2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
13 RCSID("$OpenBSD: servconf.c,v 1.144 2005/08/06 10:03:12 dtucker Exp $");
21 #include "pathnames.h"
27 static void add_listen_addr(ServerOptions *, char *, u_short);
28 static void add_one_listen_addr(ServerOptions *, char *, u_short);
30 /* Use of privilege separation or not */
31 extern int use_privsep;
33 /* Initializes the server options to their default values. */
36 initialize_server_options(ServerOptions *options)
38 memset(options, 0, sizeof(*options));
40 /* Portable-specific options */
41 options->use_pam = -1;
43 /* Standard Options */
44 options->num_ports = 0;
45 options->ports_from_cmdline = 0;
46 options->listen_addrs = NULL;
47 options->address_family = -1;
48 options->num_host_key_files = 0;
49 options->pid_file = NULL;
50 options->server_key_bits = -1;
51 options->login_grace_time = -1;
52 options->key_regeneration_time = -1;
53 options->permit_root_login = PERMIT_NOT_SET;
54 options->ignore_rhosts = -1;
55 options->ignore_user_known_hosts = -1;
56 options->print_motd = -1;
57 options->print_lastlog = -1;
58 options->x11_forwarding = -1;
59 options->x11_display_offset = -1;
60 options->x11_use_localhost = -1;
61 options->xauth_location = NULL;
62 options->strict_modes = -1;
63 options->tcp_keep_alive = -1;
64 options->log_facility = SYSLOG_FACILITY_NOT_SET;
65 options->log_level = SYSLOG_LEVEL_NOT_SET;
66 options->rhosts_rsa_authentication = -1;
67 options->hostbased_authentication = -1;
68 options->hostbased_uses_name_from_packet_only = -1;
69 options->rsa_authentication = -1;
70 options->pubkey_authentication = -1;
71 options->kerberos_authentication = -1;
72 options->kerberos_or_local_passwd = -1;
73 options->kerberos_ticket_cleanup = -1;
74 options->kerberos_get_afs_token = -1;
75 options->gss_authentication=-1;
76 options->gss_cleanup_creds = -1;
77 options->password_authentication = -1;
78 options->kbd_interactive_authentication = -1;
79 options->challenge_response_authentication = -1;
80 options->permit_empty_passwd = -1;
81 options->permit_user_env = -1;
82 options->use_login = -1;
83 options->compression = -1;
84 options->allow_tcp_forwarding = -1;
85 options->num_allow_users = 0;
86 options->num_deny_users = 0;
87 options->num_allow_groups = 0;
88 options->num_deny_groups = 0;
89 options->ciphers = NULL;
91 options->protocol = SSH_PROTO_UNKNOWN;
92 options->gateway_ports = -1;
93 options->num_subsystems = 0;
94 options->max_startups_begin = -1;
95 options->max_startups_rate = -1;
96 options->max_startups = -1;
97 options->max_authtries = -1;
98 options->banner = NULL;
99 options->use_dns = -1;
100 options->client_alive_interval = -1;
101 options->client_alive_count_max = -1;
102 options->authorized_keys_file = NULL;
103 options->authorized_keys_file2 = NULL;
104 options->num_accept_env = 0;
106 /* Needs to be accessable in many places */
111 fill_default_server_options(ServerOptions *options)
113 /* Portable-specific options */
114 if (options->use_pam == -1)
115 options->use_pam = 1;
117 /* Standard Options */
118 if (options->protocol == SSH_PROTO_UNKNOWN)
119 options->protocol = SSH_PROTO_2;
120 if (options->num_host_key_files == 0) {
121 /* fill default hostkeys for protocols */
122 if (options->protocol & SSH_PROTO_1)
123 options->host_key_files[options->num_host_key_files++] =
125 if (options->protocol & SSH_PROTO_2) {
126 options->host_key_files[options->num_host_key_files++] =
127 _PATH_HOST_DSA_KEY_FILE;
130 if (options->num_ports == 0)
131 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
132 if (options->listen_addrs == NULL)
133 add_listen_addr(options, NULL, 0);
134 if (options->pid_file == NULL)
135 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
136 if (options->server_key_bits == -1)
137 options->server_key_bits = 768;
138 if (options->login_grace_time == -1)
139 options->login_grace_time = 120;
140 if (options->key_regeneration_time == -1)
141 options->key_regeneration_time = 3600;
142 if (options->permit_root_login == PERMIT_NOT_SET)
143 options->permit_root_login = PERMIT_NO;
144 if (options->ignore_rhosts == -1)
145 options->ignore_rhosts = 1;
146 if (options->ignore_user_known_hosts == -1)
147 options->ignore_user_known_hosts = 0;
148 if (options->print_motd == -1)
149 options->print_motd = 1;
150 if (options->print_lastlog == -1)
151 options->print_lastlog = 1;
152 if (options->x11_forwarding == -1)
153 options->x11_forwarding = 1;
154 if (options->x11_display_offset == -1)
155 options->x11_display_offset = 10;
156 if (options->x11_use_localhost == -1)
157 options->x11_use_localhost = 1;
158 if (options->xauth_location == NULL)
159 options->xauth_location = _PATH_XAUTH;
160 if (options->strict_modes == -1)
161 options->strict_modes = 1;
162 if (options->tcp_keep_alive == -1)
163 options->tcp_keep_alive = 1;
164 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
165 options->log_facility = SYSLOG_FACILITY_AUTH;
166 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
167 options->log_level = SYSLOG_LEVEL_INFO;
168 if (options->rhosts_rsa_authentication == -1)
169 options->rhosts_rsa_authentication = 0;
170 if (options->hostbased_authentication == -1)
171 options->hostbased_authentication = 0;
172 if (options->hostbased_uses_name_from_packet_only == -1)
173 options->hostbased_uses_name_from_packet_only = 0;
174 if (options->rsa_authentication == -1)
175 options->rsa_authentication = 1;
176 if (options->pubkey_authentication == -1)
177 options->pubkey_authentication = 1;
178 if (options->kerberos_authentication == -1)
179 options->kerberos_authentication = 0;
180 if (options->kerberos_or_local_passwd == -1)
181 options->kerberos_or_local_passwd = 1;
182 if (options->kerberos_ticket_cleanup == -1)
183 options->kerberos_ticket_cleanup = 1;
184 if (options->kerberos_get_afs_token == -1)
185 options->kerberos_get_afs_token = 0;
186 if (options->gss_authentication == -1)
187 options->gss_authentication = 0;
188 if (options->gss_cleanup_creds == -1)
189 options->gss_cleanup_creds = 1;
190 if (options->password_authentication == -1)
192 options->password_authentication = 0;
194 options->password_authentication = 1;
196 if (options->kbd_interactive_authentication == -1)
197 options->kbd_interactive_authentication = 0;
198 if (options->challenge_response_authentication == -1)
199 options->challenge_response_authentication = 1;
200 if (options->permit_empty_passwd == -1)
201 options->permit_empty_passwd = 0;
202 if (options->permit_user_env == -1)
203 options->permit_user_env = 0;
204 if (options->use_login == -1)
205 options->use_login = 0;
206 if (options->compression == -1)
207 options->compression = COMP_DELAYED;
208 if (options->allow_tcp_forwarding == -1)
209 options->allow_tcp_forwarding = 1;
210 if (options->gateway_ports == -1)
211 options->gateway_ports = 0;
212 if (options->max_startups == -1)
213 options->max_startups = 10;
214 if (options->max_startups_rate == -1)
215 options->max_startups_rate = 100; /* 100% */
216 if (options->max_startups_begin == -1)
217 options->max_startups_begin = options->max_startups;
218 if (options->max_authtries == -1)
219 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
220 if (options->use_dns == -1)
221 options->use_dns = 1;
222 if (options->client_alive_interval == -1)
223 options->client_alive_interval = 0;
224 if (options->client_alive_count_max == -1)
225 options->client_alive_count_max = 3;
226 if (options->authorized_keys_file2 == NULL) {
227 /* authorized_keys_file2 falls back to authorized_keys_file */
228 if (options->authorized_keys_file != NULL)
229 options->authorized_keys_file2 = options->authorized_keys_file;
231 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
233 if (options->authorized_keys_file == NULL)
234 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
236 /* Turn privilege separation on by default */
237 if (use_privsep == -1)
241 if (use_privsep && options->compression == 1) {
242 error("This platform does not support both privilege "
243 "separation and compression");
244 error("Compression disabled");
245 options->compression = 0;
251 /* Keyword tokens. */
253 sBadOption, /* == unknown option */
254 /* Portable-specific options */
256 /* Standard Options */
257 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
258 sPermitRootLogin, sLogFacility, sLogLevel,
259 sRhostsRSAAuthentication, sRSAAuthentication,
260 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
261 sKerberosGetAFSToken,
262 sKerberosTgtPassing, sChallengeResponseAuthentication,
263 sPasswordAuthentication, sKbdInteractiveAuthentication,
264 sListenAddress, sAddressFamily,
265 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
266 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
267 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
268 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
269 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
270 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
271 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
272 sMaxStartups, sMaxAuthTries,
273 sBanner, sUseDNS, sHostbasedAuthentication,
274 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
275 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
276 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
277 sUsePrivilegeSeparation,
279 sDeprecated, sUnsupported
282 /* Textual representation of the tokens. */
285 ServerOpCodes opcode;
287 /* Portable-specific options */
289 { "usepam", sUsePAM },
291 { "usepam", sUnsupported },
293 { "pamauthenticationviakbdint", sDeprecated },
294 /* Standard Options */
296 { "hostkey", sHostKeyFile },
297 { "hostdsakey", sHostKeyFile }, /* alias */
298 { "pidfile", sPidFile },
299 { "serverkeybits", sServerKeyBits },
300 { "logingracetime", sLoginGraceTime },
301 { "keyregenerationinterval", sKeyRegenerationTime },
302 { "permitrootlogin", sPermitRootLogin },
303 { "syslogfacility", sLogFacility },
304 { "loglevel", sLogLevel },
305 { "rhostsauthentication", sDeprecated },
306 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
307 { "hostbasedauthentication", sHostbasedAuthentication },
308 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
309 { "rsaauthentication", sRSAAuthentication },
310 { "pubkeyauthentication", sPubkeyAuthentication },
311 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
313 { "kerberosauthentication", sKerberosAuthentication },
314 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
315 { "kerberosticketcleanup", sKerberosTicketCleanup },
317 { "kerberosgetafstoken", sKerberosGetAFSToken },
319 { "kerberosgetafstoken", sUnsupported },
322 { "kerberosauthentication", sUnsupported },
323 { "kerberosorlocalpasswd", sUnsupported },
324 { "kerberosticketcleanup", sUnsupported },
325 { "kerberosgetafstoken", sUnsupported },
327 { "kerberostgtpassing", sUnsupported },
328 { "afstokenpassing", sUnsupported },
330 { "gssapiauthentication", sGssAuthentication },
331 { "gssapicleanupcredentials", sGssCleanupCreds },
333 { "gssapiauthentication", sUnsupported },
334 { "gssapicleanupcredentials", sUnsupported },
336 { "passwordauthentication", sPasswordAuthentication },
337 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
338 { "challengeresponseauthentication", sChallengeResponseAuthentication },
339 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
340 { "checkmail", sDeprecated },
341 { "listenaddress", sListenAddress },
342 { "addressfamily", sAddressFamily },
343 { "printmotd", sPrintMotd },
344 { "printlastlog", sPrintLastLog },
345 { "ignorerhosts", sIgnoreRhosts },
346 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
347 { "x11forwarding", sX11Forwarding },
348 { "x11displayoffset", sX11DisplayOffset },
349 { "x11uselocalhost", sX11UseLocalhost },
350 { "xauthlocation", sXAuthLocation },
351 { "strictmodes", sStrictModes },
352 { "permitemptypasswords", sEmptyPasswd },
353 { "permituserenvironment", sPermitUserEnvironment },
354 { "uselogin", sUseLogin },
355 { "compression", sCompression },
356 { "tcpkeepalive", sTCPKeepAlive },
357 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
358 { "allowtcpforwarding", sAllowTcpForwarding },
359 { "allowusers", sAllowUsers },
360 { "denyusers", sDenyUsers },
361 { "allowgroups", sAllowGroups },
362 { "denygroups", sDenyGroups },
363 { "ciphers", sCiphers },
365 { "protocol", sProtocol },
366 { "gatewayports", sGatewayPorts },
367 { "subsystem", sSubsystem },
368 { "maxstartups", sMaxStartups },
369 { "maxauthtries", sMaxAuthTries },
370 { "banner", sBanner },
371 { "usedns", sUseDNS },
372 { "verifyreversemapping", sDeprecated },
373 { "reversemappingcheck", sDeprecated },
374 { "clientaliveinterval", sClientAliveInterval },
375 { "clientalivecountmax", sClientAliveCountMax },
376 { "authorizedkeysfile", sAuthorizedKeysFile },
377 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
378 { "useprivilegeseparation", sUsePrivilegeSeparation},
379 { "acceptenv", sAcceptEnv },
380 { "versionaddendum", sVersionAddendum },
385 * Returns the number of the token pointed to by cp or sBadOption.
389 parse_token(const char *cp, const char *filename,
394 for (i = 0; keywords[i].name; i++)
395 if (strcasecmp(cp, keywords[i].name) == 0)
396 return keywords[i].opcode;
398 error("%s: line %d: Bad configuration option: %s",
399 filename, linenum, cp);
404 add_listen_addr(ServerOptions *options, char *addr, u_short port)
408 if (options->num_ports == 0)
409 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
410 if (options->address_family == -1)
411 options->address_family = AF_UNSPEC;
413 for (i = 0; i < options->num_ports; i++)
414 add_one_listen_addr(options, addr, options->ports[i]);
416 add_one_listen_addr(options, addr, port);
420 add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
422 struct addrinfo hints, *ai, *aitop;
423 char strport[NI_MAXSERV];
426 memset(&hints, 0, sizeof(hints));
427 hints.ai_family = options->address_family;
428 hints.ai_socktype = SOCK_STREAM;
429 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
430 snprintf(strport, sizeof strport, "%u", port);
431 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
432 fatal("bad addr or host: %s (%s)",
433 addr ? addr : "<NULL>",
434 gai_strerror(gaierr));
435 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
437 ai->ai_next = options->listen_addrs;
438 options->listen_addrs = aitop;
442 process_server_config_line(ServerOptions *options, char *line,
443 const char *filename, int linenum)
445 char *cp, **charptr, *arg, *p;
446 int *intptr, value, n;
447 ServerOpCodes opcode;
453 /* Ignore leading whitespace */
456 if (!arg || !*arg || *arg == '#')
460 opcode = parse_token(arg, filename, linenum);
462 /* Portable-specific options */
464 intptr = &options->use_pam;
467 /* Standard Options */
471 /* ignore ports from configfile if cmdline specifies ports */
472 if (options->ports_from_cmdline)
474 if (options->listen_addrs != NULL)
475 fatal("%s line %d: ports must be specified before "
476 "ListenAddress.", filename, linenum);
477 if (options->num_ports >= MAX_PORTS)
478 fatal("%s line %d: too many ports.",
481 if (!arg || *arg == '\0')
482 fatal("%s line %d: missing port number.",
484 options->ports[options->num_ports++] = a2port(arg);
485 if (options->ports[options->num_ports-1] == 0)
486 fatal("%s line %d: Badly formatted port number.",
491 intptr = &options->server_key_bits;
494 if (!arg || *arg == '\0')
495 fatal("%s line %d: missing integer value.",
502 case sLoginGraceTime:
503 intptr = &options->login_grace_time;
506 if (!arg || *arg == '\0')
507 fatal("%s line %d: missing time value.",
509 if ((value = convtime(arg)) == -1)
510 fatal("%s line %d: invalid time value.",
516 case sKeyRegenerationTime:
517 intptr = &options->key_regeneration_time;
522 if (arg == NULL || *arg == '\0')
523 fatal("%s line %d: missing address",
525 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
526 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
527 && strchr(p+1, ':') != NULL) {
528 add_listen_addr(options, arg, 0);
533 fatal("%s line %d: bad address:port usage",
535 p = cleanhostname(p);
538 else if ((port = a2port(arg)) == 0)
539 fatal("%s line %d: bad port number", filename, linenum);
541 add_listen_addr(options, p, port);
547 if (!arg || *arg == '\0')
548 fatal("%s line %d: missing address family.",
550 intptr = &options->address_family;
551 if (options->listen_addrs != NULL)
552 fatal("%s line %d: address family must be specified before "
553 "ListenAddress.", filename, linenum);
554 if (strcasecmp(arg, "inet") == 0)
556 else if (strcasecmp(arg, "inet6") == 0)
558 else if (strcasecmp(arg, "any") == 0)
561 fatal("%s line %d: unsupported address family \"%s\".",
562 filename, linenum, arg);
568 intptr = &options->num_host_key_files;
569 if (*intptr >= MAX_HOSTKEYS)
570 fatal("%s line %d: too many host keys specified (max %d).",
571 filename, linenum, MAX_HOSTKEYS);
572 charptr = &options->host_key_files[*intptr];
575 if (!arg || *arg == '\0')
576 fatal("%s line %d: missing file name.",
578 if (*charptr == NULL) {
579 *charptr = tilde_expand_filename(arg, getuid());
580 /* increase optional counter */
582 *intptr = *intptr + 1;
587 charptr = &options->pid_file;
590 case sPermitRootLogin:
591 intptr = &options->permit_root_login;
593 if (!arg || *arg == '\0')
594 fatal("%s line %d: missing yes/"
595 "without-password/forced-commands-only/no "
596 "argument.", filename, linenum);
597 value = 0; /* silence compiler */
598 if (strcmp(arg, "without-password") == 0)
599 value = PERMIT_NO_PASSWD;
600 else if (strcmp(arg, "forced-commands-only") == 0)
601 value = PERMIT_FORCED_ONLY;
602 else if (strcmp(arg, "yes") == 0)
604 else if (strcmp(arg, "no") == 0)
607 fatal("%s line %d: Bad yes/"
608 "without-password/forced-commands-only/no "
609 "argument: %s", filename, linenum, arg);
615 intptr = &options->ignore_rhosts;
618 if (!arg || *arg == '\0')
619 fatal("%s line %d: missing yes/no argument.",
621 value = 0; /* silence compiler */
622 if (strcmp(arg, "yes") == 0)
624 else if (strcmp(arg, "no") == 0)
627 fatal("%s line %d: Bad yes/no argument: %s",
628 filename, linenum, arg);
633 case sIgnoreUserKnownHosts:
634 intptr = &options->ignore_user_known_hosts;
637 case sRhostsRSAAuthentication:
638 intptr = &options->rhosts_rsa_authentication;
641 case sHostbasedAuthentication:
642 intptr = &options->hostbased_authentication;
645 case sHostbasedUsesNameFromPacketOnly:
646 intptr = &options->hostbased_uses_name_from_packet_only;
649 case sRSAAuthentication:
650 intptr = &options->rsa_authentication;
653 case sPubkeyAuthentication:
654 intptr = &options->pubkey_authentication;
657 case sKerberosAuthentication:
658 intptr = &options->kerberos_authentication;
661 case sKerberosOrLocalPasswd:
662 intptr = &options->kerberos_or_local_passwd;
665 case sKerberosTicketCleanup:
666 intptr = &options->kerberos_ticket_cleanup;
669 case sKerberosGetAFSToken:
670 intptr = &options->kerberos_get_afs_token;
673 case sGssAuthentication:
674 intptr = &options->gss_authentication;
677 case sGssCleanupCreds:
678 intptr = &options->gss_cleanup_creds;
681 case sPasswordAuthentication:
682 intptr = &options->password_authentication;
685 case sKbdInteractiveAuthentication:
686 intptr = &options->kbd_interactive_authentication;
689 case sChallengeResponseAuthentication:
690 intptr = &options->challenge_response_authentication;
694 intptr = &options->print_motd;
698 intptr = &options->print_lastlog;
702 intptr = &options->x11_forwarding;
705 case sX11DisplayOffset:
706 intptr = &options->x11_display_offset;
709 case sX11UseLocalhost:
710 intptr = &options->x11_use_localhost;
714 charptr = &options->xauth_location;
718 intptr = &options->strict_modes;
722 intptr = &options->tcp_keep_alive;
726 intptr = &options->permit_empty_passwd;
729 case sPermitUserEnvironment:
730 intptr = &options->permit_user_env;
734 intptr = &options->use_login;
738 intptr = &options->compression;
740 if (!arg || *arg == '\0')
741 fatal("%s line %d: missing yes/no/delayed "
742 "argument.", filename, linenum);
743 value = 0; /* silence compiler */
744 if (strcmp(arg, "delayed") == 0)
745 value = COMP_DELAYED;
746 else if (strcmp(arg, "yes") == 0)
748 else if (strcmp(arg, "no") == 0)
751 fatal("%s line %d: Bad yes/no/delayed "
752 "argument: %s", filename, linenum, arg);
758 intptr = &options->gateway_ports;
760 if (!arg || *arg == '\0')
761 fatal("%s line %d: missing yes/no/clientspecified "
762 "argument.", filename, linenum);
763 value = 0; /* silence compiler */
764 if (strcmp(arg, "clientspecified") == 0)
766 else if (strcmp(arg, "yes") == 0)
768 else if (strcmp(arg, "no") == 0)
771 fatal("%s line %d: Bad yes/no/clientspecified "
772 "argument: %s", filename, linenum, arg);
778 intptr = &options->use_dns;
782 intptr = (int *) &options->log_facility;
784 value = log_facility_number(arg);
785 if (value == SYSLOG_FACILITY_NOT_SET)
786 fatal("%.200s line %d: unsupported log facility '%s'",
787 filename, linenum, arg ? arg : "<NONE>");
789 *intptr = (SyslogFacility) value;
793 intptr = (int *) &options->log_level;
795 value = log_level_number(arg);
796 if (value == SYSLOG_LEVEL_NOT_SET)
797 fatal("%.200s line %d: unsupported log level '%s'",
798 filename, linenum, arg ? arg : "<NONE>");
800 *intptr = (LogLevel) value;
803 case sAllowTcpForwarding:
804 intptr = &options->allow_tcp_forwarding;
807 case sUsePrivilegeSeparation:
808 intptr = &use_privsep;
812 while ((arg = strdelim(&cp)) && *arg != '\0') {
813 if (options->num_allow_users >= MAX_ALLOW_USERS)
814 fatal("%s line %d: too many allow users.",
816 options->allow_users[options->num_allow_users++] =
822 while ((arg = strdelim(&cp)) && *arg != '\0') {
823 if (options->num_deny_users >= MAX_DENY_USERS)
824 fatal( "%s line %d: too many deny users.",
826 options->deny_users[options->num_deny_users++] =
832 while ((arg = strdelim(&cp)) && *arg != '\0') {
833 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
834 fatal("%s line %d: too many allow groups.",
836 options->allow_groups[options->num_allow_groups++] =
842 while ((arg = strdelim(&cp)) && *arg != '\0') {
843 if (options->num_deny_groups >= MAX_DENY_GROUPS)
844 fatal("%s line %d: too many deny groups.",
846 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
852 if (!arg || *arg == '\0')
853 fatal("%s line %d: Missing argument.", filename, linenum);
854 if (!ciphers_valid(arg))
855 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
856 filename, linenum, arg ? arg : "<NONE>");
857 if (options->ciphers == NULL)
858 options->ciphers = xstrdup(arg);
863 if (!arg || *arg == '\0')
864 fatal("%s line %d: Missing argument.", filename, linenum);
866 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
867 filename, linenum, arg ? arg : "<NONE>");
868 if (options->macs == NULL)
869 options->macs = xstrdup(arg);
873 intptr = &options->protocol;
875 if (!arg || *arg == '\0')
876 fatal("%s line %d: Missing argument.", filename, linenum);
877 value = proto_spec(arg);
878 if (value == SSH_PROTO_UNKNOWN)
879 fatal("%s line %d: Bad protocol spec '%s'.",
880 filename, linenum, arg ? arg : "<NONE>");
881 if (*intptr == SSH_PROTO_UNKNOWN)
886 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
887 fatal("%s line %d: too many subsystems defined.",
891 if (!arg || *arg == '\0')
892 fatal("%s line %d: Missing subsystem name.",
894 for (i = 0; i < options->num_subsystems; i++)
895 if (strcmp(arg, options->subsystem_name[i]) == 0)
896 fatal("%s line %d: Subsystem '%s' already defined.",
897 filename, linenum, arg);
898 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
900 if (!arg || *arg == '\0')
901 fatal("%s line %d: Missing subsystem command.",
903 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
904 options->num_subsystems++;
909 if (!arg || *arg == '\0')
910 fatal("%s line %d: Missing MaxStartups spec.",
912 if ((n = sscanf(arg, "%d:%d:%d",
913 &options->max_startups_begin,
914 &options->max_startups_rate,
915 &options->max_startups)) == 3) {
916 if (options->max_startups_begin >
917 options->max_startups ||
918 options->max_startups_rate > 100 ||
919 options->max_startups_rate < 1)
920 fatal("%s line %d: Illegal MaxStartups spec.",
923 fatal("%s line %d: Illegal MaxStartups spec.",
926 options->max_startups = options->max_startups_begin;
930 intptr = &options->max_authtries;
934 charptr = &options->banner;
937 * These options can contain %X options expanded at
938 * connect time, so that you can specify paths like:
940 * AuthorizedKeysFile /etc/ssh_keys/%u
942 case sAuthorizedKeysFile:
943 case sAuthorizedKeysFile2:
944 charptr = (opcode == sAuthorizedKeysFile ) ?
945 &options->authorized_keys_file :
946 &options->authorized_keys_file2;
949 case sClientAliveInterval:
950 intptr = &options->client_alive_interval;
953 case sClientAliveCountMax:
954 intptr = &options->client_alive_count_max;
958 while ((arg = strdelim(&cp)) && *arg != '\0') {
959 if (strchr(arg, '=') != NULL)
960 fatal("%s line %d: Invalid environment name.",
962 if (options->num_accept_env >= MAX_ACCEPT_ENV)
963 fatal("%s line %d: too many allow env.",
965 options->accept_env[options->num_accept_env++] =
970 case sVersionAddendum:
971 ssh_version_set_addendum(strtok(cp, "\n"));
974 } while (arg != NULL && *arg != '\0');
978 logit("%s line %d: Deprecated option %s",
979 filename, linenum, arg);
985 logit("%s line %d: Unsupported option %s",
986 filename, linenum, arg);
992 fatal("%s line %d: Missing handler for opcode %s (%d)",
993 filename, linenum, arg, opcode);
995 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
996 fatal("%s line %d: garbage at end of line; \"%.200s\".",
997 filename, linenum, arg);
1001 /* Reads the server configuration file. */
1004 load_server_config(const char *filename, Buffer *conf)
1006 char line[1024], *cp;
1009 debug2("%s: filename %s", __func__, filename);
1010 if ((f = fopen(filename, "r")) == NULL) {
1015 while (fgets(line, sizeof(line), f)) {
1017 * Trim out comments and strip whitespace
1018 * NB - preserve newlines, they are needed to reproduce
1019 * line numbers later for error messages
1021 if ((cp = strchr(line, '#')) != NULL)
1022 memcpy(cp, "\n", 2);
1023 cp = line + strspn(line, " \t\r");
1025 buffer_append(conf, cp, strlen(cp));
1027 buffer_append(conf, "\0", 1);
1029 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1033 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf)
1035 int linenum, bad_options = 0;
1036 char *cp, *obuf, *cbuf;
1038 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1040 obuf = cbuf = xstrdup(buffer_ptr(conf));
1042 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1043 if (process_server_config_line(options, cp, filename,
1048 if (bad_options > 0)
1049 fatal("%s: terminating, %d bad configuration options",
1050 filename, bad_options);