1 /* $OpenBSD: readconf.c,v 1.183 2010/02/08 10:50:20 markus Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
18 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <sys/sysctl.h>
23 #include <netinet/in.h>
38 #include "pathnames.h"
49 /* Format of the configuration file:
51 # Configuration data is parsed as follows:
52 # 1. command line options
53 # 2. user-specific file
55 # Any configuration value is only changed the first time it is set.
56 # Thus, host-specific definitions should be at the beginning of the
57 # configuration file, and defaults at the end.  A catch-all "Host *" block
# placed at the top silently wins over every host-specific entry below it.
59 # Host-specific declarations. These may override anything above. A single
60 # host may match multiple declarations; these are processed in the order
61 # that they are given in.
67 HostName another.host.name.real.org
74 RemoteForward 9999 shadows.cs.hut.fi:9999
80 PasswordAuthentication no
84 ProxyCommand ssh-proxy %h %p
87 PublicKeyAuthentication no
91 PasswordAuthentication no
97 # Defaults for various options
101 PasswordAuthentication yes
102 RSAAuthentication yes
103 RhostsRSAAuthentication yes
104 StrictHostKeyChecking yes
106 IdentityFile ~/.ssh/identity
112 /* Keyword tokens. */
116 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
117 oExitOnForwardFailure,
118 oPasswordAuthentication, oRSAAuthentication,
119 oChallengeResponseAuthentication, oXAuthLocation,
120 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
121 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
122 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
123 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
124 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
125 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
126 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
127 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
128 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
129 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
130 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
131 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
132 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
133 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
134 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
135 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
136 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
138 oDeprecated, oUnsupported
141 /* Textual representations of the tokens. */
147 { "forwardagent", oForwardAgent },
148 { "forwardx11", oForwardX11 },
149 { "forwardx11trusted", oForwardX11Trusted },
150 { "exitonforwardfailure", oExitOnForwardFailure },
151 { "xauthlocation", oXAuthLocation },
152 { "gatewayports", oGatewayPorts },
153 { "useprivilegedport", oUsePrivilegedPort },
154 { "rhostsauthentication", oDeprecated },
155 { "passwordauthentication", oPasswordAuthentication },
156 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
157 { "kbdinteractivedevices", oKbdInteractiveDevices },
158 { "rsaauthentication", oRSAAuthentication },
159 { "pubkeyauthentication", oPubkeyAuthentication },
160 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
161 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
162 { "hostbasedauthentication", oHostbasedAuthentication },
163 { "challengeresponseauthentication", oChallengeResponseAuthentication },
164 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
165 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
166 { "kerberosauthentication", oUnsupported },
167 { "kerberostgtpassing", oUnsupported },
168 { "afstokenpassing", oUnsupported },
170 { "gssapiauthentication", oGssAuthentication },
171 { "gssapidelegatecredentials", oGssDelegateCreds },
173 { "gssapiauthentication", oUnsupported },
174 { "gssapidelegatecredentials", oUnsupported },
176 { "fallbacktorsh", oDeprecated },
177 { "usersh", oDeprecated },
178 { "identityfile", oIdentityFile },
179 { "identityfile2", oIdentityFile }, /* obsolete */
180 { "identitiesonly", oIdentitiesOnly },
181 { "hostname", oHostName },
182 { "hostkeyalias", oHostKeyAlias },
183 { "proxycommand", oProxyCommand },
185 { "cipher", oCipher },
186 { "ciphers", oCiphers },
188 { "protocol", oProtocol },
189 { "remoteforward", oRemoteForward },
190 { "localforward", oLocalForward },
193 { "escapechar", oEscapeChar },
194 { "globalknownhostsfile", oGlobalKnownHostsFile },
195 { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */
196 { "userknownhostsfile", oUserKnownHostsFile },
197 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
198 { "connectionattempts", oConnectionAttempts },
199 { "batchmode", oBatchMode },
200 { "checkhostip", oCheckHostIP },
201 { "stricthostkeychecking", oStrictHostKeyChecking },
202 { "compression", oCompression },
203 { "compressionlevel", oCompressionLevel },
204 { "tcpkeepalive", oTCPKeepAlive },
205 { "keepalive", oTCPKeepAlive }, /* obsolete */
206 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
207 { "loglevel", oLogLevel },
208 { "dynamicforward", oDynamicForward },
209 { "preferredauthentications", oPreferredAuthentications },
210 { "hostkeyalgorithms", oHostKeyAlgorithms },
211 { "bindaddress", oBindAddress },
213 { "smartcarddevice", oPKCS11Provider },
214 { "pkcs11provider", oPKCS11Provider },
216 { "smartcarddevice", oUnsupported },
217 { "pkcs11provider", oUnsupported },
219 { "clearallforwardings", oClearAllForwardings },
220 { "enablesshkeysign", oEnableSSHKeysign },
221 { "verifyhostkeydns", oVerifyHostKeyDNS },
222 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
223 { "rekeylimit", oRekeyLimit },
224 { "connecttimeout", oConnectTimeout },
225 { "addressfamily", oAddressFamily },
226 { "serveraliveinterval", oServerAliveInterval },
227 { "serveralivecountmax", oServerAliveCountMax },
228 { "sendenv", oSendEnv },
229 { "controlpath", oControlPath },
230 { "controlmaster", oControlMaster },
231 { "hashknownhosts", oHashKnownHosts },
232 { "tunnel", oTunnel },
233 { "tunneldevice", oTunnelDevice },
234 { "localcommand", oLocalCommand },
235 { "permitlocalcommand", oPermitLocalCommand },
236 { "visualhostkey", oVisualHostKey },
237 { "useroaming", oUseRoaming },
239 { "zeroknowledgepasswordauthentication",
240 oZeroKnowledgePasswordAuthentication },
242 { "zeroknowledgepasswordauthentication", oUnsupported },
245 { "versionaddendum", oVersionAddendum },
250 * Adds a local TCP/IP port forward to options. Never returns if there is an
/*
 * add_local_forward: append one -L / -D style forward to
 * options->local_forwards, aborting (fatal) if it is not permitted.
 *
 * Security: the listen port is refused when it lies below the reserved
 * range and the *real* uid of the invoking user is not 0.  The check is on
 * original_real_uid rather than geteuid() -- presumably because ssh may be
 * installed set-uid; the privilege that should matter for binding a
 * privileged port is the invoking user's, not the binary's.  Only
 * listen_port is restricted; connect_port is the destination and is not
 * checked here.
 *
 * NOTE(review): this listing is abridged -- the local `fwd` declaration,
 * the #else/#endif around the reserved-port lookup and the closing brace
 * are not shown.
 */
255 add_local_forward(Options *options, const Forward *newfwd)
258 #ifndef NO_IPPORT_RESERVED_CONCEPT
259 extern uid_t original_real_uid;
262 size_t len_ipport_reserved = sizeof(ipport_reserved);
/*
 * Honour a sysctl-raised reserved-port ceiling if the platform has one;
 * fall back to the compile-time IPPORT_RESERVED boundary when the sysctl
 * is unavailable or fails.
 */
264 if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
265 &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
266 ipport_reserved = IPPORT_RESERVED;
/* Platforms without the reserved-port concept still use the fixed boundary. */
270 ipport_reserved = IPPORT_RESERVED;
272 if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
273 fatal("Privileged ports can only be forwarded by root.");
/* Hard cap on the number of forwards; the array is fixed-size. */
275 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
276 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
277 fwd = &options->local_forwards[options->num_local_forwards++];
/*
 * Shallow copy: the host strings allocated by parse_forward() are taken
 * over as-is and are released later by clear_forwardings().
 */
279 fwd->listen_host = newfwd->listen_host;
280 fwd->listen_port = newfwd->listen_port;
281 fwd->connect_host = newfwd->connect_host;
282 fwd->connect_port = newfwd->connect_port;
286 * Adds a remote TCP/IP port forward to options. Never returns if there is
/*
 * add_remote_forward: append one -R style forward to
 * options->remote_forwards, aborting (fatal) when the table is full.
 *
 * Unlike add_local_forward() there is no reserved-port check here: the
 * listening socket for a remote forward is opened by the remote sshd, which
 * presumably applies its own policy to the port.
 *
 * NOTE(review): abridged listing -- the `fwd` declaration and closing brace
 * are not shown.
 */
291 add_remote_forward(Options *options, const Forward *newfwd)
294 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
295 fatal("Too many remote forwards (max %d).",
296 SSH_MAX_FORWARDS_PER_DIRECTION);
297 fwd = &options->remote_forwards[options->num_remote_forwards++];
/* Shallow copy; the strings are freed by clear_forwardings(). */
299 fwd->listen_host = newfwd->listen_host;
300 fwd->listen_port = newfwd->listen_port;
301 fwd->connect_host = newfwd->connect_host;
302 fwd->connect_port = newfwd->connect_port;
/*
 * clear_forwardings: drop every local and remote forward collected so far
 * (freeing their host strings) and switch tunnelling off.  Used to honour
 * ClearAllForwardings (see fill_default_options).
 *
 * listen_host may legitimately be NULL (parse_forward() leaves it NULL for
 * the "listenport only" forms), hence the guard; connect_host is always
 * xstrdup()'d by parse_forward(), so it is freed unconditionally.
 *
 * NOTE(review): abridged listing -- the loop bodies' closing braces and the
 * `int i;` declaration are not shown.
 */
306 clear_forwardings(Options *options)
310 for (i = 0; i < options->num_local_forwards; i++) {
311 if (options->local_forwards[i].listen_host != NULL)
312 xfree(options->local_forwards[i].listen_host);
313 xfree(options->local_forwards[i].connect_host);
315 options->num_local_forwards = 0;
316 for (i = 0; i < options->num_remote_forwards; i++) {
317 if (options->remote_forwards[i].listen_host != NULL)
318 xfree(options->remote_forwards[i].listen_host);
319 xfree(options->remote_forwards[i].connect_host);
321 options->num_remote_forwards = 0;
/* Tunnel (tun(4)) forwarding counts as a forwarding too. */
322 options->tun_open = SSH_TUNMODE_NO;
326 * Returns the number of the token pointed to by cp or oBadOption.
/*
 * parse_token: map a keyword to its opcode by case-insensitive lookup in
 * keywords[].  On no match an error naming the file and line is logged and
 * oBadOption is returned (the return is on an elided line; see the comment
 * above).
 *
 * The first matching entry wins.  keywords[] visibly contains some names
 * twice (e.g. "gssapiauthentication", "smartcarddevice"), one mapped to a
 * real opcode and one to oUnsupported -- presumably selected by conditional
 * compilation that this abridged listing does not show.
 */
330 parse_token(const char *cp, const char *filename, int linenum)
334 for (i = 0; keywords[i].name; i++)
335 if (strcasecmp(cp, keywords[i].name) == 0)
336 return keywords[i].opcode;
338 error("%s: line %d: Bad configuration option: %s",
339 filename, linenum, cp);
344 * Processes a single option line as used in the configuration files. This
345 * only sets those values that have not already been set.
347 #define WHITESPACE " \t\r\n"
/*
 * process_config_line: parse one configuration line (from a config file or,
 * per the file header, a command-line option) and apply it to `options`.
 *
 * `host` is the host being connected to and is matched against "Host"
 * patterns.  `*activep` records whether the current Host block applies; a
 * value is stored only when it is active AND the field is still at its
 * "unset" sentinel (-1 / NULL / SSH_PROTO_UNKNOWN / SYSLOG_LEVEL_NOT_SET).
 * That is the "first setting wins" rule from the file header: because the
 * command line is processed before the files, it always beats them.
 * Syntax errors are fatal(); unknown keywords are counted by the caller so
 * that every bad line is reported before ssh gives up.
 *
 * NOTE(review): this listing is abridged -- the remaining parameters
 * (`activep` is used below), the `len` declaration, most `arg =
 * strdelim(&s)` reads, many case labels, the `switch` itself and the
 * closing braces are not shown.  Comments below cover only what is visible.
 */
350 process_config_line(Options *options, const char *host,
351 char *line, const char *filename, int linenum,
/* fwdarg is a fixed scratch buffer for rebuilding a forward spec; see below. */
354 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
355 int opcode, *intptr, value, value2, scale;
356 LogLevel *log_level_ptr;
357 long long orig, val64;
361 /* Strip trailing whitespace */
/*
 * NOTE(review): if `len` is an unsigned type (its declaration is not
 * shown here), an empty `line` makes strlen(line) - 1 wrap and the loop
 * would index far past the buffer.  fgets() never produces an empty line,
 * but command-line options come straight from argv; an explicit
 * `if (*line == '\0') return 0;` before this loop is cheap insurance.
 */
362 for (len = strlen(line) - 1; len > 0; len--) {
363 if (strchr(WHITESPACE, line[len]) == NULL)
369 /* Get the keyword. (Each line is supposed to begin with a keyword). */
370 if ((keyword = strdelim(&s)) == NULL)
372 /* Ignore leading whitespace. */
373 if (*keyword == '\0')
374 keyword = strdelim(&s);
/*
 * Blank lines and lines whose first word starts with '#' are skipped.
 * Only the first word is examined: a '#' later on a line is NOT a comment
 * and will be parsed as an argument.
 */
375 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
378 opcode = parse_token(keyword, filename, linenum);
/*
 * oBadOption: parse_token() already logged the keyword.  The caller tallies
 * these and aborts only after the whole file has been read
 * (see read_config_file), so all typos are reported in one run.
 */
382 /* don't panic, but count bad options */
385 case oConnectTimeout:
386 intptr = &options->connection_timeout;
389 if (!arg || *arg == '\0')
390 fatal("%s line %d: missing time value.",
392 if ((value = convtime(arg)) == -1)
393 fatal("%s line %d: invalid time value.",
/*
 * Store only if this Host block is active and nothing earlier (command
 * line or a previously matching block) already set the field.  The same
 * pattern is used for every scalar option below.
 */
395 if (*activep && *intptr == -1)
/* Generic yes/no handler; the cases that follow just select the field. */
400 intptr = &options->forward_agent;
403 if (!arg || *arg == '\0')
404 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
405 value = 0; /* To avoid compiler warning... */
406 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
408 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
411 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
412 if (*activep && *intptr == -1)
417 intptr = &options->forward_x11;
420 case oForwardX11Trusted:
421 intptr = &options->forward_x11_trusted;
425 intptr = &options->gateway_ports;
428 case oExitOnForwardFailure:
429 intptr = &options->exit_on_forward_failure;
432 case oUsePrivilegedPort:
433 intptr = &options->use_privileged_port;
436 case oPasswordAuthentication:
437 intptr = &options->password_authentication;
440 case oZeroKnowledgePasswordAuthentication:
441 intptr = &options->zero_knowledge_password_authentication;
444 case oKbdInteractiveAuthentication:
445 intptr = &options->kbd_interactive_authentication;
448 case oKbdInteractiveDevices:
449 charptr = &options->kbd_interactive_devices;
452 case oPubkeyAuthentication:
453 intptr = &options->pubkey_authentication;
456 case oRSAAuthentication:
457 intptr = &options->rsa_authentication;
460 case oRhostsRSAAuthentication:
461 intptr = &options->rhosts_rsa_authentication;
464 case oHostbasedAuthentication:
465 intptr = &options->hostbased_authentication;
468 case oChallengeResponseAuthentication:
469 intptr = &options->challenge_response_authentication;
472 case oGssAuthentication:
473 intptr = &options->gss_authentication;
476 case oGssDelegateCreds:
477 intptr = &options->gss_deleg_creds;
481 intptr = &options->batch_mode;
485 intptr = &options->check_host_ip;
488 case oVerifyHostKeyDNS:
489 intptr = &options->verify_host_key_dns;
/* Three-valued: yes / no / ask.  The numeric value for "ask" is on an elided line. */
492 case oStrictHostKeyChecking:
493 intptr = &options->strict_host_key_checking;
496 if (!arg || *arg == '\0')
497 fatal("%.200s line %d: Missing yes/no/ask argument.",
499 value = 0; /* To avoid compiler warning... */
500 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
502 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
504 else if (strcmp(arg, "ask") == 0)
507 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
508 if (*activep && *intptr == -1)
513 intptr = &options->compression;
517 intptr = &options->tcp_keep_alive;
520 case oNoHostAuthenticationForLocalhost:
521 intptr = &options->no_host_authentication_for_localhost;
524 case oNumberOfPasswordPrompts:
525 intptr = &options->number_of_password_prompts;
528 case oCompressionLevel:
529 intptr = &options->compression_level;
/*
 * RekeyLimit: decimal number with optional K/M/G suffix (the suffix cases
 * are elided).  Parsed as long long so the scaled value can be range- and
 * wrap-checked before it is narrowed to u_int32_t.
 */
534 if (!arg || *arg == '\0')
535 fatal("%.200s line %d: Missing argument.", filename, linenum);
536 if (arg[0] < '0' || arg[0] > '9')
537 fatal("%.200s line %d: Bad number.", filename, linenum);
538 orig = val64 = strtoll(arg, &endofnumber, 10);
539 if (arg == endofnumber)
540 fatal("%.200s line %d: Bad number.", filename, linenum);
541 switch (toupper(*endofnumber)) {
555 fatal("%.200s line %d: Invalid RekeyLimit suffix",
559 /* detect integer wrap and too-large limits */
560 if ((val64 / scale) != orig || val64 > UINT_MAX)
561 fatal("%.200s line %d: RekeyLimit too large",
564 fatal("%.200s line %d: RekeyLimit too small",
566 if (*activep && options->rekey_limit == -1)
567 options->rekey_limit = (u_int32_t)val64;
/*
 * IdentityFile: entries accumulate (up to SSH_MAX_IDENTITY_FILES) rather
 * than replacing an earlier value.  Whether the append is gated on
 * *activep is not visible in this listing.
 */
572 if (!arg || *arg == '\0')
573 fatal("%.200s line %d: Missing argument.", filename, linenum);
575 intptr = &options->num_identity_files;
576 if (*intptr >= SSH_MAX_IDENTITY_FILES)
577 fatal("%.200s line %d: Too many identity files specified (max %d).",
578 filename, linenum, SSH_MAX_IDENTITY_FILES);
579 charptr = &options->identity_files[*intptr];
580 *charptr = xstrdup(arg);
581 *intptr = *intptr + 1;
586 charptr=&options->xauth_location;
/* Generic single-word string handler; the cases that follow select the field. */
590 charptr = &options->user;
593 if (!arg || *arg == '\0')
594 fatal("%.200s line %d: Missing argument.", filename, linenum);
595 if (*activep && *charptr == NULL)
596 *charptr = xstrdup(arg);
599 case oGlobalKnownHostsFile:
600 charptr = &options->system_hostfile;
603 case oUserKnownHostsFile:
604 charptr = &options->user_hostfile;
607 case oGlobalKnownHostsFile2:
608 charptr = &options->system_hostfile2;
611 case oUserKnownHostsFile2:
612 charptr = &options->user_hostfile2;
616 charptr = &options->hostname;
620 charptr = &options->host_key_alias;
623 case oPreferredAuthentications:
624 charptr = &options->preferred_authentications;
628 charptr = &options->bind_address;
631 case oPKCS11Provider:
632 charptr = &options->pkcs11_provider;
/*
 * ProxyCommand takes the REST OF THE LINE verbatim (only leading blanks
 * and '=' are skipped), so spaces, quotes and %-tokens survive.  As the
 * name and the example in the file header suggest, it is later executed
 * as a local command: a config file another user can write is therefore
 * equivalent to code execution as this user, which is why
 * read_config_file() insists on safe ownership and mode.
 */
636 charptr = &options->proxy_command;
639 fatal("%.200s line %d: Missing argument.", filename, linenum);
640 len = strspn(s, WHITESPACE "=");
641 if (*activep && *charptr == NULL)
642 *charptr = xstrdup(s + len);
/*
 * Port: base 0 means "22", "026" and "0x16" are all accepted.  Only the
 * first character is required to be a digit and no upper bound is applied
 * here; out-of-range values are presumably rejected at connect time.
 */
646 intptr = &options->port;
649 if (!arg || *arg == '\0')
650 fatal("%.200s line %d: Missing argument.", filename, linenum);
651 if (arg[0] < '0' || arg[0] > '9')
652 fatal("%.200s line %d: Bad number.", filename, linenum);
654 /* Octal, decimal, or hex format? */
655 value = strtol(arg, &endofnumber, 0);
656 if (arg == endofnumber)
657 fatal("%.200s line %d: Bad number.", filename, linenum);
658 if (*activep && *intptr == -1)
662 case oConnectionAttempts:
663 intptr = &options->connection_attempts;
/* Protocol-1 cipher: validated by cipher_number(); the failing test is elided. */
667 intptr = &options->cipher;
669 if (!arg || *arg == '\0')
670 fatal("%.200s line %d: Missing argument.", filename, linenum);
671 value = cipher_number(arg);
673 fatal("%.200s line %d: Bad cipher '%s'.",
674 filename, linenum, arg ? arg : "<NONE>");
675 if (*activep && *intptr == -1)
/*
 * Ciphers / MACs / HostKeyAlgorithms: the list is validated up front so a
 * typo cannot silently reduce the negotiated algorithm set to nothing.
 */
681 if (!arg || *arg == '\0')
682 fatal("%.200s line %d: Missing argument.", filename, linenum);
683 if (!ciphers_valid(arg))
684 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
685 filename, linenum, arg ? arg : "<NONE>");
686 if (*activep && options->ciphers == NULL)
687 options->ciphers = xstrdup(arg);
692 if (!arg || *arg == '\0')
693 fatal("%.200s line %d: Missing argument.", filename, linenum);
695 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
696 filename, linenum, arg ? arg : "<NONE>");
697 if (*activep && options->macs == NULL)
698 options->macs = xstrdup(arg);
701 case oHostKeyAlgorithms:
703 if (!arg || *arg == '\0')
704 fatal("%.200s line %d: Missing argument.", filename, linenum);
705 if (!key_names_valid2(arg))
706 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
707 filename, linenum, arg ? arg : "<NONE>");
708 if (*activep && options->hostkeyalgorithms == NULL)
709 options->hostkeyalgorithms = xstrdup(arg);
/* Protocol: SSH_PROTO_UNKNOWN doubles as the "unset" sentinel. */
713 intptr = &options->protocol;
715 if (!arg || *arg == '\0')
716 fatal("%.200s line %d: Missing argument.", filename, linenum);
717 value = proto_spec(arg);
718 if (value == SSH_PROTO_UNKNOWN)
719 fatal("%.200s line %d: Bad protocol spec '%s'.",
720 filename, linenum, arg ? arg : "<NONE>");
721 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
726 log_level_ptr = &options->log_level;
728 value = log_level_number(arg);
729 if (value == SYSLOG_LEVEL_NOT_SET)
730 fatal("%.200s line %d: unsupported log level '%s'",
731 filename, linenum, arg ? arg : "<NONE>");
732 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
733 *log_level_ptr = (LogLevel) value;
/*
 * LocalForward / RemoteForward / DynamicForward.  The two-word config
 * syntax ("listen target") is glued back into the single-string form that
 * parse_forward() understands.
 */
738 case oDynamicForward:
740 if (arg == NULL || *arg == '\0')
741 fatal("%.200s line %d: Missing port argument.",
744 if (opcode == oLocalForward ||
745 opcode == oRemoteForward) {
747 if (arg2 == NULL || *arg2 == '\0')
748 fatal("%.200s line %d: Missing target argument.",
751 /* construct a string for parse_forward */
/*
 * NOTE(review): fwdarg is only 256 bytes.  An over-long spec is silently
 * truncated by snprintf()/strlcpy() before parse_forward() sees it; the
 * result is either rejected as malformed or -- if the cut lands inside the
 * final port number -- accepted with a different port.  Checking the
 * snprintf() return value against sizeof(fwdarg) and failing loudly would
 * be the practitioner's fix.
 */
752 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
753 } else if (opcode == oDynamicForward) {
754 strlcpy(fwdarg, arg, sizeof(fwdarg));
757 if (parse_forward(&fwd, fwdarg,
758 opcode == oDynamicForward ? 1 : 0,
759 opcode == oRemoteForward ? 1 : 0) == 0)
760 fatal("%.200s line %d: Bad forwarding specification.",
/* Whether the add is gated on *activep is on an elided line. */
764 if (opcode == oLocalForward ||
765 opcode == oDynamicForward)
766 add_local_forward(options, &fwd);
767 else if (opcode == oRemoteForward)
768 add_remote_forward(options, &fwd);
772 case oClearAllForwardings:
773 intptr = &options->clear_forwardings;
/*
 * Host: every remaining word is a pattern matched against `host` with
 * match_pattern().  A match switches the following lines on; the
 * non-matching path (switching them off) is not shown in this listing.
 */
778 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
779 if (match_pattern(host, arg)) {
780 debug("Applying options for %.100s", arg);
784 /* Avoid garbage check below, as strdelim is done. */
/*
 * EscapeChar: "^X" for a control character, a single literal character,
 * or "none".  NOTE(review): arg[2] is tested before arg[1] is known to be
 * non-NUL, so a bare "^" argument reads one byte past its terminator
 * (in practice still inside the caller's line buffer or argv block);
 * testing `arg[1] != '\0'` before `arg[2] == 0` would tighten this.
 */
788 intptr = &options->escape_char;
790 if (!arg || *arg == '\0')
791 fatal("%.200s line %d: Missing argument.", filename, linenum);
792 if (arg[0] == '^' && arg[2] == 0 &&
793 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
794 value = (u_char) arg[1] & 31;
795 else if (strlen(arg) == 1)
796 value = (u_char) arg[0];
797 else if (strcmp(arg, "none") == 0)
798 value = SSH_ESCAPECHAR_NONE;
800 fatal("%.200s line %d: Bad escape character.",
803 value = 0; /* Avoid compiler warning. */
805 if (*activep && *intptr == -1)
/* AddressFamily: inet / inet6 / any (case-insensitive); the assigned values are elided. */
811 if (!arg || *arg == '\0')
812 fatal("%s line %d: missing address family.",
814 intptr = &options->address_family;
815 if (strcasecmp(arg, "inet") == 0)
817 else if (strcasecmp(arg, "inet6") == 0)
819 else if (strcasecmp(arg, "any") == 0)
822 fatal("Unsupported AddressFamily \"%s\"", arg);
823 if (*activep && *intptr == -1)
827 case oEnableSSHKeysign:
828 intptr = &options->enable_ssh_keysign;
831 case oIdentitiesOnly:
832 intptr = &options->identities_only;
835 case oServerAliveInterval:
836 intptr = &options->server_alive_interval;
839 case oServerAliveCountMax:
840 intptr = &options->server_alive_count_max;
/*
 * SendEnv: only variable NAMES (patterns) are recorded, bounded by
 * MAX_SEND_ENV.  A '=' is rejected so a config line cannot smuggle a
 * value; what is actually sent is resolved elsewhere.
 */
844 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
845 if (strchr(arg, '=') != NULL)
846 fatal("%s line %d: Invalid environment name.",
850 if (options->num_send_env >= MAX_SEND_ENV)
851 fatal("%s line %d: too many send env.",
853 options->send_env[options->num_send_env++] =
859 charptr = &options->control_path;
/* ControlMaster: five keyword values, mapped to the SSHCTL_MASTER_* constants. */
863 intptr = &options->control_master;
865 if (!arg || *arg == '\0')
866 fatal("%.200s line %d: Missing ControlMaster argument.",
868 value = 0; /* To avoid compiler warning... */
869 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
870 value = SSHCTL_MASTER_YES;
871 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
872 value = SSHCTL_MASTER_NO;
873 else if (strcmp(arg, "auto") == 0)
874 value = SSHCTL_MASTER_AUTO;
875 else if (strcmp(arg, "ask") == 0)
876 value = SSHCTL_MASTER_ASK;
877 else if (strcmp(arg, "autoask") == 0)
878 value = SSHCTL_MASTER_AUTO_ASK;
880 fatal("%.200s line %d: Bad ControlMaster argument.",
882 if (*activep && *intptr == -1)
886 case oHashKnownHosts:
887 intptr = &options->hash_known_hosts;
/* Tunnel: yes / point-to-point / ethernet / no, compared case-insensitively. */
891 intptr = &options->tun_open;
893 if (!arg || *arg == '\0')
894 fatal("%s line %d: Missing yes/point-to-point/"
895 "ethernet/no argument.", filename, linenum);
896 value = 0; /* silence compiler */
897 if (strcasecmp(arg, "ethernet") == 0)
898 value = SSH_TUNMODE_ETHERNET;
899 else if (strcasecmp(arg, "point-to-point") == 0)
900 value = SSH_TUNMODE_POINTOPOINT;
901 else if (strcasecmp(arg, "yes") == 0)
902 value = SSH_TUNMODE_DEFAULT;
903 else if (strcasecmp(arg, "no") == 0)
904 value = SSH_TUNMODE_NO;
906 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
907 "no argument: %s", filename, linenum, arg);
/* TunnelDevice: a2tun() splits "local[:remote]" into the two unit numbers. */
914 if (!arg || *arg == '\0')
915 fatal("%.200s line %d: Missing argument.", filename, linenum);
916 value = a2tun(arg, &value2);
917 if (value == SSH_TUNID_ERR)
918 fatal("%.200s line %d: Bad tun device.", filename, linenum);
920 options->tun_local = value;
921 options->tun_remote = value2;
/* LocalCommand shares the rest-of-line handling used by ProxyCommand above. */
926 charptr = &options->local_command;
929 case oPermitLocalCommand:
930 intptr = &options->permit_local_command;
934 intptr = &options->visual_host_key;
938 intptr = &options->use_roaming;
/*
 * NOTE(review): strtok() keeps static state and is not reentrant.  It is
 * harmless in what appears to be a single-threaded parser, but
 * strdelim()/strsep() would match the rest of this file.
 */
941 case oVersionAddendum:
942 ssh_version_set_addendum(strtok(s, "\n"));
945 } while (arg != NULL && *arg != '\0');
/* Deprecated keywords are accepted and ignored at debug level only. */
949 debug("%s line %d: Deprecated option \"%s\"",
950 filename, linenum, keyword);
/* Unsupported keywords (compiled-out features) are reported but not fatal here. */
954 error("%s line %d: Unsupported option \"%s\"",
955 filename, linenum, keyword);
959 fatal("process_config_line: Unimplemented opcode %d", opcode);
962 /* Check that there is no garbage at end of line. */
/*
 * Anything left after the option's own arguments is a hard error, so a
 * mistyped line is never half-applied.  Cases that consume the whole line
 * (Host, SendEnv, ProxyCommand) have exhausted `s` before reaching here.
 */
963 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
964 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
965 filename, linenum, arg);
972 * Reads the config file and modifies the options accordingly. Options
973 * should already be initialized before this call. This never returns if
974 * there is an error. If the file does not exist, this returns 0.
/*
 * read_config_file: read `filename` line by line and feed each line to
 * process_config_line().  A missing file is not an error (returns 0, per
 * the comment above); every other failure is fatal.
 *
 * NOTE(review): abridged listing -- the parameter list continues on an
 * elided line, as do the local declarations (`line`, `active`,
 * `bad_options`, `linenum`), the return statements and fclose().
 */
978 read_config_file(const char *filename, const char *host, Options *options,
986 if ((f = fopen(filename, "r")) == NULL)
/*
 * Ownership/mode check.  The file must belong to root or to the invoking
 * (real) user, and must not be group- or world-writable; otherwise abort.
 * Rationale: the config can name commands to run (ProxyCommand,
 * LocalCommand), which keys to offer (IdentityFile) and which known_hosts
 * files to trust, so a file another user can write lets that user act as
 * us.  fstat() is done on the already-open descriptor rather than stat()
 * on the path, so the file checked is the file that is read.
 * NOTE(review): whether this check is conditional on one of the elided
 * parameters (e.g. skipped for the root-owned system-wide file) cannot be
 * seen here -- confirm before relying on it.
 */
992 if (fstat(fileno(f), &sb) == -1)
993 fatal("fstat %s: %s", filename, strerror(errno));
994 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
995 (sb.st_mode & 022) != 0))
996 fatal("Bad owner or permissions on %s", filename);
999 debug("Reading configuration data %.200s", filename);
1002 * Mark that we are now processing the options. This flag is turned
1003 * on/off by Host specifications.
/*
 * fgets() returns at most sizeof(line) - 1 bytes at a time: a line longer
 * than the buffer is delivered in pieces, and its tail will be parsed as a
 * separate (almost certainly bad) option line.
 */
1007 while (fgets(line, sizeof(line), f)) {
1008 /* Update line number counter. */
1010 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
/* All unknown keywords were logged as they were met; now refuse to continue. */
1014 if (bad_options > 0)
1015 fatal("%s: terminating, %d bad configuration options",
1016 filename, bad_options);
1021 * Initializes options to special values that indicate that they have not yet
1022 * been set. Read_config_file will only set options with this value. Options
1023 * are processed in the following order: command line, user config file,
1024 * system config file. Last, fill_default_options is called.
/*
 * initialize_options: set every field of `options` to its "unset" sentinel
 * (-1 for integers, NULL for strings, SSH_PROTO_UNKNOWN /
 * SYSLOG_LEVEL_NOT_SET for the enumerated ones) so that process_config_line()
 * can apply its first-setting-wins rule and fill_default_options() can tell
 * which fields were never touched.
 *
 * NOTE(review): abridged listing -- a few assignments (e.g. options->port,
 * which fill_default_options() tests against -1) and the closing brace are
 * not shown.
 */
1028 initialize_options(Options * options)
/*
 * Poison the whole struct first: any field that is not explicitly reset
 * below shows up as obvious garbage ('XXXX...') rather than as a plausible
 * zero/NULL default that would silently pass for "unset".
 */
1030 memset(options, 'X', sizeof(*options));
1031 options->forward_agent = -1;
1032 options->forward_x11 = -1;
1033 options->forward_x11_trusted = -1;
1034 options->exit_on_forward_failure = -1;
1035 options->xauth_location = NULL;
1036 options->gateway_ports = -1;
1037 options->use_privileged_port = -1;
1038 options->rsa_authentication = -1;
1039 options->pubkey_authentication = -1;
1040 options->challenge_response_authentication = -1;
1041 options->gss_authentication = -1;
1042 options->gss_deleg_creds = -1;
1043 options->password_authentication = -1;
1044 options->kbd_interactive_authentication = -1;
1045 options->kbd_interactive_devices = NULL;
1046 options->rhosts_rsa_authentication = -1;
1047 options->hostbased_authentication = -1;
1048 options->batch_mode = -1;
1049 options->check_host_ip = -1;
1050 options->strict_host_key_checking = -1;
1051 options->compression = -1;
1052 options->tcp_keep_alive = -1;
1053 options->compression_level = -1;
1055 options->address_family = -1;
1056 options->connection_attempts = -1;
1057 options->connection_timeout = -1;
1058 options->number_of_password_prompts = -1;
1059 options->cipher = -1;
1060 options->ciphers = NULL;
1061 options->macs = NULL;
1062 options->hostkeyalgorithms = NULL;
/* Enumerated fields use their own "not set" constants instead of -1. */
1063 options->protocol = SSH_PROTO_UNKNOWN;
1064 options->num_identity_files = 0;
1065 options->hostname = NULL;
1066 options->host_key_alias = NULL;
1067 options->proxy_command = NULL;
1068 options->user = NULL;
1069 options->escape_char = -1;
1070 options->system_hostfile = NULL;
1071 options->user_hostfile = NULL;
1072 options->system_hostfile2 = NULL;
1073 options->user_hostfile2 = NULL;
/* Counters start at 0, not -1: an empty list is a valid state, not "unset". */
1074 options->num_local_forwards = 0;
1075 options->num_remote_forwards = 0;
1076 options->clear_forwardings = -1;
1077 options->log_level = SYSLOG_LEVEL_NOT_SET;
1078 options->preferred_authentications = NULL;
1079 options->bind_address = NULL;
1080 options->pkcs11_provider = NULL;
1081 options->enable_ssh_keysign = - 1;
1082 options->no_host_authentication_for_localhost = - 1;
1083 options->identities_only = - 1;
1084 options->rekey_limit = - 1;
1085 options->verify_host_key_dns = -1;
1086 options->server_alive_interval = -1;
1087 options->server_alive_count_max = -1;
1088 options->num_send_env = 0;
1089 options->control_path = NULL;
1090 options->control_master = -1;
1091 options->hash_known_hosts = -1;
1092 options->tun_open = -1;
1093 options->tun_local = -1;
1094 options->tun_remote = -1;
1095 options->local_command = NULL;
1096 options->permit_local_command = -1;
1097 options->use_roaming = -1;
1098 options->visual_host_key = -1;
1099 options->zero_knowledge_password_authentication = -1;
1103 * Called after processing other sources of option data, this fills those
1104 * options for which no value has been specified with their default values.
/*
 * fill_default_options: after the command line and config files have been
 * processed, replace every field still at its "unset" sentinel with the
 * built-in default.  This is the single place where the client's default
 * security posture is decided, so the security-relevant choices are called
 * out below.
 *
 * NOTE(review): abridged listing -- the `len` declaration, the xmalloc()
 * calls that allocate the default identity-file strings, and the closing
 * braces are not shown.
 */
1108 fill_default_options(Options * options)
/*
 * Agent and X11 forwarding are opt-in.  Both hand the remote host a
 * capability on the local side (use of the agent's keys, access to the X
 * display), so they stay off unless the user asks.
 */
1112 if (options->forward_agent == -1)
1113 options->forward_agent = 0;
1114 if (options->forward_x11 == -1)
1115 options->forward_x11 = 0;
1116 if (options->forward_x11_trusted == -1)
1117 options->forward_x11_trusted = 0;
1118 if (options->exit_on_forward_failure == -1)
1119 options->exit_on_forward_failure = 0;
1120 if (options->xauth_location == NULL)
1121 options->xauth_location = _PATH_XAUTH;
/* GatewayPorts off: by its name, local forwards are not exposed to remote hosts unless enabled. */
1122 if (options->gateway_ports == -1)
1123 options->gateway_ports = 0;
1124 if (options->use_privileged_port == -1)
1125 options->use_privileged_port = 0;
/*
 * Authentication methods: public-key (v1 RSA and v2), challenge-response,
 * password and keyboard-interactive are all enabled; the host-based
 * variants and GSSAPI are off.  The order in which they are tried is set
 * elsewhere (see the PreferredAuthentications note at the end).
 */
1126 if (options->rsa_authentication == -1)
1127 options->rsa_authentication = 1;
1128 if (options->pubkey_authentication == -1)
1129 options->pubkey_authentication = 1;
1130 if (options->challenge_response_authentication == -1)
1131 options->challenge_response_authentication = 1;
1132 if (options->gss_authentication == -1)
1133 options->gss_authentication = 0;
1134 if (options->gss_deleg_creds == -1)
1135 options->gss_deleg_creds = 0;
1136 if (options->password_authentication == -1)
1137 options->password_authentication = 1;
1138 if (options->kbd_interactive_authentication == -1)
1139 options->kbd_interactive_authentication = 1;
1140 if (options->rhosts_rsa_authentication == -1)
1141 options->rhosts_rsa_authentication = 0;
1142 if (options->hostbased_authentication == -1)
1143 options->hostbased_authentication = 0;
1144 if (options->batch_mode == -1)
1145 options->batch_mode = 0;
/*
 * NOTE(review): CheckHostIP defaults to OFF here, which disables the
 * key-vs-IP-address cross-check the option's name describes.  Confirm this
 * is the intended default for this build.
 */
1146 if (options->check_host_ip == -1)
1147 options->check_host_ip = 0;
/*
 * 2 is the "ask" setting (see the yes/no/ask parser in
 * process_config_line): the user is consulted for unknown host keys.  How
 * "ask" treats a changed key is decided by the host-key verification
 * code, not here.
 */
1148 if (options->strict_host_key_checking == -1)
1149 options->strict_host_key_checking = 2; /* 2 is default */
1150 if (options->compression == -1)
1151 options->compression = 0;
1152 if (options->tcp_keep_alive == -1)
1153 options->tcp_keep_alive = 1;
1154 if (options->compression_level == -1)
1155 options->compression_level = 6;
1156 if (options->port == -1)
1157 options->port = 0; /* Filled in ssh_connect. */
1158 if (options->address_family == -1)
1159 options->address_family = AF_UNSPEC;
1160 if (options->connection_attempts == -1)
1161 options->connection_attempts = 1;
1162 if (options->number_of_password_prompts == -1)
1163 options->number_of_password_prompts = 3;
1164 /* Selected in ssh_login(). */
1165 if (options->cipher == -1)
1166 options->cipher = SSH_CIPHER_NOT_SET;
1167 /* options->ciphers, default set in myproposals.h */
1168 /* options->macs, default set in myproposals.h */
1169 /* options->hostkeyalgorithms, default set in myproposals.h */
/* Protocol 2 only; protocol 1 is used solely when explicitly requested. */
1170 if (options->protocol == SSH_PROTO_UNKNOWN)
1171 options->protocol = SSH_PROTO_2;
/*
 * Default identity files, built as "~/" + path, one per enabled protocol.
 * Each buffer is sized for the whole path; the %.100s precision therefore
 * only matters for a path longer than 100 characters, which would be
 * truncated silently.
 */
1172 if (options->num_identity_files == 0) {
1173 if (options->protocol & SSH_PROTO_1) {
1174 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1175 options->identity_files[options->num_identity_files] =
1177 snprintf(options->identity_files[options->num_identity_files++],
1178 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1180 if (options->protocol & SSH_PROTO_2) {
1181 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1182 options->identity_files[options->num_identity_files] =
1184 snprintf(options->identity_files[options->num_identity_files++],
1185 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1187 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1188 options->identity_files[options->num_identity_files] =
1190 snprintf(options->identity_files[options->num_identity_files++],
1191 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1194 if (options->escape_char == -1)
1195 options->escape_char = '~';
1196 if (options->system_hostfile == NULL)
1197 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1198 if (options->user_hostfile == NULL)
1199 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1200 if (options->system_hostfile2 == NULL)
1201 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1202 if (options->user_hostfile2 == NULL)
1203 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1204 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1205 options->log_level = SYSLOG_LEVEL_INFO;
/*
 * ClearAllForwardings yes discards every forward gathered from the config
 * files (and resets the tunnel mode) once all sources have been read.
 */
1206 if (options->clear_forwardings == 1)
1207 clear_forwardings(options);
1208 if (options->no_host_authentication_for_localhost == - 1)
1209 options->no_host_authentication_for_localhost = 0;
1210 if (options->identities_only == -1)
1211 options->identities_only = 0;
1212 if (options->enable_ssh_keysign == -1)
1213 options->enable_ssh_keysign = 0;
/* 0 presumably means "no explicit limit; use the cipher's own rekey policy". */
1214 if (options->rekey_limit == -1)
1215 options->rekey_limit = 0;
/* Host keys are not checked against DNS unless VerifyHostKeyDNS is enabled. */
1216 if (options->verify_host_key_dns == -1)
1217 options->verify_host_key_dns = 0;
1218 if (options->server_alive_interval == -1)
1219 options->server_alive_interval = 0;
1220 if (options->server_alive_count_max == -1)
1221 options->server_alive_count_max = 3;
1222 if (options->control_master == -1)
1223 options->control_master = 0;
/* HashKnownHosts off: by its name, host names are recorded in known_hosts unhashed. */
1224 if (options->hash_known_hosts == -1)
1225 options->hash_known_hosts = 0;
1226 if (options->tun_open == -1)
1227 options->tun_open = SSH_TUNMODE_NO;
1228 if (options->tun_local == -1)
1229 options->tun_local = SSH_TUNID_ANY;
1230 if (options->tun_remote == -1)
1231 options->tun_remote = SSH_TUNID_ANY;
/* LocalCommand is inert unless PermitLocalCommand is switched on (the gate lives where it is run). */
1232 if (options->permit_local_command == -1)
1233 options->permit_local_command = 0;
/*
 * NOTE(review): UseRoaming defaults to ON.  The client-side roaming code
 * this enables was later found to let a malicious server read client
 * memory including private key material (CVE-2016-0777) and to contain a
 * buffer overflow (CVE-2016-0778); OpenSSH removed the feature in 7.1p2.
 * Trees derived from this version should default it to 0 or drop it --
 * verify what this build ships.
 */
1234 if (options->use_roaming == -1)
1235 options->use_roaming = 1;
1236 if (options->visual_host_key == -1)
1237 options->visual_host_key = 0;
1238 if (options->zero_knowledge_password_authentication == -1)
1239 options->zero_knowledge_password_authentication = 0;
1240 /* options->local_command should not be set by default */
1241 /* options->proxy_command should not be set by default */
1242 /* options->user will be set in the main program if appropriate */
1243 /* options->hostname will be set in the main program if appropriate */
1244 /* options->host_key_alias should not be set by default */
1245 /* options->preferred_authentications will be set in ssh */
1250 * parses a string containing a port forwarding specification of the form:
1252 * [listenhost:]listenport:connecthost:connectport
1254 * [listenhost:]listenport
1255 * returns number of arguments parsed or zero on error
/*
 * parse_forward: split a forwarding spec (formats in the comment above)
 * into `fwd`.  `dynamicfwd` selects the 1-2 field -D form, `remotefwd`
 * relaxes the listen-port rule for -R.  Returns the number of fields
 * parsed, or 0 on any error; on error every string it allocated into
 * `fwd` is released again, so a failed call leaves nothing to free.
 *
 * NOTE(review): abridged listing -- the `int i;` declaration, the
 * trailing-garbage test, the `switch (i)` labels, the xfree(p) of the
 * working copy and the final return are not shown.
 */
1258 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1261 char *p, *cp, *fwdarg[4];
/* Start from a clean struct so the failure path can free whatever was set. */
1263 memset(fwd, '\0', sizeof(*fwd));
/* hpdelim() writes into the buffer, so work on a private copy of the spec. */
1265 cp = p = xstrdup(fwdspec);
1267 /* skip leading spaces */
/*
 * NOTE(review): <ctype.h> functions take an int in the range of unsigned
 * char; passing a plain `char` that happens to be negative is undefined.
 * `isspace((unsigned char)*cp)` is the portable spelling.
 */
1268 while (isspace(*cp))
/* Up to four host/port fields, split on ':' (and bracketed IPv6 literals) by hpdelim(). */
1271 for (i = 0; i < 4; ++i)
1272 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1275 /* Check for trailing garbage */
1277 i = 0; /* failure */
/*
 * Dispatch on the number of fields (the case labels are elided):
 *   1: listenport                       (dynamic)
 *   2: listenhost:listenport            (dynamic)
 *   3: listenport:connecthost:connectport
 *   4: listenhost:listenport:connecthost:connectport
 * Dynamic forwards get the placeholder connect host "socks".
 * cleanhostname() presumably strips IPv6 brackets; a2port() is expected
 * to return a negative value for a bad port, which the checks below rely on.
 */
1281 fwd->listen_host = NULL;
1282 fwd->listen_port = a2port(fwdarg[0]);
1283 fwd->connect_host = xstrdup("socks");
1287 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1288 fwd->listen_port = a2port(fwdarg[1]);
1289 fwd->connect_host = xstrdup("socks");
1293 fwd->listen_host = NULL;
1294 fwd->listen_port = a2port(fwdarg[0]);
1295 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1296 fwd->connect_port = a2port(fwdarg[2]);
1300 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1301 fwd->listen_port = a2port(fwdarg[1]);
1302 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1303 fwd->connect_port = a2port(fwdarg[3]);
1306 i = 0; /* failure */
/* Field-count sanity: the -D form takes 1-2 fields, -L/-R take 3-4. */
1312 if (!(i == 1 || i == 2))
1315 if (!(i == 3 || i == 4))
/* The connect port must be a real port; 0 is not acceptable as a target. */
1317 if (fwd->connect_port <= 0)
/*
 * Listen port 0 ("let the server pick") is allowed only for remote
 * forwards; a local or dynamic forward must name its port.
 */
1321 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
/* Bound host names before they reach the resolver / NI_MAXHOST-sized buffers downstream. */
1324 if (fwd->connect_host != NULL &&
1325 strlen(fwd->connect_host) >= NI_MAXHOST)
1327 if (fwd->listen_host != NULL &&
1328 strlen(fwd->listen_host) >= NI_MAXHOST)
/* Failure path: release anything allocated above and leave `fwd` clean. */
1335 if (fwd->connect_host != NULL) {
1336 xfree(fwd->connect_host);
1337 fwd->connect_host = NULL;
1339 if (fwd->listen_host != NULL) {
1340 xfree(fwd->listen_host);
1341 fwd->listen_host = NULL;