2 /* $OpenBSD: servconf.c,v 1.392 2023/03/05 05:34:09 dtucker Exp $ */
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
16 #include <sys/types.h>
17 #include <sys/socket.h>
20 #include <sys/sysctl.h>
23 #include <netinet/in.h>
24 #include <netinet/in_systm.h>
25 #include <netinet/ip.h>
26 #ifdef HAVE_NET_ROUTE_H
27 #include <net/route.h>
44 #ifdef USE_SYSTEM_GLOB
47 # include "openbsd-compat/glob.h"
50 #include "openbsd-compat/sys-queue.h"
57 #include "pathnames.h"
64 #include "groupaccess.h"
70 #include "myproposal.h"
74 static void add_listen_addr(ServerOptions *, const char *,
76 static void add_one_listen_addr(ServerOptions *, const char *,
78 static void parse_server_config_depth(ServerOptions *options,
79 const char *filename, struct sshbuf *conf, struct include_list *includes,
80 struct connection_info *connectinfo, int flags, int *activep, int depth);
82 /* Use of privilege separation or not */
/* -1 means "not configured"; fill_default_server_options() turns that into PRIVSEP_ON. */
83 extern int use_privsep;
/* Server configuration buffer; defined in another translation unit. */
84 extern struct sshbuf *cfg;
/*
 * Initializes the server options to their default values.
 *
 * Every option starts out "unset": -1 for integers, NULL for strings and
 * lists, 0 for counters, and the *_NOT_SET enumerator where one exists.
 * fill_default_server_options() later replaces these sentinels with the
 * real defaults, so an explicitly configured value can be told apart from
 * an absent one.  Members not named below are zero-initialized.
 */
void
initialize_server_options(ServerOptions *options)
{
	*options = (ServerOptions){
		/* Portable-specific options */
		.use_pam = -1,

		/* Standard Options */
		.num_ports = 0,
		.ports_from_cmdline = 0,
		.queued_listen_addrs = NULL,
		.num_queued_listens = 0,
		.listen_addrs = NULL,
		.num_listen_addrs = 0,
		.address_family = -1,
		.routing_domain = NULL,
		.num_host_key_files = 0,
		.num_host_cert_files = 0,
		.host_key_agent = NULL,
		.pid_file = NULL,
		.login_grace_time = -1,
		.permit_root_login = PERMIT_NOT_SET,
		.ignore_rhosts = -1,
		.ignore_user_known_hosts = -1,
		.print_motd = -1,
		.print_lastlog = -1,
		.x11_forwarding = -1,
		.x11_display_offset = -1,
		.x11_use_localhost = -1,
		.permit_tty = -1,
		.permit_user_rc = -1,
		.xauth_location = NULL,
		.strict_modes = -1,
		.tcp_keep_alive = -1,
		.log_facility = SYSLOG_FACILITY_NOT_SET,
		.log_level = SYSLOG_LEVEL_NOT_SET,
		.num_log_verbose = 0,
		.log_verbose = NULL,
		.hostbased_authentication = -1,
		.hostbased_uses_name_from_packet_only = -1,
		.hostbased_accepted_algos = NULL,
		.hostkeyalgorithms = NULL,
		.pubkey_authentication = -1,
		.pubkey_auth_options = -1,
		.pubkey_accepted_algos = NULL,
		.kerberos_authentication = -1,
		.kerberos_or_local_passwd = -1,
		.kerberos_ticket_cleanup = -1,
		.kerberos_get_afs_token = -1,
		.gss_authentication = -1,
		.gss_cleanup_creds = -1,
		.gss_strict_acceptor = -1,
		.password_authentication = -1,
		.kbd_interactive_authentication = -1,
		.permit_empty_passwd = -1,
		.permit_user_env = -1,
		.permit_user_env_allowlist = NULL,
		.compression = -1,
		.rekey_limit = -1,
		.rekey_interval = -1,
		.allow_tcp_forwarding = -1,
		.allow_streamlocal_forwarding = -1,
		.allow_agent_forwarding = -1,
		.num_allow_users = 0,
		.num_deny_users = 0,
		.num_allow_groups = 0,
		.num_deny_groups = 0,
		.ciphers = NULL,
		.macs = NULL,
		.kex_algorithms = NULL,
		.ca_sign_algorithms = NULL,
		/* (mode_t)-1 is the "unset" sentinel for the bind mask */
		.fwd_opts.gateway_ports = -1,
		.fwd_opts.streamlocal_bind_mask = (mode_t)-1,
		.fwd_opts.streamlocal_bind_unlink = -1,
		.num_subsystems = 0,
		.max_startups_begin = -1,
		.max_startups_rate = -1,
		.max_startups = -1,
		.per_source_max_startups = -1,
		.per_source_masklen_ipv4 = -1,
		.per_source_masklen_ipv6 = -1,
		.max_authtries = -1,
		.max_sessions = -1,
		.banner = NULL,
		.use_dns = -1,
		.client_alive_interval = -1,
		.client_alive_count_max = -1,
		.num_authkeys_files = 0,
		.num_accept_env = 0,
		.num_setenv = 0,
		.permit_tun = -1,
		.permitted_opens = NULL,
		.permitted_listens = NULL,
		.adm_forced_command = NULL,
		.chroot_directory = NULL,
		.authorized_keys_command = NULL,
		.authorized_keys_command_user = NULL,
		.revoked_keys_file = NULL,
		.sk_provider = NULL,
		.trusted_user_ca_keys = NULL,
		.authorized_principals_file = NULL,
		.authorized_principals_command = NULL,
		.authorized_principals_command_user = NULL,
		.ip_qos_interactive = -1,
		.ip_qos_bulk = -1,
		.version_addendum = NULL,
		.fingerprint_hash = -1,
		.disable_forwarding = -1,
		.expose_userauth_info = -1,
		.required_rsa_size = -1,
		.channel_timeouts = NULL,
		.num_channel_timeouts = 0,
		.unused_connection_timeout = -1,
		.use_blacklist = -1,
	};
}
/*
 * Returns 1 if a string option is unset (NULL) or set to "none"
 * (compared case-insensitively), 0 otherwise.
 */
static int
option_clear_or_none(const char *o)
{
	if (o == NULL)
		return 1;
	return strcasecmp(o, "none") == 0 ? 1 : 0;
}
/*
 * Resolve the server's algorithm lists.  The full set the build supports
 * (all_*) is narrowed to the compiled-in defaults (def_*) with
 * match_filter_allowlist(); each configured list in o is then assembled
 * against that pair by kex_assemble_names().  Any failure is fatal.
 * The function's opening (including the local r) is not visible here.
 */
213 assemble_algorithms(ServerOptions *o)
215 char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
216 char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
219 all_cipher = cipher_alg_list(',', 0);
220 all_mac = mac_alg_list(',');
221 all_kex = kex_alg_list(',');
/* Same helper, different flag sets: key types vs. CA signature algorithms */
222 all_key = sshkey_alg_list(0, 0, 1, ',');
223 all_sig = sshkey_alg_list(0, 1, 1, ',');
224 /* remove unsupported algos from default lists */
225 def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
226 def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
227 def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
228 def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
229 def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
/* Resolve o->what in place; the member name is reused for the fatal message */
230 #define ASSEMBLE(what, defaults, all) \
232 if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
233 fatal_fr(r, "%s", #what); \
235 ASSEMBLE(ciphers, def_cipher, all_cipher);
236 ASSEMBLE(macs, def_mac, all_mac);
237 ASSEMBLE(kex_algorithms, def_kex, all_kex);
/* Host key, hostbased and pubkey lists all derive from the same key-type default */
238 ASSEMBLE(hostkeyalgorithms, def_key, all_key);
239 ASSEMBLE(hostbased_accepted_algos, def_key, all_key);
240 ASSEMBLE(pubkey_accepted_algos, def_key, all_key);
241 ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
/*
 * NOTE(review): the ten all_*/def_* strings are presumably heap-allocated
 * by the list helpers; the tail of this function (not visible here) should
 * release every one of them.
 */
/*
 * Sentinel "file name" for entries added by the defaults code rather than
 * by a configuration line.  servconf_add_hostkey() compares against it by
 * pointer identity, so only this exact object matches, never the text.
 */
255 static const char *defaultkey = "[default]";
/*
 * Append a HostKey path, made absolute by derelativise_path(), to
 * options->host_key_files together with its userprovided flag.  file and
 * line are passed through to opt_array_append2().
 */
258 servconf_add_hostkey(const char *file, const int line,
259 ServerOptions *options, const char *path, int userprovided)
261 char *apath = derelativise_path(path);
/*
 * A compiled-in default key (file == defaultkey) that is not readable is
 * presumably skipped here (the statement under the condition is not
 * visible).  Note the check is made on the original path, while the value
 * stored is apath.  NOTE(review): apath has already been allocated at this
 * point; confirm it is released on the skip path too.
 */
263 if (file == defaultkey && access(path, R_OK) != 0)
265 opt_array_append2(file, line, "HostKey",
266 &options->host_key_files, &options->host_key_file_userprovided,
267 &options->num_host_key_files, apath, userprovided);
/*
 * Append a HostCertificate path, made absolute by derelativise_path(),
 * to options->host_cert_files.  Unlike servconf_add_hostkey() there is
 * no readability check: the path is recorded as given.
 */
272 servconf_add_hostcert(const char *file, const int line,
273 ServerOptions *options, const char *path)
275 char *apath = derelativise_path(path);
277 opt_array_append(file, line, "HostCertificate",
278 &options->host_cert_files, &options->num_host_cert_files, apath);
/*
 * Fill in the compiled-in default for every option still carrying the
 * "unset" sentinel left by initialize_server_options() (-1, NULL, a zero
 * counter, or a *_NOT_SET enumerator).  Anything an administrator set
 * explicitly is left alone.  The function's opening (its locals,
 * including the loop index i used near the end) is not visible here.
 */
283 fill_default_server_options(ServerOptions *options)
287 /* Portable-specific options */
288 if (options->use_pam == -1)
289 options->use_pam = 1;
291 /* Standard Options */
/*
 * No HostKey directive: register the standard key paths.  Passing
 * defaultkey tells servconf_add_hostkey() these are defaults, so one
 * whose file is not readable is left out rather than reported.
 */
292 if (options->num_host_key_files == 0) {
293 /* fill default hostkeys for protocols */
294 servconf_add_hostkey(defaultkey, 0, options,
295 _PATH_HOST_RSA_KEY_FILE, 0);
296 #ifdef OPENSSL_HAS_ECC
297 servconf_add_hostkey(defaultkey, 0, options,
298 _PATH_HOST_ECDSA_KEY_FILE, 0);
300 servconf_add_hostkey(defaultkey, 0, options,
301 _PATH_HOST_ED25519_KEY_FILE, 0);
303 servconf_add_hostkey(defaultkey, 0, options,
304 _PATH_HOST_XMSS_KEY_FILE, 0);
305 #endif /* WITH_XMSS */
/* Ending up with no usable host key at all is fatal, configured or not. */
307 if (options->num_host_key_files == 0)
308 fatal("No host key files found");
309 /* No certificates by default */
310 if (options->num_ports == 0)
311 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
312 if (options->address_family == -1)
313 options->address_family = AF_UNSPEC;
/* No ListenAddress: a NULL address becomes an AI_PASSIVE (wildcard) lookup in add_one_listen_addr(). */
314 if (options->listen_addrs == NULL)
315 add_listen_addr(options, NULL, NULL, 0);
316 if (options->pid_file == NULL)
317 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
318 if (options->moduli_file == NULL)
319 options->moduli_file = xstrdup(_PATH_DH_MODULI);
320 if (options->login_grace_time == -1)
321 options->login_grace_time = 120;
/* Root login is refused unless PermitRootLogin says otherwise. */
322 if (options->permit_root_login == PERMIT_NOT_SET)
323 options->permit_root_login = PERMIT_NO;
324 if (options->ignore_rhosts == -1)
325 options->ignore_rhosts = 1;
326 if (options->ignore_user_known_hosts == -1)
327 options->ignore_user_known_hosts = 0;
328 if (options->print_motd == -1)
329 options->print_motd = 1;
330 if (options->print_lastlog == -1)
331 options->print_lastlog = 1;
/* X11 forwarding is off by default and, when on, bound to localhost. */
332 if (options->x11_forwarding == -1)
333 options->x11_forwarding = 0;
334 if (options->x11_display_offset == -1)
335 options->x11_display_offset = 10;
336 if (options->x11_use_localhost == -1)
337 options->x11_use_localhost = 1;
338 if (options->xauth_location == NULL)
339 options->xauth_location = xstrdup(_PATH_XAUTH);
340 if (options->permit_tty == -1)
341 options->permit_tty = 1;
342 if (options->permit_user_rc == -1)
343 options->permit_user_rc = 1;
/* StrictModes on: ownership/permission checks on user files are enforced by default. */
344 if (options->strict_modes == -1)
345 options->strict_modes = 1;
346 if (options->tcp_keep_alive == -1)
347 options->tcp_keep_alive = 1;
348 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
349 options->log_facility = SYSLOG_FACILITY_AUTH;
350 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
351 options->log_level = SYSLOG_LEVEL_INFO;
352 if (options->hostbased_authentication == -1)
353 options->hostbased_authentication = 0;
354 if (options->hostbased_uses_name_from_packet_only == -1)
355 options->hostbased_uses_name_from_packet_only = 0;
356 if (options->pubkey_authentication == -1)
357 options->pubkey_authentication = 1;
358 if (options->pubkey_auth_options == -1)
359 options->pubkey_auth_options = 0;
360 if (options->kerberos_authentication == -1)
361 options->kerberos_authentication = 0;
362 if (options->kerberos_or_local_passwd == -1)
363 options->kerberos_or_local_passwd = 1;
364 if (options->kerberos_ticket_cleanup == -1)
365 options->kerberos_ticket_cleanup = 1;
366 if (options->kerberos_get_afs_token == -1)
367 options->kerberos_get_afs_token = 0;
368 if (options->gss_authentication == -1)
369 options->gss_authentication = 0;
370 if (options->gss_cleanup_creds == -1)
371 options->gss_cleanup_creds = 1;
372 if (options->gss_strict_acceptor == -1)
373 options->gss_strict_acceptor = 1;
/* In this tree PasswordAuthentication defaults to off; keyboard-interactive stays on. */
374 if (options->password_authentication == -1)
375 options->password_authentication = 0;
376 if (options->kbd_interactive_authentication == -1)
377 options->kbd_interactive_authentication = 1;
378 if (options->permit_empty_passwd == -1)
379 options->permit_empty_passwd = 0;
/* PermitUserEnvironment off also discards any allowlist pattern. */
380 if (options->permit_user_env == -1) {
381 options->permit_user_env = 0;
382 options->permit_user_env_allowlist = NULL;
/* Which compression default applies is chosen by a build conditional whose #if lines are not shown here. */
384 if (options->compression == -1)
386 options->compression = COMP_DELAYED;
388 options->compression = COMP_NONE;
391 if (options->rekey_limit == -1)
392 options->rekey_limit = 0;
393 if (options->rekey_interval == -1)
394 options->rekey_interval = 0;
395 if (options->allow_tcp_forwarding == -1)
396 options->allow_tcp_forwarding = FORWARD_ALLOW;
397 if (options->allow_streamlocal_forwarding == -1)
398 options->allow_streamlocal_forwarding = FORWARD_ALLOW;
399 if (options->allow_agent_forwarding == -1)
400 options->allow_agent_forwarding = 1;
401 if (options->fwd_opts.gateway_ports == -1)
402 options->fwd_opts.gateway_ports = 0;
/* MaxStartups begin:rate:full defaults to 10:30:100. */
403 if (options->max_startups == -1)
404 options->max_startups = 100;
405 if (options->max_startups_rate == -1)
406 options->max_startups_rate = 30; /* 30% */
407 if (options->max_startups_begin == -1)
408 options->max_startups_begin = 10;
/* INT_MAX: effectively no per-source cap unless PerSourceMaxStartups is set; netblock sizes default to single hosts. */
409 if (options->per_source_max_startups == -1)
410 options->per_source_max_startups = INT_MAX;
411 if (options->per_source_masklen_ipv4 == -1)
412 options->per_source_masklen_ipv4 = 32;
413 if (options->per_source_masklen_ipv6 == -1)
414 options->per_source_masklen_ipv6 = 128;
415 if (options->max_authtries == -1)
416 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
417 if (options->max_sessions == -1)
418 options->max_sessions = DEFAULT_SESSIONS_MAX;
419 if (options->use_dns == -1)
420 options->use_dns = 1;
421 if (options->client_alive_interval == -1)
422 options->client_alive_interval = 0;
423 if (options->client_alive_count_max == -1)
424 options->client_alive_count_max = 3;
/* Two default AuthorizedKeysFile entries, both tagged with defaultkey. */
425 if (options->num_authkeys_files == 0) {
426 opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
427 &options->authorized_keys_files,
428 &options->num_authkeys_files,
429 _PATH_SSH_USER_PERMITTED_KEYS);
430 opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
431 &options->authorized_keys_files,
432 &options->num_authkeys_files,
433 _PATH_SSH_USER_PERMITTED_KEYS2);
435 if (options->permit_tun == -1)
436 options->permit_tun = SSH_TUNMODE_NO;
437 if (options->ip_qos_interactive == -1)
438 options->ip_qos_interactive = IPTOS_DSCP_AF21;
439 if (options->ip_qos_bulk == -1)
440 options->ip_qos_bulk = IPTOS_DSCP_CS1;
/* SSH_VERSION_FREEBSD is advertised as the version addendum unless overridden. */
441 if (options->version_addendum == NULL)
442 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
/* 0177 is octal: group and other bits are masked off streamlocal listeners by default. */
443 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
444 options->fwd_opts.streamlocal_bind_mask = 0177;
445 if (options->fwd_opts.streamlocal_bind_unlink == -1)
446 options->fwd_opts.streamlocal_bind_unlink = 0;
447 if (options->fingerprint_hash == -1)
448 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
449 if (options->disable_forwarding == -1)
450 options->disable_forwarding = 0;
451 if (options->expose_userauth_info == -1)
452 options->expose_userauth_info = 0;
453 if (options->sk_provider == NULL)
454 options->sk_provider = xstrdup("internal");
455 if (options->required_rsa_size == -1)
456 options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE;
457 if (options->unused_connection_timeout == -1)
458 options->unused_connection_timeout = 0;
459 if (options->use_blacklist == -1)
460 options->use_blacklist = 0;
/* Algorithm lists are resolved only now, so a configured list is merged against the filtered defaults. */
462 assemble_algorithms(options);
464 /* Turn privilege separation and sandboxing on by default */
465 if (use_privsep == -1)
466 use_privsep = PRIVSEP_ON;
/*
 * CLEAR_ON_NONE(v): reset a string option that option_clear_or_none()
 * reports as NULL or "none" (the macro body is not visible here).
 * CLEAR_ON_NONE_ARRAY(v, nv, none): the same for a list option whose
 * single entry equals the given keyword; the entry is freed.
 */
468 #define CLEAR_ON_NONE(v) \
470 if (option_clear_or_none(v)) { \
475 #define CLEAR_ON_NONE_ARRAY(v, nv, none) \
477 if (options->nv == 1 && \
478 strcasecmp(options->v[0], none) == 0) { \
479 free(options->v[0]); \
485 CLEAR_ON_NONE(options->pid_file);
486 CLEAR_ON_NONE(options->xauth_location);
487 CLEAR_ON_NONE(options->banner);
488 CLEAR_ON_NONE(options->trusted_user_ca_keys);
489 CLEAR_ON_NONE(options->revoked_keys_file);
490 CLEAR_ON_NONE(options->sk_provider);
491 CLEAR_ON_NONE(options->authorized_principals_file);
492 CLEAR_ON_NONE(options->adm_forced_command);
493 CLEAR_ON_NONE(options->chroot_directory);
494 CLEAR_ON_NONE(options->routing_domain);
495 CLEAR_ON_NONE(options->host_key_agent);
/* "none" is also honoured per entry for HostKey and HostCertificate lists. */
497 for (i = 0; i < options->num_host_key_files; i++)
498 CLEAR_ON_NONE(options->host_key_files[i]);
499 for (i = 0; i < options->num_host_cert_files; i++)
500 CLEAR_ON_NONE(options->host_cert_files[i]);
/* ChannelTimeout uses "none" as its clearing keyword, AuthenticationMethods uses "any". */
502 CLEAR_ON_NONE_ARRAY(channel_timeouts, num_channel_timeouts, "none");
503 CLEAR_ON_NONE_ARRAY(auth_methods, num_auth_methods, "any");
505 #undef CLEAR_ON_NONE_ARRAY
508 /* Keyword tokens. */
/*
 * Opcodes for the keywords table below.  sBadOption is what parse_token()
 * returns for an unknown keyword; sDeprecated, sIgnore and sUnsupported
 * are the codes the table assigns to retired option names and to options
 * compiled out of this build.  sUsePAM and sUseBlacklist are used by the
 * table but their enumerators fall on lines not shown here.
 */
510 sBadOption, /* == unknown option */
511 /* Portable-specific options */
513 /* Standard Options */
514 sPort, sHostKeyFile, sLoginGraceTime,
515 sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
516 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
517 sKerberosGetAFSToken, sPasswordAuthentication,
518 sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
519 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
520 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
521 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
522 sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
523 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
524 sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, sModuliFile,
525 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
526 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
527 sBanner, sUseDNS, sHostbasedAuthentication,
528 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
529 sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
530 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
531 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
532 sAcceptEnv, sSetEnv, sPermitTunnel,
533 sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
534 sUsePrivilegeSeparation, sAllowAgentForwarding,
535 sHostCertificate, sInclude,
536 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
537 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
538 sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
539 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
540 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
541 sStreamLocalBindMask, sStreamLocalBindUnlink,
542 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
543 sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
544 sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
/* Catch-all codes: the option name is recognised but not acted on. */
546 sDeprecated, sIgnore, sUnsupported
549 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of config */
550 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
551 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
552 #define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */
553 #define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */
555 /* Textual representation of the tokens. */
/*
 * keyword -> opcode -> where it is allowed.  SSHCFG_GLOBAL rows are
 * accepted only in the main section of sshd_config; SSHCFG_ALL rows may
 * also appear inside a Match block.  parse_token() matches names with
 * strcasecmp(), so spelling is case-insensitive, and stops at the NULL
 * name that ends the table.  Where one name appears on consecutive rows
 * (e.g. "usepam", "kerberosgetafstoken"), a build-time conditional whose
 * #if/#else lines are not shown here selects one of them; the
 * sUnsupported row is what a build without that feature gets.
 */
558 ServerOpCodes opcode;
561 /* Portable-specific options */
563 { "usepam", sUsePAM, SSHCFG_GLOBAL },
565 { "usepam", sUnsupported, SSHCFG_GLOBAL },
567 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
568 /* Standard Options */
569 { "port", sPort, SSHCFG_GLOBAL },
570 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
571 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
572 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
573 { "pidfile", sPidFile, SSHCFG_GLOBAL },
574 { "modulifile", sModuliFile, SSHCFG_GLOBAL },
575 { "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
576 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
577 { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
578 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
579 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
580 { "loglevel", sLogLevel, SSHCFG_ALL },
581 { "logverbose", sLogVerbose, SSHCFG_ALL },
582 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
583 { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
584 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
585 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
586 { "hostbasedacceptedalgorithms", sHostbasedAcceptedAlgorithms, SSHCFG_ALL },
587 { "hostbasedacceptedkeytypes", sHostbasedAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
588 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
589 { "rsaauthentication", sDeprecated, SSHCFG_ALL },
590 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
591 { "pubkeyacceptedalgorithms", sPubkeyAcceptedAlgorithms, SSHCFG_ALL },
592 { "pubkeyacceptedkeytypes", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
593 { "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
594 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
/* Kerberos/GSSAPI rows come in a supported and an sUnsupported variant selected at build time. */
596 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
597 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
598 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
600 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
602 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
605 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
606 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
607 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
608 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
610 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
611 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
613 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
614 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
615 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
617 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
618 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
619 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
621 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
622 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
623 { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
624 { "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
625 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
626 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
627 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
628 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
629 #ifdef DISABLE_LASTLOG
630 { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
632 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
634 { "ignorerhosts", sIgnoreRhosts, SSHCFG_ALL },
635 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
636 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
637 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
638 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
639 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
640 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
641 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
642 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
643 { "uselogin", sDeprecated, SSHCFG_GLOBAL },
644 { "compression", sCompression, SSHCFG_GLOBAL },
645 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
646 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
647 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
648 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
649 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
650 { "allowusers", sAllowUsers, SSHCFG_ALL },
651 { "denyusers", sDenyUsers, SSHCFG_ALL },
652 { "allowgroups", sAllowGroups, SSHCFG_ALL },
653 { "denygroups", sDenyGroups, SSHCFG_ALL },
654 { "ciphers", sCiphers, SSHCFG_GLOBAL },
655 { "macs", sMacs, SSHCFG_GLOBAL },
656 { "protocol", sIgnore, SSHCFG_GLOBAL },
657 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
658 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
659 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
660 { "persourcemaxstartups", sPerSourceMaxStartups, SSHCFG_GLOBAL },
661 { "persourcenetblocksize", sPerSourceNetBlockSize, SSHCFG_GLOBAL },
662 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
663 { "maxsessions", sMaxSessions, SSHCFG_ALL },
664 { "banner", sBanner, SSHCFG_ALL },
665 { "usedns", sUseDNS, SSHCFG_GLOBAL },
666 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
667 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
668 { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
669 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
670 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
671 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
672 { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
673 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
674 { "setenv", sSetEnv, SSHCFG_ALL },
675 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
676 { "permittty", sPermitTTY, SSHCFG_ALL },
677 { "permituserrc", sPermitUserRC, SSHCFG_ALL },
678 { "match", sMatch, SSHCFG_ALL },
679 { "permitopen", sPermitOpen, SSHCFG_ALL },
680 { "permitlisten", sPermitListen, SSHCFG_ALL },
681 { "forcecommand", sForceCommand, SSHCFG_ALL },
682 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
683 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
684 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
685 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
686 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
687 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
688 { "include", sInclude, SSHCFG_ALL },
689 { "ipqos", sIPQoS, SSHCFG_ALL },
690 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
691 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
692 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
693 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
694 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
695 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
696 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
697 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
698 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
699 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
700 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
701 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
702 { "rdomain", sRDomain, SSHCFG_ALL },
703 { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
704 { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
705 { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
706 { "channeltimeout", sChannelTimeout, SSHCFG_ALL },
707 { "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
/* Local additions in this tree: UseBlacklist (and its alias) plus retired HPN option names. */
708 { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
709 { "useblocklist", sUseBlacklist, SSHCFG_GLOBAL }, /* alias */
710 { "noneenabled", sUnsupported, SSHCFG_ALL },
711 { "hpndisabled", sDeprecated, SSHCFG_ALL },
712 { "hpnbuffersize", sDeprecated, SSHCFG_ALL },
713 { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
/* Terminator: parse_token() and lookup_opcode_name() stop at the NULL name. */
714 { NULL, sBadOption, 0 }
/* PermitTunnel keyword spellings and the SSH_TUNMODE_* value each maps to. */
721 { SSH_TUNMODE_NO, "no" },
722 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
723 { SSH_TUNMODE_ETHERNET, "ethernet" },
724 { SSH_TUNMODE_YES, "yes" },
728 /* Returns an opcode name from its number */
/*
 * Linear scan of keywords[]; the first row carrying the opcode wins, so
 * an alias listed later (e.g. "hostdsakey" after "hostkey") is never the
 * name returned.  The not-found return is on a line not shown here.
 */
731 lookup_opcode_name(ServerOpCodes code)
735 for (i = 0; keywords[i].name != NULL; i++)
736 if (keywords[i].opcode == code)
737 return(keywords[i].name);
743 * Returns the number of the token pointed to by cp or sBadOption.
/*
 * Keyword lookup is case-insensitive (strcasecmp against keywords[]).
 * On a hit *flags receives the row's SSHCFG_* scope bits so the caller
 * can reject an option in the wrong section; on a miss an error naming
 * filename/linenum is logged and (on a line not shown) sBadOption is
 * the result.  *flags is left untouched on a miss.
 */
747 parse_token(const char *cp, const char *filename,
748 int linenum, u_int *flags)
752 for (i = 0; keywords[i].name; i++)
753 if (strcasecmp(cp, keywords[i].name) == 0) {
754 *flags = keywords[i].flags;
755 return keywords[i].opcode;
758 error("%s: line %d: Bad configuration option: %s",
759 filename, linenum, cp);
/*
 * Return a newly allocated absolute form of path, owned by the caller.
 * "none" is passed through unchanged (case-insensitively), then
 * tilde_expand_filename() is applied for the current uid, and a path that
 * is still relative is joined onto the current working directory; a
 * failing getcwd() is fatal.  The return for an already-absolute path and
 * the release of the intermediate expansion are on lines not shown here.
 */
764 derelativise_path(const char *path)
766 char *expanded, *ret, cwd[PATH_MAX];
768 if (strcasecmp(path, "none") == 0)
769 return xstrdup("none");
770 expanded = tilde_expand_filename(path, getuid());
771 if (path_absolute(expanded))
773 if (getcwd(cwd, sizeof(cwd)) == NULL)
774 fatal_f("getcwd: %s", strerror(errno));
775 xasprintf(&ret, "%s/%s", cwd, expanded);
/*
 * Register addr (NULL selects the wildcard/AI_PASSIVE lookup in
 * add_one_listen_addr()) in routing domain rdomain.  A branch on port,
 * whose condition line is not shown here, either adds the one given port
 * or, via the loop below, one entry per configured Port.
 */
781 add_listen_addr(ServerOptions *options, const char *addr,
782 const char *rdomain, int port)
787 add_one_listen_addr(options, addr, rdomain, port);
789 for (i = 0; i < options->num_ports; i++) {
790 add_one_listen_addr(options, addr, rdomain,
/*
 * Resolve one ListenAddress/port and prepend the results to the address
 * list for its routing domain.  options->listen_addrs holds one entry per
 * rdomain (a NULL rdomain is its own entry); a new entry is allocated
 * with xrecallocarray() when none matches.  Resolution failure is fatal.
 * The locals, the loop's break/continue statements and the rdomain
 * NULL test guarding the xstrdup() are on lines not shown here.
 */
797 add_one_listen_addr(ServerOptions *options, const char *addr,
798 const char *rdomain, int port)
800 struct addrinfo hints, *ai, *aitop;
801 char strport[NI_MAXSERV];
805 /* Find listen_addrs entry for this rdomain */
806 for (i = 0; i < options->num_listen_addrs; i++) {
807 if (rdomain == NULL && options->listen_addrs[i].rdomain == NULL)
809 if (rdomain == NULL || options->listen_addrs[i].rdomain == NULL)
811 if (strcmp(rdomain, options->listen_addrs[i].rdomain) == 0)
814 if (i >= options->num_listen_addrs) {
815 /* No entry for this rdomain; allocate one */
/* The growth limit is tested on the line above (not shown); exceeding it is fatal before the array grows. */
817 fatal_f("too many listen addresses");
818 options->listen_addrs = xrecallocarray(options->listen_addrs,
819 options->num_listen_addrs, options->num_listen_addrs + 1,
820 sizeof(*options->listen_addrs));
821 i = options->num_listen_addrs++;
823 options->listen_addrs[i].rdomain = xstrdup(rdomain);
825 /* options->listen_addrs[i] points to the addresses for this rdomain */
/* hints follow the configured AddressFamily; a NULL addr requests the wildcard (AI_PASSIVE) address. */
827 memset(&hints, 0, sizeof(hints));
828 hints.ai_family = options->address_family;
829 hints.ai_socktype = SOCK_STREAM;
830 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
831 snprintf(strport, sizeof strport, "%d", port);
832 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
833 fatal("bad addr or host: %s (%s)",
834 addr ? addr : "<NULL>",
835 ssh_gai_strerror(gaierr));
/* Walk to the tail of the new result list and splice the existing list after it: newest entries come first. */
836 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
838 ai->ai_next = options->listen_addrs[i].addrs;
839 options->listen_addrs[i].addrs = aitop;
842 /* Returns nonzero if the routing domain name is valid */
/*
 * Three platform paths: a system-provided sys_valid_rdomain() when
 * available; on OpenBSD, name must parse as an integer 0..255 and the
 * routing table must actually exist (NET_RT_TABLE sysctl); elsewhere
 * routing domains are reported as unsupported.  Only fragments of the
 * OpenBSD branch are visible here.
 */
844 valid_rdomain(const char *name)
846 #if defined(HAVE_SYS_VALID_RDOMAIN)
847 return sys_valid_rdomain(name);
848 #elif defined(__OpenBSD__)
851 struct rt_tableinfo info;
853 size_t miblen = sizeof(mib);
/* strtonum() bounds the table id to 0..255 and reports parse errors via errstr */
858 num = strtonum(name, 0, 255, &errstr);
862 /* Check whether the table actually exists */
863 memset(mib, 0, sizeof(mib));
866 mib[4] = NET_RT_TABLE;
868 if (sysctl(mib, 6, &info, &miblen, NULL, 0) == -1)
872 #else /* defined(__OpenBSD__) */
873 error("Routing domains are not supported on this platform");
879 * Queue a ListenAddress to be processed once we have all of the Ports
880 * and AddressFamily options.
/*
 * Grows options->queued_listen_addrs by one and fills the new slot.
 * addr is copied unconditionally with xstrdup(), whereas rdomain is
 * NULL-checked first, so callers are expected to pass a non-NULL addr.
 * The port assignment is on a line not shown here.
 */
883 queue_listen_addr(ServerOptions *options, const char *addr,
884 const char *rdomain, int port)
886 struct queued_listenaddr *qla;
888 options->queued_listen_addrs = xrecallocarray(
889 options->queued_listen_addrs,
890 options->num_queued_listens, options->num_queued_listens + 1,
891 sizeof(*options->queued_listen_addrs));
892 qla = &options->queued_listen_addrs[options->num_queued_listens++];
893 qla->addr = xstrdup(addr);
895 qla->rdomain = rdomain == NULL ? NULL : xstrdup(rdomain);
899 * Process queued (text) ListenAddress entries.
/*
 * The Port and AddressFamily defaults are applied here first so queued
 * entries resolve against them (the same two defaults also appear in
 * fill_default_server_options()).  Each queued entry is handed to
 * add_listen_addr(); the per-entry strings are presumably released in
 * the loop (lines not shown) before the queue itself is freed and reset.
 */
902 process_queued_listen_addrs(ServerOptions *options)
905 struct queued_listenaddr *qla;
907 if (options->num_ports == 0)
908 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
909 if (options->address_family == -1)
910 options->address_family = AF_UNSPEC;
912 for (i = 0; i < options->num_queued_listens; i++) {
913 qla = &options->queued_listen_addrs[i];
914 add_listen_addr(options, qla->addr, qla->rdomain, qla->port);
918 free(options->queued_listen_addrs);
919 options->queued_listen_addrs = NULL;
920 options->num_queued_listens = 0;
924 * Inform channels layer of permitopen options for a single forwarding
925 * direction (local/remote).
/*
 * opcode sPermitOpen selects FORWARD_LOCAL, anything else FORWARD_REMOTE.
 * Existing admin permissions for that direction are cleared first.  The
 * early "permit any" return (condition not shown) and the single keyword
 * "any" both leave the direction unrestricted; the single keyword "none"
 * disables it; otherwise every "host:port" entry is split with hpdelim(),
 * validated and added.  A malformed entry is fatal.  The host == NULL
 * test, the tail of the channel_add_permission() call and the per-entry
 * free of oarg are on lines not shown here.
 */
928 process_permitopen_list(struct ssh *ssh, ServerOpCodes opcode,
929 char **opens, u_int num_opens)
933 char *host, *arg, *oarg;
934 int where = opcode == sPermitOpen ? FORWARD_LOCAL : FORWARD_REMOTE;
935 const char *what = lookup_opcode_name(opcode);
937 channel_clear_permission(ssh, FORWARD_ADM, where);
939 return; /* permit any */
941 /* handle keywords: "any" / "none" */
942 if (num_opens == 1 && strcmp(opens[0], "any") == 0)
944 if (num_opens == 1 && strcmp(opens[0], "none") == 0) {
945 channel_disable_admin(ssh, where);
948 /* Otherwise treat it as a list of permitted host:port */
949 for (i = 0; i < num_opens; i++) {
/* work on a copy: hpdelim() advances arg, oarg keeps the original for freeing */
950 oarg = arg = xstrdup(opens[i]);
951 host = hpdelim(&arg);
953 fatal_f("missing host in %s", what);
954 host = cleanhostname(host);
955 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
956 fatal_f("bad port number in %s", what);
957 /* Send it to channels layer */
958 channel_add_permission(ssh, FORWARD_ADM,
/*
 * Inform channels layer of permitopen options from configuration.
 *
 * Pushes the PermitOpen list (local forwarding) and the PermitListen
 * list (remote forwarding) through process_permitopen_list().
 */
void
process_permitopen(struct ssh *ssh, ServerOptions *options)
{
	char **opens = options->permitted_opens;
	char **listens = options->permitted_listens;

	process_permitopen_list(ssh, sPermitOpen, opens,
	    options->num_permitted_opens);
	process_permitopen_list(ssh, sPermitListen, listens,
	    options->num_permitted_listens);
}
977 /* Parse a ChannelTimeout clause "pattern=interval" */
/*
 * NOTE(review): only a fragment of this function is visible here.
 * Splits the clause at its first '=' into a channel-type pattern, returned
 * through *typep as an xstrdup'd copy the caller must free, and an
 * interval parsed by convtime(), returned through *secsp. A clause with
 * no '=' or with nothing before it, or an interval convtime() rejects, is
 * an error; the exact return values and cleanup are outside this excerpt
 * (the caller treats a non-zero return as failure).
 */
979 parse_timeout(const char *s, char **typep, u_int *secsp)
992 if ((cp = strchr(sdup, '=')) == NULL || cp == sdup) {
	/* no separator, or an empty pattern before it: reject */
997 if ((secs = convtime(cp)) < 0) {
	/* convtime() signals an unparseable interval with a negative value */
1003 *typep = xstrdup(sdup);
1005 *secsp = (u_int)secs;
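/*
 * Push the configured ChannelTimeout clauses to the channels layer.
 *
 * Each entry of options->channel_timeouts is a "pattern=interval" string;
 * the fatal message treats a parse failure here as an internal error, so
 * the entries are expected to have been validated when the config was
 * read. The type string that parse_timeout() allocates is released once
 * it has been handed over (channel_add_timeout() is expected to keep its
 * own copy).
 */
void
process_channel_timeouts(struct ssh *ssh, ServerOptions *options)
{
	u_int i, secs;
	char *type;

	debug3_f("setting %u timeouts", options->num_channel_timeouts);
	channel_clear_timeouts(ssh);
	for (i = 0; i < options->num_channel_timeouts; i++) {
		if (parse_timeout(options->channel_timeouts[i],
		    &type, &secs) != 0) {
			fatal_f("internal error: bad timeout %s",
			    options->channel_timeouts[i]);
		}
		channel_add_timeout(ssh, type, secs);
		free(type);	/* parse_timeout() xstrdup'd it */
	}
}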
/*
 * Return the connection_info record used to evaluate Match blocks.
 *
 * The record is a single static object, so every caller shares it and the
 * returned pointer must not be freed. With ssh == NULL or populate == 0
 * it is returned untouched; otherwise the canonical hostname (use_dns is
 * passed through to auth_get_canonical_hostname()), remote and local
 * addresses, local port and inbound routing domain are refreshed from ssh.
 */
struct connection_info *
get_connection_info(struct ssh *ssh, int populate, int use_dns)
{
	static struct connection_info ci;
	struct connection_info *info = &ci;

	if (ssh != NULL && populate) {
		info->host = auth_get_canonical_hostname(ssh, use_dns);
		info->address = ssh_remote_ipaddr(ssh);
		info->laddress = ssh_local_ipaddr(ssh);
		info->lport = ssh_local_port(ssh);
		info->rdomain = ssh_packet_rdomain_in(ssh);
	}
	return info;
}
1045 * The strategy for the Match blocks is that the config file is parsed twice.
1047 * The first time is at startup. activep is initialized to 1 and the
1048 * directives in the global context are processed and acted on. Hitting a
1049 * Match directive unsets activep and the directives inside the block are
1050 * checked for syntax only.
1052 * The second time is after a connection has been established but before
1053 * authentication. activep is initialized to 2 and global config directives
1054 * are ignored since they have already been processed. If the criteria in a
1055 * Match block is met, activep is set and the subsequent directives
1056 * processed and actioned until EOF or another Match block unsets it. Any
1057 * options set are copied into the main server config.
1059 * Potential additions/improvements:
1060 * - Add Match support for pre-kex directives, eg. Ciphers.
1062 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
1063 * Match Address 192.168.0.*
1068 * AllowTcpForwarding yes
1069 * GatewayPorts clientspecified
1072 * - Add a PermittedChannelRequests directive
1074 * PermittedChannelRequests session,forwarded-tcpip
/*
 * Decide whether the account named by 'user' belongs to the group pattern
 * list 'grps' on the Match line at 'line'. The account is looked up with
 * getpwnam(), its group membership loaded with ga_init() and the list
 * tested with ga_match_pattern_list(); every way of failing is logged at
 * debug level with the line number. The return value and any ga_* cleanup
 * are outside this excerpt (presumably 1 on match, 0 otherwise — confirm
 * against the switch in match_cfg_line()).
 */
1078 match_cfg_line_group(const char *grps, int line, const char *user)
1086 if ((pw = getpwnam(user)) == NULL) {
1087 debug("Can't match group at line %d because user %.100s does "
1088 "not exist", line, user);
1089 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
	/* ga_init() returning 0: the user is in no group, so nothing can match */
1090 debug("Can't Match group because user %.100s not in any group "
1091 "at line %d", user, line);
1092 } else if (ga_match_pattern_list(grps) != 1) {
1093 debug("user %.100s does not match group list %.100s at line %d",
1096 debug("user %.100s matched group list %.100s at line %d", user,
/*
 * Abort when a Match criterion is evaluated in connection-test mode
 * (ci->test) but the corresponding connection attribute was not supplied.
 * 'criteria' is the Match keyword being evaluated and 'attrib' the name of
 * the missing test-specification attribute.
 */
static void
match_test_missing_fatal(const char *criteria, const char *attrib)
{
	fatal("'Match %s' in configuration but "
	    "'%s' not in connection test specification.", criteria, attrib);
}
1113 * All of the attributes on a single Match line are ANDed together, so we need
1114 * to check every attribute and set the result to zero if any attribute does
/*
 * Evaluate one Match line.
 *
 * *condition is the text following "Match"; it is parsed destructively
 * with strdelim() and, judging by the caller's check of what remains,
 * presumably written back so the caller can detect unconsumed arguments
 * (cp is set to NULL when a '#' comment ends the line). 'line' is the
 * config line number for diagnostics. ci is the connection being matched,
 * or NULL for a syntax-only pass; when ci->test is set (config-test mode)
 * a criterion whose attribute was not supplied is fatal instead of
 * silently unmatched. Criteria are ANDed: result starts at 1 and any
 * non-match clears it. Per the strategy comment above, the matching pass
 * runs before authentication, so ci->user is the name the client asked
 * for, not an authenticated identity. The return value is outside this
 * excerpt (presumably result, negative on a syntax error — the caller
 * reports "Bad Match condition" on failure).
 */
1118 match_cfg_line(char **condition, int line, struct connection_info *ci)
1120 int result = 1, attributes = 0, port;
1121 char *arg, *attrib, *cp = *condition;
	/* ci == NULL: syntax check only; otherwise log what we match against */
1124 debug3("checking syntax for 'Match %s'", cp);
1126 debug3("checking match for '%s' user %s host %s addr %s "
1127 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
1128 ci->host ? ci->host : "(null)",
1129 ci->address ? ci->address : "(null)",
1130 ci->laddress ? ci->laddress : "(null)", ci->lport);
	/* Walk the whitespace-separated "attribute argument" pairs. */
1132 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
1133 /* Terminate on comment */
1134 if (*attrib == '#') {
1135 cp = NULL; /* mark all arguments consumed */
1140 /* Criterion "all" has no argument and must appear alone */
1141 if (strcasecmp(attrib, "all") == 0) {
1142 if (attributes > 1 || ((arg = strdelim(&cp)) != NULL &&
1143 *arg != '\0' && *arg != '#')) {
1144 error("'all' cannot be combined with other "
1145 "Match attributes");
1148 if (arg != NULL && *arg == '#')
1149 cp = NULL; /* mark all arguments consumed */
1153 /* All other criteria require an argument */
1154 if ((arg = strdelim(&cp)) == NULL ||
1155 *arg == '\0' || *arg == '#') {
1156 error("Missing Match criteria for %s", attrib);
	/*
	 * Each criterion below follows the same shape: with ci == NULL (or
	 * a test run lacking the attribute) only the argument is checked;
	 * in a test run a missing attribute is fatal; otherwise the
	 * attribute is matched against the argument and a mismatch clears
	 * result.
	 */
1159 if (strcasecmp(attrib, "user") == 0) {
1160 if (ci == NULL || (ci->test && ci->user == NULL)) {
1164 if (ci->user == NULL)
1165 match_test_missing_fatal("User", "user");
1166 if (match_usergroup_pattern_list(ci->user, arg) != 1)
1169 debug("user %.100s matched 'User %.100s' at "
1170 "line %d", ci->user, arg, line);
1171 } else if (strcasecmp(attrib, "group") == 0) {
1172 if (ci == NULL || (ci->test && ci->user == NULL)) {
1176 if (ci->user == NULL)
1177 match_test_missing_fatal("Group", "user");
	/* Group membership is resolved from ci->user, not from a group name. */
1178 switch (match_cfg_line_group(arg, line, ci->user)) {
1184 } else if (strcasecmp(attrib, "host") == 0) {
1185 if (ci == NULL || (ci->test && ci->host == NULL)) {
1189 if (ci->host == NULL)
1190 match_test_missing_fatal("Host", "host");
1191 if (match_hostname(ci->host, arg) != 1)
1194 debug("connection from %.100s matched 'Host "
1195 "%.100s' at line %d", ci->host, arg, line);
1196 } else if (strcasecmp(attrib, "address") == 0) {
1197 if (ci == NULL || (ci->test && ci->address == NULL)) {
	/* addr_match_list(NULL, ...) validates the list syntax without matching */
1198 if (addr_match_list(NULL, arg) != 0)
1199 fatal("Invalid Match address argument "
1200 "'%s' at line %d", arg, line);
1204 if (ci->address == NULL)
1205 match_test_missing_fatal("Address", "addr");
1206 switch (addr_match_list(ci->address, arg)) {
1208 debug("connection from %.100s matched 'Address "
1209 "%.100s' at line %d", ci->address, arg, line);
1218 } else if (strcasecmp(attrib, "localaddress") == 0){
1219 if (ci == NULL || (ci->test && ci->laddress == NULL)) {
1220 if (addr_match_list(NULL, arg) != 0)
1221 fatal("Invalid Match localaddress "
1222 "argument '%s' at line %d", arg,
1227 if (ci->laddress == NULL)
1228 match_test_missing_fatal("LocalAddress",
1230 switch (addr_match_list(ci->laddress, arg)) {
1232 debug("connection from %.100s matched "
1233 "'LocalAddress %.100s' at line %d",
1234 ci->laddress, arg, line);
1243 } else if (strcasecmp(attrib, "localport") == 0) {
	/* The argument is validated with a2port() before ci is consulted. */
1244 if ((port = a2port(arg)) == -1) {
1245 error("Invalid LocalPort '%s' on Match line",
1249 if (ci == NULL || (ci->test && ci->lport == -1)) {
1254 match_test_missing_fatal("LocalPort", "lport");
1255 /* TODO support port lists */
1256 if (port == ci->lport)
1257 debug("connection from %.100s matched "
1258 "'LocalPort %d' at line %d",
1259 ci->laddress, port, line);
1262 } else if (strcasecmp(attrib, "rdomain") == 0) {
1263 if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
1267 if (ci->rdomain == NULL)
1268 match_test_missing_fatal("RDomain", "rdomain");
1269 if (match_pattern_list(ci->rdomain, arg, 0) != 1)
1272 debug("user %.100s matched 'RDomain %.100s' at "
1273 "line %d", ci->rdomain, arg, line);
1275 error("Unsupported Match attribute %s", attrib);
	/* A Match line with no criteria at all is a configuration error. */
1279 if (attributes == 0) {
1280 error("One or more attributes required for Match");
1284 debug3("match %sfound", result ? "" : "not ");
1289 #define WHITESPACE " \t\r\n"
1291 /* Multistate option parsing */
/*
 * Keyword -> value tables for options that take a fixed vocabulary (the
 * struct multistate definition itself is not part of this excerpt). The
 * parser walks a table with strcasecmp() until it reaches an entry whose
 * .key is NULL, so each table must end with a NULL-keyed sentinel;
 * matching is case-insensitive and an unknown keyword is fatal.
 */
1296 static const struct multistate multistate_flag[] = {
/* generic yes/no boolean; its entries are not shown in this excerpt */
1301 static const struct multistate multistate_ignore_rhosts[] = {
1302 { "yes", IGNORE_RHOSTS_YES },
1303 { "no", IGNORE_RHOSTS_NO },
1304 { "shosts-only", IGNORE_RHOSTS_SHOSTS },
1307 static const struct multistate multistate_addressfamily[] = {
1308 { "inet", AF_INET },
1309 { "inet6", AF_INET6 },
1310 { "any", AF_UNSPEC },
/* PermitRootLogin: "without-password" and "prohibit-password" are aliases */
1313 static const struct multistate multistate_permitrootlogin[] = {
1314 { "without-password", PERMIT_NO_PASSWD },
1315 { "prohibit-password", PERMIT_NO_PASSWD },
1316 { "forced-commands-only", PERMIT_FORCED_ONLY },
1317 { "yes", PERMIT_YES },
1318 { "no", PERMIT_NO },
/* Compression: "yes" and "delayed" both select COMP_DELAYED */
1321 static const struct multistate multistate_compression[] = {
1323 { "yes", COMP_DELAYED },
1324 { "delayed", COMP_DELAYED },
1326 { "no", COMP_NONE },
/* GatewayPorts: "clientspecified" maps to the distinct value 2 */
1329 static const struct multistate multistate_gatewayports[] = {
1330 { "clientspecified", 2 },
/* Shared by AllowTcpForwarding and AllowStreamLocalForwarding */
1335 static const struct multistate multistate_tcpfwd[] = {
1336 { "yes", FORWARD_ALLOW },
1337 { "all", FORWARD_ALLOW },
1338 { "no", FORWARD_DENY },
1339 { "remote", FORWARD_REMOTE },
1340 { "local", FORWARD_LOCAL },
1345 process_server_config_line_depth(ServerOptions *options, char *line,
1346 const char *filename, int linenum, int *activep,
1347 struct connection_info *connectinfo, int *inc_flags, int depth,
1348 struct include_list *includes)
1350 char *str, ***chararrayptr, **charptr, *arg, *arg2, *p, *keyword;
1351 int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found;
1352 SyslogFacility *log_facility_ptr;
1353 LogLevel *log_level_ptr;
1354 ServerOpCodes opcode;
1355 u_int i, *uintptr, uvalue, flags = 0;
1358 const struct multistate *multistate_ptr;
1360 struct include_item *item;
1362 char **oav = NULL, **av;
1366 /* Strip trailing whitespace. Allow \f (form feed) at EOL only */
1367 if ((len = strlen(line)) == 0)
1369 for (len--; len > 0; len--) {
1370 if (strchr(WHITESPACE "\f", line[len]) == NULL)
1376 if ((keyword = strdelim(&str)) == NULL)
1378 /* Ignore leading whitespace */
1379 if (*keyword == '\0')
1380 keyword = strdelim(&str);
1381 if (!keyword || !*keyword || *keyword == '#')
1383 if (str == NULL || *str == '\0') {
1384 error("%s line %d: no argument after keyword \"%s\"",
1385 filename, linenum, keyword);
1390 opcode = parse_token(keyword, filename, linenum, &flags);
1392 if (argv_split(str, &oac, &oav, 1) != 0) {
1393 error("%s line %d: invalid quotes", filename, linenum);
1399 if (activep == NULL) { /* We are processing a command line directive */
1403 if (*activep && opcode != sMatch && opcode != sInclude)
1404 debug3("%s:%d setting %s %s", filename, linenum, keyword, str);
1405 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1406 if (connectinfo == NULL) {
1407 fatal("%s line %d: Directive '%s' is not allowed "
1408 "within a Match block", filename, linenum, keyword);
1409 } else { /* this is a directive we have already processed */
1416 /* Portable-specific options */
1418 intptr = &options->use_pam;
1421 /* Standard Options */
1425 /* ignore ports from configfile if cmdline specifies ports */
1426 if (options->ports_from_cmdline) {
1430 if (options->num_ports >= MAX_PORTS)
1431 fatal("%s line %d: too many ports.",
1433 arg = argv_next(&ac, &av);
1434 if (!arg || *arg == '\0')
1435 fatal("%s line %d: missing port number.",
1437 options->ports[options->num_ports++] = a2port(arg);
1438 if (options->ports[options->num_ports-1] <= 0)
1439 fatal("%s line %d: Badly formatted port number.",
1443 case sLoginGraceTime:
1444 intptr = &options->login_grace_time;
1446 arg = argv_next(&ac, &av);
1447 if (!arg || *arg == '\0')
1448 fatal("%s line %d: missing time value.",
1450 if ((value = convtime(arg)) == -1)
1451 fatal("%s line %d: invalid time value.",
1453 if (*activep && *intptr == -1)
1457 case sListenAddress:
1458 arg = argv_next(&ac, &av);
1459 if (arg == NULL || *arg == '\0')
1460 fatal("%s line %d: missing address",
1462 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
1463 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1464 && strchr(p+1, ':') != NULL) {
1471 fatal("%s line %d: bad address:port usage",
1473 p = cleanhostname(p);
1476 else if ((port = a2port(arg)) <= 0)
1477 fatal("%s line %d: bad port number",
1480 /* Optional routing table */
1482 if ((arg = argv_next(&ac, &av)) != NULL) {
1483 if (strcmp(arg, "rdomain") != 0 ||
1484 (arg2 = argv_next(&ac, &av)) == NULL)
1485 fatal("%s line %d: bad ListenAddress syntax",
1487 if (!valid_rdomain(arg2))
1488 fatal("%s line %d: bad routing domain",
1491 queue_listen_addr(options, p, arg2, port);
1495 case sAddressFamily:
1496 intptr = &options->address_family;
1497 multistate_ptr = multistate_addressfamily;
1499 arg = argv_next(&ac, &av);
1500 if (!arg || *arg == '\0')
1501 fatal("%s line %d: missing argument.",
1504 for (i = 0; multistate_ptr[i].key != NULL; i++) {
1505 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1506 value = multistate_ptr[i].value;
1511 fatal("%s line %d: unsupported option \"%s\".",
1512 filename, linenum, arg);
1513 if (*activep && *intptr == -1)
1518 arg = argv_next(&ac, &av);
1519 if (!arg || *arg == '\0')
1520 fatal("%s line %d: missing file name.",
1523 servconf_add_hostkey(filename, linenum,
1529 charptr = &options->host_key_agent;
1530 arg = argv_next(&ac, &av);
1531 if (!arg || *arg == '\0')
1532 fatal("%s line %d: missing socket name.",
1534 if (*activep && *charptr == NULL)
1535 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1536 xstrdup(arg) : derelativise_path(arg);
1539 case sHostCertificate:
1540 arg = argv_next(&ac, &av);
1541 if (!arg || *arg == '\0')
1542 fatal("%s line %d: missing file name.",
1545 servconf_add_hostcert(filename, linenum, options, arg);
1549 charptr = &options->pid_file;
1551 arg = argv_next(&ac, &av);
1552 if (!arg || *arg == '\0')
1553 fatal("%s line %d: missing file name.",
1555 if (*activep && *charptr == NULL) {
1556 *charptr = derelativise_path(arg);
1557 /* increase optional counter */
1559 *intptr = *intptr + 1;
1564 charptr = &options->moduli_file;
1565 goto parse_filename;
1567 case sPermitRootLogin:
1568 intptr = &options->permit_root_login;
1569 multistate_ptr = multistate_permitrootlogin;
1570 goto parse_multistate;
1573 intptr = &options->ignore_rhosts;
1574 multistate_ptr = multistate_ignore_rhosts;
1575 goto parse_multistate;
1577 case sIgnoreUserKnownHosts:
1578 intptr = &options->ignore_user_known_hosts;
1580 multistate_ptr = multistate_flag;
1581 goto parse_multistate;
1583 case sHostbasedAuthentication:
1584 intptr = &options->hostbased_authentication;
1587 case sHostbasedUsesNameFromPacketOnly:
1588 intptr = &options->hostbased_uses_name_from_packet_only;
1591 case sHostbasedAcceptedAlgorithms:
1592 charptr = &options->hostbased_accepted_algos;
1594 arg = argv_next(&ac, &av);
1595 if (!arg || *arg == '\0')
1596 fatal("%s line %d: Missing argument.",
1599 !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
1601 fatal("%s line %d: Bad key types '%s'.",
1602 filename, linenum, arg ? arg : "<NONE>");
1603 if (*activep && *charptr == NULL)
1604 *charptr = xstrdup(arg);
1607 case sHostKeyAlgorithms:
1608 charptr = &options->hostkeyalgorithms;
1609 goto parse_pubkey_algos;
1611 case sCASignatureAlgorithms:
1612 charptr = &options->ca_sign_algorithms;
1613 goto parse_pubkey_algos;
1615 case sPubkeyAuthentication:
1616 intptr = &options->pubkey_authentication;
1619 case sPubkeyAcceptedAlgorithms:
1620 charptr = &options->pubkey_accepted_algos;
1621 goto parse_pubkey_algos;
1623 case sPubkeyAuthOptions:
1624 intptr = &options->pubkey_auth_options;
1626 while ((arg = argv_next(&ac, &av)) != NULL) {
1627 if (strcasecmp(arg, "none") == 0)
1629 if (strcasecmp(arg, "touch-required") == 0)
1630 value |= PUBKEYAUTH_TOUCH_REQUIRED;
1631 else if (strcasecmp(arg, "verify-required") == 0)
1632 value |= PUBKEYAUTH_VERIFY_REQUIRED;
1634 error("%s line %d: unsupported %s option %s",
1635 filename, linenum, keyword, arg);
1639 if (*activep && *intptr == -1)
1643 case sKerberosAuthentication:
1644 intptr = &options->kerberos_authentication;
1647 case sKerberosOrLocalPasswd:
1648 intptr = &options->kerberos_or_local_passwd;
1651 case sKerberosTicketCleanup:
1652 intptr = &options->kerberos_ticket_cleanup;
1655 case sKerberosGetAFSToken:
1656 intptr = &options->kerberos_get_afs_token;
1659 case sGssAuthentication:
1660 intptr = &options->gss_authentication;
1663 case sGssCleanupCreds:
1664 intptr = &options->gss_cleanup_creds;
1667 case sGssStrictAcceptor:
1668 intptr = &options->gss_strict_acceptor;
1671 case sPasswordAuthentication:
1672 intptr = &options->password_authentication;
1675 case sKbdInteractiveAuthentication:
1676 intptr = &options->kbd_interactive_authentication;
1680 intptr = &options->print_motd;
1684 intptr = &options->print_lastlog;
1687 case sX11Forwarding:
1688 intptr = &options->x11_forwarding;
1691 case sX11DisplayOffset:
1692 intptr = &options->x11_display_offset;
1694 arg = argv_next(&ac, &av);
1695 if ((errstr = atoi_err(arg, &value)) != NULL)
1696 fatal("%s line %d: %s integer value %s.",
1697 filename, linenum, keyword, errstr);
1698 if (*activep && *intptr == -1)
1702 case sX11UseLocalhost:
1703 intptr = &options->x11_use_localhost;
1706 case sXAuthLocation:
1707 charptr = &options->xauth_location;
1708 goto parse_filename;
1711 intptr = &options->permit_tty;
1715 intptr = &options->permit_user_rc;
1719 intptr = &options->strict_modes;
1723 intptr = &options->tcp_keep_alive;
1727 intptr = &options->permit_empty_passwd;
1730 case sPermitUserEnvironment:
1731 intptr = &options->permit_user_env;
1732 charptr = &options->permit_user_env_allowlist;
1733 arg = argv_next(&ac, &av);
1734 if (!arg || *arg == '\0')
1735 fatal("%s line %d: %s missing argument.",
1736 filename, linenum, keyword);
1739 if (strcmp(arg, "yes") == 0)
1741 else if (strcmp(arg, "no") == 0)
1744 /* Pattern-list specified */
1748 if (*activep && *intptr == -1) {
1757 intptr = &options->compression;
1758 multistate_ptr = multistate_compression;
1759 goto parse_multistate;
1762 arg = argv_next(&ac, &av);
1763 if (!arg || *arg == '\0')
1764 fatal("%s line %d: %s missing argument.",
1765 filename, linenum, keyword);
1766 if (strcmp(arg, "default") == 0) {
1769 if (scan_scaled(arg, &val64) == -1)
1770 fatal("%.200s line %d: Bad %s number '%s': %s",
1771 filename, linenum, keyword,
1772 arg, strerror(errno));
1773 if (val64 != 0 && val64 < 16)
1774 fatal("%.200s line %d: %s too small",
1775 filename, linenum, keyword);
1777 if (*activep && options->rekey_limit == -1)
1778 options->rekey_limit = val64;
1779 if (ac != 0) { /* optional rekey interval present */
1780 if (strcmp(av[0], "none") == 0) {
1781 (void)argv_next(&ac, &av); /* discard */
1784 intptr = &options->rekey_interval;
1790 intptr = &options->fwd_opts.gateway_ports;
1791 multistate_ptr = multistate_gatewayports;
1792 goto parse_multistate;
1795 intptr = &options->use_dns;
1799 log_facility_ptr = &options->log_facility;
1800 arg = argv_next(&ac, &av);
1801 value = log_facility_number(arg);
1802 if (value == SYSLOG_FACILITY_NOT_SET)
1803 fatal("%.200s line %d: unsupported log facility '%s'",
1804 filename, linenum, arg ? arg : "<NONE>");
1805 if (*log_facility_ptr == -1)
1806 *log_facility_ptr = (SyslogFacility) value;
1810 log_level_ptr = &options->log_level;
1811 arg = argv_next(&ac, &av);
1812 value = log_level_number(arg);
1813 if (value == SYSLOG_LEVEL_NOT_SET)
1814 fatal("%.200s line %d: unsupported log level '%s'",
1815 filename, linenum, arg ? arg : "<NONE>");
1816 if (*activep && *log_level_ptr == -1)
1817 *log_level_ptr = (LogLevel) value;
1821 found = options->num_log_verbose == 0;
1823 while ((arg = argv_next(&ac, &av)) != NULL) {
1825 error("%s line %d: keyword %s empty argument",
1826 filename, linenum, keyword);
1829 /* Allow "none" only in first position */
1830 if (strcasecmp(arg, "none") == 0) {
1831 if (i > 0 || ac > 0) {
1832 error("%s line %d: keyword %s \"none\" "
1833 "argument must appear alone.",
1834 filename, linenum, keyword);
1839 if (!found || !*activep)
1841 opt_array_append(filename, linenum, keyword,
1842 &options->log_verbose, &options->num_log_verbose,
1847 case sAllowTcpForwarding:
1848 intptr = &options->allow_tcp_forwarding;
1849 multistate_ptr = multistate_tcpfwd;
1850 goto parse_multistate;
1852 case sAllowStreamLocalForwarding:
1853 intptr = &options->allow_streamlocal_forwarding;
1854 multistate_ptr = multistate_tcpfwd;
1855 goto parse_multistate;
1857 case sAllowAgentForwarding:
1858 intptr = &options->allow_agent_forwarding;
1861 case sDisableForwarding:
1862 intptr = &options->disable_forwarding;
1866 chararrayptr = &options->allow_users;
1867 uintptr = &options->num_allow_users;
1868 parse_allowdenyusers:
1869 while ((arg = argv_next(&ac, &av)) != NULL) {
1871 match_user(NULL, NULL, NULL, arg) == -1)
1872 fatal("%s line %d: invalid %s pattern: \"%s\"",
1873 filename, linenum, keyword, arg);
1876 opt_array_append(filename, linenum, keyword,
1877 chararrayptr, uintptr, arg);
1882 chararrayptr = &options->deny_users;
1883 uintptr = &options->num_deny_users;
1884 goto parse_allowdenyusers;
1887 chararrayptr = &options->allow_groups;
1888 uintptr = &options->num_allow_groups;
1889 parse_allowdenygroups:
1890 while ((arg = argv_next(&ac, &av)) != NULL) {
1892 fatal("%s line %d: empty %s pattern",
1893 filename, linenum, keyword);
1896 opt_array_append(filename, linenum, keyword,
1897 chararrayptr, uintptr, arg);
1902 chararrayptr = &options->deny_groups;
1903 uintptr = &options->num_deny_groups;
1904 goto parse_allowdenygroups;
1907 arg = argv_next(&ac, &av);
1908 if (!arg || *arg == '\0')
1909 fatal("%s line %d: %s missing argument.",
1910 filename, linenum, keyword);
1912 !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1913 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1914 filename, linenum, arg ? arg : "<NONE>");
1915 if (options->ciphers == NULL)
1916 options->ciphers = xstrdup(arg);
1920 arg = argv_next(&ac, &av);
1921 if (!arg || *arg == '\0')
1922 fatal("%s line %d: %s missing argument.",
1923 filename, linenum, keyword);
1925 !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1926 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1927 filename, linenum, arg ? arg : "<NONE>");
1928 if (options->macs == NULL)
1929 options->macs = xstrdup(arg);
1932 case sKexAlgorithms:
1933 arg = argv_next(&ac, &av);
1934 if (!arg || *arg == '\0')
1935 fatal("%s line %d: %s missing argument.",
1936 filename, linenum, keyword);
1938 !kex_names_valid(*arg == '+' || *arg == '^' ?
1940 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1941 filename, linenum, arg ? arg : "<NONE>");
1942 if (options->kex_algorithms == NULL)
1943 options->kex_algorithms = xstrdup(arg);
1947 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1948 fatal("%s line %d: too many subsystems defined.",
1951 arg = argv_next(&ac, &av);
1952 if (!arg || *arg == '\0')
1953 fatal("%s line %d: %s missing argument.",
1954 filename, linenum, keyword);
1956 arg = argv_next(&ac, &av);
1959 for (i = 0; i < options->num_subsystems; i++)
1960 if (strcmp(arg, options->subsystem_name[i]) == 0)
1961 fatal("%s line %d: Subsystem '%s' "
1962 "already defined.", filename, linenum, arg);
1963 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1964 arg = argv_next(&ac, &av);
1965 if (!arg || *arg == '\0')
1966 fatal("%s line %d: Missing subsystem command.",
1968 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1970 /* Collect arguments (separate to executable) */
1972 len = strlen(p) + 1;
1973 while ((arg = argv_next(&ac, &av)) != NULL) {
1974 len += 1 + strlen(arg);
1975 p = xreallocarray(p, 1, len);
1976 strlcat(p, " ", len);
1977 strlcat(p, arg, len);
1979 options->subsystem_args[options->num_subsystems] = p;
1980 options->num_subsystems++;
1984 arg = argv_next(&ac, &av);
1985 if (!arg || *arg == '\0')
1986 fatal("%s line %d: %s missing argument.",
1987 filename, linenum, keyword);
1988 if ((n = sscanf(arg, "%d:%d:%d",
1989 &options->max_startups_begin,
1990 &options->max_startups_rate,
1991 &options->max_startups)) == 3) {
1992 if (options->max_startups_begin >
1993 options->max_startups ||
1994 options->max_startups_rate > 100 ||
1995 options->max_startups_rate < 1)
1996 fatal("%s line %d: Invalid %s spec.",
1997 filename, linenum, keyword);
1999 fatal("%s line %d: Invalid %s spec.",
2000 filename, linenum, keyword);
2002 options->max_startups = options->max_startups_begin;
2003 if (options->max_startups <= 0 ||
2004 options->max_startups_begin <= 0)
2005 fatal("%s line %d: Invalid %s spec.",
2006 filename, linenum, keyword);
2009 case sPerSourceNetBlockSize:
2010 arg = argv_next(&ac, &av);
2011 if (!arg || *arg == '\0')
2012 fatal("%s line %d: %s missing argument.",
2013 filename, linenum, keyword);
2014 switch (n = sscanf(arg, "%d:%d", &value, &value2)) {
2016 if (value2 < 0 || value2 > 128)
2020 if (value < 0 || value > 32)
2023 if (n != 1 && n != 2)
2024 fatal("%s line %d: Invalid %s spec.",
2025 filename, linenum, keyword);
2027 options->per_source_masklen_ipv4 = value;
2028 options->per_source_masklen_ipv6 = value2;
2032 case sPerSourceMaxStartups:
2033 arg = argv_next(&ac, &av);
2034 if (!arg || *arg == '\0')
2035 fatal("%s line %d: %s missing argument.",
2036 filename, linenum, keyword);
2037 if (strcmp(arg, "none") == 0) { /* no limit */
2040 if ((errstr = atoi_err(arg, &value)) != NULL)
2041 fatal("%s line %d: %s integer value %s.",
2042 filename, linenum, keyword, errstr);
2045 options->per_source_max_startups = value;
2049 intptr = &options->max_authtries;
2053 intptr = &options->max_sessions;
2057 charptr = &options->banner;
2058 goto parse_filename;
2061 * These options can contain %X options expanded at
2062 * connect time, so that you can specify paths like:
2064 * AuthorizedKeysFile /etc/ssh_keys/%u
2066 case sAuthorizedKeysFile:
2067 uvalue = options->num_authkeys_files;
2068 while ((arg = argv_next(&ac, &av)) != NULL) {
2070 error("%s line %d: keyword %s empty argument",
2071 filename, linenum, keyword);
2074 arg2 = tilde_expand_filename(arg, getuid());
2075 if (*activep && uvalue == 0) {
2076 opt_array_append(filename, linenum, keyword,
2077 &options->authorized_keys_files,
2078 &options->num_authkeys_files, arg2);
2084 case sAuthorizedPrincipalsFile:
2085 charptr = &options->authorized_principals_file;
2086 arg = argv_next(&ac, &av);
2087 if (!arg || *arg == '\0')
2088 fatal("%s line %d: %s missing argument.",
2089 filename, linenum, keyword);
2090 if (*activep && *charptr == NULL) {
2091 *charptr = tilde_expand_filename(arg, getuid());
2092 /* increase optional counter */
2094 *intptr = *intptr + 1;
2098 case sClientAliveInterval:
2099 intptr = &options->client_alive_interval;
2102 case sClientAliveCountMax:
2103 intptr = &options->client_alive_count_max;
2107 while ((arg = argv_next(&ac, &av)) != NULL) {
2108 if (*arg == '\0' || strchr(arg, '=') != NULL)
2109 fatal("%s line %d: Invalid environment name.",
2113 opt_array_append(filename, linenum, keyword,
2114 &options->accept_env, &options->num_accept_env,
2120 uvalue = options->num_setenv;
2121 while ((arg = argv_next(&ac, &av)) != NULL) {
2122 if (*arg == '\0' || strchr(arg, '=') == NULL)
2123 fatal("%s line %d: Invalid environment.",
2125 if (!*activep || uvalue != 0)
2127 if (lookup_setenv_in_list(arg, options->setenv,
2128 options->num_setenv) != NULL) {
2129 debug2("%s line %d: ignoring duplicate env "
2130 "name \"%.64s\"", filename, linenum, arg);
2133 opt_array_append(filename, linenum, keyword,
2134 &options->setenv, &options->num_setenv, arg);
2139 intptr = &options->permit_tun;
2140 arg = argv_next(&ac, &av);
2141 if (!arg || *arg == '\0')
2142 fatal("%s line %d: %s missing argument.",
2143 filename, linenum, keyword);
2145 for (i = 0; tunmode_desc[i].val != -1; i++)
2146 if (strcmp(tunmode_desc[i].text, arg) == 0) {
2147 value = tunmode_desc[i].val;
2151 fatal("%s line %d: bad %s argument %s",
2152 filename, linenum, keyword, arg);
2153 if (*activep && *intptr == -1)
2159 fatal("Include directive not supported as a "
2160 "command-line option");
2163 while ((arg2 = argv_next(&ac, &av)) != NULL) {
2164 if (*arg2 == '\0') {
2165 error("%s line %d: keyword %s empty argument",
2166 filename, linenum, keyword);
2171 if (*arg2 != '/' && *arg2 != '~') {
2172 xasprintf(&arg, "%s/%s", SSHDIR, arg2);
2174 arg = xstrdup(arg2);
2177 * Don't let included files clobber the containing
2178 * file's Match state.
2182 /* consult cache of include files */
2183 TAILQ_FOREACH(item, includes, entry) {
2184 if (strcmp(item->selector, arg) != 0)
2186 if (item->filename != NULL) {
2187 parse_server_config_depth(options,
2188 item->filename, item->contents,
2189 includes, connectinfo,
2190 (*inc_flags & SSHCFG_MATCH_ONLY
2191 ? SSHCFG_MATCH_ONLY : (oactive
2192 ? 0 : SSHCFG_NEVERMATCH)),
2193 activep, depth + 1);
2203 /* requested glob was not in cache */
2204 debug2("%s line %d: new include %s",
2205 filename, linenum, arg);
2206 if ((r = glob(arg, 0, NULL, &gbuf)) != 0) {
2207 if (r != GLOB_NOMATCH) {
2208 fatal("%s line %d: include \"%s\" glob "
2209 "failed", filename, linenum, arg);
2212 * If no entry matched then record a
2213 * placeholder to skip later glob calls.
2215 debug2("%s line %d: no match for %s",
2216 filename, linenum, arg);
2217 item = xcalloc(1, sizeof(*item));
2218 item->selector = strdup(arg);
2219 TAILQ_INSERT_TAIL(includes,
2222 if (gbuf.gl_pathc > INT_MAX)
2223 fatal_f("too many glob results");
2224 for (n = 0; n < (int)gbuf.gl_pathc; n++) {
2225 debug2("%s line %d: including %s",
2226 filename, linenum, gbuf.gl_pathv[n]);
2227 item = xcalloc(1, sizeof(*item));
2228 item->selector = strdup(arg);
2229 item->filename = strdup(gbuf.gl_pathv[n]);
2230 if ((item->contents = sshbuf_new()) == NULL)
2231 fatal_f("sshbuf_new failed");
2232 load_server_config(item->filename,
2234 parse_server_config_depth(options,
2235 item->filename, item->contents,
2236 includes, connectinfo,
2237 (*inc_flags & SSHCFG_MATCH_ONLY
2238 ? SSHCFG_MATCH_ONLY : (oactive
2239 ? 0 : SSHCFG_NEVERMATCH)),
2240 activep, depth + 1);
2242 TAILQ_INSERT_TAIL(includes, item, entry);
2248 fatal("%s line %d: %s missing filename argument",
2249 filename, linenum, keyword);
2255 fatal("Match directive not supported as a command-line "
2257 value = match_cfg_line(&str, linenum,
2258 (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
2260 fatal("%s line %d: Bad Match condition", filename,
2262 *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
2264 * The MATCH_ONLY flag is applicable only until the first
2267 *inc_flags &= ~SSHCFG_MATCH_ONLY;
2269 * If match_cfg_line() didn't consume all its arguments then
2270 * arrange for the extra arguments check below to fail.
2272 if (str == NULL || *str == '\0')
2278 if (opcode == sPermitListen) {
2279 uintptr = &options->num_permitted_listens;
2280 chararrayptr = &options->permitted_listens;
2282 uintptr = &options->num_permitted_opens;
2283 chararrayptr = &options->permitted_opens;
2285 arg = argv_next(&ac, &av);
2286 if (!arg || *arg == '\0')
2287 fatal("%s line %d: %s missing argument.",
2288 filename, linenum, keyword);
2289 uvalue = *uintptr; /* modified later */
2290 if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
2291 if (*activep && uvalue == 0) {
2293 *chararrayptr = xcalloc(1,
2294 sizeof(**chararrayptr));
2295 (*chararrayptr)[0] = xstrdup(arg);
2299 for (; arg != NULL && *arg != '\0'; arg = argv_next(&ac, &av)) {
2300 if (opcode == sPermitListen &&
2301 strchr(arg, ':') == NULL) {
2303 * Allow bare port number for PermitListen
2304 * to indicate a wildcard listen host.
2306 xasprintf(&arg2, "*:%s", arg);
2308 arg2 = xstrdup(arg);
2311 fatal("%s line %d: %s missing host",
2312 filename, linenum, keyword);
2314 p = cleanhostname(p);
2317 ((port = permitopen_port(arg)) < 0)) {
2318 fatal("%s line %d: %s bad port number",
2319 filename, linenum, keyword);
2321 if (*activep && uvalue == 0) {
2322 opt_array_append(filename, linenum, keyword,
2323 chararrayptr, uintptr, arg2);
2330 if (str == NULL || *str == '\0')
2331 fatal("%s line %d: %s missing argument.",
2332 filename, linenum, keyword);
2333 len = strspn(str, WHITESPACE);
2334 if (*activep && options->adm_forced_command == NULL)
2335 options->adm_forced_command = xstrdup(str + len);
2339 case sChrootDirectory:
2340 charptr = &options->chroot_directory;
2342 arg = argv_next(&ac, &av);
2343 if (!arg || *arg == '\0')
2344 fatal("%s line %d: %s missing argument.",
2345 filename, linenum, keyword);
2346 if (*activep && *charptr == NULL)
2347 *charptr = xstrdup(arg);
2350 case sTrustedUserCAKeys:
2351 charptr = &options->trusted_user_ca_keys;
2352 goto parse_filename;
2355 charptr = &options->revoked_keys_file;
2356 goto parse_filename;
2358 case sSecurityKeyProvider:
2359 charptr = &options->sk_provider;
2360 arg = argv_next(&ac, &av);
2361 if (!arg || *arg == '\0')
2362 fatal("%s line %d: %s missing argument.",
2363 filename, linenum, keyword);
2364 if (*activep && *charptr == NULL) {
2365 *charptr = strcasecmp(arg, "internal") == 0 ?
2366 xstrdup(arg) : derelativise_path(arg);
2367 /* increase optional counter */
2369 *intptr = *intptr + 1;
2374 arg = argv_next(&ac, &av);
2375 if (!arg || *arg == '\0')
2376 fatal("%s line %d: %s missing argument.",
2377 filename, linenum, keyword);
2378 if ((value = parse_ipqos(arg)) == -1)
2379 fatal("%s line %d: Bad %s value: %s",
2380 filename, linenum, keyword, arg);
2381 arg = argv_next(&ac, &av);
2384 else if ((value2 = parse_ipqos(arg)) == -1)
2385 fatal("%s line %d: Bad %s value: %s",
2386 filename, linenum, keyword, arg);
2388 options->ip_qos_interactive = value;
2389 options->ip_qos_bulk = value2;
2393 case sVersionAddendum:
2394 if (str == NULL || *str == '\0')
2395 fatal("%s line %d: %s missing argument.",
2396 filename, linenum, keyword);
2397 len = strspn(str, WHITESPACE);
2398 if (strchr(str + len, '\r') != NULL) {
2399 fatal("%.200s line %d: Invalid %s argument",
2400 filename, linenum, keyword);
2402 if ((arg = strchr(line, '#')) != NULL) {
2406 if (*activep && options->version_addendum == NULL) {
2407 if (strcasecmp(str + len, "none") == 0)
2408 options->version_addendum = xstrdup("");
2410 options->version_addendum = xstrdup(str + len);
2415 case sAuthorizedKeysCommand:
2416 charptr = &options->authorized_keys_command;
2418 len = strspn(str, WHITESPACE);
2419 if (str[len] != '/' && strcasecmp(str + len, "none") != 0) {
2420 fatal("%.200s line %d: %s must be an absolute path",
2421 filename, linenum, keyword);
2423 if (*activep && options->authorized_keys_command == NULL)
2424 *charptr = xstrdup(str + len);
2428 case sAuthorizedKeysCommandUser:
2429 charptr = &options->authorized_keys_command_user;
2431 arg = argv_next(&ac, &av);
2432 if (!arg || *arg == '\0') {
2433 fatal("%s line %d: missing %s argument.",
2434 filename, linenum, keyword);
2436 if (*activep && *charptr == NULL)
2437 *charptr = xstrdup(arg);
2440 case sAuthorizedPrincipalsCommand:
2441 charptr = &options->authorized_principals_command;
2444 case sAuthorizedPrincipalsCommandUser:
2445 charptr = &options->authorized_principals_command_user;
2446 goto parse_localuser;
2448 case sAuthenticationMethods:
2449 found = options->num_auth_methods == 0;
2450 value = 0; /* seen "any" pseudo-method */
2451 value2 = 0; /* successfully parsed any method */
2452 while ((arg = argv_next(&ac, &av)) != NULL) {
2453 if (strcmp(arg, "any") == 0) {
2454 if (options->num_auth_methods > 0) {
2455 fatal("%s line %d: \"any\" must "
2456 "appear alone in %s",
2457 filename, linenum, keyword);
2461 fatal("%s line %d: \"any\" must appear "
2462 "alone in %s", filename, linenum, keyword);
2463 } else if (auth2_methods_valid(arg, 0) != 0) {
2464 fatal("%s line %d: invalid %s method list.",
2465 filename, linenum, keyword);
2468 if (!found || !*activep)
2470 opt_array_append(filename, linenum, keyword,
2471 &options->auth_methods,
2472 &options->num_auth_methods, arg);
2475 fatal("%s line %d: no %s specified",
2476 filename, linenum, keyword);
2480 case sStreamLocalBindMask:
2481 arg = argv_next(&ac, &av);
2482 if (!arg || *arg == '\0')
2483 fatal("%s line %d: %s missing argument.",
2484 filename, linenum, keyword);
2485 /* Parse mode in octal format */
2486 value = strtol(arg, &p, 8);
2487 if (arg == p || value < 0 || value > 0777)
2488 fatal("%s line %d: Invalid %s.",
2489 filename, linenum, keyword);
2491 options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
2494 case sStreamLocalBindUnlink:
2495 intptr = &options->fwd_opts.streamlocal_bind_unlink;
2498 case sFingerprintHash:
2499 arg = argv_next(&ac, &av);
2500 if (!arg || *arg == '\0')
2501 fatal("%s line %d: %s missing argument.",
2502 filename, linenum, keyword);
2503 if ((value = ssh_digest_alg_by_name(arg)) == -1)
2504 fatal("%.200s line %d: Invalid %s algorithm \"%s\".",
2505 filename, linenum, keyword, arg);
2507 options->fingerprint_hash = value;
2510 case sExposeAuthInfo:
2511 intptr = &options->expose_userauth_info;
2515 #if !defined(__OpenBSD__) && !defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
2516 fatal("%s line %d: setting RDomain not supported on this "
2517 "platform.", filename, linenum);
2519 charptr = &options->routing_domain;
2520 arg = argv_next(&ac, &av);
2521 if (!arg || *arg == '\0')
2522 fatal("%s line %d: %s missing argument.",
2523 filename, linenum, keyword);
2524 if (strcasecmp(arg, "none") != 0 && strcmp(arg, "%D") != 0 &&
2525 !valid_rdomain(arg))
2526 fatal("%s line %d: invalid routing domain",
2528 if (*activep && *charptr == NULL)
2529 *charptr = xstrdup(arg);
2532 case sRequiredRSASize:
2533 intptr = &options->required_rsa_size;
2536 case sChannelTimeout:
2537 uvalue = options->num_channel_timeouts;
2539 while ((arg = argv_next(&ac, &av)) != NULL) {
2540 /* Allow "none" only in first position */
2541 if (strcasecmp(arg, "none") == 0) {
2542 if (i > 0 || ac > 0) {
2543 error("%s line %d: keyword %s \"none\" "
2544 "argument must appear alone.",
2545 filename, linenum, keyword);
2548 } else if (parse_timeout(arg, NULL, NULL) != 0) {
2549 fatal("%s line %d: invalid channel timeout %s",
2550 filename, linenum, arg);
2552 if (!*activep || uvalue != 0)
2554 opt_array_append(filename, linenum, keyword,
2555 &options->channel_timeouts,
2556 &options->num_channel_timeouts, arg);
2560 case sUnusedConnectionTimeout:
2561 intptr = &options->unused_connection_timeout;
2562 /* peek at first arg for "none" so we can reuse parse_time */
2563 if (av[0] != NULL && strcasecmp(av[0], "none") == 0) {
2564 (void)argv_next(&ac, &av); /* consume arg */
2572 intptr = &options->use_blacklist;
2578 do_log2(opcode == sIgnore ?
2579 SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
2580 "%s line %d: %s option %s", filename, linenum,
2581 opcode == sUnsupported ? "Unsupported" : "Deprecated",
2587 fatal("%s line %d: Missing handler for opcode %s (%d)",
2588 filename, linenum, keyword, opcode);
2590 /* Check that there is no garbage at end of line. */
2592 error("%.200s line %d: keyword %s extra arguments "
2593 "at end of line", filename, linenum, keyword);
2600 argv_free(oav, oac);
/*
 * Process one configuration line at Include depth 0.
 *
 * Thin wrapper for callers that are not themselves inside an Include: it
 * forwards every argument to process_server_config_line_depth(), passing
 * the address of a local inc_flags and a depth of 0, and returns that
 * function's result unchanged (a non-zero result is what
 * parse_server_config_depth() below counts as a bad option).
 *
 * NOTE(review): the return type, opening brace and the declaration of
 * inc_flags are not reproduced in this listing; confirm inc_flags starts
 * at 0 so that no SSHCFG_* flag is inherited from the caller's stack.
 */
2605 process_server_config_line(ServerOptions *options, char *line,
2606 const char *filename, int linenum, int *activep,
2607 struct connection_info *connectinfo, struct include_list *includes)
2611 return process_server_config_line_depth(options, line, filename,
2612 linenum, activep, connectinfo, &inc_flags, 0, includes);
/*
 * Reads the server configuration file.
 *
 * The file named by "filename" is read line by line with getline() and
 * appended to "conf".  Leading blanks, tabs and carriage returns are
 * stripped from each line, but the trailing newline is kept so that the
 * parser can later reproduce line numbers in error messages.  A single
 * NUL is appended at the end so the parser can treat the buffer as a C
 * string.  Every failure is fatal: sshd cannot run without a readable
 * configuration.
 *
 * Ownership: "conf" is supplied and owned by the caller; this function
 * only appends to it.
 */
2619 load_server_config(const char *filename, struct sshbuf *conf)
2622 char *line = NULL, *cp;
2623 size_t linesize = 0;
2627 debug2_f("filename %s", filename);
2628 if ((f = fopen(filename, "r")) == NULL) {
/* NOTE(review): the error/exit path for a failed fopen() is not shown in this listing. */
/*
 * Pre-size the buffer from fstat() so that reading a large file does not
 * repeatedly realloc.  NOTE(review): sshbuf_allocate() presumably still
 * enforces the sshbuf maximum size, so an oversize file fails here rather
 * than growing without bound — confirm in sshbuf.c.
 */
2633 /* grow buffer, so realloc is avoided for large config files */
2634 if (fstat(fileno(f), &st) == 0 && st.st_size > 0 &&
2635 (r = sshbuf_allocate(conf, st.st_size)) != 0)
2636 fatal_fr(r, "allocate");
2637 while (getline(&line, &linesize, f) != -1) {
/*
 * NB - preserve newlines, they are needed to reproduce line numbers
 * later for error messages.  Only leading whitespace/CR is dropped.
 *
 * The line is copied with strlen() rather than getline()'s byte count,
 * so anything after an embedded NUL on a line — including its newline —
 * is silently dropped.  Harmless for a well-formed sshd_config, but it
 * would shift the line numbers reported for everything that follows.
 */
2643 cp = line + strspn(line, " \t\r");
2644 if ((r = sshbuf_put(conf, cp, strlen(cp))) != 0)
2645 fatal_fr(r, "sshbuf_put");
/* NUL-terminate so the parser can consume the buffer as a C string. */
2648 if ((r = sshbuf_put_u8(conf, 0)) != 0)
2649 fatal_fr(r, "sshbuf_put_u8");
/* NOTE(review): free(line) and fclose(f) are expected before this point; those lines are not shown in this listing. */
2651 debug2_f("done config len = %zu", sshbuf_len(conf));
/*
 * Re-evaluate the Match blocks of the already-loaded configuration for a
 * specific connection and fold the results into "options".
 *
 * A scratch ServerOptions "mo" (declared in a line not shown here) is
 * reset to defaults, the global "cfg" buffer is re-parsed with
 * "connectinfo" so that only the matching Match blocks take effect
 * ("reprocess config" is the file name used in any resulting error
 * messages), and everything the re-parse set is then copied over
 * "options" by copy_set_server_options() with preauth = 0, i.e. nothing
 * is withheld by the pre-authentication rule described there.
 */
2655 parse_server_match_config(ServerOptions *options,
2656 struct include_list *includes, struct connection_info *connectinfo)
2660 initialize_server_options(&mo);
2661 parse_server_config(&mo, "reprocess config", cfg, includes,
2663 copy_set_server_options(options, &mo, 0);
/*
 * Parse the "-C" test-mode connection specification into *ci.
 *
 * "spec" is a comma-separated list of key=value items (addr=, host=,
 * user=, laddr=, rdomain=, lport=) and is modified in place by strsep().
 * String values are xstrdup()'d into the connection_info; lport is
 * converted with a2port(), whose -1 sentinel is reported as an error.
 * Unknown keys are reported on stderr.
 *
 * NOTE(review): an empty item (a doubled or trailing comma) ends the loop
 * silently rather than being reported, and a repeated key overwrites the
 * earlier pointer without freeing it (a small leak, test mode only).
 * The return statements are not shown in this listing; presumably -1 on
 * either error path and 0 otherwise — confirm.
 */
2666 int parse_server_match_testspec(struct connection_info *ci, char *spec)
2670 while ((p = strsep(&spec, ",")) && *p != '\0') {
2671 if (strncmp(p, "addr=", 5) == 0) {
2672 ci->address = xstrdup(p + 5);
2673 } else if (strncmp(p, "host=", 5) == 0) {
2674 ci->host = xstrdup(p + 5);
2675 } else if (strncmp(p, "user=", 5) == 0) {
2676 ci->user = xstrdup(p + 5);
2677 } else if (strncmp(p, "laddr=", 6) == 0) {
2678 ci->laddress = xstrdup(p + 6);
2679 } else if (strncmp(p, "rdomain=", 8) == 0) {
2680 ci->rdomain = xstrdup(p + 8);
2681 } else if (strncmp(p, "lport=", 6) == 0) {
2682 ci->lport = a2port(p + 6);
2683 if (ci->lport == -1) {
2684 fprintf(stderr, "Invalid port '%s' in test mode"
2685 " specification %s\n", p+6, p);
2689 fprintf(stderr, "Invalid test mode specification %s\n",
/*
 * Copy any supported values that are set.
 *
 * This is how the results of a Match re-parse ("src", a scratch
 * ServerOptions) are layered over the effective options ("dst"): integer
 * options are copied through M_CP_INTOPT, string options through
 * M_CP_STROPT (only when src has a value), and string arrays through
 * M_CP_STRARRAYOPT (only when src's count is non-zero, in which case
 * dst's existing array is replaced).  The macro bodies are only partly
 * reproduced in this listing; the intent is that values still at their
 * "unset" sentinel in src leave dst untouched.
 *
 * If the preauth flag is set, we do not bother copying the string or
 * array values that are not used pre-authentication, because any that we
 * do use must be explicitly sent in mm_getpwnamallow().
 */
2705 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
/* Integer options: copied when set in src (macro body partly elided in this listing). */
2707 #define M_CP_INTOPT(n) do {\
2712 M_CP_INTOPT(password_authentication);
2713 M_CP_INTOPT(gss_authentication);
2714 M_CP_INTOPT(pubkey_authentication);
2715 M_CP_INTOPT(pubkey_auth_options);
2716 M_CP_INTOPT(kerberos_authentication);
2717 M_CP_INTOPT(hostbased_authentication);
2718 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2719 M_CP_INTOPT(kbd_interactive_authentication);
2720 M_CP_INTOPT(permit_root_login);
2721 M_CP_INTOPT(permit_empty_passwd);
2722 M_CP_INTOPT(ignore_rhosts);
2724 M_CP_INTOPT(allow_tcp_forwarding);
2725 M_CP_INTOPT(allow_streamlocal_forwarding);
2726 M_CP_INTOPT(allow_agent_forwarding);
2727 M_CP_INTOPT(disable_forwarding);
2728 M_CP_INTOPT(expose_userauth_info);
2729 M_CP_INTOPT(permit_tun);
2730 M_CP_INTOPT(fwd_opts.gateway_ports);
2731 M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2732 M_CP_INTOPT(x11_display_offset);
2733 M_CP_INTOPT(x11_forwarding);
2734 M_CP_INTOPT(x11_use_localhost);
2735 M_CP_INTOPT(permit_tty);
2736 M_CP_INTOPT(permit_user_rc);
2737 M_CP_INTOPT(max_sessions);
2738 M_CP_INTOPT(max_authtries);
2739 M_CP_INTOPT(client_alive_count_max);
2740 M_CP_INTOPT(client_alive_interval);
2741 M_CP_INTOPT(ip_qos_interactive);
2742 M_CP_INTOPT(ip_qos_bulk);
2743 M_CP_INTOPT(rekey_limit);
2744 M_CP_INTOPT(rekey_interval);
2745 M_CP_INTOPT(log_level);
2746 M_CP_INTOPT(required_rsa_size);
2747 M_CP_INTOPT(unused_connection_timeout);
/*
 * The bind_mask is a mode_t that may be unsigned, so we can't use
 * M_CP_INTOPT - it does a signed comparison that causes compiler
 * warnings.  Compare against the (mode_t)-1 "unset" sentinel explicitly
 * instead.
 */
2754 if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2755 dst->fwd_opts.streamlocal_bind_mask =
2756 src->fwd_opts.streamlocal_bind_mask;
2759 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
/*
 * M_CP_STROPT(n): copy a string option when src has a value and dst does
 * not already hold the same pointer (the remainder of the body is elided
 * in this listing).
 * M_CP_STRARRAYOPT(s, num_s): when src has entries, release dst's current
 * entries (the free in the first loop is elided here), allocate a fresh
 * array and deep-copy each string with xstrdup(), then set the count.
 */
2760 #define M_CP_STROPT(n) do {\
2761 if (src->n != NULL && dst->n != src->n) { \
2766 #define M_CP_STRARRAYOPT(s, num_s) do {\
2768 if (src->num_s != 0) { \
2769 for (i = 0; i < dst->num_s; i++) \
2772 dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \
2773 for (i = 0; i < src->num_s; i++) \
2774 dst->s[i] = xstrdup(src->s[i]); \
2775 dst->num_s = src->num_s; \
2779 /* See comment in servconf.h */
2780 COPY_MATCH_STRING_OPTS();
2782 /* Arguments that accept '+...' need to be expanded */
2783 assemble_algorithms(dst);
/*
 * The only things that should be below this point are string options
 * which are only used after authentication.
 *
 * NOTE(review): the early return for the preauth case that enforces this
 * is not shown in this listing — confirm it precedes the copies below.
 */
/*
 * These options may be "none" to clear a global setting: a Match-level
 * "ForceCommand none" / "ChrootDirectory none" must remove the global
 * value rather than be kept as the literal string.
 */
2793 M_CP_STROPT(adm_forced_command);
2794 if (option_clear_or_none(dst->adm_forced_command)) {
2795 free(dst->adm_forced_command);
2796 dst->adm_forced_command = NULL;
2798 M_CP_STROPT(chroot_directory);
2799 if (option_clear_or_none(dst->chroot_directory)) {
2800 free(dst->chroot_directory);
2801 dst->chroot_directory = NULL;
2807 #undef M_CP_STRARRAYOPT
/* Maximum nesting of Include directives; anything deeper is fatal. */
2809 #define SERVCONF_MAX_DEPTH 16
/*
 * Parse every line of "conf" (the NUL-terminated text built by
 * load_server_config()) at the given Include depth.
 *
 * The buffer is duplicated as a C string and split on '\n' with strsep(),
 * so line numbers follow the original file.  Each line is handed to
 * process_server_config_line_depth(); "flags" (SSHCFG_*) and *activep
 * carry the Match/Include state across lines and are updated by the
 * callee, which is why flags is passed by address.  Include directives
 * are handled by re-entering this function at a greater depth (that
 * handling lies outside this listing).  A non-zero result marks a bad
 * option; the count is reported and the function is fatal afterwards if
 * any were seen.
 *
 * NOTE(review): the initialisation of "linenum" (to 1), the increment of
 * "bad_options" on a non-zero result, and the free of "obuf" after the
 * loop are not reproduced in this listing — confirm all three.
 */
2811 parse_server_config_depth(ServerOptions *options, const char *filename,
2812 struct sshbuf *conf, struct include_list *includes,
2813 struct connection_info *connectinfo, int flags, int *activep, int depth)
2815 int linenum, bad_options = 0;
2816 char *cp, *obuf, *cbuf;
/* Bound Include recursion: a self-including or cyclic Include would otherwise never terminate. */
2818 if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
2819 fatal("Too many recursive configuration includes");
2821 debug2_f("config %s len %zu%s", filename, sshbuf_len(conf),
2822 (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
/* sshbuf_dup_string() returns NULL for a buffer it cannot represent as a C string — NOTE(review): presumably an embedded NUL; confirm in sshbuf-misc.c. */
2824 if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2825 fatal_f("sshbuf_dup_string failed");
/* obuf keeps the head of the allocation; strsep() advances cbuf. */
2827 while ((cp = strsep(&cbuf, "\n")) != NULL) {
2828 if (process_server_config_line_depth(options, cp,
2829 filename, linenum++, activep, connectinfo, &flags,
2830 depth, includes) != 0)
/* All lines are parsed before aborting, so every bad option is reported at once. */
2834 if (bad_options > 0)
2835 fatal("%s: terminating, %d bad configuration options",
2836 filename, bad_options);
/*
 * Parse a complete server configuration buffer.
 *
 * Without "connectinfo" every directive is active from the first line.
 * With it, parsing starts inactive and with SSHCFG_MATCH_ONLY, so only
 * Match blocks that apply to that connection take effect — this is the
 * mode used by parse_server_match_config().  Queued ListenAddress entries
 * are then resolved into listen sockets.
 *
 * NOTE(review): "reexec" is not referenced in the lines shown here;
 * presumably it gates the process_queued_listen_addrs() call (a
 * re-executed sshd already has its sockets) — confirm.
 */
2840 parse_server_config(ServerOptions *options, const char *filename,
2841 struct sshbuf *conf, struct include_list *includes,
2842 struct connection_info *connectinfo, int reexec)
2844 int active = connectinfo ? 0 : 1;
2845 parse_server_config_depth(options, filename, conf, includes,
2846 connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
2848 process_queued_listen_addrs(options);
/*
 * Map an integer option value back to its keyword in a multistate table.
 *
 * "m" is an array of {key, value} pairs terminated by a NULL key; the key
 * of the first entry whose value equals "val" is the result.
 * NOTE(review): the return statements (the match, and the fallback for a
 * value not in the table) are not shown in this listing.
 */
2852 fmt_multistate_int(int val, const struct multistate *m)
2856 for (i = 0; m[i].key != NULL; i++) {
2857 if (m[i].value == val)
/*
 * Format an integer option value for "sshd -T" output.
 *
 * Options backed by a multistate table are rendered with
 * fmt_multistate_int() and their table (AllowTcpForwarding and
 * AllowStreamLocalForwarding share multistate_tcpfwd); FingerprintHash is
 * rendered through ssh_digest_alg_name().
 * NOTE(review): the switch header, some case labels and the default
 * branch (presumably the plain yes/no options) are not shown in this
 * listing.
 */
2864 fmt_intarg(ServerOpCodes code, int val)
2869 case sAddressFamily:
2870 return fmt_multistate_int(val, multistate_addressfamily);
2871 case sPermitRootLogin:
2872 return fmt_multistate_int(val, multistate_permitrootlogin);
2874 return fmt_multistate_int(val, multistate_gatewayports);
2876 return fmt_multistate_int(val, multistate_compression);
2877 case sAllowTcpForwarding:
2878 return fmt_multistate_int(val, multistate_tcpfwd);
2879 case sAllowStreamLocalForwarding:
2880 return fmt_multistate_int(val, multistate_tcpfwd);
2882 return fmt_multistate_int(val, multistate_ignore_rhosts);
2883 case sFingerprintHash:
2884 return ssh_digest_alg_name(val);
/*
 * Print an integer option as "<keyword> <value>".
 *
 * UnusedConnectionTimeout stores its "none" setting as 0 (see the parser,
 * which peeks for "none" before parse_time), so that case is printed as
 * the keyword "none" to round-trip through sshd -T.
 * NOTE(review): the return after the "none" branch is not shown in this
 * listing; without it the numeric line would also be printed.
 */
2898 dump_cfg_int(ServerOpCodes code, int val)
2900 if (code == sUnusedConnectionTimeout && val == 0) {
2901 printf("%s none\n", lookup_opcode_name(code));
2904 printf("%s %d\n", lookup_opcode_name(code), val);
/*
 * Print a mode-style option in octal with a leading 0, the form the
 * parser accepts (StreamLocalBindMask is read with strtol base 8).
 */
2908 dump_cfg_oct(ServerOpCodes code, int val)
2910 printf("%s 0%o\n", lookup_opcode_name(code), val);
/* Print an integer option using its keyword form from fmt_intarg(). */
2914 dump_cfg_fmtint(ServerOpCodes code, int val)
2916 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
/* Print a string option; an unset (NULL) value is shown as "none". */
2920 dump_cfg_string(ServerOpCodes code, const char *val)
2922 printf("%s %s\n", lookup_opcode_name(code),
2923 val == NULL ? "none" : val);
/*
 * Print a string-array option one "<keyword> <value>" line per element.
 * Nothing is printed when count is 0.
 */
2927 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2931 for (i = 0; i < count; i++)
2932 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
/*
 * Print a string-array option with all values on a single line.
 *
 * AuthenticationMethods and ChannelTimeout are always printed, even when
 * empty, because an empty list has a meaning for them; for the other
 * opcodes the switch presumably returns early on an empty list (those
 * lines are not shown here).  NOTE(review): the lines after the two
 * "count == 0" tests, which presumably emit the empty-list placeholder
 * and the trailing newline, are not reproduced in this listing.
 */
2936 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2941 case sAuthenticationMethods:
2942 case sChannelTimeout:
2950 printf("%s", lookup_opcode_name(code));
2951 for (i = 0; i < count; i++)
2952 printf(" %s", vals[i]);
2953 if (code == sAuthenticationMethods && count == 0)
2955 else if (code == sChannelTimeout && count == 0)
/*
 * Render one listenaddr entry as "listenaddress HOST:PORT[ rdomain R]\n"
 * lines for sshd -T output.
 *
 * Addresses are converted with getnameinfo() using NI_NUMERICHOST and
 * NI_NUMERICSERV only, so dumping the configuration never performs a DNS
 * lookup; IPv6 hosts are bracketed.  An entry that cannot be formatted is
 * logged and skipped (the continue is not shown here).  The result is a
 * heap string (xstrdup/xasprintf) whose ownership passes to the caller.
 */
2961 format_listen_addrs(struct listenaddr *la)
2964 struct addrinfo *ai;
2965 char addr[NI_MAXHOST], port[NI_MAXSERV];
2966 char *laddr1 = xstrdup(""), *laddr2 = NULL;
/*
 * ListenAddress must be after Port. add_one_listen_addr pushes
 * addresses onto a stack, so to maintain ordering we need to
 * print these in reverse order: each new entry is placed in front of
 * the text accumulated so far (the trailing "%s" in the formats below).
 * NOTE(review): the laddr2 hand-off before each xasprintf, the address
 * and port arguments, and the free of the previous string are not
 * reproduced in this listing.
 */
2973 for (ai = la->addrs; ai; ai = ai->ai_next) {
2974 if ((r = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2975 sizeof(addr), port, sizeof(port),
2976 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2977 error("getnameinfo: %.100s", ssh_gai_strerror(r));
2981 if (ai->ai_family == AF_INET6) {
2982 xasprintf(&laddr1, "listenaddress [%s]:%s%s%s\n%s",
2984 la->rdomain == NULL ? "" : " rdomain ",
2985 la->rdomain == NULL ? "" : la->rdomain,
2988 xasprintf(&laddr1, "listenaddress %s:%s%s%s\n%s",
2990 la->rdomain == NULL ? "" : " rdomain ",
2991 la->rdomain == NULL ? "" : la->rdomain,
3000 dump_config(ServerOptions *o)
3005 /* these are usually at the top of the config */
3006 for (i = 0; i < o->num_ports; i++)
3007 printf("port %d\n", o->ports[i]);
3008 dump_cfg_fmtint(sAddressFamily, o->address_family);
3010 for (i = 0; i < o->num_listen_addrs; i++) {
3011 s = format_listen_addrs(&o->listen_addrs[i]);
3016 /* integer arguments */
3018 dump_cfg_fmtint(sUsePAM, o->use_pam);
3020 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
3021 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
3022 dump_cfg_int(sMaxAuthTries, o->max_authtries);
3023 dump_cfg_int(sMaxSessions, o->max_sessions);
3024 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
3025 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
3026 dump_cfg_int(sRequiredRSASize, o->required_rsa_size);
3027 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
3028 dump_cfg_int(sUnusedConnectionTimeout, o->unused_connection_timeout);
3030 /* formatted integer arguments */
3031 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
3032 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
3033 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
3034 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
3035 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
3036 o->hostbased_uses_name_from_packet_only);
3037 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
3039 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
3040 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
3041 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
3043 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
3047 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
3048 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
3050 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
3051 dump_cfg_fmtint(sKbdInteractiveAuthentication,
3052 o->kbd_interactive_authentication);
3053 dump_cfg_fmtint(sPrintMotd, o->print_motd);
3054 #ifndef DISABLE_LASTLOG
3055 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
3057 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
3058 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
3059 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
3060 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
3061 dump_cfg_fmtint(sStrictModes, o->strict_modes);
3062 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
3063 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
3064 dump_cfg_fmtint(sCompression, o->compression);
3065 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
3066 dump_cfg_fmtint(sUseDNS, o->use_dns);
3067 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
3068 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
3069 dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
3070 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
3071 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
3072 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
3073 dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
3074 dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
3076 /* string arguments */
3077 dump_cfg_string(sPidFile, o->pid_file);
3078 dump_cfg_string(sModuliFile, o->moduli_file);
3079 dump_cfg_string(sXAuthLocation, o->xauth_location);
3080 dump_cfg_string(sCiphers, o->ciphers);
3081 dump_cfg_string(sMacs, o->macs);
3082 dump_cfg_string(sBanner, o->banner);
3083 dump_cfg_string(sForceCommand, o->adm_forced_command);
3084 dump_cfg_string(sChrootDirectory, o->chroot_directory);
3085 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
3086 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
3087 dump_cfg_string(sSecurityKeyProvider, o->sk_provider);
3088 dump_cfg_string(sAuthorizedPrincipalsFile,
3089 o->authorized_principals_file);
3090 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
3091 ? "none" : o->version_addendum);
3092 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
3093 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
3094 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
3095 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
3096 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
3097 dump_cfg_string(sKexAlgorithms, o->kex_algorithms);
3098 dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);
3099 dump_cfg_string(sHostbasedAcceptedAlgorithms, o->hostbased_accepted_algos);
3100 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);
3101 dump_cfg_string(sPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos);
3102 #if defined(__OpenBSD__) || defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
3103 dump_cfg_string(sRDomain, o->routing_domain);
3106 /* string arguments requiring a lookup */
3107 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
3108 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
3110 /* string array arguments */
3111 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
3112 o->authorized_keys_files);
3113 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
3115 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
3116 o->host_cert_files);
3117 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
3118 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
3119 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
3120 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
3121 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
3122 dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv);
3123 dump_cfg_strarray_oneline(sAuthenticationMethods,
3124 o->num_auth_methods, o->auth_methods);
3125 dump_cfg_strarray_oneline(sLogVerbose,
3126 o->num_log_verbose, o->log_verbose);
3127 dump_cfg_strarray_oneline(sChannelTimeout,
3128 o->num_channel_timeouts, o->channel_timeouts);
3130 /* other arguments */
3131 for (i = 0; i < o->num_subsystems; i++)
3132 printf("subsystem %s %s\n", o->subsystem_name[i],
3133 o->subsystem_args[i]);
3135 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
3136 o->max_startups_rate, o->max_startups);
3137 printf("persourcemaxstartups ");
3138 if (o->per_source_max_startups == INT_MAX)
3141 printf("%d\n", o->per_source_max_startups);
3142 printf("persourcenetblocksize %d:%d\n", o->per_source_masklen_ipv4,
3143 o->per_source_masklen_ipv6);
3146 for (i = 0; tunmode_desc[i].val != -1; i++) {
3147 if (tunmode_desc[i].val == o->permit_tun) {
3148 s = tunmode_desc[i].text;
3152 dump_cfg_string(sPermitTunnel, s);
3154 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
3155 printf("%s\n", iptos2str(o->ip_qos_bulk));
3157 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
3160 printf("permitopen");
3161 if (o->num_permitted_opens == 0)
3164 for (i = 0; i < o->num_permitted_opens; i++)
3165 printf(" %s", o->permitted_opens[i]);
3168 printf("permitlisten");
3169 if (o->num_permitted_listens == 0)
3172 for (i = 0; i < o->num_permitted_listens; i++)
3173 printf(" %s", o->permitted_listens[i]);
3177 if (o->permit_user_env_allowlist == NULL) {
3178 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
3180 printf("permituserenvironment %s\n",
3181 o->permit_user_env_allowlist);
3184 printf("pubkeyauthoptions");
3185 if (o->pubkey_auth_options == 0)
3187 if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED)
3188 printf(" touch-required");
3189 if (o->pubkey_auth_options & PUBKEYAUTH_VERIFY_REQUIRED)
3190 printf(" verify-required");