2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * Functions for reading the configuration files.
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
15 RCSID("$OpenBSD: readconf.c,v 1.145 2005/12/08 18:34:11 reyk Exp $");
22 #include "pathnames.h"
30 /* Format of the configuration file:
32 # Configuration data is parsed as follows:
33 # 1. command line options
34 # 2. user-specific file
36 # Any configuration value is only changed the first time it is set.
37 # Thus, host-specific definitions should be at the beginning of the
38 # configuration file, and defaults at the end.
40 # Host-specific declarations. These may override anything above. A single
41 # host may match multiple declarations; these are processed in the order
42 # that they are given in.
48 HostName another.host.name.real.org
55 RemoteForward 9999 shadows.cs.hut.fi:9999
61 PasswordAuthentication no
65 ProxyCommand ssh-proxy %h %p
68 PublicKeyAuthentication no
72 PasswordAuthentication no
78 # Defaults for various options
82 PasswordAuthentication yes
84 RhostsRSAAuthentication yes
85 StrictHostKeyChecking yes
87 IdentityFile ~/.ssh/identity
97 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
98 oPasswordAuthentication, oRSAAuthentication,
99 oChallengeResponseAuthentication, oXAuthLocation,
100 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
101 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
102 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
103 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
104 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
105 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
106 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
107 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
108 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
109 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
110 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
111 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
112 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
113 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
114 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
115 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
117 oDeprecated, oUnsupported
120 /* Textual representations of the tokens. */
126 { "forwardagent", oForwardAgent },
127 { "forwardx11", oForwardX11 },
128 { "forwardx11trusted", oForwardX11Trusted },
129 { "xauthlocation", oXAuthLocation },
130 { "gatewayports", oGatewayPorts },
131 { "useprivilegedport", oUsePrivilegedPort },
132 { "rhostsauthentication", oDeprecated },
133 { "passwordauthentication", oPasswordAuthentication },
134 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
135 { "kbdinteractivedevices", oKbdInteractiveDevices },
136 { "rsaauthentication", oRSAAuthentication },
137 { "pubkeyauthentication", oPubkeyAuthentication },
138 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
139 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
140 { "hostbasedauthentication", oHostbasedAuthentication },
141 { "challengeresponseauthentication", oChallengeResponseAuthentication },
142 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
143 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
144 { "kerberosauthentication", oUnsupported },
145 { "kerberostgtpassing", oUnsupported },
146 { "afstokenpassing", oUnsupported },
148 { "gssapiauthentication", oGssAuthentication },
149 { "gssapidelegatecredentials", oGssDelegateCreds },
151 { "gssapiauthentication", oUnsupported },
152 { "gssapidelegatecredentials", oUnsupported },
154 { "fallbacktorsh", oDeprecated },
155 { "usersh", oDeprecated },
156 { "identityfile", oIdentityFile },
157 { "identityfile2", oIdentityFile }, /* alias */
158 { "identitiesonly", oIdentitiesOnly },
159 { "hostname", oHostName },
160 { "hostkeyalias", oHostKeyAlias },
161 { "proxycommand", oProxyCommand },
163 { "cipher", oCipher },
164 { "ciphers", oCiphers },
166 { "protocol", oProtocol },
167 { "remoteforward", oRemoteForward },
168 { "localforward", oLocalForward },
171 { "escapechar", oEscapeChar },
172 { "globalknownhostsfile", oGlobalKnownHostsFile },
173 { "userknownhostsfile", oUserKnownHostsFile }, /* obsolete */
174 { "globalknownhostsfile2", oGlobalKnownHostsFile2 },
175 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
176 { "connectionattempts", oConnectionAttempts },
177 { "batchmode", oBatchMode },
178 { "checkhostip", oCheckHostIP },
179 { "stricthostkeychecking", oStrictHostKeyChecking },
180 { "compression", oCompression },
181 { "compressionlevel", oCompressionLevel },
182 { "tcpkeepalive", oTCPKeepAlive },
183 { "keepalive", oTCPKeepAlive }, /* obsolete */
184 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
185 { "loglevel", oLogLevel },
186 { "dynamicforward", oDynamicForward },
187 { "preferredauthentications", oPreferredAuthentications },
188 { "hostkeyalgorithms", oHostKeyAlgorithms },
189 { "bindaddress", oBindAddress },
191 { "smartcarddevice", oSmartcardDevice },
193 { "smartcarddevice", oUnsupported },
195 { "clearallforwardings", oClearAllForwardings },
196 { "enablesshkeysign", oEnableSSHKeysign },
197 { "verifyhostkeydns", oVerifyHostKeyDNS },
198 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
199 { "rekeylimit", oRekeyLimit },
200 { "connecttimeout", oConnectTimeout },
201 { "addressfamily", oAddressFamily },
202 { "serveraliveinterval", oServerAliveInterval },
203 { "serveralivecountmax", oServerAliveCountMax },
204 { "sendenv", oSendEnv },
205 { "controlpath", oControlPath },
206 { "controlmaster", oControlMaster },
207 { "hashknownhosts", oHashKnownHosts },
208 { "tunnel", oTunnel },
209 { "tunneldevice", oTunnelDevice },
210 { "localcommand", oLocalCommand },
211 { "permitlocalcommand", oPermitLocalCommand },
212 { "versionaddendum", oVersionAddendum },
/*
 * Adds a local TCP/IP port forward to options.  Never returns if there is
 * an error: a non-root user asking for a privileged listen port, or the
 * per-direction forward table being full, is fatal.
 *
 * options: the Options table to append to; it owns the copied strings.
 * newfwd:  the parsed forward.  Its host strings are duplicated, so the
 *          caller keeps ownership of the original.  listen_host may be
 *          NULL (parse_forward's three-field form leaves it so).
 */
void
add_local_forward(Options *options, const Forward *newfwd)
{
	Forward *slot;

#ifndef NO_IPPORT_RESERVED_CONCEPT
	/*
	 * Listening below IPPORT_RESERVED is a root-only privilege.  The test
	 * is against original_real_uid (defined elsewhere; presumably the
	 * invoking user's real uid saved before any setuid handling) rather
	 * than the effective uid, so a setuid-root ssh still refuses this
	 * for an ordinary invoking user.
	 */
	extern uid_t original_real_uid;

	if (original_real_uid != 0 && newfwd->listen_port < IPPORT_RESERVED)
		fatal("Privileged ports can only be forwarded by root.");
#endif
	/* The table has a fixed size: refuse rather than overrun it. */
	if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);

	slot = &options->local_forwards[options->num_local_forwards];
	options->num_local_forwards++;

	if (newfwd->listen_host != NULL)
		slot->listen_host = xstrdup(newfwd->listen_host);
	else
		slot->listen_host = NULL;
	slot->listen_port = newfwd->listen_port;
	slot->connect_host = xstrdup(newfwd->connect_host);
	slot->connect_port = newfwd->connect_port;
}
/*
 * Adds a remote TCP/IP port forward to options.  Never returns if there
 * is an error (the per-direction forward table is full).
 *
 * Unlike add_local_forward there is no privileged-port test here: the
 * listening socket for a remote forward is not opened by this process,
 * so the local uid is not the relevant authority for it.
 *
 * options: the Options table to append to; it owns the copied strings.
 * newfwd:  the parsed forward; host strings are duplicated, the caller
 *          keeps the original.  listen_host may be NULL.
 */
void
add_remote_forward(Options *options, const Forward *newfwd)
{
	Forward *slot;
	const char *lhost = newfwd->listen_host;

	if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many remote forwards (max %d).",
		    SSH_MAX_FORWARDS_PER_DIRECTION);

	slot = options->remote_forwards + options->num_remote_forwards;
	options->num_remote_forwards += 1;

	slot->listen_host = (lhost != NULL) ? xstrdup(lhost) : NULL;
	slot->listen_port = newfwd->listen_port;
	slot->connect_host = xstrdup(newfwd->connect_host);
	slot->connect_port = newfwd->connect_port;
}
/*
 * Discards every configured local and remote port forward, releasing the
 * host strings each entry owns, and turns tunnel forwarding off as well.
 * fill_default_options() calls this when ClearAllForwardings is set, i.e.
 * after every configuration source has been read.
 *
 * options: the Options table to empty.
 */
void
clear_forwardings(Options *options)
{
	Forward *f;
	int n;

	f = options->local_forwards;
	for (n = options->num_local_forwards; n > 0; n--, f++) {
		/* listen_host is optional; keep the NULL guard for xfree(). */
		if (f->listen_host != NULL)
			xfree(f->listen_host);
		xfree(f->connect_host);
	}
	options->num_local_forwards = 0;

	f = options->remote_forwards;
	for (n = options->num_remote_forwards; n > 0; n--, f++) {
		if (f->listen_host != NULL)
			xfree(f->listen_host);
		xfree(f->connect_host);
	}
	options->num_remote_forwards = 0;

	/* Tunnel forwarding counts as a forwarding too. */
	options->tun_open = SSH_TUNMODE_NO;
}
/*
 * Returns the opcode of the configuration keyword cp (compared
 * case-insensitively), or oBadOption after logging an error that names
 * filename and linenum.  The lookup is first-match over the keywords[]
 * table, so when the table carries the same name twice the earlier entry
 * wins.  The return type is written as int here; callers store it in an
 * int (see process_config_line).
 */
int
parse_token(const char *cp, const char *filename, int linenum)
{
	const char *name;
	int idx;

	for (idx = 0; (name = keywords[idx].name) != NULL; idx++) {
		if (strcasecmp(name, cp) == 0)
			return keywords[idx].opcode;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return oBadOption;
}
301 * Processes a single option line as used in the configuration files. This
302 * only sets those values that have not already been set.
304 #define WHITESPACE " \t\r\n"
/*
 * options:  the table being filled (see initialize_options for the
 *           "not yet set" sentinels this routine tests against).
 * host:     the name matched against "Host" patterns.
 * line:     one configuration line; it is tokenised in place.
 * filename, linenum: for diagnostics only.
 * A further pointer argument, *activep, records whether the current Host
 * block matched; it is read and written below but its declaration is not
 * shown in this excerpt.
 * read_config_file treats a non-zero return as a bad option and counts it;
 * malformed arguments are fatal() immediately.
 */
307 process_config_line(Options *options, const char *host,
308 char *line, const char *filename, int linenum,
311 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
312 int opcode, *intptr, value, value2;
316 /* Strip trailing whitespace */
/*
 * NOTE(review): the declaration of len is not visible here.  If it is an
 * unsigned type and line is empty, strlen(line) - 1 wraps and line[len]
 * is read out of bounds.  Lines from read_config_file come from fgets()
 * and are never empty, but whether any other caller can pass an empty
 * line is not visible here; an explicit strlen(line) == 0 check before
 * this loop would be the safer form.
 */
317 for (len = strlen(line) - 1; len > 0; len--) {
318 if (strchr(WHITESPACE, line[len]) == NULL)
324 /* Get the keyword. (Each line is supposed to begin with a keyword). */
325 keyword = strdelim(&s);
326 /* Ignore leading whitespace. */
327 if (*keyword == '\0')
328 keyword = strdelim(&s);
/* Blank lines and '#' comments are accepted silently. */
329 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
332 opcode = parse_token(keyword, filename, linenum);
336 /* don't panic, but count bad options */
339 case oConnectTimeout:
340 intptr = &options->connection_timeout;
343 if (!arg || *arg == '\0')
344 fatal("%s line %d: missing time value.",
346 if ((value = convtime(arg)) == -1)
347 fatal("%s line %d: invalid time value.",
354 intptr = &options->forward_agent;
357 if (!arg || *arg == '\0')
358 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
359 value = 0; /* To avoid compiler warning... */
360 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
362 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
365 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
/*
 * First setting wins: a value is stored only when the current Host block
 * is active AND the field still holds its initialize_options() sentinel.
 * This is what makes host-specific blocks have to precede general ones
 * (see the file-format comment at the top of this file).
 */
366 if (*activep && *intptr == -1)
371 intptr = &options->forward_x11;
374 case oForwardX11Trusted:
375 intptr = &options->forward_x11_trusted;
379 intptr = &options->gateway_ports;
382 case oUsePrivilegedPort:
383 intptr = &options->use_privileged_port;
386 case oPasswordAuthentication:
387 intptr = &options->password_authentication;
390 case oKbdInteractiveAuthentication:
391 intptr = &options->kbd_interactive_authentication;
394 case oKbdInteractiveDevices:
395 charptr = &options->kbd_interactive_devices;
398 case oPubkeyAuthentication:
399 intptr = &options->pubkey_authentication;
402 case oRSAAuthentication:
403 intptr = &options->rsa_authentication;
406 case oRhostsRSAAuthentication:
407 intptr = &options->rhosts_rsa_authentication;
410 case oHostbasedAuthentication:
411 intptr = &options->hostbased_authentication;
414 case oChallengeResponseAuthentication:
415 intptr = &options->challenge_response_authentication;
418 case oGssAuthentication:
419 intptr = &options->gss_authentication;
422 case oGssDelegateCreds:
423 intptr = &options->gss_deleg_creds;
427 intptr = &options->batch_mode;
431 intptr = &options->check_host_ip;
434 case oVerifyHostKeyDNS:
435 intptr = &options->verify_host_key_dns;
438 case oStrictHostKeyChecking:
439 intptr = &options->strict_host_key_checking;
/* Three-state parser: yes / no / ask (the stored values are elided here). */
442 if (!arg || *arg == '\0')
443 fatal("%.200s line %d: Missing yes/no/ask argument.",
445 value = 0; /* To avoid compiler warning... */
446 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
448 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
450 else if (strcmp(arg, "ask") == 0)
453 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
454 if (*activep && *intptr == -1)
459 intptr = &options->compression;
463 intptr = &options->tcp_keep_alive;
466 case oNoHostAuthenticationForLocalhost:
467 intptr = &options->no_host_authentication_for_localhost;
470 case oNumberOfPasswordPrompts:
471 intptr = &options->number_of_password_prompts;
474 case oCompressionLevel:
475 intptr = &options->compression_level;
479 intptr = &options->rekey_limit;
481 if (!arg || *arg == '\0')
482 fatal("%.200s line %d: Missing argument.", filename, linenum);
/* Must start with a digit; an optional size suffix is handled by the switch below (its cases are not shown here). */
483 if (arg[0] < '0' || arg[0] > '9')
484 fatal("%.200s line %d: Bad number.", filename, linenum);
485 value = strtol(arg, &endofnumber, 10);
486 if (arg == endofnumber)
487 fatal("%.200s line %d: Bad number.", filename, linenum);
488 switch (toupper(*endofnumber)) {
499 if (*activep && *intptr == -1)
505 if (!arg || *arg == '\0')
506 fatal("%.200s line %d: Missing argument.", filename, linenum);
/* IdentityFile accumulates (up to SSH_MAX_IDENTITY_FILES) instead of first-wins. */
508 intptr = &options->num_identity_files;
509 if (*intptr >= SSH_MAX_IDENTITY_FILES)
510 fatal("%.200s line %d: Too many identity files specified (max %d).",
511 filename, linenum, SSH_MAX_IDENTITY_FILES);
512 charptr = &options->identity_files[*intptr];
513 *charptr = xstrdup(arg);
514 *intptr = *intptr + 1;
519 charptr=&options->xauth_location;
523 charptr = &options->user;
526 if (!arg || *arg == '\0')
527 fatal("%.200s line %d: Missing argument.", filename, linenum);
528 if (*activep && *charptr == NULL)
529 *charptr = xstrdup(arg);
532 case oGlobalKnownHostsFile:
533 charptr = &options->system_hostfile;
536 case oUserKnownHostsFile:
537 charptr = &options->user_hostfile;
540 case oGlobalKnownHostsFile2:
541 charptr = &options->system_hostfile2;
544 case oUserKnownHostsFile2:
545 charptr = &options->user_hostfile2;
549 charptr = &options->hostname;
553 charptr = &options->host_key_alias;
556 case oPreferredAuthentications:
557 charptr = &options->preferred_authentications;
561 charptr = &options->bind_address;
564 case oSmartcardDevice:
565 charptr = &options->smartcard_device;
/*
 * ProxyCommand keeps the rest of the line verbatim (only leading
 * whitespace and '=' are skipped) because the value is a command line,
 * executed by the connection code elsewhere.  Since it is arbitrary
 * command text, a writable configuration file would amount to command
 * execution as this user -- which is what the ownership/permission check
 * in read_config_file guards against.
 */
569 charptr = &options->proxy_command;
572 fatal("%.200s line %d: Missing argument.", filename, linenum);
573 len = strspn(s, WHITESPACE "=");
574 if (*activep && *charptr == NULL)
575 *charptr = xstrdup(s + len);
579 intptr = &options->port;
582 if (!arg || *arg == '\0')
583 fatal("%.200s line %d: Missing argument.", filename, linenum);
584 if (arg[0] < '0' || arg[0] > '9')
585 fatal("%.200s line %d: Bad number.", filename, linenum);
587 /* Octal, decimal, or hex format? */
/* NOTE(review): no range check (1..65535) is visible here, unlike the a2port() path used for forwards; confirm Port is validated elsewhere. */
588 value = strtol(arg, &endofnumber, 0);
589 if (arg == endofnumber)
590 fatal("%.200s line %d: Bad number.", filename, linenum);
591 if (*activep && *intptr == -1)
595 case oConnectionAttempts:
596 intptr = &options->connection_attempts;
600 intptr = &options->cipher;
602 if (!arg || *arg == '\0')
603 fatal("%.200s line %d: Missing argument.", filename, linenum);
604 value = cipher_number(arg);
606 fatal("%.200s line %d: Bad cipher '%s'.",
607 filename, linenum, arg ? arg : "<NONE>");
608 if (*activep && *intptr == -1)
/* Algorithm lists are validated up front so a typo fails at parse time, not at key exchange. */
614 if (!arg || *arg == '\0')
615 fatal("%.200s line %d: Missing argument.", filename, linenum);
616 if (!ciphers_valid(arg))
617 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
618 filename, linenum, arg ? arg : "<NONE>");
619 if (*activep && options->ciphers == NULL)
620 options->ciphers = xstrdup(arg);
625 if (!arg || *arg == '\0')
626 fatal("%.200s line %d: Missing argument.", filename, linenum);
628 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
629 filename, linenum, arg ? arg : "<NONE>");
630 if (*activep && options->macs == NULL)
631 options->macs = xstrdup(arg);
634 case oHostKeyAlgorithms:
636 if (!arg || *arg == '\0')
637 fatal("%.200s line %d: Missing argument.", filename, linenum);
638 if (!key_names_valid2(arg))
639 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
640 filename, linenum, arg ? arg : "<NONE>");
641 if (*activep && options->hostkeyalgorithms == NULL)
642 options->hostkeyalgorithms = xstrdup(arg);
646 intptr = &options->protocol;
648 if (!arg || *arg == '\0')
649 fatal("%.200s line %d: Missing argument.", filename, linenum);
650 value = proto_spec(arg);
651 if (value == SSH_PROTO_UNKNOWN)
652 fatal("%.200s line %d: Bad protocol spec '%s'.",
653 filename, linenum, arg ? arg : "<NONE>");
654 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
659 intptr = (int *) &options->log_level;
661 value = log_level_number(arg);
662 if (value == SYSLOG_LEVEL_NOT_SET)
663 fatal("%.200s line %d: unsupported log level '%s'",
664 filename, linenum, arg ? arg : "<NONE>");
665 if (*activep && (LogLevel) *intptr == SYSLOG_LEVEL_NOT_SET)
666 *intptr = (LogLevel) value;
672 if (arg == NULL || *arg == '\0')
673 fatal("%.200s line %d: Missing port argument.",
676 if (arg2 == NULL || *arg2 == '\0')
677 fatal("%.200s line %d: Missing target argument.",
680 /* construct a string for parse_forward */
/*
 * NOTE(review): fwdarg is 256 bytes and the snprintf() result is not
 * checked, so an over-long "port:target" pair is silently truncated
 * before parse_forward() sees it; a cut-off port number can still parse
 * as a different, valid port.  Comparing the return value against
 * sizeof(fwdarg) and calling fatal() on truncation would be the robust
 * form.
 */
681 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
683 if (parse_forward(&fwd, fwdarg) == 0)
684 fatal("%.200s line %d: Bad forwarding specification.",
/* Forwards accumulate (bounded by SSH_MAX_FORWARDS_PER_DIRECTION in the add_* routines), they are not first-wins. */
688 if (opcode == oLocalForward)
689 add_local_forward(options, &fwd);
690 else if (opcode == oRemoteForward)
691 add_remote_forward(options, &fwd);
695 case oDynamicForward:
697 if (!arg || *arg == '\0')
698 fatal("%.200s line %d: Missing port argument.",
/* A DynamicForward is stored as a local forward whose target is the literal "socks". */
700 memset(&fwd, '\0', sizeof(fwd));
701 fwd.connect_host = "socks";
702 fwd.listen_host = hpdelim(&arg);
/* Bound the host part hpdelim() split off to NI_MAXHOST, as parse_forward does for connect_host. */
703 if (fwd.listen_host == NULL ||
704 strlen(fwd.listen_host) >= NI_MAXHOST)
705 fatal("%.200s line %d: Bad forwarding specification.",
708 fwd.listen_port = a2port(arg);
709 fwd.listen_host = cleanhostname(fwd.listen_host);
/* Port-only form: what hpdelim() returned was the port, not a host. */
711 fwd.listen_port = a2port(fwd.listen_host);
712 fwd.listen_host = NULL;
/* a2port() signals an unparseable port by returning 0. */
714 if (fwd.listen_port == 0)
715 fatal("%.200s line %d: Badly formatted port number.",
718 add_local_forward(options, &fwd);
721 case oClearAllForwardings:
722 intptr = &options->clear_forwardings;
/* "Host": *activep becomes true if any pattern matches; the remainder of the line is consumed here. */
727 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
728 if (match_pattern(host, arg)) {
729 debug("Applying options for %.100s", arg);
733 /* Avoid garbage check below, as strdelim is done. */
737 intptr = &options->escape_char;
739 if (!arg || *arg == '\0')
740 fatal("%.200s line %d: Missing argument.", filename, linenum);
/* "^X" notation: only bytes 64..127 after '^' map to a control character via & 31. */
741 if (arg[0] == '^' && arg[2] == 0 &&
742 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
743 value = (u_char) arg[1] & 31;
744 else if (strlen(arg) == 1)
745 value = (u_char) arg[0];
746 else if (strcmp(arg, "none") == 0)
747 value = SSH_ESCAPECHAR_NONE;
749 fatal("%.200s line %d: Bad escape character.",
752 value = 0; /* Avoid compiler warning. */
754 if (*activep && *intptr == -1)
760 if (!arg || *arg == '\0')
761 fatal("%s line %d: missing address family.",
763 intptr = &options->address_family;
764 if (strcasecmp(arg, "inet") == 0)
766 else if (strcasecmp(arg, "inet6") == 0)
768 else if (strcasecmp(arg, "any") == 0)
771 fatal("Unsupported AddressFamily \"%s\"", arg);
772 if (*activep && *intptr == -1)
776 case oEnableSSHKeysign:
777 intptr = &options->enable_ssh_keysign;
780 case oIdentitiesOnly:
781 intptr = &options->identities_only;
784 case oServerAliveInterval:
785 intptr = &options->server_alive_interval;
788 case oServerAliveCountMax:
789 intptr = &options->server_alive_count_max;
/*
 * SendEnv takes variable NAME patterns only; rejecting '=' stops a
 * configuration line from carrying a NAME=value pair where a name is
 * expected.  Entries accumulate up to MAX_SEND_ENV.
 */
793 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
794 if (strchr(arg, '=') != NULL)
795 fatal("%s line %d: Invalid environment name.",
799 if (options->num_send_env >= MAX_SEND_ENV)
800 fatal("%s line %d: too many send env.",
802 options->send_env[options->num_send_env++] =
808 charptr = &options->control_path;
812 intptr = &options->control_master;
814 if (!arg || *arg == '\0')
815 fatal("%.200s line %d: Missing ControlMaster argument.",
817 value = 0; /* To avoid compiler warning... */
818 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
819 value = SSHCTL_MASTER_YES;
820 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
821 value = SSHCTL_MASTER_NO;
822 else if (strcmp(arg, "auto") == 0)
823 value = SSHCTL_MASTER_AUTO;
824 else if (strcmp(arg, "ask") == 0)
825 value = SSHCTL_MASTER_ASK;
826 else if (strcmp(arg, "autoask") == 0)
827 value = SSHCTL_MASTER_AUTO_ASK;
829 fatal("%.200s line %d: Bad ControlMaster argument.",
831 if (*activep && *intptr == -1)
835 case oHashKnownHosts:
836 intptr = &options->hash_known_hosts;
840 intptr = &options->tun_open;
842 if (!arg || *arg == '\0')
843 fatal("%s line %d: Missing yes/point-to-point/"
844 "ethernet/no argument.", filename, linenum);
845 value = 0; /* silence compiler */
846 if (strcasecmp(arg, "ethernet") == 0)
847 value = SSH_TUNMODE_ETHERNET;
848 else if (strcasecmp(arg, "point-to-point") == 0)
849 value = SSH_TUNMODE_POINTOPOINT;
850 else if (strcasecmp(arg, "yes") == 0)
851 value = SSH_TUNMODE_DEFAULT;
852 else if (strcasecmp(arg, "no") == 0)
853 value = SSH_TUNMODE_NO;
855 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
856 "no argument: %s", filename, linenum, arg);
863 if (!arg || *arg == '\0')
864 fatal("%.200s line %d: Missing argument.", filename, linenum);
865 value = a2tun(arg, &value2);
866 if (value == SSH_TUNID_ERR)
867 fatal("%.200s line %d: Bad tun device.", filename, linenum);
/* NOTE: TunnelDevice is stored unconditionally (no *activep / sentinel test), unlike the options above. */
869 options->tun_local = value;
870 options->tun_remote = value2;
875 charptr = &options->local_command;
878 case oPermitLocalCommand:
879 intptr = &options->permit_local_command;
882 case oVersionAddendum:
/*
 * NOTE(review): strtok() keeps static state and is inconsistent with the
 * strdelim() tokenising used everywhere else in this routine; it is
 * harmless only as long as no other strtok() user is interleaved, which
 * cannot be verified here.  The loop that follows drains s so the
 * trailing-garbage check below passes.
 */
883 ssh_version_set_addendum(strtok(s, "\n"));
886 } while (arg != NULL && *arg != '\0');
890 debug("%s line %d: Deprecated option \"%s\"",
891 filename, linenum, keyword);
895 error("%s line %d: Unsupported option \"%s\"",
896 filename, linenum, keyword);
900 fatal("process_config_line: Unimplemented opcode %d", opcode);
903 /* Check that there is no garbage at end of line. */
/* Anything left after an option's arguments is a hard error, so a stray token cannot be silently ignored. */
904 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
905 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
906 filename, linenum, arg);
913 * Reads the config file and modifies the options accordingly. Options
914 * should already be initialized before this call. This never returns if
915 * there is an error. If the file does not exist, this returns 0.
/*
 * filename: path of the configuration file.
 * host:     the name matched against "Host" blocks.
 * options:  the table to fill (first setting of each value wins).
 * A further parameter follows on the next (elided) signature line.
 */
919 read_config_file(const char *filename, const char *host, Options *options,
928 if ((f = fopen(filename, "r")) == NULL)
/*
 * fstat() on the descriptor already opened above, so the ownership and
 * permission test applies to the file actually being read; there is no
 * path re-lookup between the check and the use.
 */
934 if (fstat(fileno(f), &sb) == -1)
935 fatal("fstat %s: %s", filename, strerror(errno));
/*
 * Trust only files owned by root or by the invoking (real) user, and
 * never files writable by group or others.  A configuration file can set
 * ProxyCommand and LocalCommand, so a file another user can write is
 * command execution as this user.
 * NOTE(review): this check appears to sit under a condition whose line
 * is not visible in this excerpt -- confirm which callers enable it.
 */
936 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
937 (sb.st_mode & 022) != 0))
938 fatal("Bad owner or permissions on %s", filename);
941 debug("Reading configuration data %.200s", filename);
944 * Mark that we are now processing the options. This flag is turned
945 * on/off by Host specifications.
/* fgets() delivers a line longer than the buffer in pieces; each piece is then parsed as a line of its own (presumably with the same line number). */
949 while (fgets(line, sizeof(line), f)) {
950 /* Update line number counter. */
952 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
/* Bad option names are counted, not fatal per line, so one run reports all of them. */
957 fatal("%s: terminating, %d bad configuration options",
958 filename, bad_options);
963 * Initializes options to special values that indicate that they have not yet
964 * been set. Read_config_file will only set options with this value. Options
965 * are processed in the following order: command line, user config file,
966 * system config file. Last, fill_default_options is called.
/*
 * options: the table to reset.  Integer fields get -1, pointer fields
 * NULL, and counters 0; process_config_line only writes a field while it
 * still holds this sentinel, and fill_default_options replaces whatever
 * is still a sentinel afterwards.
 */
970 initialize_options(Options * options)
/*
 * Poison the whole struct with a non-zero byte first: any field that is
 * forgotten below then holds garbage rather than a plausible 0/NULL, so
 * a missing reset is noticed instead of silently meaning "off".
 * NOTE(review): no reset of options->port is visible in this excerpt,
 * although fill_default_options tests it against -1 -- confirm the
 * assignment is present (it would otherwise hold the 'X' poison).
 */
972 memset(options, 'X', sizeof(*options));
973 options->forward_agent = -1;
974 options->forward_x11 = -1;
975 options->forward_x11_trusted = -1;
976 options->xauth_location = NULL;
977 options->gateway_ports = -1;
978 options->use_privileged_port = -1;
979 options->rsa_authentication = -1;
980 options->pubkey_authentication = -1;
981 options->challenge_response_authentication = -1;
982 options->gss_authentication = -1;
983 options->gss_deleg_creds = -1;
984 options->password_authentication = -1;
985 options->kbd_interactive_authentication = -1;
986 options->kbd_interactive_devices = NULL;
987 options->rhosts_rsa_authentication = -1;
988 options->hostbased_authentication = -1;
989 options->batch_mode = -1;
990 options->check_host_ip = -1;
991 options->strict_host_key_checking = -1;
992 options->compression = -1;
993 options->tcp_keep_alive = -1;
994 options->compression_level = -1;
996 options->address_family = -1;
997 options->connection_attempts = -1;
998 options->connection_timeout = -1;
999 options->number_of_password_prompts = -1;
1000 options->cipher = -1;
1001 options->ciphers = NULL;
1002 options->macs = NULL;
1003 options->hostkeyalgorithms = NULL;
/* protocol uses its own sentinel, not -1 (see the oProtocol case). */
1004 options->protocol = SSH_PROTO_UNKNOWN;
1005 options->num_identity_files = 0;
1006 options->hostname = NULL;
1007 options->host_key_alias = NULL;
1008 options->proxy_command = NULL;
1009 options->user = NULL;
1010 options->escape_char = -1;
1011 options->system_hostfile = NULL;
1012 options->user_hostfile = NULL;
1013 options->system_hostfile2 = NULL;
1014 options->user_hostfile2 = NULL;
1015 options->num_local_forwards = 0;
1016 options->num_remote_forwards = 0;
1017 options->clear_forwardings = -1;
1018 options->log_level = SYSLOG_LEVEL_NOT_SET;
1019 options->preferred_authentications = NULL;
1020 options->bind_address = NULL;
1021 options->smartcard_device = NULL;
1022 options->enable_ssh_keysign = - 1;
1023 options->no_host_authentication_for_localhost = - 1;
1024 options->identities_only = - 1;
1025 options->rekey_limit = - 1;
1026 options->verify_host_key_dns = -1;
1027 options->server_alive_interval = -1;
1028 options->server_alive_count_max = -1;
1029 options->num_send_env = 0;
1030 options->control_path = NULL;
1031 options->control_master = -1;
1032 options->hash_known_hosts = -1;
1033 options->tun_open = -1;
1034 options->tun_local = -1;
1035 options->tun_remote = -1;
1036 options->local_command = NULL;
1037 options->permit_local_command = -1;
1041 * Called after processing other sources of option data, this fills those
1042 * options for which no value has been specified with their default values.
/*
 * options: the table to finalise.  Each field still holding the sentinel
 * from initialize_options() (-1, NULL, SSH_PROTO_UNKNOWN, ...) receives
 * its built-in default; anything set by the command line or a config
 * file is left alone.  Security-relevant defaults are commented below.
 */
1046 fill_default_options(Options * options)
/* Agent and X11 forwarding are off unless explicitly enabled. */
1050 if (options->forward_agent == -1)
1051 options->forward_agent = 0;
1052 if (options->forward_x11 == -1)
1053 options->forward_x11 = 0;
1054 if (options->forward_x11_trusted == -1)
1055 options->forward_x11_trusted = 0;
1056 if (options->xauth_location == NULL)
1057 options->xauth_location = _PATH_XAUTH;
1058 if (options->gateway_ports == -1)
1059 options->gateway_ports = 0;
1060 if (options->use_privileged_port == -1)
1061 options->use_privileged_port = 0;
/* Protocol-1 RSA auth is enabled by default at this vintage; hostbased and rhosts-RSA are off. */
1062 if (options->rsa_authentication == -1)
1063 options->rsa_authentication = 1;
1064 if (options->pubkey_authentication == -1)
1065 options->pubkey_authentication = 1;
1066 if (options->challenge_response_authentication == -1)
1067 options->challenge_response_authentication = 1;
1068 if (options->gss_authentication == -1)
1069 options->gss_authentication = 0;
/* Credential delegation is never on by default. */
1070 if (options->gss_deleg_creds == -1)
1071 options->gss_deleg_creds = 0;
1072 if (options->password_authentication == -1)
1073 options->password_authentication = 1;
1074 if (options->kbd_interactive_authentication == -1)
1075 options->kbd_interactive_authentication = 1;
1076 if (options->rhosts_rsa_authentication == -1)
1077 options->rhosts_rsa_authentication = 0;
1078 if (options->hostbased_authentication == -1)
1079 options->hostbased_authentication = 0;
1080 if (options->batch_mode == -1)
1081 options->batch_mode = 0;
1082 if (options->check_host_ip == -1)
1083 options->check_host_ip = 0;
/* 2 is presumably the "ask" state of the yes/no/ask parser in process_config_line: unknown host keys are prompted for, changed ones refused. */
1084 if (options->strict_host_key_checking == -1)
1085 options->strict_host_key_checking = 2; /* 2 is default */
1086 if (options->compression == -1)
1087 options->compression = 0;
1088 if (options->tcp_keep_alive == -1)
1089 options->tcp_keep_alive = 1;
1090 if (options->compression_level == -1)
1091 options->compression_level = 6;
1092 if (options->port == -1)
1093 options->port = 0; /* Filled in ssh_connect. */
1094 if (options->address_family == -1)
1095 options->address_family = AF_UNSPEC;
1096 if (options->connection_attempts == -1)
1097 options->connection_attempts = 1;
1098 if (options->number_of_password_prompts == -1)
1099 options->number_of_password_prompts = 3;
1100 /* Selected in ssh_login(). */
1101 if (options->cipher == -1)
1102 options->cipher = SSH_CIPHER_NOT_SET;
1103 /* options->ciphers, default set in myproposals.h */
1104 /* options->macs, default set in myproposals.h */
1105 /* options->hostkeyalgorithms, default set in myproposals.h */
/*
 * Both protocol versions are offered by default here.  A client that
 * must never fall back to SSH-1 has to set "Protocol 2" explicitly.
 */
1106 if (options->protocol == SSH_PROTO_UNKNOWN)
1107 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
/*
 * Default identities are chosen per enabled protocol version, so this
 * must follow the Protocol default above.  The "~/" prefix is left for
 * later expansion.  The allocation on the right-hand side of each
 * assignment (len bytes) is not visible in this excerpt; len leaves room
 * for "~/", the path, and the NUL, and the "%.100s" cap bounds the path.
 */
1108 if (options->num_identity_files == 0) {
1109 if (options->protocol & SSH_PROTO_1) {
1110 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1111 options->identity_files[options->num_identity_files] =
1113 snprintf(options->identity_files[options->num_identity_files++],
1114 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1116 if (options->protocol & SSH_PROTO_2) {
1117 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1118 options->identity_files[options->num_identity_files] =
1120 snprintf(options->identity_files[options->num_identity_files++],
1121 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1123 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1124 options->identity_files[options->num_identity_files] =
1126 snprintf(options->identity_files[options->num_identity_files++],
1127 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1130 if (options->escape_char == -1)
1131 options->escape_char = '~';
/*
 * These defaults point at the _PATH_* macros (presumably string
 * literals), whereas values set from a config file are xstrdup()'d heap
 * copies -- so these pointers must never be freed unconditionally.
 */
1132 if (options->system_hostfile == NULL)
1133 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1134 if (options->user_hostfile == NULL)
1135 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1136 if (options->system_hostfile2 == NULL)
1137 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1138 if (options->user_hostfile2 == NULL)
1139 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1140 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1141 options->log_level = SYSLOG_LEVEL_INFO;
/* Applied here, after every source has been read, so ClearAllForwardings discards forwards from all of them. */
1142 if (options->clear_forwardings == 1)
1143 clear_forwardings(options);
1144 if (options->no_host_authentication_for_localhost == - 1)
1145 options->no_host_authentication_for_localhost = 0;
1146 if (options->identities_only == -1)
1147 options->identities_only = 0;
1148 if (options->enable_ssh_keysign == -1)
1149 options->enable_ssh_keysign = 0;
/* 0 = no data-volume-triggered rekeying beyond whatever the transport does. */
1150 if (options->rekey_limit == -1)
1151 options->rekey_limit = 0;
/* DNS (SSHFP) host key verification is opt-in. */
1152 if (options->verify_host_key_dns == -1)
1153 options->verify_host_key_dns = 0;
1154 if (options->server_alive_interval == -1)
1155 options->server_alive_interval = 0;
1156 if (options->server_alive_count_max == -1)
1157 options->server_alive_count_max = 3;
1158 if (options->control_master == -1)
1159 options->control_master = 0;
1160 if (options->hash_known_hosts == -1)
1161 options->hash_known_hosts = 0;
1162 if (options->tun_open == -1)
1163 options->tun_open = SSH_TUNMODE_NO;
1164 if (options->tun_local == -1)
1165 options->tun_local = SSH_TUNID_ANY;
1166 if (options->tun_remote == -1)
1167 options->tun_remote = SSH_TUNID_ANY;
/* LocalCommand execution stays disabled unless PermitLocalCommand is set. */
1168 if (options->permit_local_command == -1)
1169 options->permit_local_command = 0;
1170 /* options->local_command should not be set by default */
1171 /* options->proxy_command should not be set by default */
1172 /* options->user will be set in the main program if appropriate */
1173 /* options->hostname will be set in the main program if appropriate */
1174 /* options->host_key_alias should not be set by default */
1175 /* options->preferred_authentications will be set in ssh */
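/*
 * Parses a string containing a port forwarding specification of the form:
 *     [listenhost:]listenport:connecthost:connectport
 * into *fwd.  Returns the number of fields parsed (3 or 4), or zero on
 * error.  On success the caller owns fwd->listen_host (NULL for the
 * three-field form) and fwd->connect_host; on failure both have been
 * freed and *fwd is zeroed, so nothing dangles.
 *
 * Rejected as errors: fewer than three or more than four fields, text
 * after the fourth field, a listen or connect port that a2port() does not
 * accept, and a host name of NI_MAXHOST characters or more.
 */
int
parse_forward(Forward *fwd, const char *fwdspec)
{
	int i;
	char *p, *cp, *fwdarg[4];

	memset(fwd, '\0', sizeof(*fwd));

	/* hpdelim() splits its argument in place, so work on a private copy. */
	cp = p = xstrdup(fwdspec);

	/* skip leading spaces */
	while (*cp && isspace((unsigned char)*cp))
		cp++;

	for (i = 0; i < 4; ++i)
		if ((fwdarg[i] = hpdelim(&cp)) == NULL)
			break;

	/* Check for trailing garbage in 4-arg case */
	if (i == 4 && hpdelim(&cp) != NULL)
		i = 0;	/* failure */

	switch (i) {
	case 3:
		fwd->listen_host = NULL;
		fwd->listen_port = a2port(fwdarg[0]);
		fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
		fwd->connect_port = a2port(fwdarg[2]);
		break;
	case 4:
		fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
		fwd->listen_port = a2port(fwdarg[1]);
		fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
		fwd->connect_port = a2port(fwdarg[3]);
		break;
	default:
		i = 0;	/* failure */
		break;
	}

	/* Every field has been copied out of the scratch buffer by now. */
	xfree(p);

	/*
	 * a2port() returns 0 for a port it cannot parse.  EITHER port being
	 * bad must fail the whole specification: the previous test
	 * (listen_port == 0 && connect_port == 0) let e.g. "8080:host:bogus"
	 * through with connect_port 0, to fail only later at connect time.
	 */
	if (fwd->listen_port == 0 || fwd->connect_port == 0)
		i = 0;

	/*
	 * Same length bound on both host names as process_config_line applies
	 * to a DynamicForward's listen host.
	 */
	if (fwd->connect_host != NULL &&
	    strlen(fwd->connect_host) >= NI_MAXHOST)
		i = 0;
	if (fwd->listen_host != NULL &&
	    strlen(fwd->listen_host) >= NI_MAXHOST)
		i = 0;

	if (i == 0) {
		/* Release whatever was allocated and leave no dangling pointers. */
		if (fwd->connect_host != NULL)
			xfree(fwd->connect_host);
		if (fwd->listen_host != NULL)
			xfree(fwd->listen_host);
		memset(fwd, '\0', sizeof(*fwd));
	}
	return i;
}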