1 /* $OpenBSD: readconf.c,v 1.159 2006/08/03 03:34:42 deraadt Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
18 #include <sys/types.h>
20 #include <sys/socket.h>
22 #include <netinet/in.h>
37 #include "pathnames.h"
47 /* Format of the configuration file:
49 # Configuration data is parsed as follows:
50 # 1. command line options
51 # 2. user-specific file
53 # Any configuration value is only changed the first time it is set.
54 # Thus, host-specific definitions should be at the beginning of the
55 # configuration file, and defaults at the end.
57 # Host-specific declarations. These may override anything above. A single
58 # host may match multiple declarations; these are processed in the order
59 # that they are given in.
65 HostName another.host.name.real.org
72 RemoteForward 9999 shadows.cs.hut.fi:9999
78 PasswordAuthentication no
82 ProxyCommand ssh-proxy %h %p
85 PublicKeyAuthentication no
89 PasswordAuthentication no
95 # Defaults for various options
99 PasswordAuthentication yes
100 RSAAuthentication yes
101 RhostsRSAAuthentication yes
102 StrictHostKeyChecking yes
104 IdentityFile ~/.ssh/identity
110 /* Keyword tokens. */
114 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
115 oExitOnForwardFailure,
116 oPasswordAuthentication, oRSAAuthentication,
117 oChallengeResponseAuthentication, oXAuthLocation,
118 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
119 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
120 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
121 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
122 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
123 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
124 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
125 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
126 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
127 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
128 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
129 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
130 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
131 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
132 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
133 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
135 oDeprecated, oUnsupported
138 /* Textual representations of the tokens. */
144 { "forwardagent", oForwardAgent },
145 { "forwardx11", oForwardX11 },
146 { "forwardx11trusted", oForwardX11Trusted },
147 { "exitonforwardfailure", oExitOnForwardFailure },
148 { "xauthlocation", oXAuthLocation },
149 { "gatewayports", oGatewayPorts },
150 { "useprivilegedport", oUsePrivilegedPort },
151 { "rhostsauthentication", oDeprecated },
152 { "passwordauthentication", oPasswordAuthentication },
153 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
154 { "kbdinteractivedevices", oKbdInteractiveDevices },
155 { "rsaauthentication", oRSAAuthentication },
156 { "pubkeyauthentication", oPubkeyAuthentication },
157 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
158 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
159 { "hostbasedauthentication", oHostbasedAuthentication },
160 { "challengeresponseauthentication", oChallengeResponseAuthentication },
161 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
162 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
163 { "kerberosauthentication", oUnsupported },
164 { "kerberostgtpassing", oUnsupported },
165 { "afstokenpassing", oUnsupported },
167 { "gssapiauthentication", oGssAuthentication },
168 { "gssapidelegatecredentials", oGssDelegateCreds },
170 { "gssapiauthentication", oUnsupported },
171 { "gssapidelegatecredentials", oUnsupported },
173 { "fallbacktorsh", oDeprecated },
174 { "usersh", oDeprecated },
175 { "identityfile", oIdentityFile },
176 { "identityfile2", oIdentityFile }, /* alias */
177 { "identitiesonly", oIdentitiesOnly },
178 { "hostname", oHostName },
179 { "hostkeyalias", oHostKeyAlias },
180 { "proxycommand", oProxyCommand },
182 { "cipher", oCipher },
183 { "ciphers", oCiphers },
185 { "protocol", oProtocol },
186 { "remoteforward", oRemoteForward },
187 { "localforward", oLocalForward },
190 { "escapechar", oEscapeChar },
191 { "globalknownhostsfile", oGlobalKnownHostsFile },
192 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
193 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
194 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
195 { "connectionattempts", oConnectionAttempts },
196 { "batchmode", oBatchMode },
197 { "checkhostip", oCheckHostIP },
198 { "stricthostkeychecking", oStrictHostKeyChecking },
199 { "compression", oCompression },
200 { "compressionlevel", oCompressionLevel },
201 { "tcpkeepalive", oTCPKeepAlive },
202 { "keepalive", oTCPKeepAlive }, /* obsolete */
203 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
204 { "loglevel", oLogLevel },
205 { "dynamicforward", oDynamicForward },
206 { "preferredauthentications", oPreferredAuthentications },
207 { "hostkeyalgorithms", oHostKeyAlgorithms },
208 { "bindaddress", oBindAddress },
210 { "smartcarddevice", oSmartcardDevice },
212 { "smartcarddevice", oUnsupported },
214 { "clearallforwardings", oClearAllForwardings },
215 { "enablesshkeysign", oEnableSSHKeysign },
216 { "verifyhostkeydns", oVerifyHostKeyDNS },
217 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
218 { "rekeylimit", oRekeyLimit },
219 { "connecttimeout", oConnectTimeout },
220 { "addressfamily", oAddressFamily },
221 { "serveraliveinterval", oServerAliveInterval },
222 { "serveralivecountmax", oServerAliveCountMax },
223 { "sendenv", oSendEnv },
224 { "controlpath", oControlPath },
225 { "controlmaster", oControlMaster },
226 { "hashknownhosts", oHashKnownHosts },
227 { "tunnel", oTunnel },
228 { "tunneldevice", oTunnelDevice },
229 { "localcommand", oLocalCommand },
230 { "permitlocalcommand", oPermitLocalCommand },
231 { "versionaddendum", oVersionAddendum },
236 * Adds a local TCP/IP port forward to options. Never returns if there is an
241 add_local_forward(Options *options, const Forward *newfwd)
244 #ifndef NO_IPPORT_RESERVED_CONCEPT
245 extern uid_t original_real_uid;
246 if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
247 fatal("Privileged ports can only be forwarded by root.");
249 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
250 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
251 fwd = &options->local_forwards[options->num_local_forwards++];
253 fwd->listen_host = (newfwd->listen_host == NULL) ?
254 NULL : xstrdup(newfwd->listen_host);
255 fwd->listen_port = newfwd->listen_port;
256 fwd->connect_host = xstrdup(newfwd->connect_host);
257 fwd->connect_port = newfwd->connect_port;
261 * Adds a remote TCP/IP port forward to options. Never returns if there is
266 add_remote_forward(Options *options, const Forward *newfwd)
269 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
270 fatal("Too many remote forwards (max %d).",
271 SSH_MAX_FORWARDS_PER_DIRECTION);
272 fwd = &options->remote_forwards[options->num_remote_forwards++];
274 fwd->listen_host = (newfwd->listen_host == NULL) ?
275 NULL : xstrdup(newfwd->listen_host);
276 fwd->listen_port = newfwd->listen_port;
277 fwd->connect_host = xstrdup(newfwd->connect_host);
278 fwd->connect_port = newfwd->connect_port;
282 clear_forwardings(Options *options)
286 for (i = 0; i < options->num_local_forwards; i++) {
287 if (options->local_forwards[i].listen_host != NULL)
288 xfree(options->local_forwards[i].listen_host);
289 xfree(options->local_forwards[i].connect_host);
291 options->num_local_forwards = 0;
292 for (i = 0; i < options->num_remote_forwards; i++) {
293 if (options->remote_forwards[i].listen_host != NULL)
294 xfree(options->remote_forwards[i].listen_host);
295 xfree(options->remote_forwards[i].connect_host);
297 options->num_remote_forwards = 0;
298 options->tun_open = SSH_TUNMODE_NO;
302 * Returns the number of the token pointed to by cp or oBadOption.
306 parse_token(const char *cp, const char *filename, int linenum)
310 for (i = 0; keywords[i].name; i++)
311 if (strcasecmp(cp, keywords[i].name) == 0)
312 return keywords[i].opcode;
314 error("%s: line %d: Bad configuration option: %s",
315 filename, linenum, cp);
320 * Processes a single option line as used in the configuration files. This
321 * only sets those values that have not already been set.
323 #define WHITESPACE " \t\r\n"
326 process_config_line(Options *options, const char *host,
327 char *line, const char *filename, int linenum,
330 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
331 int opcode, *intptr, value, value2, scale;
332 long long orig, val64;
336 /* Strip trailing whitespace */
337 for (len = strlen(line) - 1; len > 0; len--) {
338 if (strchr(WHITESPACE, line[len]) == NULL)
344 /* Get the keyword. (Each line is supposed to begin with a keyword). */
345 if ((keyword = strdelim(&s)) == NULL)
347 /* Ignore leading whitespace. */
348 if (*keyword == '\0')
349 keyword = strdelim(&s);
350 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
353 opcode = parse_token(keyword, filename, linenum);
357 /* don't panic, but count bad options */
360 case oConnectTimeout:
361 intptr = &options->connection_timeout;
364 if (!arg || *arg == '\0')
365 fatal("%s line %d: missing time value.",
367 if ((value = convtime(arg)) == -1)
368 fatal("%s line %d: invalid time value.",
375 intptr = &options->forward_agent;
378 if (!arg || *arg == '\0')
379 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
380 value = 0; /* To avoid compiler warning... */
381 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
383 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
386 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
387 if (*activep && *intptr == -1)
392 intptr = &options->forward_x11;
395 case oForwardX11Trusted:
396 intptr = &options->forward_x11_trusted;
400 intptr = &options->gateway_ports;
403 case oExitOnForwardFailure:
404 intptr = &options->exit_on_forward_failure;
407 case oUsePrivilegedPort:
408 intptr = &options->use_privileged_port;
411 case oPasswordAuthentication:
412 intptr = &options->password_authentication;
415 case oKbdInteractiveAuthentication:
416 intptr = &options->kbd_interactive_authentication;
419 case oKbdInteractiveDevices:
420 charptr = &options->kbd_interactive_devices;
423 case oPubkeyAuthentication:
424 intptr = &options->pubkey_authentication;
427 case oRSAAuthentication:
428 intptr = &options->rsa_authentication;
431 case oRhostsRSAAuthentication:
432 intptr = &options->rhosts_rsa_authentication;
435 case oHostbasedAuthentication:
436 intptr = &options->hostbased_authentication;
439 case oChallengeResponseAuthentication:
440 intptr = &options->challenge_response_authentication;
443 case oGssAuthentication:
444 intptr = &options->gss_authentication;
447 case oGssDelegateCreds:
448 intptr = &options->gss_deleg_creds;
452 intptr = &options->batch_mode;
456 intptr = &options->check_host_ip;
459 case oVerifyHostKeyDNS:
460 intptr = &options->verify_host_key_dns;
463 case oStrictHostKeyChecking:
464 intptr = &options->strict_host_key_checking;
467 if (!arg || *arg == '\0')
468 fatal("%.200s line %d: Missing yes/no/ask argument.",
470 value = 0; /* To avoid compiler warning... */
471 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
473 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
475 else if (strcmp(arg, "ask") == 0)
478 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
479 if (*activep && *intptr == -1)
484 intptr = &options->compression;
488 intptr = &options->tcp_keep_alive;
491 case oNoHostAuthenticationForLocalhost:
492 intptr = &options->no_host_authentication_for_localhost;
495 case oNumberOfPasswordPrompts:
496 intptr = &options->number_of_password_prompts;
499 case oCompressionLevel:
500 intptr = &options->compression_level;
504 intptr = &options->rekey_limit;
506 if (!arg || *arg == '\0')
507 fatal("%.200s line %d: Missing argument.", filename, linenum);
508 if (arg[0] < '0' || arg[0] > '9')
509 fatal("%.200s line %d: Bad number.", filename, linenum);
510 orig = val64 = strtoll(arg, &endofnumber, 10);
511 if (arg == endofnumber)
512 fatal("%.200s line %d: Bad number.", filename, linenum);
513 switch (toupper(*endofnumber)) {
527 fatal("%.200s line %d: Invalid RekeyLimit suffix",
531 /* detect integer wrap and too-large limits */
532 if ((val64 / scale) != orig || val64 > INT_MAX)
533 fatal("%.200s line %d: RekeyLimit too large",
536 fatal("%.200s line %d: RekeyLimit too small",
538 if (*activep && *intptr == -1)
539 *intptr = (int)val64;
544 if (!arg || *arg == '\0')
545 fatal("%.200s line %d: Missing argument.", filename, linenum);
547 intptr = &options->num_identity_files;
548 if (*intptr >= SSH_MAX_IDENTITY_FILES)
549 fatal("%.200s line %d: Too many identity files specified (max %d).",
550 filename, linenum, SSH_MAX_IDENTITY_FILES);
551 charptr = &options->identity_files[*intptr];
552 *charptr = xstrdup(arg);
553 *intptr = *intptr + 1;
558 charptr=&options->xauth_location;
562 charptr = &options->user;
565 if (!arg || *arg == '\0')
566 fatal("%.200s line %d: Missing argument.", filename, linenum);
567 if (*activep && *charptr == NULL)
568 *charptr = xstrdup(arg);
571 case oGlobalKnownHostsFile:
572 charptr = &options->system_hostfile;
575 case oUserKnownHostsFile:
576 charptr = &options->user_hostfile;
579 case oGlobalKnownHostsFile2:
580 charptr = &options->system_hostfile2;
583 case oUserKnownHostsFile2:
584 charptr = &options->user_hostfile2;
588 charptr = &options->hostname;
592 charptr = &options->host_key_alias;
595 case oPreferredAuthentications:
596 charptr = &options->preferred_authentications;
600 charptr = &options->bind_address;
603 case oSmartcardDevice:
604 charptr = &options->smartcard_device;
608 charptr = &options->proxy_command;
611 fatal("%.200s line %d: Missing argument.", filename, linenum);
612 len = strspn(s, WHITESPACE "=");
613 if (*activep && *charptr == NULL)
614 *charptr = xstrdup(s + len);
618 intptr = &options->port;
621 if (!arg || *arg == '\0')
622 fatal("%.200s line %d: Missing argument.", filename, linenum);
623 if (arg[0] < '0' || arg[0] > '9')
624 fatal("%.200s line %d: Bad number.", filename, linenum);
626 /* Octal, decimal, or hex format? */
627 value = strtol(arg, &endofnumber, 0);
628 if (arg == endofnumber)
629 fatal("%.200s line %d: Bad number.", filename, linenum);
630 if (*activep && *intptr == -1)
634 case oConnectionAttempts:
635 intptr = &options->connection_attempts;
639 intptr = &options->cipher;
641 if (!arg || *arg == '\0')
642 fatal("%.200s line %d: Missing argument.", filename, linenum);
643 value = cipher_number(arg);
645 fatal("%.200s line %d: Bad cipher '%s'.",
646 filename, linenum, arg ? arg : "<NONE>");
647 if (*activep && *intptr == -1)
653 if (!arg || *arg == '\0')
654 fatal("%.200s line %d: Missing argument.", filename, linenum);
655 if (!ciphers_valid(arg))
656 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
657 filename, linenum, arg ? arg : "<NONE>");
658 if (*activep && options->ciphers == NULL)
659 options->ciphers = xstrdup(arg);
664 if (!arg || *arg == '\0')
665 fatal("%.200s line %d: Missing argument.", filename, linenum);
667 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
668 filename, linenum, arg ? arg : "<NONE>");
669 if (*activep && options->macs == NULL)
670 options->macs = xstrdup(arg);
673 case oHostKeyAlgorithms:
675 if (!arg || *arg == '\0')
676 fatal("%.200s line %d: Missing argument.", filename, linenum);
677 if (!key_names_valid2(arg))
678 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
679 filename, linenum, arg ? arg : "<NONE>");
680 if (*activep && options->hostkeyalgorithms == NULL)
681 options->hostkeyalgorithms = xstrdup(arg);
685 intptr = &options->protocol;
687 if (!arg || *arg == '\0')
688 fatal("%.200s line %d: Missing argument.", filename, linenum);
689 value = proto_spec(arg);
690 if (value == SSH_PROTO_UNKNOWN)
691 fatal("%.200s line %d: Bad protocol spec '%s'.",
692 filename, linenum, arg ? arg : "<NONE>");
693 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
698 intptr = (int *) &options->log_level;
700 value = log_level_number(arg);
701 if (value == SYSLOG_LEVEL_NOT_SET)
702 fatal("%.200s line %d: unsupported log level '%s'",
703 filename, linenum, arg ? arg : "<NONE>");
704 if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
705 *intptr = (LogLevel) value;
711 if (arg == NULL || *arg == '\0')
712 fatal("%.200s line %d: Missing port argument.",
715 if (arg2 == NULL || *arg2 == '\0')
716 fatal("%.200s line %d: Missing target argument.",
719 /* construct a string for parse_forward */
720 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
722 if (parse_forward(&fwd, fwdarg) == 0)
723 fatal("%.200s line %d: Bad forwarding specification.",
727 if (opcode == oLocalForward)
728 add_local_forward(options, &fwd);
729 else if (opcode == oRemoteForward)
730 add_remote_forward(options, &fwd);
734 case oDynamicForward:
736 if (!arg || *arg == '\0')
737 fatal("%.200s line %d: Missing port argument.",
739 memset(&fwd, '\0', sizeof(fwd));
740 fwd.connect_host = "socks";
741 fwd.listen_host = hpdelim(&arg);
742 if (fwd.listen_host == NULL ||
743 strlen(fwd.listen_host) >= NI_MAXHOST)
744 fatal("%.200s line %d: Bad forwarding specification.",
747 fwd.listen_port = a2port(arg);
748 fwd.listen_host = cleanhostname(fwd.listen_host);
750 fwd.listen_port = a2port(fwd.listen_host);
751 fwd.listen_host = NULL;
753 if (fwd.listen_port == 0)
754 fatal("%.200s line %d: Badly formatted port number.",
757 add_local_forward(options, &fwd);
760 case oClearAllForwardings:
761 intptr = &options->clear_forwardings;
766 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
767 if (match_pattern(host, arg)) {
768 debug("Applying options for %.100s", arg);
772 /* Avoid garbage check below, as strdelim is done. */
776 intptr = &options->escape_char;
778 if (!arg || *arg == '\0')
779 fatal("%.200s line %d: Missing argument.", filename, linenum);
780 if (arg[0] == '^' && arg[2] == 0 &&
781 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
782 value = (u_char) arg[1] & 31;
783 else if (strlen(arg) == 1)
784 value = (u_char) arg[0];
785 else if (strcmp(arg, "none") == 0)
786 value = SSH_ESCAPECHAR_NONE;
788 fatal("%.200s line %d: Bad escape character.",
791 value = 0; /* Avoid compiler warning. */
793 if (*activep && *intptr == -1)
799 if (!arg || *arg == '\0')
800 fatal("%s line %d: missing address family.",
802 intptr = &options->address_family;
803 if (strcasecmp(arg, "inet") == 0)
805 else if (strcasecmp(arg, "inet6") == 0)
807 else if (strcasecmp(arg, "any") == 0)
810 fatal("Unsupported AddressFamily \"%s\"", arg);
811 if (*activep && *intptr == -1)
815 case oEnableSSHKeysign:
816 intptr = &options->enable_ssh_keysign;
819 case oIdentitiesOnly:
820 intptr = &options->identities_only;
823 case oServerAliveInterval:
824 intptr = &options->server_alive_interval;
827 case oServerAliveCountMax:
828 intptr = &options->server_alive_count_max;
832 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
833 if (strchr(arg, '=') != NULL)
834 fatal("%s line %d: Invalid environment name.",
838 if (options->num_send_env >= MAX_SEND_ENV)
839 fatal("%s line %d: too many send env.",
841 options->send_env[options->num_send_env++] =
847 charptr = &options->control_path;
851 intptr = &options->control_master;
853 if (!arg || *arg == '\0')
854 fatal("%.200s line %d: Missing ControlMaster argument.",
856 value = 0; /* To avoid compiler warning... */
857 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
858 value = SSHCTL_MASTER_YES;
859 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
860 value = SSHCTL_MASTER_NO;
861 else if (strcmp(arg, "auto") == 0)
862 value = SSHCTL_MASTER_AUTO;
863 else if (strcmp(arg, "ask") == 0)
864 value = SSHCTL_MASTER_ASK;
865 else if (strcmp(arg, "autoask") == 0)
866 value = SSHCTL_MASTER_AUTO_ASK;
868 fatal("%.200s line %d: Bad ControlMaster argument.",
870 if (*activep && *intptr == -1)
874 case oHashKnownHosts:
875 intptr = &options->hash_known_hosts;
879 intptr = &options->tun_open;
881 if (!arg || *arg == '\0')
882 fatal("%s line %d: Missing yes/point-to-point/"
883 "ethernet/no argument.", filename, linenum);
884 value = 0; /* silence compiler */
885 if (strcasecmp(arg, "ethernet") == 0)
886 value = SSH_TUNMODE_ETHERNET;
887 else if (strcasecmp(arg, "point-to-point") == 0)
888 value = SSH_TUNMODE_POINTOPOINT;
889 else if (strcasecmp(arg, "yes") == 0)
890 value = SSH_TUNMODE_DEFAULT;
891 else if (strcasecmp(arg, "no") == 0)
892 value = SSH_TUNMODE_NO;
894 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
895 "no argument: %s", filename, linenum, arg);
902 if (!arg || *arg == '\0')
903 fatal("%.200s line %d: Missing argument.", filename, linenum);
904 value = a2tun(arg, &value2);
905 if (value == SSH_TUNID_ERR)
906 fatal("%.200s line %d: Bad tun device.", filename, linenum);
908 options->tun_local = value;
909 options->tun_remote = value2;
914 charptr = &options->local_command;
917 case oPermitLocalCommand:
918 intptr = &options->permit_local_command;
921 case oVersionAddendum:
922 ssh_version_set_addendum(strtok(s, "\n"));
925 } while (arg != NULL && *arg != '\0');
929 debug("%s line %d: Deprecated option \"%s\"",
930 filename, linenum, keyword);
934 error("%s line %d: Unsupported option \"%s\"",
935 filename, linenum, keyword);
939 fatal("process_config_line: Unimplemented opcode %d", opcode);
942 /* Check that there is no garbage at end of line. */
943 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
944 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
945 filename, linenum, arg);
952 * Reads the config file and modifies the options accordingly. Options
953 * should already be initialized before this call. This never returns if
954 * there is an error. If the file does not exist, this returns 0.
958 read_config_file(const char *filename, const char *host, Options *options,
967 if ((f = fopen(filename, "r")) == NULL)
973 if (fstat(fileno(f), &sb) == -1)
974 fatal("fstat %s: %s", filename, strerror(errno));
975 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
976 (sb.st_mode & 022) != 0))
977 fatal("Bad owner or permissions on %s", filename);
980 debug("Reading configuration data %.200s", filename);
983 * Mark that we are now processing the options. This flag is turned
984 * on/off by Host specifications.
988 while (fgets(line, sizeof(line), f)) {
989 /* Update line number counter. */
991 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
996 fatal("%s: terminating, %d bad configuration options",
997 filename, bad_options);
1002 * Initializes options to special values that indicate that they have not yet
1003 * been set. Read_config_file will only set options with this value. Options
1004 * are processed in the following order: command line, user config file,
1005 * system config file. Last, fill_default_options is called.
1009 initialize_options(Options * options)
1011 memset(options, 'X', sizeof(*options));
1012 options->forward_agent = -1;
1013 options->forward_x11 = -1;
1014 options->forward_x11_trusted = -1;
1015 options->exit_on_forward_failure = -1;
1016 options->xauth_location = NULL;
1017 options->gateway_ports = -1;
1018 options->use_privileged_port = -1;
1019 options->rsa_authentication = -1;
1020 options->pubkey_authentication = -1;
1021 options->challenge_response_authentication = -1;
1022 options->gss_authentication = -1;
1023 options->gss_deleg_creds = -1;
1024 options->password_authentication = -1;
1025 options->kbd_interactive_authentication = -1;
1026 options->kbd_interactive_devices = NULL;
1027 options->rhosts_rsa_authentication = -1;
1028 options->hostbased_authentication = -1;
1029 options->batch_mode = -1;
1030 options->check_host_ip = -1;
1031 options->strict_host_key_checking = -1;
1032 options->compression = -1;
1033 options->tcp_keep_alive = -1;
1034 options->compression_level = -1;
1036 options->address_family = -1;
1037 options->connection_attempts = -1;
1038 options->connection_timeout = -1;
1039 options->number_of_password_prompts = -1;
1040 options->cipher = -1;
1041 options->ciphers = NULL;
1042 options->macs = NULL;
1043 options->hostkeyalgorithms = NULL;
1044 options->protocol = SSH_PROTO_UNKNOWN;
1045 options->num_identity_files = 0;
1046 options->hostname = NULL;
1047 options->host_key_alias = NULL;
1048 options->proxy_command = NULL;
1049 options->user = NULL;
1050 options->escape_char = -1;
1051 options->system_hostfile = NULL;
1052 options->user_hostfile = NULL;
1053 options->system_hostfile2 = NULL;
1054 options->user_hostfile2 = NULL;
1055 options->num_local_forwards = 0;
1056 options->num_remote_forwards = 0;
1057 options->clear_forwardings = -1;
1058 options->log_level = SYSLOG_LEVEL_NOT_SET;
1059 options->preferred_authentications = NULL;
1060 options->bind_address = NULL;
1061 options->smartcard_device = NULL;
1062 options->enable_ssh_keysign = - 1;
1063 options->no_host_authentication_for_localhost = - 1;
1064 options->identities_only = - 1;
1065 options->rekey_limit = - 1;
1066 options->verify_host_key_dns = -1;
1067 options->server_alive_interval = -1;
1068 options->server_alive_count_max = -1;
1069 options->num_send_env = 0;
1070 options->control_path = NULL;
1071 options->control_master = -1;
1072 options->hash_known_hosts = -1;
1073 options->tun_open = -1;
1074 options->tun_local = -1;
1075 options->tun_remote = -1;
1076 options->local_command = NULL;
1077 options->permit_local_command = -1;
1081 * Called after processing other sources of option data, this fills those
1082 * options for which no value has been specified with their default values.
1086 fill_default_options(Options * options)
1090 if (options->forward_agent == -1)
1091 options->forward_agent = 0;
1092 if (options->forward_x11 == -1)
1093 options->forward_x11 = 0;
1094 if (options->forward_x11_trusted == -1)
1095 options->forward_x11_trusted = 0;
1096 if (options->exit_on_forward_failure == -1)
1097 options->exit_on_forward_failure = 0;
1098 if (options->xauth_location == NULL)
1099 options->xauth_location = _PATH_XAUTH;
1100 if (options->gateway_ports == -1)
1101 options->gateway_ports = 0;
1102 if (options->use_privileged_port == -1)
1103 options->use_privileged_port = 0;
1104 if (options->rsa_authentication == -1)
1105 options->rsa_authentication = 1;
1106 if (options->pubkey_authentication == -1)
1107 options->pubkey_authentication = 1;
1108 if (options->challenge_response_authentication == -1)
1109 options->challenge_response_authentication = 1;
1110 if (options->gss_authentication == -1)
1111 options->gss_authentication = 0;
1112 if (options->gss_deleg_creds == -1)
1113 options->gss_deleg_creds = 0;
1114 if (options->password_authentication == -1)
1115 options->password_authentication = 1;
1116 if (options->kbd_interactive_authentication == -1)
1117 options->kbd_interactive_authentication = 1;
1118 if (options->rhosts_rsa_authentication == -1)
1119 options->rhosts_rsa_authentication = 0;
1120 if (options->hostbased_authentication == -1)
1121 options->hostbased_authentication = 0;
1122 if (options->batch_mode == -1)
1123 options->batch_mode = 0;
1124 if (options->check_host_ip == -1)
1125 options->check_host_ip = 0;
1126 if (options->strict_host_key_checking == -1)
1127 options->strict_host_key_checking = 2; /* 2 is default */
1128 if (options->compression == -1)
1129 options->compression = 0;
1130 if (options->tcp_keep_alive == -1)
1131 options->tcp_keep_alive = 1;
1132 if (options->compression_level == -1)
1133 options->compression_level = 6;
1134 if (options->port == -1)
1135 options->port = 0; /* Filled in ssh_connect. */
1136 if (options->address_family == -1)
1137 options->address_family = AF_UNSPEC;
1138 if (options->connection_attempts == -1)
1139 options->connection_attempts = 1;
1140 if (options->number_of_password_prompts == -1)
1141 options->number_of_password_prompts = 3;
1142 /* Selected in ssh_login(). */
1143 if (options->cipher == -1)
1144 options->cipher = SSH_CIPHER_NOT_SET;
1145 /* options->ciphers, default set in myproposals.h */
1146 /* options->macs, default set in myproposals.h */
1147 /* options->hostkeyalgorithms, default set in myproposals.h */
1148 if (options->protocol == SSH_PROTO_UNKNOWN)
1149 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
1150 if (options->num_identity_files == 0) {
1151 if (options->protocol & SSH_PROTO_1) {
1152 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1153 options->identity_files[options->num_identity_files] =
1155 snprintf(options->identity_files[options->num_identity_files++],
1156 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1158 if (options->protocol & SSH_PROTO_2) {
1159 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1160 options->identity_files[options->num_identity_files] =
1162 snprintf(options->identity_files[options->num_identity_files++],
1163 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1165 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1166 options->identity_files[options->num_identity_files] =
1168 snprintf(options->identity_files[options->num_identity_files++],
1169 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1172 if (options->escape_char == -1)
1173 options->escape_char = '~';
1174 if (options->system_hostfile == NULL)
1175 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1176 if (options->user_hostfile == NULL)
1177 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1178 if (options->system_hostfile2 == NULL)
1179 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1180 if (options->user_hostfile2 == NULL)
1181 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1182 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1183 options->log_level = SYSLOG_LEVEL_INFO;
1184 if (options->clear_forwardings == 1)
1185 clear_forwardings(options);
1186 if (options->no_host_authentication_for_localhost == - 1)
1187 options->no_host_authentication_for_localhost = 0;
1188 if (options->identities_only == -1)
1189 options->identities_only = 0;
1190 if (options->enable_ssh_keysign == -1)
1191 options->enable_ssh_keysign = 0;
1192 if (options->rekey_limit == -1)
1193 options->rekey_limit = 0;
1194 if (options->verify_host_key_dns == -1)
1195 options->verify_host_key_dns = 0;
1196 if (options->server_alive_interval == -1)
1197 options->server_alive_interval = 0;
1198 if (options->server_alive_count_max == -1)
1199 options->server_alive_count_max = 3;
1200 if (options->control_master == -1)
1201 options->control_master = 0;
1202 if (options->hash_known_hosts == -1)
1203 options->hash_known_hosts = 0;
1204 if (options->tun_open == -1)
1205 options->tun_open = SSH_TUNMODE_NO;
1206 if (options->tun_local == -1)
1207 options->tun_local = SSH_TUNID_ANY;
1208 if (options->tun_remote == -1)
1209 options->tun_remote = SSH_TUNID_ANY;
1210 if (options->permit_local_command == -1)
1211 options->permit_local_command = 0;
1212 /* options->local_command should not be set by default */
1213 /* options->proxy_command should not be set by default */
1214 /* options->user will be set in the main program if appropriate */
1215 /* options->hostname will be set in the main program if appropriate */
1216 /* options->host_key_alias should not be set by default */
1217 /* options->preferred_authentications will be set in ssh */
1222 * parses a string containing a port forwarding specification of the form:
1223 * [listenhost:]listenport:connecthost:connectport
1224 * returns number of arguments parsed or zero on error
1227 parse_forward(Forward *fwd, const char *fwdspec)
1230 char *p, *cp, *fwdarg[4];
1232 memset(fwd, '\0', sizeof(*fwd));
1234 cp = p = xstrdup(fwdspec);
1236 /* skip leading spaces */
1237 while (*cp && isspace(*cp))
1240 for (i = 0; i < 4; ++i)
1241 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1244 /* Check for trailing garbage in 4-arg case*/
1246 i = 0; /* failure */
1250 fwd->listen_host = NULL;
1251 fwd->listen_port = a2port(fwdarg[0]);
1252 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1253 fwd->connect_port = a2port(fwdarg[2]);
1257 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1258 fwd->listen_port = a2port(fwdarg[1]);
1259 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1260 fwd->connect_port = a2port(fwdarg[3]);
1263 i = 0; /* failure */
1268 if (fwd->listen_port == 0 && fwd->connect_port == 0)
1271 if (fwd->connect_host != NULL &&
1272 strlen(fwd->connect_host) >= NI_MAXHOST)
1278 if (fwd->connect_host != NULL)
1279 xfree(fwd->connect_host);
1280 if (fwd->listen_host != NULL)
1281 xfree(fwd->listen_host);