1 /* $OpenBSD: readconf.c,v 1.218 2014/02/23 20:11:36 djm Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
18 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <sys/sysctl.h>
24 #include <netinet/in.h>
25 #include <netinet/in_systm.h>
26 #include <netinet/ip.h>
27 #include <arpa/inet.h>
50 #include "pathnames.h"
62 /* Format of the configuration file:
64 # Configuration data is parsed as follows:
65 # 1. command line options
66 # 2. user-specific file
# Each configuration value is taken from the first directive that sets it;
# later settings of the same value are ignored. Host-specific definitions
# therefore belong at the beginning of the configuration file and the
# defaults at the end.
72 # Host-specific declarations. These may override anything above. A single
73 # host may match multiple declarations; these are processed in the order
74 # that they are given in.
80 HostName another.host.name.real.org
87 RemoteForward 9999 shadows.cs.hut.fi:9999
93 PasswordAuthentication no
97 ProxyCommand ssh-proxy %h %p
100 PublicKeyAuthentication no
104 PasswordAuthentication no
110 # Defaults for various options
114 PasswordAuthentication yes
115 RSAAuthentication yes
116 RhostsRSAAuthentication yes
117 StrictHostKeyChecking yes
119 IdentityFile ~/.ssh/identity
125 /* Keyword tokens. */
	/*
	 * One opcode per configuration keyword family. keywords[] (below)
	 * maps the lower-cased textual name onto one of these and
	 * process_config_line() switches on the result. The enum's opening
	 * typedef line and a few members that the table references
	 * (oHashKnownHosts, oVersionAddendum) fall outside this excerpt.
	 */
	oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
	oGatewayPorts, oExitOnForwardFailure,
	oPasswordAuthentication, oRSAAuthentication,
	oChallengeResponseAuthentication, oXAuthLocation,
	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
	oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
	oSendEnv, oControlPath, oControlMaster, oControlPersist,
	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
	oVisualHostKey, oUseRoaming,
	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
	/*
	 * Pseudo-opcodes. oIgnoredUnknownOption is what parse_token() returns
	 * for a name matched by the IgnoreUnknown pattern list; oDeprecated and
	 * oUnsupported are what the table assigns to obsolete keywords and to
	 * keywords whose support is absent from this build, presumably so the
	 * parser can report them distinctly from typos (that handling is not
	 * in this excerpt).
	 */
	oIgnoredUnknownOption, oDeprecated, oUnsupported
159 /* Textual representations of the tokens. */
	/*
	 * Keyword lookup table consumed by parse_token(). Entries are matched
	 * with an exact strcmp() after the caller has lower-cased the keyword,
	 * so every name here must be spelled entirely in lower case. The
	 * table's declaration and the NULL-name terminator that
	 * parse_token()'s loop relies on are outside this excerpt.
	 */
	{ "forwardagent", oForwardAgent },
	{ "forwardx11", oForwardX11 },
	{ "forwardx11trusted", oForwardX11Trusted },
	{ "forwardx11timeout", oForwardX11Timeout },
	{ "exitonforwardfailure", oExitOnForwardFailure },
	{ "xauthlocation", oXAuthLocation },
	{ "gatewayports", oGatewayPorts },
	{ "useprivilegedport", oUsePrivilegedPort },
	/* Legacy/insecure rhosts authentication is accepted but ignored. */
	{ "rhostsauthentication", oDeprecated },
	{ "passwordauthentication", oPasswordAuthentication },
	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
	{ "kbdinteractivedevices", oKbdInteractiveDevices },
	{ "rsaauthentication", oRSAAuthentication },
	{ "pubkeyauthentication", oPubkeyAuthentication },
	{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
	{ "hostbasedauthentication", oHostbasedAuthentication },
	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
	{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
	{ "kerberosauthentication", oUnsupported },
	{ "kerberostgtpassing", oUnsupported },
	{ "afstokenpassing", oUnsupported },
	/*
	 * gssapi* appears twice: the two pairs are presumably the branches of
	 * a GSSAPI build conditional whose #if/#else lines are not shown, so
	 * only one pair is compiled in.
	 */
	{ "gssapiauthentication", oGssAuthentication },
	{ "gssapidelegatecredentials", oGssDelegateCreds },
	{ "gssapiauthentication", oUnsupported },
	{ "gssapidelegatecredentials", oUnsupported },
	{ "fallbacktorsh", oDeprecated },
	{ "usersh", oDeprecated },
	{ "identityfile", oIdentityFile },
	{ "identityfile2", oIdentityFile }, /* obsolete */
	{ "identitiesonly", oIdentitiesOnly },
	{ "hostname", oHostName },
	{ "hostkeyalias", oHostKeyAlias },
	{ "proxycommand", oProxyCommand },
	{ "cipher", oCipher },
	{ "ciphers", oCiphers },
	{ "protocol", oProtocol },
	{ "remoteforward", oRemoteForward },
	{ "localforward", oLocalForward },
	{ "escapechar", oEscapeChar },
	{ "globalknownhostsfile", oGlobalKnownHostsFile },
	{ "globalknownhostsfile2", oDeprecated },
	{ "userknownhostsfile", oUserKnownHostsFile },
	{ "userknownhostsfile2", oDeprecated },
	{ "connectionattempts", oConnectionAttempts },
	{ "batchmode", oBatchMode },
	{ "checkhostip", oCheckHostIP },
	{ "stricthostkeychecking", oStrictHostKeyChecking },
	{ "compression", oCompression },
	{ "compressionlevel", oCompressionLevel },
	{ "tcpkeepalive", oTCPKeepAlive },
	{ "keepalive", oTCPKeepAlive }, /* obsolete */
	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
	{ "loglevel", oLogLevel },
	{ "dynamicforward", oDynamicForward },
	{ "preferredauthentications", oPreferredAuthentications },
	{ "hostkeyalgorithms", oHostKeyAlgorithms },
	{ "bindaddress", oBindAddress },
	/*
	 * Same pattern as gssapi*: one pair is the PKCS#11-enabled build, the
	 * oUnsupported pair the build without it; the conditional is not
	 * shown here.
	 */
	{ "smartcarddevice", oPKCS11Provider },
	{ "pkcs11provider", oPKCS11Provider },
	{ "smartcarddevice", oUnsupported },
	{ "pkcs11provider", oUnsupported },
	{ "clearallforwardings", oClearAllForwardings },
	{ "enablesshkeysign", oEnableSSHKeysign },
	{ "verifyhostkeydns", oVerifyHostKeyDNS },
	{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
	{ "rekeylimit", oRekeyLimit },
	{ "connecttimeout", oConnectTimeout },
	{ "addressfamily", oAddressFamily },
	{ "serveraliveinterval", oServerAliveInterval },
	{ "serveralivecountmax", oServerAliveCountMax },
	{ "sendenv", oSendEnv },
	{ "controlpath", oControlPath },
	{ "controlmaster", oControlMaster },
	{ "controlpersist", oControlPersist },
	{ "hashknownhosts", oHashKnownHosts },
	{ "tunnel", oTunnel },
	{ "tunneldevice", oTunnelDevice },
	{ "localcommand", oLocalCommand },
	{ "permitlocalcommand", oPermitLocalCommand },
	{ "visualhostkey", oVisualHostKey },
	{ "useroaming", oUseRoaming },
	{ "kexalgorithms", oKexAlgorithms },
	{ "requesttty", oRequestTTY },
	{ "proxyusefdpass", oProxyUseFdpass },
	{ "canonicaldomains", oCanonicalDomains },
	{ "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
	{ "canonicalizehostname", oCanonicalizeHostname },
	{ "canonicalizemaxdots", oCanonicalizeMaxDots },
	{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
	{ "ignoreunknown", oIgnoreUnknown },
	/* Keywords from the HPN patch set (presumably), accepted as no-ops. */
	{ "hpndisabled", oDeprecated },
	{ "hpnbuffersize", oDeprecated },
	{ "tcprcvbufpoll", oDeprecated },
	{ "tcprcvbuf", oDeprecated },
	/*
	 * Vendor extension: oVersionAddendum is not among the enumerators
	 * visible above, and this tree carries other FreeBSD-specific code
	 * (the portrange sysctl in add_local_forward()).
	 */
	{ "versionaddendum", oVersionAddendum },
279 * Adds a local TCP/IP port forward to options. Never returns if there is an
add_local_forward(Options *options, const Forward *newfwd)
	/*
	 * Append newfwd to options->local_forwards. process_config_line()
	 * routes both LocalForward and DynamicForward here. The Forward's
	 * string members are adopted by pointer, not copied: the caller must
	 * not free them, and clear_forwardings() releases them later.
	 *
	 * Privileged-port policy: ssh may be installed set-uid root
	 * (UsePrivilegedPort / rhosts-style authentication), so the check is
	 * made against the invoking user's *real* uid, not the effective one.
	 * Only root may ask for a local listener below the reserved boundary.
	 * This is purely a client-side rule for *local* listeners; remote
	 * listeners (add_remote_forward) are the server's business.
	 *
	 * Several preprocessor lines of this region (the FreeBSD-only block
	 * around the sysctl, its #else/#endif, and the "+1" adjustment for
	 * the sysctl's inclusive bound) are not in this excerpt — confirm
	 * against the full file before reasoning about the exact boundary.
	 */
#ifndef NO_IPPORT_RESERVED_CONCEPT
	extern uid_t original_real_uid;
	size_t len_ipport_reserved = sizeof(ipport_reserved);

	/*
	 * FreeBSD exposes the top of the reserved range as a sysctl; if it
	 * cannot be read, fall back to the compile-time constant rather than
	 * to "no restriction".
	 */
	if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
	    &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
		ipport_reserved = IPPORT_RESERVED;
	/* Non-FreeBSD branch: fixed boundary. */
	ipport_reserved = IPPORT_RESERVED;
	if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
		fatal("Privileged ports can only be forwarded by root.");
	/* xrealloc aborts on failure or size overflow; no NULL check needed. */
	options->local_forwards = xrealloc(options->local_forwards,
	    options->num_local_forwards + 1,
	    sizeof(*options->local_forwards));
	fwd = &options->local_forwards[options->num_local_forwards++];

	/* Shallow copy: ownership of the two strings transfers to options. */
	fwd->listen_host = newfwd->listen_host;
	fwd->listen_port = newfwd->listen_port;
	fwd->connect_host = newfwd->connect_host;
	fwd->connect_port = newfwd->connect_port;
316 * Adds a remote TCP/IP port forward to options. Never returns if there is
add_remote_forward(Options *options, const Forward *newfwd)
	/*
	 * Append newfwd to options->remote_forwards. As with the local
	 * variant the string members are adopted by pointer and freed by
	 * clear_forwardings(). No privileged-port check is made here: the
	 * listening side is the server, which enforces its own policy.
	 * allocated_port starts at 0 and is presumably filled in later when
	 * the server reports the port it actually bound (e.g. for a "0"
	 * listen port); handle is carried over from the caller.
	 */
	options->remote_forwards = xrealloc(options->remote_forwards,
	    options->num_remote_forwards + 1,
	    sizeof(*options->remote_forwards));
	fwd = &options->remote_forwards[options->num_remote_forwards++];

	fwd->listen_host = newfwd->listen_host;
	fwd->listen_port = newfwd->listen_port;
	fwd->connect_host = newfwd->connect_host;
	fwd->connect_port = newfwd->connect_port;
	fwd->handle = newfwd->handle;
	fwd->allocated_port = 0;
clear_forwardings(Options *options)
	/*
	 * Implementation of ClearAllForwardings: free every local and remote
	 * forward (both the adopted host strings and the arrays), reset the
	 * counts, and disable tunnel forwarding. Pointers are NULLed after
	 * free so a later add_*_forward() starts from a clean xrealloc(NULL).
	 * Note that tun_local/tun_remote (TunnelDevice) are left untouched;
	 * only the tunnel *mode* is cleared.
	 */
	for (i = 0; i < options->num_local_forwards; i++) {
		free(options->local_forwards[i].listen_host);
		free(options->local_forwards[i].connect_host);
	if (options->num_local_forwards > 0) {
		free(options->local_forwards);
		options->local_forwards = NULL;
	options->num_local_forwards = 0;
	for (i = 0; i < options->num_remote_forwards; i++) {
		free(options->remote_forwards[i].listen_host);
		free(options->remote_forwards[i].connect_host);
	if (options->num_remote_forwards > 0) {
		free(options->remote_forwards);
		options->remote_forwards = NULL;
	options->num_remote_forwards = 0;
	options->tun_open = SSH_TUNMODE_NO;
add_identity_file(Options *options, const char *dir, const char *filename,
	/*
	 * Append one IdentityFile entry. The remainder of the parameter list
	 * (presumably the "userprovided" flag stored below) and the local
	 * declarations are on lines not included in this excerpt. Enforces
	 * the SSH_MAX_IDENTITY_FILES cap; the filename is either taken
	 * verbatim (dir == NULL) or prefixed with dir.
	 *
	 * NOTE(review): the "%.100s%.100s" format silently truncates dir and
	 * filename to 100 bytes each. A sufficiently long directory would
	 * yield a path to a *different* file than the one configured, with no
	 * diagnostic. Whether callers can ever pass such values is not
	 * visible here — worth confirming.
	 */
	if (options->num_identity_files >= SSH_MAX_IDENTITY_FILES)
		fatal("Too many identity files specified (max %d)",
		    SSH_MAX_IDENTITY_FILES);

	if (dir == NULL) /* no dir, filename is absolute */
		path = xstrdup(filename);
	/* else: join dir and filename (the "else" keyword is on an omitted line). */
		(void)xasprintf(&path, "%.100s%.100s", dir, filename);

	/* Record whether the user named this file explicitly (RHS on omitted line). */
	options->identity_file_userprovided[options->num_identity_files] =
	options->identity_files[options->num_identity_files++] = path;
default_ssh_port(void)
	/*
	 * Port to assume when no Port directive has been processed yet
	 * (match_cfg_line() uses it): the SSH_SERVICE_NAME entry of the local
	 * services database if present, else SSH_DEFAULT_PORT. The services
	 * file is trusted local configuration, so no further validation is
	 * done on the value. Declarations, braces and the return are not in
	 * this excerpt. getservbyname() returns static storage, which is fine
	 * for single-threaded config parsing.
	 */
	sp = getservbyname(SSH_SERVICE_NAME, "tcp");
	port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT;
398 * Execute a command in a shell.
399 * Return its exit status or -1 on abnormal exit.
execute_in_shell(const char *cmd)
	/*
	 * Run cmd as "$SHELL -c 'exec cmd'" in a child whose privileges have
	 * been permanently dropped to the invoking user, with stdin/stdout on
	 * /dev/null and every descriptor above stderr closed. Blocks until the
	 * child finishes. Returns its exit status, or -1 if it did not exit
	 * normally (the exec-failure path below deliberately dies by signal
	 * so that it is reported as -1 rather than as a status).
	 *
	 * Security notes: cmd is handed to the shell verbatim, so anything a
	 * caller interpolates into it (match_cfg_line() %-expands host, user
	 * and port into the Match exec string) is shell-interpreted. The
	 * shell comes from the user's own $SHELL and the child runs with the
	 * user's real uid, so this is not a privilege boundary by itself — the
	 * privilege drop is what matters when ssh is set-uid.
	 */
	char *shell, *command_string;
	extern uid_t original_real_uid;

	if ((shell = getenv("SHELL")) == NULL)
		shell = _PATH_BSHELL;
	/*
	 * Use "exec" to avoid "sh -c" processes on some platforms
	 */
	xasprintf(&command_string, "exec %s", cmd);

	/* Need this to redirect subprocess stdin/out */
	if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1)
		fatal("open(/dev/null): %s", strerror(errno));

	debug("Executing command: '%.500s'", cmd);

	/* Fork and execute the command. */
	if ((pid = fork()) == 0) {
		/*
		 * Child. Permanently give up superuser privileges. ssh may be
		 * installed set-uid root; nothing launched from a config file
		 * may inherit that, so drop to the real uid before the shell
		 * is touched, and do it irreversibly (no saved set-uid to
		 * climb back to).
		 */
		permanently_drop_suid(original_real_uid);

		/* Redirect child stdin and stdout. Leave stderr */
		if (dup2(devnull, STDIN_FILENO) == -1)
			fatal("dup2: %s", strerror(errno));
		if (dup2(devnull, STDOUT_FILENO) == -1)
			fatal("dup2: %s", strerror(errno));
		/*
		 * Close devnull itself (its close() is on an omitted line, the
		 * body of this if) and then everything above stderr, so the
		 * command cannot reach descriptors ssh may hold open.
		 */
		if (devnull > STDERR_FILENO)
		closefrom(STDERR_FILENO + 1);

		/* argv[0]/argv[1] (shell, "-c") and the NULL terminator are on omitted lines. */
		argv[2] = command_string;

		/* execv, not execvp: the shell path is used as given, no PATH search. */
		execv(argv[0], argv);
		error("Unable to execute '%.100s': %s", cmd, strerror(errno));
		/* Die with signal to make this error apparent to parent. */
		signal(SIGTERM, SIG_DFL);
		kill(getpid(), SIGTERM);
	/* Parent: fork failure (pid < 0 test on an omitted line). */
		fatal("%s: fork: %.100s", __func__, strerror(errno));

	/*
	 * NOTE(review): the parent's close(devnull) is not visible in this
	 * excerpt; if it were truly absent one descriptor would leak per
	 * Match exec evaluation — confirm against the full file.
	 */
	free(command_string);

	/* Reap the child; retry if a signal interrupts the wait. */
	while (waitpid(pid, &status, 0) == -1) {
		if (errno != EINTR && errno != EAGAIN)
			fatal("%s: waitpid: %s", __func__, strerror(errno));
	/* Killed by a signal (including our own SIGTERM above): -1 (return on omitted line). */
	if (!WIFEXITED(status)) {
		error("command '%.100s' exited abnormally", cmd);
	debug3("command returned status %d", WEXITSTATUS(status));
	return WEXITSTATUS(status);
472 * Parse and execute a Match directive.
match_cfg_line(Options *options, char **condition, struct passwd *pw,
    const char *host_arg, const char *filename, int linenum)
	/*
	 * Evaluate a Match directive's criteria (*condition) and return
	 * whether the block applies (result). Criteria are
	 * "attribute value" pairs; all of them must hold. Supported:
	 * all, host, originalhost, user, localuser, exec. "all" must be the
	 * sole criterion. A malformed line sets an error and presumably
	 * returns -1 (the return paths are not in this excerpt).
	 *
	 * host is the *target* after HostName rewriting (with %h expanded),
	 * originalhost is the name given on the command line; the two can
	 * differ and Match host deliberately sees the rewritten one.
	 */
	char *arg, *attrib, *cmd, *cp = *condition, *host;
	int r, port, result = 1, attributes = 0;
	char thishost[NI_MAXHOST], shorthost[NI_MAXHOST], portstr[NI_MAXSERV];

	/*
	 * Configuration is likely to be incomplete at this point so we
	 * must be prepared to use default values for the port and remote
	 * user (they are used below for %-expansion of exec commands).
	 */
	port = options->port <= 0 ? default_ssh_port() : options->port;
	ruser = options->user == NULL ? pw->pw_name : options->user;
	if (options->hostname != NULL) {
		/* NB. Please keep in sync with ssh.c:main() */
		host = percent_expand(options->hostname,
		    "h", host_arg, (char *)NULL);
	host = xstrdup(host_arg);
	debug3("checking match for '%s' host %s", cp, host);
	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
		/* "all" must be the first attribute and nothing may follow it. */
		if (strcasecmp(attrib, "all") == 0) {
			if (attributes != 1 ||
			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
				error("'all' cannot be combined with other "
		/* Every other attribute needs a value. */
		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
			error("Missing Match criteria for %s", attrib);
		if (strcasecmp(attrib, "host") == 0) {
			if (match_hostname(host, arg, len) != 1)
			debug("%.200s line %d: matched 'Host %.100s' ",
			    filename, linenum, host);
		} else if (strcasecmp(attrib, "originalhost") == 0) {
			if (match_hostname(host_arg, arg, len) != 1)
			debug("%.200s line %d: matched "
			    "'OriginalHost %.100s' ",
			    filename, linenum, host_arg);
		} else if (strcasecmp(attrib, "user") == 0) {
			if (match_pattern_list(ruser, arg, len, 0) != 1)
			debug("%.200s line %d: matched 'User %.100s' ",
			    filename, linenum, ruser);
		} else if (strcasecmp(attrib, "localuser") == 0) {
			if (match_pattern_list(pw->pw_name, arg, len, 0) != 1)
			debug("%.200s line %d: matched "
			    "'LocalUser %.100s' ",
			    filename, linenum, pw->pw_name);
		} else if (strcasecmp(attrib, "exec") == 0) {
			/*
			 * Build the command: the criterion text is %-expanded
			 * (the token list is on omitted lines; the values
			 * prepared here are the local host name, its short
			 * form, the port, plus ruser/host from above) and run
			 * through execute_in_shell() as the invoking user.
			 *
			 * Security caveat: host/host_arg come from the command
			 * line (or HostName) and land *unquoted* in a shell
			 * command line. For interactive ssh(1) that is the
			 * user's own input, but anything that feeds untrusted
			 * host strings into ssh (URL handlers, wrappers) must
			 * validate them first or shell metacharacters in the
			 * name will be interpreted.
			 */
			if (gethostname(thishost, sizeof(thishost)) == -1)
				fatal("gethostname: %s", strerror(errno));
			strlcpy(shorthost, thishost, sizeof(shorthost));
			shorthost[strcspn(thishost, ".")] = '\0';
			snprintf(portstr, sizeof(portstr), "%d", port);

			cmd = percent_expand(arg,
			/*
			 * Skip execution if a prior predicate already failed:
			 * the block cannot apply, so don't pay for (or cause
			 * side effects from) running an external command.
			 */
			debug("%.200s line %d: skipped exec \"%.100s\"",
			    filename, linenum, cmd);
			r = execute_in_shell(cmd);
			/* -1 (abnormal exit) is a hard error, not a non-match. */
				fatal("%.200s line %d: match exec "
				    "'%.100s' error", filename,
			/* Presumably exit status 0 => matched (comparison on omitted line). */
				debug("%.200s line %d: matched "
				    "'exec \"%.100s\"'", filename,
				debug("%.200s line %d: no match "
				    "'exec \"%.100s\"'", filename,
			error("Unsupported Match attribute %s", attrib);
	if (attributes == 0) {
		error("One or more attributes required for Match");
	debug3("match %sfound", result ? "" : "not ");
601 /* Check and prepare a domain name: removes trailing '.' and lowercases */
valid_domain(char *name, const char *filename, int linenum)
	/*
	 * Validate a CanonicalDomains hostname suffix in place: lower-case it
	 * and strip one trailing '.'. Aborts via fatal() on an empty name, a
	 * first byte that is not a letter or digit, consecutive '.'
	 * separators, or any byte outside [A-Za-z0-9._-] ('_' is tolerated
	 * because it is common in practice although not valid in DNS).
	 *
	 * Rationale: by the option's name these suffixes get appended to
	 * host names during canonicalisation (done elsewhere), so they are
	 * confined to a plausible DNS label alphabet before they can
	 * influence what gets resolved.
	 *
	 * The store of the lower-cased byte back into name[i] and the
	 * "last = c" update belong to lines not included in this excerpt.
	 */
	size_t i, l = strlen(name);
	u_char c, last = '\0';

	/* (l == 0 test on the preceding, omitted line) */
		fatal("%s line %d: empty hostname suffix", filename, linenum);
	/* ctype calls always get an unsigned char: high-bit bytes are not UB. */
	if (!isalpha((u_char)name[0]) && !isdigit((u_char)name[0]))
		fatal("%s line %d: hostname suffix \"%.100s\" "
		    "starts with invalid character", filename, linenum, name);
	for (i = 0; i < l; i++) {
		c = tolower((u_char)name[i]);
		if (last == '.' && c == '.')
			fatal("%s line %d: hostname suffix \"%.100s\" contains "
			    "consecutive separators", filename, linenum, name);
		if (c != '.' && c != '-' && !isalnum(c) &&
		    c != '_') /* technically invalid, but common */
			fatal("%s line %d: hostname suffix \"%.100s\" contains "
			    "invalid characters", filename, linenum, name);
	/*
	 * Drop a single trailing dot (fully-qualified spelling) so a later
	 * "host.suffix" join has no dangling separator; l > 0 is guaranteed
	 * by the empty-name check above, so name[l - 1] is in bounds.
	 */
	if (name[l - 1] == '.')
630 * Returns the number of the token pointed to by cp or oBadOption.
parse_token(const char *cp, const char *filename, int linenum,
    const char *ignored_unknown)
	/*
	 * Map a keyword (already lower-cased by the caller) onto its opcode.
	 * The table scan is an exact strcmp(); the IgnoreUnknown pattern
	 * list, by contrast, is matched case-insensitively (the final
	 * argument, presumably the dolower flag, is 1). Names matched by
	 * IgnoreUnknown yield oIgnoredUnknownOption; anything else logs an
	 * error and falls through to the oBadOption return, which is on a
	 * line not included in this excerpt.
	 */
	for (i = 0; keywords[i].name; i++)	/* NULL-name sentinel ends the table */
		if (strcmp(cp, keywords[i].name) == 0)
			return keywords[i].opcode;
	if (ignored_unknown != NULL && match_pattern_list(cp, ignored_unknown,
	    strlen(ignored_unknown), 1) == 1)
		return oIgnoredUnknownOption;
	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
649 /* Multistate option parsing */
/*
 * Value tables for the parse_multistate path of process_config_line():
 * the argument is compared case-insensitively against each key in order
 * and the first hit's value is stored, but only if the option is still
 * unset. The struct multistate definition and the entries of the first
 * two tables (presumably the true/false/yes/no spellings, and yes/no/ask)
 * are not in this excerpt.
 */
static const struct multistate multistate_flag[] = {
/* yes/no/ask: used by StrictHostKeyChecking and VerifyHostKeyDNS. */
static const struct multistate multistate_yesnoask[] = {
/* AddressFamily ("inet" entry on an omitted line). */
static const struct multistate multistate_addressfamily[] = {
	{ "inet6", AF_INET6 },
	{ "any", AF_UNSPEC },
static const struct multistate multistate_controlmaster[] = {
	{ "true", SSHCTL_MASTER_YES },
	{ "yes", SSHCTL_MASTER_YES },
	{ "false", SSHCTL_MASTER_NO },
	{ "no", SSHCTL_MASTER_NO },
	{ "auto", SSHCTL_MASTER_AUTO },
	{ "ask", SSHCTL_MASTER_ASK },
	{ "autoask", SSHCTL_MASTER_AUTO_ASK },
/* Tunnel: a bare yes/true selects SSH_TUNMODE_DEFAULT rather than a layer. */
static const struct multistate multistate_tunnel[] = {
	{ "ethernet", SSH_TUNMODE_ETHERNET },
	{ "point-to-point", SSH_TUNMODE_POINTOPOINT },
	{ "true", SSH_TUNMODE_DEFAULT },
	{ "yes", SSH_TUNMODE_DEFAULT },
	{ "false", SSH_TUNMODE_NO },
	{ "no", SSH_TUNMODE_NO },
static const struct multistate multistate_requesttty[] = {
	{ "true", REQUEST_TTY_YES },
	{ "yes", REQUEST_TTY_YES },
	{ "false", REQUEST_TTY_NO },
	{ "no", REQUEST_TTY_NO },
	{ "force", REQUEST_TTY_FORCE },
	{ "auto", REQUEST_TTY_AUTO },
static const struct multistate multistate_canonicalizehostname[] = {
	{ "true", SSH_CANONICALISE_YES },
	{ "false", SSH_CANONICALISE_NO },
	{ "yes", SSH_CANONICALISE_YES },
	{ "no", SSH_CANONICALISE_NO },
	{ "always", SSH_CANONICALISE_ALWAYS },
 * Processes a single option line as used in the configuration files. A value
 * is stored only when the enclosing Host/Match block is active (*activep) and
 * the option has not already been set by an earlier line or the command line,
 * so the first setting of an option wins.
716 #define WHITESPACE " \t\r\n"
718 process_config_line(Options *options, struct passwd *pw, const char *host,
719 char *line, const char *filename, int linenum, int *activep, int userconfig)
721 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
722 char **cpptr, fwdarg[256];
723 u_int i, *uintptr, max_entries = 0;
724 int negated, opcode, *intptr, value, value2, cmdline = 0;
725 LogLevel *log_level_ptr;
729 const struct multistate *multistate_ptr;
730 struct allowed_cname *cname;
732 if (activep == NULL) { /* We are processing a command line directive */
737 /* Strip trailing whitespace */
738 for (len = strlen(line) - 1; len > 0; len--) {
739 if (strchr(WHITESPACE, line[len]) == NULL)
745 /* Get the keyword. (Each line is supposed to begin with a keyword). */
746 if ((keyword = strdelim(&s)) == NULL)
748 /* Ignore leading whitespace. */
749 if (*keyword == '\0')
750 keyword = strdelim(&s);
751 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
753 /* Match lowercase keyword */
756 opcode = parse_token(keyword, filename, linenum,
757 options->ignored_unknown);
761 /* don't panic, but count bad options */
764 case oIgnoredUnknownOption:
765 debug("%s line %d: Ignored unknown option \"%s\"",
766 filename, linenum, keyword);
768 case oConnectTimeout:
769 intptr = &options->connection_timeout;
772 if (!arg || *arg == '\0')
773 fatal("%s line %d: missing time value.",
775 if ((value = convtime(arg)) == -1)
776 fatal("%s line %d: invalid time value.",
778 if (*activep && *intptr == -1)
783 intptr = &options->forward_agent;
785 multistate_ptr = multistate_flag;
788 if (!arg || *arg == '\0')
789 fatal("%s line %d: missing argument.",
792 for (i = 0; multistate_ptr[i].key != NULL; i++) {
793 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
794 value = multistate_ptr[i].value;
799 fatal("%s line %d: unsupported option \"%s\".",
800 filename, linenum, arg);
801 if (*activep && *intptr == -1)
806 intptr = &options->forward_x11;
809 case oForwardX11Trusted:
810 intptr = &options->forward_x11_trusted;
813 case oForwardX11Timeout:
814 intptr = &options->forward_x11_timeout;
818 intptr = &options->gateway_ports;
821 case oExitOnForwardFailure:
822 intptr = &options->exit_on_forward_failure;
825 case oUsePrivilegedPort:
826 intptr = &options->use_privileged_port;
829 case oPasswordAuthentication:
830 intptr = &options->password_authentication;
833 case oKbdInteractiveAuthentication:
834 intptr = &options->kbd_interactive_authentication;
837 case oKbdInteractiveDevices:
838 charptr = &options->kbd_interactive_devices;
841 case oPubkeyAuthentication:
842 intptr = &options->pubkey_authentication;
845 case oRSAAuthentication:
846 intptr = &options->rsa_authentication;
849 case oRhostsRSAAuthentication:
850 intptr = &options->rhosts_rsa_authentication;
853 case oHostbasedAuthentication:
854 intptr = &options->hostbased_authentication;
857 case oChallengeResponseAuthentication:
858 intptr = &options->challenge_response_authentication;
861 case oGssAuthentication:
862 intptr = &options->gss_authentication;
865 case oGssDelegateCreds:
866 intptr = &options->gss_deleg_creds;
870 intptr = &options->batch_mode;
874 intptr = &options->check_host_ip;
877 case oVerifyHostKeyDNS:
878 intptr = &options->verify_host_key_dns;
879 multistate_ptr = multistate_yesnoask;
880 goto parse_multistate;
882 case oStrictHostKeyChecking:
883 intptr = &options->strict_host_key_checking;
884 multistate_ptr = multistate_yesnoask;
885 goto parse_multistate;
888 intptr = &options->compression;
892 intptr = &options->tcp_keep_alive;
895 case oNoHostAuthenticationForLocalhost:
896 intptr = &options->no_host_authentication_for_localhost;
899 case oNumberOfPasswordPrompts:
900 intptr = &options->number_of_password_prompts;
903 case oCompressionLevel:
904 intptr = &options->compression_level;
909 if (!arg || *arg == '\0')
910 fatal("%.200s line %d: Missing argument.", filename,
912 if (strcmp(arg, "default") == 0) {
915 if (scan_scaled(arg, &val64) == -1)
916 fatal("%.200s line %d: Bad number '%s': %s",
917 filename, linenum, arg, strerror(errno));
918 /* check for too-large or too-small limits */
919 if (val64 > UINT_MAX)
920 fatal("%.200s line %d: RekeyLimit too large",
922 if (val64 != 0 && val64 < 16)
923 fatal("%.200s line %d: RekeyLimit too small",
926 if (*activep && options->rekey_limit == -1)
927 options->rekey_limit = (u_int32_t)val64;
928 if (s != NULL) { /* optional rekey interval present */
929 if (strcmp(s, "none") == 0) {
930 (void)strdelim(&s); /* discard */
933 intptr = &options->rekey_interval;
940 if (!arg || *arg == '\0')
941 fatal("%.200s line %d: Missing argument.", filename, linenum);
943 intptr = &options->num_identity_files;
944 if (*intptr >= SSH_MAX_IDENTITY_FILES)
945 fatal("%.200s line %d: Too many identity files specified (max %d).",
946 filename, linenum, SSH_MAX_IDENTITY_FILES);
947 add_identity_file(options, NULL, arg, userconfig);
952 charptr=&options->xauth_location;
956 charptr = &options->user;
959 if (!arg || *arg == '\0')
960 fatal("%.200s line %d: Missing argument.",
962 if (*activep && *charptr == NULL)
963 *charptr = xstrdup(arg);
966 case oGlobalKnownHostsFile:
967 cpptr = (char **)&options->system_hostfiles;
968 uintptr = &options->num_system_hostfiles;
969 max_entries = SSH_MAX_HOSTS_FILES;
971 if (*activep && *uintptr == 0) {
972 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
973 if ((*uintptr) >= max_entries)
975 "too many authorized keys files.",
977 cpptr[(*uintptr)++] = xstrdup(arg);
982 case oUserKnownHostsFile:
983 cpptr = (char **)&options->user_hostfiles;
984 uintptr = &options->num_user_hostfiles;
985 max_entries = SSH_MAX_HOSTS_FILES;
986 goto parse_char_array;
989 charptr = &options->hostname;
993 charptr = &options->host_key_alias;
996 case oPreferredAuthentications:
997 charptr = &options->preferred_authentications;
1001 charptr = &options->bind_address;
1004 case oPKCS11Provider:
1005 charptr = &options->pkcs11_provider;
1009 charptr = &options->proxy_command;
1012 fatal("%.200s line %d: Missing argument.", filename, linenum);
1013 len = strspn(s, WHITESPACE "=");
1014 if (*activep && *charptr == NULL)
1015 *charptr = xstrdup(s + len);
1019 intptr = &options->port;
1022 if (!arg || *arg == '\0')
1023 fatal("%.200s line %d: Missing argument.", filename, linenum);
1024 if (arg[0] < '0' || arg[0] > '9')
1025 fatal("%.200s line %d: Bad number.", filename, linenum);
1027 /* Octal, decimal, or hex format? */
1028 value = strtol(arg, &endofnumber, 0);
1029 if (arg == endofnumber)
1030 fatal("%.200s line %d: Bad number.", filename, linenum);
1031 if (*activep && *intptr == -1)
1035 case oConnectionAttempts:
1036 intptr = &options->connection_attempts;
1040 intptr = &options->cipher;
1042 if (!arg || *arg == '\0')
1043 fatal("%.200s line %d: Missing argument.", filename, linenum);
1044 value = cipher_number(arg);
1046 fatal("%.200s line %d: Bad cipher '%s'.",
1047 filename, linenum, arg ? arg : "<NONE>");
1048 if (*activep && *intptr == -1)
1054 if (!arg || *arg == '\0')
1055 fatal("%.200s line %d: Missing argument.", filename, linenum);
1056 if (!ciphers_valid(arg))
1057 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
1058 filename, linenum, arg ? arg : "<NONE>");
1059 if (*activep && options->ciphers == NULL)
1060 options->ciphers = xstrdup(arg);
1065 if (!arg || *arg == '\0')
1066 fatal("%.200s line %d: Missing argument.", filename, linenum);
1067 if (!mac_valid(arg))
1068 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
1069 filename, linenum, arg ? arg : "<NONE>");
1070 if (*activep && options->macs == NULL)
1071 options->macs = xstrdup(arg);
1074 case oKexAlgorithms:
1076 if (!arg || *arg == '\0')
1077 fatal("%.200s line %d: Missing argument.",
1079 if (!kex_names_valid(arg))
1080 fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
1081 filename, linenum, arg ? arg : "<NONE>");
1082 if (*activep && options->kex_algorithms == NULL)
1083 options->kex_algorithms = xstrdup(arg);
1086 case oHostKeyAlgorithms:
1088 if (!arg || *arg == '\0')
1089 fatal("%.200s line %d: Missing argument.", filename, linenum);
1090 if (!key_names_valid2(arg))
1091 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
1092 filename, linenum, arg ? arg : "<NONE>");
1093 if (*activep && options->hostkeyalgorithms == NULL)
1094 options->hostkeyalgorithms = xstrdup(arg);
1098 intptr = &options->protocol;
1100 if (!arg || *arg == '\0')
1101 fatal("%.200s line %d: Missing argument.", filename, linenum);
1102 value = proto_spec(arg);
1103 if (value == SSH_PROTO_UNKNOWN)
1104 fatal("%.200s line %d: Bad protocol spec '%s'.",
1105 filename, linenum, arg ? arg : "<NONE>");
1106 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
1111 log_level_ptr = &options->log_level;
1113 value = log_level_number(arg);
1114 if (value == SYSLOG_LEVEL_NOT_SET)
1115 fatal("%.200s line %d: unsupported log level '%s'",
1116 filename, linenum, arg ? arg : "<NONE>");
1117 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
1118 *log_level_ptr = (LogLevel) value;
1122 case oRemoteForward:
1123 case oDynamicForward:
1125 if (arg == NULL || *arg == '\0')
1126 fatal("%.200s line %d: Missing port argument.",
1129 if (opcode == oLocalForward ||
1130 opcode == oRemoteForward) {
1131 arg2 = strdelim(&s);
1132 if (arg2 == NULL || *arg2 == '\0')
1133 fatal("%.200s line %d: Missing target argument.",
1136 /* construct a string for parse_forward */
1137 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
1138 } else if (opcode == oDynamicForward) {
1139 strlcpy(fwdarg, arg, sizeof(fwdarg));
1142 if (parse_forward(&fwd, fwdarg,
1143 opcode == oDynamicForward ? 1 : 0,
1144 opcode == oRemoteForward ? 1 : 0) == 0)
1145 fatal("%.200s line %d: Bad forwarding specification.",
1149 if (opcode == oLocalForward ||
1150 opcode == oDynamicForward)
1151 add_local_forward(options, &fwd);
1152 else if (opcode == oRemoteForward)
1153 add_remote_forward(options, &fwd);
1157 case oClearAllForwardings:
1158 intptr = &options->clear_forwardings;
1163 fatal("Host directive not supported as a command-line "
1167 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1168 negated = *arg == '!';
1171 if (match_pattern(host, arg)) {
1173 debug("%.200s line %d: Skipping Host "
1174 "block because of negated match "
1175 "for %.100s", filename, linenum,
1181 arg2 = arg; /* logged below */
1186 debug("%.200s line %d: Applying options for %.100s",
1187 filename, linenum, arg2);
1188 /* Avoid garbage check below, as strdelim is done. */
1193 fatal("Host directive not supported as a command-line "
1195 value = match_cfg_line(options, &s, pw, host,
1198 fatal("%.200s line %d: Bad Match condition", filename,
1204 intptr = &options->escape_char;
1206 if (!arg || *arg == '\0')
1207 fatal("%.200s line %d: Missing argument.", filename, linenum);
1208 if (arg[0] == '^' && arg[2] == 0 &&
1209 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
1210 value = (u_char) arg[1] & 31;
1211 else if (strlen(arg) == 1)
1212 value = (u_char) arg[0];
1213 else if (strcmp(arg, "none") == 0)
1214 value = SSH_ESCAPECHAR_NONE;
1216 fatal("%.200s line %d: Bad escape character.",
1219 value = 0; /* Avoid compiler warning. */
1221 if (*activep && *intptr == -1)
1225 case oAddressFamily:
1226 intptr = &options->address_family;
1227 multistate_ptr = multistate_addressfamily;
1228 goto parse_multistate;
1230 case oEnableSSHKeysign:
1231 intptr = &options->enable_ssh_keysign;
1234 case oIdentitiesOnly:
1235 intptr = &options->identities_only;
1238 case oServerAliveInterval:
1239 intptr = &options->server_alive_interval;
1242 case oServerAliveCountMax:
1243 intptr = &options->server_alive_count_max;
1247 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1248 if (strchr(arg, '=') != NULL)
1249 fatal("%s line %d: Invalid environment name.",
1253 if (options->num_send_env >= MAX_SEND_ENV)
1254 fatal("%s line %d: too many send env.",
1256 options->send_env[options->num_send_env++] =
1262 charptr = &options->control_path;
1265 case oControlMaster:
1266 intptr = &options->control_master;
1267 multistate_ptr = multistate_controlmaster;
1268 goto parse_multistate;
1270 case oControlPersist:
1271 /* no/false/yes/true, or a time spec */
1272 intptr = &options->control_persist;
1274 if (!arg || *arg == '\0')
1275 fatal("%.200s line %d: Missing ControlPersist"
1276 " argument.", filename, linenum);
1278 value2 = 0; /* timeout */
1279 if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
1281 else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
1283 else if ((value2 = convtime(arg)) >= 0)
1286 fatal("%.200s line %d: Bad ControlPersist argument.",
1288 if (*activep && *intptr == -1) {
1290 options->control_persist_timeout = value2;
1294 case oHashKnownHosts:
1295 intptr = &options->hash_known_hosts;
1299 intptr = &options->tun_open;
1300 multistate_ptr = multistate_tunnel;
1301 goto parse_multistate;
1305 if (!arg || *arg == '\0')
1306 fatal("%.200s line %d: Missing argument.", filename, linenum);
1307 value = a2tun(arg, &value2);
1308 if (value == SSH_TUNID_ERR)
1309 fatal("%.200s line %d: Bad tun device.", filename, linenum);
1311 options->tun_local = value;
1312 options->tun_remote = value2;
1317 charptr = &options->local_command;
1320 case oPermitLocalCommand:
1321 intptr = &options->permit_local_command;
1324 case oVisualHostKey:
1325 intptr = &options->visual_host_key;
1330 if ((value = parse_ipqos(arg)) == -1)
1331 fatal("%s line %d: Bad IPQoS value: %s",
1332 filename, linenum, arg);
1336 else if ((value2 = parse_ipqos(arg)) == -1)
1337 fatal("%s line %d: Bad IPQoS value: %s",
1338 filename, linenum, arg);
1340 options->ip_qos_interactive = value;
1341 options->ip_qos_bulk = value2;
1346 intptr = &options->use_roaming;
1350 intptr = &options->request_tty;
1351 multistate_ptr = multistate_requesttty;
1352 goto parse_multistate;
1354 case oVersionAddendum:
1356 fatal("%.200s line %d: Missing argument.", filename,
1358 len = strspn(s, WHITESPACE);
1359 if (*activep && options->version_addendum == NULL) {
1360 if (strcasecmp(s + len, "none") == 0)
1361 options->version_addendum = xstrdup("");
1362 else if (strchr(s + len, '\r') != NULL)
1363 fatal("%.200s line %d: Invalid argument",
1366 options->version_addendum = xstrdup(s + len);
1370 case oIgnoreUnknown:
1371 charptr = &options->ignored_unknown;
1374 case oProxyUseFdpass:
1375 intptr = &options->proxy_use_fdpass;
1378 case oCanonicalDomains:
1379 value = options->num_canonical_domains != 0;
1380 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1381 valid_domain(arg, filename, linenum);
1382 if (!*activep || value)
1384 if (options->num_canonical_domains >= MAX_CANON_DOMAINS)
1385 fatal("%s line %d: too many hostname suffixes.",
1387 options->canonical_domains[
1388 options->num_canonical_domains++] = xstrdup(arg);
1392 case oCanonicalizePermittedCNAMEs:
1393 value = options->num_permitted_cnames != 0;
1394 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1395 /* Either '*' for everything or 'list:list' */
1396 if (strcmp(arg, "*") == 0)
1400 if ((arg2 = strchr(arg, ':')) == NULL ||
1402 fatal("%s line %d: "
1403 "Invalid permitted CNAME \"%s\"",
1404 filename, linenum, arg);
1409 if (!*activep || value)
1411 if (options->num_permitted_cnames >= MAX_CANON_DOMAINS)
1412 fatal("%s line %d: too many permitted CNAMEs.",
1414 cname = options->permitted_cnames +
1415 options->num_permitted_cnames++;
1416 cname->source_list = xstrdup(arg);
1417 cname->target_list = xstrdup(arg2);
1421 case oCanonicalizeHostname:
1422 intptr = &options->canonicalize_hostname;
1423 multistate_ptr = multistate_canonicalizehostname;
1424 goto parse_multistate;
1426 case oCanonicalizeMaxDots:
1427 intptr = &options->canonicalize_max_dots;
1430 case oCanonicalizeFallbackLocal:
1431 intptr = &options->canonicalize_fallback_local;
1435 debug("%s line %d: Deprecated option \"%s\"",
1436 filename, linenum, keyword);
1440 error("%s line %d: Unsupported option \"%s\"",
1441 filename, linenum, keyword);
1445 fatal("process_config_line: Unimplemented opcode %d", opcode);
1448 /* Check that there is no garbage at end of line. */
1449 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1450 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
1451 filename, linenum, arg);
/*
 * Reads the config file and modifies the options accordingly. Options
 * should already be initialized before this call. This never returns if
 * there is an error. If the file does not exist, this returns 0.
 *
 * filename  path of the configuration file to read.
 * pw, host  passed through unchanged to process_config_line().
 * options   Options structure to fill; only still-unset fields are written
 *           by the per-line parser.
 * flags     bit set of SSHCONF_* values. SSHCONF_CHECKPERM turns on the
 *           owner/permission check below; SSHCONF_USERCONF is forwarded to
 *           process_config_line().
 *
 * NOTE(review): this listing omits several lines of the function (the
 * return type, the local declarations of f, sb and line, the early return
 * when fopen() fails, the fclose() and the final return), so the body
 * below is read as a fragment.
 */
1464 read_config_file(const char *filename, struct passwd *pw, const char *host,
1465 Options *options, int flags)
1469 int active, linenum;
1470 int bad_options = 0;
1472 if ((f = fopen(filename, "r")) == NULL)
/*
 * Trust boundary: when asked to, only accept a file that is owned by root
 * or by the invoking user and that no other user can write to, so a file
 * writable by group or others cannot be used to feed directives to the
 * client. fstat() is applied to the already-open stream rather than stat()
 * to the path, so the check covers exactly the file that is then read.
 * Note that getuid() (the real uid) is what the owner is compared against.
 */
1475 if (flags & SSHCONF_CHECKPERM) {
1478 if (fstat(fileno(f), &sb) == -1)
1479 fatal("fstat %s: %s", filename, strerror(errno));
/* 022 = group-write | other-write; either bit set is rejected. */
1480 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
1481 (sb.st_mode & 022) != 0))
1482 fatal("Bad owner or permissions on %s", filename);
1485 debug("Reading configuration data %.200s", filename);
/*
 * Mark that we are now processing the options. This flag is turned
 * on/off by Host specifications (the "active" variable is handed to
 * process_config_line() by address so a Host/Match line can flip it).
 */
/*
 * fgets() delivers a line longer than the buffer in pieces, each of which
 * is then parsed as if it were a separate line; the buffer size itself is
 * declared on a line not present in this listing.
 */
1493 while (fgets(line, sizeof(line), f)) {
1494 /* Update line number counter. */
/* A non-zero result presumably increments bad_options on the omitted line. */
1496 if (process_config_line(options, pw, host, line, filename,
1497 linenum, &active, flags & SSHCONF_USERCONF) != 0)
/* All lines are parsed first so every bad option is reported before exiting. */
1501 if (bad_options > 0)
1502 fatal("%s: terminating, %d bad configuration options",
1503 filename, bad_options);
/*
 * Returns 1 if a string option is unset (NULL) or set to "none"
 * (compared case-insensitively), 0 otherwise.
 */
static int
option_clear_or_none(const char *o)
{
	if (o == NULL)
		return 1;
	return strcasecmp(o, "none") == 0 ? 1 : 0;
}
/*
 * Initializes options to special values that indicate that they have not yet
 * been set. Read_config_file will only set options with this value. Options
 * are processed in the following order: command line, user config file,
 * system config file. Last, fill_default_options is called.
 *
 * Sentinels used: -1 for integer knobs, NULL for strings, 0 for the
 * counters (num_*), SSH_PROTO_UNKNOWN for protocol and
 * SYSLOG_LEVEL_NOT_SET for log_level.
 *
 * NOTE(review): the return type line, the braces and one assignment
 * between compression_level and address_family are absent from this
 * listing; fill_default_options() tests options->port against -1, so that
 * is presumably where port is initialized -- confirm against the full file.
 */
1522 initialize_options(Options * options)
/*
 * Fill the whole structure with a recognisable garbage byte first, so any
 * field that is not explicitly reset below holds an obviously bogus value
 * rather than a plausible-looking zero.
 */
1524 memset(options, 'X', sizeof(*options));
1525 options->forward_agent = -1;
1526 options->forward_x11 = -1;
1527 options->forward_x11_trusted = -1;
1528 options->forward_x11_timeout = -1;
1529 options->exit_on_forward_failure = -1;
1530 options->xauth_location = NULL;
1531 options->gateway_ports = -1;
1532 options->use_privileged_port = -1;
1533 options->rsa_authentication = -1;
1534 options->pubkey_authentication = -1;
1535 options->challenge_response_authentication = -1;
1536 options->gss_authentication = -1;
1537 options->gss_deleg_creds = -1;
1538 options->password_authentication = -1;
1539 options->kbd_interactive_authentication = -1;
1540 options->kbd_interactive_devices = NULL;
1541 options->rhosts_rsa_authentication = -1;
1542 options->hostbased_authentication = -1;
1543 options->batch_mode = -1;
1544 options->check_host_ip = -1;
1545 options->strict_host_key_checking = -1;
1546 options->compression = -1;
1547 options->tcp_keep_alive = -1;
1548 options->compression_level = -1;
/* NOTE(review): one assignment is missing from the listing here (see above). */
1550 options->address_family = -1;
1551 options->connection_attempts = -1;
1552 options->connection_timeout = -1;
1553 options->number_of_password_prompts = -1;
1554 options->cipher = -1;
/* Algorithm lists stay NULL; fill_default_options() leaves them to myproposals.h. */
1555 options->ciphers = NULL;
1556 options->macs = NULL;
1557 options->kex_algorithms = NULL;
1558 options->hostkeyalgorithms = NULL;
1559 options->protocol = SSH_PROTO_UNKNOWN;
1560 options->num_identity_files = 0;
1561 options->hostname = NULL;
1562 options->host_key_alias = NULL;
1563 options->proxy_command = NULL;
1564 options->user = NULL;
1565 options->escape_char = -1;
1566 options->num_system_hostfiles = 0;
1567 options->num_user_hostfiles = 0;
1568 options->local_forwards = NULL;
1569 options->num_local_forwards = 0;
1570 options->remote_forwards = NULL;
1571 options->num_remote_forwards = 0;
1572 options->clear_forwardings = -1;
1573 options->log_level = SYSLOG_LEVEL_NOT_SET;
1574 options->preferred_authentications = NULL;
1575 options->bind_address = NULL;
1576 options->pkcs11_provider = NULL;
1577 options->enable_ssh_keysign = - 1;
1578 options->no_host_authentication_for_localhost = - 1;
1579 options->identities_only = - 1;
1580 options->rekey_limit = - 1;
1581 options->rekey_interval = -1;
1582 options->verify_host_key_dns = -1;
1583 options->server_alive_interval = -1;
1584 options->server_alive_count_max = -1;
1585 options->num_send_env = 0;
1586 options->control_path = NULL;
1587 options->control_master = -1;
/* control_persist_timeout has no "unset" sentinel; it is only meaningful when control_persist is set. */
1588 options->control_persist = -1;
1589 options->control_persist_timeout = 0;
1590 options->hash_known_hosts = -1;
1591 options->tun_open = -1;
1592 options->tun_local = -1;
1593 options->tun_remote = -1;
1594 options->local_command = NULL;
1595 options->permit_local_command = -1;
/* Deliberately 0, not -1: roaming is never enabled (fill_default_options() forces it to 0 as well). */
1596 options->use_roaming = 0;
1597 options->visual_host_key = -1;
1598 options->ip_qos_interactive = -1;
1599 options->ip_qos_bulk = -1;
1600 options->request_tty = -1;
1601 options->proxy_use_fdpass = -1;
1602 options->ignored_unknown = NULL;
1603 options->num_canonical_domains = 0;
1604 options->num_permitted_cnames = 0;
1605 options->canonicalize_max_dots = -1;
1606 options->canonicalize_fallback_local = -1;
1607 options->canonicalize_hostname = -1;
1608 options->version_addendum = NULL;
/*
 * A petite version of fill_default_options() that just fills the options
 * needed for hostname canonicalization to proceed.
 *
 * Only the three Canonicalize* knobs are touched; everything else is left
 * for fill_default_options(). A knob counts as unset while it still holds
 * the -1 sentinel written by initialize_options(). Defaults: one dot
 * (max_dots = 1), fall back to the local resolver, no canonicalization.
 */
void
fill_default_options_for_canonicalization(Options *options)
{
	struct {
		int *slot;
		int fallback;
	} canon_defaults[] = {
		{ &options->canonicalize_max_dots, 1 },
		{ &options->canonicalize_fallback_local, 1 },
		{ &options->canonicalize_hostname, SSH_CANONICALISE_NO },
	};
	size_t k;

	for (k = 0; k < sizeof(canon_defaults) / sizeof(canon_defaults[0]); k++) {
		if (*canon_defaults[k].slot == -1)
			*canon_defaults[k].slot = canon_defaults[k].fallback;
	}
}
/*
 * Called after processing other sources of option data, this fills those
 * options for which no value has been specified with their default values.
 *
 * "Unset" means the sentinel left by initialize_options(): -1 for integer
 * knobs, NULL for strings, SSH_PROTO_UNKNOWN for protocol and
 * SYSLOG_LEVEL_NOT_SET for log_level. A field is only written while it is
 * still unset, except where noted below.
 *
 * NOTE(review): this listing omits several lines of the function: the
 * return type and braces, the #endif matching OPENSSL_HAS_ECC, the
 * conditionals surrounding the two verify_host_key_dns defaults, and the
 * body of the CLEAR_ON_NONE macro. Comments marked NOTE(review) flag where
 * that matters for reading the code.
 */
1631 fill_default_options(Options * options)
1633 if (options->forward_agent == -1)
1634 options->forward_agent = 0;
1635 if (options->forward_x11 == -1)
1636 options->forward_x11 = 0;
1637 if (options->forward_x11_trusted == -1)
1638 options->forward_x11_trusted = 0;
1639 if (options->forward_x11_timeout == -1)
1640 options->forward_x11_timeout = 1200;
1641 if (options->exit_on_forward_failure == -1)
1642 options->exit_on_forward_failure = 0;
1643 if (options->xauth_location == NULL)
1644 options->xauth_location = _PATH_XAUTH;
1645 if (options->gateway_ports == -1)
1646 options->gateway_ports = 0;
1647 if (options->use_privileged_port == -1)
1648 options->use_privileged_port = 0;
1649 if (options->rsa_authentication == -1)
1650 options->rsa_authentication = 1;
1651 if (options->pubkey_authentication == -1)
1652 options->pubkey_authentication = 1;
1653 if (options->challenge_response_authentication == -1)
1654 options->challenge_response_authentication = 1;
1655 if (options->gss_authentication == -1)
1656 options->gss_authentication = 0;
1657 if (options->gss_deleg_creds == -1)
1658 options->gss_deleg_creds = 0;
1659 if (options->password_authentication == -1)
1660 options->password_authentication = 1;
1661 if (options->kbd_interactive_authentication == -1)
1662 options->kbd_interactive_authentication = 1;
1663 if (options->rhosts_rsa_authentication == -1)
1664 options->rhosts_rsa_authentication = 0;
1665 if (options->hostbased_authentication == -1)
1666 options->hostbased_authentication = 0;
1667 if (options->batch_mode == -1)
1668 options->batch_mode = 0;
1669 if (options->check_host_ip == -1)
1670 options->check_host_ip = 0;
/* 2 is neither "yes" (1) nor "no" (0); presumably the "ask" mode -- confirm against the StrictHostKeyChecking parser. */
1671 if (options->strict_host_key_checking == -1)
1672 options->strict_host_key_checking = 2; /* 2 is default */
1673 if (options->compression == -1)
1674 options->compression = 0;
1675 if (options->tcp_keep_alive == -1)
1676 options->tcp_keep_alive = 1;
1677 if (options->compression_level == -1)
1678 options->compression_level = 6;
1679 if (options->port == -1)
1680 options->port = 0; /* Filled in ssh_connect. */
1681 if (options->address_family == -1)
1682 options->address_family = AF_UNSPEC;
1683 if (options->connection_attempts == -1)
1684 options->connection_attempts = 1;
1685 if (options->number_of_password_prompts == -1)
1686 options->number_of_password_prompts = 3;
1687 /* Selected in ssh_login(). */
1688 if (options->cipher == -1)
1689 options->cipher = SSH_CIPHER_NOT_SET;
1690 /* options->ciphers, default set in myproposals.h */
1691 /* options->macs, default set in myproposals.h */
1692 /* options->kex_algorithms, default set in myproposals.h */
1693 /* options->hostkeyalgorithms, default set in myproposals.h */
/* Protocol 2 only unless the config asked otherwise. */
1694 if (options->protocol == SSH_PROTO_UNKNOWN)
1695 options->protocol = SSH_PROTO_2;
/*
 * No IdentityFile given: register the standard key files under "~/" for
 * each enabled protocol version. The trailing 0 is add_identity_file()'s
 * final argument; its meaning is not visible in this listing.
 */
1696 if (options->num_identity_files == 0) {
1697 if (options->protocol & SSH_PROTO_1) {
1698 add_identity_file(options, "~/",
1699 _PATH_SSH_CLIENT_IDENTITY, 0);
1701 if (options->protocol & SSH_PROTO_2) {
1702 add_identity_file(options, "~/",
1703 _PATH_SSH_CLIENT_ID_RSA, 0);
1704 add_identity_file(options, "~/",
1705 _PATH_SSH_CLIENT_ID_DSA, 0);
1706 #ifdef OPENSSL_HAS_ECC
/* NOTE(review): the #endif closing this conditional is not in this listing. */
1707 add_identity_file(options, "~/",
1708 _PATH_SSH_CLIENT_ID_ECDSA, 0);
1710 add_identity_file(options, "~/",
1711 _PATH_SSH_CLIENT_ID_ED25519, 0);
1714 if (options->escape_char == -1)
1715 options->escape_char = '~';
/* Two known_hosts files each for system and user scope; the strings are heap copies. */
1716 if (options->num_system_hostfiles == 0) {
1717 options->system_hostfiles[options->num_system_hostfiles++] =
1718 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE);
1719 options->system_hostfiles[options->num_system_hostfiles++] =
1720 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2);
1722 if (options->num_user_hostfiles == 0) {
1723 options->user_hostfiles[options->num_user_hostfiles++] =
1724 xstrdup(_PATH_SSH_USER_HOSTFILE);
1725 options->user_hostfiles[options->num_user_hostfiles++] =
1726 xstrdup(_PATH_SSH_USER_HOSTFILE2);
1728 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1729 options->log_level = SYSLOG_LEVEL_INFO;
/* ClearAllForwardings: drop every forwarding collected so far. */
1730 if (options->clear_forwardings == 1)
1731 clear_forwardings(options);
1732 if (options->no_host_authentication_for_localhost == - 1)
1733 options->no_host_authentication_for_localhost = 0;
1734 if (options->identities_only == -1)
1735 options->identities_only = 0;
1736 if (options->enable_ssh_keysign == -1)
1737 options->enable_ssh_keysign = 0;
1738 if (options->rekey_limit == -1)
1739 options->rekey_limit = 0;
1740 if (options->rekey_interval == -1)
1741 options->rekey_interval = 0;
/*
 * NOTE(review): both defaults below are guarded by "== -1", so as listed
 * the second can never fire. The lines between them are missing from this
 * listing; presumably a compile-time conditional selects one of the two --
 * confirm against the full file. The choice is security-relevant: the
 * first branch "automatically trust[s] a verified SSHFP record", i.e. a
 * DNS-validated fingerprint stands in for the usual host-key confirmation;
 * the second ignores DNS.
 */
1743 if (options->verify_host_key_dns == -1)
1744 /* automatically trust a verified SSHFP record */
1745 options->verify_host_key_dns = 1;
1747 if (options->verify_host_key_dns == -1)
1748 options->verify_host_key_dns = 0;
1750 if (options->server_alive_interval == -1)
1751 options->server_alive_interval = 0;
1752 if (options->server_alive_count_max == -1)
1753 options->server_alive_count_max = 3;
1754 if (options->control_master == -1)
1755 options->control_master = 0;
/* The timeout only means something together with control_persist, so both are reset as a pair. */
1756 if (options->control_persist == -1) {
1757 options->control_persist = 0;
1758 options->control_persist_timeout = 0;
1760 if (options->hash_known_hosts == -1)
1761 options->hash_known_hosts = 0;
1762 if (options->tun_open == -1)
1763 options->tun_open = SSH_TUNMODE_NO;
1764 if (options->tun_local == -1)
1765 options->tun_local = SSH_TUNID_ANY;
1766 if (options->tun_remote == -1)
1767 options->tun_remote = SSH_TUNID_ANY;
1768 if (options->permit_local_command == -1)
1769 options->permit_local_command = 0;
/* Unconditional: roaming is forced off regardless of what UseRoaming in the config set. */
1770 options->use_roaming = 0;
1771 if (options->visual_host_key == -1)
1772 options->visual_host_key = 0;
1773 if (options->ip_qos_interactive == -1)
1774 options->ip_qos_interactive = IPTOS_LOWDELAY;
1775 if (options->ip_qos_bulk == -1)
1776 options->ip_qos_bulk = IPTOS_THROUGHPUT;
1777 if (options->request_tty == -1)
1778 options->request_tty = REQUEST_TTY_AUTO;
1779 if (options->proxy_use_fdpass == -1)
1780 options->proxy_use_fdpass = 0;
/* Same three defaults as fill_default_options_for_canonicalization(); keep them in sync. */
1781 if (options->canonicalize_max_dots == -1)
1782 options->canonicalize_max_dots = 1;
1783 if (options->canonicalize_fallback_local == -1)
1784 options->canonicalize_fallback_local = 1;
1785 if (options->canonicalize_hostname == -1)
1786 options->canonicalize_hostname = SSH_CANONICALISE_NO;
/*
 * NOTE(review): the macro body is absent from this listing; from its use
 * it presumably releases the string and resets the pointer to NULL when
 * option_clear_or_none() reports it unset or "none", so that a configured
 * "none" and an absent setting become indistinguishable to callers.
 */
1787 #define CLEAR_ON_NONE(v) \
1789 if (option_clear_or_none(v)) { \
1794 CLEAR_ON_NONE(options->local_command);
1795 CLEAR_ON_NONE(options->proxy_command);
1796 CLEAR_ON_NONE(options->control_path);
1797 /* options->user will be set in the main program if appropriate */
1798 /* options->hostname will be set in the main program if appropriate */
1799 /* options->host_key_alias should not be set by default */
1800 /* options->preferred_authentications will be set in ssh */
/*
 * A configured VersionAddendum of "none" was already stored as "" by the
 * parser, so only a genuinely absent setting receives the build default.
 */
1801 if (options->version_addendum == NULL)
1802 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
1807 * parses a string containing a port forwarding specification of the form:
1809 * [listenhost:]listenport:connecthost:connectport
1811 * [listenhost:]listenport
1812 * returns number of arguments parsed or zero on error
1815 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1818 char *p, *cp, *fwdarg[4];
1820 memset(fwd, '\0', sizeof(*fwd));
1822 cp = p = xstrdup(fwdspec);
1824 /* skip leading spaces */
1825 while (isspace((u_char)*cp))
1828 for (i = 0; i < 4; ++i)
1829 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1832 /* Check for trailing garbage */
1834 i = 0; /* failure */
1838 fwd->listen_host = NULL;
1839 fwd->listen_port = a2port(fwdarg[0]);
1840 fwd->connect_host = xstrdup("socks");
1844 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1845 fwd->listen_port = a2port(fwdarg[1]);
1846 fwd->connect_host = xstrdup("socks");
1850 fwd->listen_host = NULL;
1851 fwd->listen_port = a2port(fwdarg[0]);
1852 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1853 fwd->connect_port = a2port(fwdarg[2]);
1857 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1858 fwd->listen_port = a2port(fwdarg[1]);
1859 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1860 fwd->connect_port = a2port(fwdarg[3]);
1863 i = 0; /* failure */
1869 if (!(i == 1 || i == 2))
1872 if (!(i == 3 || i == 4))
1874 if (fwd->connect_port <= 0)
1878 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
1881 if (fwd->connect_host != NULL &&
1882 strlen(fwd->connect_host) >= NI_MAXHOST)
1884 if (fwd->listen_host != NULL &&
1885 strlen(fwd->listen_host) >= NI_MAXHOST)
1892 free(fwd->connect_host);
1893 fwd->connect_host = NULL;
1894 free(fwd->listen_host);
1895 fwd->listen_host = NULL;