1 /* $OpenBSD: servconf.c,v 1.204 2010/03/04 10:36:03 djm Exp $ */
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
16 #include <sys/types.h>
17 #include <sys/socket.h>
29 #include "openbsd-compat/sys-queue.h"
36 #include "pathnames.h"
44 #include "groupaccess.h"
47 static void add_listen_addr(ServerOptions *, char *, int);
48 static void add_one_listen_addr(ServerOptions *, char *, int);
50 /* Use of privilege separation or not */
51 extern int use_privsep;
54 /* Initializes the server options to their default values. */
57 initialize_server_options(ServerOptions *options)
59 memset(options, 0, sizeof(*options));
61 /* Portable-specific options */
62 options->use_pam = -1;
64 /* Standard Options */
65 options->num_ports = 0;
66 options->ports_from_cmdline = 0;
67 options->listen_addrs = NULL;
68 options->address_family = -1;
69 options->num_host_key_files = 0;
70 options->num_host_cert_files = 0;
71 options->pid_file = NULL;
72 options->server_key_bits = -1;
73 options->login_grace_time = -1;
74 options->key_regeneration_time = -1;
75 options->permit_root_login = PERMIT_NOT_SET;
76 options->ignore_rhosts = -1;
77 options->ignore_user_known_hosts = -1;
78 options->print_motd = -1;
79 options->print_lastlog = -1;
80 options->x11_forwarding = -1;
81 options->x11_display_offset = -1;
82 options->x11_use_localhost = -1;
83 options->xauth_location = NULL;
84 options->strict_modes = -1;
85 options->tcp_keep_alive = -1;
86 options->log_facility = SYSLOG_FACILITY_NOT_SET;
87 options->log_level = SYSLOG_LEVEL_NOT_SET;
88 options->rhosts_rsa_authentication = -1;
89 options->hostbased_authentication = -1;
90 options->hostbased_uses_name_from_packet_only = -1;
91 options->rsa_authentication = -1;
92 options->pubkey_authentication = -1;
93 options->kerberos_authentication = -1;
94 options->kerberos_or_local_passwd = -1;
95 options->kerberos_ticket_cleanup = -1;
96 options->kerberos_get_afs_token = -1;
97 options->gss_authentication=-1;
98 options->gss_cleanup_creds = -1;
99 options->password_authentication = -1;
100 options->kbd_interactive_authentication = -1;
101 options->challenge_response_authentication = -1;
102 options->permit_empty_passwd = -1;
103 options->permit_user_env = -1;
104 options->use_login = -1;
105 options->compression = -1;
106 options->allow_tcp_forwarding = -1;
107 options->allow_agent_forwarding = -1;
108 options->num_allow_users = 0;
109 options->num_deny_users = 0;
110 options->num_allow_groups = 0;
111 options->num_deny_groups = 0;
112 options->ciphers = NULL;
113 options->macs = NULL;
114 options->protocol = SSH_PROTO_UNKNOWN;
115 options->gateway_ports = -1;
116 options->num_subsystems = 0;
117 options->max_startups_begin = -1;
118 options->max_startups_rate = -1;
119 options->max_startups = -1;
120 options->max_authtries = -1;
121 options->max_sessions = -1;
122 options->banner = NULL;
123 options->use_dns = -1;
124 options->client_alive_interval = -1;
125 options->client_alive_count_max = -1;
126 options->authorized_keys_file = NULL;
127 options->authorized_keys_file2 = NULL;
128 options->num_accept_env = 0;
129 options->permit_tun = -1;
130 options->num_permitted_opens = -1;
131 options->adm_forced_command = NULL;
132 options->chroot_directory = NULL;
133 options->zero_knowledge_password_authentication = -1;
134 options->revoked_keys_file = NULL;
135 options->trusted_user_ca_keys = NULL;
139 fill_default_server_options(ServerOptions *options)
141 /* Portable-specific options */
142 if (options->use_pam == -1)
143 options->use_pam = 1;
145 /* Standard Options */
146 if (options->protocol == SSH_PROTO_UNKNOWN)
147 options->protocol = SSH_PROTO_2;
148 if (options->num_host_key_files == 0) {
149 /* fill default hostkeys for protocols */
150 if (options->protocol & SSH_PROTO_1)
151 options->host_key_files[options->num_host_key_files++] =
153 if (options->protocol & SSH_PROTO_2) {
154 options->host_key_files[options->num_host_key_files++] =
155 _PATH_HOST_RSA_KEY_FILE;
156 options->host_key_files[options->num_host_key_files++] =
157 _PATH_HOST_DSA_KEY_FILE;
160 /* No certificates by default */
161 if (options->num_ports == 0)
162 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
163 if (options->listen_addrs == NULL)
164 add_listen_addr(options, NULL, 0);
165 if (options->pid_file == NULL)
166 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
167 if (options->server_key_bits == -1)
168 options->server_key_bits = 1024;
169 if (options->login_grace_time == -1)
170 options->login_grace_time = 120;
171 if (options->key_regeneration_time == -1)
172 options->key_regeneration_time = 3600;
173 if (options->permit_root_login == PERMIT_NOT_SET)
174 options->permit_root_login = PERMIT_NO;
175 if (options->ignore_rhosts == -1)
176 options->ignore_rhosts = 1;
177 if (options->ignore_user_known_hosts == -1)
178 options->ignore_user_known_hosts = 0;
179 if (options->print_motd == -1)
180 options->print_motd = 1;
181 if (options->print_lastlog == -1)
182 options->print_lastlog = 1;
183 if (options->x11_forwarding == -1)
184 options->x11_forwarding = 1;
185 if (options->x11_display_offset == -1)
186 options->x11_display_offset = 10;
187 if (options->x11_use_localhost == -1)
188 options->x11_use_localhost = 1;
189 if (options->xauth_location == NULL)
190 options->xauth_location = _PATH_XAUTH;
191 if (options->strict_modes == -1)
192 options->strict_modes = 1;
193 if (options->tcp_keep_alive == -1)
194 options->tcp_keep_alive = 1;
195 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
196 options->log_facility = SYSLOG_FACILITY_AUTH;
197 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
198 options->log_level = SYSLOG_LEVEL_INFO;
199 if (options->rhosts_rsa_authentication == -1)
200 options->rhosts_rsa_authentication = 0;
201 if (options->hostbased_authentication == -1)
202 options->hostbased_authentication = 0;
203 if (options->hostbased_uses_name_from_packet_only == -1)
204 options->hostbased_uses_name_from_packet_only = 0;
205 if (options->rsa_authentication == -1)
206 options->rsa_authentication = 1;
207 if (options->pubkey_authentication == -1)
208 options->pubkey_authentication = 1;
209 if (options->kerberos_authentication == -1)
210 options->kerberos_authentication = 0;
211 if (options->kerberos_or_local_passwd == -1)
212 options->kerberos_or_local_passwd = 1;
213 if (options->kerberos_ticket_cleanup == -1)
214 options->kerberos_ticket_cleanup = 1;
215 if (options->kerberos_get_afs_token == -1)
216 options->kerberos_get_afs_token = 0;
217 if (options->gss_authentication == -1)
218 options->gss_authentication = 0;
219 if (options->gss_cleanup_creds == -1)
220 options->gss_cleanup_creds = 1;
221 if (options->password_authentication == -1)
222 options->password_authentication = 0;
223 if (options->kbd_interactive_authentication == -1)
224 options->kbd_interactive_authentication = 0;
225 if (options->challenge_response_authentication == -1)
226 options->challenge_response_authentication = 1;
227 if (options->permit_empty_passwd == -1)
228 options->permit_empty_passwd = 0;
229 if (options->permit_user_env == -1)
230 options->permit_user_env = 0;
231 if (options->use_login == -1)
232 options->use_login = 0;
233 if (options->compression == -1)
234 options->compression = COMP_DELAYED;
235 if (options->allow_tcp_forwarding == -1)
236 options->allow_tcp_forwarding = 1;
237 if (options->allow_agent_forwarding == -1)
238 options->allow_agent_forwarding = 1;
239 if (options->gateway_ports == -1)
240 options->gateway_ports = 0;
241 if (options->max_startups == -1)
242 options->max_startups = 10;
243 if (options->max_startups_rate == -1)
244 options->max_startups_rate = 100; /* 100% */
245 if (options->max_startups_begin == -1)
246 options->max_startups_begin = options->max_startups;
247 if (options->max_authtries == -1)
248 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
249 if (options->max_sessions == -1)
250 options->max_sessions = DEFAULT_SESSIONS_MAX;
251 if (options->use_dns == -1)
252 options->use_dns = 1;
253 if (options->client_alive_interval == -1)
254 options->client_alive_interval = 0;
255 if (options->client_alive_count_max == -1)
256 options->client_alive_count_max = 3;
257 if (options->authorized_keys_file2 == NULL) {
258 /* authorized_keys_file2 falls back to authorized_keys_file */
259 if (options->authorized_keys_file != NULL)
260 options->authorized_keys_file2 = options->authorized_keys_file;
262 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
264 if (options->authorized_keys_file == NULL)
265 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
266 if (options->permit_tun == -1)
267 options->permit_tun = SSH_TUNMODE_NO;
268 if (options->zero_knowledge_password_authentication == -1)
269 options->zero_knowledge_password_authentication = 0;
271 /* Turn privilege separation on by default */
272 if (use_privsep == -1)
276 if (use_privsep && options->compression == 1) {
277 error("This platform does not support both privilege "
278 "separation and compression");
279 error("Compression disabled");
280 options->compression = 0;
286 /* Keyword tokens. */
288 sBadOption, /* == unknown option */
289 /* Portable-specific options */
291 /* Standard Options */
292 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
293 sPermitRootLogin, sLogFacility, sLogLevel,
294 sRhostsRSAAuthentication, sRSAAuthentication,
295 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
296 sKerberosGetAFSToken,
297 sKerberosTgtPassing, sChallengeResponseAuthentication,
298 sPasswordAuthentication, sKbdInteractiveAuthentication,
299 sListenAddress, sAddressFamily,
300 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
301 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
302 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
303 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
304 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
305 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
306 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
307 sMaxStartups, sMaxAuthTries, sMaxSessions,
308 sBanner, sUseDNS, sHostbasedAuthentication,
309 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
310 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
311 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
312 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
313 sUsePrivilegeSeparation, sAllowAgentForwarding,
314 sZeroKnowledgePasswordAuthentication, sHostCertificate,
315 sRevokedKeys, sTrustedUserCAKeys,
317 sDeprecated, sUnsupported
320 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
321 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
322 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
324 /* Textual representation of the tokens. */
327 ServerOpCodes opcode;
330 /* Portable-specific options */
332 { "usepam", sUsePAM, SSHCFG_GLOBAL },
334 { "usepam", sUnsupported, SSHCFG_GLOBAL },
336 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
337 /* Standard Options */
338 { "port", sPort, SSHCFG_GLOBAL },
339 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
340 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
341 { "pidfile", sPidFile, SSHCFG_GLOBAL },
342 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
343 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
344 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
345 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
346 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
347 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
348 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
349 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
350 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
351 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_GLOBAL },
352 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
353 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
354 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
356 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
357 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
358 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
360 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
362 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
365 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
366 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
367 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
368 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
370 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
371 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
373 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
374 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
376 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
377 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
379 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
380 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
381 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
382 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
384 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
386 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
388 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
389 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
390 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
391 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
392 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
393 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
394 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
395 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
396 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
397 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
398 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
399 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
400 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
401 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
402 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
403 { "compression", sCompression, SSHCFG_GLOBAL },
404 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
405 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
406 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
407 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
408 { "allowusers", sAllowUsers, SSHCFG_GLOBAL },
409 { "denyusers", sDenyUsers, SSHCFG_GLOBAL },
410 { "allowgroups", sAllowGroups, SSHCFG_GLOBAL },
411 { "denygroups", sDenyGroups, SSHCFG_GLOBAL },
412 { "ciphers", sCiphers, SSHCFG_GLOBAL },
413 { "macs", sMacs, SSHCFG_GLOBAL },
414 { "protocol", sProtocol, SSHCFG_GLOBAL },
415 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
416 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
417 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
418 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
419 { "maxsessions", sMaxSessions, SSHCFG_ALL },
420 { "banner", sBanner, SSHCFG_ALL },
421 { "usedns", sUseDNS, SSHCFG_GLOBAL },
422 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
423 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
424 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
425 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
426 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_GLOBAL },
427 { "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG_GLOBAL },
428 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
429 { "acceptenv", sAcceptEnv, SSHCFG_GLOBAL },
430 { "permittunnel", sPermitTunnel, SSHCFG_GLOBAL },
431 { "match", sMatch, SSHCFG_ALL },
432 { "permitopen", sPermitOpen, SSHCFG_ALL },
433 { "forcecommand", sForceCommand, SSHCFG_ALL },
434 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
435 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
436 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
437 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
438 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
439 { NULL, sBadOption, 0 }
446 { SSH_TUNMODE_NO, "no" },
447 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
448 { SSH_TUNMODE_ETHERNET, "ethernet" },
449 { SSH_TUNMODE_YES, "yes" },
454 * Returns the number of the token pointed to by cp or sBadOption.
458 parse_token(const char *cp, const char *filename,
459 int linenum, u_int *flags)
463 for (i = 0; keywords[i].name; i++)
464 if (strcasecmp(cp, keywords[i].name) == 0) {
465 *flags = keywords[i].flags;
466 return keywords[i].opcode;
469 error("%s: line %d: Bad configuration option: %s",
470 filename, linenum, cp);
475 derelativise_path(const char *path)
477 char *expanded, *ret, *cwd;
479 expanded = tilde_expand_filename(path, getuid());
480 if (*expanded == '/')
482 if ((cwd = getcwd(NULL, 0)) == NULL)
483 fatal("%s: getcwd: %s", __func__, strerror(errno));
484 xasprintf(&ret, "%s/%s", cwd, expanded);
491 add_listen_addr(ServerOptions *options, char *addr, int port)
495 if (options->num_ports == 0)
496 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
497 if (options->address_family == -1)
498 options->address_family = AF_UNSPEC;
500 for (i = 0; i < options->num_ports; i++)
501 add_one_listen_addr(options, addr, options->ports[i]);
503 add_one_listen_addr(options, addr, port);
507 add_one_listen_addr(ServerOptions *options, char *addr, int port)
509 struct addrinfo hints, *ai, *aitop;
510 char strport[NI_MAXSERV];
513 memset(&hints, 0, sizeof(hints));
514 hints.ai_family = options->address_family;
515 hints.ai_socktype = SOCK_STREAM;
516 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
517 snprintf(strport, sizeof strport, "%d", port);
518 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
519 fatal("bad addr or host: %s (%s)",
520 addr ? addr : "<NULL>",
521 ssh_gai_strerror(gaierr));
522 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
524 ai->ai_next = options->listen_addrs;
525 options->listen_addrs = aitop;
529 * The strategy for the Match blocks is that the config file is parsed twice.
531 * The first time is at startup. activep is initialized to 1 and the
532 * directives in the global context are processed and acted on. Hitting a
533 * Match directive unsets activep and the directives inside the block are
534 * checked for syntax only.
536 * The second time is after a connection has been established but before
537 * authentication. activep is initialized to 2 and global config directives
538 * are ignored since they have already been processed. If the criteria in a
539 * Match block is met, activep is set and the subsequent directives
540 * processed and actioned until EOF or another Match block unsets it. Any
541 * options set are copied into the main server config.
543 * Potential additions/improvements:
544 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
546 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
547 * Match Address 192.168.0.*
552 * AllowTcpForwarding yes
553 * GatewayPorts clientspecified
556 * - Add a PermittedChannelRequests directive
558 * PermittedChannelRequests session,forwarded-tcpip
562 match_cfg_line_group(const char *grps, int line, const char *user)
570 if ((pw = getpwnam(user)) == NULL) {
571 debug("Can't match group at line %d because user %.100s does "
572 "not exist", line, user);
573 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
574 debug("Can't Match group because user %.100s not in any group "
575 "at line %d", user, line);
576 } else if (ga_match_pattern_list(grps) != 1) {
577 debug("user %.100s does not match group list %.100s at line %d",
580 debug("user %.100s matched group list %.100s at line %d", user,
590 match_cfg_line(char **condition, int line, const char *user, const char *host,
594 char *arg, *attrib, *cp = *condition;
598 debug3("checking syntax for 'Match %s'", cp);
600 debug3("checking match for '%s' user %s host %s addr %s", cp,
601 user ? user : "(null)", host ? host : "(null)",
602 address ? address : "(null)");
604 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
605 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
606 error("Missing Match criteria for %s", attrib);
610 if (strcasecmp(attrib, "user") == 0) {
615 if (match_pattern_list(user, arg, len, 0) != 1)
618 debug("user %.100s matched 'User %.100s' at "
619 "line %d", user, arg, line);
620 } else if (strcasecmp(attrib, "group") == 0) {
621 switch (match_cfg_line_group(arg, line, user)) {
627 } else if (strcasecmp(attrib, "host") == 0) {
632 if (match_hostname(host, arg, len) != 1)
635 debug("connection from %.100s matched 'Host "
636 "%.100s' at line %d", host, arg, line);
637 } else if (strcasecmp(attrib, "address") == 0) {
638 switch (addr_match_list(address, arg)) {
640 debug("connection from %.100s matched 'Address "
641 "%.100s' at line %d", address, arg, line);
651 error("Unsupported Match attribute %s", attrib);
656 debug3("match %sfound", result ? "" : "not ");
661 #define WHITESPACE " \t\r\n"
664 process_server_config_line(ServerOptions *options, char *line,
665 const char *filename, int linenum, int *activep, const char *user,
666 const char *host, const char *address)
668 char *cp, **charptr, *arg, *p;
669 int cmdline = 0, *intptr, value, n;
670 SyslogFacility *log_facility_ptr;
671 LogLevel *log_level_ptr;
672 ServerOpCodes opcode;
678 if ((arg = strdelim(&cp)) == NULL)
680 /* Ignore leading whitespace */
683 if (!arg || !*arg || *arg == '#')
687 opcode = parse_token(arg, filename, linenum, &flags);
689 if (activep == NULL) { /* We are processing a command line directive */
693 if (*activep && opcode != sMatch)
694 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
695 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
697 fatal("%s line %d: Directive '%s' is not allowed "
698 "within a Match block", filename, linenum, arg);
699 } else { /* this is a directive we have already processed */
707 /* Portable-specific options */
709 intptr = &options->use_pam;
712 /* Standard Options */
716 /* ignore ports from configfile if cmdline specifies ports */
717 if (options->ports_from_cmdline)
719 if (options->listen_addrs != NULL)
720 fatal("%s line %d: ports must be specified before "
721 "ListenAddress.", filename, linenum);
722 if (options->num_ports >= MAX_PORTS)
723 fatal("%s line %d: too many ports.",
726 if (!arg || *arg == '\0')
727 fatal("%s line %d: missing port number.",
729 options->ports[options->num_ports++] = a2port(arg);
730 if (options->ports[options->num_ports-1] <= 0)
731 fatal("%s line %d: Badly formatted port number.",
736 intptr = &options->server_key_bits;
739 if (!arg || *arg == '\0')
740 fatal("%s line %d: missing integer value.",
743 if (*activep && *intptr == -1)
747 case sLoginGraceTime:
748 intptr = &options->login_grace_time;
751 if (!arg || *arg == '\0')
752 fatal("%s line %d: missing time value.",
754 if ((value = convtime(arg)) == -1)
755 fatal("%s line %d: invalid time value.",
761 case sKeyRegenerationTime:
762 intptr = &options->key_regeneration_time;
767 if (arg == NULL || *arg == '\0')
768 fatal("%s line %d: missing address",
770 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
771 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
772 && strchr(p+1, ':') != NULL) {
773 add_listen_addr(options, arg, 0);
778 fatal("%s line %d: bad address:port usage",
780 p = cleanhostname(p);
783 else if ((port = a2port(arg)) <= 0)
784 fatal("%s line %d: bad port number", filename, linenum);
786 add_listen_addr(options, p, port);
792 if (!arg || *arg == '\0')
793 fatal("%s line %d: missing address family.",
795 intptr = &options->address_family;
796 if (options->listen_addrs != NULL)
797 fatal("%s line %d: address family must be specified before "
798 "ListenAddress.", filename, linenum);
799 if (strcasecmp(arg, "inet") == 0)
801 else if (strcasecmp(arg, "inet6") == 0)
803 else if (strcasecmp(arg, "any") == 0)
806 fatal("%s line %d: unsupported address family \"%s\".",
807 filename, linenum, arg);
813 intptr = &options->num_host_key_files;
814 if (*intptr >= MAX_HOSTKEYS)
815 fatal("%s line %d: too many host keys specified (max %d).",
816 filename, linenum, MAX_HOSTKEYS);
817 charptr = &options->host_key_files[*intptr];
820 if (!arg || *arg == '\0')
821 fatal("%s line %d: missing file name.",
823 if (*activep && *charptr == NULL) {
824 *charptr = derelativise_path(arg);
825 /* increase optional counter */
827 *intptr = *intptr + 1;
831 case sHostCertificate:
832 intptr = &options->num_host_cert_files;
833 if (*intptr >= MAX_HOSTKEYS)
834 fatal("%s line %d: too many host certificates "
835 "specified (max %d).", filename, linenum,
837 charptr = &options->host_cert_files[*intptr];
842 charptr = &options->pid_file;
845 case sPermitRootLogin:
846 intptr = &options->permit_root_login;
848 if (!arg || *arg == '\0')
849 fatal("%s line %d: missing yes/"
850 "without-password/forced-commands-only/no "
851 "argument.", filename, linenum);
852 value = 0; /* silence compiler */
853 if (strcmp(arg, "without-password") == 0)
854 value = PERMIT_NO_PASSWD;
855 else if (strcmp(arg, "forced-commands-only") == 0)
856 value = PERMIT_FORCED_ONLY;
857 else if (strcmp(arg, "yes") == 0)
859 else if (strcmp(arg, "no") == 0)
862 fatal("%s line %d: Bad yes/"
863 "without-password/forced-commands-only/no "
864 "argument: %s", filename, linenum, arg);
865 if (*activep && *intptr == -1)
870 intptr = &options->ignore_rhosts;
873 if (!arg || *arg == '\0')
874 fatal("%s line %d: missing yes/no argument.",
876 value = 0; /* silence compiler */
877 if (strcmp(arg, "yes") == 0)
879 else if (strcmp(arg, "no") == 0)
882 fatal("%s line %d: Bad yes/no argument: %s",
883 filename, linenum, arg);
884 if (*activep && *intptr == -1)
888 case sIgnoreUserKnownHosts:
889 intptr = &options->ignore_user_known_hosts;
892 case sRhostsRSAAuthentication:
893 intptr = &options->rhosts_rsa_authentication;
896 case sHostbasedAuthentication:
897 intptr = &options->hostbased_authentication;
900 case sHostbasedUsesNameFromPacketOnly:
901 intptr = &options->hostbased_uses_name_from_packet_only;
904 case sRSAAuthentication:
905 intptr = &options->rsa_authentication;
908 case sPubkeyAuthentication:
909 intptr = &options->pubkey_authentication;
912 case sKerberosAuthentication:
913 intptr = &options->kerberos_authentication;
916 case sKerberosOrLocalPasswd:
917 intptr = &options->kerberos_or_local_passwd;
920 case sKerberosTicketCleanup:
921 intptr = &options->kerberos_ticket_cleanup;
924 case sKerberosGetAFSToken:
925 intptr = &options->kerberos_get_afs_token;
928 case sGssAuthentication:
929 intptr = &options->gss_authentication;
932 case sGssCleanupCreds:
933 intptr = &options->gss_cleanup_creds;
936 case sPasswordAuthentication:
937 intptr = &options->password_authentication;
940 case sZeroKnowledgePasswordAuthentication:
941 intptr = &options->zero_knowledge_password_authentication;
944 case sKbdInteractiveAuthentication:
945 intptr = &options->kbd_interactive_authentication;
948 case sChallengeResponseAuthentication:
949 intptr = &options->challenge_response_authentication;
953 intptr = &options->print_motd;
957 intptr = &options->print_lastlog;
961 intptr = &options->x11_forwarding;
964 case sX11DisplayOffset:
965 intptr = &options->x11_display_offset;
968 case sX11UseLocalhost:
969 intptr = &options->x11_use_localhost;
973 charptr = &options->xauth_location;
977 intptr = &options->strict_modes;
981 intptr = &options->tcp_keep_alive;
985 intptr = &options->permit_empty_passwd;
988 case sPermitUserEnvironment:
989 intptr = &options->permit_user_env;
993 intptr = &options->use_login;
997 intptr = &options->compression;
999 if (!arg || *arg == '\0')
1000 fatal("%s line %d: missing yes/no/delayed "
1001 "argument.", filename, linenum);
1002 value = 0; /* silence compiler */
1003 if (strcmp(arg, "delayed") == 0)
1004 value = COMP_DELAYED;
1005 else if (strcmp(arg, "yes") == 0)
1007 else if (strcmp(arg, "no") == 0)
1010 fatal("%s line %d: Bad yes/no/delayed "
1011 "argument: %s", filename, linenum, arg);
1017 intptr = &options->gateway_ports;
1018 arg = strdelim(&cp);
1019 if (!arg || *arg == '\0')
1020 fatal("%s line %d: missing yes/no/clientspecified "
1021 "argument.", filename, linenum);
1022 value = 0; /* silence compiler */
1023 if (strcmp(arg, "clientspecified") == 0)
1025 else if (strcmp(arg, "yes") == 0)
1027 else if (strcmp(arg, "no") == 0)
1030 fatal("%s line %d: Bad yes/no/clientspecified "
1031 "argument: %s", filename, linenum, arg);
1032 if (*activep && *intptr == -1)
1037 intptr = &options->use_dns;
1041 log_facility_ptr = &options->log_facility;
1042 arg = strdelim(&cp);
1043 value = log_facility_number(arg);
1044 if (value == SYSLOG_FACILITY_NOT_SET)
1045 fatal("%.200s line %d: unsupported log facility '%s'",
1046 filename, linenum, arg ? arg : "<NONE>");
1047 if (*log_facility_ptr == -1)
1048 *log_facility_ptr = (SyslogFacility) value;
1052 log_level_ptr = &options->log_level;
1053 arg = strdelim(&cp);
1054 value = log_level_number(arg);
1055 if (value == SYSLOG_LEVEL_NOT_SET)
1056 fatal("%.200s line %d: unsupported log level '%s'",
1057 filename, linenum, arg ? arg : "<NONE>");
1058 if (*log_level_ptr == -1)
1059 *log_level_ptr = (LogLevel) value;
1062 case sAllowTcpForwarding:
1063 intptr = &options->allow_tcp_forwarding;
1066 case sAllowAgentForwarding:
1067 intptr = &options->allow_agent_forwarding;
1070 case sUsePrivilegeSeparation:
1071 intptr = &use_privsep;
1075 while ((arg = strdelim(&cp)) && *arg != '\0') {
1076 if (options->num_allow_users >= MAX_ALLOW_USERS)
1077 fatal("%s line %d: too many allow users.",
1079 options->allow_users[options->num_allow_users++] =
1085 while ((arg = strdelim(&cp)) && *arg != '\0') {
1086 if (options->num_deny_users >= MAX_DENY_USERS)
1087 fatal("%s line %d: too many deny users.",
1089 options->deny_users[options->num_deny_users++] =
1095 while ((arg = strdelim(&cp)) && *arg != '\0') {
1096 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1097 fatal("%s line %d: too many allow groups.",
1099 options->allow_groups[options->num_allow_groups++] =
1105 while ((arg = strdelim(&cp)) && *arg != '\0') {
1106 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1107 fatal("%s line %d: too many deny groups.",
1109 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
1114 arg = strdelim(&cp);
1115 if (!arg || *arg == '\0')
1116 fatal("%s line %d: Missing argument.", filename, linenum);
1117 if (!ciphers_valid(arg))
1118 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1119 filename, linenum, arg ? arg : "<NONE>");
1120 if (options->ciphers == NULL)
1121 options->ciphers = xstrdup(arg);
1125 arg = strdelim(&cp);
1126 if (!arg || *arg == '\0')
1127 fatal("%s line %d: Missing argument.", filename, linenum);
1128 if (!mac_valid(arg))
1129 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1130 filename, linenum, arg ? arg : "<NONE>");
1131 if (options->macs == NULL)
1132 options->macs = xstrdup(arg);
1136 intptr = &options->protocol;
1137 arg = strdelim(&cp);
1138 if (!arg || *arg == '\0')
1139 fatal("%s line %d: Missing argument.", filename, linenum);
1140 value = proto_spec(arg);
1141 if (value == SSH_PROTO_UNKNOWN)
1142 fatal("%s line %d: Bad protocol spec '%s'.",
1143 filename, linenum, arg ? arg : "<NONE>");
1144 if (*intptr == SSH_PROTO_UNKNOWN)
1149 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1150 fatal("%s line %d: too many subsystems defined.",
1153 arg = strdelim(&cp);
1154 if (!arg || *arg == '\0')
1155 fatal("%s line %d: Missing subsystem name.",
1158 arg = strdelim(&cp);
1161 for (i = 0; i < options->num_subsystems; i++)
1162 if (strcmp(arg, options->subsystem_name[i]) == 0)
1163 fatal("%s line %d: Subsystem '%s' already defined.",
1164 filename, linenum, arg);
1165 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1166 arg = strdelim(&cp);
1167 if (!arg || *arg == '\0')
1168 fatal("%s line %d: Missing subsystem command.",
1170 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1172 /* Collect arguments (separate to executable) */
1174 len = strlen(p) + 1;
1175 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1176 len += 1 + strlen(arg);
1177 p = xrealloc(p, 1, len);
1178 strlcat(p, " ", len);
1179 strlcat(p, arg, len);
1181 options->subsystem_args[options->num_subsystems] = p;
1182 options->num_subsystems++;
1186 arg = strdelim(&cp);
1187 if (!arg || *arg == '\0')
1188 fatal("%s line %d: Missing MaxStartups spec.",
1190 if ((n = sscanf(arg, "%d:%d:%d",
1191 &options->max_startups_begin,
1192 &options->max_startups_rate,
1193 &options->max_startups)) == 3) {
1194 if (options->max_startups_begin >
1195 options->max_startups ||
1196 options->max_startups_rate > 100 ||
1197 options->max_startups_rate < 1)
1198 fatal("%s line %d: Illegal MaxStartups spec.",
1201 fatal("%s line %d: Illegal MaxStartups spec.",
1204 options->max_startups = options->max_startups_begin;
1208 intptr = &options->max_authtries;
1212 intptr = &options->max_sessions;
1216 charptr = &options->banner;
1217 goto parse_filename;
1220 * These options can contain %X options expanded at
1221 * connect time, so that you can specify paths like:
1223 * AuthorizedKeysFile /etc/ssh_keys/%u
1225 case sAuthorizedKeysFile:
1226 case sAuthorizedKeysFile2:
1227 charptr = (opcode == sAuthorizedKeysFile) ?
1228 &options->authorized_keys_file :
1229 &options->authorized_keys_file2;
1230 goto parse_filename;
1232 case sClientAliveInterval:
1233 intptr = &options->client_alive_interval;
1236 case sClientAliveCountMax:
1237 intptr = &options->client_alive_count_max;
1241 while ((arg = strdelim(&cp)) && *arg != '\0') {
1242 if (strchr(arg, '=') != NULL)
1243 fatal("%s line %d: Invalid environment name.",
1245 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1246 fatal("%s line %d: too many allow env.",
1250 options->accept_env[options->num_accept_env++] =
1256 intptr = &options->permit_tun;
1257 arg = strdelim(&cp);
1258 if (!arg || *arg == '\0')
1259 fatal("%s line %d: Missing yes/point-to-point/"
1260 "ethernet/no argument.", filename, linenum);
1262 for (i = 0; tunmode_desc[i].val != -1; i++)
1263 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1264 value = tunmode_desc[i].val;
1268 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1269 "no argument: %s", filename, linenum, arg);
1276 fatal("Match directive not supported as a command-line "
1278 value = match_cfg_line(&cp, linenum, user, host, address);
1280 fatal("%s line %d: Bad Match condition", filename,
1286 arg = strdelim(&cp);
1287 if (!arg || *arg == '\0')
1288 fatal("%s line %d: missing PermitOpen specification",
1290 n = options->num_permitted_opens; /* modified later */
1291 if (strcmp(arg, "any") == 0) {
1292 if (*activep && n == -1) {
1293 channel_clear_adm_permitted_opens();
1294 options->num_permitted_opens = 0;
1298 if (*activep && n == -1)
1299 channel_clear_adm_permitted_opens();
1300 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1303 fatal("%s line %d: missing host in PermitOpen",
1305 p = cleanhostname(p);
1306 if (arg == NULL || (port = a2port(arg)) <= 0)
1307 fatal("%s line %d: bad port number in "
1308 "PermitOpen", filename, linenum);
1309 if (*activep && n == -1)
1310 options->num_permitted_opens =
1311 channel_add_adm_permitted_opens(p, port);
1317 fatal("%.200s line %d: Missing argument.", filename,
1319 len = strspn(cp, WHITESPACE);
1320 if (*activep && options->adm_forced_command == NULL)
1321 options->adm_forced_command = xstrdup(cp + len);
1324 case sChrootDirectory:
1325 charptr = &options->chroot_directory;
1327 arg = strdelim(&cp);
1328 if (!arg || *arg == '\0')
1329 fatal("%s line %d: missing file name.",
1331 if (*activep && *charptr == NULL)
1332 *charptr = xstrdup(arg);
1335 case sTrustedUserCAKeys:
1336 charptr = &options->trusted_user_ca_keys;
1337 goto parse_filename;
1340 charptr = &options->revoked_keys_file;
1341 goto parse_filename;
1343 case sVersionAddendum:
1344 ssh_version_set_addendum(strtok(cp, "\n"));
1346 arg = strdelim(&cp);
1347 } while (arg != NULL && *arg != '\0');
1351 logit("%s line %d: Deprecated option %s",
1352 filename, linenum, arg);
1354 arg = strdelim(&cp);
1358 logit("%s line %d: Unsupported option %s",
1359 filename, linenum, arg);
1361 arg = strdelim(&cp);
1365 fatal("%s line %d: Missing handler for opcode %s (%d)",
1366 filename, linenum, arg, opcode);
1368 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1369 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1370 filename, linenum, arg);
1374 /* Reads the server configuration file. */
1377 load_server_config(const char *filename, Buffer *conf)
1379 char line[1024], *cp;
1382 debug2("%s: filename %s", __func__, filename);
1383 if ((f = fopen(filename, "r")) == NULL) {
1388 while (fgets(line, sizeof(line), f)) {
1390 * Trim out comments and strip whitespace
1391 * NB - preserve newlines, they are needed to reproduce
1392 * line numbers later for error messages
1394 if ((cp = strchr(line, '#')) != NULL)
1395 memcpy(cp, "\n", 2);
1396 cp = line + strspn(line, " \t\r");
1398 buffer_append(conf, cp, strlen(cp));
1400 buffer_append(conf, "\0", 1);
1402 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1406 parse_server_match_config(ServerOptions *options, const char *user,
1407 const char *host, const char *address)
1411 initialize_server_options(&mo);
1412 parse_server_config(&mo, "reprocess config", &cfg, user, host, address);
1413 copy_set_server_options(options, &mo, 0);
1417 #define M_CP_INTOPT(n) do {\
1421 #define M_CP_STROPT(n) do {\
1422 if (src->n != NULL) { \
1423 if (dst->n != NULL) \
1430 * Copy any supported values that are set.
1432 * If the preauth flag is set, we do not bother copying the string or
1433 * array values that are not used pre-authentication, because any that we
1434 * do use must be explictly sent in mm_getpwnamallow().
1437 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1439 M_CP_INTOPT(password_authentication);
1440 M_CP_INTOPT(gss_authentication);
1441 M_CP_INTOPT(rsa_authentication);
1442 M_CP_INTOPT(pubkey_authentication);
1443 M_CP_INTOPT(kerberos_authentication);
1444 M_CP_INTOPT(hostbased_authentication);
1445 M_CP_INTOPT(kbd_interactive_authentication);
1446 M_CP_INTOPT(zero_knowledge_password_authentication);
1447 M_CP_INTOPT(permit_root_login);
1448 M_CP_INTOPT(permit_empty_passwd);
1450 M_CP_INTOPT(allow_tcp_forwarding);
1451 M_CP_INTOPT(allow_agent_forwarding);
1452 M_CP_INTOPT(gateway_ports);
1453 M_CP_INTOPT(x11_display_offset);
1454 M_CP_INTOPT(x11_forwarding);
1455 M_CP_INTOPT(x11_use_localhost);
1456 M_CP_INTOPT(max_sessions);
1457 M_CP_INTOPT(max_authtries);
1459 M_CP_STROPT(banner);
1462 M_CP_STROPT(adm_forced_command);
1463 M_CP_STROPT(chroot_directory);
1464 M_CP_STROPT(trusted_user_ca_keys);
1465 M_CP_STROPT(revoked_keys_file);
1472 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1473 const char *user, const char *host, const char *address)
1475 int active, linenum, bad_options = 0;
1476 char *cp, *obuf, *cbuf;
1478 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1480 obuf = cbuf = xstrdup(buffer_ptr(conf));
1481 active = user ? 0 : 1;
1483 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1484 if (process_server_config_line(options, cp, filename,
1485 linenum++, &active, user, host, address) != 0)
1489 if (bad_options > 0)
1490 fatal("%s: terminating, %d bad configuration options",
1491 filename, bad_options);
1495 fmt_intarg(ServerOpCodes code, int val)
1497 if (code == sAddressFamily) {
1509 if (code == sPermitRootLogin) {
1511 case PERMIT_NO_PASSWD:
1512 return "without-password";
1513 case PERMIT_FORCED_ONLY:
1514 return "forced-commands-only";
1519 if (code == sProtocol) {
1525 case (SSH_PROTO_1|SSH_PROTO_2):
1531 if (code == sGatewayPorts && val == 2)
1532 return "clientspecified";
1533 if (code == sCompression && val == COMP_DELAYED)
1547 lookup_opcode_name(ServerOpCodes code)
1551 for (i = 0; keywords[i].name != NULL; i++)
1552 if (keywords[i].opcode == code)
1553 return(keywords[i].name);
1558 dump_cfg_int(ServerOpCodes code, int val)
1560 printf("%s %d\n", lookup_opcode_name(code), val);
1564 dump_cfg_fmtint(ServerOpCodes code, int val)
1566 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1570 dump_cfg_string(ServerOpCodes code, const char *val)
1574 printf("%s %s\n", lookup_opcode_name(code), val);
1578 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1582 for (i = 0; i < count; i++)
1583 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1587 dump_config(ServerOptions *o)
1591 struct addrinfo *ai;
1592 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
1594 /* these are usually at the top of the config */
1595 for (i = 0; i < o->num_ports; i++)
1596 printf("port %d\n", o->ports[i]);
1597 dump_cfg_fmtint(sProtocol, o->protocol);
1598 dump_cfg_fmtint(sAddressFamily, o->address_family);
1600 /* ListenAddress must be after Port */
1601 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
1602 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
1603 sizeof(addr), port, sizeof(port),
1604 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
1605 error("getnameinfo failed: %.100s",
1606 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
1609 if (ai->ai_family == AF_INET6)
1610 printf("listenaddress [%s]:%s\n", addr, port);
1612 printf("listenaddress %s:%s\n", addr, port);
1616 /* integer arguments */
1618 dump_cfg_int(sUsePAM, o->use_pam);
1620 dump_cfg_int(sServerKeyBits, o->server_key_bits);
1621 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
1622 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
1623 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
1624 dump_cfg_int(sMaxAuthTries, o->max_authtries);
1625 dump_cfg_int(sMaxSessions, o->max_sessions);
1626 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
1627 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
1629 /* formatted integer arguments */
1630 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
1631 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
1632 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
1633 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
1634 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
1635 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
1636 o->hostbased_uses_name_from_packet_only);
1637 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
1638 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
1640 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
1641 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
1642 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
1644 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
1648 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
1649 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
1652 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
1653 o->zero_knowledge_password_authentication);
1655 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
1656 dump_cfg_fmtint(sKbdInteractiveAuthentication,
1657 o->kbd_interactive_authentication);
1658 dump_cfg_fmtint(sChallengeResponseAuthentication,
1659 o->challenge_response_authentication);
1660 dump_cfg_fmtint(sPrintMotd, o->print_motd);
1661 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
1662 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
1663 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
1664 dump_cfg_fmtint(sStrictModes, o->strict_modes);
1665 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
1666 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
1667 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
1668 dump_cfg_fmtint(sUseLogin, o->use_login);
1669 dump_cfg_fmtint(sCompression, o->compression);
1670 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
1671 dump_cfg_fmtint(sUseDNS, o->use_dns);
1672 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
1673 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
1675 /* string arguments */
1676 dump_cfg_string(sPidFile, o->pid_file);
1677 dump_cfg_string(sXAuthLocation, o->xauth_location);
1678 dump_cfg_string(sCiphers, o->ciphers);
1679 dump_cfg_string(sMacs, o->macs);
1680 dump_cfg_string(sBanner, o->banner);
1681 dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
1682 dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
1683 dump_cfg_string(sForceCommand, o->adm_forced_command);
1684 dump_cfg_string(sChrootDirectory, o->chroot_directory);
1685 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
1686 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
1688 /* string arguments requiring a lookup */
1689 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
1690 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
1692 /* string array arguments */
1693 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
1695 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
1696 o->host_cert_files);
1697 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
1698 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
1699 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
1700 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
1701 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
1703 /* other arguments */
1704 for (i = 0; i < o->num_subsystems; i++)
1705 printf("subsystem %s %s\n", o->subsystem_name[i],
1706 o->subsystem_args[i]);
1708 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
1709 o->max_startups_rate, o->max_startups);
1711 for (i = 0; tunmode_desc[i].val != -1; i++)
1712 if (tunmode_desc[i].val == o->permit_tun) {
1713 s = tunmode_desc[i].text;
1716 dump_cfg_string(sPermitTunnel, s);
1718 channel_print_adm_permitted_opens();
projects / FreeBSD / stable / 8.git / blob