1 /* $OpenBSD: readconf.c,v 1.183 2010/02/08 10:50:20 markus Exp $ */
4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * Functions for reading the configuration files.
9 * As far as I am concerned, the code I have written for this software
10 * can be used freely for any purpose. Any derived versions of this
11 * software must be clearly marked as such, and if the derived work is
12 * incompatible with the protocol description in the RFC file, it must be
13 * called by a name other than "ssh" or "Secure Shell".
19 #include <sys/types.h>
21 #include <sys/socket.h>
22 #include <sys/sysctl.h>
24 #include <netinet/in.h>
39 #include "pathnames.h"
50 /* Format of the configuration file:
52 # Configuration data is parsed as follows:
53 # 1. command line options
54 # 2. user-specific file
56 # Any configuration value is only changed the first time it is set.
57 # Thus, host-specific definitions should be at the beginning of the
58 # configuration file, and defaults at the end.
60 # Host-specific declarations. These may override anything above. A single
61 # host may match multiple declarations; these are processed in the order
62 # that they are given in.
68 HostName another.host.name.real.org
75 RemoteForward 9999 shadows.cs.hut.fi:9999
81 PasswordAuthentication no
85 ProxyCommand ssh-proxy %h %p
88 PublicKeyAuthentication no
92 PasswordAuthentication no
98 # Defaults for various options
102 PasswordAuthentication yes
103 RSAAuthentication yes
104 RhostsRSAAuthentication yes
105 StrictHostKeyChecking yes
107 IdentityFile ~/.ssh/identity
113 /* Keyword tokens. */
117 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
118 oExitOnForwardFailure,
119 oPasswordAuthentication, oRSAAuthentication,
120 oChallengeResponseAuthentication, oXAuthLocation,
121 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
122 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
123 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
124 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
125 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
126 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
127 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
128 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
129 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
130 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
131 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
132 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
133 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
134 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
135 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
136 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
137 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
138 oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
139 #ifdef NONE_CIPHER_ENABLED
140 oNoneEnabled, oNoneSwitch,
143 oDeprecated, oUnsupported
146 /* Textual representations of the tokens. */
152 { "forwardagent", oForwardAgent },
153 { "forwardx11", oForwardX11 },
154 { "forwardx11trusted", oForwardX11Trusted },
155 { "exitonforwardfailure", oExitOnForwardFailure },
156 { "xauthlocation", oXAuthLocation },
157 { "gatewayports", oGatewayPorts },
158 { "useprivilegedport", oUsePrivilegedPort },
159 { "rhostsauthentication", oDeprecated },
160 { "passwordauthentication", oPasswordAuthentication },
161 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
162 { "kbdinteractivedevices", oKbdInteractiveDevices },
163 { "rsaauthentication", oRSAAuthentication },
164 { "pubkeyauthentication", oPubkeyAuthentication },
165 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
166 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
167 { "hostbasedauthentication", oHostbasedAuthentication },
168 { "challengeresponseauthentication", oChallengeResponseAuthentication },
169 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
170 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
171 { "kerberosauthentication", oUnsupported },
172 { "kerberostgtpassing", oUnsupported },
173 { "afstokenpassing", oUnsupported },
175 { "gssapiauthentication", oGssAuthentication },
176 { "gssapidelegatecredentials", oGssDelegateCreds },
178 { "gssapiauthentication", oUnsupported },
179 { "gssapidelegatecredentials", oUnsupported },
181 { "fallbacktorsh", oDeprecated },
182 { "usersh", oDeprecated },
183 { "identityfile", oIdentityFile },
184 { "identityfile2", oIdentityFile }, /* obsolete */
185 { "identitiesonly", oIdentitiesOnly },
186 { "hostname", oHostName },
187 { "hostkeyalias", oHostKeyAlias },
188 { "proxycommand", oProxyCommand },
190 { "cipher", oCipher },
191 { "ciphers", oCiphers },
193 { "protocol", oProtocol },
194 { "remoteforward", oRemoteForward },
195 { "localforward", oLocalForward },
198 { "escapechar", oEscapeChar },
199 { "globalknownhostsfile", oGlobalKnownHostsFile },
200 { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */
201 { "userknownhostsfile", oUserKnownHostsFile },
202 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
203 { "connectionattempts", oConnectionAttempts },
204 { "batchmode", oBatchMode },
205 { "checkhostip", oCheckHostIP },
206 { "stricthostkeychecking", oStrictHostKeyChecking },
207 { "compression", oCompression },
208 { "compressionlevel", oCompressionLevel },
209 { "tcpkeepalive", oTCPKeepAlive },
210 { "keepalive", oTCPKeepAlive }, /* obsolete */
211 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
212 { "loglevel", oLogLevel },
213 { "dynamicforward", oDynamicForward },
214 { "preferredauthentications", oPreferredAuthentications },
215 { "hostkeyalgorithms", oHostKeyAlgorithms },
216 { "bindaddress", oBindAddress },
218 { "smartcarddevice", oPKCS11Provider },
219 { "pkcs11provider", oPKCS11Provider },
221 { "smartcarddevice", oUnsupported },
222 { "pkcs11provider", oUnsupported },
224 { "clearallforwardings", oClearAllForwardings },
225 { "enablesshkeysign", oEnableSSHKeysign },
226 { "verifyhostkeydns", oVerifyHostKeyDNS },
227 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
228 { "rekeylimit", oRekeyLimit },
229 { "connecttimeout", oConnectTimeout },
230 { "addressfamily", oAddressFamily },
231 { "serveraliveinterval", oServerAliveInterval },
232 { "serveralivecountmax", oServerAliveCountMax },
233 { "sendenv", oSendEnv },
234 { "controlpath", oControlPath },
235 { "controlmaster", oControlMaster },
236 { "hashknownhosts", oHashKnownHosts },
237 { "tunnel", oTunnel },
238 { "tunneldevice", oTunnelDevice },
239 { "localcommand", oLocalCommand },
240 { "permitlocalcommand", oPermitLocalCommand },
241 { "visualhostkey", oVisualHostKey },
242 { "useroaming", oUseRoaming },
244 { "zeroknowledgepasswordauthentication",
245 oZeroKnowledgePasswordAuthentication },
247 { "zeroknowledgepasswordauthentication", oUnsupported },
249 { "hpndisabled", oHPNDisabled },
250 { "hpnbuffersize", oHPNBufferSize },
251 { "tcprcvbufpoll", oTcpRcvBufPoll },
252 { "tcprcvbuf", oTcpRcvBuf },
253 #ifdef NONE_CIPHER_ENABLED
254 { "noneenabled", oNoneEnabled },
255 { "noneswitch", oNoneSwitch },
258 { "versionaddendum", oVersionAddendum },
263 * Adds a local TCP/IP port forward to options. Never returns if there is an
268 add_local_forward(Options *options, const Forward *newfwd)
271 #ifndef NO_IPPORT_RESERVED_CONCEPT
272 extern uid_t original_real_uid;
275 size_t len_ipport_reserved = sizeof(ipport_reserved);
277 if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
278 &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
279 ipport_reserved = IPPORT_RESERVED;
283 ipport_reserved = IPPORT_RESERVED;
285 if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
286 fatal("Privileged ports can only be forwarded by root.");
288 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
289 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
290 fwd = &options->local_forwards[options->num_local_forwards++];
292 fwd->listen_host = newfwd->listen_host;
293 fwd->listen_port = newfwd->listen_port;
294 fwd->connect_host = newfwd->connect_host;
295 fwd->connect_port = newfwd->connect_port;
299 * Adds a remote TCP/IP port forward to options. Never returns if there is
304 add_remote_forward(Options *options, const Forward *newfwd)
307 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
308 fatal("Too many remote forwards (max %d).",
309 SSH_MAX_FORWARDS_PER_DIRECTION);
310 fwd = &options->remote_forwards[options->num_remote_forwards++];
312 fwd->listen_host = newfwd->listen_host;
313 fwd->listen_port = newfwd->listen_port;
314 fwd->connect_host = newfwd->connect_host;
315 fwd->connect_port = newfwd->connect_port;
319 clear_forwardings(Options *options)
323 for (i = 0; i < options->num_local_forwards; i++) {
324 if (options->local_forwards[i].listen_host != NULL)
325 xfree(options->local_forwards[i].listen_host);
326 xfree(options->local_forwards[i].connect_host);
328 options->num_local_forwards = 0;
329 for (i = 0; i < options->num_remote_forwards; i++) {
330 if (options->remote_forwards[i].listen_host != NULL)
331 xfree(options->remote_forwards[i].listen_host);
332 xfree(options->remote_forwards[i].connect_host);
334 options->num_remote_forwards = 0;
335 options->tun_open = SSH_TUNMODE_NO;
339 * Returns the number of the token pointed to by cp or oBadOption.
343 parse_token(const char *cp, const char *filename, int linenum)
347 for (i = 0; keywords[i].name; i++)
348 if (strcasecmp(cp, keywords[i].name) == 0)
349 return keywords[i].opcode;
351 error("%s: line %d: Bad configuration option: %s",
352 filename, linenum, cp);
357 * Processes a single option line as used in the configuration files. This
358 * only sets those values that have not already been set.
360 #define WHITESPACE " \t\r\n"
363 process_config_line(Options *options, const char *host,
364 char *line, const char *filename, int linenum,
367 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
368 int opcode, *intptr, value, value2, scale;
369 LogLevel *log_level_ptr;
370 long long orig, val64;
374 /* Strip trailing whitespace */
375 for (len = strlen(line) - 1; len > 0; len--) {
376 if (strchr(WHITESPACE, line[len]) == NULL)
382 /* Get the keyword. (Each line is supposed to begin with a keyword). */
383 if ((keyword = strdelim(&s)) == NULL)
385 /* Ignore leading whitespace. */
386 if (*keyword == '\0')
387 keyword = strdelim(&s);
388 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
391 opcode = parse_token(keyword, filename, linenum);
395 /* don't panic, but count bad options */
398 case oConnectTimeout:
399 intptr = &options->connection_timeout;
402 if (!arg || *arg == '\0')
403 fatal("%s line %d: missing time value.",
405 if ((value = convtime(arg)) == -1)
406 fatal("%s line %d: invalid time value.",
408 if (*activep && *intptr == -1)
413 intptr = &options->forward_agent;
416 if (!arg || *arg == '\0')
417 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
418 value = 0; /* To avoid compiler warning... */
419 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
421 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
424 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
425 if (*activep && *intptr == -1)
430 intptr = &options->forward_x11;
433 case oForwardX11Trusted:
434 intptr = &options->forward_x11_trusted;
438 intptr = &options->gateway_ports;
441 case oExitOnForwardFailure:
442 intptr = &options->exit_on_forward_failure;
445 case oUsePrivilegedPort:
446 intptr = &options->use_privileged_port;
449 case oPasswordAuthentication:
450 intptr = &options->password_authentication;
453 case oZeroKnowledgePasswordAuthentication:
454 intptr = &options->zero_knowledge_password_authentication;
457 case oKbdInteractiveAuthentication:
458 intptr = &options->kbd_interactive_authentication;
461 case oKbdInteractiveDevices:
462 charptr = &options->kbd_interactive_devices;
465 case oPubkeyAuthentication:
466 intptr = &options->pubkey_authentication;
469 case oRSAAuthentication:
470 intptr = &options->rsa_authentication;
473 case oRhostsRSAAuthentication:
474 intptr = &options->rhosts_rsa_authentication;
477 case oHostbasedAuthentication:
478 intptr = &options->hostbased_authentication;
481 case oChallengeResponseAuthentication:
482 intptr = &options->challenge_response_authentication;
485 case oGssAuthentication:
486 intptr = &options->gss_authentication;
489 case oGssDelegateCreds:
490 intptr = &options->gss_deleg_creds;
494 intptr = &options->batch_mode;
498 intptr = &options->check_host_ip;
501 case oVerifyHostKeyDNS:
502 intptr = &options->verify_host_key_dns;
505 case oStrictHostKeyChecking:
506 intptr = &options->strict_host_key_checking;
509 if (!arg || *arg == '\0')
510 fatal("%.200s line %d: Missing yes/no/ask argument.",
512 value = 0; /* To avoid compiler warning... */
513 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
515 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
517 else if (strcmp(arg, "ask") == 0)
520 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
521 if (*activep && *intptr == -1)
526 intptr = &options->compression;
530 intptr = &options->tcp_keep_alive;
533 case oNoHostAuthenticationForLocalhost:
534 intptr = &options->no_host_authentication_for_localhost;
537 case oNumberOfPasswordPrompts:
538 intptr = &options->number_of_password_prompts;
541 case oCompressionLevel:
542 intptr = &options->compression_level;
547 if (!arg || *arg == '\0')
548 fatal("%.200s line %d: Missing argument.", filename, linenum);
549 if (arg[0] < '0' || arg[0] > '9')
550 fatal("%.200s line %d: Bad number.", filename, linenum);
551 orig = val64 = strtoll(arg, &endofnumber, 10);
552 if (arg == endofnumber)
553 fatal("%.200s line %d: Bad number.", filename, linenum);
554 switch (toupper(*endofnumber)) {
568 fatal("%.200s line %d: Invalid RekeyLimit suffix",
572 /* detect integer wrap and too-large limits */
573 if ((val64 / scale) != orig || val64 > UINT_MAX)
574 fatal("%.200s line %d: RekeyLimit too large",
577 fatal("%.200s line %d: RekeyLimit too small",
579 if (*activep && options->rekey_limit == -1)
580 options->rekey_limit = (u_int32_t)val64;
585 if (!arg || *arg == '\0')
586 fatal("%.200s line %d: Missing argument.", filename, linenum);
588 intptr = &options->num_identity_files;
589 if (*intptr >= SSH_MAX_IDENTITY_FILES)
590 fatal("%.200s line %d: Too many identity files specified (max %d).",
591 filename, linenum, SSH_MAX_IDENTITY_FILES);
592 charptr = &options->identity_files[*intptr];
593 *charptr = xstrdup(arg);
594 *intptr = *intptr + 1;
599 charptr=&options->xauth_location;
603 charptr = &options->user;
606 if (!arg || *arg == '\0')
607 fatal("%.200s line %d: Missing argument.", filename, linenum);
608 if (*activep && *charptr == NULL)
609 *charptr = xstrdup(arg);
612 case oGlobalKnownHostsFile:
613 charptr = &options->system_hostfile;
616 case oUserKnownHostsFile:
617 charptr = &options->user_hostfile;
620 case oGlobalKnownHostsFile2:
621 charptr = &options->system_hostfile2;
624 case oUserKnownHostsFile2:
625 charptr = &options->user_hostfile2;
629 charptr = &options->hostname;
633 charptr = &options->host_key_alias;
636 case oPreferredAuthentications:
637 charptr = &options->preferred_authentications;
641 charptr = &options->bind_address;
644 case oPKCS11Provider:
645 charptr = &options->pkcs11_provider;
649 charptr = &options->proxy_command;
652 fatal("%.200s line %d: Missing argument.", filename, linenum);
653 len = strspn(s, WHITESPACE "=");
654 if (*activep && *charptr == NULL)
655 *charptr = xstrdup(s + len);
659 intptr = &options->port;
662 if (!arg || *arg == '\0')
663 fatal("%.200s line %d: Missing argument.", filename, linenum);
664 if (arg[0] < '0' || arg[0] > '9')
665 fatal("%.200s line %d: Bad number.", filename, linenum);
667 /* Octal, decimal, or hex format? */
668 value = strtol(arg, &endofnumber, 0);
669 if (arg == endofnumber)
670 fatal("%.200s line %d: Bad number.", filename, linenum);
671 if (*activep && *intptr == -1)
675 case oConnectionAttempts:
676 intptr = &options->connection_attempts;
680 intptr = &options->cipher;
682 if (!arg || *arg == '\0')
683 fatal("%.200s line %d: Missing argument.", filename, linenum);
684 value = cipher_number(arg);
686 fatal("%.200s line %d: Bad cipher '%s'.",
687 filename, linenum, arg ? arg : "<NONE>");
688 if (*activep && *intptr == -1)
694 if (!arg || *arg == '\0')
695 fatal("%.200s line %d: Missing argument.", filename, linenum);
696 if (!ciphers_valid(arg))
697 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
698 filename, linenum, arg ? arg : "<NONE>");
699 if (*activep && options->ciphers == NULL)
700 options->ciphers = xstrdup(arg);
705 if (!arg || *arg == '\0')
706 fatal("%.200s line %d: Missing argument.", filename, linenum);
708 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
709 filename, linenum, arg ? arg : "<NONE>");
710 if (*activep && options->macs == NULL)
711 options->macs = xstrdup(arg);
714 case oHostKeyAlgorithms:
716 if (!arg || *arg == '\0')
717 fatal("%.200s line %d: Missing argument.", filename, linenum);
718 if (!key_names_valid2(arg))
719 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
720 filename, linenum, arg ? arg : "<NONE>");
721 if (*activep && options->hostkeyalgorithms == NULL)
722 options->hostkeyalgorithms = xstrdup(arg);
726 intptr = &options->protocol;
728 if (!arg || *arg == '\0')
729 fatal("%.200s line %d: Missing argument.", filename, linenum);
730 value = proto_spec(arg);
731 if (value == SSH_PROTO_UNKNOWN)
732 fatal("%.200s line %d: Bad protocol spec '%s'.",
733 filename, linenum, arg ? arg : "<NONE>");
734 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
739 log_level_ptr = &options->log_level;
741 value = log_level_number(arg);
742 if (value == SYSLOG_LEVEL_NOT_SET)
743 fatal("%.200s line %d: unsupported log level '%s'",
744 filename, linenum, arg ? arg : "<NONE>");
745 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
746 *log_level_ptr = (LogLevel) value;
751 case oDynamicForward:
753 if (arg == NULL || *arg == '\0')
754 fatal("%.200s line %d: Missing port argument.",
757 if (opcode == oLocalForward ||
758 opcode == oRemoteForward) {
760 if (arg2 == NULL || *arg2 == '\0')
761 fatal("%.200s line %d: Missing target argument.",
764 /* construct a string for parse_forward */
765 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
766 } else if (opcode == oDynamicForward) {
767 strlcpy(fwdarg, arg, sizeof(fwdarg));
770 if (parse_forward(&fwd, fwdarg,
771 opcode == oDynamicForward ? 1 : 0,
772 opcode == oRemoteForward ? 1 : 0) == 0)
773 fatal("%.200s line %d: Bad forwarding specification.",
777 if (opcode == oLocalForward ||
778 opcode == oDynamicForward)
779 add_local_forward(options, &fwd);
780 else if (opcode == oRemoteForward)
781 add_remote_forward(options, &fwd);
785 case oClearAllForwardings:
786 intptr = &options->clear_forwardings;
791 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
792 if (match_pattern(host, arg)) {
793 debug("Applying options for %.100s", arg);
797 /* Avoid garbage check below, as strdelim is done. */
801 intptr = &options->escape_char;
803 if (!arg || *arg == '\0')
804 fatal("%.200s line %d: Missing argument.", filename, linenum);
805 if (arg[0] == '^' && arg[2] == 0 &&
806 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
807 value = (u_char) arg[1] & 31;
808 else if (strlen(arg) == 1)
809 value = (u_char) arg[0];
810 else if (strcmp(arg, "none") == 0)
811 value = SSH_ESCAPECHAR_NONE;
813 fatal("%.200s line %d: Bad escape character.",
816 value = 0; /* Avoid compiler warning. */
818 if (*activep && *intptr == -1)
824 if (!arg || *arg == '\0')
825 fatal("%s line %d: missing address family.",
827 intptr = &options->address_family;
828 if (strcasecmp(arg, "inet") == 0)
830 else if (strcasecmp(arg, "inet6") == 0)
832 else if (strcasecmp(arg, "any") == 0)
835 fatal("Unsupported AddressFamily \"%s\"", arg);
836 if (*activep && *intptr == -1)
840 case oEnableSSHKeysign:
841 intptr = &options->enable_ssh_keysign;
844 case oIdentitiesOnly:
845 intptr = &options->identities_only;
848 case oServerAliveInterval:
849 intptr = &options->server_alive_interval;
852 case oServerAliveCountMax:
853 intptr = &options->server_alive_count_max;
857 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
858 if (strchr(arg, '=') != NULL)
859 fatal("%s line %d: Invalid environment name.",
863 if (options->num_send_env >= MAX_SEND_ENV)
864 fatal("%s line %d: too many send env.",
866 options->send_env[options->num_send_env++] =
872 charptr = &options->control_path;
876 intptr = &options->control_master;
878 if (!arg || *arg == '\0')
879 fatal("%.200s line %d: Missing ControlMaster argument.",
881 value = 0; /* To avoid compiler warning... */
882 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
883 value = SSHCTL_MASTER_YES;
884 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
885 value = SSHCTL_MASTER_NO;
886 else if (strcmp(arg, "auto") == 0)
887 value = SSHCTL_MASTER_AUTO;
888 else if (strcmp(arg, "ask") == 0)
889 value = SSHCTL_MASTER_ASK;
890 else if (strcmp(arg, "autoask") == 0)
891 value = SSHCTL_MASTER_AUTO_ASK;
893 fatal("%.200s line %d: Bad ControlMaster argument.",
895 if (*activep && *intptr == -1)
899 case oHashKnownHosts:
900 intptr = &options->hash_known_hosts;
904 intptr = &options->tun_open;
906 if (!arg || *arg == '\0')
907 fatal("%s line %d: Missing yes/point-to-point/"
908 "ethernet/no argument.", filename, linenum);
909 value = 0; /* silence compiler */
910 if (strcasecmp(arg, "ethernet") == 0)
911 value = SSH_TUNMODE_ETHERNET;
912 else if (strcasecmp(arg, "point-to-point") == 0)
913 value = SSH_TUNMODE_POINTOPOINT;
914 else if (strcasecmp(arg, "yes") == 0)
915 value = SSH_TUNMODE_DEFAULT;
916 else if (strcasecmp(arg, "no") == 0)
917 value = SSH_TUNMODE_NO;
919 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
920 "no argument: %s", filename, linenum, arg);
927 if (!arg || *arg == '\0')
928 fatal("%.200s line %d: Missing argument.", filename, linenum);
929 value = a2tun(arg, &value2);
930 if (value == SSH_TUNID_ERR)
931 fatal("%.200s line %d: Bad tun device.", filename, linenum);
933 options->tun_local = value;
934 options->tun_remote = value2;
939 charptr = &options->local_command;
942 case oPermitLocalCommand:
943 intptr = &options->permit_local_command;
947 intptr = &options->visual_host_key;
951 intptr = &options->use_roaming;
954 case oVersionAddendum:
955 ssh_version_set_addendum(strtok(s, "\n"));
958 } while (arg != NULL && *arg != '\0');
962 intptr = &options->hpn_disabled;
966 intptr = &options->hpn_buffer_size;
970 intptr = &options->tcp_rcv_buf_poll;
974 intptr = &options->tcp_rcv_buf;
977 #ifdef NONE_CIPHER_ENABLED
979 intptr = &options->none_enabled;
983 * We check to see if the command comes from the command line or not.
984 * If it does then enable it otherwise fail. NONE must never be a
985 * default configuration.
988 if (strcmp(filename,"command-line") == 0) {
989 intptr = &options->none_switch;
992 debug("NoneSwitch directive found in %.200s.",
994 error("NoneSwitch is found in %.200s.\n"
995 "You may only use this configuration option "
996 "from the command line", filename);
997 error("Continuing...");
1003 debug("%s line %d: Deprecated option \"%s\"",
1004 filename, linenum, keyword);
1008 error("%s line %d: Unsupported option \"%s\"",
1009 filename, linenum, keyword);
1013 fatal("process_config_line: Unimplemented opcode %d", opcode);
1016 /* Check that there is no garbage at end of line. */
1017 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1018 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
1019 filename, linenum, arg);
1026 * Reads the config file and modifies the options accordingly. Options
1027 * should already be initialized before this call. This never returns if
1028 * there is an error. If the file does not exist, this returns 0.
1032 read_config_file(const char *filename, const char *host, Options *options,
1037 int active, linenum;
1038 int bad_options = 0;
1040 if ((f = fopen(filename, "r")) == NULL)
1046 if (fstat(fileno(f), &sb) == -1)
1047 fatal("fstat %s: %s", filename, strerror(errno));
1048 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
1049 (sb.st_mode & 022) != 0))
1050 fatal("Bad owner or permissions on %s", filename);
1053 debug("Reading configuration data %.200s", filename);
1056 * Mark that we are now processing the options. This flag is turned
1057 * on/off by Host specifications.
1061 while (fgets(line, sizeof(line), f)) {
1062 /* Update line number counter. */
1064 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
1068 if (bad_options > 0)
1069 fatal("%s: terminating, %d bad configuration options",
1070 filename, bad_options);
1075 * Initializes options to special values that indicate that they have not yet
1076 * been set. Read_config_file will only set options with this value. Options
1077 * are processed in the following order: command line, user config file,
1078 * system config file. Last, fill_default_options is called.
1082 initialize_options(Options * options)
1084 memset(options, 'X', sizeof(*options));
1085 options->forward_agent = -1;
1086 options->forward_x11 = -1;
1087 options->forward_x11_trusted = -1;
1088 options->exit_on_forward_failure = -1;
1089 options->xauth_location = NULL;
1090 options->gateway_ports = -1;
1091 options->use_privileged_port = -1;
1092 options->rsa_authentication = -1;
1093 options->pubkey_authentication = -1;
1094 options->challenge_response_authentication = -1;
1095 options->gss_authentication = -1;
1096 options->gss_deleg_creds = -1;
1097 options->password_authentication = -1;
1098 options->kbd_interactive_authentication = -1;
1099 options->kbd_interactive_devices = NULL;
1100 options->rhosts_rsa_authentication = -1;
1101 options->hostbased_authentication = -1;
1102 options->batch_mode = -1;
1103 options->check_host_ip = -1;
1104 options->strict_host_key_checking = -1;
1105 options->compression = -1;
1106 options->tcp_keep_alive = -1;
1107 options->compression_level = -1;
1109 options->address_family = -1;
1110 options->connection_attempts = -1;
1111 options->connection_timeout = -1;
1112 options->number_of_password_prompts = -1;
1113 options->cipher = -1;
1114 options->ciphers = NULL;
1115 options->macs = NULL;
1116 options->hostkeyalgorithms = NULL;
1117 options->protocol = SSH_PROTO_UNKNOWN;
1118 options->num_identity_files = 0;
1119 options->hostname = NULL;
1120 options->host_key_alias = NULL;
1121 options->proxy_command = NULL;
1122 options->user = NULL;
1123 options->escape_char = -1;
1124 options->system_hostfile = NULL;
1125 options->user_hostfile = NULL;
1126 options->system_hostfile2 = NULL;
1127 options->user_hostfile2 = NULL;
1128 options->num_local_forwards = 0;
1129 options->num_remote_forwards = 0;
1130 options->clear_forwardings = -1;
1131 options->log_level = SYSLOG_LEVEL_NOT_SET;
1132 options->preferred_authentications = NULL;
1133 options->bind_address = NULL;
1134 options->pkcs11_provider = NULL;
1135 options->enable_ssh_keysign = - 1;
1136 options->no_host_authentication_for_localhost = - 1;
1137 options->identities_only = - 1;
1138 options->rekey_limit = - 1;
1139 options->verify_host_key_dns = -1;
1140 options->server_alive_interval = -1;
1141 options->server_alive_count_max = -1;
1142 options->num_send_env = 0;
1143 options->control_path = NULL;
1144 options->control_master = -1;
1145 options->hash_known_hosts = -1;
1146 options->tun_open = -1;
1147 options->tun_local = -1;
1148 options->tun_remote = -1;
1149 options->local_command = NULL;
1150 options->permit_local_command = -1;
1151 options->use_roaming = -1;
1152 options->visual_host_key = -1;
1153 options->zero_knowledge_password_authentication = -1;
1154 options->hpn_disabled = -1;
1155 options->hpn_buffer_size = -1;
1156 options->tcp_rcv_buf_poll = -1;
1157 options->tcp_rcv_buf = -1;
1158 #ifdef NONE_CIPHER_ENABLED
1159 options->none_enabled = -1;
1160 options->none_switch = -1;
1165 * Called after processing other sources of option data, this fills those
1166 * options for which no value has been specified with their default values.
1170 fill_default_options(Options * options)
1174 if (options->forward_agent == -1)
1175 options->forward_agent = 0;
1176 if (options->forward_x11 == -1)
1177 options->forward_x11 = 0;
1178 if (options->forward_x11_trusted == -1)
1179 options->forward_x11_trusted = 0;
1180 if (options->exit_on_forward_failure == -1)
1181 options->exit_on_forward_failure = 0;
1182 if (options->xauth_location == NULL)
1183 options->xauth_location = _PATH_XAUTH;
1184 if (options->gateway_ports == -1)
1185 options->gateway_ports = 0;
1186 if (options->use_privileged_port == -1)
1187 options->use_privileged_port = 0;
1188 if (options->rsa_authentication == -1)
1189 options->rsa_authentication = 1;
1190 if (options->pubkey_authentication == -1)
1191 options->pubkey_authentication = 1;
1192 if (options->challenge_response_authentication == -1)
1193 options->challenge_response_authentication = 1;
1194 if (options->gss_authentication == -1)
1195 options->gss_authentication = 0;
1196 if (options->gss_deleg_creds == -1)
1197 options->gss_deleg_creds = 0;
1198 if (options->password_authentication == -1)
1199 options->password_authentication = 1;
1200 if (options->kbd_interactive_authentication == -1)
1201 options->kbd_interactive_authentication = 1;
1202 if (options->rhosts_rsa_authentication == -1)
1203 options->rhosts_rsa_authentication = 0;
1204 if (options->hostbased_authentication == -1)
1205 options->hostbased_authentication = 0;
1206 if (options->batch_mode == -1)
1207 options->batch_mode = 0;
1208 if (options->check_host_ip == -1)
1209 options->check_host_ip = 0;
1210 if (options->strict_host_key_checking == -1)
1211 options->strict_host_key_checking = 2; /* 2 is default */
1212 if (options->compression == -1)
1213 options->compression = 0;
1214 if (options->tcp_keep_alive == -1)
1215 options->tcp_keep_alive = 1;
1216 if (options->compression_level == -1)
1217 options->compression_level = 6;
1218 if (options->port == -1)
1219 options->port = 0; /* Filled in ssh_connect. */
1220 if (options->address_family == -1)
1221 options->address_family = AF_UNSPEC;
1222 if (options->connection_attempts == -1)
1223 options->connection_attempts = 1;
1224 if (options->number_of_password_prompts == -1)
1225 options->number_of_password_prompts = 3;
1226 /* Selected in ssh_login(). */
1227 if (options->cipher == -1)
1228 options->cipher = SSH_CIPHER_NOT_SET;
1229 /* options->ciphers, default set in myproposals.h */
1230 /* options->macs, default set in myproposals.h */
1231 /* options->hostkeyalgorithms, default set in myproposals.h */
1232 if (options->protocol == SSH_PROTO_UNKNOWN)
1233 options->protocol = SSH_PROTO_2;
1234 if (options->num_identity_files == 0) {
1235 if (options->protocol & SSH_PROTO_1) {
1236 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1237 options->identity_files[options->num_identity_files] =
1239 snprintf(options->identity_files[options->num_identity_files++],
1240 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1242 if (options->protocol & SSH_PROTO_2) {
1243 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1244 options->identity_files[options->num_identity_files] =
1246 snprintf(options->identity_files[options->num_identity_files++],
1247 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1249 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1250 options->identity_files[options->num_identity_files] =
1252 snprintf(options->identity_files[options->num_identity_files++],
1253 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1256 if (options->escape_char == -1)
1257 options->escape_char = '~';
1258 if (options->system_hostfile == NULL)
1259 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1260 if (options->user_hostfile == NULL)
1261 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1262 if (options->system_hostfile2 == NULL)
1263 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1264 if (options->user_hostfile2 == NULL)
1265 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1266 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1267 options->log_level = SYSLOG_LEVEL_INFO;
1268 if (options->clear_forwardings == 1)
1269 clear_forwardings(options);
1270 if (options->no_host_authentication_for_localhost == - 1)
1271 options->no_host_authentication_for_localhost = 0;
1272 if (options->identities_only == -1)
1273 options->identities_only = 0;
1274 if (options->enable_ssh_keysign == -1)
1275 options->enable_ssh_keysign = 0;
1276 if (options->rekey_limit == -1)
1277 options->rekey_limit = 0;
1278 if (options->verify_host_key_dns == -1)
1279 options->verify_host_key_dns = 0;
1280 if (options->server_alive_interval == -1)
1281 options->server_alive_interval = 0;
1282 if (options->server_alive_count_max == -1)
1283 options->server_alive_count_max = 3;
1284 if (options->control_master == -1)
1285 options->control_master = 0;
1286 if (options->hash_known_hosts == -1)
1287 options->hash_known_hosts = 0;
1288 if (options->tun_open == -1)
1289 options->tun_open = SSH_TUNMODE_NO;
1290 if (options->tun_local == -1)
1291 options->tun_local = SSH_TUNID_ANY;
1292 if (options->tun_remote == -1)
1293 options->tun_remote = SSH_TUNID_ANY;
1294 if (options->permit_local_command == -1)
1295 options->permit_local_command = 0;
1296 if (options->use_roaming == -1)
1297 options->use_roaming = 1;
1298 if (options->visual_host_key == -1)
1299 options->visual_host_key = 0;
1300 if (options->zero_knowledge_password_authentication == -1)
1301 options->zero_knowledge_password_authentication = 0;
1302 /* options->local_command should not be set by default */
1303 /* options->proxy_command should not be set by default */
1304 /* options->user will be set in the main program if appropriate */
1305 /* options->hostname will be set in the main program if appropriate */
1306 /* options->host_key_alias should not be set by default */
1307 /* options->preferred_authentications will be set in ssh */
1308 if (options->hpn_disabled == -1)
1309 options->hpn_disabled = 0;
1310 if (options->hpn_buffer_size > -1)
1314 /* If a user tries to set the size to 0 set it to 1KB. */
1315 if (options->hpn_buffer_size == 0)
1316 options->hpn_buffer_size = 1024;
1317 /* Limit the buffer to BUFFER_MAX_LEN. */
1318 maxlen = buffer_get_max_len();
1319 if (options->hpn_buffer_size > (maxlen / 1024)) {
1320 debug("User requested buffer larger than %ub: %ub. "
1321 "Request reverted to %ub", maxlen,
1322 options->hpn_buffer_size * 1024, maxlen);
1323 options->hpn_buffer_size = maxlen;
1325 debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
1327 if (options->tcp_rcv_buf == 0)
1328 options->tcp_rcv_buf = 1;
1329 if (options->tcp_rcv_buf > -1)
1330 options->tcp_rcv_buf *= 1024;
1331 if (options->tcp_rcv_buf_poll == -1)
1332 options->tcp_rcv_buf_poll = 1;
1333 #ifdef NONE_CIPHER_ENABLED
1334 /* options->none_enabled must not be set by default */
1335 if (options->none_switch == -1)
1336 options->none_switch = 0;
1342 * Parses a string containing a port forwarding specification of the form:
1344 * [listenhost:]listenport:connecthost:connectport
1346 * [listenhost:]listenport
1347 * Returns the number of arguments parsed, or zero on error.
1350 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1353 char *p, *cp, *fwdarg[4];
1355 memset(fwd, '\0', sizeof(*fwd));
1357 cp = p = xstrdup(fwdspec);
1359 /* skip leading spaces */
1360 while (isspace(*cp))
1363 for (i = 0; i < 4; ++i)
1364 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1367 /* Check for trailing garbage */
1369 i = 0; /* failure */
1373 fwd->listen_host = NULL;
1374 fwd->listen_port = a2port(fwdarg[0]);
1375 fwd->connect_host = xstrdup("socks");
1379 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1380 fwd->listen_port = a2port(fwdarg[1]);
1381 fwd->connect_host = xstrdup("socks");
1385 fwd->listen_host = NULL;
1386 fwd->listen_port = a2port(fwdarg[0]);
1387 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1388 fwd->connect_port = a2port(fwdarg[2]);
1392 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1393 fwd->listen_port = a2port(fwdarg[1]);
1394 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1395 fwd->connect_port = a2port(fwdarg[3]);
1398 i = 0; /* failure */
1404 if (!(i == 1 || i == 2))
1407 if (!(i == 3 || i == 4))
1409 if (fwd->connect_port <= 0)
1413 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
1416 if (fwd->connect_host != NULL &&
1417 strlen(fwd->connect_host) >= NI_MAXHOST)
1419 if (fwd->listen_host != NULL &&
1420 strlen(fwd->listen_host) >= NI_MAXHOST)
1427 if (fwd->connect_host != NULL) {
1428 xfree(fwd->connect_host);
1429 fwd->connect_host = NULL;
1431 if (fwd->listen_host != NULL) {
1432 xfree(fwd->listen_host);
1433 fwd->listen_host = NULL;