2 /* $OpenBSD: servconf.c,v 1.249 2014/01/29 06:18:35 djm Exp $ */
5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
18 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <netinet/in_systm.h>
23 #include <netinet/ip.h>
39 #include "openbsd-compat/sys-queue.h"
46 #include "pathnames.h"
54 #include "groupaccess.h"
61 static void add_listen_addr(ServerOptions *, char *, int);
62 static void add_one_listen_addr(ServerOptions *, char *, int);
64 /* Use of privilege separation or not */
65 extern int use_privsep;
/*
 * Reset every server option to its "not yet configured" sentinel
 * (-1 for integers, NULL for strings, 0 for counters, *_NOT_SET for enums).
 *
 * The sentinels matter: the config parser only stores a value while the
 * option still holds its sentinel (see the `*intptr == -1` /
 * `*charptr == NULL` guards in process_server_config_line), so the FIRST
 * occurrence of a keyword in sshd_config wins and later duplicates are
 * silently ignored.  A hardening line appended at the end of the file does
 * not override an earlier, more permissive one.  Whatever is still unset
 * after parsing is filled in by fill_default_server_options().
 */
initialize_server_options(ServerOptions *options)
	/* Zero everything first; the explicit assignments below document the sentinels. */
	memset(options, 0, sizeof(*options));
	/* Portable-specific options */
	options->use_pam = -1;
	/* Standard Options */
	options->num_ports = 0;
	options->ports_from_cmdline = 0;
	options->listen_addrs = NULL;
	options->address_family = -1;
	options->num_host_key_files = 0;
	options->num_host_cert_files = 0;
	options->host_key_agent = NULL;
	options->pid_file = NULL;
	options->server_key_bits = -1;
	options->login_grace_time = -1;
	options->key_regeneration_time = -1;
	options->permit_root_login = PERMIT_NOT_SET;
	options->ignore_rhosts = -1;
	options->ignore_user_known_hosts = -1;
	options->print_motd = -1;
	options->print_lastlog = -1;
	options->x11_forwarding = -1;
	options->x11_display_offset = -1;
	options->x11_use_localhost = -1;
	options->permit_tty = -1;
	options->xauth_location = NULL;
	options->strict_modes = -1;
	options->tcp_keep_alive = -1;
	options->log_facility = SYSLOG_FACILITY_NOT_SET;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	/* Authentication method switches; all resolved to yes/no later. */
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->hostbased_uses_name_from_packet_only = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->kerberos_authentication = -1;
	options->kerberos_or_local_passwd = -1;
	options->kerberos_ticket_cleanup = -1;
	options->kerberos_get_afs_token = -1;
	options->gss_authentication=-1;
	options->gss_cleanup_creds = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->challenge_response_authentication = -1;
	options->permit_empty_passwd = -1;
	options->permit_user_env = -1;
	options->use_login = -1;
	options->compression = -1;
	options->rekey_limit = -1;
	options->rekey_interval = -1;
	options->allow_tcp_forwarding = -1;
	options->allow_agent_forwarding = -1;
	/* Access-control lists start empty; empty means "no restriction". */
	options->num_allow_users = 0;
	options->num_deny_users = 0;
	options->num_allow_groups = 0;
	options->num_deny_groups = 0;
	/* NULL here means "library default list" for the transport algorithms. */
	options->ciphers = NULL;
	options->macs = NULL;
	options->kex_algorithms = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	options->gateway_ports = -1;
	options->num_subsystems = 0;
	options->max_startups_begin = -1;
	options->max_startups_rate = -1;
	options->max_startups = -1;
	options->max_authtries = -1;
	options->max_sessions = -1;
	options->banner = NULL;
	options->use_dns = -1;
	options->client_alive_interval = -1;
	options->client_alive_count_max = -1;
	options->num_authkeys_files = 0;
	options->num_accept_env = 0;
	options->permit_tun = -1;
	options->num_permitted_opens = -1;
	options->adm_forced_command = NULL;
	options->chroot_directory = NULL;
	options->authorized_keys_command = NULL;
	options->authorized_keys_command_user = NULL;
	options->revoked_keys_file = NULL;
	options->trusted_user_ca_keys = NULL;
	options->authorized_principals_file = NULL;
	options->ip_qos_interactive = -1;
	options->ip_qos_bulk = -1;
	options->version_addendum = NULL;
	/* HPN (high-performance networking) patch knobs. */
	options->hpn_disabled = -1;
	options->hpn_buffer_size = -1;
	options->tcp_rcv_buf_poll = -1;
#ifdef NONE_CIPHER_ENABLED
	/*
	 * NOTE(review): presumably the HPN "None" cipher switch, i.e. a
	 * transport with no encryption; treat any build that defines
	 * NONE_CIPHER_ENABLED as needing an explicit policy decision.
	 */
	options->none_enabled = -1;
/*
 * Replace every option still at its sentinel with the built-in default.
 * Runs after sshd_config has been parsed, so explicit settings survive; the
 * values below are exactly what an empty sshd_config yields on this
 * (FreeBSD + HPN) build, and several differ from what other builds ship.
 */
fill_default_server_options(ServerOptions *options)
	/* Portable-specific options */
	if (options->use_pam == -1)
		options->use_pam = 1;
	/* Standard Options */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_2;
	if (options->num_host_key_files == 0) {
		/* fill default hostkeys for protocols */
		if (options->protocol & SSH_PROTO_1)
			options->host_key_files[options->num_host_key_files++] =
		if (options->protocol & SSH_PROTO_2) {
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_RSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_DSA_KEY_FILE;
#ifdef OPENSSL_HAS_ECC
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_ECDSA_KEY_FILE;
			options->host_key_files[options->num_host_key_files++] =
			    _PATH_HOST_ED25519_KEY_FILE;
	/* No certificates by default */
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->listen_addrs == NULL)
		add_listen_addr(options, NULL, 0);
	if (options->pid_file == NULL)
		options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
	/* Protocol-1 ephemeral server key; only meaningful if Protocol 1 is enabled. */
	if (options->server_key_bits == -1)
		options->server_key_bits = 1024;
	/* Seconds an unauthenticated connection may linger before being dropped. */
	if (options->login_grace_time == -1)
		options->login_grace_time = 120;
	if (options->key_regeneration_time == -1)
		options->key_regeneration_time = 3600;
	/* Root logins are refused unless sshd_config says otherwise. */
	if (options->permit_root_login == PERMIT_NOT_SET)
		options->permit_root_login = PERMIT_NO;
	if (options->ignore_rhosts == -1)
		options->ignore_rhosts = 1;
	if (options->ignore_user_known_hosts == -1)
		options->ignore_user_known_hosts = 0;
	if (options->print_motd == -1)
		options->print_motd = 1;
	if (options->print_lastlog == -1)
		options->print_lastlog = 1;
	/*
	 * X11 forwarding is ON by default in this build.  A forwarded display
	 * lets the server side talk to the client's X server, so hosts that
	 * do not need it should set "X11Forwarding no".
	 */
	if (options->x11_forwarding == -1)
		options->x11_forwarding = 1;
	if (options->x11_display_offset == -1)
		options->x11_display_offset = 10;
	if (options->x11_use_localhost == -1)
		options->x11_use_localhost = 1;
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	if (options->permit_tty == -1)
		options->permit_tty = 1;
	/* Refuse world/group-writable user files (authorized_keys etc.). */
	if (options->strict_modes == -1)
		options->strict_modes = 1;
	if (options->tcp_keep_alive == -1)
		options->tcp_keep_alive = 1;
	if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
		options->log_facility = SYSLOG_FACILITY_AUTH;
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	if (options->hostbased_uses_name_from_packet_only == -1)
		options->hostbased_uses_name_from_packet_only = 0;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 0;
	if (options->kerberos_or_local_passwd == -1)
		options->kerberos_or_local_passwd = 1;
	if (options->kerberos_ticket_cleanup == -1)
		options->kerberos_ticket_cleanup = 1;
	if (options->kerberos_get_afs_token == -1)
		options->kerberos_get_afs_token = 0;
	if (options->gss_authentication == -1)
		options->gss_authentication = 0;
	if (options->gss_cleanup_creds == -1)
		options->gss_cleanup_creds = 1;
	/*
	 * PasswordAuthentication defaults to no here, but
	 * ChallengeResponseAuthentication defaults to yes and UsePAM to yes.
	 * NOTE(review): with that combination PAM's keyboard-interactive
	 * path can presumably still prompt for a password; a site that wants
	 * keys only must disable ChallengeResponseAuthentication as well.
	 * Confirm against the auth code.
	 */
	if (options->password_authentication == -1)
		options->password_authentication = 0;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 0;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->permit_empty_passwd == -1)
		options->permit_empty_passwd = 0;
	if (options->permit_user_env == -1)
		options->permit_user_env = 0;
	if (options->use_login == -1)
		options->use_login = 0;
	if (options->compression == -1)
		options->compression = COMP_DELAYED;
	if (options->rekey_limit == -1)
		options->rekey_limit = 0;
	if (options->rekey_interval == -1)
		options->rekey_interval = 0;
	/* Port and agent forwarding are both permitted unless restricted. */
	if (options->allow_tcp_forwarding == -1)
		options->allow_tcp_forwarding = FORWARD_ALLOW;
	if (options->allow_agent_forwarding == -1)
		options->allow_agent_forwarding = 1;
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	/* MaxStartups 10:30:100 (begin:rate:full) unauthenticated-connection throttle. */
	if (options->max_startups == -1)
		options->max_startups = 100;
	if (options->max_startups_rate == -1)
		options->max_startups_rate = 30; /* 30% */
	if (options->max_startups_begin == -1)
		options->max_startups_begin = 10;
	if (options->max_authtries == -1)
		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
	if (options->max_sessions == -1)
		options->max_sessions = DEFAULT_SESSIONS_MAX;
	/*
	 * Reverse-resolve client addresses by default.  The resulting name is
	 * what "Match Host" compares against (see get_connection_info), and a
	 * PTR record is controlled by whoever owns the client's address space,
	 * so prefer "Match Address" for anything security-relevant.
	 */
	if (options->use_dns == -1)
		options->use_dns = 1;
	if (options->client_alive_interval == -1)
		options->client_alive_interval = 0;
	if (options->client_alive_count_max == -1)
		options->client_alive_count_max = 3;
	/*
	 * Both ~/.ssh/authorized_keys and the legacy authorized_keys2 are
	 * consulted by default; audits that only look at the first file miss
	 * keys planted in the second.
	 */
	if (options->num_authkeys_files == 0) {
		options->authorized_keys_files[options->num_authkeys_files++] =
		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
		options->authorized_keys_files[options->num_authkeys_files++] =
		    xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
	if (options->permit_tun == -1)
		options->permit_tun = SSH_TUNMODE_NO;
	if (options->ip_qos_interactive == -1)
		options->ip_qos_interactive = IPTOS_LOWDELAY;
	if (options->ip_qos_bulk == -1)
		options->ip_qos_bulk = IPTOS_THROUGHPUT;
	/*
	 * FreeBSD-specific: SSH_VERSION_FREEBSD is presumably appended to the
	 * identification string every client sees before authentication,
	 * which discloses the OS release; "VersionAddendum none" suppresses it.
	 */
	if (options->version_addendum == NULL)
		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
	/* Turn privilege separation on by default (PRIVSEP_ON is the sandboxed mode). */
	if (use_privsep == -1)
		use_privsep = PRIVSEP_ON;
	/*
	 * Literal 1 is compared here; presumably COMP_ZLIB (pre-authentication
	 * compression), while COMP_DELAYED is left alone.  NOTE(review): use
	 * the enum constant if this is ever touched.
	 */
	if (use_privsep && options->compression == 1) {
		error("This platform does not support both privilege "
		    "separation and compression");
		error("Compression disabled");
		options->compression = 0;
	if (options->hpn_disabled == -1)
		options->hpn_disabled = 0;
	if (options->hpn_buffer_size == -1) {
		/*
		 * HPN buffer size option not explicitly set. Try to figure
		 * out what value to use or resort to default.
		 */
		options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
		if (!options->hpn_disabled) {
			sock_get_rcvbuf(&options->hpn_buffer_size, 0);
			debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
	/*
	 * In the case that the user sets both values in a contradictory
	 * manner, hpn_disabled overrides hpn_buffer_size.  (hpn_disabled was
	 * already normalised to 0/1 above, so "<= 0" is just "== 0" here.)
	 */
	if (options->hpn_disabled <= 0) {
		maxlen = buffer_get_max_len();
		if (options->hpn_buffer_size == 0)
			options->hpn_buffer_size = 1;
		/*
		 * Limit the maximum buffer to BUFFER_MAX_LEN.  The size is
		 * configured in KiB; NOTE(review): the clamp only holds if the
		 * "*= 1024" below is on the else branch of this test (that line
		 * is not shown in this excerpt) -- if it ran unconditionally the
		 * clamped value would be scaled past the maximum.
		 */
		if (options->hpn_buffer_size > maxlen / 1024)
			options->hpn_buffer_size = maxlen;
		options->hpn_buffer_size *= 1024;
		options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
/*
 * Keyword tokens.  One opcode per sshd_config keyword; the keywords[] table
 * below maps the textual spelling onto these.  sBadOption must stay first
 * (it is what parse_token returns for an unknown keyword) and sDeprecated /
 * sUnsupported exist so that obsolete or compiled-out keywords are
 * recognised and reported rather than silently ignored.
 */
	sBadOption, /* == unknown option */
	/* Portable-specific options */
	/* Standard Options */
	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
	sPermitRootLogin, sLogFacility, sLogLevel,
	sRhostsRSAAuthentication, sRSAAuthentication,
	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
	sKerberosGetAFSToken,
	sKerberosTgtPassing, sChallengeResponseAuthentication,
	sPasswordAuthentication, sKbdInteractiveAuthentication,
	sListenAddress, sAddressFamily,
	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
	sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
	sMaxStartups, sMaxAuthTries, sMaxSessions,
	sBanner, sUseDNS, sHostbasedAuthentication,
	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
	sClientAliveCountMax, sAuthorizedKeysFile,
	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
	sUsePrivilegeSeparation, sAllowAgentForwarding,
	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
	sKexAlgorithms, sIPQoS, sVersionAddendum,
	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
	sAuthenticationMethods, sHostKeyAgent,
	/* HPN patch additions. */
	sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll,
#ifdef NONE_CIPHER_ENABLED
	sDeprecated, sUnsupported
/*
 * Where a keyword may appear.  process_server_config_line fatals on a
 * keyword that lacks SSHCFG_MATCH when it is met inside a Match block, so
 * these flags are the whole definition of "can this be set per user/host".
 */
#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
/*
 * Textual representation of the tokens.  Looked up by parse_token with a
 * case-insensitive linear scan; the first matching row wins, and the table
 * is terminated by the { NULL, sBadOption, 0 } row.
 *
 * Several keywords appear twice (usepam, the kerberos* and gssapi* rows):
 * the #if/#else lines that compile exactly one of each pair are not shown
 * in this excerpt, the second spelling mapping to sUnsupported when the
 * feature was built out.
 */
	ServerOpCodes opcode;
	/* Portable-specific options */
	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
	/* Standard Options */
	{ "port", sPort, SSHCFG_GLOBAL },
	{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
	{ "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
	/* Socket of an agent that holds the host keys (value may be SSH_AUTH_SOCK). */
	{ "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
	{ "pidfile", sPidFile, SSHCFG_GLOBAL },
	{ "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
	{ "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
	{ "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
	{ "loglevel", sLogLevel, SSHCFG_GLOBAL },
	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
	{ "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
	{ "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
	{ "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
	{ "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
	/* NOTE(review): the alias is global-only although the canonical keyword is SSHCFG_ALL. */
	{ "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
	{ "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
	{ "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
	{ "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
	{ "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
	{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
	{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
	{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
	/* Global only: cannot be switched off for a subset of users via Match. */
	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
	{ "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
	{ "checkmail", sDeprecated, SSHCFG_GLOBAL },
	{ "listenaddress", sListenAddress, SSHCFG_GLOBAL },
	{ "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
	{ "printmotd", sPrintMotd, SSHCFG_GLOBAL },
	{ "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
	{ "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
	{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
	{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
	{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
	{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
	{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
	{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
	{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
	{ "uselogin", sUseLogin, SSHCFG_GLOBAL },
	{ "compression", sCompression, SSHCFG_GLOBAL },
	{ "rekeylimit", sRekeyLimit, SSHCFG_ALL },
	{ "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
	{ "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
	{ "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
	{ "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
	{ "allowusers", sAllowUsers, SSHCFG_ALL },
	{ "denyusers", sDenyUsers, SSHCFG_ALL },
	{ "allowgroups", sAllowGroups, SSHCFG_ALL },
	{ "denygroups", sDenyGroups, SSHCFG_ALL },
	/* Transport algorithm lists are negotiated before Match can run, so global only. */
	{ "ciphers", sCiphers, SSHCFG_GLOBAL },
	{ "macs", sMacs, SSHCFG_GLOBAL },
	{ "protocol", sProtocol, SSHCFG_GLOBAL },
	{ "gatewayports", sGatewayPorts, SSHCFG_ALL },
	{ "subsystem", sSubsystem, SSHCFG_GLOBAL },
	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
	{ "banner", sBanner, SSHCFG_ALL },
	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
	{ "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
	{ "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
	{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
	/* See multistate_privsep: "yes" is NOT the sandboxed mode. */
	{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
	{ "permittty", sPermitTTY, SSHCFG_ALL },
	{ "match", sMatch, SSHCFG_ALL },
	/* Per-user/host restriction knobs; all usable inside Match. */
	{ "permitopen", sPermitOpen, SSHCFG_ALL },
	{ "forcecommand", sForceCommand, SSHCFG_ALL },
	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
	{ "ipqos", sIPQoS, SSHCFG_ALL },
	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
	{ "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
	{ "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
	{ "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
	/* HPN patch additions. */
	{ "hpndisabled", sHPNDisabled, SSHCFG_ALL },
	{ "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
	{ "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
#ifdef NONE_CIPHER_ENABLED
	/* Settable per Match block; presumably enables the unencrypted "None" cipher. */
	{ "noneenabled", sNoneEnabled, SSHCFG_ALL },
	{ NULL, sBadOption, 0 }
	/*
	 * PermitTunnel spellings and the SSH_TUNMODE_* value each maps to.
	 * The table header and its terminating row are not shown in this
	 * excerpt.
	 */
	{ SSH_TUNMODE_NO, "no" },
	{ SSH_TUNMODE_POINTOPOINT, "point-to-point" },
	{ SSH_TUNMODE_ETHERNET, "ethernet" },
	{ SSH_TUNMODE_YES, "yes" },
 * Returns the number of the token pointed to by cp or sBadOption.
 *
 * cp is matched case-insensitively against every row of keywords[]; on a
 * hit *flags receives that row's SSHCFG_* flags.  On a miss an error is
 * logged naming the file and line, *flags is left untouched, and the
 * caller (process_server_config_line) decides whether an unknown keyword
 * aborts startup.
parse_token(const char *cp, const char *filename,
    int linenum, u_int *flags)
	for (i = 0; keywords[i].name; i++)
		if (strcasecmp(cp, keywords[i].name) == 0) {
			*flags = keywords[i].flags;
			return keywords[i].opcode;
	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
/*
 * Turn a config-file path into an absolute one.
 *
 * "~" is expanded against getuid(), i.e. the identity sshd itself runs as
 * when the config is loaded (normally root), NOT the user logging in, so
 * "~/..." in HostKey or HostKeyAgent refers to the daemon's home.
 * Already-absolute results are returned as-is; anything else is prefixed
 * with the current working directory, and a getcwd() failure is fatal.
 * The returned string is heap-allocated (xasprintf / tilde_expand_filename).
 */
derelativise_path(const char *path)
	char *expanded, *ret, cwd[MAXPATHLEN];
	expanded = tilde_expand_filename(path, getuid());
	if (*expanded == '/')
	if (getcwd(cwd, sizeof(cwd)) == NULL)
		fatal("%s: getcwd: %s", __func__, strerror(errno));
	xasprintf(&ret, "%s/%s", cwd, expanded);
/*
 * Register a ListenAddress.  With port == 0 the address is bound on every
 * Port configured so far (defaulting to SSH_DEFAULT_PORT if none), otherwise
 * on the single port given; AddressFamily defaults to AF_UNSPEC at this
 * point.  Because the port list and family are captured here, at the moment
 * the ListenAddress line is read, the parser refuses Port / AddressFamily
 * lines that come after a ListenAddress.
 */
add_listen_addr(ServerOptions *options, char *addr, int port)
	if (options->num_ports == 0)
		options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
	if (options->address_family == -1)
		options->address_family = AF_UNSPEC;
	/* port == 0: one listener per configured port (the branch test is not shown here). */
	for (i = 0; i < options->num_ports; i++)
		add_one_listen_addr(options, addr, options->ports[i]);
	add_one_listen_addr(options, addr, port);
/*
 * Resolve one address/port pair and prepend the result to
 * options->listen_addrs.
 *
 * addr == NULL means the wildcard address (AI_PASSIVE).  addr may also be a
 * host name, in which case it is resolved ONCE, at config load, through the
 * system resolver; a resolver failure is fatal at startup.  Literal
 * addresses are the predictable choice for a listener.  The resolved list
 * is spliced in front of the existing one, so later ListenAddress lines end
 * up earlier in the list.
 */
add_one_listen_addr(ServerOptions *options, char *addr, int port)
	struct addrinfo hints, *ai, *aitop;
	char strport[NI_MAXSERV];
	memset(&hints, 0, sizeof(hints));
	hints.ai_family = options->address_family;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
	snprintf(strport, sizeof strport, "%d", port);
	if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
		fatal("bad addr or host: %s (%s)",
		    addr ? addr : "<NULL>",
		    ssh_gai_strerror(gaierr));
	/* Walk to the tail of the new result list, then hang the old list off it. */
	for (ai = aitop; ai->ai_next; ai = ai->ai_next)
	ai->ai_next = options->listen_addrs;
	options->listen_addrs = aitop;
/*
 * Return the connection attributes that Match blocks are evaluated against.
 *
 * A single static instance is handed back, so every caller shares (and may
 * overwrite) the same object.  use_dns selects whether ci.host is the
 * reverse-resolved client name or just its address; a name obtained this way
 * is only as trustworthy as the client's PTR record.  NOTE(review): what
 * `populate` gates is not visible in this excerpt -- presumably an early
 * return that skips filling the fields.
 */
struct connection_info *
get_connection_info(int populate, int use_dns)
	static struct connection_info ci;
	ci.host = get_canonical_hostname(use_dns);
	ci.address = get_remote_ipaddr();
	ci.laddress = get_local_ipaddr(packet_get_connection_in());
	ci.lport = get_local_port();
631 * The strategy for the Match blocks is that the config file is parsed twice.
633 * The first time is at startup. activep is initialized to 1 and the
634 * directives in the global context are processed and acted on. Hitting a
635 * Match directive unsets activep and the directives inside the block are
636 * checked for syntax only.
 * The second time is after a connection has been established but before
 * authentication. activep is initialized to 2 and global config directives
 * are ignored since they have already been processed. If the criteria in a
 * Match block are met, activep is set and the subsequent directives are
 * processed and acted on until EOF or another Match block unsets it. Any
 * options set are copied into the main server config. Because this pass runs
 * before authentication, a User or Group criterion is evaluated against the
 * name the client merely claimed; it is not yet proven to be that user.
645 * Potential additions/improvements:
646 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
648 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
649 * Match Address 192.168.0.*
654 * AllowTcpForwarding yes
655 * GatewayPorts clientspecified
658 * - Add a PermittedChannelRequests directive
660 * PermittedChannelRequests session,forwarded-tcpip
/*
 * Evaluate a "Match Group" pattern list for the given user name.
 *
 * `user` is the name the client asked to log in as; it is resolved with
 * getpwnam() and the group set is built from the canonical pw_name/pw_gid,
 * so an unknown user, a user in no group, or a non-matching pattern list
 * all fail the match (each case is logged at debug level only, with the
 * name truncated to 100 bytes).  The return statements themselves are not
 * shown in this excerpt.
 */
match_cfg_line_group(const char *grps, int line, const char *user)
	if ((pw = getpwnam(user)) == NULL) {
		debug("Can't match group at line %d because user %.100s does "
		    "not exist", line, user);
	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
		debug("Can't Match group because user %.100s not in any group "
		    "at line %d", user, line);
	} else if (ga_match_pattern_list(grps) != 1) {
		debug("user %.100s does not match group list %.100s at line %d",
		debug("user %.100s matched group list %.100s at line %d", user,
 * All of the attributes on a single Match line are ANDed together, so we need
 * to check every attribute and set the result to zero if any attribute does
 *
 * ci == NULL is the startup syntax-check pass (activep == 1): every
 * criterion is parsed but none is evaluated.  With a real connection_info
 * the criteria are evaluated before authentication, so User/Group see the
 * client-claimed name, Host sees whatever reverse DNS returned (attacker-
 * influenced unless UseDNS verification is trusted), while Address,
 * LocalAddress and LocalPort come from the socket and are the reliable ones.
match_cfg_line(char **condition, int line, struct connection_info *ci)
	int result = 1, attributes = 0, port;
	char *arg, *attrib, *cp = *condition;
	debug3("checking syntax for 'Match %s'", cp);
	debug3("checking match for '%s' user %s host %s addr %s "
	    "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
	    ci->host ? ci->host : "(null)",
	    ci->address ? ci->address : "(null)",
	    ci->laddress ? ci->laddress : "(null)", ci->lport);
	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
		/* "all" must be the only attribute on the line and takes no argument. */
		if (strcasecmp(attrib, "all") == 0) {
			if (attributes != 1 ||
			    ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
				error("'all' cannot be combined with other "
		/* Every other attribute needs a (pattern) argument. */
		if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
			error("Missing Match criteria for %s", attrib);
		if (strcasecmp(attrib, "user") == 0) {
			if (ci == NULL || ci->user == NULL) {
			/* Client-supplied, unauthenticated user name against a glob list. */
			if (match_pattern_list(ci->user, arg, len, 0) != 1)
			debug("user %.100s matched 'User %.100s' at "
			    "line %d", ci->user, arg, line);
		} else if (strcasecmp(attrib, "group") == 0) {
			if (ci == NULL || ci->user == NULL) {
			switch (match_cfg_line_group(arg, line, ci->user)) {
		} else if (strcasecmp(attrib, "host") == 0) {
			if (ci == NULL || ci->host == NULL) {
			/* ci->host comes from get_canonical_hostname(use_dns); prefer Address. */
			if (match_hostname(ci->host, arg, len) != 1)
			debug("connection from %.100s matched 'Host "
			    "%.100s' at line %d", ci->host, arg, line);
		} else if (strcasecmp(attrib, "address") == 0) {
			if (ci == NULL || ci->address == NULL) {
			/* Client IP against an address/CIDR list. */
			switch (addr_match_list(ci->address, arg)) {
				debug("connection from %.100s matched 'Address "
				    "%.100s' at line %d", ci->address, arg, line);
		} else if (strcasecmp(attrib, "localaddress") == 0){
			if (ci == NULL || ci->laddress == NULL) {
			switch (addr_match_list(ci->laddress, arg)) {
				debug("connection from %.100s matched "
				    "'LocalAddress %.100s' at line %d",
				    ci->laddress, arg, line);
		} else if (strcasecmp(attrib, "localport") == 0) {
			/* Port syntax is validated even on the syntax-only pass. */
			if ((port = a2port(arg)) == -1) {
				error("Invalid LocalPort '%s' on Match line",
			if (ci == NULL || ci->lport == 0) {
			/* TODO support port lists */
			if (port == ci->lport)
				debug("connection from %.100s matched "
				    "'LocalPort %d' at line %d",
				    ci->laddress, port, line);
			error("Unsupported Match attribute %s", attrib);
	/* A bare "Match" with no criteria is a configuration error, not a wildcard. */
	if (attributes == 0) {
		error("One or more attributes required for Match");
	debug3("match %sfound", result ? "" : "not ");
#define WHITESPACE " \t\r\n"
/*
 * Multistate option parsing.  Each table maps the accepted spellings of a
 * keyword's value (compared case-insensitively by the parser) onto the
 * integer stored in ServerOptions.  The "inet" / "no" rows and the
 * { NULL, -1 } terminators are not shown in this excerpt.
 */
static const struct multistate multistate_addressfamily[] = {
	{ "inet6", AF_INET6 },
	{ "any", AF_UNSPEC },
/*
 * "without-password" still allows root via public key / host-based auth;
 * "forced-commands-only" additionally requires a command= key option.
 */
static const struct multistate multistate_permitrootlogin[] = {
	{ "without-password", PERMIT_NO_PASSWD },
	{ "forced-commands-only", PERMIT_FORCED_ONLY },
	{ "yes", PERMIT_YES },
static const struct multistate multistate_compression[] = {
	{ "delayed", COMP_DELAYED },
	{ "yes", COMP_ZLIB },
static const struct multistate multistate_gatewayports[] = {
	{ "clientspecified", 2 },
/*
 * Privilege separation.  Note the asymmetry: a literal
 * "UsePrivilegeSeparation yes" selects PRIVSEP_NOSANDBOX, whereas leaving
 * the keyword out gives PRIVSEP_ON (see fill_default_server_options), the
 * same as "sandbox".  Writing "yes" therefore WEAKENS the default; use
 * "sandbox" or omit the line.
 */
static const struct multistate multistate_privsep[] = {
	{ "yes", PRIVSEP_NOSANDBOX },
	{ "sandbox", PRIVSEP_ON },
	{ "nosandbox", PRIVSEP_NOSANDBOX },
	{ "no", PRIVSEP_OFF },
/* AllowTcpForwarding: "all"/"yes" permit both directions, else one or none. */
static const struct multistate multistate_tcpfwd[] = {
	{ "yes", FORWARD_ALLOW },
	{ "all", FORWARD_ALLOW },
	{ "no", FORWARD_DENY },
	{ "remote", FORWARD_REMOTE },
	{ "local", FORWARD_LOCAL },
876 process_server_config_line(ServerOptions *options, char *line,
877 const char *filename, int linenum, int *activep,
878 struct connection_info *connectinfo)
880 char *cp, **charptr, *arg, *p;
881 int cmdline = 0, *intptr, value, value2, n, port;
882 SyslogFacility *log_facility_ptr;
883 LogLevel *log_level_ptr;
884 ServerOpCodes opcode;
888 const struct multistate *multistate_ptr;
891 if ((arg = strdelim(&cp)) == NULL)
893 /* Ignore leading whitespace */
896 if (!arg || !*arg || *arg == '#')
900 opcode = parse_token(arg, filename, linenum, &flags);
902 if (activep == NULL) { /* We are processing a command line directive */
906 if (*activep && opcode != sMatch)
907 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
908 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
909 if (connectinfo == NULL) {
910 fatal("%s line %d: Directive '%s' is not allowed "
911 "within a Match block", filename, linenum, arg);
912 } else { /* this is a directive we have already processed */
920 /* Portable-specific options */
922 intptr = &options->use_pam;
925 /* Standard Options */
929 /* ignore ports from configfile if cmdline specifies ports */
930 if (options->ports_from_cmdline)
932 if (options->listen_addrs != NULL)
933 fatal("%s line %d: ports must be specified before "
934 "ListenAddress.", filename, linenum);
935 if (options->num_ports >= MAX_PORTS)
936 fatal("%s line %d: too many ports.",
939 if (!arg || *arg == '\0')
940 fatal("%s line %d: missing port number.",
942 options->ports[options->num_ports++] = a2port(arg);
943 if (options->ports[options->num_ports-1] <= 0)
944 fatal("%s line %d: Badly formatted port number.",
949 intptr = &options->server_key_bits;
952 if (!arg || *arg == '\0')
953 fatal("%s line %d: missing integer value.",
956 if (*activep && *intptr == -1)
960 case sLoginGraceTime:
961 intptr = &options->login_grace_time;
964 if (!arg || *arg == '\0')
965 fatal("%s line %d: missing time value.",
967 if ((value = convtime(arg)) == -1)
968 fatal("%s line %d: invalid time value.",
974 case sKeyRegenerationTime:
975 intptr = &options->key_regeneration_time;
980 if (arg == NULL || *arg == '\0')
981 fatal("%s line %d: missing address",
983 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
984 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
985 && strchr(p+1, ':') != NULL) {
986 add_listen_addr(options, arg, 0);
991 fatal("%s line %d: bad address:port usage",
993 p = cleanhostname(p);
996 else if ((port = a2port(arg)) <= 0)
997 fatal("%s line %d: bad port number", filename, linenum);
999 add_listen_addr(options, p, port);
1003 case sAddressFamily:
1004 intptr = &options->address_family;
1005 multistate_ptr = multistate_addressfamily;
1006 if (options->listen_addrs != NULL)
1007 fatal("%s line %d: address family must be specified "
1008 "before ListenAddress.", filename, linenum);
1010 arg = strdelim(&cp);
1011 if (!arg || *arg == '\0')
1012 fatal("%s line %d: missing argument.",
1015 for (i = 0; multistate_ptr[i].key != NULL; i++) {
1016 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1017 value = multistate_ptr[i].value;
1022 fatal("%s line %d: unsupported option \"%s\".",
1023 filename, linenum, arg);
1024 if (*activep && *intptr == -1)
1029 intptr = &options->num_host_key_files;
1030 if (*intptr >= MAX_HOSTKEYS)
1031 fatal("%s line %d: too many host keys specified (max %d).",
1032 filename, linenum, MAX_HOSTKEYS);
1033 charptr = &options->host_key_files[*intptr];
1035 arg = strdelim(&cp);
1036 if (!arg || *arg == '\0')
1037 fatal("%s line %d: missing file name.",
1039 if (*activep && *charptr == NULL) {
1040 *charptr = derelativise_path(arg);
1041 /* increase optional counter */
1043 *intptr = *intptr + 1;
1048 charptr = &options->host_key_agent;
1049 arg = strdelim(&cp);
1050 if (!arg || *arg == '\0')
1051 fatal("%s line %d: missing socket name.",
1053 if (*activep && *charptr == NULL)
1054 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1055 xstrdup(arg) : derelativise_path(arg);
1058 case sHostCertificate:
1059 intptr = &options->num_host_cert_files;
1060 if (*intptr >= MAX_HOSTKEYS)
1061 fatal("%s line %d: too many host certificates "
1062 "specified (max %d).", filename, linenum,
1064 charptr = &options->host_cert_files[*intptr];
1065 goto parse_filename;
1069 charptr = &options->pid_file;
1070 goto parse_filename;
1072 case sPermitRootLogin:
1073 intptr = &options->permit_root_login;
1074 multistate_ptr = multistate_permitrootlogin;
1075 goto parse_multistate;
1078 intptr = &options->ignore_rhosts;
1080 arg = strdelim(&cp);
1081 if (!arg || *arg == '\0')
1082 fatal("%s line %d: missing yes/no argument.",
1084 value = 0; /* silence compiler */
1085 if (strcmp(arg, "yes") == 0)
1087 else if (strcmp(arg, "no") == 0)
1090 fatal("%s line %d: Bad yes/no argument: %s",
1091 filename, linenum, arg);
1092 if (*activep && *intptr == -1)
1096 case sIgnoreUserKnownHosts:
1097 intptr = &options->ignore_user_known_hosts;
1100 case sRhostsRSAAuthentication:
1101 intptr = &options->rhosts_rsa_authentication;
1104 case sHostbasedAuthentication:
1105 intptr = &options->hostbased_authentication;
1108 case sHostbasedUsesNameFromPacketOnly:
1109 intptr = &options->hostbased_uses_name_from_packet_only;
1112 case sRSAAuthentication:
1113 intptr = &options->rsa_authentication;
1116 case sPubkeyAuthentication:
1117 intptr = &options->pubkey_authentication;
1120 case sKerberosAuthentication:
1121 intptr = &options->kerberos_authentication;
1124 case sKerberosOrLocalPasswd:
1125 intptr = &options->kerberos_or_local_passwd;
1128 case sKerberosTicketCleanup:
1129 intptr = &options->kerberos_ticket_cleanup;
1132 case sKerberosGetAFSToken:
1133 intptr = &options->kerberos_get_afs_token;
1136 case sGssAuthentication:
1137 intptr = &options->gss_authentication;
1140 case sGssCleanupCreds:
1141 intptr = &options->gss_cleanup_creds;
1144 case sPasswordAuthentication:
1145 intptr = &options->password_authentication;
1148 case sKbdInteractiveAuthentication:
1149 intptr = &options->kbd_interactive_authentication;
1152 case sChallengeResponseAuthentication:
1153 intptr = &options->challenge_response_authentication;
1157 intptr = &options->print_motd;
1161 intptr = &options->print_lastlog;
1164 case sX11Forwarding:
1165 intptr = &options->x11_forwarding;
1168 case sX11DisplayOffset:
1169 intptr = &options->x11_display_offset;
1172 case sX11UseLocalhost:
1173 intptr = &options->x11_use_localhost;
1176 case sXAuthLocation:
1177 charptr = &options->xauth_location;
1178 goto parse_filename;
1181 intptr = &options->permit_tty;
1185 intptr = &options->strict_modes;
1189 intptr = &options->tcp_keep_alive;
1193 intptr = &options->permit_empty_passwd;
1196 case sPermitUserEnvironment:
1197 intptr = &options->permit_user_env;
1201 intptr = &options->use_login;
1205 intptr = &options->compression;
1206 multistate_ptr = multistate_compression;
1207 goto parse_multistate;
1210 arg = strdelim(&cp);
1211 if (!arg || *arg == '\0')
1212 fatal("%.200s line %d: Missing argument.", filename,
1214 if (strcmp(arg, "default") == 0) {
1217 if (scan_scaled(arg, &val64) == -1)
1218 fatal("%.200s line %d: Bad number '%s': %s",
1219 filename, linenum, arg, strerror(errno));
1220 /* check for too-large or too-small limits */
1221 if (val64 > UINT_MAX)
1222 fatal("%.200s line %d: RekeyLimit too large",
1224 if (val64 != 0 && val64 < 16)
1225 fatal("%.200s line %d: RekeyLimit too small",
1228 if (*activep && options->rekey_limit == -1)
1229 options->rekey_limit = (u_int32_t)val64;
1230 if (cp != NULL) { /* optional rekey interval present */
1231 if (strcmp(cp, "none") == 0) {
1232 (void)strdelim(&cp); /* discard */
1235 intptr = &options->rekey_interval;
1241 intptr = &options->gateway_ports;
1242 multistate_ptr = multistate_gatewayports;
1243 goto parse_multistate;
1246 intptr = &options->use_dns;
1250 log_facility_ptr = &options->log_facility;
1251 arg = strdelim(&cp);
1252 value = log_facility_number(arg);
1253 if (value == SYSLOG_FACILITY_NOT_SET)
1254 fatal("%.200s line %d: unsupported log facility '%s'",
1255 filename, linenum, arg ? arg : "<NONE>");
1256 if (*log_facility_ptr == -1)
1257 *log_facility_ptr = (SyslogFacility) value;
1261 log_level_ptr = &options->log_level;
1262 arg = strdelim(&cp);
1263 value = log_level_number(arg);
1264 if (value == SYSLOG_LEVEL_NOT_SET)
1265 fatal("%.200s line %d: unsupported log level '%s'",
1266 filename, linenum, arg ? arg : "<NONE>");
1267 if (*log_level_ptr == -1)
1268 *log_level_ptr = (LogLevel) value;
1271 case sAllowTcpForwarding:
1272 intptr = &options->allow_tcp_forwarding;
1273 multistate_ptr = multistate_tcpfwd;
1274 goto parse_multistate;
1276 case sAllowAgentForwarding:
1277 intptr = &options->allow_agent_forwarding;
1280 case sUsePrivilegeSeparation:
1281 intptr = &use_privsep;
1282 multistate_ptr = multistate_privsep;
1283 goto parse_multistate;
1286 while ((arg = strdelim(&cp)) && *arg != '\0') {
1287 if (options->num_allow_users >= MAX_ALLOW_USERS)
1288 fatal("%s line %d: too many allow users.",
1292 options->allow_users[options->num_allow_users++] =
1298 while ((arg = strdelim(&cp)) && *arg != '\0') {
1299 if (options->num_deny_users >= MAX_DENY_USERS)
1300 fatal("%s line %d: too many deny users.",
1304 options->deny_users[options->num_deny_users++] =
1310 while ((arg = strdelim(&cp)) && *arg != '\0') {
1311 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1312 fatal("%s line %d: too many allow groups.",
1316 options->allow_groups[options->num_allow_groups++] =
1322 while ((arg = strdelim(&cp)) && *arg != '\0') {
1323 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1324 fatal("%s line %d: too many deny groups.",
1328 options->deny_groups[options->num_deny_groups++] =
1334 arg = strdelim(&cp);
1335 if (!arg || *arg == '\0')
1336 fatal("%s line %d: Missing argument.", filename, linenum);
1337 if (!ciphers_valid(arg))
1338 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1339 filename, linenum, arg ? arg : "<NONE>");
1340 if (options->ciphers == NULL)
1341 options->ciphers = xstrdup(arg);
1345 arg = strdelim(&cp);
1346 if (!arg || *arg == '\0')
1347 fatal("%s line %d: Missing argument.", filename, linenum);
1348 if (!mac_valid(arg))
1349 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1350 filename, linenum, arg ? arg : "<NONE>");
1351 if (options->macs == NULL)
1352 options->macs = xstrdup(arg);
1355 case sKexAlgorithms:
1356 arg = strdelim(&cp);
1357 if (!arg || *arg == '\0')
1358 fatal("%s line %d: Missing argument.",
1360 if (!kex_names_valid(arg))
1361 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1362 filename, linenum, arg ? arg : "<NONE>");
1363 if (options->kex_algorithms == NULL)
1364 options->kex_algorithms = xstrdup(arg);
1368 intptr = &options->protocol;
1369 arg = strdelim(&cp);
1370 if (!arg || *arg == '\0')
1371 fatal("%s line %d: Missing argument.", filename, linenum);
1372 value = proto_spec(arg);
1373 if (value == SSH_PROTO_UNKNOWN)
1374 fatal("%s line %d: Bad protocol spec '%s'.",
1375 filename, linenum, arg ? arg : "<NONE>");
1376 if (*intptr == SSH_PROTO_UNKNOWN)
1381 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1382 fatal("%s line %d: too many subsystems defined.",
1385 arg = strdelim(&cp);
1386 if (!arg || *arg == '\0')
1387 fatal("%s line %d: Missing subsystem name.",
1390 arg = strdelim(&cp);
1393 for (i = 0; i < options->num_subsystems; i++)
1394 if (strcmp(arg, options->subsystem_name[i]) == 0)
1395 fatal("%s line %d: Subsystem '%s' already defined.",
1396 filename, linenum, arg);
1397 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1398 arg = strdelim(&cp);
1399 if (!arg || *arg == '\0')
1400 fatal("%s line %d: Missing subsystem command.",
1402 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1404 /* Collect arguments (separate to executable) */
1406 len = strlen(p) + 1;
1407 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1408 len += 1 + strlen(arg);
1409 p = xrealloc(p, 1, len);
1410 strlcat(p, " ", len);
1411 strlcat(p, arg, len);
1413 options->subsystem_args[options->num_subsystems] = p;
1414 options->num_subsystems++;
1418 arg = strdelim(&cp);
1419 if (!arg || *arg == '\0')
1420 fatal("%s line %d: Missing MaxStartups spec.",
1422 if ((n = sscanf(arg, "%d:%d:%d",
1423 &options->max_startups_begin,
1424 &options->max_startups_rate,
1425 &options->max_startups)) == 3) {
1426 if (options->max_startups_begin >
1427 options->max_startups ||
1428 options->max_startups_rate > 100 ||
1429 options->max_startups_rate < 1)
1430 fatal("%s line %d: Illegal MaxStartups spec.",
1433 fatal("%s line %d: Illegal MaxStartups spec.",
1436 options->max_startups = options->max_startups_begin;
1440 intptr = &options->max_authtries;
1444 intptr = &options->max_sessions;
1448 charptr = &options->banner;
1449 goto parse_filename;
1452 * These options can contain %X options expanded at
1453 * connect time, so that you can specify paths like:
1455 * AuthorizedKeysFile /etc/ssh_keys/%u
1457 case sAuthorizedKeysFile:
1458 if (*activep && options->num_authkeys_files == 0) {
1459 while ((arg = strdelim(&cp)) && *arg != '\0') {
1460 if (options->num_authkeys_files >=
1462 fatal("%s line %d: "
1463 "too many authorized keys files.",
1465 options->authorized_keys_files[
1466 options->num_authkeys_files++] =
1467 tilde_expand_filename(arg, getuid());
1472 case sAuthorizedPrincipalsFile:
1473 charptr = &options->authorized_principals_file;
1474 arg = strdelim(&cp);
1475 if (!arg || *arg == '\0')
1476 fatal("%s line %d: missing file name.",
1478 if (*activep && *charptr == NULL) {
1479 *charptr = tilde_expand_filename(arg, getuid());
1480 /* increase optional counter */
1482 *intptr = *intptr + 1;
1486 case sClientAliveInterval:
1487 intptr = &options->client_alive_interval;
1490 case sClientAliveCountMax:
1491 intptr = &options->client_alive_count_max;
1495 while ((arg = strdelim(&cp)) && *arg != '\0') {
1496 if (strchr(arg, '=') != NULL)
1497 fatal("%s line %d: Invalid environment name.",
1499 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1500 fatal("%s line %d: too many allow env.",
1504 options->accept_env[options->num_accept_env++] =
1510 intptr = &options->permit_tun;
1511 arg = strdelim(&cp);
1512 if (!arg || *arg == '\0')
1513 fatal("%s line %d: Missing yes/point-to-point/"
1514 "ethernet/no argument.", filename, linenum);
1516 for (i = 0; tunmode_desc[i].val != -1; i++)
1517 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1518 value = tunmode_desc[i].val;
1522 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1523 "no argument: %s", filename, linenum, arg);
1530 fatal("Match directive not supported as a command-line "
1532 value = match_cfg_line(&cp, linenum, connectinfo);
1534 fatal("%s line %d: Bad Match condition", filename,
1540 arg = strdelim(&cp);
1541 if (!arg || *arg == '\0')
1542 fatal("%s line %d: missing PermitOpen specification",
1544 n = options->num_permitted_opens; /* modified later */
1545 if (strcmp(arg, "any") == 0) {
1546 if (*activep && n == -1) {
1547 channel_clear_adm_permitted_opens();
1548 options->num_permitted_opens = 0;
1552 if (strcmp(arg, "none") == 0) {
1553 if (*activep && n == -1) {
1554 options->num_permitted_opens = 1;
1555 channel_disable_adm_local_opens();
1559 if (*activep && n == -1)
1560 channel_clear_adm_permitted_opens();
1561 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1564 fatal("%s line %d: missing host in PermitOpen",
1566 p = cleanhostname(p);
1567 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1568 fatal("%s line %d: bad port number in "
1569 "PermitOpen", filename, linenum);
1570 if (*activep && n == -1)
1571 options->num_permitted_opens =
1572 channel_add_adm_permitted_opens(p, port);
1578 fatal("%.200s line %d: Missing argument.", filename,
1580 len = strspn(cp, WHITESPACE);
1581 if (*activep && options->adm_forced_command == NULL)
1582 options->adm_forced_command = xstrdup(cp + len);
1585 case sChrootDirectory:
1586 charptr = &options->chroot_directory;
1588 arg = strdelim(&cp);
1589 if (!arg || *arg == '\0')
1590 fatal("%s line %d: missing file name.",
1592 if (*activep && *charptr == NULL)
1593 *charptr = xstrdup(arg);
1596 case sTrustedUserCAKeys:
1597 charptr = &options->trusted_user_ca_keys;
1598 goto parse_filename;
1601 charptr = &options->revoked_keys_file;
1602 goto parse_filename;
1605 arg = strdelim(&cp);
1606 if ((value = parse_ipqos(arg)) == -1)
1607 fatal("%s line %d: Bad IPQoS value: %s",
1608 filename, linenum, arg);
1609 arg = strdelim(&cp);
1612 else if ((value2 = parse_ipqos(arg)) == -1)
1613 fatal("%s line %d: Bad IPQoS value: %s",
1614 filename, linenum, arg);
1616 options->ip_qos_interactive = value;
1617 options->ip_qos_bulk = value2;
1621 case sVersionAddendum:
1623 fatal("%.200s line %d: Missing argument.", filename,
1625 len = strspn(cp, WHITESPACE);
1626 if (*activep && options->version_addendum == NULL) {
1627 if (strcasecmp(cp + len, "none") == 0)
1628 options->version_addendum = xstrdup("");
1629 else if (strchr(cp + len, '\r') != NULL)
1630 fatal("%.200s line %d: Invalid argument",
1633 options->version_addendum = xstrdup(cp + len);
1637 case sAuthorizedKeysCommand:
1638 len = strspn(cp, WHITESPACE);
1639 if (*activep && options->authorized_keys_command == NULL) {
1640 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1641 fatal("%.200s line %d: AuthorizedKeysCommand "
1642 "must be an absolute path",
1644 options->authorized_keys_command = xstrdup(cp + len);
1648 case sAuthorizedKeysCommandUser:
1649 charptr = &options->authorized_keys_command_user;
1651 arg = strdelim(&cp);
1652 if (*activep && *charptr == NULL)
1653 *charptr = xstrdup(arg);
1656 case sAuthenticationMethods:
1657 if (*activep && options->num_auth_methods == 0) {
1658 while ((arg = strdelim(&cp)) && *arg != '\0') {
1659 if (options->num_auth_methods >=
1661 fatal("%s line %d: "
1662 "too many authentication methods.",
1664 if (auth2_methods_valid(arg, 0) != 0)
1665 fatal("%s line %d: invalid "
1666 "authentication method list.",
1668 options->auth_methods[
1669 options->num_auth_methods++] = xstrdup(arg);
1675 intptr = &options->hpn_disabled;
1678 case sHPNBufferSize:
1679 intptr = &options->hpn_buffer_size;
1682 case sTcpRcvBufPoll:
1683 intptr = &options->tcp_rcv_buf_poll;
1686 #ifdef NONE_CIPHER_ENABLED
1688 intptr = &options->none_enabled;
1693 logit("%s line %d: Deprecated option %s",
1694 filename, linenum, arg);
1696 arg = strdelim(&cp);
1700 logit("%s line %d: Unsupported option %s",
1701 filename, linenum, arg);
1703 arg = strdelim(&cp);
1707 fatal("%s line %d: Missing handler for opcode %s (%d)",
1708 filename, linenum, arg, opcode);
1710 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1711 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1712 filename, linenum, arg);
1716 /* Reads the server configuration file. */
/*
 * load_server_config: read the file named by `filename` into `conf`
 * with comments and leading whitespace removed, keeping one '\n' per
 * input line so later error messages can still cite line numbers, and
 * append a NUL so the buffer can be walked as a C string.
 * The return type, the fopen() failure branch and the increment of
 * `lineno` (read below) are not visible in this excerpt.
 */
1719 load_server_config(const char *filename, Buffer *conf)
1721 char line[4096], *cp;
1725 debug2("%s: filename %s", __func__, filename);
1726 if ((f = fopen(filename, "r")) == NULL) {
/* fgets() stops at '\n' or after sizeof(line) - 1 bytes, whichever comes first. */
1731 while (fgets(line, sizeof(line), f)) {
/*
 * Any line that fills the buffer is rejected outright, including one
 * whose final byte is the '\n' itself.  Conservative, but it guarantees
 * an over-long line is never silently split into two config lines.
 */
1733 if (strlen(line) == sizeof(line) - 1)
1734 fatal("%s line %d too long", filename, lineno);
1736 * Trim out comments and strip whitespace
1737 * NB - preserve newlines, they are needed to reproduce
1738 * line numbers later for error messages
/*
 * The first '#' ends the line: it is overwritten with "\n\0".  This is
 * not quote-aware, so a '#' inside a value also starts a comment.
 */
1740 if ((cp = strchr(line, '#')) != NULL)
1741 memcpy(cp, "\n", 2);
/* Skip leading blanks, tabs and CR so `cp` starts at the keyword; '\n' is kept. */
1742 cp = line + strspn(line, " \t\r");
1744 buffer_append(conf, cp, strlen(cp));
/* Terminating NUL: parse_server_config() copies the buffer with xstrdup(buffer_ptr(conf)). */
1746 buffer_append(conf, "\0", 1);
1748 debug2("%s: done config len = %d", __func__, buffer_len(conf));
/*
 * parse_server_match_config: re-parse the saved configuration for one
 * connection so that Match blocks are evaluated, then fold whatever
 * they set into `options`.  The return type, the declarations of `mo`
 * and `cfg`, and the closing brace are outside this excerpt; `cfg` is
 * presumably the config buffer saved at startup — confirm.
 */
1752 parse_server_match_config(ServerOptions *options,
1753 struct connection_info *connectinfo)
/* Start the scratch copy from the -1 / NULL defaults so only values set during this pass count as "set". */
1757 initialize_server_options(&mo);
/* "reprocess config" is the file name shown in error messages for this pass. */
1758 parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
/* preauth == 0: string and array options are copied as well as the integer ones. */
1759 copy_set_server_options(options, &mo, 0);
/*
 * parse_server_match_testspec: fill `ci` from a comma-separated list of
 * "key=value" items used by test mode.  Recognised keys: addr=, host=,
 * user=, laddr=, lport=.  `spec` is consumed destructively by strsep().
 * The loop also stops at the first empty item, so anything after a
 * doubled comma is ignored.  A repeated key overwrites the earlier
 * pointer without freeing it.  The return value and the function's
 * tail are not visible in this excerpt.
 */
1762 int parse_server_match_testspec(struct connection_info *ci, char *spec)
/* Items are matched by prefix; the value is whatever follows the '='. */
1766 while ((p = strsep(&spec, ",")) && *p != '\0') {
1767 if (strncmp(p, "addr=", 5) == 0) {
1768 ci->address = xstrdup(p + 5);
1769 } else if (strncmp(p, "host=", 5) == 0) {
1770 ci->host = xstrdup(p + 5);
1771 } else if (strncmp(p, "user=", 5) == 0) {
1772 ci->user = xstrdup(p + 5);
1773 } else if (strncmp(p, "laddr=", 6) == 0) {
1774 ci->laddress = xstrdup(p + 6);
1775 } else if (strncmp(p, "lport=", 6) == 0) {
/* a2port() signals a bad port with -1. */
1776 ci->lport = a2port(p + 6);
1777 if (ci->lport == -1) {
1778 fprintf(stderr, "Invalid port '%s' in test mode"
1779 " specification %s\n", p+6, p);
/* Any other key is reported; what happens after the message is not shown here. */
1783 fprintf(stderr, "Invalid test mode specification %s\n",
1792 * returns 1 for a complete spec, 0 for partial spec and -1 for an
/*
 * server_match_spec_complete: classify a test-mode connection spec.
 * Only user, host and address are considered; laddress and lport
 * play no part.  Returns 1 when all three are set, -1 when none is,
 * and 0 when only some are.
 */
1795 int server_match_spec_complete(struct connection_info *ci)
1797 if (ci->user && ci->host && ci->address)
1798 return 1; /* complete */
1799 if (!ci->user && !ci->host && !ci->address)
1800 return -1; /* empty */
1801 return 0; /* partial */
1805 * Copy any supported values that are set.
1807 * If the preauth flag is set, we do not bother copying the string or
1808 * array values that are not used pre-authentication, because any that we
1809 * do use must be explicitly sent in mm_getpwnamallow().
/*
 * dst: options being updated in place; src: options produced by a
 * Match re-parse; preauth: non-zero when called from the
 * pre-authentication context, in which case the string/array options
 * below the marker comment are not copied (the gate itself is in lines
 * omitted from this excerpt).
 */
1812 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
/*
 * M_CP_INTOPT(n): copy integer option n from src when src has it set.
 * The macro body (the "is set" test) is not in this excerpt; the
 * header comment says only set values are copied.
 */
1814 #define M_CP_INTOPT(n) do {\
/*
 * Integer options come first because they are safe to copy before
 * authentication; this set decides which auth methods are offered and
 * whether root may log in, so Match-specific values apply early.
 */
1819 M_CP_INTOPT(password_authentication);
1820 M_CP_INTOPT(gss_authentication);
1821 M_CP_INTOPT(rsa_authentication);
1822 M_CP_INTOPT(pubkey_authentication);
1823 M_CP_INTOPT(kerberos_authentication);
1824 M_CP_INTOPT(hostbased_authentication);
1825 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1826 M_CP_INTOPT(kbd_interactive_authentication);
1827 M_CP_INTOPT(permit_root_login);
1828 M_CP_INTOPT(permit_empty_passwd);
1830 M_CP_INTOPT(allow_tcp_forwarding);
1831 M_CP_INTOPT(allow_agent_forwarding);
1832 M_CP_INTOPT(permit_tun);
1833 M_CP_INTOPT(gateway_ports);
1834 M_CP_INTOPT(x11_display_offset);
1835 M_CP_INTOPT(x11_forwarding);
1836 M_CP_INTOPT(x11_use_localhost);
1837 M_CP_INTOPT(permit_tty);
1838 M_CP_INTOPT(max_sessions);
1839 M_CP_INTOPT(max_authtries);
1840 M_CP_INTOPT(ip_qos_interactive);
1841 M_CP_INTOPT(ip_qos_bulk);
1842 M_CP_INTOPT(rekey_limit);
1843 M_CP_INTOPT(rekey_interval);
1845 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
/*
 * M_CP_STROPT(n): copy string option n when src has one and it is not
 * already the very pointer dst holds.  The copy itself is in lines
 * omitted from this excerpt.
 */
1846 #define M_CP_STROPT(n) do {\
1847 if (src->n != NULL && dst->n != src->n) { \
/*
 * M_CP_STRARRAYOPT(n, num_n): when src has entries, rebuild dst's array
 * from xstrdup()'d copies of them.  NOTE(review): the visible lines do
 * not free dst's previous entries — confirm callers never pass a dst
 * that already owns strings here, or those leak.
 */
1852 #define M_CP_STRARRAYOPT(n, num_n) do {\
1853 if (src->num_n != 0) { \
1854 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1855 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1859 /* See comment in servconf.h */
/* The list of Match-able string options is presumably kept in servconf.h so it has a single definition. */
1860 COPY_MATCH_STRING_OPTS();
1863 * The only things that should be below this point are string options
1864 * which are only used after authentication.
/* ForceCommand and ChrootDirectory only matter once a session is being set up. */
1869 M_CP_STROPT(adm_forced_command);
1870 M_CP_STROPT(chroot_directory);
1875 #undef M_CP_STRARRAYOPT
/*
 * parse_server_config: hand every line of the NUL-terminated buffer
 * `conf` to process_server_config_line(), then abort if any line was
 * rejected.  `filename` is only used in messages.  The return type,
 * the initialisation of `linenum`, the bad_options increment and the
 * release of `obuf` are not visible in this excerpt.
 */
1878 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1879 struct connection_info *connectinfo)
1881 int active, linenum, bad_options = 0;
1882 char *cp, *obuf, *cbuf;
1884 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
/* Work on a private copy: strsep() writes NULs into the string it walks. */
1886 obuf = cbuf = xstrdup(buffer_ptr(conf));
/*
 * Without connection info this is the startup parse and lines apply
 * from the top.  With connection info it is a Match re-parse, so lines
 * start inactive and presumably only a matching Match directive
 * (handled inside process_server_config_line) turns them on.
 */
1887 active = connectinfo ? 0 : 1;
1889 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1890 if (process_server_config_line(options, cp, filename,
1891 linenum++, &active, connectinfo) != 0)
/* A non-zero return is presumably counted in bad_options (omitted line); any count aborts after the whole file is read. */
1895 if (bad_options > 0)
1896 fatal("%s: terminating, %d bad configuration options",
1897 filename, bad_options);
/*
 * fmt_multistate_int: map an option's integer value back to its keyword
 * using a multistate table terminated by a NULL key.  The return type,
 * the matching return and the not-found fallback are outside this excerpt.
 */
1901 fmt_multistate_int(int val, const struct multistate *m)
1905 for (i = 0; m[i].key != NULL; i++) {
1906 if (m[i].value == val)
/*
 * fmt_intarg: render the integer value of option `code` as the keyword
 * a config file would use, choosing the multistate table by opcode.
 * Used by dump_cfg_fmtint().  The return type, the switch header, the
 * remaining cases and the default are not visible in this excerpt.
 */
1913 fmt_intarg(ServerOpCodes code, int val)
1918 case sAddressFamily:
1919 return fmt_multistate_int(val, multistate_addressfamily);
1920 case sPermitRootLogin:
1921 return fmt_multistate_int(val, multistate_permitrootlogin);
1923 return fmt_multistate_int(val, multistate_gatewayports);
1925 return fmt_multistate_int(val, multistate_compression);
1926 case sUsePrivilegeSeparation:
1927 return fmt_multistate_int(val, multistate_privsep);
1928 case sAllowTcpForwarding:
1929 return fmt_multistate_int(val, multistate_tcpfwd);
/* Protocol is a bit mask; this case covers both versions being enabled. */
1936 case (SSH_PROTO_1|SSH_PROTO_2):
/*
 * lookup_opcode_name: linear scan of the NULL-terminated keywords[]
 * table for the keyword spelling of `code`.  The return type and the
 * value returned when nothing matches are outside this excerpt.
 */
1954 lookup_opcode_name(ServerOpCodes code)
1958 for (i = 0; keywords[i].name != NULL; i++)
1959 if (keywords[i].opcode == code)
1960 return(keywords[i].name);
/* dump_cfg_int: print "<keyword> <val>" for a plain integer option. */
1965 dump_cfg_int(ServerOpCodes code, int val)
1967 printf("%s %d\n", lookup_opcode_name(code), val);
/* dump_cfg_fmtint: print "<keyword> <word>" for an integer option that has keyword spellings (yes/no, multistate). */
1971 dump_cfg_fmtint(ServerOpCodes code, int val)
1973 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
/*
 * dump_cfg_string: print "<keyword> <val>" for a string option.
 * Passing NULL to "%s" is undefined behaviour; the three lines omitted
 * before the printf presumably guard against a NULL `val` — confirm.
 */
1977 dump_cfg_string(ServerOpCodes code, const char *val)
1981 printf("%s %s\n", lookup_opcode_name(code), val);
/*
 * dump_cfg_strarray: print one "<keyword> <value>" line per entry.
 * With count == 0 nothing is printed, so an unset list option is
 * simply absent from the dump.
 */
1985 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1989 for (i = 0; i < count; i++)
1990 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
/*
 * dump_cfg_strarray_oneline: print the keyword followed by every entry
 * on a single line.  Unlike dump_cfg_strarray(), the keyword is printed
 * even when count == 0.  The trailing newline is on an omitted line.
 */
1994 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
1998 printf("%s", lookup_opcode_name(code));
1999 for (i = 0; i < count; i++)
2000 printf(" %s", vals[i]);
/*
 * dump_config: print the effective server configuration, one keyword
 * per line, in a form resembling sshd_config.  Only the global
 * (non-Match) values in `o` are shown.  The declarations of `i` and
 * `ret` and the function's return type are outside this excerpt.
 * NOTE(review): the HPN-specific options parsed earlier in this file
 * (hpn_disabled, hpn_buffer_size, tcp_rcv_buf_poll and, under
 * NONE_CIPHER_ENABLED, none_enabled) do not appear in this dump, so a
 * config review based on its output will not see them — confirm
 * whether that is intended.
 */
2005 dump_config(ServerOptions *o)
2009 struct addrinfo *ai;
/* `s` receives the PermitTunnel keyword looked up below; it stays NULL if no table entry matches. */
2010 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2012 /* these are usually at the top of the config */
2013 for (i = 0; i < o->num_ports; i++)
2014 printf("port %d\n", o->ports[i]);
2015 dump_cfg_fmtint(sProtocol, o->protocol);
2016 dump_cfg_fmtint(sAddressFamily, o->address_family);
2018 /* ListenAddress must be after Port */
/* Numeric host and service only (NI_NUMERICHOST|NI_NUMERICSERV): no reverse lookups while dumping. */
2019 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2020 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2021 sizeof(addr), port, sizeof(port),
2022 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2023 error("getnameinfo failed: %.100s",
2024 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
/* IPv6 literals are bracketed so the address:port form stays unambiguous. */
2027 if (ai->ai_family == AF_INET6)
2028 printf("listenaddress [%s]:%s\n", addr, port);
2030 printf("listenaddress %s:%s\n", addr, port);
2034 /* integer arguments */
2036 dump_cfg_int(sUsePAM, o->use_pam);
2038 dump_cfg_int(sServerKeyBits, o->server_key_bits);
2039 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2040 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
2041 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2042 dump_cfg_int(sMaxAuthTries, o->max_authtries);
2043 dump_cfg_int(sMaxSessions, o->max_sessions);
2044 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2045 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2047 /* formatted integer arguments */
2048 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2049 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2050 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2051 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2052 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2053 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2054 o->hostbased_uses_name_from_packet_only);
2055 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
2056 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2058 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2059 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2060 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2062 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2066 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2067 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2069 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2070 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2071 o->kbd_interactive_authentication);
2072 dump_cfg_fmtint(sChallengeResponseAuthentication,
2073 o->challenge_response_authentication);
2074 dump_cfg_fmtint(sPrintMotd, o->print_motd);
2075 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2076 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2077 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2078 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2079 dump_cfg_fmtint(sStrictModes, o->strict_modes);
2080 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2081 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2082 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2083 dump_cfg_fmtint(sUseLogin, o->use_login);
2084 dump_cfg_fmtint(sCompression, o->compression);
2085 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
2086 dump_cfg_fmtint(sUseDNS, o->use_dns);
2087 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
/* UsePrivilegeSeparation lives in the file-scope global use_privsep, not in ServerOptions. */
2088 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2090 /* string arguments */
2091 dump_cfg_string(sPidFile, o->pid_file);
2092 dump_cfg_string(sXAuthLocation, o->xauth_location);
/* When Ciphers/MACs were never set, print the built-in default lists so the dump shows what is actually in effect. */
2093 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
2094 cipher_alg_list(',', 0));
2095 dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(','));
2096 dump_cfg_string(sBanner, o->banner);
2097 dump_cfg_string(sForceCommand, o->adm_forced_command);
2098 dump_cfg_string(sChrootDirectory, o->chroot_directory);
2099 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2100 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2101 dump_cfg_string(sAuthorizedPrincipalsFile,
2102 o->authorized_principals_file);
2103 dump_cfg_string(sVersionAddendum, o->version_addendum);
2104 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2105 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2106 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
/* Same default-list treatment for KexAlgorithms; the fallback expression is on an omitted line. */
2107 dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
2110 /* string arguments requiring a lookup */
2111 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2112 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2114 /* string array arguments */
2115 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2116 o->authorized_keys_files);
2117 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
/*
 * NOTE(review): host certificates are printed under the HostKey
 * keyword (sHostKeyFile) rather than HostCertificate, so a dump fed
 * back in as a config would load certificate files as host keys.
 * Presumably this should be sHostCertificate — confirm against the
 * parser's sHostCertificate case.
 */
2119 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
2120 o->host_cert_files);
2121 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2122 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2123 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2124 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2125 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2126 dump_cfg_strarray_oneline(sAuthenticationMethods,
2127 o->num_auth_methods, o->auth_methods);
2129 /* other arguments */
2130 for (i = 0; i < o->num_subsystems; i++)
/* subsystem_args is presumably the command and its arguments joined by single spaces, as built by the parser's Subsystem case. */
2131 printf("subsystem %s %s\n", o->subsystem_name[i],
2132 o->subsystem_args[i]);
2134 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2135 o->max_startups_rate, o->max_startups);
/* Reverse lookup of the PermitTunnel value; tunmode_desc is terminated by val == -1. */
2137 for (i = 0; tunmode_desc[i].val != -1; i++)
2138 if (tunmode_desc[i].val == o->permit_tun) {
2139 s = tunmode_desc[i].text;
/* `s` is still NULL here if permit_tun matched no entry; dump_cfg_string() must cope with that. */
2142 dump_cfg_string(sPermitTunnel, s);
2144 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2145 printf("%s\n", iptos2str(o->ip_qos_bulk));
/* rekey_limit is widened to long long for %lld; the interval argument is on the omitted next line. */
2147 printf("rekeylimit %lld %d\n", (long long)o->rekey_limit,
/* PermitOpen entries are held by the channel layer (see channel_add_adm_permitted_opens in the parser), so it prints them. */
2150 channel_print_adm_permitted_opens();