2 /* $OpenBSD: servconf.c,v 1.229 2012/07/13 01:35:21 dtucker Exp $ */
5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
18 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <netinet/in_systm.h>
23 #include <netinet/ip.h>
35 #include "openbsd-compat/sys-queue.h"
42 #include "pathnames.h"
50 #include "groupaccess.h"
55 static void add_listen_addr(ServerOptions *, char *, int);
56 static void add_one_listen_addr(ServerOptions *, char *, int);
58 /* Use of privilege separation or not */
59 extern int use_privsep;
62 /* Initializes the server options to their default values. */
65 initialize_server_options(ServerOptions *options)
67 memset(options, 0, sizeof(*options));
69 /* Portable-specific options */
70 options->use_pam = -1;
72 /* Standard Options */
73 options->num_ports = 0;
74 options->ports_from_cmdline = 0;
75 options->listen_addrs = NULL;
76 options->address_family = -1;
77 options->num_host_key_files = 0;
78 options->num_host_cert_files = 0;
79 options->pid_file = NULL;
80 options->server_key_bits = -1;
81 options->login_grace_time = -1;
82 options->key_regeneration_time = -1;
83 options->permit_root_login = PERMIT_NOT_SET;
84 options->ignore_rhosts = -1;
85 options->ignore_user_known_hosts = -1;
86 options->print_motd = -1;
87 options->print_lastlog = -1;
88 options->x11_forwarding = -1;
89 options->x11_display_offset = -1;
90 options->x11_use_localhost = -1;
91 options->xauth_location = NULL;
92 options->strict_modes = -1;
93 options->tcp_keep_alive = -1;
94 options->log_facility = SYSLOG_FACILITY_NOT_SET;
95 options->log_level = SYSLOG_LEVEL_NOT_SET;
96 options->rhosts_rsa_authentication = -1;
97 options->hostbased_authentication = -1;
98 options->hostbased_uses_name_from_packet_only = -1;
99 options->rsa_authentication = -1;
100 options->pubkey_authentication = -1;
101 options->kerberos_authentication = -1;
102 options->kerberos_or_local_passwd = -1;
103 options->kerberos_ticket_cleanup = -1;
104 options->kerberos_get_afs_token = -1;
105 options->gss_authentication=-1;
106 options->gss_cleanup_creds = -1;
107 options->password_authentication = -1;
108 options->kbd_interactive_authentication = -1;
109 options->challenge_response_authentication = -1;
110 options->permit_empty_passwd = -1;
111 options->permit_user_env = -1;
112 options->use_login = -1;
113 options->compression = -1;
114 options->allow_tcp_forwarding = -1;
115 options->allow_agent_forwarding = -1;
116 options->num_allow_users = 0;
117 options->num_deny_users = 0;
118 options->num_allow_groups = 0;
119 options->num_deny_groups = 0;
120 options->ciphers = NULL;
121 options->macs = NULL;
122 options->kex_algorithms = NULL;
123 options->protocol = SSH_PROTO_UNKNOWN;
124 options->gateway_ports = -1;
125 options->num_subsystems = 0;
126 options->max_startups_begin = -1;
127 options->max_startups_rate = -1;
128 options->max_startups = -1;
129 options->max_authtries = -1;
130 options->max_sessions = -1;
131 options->banner = NULL;
132 options->use_dns = -1;
133 options->client_alive_interval = -1;
134 options->client_alive_count_max = -1;
135 options->num_authkeys_files = 0;
136 options->num_accept_env = 0;
137 options->permit_tun = -1;
138 options->num_permitted_opens = -1;
139 options->adm_forced_command = NULL;
140 options->chroot_directory = NULL;
141 options->zero_knowledge_password_authentication = -1;
142 options->revoked_keys_file = NULL;
143 options->trusted_user_ca_keys = NULL;
144 options->authorized_principals_file = NULL;
145 options->ip_qos_interactive = -1;
146 options->ip_qos_bulk = -1;
147 options->version_addendum = NULL;
148 options->hpn_disabled = -1;
149 options->hpn_buffer_size = -1;
150 options->tcp_rcv_buf_poll = -1;
151 #ifdef NONE_CIPHER_ENABLED
152 options->none_enabled = -1;
157 fill_default_server_options(ServerOptions *options)
159 /* Portable-specific options */
160 if (options->use_pam == -1)
161 options->use_pam = 1;
163 /* Standard Options */
164 if (options->protocol == SSH_PROTO_UNKNOWN)
165 options->protocol = SSH_PROTO_2;
166 if (options->num_host_key_files == 0) {
167 /* fill default hostkeys for protocols */
168 if (options->protocol & SSH_PROTO_1)
169 options->host_key_files[options->num_host_key_files++] =
171 if (options->protocol & SSH_PROTO_2) {
172 options->host_key_files[options->num_host_key_files++] =
173 _PATH_HOST_RSA_KEY_FILE;
174 options->host_key_files[options->num_host_key_files++] =
175 _PATH_HOST_DSA_KEY_FILE;
176 #ifdef OPENSSL_HAS_ECC
177 options->host_key_files[options->num_host_key_files++] =
178 _PATH_HOST_ECDSA_KEY_FILE;
182 /* No certificates by default */
183 if (options->num_ports == 0)
184 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
185 if (options->listen_addrs == NULL)
186 add_listen_addr(options, NULL, 0);
187 if (options->pid_file == NULL)
188 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
189 if (options->server_key_bits == -1)
190 options->server_key_bits = 1024;
191 if (options->login_grace_time == -1)
192 options->login_grace_time = 120;
193 if (options->key_regeneration_time == -1)
194 options->key_regeneration_time = 3600;
195 if (options->permit_root_login == PERMIT_NOT_SET)
196 options->permit_root_login = PERMIT_NO;
197 if (options->ignore_rhosts == -1)
198 options->ignore_rhosts = 1;
199 if (options->ignore_user_known_hosts == -1)
200 options->ignore_user_known_hosts = 0;
201 if (options->print_motd == -1)
202 options->print_motd = 1;
203 if (options->print_lastlog == -1)
204 options->print_lastlog = 1;
205 if (options->x11_forwarding == -1)
206 options->x11_forwarding = 1;
207 if (options->x11_display_offset == -1)
208 options->x11_display_offset = 10;
209 if (options->x11_use_localhost == -1)
210 options->x11_use_localhost = 1;
211 if (options->xauth_location == NULL)
212 options->xauth_location = _PATH_XAUTH;
213 if (options->strict_modes == -1)
214 options->strict_modes = 1;
215 if (options->tcp_keep_alive == -1)
216 options->tcp_keep_alive = 1;
217 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
218 options->log_facility = SYSLOG_FACILITY_AUTH;
219 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
220 options->log_level = SYSLOG_LEVEL_INFO;
221 if (options->rhosts_rsa_authentication == -1)
222 options->rhosts_rsa_authentication = 0;
223 if (options->hostbased_authentication == -1)
224 options->hostbased_authentication = 0;
225 if (options->hostbased_uses_name_from_packet_only == -1)
226 options->hostbased_uses_name_from_packet_only = 0;
227 if (options->rsa_authentication == -1)
228 options->rsa_authentication = 1;
229 if (options->pubkey_authentication == -1)
230 options->pubkey_authentication = 1;
231 if (options->kerberos_authentication == -1)
232 options->kerberos_authentication = 0;
233 if (options->kerberos_or_local_passwd == -1)
234 options->kerberos_or_local_passwd = 1;
235 if (options->kerberos_ticket_cleanup == -1)
236 options->kerberos_ticket_cleanup = 1;
237 if (options->kerberos_get_afs_token == -1)
238 options->kerberos_get_afs_token = 0;
239 if (options->gss_authentication == -1)
240 options->gss_authentication = 0;
241 if (options->gss_cleanup_creds == -1)
242 options->gss_cleanup_creds = 1;
243 if (options->password_authentication == -1)
244 options->password_authentication = 0;
245 if (options->kbd_interactive_authentication == -1)
246 options->kbd_interactive_authentication = 0;
247 if (options->challenge_response_authentication == -1)
248 options->challenge_response_authentication = 1;
249 if (options->permit_empty_passwd == -1)
250 options->permit_empty_passwd = 0;
251 if (options->permit_user_env == -1)
252 options->permit_user_env = 0;
253 if (options->use_login == -1)
254 options->use_login = 0;
255 if (options->compression == -1)
256 options->compression = COMP_DELAYED;
257 if (options->allow_tcp_forwarding == -1)
258 options->allow_tcp_forwarding = 1;
259 if (options->allow_agent_forwarding == -1)
260 options->allow_agent_forwarding = 1;
261 if (options->gateway_ports == -1)
262 options->gateway_ports = 0;
263 if (options->max_startups == -1)
264 options->max_startups = 10;
265 if (options->max_startups_rate == -1)
266 options->max_startups_rate = 100; /* 100% */
267 if (options->max_startups_begin == -1)
268 options->max_startups_begin = options->max_startups;
269 if (options->max_authtries == -1)
270 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
271 if (options->max_sessions == -1)
272 options->max_sessions = DEFAULT_SESSIONS_MAX;
273 if (options->use_dns == -1)
274 options->use_dns = 1;
275 if (options->client_alive_interval == -1)
276 options->client_alive_interval = 0;
277 if (options->client_alive_count_max == -1)
278 options->client_alive_count_max = 3;
279 if (options->num_authkeys_files == 0) {
280 options->authorized_keys_files[options->num_authkeys_files++] =
281 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
282 options->authorized_keys_files[options->num_authkeys_files++] =
283 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
285 if (options->permit_tun == -1)
286 options->permit_tun = SSH_TUNMODE_NO;
287 if (options->zero_knowledge_password_authentication == -1)
288 options->zero_knowledge_password_authentication = 0;
289 if (options->ip_qos_interactive == -1)
290 options->ip_qos_interactive = IPTOS_LOWDELAY;
291 if (options->ip_qos_bulk == -1)
292 options->ip_qos_bulk = IPTOS_THROUGHPUT;
293 if (options->version_addendum == NULL)
294 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
295 /* Turn privilege separation on by default */
296 if (use_privsep == -1)
297 use_privsep = PRIVSEP_ON;
300 if (use_privsep && options->compression == 1) {
301 error("This platform does not support both privilege "
302 "separation and compression");
303 error("Compression disabled");
304 options->compression = 0;
308 if (options->hpn_disabled == -1)
309 options->hpn_disabled = 0;
310 if (options->hpn_buffer_size == -1) {
312 * HPN buffer size option not explicitly set. Try to figure
313 * out what value to use or resort to default.
315 options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
316 if (!options->hpn_disabled) {
317 sock_get_rcvbuf(&options->hpn_buffer_size, 0);
318 debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
322 * In the case that the user sets both values in a
323 * contradictory manner hpn_disabled overrrides hpn_buffer_size.
325 if (options->hpn_disabled <= 0) {
328 maxlen = buffer_get_max_len();
329 if (options->hpn_buffer_size == 0)
330 options->hpn_buffer_size = 1;
331 /* Limit the maximum buffer to BUFFER_MAX_LEN. */
332 if (options->hpn_buffer_size > maxlen / 1024)
333 options->hpn_buffer_size = maxlen;
335 options->hpn_buffer_size *= 1024;
337 options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
342 /* Keyword tokens. */
344 sBadOption, /* == unknown option */
345 /* Portable-specific options */
347 /* Standard Options */
348 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
349 sPermitRootLogin, sLogFacility, sLogLevel,
350 sRhostsRSAAuthentication, sRSAAuthentication,
351 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
352 sKerberosGetAFSToken,
353 sKerberosTgtPassing, sChallengeResponseAuthentication,
354 sPasswordAuthentication, sKbdInteractiveAuthentication,
355 sListenAddress, sAddressFamily,
356 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
357 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
358 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
359 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
360 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
361 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
362 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
363 sMaxStartups, sMaxAuthTries, sMaxSessions,
364 sBanner, sUseDNS, sHostbasedAuthentication,
365 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
366 sClientAliveCountMax, sAuthorizedKeysFile,
367 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
368 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
369 sUsePrivilegeSeparation, sAllowAgentForwarding,
370 sZeroKnowledgePasswordAuthentication, sHostCertificate,
371 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
372 sKexAlgorithms, sIPQoS, sVersionAddendum,
373 sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll,
374 #ifdef NONE_CIPHER_ENABLED
377 sDeprecated, sUnsupported
380 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
381 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
382 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
384 /* Textual representation of the tokens. */
387 ServerOpCodes opcode;
390 /* Portable-specific options */
392 { "usepam", sUsePAM, SSHCFG_GLOBAL },
394 { "usepam", sUnsupported, SSHCFG_GLOBAL },
396 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
397 /* Standard Options */
398 { "port", sPort, SSHCFG_GLOBAL },
399 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
400 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
401 { "pidfile", sPidFile, SSHCFG_GLOBAL },
402 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
403 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
404 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
405 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
406 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
407 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
408 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
409 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
410 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
411 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
412 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
413 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
414 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
416 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
417 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
418 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
420 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
422 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
425 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
426 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
427 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
428 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
430 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
431 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
433 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
434 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
436 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
437 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
439 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
440 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
441 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
442 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
444 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
446 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
448 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
449 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
450 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
451 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
452 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
453 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
454 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
455 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
456 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
457 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
458 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
459 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
460 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
461 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
462 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
463 { "compression", sCompression, SSHCFG_GLOBAL },
464 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
465 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
466 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
467 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
468 { "allowusers", sAllowUsers, SSHCFG_ALL },
469 { "denyusers", sDenyUsers, SSHCFG_ALL },
470 { "allowgroups", sAllowGroups, SSHCFG_ALL },
471 { "denygroups", sDenyGroups, SSHCFG_ALL },
472 { "ciphers", sCiphers, SSHCFG_GLOBAL },
473 { "macs", sMacs, SSHCFG_GLOBAL },
474 { "protocol", sProtocol, SSHCFG_GLOBAL },
475 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
476 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
477 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
478 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
479 { "maxsessions", sMaxSessions, SSHCFG_ALL },
480 { "banner", sBanner, SSHCFG_ALL },
481 { "usedns", sUseDNS, SSHCFG_GLOBAL },
482 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
483 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
484 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
485 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
486 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
487 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
488 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
489 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
490 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
491 { "match", sMatch, SSHCFG_ALL },
492 { "permitopen", sPermitOpen, SSHCFG_ALL },
493 { "forcecommand", sForceCommand, SSHCFG_ALL },
494 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
495 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
496 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
497 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
498 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
499 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
500 { "ipqos", sIPQoS, SSHCFG_ALL },
501 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
502 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
503 { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
504 { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
505 { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
506 #ifdef NONE_CIPHER_ENABLED
507 { "noneenabled", sNoneEnabled, SSHCFG_ALL },
509 { NULL, sBadOption, 0 }
516 { SSH_TUNMODE_NO, "no" },
517 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
518 { SSH_TUNMODE_ETHERNET, "ethernet" },
519 { SSH_TUNMODE_YES, "yes" },
524 * Returns the number of the token pointed to by cp or sBadOption.
528 parse_token(const char *cp, const char *filename,
529 int linenum, u_int *flags)
533 for (i = 0; keywords[i].name; i++)
534 if (strcasecmp(cp, keywords[i].name) == 0) {
535 *flags = keywords[i].flags;
536 return keywords[i].opcode;
539 error("%s: line %d: Bad configuration option: %s",
540 filename, linenum, cp);
545 derelativise_path(const char *path)
547 char *expanded, *ret, cwd[MAXPATHLEN];
549 expanded = tilde_expand_filename(path, getuid());
550 if (*expanded == '/')
552 if (getcwd(cwd, sizeof(cwd)) == NULL)
553 fatal("%s: getcwd: %s", __func__, strerror(errno));
554 xasprintf(&ret, "%s/%s", cwd, expanded);
560 add_listen_addr(ServerOptions *options, char *addr, int port)
564 if (options->num_ports == 0)
565 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
566 if (options->address_family == -1)
567 options->address_family = AF_UNSPEC;
569 for (i = 0; i < options->num_ports; i++)
570 add_one_listen_addr(options, addr, options->ports[i]);
572 add_one_listen_addr(options, addr, port);
576 add_one_listen_addr(ServerOptions *options, char *addr, int port)
578 struct addrinfo hints, *ai, *aitop;
579 char strport[NI_MAXSERV];
582 memset(&hints, 0, sizeof(hints));
583 hints.ai_family = options->address_family;
584 hints.ai_socktype = SOCK_STREAM;
585 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
586 snprintf(strport, sizeof strport, "%d", port);
587 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
588 fatal("bad addr or host: %s (%s)",
589 addr ? addr : "<NULL>",
590 ssh_gai_strerror(gaierr));
591 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
593 ai->ai_next = options->listen_addrs;
594 options->listen_addrs = aitop;
597 struct connection_info *
598 get_connection_info(int populate, int use_dns)
600 static struct connection_info ci;
604 ci.host = get_canonical_hostname(use_dns);
605 ci.address = get_remote_ipaddr();
606 ci.laddress = get_local_ipaddr(packet_get_connection_in());
607 ci.lport = get_local_port();
612 * The strategy for the Match blocks is that the config file is parsed twice.
614 * The first time is at startup. activep is initialized to 1 and the
615 * directives in the global context are processed and acted on. Hitting a
616 * Match directive unsets activep and the directives inside the block are
617 * checked for syntax only.
619 * The second time is after a connection has been established but before
620 * authentication. activep is initialized to 2 and global config directives
621 * are ignored since they have already been processed. If the criteria in a
622 * Match block is met, activep is set and the subsequent directives
623 * processed and actioned until EOF or another Match block unsets it. Any
624 * options set are copied into the main server config.
626 * Potential additions/improvements:
627 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
629 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
630 * Match Address 192.168.0.*
635 * AllowTcpForwarding yes
636 * GatewayPorts clientspecified
639 * - Add a PermittedChannelRequests directive
641 * PermittedChannelRequests session,forwarded-tcpip
645 match_cfg_line_group(const char *grps, int line, const char *user)
653 if ((pw = getpwnam(user)) == NULL) {
654 debug("Can't match group at line %d because user %.100s does "
655 "not exist", line, user);
656 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
657 debug("Can't Match group because user %.100s not in any group "
658 "at line %d", user, line);
659 } else if (ga_match_pattern_list(grps) != 1) {
660 debug("user %.100s does not match group list %.100s at line %d",
663 debug("user %.100s matched group list %.100s at line %d", user,
673 * All of the attributes on a single Match line are ANDed together, so we need to check every
674 * attribute and set the result to zero if any attribute does not match.
677 match_cfg_line(char **condition, int line, struct connection_info *ci)
679 int result = 1, port;
680 char *arg, *attrib, *cp = *condition;
684 debug3("checking syntax for 'Match %s'", cp);
686 debug3("checking match for '%s' user %s host %s addr %s "
687 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
688 ci->host ? ci->host : "(null)",
689 ci->address ? ci->address : "(null)",
690 ci->laddress ? ci->laddress : "(null)", ci->lport);
692 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
693 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
694 error("Missing Match criteria for %s", attrib);
698 if (strcasecmp(attrib, "user") == 0) {
699 if (ci == NULL || ci->user == NULL) {
703 if (match_pattern_list(ci->user, arg, len, 0) != 1)
706 debug("user %.100s matched 'User %.100s' at "
707 "line %d", ci->user, arg, line);
708 } else if (strcasecmp(attrib, "group") == 0) {
709 if (ci == NULL || ci->user == NULL) {
713 switch (match_cfg_line_group(arg, line, ci->user)) {
719 } else if (strcasecmp(attrib, "host") == 0) {
720 if (ci == NULL || ci->host == NULL) {
724 if (match_hostname(ci->host, arg, len) != 1)
727 debug("connection from %.100s matched 'Host "
728 "%.100s' at line %d", ci->host, arg, line);
729 } else if (strcasecmp(attrib, "address") == 0) {
730 if (ci == NULL || ci->address == NULL) {
734 switch (addr_match_list(ci->address, arg)) {
736 debug("connection from %.100s matched 'Address "
737 "%.100s' at line %d", ci->address, arg, line);
746 } else if (strcasecmp(attrib, "localaddress") == 0){
747 if (ci == NULL || ci->laddress == NULL) {
751 switch (addr_match_list(ci->laddress, arg)) {
753 debug("connection from %.100s matched "
754 "'LocalAddress %.100s' at line %d",
755 ci->laddress, arg, line);
764 } else if (strcasecmp(attrib, "localport") == 0) {
765 if ((port = a2port(arg)) == -1) {
766 error("Invalid LocalPort '%s' on Match line",
770 if (ci == NULL || ci->lport == 0) {
774 /* TODO support port lists */
775 if (port == ci->lport)
776 debug("connection from %.100s matched "
777 "'LocalPort %d' at line %d",
778 ci->laddress, port, line);
782 error("Unsupported Match attribute %s", attrib);
787 debug3("match %sfound", result ? "" : "not ");
792 #define WHITESPACE " \t\r\n"
794 /* Multistate option parsing */
799 static const struct multistate multistate_addressfamily[] = {
801 { "inet6", AF_INET6 },
802 { "any", AF_UNSPEC },
805 static const struct multistate multistate_permitrootlogin[] = {
806 { "without-password", PERMIT_NO_PASSWD },
807 { "forced-commands-only", PERMIT_FORCED_ONLY },
808 { "yes", PERMIT_YES },
812 static const struct multistate multistate_compression[] = {
813 { "delayed", COMP_DELAYED },
814 { "yes", COMP_ZLIB },
818 static const struct multistate multistate_gatewayports[] = {
819 { "clientspecified", 2 },
824 static const struct multistate multistate_privsep[] = {
825 { "yes", PRIVSEP_NOSANDBOX },
826 { "sandbox", PRIVSEP_ON },
827 { "nosandbox", PRIVSEP_NOSANDBOX },
828 { "no", PRIVSEP_OFF },
833 process_server_config_line(ServerOptions *options, char *line,
834 const char *filename, int linenum, int *activep,
835 struct connection_info *connectinfo)
837 char *cp, **charptr, *arg, *p;
838 int cmdline = 0, *intptr, value, value2, n;
839 SyslogFacility *log_facility_ptr;
840 LogLevel *log_level_ptr;
841 ServerOpCodes opcode;
845 const struct multistate *multistate_ptr;
848 if ((arg = strdelim(&cp)) == NULL)
850 /* Ignore leading whitespace */
853 if (!arg || !*arg || *arg == '#')
857 opcode = parse_token(arg, filename, linenum, &flags);
859 if (activep == NULL) { /* We are processing a command line directive */
863 if (*activep && opcode != sMatch)
864 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
865 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
866 if (connectinfo == NULL) {
867 fatal("%s line %d: Directive '%s' is not allowed "
868 "within a Match block", filename, linenum, arg);
869 } else { /* this is a directive we have already processed */
877 /* Portable-specific options */
879 intptr = &options->use_pam;
882 /* Standard Options */
886 /* ignore ports from configfile if cmdline specifies ports */
887 if (options->ports_from_cmdline)
889 if (options->listen_addrs != NULL)
890 fatal("%s line %d: ports must be specified before "
891 "ListenAddress.", filename, linenum);
892 if (options->num_ports >= MAX_PORTS)
893 fatal("%s line %d: too many ports.",
896 if (!arg || *arg == '\0')
897 fatal("%s line %d: missing port number.",
899 options->ports[options->num_ports++] = a2port(arg);
900 if (options->ports[options->num_ports-1] <= 0)
901 fatal("%s line %d: Badly formatted port number.",
906 intptr = &options->server_key_bits;
909 if (!arg || *arg == '\0')
910 fatal("%s line %d: missing integer value.",
913 if (*activep && *intptr == -1)
917 case sLoginGraceTime:
918 intptr = &options->login_grace_time;
921 if (!arg || *arg == '\0')
922 fatal("%s line %d: missing time value.",
924 if ((value = convtime(arg)) == -1)
925 fatal("%s line %d: invalid time value.",
931 case sKeyRegenerationTime:
932 intptr = &options->key_regeneration_time;
937 if (arg == NULL || *arg == '\0')
938 fatal("%s line %d: missing address",
940 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
941 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
942 && strchr(p+1, ':') != NULL) {
943 add_listen_addr(options, arg, 0);
948 fatal("%s line %d: bad address:port usage",
950 p = cleanhostname(p);
953 else if ((port = a2port(arg)) <= 0)
954 fatal("%s line %d: bad port number", filename, linenum);
956 add_listen_addr(options, p, port);
961 intptr = &options->address_family;
962 multistate_ptr = multistate_addressfamily;
963 if (options->listen_addrs != NULL)
964 fatal("%s line %d: address family must be specified "
965 "before ListenAddress.", filename, linenum);
968 if (!arg || *arg == '\0')
969 fatal("%s line %d: missing argument.",
972 for (i = 0; multistate_ptr[i].key != NULL; i++) {
973 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
974 value = multistate_ptr[i].value;
979 fatal("%s line %d: unsupported option \"%s\".",
980 filename, linenum, arg);
981 if (*activep && *intptr == -1)
986 intptr = &options->num_host_key_files;
987 if (*intptr >= MAX_HOSTKEYS)
988 fatal("%s line %d: too many host keys specified (max %d).",
989 filename, linenum, MAX_HOSTKEYS);
990 charptr = &options->host_key_files[*intptr];
993 if (!arg || *arg == '\0')
994 fatal("%s line %d: missing file name.",
996 if (*activep && *charptr == NULL) {
997 *charptr = derelativise_path(arg);
998 /* increase optional counter */
1000 *intptr = *intptr + 1;
1004 case sHostCertificate:
1005 intptr = &options->num_host_cert_files;
1006 if (*intptr >= MAX_HOSTKEYS)
1007 fatal("%s line %d: too many host certificates "
1008 "specified (max %d).", filename, linenum,
1010 charptr = &options->host_cert_files[*intptr];
1011 goto parse_filename;
1015 charptr = &options->pid_file;
1016 goto parse_filename;
1018 case sPermitRootLogin:
1019 intptr = &options->permit_root_login;
1020 multistate_ptr = multistate_permitrootlogin;
1021 goto parse_multistate;
1024 intptr = &options->ignore_rhosts;
1026 arg = strdelim(&cp);
1027 if (!arg || *arg == '\0')
1028 fatal("%s line %d: missing yes/no argument.",
1030 value = 0; /* silence compiler */
1031 if (strcmp(arg, "yes") == 0)
1033 else if (strcmp(arg, "no") == 0)
1036 fatal("%s line %d: Bad yes/no argument: %s",
1037 filename, linenum, arg);
1038 if (*activep && *intptr == -1)
1042 case sIgnoreUserKnownHosts:
1043 intptr = &options->ignore_user_known_hosts;
1046 case sRhostsRSAAuthentication:
1047 intptr = &options->rhosts_rsa_authentication;
1050 case sHostbasedAuthentication:
1051 intptr = &options->hostbased_authentication;
1054 case sHostbasedUsesNameFromPacketOnly:
1055 intptr = &options->hostbased_uses_name_from_packet_only;
1058 case sRSAAuthentication:
1059 intptr = &options->rsa_authentication;
1062 case sPubkeyAuthentication:
1063 intptr = &options->pubkey_authentication;
1066 case sKerberosAuthentication:
1067 intptr = &options->kerberos_authentication;
1070 case sKerberosOrLocalPasswd:
1071 intptr = &options->kerberos_or_local_passwd;
1074 case sKerberosTicketCleanup:
1075 intptr = &options->kerberos_ticket_cleanup;
1078 case sKerberosGetAFSToken:
1079 intptr = &options->kerberos_get_afs_token;
1082 case sGssAuthentication:
1083 intptr = &options->gss_authentication;
1086 case sGssCleanupCreds:
1087 intptr = &options->gss_cleanup_creds;
1090 case sPasswordAuthentication:
1091 intptr = &options->password_authentication;
1094 case sZeroKnowledgePasswordAuthentication:
1095 intptr = &options->zero_knowledge_password_authentication;
1098 case sKbdInteractiveAuthentication:
1099 intptr = &options->kbd_interactive_authentication;
1102 case sChallengeResponseAuthentication:
1103 intptr = &options->challenge_response_authentication;
1107 intptr = &options->print_motd;
1111 intptr = &options->print_lastlog;
1114 case sX11Forwarding:
1115 intptr = &options->x11_forwarding;
1118 case sX11DisplayOffset:
1119 intptr = &options->x11_display_offset;
1122 case sX11UseLocalhost:
1123 intptr = &options->x11_use_localhost;
1126 case sXAuthLocation:
1127 charptr = &options->xauth_location;
1128 goto parse_filename;
1131 intptr = &options->strict_modes;
1135 intptr = &options->tcp_keep_alive;
1139 intptr = &options->permit_empty_passwd;
1142 case sPermitUserEnvironment:
1143 intptr = &options->permit_user_env;
1147 intptr = &options->use_login;
1151 intptr = &options->compression;
1152 multistate_ptr = multistate_compression;
1153 goto parse_multistate;
1156 intptr = &options->gateway_ports;
1157 multistate_ptr = multistate_gatewayports;
1158 goto parse_multistate;
1161 intptr = &options->use_dns;
1165 log_facility_ptr = &options->log_facility;
1166 arg = strdelim(&cp);
1167 value = log_facility_number(arg);
1168 if (value == SYSLOG_FACILITY_NOT_SET)
1169 fatal("%.200s line %d: unsupported log facility '%s'",
1170 filename, linenum, arg ? arg : "<NONE>");
1171 if (*log_facility_ptr == -1)
1172 *log_facility_ptr = (SyslogFacility) value;
1176 log_level_ptr = &options->log_level;
1177 arg = strdelim(&cp);
1178 value = log_level_number(arg);
1179 if (value == SYSLOG_LEVEL_NOT_SET)
1180 fatal("%.200s line %d: unsupported log level '%s'",
1181 filename, linenum, arg ? arg : "<NONE>");
1182 if (*log_level_ptr == -1)
1183 *log_level_ptr = (LogLevel) value;
1186 case sAllowTcpForwarding:
1187 intptr = &options->allow_tcp_forwarding;
1190 case sAllowAgentForwarding:
1191 intptr = &options->allow_agent_forwarding;
1194 case sUsePrivilegeSeparation:
1195 intptr = &use_privsep;
1196 multistate_ptr = multistate_privsep;
1197 goto parse_multistate;
1200 while ((arg = strdelim(&cp)) && *arg != '\0') {
1201 if (options->num_allow_users >= MAX_ALLOW_USERS)
1202 fatal("%s line %d: too many allow users.",
1206 options->allow_users[options->num_allow_users++] =
1212 while ((arg = strdelim(&cp)) && *arg != '\0') {
1213 if (options->num_deny_users >= MAX_DENY_USERS)
1214 fatal("%s line %d: too many deny users.",
1218 options->deny_users[options->num_deny_users++] =
1224 while ((arg = strdelim(&cp)) && *arg != '\0') {
1225 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1226 fatal("%s line %d: too many allow groups.",
1230 options->allow_groups[options->num_allow_groups++] =
1236 while ((arg = strdelim(&cp)) && *arg != '\0') {
1237 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1238 fatal("%s line %d: too many deny groups.",
1242 options->deny_groups[options->num_deny_groups++] =
1248 arg = strdelim(&cp);
1249 if (!arg || *arg == '\0')
1250 fatal("%s line %d: Missing argument.", filename, linenum);
1251 if (!ciphers_valid(arg))
1252 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1253 filename, linenum, arg ? arg : "<NONE>");
1254 if (options->ciphers == NULL)
1255 options->ciphers = xstrdup(arg);
1259 arg = strdelim(&cp);
1260 if (!arg || *arg == '\0')
1261 fatal("%s line %d: Missing argument.", filename, linenum);
1262 if (!mac_valid(arg))
1263 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1264 filename, linenum, arg ? arg : "<NONE>");
1265 if (options->macs == NULL)
1266 options->macs = xstrdup(arg);
1269 case sKexAlgorithms:
1270 arg = strdelim(&cp);
1271 if (!arg || *arg == '\0')
1272 fatal("%s line %d: Missing argument.",
1274 if (!kex_names_valid(arg))
1275 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1276 filename, linenum, arg ? arg : "<NONE>");
1277 if (options->kex_algorithms == NULL)
1278 options->kex_algorithms = xstrdup(arg);
1282 intptr = &options->protocol;
1283 arg = strdelim(&cp);
1284 if (!arg || *arg == '\0')
1285 fatal("%s line %d: Missing argument.", filename, linenum);
1286 value = proto_spec(arg);
1287 if (value == SSH_PROTO_UNKNOWN)
1288 fatal("%s line %d: Bad protocol spec '%s'.",
1289 filename, linenum, arg ? arg : "<NONE>");
1290 if (*intptr == SSH_PROTO_UNKNOWN)
1295 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1296 fatal("%s line %d: too many subsystems defined.",
1299 arg = strdelim(&cp);
1300 if (!arg || *arg == '\0')
1301 fatal("%s line %d: Missing subsystem name.",
1304 arg = strdelim(&cp);
1307 for (i = 0; i < options->num_subsystems; i++)
1308 if (strcmp(arg, options->subsystem_name[i]) == 0)
1309 fatal("%s line %d: Subsystem '%s' already defined.",
1310 filename, linenum, arg);
1311 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1312 arg = strdelim(&cp);
1313 if (!arg || *arg == '\0')
1314 fatal("%s line %d: Missing subsystem command.",
1316 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1318 /* Collect arguments (separate to executable) */
1320 len = strlen(p) + 1;
1321 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1322 len += 1 + strlen(arg);
1323 p = xrealloc(p, 1, len);
1324 strlcat(p, " ", len);
1325 strlcat(p, arg, len);
1327 options->subsystem_args[options->num_subsystems] = p;
1328 options->num_subsystems++;
1332 arg = strdelim(&cp);
1333 if (!arg || *arg == '\0')
1334 fatal("%s line %d: Missing MaxStartups spec.",
1336 if ((n = sscanf(arg, "%d:%d:%d",
1337 &options->max_startups_begin,
1338 &options->max_startups_rate,
1339 &options->max_startups)) == 3) {
1340 if (options->max_startups_begin >
1341 options->max_startups ||
1342 options->max_startups_rate > 100 ||
1343 options->max_startups_rate < 1)
1344 fatal("%s line %d: Illegal MaxStartups spec.",
1347 fatal("%s line %d: Illegal MaxStartups spec.",
1350 options->max_startups = options->max_startups_begin;
1354 intptr = &options->max_authtries;
1358 intptr = &options->max_sessions;
1362 charptr = &options->banner;
1363 goto parse_filename;
1366 * These options can contain %X options expanded at
1367 * connect time, so that you can specify paths like:
1369 * AuthorizedKeysFile /etc/ssh_keys/%u
1371 case sAuthorizedKeysFile:
1372 if (*activep && options->num_authkeys_files == 0) {
1373 while ((arg = strdelim(&cp)) && *arg != '\0') {
1374 if (options->num_authkeys_files >=
1376 fatal("%s line %d: "
1377 "too many authorized keys files.",
1379 options->authorized_keys_files[
1380 options->num_authkeys_files++] =
1381 tilde_expand_filename(arg, getuid());
1386 case sAuthorizedPrincipalsFile:
1387 charptr = &options->authorized_principals_file;
1388 arg = strdelim(&cp);
1389 if (!arg || *arg == '\0')
1390 fatal("%s line %d: missing file name.",
1392 if (*activep && *charptr == NULL) {
1393 *charptr = tilde_expand_filename(arg, getuid());
1394 /* increase optional counter */
1396 *intptr = *intptr + 1;
1400 case sClientAliveInterval:
1401 intptr = &options->client_alive_interval;
1404 case sClientAliveCountMax:
1405 intptr = &options->client_alive_count_max;
1409 while ((arg = strdelim(&cp)) && *arg != '\0') {
1410 if (strchr(arg, '=') != NULL)
1411 fatal("%s line %d: Invalid environment name.",
1413 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1414 fatal("%s line %d: too many allow env.",
1418 options->accept_env[options->num_accept_env++] =
1424 intptr = &options->permit_tun;
1425 arg = strdelim(&cp);
1426 if (!arg || *arg == '\0')
1427 fatal("%s line %d: Missing yes/point-to-point/"
1428 "ethernet/no argument.", filename, linenum);
1430 for (i = 0; tunmode_desc[i].val != -1; i++)
1431 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1432 value = tunmode_desc[i].val;
1436 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1437 "no argument: %s", filename, linenum, arg);
1444 fatal("Match directive not supported as a command-line "
1446 value = match_cfg_line(&cp, linenum, connectinfo);
1448 fatal("%s line %d: Bad Match condition", filename,
1454 arg = strdelim(&cp);
1455 if (!arg || *arg == '\0')
1456 fatal("%s line %d: missing PermitOpen specification",
1458 n = options->num_permitted_opens; /* modified later */
1459 if (strcmp(arg, "any") == 0) {
1460 if (*activep && n == -1) {
1461 channel_clear_adm_permitted_opens();
1462 options->num_permitted_opens = 0;
1466 if (strcmp(arg, "none") == 0) {
1467 if (*activep && n == -1) {
1468 channel_clear_adm_permitted_opens();
1469 options->num_permitted_opens = 1;
1470 channel_disable_adm_local_opens();
1474 if (*activep && n == -1)
1475 channel_clear_adm_permitted_opens();
1476 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1479 fatal("%s line %d: missing host in PermitOpen",
1481 p = cleanhostname(p);
1482 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1483 fatal("%s line %d: bad port number in "
1484 "PermitOpen", filename, linenum);
1485 if (*activep && n == -1)
1486 options->num_permitted_opens =
1487 channel_add_adm_permitted_opens(p, port);
1493 fatal("%.200s line %d: Missing argument.", filename,
1495 len = strspn(cp, WHITESPACE);
1496 if (*activep && options->adm_forced_command == NULL)
1497 options->adm_forced_command = xstrdup(cp + len);
1500 case sChrootDirectory:
1501 charptr = &options->chroot_directory;
1503 arg = strdelim(&cp);
1504 if (!arg || *arg == '\0')
1505 fatal("%s line %d: missing file name.",
1507 if (*activep && *charptr == NULL)
1508 *charptr = xstrdup(arg);
1511 case sTrustedUserCAKeys:
1512 charptr = &options->trusted_user_ca_keys;
1513 goto parse_filename;
1516 charptr = &options->revoked_keys_file;
1517 goto parse_filename;
1520 arg = strdelim(&cp);
1521 if ((value = parse_ipqos(arg)) == -1)
1522 fatal("%s line %d: Bad IPQoS value: %s",
1523 filename, linenum, arg);
1524 arg = strdelim(&cp);
1527 else if ((value2 = parse_ipqos(arg)) == -1)
1528 fatal("%s line %d: Bad IPQoS value: %s",
1529 filename, linenum, arg);
1531 options->ip_qos_interactive = value;
1532 options->ip_qos_bulk = value2;
1536 case sVersionAddendum:
1538 fatal("%.200s line %d: Missing argument.", filename,
1540 len = strspn(cp, WHITESPACE);
1541 if (*activep && options->version_addendum == NULL) {
1542 if (strcasecmp(cp + len, "none") == 0)
1543 options->version_addendum = xstrdup("");
1544 else if (strchr(cp + len, '\r') != NULL)
1545 fatal("%.200s line %d: Invalid argument",
1548 options->version_addendum = xstrdup(cp + len);
1553 intptr = &options->hpn_disabled;
1556 case sHPNBufferSize:
1557 intptr = &options->hpn_buffer_size;
1560 case sTcpRcvBufPoll:
1561 intptr = &options->tcp_rcv_buf_poll;
1564 #ifdef NONE_CIPHER_ENABLED
1566 intptr = &options->none_enabled;
1571 logit("%s line %d: Deprecated option %s",
1572 filename, linenum, arg);
1574 arg = strdelim(&cp);
1578 logit("%s line %d: Unsupported option %s",
1579 filename, linenum, arg);
1581 arg = strdelim(&cp);
1585 fatal("%s line %d: Missing handler for opcode %s (%d)",
1586 filename, linenum, arg, opcode);
1588 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1589 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1590 filename, linenum, arg);
1594 /* Reads the server configuration file. */
1597 load_server_config(const char *filename, Buffer *conf)
1599 char line[4096], *cp;
1603 debug2("%s: filename %s", __func__, filename);
1604 if ((f = fopen(filename, "r")) == NULL) {
1609 while (fgets(line, sizeof(line), f)) {
1611 if (strlen(line) == sizeof(line) - 1)
1612 fatal("%s line %d too long", filename, lineno);
1614 * Trim out comments and strip whitespace
1615 * NB - preserve newlines, they are needed to reproduce
1616 * line numbers later for error messages
1618 if ((cp = strchr(line, '#')) != NULL)
1619 memcpy(cp, "\n", 2);
1620 cp = line + strspn(line, " \t\r");
1622 buffer_append(conf, cp, strlen(cp));
1624 buffer_append(conf, "\0", 1);
1626 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1630 parse_server_match_config(ServerOptions *options,
1631 struct connection_info *connectinfo)
1635 initialize_server_options(&mo);
1636 parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1637 copy_set_server_options(options, &mo, 0);
1640 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1644 while ((p = strsep(&spec, ",")) && *p != '\0') {
1645 if (strncmp(p, "addr=", 5) == 0) {
1646 ci->address = xstrdup(p + 5);
1647 } else if (strncmp(p, "host=", 5) == 0) {
1648 ci->host = xstrdup(p + 5);
1649 } else if (strncmp(p, "user=", 5) == 0) {
1650 ci->user = xstrdup(p + 5);
1651 } else if (strncmp(p, "laddr=", 6) == 0) {
1652 ci->laddress = xstrdup(p + 6);
1653 } else if (strncmp(p, "lport=", 6) == 0) {
1654 ci->lport = a2port(p + 6);
1655 if (ci->lport == -1) {
1656 fprintf(stderr, "Invalid port '%s' in test mode"
1657 " specification %s\n", p+6, p);
1661 fprintf(stderr, "Invalid test mode specification %s\n",
1670 * returns 1 for a complete spec, 0 for partial spec and -1 for an
1673 int server_match_spec_complete(struct connection_info *ci)
1675 if (ci->user && ci->host && ci->address)
1676 return 1; /* complete */
1677 if (!ci->user && !ci->host && !ci->address)
1678 return -1; /* empty */
1679 return 0; /* partial */
1683 #define M_CP_INTOPT(n) do {\
1687 #define M_CP_STROPT(n) do {\
1688 if (src->n != NULL) { \
1689 if (dst->n != NULL) \
1694 #define M_CP_STRARRAYOPT(n, num_n) do {\
1695 if (src->num_n != 0) { \
1696 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1697 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1702 * Copy any supported values that are set.
1704 * If the preauth flag is set, we do not bother copying the string or
1705 * array values that are not used pre-authentication, because any that we
1706 * do use must be explictly sent in mm_getpwnamallow().
1709 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1711 M_CP_INTOPT(password_authentication);
1712 M_CP_INTOPT(gss_authentication);
1713 M_CP_INTOPT(rsa_authentication);
1714 M_CP_INTOPT(pubkey_authentication);
1715 M_CP_INTOPT(kerberos_authentication);
1716 M_CP_INTOPT(hostbased_authentication);
1717 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1718 M_CP_INTOPT(kbd_interactive_authentication);
1719 M_CP_INTOPT(zero_knowledge_password_authentication);
1720 M_CP_INTOPT(permit_root_login);
1721 M_CP_INTOPT(permit_empty_passwd);
1723 M_CP_INTOPT(allow_tcp_forwarding);
1724 M_CP_INTOPT(allow_agent_forwarding);
1725 M_CP_INTOPT(permit_tun);
1726 M_CP_INTOPT(gateway_ports);
1727 M_CP_INTOPT(x11_display_offset);
1728 M_CP_INTOPT(x11_forwarding);
1729 M_CP_INTOPT(x11_use_localhost);
1730 M_CP_INTOPT(max_sessions);
1731 M_CP_INTOPT(max_authtries);
1732 M_CP_INTOPT(ip_qos_interactive);
1733 M_CP_INTOPT(ip_qos_bulk);
1735 /* See comment in servconf.h */
1736 COPY_MATCH_STRING_OPTS();
1739 * The only things that should be below this point are string options
1740 * which are only used after authentication.
1745 M_CP_STROPT(adm_forced_command);
1746 M_CP_STROPT(chroot_directory);
1751 #undef M_CP_STRARRAYOPT
1754 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1755 struct connection_info *connectinfo)
1757 int active, linenum, bad_options = 0;
1758 char *cp, *obuf, *cbuf;
1760 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1762 obuf = cbuf = xstrdup(buffer_ptr(conf));
1763 active = connectinfo ? 0 : 1;
1765 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1766 if (process_server_config_line(options, cp, filename,
1767 linenum++, &active, connectinfo) != 0)
1771 if (bad_options > 0)
1772 fatal("%s: terminating, %d bad configuration options",
1773 filename, bad_options);
1777 fmt_multistate_int(int val, const struct multistate *m)
1781 for (i = 0; m[i].key != NULL; i++) {
1782 if (m[i].value == val)
1789 fmt_intarg(ServerOpCodes code, int val)
1794 case sAddressFamily:
1795 return fmt_multistate_int(val, multistate_addressfamily);
1796 case sPermitRootLogin:
1797 return fmt_multistate_int(val, multistate_permitrootlogin);
1799 return fmt_multistate_int(val, multistate_gatewayports);
1801 return fmt_multistate_int(val, multistate_compression);
1802 case sUsePrivilegeSeparation:
1803 return fmt_multistate_int(val, multistate_privsep);
1810 case (SSH_PROTO_1|SSH_PROTO_2):
1828 lookup_opcode_name(ServerOpCodes code)
1832 for (i = 0; keywords[i].name != NULL; i++)
1833 if (keywords[i].opcode == code)
1834 return(keywords[i].name);
1839 dump_cfg_int(ServerOpCodes code, int val)
1841 printf("%s %d\n", lookup_opcode_name(code), val);
1845 dump_cfg_fmtint(ServerOpCodes code, int val)
1847 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1851 dump_cfg_string(ServerOpCodes code, const char *val)
1855 printf("%s %s\n", lookup_opcode_name(code), val);
1859 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1863 for (i = 0; i < count; i++)
1864 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1868 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
1872 printf("%s", lookup_opcode_name(code));
1873 for (i = 0; i < count; i++)
1874 printf(" %s", vals[i]);
1879 dump_config(ServerOptions *o)
1883 struct addrinfo *ai;
1884 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1886 /* these are usually at the top of the config */
1887 for (i = 0; i < o->num_ports; i++)
1888 printf("port %d\n", o->ports[i]);
1889 dump_cfg_fmtint(sProtocol, o->protocol);
1890 dump_cfg_fmtint(sAddressFamily, o->address_family);
1892 /* ListenAddress must be after Port */
1893 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1894 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1895 sizeof(addr), port, sizeof(port),
1896 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1897 error("getnameinfo failed: %.100s",
1898 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1901 if (ai->ai_family == AF_INET6)
1902 printf("listenaddress [%s]:%s\n", addr, port);
1904 printf("listenaddress %s:%s\n", addr, port);
1908 /* integer arguments */
1910 dump_cfg_int(sUsePAM, o->use_pam);
1912 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1913 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1914 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1915 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1916 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1917 dump_cfg_int(sMaxSessions, o->max_sessions);
1918 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1919 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1921 /* formatted integer arguments */
1922 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1923 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1924 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1925 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1926 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1927 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1928 o->hostbased_uses_name_from_packet_only);
1929 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1930 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1932 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1933 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1934 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1936 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1940 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1941 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1944 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1945 o->zero_knowledge_password_authentication);
1947 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1948 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1949 o->kbd_interactive_authentication);
1950 dump_cfg_fmtint(sChallengeResponseAuthentication,
1951 o->challenge_response_authentication);
1952 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1953 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1954 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1955 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1956 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1957 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1958 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1959 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1960 dump_cfg_fmtint(sUseLogin, o->use_login);
1961 dump_cfg_fmtint(sCompression, o->compression);
1962 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1963 dump_cfg_fmtint(sUseDNS, o->use_dns);
1964 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1965 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1967 /* string arguments */
1968 dump_cfg_string(sPidFile, o->pid_file);
1969 dump_cfg_string(sXAuthLocation, o->xauth_location);
1970 dump_cfg_string(sCiphers, o->ciphers);
1971 dump_cfg_string(sMacs, o->macs);
1972 dump_cfg_string(sBanner, o->banner);
1973 dump_cfg_string(sForceCommand, o->adm_forced_command);
1974 dump_cfg_string(sChrootDirectory, o->chroot_directory);
1975 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
1976 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
1977 dump_cfg_string(sAuthorizedPrincipalsFile,
1978 o->authorized_principals_file);
1979 dump_cfg_string(sVersionAddendum, o->version_addendum);
1981 /* string arguments requiring a lookup */
1982 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1983 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1985 /* string array arguments */
1986 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
1987 o->authorized_keys_files);
1988 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1990 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
1991 o->host_cert_files);
1992 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1993 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1994 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1995 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1996 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1998 /* other arguments */
1999 for (i = 0; i < o->num_subsystems; i++)
2000 printf("subsystem %s %s\n", o->subsystem_name[i],
2001 o->subsystem_args[i]);
2003 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2004 o->max_startups_rate, o->max_startups);
2006 for (i = 0; tunmode_desc[i].val != -1; i++)
2007 if (tunmode_desc[i].val == o->permit_tun) {
2008 s = tunmode_desc[i].text;
2011 dump_cfg_string(sPermitTunnel, s);
2013 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2014 printf("%s\n", iptos2str(o->ip_qos_bulk));
2016 channel_print_adm_permitted_opens();