2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.115 2002/09/04 18:52:42 stevesk Exp $");
23 /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V
25 #define KEYFILE "/etc/krb5.keytab"
37 #include "pathnames.h"
38 #include "tildexpand.h"
44 static void add_listen_addr(ServerOptions *, char *, u_short);
45 static void add_one_listen_addr(ServerOptions *, char *, u_short);
47 /* AF_UNSPEC or AF_INET or AF_INET6 */
49 /* Use of privilege separation or not */
50 extern int use_privsep;
52 /* Initializes the server options to their default values. */
55 initialize_server_options(ServerOptions *options)
57 memset(options, 0, sizeof(*options));
59 /* Portable-specific options */
60 options->pam_authentication_via_kbd_int = -1;
62 /* Standard Options */
63 options->num_ports = 0;
64 options->ports_from_cmdline = 0;
65 options->listen_addrs = NULL;
66 options->num_host_key_files = 0;
67 options->pid_file = NULL;
68 options->server_key_bits = -1;
69 options->login_grace_time = -1;
70 options->key_regeneration_time = -1;
71 options->permit_root_login = PERMIT_NOT_SET;
72 options->ignore_rhosts = -1;
73 options->ignore_user_known_hosts = -1;
74 options->print_motd = -1;
75 options->print_lastlog = -1;
76 options->x11_forwarding = -1;
77 options->x11_display_offset = -1;
78 options->x11_use_localhost = -1;
79 options->xauth_location = NULL;
80 options->strict_modes = -1;
81 options->keepalives = -1;
82 options->log_facility = SYSLOG_FACILITY_NOT_SET;
83 options->log_level = SYSLOG_LEVEL_NOT_SET;
84 options->rhosts_authentication = -1;
85 options->rhosts_rsa_authentication = -1;
86 options->hostbased_authentication = -1;
87 options->hostbased_uses_name_from_packet_only = -1;
88 options->rsa_authentication = -1;
89 options->pubkey_authentication = -1;
90 #if defined(KRB4) || defined(KRB5)
91 options->kerberos_authentication = -1;
92 options->kerberos_or_local_passwd = -1;
93 options->kerberos_ticket_cleanup = -1;
95 #if defined(AFS) || defined(KRB5)
96 options->kerberos_tgt_passing = -1;
99 options->afs_token_passing = -1;
101 options->password_authentication = -1;
102 options->kbd_interactive_authentication = -1;
103 options->challenge_response_authentication = -1;
104 options->permit_empty_passwd = -1;
105 options->permit_user_env = -1;
106 options->use_login = -1;
107 options->compression = -1;
108 options->allow_tcp_forwarding = -1;
109 options->num_allow_users = 0;
110 options->num_deny_users = 0;
111 options->num_allow_groups = 0;
112 options->num_deny_groups = 0;
113 options->ciphers = NULL;
114 options->macs = NULL;
115 options->protocol = SSH_PROTO_UNKNOWN;
116 options->gateway_ports = -1;
117 options->num_subsystems = 0;
118 options->max_startups_begin = -1;
119 options->max_startups_rate = -1;
120 options->max_startups = -1;
121 options->banner = NULL;
122 options->verify_reverse_mapping = -1;
123 options->client_alive_interval = -1;
124 options->client_alive_count_max = -1;
125 options->authorized_keys_file = NULL;
126 options->authorized_keys_file2 = NULL;
128 /* Needs to be accessable in many places */
133 fill_default_server_options(ServerOptions *options)
135 /* Portable-specific options */
136 if (options->pam_authentication_via_kbd_int == -1)
137 options->pam_authentication_via_kbd_int = 0;
139 /* Standard Options */
140 if (options->protocol == SSH_PROTO_UNKNOWN)
141 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
142 if (options->num_host_key_files == 0) {
143 /* fill default hostkeys for protocols */
144 if (options->protocol & SSH_PROTO_1)
145 options->host_key_files[options->num_host_key_files++] =
147 if (options->protocol & SSH_PROTO_2) {
148 options->host_key_files[options->num_host_key_files++] =
149 _PATH_HOST_DSA_KEY_FILE;
152 if (options->num_ports == 0)
153 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
154 if (options->listen_addrs == NULL)
155 add_listen_addr(options, NULL, 0);
156 if (options->pid_file == NULL)
157 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
158 if (options->server_key_bits == -1)
159 options->server_key_bits = 768;
160 if (options->login_grace_time == -1)
161 options->login_grace_time = 120;
162 if (options->key_regeneration_time == -1)
163 options->key_regeneration_time = 3600;
164 if (options->permit_root_login == PERMIT_NOT_SET)
165 options->permit_root_login = PERMIT_NO;
166 if (options->ignore_rhosts == -1)
167 options->ignore_rhosts = 1;
168 if (options->ignore_user_known_hosts == -1)
169 options->ignore_user_known_hosts = 0;
170 if (options->print_motd == -1)
171 options->print_motd = 1;
172 if (options->print_lastlog == -1)
173 options->print_lastlog = 1;
174 if (options->x11_forwarding == -1)
175 options->x11_forwarding = 1;
176 if (options->x11_display_offset == -1)
177 options->x11_display_offset = 10;
178 if (options->x11_use_localhost == -1)
179 options->x11_use_localhost = 1;
180 if (options->xauth_location == NULL)
181 options->xauth_location = _PATH_XAUTH;
182 if (options->strict_modes == -1)
183 options->strict_modes = 1;
184 if (options->keepalives == -1)
185 options->keepalives = 1;
186 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
187 options->log_facility = SYSLOG_FACILITY_AUTH;
188 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
189 options->log_level = SYSLOG_LEVEL_INFO;
190 if (options->rhosts_authentication == -1)
191 options->rhosts_authentication = 0;
192 if (options->rhosts_rsa_authentication == -1)
193 options->rhosts_rsa_authentication = 0;
194 if (options->hostbased_authentication == -1)
195 options->hostbased_authentication = 0;
196 if (options->hostbased_uses_name_from_packet_only == -1)
197 options->hostbased_uses_name_from_packet_only = 0;
198 if (options->rsa_authentication == -1)
199 options->rsa_authentication = 1;
200 if (options->pubkey_authentication == -1)
201 options->pubkey_authentication = 1;
202 #if defined(KRB4) && defined(KRB5)
203 if (options->kerberos_authentication == -1)
204 options->kerberos_authentication =
205 (access(KEYFILE, R_OK) == 0 ||
206 access(krb5_defkeyname, R_OK) == 0);
208 if (options->kerberos_authentication == -1)
209 options->kerberos_authentication =
210 (access(KEYFILE, R_OK) == 0);
212 if (options->kerberos_authentication == -1)
213 options->kerberos_authentication =
214 (access(krb5_defkeyname, R_OK) == 0);
216 #if defined(KRB4) || defined(KRB5)
217 if (options->kerberos_or_local_passwd == -1)
218 options->kerberos_or_local_passwd = 1;
219 if (options->kerberos_ticket_cleanup == -1)
220 options->kerberos_ticket_cleanup = 1;
222 #if defined(AFS) || defined(KRB5)
223 if (options->kerberos_tgt_passing == -1)
224 options->kerberos_tgt_passing = 0;
227 if (options->afs_token_passing == -1)
228 options->afs_token_passing = 0;
230 if (options->password_authentication == -1)
231 options->password_authentication = 1;
232 if (options->kbd_interactive_authentication == -1)
233 options->kbd_interactive_authentication = 0;
234 if (options->challenge_response_authentication == -1)
235 options->challenge_response_authentication = 1;
236 if (options->permit_empty_passwd == -1)
237 options->permit_empty_passwd = 0;
238 if (options->permit_user_env == -1)
239 options->permit_user_env = 0;
240 if (options->use_login == -1)
241 options->use_login = 0;
242 if (options->compression == -1)
243 options->compression = 1;
244 if (options->allow_tcp_forwarding == -1)
245 options->allow_tcp_forwarding = 1;
246 if (options->gateway_ports == -1)
247 options->gateway_ports = 0;
248 if (options->max_startups == -1)
249 options->max_startups = 10;
250 if (options->max_startups_rate == -1)
251 options->max_startups_rate = 100; /* 100% */
252 if (options->max_startups_begin == -1)
253 options->max_startups_begin = options->max_startups;
254 if (options->verify_reverse_mapping == -1)
255 options->verify_reverse_mapping = 0;
256 if (options->client_alive_interval == -1)
257 options->client_alive_interval = 0;
258 if (options->client_alive_count_max == -1)
259 options->client_alive_count_max = 3;
260 if (options->authorized_keys_file2 == NULL) {
261 /* authorized_keys_file2 falls back to authorized_keys_file */
262 if (options->authorized_keys_file != NULL)
263 options->authorized_keys_file2 = options->authorized_keys_file;
265 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
267 if (options->authorized_keys_file == NULL)
268 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
270 /* Turn privilege separation on by default */
271 if (use_privsep == -1)
275 if (use_privsep && options->compression == 1) {
276 error("This platform does not support both privilege "
277 "separation and compression");
278 error("Compression disabled");
279 options->compression = 0;
285 /* Keyword tokens. */
287 sBadOption, /* == unknown option */
288 /* Portable-specific options */
289 sPAMAuthenticationViaKbdInt,
290 /* Standard Options */
291 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
292 sPermitRootLogin, sLogFacility, sLogLevel,
293 sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
294 #if defined(KRB4) || defined(KRB5)
295 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
297 #if defined(AFS) || defined(KRB5)
303 sChallengeResponseAuthentication,
304 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
305 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
306 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
307 sStrictModes, sEmptyPasswd, sKeepAlives,
308 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
309 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
310 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
311 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
312 sBanner, sVerifyReverseMapping, sHostbasedAuthentication,
313 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
314 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
315 sUsePrivilegeSeparation,
320 /* Textual representation of the tokens. */
323 ServerOpCodes opcode;
325 /* Portable-specific options */
327 { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },
329 /* Standard Options */
331 { "hostkey", sHostKeyFile },
332 { "hostdsakey", sHostKeyFile }, /* alias */
333 { "pidfile", sPidFile },
334 { "serverkeybits", sServerKeyBits },
335 { "logingracetime", sLoginGraceTime },
336 { "keyregenerationinterval", sKeyRegenerationTime },
337 { "permitrootlogin", sPermitRootLogin },
338 { "syslogfacility", sLogFacility },
339 { "loglevel", sLogLevel },
340 { "rhostsauthentication", sRhostsAuthentication },
341 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
342 { "hostbasedauthentication", sHostbasedAuthentication },
343 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
344 { "rsaauthentication", sRSAAuthentication },
345 { "pubkeyauthentication", sPubkeyAuthentication },
346 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
347 #if defined(KRB4) || defined(KRB5)
348 { "kerberosauthentication", sKerberosAuthentication },
349 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
350 { "kerberosticketcleanup", sKerberosTicketCleanup },
352 #if defined(AFS) || defined(KRB5)
353 { "kerberostgtpassing", sKerberosTgtPassing },
356 { "afstokenpassing", sAFSTokenPassing },
358 { "passwordauthentication", sPasswordAuthentication },
359 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
360 { "challengeresponseauthentication", sChallengeResponseAuthentication },
361 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
362 { "checkmail", sDeprecated },
363 { "listenaddress", sListenAddress },
364 { "printmotd", sPrintMotd },
365 { "printlastlog", sPrintLastLog },
366 { "ignorerhosts", sIgnoreRhosts },
367 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
368 { "x11forwarding", sX11Forwarding },
369 { "x11displayoffset", sX11DisplayOffset },
370 { "x11uselocalhost", sX11UseLocalhost },
371 { "xauthlocation", sXAuthLocation },
372 { "strictmodes", sStrictModes },
373 { "permitemptypasswords", sEmptyPasswd },
374 { "permituserenvironment", sPermitUserEnvironment },
375 { "uselogin", sUseLogin },
376 { "compression", sCompression },
377 { "keepalive", sKeepAlives },
378 { "allowtcpforwarding", sAllowTcpForwarding },
379 { "allowusers", sAllowUsers },
380 { "denyusers", sDenyUsers },
381 { "allowgroups", sAllowGroups },
382 { "denygroups", sDenyGroups },
383 { "ciphers", sCiphers },
385 { "protocol", sProtocol },
386 { "gatewayports", sGatewayPorts },
387 { "subsystem", sSubsystem },
388 { "maxstartups", sMaxStartups },
389 { "banner", sBanner },
390 { "verifyreversemapping", sVerifyReverseMapping },
391 { "reversemappingcheck", sVerifyReverseMapping },
392 { "clientaliveinterval", sClientAliveInterval },
393 { "clientalivecountmax", sClientAliveCountMax },
394 { "authorizedkeysfile", sAuthorizedKeysFile },
395 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
396 { "useprivilegeseparation", sUsePrivilegeSeparation},
397 { "versionaddendum", sVersionAddendum },
402 * Returns the number of the token pointed to by cp or sBadOption.
406 parse_token(const char *cp, const char *filename,
411 for (i = 0; keywords[i].name; i++)
412 if (strcasecmp(cp, keywords[i].name) == 0)
413 return keywords[i].opcode;
415 error("%s: line %d: Bad configuration option: %s",
416 filename, linenum, cp);
421 add_listen_addr(ServerOptions *options, char *addr, u_short port)
425 if (options->num_ports == 0)
426 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
428 for (i = 0; i < options->num_ports; i++)
429 add_one_listen_addr(options, addr, options->ports[i]);
431 add_one_listen_addr(options, addr, port);
435 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
437 struct addrinfo hints, *ai, *aitop;
438 char strport[NI_MAXSERV];
441 memset(&hints, 0, sizeof(hints));
442 hints.ai_family = IPv4or6;
443 hints.ai_socktype = SOCK_STREAM;
444 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
445 snprintf(strport, sizeof strport, "%u", port);
446 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
447 fatal("bad addr or host: %s (%s)",
448 addr ? addr : "<NULL>",
449 gai_strerror(gaierr));
450 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
452 ai->ai_next = options->listen_addrs;
453 options->listen_addrs = aitop;
457 process_server_config_line(ServerOptions *options, char *line,
458 const char *filename, int linenum)
460 char *cp, **charptr, *arg, *p;
461 int *intptr, value, i, n;
462 ServerOpCodes opcode;
466 /* Ignore leading whitespace */
469 if (!arg || !*arg || *arg == '#')
473 opcode = parse_token(arg, filename, linenum);
475 /* Portable-specific options */
476 case sPAMAuthenticationViaKbdInt:
477 intptr = &options->pam_authentication_via_kbd_int;
480 /* Standard Options */
484 /* ignore ports from configfile if cmdline specifies ports */
485 if (options->ports_from_cmdline)
487 if (options->listen_addrs != NULL)
488 fatal("%s line %d: ports must be specified before "
489 "ListenAddress.", filename, linenum);
490 if (options->num_ports >= MAX_PORTS)
491 fatal("%s line %d: too many ports.",
494 if (!arg || *arg == '\0')
495 fatal("%s line %d: missing port number.",
497 options->ports[options->num_ports++] = a2port(arg);
498 if (options->ports[options->num_ports-1] == 0)
499 fatal("%s line %d: Badly formatted port number.",
504 intptr = &options->server_key_bits;
507 if (!arg || *arg == '\0')
508 fatal("%s line %d: missing integer value.",
515 case sLoginGraceTime:
516 intptr = &options->login_grace_time;
519 if (!arg || *arg == '\0')
520 fatal("%s line %d: missing time value.",
522 if ((value = convtime(arg)) == -1)
523 fatal("%s line %d: invalid time value.",
529 case sKeyRegenerationTime:
530 intptr = &options->key_regeneration_time;
535 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
536 fatal("%s line %d: missing inet addr.",
539 if ((p = strchr(arg, ']')) == NULL)
540 fatal("%s line %d: bad ipv6 inet addr usage.",
543 memmove(p, p+1, strlen(p+1)+1);
544 } else if (((p = strchr(arg, ':')) == NULL) ||
545 (strchr(p+1, ':') != NULL)) {
546 add_listen_addr(options, arg, 0);
554 fatal("%s line %d: bad inet addr:port usage.",
558 if ((port = a2port(p)) == 0)
559 fatal("%s line %d: bad port number.",
561 add_listen_addr(options, arg, port);
563 } else if (*p == '\0')
564 add_listen_addr(options, arg, 0);
566 fatal("%s line %d: bad inet addr usage.",
571 intptr = &options->num_host_key_files;
572 if (*intptr >= MAX_HOSTKEYS)
573 fatal("%s line %d: too many host keys specified (max %d).",
574 filename, linenum, MAX_HOSTKEYS);
575 charptr = &options->host_key_files[*intptr];
578 if (!arg || *arg == '\0')
579 fatal("%s line %d: missing file name.",
581 if (*charptr == NULL) {
582 *charptr = tilde_expand_filename(arg, getuid());
583 /* increase optional counter */
585 *intptr = *intptr + 1;
590 charptr = &options->pid_file;
593 case sPermitRootLogin:
594 intptr = &options->permit_root_login;
596 if (!arg || *arg == '\0')
597 fatal("%s line %d: missing yes/"
598 "without-password/forced-commands-only/no "
599 "argument.", filename, linenum);
600 value = 0; /* silence compiler */
601 if (strcmp(arg, "without-password") == 0)
602 value = PERMIT_NO_PASSWD;
603 else if (strcmp(arg, "forced-commands-only") == 0)
604 value = PERMIT_FORCED_ONLY;
605 else if (strcmp(arg, "yes") == 0)
607 else if (strcmp(arg, "no") == 0)
610 fatal("%s line %d: Bad yes/"
611 "without-password/forced-commands-only/no "
612 "argument: %s", filename, linenum, arg);
618 intptr = &options->ignore_rhosts;
621 if (!arg || *arg == '\0')
622 fatal("%s line %d: missing yes/no argument.",
624 value = 0; /* silence compiler */
625 if (strcmp(arg, "yes") == 0)
627 else if (strcmp(arg, "no") == 0)
630 fatal("%s line %d: Bad yes/no argument: %s",
631 filename, linenum, arg);
636 case sIgnoreUserKnownHosts:
637 intptr = &options->ignore_user_known_hosts;
640 case sRhostsAuthentication:
641 intptr = &options->rhosts_authentication;
644 case sRhostsRSAAuthentication:
645 intptr = &options->rhosts_rsa_authentication;
648 case sHostbasedAuthentication:
649 intptr = &options->hostbased_authentication;
652 case sHostbasedUsesNameFromPacketOnly:
653 intptr = &options->hostbased_uses_name_from_packet_only;
656 case sRSAAuthentication:
657 intptr = &options->rsa_authentication;
660 case sPubkeyAuthentication:
661 intptr = &options->pubkey_authentication;
663 #if defined(KRB4) || defined(KRB5)
664 case sKerberosAuthentication:
665 intptr = &options->kerberos_authentication;
668 case sKerberosOrLocalPasswd:
669 intptr = &options->kerberos_or_local_passwd;
672 case sKerberosTicketCleanup:
673 intptr = &options->kerberos_ticket_cleanup;
676 #if defined(AFS) || defined(KRB5)
677 case sKerberosTgtPassing:
678 intptr = &options->kerberos_tgt_passing;
682 case sAFSTokenPassing:
683 intptr = &options->afs_token_passing;
687 case sPasswordAuthentication:
688 intptr = &options->password_authentication;
691 case sKbdInteractiveAuthentication:
692 intptr = &options->kbd_interactive_authentication;
695 case sChallengeResponseAuthentication:
696 intptr = &options->challenge_response_authentication;
700 intptr = &options->print_motd;
704 intptr = &options->print_lastlog;
708 intptr = &options->x11_forwarding;
711 case sX11DisplayOffset:
712 intptr = &options->x11_display_offset;
715 case sX11UseLocalhost:
716 intptr = &options->x11_use_localhost;
720 charptr = &options->xauth_location;
724 intptr = &options->strict_modes;
728 intptr = &options->keepalives;
732 intptr = &options->permit_empty_passwd;
735 case sPermitUserEnvironment:
736 intptr = &options->permit_user_env;
740 intptr = &options->use_login;
744 intptr = &options->compression;
748 intptr = &options->gateway_ports;
751 case sVerifyReverseMapping:
752 intptr = &options->verify_reverse_mapping;
756 intptr = (int *) &options->log_facility;
758 value = log_facility_number(arg);
759 if (value == SYSLOG_FACILITY_NOT_SET)
760 fatal("%.200s line %d: unsupported log facility '%s'",
761 filename, linenum, arg ? arg : "<NONE>");
763 *intptr = (SyslogFacility) value;
767 intptr = (int *) &options->log_level;
769 value = log_level_number(arg);
770 if (value == SYSLOG_LEVEL_NOT_SET)
771 fatal("%.200s line %d: unsupported log level '%s'",
772 filename, linenum, arg ? arg : "<NONE>");
774 *intptr = (LogLevel) value;
777 case sAllowTcpForwarding:
778 intptr = &options->allow_tcp_forwarding;
781 case sUsePrivilegeSeparation:
782 intptr = &use_privsep;
786 while ((arg = strdelim(&cp)) && *arg != '\0') {
787 if (options->num_allow_users >= MAX_ALLOW_USERS)
788 fatal("%s line %d: too many allow users.",
790 options->allow_users[options->num_allow_users++] =
796 while ((arg = strdelim(&cp)) && *arg != '\0') {
797 if (options->num_deny_users >= MAX_DENY_USERS)
798 fatal( "%s line %d: too many deny users.",
800 options->deny_users[options->num_deny_users++] =
806 while ((arg = strdelim(&cp)) && *arg != '\0') {
807 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
808 fatal("%s line %d: too many allow groups.",
810 options->allow_groups[options->num_allow_groups++] =
816 while ((arg = strdelim(&cp)) && *arg != '\0') {
817 if (options->num_deny_groups >= MAX_DENY_GROUPS)
818 fatal("%s line %d: too many deny groups.",
820 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
826 if (!arg || *arg == '\0')
827 fatal("%s line %d: Missing argument.", filename, linenum);
828 if (!ciphers_valid(arg))
829 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
830 filename, linenum, arg ? arg : "<NONE>");
831 if (options->ciphers == NULL)
832 options->ciphers = xstrdup(arg);
837 if (!arg || *arg == '\0')
838 fatal("%s line %d: Missing argument.", filename, linenum);
840 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
841 filename, linenum, arg ? arg : "<NONE>");
842 if (options->macs == NULL)
843 options->macs = xstrdup(arg);
847 intptr = &options->protocol;
849 if (!arg || *arg == '\0')
850 fatal("%s line %d: Missing argument.", filename, linenum);
851 value = proto_spec(arg);
852 if (value == SSH_PROTO_UNKNOWN)
853 fatal("%s line %d: Bad protocol spec '%s'.",
854 filename, linenum, arg ? arg : "<NONE>");
855 if (*intptr == SSH_PROTO_UNKNOWN)
860 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
861 fatal("%s line %d: too many subsystems defined.",
865 if (!arg || *arg == '\0')
866 fatal("%s line %d: Missing subsystem name.",
868 for (i = 0; i < options->num_subsystems; i++)
869 if (strcmp(arg, options->subsystem_name[i]) == 0)
870 fatal("%s line %d: Subsystem '%s' already defined.",
871 filename, linenum, arg);
872 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
874 if (!arg || *arg == '\0')
875 fatal("%s line %d: Missing subsystem command.",
877 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
878 options->num_subsystems++;
883 if (!arg || *arg == '\0')
884 fatal("%s line %d: Missing MaxStartups spec.",
886 if ((n = sscanf(arg, "%d:%d:%d",
887 &options->max_startups_begin,
888 &options->max_startups_rate,
889 &options->max_startups)) == 3) {
890 if (options->max_startups_begin >
891 options->max_startups ||
892 options->max_startups_rate > 100 ||
893 options->max_startups_rate < 1)
894 fatal("%s line %d: Illegal MaxStartups spec.",
897 fatal("%s line %d: Illegal MaxStartups spec.",
900 options->max_startups = options->max_startups_begin;
904 charptr = &options->banner;
907 * These options can contain %X options expanded at
908 * connect time, so that you can specify paths like:
910 * AuthorizedKeysFile /etc/ssh_keys/%u
912 case sAuthorizedKeysFile:
913 case sAuthorizedKeysFile2:
914 charptr = (opcode == sAuthorizedKeysFile ) ?
915 &options->authorized_keys_file :
916 &options->authorized_keys_file2;
919 case sClientAliveInterval:
920 intptr = &options->client_alive_interval;
923 case sClientAliveCountMax:
924 intptr = &options->client_alive_count_max;
927 case sVersionAddendum:
928 ssh_version_set_addendum(strtok(cp, "\n"));
931 } while (arg != NULL && *arg != '\0');
935 log("%s line %d: Deprecated option %s",
936 filename, linenum, arg);
942 fatal("%s line %d: Missing handler for opcode %s (%d)",
943 filename, linenum, arg, opcode);
945 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
946 fatal("%s line %d: garbage at end of line; \"%.200s\".",
947 filename, linenum, arg);
951 /* Reads the server configuration file. */
954 read_server_config(ServerOptions *options, const char *filename)
956 int linenum, bad_options = 0;
960 f = fopen(filename, "r");
966 while (fgets(line, sizeof(line), f)) {
967 /* Update line number counter. */
969 if (process_server_config_line(options, line, filename, linenum) != 0)
974 fatal("%s: terminating, %d bad configuration options",
975 filename, bad_options);