 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
995 (sb.st_mode & 022) != 0))
996 fatal("Bad owner or permissions on %s", filename);
999 debug("Reading configuration data %.200s", filename);
1002 * Mark that we are now processing the options. This flag is turned
1003 * on/off by Host specifications.
1007 while (fgets(line, sizeof(line), f)) {
1008 /* Update line number counter. */
1010 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
1014 if (bad_options > 0)
1015 fatal("%s: terminating, %d bad configuration options",
1016 filename, bad_options);
1021 * Initializes options to special values that indicate that they have not yet
1022 * been set. Read_config_file will only set options with this value. Options
1023 * are processed in the following order: command line, user config file,
1024 * system config file. Last, fill_default_options is called.
1028 initialize_options(Options * options)
1030 memset(options, 'X', sizeof(*options));
1031 options->forward_agent = -1;
1032 options->forward_x11 = -1;
1033 options->forward_x11_trusted = -1;
1034 options->exit_on_forward_failure = -1;
1035 options->xauth_location = NULL;
1036 options->gateway_ports = -1;
1037 options->use_privileged_port = -1;
1038 options->rsa_authentication = -1;
1039 options->pubkey_authentication = -1;
1040 options->challenge_response_authentication = -1;
1041 options->gss_authentication = -1;
1042 options->gss_deleg_creds = -1;
1043 options->password_authentication = -1;
1044 options->kbd_interactive_authentication = -1;
1045 options->kbd_interactive_devices = NULL;
1046 options->rhosts_rsa_authentication = -1;
1047 options->hostbased_authentication = -1;
1048 options->batch_mode = -1;
1049 options->check_host_ip = -1;
1050 options->strict_host_key_checking = -1;
1051 options->compression = -1;
1052 options->tcp_keep_alive = -1;
1053 options->compression_level = -1;
1055 options->address_family = -1;
1056 options->connection_attempts = -1;
1057 options->connection_timeout = -1;
1058 options->number_of_password_prompts = -1;
1059 options->cipher = -1;
1060 options->ciphers = NULL;
1061 options->macs = NULL;
1062 options->hostkeyalgorithms = NULL;
1063 options->protocol = SSH_PROTO_UNKNOWN;
1064 options->num_identity_files = 0;
1065 options->hostname = NULL;
1066 options->host_key_alias = NULL;
1067 options->proxy_command = NULL;
1068 options->user = NULL;
1069 options->escape_char = -1;
1070 options->system_hostfile = NULL;
1071 options->user_hostfile = NULL;
1072 options->system_hostfile2 = NULL;
1073 options->user_hostfile2 = NULL;
1074 options->num_local_forwards = 0;
1075 options->num_remote_forwards = 0;
1076 options->clear_forwardings = -1;
1077 options->log_level = SYSLOG_LEVEL_NOT_SET;
1078 options->preferred_authentications = NULL;
1079 options->bind_address = NULL;
1080 options->smartcard_device = NULL;
1081 options->enable_ssh_keysign = - 1;
1082 options->no_host_authentication_for_localhost = - 1;
1083 options->identities_only = - 1;
1084 options->rekey_limit = - 1;
1085 options->verify_host_key_dns = -1;
1086 options->server_alive_interval = -1;
1087 options->server_alive_count_max = -1;
1088 options->num_send_env = 0;
1089 options->control_path = NULL;
1090 options->control_master = -1;
1091 options->hash_known_hosts = -1;
1092 options->tun_open = -1;
1093 options->tun_local = -1;
1094 options->tun_remote = -1;
1095 options->local_command = NULL;
1096 options->permit_local_command = -1;
1097 options->visual_host_key = -1;
1101 * Called after processing other sources of option data, this fills those
1102 * options for which no value has been specified with their default values.
1106 fill_default_options(Options * options)
1110 if (options->forward_agent == -1)
1111 options->forward_agent = 0;
1112 if (options->forward_x11 == -1)
1113 options->forward_x11 = 0;
1114 if (options->forward_x11_trusted == -1)
1115 options->forward_x11_trusted = 0;
1116 if (options->exit_on_forward_failure == -1)
1117 options->exit_on_forward_failure = 0;
1118 if (options->xauth_location == NULL)
1119 options->xauth_location = _PATH_XAUTH;
1120 if (options->gateway_ports == -1)
1121 options->gateway_ports = 0;
1122 if (options->use_privileged_port == -1)
1123 options->use_privileged_port = 0;
1124 if (options->rsa_authentication == -1)
1125 options->rsa_authentication = 1;
1126 if (options->pubkey_authentication == -1)
1127 options->pubkey_authentication = 1;
1128 if (options->challenge_response_authentication == -1)
1129 options->challenge_response_authentication = 1;
1130 if (options->gss_authentication == -1)
1131 options->gss_authentication = 0;
1132 if (options->gss_deleg_creds == -1)
1133 options->gss_deleg_creds = 0;
1134 if (options->password_authentication == -1)
1135 options->password_authentication = 1;
1136 if (options->kbd_interactive_authentication == -1)
1137 options->kbd_interactive_authentication = 1;
1138 if (options->rhosts_rsa_authentication == -1)
1139 options->rhosts_rsa_authentication = 0;
1140 if (options->hostbased_authentication == -1)
1141 options->hostbased_authentication = 0;
1142 if (options->batch_mode == -1)
1143 options->batch_mode = 0;
1144 if (options->check_host_ip == -1)
1145 options->check_host_ip = 0;
1146 if (options->strict_host_key_checking == -1)
1147 options->strict_host_key_checking = 2; /* 2 is default */
1148 if (options->compression == -1)
1149 options->compression = 0;
1150 if (options->tcp_keep_alive == -1)
1151 options->tcp_keep_alive = 1;
1152 if (options->compression_level == -1)
1153 options->compression_level = 6;
1154 if (options->port == -1)
1155 options->port = 0; /* Filled in ssh_connect. */
1156 if (options->address_family == -1)
1157 options->address_family = AF_UNSPEC;
1158 if (options->connection_attempts == -1)
1159 options->connection_attempts = 1;
1160 if (options->number_of_password_prompts == -1)
1161 options->number_of_password_prompts = 3;
1162 /* Selected in ssh_login(). */
1163 if (options->cipher == -1)
1164 options->cipher = SSH_CIPHER_NOT_SET;
1165 /* options->ciphers, default set in myproposals.h */
1166 /* options->macs, default set in myproposals.h */
1167 /* options->hostkeyalgorithms, default set in myproposals.h */
1168 if (options->protocol == SSH_PROTO_UNKNOWN)
1169 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
1170 if (options->num_identity_files == 0) {
1171 if (options->protocol & SSH_PROTO_1) {
1172 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1173 options->identity_files[options->num_identity_files] =
1175 snprintf(options->identity_files[options->num_identity_files++],
1176 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1178 if (options->protocol & SSH_PROTO_2) {
1179 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1180 options->identity_files[options->num_identity_files] =
1182 snprintf(options->identity_files[options->num_identity_files++],
1183 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1185 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1186 options->identity_files[options->num_identity_files] =
1188 snprintf(options->identity_files[options->num_identity_files++],
1189 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1192 if (options->escape_char == -1)
1193 options->escape_char = '~';
1194 if (options->system_hostfile == NULL)
1195 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1196 if (options->user_hostfile == NULL)
1197 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1198 if (options->system_hostfile2 == NULL)
1199 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1200 if (options->user_hostfile2 == NULL)
1201 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1202 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1203 options->log_level = SYSLOG_LEVEL_INFO;
1204 if (options->clear_forwardings == 1)
1205 clear_forwardings(options);
1206 if (options->no_host_authentication_for_localhost == - 1)
1207 options->no_host_authentication_for_localhost = 0;
1208 if (options->identities_only == -1)
1209 options->identities_only = 0;
1210 if (options->enable_ssh_keysign == -1)
1211 options->enable_ssh_keysign = 0;
1212 if (options->rekey_limit == -1)
1213 options->rekey_limit = 0;
1214 if (options->verify_host_key_dns == -1)
1215 options->verify_host_key_dns = 0;
1216 if (options->server_alive_interval == -1)
1217 options->server_alive_interval = 0;
1218 if (options->server_alive_count_max == -1)
1219 options->server_alive_count_max = 3;
1220 if (options->control_master == -1)
1221 options->control_master = 0;
1222 if (options->hash_known_hosts == -1)
1223 options->hash_known_hosts = 0;
1224 if (options->tun_open == -1)
1225 options->tun_open = SSH_TUNMODE_NO;
1226 if (options->tun_local == -1)
1227 options->tun_local = SSH_TUNID_ANY;
1228 if (options->tun_remote == -1)
1229 options->tun_remote = SSH_TUNID_ANY;
1230 if (options->permit_local_command == -1)
1231 options->permit_local_command = 0;
1232 if (options->visual_host_key == -1)
1233 options->visual_host_key = 0;
1234 /* options->local_command should not be set by default */
1235 /* options->proxy_command should not be set by default */
1236 /* options->user will be set in the main program if appropriate */
1237 /* options->hostname will be set in the main program if appropriate */
1238 /* options->host_key_alias should not be set by default */
1239 /* options->preferred_authentications will be set in ssh */
1244 * parses a string containing a port forwarding specification of the form:
1245 * [listenhost:]listenport:connecthost:connectport
1246 * returns number of arguments parsed or zero on error
1249 parse_forward(Forward *fwd, const char *fwdspec)
1252 char *p, *cp, *fwdarg[4];
1254 memset(fwd, '\0', sizeof(*fwd));
1256 cp = p = xstrdup(fwdspec);
1258 /* skip leading spaces */
1259 while (isspace(*cp))
1262 for (i = 0; i < 4; ++i)
1263 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1266 /* Check for trailing garbage in 4-arg case*/
1268 i = 0; /* failure */
1272 fwd->listen_host = NULL;
1273 fwd->listen_port = a2port(fwdarg[0]);
1274 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1275 fwd->connect_port = a2port(fwdarg[2]);
1279 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1280 fwd->listen_port = a2port(fwdarg[1]);
1281 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1282 fwd->connect_port = a2port(fwdarg[3]);
1285 i = 0; /* failure */
1290 if (fwd->listen_port == 0 || fwd->connect_port == 0)
1293 if (fwd->connect_host != NULL &&
1294 strlen(fwd->connect_host) >= NI_MAXHOST)
1300 if (fwd->connect_host != NULL)
1301 xfree(fwd->connect_host);
1302 if (fwd->listen_host != NULL)
1303 xfree(fwd->listen_host);