1 /* $OpenBSD: readconf.c,v 1.193 2011/05/24 07:15:47 djm Exp $ */
4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * Functions for reading the configuration files.
9 * As far as I am concerned, the code I have written for this software
10 * can be used freely for any purpose. Any derived versions of this
11 * software must be clearly marked as such, and if the derived work is
12 * incompatible with the protocol description in the RFC file, it must be
13 * called by a name other than "ssh" or "Secure Shell".
19 #include <sys/types.h>
21 #include <sys/socket.h>
22 #include <sys/sysctl.h>
24 #include <netinet/in.h>
25 #include <netinet/in_systm.h>
26 #include <netinet/ip.h>
41 #include "pathnames.h"
52 /* Format of the configuration file:
54 # Configuration data is parsed as follows:
55 # 1. command line options
56 # 2. user-specific file
58 # Any configuration value is only changed the first time it is set.
59 # Thus, host-specific definitions should be at the beginning of the
60 # configuration file, and defaults at the end.
62 # Host-specific declarations. These may override anything above. A single
63 # host may match multiple declarations; these are processed in the order
64 # in which they are given.
70 HostName another.host.name.real.org
77 RemoteForward 9999 shadows.cs.hut.fi:9999
83 PasswordAuthentication no
87 ProxyCommand ssh-proxy %h %p
90 PublicKeyAuthentication no
94 PasswordAuthentication no
100 # Defaults for various options
104 PasswordAuthentication yes
105 RSAAuthentication yes
106 RhostsRSAAuthentication yes
107 StrictHostKeyChecking yes
109 IdentityFile ~/.ssh/identity
115 /* Keyword tokens. */
119 oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
120 oGatewayPorts, oExitOnForwardFailure,
121 oPasswordAuthentication, oRSAAuthentication,
122 oChallengeResponseAuthentication, oXAuthLocation,
123 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
124 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
125 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
126 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
127 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
128 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
129 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
130 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
131 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
132 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
133 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
134 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
135 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
136 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
137 oSendEnv, oControlPath, oControlMaster, oControlPersist,
139 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
140 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
141 oKexAlgorithms, oIPQoS, oRequestTTY,
142 oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
143 #ifdef NONE_CIPHER_ENABLED
144 oNoneEnabled, oNoneSwitch,
147 oDeprecated, oUnsupported
150 /* Textual representations of the tokens. */
156 { "forwardagent", oForwardAgent },
157 { "forwardx11", oForwardX11 },
158 { "forwardx11trusted", oForwardX11Trusted },
159 { "forwardx11timeout", oForwardX11Timeout },
160 { "exitonforwardfailure", oExitOnForwardFailure },
161 { "xauthlocation", oXAuthLocation },
162 { "gatewayports", oGatewayPorts },
163 { "useprivilegedport", oUsePrivilegedPort },
164 { "rhostsauthentication", oDeprecated },
165 { "passwordauthentication", oPasswordAuthentication },
166 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
167 { "kbdinteractivedevices", oKbdInteractiveDevices },
168 { "rsaauthentication", oRSAAuthentication },
169 { "pubkeyauthentication", oPubkeyAuthentication },
170 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
171 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
172 { "hostbasedauthentication", oHostbasedAuthentication },
173 { "challengeresponseauthentication", oChallengeResponseAuthentication },
174 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
175 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
176 { "kerberosauthentication", oUnsupported },
177 { "kerberostgtpassing", oUnsupported },
178 { "afstokenpassing", oUnsupported },
180 { "gssapiauthentication", oGssAuthentication },
181 { "gssapidelegatecredentials", oGssDelegateCreds },
183 { "gssapiauthentication", oUnsupported },
184 { "gssapidelegatecredentials", oUnsupported },
186 { "fallbacktorsh", oDeprecated },
187 { "usersh", oDeprecated },
188 { "identityfile", oIdentityFile },
189 { "identityfile2", oIdentityFile }, /* obsolete */
190 { "identitiesonly", oIdentitiesOnly },
191 { "hostname", oHostName },
192 { "hostkeyalias", oHostKeyAlias },
193 { "proxycommand", oProxyCommand },
195 { "cipher", oCipher },
196 { "ciphers", oCiphers },
198 { "protocol", oProtocol },
199 { "remoteforward", oRemoteForward },
200 { "localforward", oLocalForward },
203 { "escapechar", oEscapeChar },
204 { "globalknownhostsfile", oGlobalKnownHostsFile },
205 { "globalknownhostsfile2", oDeprecated },
206 { "userknownhostsfile", oUserKnownHostsFile },
207 { "userknownhostsfile2", oDeprecated },
208 { "connectionattempts", oConnectionAttempts },
209 { "batchmode", oBatchMode },
210 { "checkhostip", oCheckHostIP },
211 { "stricthostkeychecking", oStrictHostKeyChecking },
212 { "compression", oCompression },
213 { "compressionlevel", oCompressionLevel },
214 { "tcpkeepalive", oTCPKeepAlive },
215 { "keepalive", oTCPKeepAlive }, /* obsolete */
216 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
217 { "loglevel", oLogLevel },
218 { "dynamicforward", oDynamicForward },
219 { "preferredauthentications", oPreferredAuthentications },
220 { "hostkeyalgorithms", oHostKeyAlgorithms },
221 { "bindaddress", oBindAddress },
223 { "smartcarddevice", oPKCS11Provider },
224 { "pkcs11provider", oPKCS11Provider },
226 { "smartcarddevice", oUnsupported },
227 { "pkcs11provider", oUnsupported },
229 { "clearallforwardings", oClearAllForwardings },
230 { "enablesshkeysign", oEnableSSHKeysign },
231 { "verifyhostkeydns", oVerifyHostKeyDNS },
232 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
233 { "rekeylimit", oRekeyLimit },
234 { "connecttimeout", oConnectTimeout },
235 { "addressfamily", oAddressFamily },
236 { "serveraliveinterval", oServerAliveInterval },
237 { "serveralivecountmax", oServerAliveCountMax },
238 { "sendenv", oSendEnv },
239 { "controlpath", oControlPath },
240 { "controlmaster", oControlMaster },
241 { "controlpersist", oControlPersist },
242 { "hashknownhosts", oHashKnownHosts },
243 { "tunnel", oTunnel },
244 { "tunneldevice", oTunnelDevice },
245 { "localcommand", oLocalCommand },
246 { "permitlocalcommand", oPermitLocalCommand },
247 { "visualhostkey", oVisualHostKey },
248 { "useroaming", oUseRoaming },
250 { "zeroknowledgepasswordauthentication",
251 oZeroKnowledgePasswordAuthentication },
253 { "zeroknowledgepasswordauthentication", oUnsupported },
255 { "kexalgorithms", oKexAlgorithms },
257 { "requesttty", oRequestTTY },
258 { "hpndisabled", oHPNDisabled },
259 { "hpnbuffersize", oHPNBufferSize },
260 { "tcprcvbufpoll", oTcpRcvBufPoll },
261 { "tcprcvbuf", oTcpRcvBuf },
262 #ifdef NONE_CIPHER_ENABLED
263 { "noneenabled", oNoneEnabled },
264 { "noneswitch", oNoneSwitch },
266 { "versionaddendum", oVersionAddendum },
271 * Adds a local TCP/IP port forward to options. Never returns if there is an
276 add_local_forward(Options *options, const Forward *newfwd)
279 #ifndef NO_IPPORT_RESERVED_CONCEPT
280 extern uid_t original_real_uid;
283 size_t len_ipport_reserved = sizeof(ipport_reserved);
285 if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
286 &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
287 ipport_reserved = IPPORT_RESERVED;
291 ipport_reserved = IPPORT_RESERVED;
293 if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
294 fatal("Privileged ports can only be forwarded by root.");
296 options->local_forwards = xrealloc(options->local_forwards,
297 options->num_local_forwards + 1,
298 sizeof(*options->local_forwards));
299 fwd = &options->local_forwards[options->num_local_forwards++];
301 fwd->listen_host = newfwd->listen_host;
302 fwd->listen_port = newfwd->listen_port;
303 fwd->connect_host = newfwd->connect_host;
304 fwd->connect_port = newfwd->connect_port;
308 * Adds a remote TCP/IP port forward to options. Never returns if there is
313 add_remote_forward(Options *options, const Forward *newfwd)
317 options->remote_forwards = xrealloc(options->remote_forwards,
318 options->num_remote_forwards + 1,
319 sizeof(*options->remote_forwards));
320 fwd = &options->remote_forwards[options->num_remote_forwards++];
322 fwd->listen_host = newfwd->listen_host;
323 fwd->listen_port = newfwd->listen_port;
324 fwd->connect_host = newfwd->connect_host;
325 fwd->connect_port = newfwd->connect_port;
326 fwd->allocated_port = 0;
330 clear_forwardings(Options *options)
334 for (i = 0; i < options->num_local_forwards; i++) {
335 if (options->local_forwards[i].listen_host != NULL)
336 xfree(options->local_forwards[i].listen_host);
337 xfree(options->local_forwards[i].connect_host);
339 if (options->num_local_forwards > 0) {
340 xfree(options->local_forwards);
341 options->local_forwards = NULL;
343 options->num_local_forwards = 0;
344 for (i = 0; i < options->num_remote_forwards; i++) {
345 if (options->remote_forwards[i].listen_host != NULL)
346 xfree(options->remote_forwards[i].listen_host);
347 xfree(options->remote_forwards[i].connect_host);
349 if (options->num_remote_forwards > 0) {
350 xfree(options->remote_forwards);
351 options->remote_forwards = NULL;
353 options->num_remote_forwards = 0;
354 options->tun_open = SSH_TUNMODE_NO;
358 * Returns the opcode of the keyword pointed to by cp, or oBadOption if it is not a known keyword.
362 parse_token(const char *cp, const char *filename, int linenum)
366 for (i = 0; keywords[i].name; i++)
367 if (strcasecmp(cp, keywords[i].name) == 0)
368 return keywords[i].opcode;
370 error("%s: line %d: Bad configuration option: %s",
371 filename, linenum, cp);
376 * Processes a single option line as used in the configuration files. This
377 * only sets those values that have not already been set.
379 #define WHITESPACE " \t\r\n"
382 process_config_line(Options *options, const char *host,
383 char *line, const char *filename, int linenum,
386 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
387 char **cpptr, fwdarg[256];
388 u_int *uintptr, max_entries = 0;
389 int negated, opcode, *intptr, value, value2, scale;
390 LogLevel *log_level_ptr;
391 long long orig, val64;
395 /* Strip trailing whitespace */
396 for (len = strlen(line) - 1; len > 0; len--) {
397 if (strchr(WHITESPACE, line[len]) == NULL)
403 /* Get the keyword. (Each line is supposed to begin with a keyword). */
404 if ((keyword = strdelim(&s)) == NULL)
406 /* Ignore leading whitespace. */
407 if (*keyword == '\0')
408 keyword = strdelim(&s);
409 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
412 opcode = parse_token(keyword, filename, linenum);
416 /* don't panic, but count bad options */
419 case oConnectTimeout:
420 intptr = &options->connection_timeout;
423 if (!arg || *arg == '\0')
424 fatal("%s line %d: missing time value.",
426 if ((value = convtime(arg)) == -1)
427 fatal("%s line %d: invalid time value.",
429 if (*activep && *intptr == -1)
434 intptr = &options->forward_agent;
437 if (!arg || *arg == '\0')
438 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
439 value = 0; /* To avoid compiler warning... */
440 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
442 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
445 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
446 if (*activep && *intptr == -1)
451 intptr = &options->forward_x11;
454 case oForwardX11Trusted:
455 intptr = &options->forward_x11_trusted;
458 case oForwardX11Timeout:
459 intptr = &options->forward_x11_timeout;
463 intptr = &options->gateway_ports;
466 case oExitOnForwardFailure:
467 intptr = &options->exit_on_forward_failure;
470 case oUsePrivilegedPort:
471 intptr = &options->use_privileged_port;
474 case oPasswordAuthentication:
475 intptr = &options->password_authentication;
478 case oZeroKnowledgePasswordAuthentication:
479 intptr = &options->zero_knowledge_password_authentication;
482 case oKbdInteractiveAuthentication:
483 intptr = &options->kbd_interactive_authentication;
486 case oKbdInteractiveDevices:
487 charptr = &options->kbd_interactive_devices;
490 case oPubkeyAuthentication:
491 intptr = &options->pubkey_authentication;
494 case oRSAAuthentication:
495 intptr = &options->rsa_authentication;
498 case oRhostsRSAAuthentication:
499 intptr = &options->rhosts_rsa_authentication;
502 case oHostbasedAuthentication:
503 intptr = &options->hostbased_authentication;
506 case oChallengeResponseAuthentication:
507 intptr = &options->challenge_response_authentication;
510 case oGssAuthentication:
511 intptr = &options->gss_authentication;
514 case oGssDelegateCreds:
515 intptr = &options->gss_deleg_creds;
519 intptr = &options->batch_mode;
523 intptr = &options->check_host_ip;
526 case oVerifyHostKeyDNS:
527 intptr = &options->verify_host_key_dns;
530 case oStrictHostKeyChecking:
531 intptr = &options->strict_host_key_checking;
534 if (!arg || *arg == '\0')
535 fatal("%.200s line %d: Missing yes/no/ask argument.",
537 value = 0; /* To avoid compiler warning... */
538 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
540 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
542 else if (strcmp(arg, "ask") == 0)
545 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
546 if (*activep && *intptr == -1)
551 intptr = &options->compression;
555 intptr = &options->tcp_keep_alive;
558 case oNoHostAuthenticationForLocalhost:
559 intptr = &options->no_host_authentication_for_localhost;
562 case oNumberOfPasswordPrompts:
563 intptr = &options->number_of_password_prompts;
566 case oCompressionLevel:
567 intptr = &options->compression_level;
572 if (!arg || *arg == '\0')
573 fatal("%.200s line %d: Missing argument.", filename, linenum);
574 if (arg[0] < '0' || arg[0] > '9')
575 fatal("%.200s line %d: Bad number.", filename, linenum);
576 orig = val64 = strtoll(arg, &endofnumber, 10);
577 if (arg == endofnumber)
578 fatal("%.200s line %d: Bad number.", filename, linenum);
579 switch (toupper(*endofnumber)) {
593 fatal("%.200s line %d: Invalid RekeyLimit suffix",
597 /* detect integer wrap and too-large limits */
598 if ((val64 / scale) != orig || val64 > UINT_MAX)
599 fatal("%.200s line %d: RekeyLimit too large",
602 fatal("%.200s line %d: RekeyLimit too small",
604 if (*activep && options->rekey_limit == -1)
605 options->rekey_limit = (u_int32_t)val64;
610 if (!arg || *arg == '\0')
611 fatal("%.200s line %d: Missing argument.", filename, linenum);
613 intptr = &options->num_identity_files;
614 if (*intptr >= SSH_MAX_IDENTITY_FILES)
615 fatal("%.200s line %d: Too many identity files specified (max %d).",
616 filename, linenum, SSH_MAX_IDENTITY_FILES);
617 charptr = &options->identity_files[*intptr];
618 *charptr = xstrdup(arg);
619 *intptr = *intptr + 1;
624 charptr=&options->xauth_location;
628 charptr = &options->user;
631 if (!arg || *arg == '\0')
632 fatal("%.200s line %d: Missing argument.",
634 if (*activep && *charptr == NULL)
635 *charptr = xstrdup(arg);
638 case oGlobalKnownHostsFile:
639 cpptr = (char **)&options->system_hostfiles;
640 uintptr = &options->num_system_hostfiles;
641 max_entries = SSH_MAX_HOSTS_FILES;
643 if (*activep && *uintptr == 0) {
644 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
645 if ((*uintptr) >= max_entries)
647 "too many authorized keys files.",
649 cpptr[(*uintptr)++] = xstrdup(arg);
654 case oUserKnownHostsFile:
655 cpptr = (char **)&options->user_hostfiles;
656 uintptr = &options->num_user_hostfiles;
657 max_entries = SSH_MAX_HOSTS_FILES;
658 goto parse_char_array;
661 charptr = &options->hostname;
665 charptr = &options->host_key_alias;
668 case oPreferredAuthentications:
669 charptr = &options->preferred_authentications;
673 charptr = &options->bind_address;
676 case oPKCS11Provider:
677 charptr = &options->pkcs11_provider;
681 charptr = &options->proxy_command;
684 fatal("%.200s line %d: Missing argument.", filename, linenum);
685 len = strspn(s, WHITESPACE "=");
686 if (*activep && *charptr == NULL)
687 *charptr = xstrdup(s + len);
691 intptr = &options->port;
694 if (!arg || *arg == '\0')
695 fatal("%.200s line %d: Missing argument.", filename, linenum);
696 if (arg[0] < '0' || arg[0] > '9')
697 fatal("%.200s line %d: Bad number.", filename, linenum);
699 /* Octal, decimal, or hex format? */
700 value = strtol(arg, &endofnumber, 0);
701 if (arg == endofnumber)
702 fatal("%.200s line %d: Bad number.", filename, linenum);
703 if (*activep && *intptr == -1)
707 case oConnectionAttempts:
708 intptr = &options->connection_attempts;
712 intptr = &options->cipher;
714 if (!arg || *arg == '\0')
715 fatal("%.200s line %d: Missing argument.", filename, linenum);
716 value = cipher_number(arg);
718 fatal("%.200s line %d: Bad cipher '%s'.",
719 filename, linenum, arg ? arg : "<NONE>");
720 if (*activep && *intptr == -1)
726 if (!arg || *arg == '\0')
727 fatal("%.200s line %d: Missing argument.", filename, linenum);
728 if (!ciphers_valid(arg))
729 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
730 filename, linenum, arg ? arg : "<NONE>");
731 if (*activep && options->ciphers == NULL)
732 options->ciphers = xstrdup(arg);
737 if (!arg || *arg == '\0')
738 fatal("%.200s line %d: Missing argument.", filename, linenum);
740 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
741 filename, linenum, arg ? arg : "<NONE>");
742 if (*activep && options->macs == NULL)
743 options->macs = xstrdup(arg);
748 if (!arg || *arg == '\0')
749 fatal("%.200s line %d: Missing argument.",
751 if (!kex_names_valid(arg))
752 fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
753 filename, linenum, arg ? arg : "<NONE>");
754 if (*activep && options->kex_algorithms == NULL)
755 options->kex_algorithms = xstrdup(arg);
758 case oHostKeyAlgorithms:
760 if (!arg || *arg == '\0')
761 fatal("%.200s line %d: Missing argument.", filename, linenum);
762 if (!key_names_valid2(arg))
763 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
764 filename, linenum, arg ? arg : "<NONE>");
765 if (*activep && options->hostkeyalgorithms == NULL)
766 options->hostkeyalgorithms = xstrdup(arg);
770 intptr = &options->protocol;
772 if (!arg || *arg == '\0')
773 fatal("%.200s line %d: Missing argument.", filename, linenum);
774 value = proto_spec(arg);
775 if (value == SSH_PROTO_UNKNOWN)
776 fatal("%.200s line %d: Bad protocol spec '%s'.",
777 filename, linenum, arg ? arg : "<NONE>");
778 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
783 log_level_ptr = &options->log_level;
785 value = log_level_number(arg);
786 if (value == SYSLOG_LEVEL_NOT_SET)
787 fatal("%.200s line %d: unsupported log level '%s'",
788 filename, linenum, arg ? arg : "<NONE>");
789 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
790 *log_level_ptr = (LogLevel) value;
795 case oDynamicForward:
797 if (arg == NULL || *arg == '\0')
798 fatal("%.200s line %d: Missing port argument.",
801 if (opcode == oLocalForward ||
802 opcode == oRemoteForward) {
804 if (arg2 == NULL || *arg2 == '\0')
805 fatal("%.200s line %d: Missing target argument.",
808 /* construct a string for parse_forward */
809 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
810 } else if (opcode == oDynamicForward) {
811 strlcpy(fwdarg, arg, sizeof(fwdarg));
814 if (parse_forward(&fwd, fwdarg,
815 opcode == oDynamicForward ? 1 : 0,
816 opcode == oRemoteForward ? 1 : 0) == 0)
817 fatal("%.200s line %d: Bad forwarding specification.",
821 if (opcode == oLocalForward ||
822 opcode == oDynamicForward)
823 add_local_forward(options, &fwd);
824 else if (opcode == oRemoteForward)
825 add_remote_forward(options, &fwd);
829 case oClearAllForwardings:
830 intptr = &options->clear_forwardings;
836 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
837 negated = *arg == '!';
840 if (match_pattern(host, arg)) {
842 debug("%.200s line %d: Skipping Host "
843 "block because of negated match "
844 "for %.100s", filename, linenum,
850 arg2 = arg; /* logged below */
855 debug("%.200s line %d: Applying options for %.100s",
856 filename, linenum, arg2);
857 /* Skip the trailing-garbage check below; strdelim has already consumed the rest of the line. */
861 intptr = &options->escape_char;
863 if (!arg || *arg == '\0')
864 fatal("%.200s line %d: Missing argument.", filename, linenum);
865 if (arg[0] == '^' && arg[2] == 0 &&
866 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
867 value = (u_char) arg[1] & 31;
868 else if (strlen(arg) == 1)
869 value = (u_char) arg[0];
870 else if (strcmp(arg, "none") == 0)
871 value = SSH_ESCAPECHAR_NONE;
873 fatal("%.200s line %d: Bad escape character.",
876 value = 0; /* Avoid compiler warning. */
878 if (*activep && *intptr == -1)
884 if (!arg || *arg == '\0')
885 fatal("%s line %d: missing address family.",
887 intptr = &options->address_family;
888 if (strcasecmp(arg, "inet") == 0)
890 else if (strcasecmp(arg, "inet6") == 0)
892 else if (strcasecmp(arg, "any") == 0)
895 fatal("Unsupported AddressFamily \"%s\"", arg);
896 if (*activep && *intptr == -1)
900 case oEnableSSHKeysign:
901 intptr = &options->enable_ssh_keysign;
904 case oIdentitiesOnly:
905 intptr = &options->identities_only;
908 case oServerAliveInterval:
909 intptr = &options->server_alive_interval;
912 case oServerAliveCountMax:
913 intptr = &options->server_alive_count_max;
917 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
918 if (strchr(arg, '=') != NULL)
919 fatal("%s line %d: Invalid environment name.",
923 if (options->num_send_env >= MAX_SEND_ENV)
924 fatal("%s line %d: too many send env.",
926 options->send_env[options->num_send_env++] =
932 charptr = &options->control_path;
936 intptr = &options->control_master;
938 if (!arg || *arg == '\0')
939 fatal("%.200s line %d: Missing ControlMaster argument.",
941 value = 0; /* To avoid compiler warning... */
942 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
943 value = SSHCTL_MASTER_YES;
944 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
945 value = SSHCTL_MASTER_NO;
946 else if (strcmp(arg, "auto") == 0)
947 value = SSHCTL_MASTER_AUTO;
948 else if (strcmp(arg, "ask") == 0)
949 value = SSHCTL_MASTER_ASK;
950 else if (strcmp(arg, "autoask") == 0)
951 value = SSHCTL_MASTER_AUTO_ASK;
953 fatal("%.200s line %d: Bad ControlMaster argument.",
955 if (*activep && *intptr == -1)
959 case oControlPersist:
960 /* no/false/yes/true, or a time spec */
961 intptr = &options->control_persist;
963 if (!arg || *arg == '\0')
964 fatal("%.200s line %d: Missing ControlPersist"
965 " argument.", filename, linenum);
967 value2 = 0; /* timeout */
968 if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
970 else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
972 else if ((value2 = convtime(arg)) >= 0)
975 fatal("%.200s line %d: Bad ControlPersist argument.",
977 if (*activep && *intptr == -1) {
979 options->control_persist_timeout = value2;
983 case oHashKnownHosts:
984 intptr = &options->hash_known_hosts;
988 intptr = &options->tun_open;
990 if (!arg || *arg == '\0')
991 fatal("%s line %d: Missing yes/point-to-point/"
992 "ethernet/no argument.", filename, linenum);
993 value = 0; /* silence compiler */
994 if (strcasecmp(arg, "ethernet") == 0)
995 value = SSH_TUNMODE_ETHERNET;
996 else if (strcasecmp(arg, "point-to-point") == 0)
997 value = SSH_TUNMODE_POINTOPOINT;
998 else if (strcasecmp(arg, "yes") == 0)
999 value = SSH_TUNMODE_DEFAULT;
1000 else if (strcasecmp(arg, "no") == 0)
1001 value = SSH_TUNMODE_NO;
1003 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1004 "no argument: %s", filename, linenum, arg);
1011 if (!arg || *arg == '\0')
1012 fatal("%.200s line %d: Missing argument.", filename, linenum);
1013 value = a2tun(arg, &value2);
1014 if (value == SSH_TUNID_ERR)
1015 fatal("%.200s line %d: Bad tun device.", filename, linenum);
1017 options->tun_local = value;
1018 options->tun_remote = value2;
1023 charptr = &options->local_command;
1026 case oPermitLocalCommand:
1027 intptr = &options->permit_local_command;
1030 case oVisualHostKey:
1031 intptr = &options->visual_host_key;
1036 if ((value = parse_ipqos(arg)) == -1)
1037 fatal("%s line %d: Bad IPQoS value: %s",
1038 filename, linenum, arg);
1042 else if ((value2 = parse_ipqos(arg)) == -1)
1043 fatal("%s line %d: Bad IPQoS value: %s",
1044 filename, linenum, arg);
1046 options->ip_qos_interactive = value;
1047 options->ip_qos_bulk = value2;
1052 intptr = &options->use_roaming;
1057 if (!arg || *arg == '\0')
1058 fatal("%s line %d: missing argument.",
1060 intptr = &options->request_tty;
1061 if (strcasecmp(arg, "yes") == 0)
1062 value = REQUEST_TTY_YES;
1063 else if (strcasecmp(arg, "no") == 0)
1064 value = REQUEST_TTY_NO;
1065 else if (strcasecmp(arg, "force") == 0)
1066 value = REQUEST_TTY_FORCE;
1067 else if (strcasecmp(arg, "auto") == 0)
1068 value = REQUEST_TTY_AUTO;
1070 fatal("Unsupported RequestTTY \"%s\"", arg);
1071 if (*activep && *intptr == -1)
1076 intptr = &options->hpn_disabled;
1079 case oHPNBufferSize:
1080 intptr = &options->hpn_buffer_size;
1083 case oTcpRcvBufPoll:
1084 intptr = &options->tcp_rcv_buf_poll;
1088 intptr = &options->tcp_rcv_buf;
1091 #ifdef NONE_CIPHER_ENABLED
1093 intptr = &options->none_enabled;
1097 * Check whether this directive came from the command line.
1098 * If it did, enable it; otherwise fail. NONE must never be a
1099 * default configuration.
1102 if (strcmp(filename,"command-line") == 0) {
1103 intptr = &options->none_switch;
1106 debug("NoneSwitch directive found in %.200s.",
1108 error("NoneSwitch is found in %.200s.\n"
1109 "You may only use this configuration option "
1110 "from the command line", filename);
1111 error("Continuing...");
1116 case oVersionAddendum:
1117 ssh_version_set_addendum(strtok(s, "\n"));
1120 } while (arg != NULL && *arg != '\0');
1124 debug("%s line %d: Deprecated option \"%s\"",
1125 filename, linenum, keyword);
1129 error("%s line %d: Unsupported option \"%s\"",
1130 filename, linenum, keyword);
1134 fatal("process_config_line: Unimplemented opcode %d", opcode);
1137 /* Check that there is no garbage at end of line. */
1138 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1139 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
1140 filename, linenum, arg);
1147 * Reads the config file and modifies the options accordingly. Options
1148 * should already be initialized before this call. This never returns if
1149 * there is an error. If the file does not exist, this returns 0.
1153 read_config_file(const char *filename, const char *host, Options *options,
1158 int active, linenum;
1159 int bad_options = 0;
1161 if ((f = fopen(filename, "r")) == NULL)
1167 if (fstat(fileno(f), &sb) == -1)
1168 fatal("fstat %s: %s", filename, strerror(errno));
1169 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
1170 (sb.st_mode & 022) != 0))
1171 fatal("Bad owner or permissions on %s", filename);
1174 debug("Reading configuration data %.200s", filename);
1177 * Mark that we are now processing the options. This flag is turned
1178 * on/off by Host specifications.
1182 while (fgets(line, sizeof(line), f)) {
1183 /* Update line number counter. */
1185 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
1189 if (bad_options > 0)
1190 fatal("%s: terminating, %d bad configuration options",
1191 filename, bad_options);
1196 * Initializes options to special values that indicate that they have not yet
1197 * been set. Read_config_file will only set options with this value. Options
1198 * are processed in the following order: command line, user config file,
1199 * system config file. Last, fill_default_options is called.
1203 initialize_options(Options * options)
1205 memset(options, 'X', sizeof(*options));
1206 options->forward_agent = -1;
1207 options->forward_x11 = -1;
1208 options->forward_x11_trusted = -1;
1209 options->forward_x11_timeout = -1;
1210 options->exit_on_forward_failure = -1;
1211 options->xauth_location = NULL;
1212 options->gateway_ports = -1;
1213 options->use_privileged_port = -1;
1214 options->rsa_authentication = -1;
1215 options->pubkey_authentication = -1;
1216 options->challenge_response_authentication = -1;
1217 options->gss_authentication = -1;
1218 options->gss_deleg_creds = -1;
1219 options->password_authentication = -1;
1220 options->kbd_interactive_authentication = -1;
1221 options->kbd_interactive_devices = NULL;
1222 options->rhosts_rsa_authentication = -1;
1223 options->hostbased_authentication = -1;
1224 options->batch_mode = -1;
1225 options->check_host_ip = -1;
1226 options->strict_host_key_checking = -1;
1227 options->compression = -1;
1228 options->tcp_keep_alive = -1;
1229 options->compression_level = -1;
1231 options->address_family = -1;
1232 options->connection_attempts = -1;
1233 options->connection_timeout = -1;
1234 options->number_of_password_prompts = -1;
1235 options->cipher = -1;
1236 options->ciphers = NULL;
1237 options->macs = NULL;
1238 options->kex_algorithms = NULL;
1239 options->hostkeyalgorithms = NULL;
1240 options->protocol = SSH_PROTO_UNKNOWN;
1241 options->num_identity_files = 0;
1242 options->hostname = NULL;
1243 options->host_key_alias = NULL;
1244 options->proxy_command = NULL;
1245 options->user = NULL;
1246 options->escape_char = -1;
1247 options->num_system_hostfiles = 0;
1248 options->num_user_hostfiles = 0;
1249 options->local_forwards = NULL;
1250 options->num_local_forwards = 0;
1251 options->remote_forwards = NULL;
1252 options->num_remote_forwards = 0;
1253 options->clear_forwardings = -1;
1254 options->log_level = SYSLOG_LEVEL_NOT_SET;
1255 options->preferred_authentications = NULL;
1256 options->bind_address = NULL;
1257 options->pkcs11_provider = NULL;
1258 options->enable_ssh_keysign = - 1;
1259 options->no_host_authentication_for_localhost = - 1;
1260 options->identities_only = - 1;
1261 options->rekey_limit = - 1;
1262 options->verify_host_key_dns = -1;
1263 options->server_alive_interval = -1;
1264 options->server_alive_count_max = -1;
1265 options->num_send_env = 0;
1266 options->control_path = NULL;
1267 options->control_master = -1;
1268 options->control_persist = -1;
1269 options->control_persist_timeout = 0;
1270 options->hash_known_hosts = -1;
1271 options->tun_open = -1;
1272 options->tun_local = -1;
1273 options->tun_remote = -1;
1274 options->local_command = NULL;
1275 options->permit_local_command = -1;
1276 options->use_roaming = -1;
1277 options->visual_host_key = -1;
1278 options->zero_knowledge_password_authentication = -1;
1279 options->ip_qos_interactive = -1;
1280 options->ip_qos_bulk = -1;
1281 options->request_tty = -1;
1282 options->hpn_disabled = -1;
1283 options->hpn_buffer_size = -1;
1284 options->tcp_rcv_buf_poll = -1;
1285 options->tcp_rcv_buf = -1;
1286 #ifdef NONE_CIPHER_ENABLED
1287 options->none_enabled = -1;
1288 options->none_switch = -1;
1293 * Called after processing other sources of option data, this fills those
1294 * options for which no value has been specified with their default values.
 *
 * "Unset" is encoded per field the way initialize_options() writes it:
 * -1 for integer/boolean settings, NULL for strings, 0 for counts,
 * SSH_PROTO_UNKNOWN for protocol and SYSLOG_LEVEL_NOT_SET for log_level.
 * Only those sentinel values are replaced, so anything set earlier (command
 * line, user config, system config) wins over the defaults below.
 *
 * NOTE(review): this listing has lines dropped (the return type, the
 * opening/closing braces, the xmalloc() lines for the identity files, the
 * closing #endif), so it is not a verbatim copy of the source.
1298 fill_default_options(Options * options)
/* Forwarding of the agent and of X11 (trusted or not) is off unless asked for. */
1302 if (options->forward_agent == -1)
1303 options->forward_agent = 0;
1304 if (options->forward_x11 == -1)
1305 options->forward_x11 = 0;
1306 if (options->forward_x11_trusted == -1)
1307 options->forward_x11_trusted = 0;
/* Untrusted X11 forwarding timeout; 1200 is presumably seconds (20 min) -- confirm. */
1308 if (options->forward_x11_timeout == -1)
1309 options->forward_x11_timeout = 1200;
/* A failed forwarding request does not abort the connection by default. */
1310 if (options->exit_on_forward_failure == -1)
1311 options->exit_on_forward_failure = 0;
/* xauth path comes from pathnames.h; not copied, so never freed. */
1312 if (options->xauth_location == NULL)
1313 options->xauth_location = _PATH_XAUTH;
/* Forwarded ports bind to loopback only, and no privileged source port. */
1314 if (options->gateway_ports == -1)
1315 options->gateway_ports = 0;
1316 if (options->use_privileged_port == -1)
1317 options->use_privileged_port = 0;
/* Key-based and challenge-response authentication are enabled by default. */
1318 if (options->rsa_authentication == -1)
1319 options->rsa_authentication = 1;
1320 if (options->pubkey_authentication == -1)
1321 options->pubkey_authentication = 1;
1322 if (options->challenge_response_authentication == -1)
1323 options->challenge_response_authentication = 1;
/* GSSAPI authentication and credential delegation are opt-in. */
1324 if (options->gss_authentication == -1)
1325 options->gss_authentication = 0;
1326 if (options->gss_deleg_creds == -1)
1327 options->gss_deleg_creds = 0;
1328 if (options->password_authentication == -1)
1329 options->password_authentication = 1;
1330 if (options->kbd_interactive_authentication == -1)
1331 options->kbd_interactive_authentication = 1;
/* Host-based methods (rhosts-RSA, hostbased) stay off unless configured. */
1332 if (options->rhosts_rsa_authentication == -1)
1333 options->rhosts_rsa_authentication = 0;
1334 if (options->hostbased_authentication == -1)
1335 options->hostbased_authentication = 0;
1336 if (options->batch_mode == -1)
1337 options->batch_mode = 0;
1338 if (options->check_host_ip == -1)
1339 options->check_host_ip = 0;
/*
 * 2 is the value the rest of the client treats as "ask" (prompt on an
 * unknown host key) -- presumably; confirm against the key-check code.
 */
1340 if (options->strict_host_key_checking == -1)
1341 options->strict_host_key_checking = 2; /* 2 is default */
1342 if (options->compression == -1)
1343 options->compression = 0;
1344 if (options->tcp_keep_alive == -1)
1345 options->tcp_keep_alive = 1;
1346 if (options->compression_level == -1)
1347 options->compression_level = 6;
/* Port 0 is a placeholder resolved later by ssh_connect; AF_UNSPEC allows v4 or v6. */
1348 if (options->port == -1)
1349 options->port = 0; /* Filled in ssh_connect. */
1350 if (options->address_family == -1)
1351 options->address_family = AF_UNSPEC;
1352 if (options->connection_attempts == -1)
1353 options->connection_attempts = 1;
1354 if (options->number_of_password_prompts == -1)
1355 options->number_of_password_prompts = 3;
1356 /* Selected in ssh_login(). */
1357 if (options->cipher == -1)
1358 options->cipher = SSH_CIPHER_NOT_SET;
1359 /* options->ciphers, default set in myproposals.h */
1360 /* options->macs, default set in myproposals.h */
1361 /* options->kex_algorithms, default set in myproposals.h */
1362 /* options->hostkeyalgorithms, default set in myproposals.h */
/* Protocol 2 only unless the user asked for something else. */
1363 if (options->protocol == SSH_PROTO_UNKNOWN)
1364 options->protocol = SSH_PROTO_2;
/*
 * No IdentityFile given: install the default per-protocol key paths.
 * len covers "~/" + path + NUL; "%.100s" bounds the path copied into the
 * buffer. Each entry is heap-allocated with len bytes on a line that is
 * missing from this listing, then filled by snprintf.
 */
1365 if (options->num_identity_files == 0) {
1366 if (options->protocol & SSH_PROTO_1) {
1367 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1368 options->identity_files[options->num_identity_files] =
1370 snprintf(options->identity_files[options->num_identity_files++],
1371 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1373 if (options->protocol & SSH_PROTO_2) {
1374 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1375 options->identity_files[options->num_identity_files] =
1377 snprintf(options->identity_files[options->num_identity_files++],
1378 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1380 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1381 options->identity_files[options->num_identity_files] =
1383 snprintf(options->identity_files[options->num_identity_files++],
1384 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
/* ECDSA default key only when the linked OpenSSL has EC support. */
1385 #ifdef OPENSSL_HAS_ECC
1386 len = 2 + strlen(_PATH_SSH_CLIENT_ID_ECDSA) + 1;
1387 options->identity_files[options->num_identity_files] =
1389 snprintf(options->identity_files[options->num_identity_files++],
1390 len, "~/%.100s", _PATH_SSH_CLIENT_ID_ECDSA);
1394 if (options->escape_char == -1)
1395 options->escape_char = '~';
/*
 * Known-hosts files: two system-wide and two per-user defaults. The
 * strings are xstrdup'd copies owned by options.
 */
1396 if (options->num_system_hostfiles == 0) {
1397 options->system_hostfiles[options->num_system_hostfiles++] =
1398 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE);
1399 options->system_hostfiles[options->num_system_hostfiles++] =
1400 xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2);
1402 if (options->num_user_hostfiles == 0) {
1403 options->user_hostfiles[options->num_user_hostfiles++] =
1404 xstrdup(_PATH_SSH_USER_HOSTFILE);
1405 options->user_hostfiles[options->num_user_hostfiles++] =
1406 xstrdup(_PATH_SSH_USER_HOSTFILE2);
1408 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1409 options->log_level = SYSLOG_LEVEL_INFO;
/* ClearAllForwardings was requested: discard forwardings collected so far. */
1410 if (options->clear_forwardings == 1)
1411 clear_forwardings(options);
/*
 * Host key checks apply to localhost too, only configured identities are
 * not restricted to, and the ssh-keysign helper is not used unless the
 * user enables it.
 */
1412 if (options->no_host_authentication_for_localhost == - 1)
1413 options->no_host_authentication_for_localhost = 0;
1414 if (options->identities_only == -1)
1415 options->identities_only = 0;
1416 if (options->enable_ssh_keysign == -1)
1417 options->enable_ssh_keysign = 0;
/* 0 presumably means "use the transport's built-in rekey policy" -- confirm. */
1418 if (options->rekey_limit == -1)
1419 options->rekey_limit = 0;
/* DNS (SSHFP) host key verification is not consulted by default. */
1420 if (options->verify_host_key_dns == -1)
1421 options->verify_host_key_dns = 0;
/* Interval 0 disables keepalive probes; 3 missed replies before giving up. */
1422 if (options->server_alive_interval == -1)
1423 options->server_alive_interval = 0;
1424 if (options->server_alive_count_max == -1)
1425 options->server_alive_count_max = 3;
/* Connection sharing is off; persist and its timeout are reset together. */
1426 if (options->control_master == -1)
1427 options->control_master = 0;
1428 if (options->control_persist == -1) {
1429 options->control_persist = 0;
1430 options->control_persist_timeout = 0;
1432 if (options->hash_known_hosts == -1)
1433 options->hash_known_hosts = 0;
/* No tunnel device by default; tunnel ids left for the system to pick. */
1434 if (options->tun_open == -1)
1435 options->tun_open = SSH_TUNMODE_NO;
1436 if (options->tun_local == -1)
1437 options->tun_local = SSH_TUNID_ANY;
1438 if (options->tun_remote == -1)
1439 options->tun_remote = SSH_TUNID_ANY;
1440 if (options->permit_local_command == -1)
1441 options->permit_local_command = 0;
/*
 * NOTE(review): client roaming is enabled by default here. Later upstream
 * releases disabled the client-side roaming code; confirm this default is
 * intended for this build.
 */
1442 if (options->use_roaming == -1)
1443 options->use_roaming = 1;
1444 if (options->visual_host_key == -1)
1445 options->visual_host_key = 0;
1446 if (options->zero_knowledge_password_authentication == -1)
1447 options->zero_knowledge_password_authentication = 0;
/* IP TOS/DSCP defaults: low delay for interactive, throughput for bulk. */
1448 if (options->ip_qos_interactive == -1)
1449 options->ip_qos_interactive = IPTOS_LOWDELAY;
1450 if (options->ip_qos_bulk == -1)
1451 options->ip_qos_bulk = IPTOS_THROUGHPUT;
1452 if (options->request_tty == -1)
1453 options->request_tty = REQUEST_TTY_AUTO;
1454 /* options->local_command should not be set by default */
1455 /* options->proxy_command should not be set by default */
1456 /* options->user will be set in the main program if appropriate */
1457 /* options->hostname will be set in the main program if appropriate */
1458 /* options->host_key_alias should not be set by default */
1459 /* options->preferred_authentications will be set in ssh */
/* HPN (high-performance networking) patch defaults follow. */
1460 if (options->hpn_disabled == -1)
1461 options->hpn_disabled = 0;
/*
 * HPN receive-buffer size, only adjusted when the user set it (> -1).
 * NOTE(review): the units look inconsistent: the value is compared against
 * maxlen / 1024 (i.e. treated as KiB) but, when too large, is replaced with
 * maxlen itself (bytes); the "1KB" fallback likewise stores 1024 into a
 * field otherwise compared in KiB. Also hpn_buffer_size * 1024 in the
 * debug() call can overflow int for large user values, and an int is
 * passed for a %u conversion. Confirm against the consumer of this field.
 * The opening brace of this if-block is missing from this listing.
 */
1462 if (options->hpn_buffer_size > -1)
1466 /* If a user tries to set the size to 0 set it to 1KB. */
1467 if (options->hpn_buffer_size == 0)
1468 options->hpn_buffer_size = 1024;
1469 /* Limit the buffer to BUFFER_MAX_LEN. */
1470 maxlen = buffer_get_max_len();
1471 if (options->hpn_buffer_size > (maxlen / 1024)) {
1472 debug("User requested buffer larger than %ub: %ub. "
1473 "Request reverted to %ub", maxlen,
1474 options->hpn_buffer_size * 1024, maxlen);
1475 options->hpn_buffer_size = maxlen;
1477 debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
/*
 * TCP receive buffer (configured in KiB, scaled to bytes here). 0 is
 * bumped to 1 KiB; -1 (unset) is left alone by the > -1 guard. The
 * multiply can overflow int for very large values -- presumably bounded
 * by the parser; confirm.
 */
1479 if (options->tcp_rcv_buf == 0)
1480 options->tcp_rcv_buf = 1;
1481 if (options->tcp_rcv_buf > -1)
1482 options->tcp_rcv_buf *= 1024;
1483 if (options->tcp_rcv_buf_poll == -1)
1484 options->tcp_rcv_buf_poll = 1;
/* "none" cipher support: the switch is off; enabling it must be explicit. */
1485 #ifdef NONE_CIPHER_ENABLED
1486 /* options->none_enabled must not be set by default */
1487 if (options->none_switch == -1)
1488 options->none_switch = 0;
1494 * parses a string containing a port forwarding specification of the form:
1496 * [listenhost:]listenport:connecthost:connectport
1498 * [listenhost:]listenport
1499 * returns number of arguments parsed or zero on error
1502 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1505 char *p, *cp, *fwdarg[4];
1507 memset(fwd, '\0', sizeof(*fwd));
1509 cp = p = xstrdup(fwdspec);
1511 /* skip leading spaces */
1512 while (isspace(*cp))
1515 for (i = 0; i < 4; ++i)
1516 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1519 /* Check for trailing garbage */
1521 i = 0; /* failure */
1525 fwd->listen_host = NULL;
1526 fwd->listen_port = a2port(fwdarg[0]);
1527 fwd->connect_host = xstrdup("socks");
1531 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1532 fwd->listen_port = a2port(fwdarg[1]);
1533 fwd->connect_host = xstrdup("socks");
1537 fwd->listen_host = NULL;
1538 fwd->listen_port = a2port(fwdarg[0]);
1539 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1540 fwd->connect_port = a2port(fwdarg[2]);
1544 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1545 fwd->listen_port = a2port(fwdarg[1]);
1546 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1547 fwd->connect_port = a2port(fwdarg[3]);
1550 i = 0; /* failure */
1556 if (!(i == 1 || i == 2))
1559 if (!(i == 3 || i == 4))
1561 if (fwd->connect_port <= 0)
1565 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
1568 if (fwd->connect_host != NULL &&
1569 strlen(fwd->connect_host) >= NI_MAXHOST)
1571 if (fwd->listen_host != NULL &&
1572 strlen(fwd->listen_host) >= NI_MAXHOST)
1579 if (fwd->connect_host != NULL) {
1580 xfree(fwd->connect_host);
1581 fwd->connect_host = NULL;
1583 if (fwd->listen_host != NULL) {
1584 xfree(fwd->listen_host);
1585 fwd->listen_host = NULL;