1 /* $OpenBSD: readconf.c,v 1.218 2014/02/23 20:11:36 djm Exp $ */
4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * Functions for reading the configuration files.
9 * As far as I am concerned, the code I have written for this software
10 * can be used freely for any purpose. Any derived versions of this
11 * software must be clearly marked as such, and if the derived work is
12 * incompatible with the protocol description in the RFC file, it must be
13 * called by a name other than "ssh" or "Secure Shell".
19 #include <sys/types.h>
21 #include <sys/socket.h>
22 #include <sys/sysctl.h>
25 #include <netinet/in.h>
26 #include <netinet/in_systm.h>
27 #include <netinet/ip.h>
28 #include <arpa/inet.h>
51 #include "pathnames.h"
63 /* Format of the configuration file:
65 # Configuration data is parsed as follows:
66 # 1. command line options
67 # 2. user-specific file
69 # Any configuration value is only changed the first time it is set.
70 # Thus, host-specific definitions should be at the beginning of the
71 # configuration file, and defaults at the end.
73 # Host-specific declarations. These may override anything above. A single
74 # host may match multiple declarations; these are processed in the order
75 # that they are given in.
81 HostName another.host.name.real.org
88 RemoteForward 9999 shadows.cs.hut.fi:9999
94 PasswordAuthentication no
98 ProxyCommand ssh-proxy %h %p
101 PublicKeyAuthentication no
105 PasswordAuthentication no
111 # Defaults for various options
115 PasswordAuthentication yes
116 RSAAuthentication yes
117 RhostsRSAAuthentication yes
118 StrictHostKeyChecking yes
120 IdentityFile ~/.ssh/identity
126 /* Keyword tokens. */
131 oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
132 oGatewayPorts, oExitOnForwardFailure,
133 oPasswordAuthentication, oRSAAuthentication,
134 oChallengeResponseAuthentication, oXAuthLocation,
135 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
136 oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
137 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
138 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
139 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
140 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
141 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
142 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
143 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
144 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
145 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
146 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
147 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
148 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
149 oSendEnv, oControlPath, oControlMaster, oControlPersist,
151 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
152 oVisualHostKey, oUseRoaming,
153 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
154 oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
155 oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
156 oIgnoredUnknownOption,
157 oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
158 #ifdef NONE_CIPHER_ENABLED
159 oNoneEnabled, oNoneSwitch,
161 oVersionAddendum, oDeprecated, oUnsupported
164 /* Textual representations of the tokens. */
170 { "forwardagent", oForwardAgent },
171 { "forwardx11", oForwardX11 },
172 { "forwardx11trusted", oForwardX11Trusted },
173 { "forwardx11timeout", oForwardX11Timeout },
174 { "exitonforwardfailure", oExitOnForwardFailure },
175 { "xauthlocation", oXAuthLocation },
176 { "gatewayports", oGatewayPorts },
177 { "useprivilegedport", oUsePrivilegedPort },
178 { "rhostsauthentication", oDeprecated },
179 { "passwordauthentication", oPasswordAuthentication },
180 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
181 { "kbdinteractivedevices", oKbdInteractiveDevices },
182 { "rsaauthentication", oRSAAuthentication },
183 { "pubkeyauthentication", oPubkeyAuthentication },
184 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
185 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
186 { "hostbasedauthentication", oHostbasedAuthentication },
187 { "challengeresponseauthentication", oChallengeResponseAuthentication },
188 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
189 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
190 { "kerberosauthentication", oUnsupported },
191 { "kerberostgtpassing", oUnsupported },
192 { "afstokenpassing", oUnsupported },
194 { "gssapiauthentication", oGssAuthentication },
195 { "gssapidelegatecredentials", oGssDelegateCreds },
197 { "gssapiauthentication", oUnsupported },
198 { "gssapidelegatecredentials", oUnsupported },
200 { "fallbacktorsh", oDeprecated },
201 { "usersh", oDeprecated },
202 { "identityfile", oIdentityFile },
203 { "identityfile2", oIdentityFile }, /* obsolete */
204 { "identitiesonly", oIdentitiesOnly },
205 { "hostname", oHostName },
206 { "hostkeyalias", oHostKeyAlias },
207 { "proxycommand", oProxyCommand },
209 { "cipher", oCipher },
210 { "ciphers", oCiphers },
212 { "protocol", oProtocol },
213 { "remoteforward", oRemoteForward },
214 { "localforward", oLocalForward },
218 { "escapechar", oEscapeChar },
219 { "globalknownhostsfile", oGlobalKnownHostsFile },
220 { "globalknownhostsfile2", oDeprecated },
221 { "userknownhostsfile", oUserKnownHostsFile },
222 { "userknownhostsfile2", oDeprecated },
223 { "connectionattempts", oConnectionAttempts },
224 { "batchmode", oBatchMode },
225 { "checkhostip", oCheckHostIP },
226 { "stricthostkeychecking", oStrictHostKeyChecking },
227 { "compression", oCompression },
228 { "compressionlevel", oCompressionLevel },
229 { "tcpkeepalive", oTCPKeepAlive },
230 { "keepalive", oTCPKeepAlive }, /* obsolete */
231 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
232 { "loglevel", oLogLevel },
233 { "dynamicforward", oDynamicForward },
234 { "preferredauthentications", oPreferredAuthentications },
235 { "hostkeyalgorithms", oHostKeyAlgorithms },
236 { "bindaddress", oBindAddress },
238 { "smartcarddevice", oPKCS11Provider },
239 { "pkcs11provider", oPKCS11Provider },
241 { "smartcarddevice", oUnsupported },
242 { "pkcs11provider", oUnsupported },
244 { "clearallforwardings", oClearAllForwardings },
245 { "enablesshkeysign", oEnableSSHKeysign },
246 { "verifyhostkeydns", oVerifyHostKeyDNS },
247 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
248 { "rekeylimit", oRekeyLimit },
249 { "connecttimeout", oConnectTimeout },
250 { "addressfamily", oAddressFamily },
251 { "serveraliveinterval", oServerAliveInterval },
252 { "serveralivecountmax", oServerAliveCountMax },
253 { "sendenv", oSendEnv },
254 { "controlpath", oControlPath },
255 { "controlmaster", oControlMaster },
256 { "controlpersist", oControlPersist },
257 { "hashknownhosts", oHashKnownHosts },
258 { "tunnel", oTunnel },
259 { "tunneldevice", oTunnelDevice },
260 { "localcommand", oLocalCommand },
261 { "permitlocalcommand", oPermitLocalCommand },
262 { "visualhostkey", oVisualHostKey },
263 { "useroaming", oUseRoaming },
264 { "kexalgorithms", oKexAlgorithms },
266 { "requesttty", oRequestTTY },
267 { "proxyusefdpass", oProxyUseFdpass },
268 { "canonicaldomains", oCanonicalDomains },
269 { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
270 { "canonicalizehostname", oCanonicalizeHostname },
271 { "canonicalizemaxdots", oCanonicalizeMaxDots },
272 { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
273 { "ignoreunknown", oIgnoreUnknown },
274 { "hpndisabled", oHPNDisabled },
275 { "hpnbuffersize", oHPNBufferSize },
276 { "tcprcvbufpoll", oTcpRcvBufPoll },
277 { "tcprcvbuf", oTcpRcvBuf },
278 #ifdef NONE_CIPHER_ENABLED
279 { "noneenabled", oNoneEnabled },
280 { "noneswitch", oNoneSwitch },
282 { "versionaddendum", oVersionAddendum },
288 * Adds a local TCP/IP port forward to options. Never returns if there is an
293 add_local_forward(Options *options, const Forward *newfwd)
296 #ifndef NO_IPPORT_RESERVED_CONCEPT
297 extern uid_t original_real_uid;
300 size_t len_ipport_reserved = sizeof(ipport_reserved);
302 if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
303 &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
304 ipport_reserved = IPPORT_RESERVED;
308 ipport_reserved = IPPORT_RESERVED;
310 if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
311 fatal("Privileged ports can only be forwarded by root.");
313 options->local_forwards = xrealloc(options->local_forwards,
314 options->num_local_forwards + 1,
315 sizeof(*options->local_forwards));
316 fwd = &options->local_forwards[options->num_local_forwards++];
318 fwd->listen_host = newfwd->listen_host;
319 fwd->listen_port = newfwd->listen_port;
320 fwd->connect_host = newfwd->connect_host;
321 fwd->connect_port = newfwd->connect_port;
325 * Adds a remote TCP/IP port forward to options. Never returns if there is
330 add_remote_forward(Options *options, const Forward *newfwd)
334 options->remote_forwards = xrealloc(options->remote_forwards,
335 options->num_remote_forwards + 1,
336 sizeof(*options->remote_forwards));
337 fwd = &options->remote_forwards[options->num_remote_forwards++];
339 fwd->listen_host = newfwd->listen_host;
340 fwd->listen_port = newfwd->listen_port;
341 fwd->connect_host = newfwd->connect_host;
342 fwd->connect_port = newfwd->connect_port;
343 fwd->handle = newfwd->handle;
344 fwd->allocated_port = 0;
348 clear_forwardings(Options *options)
352 for (i = 0; i < options->num_local_forwards; i++) {
353 free(options->local_forwards[i].listen_host);
354 free(options->local_forwards[i].connect_host);
356 if (options->num_local_forwards > 0) {
357 free(options->local_forwards);
358 options->local_forwards = NULL;
360 options->num_local_forwards = 0;
361 for (i = 0; i < options->num_remote_forwards; i++) {
362 free(options->remote_forwards[i].listen_host);
363 free(options->remote_forwards[i].connect_host);
365 if (options->num_remote_forwards > 0) {
366 free(options->remote_forwards);
367 options->remote_forwards = NULL;
369 options->num_remote_forwards = 0;
370 options->tun_open = SSH_TUNMODE_NO;
374 add_identity_file(Options *options, const char *dir, const char *filename,
379 if (options->num_identity_files >= SSH_MAX_IDENTITY_FILES)
380 fatal("Too many identity files specified (max %d)",
381 SSH_MAX_IDENTITY_FILES);
383 if (dir == NULL) /* no dir, filename is absolute */
384 path = xstrdup(filename);
386 (void)xasprintf(&path, "%.100s%.100s", dir, filename);
388 options->identity_file_userprovided[options->num_identity_files] =
390 options->identity_files[options->num_identity_files++] = path;
394 default_ssh_port(void)
400 sp = getservbyname(SSH_SERVICE_NAME, "tcp");
401 port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT;
407 * Execute a command in a shell.
408 * Return its exit status or -1 on abnormal exit.
411 execute_in_shell(const char *cmd)
413 char *shell, *command_string;
416 extern uid_t original_real_uid;
418 if ((shell = getenv("SHELL")) == NULL)
419 shell = _PATH_BSHELL;
422 * Use "exec" to avoid "sh -c" processes on some platforms
425 xasprintf(&command_string, "exec %s", cmd);
427 /* Need this to redirect subprocess stdin/out */
428 if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1)
429 fatal("open(/dev/null): %s", strerror(errno));
431 debug("Executing command: '%.500s'", cmd);
433 /* Fork and execute the command. */
434 if ((pid = fork()) == 0) {
437 /* Child. Permanently give up superuser privileges. */
438 permanently_drop_suid(original_real_uid);
440 /* Redirect child stdin and stdout. Leave stderr */
441 if (dup2(devnull, STDIN_FILENO) == -1)
442 fatal("dup2: %s", strerror(errno));
443 if (dup2(devnull, STDOUT_FILENO) == -1)
444 fatal("dup2: %s", strerror(errno));
445 if (devnull > STDERR_FILENO)
447 closefrom(STDERR_FILENO + 1);
451 argv[2] = command_string;
454 execv(argv[0], argv);
455 error("Unable to execute '%.100s': %s", cmd, strerror(errno));
456 /* Die with signal to make this error apparent to parent. */
457 signal(SIGTERM, SIG_DFL);
458 kill(getpid(), SIGTERM);
463 fatal("%s: fork: %.100s", __func__, strerror(errno));
466 free(command_string);
468 while (waitpid(pid, &status, 0) == -1) {
469 if (errno != EINTR && errno != EAGAIN)
470 fatal("%s: waitpid: %s", __func__, strerror(errno));
472 if (!WIFEXITED(status)) {
473 error("command '%.100s' exited abnormally", cmd);
476 debug3("command returned status %d", WEXITSTATUS(status));
477 return WEXITSTATUS(status);
481 * Parse and execute a Match directive.
484 match_cfg_line(Options *options, char **condition, struct passwd *pw,
485 const char *host_arg, const char *filename, int linenum)
487 char *arg, *attrib, *cmd, *cp = *condition, *host;
489 int r, port, result = 1, attributes = 0;
491 char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];
494 * Configuration is likely to be incomplete at this point so we
495 * must be prepared to use default values.
497 port = options->port <= 0 ? default_ssh_port() : options->port;
498 ruser = options->user == NULL ? pw->pw_name : options->user;
499 if (options->hostname != NULL) {
500 /* NB. Please keep in sync with ssh.c:main() */
501 host = percent_expand(options->hostname,
502 "h", host_arg, (char *)NULL);
504 host = xstrdup(host_arg);
506 debug3("checking match for '%s' host %s", cp, host);
507 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
509 if (strcasecmp(attrib, "all") == 0) {
510 if (attributes != 1 ||
511 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
512 error("'all' cannot be combined with other "
521 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
522 error("Missing Match criteria for %s", attrib);
527 if (strcasecmp(attrib, "host") == 0) {
528 if (match_hostname(host, arg, len) != 1)
531 debug("%.200s line %d: matched 'Host %.100s' ",
532 filename, linenum, host);
533 } else if (strcasecmp(attrib, "originalhost") == 0) {
534 if (match_hostname(host_arg, arg, len) != 1)
537 debug("%.200s line %d: matched "
538 "'OriginalHost %.100s' ",
539 filename, linenum, host_arg);
540 } else if (strcasecmp(attrib, "user") == 0) {
541 if (match_pattern_list(ruser, arg, len, 0) != 1)
544 debug("%.200s line %d: matched 'User %.100s' ",
545 filename, linenum, ruser);
546 } else if (strcasecmp(attrib, "localuser") == 0) {
547 if (match_pattern_list(pw->pw_name, arg, len, 0) != 1)
550 debug("%.200s line %d: matched "
551 "'LocalUser %.100s' ",
552 filename, linenum, pw->pw_name);
553 } else if (strcasecmp(attrib, "exec") == 0) {
554 if (gethostname(thishost, sizeof(thishost)) == -1)
555 fatal("gethostname: %s", strerror(errno));
556 strlcpy(shorthost, thishost, sizeof(shorthost));
557 shorthost[strcspn(thishost, ".")] = '\0';
558 snprintf(portstr, sizeof(portstr), "%d", port);
560 cmd = percent_expand(arg,
571 /* skip execution if prior predicate failed */
572 debug("%.200s line %d: skipped exec \"%.100s\"",
573 filename, linenum, cmd);
575 r = execute_in_shell(cmd);
577 fatal("%.200s line %d: match exec "
578 "'%.100s' error", filename,
581 debug("%.200s line %d: matched "
582 "'exec \"%.100s\"'", filename,
585 debug("%.200s line %d: no match "
586 "'exec \"%.100s\"'", filename,
593 error("Unsupported Match attribute %s", attrib);
598 if (attributes == 0) {
599 error("One or more attributes required for Match");
603 debug3("match %sfound", result ? "" : "not ");
610 /* Check and prepare a domain name: removes trailing '.' and lowercases */
612 valid_domain(char *name, const char *filename, int linenum)
614 size_t i, l = strlen(name);
615 u_char c, last = '\0';
618 fatal("%s line %d: empty hostname suffix", filename, linenum);
619 if (!isalpha((u_char)name[0]) && !isdigit((u_char)name[0]))
620 fatal("%s line %d: hostname suffix \"%.100s\" "
621 "starts with invalid character", filename, linenum, name);
622 for (i = 0; i < l; i++) {
623 c = tolower((u_char)name[i]);
625 if (last == '.' && c == '.')
626 fatal("%s line %d: hostname suffix \"%.100s\" contains "
627 "consecutive separators", filename, linenum, name);
628 if (c != '.' && c != '-' && !isalnum(c) &&
629 c != '_') /* technically invalid, but common */
630 fatal("%s line %d: hostname suffix \"%.100s\" contains "
631 "invalid characters", filename, linenum, name);
634 if (name[l - 1] == '.')
639 * Returns the number of the token pointed to by cp or oBadOption.
642 parse_token(const char *cp, const char *filename, int linenum,
643 const char *ignored_unknown)
647 for (i = 0; keywords[i].name; i++)
648 if (strcmp(cp, keywords[i].name) == 0)
649 return keywords[i].opcode;
650 if (ignored_unknown != NULL && match_pattern_list(cp, ignored_unknown,
651 strlen(ignored_unknown), 1) == 1)
652 return oIgnoredUnknownOption;
653 error("%s: line %d: Bad configuration option: %s",
654 filename, linenum, cp);
658 /* Multistate option parsing */
663 static const struct multistate multistate_flag[] = {
670 static const struct multistate multistate_yesnoask[] = {
678 static const struct multistate multistate_addressfamily[] = {
680 { "inet6", AF_INET6 },
681 { "any", AF_UNSPEC },
684 static const struct multistate multistate_controlmaster[] = {
685 { "true", SSHCTL_MASTER_YES },
686 { "yes", SSHCTL_MASTER_YES },
687 { "false", SSHCTL_MASTER_NO },
688 { "no", SSHCTL_MASTER_NO },
689 { "auto", SSHCTL_MASTER_AUTO },
690 { "ask", SSHCTL_MASTER_ASK },
691 { "autoask", SSHCTL_MASTER_AUTO_ASK },
694 static const struct multistate multistate_tunnel[] = {
695 { "ethernet", SSH_TUNMODE_ETHERNET },
696 { "point-to-point", SSH_TUNMODE_POINTOPOINT },
697 { "true", SSH_TUNMODE_DEFAULT },
698 { "yes", SSH_TUNMODE_DEFAULT },
699 { "false", SSH_TUNMODE_NO },
700 { "no", SSH_TUNMODE_NO },
703 static const struct multistate multistate_requesttty[] = {
704 { "true", REQUEST_TTY_YES },
705 { "yes", REQUEST_TTY_YES },
706 { "false", REQUEST_TTY_NO },
707 { "no", REQUEST_TTY_NO },
708 { "force", REQUEST_TTY_FORCE },
709 { "auto", REQUEST_TTY_AUTO },
712 static const struct multistate multistate_canonicalizehostname[] = {
713 { "true", SSH_CANONICALISE_YES },
714 { "false", SSH_CANONICALISE_NO },
715 { "yes", SSH_CANONICALISE_YES },
716 { "no", SSH_CANONICALISE_NO },
717 { "always", SSH_CANONICALISE_ALWAYS },
722 * Processes a single option line as used in the configuration files. This
723 * only sets those values that have not already been set.
725 #define WHITESPACE " \t\r\n"
727 process_config_line(Options *options, struct passwd *pw, const char *host,
728 char *line, const char *filename, int linenum, int *activep, int userconfig)
730 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
731 char **cpptr, fwdarg[256];
732 u_int i, *uintptr, max_entries = 0;
733 int negated, opcode, *intptr, value, value2, cmdline = 0;
734 LogLevel *log_level_ptr;
738 const struct multistate *multistate_ptr;
739 struct allowed_cname *cname;
741 if (activep == NULL) { /* We are processing a command line directive */
746 /* Strip trailing whitespace */
747 for (len = strlen(line) - 1; len > 0; len--) {
748 if (strchr(WHITESPACE, line[len]) == NULL)
754 /* Get the keyword. (Each line is supposed to begin with a keyword). */
755 if ((keyword = strdelim(&s)) == NULL)
757 /* Ignore leading whitespace. */
758 if (*keyword == '\0')
759 keyword = strdelim(&s);
760 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
762 /* Match lowercase keyword */
765 opcode = parse_token(keyword, filename, linenum,
766 options->ignored_unknown);
770 /* don't panic, but count bad options */
773 case oIgnoredUnknownOption:
774 debug("%s line %d: Ignored unknown option \"%s\"",
775 filename, linenum, keyword);
777 case oConnectTimeout:
778 intptr = &options->connection_timeout;
781 if (!arg || *arg == '\0')
782 fatal("%s line %d: missing time value.",
784 if ((value = convtime(arg)) == -1)
785 fatal("%s line %d: invalid time value.",
787 if (*activep && *intptr == -1)
792 intptr = &options->forward_agent;
794 multistate_ptr = multistate_flag;
797 if (!arg || *arg == '\0')
798 fatal("%s line %d: missing argument.",
801 for (i = 0; multistate_ptr[i].key != NULL; i++) {
802 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
803 value = multistate_ptr[i].value;
808 fatal("%s line %d: unsupported option \"%s\".",
809 filename, linenum, arg);
810 if (*activep && *intptr == -1)
815 intptr = &options->forward_x11;
818 case oForwardX11Trusted:
819 intptr = &options->forward_x11_trusted;
822 case oForwardX11Timeout:
823 intptr = &options->forward_x11_timeout;
827 intptr = &options->gateway_ports;
830 case oExitOnForwardFailure:
831 intptr = &options->exit_on_forward_failure;
834 case oUsePrivilegedPort:
835 intptr = &options->use_privileged_port;
838 case oPasswordAuthentication:
839 intptr = &options->password_authentication;
842 case oKbdInteractiveAuthentication:
843 intptr = &options->kbd_interactive_authentication;
846 case oKbdInteractiveDevices:
847 charptr = &options->kbd_interactive_devices;
850 case oPubkeyAuthentication:
851 intptr = &options->pubkey_authentication;
854 case oRSAAuthentication:
855 intptr = &options->rsa_authentication;
858 case oRhostsRSAAuthentication:
859 intptr = &options->rhosts_rsa_authentication;
862 case oHostbasedAuthentication:
863 intptr = &options->hostbased_authentication;
866 case oChallengeResponseAuthentication:
867 intptr = &options->challenge_response_authentication;
870 case oGssAuthentication:
871 intptr = &options->gss_authentication;
874 case oGssDelegateCreds:
875 intptr = &options->gss_deleg_creds;
879 intptr = &options->batch_mode;
883 intptr = &options->check_host_ip;
886 case oVerifyHostKeyDNS:
887 intptr = &options->verify_host_key_dns;
888 multistate_ptr = multistate_yesnoask;
889 goto parse_multistate;
891 case oStrictHostKeyChecking:
892 intptr = &options->strict_host_key_checking;
893 multistate_ptr = multistate_yesnoask;
894 goto parse_multistate;
897 intptr = &options->compression;
901 intptr = &options->tcp_keep_alive;
904 case oNoHostAuthenticationForLocalhost:
905 intptr = &options->no_host_authentication_for_localhost;
908 case oNumberOfPasswordPrompts:
909 intptr = &options->number_of_password_prompts;
912 case oCompressionLevel:
913 intptr = &options->compression_level;
918 if (!arg || *arg == '\0')
919 fatal("%.200s line %d: Missing argument.", filename,
921 if (strcmp(arg, "default") == 0) {
924 if (scan_scaled(arg, &val64) == -1)
925 fatal("%.200s line %d: Bad number '%s': %s",
926 filename, linenum, arg, strerror(errno));
927 /* check for too-large or too-small limits */
928 if (val64 > UINT_MAX)
929 fatal("%.200s line %d: RekeyLimit too large",
931 if (val64 != 0 && val64 < 16)
932 fatal("%.200s line %d: RekeyLimit too small",
935 if (*activep && options->rekey_limit == -1)
936 options->rekey_limit = (u_int32_t)val64;
937 if (s != NULL) { /* optional rekey interval present */
938 if (strcmp(s, "none") == 0) {
939 (void)strdelim(&s); /* discard */
942 intptr = &options->rekey_interval;
949 if (!arg || *arg == '\0')
950 fatal("%.200s line %d: Missing argument.", filename, linenum);
952 intptr = &options->num_identity_files;
953 if (*intptr >= SSH_MAX_IDENTITY_FILES)
954 fatal("%.200s line %d: Too many identity files specified (max %d).",
955 filename, linenum, SSH_MAX_IDENTITY_FILES);
956 add_identity_file(options, NULL, arg, userconfig);
961 charptr=&options->xauth_location;
965 charptr = &options->user;
968 if (!arg || *arg == '\0')
969 fatal("%.200s line %d: Missing argument.",
971 if (*activep && *charptr == NULL)
972 *charptr = xstrdup(arg);
975 case oGlobalKnownHostsFile:
976 cpptr = (char **)&options->system_hostfiles;
977 uintptr = &options->num_system_hostfiles;
978 max_entries = SSH_MAX_HOSTS_FILES;
980 if (*activep && *uintptr == 0) {
981 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
982 if ((*uintptr) >= max_entries)
984 "too many authorized keys files.",
986 cpptr[(*uintptr)++] = xstrdup(arg);
991 case oUserKnownHostsFile:
992 cpptr = (char **)&options->user_hostfiles;
993 uintptr = &options->num_user_hostfiles;
994 max_entries = SSH_MAX_HOSTS_FILES;
995 goto parse_char_array;
998 charptr = &options->hostname;
1002 charptr = &options->host_key_alias;
1005 case oPreferredAuthentications:
1006 charptr = &options->preferred_authentications;
1010 charptr = &options->bind_address;
1013 case oPKCS11Provider:
1014 charptr = &options->pkcs11_provider;
1018 charptr = &options->proxy_command;
1021 fatal("%.200s line %d: Missing argument.", filename, linenum);
1022 len = strspn(s, WHITESPACE "=");
1023 if (*activep && *charptr == NULL)
1024 *charptr = xstrdup(s + len);
1028 intptr = &options->port;
1031 if (!arg || *arg == '\0')
1032 fatal("%.200s line %d: Missing argument.", filename, linenum);
1033 if (arg[0] < '0' || arg[0] > '9')
1034 fatal("%.200s line %d: Bad number.", filename, linenum);
1036 /* Octal, decimal, or hex format? */
1037 value = strtol(arg, &endofnumber, 0);
1038 if (arg == endofnumber)
1039 fatal("%.200s line %d: Bad number.", filename, linenum);
1040 if (*activep && *intptr == -1)
1044 case oConnectionAttempts:
1045 intptr = &options->connection_attempts;
1049 intptr = &options->cipher;
1051 if (!arg || *arg == '\0')
1052 fatal("%.200s line %d: Missing argument.", filename, linenum);
1053 value = cipher_number(arg);
1055 fatal("%.200s line %d: Bad cipher '%s'.",
1056 filename, linenum, arg ? arg : "<NONE>");
1057 if (*activep && *intptr == -1)
1063 if (!arg || *arg == '\0')
1064 fatal("%.200s line %d: Missing argument.", filename, linenum);
1065 if (!ciphers_valid(arg))
1066 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
1067 filename, linenum, arg ? arg : "<NONE>");
1068 if (*activep && options->ciphers == NULL)
1069 options->ciphers = xstrdup(arg);
1074 if (!arg || *arg == '\0')
1075 fatal("%.200s line %d: Missing argument.", filename, linenum);
1076 if (!mac_valid(arg))
1077 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
1078 filename, linenum, arg ? arg : "<NONE>");
1079 if (*activep && options->macs == NULL)
1080 options->macs = xstrdup(arg);
1083 case oKexAlgorithms:
1085 if (!arg || *arg == '\0')
1086 fatal("%.200s line %d: Missing argument.",
1088 if (!kex_names_valid(arg))
1089 fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
1090 filename, linenum, arg ? arg : "<NONE>");
1091 if (*activep && options->kex_algorithms == NULL)
1092 options->kex_algorithms = xstrdup(arg);
1095 case oHostKeyAlgorithms:
1097 if (!arg || *arg == '\0')
1098 fatal("%.200s line %d: Missing argument.", filename, linenum);
1099 if (!key_names_valid2(arg))
1100 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
1101 filename, linenum, arg ? arg : "<NONE>");
1102 if (*activep && options->hostkeyalgorithms == NULL)
1103 options->hostkeyalgorithms = xstrdup(arg);
1107 intptr = &options->protocol;
1109 if (!arg || *arg == '\0')
1110 fatal("%.200s line %d: Missing argument.", filename, linenum);
1111 value = proto_spec(arg);
1112 if (value == SSH_PROTO_UNKNOWN)
1113 fatal("%.200s line %d: Bad protocol spec '%s'.",
1114 filename, linenum, arg ? arg : "<NONE>");
1115 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
1120 log_level_ptr = &options->log_level;
1122 value = log_level_number(arg);
1123 if (value == SYSLOG_LEVEL_NOT_SET)
1124 fatal("%.200s line %d: unsupported log level '%s'",
1125 filename, linenum, arg ? arg : "<NONE>");
1126 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
1127 *log_level_ptr = (LogLevel) value;
1131 case oRemoteForward:
1132 case oDynamicForward:
1134 if (arg == NULL || *arg == '\0')
1135 fatal("%.200s line %d: Missing port argument.",
1138 if (opcode == oLocalForward ||
1139 opcode == oRemoteForward) {
1140 arg2 = strdelim(&s);
1141 if (arg2 == NULL || *arg2 == '\0')
1142 fatal("%.200s line %d: Missing target argument.",
1145 /* construct a string for parse_forward */
1146 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
1147 } else if (opcode == oDynamicForward) {
1148 strlcpy(fwdarg, arg, sizeof(fwdarg));
1151 if (parse_forward(&fwd, fwdarg,
1152 opcode == oDynamicForward ? 1 : 0,
1153 opcode == oRemoteForward ? 1 : 0) == 0)
1154 fatal("%.200s line %d: Bad forwarding specification.",
1158 if (opcode == oLocalForward ||
1159 opcode == oDynamicForward)
1160 add_local_forward(options, &fwd);
1161 else if (opcode == oRemoteForward)
1162 add_remote_forward(options, &fwd);
1166 case oClearAllForwardings:
1167 intptr = &options->clear_forwardings;
1172 fatal("Host directive not supported as a command-line "
1176 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1177 negated = *arg == '!';
1180 if (match_pattern(host, arg)) {
1182 debug("%.200s line %d: Skipping Host "
1183 "block because of negated match "
1184 "for %.100s", filename, linenum,
1190 arg2 = arg; /* logged below */
1195 debug("%.200s line %d: Applying options for %.100s",
1196 filename, linenum, arg2);
1197 /* Avoid garbage check below, as strdelim is done. */
1202 fatal("Host directive not supported as a command-line "
1204 value = match_cfg_line(options, &s, pw, host,
1207 fatal("%.200s line %d: Bad Match condition", filename,
1213 intptr = &options->escape_char;
1215 if (!arg || *arg == '\0')
1216 fatal("%.200s line %d: Missing argument.", filename, linenum);
1217 if (arg[0] == '^' && arg[2] == 0 &&
1218 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
1219 value = (u_char) arg[1] & 31;
1220 else if (strlen(arg) == 1)
1221 value = (u_char) arg[0];
1222 else if (strcmp(arg, "none") == 0)
1223 value = SSH_ESCAPECHAR_NONE;
1225 fatal("%.200s line %d: Bad escape character.",
1228 value = 0; /* Avoid compiler warning. */
1230 if (*activep && *intptr == -1)
1234 case oAddressFamily:
1235 intptr = &options->address_family;
1236 multistate_ptr = multistate_addressfamily;
1237 goto parse_multistate;
1239 case oEnableSSHKeysign:
1240 intptr = &options->enable_ssh_keysign;
1243 case oIdentitiesOnly:
1244 intptr = &options->identities_only;
1247 case oServerAliveInterval:
1248 intptr = &options->server_alive_interval;
1251 case oServerAliveCountMax:
1252 intptr = &options->server_alive_count_max;
1256 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1257 if (strchr(arg, '=') != NULL)
1258 fatal("%s line %d: Invalid environment name.",
1262 if (options->num_send_env >= MAX_SEND_ENV)
1263 fatal("%s line %d: too many send env.",
1265 options->send_env[options->num_send_env++] =
1271 charptr = &options->control_path;
1274 case oControlMaster:
1275 intptr = &options->control_master;
1276 multistate_ptr = multistate_controlmaster;
1277 goto parse_multistate;
1279 case oControlPersist:
1280 /* no/false/yes/true, or a time spec */
1281 intptr = &options->control_persist;
1283 if (!arg || *arg == '\0')
1284 fatal("%.200s line %d: Missing ControlPersist"
1285 " argument.", filename, linenum);
1287 value2 = 0; /* timeout */
1288 if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
1290 else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
1292 else if ((value2 = convtime(arg)) >= 0)
1295 fatal("%.200s line %d: Bad ControlPersist argument.",
1297 if (*activep && *intptr == -1) {
1299 options->control_persist_timeout = value2;
1303 case oHashKnownHosts:
1304 intptr = &options->hash_known_hosts;
1308 intptr = &options->tun_open;
1309 multistate_ptr = multistate_tunnel;
1310 goto parse_multistate;
1314 if (!arg || *arg == '\0')
1315 fatal("%.200s line %d: Missing argument.", filename, linenum);
1316 value = a2tun(arg, &value2);
1317 if (value == SSH_TUNID_ERR)
1318 fatal("%.200s line %d: Bad tun device.", filename, linenum);
1320 options->tun_local = value;
1321 options->tun_remote = value2;
1326 charptr = &options->local_command;
1329 case oPermitLocalCommand:
1330 intptr = &options->permit_local_command;
1333 case oVisualHostKey:
1334 intptr = &options->visual_host_key;
1339 if ((value = parse_ipqos(arg)) == -1)
1340 fatal("%s line %d: Bad IPQoS value: %s",
1341 filename, linenum, arg);
1345 else if ((value2 = parse_ipqos(arg)) == -1)
1346 fatal("%s line %d: Bad IPQoS value: %s",
1347 filename, linenum, arg);
1349 options->ip_qos_interactive = value;
1350 options->ip_qos_bulk = value2;
1355 intptr = &options->use_roaming;
1359 intptr = &options->request_tty;
1360 multistate_ptr = multistate_requesttty;
1361 goto parse_multistate;
1364 intptr = &options->hpn_disabled;
1367 case oHPNBufferSize:
1368 intptr = &options->hpn_buffer_size;
1371 case oTcpRcvBufPoll:
1372 intptr = &options->tcp_rcv_buf_poll;
1376 intptr = &options->tcp_rcv_buf;
1379 #ifdef NONE_CIPHER_ENABLED
1381 intptr = &options->none_enabled;
1385 * We check to see if the command comes from the command line or not.
1386 * If it does then enable it otherwise fail. NONE must never be a
1387 * default configuration.
1390 if (strcmp(filename,"command-line") == 0) {
1391 intptr = &options->none_switch;
1394 debug("NoneSwitch directive found in %.200s.",
1396 error("NoneSwitch is found in %.200s.\n"
1397 "You may only use this configuration option "
1398 "from the command line", filename);
1399 error("Continuing...");
1404 case oVersionAddendum:
1406 fatal("%.200s line %d: Missing argument.", filename,
1408 len = strspn(s, WHITESPACE);
1409 if (*activep && options->version_addendum == NULL) {
1410 if (strcasecmp(s + len, "none") == 0)
1411 options->version_addendum = xstrdup("");
1412 else if (strchr(s + len, '\r') != NULL)
1413 fatal("%.200s line %d: Invalid argument",
1416 options->version_addendum = xstrdup(s + len);
1420 case oIgnoreUnknown:
1421 charptr = &options->ignored_unknown;
1424 case oProxyUseFdpass:
1425 intptr = &options->proxy_use_fdpass;
1428 case oCanonicalDomains:
1429 value = options->num_canonical_domains != 0;
1430 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1431 valid_domain(arg, filename, linenum);
1432 if (!*activep || value)
1434 if (options->num_canonical_domains >= MAX_CANON_DOMAINS)
1435 fatal("%s line %d: too many hostname suffixes.",
1437 options->canonical_domains[
1438 options->num_canonical_domains++] = xstrdup(arg);
1442 case oCanonicalizePermittedCNAMEs:
1443 value = options->num_permitted_cnames != 0;
1444 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1445 /* Either '*' for everything or 'list:list' */
1446 if (strcmp(arg, "*") == 0)
1450 if ((arg2 = strchr(arg, ':')) == NULL ||
1452 fatal("%s line %d: "
1453 "Invalid permitted CNAME \"%s\"",
1454 filename, linenum, arg);
1459 if (!*activep || value)
1461 if (options->num_permitted_cnames >= MAX_CANON_DOMAINS)
1462 fatal("%s line %d: too many permitted CNAMEs.",
1464 cname = options->permitted_cnames +
1465 options->num_permitted_cnames++;
1466 cname->source_list = xstrdup(arg);
1467 cname->target_list = xstrdup(arg2);
1471 case oCanonicalizeHostname:
1472 intptr = &options->canonicalize_hostname;
1473 multistate_ptr = multistate_canonicalizehostname;
1474 goto parse_multistate;
1476 case oCanonicalizeMaxDots:
1477 intptr = &options->canonicalize_max_dots;
1480 case oCanonicalizeFallbackLocal:
1481 intptr = &options->canonicalize_fallback_local;
1485 debug("%s line %d: Deprecated option \"%s\"",
1486 filename, linenum, keyword);
1490 error("%s line %d: Unsupported option \"%s\"",
1491 filename, linenum, keyword);
1495 fatal("process_config_line: Unimplemented opcode %d", opcode);
1498 /* Check that there is no garbage at end of line. */
1499 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1500 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
1501 filename, linenum, arg);
1508 * Reads the config file and modifies the options accordingly. Options
1509 * should already be initialized before this call. This never returns if
1510 * there is an error. If the file does not exist, this returns 0.
 *
 * filename - path of the configuration file; also used in diagnostics.
 * pw, host - passed through unchanged to process_config_line().
 * options  - the Options struct to fill in.  Only fields still at the
 *            "unset" marker written by initialize_options() are changed,
 *            so earlier sources (command line, user file) take precedence.
 * flags    - SSHCONF_CHECKPERM asks for the owner/permission check below;
 *            SSHCONF_USERCONF is forwarded to process_config_line().
 *
 * Every parse problem is counted in bad_options and reported through
 * fatal() once the whole file has been read.
1514 read_config_file(const char *filename, struct passwd *pw, const char *host,
1515 Options *options, int flags)
1519 int active, linenum;
1520 int bad_options = 0;
1522 if ((f = fopen(filename, "r")) == NULL)
1525 if (flags & SSHCONF_CHECKPERM) {
/*
 * The check is made with fstat() on the descriptor that was just
 * opened, so the object whose owner and mode are inspected is the same
 * one that will be read (no separate stat()-then-open() window).
 */
1528 if (fstat(fileno(f), &sb) == -1)
1529 fatal("fstat %s: %s", filename, strerror(errno));
/*
 * Accept only a file owned by root or by the invoking user, and refuse
 * anything group- or world-writable (mode bits 022): a config file that
 * someone else can edit could inject ProxyCommand/LocalCommand lines.
 */
1530 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
1531 (sb.st_mode & 022) != 0))
1532 fatal("Bad owner or permissions on %s", filename);
1535 debug("Reading configuration data %.200s", filename);
1538 * Mark that we are now processing the options. This flag is turned
1539 * on/off by Host specifications.
/*
 * NOTE(review): fgets() returns a line longer than line[] in pieces, and
 * each piece is handed to process_config_line() as a line of its own.
 * line[] is declared outside this excerpt, so its size is not visible
 * here; an explicit over-length check would make such input a hard error.
 */
1543 while (fgets(line, sizeof(line), f)) {
1544 /* Update line number counter. */
1546 if (process_config_line(options, pw, host, line, filename,
1547 linenum, &active, flags & SSHCONF_USERCONF) != 0)
/* Bad lines are counted rather than aborting on the first one. */
1551 if (bad_options > 0)
1552 fatal("%s: terminating, %d bad configuration options",
1553 filename, bad_options);
/*
 * Tell whether a string option should be treated as "not set".
 *
 * o - the option value, or NULL when it was never assigned.
 * Returns 1 when o is NULL or equals "none" (compared case-insensitively),
 * 0 for any other string, including the empty string.
 */
int
option_clear_or_none(const char *o)
{
	if (o == NULL)
		return 1;
	return strcasecmp(o, "none") == 0;
}
1565 * Initializes options to special values that indicate that they have not yet
1566 * been set. Read_config_file will only set options with this value. Options
1567 * are processed in the following order: command line, user config file,
1568 * system config file. Last, fill_default_options is called.
 *
 * Sentinel convention, as far as this function shows it: integer and
 * boolean options are set to -1, string pointers to NULL, array counters
 * to 0, and a few enum-typed fields to their own "not set" constant
 * (SSH_PROTO_UNKNOWN, SYSLOG_LEVEL_NOT_SET).  fill_default_options()
 * later replaces whatever is still at its sentinel.
1572 initialize_options(Options * options)
/*
 * Fill the whole struct with a non-zero byte pattern before the explicit
 * assignments, so a field that is forgotten below holds conspicuous
 * garbage instead of a plausible-looking 0 or NULL.
 */
1574 memset(options, 'X', sizeof(*options));
/* Forwarding and X11. */
1575 options->forward_agent = -1;
1576 options->forward_x11 = -1;
1577 options->forward_x11_trusted = -1;
1578 options->forward_x11_timeout = -1;
1579 options->exit_on_forward_failure = -1;
1580 options->xauth_location = NULL;
1581 options->gateway_ports = -1;
1582 options->use_privileged_port = -1;
/* Authentication methods. */
1583 options->rsa_authentication = -1;
1584 options->pubkey_authentication = -1;
1585 options->challenge_response_authentication = -1;
1586 options->gss_authentication = -1;
1587 options->gss_deleg_creds = -1;
1588 options->password_authentication = -1;
1589 options->kbd_interactive_authentication = -1;
1590 options->kbd_interactive_devices = NULL;
1591 options->rhosts_rsa_authentication = -1;
1592 options->hostbased_authentication = -1;
/* Host key checking and connection behaviour. */
1593 options->batch_mode = -1;
1594 options->check_host_ip = -1;
1595 options->strict_host_key_checking = -1;
1596 options->compression = -1;
1597 options->tcp_keep_alive = -1;
1598 options->compression_level = -1;
/*
 * NOTE(review): options->port is compared with -1 in fill_default_options(),
 * but its initialisation is not part of this listing (the line between
 * 1598 and 1600 is omitted); confirm it is set to -1 here.
 */
1600 options->address_family = -1;
1601 options->connection_attempts = -1;
1602 options->connection_timeout = -1;
1603 options->number_of_password_prompts = -1;
/* Algorithm selection; NULL lists mean "use the compiled-in proposal". */
1604 options->cipher = -1;
1605 options->ciphers = NULL;
1606 options->macs = NULL;
1607 options->kex_algorithms = NULL;
1608 options->hostkeyalgorithms = NULL;
1609 options->protocol = SSH_PROTO_UNKNOWN;
/* Identity, host and proxy settings. */
1610 options->num_identity_files = 0;
1611 options->hostname = NULL;
1612 options->host_key_alias = NULL;
1613 options->proxy_command = NULL;
1614 options->user = NULL;
1615 options->escape_char = -1;
1616 options->num_system_hostfiles = 0;
1617 options->num_user_hostfiles = 0;
/* Port forwardings: lists start empty with a zero count. */
1618 options->local_forwards = NULL;
1619 options->num_local_forwards = 0;
1620 options->remote_forwards = NULL;
1621 options->num_remote_forwards = 0;
1622 options->clear_forwardings = -1;
1623 options->log_level = SYSLOG_LEVEL_NOT_SET;
1624 options->preferred_authentications = NULL;
1625 options->bind_address = NULL;
1626 options->pkcs11_provider = NULL;
1627 options->enable_ssh_keysign = - 1;
1628 options->no_host_authentication_for_localhost = - 1;
1629 options->identities_only = - 1;
1630 options->rekey_limit = - 1;
1631 options->rekey_interval = -1;
1632 options->verify_host_key_dns = -1;
1633 options->server_alive_interval = -1;
1634 options->server_alive_count_max = -1;
1635 options->num_send_env = 0;
/* Connection sharing (ControlMaster/ControlPath/ControlPersist). */
1636 options->control_path = NULL;
1637 options->control_master = -1;
1638 options->control_persist = -1;
1639 options->control_persist_timeout = 0;
1640 options->hash_known_hosts = -1;
/* Tunnel device forwarding. */
1641 options->tun_open = -1;
1642 options->tun_local = -1;
1643 options->tun_remote = -1;
1644 options->local_command = NULL;
1645 options->permit_local_command = -1;
1646 options->use_roaming = -1;
1647 options->visual_host_key = -1;
1648 options->ip_qos_interactive = -1;
1649 options->ip_qos_bulk = -1;
1650 options->request_tty = -1;
1651 options->proxy_use_fdpass = -1;
1652 options->ignored_unknown = NULL;
/* Hostname canonicalisation. */
1653 options->num_canonical_domains = 0;
1654 options->num_permitted_cnames = 0;
1655 options->canonicalize_max_dots = -1;
1656 options->canonicalize_fallback_local = -1;
1657 options->canonicalize_hostname = -1;
/* FreeBSD/HPN additions. */
1658 options->version_addendum = NULL;
1659 options->hpn_disabled = -1;
1660 options->hpn_buffer_size = -1;
1661 options->tcp_rcv_buf_poll = -1;
1662 options->tcp_rcv_buf = -1;
/* NONE cipher support is compile-time optional; both knobs start unset. */
1663 #ifdef NONE_CIPHER_ENABLED
1664 options->none_enabled = -1;
1665 options->none_switch = -1;
/* Store value in *field only if it still holds the "unset" marker -1. */
static void
canon_default_if_unset(int *field, int value)
{
	if (*field == -1)
		*field = value;
}

/*
 * A petite version of fill_default_options() that just fills the options
 * needed for hostname canonicalization to proceed.
 *
 * options - the Options struct; only the three canonicalisation fields
 *           are touched, and each only if it is still at its -1 sentinel
 *           from initialize_options().  The defaults are the same ones
 *           fill_default_options() applies later.
 */
void
fill_default_options_for_canonicalization(Options *options)
{
	canon_default_if_unset(&options->canonicalize_max_dots, 1);
	canon_default_if_unset(&options->canonicalize_fallback_local, 1);
	canon_default_if_unset(&options->canonicalize_hostname,
	    SSH_CANONICALISE_NO);
}
1685 * Called after processing other sources of option data, this fills those
1686 * options for which no value has been specified with their default values.
 *
 * Each test below compares a field with the "unset" marker left by
 * initialize_options() (-1 for integers, NULL for strings, 0 for the
 * identity/hostfile counters) and stores the default only in that case,
 * so values already supplied on the command line or in a config file win.
1689 fill_default_options(Options * options)
/* Agent and X11 forwarding are off unless explicitly enabled. */
1691 if (options->forward_agent == -1)
1692 options->forward_agent = 0;
1693 if (options->forward_x11 == -1)
1694 options->forward_x11 = 0;
1695 if (options->forward_x11_trusted == -1)
1696 options->forward_x11_trusted = 0;
/* 1200 is presumably seconds (20 minutes) — confirm against the parser. */
1697 if (options->forward_x11_timeout == -1)
1698 options->forward_x11_timeout = 1200;
1699 if (options->exit_on_forward_failure == -1)
1700 options->exit_on_forward_failure = 0;
1701 if (options->xauth_location == NULL)
1702 options->xauth_location = _PATH_XAUTH;
1703 if (options->gateway_ports == -1)
1704 options->gateway_ports = 0;
1705 if (options->use_privileged_port == -1)
1706 options->use_privileged_port = 0;
/*
 * Authentication methods: RSA, public key, challenge-response, password
 * and keyboard-interactive are enabled by default; GSSAPI, rhosts-RSA and
 * host-based are not.
 */
1707 if (options->rsa_authentication == -1)
1708 options->rsa_authentication = 1;
1709 if (options->pubkey_authentication == -1)
1710 options->pubkey_authentication = 1;
1711 if (options->challenge_response_authentication == -1)
1712 options->challenge_response_authentication = 1;
1713 if (options->gss_authentication == -1)
1714 options->gss_authentication = 0;
1715 if (options->gss_deleg_creds == -1)
1716 options->gss_deleg_creds = 0;
1717 if (options->password_authentication == -1)
1718 options->password_authentication = 1;
1719 if (options->kbd_interactive_authentication == -1)
1720 options->kbd_interactive_authentication = 1;
1721 if (options->rhosts_rsa_authentication == -1)
1722 options->rhosts_rsa_authentication = 0;
1723 if (options->hostbased_authentication == -1)
1724 options->hostbased_authentication = 0;
1725 if (options->batch_mode == -1)
1726 options->batch_mode = 0;
1727 if (options->check_host_ip == -1)
1728 options->check_host_ip = 0;
/*
 * Neither "yes" nor "no": presumably the "ask" setting that prompts before
 * an unknown host key is accepted — confirm against the keyword parser,
 * which is outside this excerpt.
 */
1729 if (options->strict_host_key_checking == -1)
1730 options->strict_host_key_checking = 2; /* 2 is default */
1731 if (options->compression == -1)
1732 options->compression = 0;
1733 if (options->tcp_keep_alive == -1)
1734 options->tcp_keep_alive = 1;
1735 if (options->compression_level == -1)
1736 options->compression_level = 6;
1737 if (options->port == -1)
1738 options->port = 0; /* Filled in ssh_connect. */
1739 if (options->address_family == -1)
1740 options->address_family = AF_UNSPEC;
1741 if (options->connection_attempts == -1)
1742 options->connection_attempts = 1;
1743 if (options->number_of_password_prompts == -1)
1744 options->number_of_password_prompts = 3;
1745 /* Selected in ssh_login(). */
1746 if (options->cipher == -1)
1747 options->cipher = SSH_CIPHER_NOT_SET;
1748 /* options->ciphers, default set in myproposals.h */
1749 /* options->macs, default set in myproposals.h */
1750 /* options->kex_algorithms, default set in myproposals.h */
1751 /* options->hostkeyalgorithms, default set in myproposals.h */
/* Protocol 2 only, unless the user asked for something else. */
1752 if (options->protocol == SSH_PROTO_UNKNOWN)
1753 options->protocol = SSH_PROTO_2;
/*
 * No IdentityFile given: register the standard key files under ~/ for
 * each enabled protocol version, in this order.  The ECDSA entry is only
 * compiled in when OpenSSL provides ECC.
 */
1754 if (options->num_identity_files == 0) {
1755 if (options->protocol & SSH_PROTO_1) {
1756 add_identity_file(options, "~/",
1757 _PATH_SSH_CLIENT_IDENTITY, 0);
1759 if (options->protocol & SSH_PROTO_2) {
1760 add_identity_file(options, "~/",
1761 _PATH_SSH_CLIENT_ID_RSA, 0);
1762 add_identity_file(options, "~/",
1763 _PATH_SSH_CLIENT_ID_DSA, 0);
1764 #ifdef OPENSSL_HAS_ECC
1765 add_identity_file(options, "~/",
1766 _PATH_SSH_CLIENT_ID_ECDSA, 0);
1768 add_identity_file(options, "~/",
1769 _PATH_SSH_CLIENT_ID_ED25519, 0);
1772 if (options->escape_char == -1)
1773 options->escape_char = '~';
/*
 * Known-hosts files: two system-wide and two per-user paths.  The
 * defaults are heap copies (xstrdup), so the entries are owned by the
 * struct like any user-supplied value.
 */
1774 if (options->num_system_hostfiles == 0) {
1775 options->system_hostfiles[options->num_system_hostfiles++] =
1776 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE);
1777 options->system_hostfiles[options->num_system_hostfiles++] =
1778 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2);
1780 if (options->num_user_hostfiles == 0) {
1781 options->user_hostfiles[options->num_user_hostfiles++] =
1782 xstrdup(_PATH_SSH_USER_HOSTFILE);
1783 options->user_hostfiles[options->num_user_hostfiles++] =
1784 xstrdup(_PATH_SSH_USER_HOSTFILE2);
1786 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1787 options->log_level = SYSLOG_LEVEL_INFO;
/* ClearAllForwardings was requested: hand over to clear_forwardings(). */
1788 if (options->clear_forwardings == 1)
1789 clear_forwardings(options);
1790 if (options->no_host_authentication_for_localhost == - 1)
1791 options->no_host_authentication_for_localhost = 0;
1792 if (options->identities_only == -1)
1793 options->identities_only = 0;
1794 if (options->enable_ssh_keysign == -1)
1795 options->enable_ssh_keysign = 0;
/* 0 for both rekey settings means "use the built-in limits". */
1796 if (options->rekey_limit == -1)
1797 options->rekey_limit = 0;
1798 if (options->rekey_interval == -1)
1799 options->rekey_interval = 0;
/*
 * VerifyHostKeyDNS.  The two blocks below look like alternative
 * preprocessor branches (the directive lines between them are not in
 * this listing).  Where the first one is compiled in, a host key matching
 * a validated SSHFP record is presumably accepted without the usual
 * prompt, so host-key trust then rests on the resolver's DNSSEC
 * validation — worth confirming this is the intended default.
 */
1801 if (options->verify_host_key_dns == -1)
1802 /* automatically trust a verified SSHFP record */
1803 options->verify_host_key_dns = 1;
1805 if (options->verify_host_key_dns == -1)
1806 options->verify_host_key_dns = 0;
1808 if (options->server_alive_interval == -1)
1809 options->server_alive_interval = 0;
1810 if (options->server_alive_count_max == -1)
1811 options->server_alive_count_max = 3;
1812 if (options->control_master == -1)
1813 options->control_master = 0;
/* ControlPersist off: the flag and its timeout are cleared together. */
1814 if (options->control_persist == -1) {
1815 options->control_persist = 0;
1816 options->control_persist_timeout = 0;
1818 if (options->hash_known_hosts == -1)
1819 options->hash_known_hosts = 0;
1820 if (options->tun_open == -1)
1821 options->tun_open = SSH_TUNMODE_NO;
1822 if (options->tun_local == -1)
1823 options->tun_local = SSH_TUNID_ANY;
1824 if (options->tun_remote == -1)
1825 options->tun_remote = SSH_TUNID_ANY;
1826 if (options->permit_local_command == -1)
1827 options->permit_local_command = 0;
/*
 * NOTE(review): roaming is on by default here.  The client-side roaming
 * code was later disabled upstream after a memory-disclosure problem was
 * found in it; confirm that this tree wants it enabled.
 */
1828 if (options->use_roaming == -1)
1829 options->use_roaming = 1;
1830 if (options->visual_host_key == -1)
1831 options->visual_host_key = 0;
/* IPQoS: low delay for interactive traffic, throughput for bulk. */
1832 if (options->ip_qos_interactive == -1)
1833 options->ip_qos_interactive = IPTOS_LOWDELAY;
1834 if (options->ip_qos_bulk == -1)
1835 options->ip_qos_bulk = IPTOS_THROUGHPUT;
1836 if (options->request_tty == -1)
1837 options->request_tty = REQUEST_TTY_AUTO;
1838 if (options->proxy_use_fdpass == -1)
1839 options->proxy_use_fdpass = 0;
/* Same three defaults as fill_default_options_for_canonicalization(). */
1840 if (options->canonicalize_max_dots == -1)
1841 options->canonicalize_max_dots = 1;
1842 if (options->canonicalize_fallback_local == -1)
1843 options->canonicalize_fallback_local = 1;
1844 if (options->canonicalize_hostname == -1)
1845 options->canonicalize_hostname = SSH_CANONICALISE_NO;
/*
 * Presumably frees the string and resets the pointer when the option is
 * unset or "none" (see option_clear_or_none()); the macro body is only
 * partly shown in this listing.
 */
1846 #define CLEAR_ON_NONE(v) \
1848 if (option_clear_or_none(v)) { \
1853 CLEAR_ON_NONE(options->local_command);
1854 CLEAR_ON_NONE(options->proxy_command);
1855 CLEAR_ON_NONE(options->control_path);
1856 /* options->user will be set in the main program if appropriate */
1857 /* options->hostname will be set in the main program if appropriate */
1858 /* options->host_key_alias should not be set by default */
1859 /* options->preferred_authentications will be set in ssh */
/* FreeBSD: addendum appended to the version string. */
1860 if (options->version_addendum == NULL)
1861 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
/* HPN (high-performance networking) patch options. */
1862 if (options->hpn_disabled == -1)
1863 options->hpn_disabled = 0;
/*
 * NOTE(review): the units in this block look inconsistent.  The bound
 * compares hpn_buffer_size with maxlen / 1024 (treating the field as KiB,
 * and the debug message multiplies it by 1024), but the clamp then stores
 * maxlen itself, and the zero case stores 1024.  The field is an int
 * (set through intptr in the parser and printed with %d below) but is
 * passed to %u here.  Confirm the intended unit; maxlen is declared
 * outside this excerpt.
 */
1864 if (options->hpn_buffer_size > -1)
1868 /* If a user tries to set the size to 0 set it to 1KB. */
1869 if (options->hpn_buffer_size == 0)
1870 options->hpn_buffer_size = 1024;
1871 /* Limit the buffer to BUFFER_MAX_LEN. */
1872 maxlen = buffer_get_max_len();
1873 if (options->hpn_buffer_size > (maxlen / 1024)) {
1874 debug("User requested buffer larger than %ub: %ub. "
1875 "Request reverted to %ub", maxlen,
1876 options->hpn_buffer_size * 1024, maxlen);
1877 options->hpn_buffer_size = maxlen;
1879 debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
/*
 * TcpRcvBuf: a value of 0 is bumped to 1, then any non-negative value is
 * multiplied by 1024 (KiB to bytes, presumably); -1 is left alone.
 */
1881 if (options->tcp_rcv_buf == 0)
1882 options->tcp_rcv_buf = 1;
1883 if (options->tcp_rcv_buf > -1)
1884 options->tcp_rcv_buf *= 1024;
1885 if (options->tcp_rcv_buf_poll == -1)
1886 options->tcp_rcv_buf_poll = 1;
1887 #ifdef NONE_CIPHER_ENABLED
1888 /* options->none_enabled must not be set by default */
/* NoneSwitch defaults to off, so the NONE cipher is never used unless explicitly requested. */
1889 if (options->none_switch == -1)
1890 options->none_switch = 0;
1896 * parses a string containing a port forwarding specification of the form:
1898 * [listenhost:]listenport:connecthost:connectport
1900 * [listenhost:]listenport
1901 * returns number of arguments parsed or zero on error
1904 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1907 char *p, *cp, *fwdarg[4];
1909 memset(fwd, '\0', sizeof(*fwd));
1911 cp = p = xstrdup(fwdspec);
1913 /* skip leading spaces */
1914 while (isspace((u_char)*cp))
1917 for (i = 0; i < 4; ++i)
1918 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1921 /* Check for trailing garbage */
1923 i = 0; /* failure */
1927 fwd->listen_host = NULL;
1928 fwd->listen_port = a2port(fwdarg[0]);
1929 fwd->connect_host = xstrdup("socks");
1933 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1934 fwd->listen_port = a2port(fwdarg[1]);
1935 fwd->connect_host = xstrdup("socks");
1939 fwd->listen_host = NULL;
1940 fwd->listen_port = a2port(fwdarg[0]);
1941 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1942 fwd->connect_port = a2port(fwdarg[2]);
1946 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1947 fwd->listen_port = a2port(fwdarg[1]);
1948 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1949 fwd->connect_port = a2port(fwdarg[3]);
1952 i = 0; /* failure */
1958 if (!(i == 1 || i == 2))
1961 if (!(i == 3 || i == 4))
1963 if (fwd->connect_port <= 0)
1967 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
1970 if (fwd->connect_host != NULL &&
1971 strlen(fwd->connect_host) >= NI_MAXHOST)
1973 if (fwd->listen_host != NULL &&
1974 strlen(fwd->listen_host) >= NI_MAXHOST)
1981 free(fwd->connect_host);
1982 fwd->connect_host = NULL;
1983 free(fwd->listen_host);
1984 fwd->listen_host = NULL;