1 /* $OpenBSD: readconf.c,v 1.177 2009/06/27 09:35:06 andreas Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
18 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <sys/sysctl.h>
23 #include <netinet/in.h>
38 #include "pathnames.h"
49 /* Format of the configuration file:
51 # Configuration data is parsed as follows:
52 # 1. command line options
53 # 2. user-specific file
55 # Any configuration value is only changed the first time it is set.
56 # Thus, host-specific definitions should be at the beginning of the
57 # configuration file, and defaults at the end.
59 # Host-specific declarations. These may override anything above. A single
60 # host may match multiple declarations; these are processed in the order
61 # that they are given in.
67 HostName another.host.name.real.org
74 RemoteForward 9999 shadows.cs.hut.fi:9999
80 PasswordAuthentication no
84 ProxyCommand ssh-proxy %h %p
87 PublicKeyAuthentication no
91 PasswordAuthentication no
97 # Defaults for various options
101 PasswordAuthentication yes
102 RSAAuthentication yes
103 RhostsRSAAuthentication yes
104 StrictHostKeyChecking yes
106 IdentityFile ~/.ssh/identity
112 /* Keyword tokens. */
116 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
117 oExitOnForwardFailure,
118 oPasswordAuthentication, oRSAAuthentication,
119 oChallengeResponseAuthentication, oXAuthLocation,
120 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
121 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
122 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
123 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
124 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
125 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
126 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
127 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
128 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
129 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
130 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
131 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
132 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
133 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
134 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
135 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
136 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
/* Real opcodes for keywords that are still recognised but no longer acted
 * on, so old configs keep parsing; process_config_line only logs them.
 * (oVersionAddendum, referenced by the keyword table, is declared on a line
 * not shown here.) */
138 oDeprecated, oUnsupported
141 /* Textual representations of the tokens. */
/* Looked up by parse_token with a linear, case-insensitive scan; the first
 * match wins. Entries that appear twice under the same name (the gssapi
 * pair, smartcarddevice, zeroknowledgepasswordauthentication) are
 * presumably selected by preprocessor conditionals on lines not shown; if
 * both were compiled in, only the first could ever match. */
147 { "forwardagent", oForwardAgent },
148 { "forwardx11", oForwardX11 },
149 { "forwardx11trusted", oForwardX11Trusted },
150 { "exitonforwardfailure", oExitOnForwardFailure },
151 { "xauthlocation", oXAuthLocation },
152 { "gatewayports", oGatewayPorts },
153 { "useprivilegedport", oUsePrivilegedPort },
/* oDeprecated keywords are accepted and only logged at debug level;
 * oUnsupported ones log an error (see process_config_line). */
154 { "rhostsauthentication", oDeprecated },
155 { "passwordauthentication", oPasswordAuthentication },
156 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
157 { "kbdinteractivedevices", oKbdInteractiveDevices },
158 { "rsaauthentication", oRSAAuthentication },
159 { "pubkeyauthentication", oPubkeyAuthentication },
160 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
161 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
162 { "hostbasedauthentication", oHostbasedAuthentication },
163 { "challengeresponseauthentication", oChallengeResponseAuthentication },
164 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
165 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
166 { "kerberosauthentication", oUnsupported },
167 { "kerberostgtpassing", oUnsupported },
168 { "afstokenpassing", oUnsupported },
170 { "gssapiauthentication", oGssAuthentication },
171 { "gssapidelegatecredentials", oGssDelegateCreds },
173 { "gssapiauthentication", oUnsupported },
174 { "gssapidelegatecredentials", oUnsupported },
176 { "fallbacktorsh", oDeprecated },
177 { "usersh", oDeprecated },
178 { "identityfile", oIdentityFile },
179 { "identityfile2", oIdentityFile }, /* obsolete */
180 { "identitiesonly", oIdentitiesOnly },
181 { "hostname", oHostName },
182 { "hostkeyalias", oHostKeyAlias },
183 { "proxycommand", oProxyCommand },
185 { "cipher", oCipher },
186 { "ciphers", oCiphers },
188 { "protocol", oProtocol },
189 { "remoteforward", oRemoteForward },
190 { "localforward", oLocalForward },
193 { "escapechar", oEscapeChar },
194 { "globalknownhostsfile", oGlobalKnownHostsFile },
195 { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */
196 { "userknownhostsfile", oUserKnownHostsFile },
197 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
198 { "connectionattempts", oConnectionAttempts },
199 { "batchmode", oBatchMode },
200 { "checkhostip", oCheckHostIP },
201 { "stricthostkeychecking", oStrictHostKeyChecking },
202 { "compression", oCompression },
203 { "compressionlevel", oCompressionLevel },
204 { "tcpkeepalive", oTCPKeepAlive },
205 { "keepalive", oTCPKeepAlive }, /* obsolete */
206 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
207 { "loglevel", oLogLevel },
208 { "dynamicforward", oDynamicForward },
209 { "preferredauthentications", oPreferredAuthentications },
210 { "hostkeyalgorithms", oHostKeyAlgorithms },
211 { "bindaddress", oBindAddress },
213 { "smartcarddevice", oSmartcardDevice },
215 { "smartcarddevice", oUnsupported },
217 { "clearallforwardings", oClearAllForwardings },
218 { "enablesshkeysign", oEnableSSHKeysign },
219 { "verifyhostkeydns", oVerifyHostKeyDNS },
220 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
221 { "rekeylimit", oRekeyLimit },
222 { "connecttimeout", oConnectTimeout },
223 { "addressfamily", oAddressFamily },
224 { "serveraliveinterval", oServerAliveInterval },
225 { "serveralivecountmax", oServerAliveCountMax },
226 { "sendenv", oSendEnv },
227 { "controlpath", oControlPath },
228 { "controlmaster", oControlMaster },
229 { "hashknownhosts", oHashKnownHosts },
230 { "tunnel", oTunnel },
231 { "tunneldevice", oTunnelDevice },
232 { "localcommand", oLocalCommand },
233 { "permitlocalcommand", oPermitLocalCommand },
234 { "visualhostkey", oVisualHostKey },
235 { "useroaming", oUseRoaming },
237 { "zeroknowledgepasswordauthentication",
238 oZeroKnowledgePasswordAuthentication },
240 { "zeroknowledgepasswordauthentication", oUnsupported },
243 { "versionaddendum", oVersionAddendum },
248 * Adds a local TCP/IP port forward to options. Never returns if there is an
253 add_local_forward(Options *options, const Forward *newfwd)
256 #ifndef NO_IPPORT_RESERVED_CONCEPT
/* The uid compared below is, by its name, the real uid saved elsewhere
 * rather than the effective one, so a set-uid ssh does not let an
 * unprivileged user request a privileged listen port. */
257 extern uid_t original_real_uid;
260 size_t len_ipport_reserved = sizeof(ipport_reserved);
/* Honour a reserved-port boundary raised by the kernel; fall back to the
 * compile-time IPPORT_RESERVED when the sysctl is unavailable (the branch
 * for platforms without this concept is on lines not shown). */
262 if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
263 &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
264 ipport_reserved = IPPORT_RESERVED;
268 ipport_reserved = IPPORT_RESERVED;
270 if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
271 fatal("Privileged ports can only be forwarded by root.");
/* Bounds check before indexing the fixed-size local_forwards array. */
273 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
274 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
275 fwd = &options->local_forwards[options->num_local_forwards++];
/* Shallow copy: the host strings are not duplicated, so ownership of
 * newfwd's listen_host/connect_host passes to options; clear_forwardings
 * is what frees them. */
277 fwd->listen_host = newfwd->listen_host;
278 fwd->listen_port = newfwd->listen_port;
279 fwd->connect_host = newfwd->connect_host;
280 fwd->connect_port = newfwd->connect_port;
284 * Adds a remote TCP/IP port forward to options. Never returns if there is
289 add_remote_forward(Options *options, const Forward *newfwd)
/* Unlike add_local_forward there is no privileged-port check here,
 * presumably because the listen side of a remote forward is bound by the
 * server rather than by this process. */
292 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
293 fatal("Too many remote forwards (max %d).",
294 SSH_MAX_FORWARDS_PER_DIRECTION);
295 fwd = &options->remote_forwards[options->num_remote_forwards++];
/* Shallow copy; ownership of the host strings passes to options (see
 * clear_forwardings). */
297 fwd->listen_host = newfwd->listen_host;
298 fwd->listen_port = newfwd->listen_port;
299 fwd->connect_host = newfwd->connect_host;
300 fwd->connect_port = newfwd->connect_port;
/* Frees every forward recorded so far and resets both counts. listen_host
 * may legitimately be NULL (parse_forward leaves it so for the forms without
 * a listen address) while connect_host is always allocated. Any requested
 * tunnel is dropped as well. */
304 clear_forwardings(Options *options)
308 for (i = 0; i < options->num_local_forwards; i++) {
309 if (options->local_forwards[i].listen_host != NULL)
310 xfree(options->local_forwards[i].listen_host);
311 xfree(options->local_forwards[i].connect_host);
313 options->num_local_forwards = 0;
314 for (i = 0; i < options->num_remote_forwards; i++) {
315 if (options->remote_forwards[i].listen_host != NULL)
316 xfree(options->remote_forwards[i].listen_host);
317 xfree(options->remote_forwards[i].connect_host);
319 options->num_remote_forwards = 0;
320 options->tun_open = SSH_TUNMODE_NO;
324 * Returns the number of the token pointed to by cp or oBadOption.
/* Linear, case-insensitive scan of the keywords table; the first match
 * wins. On no match the offending keyword is logged as a %s argument (never
 * as the format string itself); the oBadOption return is on a line not
 * shown. */
328 parse_token(const char *cp, const char *filename, int linenum)
332 for (i = 0; keywords[i].name; i++)
333 if (strcasecmp(cp, keywords[i].name) == 0)
334 return keywords[i].opcode;
336 error("%s: line %d: Bad configuration option: %s",
337 filename, linenum, cp);
342 * Processes a single option line as used in the configuration files. This
343 * only sets those values that have not already been set.
345 #define WHITESPACE " \t\r\n"
/*
 * Parses one configuration line. The third parameter (not shown) is the
 * `activep` flag driven by Host blocks: most options are stored only while
 * *activep is set and the field still holds its unset sentinel (-1 or NULL),
 * which is what gives the first-setting-wins rule from the file header.
 * Malformed arguments are fatal; unknown keywords are counted so the caller
 * can report them all at once.
 */
348 process_config_line(Options *options, const char *host,
349 char *line, const char *filename, int linenum,
352 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
353 int opcode, *intptr, value, value2, scale;
354 LogLevel *log_level_ptr;
355 long long orig, val64;
359 /* Strip trailing whitespace */
/* NOTE(review): when line is empty, strlen(line) - 1 wraps if len is
 * unsigned (its declaration is not shown) and line[len] is read out of
 * bounds. fgets never yields an empty string, but a NUL byte at the start
 * of a line in the file would make strlen() 0; testing strlen(line) == 0
 * first is safer. */
360 for (len = strlen(line) - 1; len > 0; len--) {
361 if (strchr(WHITESPACE, line[len]) == NULL)
367 /* Get the keyword. (Each line is supposed to begin with a keyword). */
368 if ((keyword = strdelim(&s)) == NULL)
370 /* Ignore leading whitespace. */
371 if (*keyword == '\0')
372 keyword = strdelim(&s);
/* Blank lines and '#' comments are skipped here. */
373 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
376 opcode = parse_token(keyword, filename, linenum);
380 /* don't panic, but count bad options */
383 case oConnectTimeout:
384 intptr = &options->connection_timeout;
387 if (!arg || *arg == '\0')
388 fatal("%s line %d: missing time value.",
390 if ((value = convtime(arg)) == -1)
391 fatal("%s line %d: invalid time value.",
393 if (*activep && *intptr == -1)
/* Shared yes/no parser; the intptr-only cases that follow presumably reach
 * it through a goto that is not shown. */
398 intptr = &options->forward_agent;
401 if (!arg || *arg == '\0')
402 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
403 value = 0; /* To avoid compiler warning... */
404 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
406 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
409 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
410 if (*activep && *intptr == -1)
415 intptr = &options->forward_x11;
418 case oForwardX11Trusted:
419 intptr = &options->forward_x11_trusted;
423 intptr = &options->gateway_ports;
426 case oExitOnForwardFailure:
427 intptr = &options->exit_on_forward_failure;
430 case oUsePrivilegedPort:
431 intptr = &options->use_privileged_port;
434 case oPasswordAuthentication:
435 intptr = &options->password_authentication;
438 case oZeroKnowledgePasswordAuthentication:
439 intptr = &options->zero_knowledge_password_authentication;
442 case oKbdInteractiveAuthentication:
443 intptr = &options->kbd_interactive_authentication;
446 case oKbdInteractiveDevices:
447 charptr = &options->kbd_interactive_devices;
450 case oPubkeyAuthentication:
451 intptr = &options->pubkey_authentication;
454 case oRSAAuthentication:
455 intptr = &options->rsa_authentication;
458 case oRhostsRSAAuthentication:
459 intptr = &options->rhosts_rsa_authentication;
462 case oHostbasedAuthentication:
463 intptr = &options->hostbased_authentication;
466 case oChallengeResponseAuthentication:
467 intptr = &options->challenge_response_authentication;
470 case oGssAuthentication:
471 intptr = &options->gss_authentication;
474 case oGssDelegateCreds:
475 intptr = &options->gss_deleg_creds;
479 intptr = &options->batch_mode;
483 intptr = &options->check_host_ip;
486 case oVerifyHostKeyDNS:
487 intptr = &options->verify_host_key_dns;
490 case oStrictHostKeyChecking:
491 intptr = &options->strict_host_key_checking;
/* Three-way yes/no/ask; the value assigned for "ask" is on a line not
 * shown (fill_default_options uses 2 as the default for this field). */
494 if (!arg || *arg == '\0')
495 fatal("%.200s line %d: Missing yes/no/ask argument.",
497 value = 0; /* To avoid compiler warning... */
498 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
500 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
502 else if (strcmp(arg, "ask") == 0)
505 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
506 if (*activep && *intptr == -1)
511 intptr = &options->compression;
515 intptr = &options->tcp_keep_alive;
518 case oNoHostAuthenticationForLocalhost:
519 intptr = &options->no_host_authentication_for_localhost;
522 case oNumberOfPasswordPrompts:
523 intptr = &options->number_of_password_prompts;
526 case oCompressionLevel:
527 intptr = &options->compression_level;
/* RekeyLimit: decimal count with an optional K/M/G suffix (suffix cases not
 * shown). Dividing back by scale detects 64-bit wrap of the multiply, and
 * the UINT_MAX bound keeps the u_int32_t cast below lossless.
 * NOTE(review): toupper() is handed a plain char; cast it to (unsigned char)
 * so a byte above 0x7f does not invoke undefined behaviour. */
532 if (!arg || *arg == '\0')
533 fatal("%.200s line %d: Missing argument.", filename, linenum);
534 if (arg[0] < '0' || arg[0] > '9')
535 fatal("%.200s line %d: Bad number.", filename, linenum);
536 orig = val64 = strtoll(arg, &endofnumber, 10);
537 if (arg == endofnumber)
538 fatal("%.200s line %d: Bad number.", filename, linenum);
539 switch (toupper(*endofnumber)) {
553 fatal("%.200s line %d: Invalid RekeyLimit suffix",
557 /* detect integer wrap and too-large limits */
558 if ((val64 / scale) != orig || val64 > UINT_MAX)
559 fatal("%.200s line %d: RekeyLimit too large",
562 fatal("%.200s line %d: RekeyLimit too small",
564 if (*activep && options->rekey_limit == -1)
565 options->rekey_limit = (u_int32_t)val64;
/* IdentityFile accumulates, bounded by SSH_MAX_IDENTITY_FILES, instead of
 * first-setting-wins; whether the append is gated on *activep is not
 * visible here. Each name is xstrdup'd, so options owns the strings. */
570 if (!arg || *arg == '\0')
571 fatal("%.200s line %d: Missing argument.", filename, linenum);
573 intptr = &options->num_identity_files;
574 if (*intptr >= SSH_MAX_IDENTITY_FILES)
575 fatal("%.200s line %d: Too many identity files specified (max %d).",
576 filename, linenum, SSH_MAX_IDENTITY_FILES);
577 charptr = &options->identity_files[*intptr];
578 *charptr = xstrdup(arg);
579 *intptr = *intptr + 1;
584 charptr=&options->xauth_location;
588 charptr = &options->user;
/* Shared single-word string parser: stored only while the field is NULL. */
591 if (!arg || *arg == '\0')
592 fatal("%.200s line %d: Missing argument.", filename, linenum);
593 if (*activep && *charptr == NULL)
594 *charptr = xstrdup(arg);
597 case oGlobalKnownHostsFile:
598 charptr = &options->system_hostfile;
601 case oUserKnownHostsFile:
602 charptr = &options->user_hostfile;
605 case oGlobalKnownHostsFile2:
606 charptr = &options->system_hostfile2;
609 case oUserKnownHostsFile2:
610 charptr = &options->user_hostfile2;
614 charptr = &options->hostname;
618 charptr = &options->host_key_alias;
621 case oPreferredAuthentications:
622 charptr = &options->preferred_authentications;
626 charptr = &options->bind_address;
629 case oSmartcardDevice:
630 charptr = &options->smartcard_device;
/* ProxyCommand keeps the rest of the line verbatim (only leading blanks and
 * '=' are skipped) because the command may itself contain spaces. Since,
 * by its name, this string is presumably executed later, the ownership and
 * permission check in read_config_file is what keeps another local user
 * from planting it. */
634 charptr = &options->proxy_command;
637 fatal("%.200s line %d: Missing argument.", filename, linenum);
638 len = strspn(s, WHITESPACE "=");
639 if (*activep && *charptr == NULL)
640 *charptr = xstrdup(s + len);
/* Shared integer parser. strtol with base 0 accepts decimal, 0x-hex and
 * leading-0 octal; a leading digit is required, so negatives are refused,
 * but no upper bound is applied here (e.g. a Port above 65535 passes this
 * stage). */
644 intptr = &options->port;
647 if (!arg || *arg == '\0')
648 fatal("%.200s line %d: Missing argument.", filename, linenum);
649 if (arg[0] < '0' || arg[0] > '9')
650 fatal("%.200s line %d: Bad number.", filename, linenum);
652 /* Octal, decimal, or hex format? */
653 value = strtol(arg, &endofnumber, 0);
654 if (arg == endofnumber)
655 fatal("%.200s line %d: Bad number.", filename, linenum);
656 if (*activep && *intptr == -1)
660 case oConnectionAttempts:
661 intptr = &options->connection_attempts;
665 intptr = &options->cipher;
667 if (!arg || *arg == '\0')
668 fatal("%.200s line %d: Missing argument.", filename, linenum);
669 value = cipher_number(arg);
671 fatal("%.200s line %d: Bad cipher '%s'.",
672 filename, linenum, arg ? arg : "<NONE>");
673 if (*activep && *intptr == -1)
/* Algorithm lists (Ciphers, MACs, HostKeyAlgorithms) are validated against
 * the built-in tables before being stored. */
679 if (!arg || *arg == '\0')
680 fatal("%.200s line %d: Missing argument.", filename, linenum);
681 if (!ciphers_valid(arg))
682 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
683 filename, linenum, arg ? arg : "<NONE>");
684 if (*activep && options->ciphers == NULL)
685 options->ciphers = xstrdup(arg);
690 if (!arg || *arg == '\0')
691 fatal("%.200s line %d: Missing argument.", filename, linenum);
693 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
694 filename, linenum, arg ? arg : "<NONE>");
695 if (*activep && options->macs == NULL)
696 options->macs = xstrdup(arg);
699 case oHostKeyAlgorithms:
701 if (!arg || *arg == '\0')
702 fatal("%.200s line %d: Missing argument.", filename, linenum);
703 if (!key_names_valid2(arg))
704 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
705 filename, linenum, arg ? arg : "<NONE>");
706 if (*activep && options->hostkeyalgorithms == NULL)
707 options->hostkeyalgorithms = xstrdup(arg);
711 intptr = &options->protocol;
713 if (!arg || *arg == '\0')
714 fatal("%.200s line %d: Missing argument.", filename, linenum);
715 value = proto_spec(arg);
716 if (value == SSH_PROTO_UNKNOWN)
717 fatal("%.200s line %d: Bad protocol spec '%s'.",
718 filename, linenum, arg ? arg : "<NONE>");
719 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
724 log_level_ptr = &options->log_level;
726 value = log_level_number(arg);
727 if (value == SYSLOG_LEVEL_NOT_SET)
728 fatal("%.200s line %d: unsupported log level '%s'",
729 filename, linenum, arg ? arg : "<NONE>");
730 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
731 *log_level_ptr = (LogLevel) value;
/* Port forwards. Local/Remote take two tokens that are re-joined with ':'
 * into the 256-byte fwdarg; snprintf truncates silently, so an over-long
 * spec is rejected only if its truncated form fails parse_forward. The
 * add_*_forward calls below take over the strings parse_forward
 * allocated. */
736 case oDynamicForward:
738 if (arg == NULL || *arg == '\0')
739 fatal("%.200s line %d: Missing port argument.",
742 if (opcode == oLocalForward ||
743 opcode == oRemoteForward) {
745 if (arg2 == NULL || *arg2 == '\0')
746 fatal("%.200s line %d: Missing target argument.",
749 /* construct a string for parse_forward */
750 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
751 } else if (opcode == oDynamicForward) {
752 strlcpy(fwdarg, arg, sizeof(fwdarg));
755 if (parse_forward(&fwd, fwdarg,
756 opcode == oDynamicForward ? 1 : 0,
757 opcode == oRemoteForward ? 1 : 0) == 0)
758 fatal("%.200s line %d: Bad forwarding specification.",
762 if (opcode == oLocalForward ||
763 opcode == oDynamicForward)
764 add_local_forward(options, &fwd);
765 else if (opcode == oRemoteForward)
766 add_remote_forward(options, &fwd);
770 case oClearAllForwardings:
771 intptr = &options->clear_forwardings;
/* Host: every remaining token is a pattern; *activep is raised (assignment
 * not shown) when one matches the host being connected to. */
776 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
777 if (match_pattern(host, arg)) {
778 debug("Applying options for %.100s", arg);
782 /* Avoid garbage check below, as strdelim is done. */
/* NOTE(review): arg[2] is tested before arg[1] is known to be non-NUL, so
 * the argument "^" on its own peeks one byte past its terminator (inside
 * the caller's line buffer in practice). Testing arg[1] != '\0' first, or
 * strlen(arg) == 2, avoids the read. */
786 intptr = &options->escape_char;
788 if (!arg || *arg == '\0')
789 fatal("%.200s line %d: Missing argument.", filename, linenum);
790 if (arg[0] == '^' && arg[2] == 0 &&
791 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
792 value = (u_char) arg[1] & 31;
793 else if (strlen(arg) == 1)
794 value = (u_char) arg[0];
795 else if (strcmp(arg, "none") == 0)
796 value = SSH_ESCAPECHAR_NONE;
798 fatal("%.200s line %d: Bad escape character.",
801 value = 0; /* Avoid compiler warning. */
803 if (*activep && *intptr == -1)
809 if (!arg || *arg == '\0')
810 fatal("%s line %d: missing address family.",
812 intptr = &options->address_family;
813 if (strcasecmp(arg, "inet") == 0)
815 else if (strcasecmp(arg, "inet6") == 0)
817 else if (strcasecmp(arg, "any") == 0)
820 fatal("Unsupported AddressFamily \"%s\"", arg);
821 if (*activep && *intptr == -1)
825 case oEnableSSHKeysign:
826 intptr = &options->enable_ssh_keysign;
829 case oIdentitiesOnly:
830 intptr = &options->identities_only;
833 case oServerAliveInterval:
834 intptr = &options->server_alive_interval;
837 case oServerAliveCountMax:
838 intptr = &options->server_alive_count_max;
/* SendEnv: names containing '=' are refused (presumably so an entry cannot
 * carry a value), and the list is bounded by MAX_SEND_ENV. */
842 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
843 if (strchr(arg, '=') != NULL)
844 fatal("%s line %d: Invalid environment name.",
848 if (options->num_send_env >= MAX_SEND_ENV)
849 fatal("%s line %d: too many send env.",
851 options->send_env[options->num_send_env++] =
857 charptr = &options->control_path;
861 intptr = &options->control_master;
863 if (!arg || *arg == '\0')
864 fatal("%.200s line %d: Missing ControlMaster argument.",
866 value = 0; /* To avoid compiler warning... */
867 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
868 value = SSHCTL_MASTER_YES;
869 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
870 value = SSHCTL_MASTER_NO;
871 else if (strcmp(arg, "auto") == 0)
872 value = SSHCTL_MASTER_AUTO;
873 else if (strcmp(arg, "ask") == 0)
874 value = SSHCTL_MASTER_ASK;
875 else if (strcmp(arg, "autoask") == 0)
876 value = SSHCTL_MASTER_AUTO_ASK;
878 fatal("%.200s line %d: Bad ControlMaster argument.",
880 if (*activep && *intptr == -1)
884 case oHashKnownHosts:
885 intptr = &options->hash_known_hosts;
889 intptr = &options->tun_open;
891 if (!arg || *arg == '\0')
892 fatal("%s line %d: Missing yes/point-to-point/"
893 "ethernet/no argument.", filename, linenum);
894 value = 0; /* silence compiler */
895 if (strcasecmp(arg, "ethernet") == 0)
896 value = SSH_TUNMODE_ETHERNET;
897 else if (strcasecmp(arg, "point-to-point") == 0)
898 value = SSH_TUNMODE_POINTOPOINT;
899 else if (strcasecmp(arg, "yes") == 0)
900 value = SSH_TUNMODE_DEFAULT;
901 else if (strcasecmp(arg, "no") == 0)
902 value = SSH_TUNMODE_NO;
904 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
905 "no argument: %s", filename, linenum, arg);
/* TunnelDevice: a2tun (not shown) returns one id and yields a second
 * through value2; whether these two stores are gated on *activep is not
 * visible here. */
912 if (!arg || *arg == '\0')
913 fatal("%.200s line %d: Missing argument.", filename, linenum);
914 value = a2tun(arg, &value2);
915 if (value == SSH_TUNID_ERR)
916 fatal("%.200s line %d: Bad tun device.", filename, linenum);
918 options->tun_local = value;
919 options->tun_remote = value2;
924 charptr = &options->local_command;
927 case oPermitLocalCommand:
928 intptr = &options->permit_local_command;
932 intptr = &options->visual_host_key;
936 intptr = &options->use_roaming;
939 case oVersionAddendum:
/* NOTE(review): strtok keeps static state and is not reentrant; and if
 * nothing follows the keyword, s may already be NULL here (depends on
 * strdelim), in which case strtok(NULL, ...) continues from unrelated
 * saved state. Using the remainder of s directly, as ProxyCommand does,
 * avoids both. */
940 ssh_version_set_addendum(strtok(s, "\n"));
943 } while (arg != NULL && *arg != '\0');
/* Deprecated keywords are tolerated with a debug message; unsupported ones
 * log an error. Anything else reaching default is a programming error. */
947 debug("%s line %d: Deprecated option \"%s\"",
948 filename, linenum, keyword);
952 error("%s line %d: Unsupported option \"%s\"",
953 filename, linenum, keyword);
957 fatal("process_config_line: Unimplemented opcode %d", opcode);
960 /* Check that there is no garbage at end of line. */
/* Any token left over after the option's own arguments is fatal. */
961 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
962 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
963 filename, linenum, arg);
970 * Reads the config file and modifies the options accordingly. Options
971 * should already be initialized before this call. This never returns if
972 * there is an error. If the file does not exist, this returns 0.
/*
 * Reads one client config file line by line. The owner/mode check (gated on
 * a parameter that is not shown) uses fstat() on the stream already opened,
 * so the file inspected is the one actually read; it requires the file to
 * be owned by root or the current real user and to carry no group/other
 * write bit. Options such as ProxyCommand and LocalCommand name commands,
 * so a file another local user could edit would presumably let them run
 * commands as this user - hence the refusal. Only the file, not its
 * directory, is checked. Unknown keywords are tallied and reported together
 * once the whole file has been read.
 */
976 read_config_file(const char *filename, const char *host, Options *options,
/* A file that cannot be opened is not an error (the return is not shown);
 * note this treats every fopen() failure, not only a missing file, alike. */
984 if ((f = fopen(filename, "r")) == NULL)
990 if (fstat(fileno(f), &sb) == -1)
991 fatal("fstat %s: %s", filename, strerror(errno));
992 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
993 (sb.st_mode & 022) != 0))
994 fatal("Bad owner or permissions on %s", filename);
997 debug("Reading configuration data %.200s", filename);
1000 * Mark that we are now processing the options. This flag is turned
1001 * on/off by Host specifications.
/* fgets splits a line longer than the buffer, so its tail would be parsed
 * as a separate line; no check for a missing trailing newline is visible. */
1005 while (fgets(line, sizeof(line), f)) {
1006 /* Update line number counter. */
1008 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
1012 if (bad_options > 0)
1013 fatal("%s: terminating, %d bad configuration options",
1014 filename, bad_options);
1019 * Initializes options to special values that indicate that they have not yet
1020 * been set. Read_config_file will only set options with this value. Options
1021 * are processed in the following order: command line, user config file,
1022 * system config file. Last, fill_default_options is called.
/* Every field gets an explicit "unset" sentinel (-1 for ints, NULL for
 * strings, 0 for counts) that process_config_line tests before storing a
 * value and fill_default_options replaces afterwards. The 'X' fill first is
 * presumably so that a field missing from both lists shows up as garbage
 * rather than as a silent zero. */
1026 initialize_options(Options * options)
1028 memset(options, 'X', sizeof(*options));
1029 options->forward_agent = -1;
1030 options->forward_x11 = -1;
1031 options->forward_x11_trusted = -1;
1032 options->exit_on_forward_failure = -1;
1033 options->xauth_location = NULL;
1034 options->gateway_ports = -1;
1035 options->use_privileged_port = -1;
1036 options->rsa_authentication = -1;
1037 options->pubkey_authentication = -1;
1038 options->challenge_response_authentication = -1;
1039 options->gss_authentication = -1;
1040 options->gss_deleg_creds = -1;
1041 options->password_authentication = -1;
1042 options->kbd_interactive_authentication = -1;
1043 options->kbd_interactive_devices = NULL;
1044 options->rhosts_rsa_authentication = -1;
1045 options->hostbased_authentication = -1;
1046 options->batch_mode = -1;
1047 options->check_host_ip = -1;
1048 options->strict_host_key_checking = -1;
1049 options->compression = -1;
1050 options->tcp_keep_alive = -1;
1051 options->compression_level = -1;
1053 options->address_family = -1;
1054 options->connection_attempts = -1;
1055 options->connection_timeout = -1;
1056 options->number_of_password_prompts = -1;
1057 options->cipher = -1;
1058 options->ciphers = NULL;
1059 options->macs = NULL;
1060 options->hostkeyalgorithms = NULL;
1061 options->protocol = SSH_PROTO_UNKNOWN;
1062 options->num_identity_files = 0;
1063 options->hostname = NULL;
1064 options->host_key_alias = NULL;
1065 options->proxy_command = NULL;
1066 options->user = NULL;
1067 options->escape_char = -1;
1068 options->system_hostfile = NULL;
1069 options->user_hostfile = NULL;
1070 options->system_hostfile2 = NULL;
1071 options->user_hostfile2 = NULL;
1072 options->num_local_forwards = 0;
1073 options->num_remote_forwards = 0;
1074 options->clear_forwardings = -1;
1075 options->log_level = SYSLOG_LEVEL_NOT_SET;
1076 options->preferred_authentications = NULL;
1077 options->bind_address = NULL;
1078 options->smartcard_device = NULL;
1079 options->enable_ssh_keysign = - 1;
1080 options->no_host_authentication_for_localhost = - 1;
1081 options->identities_only = - 1;
1082 options->rekey_limit = - 1;
1083 options->verify_host_key_dns = -1;
1084 options->server_alive_interval = -1;
1085 options->server_alive_count_max = -1;
1086 options->num_send_env = 0;
1087 options->control_path = NULL;
1088 options->control_master = -1;
1089 options->hash_known_hosts = -1;
1090 options->tun_open = -1;
1091 options->tun_local = -1;
1092 options->tun_remote = -1;
1093 options->local_command = NULL;
1094 options->permit_local_command = -1;
1095 options->use_roaming = -1;
1096 options->visual_host_key = -1;
1097 options->zero_knowledge_password_authentication = -1;
1101 * Called after processing other sources of option data, this fills those
1102 * options for which no value has been specified with their default values.
/* Replaces each remaining "unset" sentinel with the built-in default. Worth
 * noting for a security review of this version: protocol-1 RSA
 * authentication, both protocol versions, TCP keepalives and roaming are on
 * by default; host-based, rhosts-RSA and GSSAPI authentication are off; and
 * StrictHostKeyChecking defaults to 2 rather than a plain yes/no. */
1106 fill_default_options(Options * options)
1110 if (options->forward_agent == -1)
1111 options->forward_agent = 0;
1112 if (options->forward_x11 == -1)
1113 options->forward_x11 = 0;
1114 if (options->forward_x11_trusted == -1)
1115 options->forward_x11_trusted = 0;
1116 if (options->exit_on_forward_failure == -1)
1117 options->exit_on_forward_failure = 0;
1118 if (options->xauth_location == NULL)
1119 options->xauth_location = _PATH_XAUTH;
1120 if (options->gateway_ports == -1)
1121 options->gateway_ports = 0;
1122 if (options->use_privileged_port == -1)
1123 options->use_privileged_port = 0;
1124 if (options->rsa_authentication == -1)
1125 options->rsa_authentication = 1;
1126 if (options->pubkey_authentication == -1)
1127 options->pubkey_authentication = 1;
1128 if (options->challenge_response_authentication == -1)
1129 options->challenge_response_authentication = 1;
1130 if (options->gss_authentication == -1)
1131 options->gss_authentication = 0;
1132 if (options->gss_deleg_creds == -1)
1133 options->gss_deleg_creds = 0;
1134 if (options->password_authentication == -1)
1135 options->password_authentication = 1;
1136 if (options->kbd_interactive_authentication == -1)
1137 options->kbd_interactive_authentication = 1;
1138 if (options->rhosts_rsa_authentication == -1)
1139 options->rhosts_rsa_authentication = 0;
1140 if (options->hostbased_authentication == -1)
1141 options->hostbased_authentication = 0;
1142 if (options->batch_mode == -1)
1143 options->batch_mode = 0;
1144 if (options->check_host_ip == -1)
1145 options->check_host_ip = 0;
1146 if (options->strict_host_key_checking == -1)
1147 options->strict_host_key_checking = 2; /* 2 is default */
1148 if (options->compression == -1)
1149 options->compression = 0;
1150 if (options->tcp_keep_alive == -1)
1151 options->tcp_keep_alive = 1;
1152 if (options->compression_level == -1)
1153 options->compression_level = 6;
1154 if (options->port == -1)
1155 options->port = 0; /* Filled in ssh_connect. */
1156 if (options->address_family == -1)
1157 options->address_family = AF_UNSPEC;
1158 if (options->connection_attempts == -1)
1159 options->connection_attempts = 1;
1160 if (options->number_of_password_prompts == -1)
1161 options->number_of_password_prompts = 3;
1162 /* Selected in ssh_login(). */
1163 if (options->cipher == -1)
1164 options->cipher = SSH_CIPHER_NOT_SET;
1165 /* options->ciphers, default set in myproposals.h */
1166 /* options->macs, default set in myproposals.h */
1167 /* options->hostkeyalgorithms, default set in myproposals.h */
/* Both protocol versions are offered when none was configured. */
1168 if (options->protocol == SSH_PROTO_UNKNOWN)
1169 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
/* Default identities when none were configured: len covers "~/" + name +
 * NUL, and the allocation between each assignment and its snprintf is on a
 * line not shown. The %.100s precision bounds the copied name, so a _PATH_
 * value longer than that is truncated rather than overflowing. */
1170 if (options->num_identity_files == 0) {
1171 if (options->protocol & SSH_PROTO_1) {
1172 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1173 options->identity_files[options->num_identity_files] =
1175 snprintf(options->identity_files[options->num_identity_files++],
1176 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1178 if (options->protocol & SSH_PROTO_2) {
1179 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1180 options->identity_files[options->num_identity_files] =
1182 snprintf(options->identity_files[options->num_identity_files++],
1183 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1185 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1186 options->identity_files[options->num_identity_files] =
1188 snprintf(options->identity_files[options->num_identity_files++],
1189 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1192 if (options->escape_char == -1)
1193 options->escape_char = '~';
1194 if (options->system_hostfile == NULL)
1195 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1196 if (options->user_hostfile == NULL)
1197 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1198 if (options->system_hostfile2 == NULL)
1199 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1200 if (options->user_hostfile2 == NULL)
1201 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1202 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1203 options->log_level = SYSLOG_LEVEL_INFO;
/* ClearAllForwardings acts here, after every source has been read, so it
 * discards all forwards collected from any of them. */
1204 if (options->clear_forwardings == 1)
1205 clear_forwardings(options);
1206 if (options->no_host_authentication_for_localhost == - 1)
1207 options->no_host_authentication_for_localhost = 0;
1208 if (options->identities_only == -1)
1209 options->identities_only = 0;
1210 if (options->enable_ssh_keysign == -1)
1211 options->enable_ssh_keysign = 0;
1212 if (options->rekey_limit == -1)
1213 options->rekey_limit = 0;
1214 if (options->verify_host_key_dns == -1)
1215 options->verify_host_key_dns = 0;
1216 if (options->server_alive_interval == -1)
1217 options->server_alive_interval = 0;
1218 if (options->server_alive_count_max == -1)
1219 options->server_alive_count_max = 3;
1220 if (options->control_master == -1)
1221 options->control_master = 0;
1222 if (options->hash_known_hosts == -1)
1223 options->hash_known_hosts = 0;
1224 if (options->tun_open == -1)
1225 options->tun_open = SSH_TUNMODE_NO;
1226 if (options->tun_local == -1)
1227 options->tun_local = SSH_TUNID_ANY;
1228 if (options->tun_remote == -1)
1229 options->tun_remote = SSH_TUNID_ANY;
1230 if (options->permit_local_command == -1)
1231 options->permit_local_command = 0;
/* NOTE(review): roaming is on by default. This experimental client-side
 * feature was subsequently removed upstream; confirm the default is wanted
 * in this tree. */
1232 if (options->use_roaming == -1)
1233 options->use_roaming = 1;
1234 if (options->visual_host_key == -1)
1235 options->visual_host_key = 0;
1236 if (options->zero_knowledge_password_authentication == -1)
1237 options->zero_knowledge_password_authentication = 0;
1238 /* options->local_command should not be set by default */
1239 /* options->proxy_command should not be set by default */
1240 /* options->user will be set in the main program if appropriate */
1241 /* options->hostname will be set in the main program if appropriate */
1242 /* options->host_key_alias should not be set by default */
1243 /* options->preferred_authentications will be set in ssh */
1248 * Parses a string containing a port forwarding specification of the form:
1250 * [listenhost:]listenport:connecthost:connectport
1252 * [listenhost:]listenport
1253 * Returns the number of arguments parsed, or zero on error.
1256 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1259 char *p, *cp, *fwdarg[4];
1261 memset(fwd, '\0', sizeof(*fwd));
1263 cp = p = xstrdup(fwdspec);
1265 /* skip leading spaces */
1266 while (isspace(*cp))
1269 for (i = 0; i < 4; ++i)
1270 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1273 /* Check for trailing garbage */
1275 i = 0; /* failure */
1279 fwd->listen_host = NULL;
1280 fwd->listen_port = a2port(fwdarg[0]);
1281 fwd->connect_host = xstrdup("socks");
1285 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1286 fwd->listen_port = a2port(fwdarg[1]);
1287 fwd->connect_host = xstrdup("socks");
1291 fwd->listen_host = NULL;
1292 fwd->listen_port = a2port(fwdarg[0]);
1293 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1294 fwd->connect_port = a2port(fwdarg[2]);
1298 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1299 fwd->listen_port = a2port(fwdarg[1]);
1300 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1301 fwd->connect_port = a2port(fwdarg[3]);
1304 i = 0; /* failure */
1310 if (!(i == 1 || i == 2))
1313 if (!(i == 3 || i == 4))
1315 if (fwd->connect_port <= 0)
1319 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
1322 if (fwd->connect_host != NULL &&
1323 strlen(fwd->connect_host) >= NI_MAXHOST)
1325 if (fwd->listen_host != NULL &&
1326 strlen(fwd->listen_host) >= NI_MAXHOST)
1333 if (fwd->connect_host != NULL) {
1334 xfree(fwd->connect_host);
1335 fwd->connect_host = NULL;
1337 if (fwd->listen_host != NULL) {
1338 xfree(fwd->listen_host);
1339 fwd->listen_host = NULL;