1 /* $OpenBSD: readconf.c,v 1.196 2013/02/22 04:45:08 dtucker Exp $ */
4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * Functions for reading the configuration files.
9 * As far as I am concerned, the code I have written for this software
10 * can be used freely for any purpose. Any derived versions of this
11 * software must be clearly marked as such, and if the derived work is
12 * incompatible with the protocol description in the RFC file, it must be
13 * called by a name other than "ssh" or "Secure Shell".
19 #include <sys/types.h>
21 #include <sys/socket.h>
22 #include <sys/sysctl.h>
24 #include <netinet/in.h>
25 #include <netinet/in_systm.h>
26 #include <netinet/ip.h>
41 #include "pathnames.h"
52 /* Format of the configuration file:
54 # Configuration data is parsed as follows:
55 # 1. command line options
56 # 2. user-specific file
58 # Any configuration value is only changed the first time it is set.
59 # Thus, host-specific definitions should be at the beginning of the
60 # configuration file, and defaults at the end.
62 # Host-specific declarations. These may override anything above. A single
63 # host may match multiple declarations; these are processed in the order
64 # that they are given in.
70 HostName another.host.name.real.org
77 RemoteForward 9999 shadows.cs.hut.fi:9999
83 PasswordAuthentication no
87 ProxyCommand ssh-proxy %h %p
90 PublicKeyAuthentication no
94 PasswordAuthentication no
100 # Defaults for various options
104 PasswordAuthentication yes
105 RSAAuthentication yes
106 RhostsRSAAuthentication yes
107 StrictHostKeyChecking yes
109 IdentityFile ~/.ssh/identity
115 /* Keyword tokens. */
119 oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
120 oGatewayPorts, oExitOnForwardFailure,
121 oPasswordAuthentication, oRSAAuthentication,
122 oChallengeResponseAuthentication, oXAuthLocation,
123 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
124 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
125 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
126 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
127 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
128 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
129 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
130 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
131 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
132 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
133 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
134 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
135 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
136 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
137 oSendEnv, oControlPath, oControlMaster, oControlPersist,
139 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
140 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
141 oKexAlgorithms, oIPQoS, oRequestTTY,
142 oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
143 #ifdef NONE_CIPHER_ENABLED
144 oNoneEnabled, oNoneSwitch,
147 oDeprecated, oUnsupported
150 /* Textual representations of the tokens. */
156 { "forwardagent", oForwardAgent },
157 { "forwardx11", oForwardX11 },
158 { "forwardx11trusted", oForwardX11Trusted },
159 { "forwardx11timeout", oForwardX11Timeout },
160 { "exitonforwardfailure", oExitOnForwardFailure },
161 { "xauthlocation", oXAuthLocation },
162 { "gatewayports", oGatewayPorts },
163 { "useprivilegedport", oUsePrivilegedPort },
164 { "rhostsauthentication", oDeprecated },
165 { "passwordauthentication", oPasswordAuthentication },
166 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
167 { "kbdinteractivedevices", oKbdInteractiveDevices },
168 { "rsaauthentication", oRSAAuthentication },
169 { "pubkeyauthentication", oPubkeyAuthentication },
170 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
171 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
172 { "hostbasedauthentication", oHostbasedAuthentication },
173 { "challengeresponseauthentication", oChallengeResponseAuthentication },
174 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
175 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
176 { "kerberosauthentication", oUnsupported },
177 { "kerberostgtpassing", oUnsupported },
178 { "afstokenpassing", oUnsupported },
180 { "gssapiauthentication", oGssAuthentication },
181 { "gssapidelegatecredentials", oGssDelegateCreds },
183 { "gssapiauthentication", oUnsupported },
184 { "gssapidelegatecredentials", oUnsupported },
186 { "fallbacktorsh", oDeprecated },
187 { "usersh", oDeprecated },
188 { "identityfile", oIdentityFile },
189 { "identityfile2", oIdentityFile }, /* obsolete */
190 { "identitiesonly", oIdentitiesOnly },
191 { "hostname", oHostName },
192 { "hostkeyalias", oHostKeyAlias },
193 { "proxycommand", oProxyCommand },
195 { "cipher", oCipher },
196 { "ciphers", oCiphers },
198 { "protocol", oProtocol },
199 { "remoteforward", oRemoteForward },
200 { "localforward", oLocalForward },
203 { "escapechar", oEscapeChar },
204 { "globalknownhostsfile", oGlobalKnownHostsFile },
205 { "globalknownhostsfile2", oDeprecated },
206 { "userknownhostsfile", oUserKnownHostsFile },
207 { "userknownhostsfile2", oDeprecated },
208 { "connectionattempts", oConnectionAttempts },
209 { "batchmode", oBatchMode },
210 { "checkhostip", oCheckHostIP },
211 { "stricthostkeychecking", oStrictHostKeyChecking },
212 { "compression", oCompression },
213 { "compressionlevel", oCompressionLevel },
214 { "tcpkeepalive", oTCPKeepAlive },
215 { "keepalive", oTCPKeepAlive }, /* obsolete */
216 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
217 { "loglevel", oLogLevel },
218 { "dynamicforward", oDynamicForward },
219 { "preferredauthentications", oPreferredAuthentications },
220 { "hostkeyalgorithms", oHostKeyAlgorithms },
221 { "bindaddress", oBindAddress },
223 { "smartcarddevice", oPKCS11Provider },
224 { "pkcs11provider", oPKCS11Provider },
226 { "smartcarddevice", oUnsupported },
227 { "pkcs11provider", oUnsupported },
229 { "clearallforwardings", oClearAllForwardings },
230 { "enablesshkeysign", oEnableSSHKeysign },
231 { "verifyhostkeydns", oVerifyHostKeyDNS },
232 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
233 { "rekeylimit", oRekeyLimit },
234 { "connecttimeout", oConnectTimeout },
235 { "addressfamily", oAddressFamily },
236 { "serveraliveinterval", oServerAliveInterval },
237 { "serveralivecountmax", oServerAliveCountMax },
238 { "sendenv", oSendEnv },
239 { "controlpath", oControlPath },
240 { "controlmaster", oControlMaster },
241 { "controlpersist", oControlPersist },
242 { "hashknownhosts", oHashKnownHosts },
243 { "tunnel", oTunnel },
244 { "tunneldevice", oTunnelDevice },
245 { "localcommand", oLocalCommand },
246 { "permitlocalcommand", oPermitLocalCommand },
247 { "visualhostkey", oVisualHostKey },
248 { "useroaming", oUseRoaming },
250 { "zeroknowledgepasswordauthentication",
251 oZeroKnowledgePasswordAuthentication },
253 { "zeroknowledgepasswordauthentication", oUnsupported },
255 { "kexalgorithms", oKexAlgorithms },
257 { "requesttty", oRequestTTY },
258 { "hpndisabled", oHPNDisabled },
259 { "hpnbuffersize", oHPNBufferSize },
260 { "tcprcvbufpoll", oTcpRcvBufPoll },
261 { "tcprcvbuf", oTcpRcvBuf },
262 #ifdef NONE_CIPHER_ENABLED
263 { "noneenabled", oNoneEnabled },
264 { "noneswitch", oNoneSwitch },
266 { "versionaddendum", oVersionAddendum },
272 * Adds a local TCP/IP port forward to options. Never returns if there is an
277 add_local_forward(Options *options, const Forward *newfwd)
280 #ifndef NO_IPPORT_RESERVED_CONCEPT
281 extern uid_t original_real_uid;
284 size_t len_ipport_reserved = sizeof(ipport_reserved);
286 if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
287 &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
288 ipport_reserved = IPPORT_RESERVED;
292 ipport_reserved = IPPORT_RESERVED;
294 if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
295 fatal("Privileged ports can only be forwarded by root.");
297 options->local_forwards = xrealloc(options->local_forwards,
298 options->num_local_forwards + 1,
299 sizeof(*options->local_forwards));
300 fwd = &options->local_forwards[options->num_local_forwards++];
302 fwd->listen_host = newfwd->listen_host;
303 fwd->listen_port = newfwd->listen_port;
304 fwd->connect_host = newfwd->connect_host;
305 fwd->connect_port = newfwd->connect_port;
309 * Adds a remote TCP/IP port forward to options. Never returns if there is
314 add_remote_forward(Options *options, const Forward *newfwd)
318 options->remote_forwards = xrealloc(options->remote_forwards,
319 options->num_remote_forwards + 1,
320 sizeof(*options->remote_forwards));
321 fwd = &options->remote_forwards[options->num_remote_forwards++];
323 fwd->listen_host = newfwd->listen_host;
324 fwd->listen_port = newfwd->listen_port;
325 fwd->connect_host = newfwd->connect_host;
326 fwd->connect_port = newfwd->connect_port;
327 fwd->handle = newfwd->handle;
328 fwd->allocated_port = 0;
332 clear_forwardings(Options *options)
336 for (i = 0; i < options->num_local_forwards; i++) {
337 if (options->local_forwards[i].listen_host != NULL)
338 xfree(options->local_forwards[i].listen_host);
339 xfree(options->local_forwards[i].connect_host);
341 if (options->num_local_forwards > 0) {
342 xfree(options->local_forwards);
343 options->local_forwards = NULL;
345 options->num_local_forwards = 0;
346 for (i = 0; i < options->num_remote_forwards; i++) {
347 if (options->remote_forwards[i].listen_host != NULL)
348 xfree(options->remote_forwards[i].listen_host);
349 xfree(options->remote_forwards[i].connect_host);
351 if (options->num_remote_forwards > 0) {
352 xfree(options->remote_forwards);
353 options->remote_forwards = NULL;
355 options->num_remote_forwards = 0;
356 options->tun_open = SSH_TUNMODE_NO;
360 add_identity_file(Options *options, const char *dir, const char *filename,
365 if (options->num_identity_files >= SSH_MAX_IDENTITY_FILES)
366 fatal("Too many identity files specified (max %d)",
367 SSH_MAX_IDENTITY_FILES);
369 if (dir == NULL) /* no dir, filename is absolute */
370 path = xstrdup(filename);
372 (void)xasprintf(&path, "%.100s%.100s", dir, filename);
374 options->identity_file_userprovided[options->num_identity_files] =
376 options->identity_files[options->num_identity_files++] = path;
380 * Returns the number of the token pointed to by cp or oBadOption.
384 parse_token(const char *cp, const char *filename, int linenum)
388 for (i = 0; keywords[i].name; i++)
389 if (strcasecmp(cp, keywords[i].name) == 0)
390 return keywords[i].opcode;
392 error("%s: line %d: Bad configuration option: %s",
393 filename, linenum, cp);
398 * Processes a single option line as used in the configuration files. This
399 * only sets those values that have not already been set.
401 #define WHITESPACE " \t\r\n"
404 process_config_line(Options *options, const char *host,
405 char *line, const char *filename, int linenum,
406 int *activep, int userconfig)
408 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
409 char **cpptr, fwdarg[256];
410 u_int *uintptr, max_entries = 0;
411 int negated, opcode, *intptr, value, value2, scale;
412 LogLevel *log_level_ptr;
413 long long orig, val64;
417 /* Strip trailing whitespace */
418 for (len = strlen(line) - 1; len > 0; len--) {
419 if (strchr(WHITESPACE, line[len]) == NULL)
425 /* Get the keyword. (Each line is supposed to begin with a keyword). */
426 if ((keyword = strdelim(&s)) == NULL)
428 /* Ignore leading whitespace. */
429 if (*keyword == '\0')
430 keyword = strdelim(&s);
431 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
434 opcode = parse_token(keyword, filename, linenum);
438 /* don't panic, but count bad options */
441 case oConnectTimeout:
442 intptr = &options->connection_timeout;
445 if (!arg || *arg == '\0')
446 fatal("%s line %d: missing time value.",
448 if ((value = convtime(arg)) == -1)
449 fatal("%s line %d: invalid time value.",
451 if (*activep && *intptr == -1)
456 intptr = &options->forward_agent;
459 if (!arg || *arg == '\0')
460 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
461 value = 0; /* To avoid compiler warning... */
462 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
464 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
467 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
468 if (*activep && *intptr == -1)
473 intptr = &options->forward_x11;
476 case oForwardX11Trusted:
477 intptr = &options->forward_x11_trusted;
480 case oForwardX11Timeout:
481 intptr = &options->forward_x11_timeout;
485 intptr = &options->gateway_ports;
488 case oExitOnForwardFailure:
489 intptr = &options->exit_on_forward_failure;
492 case oUsePrivilegedPort:
493 intptr = &options->use_privileged_port;
496 case oPasswordAuthentication:
497 intptr = &options->password_authentication;
500 case oZeroKnowledgePasswordAuthentication:
501 intptr = &options->zero_knowledge_password_authentication;
504 case oKbdInteractiveAuthentication:
505 intptr = &options->kbd_interactive_authentication;
508 case oKbdInteractiveDevices:
509 charptr = &options->kbd_interactive_devices;
512 case oPubkeyAuthentication:
513 intptr = &options->pubkey_authentication;
516 case oRSAAuthentication:
517 intptr = &options->rsa_authentication;
520 case oRhostsRSAAuthentication:
521 intptr = &options->rhosts_rsa_authentication;
524 case oHostbasedAuthentication:
525 intptr = &options->hostbased_authentication;
528 case oChallengeResponseAuthentication:
529 intptr = &options->challenge_response_authentication;
532 case oGssAuthentication:
533 intptr = &options->gss_authentication;
536 case oGssDelegateCreds:
537 intptr = &options->gss_deleg_creds;
541 intptr = &options->batch_mode;
545 intptr = &options->check_host_ip;
548 case oVerifyHostKeyDNS:
549 intptr = &options->verify_host_key_dns;
552 case oStrictHostKeyChecking:
553 intptr = &options->strict_host_key_checking;
556 if (!arg || *arg == '\0')
557 fatal("%.200s line %d: Missing yes/no/ask argument.",
559 value = 0; /* To avoid compiler warning... */
560 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
562 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
564 else if (strcmp(arg, "ask") == 0)
567 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
568 if (*activep && *intptr == -1)
573 intptr = &options->compression;
577 intptr = &options->tcp_keep_alive;
580 case oNoHostAuthenticationForLocalhost:
581 intptr = &options->no_host_authentication_for_localhost;
584 case oNumberOfPasswordPrompts:
585 intptr = &options->number_of_password_prompts;
588 case oCompressionLevel:
589 intptr = &options->compression_level;
594 if (!arg || *arg == '\0')
595 fatal("%.200s line %d: Missing argument.", filename, linenum);
596 if (arg[0] < '0' || arg[0] > '9')
597 fatal("%.200s line %d: Bad number.", filename, linenum);
598 orig = val64 = strtoll(arg, &endofnumber, 10);
599 if (arg == endofnumber)
600 fatal("%.200s line %d: Bad number.", filename, linenum);
601 switch (toupper(*endofnumber)) {
615 fatal("%.200s line %d: Invalid RekeyLimit suffix",
619 /* detect integer wrap and too-large limits */
620 if ((val64 / scale) != orig || val64 > UINT_MAX)
621 fatal("%.200s line %d: RekeyLimit too large",
624 fatal("%.200s line %d: RekeyLimit too small",
626 if (*activep && options->rekey_limit == -1)
627 options->rekey_limit = (u_int32_t)val64;
632 if (!arg || *arg == '\0')
633 fatal("%.200s line %d: Missing argument.", filename, linenum);
635 intptr = &options->num_identity_files;
636 if (*intptr >= SSH_MAX_IDENTITY_FILES)
637 fatal("%.200s line %d: Too many identity files specified (max %d).",
638 filename, linenum, SSH_MAX_IDENTITY_FILES);
639 add_identity_file(options, NULL, arg, userconfig);
644 charptr=&options->xauth_location;
648 charptr = &options->user;
651 if (!arg || *arg == '\0')
652 fatal("%.200s line %d: Missing argument.",
654 if (*activep && *charptr == NULL)
655 *charptr = xstrdup(arg);
658 case oGlobalKnownHostsFile:
659 cpptr = (char **)&options->system_hostfiles;
660 uintptr = &options->num_system_hostfiles;
661 max_entries = SSH_MAX_HOSTS_FILES;
663 if (*activep && *uintptr == 0) {
664 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
665 if ((*uintptr) >= max_entries)
667 "too many authorized keys files.",
669 cpptr[(*uintptr)++] = xstrdup(arg);
674 case oUserKnownHostsFile:
675 cpptr = (char **)&options->user_hostfiles;
676 uintptr = &options->num_user_hostfiles;
677 max_entries = SSH_MAX_HOSTS_FILES;
678 goto parse_char_array;
681 charptr = &options->hostname;
685 charptr = &options->host_key_alias;
688 case oPreferredAuthentications:
689 charptr = &options->preferred_authentications;
693 charptr = &options->bind_address;
696 case oPKCS11Provider:
697 charptr = &options->pkcs11_provider;
701 charptr = &options->proxy_command;
704 fatal("%.200s line %d: Missing argument.", filename, linenum);
705 len = strspn(s, WHITESPACE "=");
706 if (*activep && *charptr == NULL)
707 *charptr = xstrdup(s + len);
711 intptr = &options->port;
714 if (!arg || *arg == '\0')
715 fatal("%.200s line %d: Missing argument.", filename, linenum);
716 if (arg[0] < '0' || arg[0] > '9')
717 fatal("%.200s line %d: Bad number.", filename, linenum);
719 /* Octal, decimal, or hex format? */
720 value = strtol(arg, &endofnumber, 0);
721 if (arg == endofnumber)
722 fatal("%.200s line %d: Bad number.", filename, linenum);
723 if (*activep && *intptr == -1)
727 case oConnectionAttempts:
728 intptr = &options->connection_attempts;
732 intptr = &options->cipher;
734 if (!arg || *arg == '\0')
735 fatal("%.200s line %d: Missing argument.", filename, linenum);
736 value = cipher_number(arg);
738 fatal("%.200s line %d: Bad cipher '%s'.",
739 filename, linenum, arg ? arg : "<NONE>");
740 if (*activep && *intptr == -1)
746 if (!arg || *arg == '\0')
747 fatal("%.200s line %d: Missing argument.", filename, linenum);
748 if (!ciphers_valid(arg))
749 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
750 filename, linenum, arg ? arg : "<NONE>");
751 if (*activep && options->ciphers == NULL)
752 options->ciphers = xstrdup(arg);
757 if (!arg || *arg == '\0')
758 fatal("%.200s line %d: Missing argument.", filename, linenum);
760 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
761 filename, linenum, arg ? arg : "<NONE>");
762 if (*activep && options->macs == NULL)
763 options->macs = xstrdup(arg);
768 if (!arg || *arg == '\0')
769 fatal("%.200s line %d: Missing argument.",
771 if (!kex_names_valid(arg))
772 fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
773 filename, linenum, arg ? arg : "<NONE>");
774 if (*activep && options->kex_algorithms == NULL)
775 options->kex_algorithms = xstrdup(arg);
778 case oHostKeyAlgorithms:
780 if (!arg || *arg == '\0')
781 fatal("%.200s line %d: Missing argument.", filename, linenum);
782 if (!key_names_valid2(arg))
783 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
784 filename, linenum, arg ? arg : "<NONE>");
785 if (*activep && options->hostkeyalgorithms == NULL)
786 options->hostkeyalgorithms = xstrdup(arg);
790 intptr = &options->protocol;
792 if (!arg || *arg == '\0')
793 fatal("%.200s line %d: Missing argument.", filename, linenum);
794 value = proto_spec(arg);
795 if (value == SSH_PROTO_UNKNOWN)
796 fatal("%.200s line %d: Bad protocol spec '%s'.",
797 filename, linenum, arg ? arg : "<NONE>");
798 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
803 log_level_ptr = &options->log_level;
805 value = log_level_number(arg);
806 if (value == SYSLOG_LEVEL_NOT_SET)
807 fatal("%.200s line %d: unsupported log level '%s'",
808 filename, linenum, arg ? arg : "<NONE>");
809 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
810 *log_level_ptr = (LogLevel) value;
815 case oDynamicForward:
817 if (arg == NULL || *arg == '\0')
818 fatal("%.200s line %d: Missing port argument.",
821 if (opcode == oLocalForward ||
822 opcode == oRemoteForward) {
824 if (arg2 == NULL || *arg2 == '\0')
825 fatal("%.200s line %d: Missing target argument.",
828 /* construct a string for parse_forward */
829 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
830 } else if (opcode == oDynamicForward) {
831 strlcpy(fwdarg, arg, sizeof(fwdarg));
834 if (parse_forward(&fwd, fwdarg,
835 opcode == oDynamicForward ? 1 : 0,
836 opcode == oRemoteForward ? 1 : 0) == 0)
837 fatal("%.200s line %d: Bad forwarding specification.",
841 if (opcode == oLocalForward ||
842 opcode == oDynamicForward)
843 add_local_forward(options, &fwd);
844 else if (opcode == oRemoteForward)
845 add_remote_forward(options, &fwd);
849 case oClearAllForwardings:
850 intptr = &options->clear_forwardings;
856 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
857 negated = *arg == '!';
860 if (match_pattern(host, arg)) {
862 debug("%.200s line %d: Skipping Host "
863 "block because of negated match "
864 "for %.100s", filename, linenum,
870 arg2 = arg; /* logged below */
875 debug("%.200s line %d: Applying options for %.100s",
876 filename, linenum, arg2);
877 /* Avoid garbage check below, as strdelim is done. */
881 intptr = &options->escape_char;
883 if (!arg || *arg == '\0')
884 fatal("%.200s line %d: Missing argument.", filename, linenum);
885 if (arg[0] == '^' && arg[2] == 0 &&
886 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
887 value = (u_char) arg[1] & 31;
888 else if (strlen(arg) == 1)
889 value = (u_char) arg[0];
890 else if (strcmp(arg, "none") == 0)
891 value = SSH_ESCAPECHAR_NONE;
893 fatal("%.200s line %d: Bad escape character.",
896 value = 0; /* Avoid compiler warning. */
898 if (*activep && *intptr == -1)
904 if (!arg || *arg == '\0')
905 fatal("%s line %d: missing address family.",
907 intptr = &options->address_family;
908 if (strcasecmp(arg, "inet") == 0)
910 else if (strcasecmp(arg, "inet6") == 0)
912 else if (strcasecmp(arg, "any") == 0)
915 fatal("Unsupported AddressFamily \"%s\"", arg);
916 if (*activep && *intptr == -1)
920 case oEnableSSHKeysign:
921 intptr = &options->enable_ssh_keysign;
924 case oIdentitiesOnly:
925 intptr = &options->identities_only;
928 case oServerAliveInterval:
929 intptr = &options->server_alive_interval;
932 case oServerAliveCountMax:
933 intptr = &options->server_alive_count_max;
937 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
938 if (strchr(arg, '=') != NULL)
939 fatal("%s line %d: Invalid environment name.",
943 if (options->num_send_env >= MAX_SEND_ENV)
944 fatal("%s line %d: too many send env.",
946 options->send_env[options->num_send_env++] =
952 charptr = &options->control_path;
956 intptr = &options->control_master;
958 if (!arg || *arg == '\0')
959 fatal("%.200s line %d: Missing ControlMaster argument.",
961 value = 0; /* To avoid compiler warning... */
962 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
963 value = SSHCTL_MASTER_YES;
964 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
965 value = SSHCTL_MASTER_NO;
966 else if (strcmp(arg, "auto") == 0)
967 value = SSHCTL_MASTER_AUTO;
968 else if (strcmp(arg, "ask") == 0)
969 value = SSHCTL_MASTER_ASK;
970 else if (strcmp(arg, "autoask") == 0)
971 value = SSHCTL_MASTER_AUTO_ASK;
973 fatal("%.200s line %d: Bad ControlMaster argument.",
975 if (*activep && *intptr == -1)
979 case oControlPersist:
980 /* no/false/yes/true, or a time spec */
981 intptr = &options->control_persist;
983 if (!arg || *arg == '\0')
984 fatal("%.200s line %d: Missing ControlPersist"
985 " argument.", filename, linenum);
987 value2 = 0; /* timeout */
988 if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
990 else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
992 else if ((value2 = convtime(arg)) >= 0)
995 fatal("%.200s line %d: Bad ControlPersist argument.",
997 if (*activep && *intptr == -1) {
999 options->control_persist_timeout = value2;
1003 case oHashKnownHosts:
1004 intptr = &options->hash_known_hosts;
1008 intptr = &options->tun_open;
1010 if (!arg || *arg == '\0')
1011 fatal("%s line %d: Missing yes/point-to-point/"
1012 "ethernet/no argument.", filename, linenum);
1013 value = 0; /* silence compiler */
1014 if (strcasecmp(arg, "ethernet") == 0)
1015 value = SSH_TUNMODE_ETHERNET;
1016 else if (strcasecmp(arg, "point-to-point") == 0)
1017 value = SSH_TUNMODE_POINTOPOINT;
1018 else if (strcasecmp(arg, "yes") == 0)
1019 value = SSH_TUNMODE_DEFAULT;
1020 else if (strcasecmp(arg, "no") == 0)
1021 value = SSH_TUNMODE_NO;
1023 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1024 "no argument: %s", filename, linenum, arg);
1031 if (!arg || *arg == '\0')
1032 fatal("%.200s line %d: Missing argument.", filename, linenum);
1033 value = a2tun(arg, &value2);
1034 if (value == SSH_TUNID_ERR)
1035 fatal("%.200s line %d: Bad tun device.", filename, linenum);
1037 options->tun_local = value;
1038 options->tun_remote = value2;
1043 charptr = &options->local_command;
1046 case oPermitLocalCommand:
1047 intptr = &options->permit_local_command;
1050 case oVisualHostKey:
1051 intptr = &options->visual_host_key;
1056 if ((value = parse_ipqos(arg)) == -1)
1057 fatal("%s line %d: Bad IPQoS value: %s",
1058 filename, linenum, arg);
1062 else if ((value2 = parse_ipqos(arg)) == -1)
1063 fatal("%s line %d: Bad IPQoS value: %s",
1064 filename, linenum, arg);
1066 options->ip_qos_interactive = value;
1067 options->ip_qos_bulk = value2;
1072 intptr = &options->use_roaming;
1077 if (!arg || *arg == '\0')
1078 fatal("%s line %d: missing argument.",
1080 intptr = &options->request_tty;
1081 if (strcasecmp(arg, "yes") == 0)
1082 value = REQUEST_TTY_YES;
1083 else if (strcasecmp(arg, "no") == 0)
1084 value = REQUEST_TTY_NO;
1085 else if (strcasecmp(arg, "force") == 0)
1086 value = REQUEST_TTY_FORCE;
1087 else if (strcasecmp(arg, "auto") == 0)
1088 value = REQUEST_TTY_AUTO;
1090 fatal("Unsupported RequestTTY \"%s\"", arg);
1091 if (*activep && *intptr == -1)
1096 intptr = &options->hpn_disabled;
1099 case oHPNBufferSize:
1100 intptr = &options->hpn_buffer_size;
1103 case oTcpRcvBufPoll:
1104 intptr = &options->tcp_rcv_buf_poll;
1108 intptr = &options->tcp_rcv_buf;
1111 #ifdef NONE_CIPHER_ENABLED
1113 intptr = &options->none_enabled;
1117 * We check to see if the command comes from the command line or not.
1118 * If it does then enable it otherwise fail. NONE must never be a
1119 * default configuration.
1122 if (strcmp(filename,"command-line") == 0) {
1123 intptr = &options->none_switch;
1126 debug("NoneSwitch directive found in %.200s.",
1128 error("NoneSwitch is found in %.200s.\n"
1129 "You may only use this configuration option "
1130 "from the command line", filename);
1131 error("Continuing...");
1136 case oVersionAddendum:
1138 fatal("%.200s line %d: Missing argument.", filename,
1140 len = strspn(s, WHITESPACE);
1141 if (*activep && options->version_addendum == NULL) {
1142 if (strcasecmp(s + len, "none") == 0)
1143 options->version_addendum = xstrdup("");
1144 else if (strchr(s + len, '\r') != NULL)
1145 fatal("%.200s line %d: Invalid argument",
1148 options->version_addendum = xstrdup(s + len);
1153 debug("%s line %d: Deprecated option \"%s\"",
1154 filename, linenum, keyword);
1158 error("%s line %d: Unsupported option \"%s\"",
1159 filename, linenum, keyword);
1163 fatal("process_config_line: Unimplemented opcode %d", opcode);
1166 /* Check that there is no garbage at end of line. */
1167 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1168 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
1169 filename, linenum, arg);
1176 * Reads the config file and modifies the options accordingly. Options
1177 * should already be initialized before this call. This never returns if
1178 * there is an error. If the file does not exist, this returns 0.
1182 read_config_file(const char *filename, const char *host, Options *options,
1187 int active, linenum;
1188 int bad_options = 0;
1190 if ((f = fopen(filename, "r")) == NULL)
1193 if (flags & SSHCONF_CHECKPERM) {
1196 if (fstat(fileno(f), &sb) == -1)
1197 fatal("fstat %s: %s", filename, strerror(errno));
1198 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
1199 (sb.st_mode & 022) != 0))
1200 fatal("Bad owner or permissions on %s", filename);
1203 debug("Reading configuration data %.200s", filename);
1206 * Mark that we are now processing the options. This flag is turned
1207 * on/off by Host specifications.
1211 while (fgets(line, sizeof(line), f)) {
1212 /* Update line number counter. */
1214 if (process_config_line(options, host, line, filename, linenum,
1215 &active, flags & SSHCONF_USERCONF) != 0)
1219 if (bad_options > 0)
1220 fatal("%s: terminating, %d bad configuration options",
1221 filename, bad_options);
1226 * Initializes options to special values that indicate that they have not yet
1227 * been set. Read_config_file will only set options with this value. Options
1228 * are processed in the following order: command line, user config file,
1229 * system config file. Last, fill_default_options is called.
1233 initialize_options(Options * options)
1235 memset(options, 'X', sizeof(*options));
1236 options->forward_agent = -1;
1237 options->forward_x11 = -1;
1238 options->forward_x11_trusted = -1;
1239 options->forward_x11_timeout = -1;
1240 options->exit_on_forward_failure = -1;
1241 options->xauth_location = NULL;
1242 options->gateway_ports = -1;
1243 options->use_privileged_port = -1;
1244 options->rsa_authentication = -1;
1245 options->pubkey_authentication = -1;
1246 options->challenge_response_authentication = -1;
1247 options->gss_authentication = -1;
1248 options->gss_deleg_creds = -1;
1249 options->password_authentication = -1;
1250 options->kbd_interactive_authentication = -1;
1251 options->kbd_interactive_devices = NULL;
1252 options->rhosts_rsa_authentication = -1;
1253 options->hostbased_authentication = -1;
1254 options->batch_mode = -1;
1255 options->check_host_ip = -1;
1256 options->strict_host_key_checking = -1;
1257 options->compression = -1;
1258 options->tcp_keep_alive = -1;
1259 options->compression_level = -1;
1261 options->address_family = -1;
1262 options->connection_attempts = -1;
1263 options->connection_timeout = -1;
1264 options->number_of_password_prompts = -1;
1265 options->cipher = -1;
1266 options->ciphers = NULL;
1267 options->macs = NULL;
1268 options->kex_algorithms = NULL;
1269 options->hostkeyalgorithms = NULL;
1270 options->protocol = SSH_PROTO_UNKNOWN;
1271 options->num_identity_files = 0;
1272 options->hostname = NULL;
1273 options->host_key_alias = NULL;
1274 options->proxy_command = NULL;
1275 options->user = NULL;
1276 options->escape_char = -1;
1277 options->num_system_hostfiles = 0;
1278 options->num_user_hostfiles = 0;
1279 options->local_forwards = NULL;
1280 options->num_local_forwards = 0;
1281 options->remote_forwards = NULL;
1282 options->num_remote_forwards = 0;
1283 options->clear_forwardings = -1;
1284 options->log_level = SYSLOG_LEVEL_NOT_SET;
1285 options->preferred_authentications = NULL;
1286 options->bind_address = NULL;
1287 options->pkcs11_provider = NULL;
1288 options->enable_ssh_keysign = - 1;
1289 options->no_host_authentication_for_localhost = - 1;
1290 options->identities_only = - 1;
1291 options->rekey_limit = - 1;
1292 options->verify_host_key_dns = -1;
1293 options->server_alive_interval = -1;
1294 options->server_alive_count_max = -1;
1295 options->num_send_env = 0;
1296 options->control_path = NULL;
1297 options->control_master = -1;
1298 options->control_persist = -1;
1299 options->control_persist_timeout = 0;
1300 options->hash_known_hosts = -1;
1301 options->tun_open = -1;
1302 options->tun_local = -1;
1303 options->tun_remote = -1;
1304 options->local_command = NULL;
1305 options->permit_local_command = -1;
1306 options->use_roaming = -1;
1307 options->visual_host_key = -1;
1308 options->zero_knowledge_password_authentication = -1;
1309 options->ip_qos_interactive = -1;
1310 options->ip_qos_bulk = -1;
1311 options->request_tty = -1;
1312 options->version_addendum = NULL;
1313 options->hpn_disabled = -1;
1314 options->hpn_buffer_size = -1;
1315 options->tcp_rcv_buf_poll = -1;
1316 options->tcp_rcv_buf = -1;
1317 #ifdef NONE_CIPHER_ENABLED
1318 options->none_enabled = -1;
1319 options->none_switch = -1;
1324 * Called after processing other sources of option data, this fills those
1325 * options for which no value has been specified with their default values.
1329 fill_default_options(Options * options)
1333 if (options->forward_agent == -1)
1334 options->forward_agent = 0;
1335 if (options->forward_x11 == -1)
1336 options->forward_x11 = 0;
1337 if (options->forward_x11_trusted == -1)
1338 options->forward_x11_trusted = 0;
1339 if (options->forward_x11_timeout == -1)
1340 options->forward_x11_timeout = 1200;
1341 if (options->exit_on_forward_failure == -1)
1342 options->exit_on_forward_failure = 0;
1343 if (options->xauth_location == NULL)
1344 options->xauth_location = _PATH_XAUTH;
1345 if (options->gateway_ports == -1)
1346 options->gateway_ports = 0;
1347 if (options->use_privileged_port == -1)
1348 options->use_privileged_port = 0;
1349 if (options->rsa_authentication == -1)
1350 options->rsa_authentication = 1;
1351 if (options->pubkey_authentication == -1)
1352 options->pubkey_authentication = 1;
1353 if (options->challenge_response_authentication == -1)
1354 options->challenge_response_authentication = 1;
1355 if (options->gss_authentication == -1)
1356 options->gss_authentication = 0;
1357 if (options->gss_deleg_creds == -1)
1358 options->gss_deleg_creds = 0;
1359 if (options->password_authentication == -1)
1360 options->password_authentication = 1;
1361 if (options->kbd_interactive_authentication == -1)
1362 options->kbd_interactive_authentication = 1;
1363 if (options->rhosts_rsa_authentication == -1)
1364 options->rhosts_rsa_authentication = 0;
1365 if (options->hostbased_authentication == -1)
1366 options->hostbased_authentication = 0;
1367 if (options->batch_mode == -1)
1368 options->batch_mode = 0;
1369 if (options->check_host_ip == -1)
1370 options->check_host_ip = 0;
1371 if (options->strict_host_key_checking == -1)
1372 options->strict_host_key_checking = 2; /* 2 is default */
1373 if (options->compression == -1)
1374 options->compression = 0;
1375 if (options->tcp_keep_alive == -1)
1376 options->tcp_keep_alive = 1;
1377 if (options->compression_level == -1)
1378 options->compression_level = 6;
1379 if (options->port == -1)
1380 options->port = 0; /* Filled in ssh_connect. */
1381 if (options->address_family == -1)
1382 options->address_family = AF_UNSPEC;
1383 if (options->connection_attempts == -1)
1384 options->connection_attempts = 1;
1385 if (options->number_of_password_prompts == -1)
1386 options->number_of_password_prompts = 3;
1387 /* Selected in ssh_login(). */
1388 if (options->cipher == -1)
1389 options->cipher = SSH_CIPHER_NOT_SET;
1390 /* options->ciphers, default set in myproposals.h */
1391 /* options->macs, default set in myproposals.h */
1392 /* options->kex_algorithms, default set in myproposals.h */
1393 /* options->hostkeyalgorithms, default set in myproposals.h */
1394 if (options->protocol == SSH_PROTO_UNKNOWN)
1395 options->protocol = SSH_PROTO_2;
1396 if (options->num_identity_files == 0) {
1397 if (options->protocol & SSH_PROTO_1) {
1398 add_identity_file(options, "~/",
1399 _PATH_SSH_CLIENT_IDENTITY, 0);
1401 if (options->protocol & SSH_PROTO_2) {
1402 add_identity_file(options, "~/",
1403 _PATH_SSH_CLIENT_ID_RSA, 0);
1404 add_identity_file(options, "~/",
1405 _PATH_SSH_CLIENT_ID_DSA, 0);
1406 #ifdef OPENSSL_HAS_ECC
1407 add_identity_file(options, "~/",
1408 _PATH_SSH_CLIENT_ID_ECDSA, 0);
1412 if (options->escape_char == -1)
1413 options->escape_char = '~';
1414 if (options->num_system_hostfiles == 0) {
1415 options->system_hostfiles[options->num_system_hostfiles++] =
1416 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE);
1417 options->system_hostfiles[options->num_system_hostfiles++] =
1418 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2);
1420 if (options->num_user_hostfiles == 0) {
1421 options->user_hostfiles[options->num_user_hostfiles++] =
1422 xstrdup(_PATH_SSH_USER_HOSTFILE);
1423 options->user_hostfiles[options->num_user_hostfiles++] =
1424 xstrdup(_PATH_SSH_USER_HOSTFILE2);
1426 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1427 options->log_level = SYSLOG_LEVEL_INFO;
1428 if (options->clear_forwardings == 1)
1429 clear_forwardings(options);
1430 if (options->no_host_authentication_for_localhost == - 1)
1431 options->no_host_authentication_for_localhost = 0;
1432 if (options->identities_only == -1)
1433 options->identities_only = 0;
1434 if (options->enable_ssh_keysign == -1)
1435 options->enable_ssh_keysign = 0;
1436 if (options->rekey_limit == -1)
1437 options->rekey_limit = 0;
1438 if (options->verify_host_key_dns == -1)
1439 options->verify_host_key_dns = 0;
1440 if (options->server_alive_interval == -1)
1441 options->server_alive_interval = 0;
1442 if (options->server_alive_count_max == -1)
1443 options->server_alive_count_max = 3;
1444 if (options->control_master == -1)
1445 options->control_master = 0;
1446 if (options->control_persist == -1) {
1447 options->control_persist = 0;
1448 options->control_persist_timeout = 0;
1450 if (options->hash_known_hosts == -1)
1451 options->hash_known_hosts = 0;
1452 if (options->tun_open == -1)
1453 options->tun_open = SSH_TUNMODE_NO;
1454 if (options->tun_local == -1)
1455 options->tun_local = SSH_TUNID_ANY;
1456 if (options->tun_remote == -1)
1457 options->tun_remote = SSH_TUNID_ANY;
1458 if (options->permit_local_command == -1)
1459 options->permit_local_command = 0;
1460 if (options->use_roaming == -1)
1461 options->use_roaming = 1;
1462 if (options->visual_host_key == -1)
1463 options->visual_host_key = 0;
1464 if (options->zero_knowledge_password_authentication == -1)
1465 options->zero_knowledge_password_authentication = 0;
1466 if (options->ip_qos_interactive == -1)
1467 options->ip_qos_interactive = IPTOS_LOWDELAY;
1468 if (options->ip_qos_bulk == -1)
1469 options->ip_qos_bulk = IPTOS_THROUGHPUT;
1470 if (options->request_tty == -1)
1471 options->request_tty = REQUEST_TTY_AUTO;
1472 /* options->local_command should not be set by default */
1473 /* options->proxy_command should not be set by default */
1474 /* options->user will be set in the main program if appropriate */
1475 /* options->hostname will be set in the main program if appropriate */
1476 /* options->host_key_alias should not be set by default */
1477 /* options->preferred_authentications will be set in ssh */
1478 if (options->version_addendum == NULL)
1479 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
1480 if (options->hpn_disabled == -1)
1481 options->hpn_disabled = 0;
1482 if (options->hpn_buffer_size > -1)
1486 /* If a user tries to set the size to 0 set it to 1KB. */
1487 if (options->hpn_buffer_size == 0)
1488 options->hpn_buffer_size = 1024;
1489 /* Limit the buffer to BUFFER_MAX_LEN. */
1490 maxlen = buffer_get_max_len();
1491 if (options->hpn_buffer_size > (maxlen / 1024)) {
1492 debug("User requested buffer larger than %ub: %ub. "
1493 "Request reverted to %ub", maxlen,
1494 options->hpn_buffer_size * 1024, maxlen);
1495 options->hpn_buffer_size = maxlen;
1497 debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
1499 if (options->tcp_rcv_buf == 0)
1500 options->tcp_rcv_buf = 1;
1501 if (options->tcp_rcv_buf > -1)
1502 options->tcp_rcv_buf *= 1024;
1503 if (options->tcp_rcv_buf_poll == -1)
1504 options->tcp_rcv_buf_poll = 1;
1505 #ifdef NONE_CIPHER_ENABLED
1506 /* options->none_enabled must not be set by default */
1507 if (options->none_switch == -1)
1508 options->none_switch = 0;
1514 * parses a string containing a port forwarding specification of the form:
1516 * [listenhost:]listenport:connecthost:connectport
1518 * [listenhost:]listenport
1519 * returns number of arguments parsed or zero on error
1522 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1525 char *p, *cp, *fwdarg[4];
1527 memset(fwd, '\0', sizeof(*fwd));
1529 cp = p = xstrdup(fwdspec);
1531 /* skip leading spaces */
1532 while (isspace(*cp))
1535 for (i = 0; i < 4; ++i)
1536 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1539 /* Check for trailing garbage */
1541 i = 0; /* failure */
1545 fwd->listen_host = NULL;
1546 fwd->listen_port = a2port(fwdarg[0]);
1547 fwd->connect_host = xstrdup("socks");
1551 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1552 fwd->listen_port = a2port(fwdarg[1]);
1553 fwd->connect_host = xstrdup("socks");
1557 fwd->listen_host = NULL;
1558 fwd->listen_port = a2port(fwdarg[0]);
1559 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1560 fwd->connect_port = a2port(fwdarg[2]);
1564 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1565 fwd->listen_port = a2port(fwdarg[1]);
1566 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1567 fwd->connect_port = a2port(fwdarg[3]);
1570 i = 0; /* failure */
1576 if (!(i == 1 || i == 2))
1579 if (!(i == 3 || i == 4))
1581 if (fwd->connect_port <= 0)
1585 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
1588 if (fwd->connect_host != NULL &&
1589 strlen(fwd->connect_host) >= NI_MAXHOST)
1591 if (fwd->listen_host != NULL &&
1592 strlen(fwd->listen_host) >= NI_MAXHOST)
1599 if (fwd->connect_host != NULL) {
1600 xfree(fwd->connect_host);
1601 fwd->connect_host = NULL;
1603 if (fwd->listen_host != NULL) {
1604 xfree(fwd->listen_host);
1605 fwd->listen_host = NULL;