2 /* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
18 #include <sys/socket.h>
20 #include <netinet/in.h>
21 #include <netinet/in_systm.h>
22 #include <netinet/ip.h>
40 #include "openbsd-compat/sys-queue.h"
48 #include "pathnames.h"
55 #include "groupaccess.h"
60 #include "myproposal.h"
64 static void add_listen_addr(ServerOptions *, char *, int);
65 static void add_one_listen_addr(ServerOptions *, char *, int);
67 /* Use of privilege separation or not */
68 extern int use_privsep;
71 /* Initializes the server options to their default values. */
/*
 * Zeroes the whole structure, then stores an "unset" sentinel in each
 * field so that fill_default_server_options() can later tell "never
 * configured" apart from a configured value: -1 for integer options,
 * NULL for strings, 0 for array counters, (mode_t)-1 for the bind mask
 * (0 is a valid mask) and the *_NOT_SET enumerators for the enum-typed
 * options. Takes the ServerOptions to reset; returns nothing.
 */
74 initialize_server_options(ServerOptions *options)
76 memset(options, 0, sizeof(*options));
78 /* Portable-specific options */
79 options->use_pam = -1;
81 /* Standard Options */
82 options->num_ports = 0;
83 options->ports_from_cmdline = 0;
84 options->queued_listen_addrs = NULL;
85 options->num_queued_listens = 0;
86 options->listen_addrs = NULL;
87 options->address_family = -1;
88 options->num_host_key_files = 0;
89 options->num_host_cert_files = 0;
90 options->host_key_agent = NULL;
91 options->pid_file = NULL;
92 options->login_grace_time = -1;
/* Enum-typed option: -1 is not a member, so a dedicated NOT_SET value is used. */
93 options->permit_root_login = PERMIT_NOT_SET;
94 options->ignore_rhosts = -1;
95 options->ignore_user_known_hosts = -1;
96 options->print_motd = -1;
97 options->print_lastlog = -1;
98 options->x11_forwarding = -1;
99 options->x11_display_offset = -1;
100 options->x11_use_localhost = -1;
101 options->permit_tty = -1;
102 options->permit_user_rc = -1;
103 options->xauth_location = NULL;
104 options->strict_modes = -1;
105 options->tcp_keep_alive = -1;
106 options->log_facility = SYSLOG_FACILITY_NOT_SET;
107 options->log_level = SYSLOG_LEVEL_NOT_SET;
108 options->hostbased_authentication = -1;
109 options->hostbased_uses_name_from_packet_only = -1;
110 options->hostbased_key_types = NULL;
111 options->hostkeyalgorithms = NULL;
112 options->pubkey_authentication = -1;
113 options->pubkey_key_types = NULL;
114 options->kerberos_authentication = -1;
115 options->kerberos_or_local_passwd = -1;
116 options->kerberos_ticket_cleanup = -1;
117 options->kerberos_get_afs_token = -1;
118 options->gss_authentication=-1;
119 options->gss_cleanup_creds = -1;
120 options->gss_strict_acceptor = -1;
121 options->password_authentication = -1;
122 options->kbd_interactive_authentication = -1;
123 options->challenge_response_authentication = -1;
124 options->permit_empty_passwd = -1;
125 options->permit_user_env = -1;
126 options->compression = -1;
127 options->rekey_limit = -1;
128 options->rekey_interval = -1;
129 options->allow_tcp_forwarding = -1;
130 options->allow_streamlocal_forwarding = -1;
131 options->allow_agent_forwarding = -1;
132 options->num_allow_users = 0;
133 options->num_deny_users = 0;
134 options->num_allow_groups = 0;
135 options->num_deny_groups = 0;
/* Algorithm lists stay NULL here; assemble_algorithms() expands them later. */
136 options->ciphers = NULL;
137 options->macs = NULL;
138 options->kex_algorithms = NULL;
139 options->fwd_opts.gateway_ports = -1;
/* A mask of 0 is legitimate, so the sentinel is the all-ones mode_t. */
140 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
141 options->fwd_opts.streamlocal_bind_unlink = -1;
142 options->num_subsystems = 0;
143 options->max_startups_begin = -1;
144 options->max_startups_rate = -1;
145 options->max_startups = -1;
146 options->max_authtries = -1;
147 options->max_sessions = -1;
148 options->banner = NULL;
149 options->use_dns = -1;
150 options->client_alive_interval = -1;
151 options->client_alive_count_max = -1;
152 options->num_authkeys_files = 0;
153 options->num_accept_env = 0;
154 options->permit_tun = -1;
155 options->permitted_opens = NULL;
156 options->adm_forced_command = NULL;
157 options->chroot_directory = NULL;
158 options->authorized_keys_command = NULL;
159 options->authorized_keys_command_user = NULL;
160 options->revoked_keys_file = NULL;
161 options->trusted_user_ca_keys = NULL;
162 options->authorized_principals_file = NULL;
163 options->authorized_principals_command = NULL;
164 options->authorized_principals_command_user = NULL;
165 options->ip_qos_interactive = -1;
166 options->ip_qos_bulk = -1;
167 options->version_addendum = NULL;
168 options->fingerprint_hash = -1;
169 options->disable_forwarding = -1;
170 options->expose_userauth_info = -1;
171 options->use_blacklist = -1;
/*
 * Tell whether a string-valued option should be treated as disabled.
 *
 * Returns 1 when the option was never set (NULL) or when the administrator
 * wrote the literal keyword "none" (matched case-insensitively), otherwise 0.
 */
static int
option_clear_or_none(const char *o)
{
	if (o == NULL)
		return 1;
	return strcasecmp(o, "none") == 0 ? 1 : 0;
}
/*
 * Expand the cipher, MAC, KEX, host-key-algorithm and accepted-key-type
 * lists in place. kex_assemble_names() is given the compiled-in default
 * (KEX_SERVER_* / KEX_DEFAULT_PK_ALG) as the base list and the option's
 * current string as the user's specification (which may be NULL, a full
 * list, or a +/- modification). Any failure is fatal(); returns nothing.
 */
182 assemble_algorithms(ServerOptions *o)
184 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
185 kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
186 kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
187 kex_assemble_names(KEX_DEFAULT_PK_ALG,
188 &o->hostkeyalgorithms) != 0 ||
189 kex_assemble_names(KEX_DEFAULT_PK_ALG,
190 &o->hostbased_key_types) != 0 ||
/* The same default public-key algorithm list seeds all three key-type options. */
191 kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
192 fatal("kex_assemble_names failed");
/*
 * Replace every sentinel left by initialize_server_options() with the
 * built-in default. Must run after the configuration file has been parsed
 * so that explicitly configured values are kept. Besides filling defaults
 * it also normalises a few string options: "none" is turned back into NULL
 * (CLEAR_ON_NONE) and AuthenticationMethods=any becomes an empty list.
 * Takes the parsed ServerOptions; returns nothing. Calls fatal() when no
 * host key file can be found. The loop counter `i` used below is declared
 * on a line not shown in this listing.
 */
196 fill_default_server_options(ServerOptions *options)
200 /* Portable-specific options */
201 if (options->use_pam == -1)
202 options->use_pam = 1;
204 /* Standard Options */
/*
 * Append a default host key path only if the file is present.
 * NOTE(review): access() is passed O_RDONLY, which on common platforms has
 * the value 0 and is therefore interpreted as F_OK (existence only); an
 * unreadable key file would still be added here. Presumably readability is
 * reported when the key is actually loaded -- confirm against the loader.
 */
205 #define add_host_key_file(path) \
207 if (access((path), O_RDONLY) == 0) \
208 options->host_key_files \
209 [options->num_host_key_files++] = (path); \
/* Only probe the compiled-in paths when the config named no HostKey at all. */
211 if (options->num_host_key_files == 0) {
212 /* fill default hostkeys for protocols */
213 add_host_key_file(_PATH_HOST_RSA_KEY_FILE);
214 add_host_key_file(_PATH_HOST_DSA_KEY_FILE);
215 #ifdef OPENSSL_HAS_ECC
216 add_host_key_file(_PATH_HOST_ECDSA_KEY_FILE);
218 add_host_key_file(_PATH_HOST_ED25519_KEY_FILE);
220 #undef add_host_key_file
/* Without at least one host key the server cannot authenticate itself. */
221 if (options->num_host_key_files == 0)
222 fatal("No host key files found");
223 /* No certificates by default */
224 if (options->num_ports == 0)
225 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
226 if (options->address_family == -1)
227 options->address_family = AF_UNSPEC;
/* NULL address = wildcard listen on every configured port. */
228 if (options->listen_addrs == NULL)
229 add_listen_addr(options, NULL, 0);
230 if (options->pid_file == NULL)
231 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
232 if (options->login_grace_time == -1)
233 options->login_grace_time = 120;
/* Root login is denied unless the administrator opts in. */
234 if (options->permit_root_login == PERMIT_NOT_SET)
235 options->permit_root_login = PERMIT_NO;
236 if (options->ignore_rhosts == -1)
237 options->ignore_rhosts = 1;
238 if (options->ignore_user_known_hosts == -1)
239 options->ignore_user_known_hosts = 0;
240 if (options->print_motd == -1)
241 options->print_motd = 1;
242 if (options->print_lastlog == -1)
243 options->print_lastlog = 1;
244 if (options->x11_forwarding == -1)
245 options->x11_forwarding = 1;
246 if (options->x11_display_offset == -1)
247 options->x11_display_offset = 10;
248 if (options->x11_use_localhost == -1)
249 options->x11_use_localhost = 1;
250 if (options->xauth_location == NULL)
251 options->xauth_location = xstrdup(_PATH_XAUTH);
252 if (options->permit_tty == -1)
253 options->permit_tty = 1;
254 if (options->permit_user_rc == -1)
255 options->permit_user_rc = 1;
/* StrictModes on: ownership/permission checks on user files are enforced. */
256 if (options->strict_modes == -1)
257 options->strict_modes = 1;
258 if (options->tcp_keep_alive == -1)
259 options->tcp_keep_alive = 1;
260 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
261 options->log_facility = SYSLOG_FACILITY_AUTH;
262 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
263 options->log_level = SYSLOG_LEVEL_INFO;
264 if (options->hostbased_authentication == -1)
265 options->hostbased_authentication = 0;
266 if (options->hostbased_uses_name_from_packet_only == -1)
267 options->hostbased_uses_name_from_packet_only = 0;
268 if (options->pubkey_authentication == -1)
269 options->pubkey_authentication = 1;
270 if (options->kerberos_authentication == -1)
271 options->kerberos_authentication = 0;
272 if (options->kerberos_or_local_passwd == -1)
273 options->kerberos_or_local_passwd = 1;
274 if (options->kerberos_ticket_cleanup == -1)
275 options->kerberos_ticket_cleanup = 1;
276 if (options->kerberos_get_afs_token == -1)
277 options->kerberos_get_afs_token = 0;
278 if (options->gss_authentication == -1)
279 options->gss_authentication = 0;
280 if (options->gss_cleanup_creds == -1)
281 options->gss_cleanup_creds = 1;
282 if (options->gss_strict_acceptor == -1)
283 options->gss_strict_acceptor = 1;
/* Plain password authentication is off by default in this build. */
284 if (options->password_authentication == -1)
285 options->password_authentication = 0;
286 if (options->kbd_interactive_authentication == -1)
287 options->kbd_interactive_authentication = 0;
288 if (options->challenge_response_authentication == -1)
289 options->challenge_response_authentication = 1;
290 if (options->permit_empty_passwd == -1)
291 options->permit_empty_passwd = 0;
292 if (options->permit_user_env == -1)
293 options->permit_user_env = 0;
294 if (options->compression == -1)
295 options->compression = COMP_DELAYED;
296 if (options->rekey_limit == -1)
297 options->rekey_limit = 0;
298 if (options->rekey_interval == -1)
299 options->rekey_interval = 0;
300 if (options->allow_tcp_forwarding == -1)
301 options->allow_tcp_forwarding = FORWARD_ALLOW;
302 if (options->allow_streamlocal_forwarding == -1)
303 options->allow_streamlocal_forwarding = FORWARD_ALLOW;
304 if (options->allow_agent_forwarding == -1)
305 options->allow_agent_forwarding = 1;
306 if (options->fwd_opts.gateway_ports == -1)
307 options->fwd_opts.gateway_ports = 0;
/* MaxStartups defaults: begin random-drop at 10 unauthenticated connections. */
308 if (options->max_startups == -1)
309 options->max_startups = 100;
310 if (options->max_startups_rate == -1)
311 options->max_startups_rate = 30; /* 30% */
312 if (options->max_startups_begin == -1)
313 options->max_startups_begin = 10;
314 if (options->max_authtries == -1)
315 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
316 if (options->max_sessions == -1)
317 options->max_sessions = DEFAULT_SESSIONS_MAX;
318 if (options->use_dns == -1)
319 options->use_dns = 1;
320 if (options->client_alive_interval == -1)
321 options->client_alive_interval = 0;
322 if (options->client_alive_count_max == -1)
323 options->client_alive_count_max = 3;
/* Two default AuthorizedKeysFile entries, both owned (xstrdup) by options. */
324 if (options->num_authkeys_files == 0) {
325 options->authorized_keys_files[options->num_authkeys_files++] =
326 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
327 options->authorized_keys_files[options->num_authkeys_files++] =
328 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
330 if (options->permit_tun == -1)
331 options->permit_tun = SSH_TUNMODE_NO;
332 if (options->ip_qos_interactive == -1)
333 options->ip_qos_interactive = IPTOS_LOWDELAY;
334 if (options->ip_qos_bulk == -1)
335 options->ip_qos_bulk = IPTOS_THROUGHPUT;
336 if (options->version_addendum == NULL)
337 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
338 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
339 options->fwd_opts.streamlocal_bind_mask = 0177;
340 if (options->fwd_opts.streamlocal_bind_unlink == -1)
341 options->fwd_opts.streamlocal_bind_unlink = 0;
342 if (options->fingerprint_hash == -1)
343 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
344 if (options->disable_forwarding == -1)
345 options->disable_forwarding = 0;
346 if (options->expose_userauth_info == -1)
347 options->expose_userauth_info = 0;
348 if (options->use_blacklist == -1)
349 options->use_blacklist = 0;
351 assemble_algorithms(options);
353 /* Turn privilege separation and sandboxing on by default */
354 if (use_privsep == -1)
355 use_privsep = PRIVSEP_ON;
/*
 * Map the "none" keyword back to "unset" for path-like options. The macro
 * body (releasing the string and NULLing the pointer) is on lines not
 * shown in this listing -- verify against the full file.
 */
357 #define CLEAR_ON_NONE(v) \
359 if (option_clear_or_none(v)) { \
364 CLEAR_ON_NONE(options->pid_file);
365 CLEAR_ON_NONE(options->xauth_location);
366 CLEAR_ON_NONE(options->banner);
367 CLEAR_ON_NONE(options->trusted_user_ca_keys);
368 CLEAR_ON_NONE(options->revoked_keys_file);
369 CLEAR_ON_NONE(options->authorized_principals_file);
370 CLEAR_ON_NONE(options->adm_forced_command);
371 CLEAR_ON_NONE(options->chroot_directory);
372 for (i = 0; i < options->num_host_key_files; i++)
373 CLEAR_ON_NONE(options->host_key_files[i]);
374 for (i = 0; i < options->num_host_cert_files; i++)
375 CLEAR_ON_NONE(options->host_cert_files[i]);
378 /* Similar handling for AuthenticationMethods=any */
/* An empty list means "any one method suffices", same as the keyword. */
379 if (options->num_auth_methods == 1 &&
380 strcmp(options->auth_methods[0], "any") == 0) {
381 free(options->auth_methods[0]);
382 options->auth_methods[0] = NULL;
383 options->num_auth_methods = 0;
/*
 * Portable build: on platforms where the privsep monitor cannot share the
 * compression state, compression loses (presumably guarded by a platform
 * #ifdef not shown here -- confirm).
 */
387 if (use_privsep && options->compression == 1) {
388 error("This platform does not support both privilege "
389 "separation and compression");
390 error("Compression disabled");
391 options->compression = 0;
397 /* Keyword tokens. */
/*
 * One enumerator per recognised sshd_config keyword (the enum header and
 * the closing typedef are on lines not shown here). parse_token() maps a
 * keyword string to one of these via the keywords[] table; sDeprecated,
 * sIgnore and sUnsupported are catch-alls for options that are accepted
 * but not acted on.
 */
399 sBadOption, /* == unknown option */
400 /* Portable-specific options */
402 /* Standard Options */
403 sPort, sHostKeyFile, sLoginGraceTime,
404 sPermitRootLogin, sLogFacility, sLogLevel,
405 sRhostsRSAAuthentication, sRSAAuthentication,
406 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
407 sKerberosGetAFSToken,
408 sKerberosTgtPassing, sChallengeResponseAuthentication,
409 sPasswordAuthentication, sKbdInteractiveAuthentication,
410 sListenAddress, sAddressFamily,
411 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
412 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
413 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
414 sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
415 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
416 sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
417 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
418 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
419 sBanner, sUseDNS, sHostbasedAuthentication,
420 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
422 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
423 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
424 sAcceptEnv, sPermitTunnel,
425 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
426 sUsePrivilegeSeparation, sAllowAgentForwarding,
428 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
429 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
430 sKexAlgorithms, sIPQoS, sVersionAddendum,
431 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
432 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
433 sStreamLocalBindMask, sStreamLocalBindUnlink,
434 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
/* Keep these last: they are the "accepted but inert" tokens. */
437 sDeprecated, sIgnore, sUnsupported
440 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
441 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
442 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
444 /* Textual representation of the tokens. */
/*
 * keywords[]: maps each configuration keyword to its ServerOpCodes token
 * and an SSHCFG_* flag mask saying where the keyword may appear
 * (SSHCFG_GLOBAL = main section only, SSHCFG_MATCH = inside Match,
 * SSHCFG_ALL = both). Names are stored lowercase because parse_token()
 * compares with strcasecmp(). The struct header and some preprocessor
 * lines are not shown in this listing; the duplicate entries that map a
 * keyword to sUnsupported are presumably the #else arms for builds lacking
 * the corresponding feature (PAM, Kerberos, GSSAPI) -- confirm against the
 * full file. The table ends with a NULL-name sentinel.
 */
447 ServerOpCodes opcode;
450 /* Portable-specific options */
452 { "usepam", sUsePAM, SSHCFG_GLOBAL },
454 { "usepam", sUnsupported, SSHCFG_GLOBAL },
456 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
457 /* Standard Options */
458 { "port", sPort, SSHCFG_GLOBAL },
459 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
460 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
461 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
462 { "pidfile", sPidFile, SSHCFG_GLOBAL },
463 { "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
464 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
465 { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
/* Per-connection overridable: may be tightened or relaxed inside Match. */
466 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
467 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
468 { "loglevel", sLogLevel, SSHCFG_ALL },
469 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
470 { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
471 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
472 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
473 { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
474 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
475 { "rsaauthentication", sDeprecated, SSHCFG_ALL },
476 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
477 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
478 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
480 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
481 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
482 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
484 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
486 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
489 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
490 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
491 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
492 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
494 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
495 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
497 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
498 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
499 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
501 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
502 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
503 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
505 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
506 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
507 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
508 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
509 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
510 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
511 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
512 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
513 #ifdef DISABLE_LASTLOG
514 { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
516 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
518 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
519 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
520 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
521 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
522 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
523 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
524 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
525 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
526 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
527 { "uselogin", sDeprecated, SSHCFG_GLOBAL },
528 { "compression", sCompression, SSHCFG_GLOBAL },
529 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
530 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
531 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
532 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
533 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
534 { "allowusers", sAllowUsers, SSHCFG_ALL },
535 { "denyusers", sDenyUsers, SSHCFG_ALL },
536 { "allowgroups", sAllowGroups, SSHCFG_ALL },
537 { "denygroups", sDenyGroups, SSHCFG_ALL },
/* Pre-KEX settings cannot vary per connection, hence GLOBAL only. */
538 { "ciphers", sCiphers, SSHCFG_GLOBAL },
539 { "macs", sMacs, SSHCFG_GLOBAL },
540 { "protocol", sIgnore, SSHCFG_GLOBAL },
541 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
542 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
543 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
544 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
545 { "maxsessions", sMaxSessions, SSHCFG_ALL },
546 { "banner", sBanner, SSHCFG_ALL },
547 { "usedns", sUseDNS, SSHCFG_GLOBAL },
548 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
549 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
550 { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
551 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
552 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
553 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
554 { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
555 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
556 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
557 { "permittty", sPermitTTY, SSHCFG_ALL },
558 { "permituserrc", sPermitUserRC, SSHCFG_ALL },
559 { "match", sMatch, SSHCFG_ALL },
560 { "permitopen", sPermitOpen, SSHCFG_ALL },
561 { "forcecommand", sForceCommand, SSHCFG_ALL },
562 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
563 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
564 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
565 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
566 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
567 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
568 { "ipqos", sIPQoS, SSHCFG_ALL },
569 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
570 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
571 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
572 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
573 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
574 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
575 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
576 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
577 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
578 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
579 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
580 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
581 { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
582 { "noneenabled", sUnsupported, SSHCFG_ALL },
583 { "hpndisabled", sDeprecated, SSHCFG_ALL },
584 { "hpnbuffersize", sDeprecated, SSHCFG_ALL },
585 { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
/* Sentinel: parse_token() stops at the NULL name. */
586 { NULL, sBadOption, 0 }
/* Human-readable names for the PermitTunnel modes (table header not shown). */
593 { SSH_TUNMODE_NO, "no" },
594 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
595 { SSH_TUNMODE_ETHERNET, "ethernet" },
596 { SSH_TUNMODE_YES, "yes" },
601 * Returns the number of the token pointed to by cp or sBadOption.
/*
 * Looks up cp (case-insensitively) in keywords[]. On a hit, stores the
 * entry's SSHCFG_* flags through *flags and returns its opcode. On a miss
 * an error is logged naming filename/linenum; the sBadOption return for
 * that path is on a line not shown here.
 */
605 parse_token(const char *cp, const char *filename,
606 int linenum, u_int *flags)
610 for (i = 0; keywords[i].name; i++)
611 if (strcasecmp(cp, keywords[i].name) == 0) {
612 *flags = keywords[i].flags;
613 return keywords[i].opcode;
/* Reached only when no keyword matched; cp is config text, logged via %s. */
616 error("%s: line %d: Bad configuration option: %s",
617 filename, linenum, cp);
/*
 * Return a newly allocated absolute form of a configured path. "none" is
 * passed through unchanged; "~" is expanded for the current uid; a path
 * that is already absolute is returned as-is (that return is on a line not
 * shown here); otherwise the current working directory is prepended.
 * Caller owns the returned string. fatal() if getcwd() fails.
 */
622 derelativise_path(const char *path)
624 char *expanded, *ret, cwd[PATH_MAX];
626 if (strcasecmp(path, "none") == 0)
627 return xstrdup("none");
628 expanded = tilde_expand_filename(path, getuid());
629 if (*expanded == '/')
631 if (getcwd(cwd, sizeof(cwd)) == NULL)
632 fatal("%s: getcwd: %s", __func__, strerror(errno));
/* Anchor relative paths now so a later chdir()/chroot does not change them. */
633 xasprintf(&ret, "%s/%s", cwd, expanded);
/*
 * Register a listen address. With port == 0 the address is added once per
 * configured Port; otherwise it is added for that single port. addr may be
 * NULL for a wildcard bind. Returns nothing (failures are fatal() in
 * add_one_listen_addr). The port == 0 test itself is on a line not shown.
 */
639 add_listen_addr(ServerOptions *options, char *addr, int port)
644 for (i = 0; i < options->num_ports; i++)
645 add_one_listen_addr(options, addr, options->ports[i]);
647 add_one_listen_addr(options, addr, port);
/*
 * Resolve addr:port with getaddrinfo() and prepend every resulting
 * addrinfo to options->listen_addrs. A NULL addr requests AI_PASSIVE
 * (wildcard) and the lookup is restricted to options->address_family.
 * Any resolution error is fatal(); returns nothing.
 */
651 add_one_listen_addr(ServerOptions *options, char *addr, int port)
653 struct addrinfo hints, *ai, *aitop;
654 char strport[NI_MAXSERV];
657 memset(&hints, 0, sizeof(hints));
658 hints.ai_family = options->address_family;
659 hints.ai_socktype = SOCK_STREAM;
660 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
661 snprintf(strport, sizeof strport, "%d", port);
662 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
663 fatal("bad addr or host: %s (%s)",
664 addr ? addr : "<NULL>",
665 ssh_gai_strerror(gaierr));
/* Walk to the tail of the new chain, then splice the old list after it. */
666 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
668 ai->ai_next = options->listen_addrs;
669 options->listen_addrs = aitop;
673 * Queue a ListenAddress to be processed once we have all of the Ports
674 * and AddressFamily options.
/*
 * Grows the parallel queued_listen_addrs / queued_listen_ports arrays by
 * one (xreallocarray, so a size overflow is fatal) and appends the entry;
 * the element size arguments and the copy of addr are on lines not shown
 * here. Returns nothing.
 */
677 queue_listen_addr(ServerOptions *options, char *addr, int port)
679 options->queued_listen_addrs = xreallocarray(
680 options->queued_listen_addrs, options->num_queued_listens + 1,
682 options->queued_listen_ports = xreallocarray(
683 options->queued_listen_ports, options->num_queued_listens + 1,
685 options->queued_listen_addrs[options->num_queued_listens] =
687 options->queued_listen_ports[options->num_queued_listens] = port;
688 options->num_queued_listens++;
692 * Process queued (text) ListenAddress entries.
/*
 * Called once Port and AddressFamily are final: fills their defaults if
 * still unset, resolves every queued ListenAddress via add_listen_addr(),
 * then frees the queue and resets it to empty. Returns nothing.
 */
695 process_queued_listen_addrs(ServerOptions *options)
/* Same defaults as fill_default_server_options(), needed before resolving. */
699 if (options->num_ports == 0)
700 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
701 if (options->address_family == -1)
702 options->address_family = AF_UNSPEC;
704 for (i = 0; i < options->num_queued_listens; i++) {
705 add_listen_addr(options, options->queued_listen_addrs[i],
706 options->queued_listen_ports[i]);
707 free(options->queued_listen_addrs[i]);
708 options->queued_listen_addrs[i] = NULL;
710 free(options->queued_listen_addrs);
711 options->queued_listen_addrs = NULL;
712 free(options->queued_listen_ports);
713 options->queued_listen_ports = NULL;
714 options->num_queued_listens = 0;
718 * Inform channels layer of permitopen options from configuration.
/*
 * Push the PermitOpen policy to the channel layer for this session. The
 * previous list is cleared first; an empty option means "permit any";
 * the single keyword "any" leaves it open (the return is on a line not
 * shown), "none" disables all administrator-permitted local opens; any
 * other list is parsed as host:port entries. Malformed entries are
 * fatal(), which is acceptable here because the values come from the
 * administrator's config, not from the client. Returns nothing.
 */
721 process_permitopen(struct ssh *ssh, ServerOptions *options)
725 char *host, *arg, *oarg;
727 channel_clear_adm_permitted_opens(ssh);
728 if (options->num_permitted_opens == 0)
729 return; /* permit any */
731 /* handle keywords: "any" / "none" */
732 if (options->num_permitted_opens == 1 &&
733 strcmp(options->permitted_opens[0], "any") == 0)
735 if (options->num_permitted_opens == 1 &&
736 strcmp(options->permitted_opens[0], "none") == 0) {
737 channel_disable_adm_local_opens(ssh);
740 /* Otherwise treat it as a list of permitted host:port */
741 for (i = 0; i < options->num_permitted_opens; i++) {
/* hpdelim() modifies its input, so work on a private copy (oarg is freed later). */
742 oarg = arg = xstrdup(options->permitted_opens[i]);
743 host = hpdelim(&arg);
745 fatal("%s: missing host in PermitOpen", __func__);
746 host = cleanhostname(host);
747 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
748 fatal("%s: bad port number in PermitOpen", __func__);
749 /* Send it to channels layer */
750 channel_add_adm_permitted_opens(ssh, host, port);
/*
 * Return the process-wide connection_info used for Match evaluation.
 * The record is a function-local static, so callers receive a pointer to
 * shared storage and must not free it. When populate is set the peer's
 * canonical hostname (subject to use_dns), remote address and local
 * address/port are (re)filled from the active ssh session; the populate
 * test itself is on a line not shown here.
 */
755 struct connection_info *
756 get_connection_info(int populate, int use_dns)
758 struct ssh *ssh = active_state; /* XXX */
759 static struct connection_info ci;
/* With use_dns == 0 the hostname is the address, so Host criteria cannot be spoofed via DNS. */
763 ci.host = auth_get_canonical_hostname(ssh, use_dns);
764 ci.address = ssh_remote_ipaddr(ssh);
765 ci.laddress = ssh_local_ipaddr(ssh);
766 ci.lport = ssh_local_port(ssh);
771 * The strategy for the Match blocks is that the config file is parsed twice.
773 * The first time is at startup. activep is initialized to 1 and the
774 * directives in the global context are processed and acted on. Hitting a
775 * Match directive unsets activep and the directives inside the block are
776 * checked for syntax only.
778 * The second time is after a connection has been established but before
779 * authentication. activep is initialized to 2 and global config directives
780 * are ignored since they have already been processed. If the criteria in a
781 * Match block are met, activep is set and the subsequent directives
782 * processed and actioned until EOF or another Match block unsets it. Any
783 * options set are copied into the main server config.
785 * Potential additions/improvements:
786 * - Add Match support for pre-kex directives, eg. Ciphers.
788 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
789 * Match Address 192.168.0.*
794 * AllowTcpForwarding yes
795 * GatewayPorts clientspecified
798 * - Add a PermittedChannelRequests directive
800 * PermittedChannelRequests session,forwarded-tcpip
/*
 * Evaluate a "Match Group" pattern list for the named user. Looks the user
 * up with getpwnam(), initialises the group-access list for the account
 * and matches grps against it. Each failure path is logged with the config
 * line number; the return values (match / no match) are on lines not shown
 * in this listing.
 */
804 match_cfg_line_group(const char *grps, int line, const char *user)
812 if ((pw = getpwnam(user)) == NULL) {
813 debug("Can't match group at line %d because user %.100s does "
814 "not exist", line, user);
815 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
816 debug("Can't Match group because user %.100s not in any group "
817 "at line %d", user, line);
818 } else if (ga_match_pattern_list(grps) != 1) {
819 debug("user %.100s does not match group list %.100s at line %d",
822 debug("user %.100s matched group list %.100s at line %d", user,
832 * All of the attributes on a single Match line are ANDed together, so we need
833 * to check every attribute and set the result to zero if any attribute does
/*
 * Evaluate one "Match" line. *condition is consumed attribute by attribute
 * with strdelim(); ci == NULL means the first (syntax-only) parse, in which
 * case criteria are validated but not compared. Unknown attributes, a
 * missing value, "all" combined with anything else, or an empty criteria
 * list are errors. Returns the match result (1 = matched); the per-branch
 * `result = 0` assignments and the return statement are on lines not shown
 * in this listing.
 */
837 match_cfg_line(char **condition, int line, struct connection_info *ci)
839 int result = 1, attributes = 0, port;
840 char *arg, *attrib, *cp = *condition;
843 debug3("checking syntax for 'Match %s'", cp);
845 debug3("checking match for '%s' user %s host %s addr %s "
846 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
847 ci->host ? ci->host : "(null)",
848 ci->address ? ci->address : "(null)",
849 ci->laddress ? ci->laddress : "(null)", ci->lport);
851 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
/* "all" must be the sole attribute on the line. */
853 if (strcasecmp(attrib, "all") == 0) {
854 if (attributes != 1 ||
855 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
856 error("'all' cannot be combined with other "
863 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
864 error("Missing Match criteria for %s", attrib);
867 if (strcasecmp(attrib, "user") == 0) {
/* Nothing to compare against yet (syntax pass or unknown user). */
868 if (ci == NULL || ci->user == NULL) {
872 if (match_pattern_list(ci->user, arg, 0) != 1)
875 debug("user %.100s matched 'User %.100s' at "
876 "line %d", ci->user, arg, line);
877 } else if (strcasecmp(attrib, "group") == 0) {
878 if (ci == NULL || ci->user == NULL) {
882 switch (match_cfg_line_group(arg, line, ci->user)) {
888 } else if (strcasecmp(attrib, "host") == 0) {
889 if (ci == NULL || ci->host == NULL) {
/* ci->host is the canonical name from get_connection_info(); its reliability depends on UseDNS. */
893 if (match_hostname(ci->host, arg) != 1)
896 debug("connection from %.100s matched 'Host "
897 "%.100s' at line %d", ci->host, arg, line);
898 } else if (strcasecmp(attrib, "address") == 0) {
899 if (ci == NULL || ci->address == NULL) {
903 switch (addr_match_list(ci->address, arg)) {
905 debug("connection from %.100s matched 'Address "
906 "%.100s' at line %d", ci->address, arg, line);
915 } else if (strcasecmp(attrib, "localaddress") == 0){
916 if (ci == NULL || ci->laddress == NULL) {
920 switch (addr_match_list(ci->laddress, arg)) {
922 debug("connection from %.100s matched "
923 "'LocalAddress %.100s' at line %d",
924 ci->laddress, arg, line);
933 } else if (strcasecmp(attrib, "localport") == 0) {
/* Validate the port even during the syntax-only pass. */
934 if ((port = a2port(arg)) == -1) {
935 error("Invalid LocalPort '%s' on Match line",
939 if (ci == NULL || ci->lport == 0) {
943 /* TODO support port lists */
944 if (port == ci->lport)
945 debug("connection from %.100s matched "
946 "'LocalPort %d' at line %d",
947 ci->laddress, port, line);
951 error("Unsupported Match attribute %s", attrib);
955 if (attributes == 0) {
956 error("One or more attributes required for Match");
960 debug3("match %sfound", result ? "" : "not ");
965 #define WHITESPACE " \t\r\n"
967 /* Multistate option parsing */
/*
 * Keyword -> value tables for options that accept more than yes/no.
 * Each table is terminated by a NULL entry (terminators and some rows are
 * not shown in this listing).
 */
972 static const struct multistate multistate_addressfamily[] = {
974 { "inet6", AF_INET6 },
975 { "any", AF_UNSPEC },
/* "without-password" is kept as a legacy spelling of "prohibit-password". */
978 static const struct multistate multistate_permitrootlogin[] = {
979 { "without-password", PERMIT_NO_PASSWD },
980 { "prohibit-password", PERMIT_NO_PASSWD },
981 { "forced-commands-only", PERMIT_FORCED_ONLY },
982 { "yes", PERMIT_YES },
/* "yes" means delayed compression, i.e. only after authentication. */
986 static const struct multistate multistate_compression[] = {
987 { "yes", COMP_DELAYED },
988 { "delayed", COMP_DELAYED },
992 static const struct multistate multistate_gatewayports[] = {
993 { "clientspecified", 2 },
/* Shared by AllowTcpForwarding and AllowStreamLocalForwarding. */
998 static const struct multistate multistate_tcpfwd[] = {
999 { "yes", FORWARD_ALLOW },
1000 { "all", FORWARD_ALLOW },
1001 { "no", FORWARD_DENY },
1002 { "remote", FORWARD_REMOTE },
1003 { "local", FORWARD_LOCAL },
/*
 * process_server_config_line: parse one sshd configuration line into
 * *options.
 *
 * options     - option set being filled in.  Scalar options are stored only
 *               while still at their unset default (-1 or NULL), so the
 *               first occurrence of a keyword wins.
 * line        - text of the line; trailing whitespace is stripped in place.
 * filename    - name reported in diagnostics.
 * linenum     - line number reported in diagnostics.
 * activep     - NULL when handling a command-line directive; otherwise a
 *               flag saying whether the current Match block applies.  While
 *               it is 0, a keyword without SSHCFG_MATCH is fatal on the
 *               initial parse and skipped when the configuration is
 *               reprocessed with connectinfo set.
 * connectinfo - connection attributes that Match lines are evaluated
 *               against; NULL on the initial parse.
 *
 * Malformed input is reported with fatal().  The declarations of len,
 * flags, i and val64, a number of case labels and "break"s, and the final
 * return are not part of this excerpt.
 */
1008 process_server_config_line(ServerOptions *options, char *line,
1009 const char *filename, int linenum, int *activep,
1010 struct connection_info *connectinfo)
1012 char *cp, **charptr, *arg, *arg2, *p;
1013 int cmdline = 0, *intptr, value, value2, n, port;
1014 SyslogFacility *log_facility_ptr;
1015 LogLevel *log_level_ptr;
1016 ServerOpCodes opcode;
1020 const struct multistate *multistate_ptr;
1022 /* Strip trailing whitespace. Allow \f (form feed) at EOL only */
1023 if ((len = strlen(line)) == 0)
1025 for (len--; len > 0; len--) {
1026 if (strchr(WHITESPACE "\f", line[len]) == NULL)
1032 if ((arg = strdelim(&cp)) == NULL)
1034 /* Ignore leading whitespace */
1036 arg = strdelim(&cp);
1037 if (!arg || !*arg || *arg == '#')
/* intptr/charptr are expected to be reset here before the keyword is
 * looked up (the reset lines are not in this excerpt - confirm). */
1041 opcode = parse_token(arg, filename, linenum, &flags);
1043 if (activep == NULL) { /* We are processing a command line directive */
1047 if (*activep && opcode != sMatch)
1048 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
/* Inside an inactive Match block a keyword that is not Match-capable is an
 * error on the first pass and a no-op when the config is reprocessed. */
1049 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1050 if (connectinfo == NULL) {
1051 fatal("%s line %d: Directive '%s' is not allowed "
1052 "within a Match block", filename, linenum, arg);
1053 } else { /* this is a directive we have already processed */
1055 arg = strdelim(&cp);
1061 /* Portable-specific options */
1063 intptr = &options->use_pam;
1066 /* Standard Options */
1070 /* ignore ports from configfile if cmdline specifies ports */
1071 if (options->ports_from_cmdline)
1073 if (options->num_ports >= MAX_PORTS)
1074 fatal("%s line %d: too many ports.",
1076 arg = strdelim(&cp);
1077 if (!arg || *arg == '\0')
1078 fatal("%s line %d: missing port number.",
/* The a2port() result is stored before it is validated; the check that
 * follows is fatal, so the unvalidated slot is never consumed. */
1080 options->ports[options->num_ports++] = a2port(arg);
1081 if (options->ports[options->num_ports-1] <= 0)
1082 fatal("%s line %d: Badly formatted port number.",
1086 case sLoginGraceTime:
1087 intptr = &options->login_grace_time;
1089 arg = strdelim(&cp);
1090 if (!arg || *arg == '\0')
1091 fatal("%s line %d: missing time value.",
/* convtime() reports a malformed time specification as -1 */
1093 if ((value = convtime(arg)) == -1)
1094 fatal("%s line %d: invalid time value.",
1096 if (*activep && *intptr == -1)
1100 case sListenAddress:
1101 arg = strdelim(&cp);
1102 if (arg == NULL || *arg == '\0')
1103 fatal("%s line %d: missing address",
1105 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
1106 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1107 && strchr(p+1, ':') != NULL) {
1108 queue_listen_addr(options, arg, 0);
1113 fatal("%s line %d: bad address:port usage",
1115 p = cleanhostname(p);
1118 else if ((port = a2port(arg)) <= 0)
1119 fatal("%s line %d: bad port number", filename, linenum);
1121 queue_listen_addr(options, p, port);
1125 case sAddressFamily:
1126 intptr = &options->address_family;
1127 multistate_ptr = multistate_addressfamily;
1129 arg = strdelim(&cp);
1130 if (!arg || *arg == '\0')
1131 fatal("%s line %d: missing argument.",
/* parse_multistate target (label not in excerpt): linear scan of the
 * NULL-terminated keyword table; an unknown keyword is fatal. */
1134 for (i = 0; multistate_ptr[i].key != NULL; i++) {
1135 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1136 value = multistate_ptr[i].value;
1141 fatal("%s line %d: unsupported option \"%s\".",
1142 filename, linenum, arg);
1143 if (*activep && *intptr == -1)
/* Bound the index before touching host_key_files[] */
1148 intptr = &options->num_host_key_files;
1149 if (*intptr >= MAX_HOSTKEYS)
1150 fatal("%s line %d: too many host keys specified (max %d).",
1151 filename, linenum, MAX_HOSTKEYS);
1152 charptr = &options->host_key_files[*intptr];
/* parse_filename target (label not in excerpt), shared by HostCertificate,
 * PidFile, XAuthLocation, Banner, TrustedUserCAKeys and RevokedKeys. */
1154 arg = strdelim(&cp);
1155 if (!arg || *arg == '\0')
1156 fatal("%s line %d: missing file name.",
1158 if (*activep && *charptr == NULL) {
1159 *charptr = derelativise_path(arg);
1160 /* increase optional counter */
/* intptr is only meaningful when the jumping case set a counter; the
 * NULL guard expected before this line is not in the excerpt - confirm. */
1162 *intptr = *intptr + 1;
1167 charptr = &options->host_key_agent;
1168 arg = strdelim(&cp);
1169 if (!arg || *arg == '\0')
1170 fatal("%s line %d: missing socket name.",
/* The literal SSH_AUTHSOCKET_ENV_NAME is kept verbatim; any other value
 * is treated as a path and passed through derelativise_path(). */
1172 if (*activep && *charptr == NULL)
1173 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1174 xstrdup(arg) : derelativise_path(arg);
1177 case sHostCertificate:
1178 intptr = &options->num_host_cert_files;
1179 if (*intptr >= MAX_HOSTKEYS)
1180 fatal("%s line %d: too many host certificates "
1181 "specified (max %d).", filename, linenum,
1183 charptr = &options->host_cert_files[*intptr];
1184 goto parse_filename;
1187 charptr = &options->pid_file;
1188 goto parse_filename;
1190 case sPermitRootLogin:
1191 intptr = &options->permit_root_login;
1192 multistate_ptr = multistate_permitrootlogin;
1193 goto parse_multistate;
1196 intptr = &options->ignore_rhosts;
/* parse_flag target (label not in excerpt): only the exact words "yes"
 * and "no" are accepted. */
1198 arg = strdelim(&cp);
1199 if (!arg || *arg == '\0')
1200 fatal("%s line %d: missing yes/no argument.",
1202 value = 0; /* silence compiler */
1203 if (strcmp(arg, "yes") == 0)
1205 else if (strcmp(arg, "no") == 0)
1208 fatal("%s line %d: Bad yes/no argument: %s",
1209 filename, linenum, arg);
1210 if (*activep && *intptr == -1)
1214 case sIgnoreUserKnownHosts:
1215 intptr = &options->ignore_user_known_hosts;
1218 case sHostbasedAuthentication:
1219 intptr = &options->hostbased_authentication;
1222 case sHostbasedUsesNameFromPacketOnly:
1223 intptr = &options->hostbased_uses_name_from_packet_only;
1226 case sHostbasedAcceptedKeyTypes:
1227 charptr = &options->hostbased_key_types;
/* parse_keytypes target (label not in excerpt): the list is validated
 * with a leading '+' stripped; the '+'/'-' expansion itself happens later
 * in assemble_algorithms(). */
1229 arg = strdelim(&cp);
1230 if (!arg || *arg == '\0')
1231 fatal("%s line %d: Missing argument.",
1234 !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1235 fatal("%s line %d: Bad key types '%s'.",
1236 filename, linenum, arg ? arg : "<NONE>");
1237 if (*activep && *charptr == NULL)
1238 *charptr = xstrdup(arg);
1241 case sHostKeyAlgorithms:
1242 charptr = &options->hostkeyalgorithms;
1243 goto parse_keytypes;
1245 case sPubkeyAuthentication:
1246 intptr = &options->pubkey_authentication;
1249 case sPubkeyAcceptedKeyTypes:
1250 charptr = &options->pubkey_key_types;
1251 goto parse_keytypes;
1253 case sKerberosAuthentication:
1254 intptr = &options->kerberos_authentication;
1257 case sKerberosOrLocalPasswd:
1258 intptr = &options->kerberos_or_local_passwd;
1261 case sKerberosTicketCleanup:
1262 intptr = &options->kerberos_ticket_cleanup;
1265 case sKerberosGetAFSToken:
1266 intptr = &options->kerberos_get_afs_token;
1269 case sGssAuthentication:
1270 intptr = &options->gss_authentication;
1273 case sGssCleanupCreds:
1274 intptr = &options->gss_cleanup_creds;
1277 case sGssStrictAcceptor:
1278 intptr = &options->gss_strict_acceptor;
1281 case sPasswordAuthentication:
1282 intptr = &options->password_authentication;
1285 case sKbdInteractiveAuthentication:
1286 intptr = &options->kbd_interactive_authentication;
1289 case sChallengeResponseAuthentication:
1290 intptr = &options->challenge_response_authentication;
1294 intptr = &options->print_motd;
1298 intptr = &options->print_lastlog;
1301 case sX11Forwarding:
1302 intptr = &options->x11_forwarding;
1305 case sX11DisplayOffset:
1306 intptr = &options->x11_display_offset;
/* parse_int target (label not in excerpt); the conversion of arg to
 * value is not part of this excerpt. */
1308 arg = strdelim(&cp);
1309 if (!arg || *arg == '\0')
1310 fatal("%s line %d: missing integer value.",
1313 if (*activep && *intptr == -1)
1317 case sX11UseLocalhost:
1318 intptr = &options->x11_use_localhost;
1321 case sXAuthLocation:
1322 charptr = &options->xauth_location;
1323 goto parse_filename;
1326 intptr = &options->permit_tty;
1330 intptr = &options->permit_user_rc;
1334 intptr = &options->strict_modes;
1338 intptr = &options->tcp_keep_alive;
1342 intptr = &options->permit_empty_passwd;
1345 case sPermitUserEnvironment:
1346 intptr = &options->permit_user_env;
1350 intptr = &options->compression;
1351 multistate_ptr = multistate_compression;
1352 goto parse_multistate;
/* RekeyLimit: "default" keeps the built-in limit; otherwise a scaled
 * size via scan_scaled().  Any non-zero value below 16 is rejected. */
1355 arg = strdelim(&cp);
1356 if (!arg || *arg == '\0')
1357 fatal("%.200s line %d: Missing argument.", filename,
1359 if (strcmp(arg, "default") == 0) {
1362 if (scan_scaled(arg, &val64) == -1)
1363 fatal("%.200s line %d: Bad number '%s': %s",
1364 filename, linenum, arg, strerror(errno));
1365 if (val64 != 0 && val64 < 16)
1366 fatal("%.200s line %d: RekeyLimit too small",
1369 if (*activep && options->rekey_limit == -1)
1370 options->rekey_limit = val64;
1371 if (cp != NULL) { /* optional rekey interval present */
1372 if (strcmp(cp, "none") == 0) {
1373 (void)strdelim(&cp); /* discard */
1376 intptr = &options->rekey_interval;
1382 intptr = &options->fwd_opts.gateway_ports;
1383 multistate_ptr = multistate_gatewayports;
1384 goto parse_multistate;
1387 intptr = &options->use_dns;
/* LogFacility.  NB: unlike LogLevel below, the store is not gated on
 * *activep - presumably because the keyword is not permitted inside
 * Match (see the keywords table); confirm. */
1391 log_facility_ptr = &options->log_facility;
1392 arg = strdelim(&cp);
1393 value = log_facility_number(arg);
1394 if (value == SYSLOG_FACILITY_NOT_SET)
1395 fatal("%.200s line %d: unsupported log facility '%s'",
1396 filename, linenum, arg ? arg : "<NONE>");
1397 if (*log_facility_ptr == -1)
1398 *log_facility_ptr = (SyslogFacility) value;
1402 log_level_ptr = &options->log_level;
1403 arg = strdelim(&cp);
1404 value = log_level_number(arg);
1405 if (value == SYSLOG_LEVEL_NOT_SET)
1406 fatal("%.200s line %d: unsupported log level '%s'",
1407 filename, linenum, arg ? arg : "<NONE>");
1408 if (*activep && *log_level_ptr == -1)
1409 *log_level_ptr = (LogLevel) value;
1412 case sAllowTcpForwarding:
1413 intptr = &options->allow_tcp_forwarding;
1414 multistate_ptr = multistate_tcpfwd;
1415 goto parse_multistate;
1417 case sAllowStreamLocalForwarding:
1418 intptr = &options->allow_streamlocal_forwarding;
1419 multistate_ptr = multistate_tcpfwd;
1420 goto parse_multistate;
1422 case sAllowAgentForwarding:
1423 intptr = &options->allow_agent_forwarding;
1426 case sDisableForwarding:
1427 intptr = &options->disable_forwarding;
/* AllowUsers: every pattern is checked with match_user() before it is
 * kept, and the list is bounded by MAX_ALLOW_USERS. */
1431 while ((arg = strdelim(&cp)) && *arg != '\0') {
1432 if (options->num_allow_users >= MAX_ALLOW_USERS)
1433 fatal("%s line %d: too many allow users.",
1435 if (match_user(NULL, NULL, NULL, arg) == -1)
1436 fatal("%s line %d: invalid AllowUsers pattern: "
1437 "\"%.100s\"", filename, linenum, arg);
1440 options->allow_users[options->num_allow_users++] =
/* DenyUsers: same validation and bound as AllowUsers. */
1446 while ((arg = strdelim(&cp)) && *arg != '\0') {
1447 if (options->num_deny_users >= MAX_DENY_USERS)
1448 fatal("%s line %d: too many deny users.",
1450 if (match_user(NULL, NULL, NULL, arg) == -1)
1451 fatal("%s line %d: invalid DenyUsers pattern: "
1452 "\"%.100s\"", filename, linenum, arg);
1455 options->deny_users[options->num_deny_users++] =
/* AllowGroups/DenyGroups: bounded like the user lists, but no pattern
 * validation is performed here. */
1461 while ((arg = strdelim(&cp)) && *arg != '\0') {
1462 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1463 fatal("%s line %d: too many allow groups.",
1467 options->allow_groups[options->num_allow_groups++] =
1473 while ((arg = strdelim(&cp)) && *arg != '\0') {
1474 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1475 fatal("%s line %d: too many deny groups.",
1479 options->deny_groups[options->num_deny_groups++] =
/* Ciphers/MACs/KexAlgorithms: a spec starting with '-' skips validation
 * here; the store is "first wins" but not gated on *activep. */
1485 arg = strdelim(&cp);
1486 if (!arg || *arg == '\0')
1487 fatal("%s line %d: Missing argument.", filename, linenum);
1488 if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
1489 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1490 filename, linenum, arg ? arg : "<NONE>");
1491 if (options->ciphers == NULL)
1492 options->ciphers = xstrdup(arg);
1496 arg = strdelim(&cp);
1497 if (!arg || *arg == '\0')
1498 fatal("%s line %d: Missing argument.", filename, linenum);
1499 if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
1500 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1501 filename, linenum, arg ? arg : "<NONE>");
1502 if (options->macs == NULL)
1503 options->macs = xstrdup(arg);
1506 case sKexAlgorithms:
1507 arg = strdelim(&cp);
1508 if (!arg || *arg == '\0')
1509 fatal("%s line %d: Missing argument.",
1512 !kex_names_valid(*arg == '+' ? arg + 1 : arg))
1513 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1514 filename, linenum, arg ? arg : "<NONE>");
1515 if (options->kex_algorithms == NULL)
1516 options->kex_algorithms = xstrdup(arg);
/* Subsystem <name> <command> [args...]: names must be unique; the extra
 * arguments are joined with single spaces into a separately owned
 * buffer that is regrown as each one is appended. */
1520 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1521 fatal("%s line %d: too many subsystems defined.",
1524 arg = strdelim(&cp);
1525 if (!arg || *arg == '\0')
1526 fatal("%s line %d: Missing subsystem name.",
1529 arg = strdelim(&cp);
1532 for (i = 0; i < options->num_subsystems; i++)
1533 if (strcmp(arg, options->subsystem_name[i]) == 0)
1534 fatal("%s line %d: Subsystem '%s' already defined.",
1535 filename, linenum, arg);
1536 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1537 arg = strdelim(&cp);
1538 if (!arg || *arg == '\0')
1539 fatal("%s line %d: Missing subsystem command.",
1541 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1543 /* Collect arguments (separate to executable) */
/* p is presumably initialised from the command just above (that line is
 * not in the excerpt); len tracks the buffer size including the NUL. */
1545 len = strlen(p) + 1;
1546 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1547 len += 1 + strlen(arg);
1548 p = xreallocarray(p, 1, len);
1549 strlcat(p, " ", len);
1550 strlcat(p, arg, len);
1552 options->subsystem_args[options->num_subsystems] = p;
1553 options->num_subsystems++;
/* MaxStartups: sscanf() writes straight into options.  The begin:rate:full
 * form must satisfy begin <= full and 1 <= rate <= 100; a single number
 * sets full to the same value. */
1557 arg = strdelim(&cp);
1558 if (!arg || *arg == '\0')
1559 fatal("%s line %d: Missing MaxStartups spec.",
1561 if ((n = sscanf(arg, "%d:%d:%d",
1562 &options->max_startups_begin,
1563 &options->max_startups_rate,
1564 &options->max_startups)) == 3) {
1565 if (options->max_startups_begin >
1566 options->max_startups ||
1567 options->max_startups_rate > 100 ||
1568 options->max_startups_rate < 1)
1569 fatal("%s line %d: Illegal MaxStartups spec.",
1572 fatal("%s line %d: Illegal MaxStartups spec.",
1575 options->max_startups = options->max_startups_begin;
1579 intptr = &options->max_authtries;
1583 intptr = &options->max_sessions;
1587 charptr = &options->banner;
1588 goto parse_filename;
1591 * These options can contain %X options expanded at
1592 * connect time, so that you can specify paths like:
1594 * AuthorizedKeysFile /etc/ssh_keys/%u
/* Only the first active AuthorizedKeysFile line is used; each entry is
 * tilde-expanded against the daemon's own uid (getuid()). */
1596 case sAuthorizedKeysFile:
1597 if (*activep && options->num_authkeys_files == 0) {
1598 while ((arg = strdelim(&cp)) && *arg != '\0') {
1599 if (options->num_authkeys_files >=
1601 fatal("%s line %d: "
1602 "too many authorized keys files.",
1604 options->authorized_keys_files[
1605 options->num_authkeys_files++] =
1606 tilde_expand_filename(arg, getuid());
1611 case sAuthorizedPrincipalsFile:
1612 charptr = &options->authorized_principals_file;
1613 arg = strdelim(&cp);
1614 if (!arg || *arg == '\0')
1615 fatal("%s line %d: missing file name.",
1617 if (*activep && *charptr == NULL) {
1618 *charptr = tilde_expand_filename(arg, getuid());
1619 /* increase optional counter */
/* Mirrors parse_filename; nothing in this case sets intptr, so the NULL
 * guard expected before this line matters - it is not in the excerpt. */
1621 *intptr = *intptr + 1;
1625 case sClientAliveInterval:
1626 intptr = &options->client_alive_interval;
1629 case sClientAliveCountMax:
1630 intptr = &options->client_alive_count_max;
/* AcceptEnv: a name containing '=' is rejected; list bounded by
 * MAX_ACCEPT_ENV. */
1634 while ((arg = strdelim(&cp)) && *arg != '\0') {
1635 if (strchr(arg, '=') != NULL)
1636 fatal("%s line %d: Invalid environment name.",
1638 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1639 fatal("%s line %d: too many allow env.",
1643 options->accept_env[options->num_accept_env++] =
/* PermitTunnel: looked up in tunmode_desc, which is terminated by an
 * entry with val == -1. */
1649 intptr = &options->permit_tun;
1650 arg = strdelim(&cp);
1651 if (!arg || *arg == '\0')
1652 fatal("%s line %d: Missing yes/point-to-point/"
1653 "ethernet/no argument.", filename, linenum);
1655 for (i = 0; tunmode_desc[i].val != -1; i++)
1656 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1657 value = tunmode_desc[i].val;
1661 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1662 "no argument: %s", filename, linenum, arg);
1663 if (*activep && *intptr == -1)
/* Match: not valid as a command-line directive.  match_cfg_line()
 * evaluates the conditions against connectinfo; its result is expected to
 * become the new *activep (that assignment is not in the excerpt). */
1669 fatal("Match directive not supported as a command-line "
1671 value = match_cfg_line(&cp, linenum, connectinfo);
1673 fatal("%s line %d: Bad Match condition", filename,
/* PermitOpen: "any"/"none" becomes the whole list; otherwise each
 * host:port entry is validated (host via cleanhostname(), port via
 * permitopen_port()) and appended.  Only the first active occurrence
 * (i == 0) is stored. */
1679 arg = strdelim(&cp);
1680 if (!arg || *arg == '\0')
1681 fatal("%s line %d: missing PermitOpen specification",
1683 i = options->num_permitted_opens; /* modified later */
1684 if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
1685 if (*activep && i == 0) {
1686 options->num_permitted_opens = 1;
1687 options->permitted_opens = xcalloc(1,
1688 sizeof(*options->permitted_opens));
1689 options->permitted_opens[0] = xstrdup(arg);
/* arg2 keeps the original host:port text for storage; the path taken
 * when it is not stored is outside this excerpt - confirm it frees arg2. */
1693 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1694 arg2 = xstrdup(arg);
1697 fatal("%s line %d: missing host in PermitOpen",
1699 p = cleanhostname(p);
1700 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1701 fatal("%s line %d: bad port number in "
1702 "PermitOpen", filename, linenum);
1703 if (*activep && i == 0) {
1704 options->permitted_opens = xrecallocarray(
1705 options->permitted_opens,
1706 options->num_permitted_opens,
1707 options->num_permitted_opens + 1,
1708 sizeof(*options->permitted_opens));
1709 i = options->num_permitted_opens++;
1710 options->permitted_opens[i] = arg2;
/* ForceCommand: the remainder of the line, minus leading whitespace, is
 * kept verbatim so the command may contain spaces. */
1717 if (cp == NULL || *cp == '\0')
1718 fatal("%.200s line %d: Missing argument.", filename,
1720 len = strspn(cp, WHITESPACE);
1721 if (*activep && options->adm_forced_command == NULL)
1722 options->adm_forced_command = xstrdup(cp + len);
1725 case sChrootDirectory:
1726 charptr = &options->chroot_directory;
1728 arg = strdelim(&cp);
1729 if (!arg || *arg == '\0')
1730 fatal("%s line %d: missing file name.",
1732 if (*activep && *charptr == NULL)
1733 *charptr = xstrdup(arg);
1736 case sTrustedUserCAKeys:
1737 charptr = &options->trusted_user_ca_keys;
1738 goto parse_filename;
1741 charptr = &options->revoked_keys_file;
1742 goto parse_filename;
/* IPQoS: one or two values (interactive [bulk]); each must be accepted
 * by parse_ipqos().  The single-value case is outside this excerpt. */
1745 arg = strdelim(&cp);
1746 if ((value = parse_ipqos(arg)) == -1)
1747 fatal("%s line %d: Bad IPQoS value: %s",
1748 filename, linenum, arg);
1749 arg = strdelim(&cp);
1752 else if ((value2 = parse_ipqos(arg)) == -1)
1753 fatal("%s line %d: Bad IPQoS value: %s",
1754 filename, linenum, arg);
1756 options->ip_qos_interactive = value;
1757 options->ip_qos_bulk = value2;
/* VersionAddendum: "none" stores an empty string; a carriage return in
 * the text is rejected, presumably because the addendum is sent on the
 * single-line version exchange - confirm. */
1761 case sVersionAddendum:
1762 if (cp == NULL || *cp == '\0')
1763 fatal("%.200s line %d: Missing argument.", filename,
1765 len = strspn(cp, WHITESPACE);
1766 if (*activep && options->version_addendum == NULL) {
1767 if (strcasecmp(cp + len, "none") == 0)
1768 options->version_addendum = xstrdup("");
1769 else if (strchr(cp + len, '\r') != NULL)
1770 fatal("%.200s line %d: Invalid argument",
1773 options->version_addendum = xstrdup(cp + len);
/* AuthorizedKeysCommand: must be "none" or an absolute path; relative
 * commands are refused.  The rest of the line is kept verbatim. */
1777 case sAuthorizedKeysCommand:
1779 fatal("%.200s line %d: Missing argument.", filename,
1781 len = strspn(cp, WHITESPACE);
1782 if (*activep && options->authorized_keys_command == NULL) {
1783 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1784 fatal("%.200s line %d: AuthorizedKeysCommand "
1785 "must be an absolute path",
1787 options->authorized_keys_command = xstrdup(cp + len);
1791 case sAuthorizedKeysCommandUser:
1792 charptr = &options->authorized_keys_command_user;
1794 arg = strdelim(&cp);
1795 if (!arg || *arg == '\0')
1796 fatal("%s line %d: missing AuthorizedKeysCommandUser "
1797 "argument.", filename, linenum);
1798 if (*activep && *charptr == NULL)
1799 *charptr = xstrdup(arg);
/* AuthorizedPrincipalsCommand: same absolute-path rule as
 * AuthorizedKeysCommand. */
1802 case sAuthorizedPrincipalsCommand:
1804 fatal("%.200s line %d: Missing argument.", filename,
1806 len = strspn(cp, WHITESPACE);
1808 options->authorized_principals_command == NULL) {
1809 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1810 fatal("%.200s line %d: "
1811 "AuthorizedPrincipalsCommand must be "
1812 "an absolute path", filename, linenum);
1813 options->authorized_principals_command =
1818 case sAuthorizedPrincipalsCommandUser:
1819 charptr = &options->authorized_principals_command_user;
1821 arg = strdelim(&cp);
1822 if (!arg || *arg == '\0')
1823 fatal("%s line %d: missing "
1824 "AuthorizedPrincipalsCommandUser argument.",
1826 if (*activep && *charptr == NULL)
1827 *charptr = xstrdup(arg);
/* AuthenticationMethods: "any" must be the only entry; every other entry
 * is a method list checked by auth2_methods_valid().  An empty list is
 * fatal.  Only processed while no methods have been stored yet. */
1830 case sAuthenticationMethods:
1831 if (options->num_auth_methods == 0) {
1832 value = 0; /* seen "any" pseudo-method */
1833 value2 = 0; /* successfully parsed any method */
1834 while ((arg = strdelim(&cp)) && *arg != '\0') {
1835 if (options->num_auth_methods >=
1837 fatal("%s line %d: "
1838 "too many authentication methods.",
1840 if (strcmp(arg, "any") == 0) {
1841 if (options->num_auth_methods > 0) {
1842 fatal("%s line %d: \"any\" "
1843 "must appear alone in "
1844 "AuthenticationMethods",
1849 fatal("%s line %d: \"any\" must appear "
1850 "alone in AuthenticationMethods",
1852 } else if (auth2_methods_valid(arg, 0) != 0) {
1853 fatal("%s line %d: invalid "
1854 "authentication method list.",
1860 options->auth_methods[
1861 options->num_auth_methods++] = xstrdup(arg);
1864 fatal("%s line %d: no AuthenticationMethods "
1865 "specified", filename, linenum);
1870 case sStreamLocalBindMask:
1871 arg = strdelim(&cp);
1872 if (!arg || *arg == '\0')
1873 fatal("%s line %d: missing StreamLocalBindMask "
1874 "argument.", filename, linenum);
1875 /* Parse mode in octal format */
1876 value = strtol(arg, &p, 8);
/* arg == p means no digits were consumed; the mask must fit in 0..0777 */
1877 if (arg == p || value < 0 || value > 0777)
1878 fatal("%s line %d: Bad mask.", filename, linenum);
1880 options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
1883 case sStreamLocalBindUnlink:
1884 intptr = &options->fwd_opts.streamlocal_bind_unlink;
/* FingerprintHash: the name must be known to ssh_digest_alg_by_name() */
1887 case sFingerprintHash:
1888 arg = strdelim(&cp);
1889 if (!arg || *arg == '\0')
1890 fatal("%.200s line %d: Missing argument.",
1892 if ((value = ssh_digest_alg_by_name(arg)) == -1)
1893 fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1894 filename, linenum, arg);
1896 options->fingerprint_hash = value;
1899 case sExposeAuthInfo:
1900 intptr = &options->expose_userauth_info;
1904 intptr = &options->use_blacklist;
/* sIgnore/sUnsupported/sDeprecated (labels not in excerpt): ignored
 * keywords are logged at DEBUG2, the other two at INFO; the argument is
 * then consumed so the trailing-garbage check below does not fire. */
1910 do_log2(opcode == sIgnore ?
1911 SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
1912 "%s line %d: %s option %s", filename, linenum,
1913 opcode == sUnsupported ? "Unsupported" : "Deprecated", arg);
1915 arg = strdelim(&cp);
/* An opcode with no handler is treated as a fatal internal error. */
1919 fatal("%s line %d: Missing handler for opcode %s (%d)",
1920 filename, linenum, arg, opcode);
/* Anything left over after the handled arguments is an error. */
1922 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1923 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1924 filename, linenum, arg);
1928 /* Reads the server configuration file. */
/*
 * Read the whole of `filename` into `conf`, with comments removed and
 * leading whitespace stripped, so it can be parsed (and later
 * re-parsed for Match) by parse_server_config().  Newlines are kept so
 * that line numbers in later diagnostics match the file.  The FILE
 * handling around the visible lines (error exit, lineno, fclose) is not
 * part of this excerpt.
 */
1931 load_server_config(const char *filename, Buffer *conf)
1933 char line[4096], *cp;
1937 debug2("%s: filename %s", __func__, filename);
1938 if ((f = fopen(filename, "r")) == NULL) {
1943 while (fgets(line, sizeof(line), f)) {
/* fgets() filled the buffer without reaching a newline: the line is too
 * long for line[].  (A final line of exactly sizeof(line)-1 characters
 * with no trailing newline is rejected the same way.) */
1945 if (strlen(line) == sizeof(line) - 1)
1946 fatal("%s line %d too long", filename, lineno);
1948 * Trim out comments and strip whitespace
1949 * NB - preserve newlines, they are needed to reproduce
1950 * line numbers later for error messages
/* This is unconditional: a '#' anywhere on the line, even inside an
 * argument, starts a comment.  The two-byte memcpy writes "\n\0". */
1952 if ((cp = strchr(line, '#')) != NULL)
1953 memcpy(cp, "\n", 2);
1954 cp = line + strspn(line, " \t\r");
1956 buffer_append(conf, cp, strlen(cp));
/* NUL-terminate the buffer so the caller can treat it as one C string */
1958 buffer_append(conf, "\0", 1);
1960 debug2("%s: done config len = %d", __func__, buffer_len(conf));
/*
 * Re-evaluate the stored configuration for one connection: parse it again
 * into a fresh ServerOptions with connectinfo set (so only the Match
 * blocks that match this connection are active), then copy everything
 * that was set into *options.  The declarations of mo and cfg are not in
 * this excerpt; cfg is presumably the buffer filled by load_server_config().
 */
1964 parse_server_match_config(ServerOptions *options,
1965 struct connection_info *connectinfo)
1969 initialize_server_options(&mo);
1970 parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1971 copy_set_server_options(options, &mo, 0);
/*
 * Parse a comma-separated "key=value" Match test specification into *ci.
 * Recognised keys: addr, host, user, laddr, lport.  `spec` is modified
 * in place by strsep().  Values are copied with xstrdup(); a repeated key
 * overwrites the earlier pointer without freeing it.  An invalid port or
 * unknown key is reported on stderr; the return values are not part of
 * this excerpt (presumably -1 on error, 0 on success - confirm).
 */
1974 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1978 while ((p = strsep(&spec, ",")) && *p != '\0') {
1979 if (strncmp(p, "addr=", 5) == 0) {
1980 ci->address = xstrdup(p + 5);
1981 } else if (strncmp(p, "host=", 5) == 0) {
1982 ci->host = xstrdup(p + 5);
1983 } else if (strncmp(p, "user=", 5) == 0) {
1984 ci->user = xstrdup(p + 5);
1985 } else if (strncmp(p, "laddr=", 6) == 0) {
1986 ci->laddress = xstrdup(p + 6);
1987 } else if (strncmp(p, "lport=", 6) == 0) {
/* a2port() reports an unparseable or out-of-range port as -1 */
1988 ci->lport = a2port(p + 6);
1989 if (ci->lport == -1) {
1990 fprintf(stderr, "Invalid port '%s' in test mode"
1991 " specification %s\n", p+6, p);
1995 fprintf(stderr, "Invalid test mode specification %s\n",
/*
 * Check how much of a Match test specification (see
 * parse_server_match_testspec) has been supplied.
 *
 * Returns 1 when user, host and address are all set, -1 when none of
 * them is set (an empty spec), and 0 for a partial spec.  Only those
 * three attributes are considered; laddress and lport are not.
 */
int server_match_spec_complete(struct connection_info *ci)
{
	int have_user = ci->user != NULL;
	int have_host = ci->host != NULL;
	int have_addr = ci->address != NULL;

	if (have_user && have_host && have_addr)
		return 1;	/* complete */
	if (!have_user && !have_host && !have_addr)
		return -1;	/* empty */
	return 0;		/* partial */
}
2017 * Copy any supported values that are set.
2019 * If the preauth flag is set, we do not bother copying the string or
2020 * array values that are not used pre-authentication, because any that we
2021 * do use must be explicitly sent in mm_getpwnamallow().
/*
 * dst     - options being updated (the effective configuration).
 * src     - options parsed from the Match-block reprocessing.
 * preauth - when set, stop before the post-authentication string options
 *           (the early return is expected just before the "only things
 *           below this point" note; it is not in this excerpt).
 *
 * The M_CP_INTOPT body, which is expected to copy a field only when it is
 * set in src, is not part of this excerpt.
 */
2024 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2026 #define M_CP_INTOPT(n) do {\
/* Integer options a Match block may override.  Note that the set includes
 * the authentication switches and the forwarding/tty/X11 controls. */
2031 M_CP_INTOPT(password_authentication);
2032 M_CP_INTOPT(gss_authentication);
2033 M_CP_INTOPT(pubkey_authentication);
2034 M_CP_INTOPT(kerberos_authentication);
2035 M_CP_INTOPT(hostbased_authentication);
2036 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2037 M_CP_INTOPT(kbd_interactive_authentication);
2038 M_CP_INTOPT(permit_root_login);
2039 M_CP_INTOPT(permit_empty_passwd);
2041 M_CP_INTOPT(allow_tcp_forwarding);
2042 M_CP_INTOPT(allow_streamlocal_forwarding);
2043 M_CP_INTOPT(allow_agent_forwarding);
2044 M_CP_INTOPT(disable_forwarding);
2045 M_CP_INTOPT(expose_userauth_info);
2046 M_CP_INTOPT(permit_tun);
2047 M_CP_INTOPT(fwd_opts.gateway_ports);
2048 M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2049 M_CP_INTOPT(x11_display_offset);
2050 M_CP_INTOPT(x11_forwarding);
2051 M_CP_INTOPT(x11_use_localhost);
2052 M_CP_INTOPT(permit_tty);
2053 M_CP_INTOPT(permit_user_rc);
2054 M_CP_INTOPT(max_sessions);
2055 M_CP_INTOPT(max_authtries);
2056 M_CP_INTOPT(client_alive_count_max);
2057 M_CP_INTOPT(client_alive_interval);
2058 M_CP_INTOPT(ip_qos_interactive);
2059 M_CP_INTOPT(ip_qos_bulk);
2060 M_CP_INTOPT(rekey_limit);
2061 M_CP_INTOPT(rekey_interval);
2062 M_CP_INTOPT(log_level);
2065 * The bind_mask is a mode_t that may be unsigned, so we can't use
2066 * M_CP_INTOPT - it does a signed comparison that causes compiler
/* (mode_t)-1 is the "unset" sentinel for the mask */
2069 if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2070 dst->fwd_opts.streamlocal_bind_mask =
2071 src->fwd_opts.streamlocal_bind_mask;
2074 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
/* M_CP_STROPT copies a string only when src has one and it is not already
 * the same pointer; the array variants duplicate each element, and the
 * _ALLOC form first allocates dst's array.  Parts of these macro bodies are
 * not in this excerpt. */
2075 #define M_CP_STROPT(n) do {\
2076 if (src->n != NULL && dst->n != src->n) { \
2081 #define M_CP_STRARRAYOPT(n, num_n) do {\
2082 if (src->num_n != 0) { \
2083 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
2084 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
2087 #define M_CP_STRARRAYOPT_ALLOC(n, num_n) do { \
2088 if (src->num_n != 0) { \
2089 dst->n = xcalloc(src->num_n, sizeof(*dst->n)); \
2090 M_CP_STRARRAYOPT(n, num_n); \
2091 dst->num_n = src->num_n; \
2095 /* See comment in servconf.h */
2096 COPY_MATCH_STRING_OPTS();
2098 /* Arguments that accept '+...' need to be expanded */
2099 assemble_algorithms(dst);
2102 * The only things that should be below this point are string options
2103 * which are only used after authentication.
2108 /* These options may be "none" to clear a global setting */
/* A Match-block "none" must clear the global value, so the copied string
 * is freed and the pointer reset rather than left pointing at "none". */
2109 M_CP_STROPT(adm_forced_command);
2110 if (option_clear_or_none(dst->adm_forced_command)) {
2111 free(dst->adm_forced_command);
2112 dst->adm_forced_command = NULL;
2114 M_CP_STROPT(chroot_directory);
2115 if (option_clear_or_none(dst->chroot_directory)) {
2116 free(dst->chroot_directory);
2117 dst->chroot_directory = NULL;
2123 #undef M_CP_STRARRAYOPT
2124 #undef M_CP_STRARRAYOPT_ALLOC
/*
 * Parse every line of the configuration held in `conf` into *options.
 *
 * options     - option set to fill in.
 * filename    - name used in diagnostics only.
 * conf        - the NUL-terminated configuration text (from
 *               load_server_config()); it is not modified, a private copy
 *               is parsed.
 * connectinfo - NULL for the initial parse; set when reprocessing the
 *               configuration for a specific connection (Match handling).
 *
 * Parsing stops with fatal() if any line was rejected.  The
 * initialisation of linenum, the bad_options increment and the free of
 * obuf are not part of this excerpt.
 */
2127 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
2128 struct connection_info *connectinfo)
2130 int active, linenum, bad_options = 0;
2131 char *cp, *obuf, *cbuf;
2133 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
/* strsep() modifies its input, so work on a duplicate; obuf keeps the
 * base pointer because cbuf is advanced by strsep(). */
2135 if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2136 fatal("%s: sshbuf_dup_string failed", __func__);
/* When reprocessing for a connection, start inactive so that only
 * directives inside a matching Match block take effect; the initial
 * parse starts active. */
2137 active = connectinfo ? 0 : 1;
2139 while ((cp = strsep(&cbuf, "\n")) != NULL) {
2140 if (process_server_config_line(options, cp, filename,
2141 linenum++, &active, connectinfo) != 0)
2145 if (bad_options > 0)
2146 fatal("%s: terminating, %d bad configuration options",
2147 filename, bad_options);
/* ListenAddress lines were only queued during parsing (queue_listen_addr);
 * resolve them now that all Port lines are known. */
2148 process_queued_listen_addrs(options);
/*
 * Reverse lookup for the multistate tables: return the keyword whose value
 * is `val` in the NULL-terminated table `m`.  The return statements (and
 * what is returned when no entry matches) are not in this excerpt.
 */
2152 fmt_multistate_int(int val, const struct multistate *m)
2156 for (i = 0; m[i].key != NULL; i++) {
2157 if (m[i].value == val)
/*
 * Render an integer option value as the keyword a user would write for
 * option `code` (used by dump_cfg_fmtint for sshd -T).  Options with a
 * multistate table are looked up there; FingerprintHash uses the digest
 * name.  The GatewayPorts/Compression case labels, the yes/no handling
 * and the fallback for unknown values are not part of this excerpt.
 */
2164 fmt_intarg(ServerOpCodes code, int val)
2169 case sAddressFamily:
2170 return fmt_multistate_int(val, multistate_addressfamily);
2171 case sPermitRootLogin:
2172 return fmt_multistate_int(val, multistate_permitrootlogin);
2174 return fmt_multistate_int(val, multistate_gatewayports);
2176 return fmt_multistate_int(val, multistate_compression);
2177 case sAllowTcpForwarding:
2178 return fmt_multistate_int(val, multistate_tcpfwd);
2179 case sAllowStreamLocalForwarding:
2180 return fmt_multistate_int(val, multistate_tcpfwd);
2181 case sFingerprintHash:
2182 return ssh_digest_alg_name(val);
/*
 * Map an opcode back to its configuration keyword by scanning the
 * NULL-terminated keywords table.  What is returned when no keyword has
 * this opcode is not in this excerpt.
 */
2196 lookup_opcode_name(ServerOpCodes code)
2200 for (i = 0; keywords[i].name != NULL; i++)
2201 if (keywords[i].opcode == code)
2202 return(keywords[i].name);
/* Print "<keyword> <val>" for an integer-valued option (sshd -T output). */
static void
dump_cfg_int(ServerOpCodes code, int val)
{
	const char *name = lookup_opcode_name(code);

	printf("%s %d\n", name, val);
}
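/*
 * Print "<keyword> 0<val>" with val rendered in octal (used for
 * StreamLocalBindMask in dump_config).
 *
 * %o takes an unsigned argument; the parameter is an int, so convert it
 * explicitly to keep the printf call well-defined for every value.
 */
static void
dump_cfg_oct(ServerOpCodes code, int val)
{
	printf("%s 0%o\n", lookup_opcode_name(code), (unsigned int)val);
}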
/*
 * Print "<keyword> <text>" where the integer option value is rendered as
 * its configuration keyword by fmt_intarg().
 */
static void
dump_cfg_fmtint(ServerOpCodes code, int val)
{
	const char *name = lookup_opcode_name(code);
	const char *text = fmt_intarg(code, val);

	printf("%s %s\n", name, text);
}
/*
 * Print "<keyword> <val>" for a string option; an unset (NULL) value is
 * shown as "none".
 */
static void
dump_cfg_string(ServerOpCodes code, const char *val)
{
	const char *shown = "none";

	if (val != NULL)
		shown = val;
	printf("%s %s\n", lookup_opcode_name(code), shown);
}
/*
 * Print one "<keyword> <value>" line per element of vals[0..count-1].
 * Prints nothing when count is 0.
 */
static void
dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
{
	u_int idx;

	for (idx = 0; idx < count; idx++) {
		printf("%s %s\n", lookup_opcode_name(code), vals[idx]);
	}
}
/*
 * Print all of vals[0..count-1] on one "<keyword> v1 v2 ..." line.  An
 * empty list prints nothing, except for AuthenticationMethods, whose
 * keyword is always printed (what follows it when count is 0, and the
 * terminating newline, are not in this excerpt).  count is unsigned, so
 * "count <= 0" is simply a test for zero.
 */
2241 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2245 if (count <= 0 && code != sAuthenticationMethods)
2247 printf("%s", lookup_opcode_name(code));
2248 for (i = 0; i < count; i++)
2249 printf(" %s", vals[i]);
2250 if (code == sAuthenticationMethods && count == 0)
2256 dump_config(ServerOptions *o)
2260 struct addrinfo *ai;
2261 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2262 char *laddr1 = xstrdup(""), *laddr2 = NULL;
2264 /* these are usually at the top of the config */
2265 for (i = 0; i < o->num_ports; i++)
2266 printf("port %d\n", o->ports[i]);
2267 dump_cfg_fmtint(sAddressFamily, o->address_family);
2270 * ListenAddress must be after Port. add_one_listen_addr pushes
2271 * addresses onto a stack, so to maintain ordering we need to
2272 * print these in reverse order.
2274 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2275 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2276 sizeof(addr), port, sizeof(port),
2277 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2278 error("getnameinfo failed: %.100s",
2279 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2283 if (ai->ai_family == AF_INET6)
2284 xasprintf(&laddr1, "listenaddress [%s]:%s\n%s",
2285 addr, port, laddr2);
2287 xasprintf(&laddr1, "listenaddress %s:%s\n%s",
2288 addr, port, laddr2);
2292 printf("%s", laddr1);
2295 /* integer arguments */
2297 dump_cfg_fmtint(sUsePAM, o->use_pam);
2299 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2300 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2301 dump_cfg_int(sMaxAuthTries, o->max_authtries);
2302 dump_cfg_int(sMaxSessions, o->max_sessions);
2303 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2304 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2305 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2307 /* formatted integer arguments */
2308 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2309 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2310 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2311 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2312 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2313 o->hostbased_uses_name_from_packet_only);
2314 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2316 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2317 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2318 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2320 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2324 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2325 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2327 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2328 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2329 o->kbd_interactive_authentication);
2330 dump_cfg_fmtint(sChallengeResponseAuthentication,
2331 o->challenge_response_authentication);
2332 dump_cfg_fmtint(sPrintMotd, o->print_motd);
2333 #ifndef DISABLE_LASTLOG
2334 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2336 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2337 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2338 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2339 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2340 dump_cfg_fmtint(sStrictModes, o->strict_modes);
2341 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2342 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2343 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2344 dump_cfg_fmtint(sCompression, o->compression);
2345 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2346 dump_cfg_fmtint(sUseDNS, o->use_dns);
2347 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2348 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2349 dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
2350 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2351 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
2352 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2353 dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
2354 dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
2356 /* string arguments */
2357 dump_cfg_string(sPidFile, o->pid_file);
2358 dump_cfg_string(sXAuthLocation, o->xauth_location);
2359 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
2360 dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
2361 dump_cfg_string(sBanner, o->banner);
2362 dump_cfg_string(sForceCommand, o->adm_forced_command);
2363 dump_cfg_string(sChrootDirectory, o->chroot_directory);
2364 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2365 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2366 dump_cfg_string(sAuthorizedPrincipalsFile,
2367 o->authorized_principals_file);
2368 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2369 ? "none" : o->version_addendum);
2370 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2371 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2372 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2373 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2374 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2375 dump_cfg_string(sKexAlgorithms,
2376 o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
2377 dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2378 o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
2379 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
2380 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2381 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2382 o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2384 /* string arguments requiring a lookup */
2385 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2386 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2388 /* string array arguments */
2389 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2390 o->authorized_keys_files);
2391 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2393 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
2394 o->host_cert_files);
2395 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2396 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2397 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2398 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2399 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2400 dump_cfg_strarray_oneline(sAuthenticationMethods,
2401 o->num_auth_methods, o->auth_methods);
2403 /* other arguments */
2404 for (i = 0; i < o->num_subsystems; i++)
2405 printf("subsystem %s %s\n", o->subsystem_name[i],
2406 o->subsystem_args[i]);
2408 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2409 o->max_startups_rate, o->max_startups);
2411 for (i = 0; tunmode_desc[i].val != -1; i++)
2412 if (tunmode_desc[i].val == o->permit_tun) {
2413 s = tunmode_desc[i].text;
2416 dump_cfg_string(sPermitTunnel, s);
2418 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2419 printf("%s\n", iptos2str(o->ip_qos_bulk));
2421 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
2424 printf("permitopen");
2425 if (o->num_permitted_opens == 0)
2428 for (i = 0; i < o->num_permitted_opens; i++)
2429 printf(" %s", o->permitted_opens[i]);