2 /* $OpenBSD: servconf.c,v 1.285 2016/02/17 05:29:04 djm Exp $ */
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
18 #include <sys/socket.h>
20 #include <netinet/in.h>
21 #include <netinet/in_systm.h>
22 #include <netinet/ip.h>
40 #include "openbsd-compat/sys-queue.h"
48 #include "pathnames.h"
55 #include "groupaccess.h"
60 #include "myproposal.h"
/*
 * Forward declarations for the listen-address helpers defined later in this
 * file; fill_default_server_options() and process_queued_listen_addrs() call
 * them before their definitions appear.
 */
64 static void add_listen_addr(ServerOptions *, char *, int);
65 static void add_one_listen_addr(ServerOptions *, char *, int);
67 /* Use of privilege separation or not */
/* Defined elsewhere; -1 means "not configured" (see fill_default_server_options()). */
68 extern int use_privsep;
71 /* Initializes the server options to their default values. */
/*
 * Every field is set to an explicit "unset" sentinel rather than to a real
 * default: -1 for integer options, NULL for strings and lists, 0 for counters
 * and the *_NOT_SET enumerators where one exists.  fill_default_server_options()
 * later replaces each sentinel the config file left untouched, so the values
 * chosen here must match the comparisons made there.  The return type line and
 * the closing brace of this function are not shown on this page.
 */
74 initialize_server_options(ServerOptions *options)
/* Zero the whole struct first so any member not listed below is 0/NULL. */
76 memset(options, 0, sizeof(*options));
78 /* Portable-specific options */
79 options->use_pam = -1;
81 /* Standard Options */
82 options->num_ports = 0;
83 options->ports_from_cmdline = 0;
84 options->queued_listen_addrs = NULL;
85 options->num_queued_listens = 0;
86 options->listen_addrs = NULL;
87 options->address_family = -1;
88 options->num_host_key_files = 0;
89 options->num_host_cert_files = 0;
90 options->host_key_agent = NULL;
91 options->pid_file = NULL;
92 options->server_key_bits = -1;
93 options->login_grace_time = -1;
94 options->key_regeneration_time = -1;
/* Enum-valued option: uses its own NOT_SET marker instead of -1. */
95 options->permit_root_login = PERMIT_NOT_SET;
96 options->ignore_rhosts = -1;
97 options->ignore_user_known_hosts = -1;
98 options->print_motd = -1;
99 options->print_lastlog = -1;
100 options->x11_forwarding = -1;
101 options->x11_display_offset = -1;
102 options->x11_use_localhost = -1;
103 options->permit_tty = -1;
104 options->permit_user_rc = -1;
105 options->xauth_location = NULL;
106 options->strict_modes = -1;
107 options->tcp_keep_alive = -1;
/* Logging options likewise carry dedicated NOT_SET enumerators. */
108 options->log_facility = SYSLOG_FACILITY_NOT_SET;
109 options->log_level = SYSLOG_LEVEL_NOT_SET;
110 options->rhosts_rsa_authentication = -1;
111 options->hostbased_authentication = -1;
112 options->hostbased_uses_name_from_packet_only = -1;
113 options->hostbased_key_types = NULL;
114 options->hostkeyalgorithms = NULL;
115 options->rsa_authentication = -1;
116 options->pubkey_authentication = -1;
117 options->pubkey_key_types = NULL;
118 options->kerberos_authentication = -1;
119 options->kerberos_or_local_passwd = -1;
120 options->kerberos_ticket_cleanup = -1;
121 options->kerberos_get_afs_token = -1;
122 options->gss_authentication=-1;
123 options->gss_cleanup_creds = -1;
124 options->gss_strict_acceptor = -1;
125 options->password_authentication = -1;
126 options->kbd_interactive_authentication = -1;
127 options->challenge_response_authentication = -1;
128 options->permit_empty_passwd = -1;
129 options->permit_user_env = -1;
130 options->use_login = -1;
131 options->compression = -1;
132 options->rekey_limit = -1;
133 options->rekey_interval = -1;
134 options->allow_tcp_forwarding = -1;
135 options->allow_streamlocal_forwarding = -1;
136 options->allow_agent_forwarding = -1;
137 options->num_allow_users = 0;
138 options->num_deny_users = 0;
139 options->num_allow_groups = 0;
140 options->num_deny_groups = 0;
/* NULL here means "use the compiled-in list"; see assemble_algorithms(). */
141 options->ciphers = NULL;
142 options->macs = NULL;
143 options->kex_algorithms = NULL;
144 options->protocol = SSH_PROTO_UNKNOWN;
145 options->fwd_opts.gateway_ports = -1;
/* mode_t is unsigned, so the sentinel is the explicit cast (mode_t)-1;
 * fill_default_server_options() compares against the same expression. */
146 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
147 options->fwd_opts.streamlocal_bind_unlink = -1;
148 options->num_subsystems = 0;
149 options->max_startups_begin = -1;
150 options->max_startups_rate = -1;
151 options->max_startups = -1;
152 options->max_authtries = -1;
153 options->max_sessions = -1;
154 options->banner = NULL;
155 options->use_dns = -1;
156 options->client_alive_interval = -1;
157 options->client_alive_count_max = -1;
158 options->num_authkeys_files = 0;
159 options->num_accept_env = 0;
160 options->permit_tun = -1;
161 options->num_permitted_opens = -1;
162 options->adm_forced_command = NULL;
163 options->chroot_directory = NULL;
164 options->authorized_keys_command = NULL;
165 options->authorized_keys_command_user = NULL;
166 options->revoked_keys_file = NULL;
167 options->trusted_user_ca_keys = NULL;
168 options->authorized_principals_file = NULL;
169 options->authorized_principals_command = NULL;
170 options->authorized_principals_command_user = NULL;
171 options->ip_qos_interactive = -1;
172 options->ip_qos_bulk = -1;
173 options->version_addendum = NULL;
174 options->fingerprint_hash = -1;
/* Not an upstream OpenBSD option; presumably a downstream (FreeBSD) addition,
 * this file also references SSH_VERSION_FREEBSD -- verify. */
175 options->use_blacklist = -1;
178 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
/* The comparison is case-insensitive, so "None" and "NONE" also count as unset. */
180 option_clear_or_none(const char *o)
182 return o == NULL || strcasecmp(o, "none") == 0;
/*
 * Resolve the cipher, MAC, KEX and accepted-key-type option strings in place
 * through kex_assemble_names(), each against the corresponding compiled-in
 * default list.  A failure in any of the six expansions is fatal rather than
 * ignored, so a bad algorithm list in sshd_config stops the daemon instead of
 * silently leaving a default in effect.  Return type and closing brace are on
 * lines not shown here.
 */
186 assemble_algorithms(ServerOptions *o)
188 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
189 kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
190 kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
191 kex_assemble_names(KEX_DEFAULT_PK_ALG,
192 &o->hostkeyalgorithms) != 0 ||
193 kex_assemble_names(KEX_DEFAULT_PK_ALG,
194 &o->hostbased_key_types) != 0 ||
195 kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
196 fatal("kex_assemble_names failed");
/*
 * Replace every "unset" sentinel left by initialize_server_options() and not
 * overridden by sshd_config with its compiled-in default.  The comparisons
 * below are the single definition of what "unset" means, so they must agree
 * with the sentinels written in initialize_server_options().  Declarations
 * (including the loop index i), several #ifdef/#endif lines, the body of
 * CLEAR_ON_NONE and the closing brace are on lines not shown on this page.
 */
200 fill_default_server_options(ServerOptions *options)
204 /* Portable-specific options */
205 if (options->use_pam == -1)
206 options->use_pam = 1;
208 /* Standard Options */
/* Protocol 2 only, unless the config explicitly asked for something else. */
209 if (options->protocol == SSH_PROTO_UNKNOWN)
210 options->protocol = SSH_PROTO_2;
/*
 * NOTE(review): access(2) takes F_OK/R_OK/W_OK/X_OK, but this macro passes
 * the open(2) flag O_RDONLY, whose value is 0 -- the same as F_OK -- on
 * common platforms.  As written it therefore only tests that the default
 * key file exists, not that sshd can read it; an unreadable key would still
 * be added to host_key_files here and only fail when loaded later.  Confirm
 * against the platform headers before changing it.
 */
211 #define add_host_key_file(path) \
213 if (access((path), O_RDONLY) == 0) \
214 options->host_key_files \
215 [options->num_host_key_files++] = (path); \
217 if (options->num_host_key_files == 0) {
218 /* fill default hostkeys for protocols */
219 if (options->protocol & SSH_PROTO_1)
220 add_host_key_file(_PATH_HOST_KEY_FILE);
221 if (options->protocol & SSH_PROTO_2) {
222 add_host_key_file(_PATH_HOST_RSA_KEY_FILE);
223 add_host_key_file(_PATH_HOST_DSA_KEY_FILE);
224 #ifdef OPENSSL_HAS_ECC
225 add_host_key_file(_PATH_HOST_ECDSA_KEY_FILE);
227 add_host_key_file(_PATH_HOST_ED25519_KEY_FILE);
230 #undef add_host_key_file
/* A server with no host key at all cannot run; stop here instead of later. */
231 if (options->num_host_key_files == 0)
232 fatal("No host key files found");
233 /* No certificates by default */
/* Listen on the standard port, any address family, on every configured port
 * (addr == NULL, port == 0 -- see add_listen_addr()/add_one_listen_addr()). */
234 if (options->num_ports == 0)
235 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
236 if (options->address_family == -1)
237 options->address_family = AF_UNSPEC;
238 if (options->listen_addrs == NULL)
239 add_listen_addr(options, NULL, 0);
240 if (options->pid_file == NULL)
241 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
/* server_key_bits / key_regeneration_time presumably only matter for the
 * protocol 1 server key -- not verifiable from this page. */
242 if (options->server_key_bits == -1)
243 options->server_key_bits = 1024;
244 if (options->login_grace_time == -1)
245 options->login_grace_time = 120;
246 if (options->key_regeneration_time == -1)
247 options->key_regeneration_time = 3600;
/* Root login is denied unless the config says otherwise. */
248 if (options->permit_root_login == PERMIT_NOT_SET)
249 options->permit_root_login = PERMIT_NO;
250 if (options->ignore_rhosts == -1)
251 options->ignore_rhosts = 1;
252 if (options->ignore_user_known_hosts == -1)
253 options->ignore_user_known_hosts = 0;
254 if (options->print_motd == -1)
255 options->print_motd = 1;
256 if (options->print_lastlog == -1)
257 options->print_lastlog = 1;
258 if (options->x11_forwarding == -1)
259 options->x11_forwarding = 1;
260 if (options->x11_display_offset == -1)
261 options->x11_display_offset = 10;
262 if (options->x11_use_localhost == -1)
263 options->x11_use_localhost = 1;
264 if (options->xauth_location == NULL)
265 options->xauth_location = xstrdup(_PATH_XAUTH);
266 if (options->permit_tty == -1)
267 options->permit_tty = 1;
268 if (options->permit_user_rc == -1)
269 options->permit_user_rc = 1;
270 if (options->strict_modes == -1)
271 options->strict_modes = 1;
272 if (options->tcp_keep_alive == -1)
273 options->tcp_keep_alive = 1;
274 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
275 options->log_facility = SYSLOG_FACILITY_AUTH;
276 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
277 options->log_level = SYSLOG_LEVEL_INFO;
278 if (options->rhosts_rsa_authentication == -1)
279 options->rhosts_rsa_authentication = 0;
280 if (options->hostbased_authentication == -1)
281 options->hostbased_authentication = 0;
282 if (options->hostbased_uses_name_from_packet_only == -1)
283 options->hostbased_uses_name_from_packet_only = 0;
284 if (options->rsa_authentication == -1)
285 options->rsa_authentication = 1;
286 if (options->pubkey_authentication == -1)
287 options->pubkey_authentication = 1;
288 if (options->kerberos_authentication == -1)
289 options->kerberos_authentication = 0;
290 if (options->kerberos_or_local_passwd == -1)
291 options->kerberos_or_local_passwd = 1;
292 if (options->kerberos_ticket_cleanup == -1)
293 options->kerberos_ticket_cleanup = 1;
294 if (options->kerberos_get_afs_token == -1)
295 options->kerberos_get_afs_token = 0;
296 if (options->gss_authentication == -1)
297 options->gss_authentication = 0;
298 if (options->gss_cleanup_creds == -1)
299 options->gss_cleanup_creds = 1;
300 if (options->gss_strict_acceptor == -1)
301 options->gss_strict_acceptor = 0;
/* In this tree plain password authentication is off by default; keyboard-
 * interactive is off and challenge/response on. */
302 if (options->password_authentication == -1)
303 options->password_authentication = 0;
304 if (options->kbd_interactive_authentication == -1)
305 options->kbd_interactive_authentication = 0;
306 if (options->challenge_response_authentication == -1)
307 options->challenge_response_authentication = 1;
308 if (options->permit_empty_passwd == -1)
309 options->permit_empty_passwd = 0;
310 if (options->permit_user_env == -1)
311 options->permit_user_env = 0;
312 if (options->use_login == -1)
313 options->use_login = 0;
/* Compression only after authentication by default (COMP_DELAYED). */
314 if (options->compression == -1)
315 options->compression = COMP_DELAYED;
316 if (options->rekey_limit == -1)
317 options->rekey_limit = 0;
318 if (options->rekey_interval == -1)
319 options->rekey_interval = 0;
320 if (options->allow_tcp_forwarding == -1)
321 options->allow_tcp_forwarding = FORWARD_ALLOW;
322 if (options->allow_streamlocal_forwarding == -1)
323 options->allow_streamlocal_forwarding = FORWARD_ALLOW;
324 if (options->allow_agent_forwarding == -1)
325 options->allow_agent_forwarding = 1;
326 if (options->fwd_opts.gateway_ports == -1)
327 options->fwd_opts.gateway_ports = 0;
/* MaxStartups default is the triple 10:30:100 (begin:rate:full). */
328 if (options->max_startups == -1)
329 options->max_startups = 100;
330 if (options->max_startups_rate == -1)
331 options->max_startups_rate = 30; /* 30% */
332 if (options->max_startups_begin == -1)
333 options->max_startups_begin = 10;
334 if (options->max_authtries == -1)
335 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
336 if (options->max_sessions == -1)
337 options->max_sessions = DEFAULT_SESSIONS_MAX;
338 if (options->use_dns == -1)
339 options->use_dns = 1;
340 if (options->client_alive_interval == -1)
341 options->client_alive_interval = 0;
342 if (options->client_alive_count_max == -1)
343 options->client_alive_count_max = 3;
/* Two default AuthorizedKeysFile entries, both heap copies owned by options. */
344 if (options->num_authkeys_files == 0) {
345 options->authorized_keys_files[options->num_authkeys_files++] =
346 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
347 options->authorized_keys_files[options->num_authkeys_files++] =
348 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
350 if (options->permit_tun == -1)
351 options->permit_tun = SSH_TUNMODE_NO;
352 if (options->ip_qos_interactive == -1)
353 options->ip_qos_interactive = IPTOS_LOWDELAY;
354 if (options->ip_qos_bulk == -1)
355 options->ip_qos_bulk = IPTOS_THROUGHPUT;
/* Downstream version string; presumably appended to the protocol banner the
 * server sends to every client before authentication -- confirm. */
356 if (options->version_addendum == NULL)
357 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
/* 0177: presumably applied like a umask to forwarded Unix-domain sockets,
 * leaving only the owner's rw bits -- confirm in the forwarding code. */
358 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
359 options->fwd_opts.streamlocal_bind_mask = 0177;
360 if (options->fwd_opts.streamlocal_bind_unlink == -1)
361 options->fwd_opts.streamlocal_bind_unlink = 0;
362 if (options->fingerprint_hash == -1)
363 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
364 if (options->use_blacklist == -1)
365 options->use_blacklist = 0;
/* Expand algorithm lists only after every list option has its final value. */
367 assemble_algorithms(options);
369 /* Turn privilege separation and sandboxing on by default */
370 if (use_privsep == -1)
371 use_privsep = PRIVSEP_ON;
/*
 * Treat "none" as "unset" for the string options below.  The macro body is
 * on lines not shown on this page; presumably it frees the string and
 * resets the pointer to NULL -- confirm before relying on that.
 */
373 #define CLEAR_ON_NONE(v) \
375 if (option_clear_or_none(v)) { \
380 CLEAR_ON_NONE(options->pid_file);
381 CLEAR_ON_NONE(options->xauth_location);
382 CLEAR_ON_NONE(options->banner);
383 CLEAR_ON_NONE(options->trusted_user_ca_keys);
384 CLEAR_ON_NONE(options->revoked_keys_file);
385 CLEAR_ON_NONE(options->authorized_principals_file);
386 CLEAR_ON_NONE(options->adm_forced_command);
387 CLEAR_ON_NONE(options->chroot_directory);
388 for (i = 0; i < options->num_host_key_files; i++)
389 CLEAR_ON_NONE(options->host_key_files[i]);
390 for (i = 0; i < options->num_host_cert_files; i++)
391 CLEAR_ON_NONE(options->host_cert_files[i]);
/* Presumably inside a platform #ifdef (lines not shown): where privsep and
 * compression cannot coexist, privsep wins and compression is forced off. */
395 if (use_privsep && options->compression == 1) {
396 error("This platform does not support both privilege "
397 "separation and compression");
398 error("Compression disabled");
399 options->compression = 0;
405 /* Keyword tokens. */
/*
 * One enumerator per recognised sshd_config keyword (the typedef enum header
 * and the closing "} ServerOpCodes;" are on lines not shown here).  The
 * keywords[] table below maps the textual directive to one of these, and
 * parse_token() returns sBadOption for anything it does not find.  sDeprecated
 * and sUnsupported are shared by every keyword that is accepted only to be
 * warned about or rejected.
 */
407 sBadOption, /* == unknown option */
408 /* Portable-specific options */
410 /* Standard Options */
411 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
412 sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
413 sRhostsRSAAuthentication, sRSAAuthentication,
414 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
415 sKerberosGetAFSToken,
416 sKerberosTgtPassing, sChallengeResponseAuthentication,
417 sPasswordAuthentication, sKbdInteractiveAuthentication,
418 sListenAddress, sAddressFamily,
419 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
420 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
421 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
422 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
423 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
424 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
425 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
426 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
427 sBanner, sUseDNS, sHostbasedAuthentication,
428 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
430 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
431 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
432 sAcceptEnv, sPermitTunnel,
433 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
434 sUsePrivilegeSeparation, sAllowAgentForwarding,
436 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
437 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
438 sKexAlgorithms, sIPQoS, sVersionAddendum,
439 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
440 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
441 sStreamLocalBindMask, sStreamLocalBindUnlink,
442 sAllowStreamLocalForwarding, sFingerprintHash,
444 sDeprecated, sUnsupported
/*
 * Placement flags for each directive.  process_server_config_line() refuses a
 * directive without SSHCFG_MATCH inside a Match block, so the flags column of
 * keywords[] is what decides which settings a Match block may override.
 */
447 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
448 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
449 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
451 /* Textual representation of the tokens. */
/*
 * keywords[]: { name, opcode, flags }, terminated by the { NULL, sBadOption, 0 }
 * sentinel that parse_token()'s loop stops on.  Names are matched with
 * strcasecmp(), so they are stored in lower case.  A keyword that appears more
 * than once (usepam, kerberos*, gssapi*, printlastlog) has alternative entries
 * selected by build-time #if/#else lines, most of which are not shown on this
 * page; only the DISABLE_LASTLOG one is visible.  The struct header and the
 * closing "};" are likewise on lines not shown here.
 */
454 ServerOpCodes opcode;
457 /* Portable-specific options */
459 { "usepam", sUsePAM, SSHCFG_GLOBAL },
461 { "usepam", sUnsupported, SSHCFG_GLOBAL },
463 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
464 /* Standard Options */
465 { "port", sPort, SSHCFG_GLOBAL },
466 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
467 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
468 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
469 { "pidfile", sPidFile, SSHCFG_GLOBAL },
470 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
471 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
472 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
473 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
474 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
475 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
476 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
477 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
478 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
479 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
480 { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
481 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
482 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
483 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
484 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
485 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
487 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
488 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
489 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
491 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
493 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
496 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
497 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
498 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
499 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
501 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
502 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
504 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
505 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
506 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
508 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
509 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
510 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
512 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
513 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
514 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
515 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
516 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
517 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
518 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
519 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
520 #ifdef DISABLE_LASTLOG
521 { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
523 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
525 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
526 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
527 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
528 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
529 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
530 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
531 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
532 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
533 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
534 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
535 { "compression", sCompression, SSHCFG_GLOBAL },
536 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
537 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
538 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
539 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
540 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
541 { "allowusers", sAllowUsers, SSHCFG_ALL },
542 { "denyusers", sDenyUsers, SSHCFG_ALL },
543 { "allowgroups", sAllowGroups, SSHCFG_ALL },
544 { "denygroups", sDenyGroups, SSHCFG_ALL },
/* Algorithm lists are global only: they are negotiated before any Match
 * criteria (user, host, address) can be evaluated. */
545 { "ciphers", sCiphers, SSHCFG_GLOBAL },
546 { "macs", sMacs, SSHCFG_GLOBAL },
547 { "protocol", sProtocol, SSHCFG_GLOBAL },
548 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
549 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
550 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
551 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
552 { "maxsessions", sMaxSessions, SSHCFG_ALL },
553 { "banner", sBanner, SSHCFG_ALL },
554 { "usedns", sUseDNS, SSHCFG_GLOBAL },
555 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
556 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
557 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
558 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
559 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
560 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
561 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
562 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
563 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
564 { "permittty", sPermitTTY, SSHCFG_ALL },
565 { "permituserrc", sPermitUserRC, SSHCFG_ALL },
566 { "match", sMatch, SSHCFG_ALL },
567 { "permitopen", sPermitOpen, SSHCFG_ALL },
568 { "forcecommand", sForceCommand, SSHCFG_ALL },
569 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
570 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
571 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
572 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
573 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
574 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
575 { "ipqos", sIPQoS, SSHCFG_ALL },
576 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
577 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
578 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
579 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
580 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
581 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
582 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
583 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
584 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
585 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
586 { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
/* HPN-SSH-era keywords: "noneenabled" (presumably the HPN null-cipher switch)
 * is rejected as unsupported; the remaining HPN tuning knobs are accepted as
 * deprecated so old configs still parse. */
587 { "noneenabled", sUnsupported, SSHCFG_ALL },
588 { "hpndisabled", sDeprecated, SSHCFG_ALL },
589 { "hpnbuffersize", sDeprecated, SSHCFG_ALL },
590 { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
/* Sentinel: parse_token() stops at the NULL name. */
591 { NULL, sBadOption, 0 }
/*
 * Value/name pairs for the PermitTunnel directive.  The array header and the
 * terminating entry are on lines not shown on this page; the names match the
 * tunnel modes the SSH_TUNMODE_* constants stand for.
 */
598 { SSH_TUNMODE_NO, "no" },
599 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
600 { SSH_TUNMODE_ETHERNET, "ethernet" },
601 { SSH_TUNMODE_YES, "yes" },
606 * Returns the number of the token pointed to by cp or sBadOption.
/*
 * Linear, case-insensitive scan of keywords[]; on a hit the directive's
 * placement flags are stored through *flags and its opcode returned.  The
 * declaration of i, the comment delimiters and the "return sBadOption" after
 * the error() are on lines not shown here.  filename/linenum are only used to
 * locate the error message.
 */
610 parse_token(const char *cp, const char *filename,
611 int linenum, u_int *flags)
615 for (i = 0; keywords[i].name; i++)
616 if (strcasecmp(cp, keywords[i].name) == 0) {
617 *flags = keywords[i].flags;
618 return keywords[i].opcode;
/* Unknown keyword: logged as an error, not fatal, so the caller decides. */
621 error("%s: line %d: Bad configuration option: %s",
622 filename, linenum, cp);
/*
 * Turn a configured path into an absolute one and return it as a newly
 * allocated string: "none" is passed through unchanged, "~" is expanded for
 * the current uid, an already-absolute result is returned as is (that return
 * is on a line not shown here), and anything else is prefixed with the current
 * working directory -- presumably so that a later chdir() cannot change which
 * file the option names.  NOTE(review): whether `expanded` is freed on the
 * relative-path branch is on lines not shown on this page -- confirm.
 */
627 derelativise_path(const char *path)
629 char *expanded, *ret, cwd[PATH_MAX];
631 if (strcasecmp(path, "none") == 0)
632 return xstrdup("none");
633 expanded = tilde_expand_filename(path, getuid());
/* Absolute already: nothing to anchor (return on a line not shown). */
634 if (*expanded == '/')
/* getcwd() failure is fatal: a half-qualified path is worse than no path. */
636 if (getcwd(cwd, sizeof(cwd)) == NULL)
637 fatal("%s: getcwd: %s", __func__, strerror(errno));
638 xasprintf(&ret, "%s/%s", cwd, expanded);
/*
 * Register addr for listening.  From the visible lines: one branch adds addr
 * on every port already in options->ports, the other adds it on the single
 * given port; the condition selecting between them (presumably port == 0, the
 * value fill_default_server_options() passes) is on a line not shown here.
 * addr == NULL is forwarded to add_one_listen_addr(), where it means "any".
 */
644 add_listen_addr(ServerOptions *options, char *addr, int port)
649 for (i = 0; i < options->num_ports; i++)
650 add_one_listen_addr(options, addr, options->ports[i]);
652 add_one_listen_addr(options, addr, port);
/*
 * Resolve addr:port with getaddrinfo() and push every resulting addrinfo onto
 * the front of options->listen_addrs.  A NULL addr sets AI_PASSIVE, i.e. the
 * wildcard address for the configured family.  Resolution failure is fatal:
 * an unresolvable ListenAddress stops the daemon rather than silently
 * narrowing where it listens.  The declaration of gaierr and the lone ';'
 * body of the walk loop are on lines not shown on this page.
 */
656 add_one_listen_addr(ServerOptions *options, char *addr, int port)
658 struct addrinfo hints, *ai, *aitop;
659 char strport[NI_MAXSERV];
662 memset(&hints, 0, sizeof(hints));
/* AddressFamily (AF_UNSPEC by default) restricts the lookup. */
663 hints.ai_family = options->address_family;
664 hints.ai_socktype = SOCK_STREAM;
665 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
/* getaddrinfo() wants the service as text; NI_MAXSERV bounds the buffer. */
666 snprintf(strport, sizeof strport, "%d", port);
667 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
668 fatal("bad addr or host: %s (%s)",
669 addr ? addr : "<NULL>",
670 ssh_gai_strerror(gaierr));
/* Walk to the last entry (empty body), then splice the existing list after
 * it so the new results come first.  The addrinfo list is kept, not freed. */
671 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
673 ai->ai_next = options->listen_addrs;
674 options->listen_addrs = aitop;
678 * Queue a ListenAddress to be processed once we have all of the Ports
679 * and AddressFamily options.
/*
 * Grow both parallel arrays by one (the element-size arguments to
 * xreallocarray() and the copy of addr stored at index num_queued_listens are
 * on lines not shown here), then record the pair.  Ordering matters: resolving
 * now would use whatever Port/AddressFamily values happened to precede this
 * line in the config, so resolution is deferred to process_queued_listen_addrs().
 */
682 queue_listen_addr(ServerOptions *options, char *addr, int port)
684 options->queued_listen_addrs = xreallocarray(
685 options->queued_listen_addrs, options->num_queued_listens + 1,
687 options->queued_listen_ports = xreallocarray(
688 options->queued_listen_ports, options->num_queued_listens + 1,
690 options->queued_listen_addrs[options->num_queued_listens] =
692 options->queued_listen_ports[options->num_queued_listens] = port;
693 options->num_queued_listens++;
697 * Process queued (text) ListenAddress entries.
/*
 * Called once the whole config has been read.  Fills in the default port and
 * address family first, because add_listen_addr()/add_one_listen_addr() read
 * both, then resolves each queued entry and releases the queue.  Each freed
 * pointer is reset to NULL so a repeated call is harmless.  The declaration of
 * i and the closing braces are on lines not shown here.
 */
700 process_queued_listen_addrs(ServerOptions *options)
704 if (options->num_ports == 0)
705 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
706 if (options->address_family == -1)
707 options->address_family = AF_UNSPEC;
709 for (i = 0; i < options->num_queued_listens; i++) {
710 add_listen_addr(options, options->queued_listen_addrs[i],
711 options->queued_listen_ports[i]);
712 free(options->queued_listen_addrs[i]);
713 options->queued_listen_addrs[i] = NULL;
715 free(options->queued_listen_addrs);
716 options->queued_listen_addrs = NULL;
717 free(options->queued_listen_ports);
718 options->queued_listen_ports = NULL;
719 options->num_queued_listens = 0;
/*
 * Return a pointer to a single function-static connection_info.  Because the
 * storage is static, every caller shares the same record (a later populating
 * call overwrites what an earlier caller still holds) and the function is not
 * reentrant.  How `populate` gates the assignments is on lines not shown on
 * this page.  use_dns is passed straight through to get_canonical_hostname(),
 * which presumably decides whether ci.host is looked up via DNS -- confirm;
 * that name is what Match Host compares against.
 */
722 struct connection_info *
723 get_connection_info(int populate, int use_dns)
725 static struct connection_info ci;
729 ci.host = get_canonical_hostname(use_dns);
730 ci.address = get_remote_ipaddr();
731 ci.laddress = get_local_ipaddr(packet_get_connection_in());
732 ci.lport = get_local_port();
737 * The strategy for the Match blocks is that the config file is parsed twice.
739 * The first time is at startup. activep is initialized to 1 and the
740 * directives in the global context are processed and acted on. Hitting a
741 * Match directive unsets activep and the directives inside the block are
742 * checked for syntax only.
744 * The second time is after a connection has been established but before
745 * authentication. activep is initialized to 2 and global config directives
746 * are ignored since they have already been processed. If the criteria in a
747 * Match block is met, activep is set and the subsequent directives
748 * processed and actioned until EOF or another Match block unsets it. Any
749 * options set are copied into the main server config.
751 * Potential additions/improvements:
752 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
754 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
755 * Match Address 192.168.0.*
760 * AllowTcpForwarding yes
761 * GatewayPorts clientspecified
764 * - Add a PermittedChannelRequests directive
766 * PermittedChannelRequests session,forwarded-tcpip
/*
 * Evaluate a "Match Group" criterion: look the user up, build its group
 * access list and test that list against the pattern list `grps`.  `line` is
 * only used in the debug messages.  Each visible branch logs its outcome at
 * debug level; the return type, local declarations, the return values and
 * any ga_free() call are on lines not shown on this page -- confirm there
 * that a non-existent user and a user with no groups both count as a
 * non-match.
 */
770 match_cfg_line_group(const char *grps, int line, const char *user)
778 if ((pw = getpwnam(user)) == NULL) {
779 debug("Can't match group at line %d because user %.100s does "
780 "not exist", line, user);
781 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
782 debug("Can't Match group because user %.100s not in any group "
783 "at line %d", user, line);
784 } else if (ga_match_pattern_list(grps) != 1) {
785 debug("user %.100s does not match group list %.100s at line %d",
788 debug("user %.100s matched group list %.100s at line %d", user,
798 * All of the attributes on a single Match line are ANDed together, so we need
799 * to check every attribute and set the result to zero if any attribute does
/*
 * Evaluate (or, when no connection info is available, only syntax-check -- the
 * selecting condition is on a line not shown here) the criteria following a
 * Match keyword.  *condition is tokenised in place with strdelim().  The
 * attribute counter increments, the `result = 0` / `return -1` statements for
 * the failing cases, the switch case labels and the final return are on lines
 * not shown on this page; the visible lines establish the attribute grammar
 * and which connection field each attribute is compared against.
 */
803 match_cfg_line(char **condition, int line, struct connection_info *ci)
805 int result = 1, attributes = 0, port;
806 char *arg, *attrib, *cp = *condition;
809 debug3("checking syntax for 'Match %s'", cp);
811 debug3("checking match for '%s' user %s host %s addr %s "
812 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
813 ci->host ? ci->host : "(null)",
814 ci->address ? ci->address : "(null)",
815 ci->laddress ? ci->laddress : "(null)", ci->lport);
817 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
/* "all" must be the one and only attribute on the line. */
819 if (strcasecmp(attrib, "all") == 0) {
820 if (attributes != 1 ||
821 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
822 error("'all' cannot be combined with other "
/* Every other attribute takes exactly one argument. */
829 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
830 error("Missing Match criteria for %s", attrib);
/* A NULL ci, or a ci without the needed field, means the criterion cannot
 * be evaluated here (handling on lines not shown). */
833 if (strcasecmp(attrib, "user") == 0) {
834 if (ci == NULL || ci->user == NULL) {
/* Third argument 0 is presumably the "lowercase first" flag of
 * match_pattern_list(), i.e. usernames match case-sensitively -- confirm. */
838 if (match_pattern_list(ci->user, arg, 0) != 1)
841 debug("user %.100s matched 'User %.100s' at "
842 "line %d", ci->user, arg, line);
843 } else if (strcasecmp(attrib, "group") == 0) {
844 if (ci == NULL || ci->user == NULL) {
848 switch (match_cfg_line_group(arg, line, ci->user)) {
/* ci->host is the name produced by get_canonical_hostname() in
 * get_connection_info(); a Host criterion is only as trustworthy as that
 * resolution, whereas Address/LocalAddress compare the socket addresses. */
854 } else if (strcasecmp(attrib, "host") == 0) {
855 if (ci == NULL || ci->host == NULL) {
859 if (match_hostname(ci->host, arg) != 1)
862 debug("connection from %.100s matched 'Host "
863 "%.100s' at line %d", ci->host, arg, line);
864 } else if (strcasecmp(attrib, "address") == 0) {
865 if (ci == NULL || ci->address == NULL) {
869 switch (addr_match_list(ci->address, arg)) {
871 debug("connection from %.100s matched 'Address "
872 "%.100s' at line %d", ci->address, arg, line);
881 } else if (strcasecmp(attrib, "localaddress") == 0){
882 if (ci == NULL || ci->laddress == NULL) {
886 switch (addr_match_list(ci->laddress, arg)) {
888 debug("connection from %.100s matched "
889 "'LocalAddress %.100s' at line %d",
890 ci->laddress, arg, line);
/* LocalPort: the argument is validated as a port even in syntax-check mode,
 * before ci is consulted. */
899 } else if (strcasecmp(attrib, "localport") == 0) {
900 if ((port = a2port(arg)) == -1) {
901 error("Invalid LocalPort '%s' on Match line",
905 if (ci == NULL || ci->lport == 0) {
909 /* TODO support port lists */
910 if (port == ci->lport)
911 debug("connection from %.100s matched "
912 "'LocalPort %d' at line %d",
913 ci->laddress, port, line);
/* Unknown attribute names are a hard error, not silently ignored. */
917 error("Unsupported Match attribute %s", attrib);
921 if (attributes == 0) {
922 error("One or more attributes required for Match");
926 debug3("match %sfound", result ? "" : "not ");
931 #define WHITESPACE " \t\r\n"
933 /* Multistate option parsing */
/*
 * Keyword -> value tables for options that take a small set of words.  The
 * struct multistate definition and, in each table, some entries and the
 * terminating sentinel are on lines not shown on this page.
 */
938 static const struct multistate multistate_addressfamily[] = {
940 { "inet6", AF_INET6 },
941 { "any", AF_UNSPEC },
/* "without-password" and "prohibit-password" are synonyms: both yield
 * PERMIT_NO_PASSWD. */
944 static const struct multistate multistate_permitrootlogin[] = {
945 { "without-password", PERMIT_NO_PASSWD },
946 { "prohibit-password", PERMIT_NO_PASSWD },
947 { "forced-commands-only", PERMIT_FORCED_ONLY },
948 { "yes", PERMIT_YES },
952 static const struct multistate multistate_compression[] = {
953 { "delayed", COMP_DELAYED },
954 { "yes", COMP_ZLIB },
/* "clientspecified" is the bare value 2; presumably the forwarding code
 * distinguishes it from plain yes (1) -- confirm. */
958 static const struct multistate multistate_gatewayports[] = {
959 { "clientspecified", 2 },
/* Note that plain "yes" maps to PRIVSEP_NOSANDBOX, not PRIVSEP_ON: only
 * "sandbox" selects the sandboxed mode that fill_default_server_options()
 * uses as the default. */
964 static const struct multistate multistate_privsep[] = {
965 { "yes", PRIVSEP_NOSANDBOX },
966 { "sandbox", PRIVSEP_ON },
967 { "nosandbox", PRIVSEP_NOSANDBOX },
968 { "no", PRIVSEP_OFF },
/* "yes" and "all" are equivalent; "remote"/"local" restrict the direction. */
971 static const struct multistate multistate_tcpfwd[] = {
972 { "yes", FORWARD_ALLOW },
973 { "all", FORWARD_ALLOW },
974 { "no", FORWARD_DENY },
975 { "remote", FORWARD_REMOTE },
976 { "local", FORWARD_LOCAL },
/*
 * Parse one configuration line into *options.
 *
 * activep == NULL means the line is a command-line directive (see the
 * branch below).  Otherwise *activep says whether the enclosing Match
 * block currently applies: a directive that is not permitted inside
 * Match (flags lacks SSHCFG_MATCH) is fatal there unless connectinfo is
 * set, in which case the directive was already handled on the first
 * pass and its arguments are skipped.
 *
 * Most scalar options are assigned only while still at their unset
 * default (-1 / NULL / PERMIT_NOT_SET, see initialize_server_options),
 * so the first setting of an option wins and later lines do not
 * override it.  Errors are reported with fatal() and never return.
 * After the switch, any token left on the line is rejected as garbage.
 *
 * NOTE: this listing drops lines (the return type, opening brace,
 * several case labels, the parse_* labels and the final return are not
 * visible), so some of the control flow below can only be inferred.
 */
981 process_server_config_line(ServerOptions *options, char *line,
982 const char *filename, int linenum, int *activep,
983 struct connection_info *connectinfo)
985 char *cp, **charptr, *arg, *p;
986 int cmdline = 0, *intptr, value, value2, n, port;
987 SyslogFacility *log_facility_ptr;
988 LogLevel *log_level_ptr;
989 ServerOpCodes opcode;
993 const struct multistate *multistate_ptr;
996 if ((arg = strdelim(&cp)) == NULL)
998 /* Ignore leading whitespace */
1000 arg = strdelim(&cp);
/* Blank lines and '#' comments are accepted silently. */
1001 if (!arg || !*arg || *arg == '#')
1005 opcode = parse_token(arg, filename, linenum, &flags);
1007 if (activep == NULL) { /* We are processing a command line directive */
1011 if (*activep && opcode != sMatch)
1012 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
1013 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1014 if (connectinfo == NULL) {
1015 fatal("%s line %d: Directive '%s' is not allowed "
1016 "within a Match block", filename, linenum, arg);
1017 } else { /* this is a directive we have already processed */
1019 arg = strdelim(&cp);
1025 /* Portable-specific options */
1027 intptr = &options->use_pam;
1030 /* Standard Options */
1034 /* ignore ports from configfile if cmdline specifies ports */
1035 if (options->ports_from_cmdline)
1037 if (options->num_ports >= MAX_PORTS)
1038 fatal("%s line %d: too many ports.",
1040 arg = strdelim(&cp);
1041 if (!arg || *arg == '\0')
1042 fatal("%s line %d: missing port number.",
/* a2port() signals a bad port with a value <= 0, checked on the next line. */
1044 options->ports[options->num_ports++] = a2port(arg);
1045 if (options->ports[options->num_ports-1] <= 0)
1046 fatal("%s line %d: Badly formatted port number.",
1050 case sServerKeyBits:
1051 intptr = &options->server_key_bits;
1053 arg = strdelim(&cp);
1054 if (!arg || *arg == '\0')
1055 fatal("%s line %d: missing integer value.",
/* First setting wins: only store while the option is still at its -1 default. */
1058 if (*activep && *intptr == -1)
1062 case sLoginGraceTime:
1063 intptr = &options->login_grace_time;
1065 arg = strdelim(&cp);
1066 if (!arg || *arg == '\0')
1067 fatal("%s line %d: missing time value.",
1069 if ((value = convtime(arg)) == -1)
1070 fatal("%s line %d: invalid time value.",
1072 if (*activep && *intptr == -1)
1076 case sKeyRegenerationTime:
1077 intptr = &options->key_regeneration_time;
1080 case sListenAddress:
1081 arg = strdelim(&cp);
1082 if (arg == NULL || *arg == '\0')
1083 fatal("%s line %d: missing address",
1085 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
1086 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1087 && strchr(p+1, ':') != NULL) {
/* Port 0 here means "use the configured Port values" when the queue is resolved later. */
1088 queue_listen_addr(options, arg, 0);
1093 fatal("%s line %d: bad address:port usage",
/* p holds the host part; the token left in arg must be a valid port. */
1095 p = cleanhostname(p);
1098 else if ((port = a2port(arg)) <= 0)
1099 fatal("%s line %d: bad port number", filename, linenum);
1101 queue_listen_addr(options, p, port);
1105 case sAddressFamily:
1106 intptr = &options->address_family;
1107 multistate_ptr = multistate_addressfamily;
1109 arg = strdelim(&cp);
1110 if (!arg || *arg == '\0')
1111 fatal("%s line %d: missing argument.",
/*
 * Shared tail for every "goto parse_multistate" case (the label line is
 * not visible here): case-insensitive lookup in the NULL-key-terminated
 * table selected by multistate_ptr.
 */
1114 for (i = 0; multistate_ptr[i].key != NULL; i++) {
1115 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1116 value = multistate_ptr[i].value;
1121 fatal("%s line %d: unsupported option \"%s\".",
1122 filename, linenum, arg);
1123 if (*activep && *intptr == -1)
/* HostKey: num_host_key_files is also the index of the next free slot. */
1128 intptr = &options->num_host_key_files;
1129 if (*intptr >= MAX_HOSTKEYS)
1130 fatal("%s line %d: too many host keys specified (max %d).",
1131 filename, linenum, MAX_HOSTKEYS);
1132 charptr = &options->host_key_files[*intptr];
1134 arg = strdelim(&cp);
1135 if (!arg || *arg == '\0')
1136 fatal("%s line %d: missing file name.",
/* The slot counter is only advanced when a path was actually stored. */
1138 if (*activep && *charptr == NULL) {
1139 *charptr = derelativise_path(arg);
1140 /* increase optional counter */
1142 *intptr = *intptr + 1;
/* HostKeyAgent: the agent environment variable name is kept verbatim; anything else is treated as a path. */
1147 charptr = &options->host_key_agent;
1148 arg = strdelim(&cp);
1149 if (!arg || *arg == '\0')
1150 fatal("%s line %d: missing socket name.",
1152 if (*activep && *charptr == NULL)
1153 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1154 xstrdup(arg) : derelativise_path(arg);
1157 case sHostCertificate:
1158 intptr = &options->num_host_cert_files;
1159 if (*intptr >= MAX_HOSTKEYS)
1160 fatal("%s line %d: too many host certificates "
1161 "specified (max %d).", filename, linenum,
1163 charptr = &options->host_cert_files[*intptr];
1164 goto parse_filename;
1168 charptr = &options->pid_file;
1169 goto parse_filename;
1171 case sPermitRootLogin:
1172 intptr = &options->permit_root_login;
1173 multistate_ptr = multistate_permitrootlogin;
1174 goto parse_multistate;
/* IgnoreRhosts: plain yes/no parsing (the value = 1 / value = 0 lines are not visible here). */
1177 intptr = &options->ignore_rhosts;
1179 arg = strdelim(&cp);
1180 if (!arg || *arg == '\0')
1181 fatal("%s line %d: missing yes/no argument.",
1183 value = 0; /* silence compiler */
1184 if (strcmp(arg, "yes") == 0)
1186 else if (strcmp(arg, "no") == 0)
1189 fatal("%s line %d: Bad yes/no argument: %s",
1190 filename, linenum, arg);
1191 if (*activep && *intptr == -1)
1195 case sIgnoreUserKnownHosts:
1196 intptr = &options->ignore_user_known_hosts;
1199 case sRhostsRSAAuthentication:
1200 intptr = &options->rhosts_rsa_authentication;
1203 case sHostbasedAuthentication:
1204 intptr = &options->hostbased_authentication;
1207 case sHostbasedUsesNameFromPacketOnly:
1208 intptr = &options->hostbased_uses_name_from_packet_only;
1211 case sHostbasedAcceptedKeyTypes:
1212 charptr = &options->hostbased_key_types;
1214 arg = strdelim(&cp);
1215 if (!arg || *arg == '\0')
1216 fatal("%s line %d: Missing argument.",
/*
 * parse_keytypes tail: a leading '+' means "append to the defaults", so
 * the list is validated without it; the actual expansion happens later
 * in assemble_algorithms() (see copy_set_server_options).  The stored
 * string keeps the '+'.
 */
1218 if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1219 fatal("%s line %d: Bad key types '%s'.",
1220 filename, linenum, arg ? arg : "<NONE>");
1221 if (*activep && *charptr == NULL)
1222 *charptr = xstrdup(arg);
1225 case sHostKeyAlgorithms:
1226 charptr = &options->hostkeyalgorithms;
1227 goto parse_keytypes;
1229 case sRSAAuthentication:
1230 intptr = &options->rsa_authentication;
1233 case sPubkeyAuthentication:
1234 intptr = &options->pubkey_authentication;
1237 case sPubkeyAcceptedKeyTypes:
1238 charptr = &options->pubkey_key_types;
1239 goto parse_keytypes;
1241 case sKerberosAuthentication:
1242 intptr = &options->kerberos_authentication;
1245 case sKerberosOrLocalPasswd:
1246 intptr = &options->kerberos_or_local_passwd;
1249 case sKerberosTicketCleanup:
1250 intptr = &options->kerberos_ticket_cleanup;
1253 case sKerberosGetAFSToken:
1254 intptr = &options->kerberos_get_afs_token;
1257 case sGssAuthentication:
1258 intptr = &options->gss_authentication;
1261 case sGssCleanupCreds:
1262 intptr = &options->gss_cleanup_creds;
1265 case sGssStrictAcceptor:
1266 intptr = &options->gss_strict_acceptor;
1269 case sPasswordAuthentication:
1270 intptr = &options->password_authentication;
1273 case sKbdInteractiveAuthentication:
1274 intptr = &options->kbd_interactive_authentication;
1277 case sChallengeResponseAuthentication:
1278 intptr = &options->challenge_response_authentication;
1282 intptr = &options->print_motd;
1286 intptr = &options->print_lastlog;
1289 case sX11Forwarding:
1290 intptr = &options->x11_forwarding;
1293 case sX11DisplayOffset:
1294 intptr = &options->x11_display_offset;
1297 case sX11UseLocalhost:
1298 intptr = &options->x11_use_localhost;
1301 case sXAuthLocation:
1302 charptr = &options->xauth_location;
1303 goto parse_filename;
1306 intptr = &options->permit_tty;
1310 intptr = &options->permit_user_rc;
1314 intptr = &options->strict_modes;
1318 intptr = &options->tcp_keep_alive;
1322 intptr = &options->permit_empty_passwd;
1325 case sPermitUserEnvironment:
1326 intptr = &options->permit_user_env;
1330 intptr = &options->use_login;
1334 intptr = &options->compression;
1335 multistate_ptr = multistate_compression;
1336 goto parse_multistate;
/*
 * RekeyLimit: a byte count ("default" or a scan_scaled() size; val64 is
 * declared on a line not visible here) optionally followed by a time
 * interval or "none".  A non-zero limit below 16 bytes is rejected.
 */
1339 arg = strdelim(&cp);
1340 if (!arg || *arg == '\0')
1341 fatal("%.200s line %d: Missing argument.", filename,
1343 if (strcmp(arg, "default") == 0) {
1346 if (scan_scaled(arg, &val64) == -1)
1347 fatal("%.200s line %d: Bad number '%s': %s",
1348 filename, linenum, arg, strerror(errno));
1349 if (val64 != 0 && val64 < 16)
1350 fatal("%.200s line %d: RekeyLimit too small",
1353 if (*activep && options->rekey_limit == -1)
1354 options->rekey_limit = val64;
1355 if (cp != NULL) { /* optional rekey interval present */
1356 if (strcmp(cp, "none") == 0) {
1357 (void)strdelim(&cp); /* discard */
/* Any other interval token presumably falls through to the shared time parser (lines not visible). */
1360 intptr = &options->rekey_interval;
1366 intptr = &options->fwd_opts.gateway_ports;
1367 multistate_ptr = multistate_gatewayports;
1368 goto parse_multistate;
1371 intptr = &options->use_dns;
/*
 * LogFacility / LogLevel: NOTE(review) there is no *activep guard on
 * these two assignments, unlike the other cases; presumably they are
 * rejected before reaching here when used inside a Match block (via the
 * SSHCFG_MATCH check above) — verify against the keywords table.
 */
1375 log_facility_ptr = &options->log_facility;
1376 arg = strdelim(&cp);
1377 value = log_facility_number(arg);
1378 if (value == SYSLOG_FACILITY_NOT_SET)
1379 fatal("%.200s line %d: unsupported log facility '%s'",
1380 filename, linenum, arg ? arg : "<NONE>");
1381 if (*log_facility_ptr == -1)
1382 *log_facility_ptr = (SyslogFacility) value;
1386 log_level_ptr = &options->log_level;
1387 arg = strdelim(&cp);
1388 value = log_level_number(arg);
1389 if (value == SYSLOG_LEVEL_NOT_SET)
1390 fatal("%.200s line %d: unsupported log level '%s'",
1391 filename, linenum, arg ? arg : "<NONE>");
1392 if (*log_level_ptr == -1)
1393 *log_level_ptr = (LogLevel) value;
1396 case sAllowTcpForwarding:
1397 intptr = &options->allow_tcp_forwarding;
1398 multistate_ptr = multistate_tcpfwd;
1399 goto parse_multistate;
1401 case sAllowStreamLocalForwarding:
1402 intptr = &options->allow_streamlocal_forwarding;
1403 multistate_ptr = multistate_tcpfwd;
1404 goto parse_multistate;
1406 case sAllowAgentForwarding:
1407 intptr = &options->allow_agent_forwarding;
/* UsePrivilegeSeparation writes the file-scope global use_privsep, not a ServerOptions field. */
1410 case sUsePrivilegeSeparation:
1411 intptr = &use_privsep;
1412 multistate_ptr = multistate_privsep;
1413 goto parse_multistate;
/*
 * Allow/Deny Users/Groups: list directives accumulate across lines up
 * to their MAX_* bound (the xstrdup() and *activep lines are not
 * visible here).
 */
1416 while ((arg = strdelim(&cp)) && *arg != '\0') {
1417 if (options->num_allow_users >= MAX_ALLOW_USERS)
1418 fatal("%s line %d: too many allow users.",
1422 options->allow_users[options->num_allow_users++] =
1428 while ((arg = strdelim(&cp)) && *arg != '\0') {
1429 if (options->num_deny_users >= MAX_DENY_USERS)
1430 fatal("%s line %d: too many deny users.",
1434 options->deny_users[options->num_deny_users++] =
1440 while ((arg = strdelim(&cp)) && *arg != '\0') {
1441 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1442 fatal("%s line %d: too many allow groups.",
1446 options->allow_groups[options->num_allow_groups++] =
1452 while ((arg = strdelim(&cp)) && *arg != '\0') {
1453 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1454 fatal("%s line %d: too many deny groups.",
1458 options->deny_groups[options->num_deny_groups++] =
/* Ciphers / MACs / KexAlgorithms: validated with the optional '+' stripped, stored with it. */
1464 arg = strdelim(&cp);
1465 if (!arg || *arg == '\0')
1466 fatal("%s line %d: Missing argument.", filename, linenum);
1467 if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
1468 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1469 filename, linenum, arg ? arg : "<NONE>");
1470 if (options->ciphers == NULL)
1471 options->ciphers = xstrdup(arg);
1475 arg = strdelim(&cp);
1476 if (!arg || *arg == '\0')
1477 fatal("%s line %d: Missing argument.", filename, linenum);
1478 if (!mac_valid(*arg == '+' ? arg + 1 : arg))
1479 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1480 filename, linenum, arg ? arg : "<NONE>");
1481 if (options->macs == NULL)
1482 options->macs = xstrdup(arg);
1485 case sKexAlgorithms:
1486 arg = strdelim(&cp);
1487 if (!arg || *arg == '\0')
1488 fatal("%s line %d: Missing argument.",
1490 if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
1491 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1492 filename, linenum, arg ? arg : "<NONE>");
1493 if (options->kex_algorithms == NULL)
1494 options->kex_algorithms = xstrdup(arg);
/* Protocol: stored only while still SSH_PROTO_UNKNOWN (first setting wins). */
1498 intptr = &options->protocol;
1499 arg = strdelim(&cp);
1500 if (!arg || *arg == '\0')
1501 fatal("%s line %d: Missing argument.", filename, linenum);
1502 value = proto_spec(arg);
1503 if (value == SSH_PROTO_UNKNOWN)
1504 fatal("%s line %d: Bad protocol spec '%s'.",
1505 filename, linenum, arg ? arg : "<NONE>");
1506 if (*intptr == SSH_PROTO_UNKNOWN)
/*
 * Subsystem: "name command [args...]".  Names must be unique; the
 * command and its argument string are stored separately.  p is
 * initialised from the command on a line not visible here and then
 * grown one argument at a time; len always includes room for the
 * separating space and the terminating NUL.
 */
1511 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1512 fatal("%s line %d: too many subsystems defined.",
1515 arg = strdelim(&cp);
1516 if (!arg || *arg == '\0')
1517 fatal("%s line %d: Missing subsystem name.",
1520 arg = strdelim(&cp);
1523 for (i = 0; i < options->num_subsystems; i++)
1524 if (strcmp(arg, options->subsystem_name[i]) == 0)
1525 fatal("%s line %d: Subsystem '%s' already defined.",
1526 filename, linenum, arg);
1527 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1528 arg = strdelim(&cp);
1529 if (!arg || *arg == '\0')
1530 fatal("%s line %d: Missing subsystem command.",
1532 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1534 /* Collect arguments (separate to executable) */
1536 len = strlen(p) + 1;
1537 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1538 len += 1 + strlen(arg);
1539 p = xreallocarray(p, 1, len);
1540 strlcat(p, " ", len);
1541 strlcat(p, arg, len);
1543 options->subsystem_args[options->num_subsystems] = p;
1544 options->num_subsystems++;
/*
 * MaxStartups: "begin:rate:full" with begin <= full and 1 <= rate <= 100.
 * The alternative single-number form (the n == 1 branch is only partly
 * visible) uses the one value for both begin and full.
 */
1548 arg = strdelim(&cp);
1549 if (!arg || *arg == '\0')
1550 fatal("%s line %d: Missing MaxStartups spec.",
1552 if ((n = sscanf(arg, "%d:%d:%d",
1553 &options->max_startups_begin,
1554 &options->max_startups_rate,
1555 &options->max_startups)) == 3) {
1556 if (options->max_startups_begin >
1557 options->max_startups ||
1558 options->max_startups_rate > 100 ||
1559 options->max_startups_rate < 1)
1560 fatal("%s line %d: Illegal MaxStartups spec.",
1563 fatal("%s line %d: Illegal MaxStartups spec.",
1566 options->max_startups = options->max_startups_begin;
1570 intptr = &options->max_authtries;
1574 intptr = &options->max_sessions;
1578 charptr = &options->banner;
1579 goto parse_filename;
1582 * These options can contain %X options expanded at
1583 * connect time, so that you can specify paths like:
1585 * AuthorizedKeysFile /etc/ssh_keys/%u
/*
 * Only the first active AuthorizedKeysFile directive is honoured
 * (num_authkeys_files == 0 guard).  Paths are tilde-expanded against the
 * uid sshd runs as; the %-tokens described above are left for later.
 */
1587 case sAuthorizedKeysFile:
1588 if (*activep && options->num_authkeys_files == 0) {
1589 while ((arg = strdelim(&cp)) && *arg != '\0') {
1590 if (options->num_authkeys_files >=
1592 fatal("%s line %d: "
1593 "too many authorized keys files.",
1595 options->authorized_keys_files[
1596 options->num_authkeys_files++] =
1597 tilde_expand_filename(arg, getuid());
1602 case sAuthorizedPrincipalsFile:
1603 charptr = &options->authorized_principals_file;
1604 arg = strdelim(&cp);
1605 if (!arg || *arg == '\0')
1606 fatal("%s line %d: missing file name.",
1608 if (*activep && *charptr == NULL) {
1609 *charptr = tilde_expand_filename(arg, getuid());
1610 /* increase optional counter */
/*
 * NOTE(review): intptr is not assigned in this case, so as visible here
 * this increment acts on whatever intptr last pointed to (or nothing
 * initialised at all).  The line between 1610 and 1612 is missing from
 * this listing and may guard it — confirm against the full source.
 */
1612 *intptr = *intptr + 1;
1616 case sClientAliveInterval:
1617 intptr = &options->client_alive_interval;
1620 case sClientAliveCountMax:
1621 intptr = &options->client_alive_count_max;
/* AcceptEnv: names only — a '=' would smuggle a value, so it is rejected. */
1625 while ((arg = strdelim(&cp)) && *arg != '\0') {
1626 if (strchr(arg, '=') != NULL)
1627 fatal("%s line %d: Invalid environment name.",
1629 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1630 fatal("%s line %d: too many allow env.",
1634 options->accept_env[options->num_accept_env++] =
/* PermitTunnel: exact (case-sensitive) match against the tunmode_desc table, terminated by val == -1. */
1640 intptr = &options->permit_tun;
1641 arg = strdelim(&cp);
1642 if (!arg || *arg == '\0')
1643 fatal("%s line %d: Missing yes/point-to-point/"
1644 "ethernet/no argument.", filename, linenum);
1646 for (i = 0; tunmode_desc[i].val != -1; i++)
1647 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1648 value = tunmode_desc[i].val;
1652 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1653 "no argument: %s", filename, linenum, arg);
1654 if (*activep && *intptr == -1)
/*
 * Match: evaluated by match_cfg_line() against connectinfo; the result
 * presumably becomes the new *activep (the assignment is not visible
 * here).  Not accepted on the command line.
 */
1660 fatal("Match directive not supported as a command-line "
1662 value = match_cfg_line(&cp, linenum, connectinfo);
1664 fatal("%s line %d: Bad Match condition", filename,
/*
 * PermitOpen: n == -1 means no PermitOpen has been applied yet.  "any"
 * empties the admin list (num = 0), "none" installs a non-empty marker
 * (num = 1) and disables local opens; otherwise each host:port is added
 * to the admin-permitted list.
 */
1670 arg = strdelim(&cp);
1671 if (!arg || *arg == '\0')
1672 fatal("%s line %d: missing PermitOpen specification",
1674 n = options->num_permitted_opens; /* modified later */
1675 if (strcmp(arg, "any") == 0) {
1676 if (*activep && n == -1) {
1677 channel_clear_adm_permitted_opens();
1678 options->num_permitted_opens = 0;
1682 if (strcmp(arg, "none") == 0) {
1683 if (*activep && n == -1) {
1684 options->num_permitted_opens = 1;
1685 channel_disable_adm_local_opens();
1689 if (*activep && n == -1)
1690 channel_clear_adm_permitted_opens();
1691 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1694 fatal("%s line %d: missing host in PermitOpen",
1696 p = cleanhostname(p);
1697 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1698 fatal("%s line %d: bad port number in "
1699 "PermitOpen", filename, linenum);
1700 if (*activep && n == -1)
1701 options->num_permitted_opens =
1702 channel_add_adm_permitted_opens(p, port);
/* ForceCommand: the rest of the line, minus leading whitespace, is taken verbatim. */
1707 if (cp == NULL || *cp == '\0')
1708 fatal("%.200s line %d: Missing argument.", filename,
1710 len = strspn(cp, WHITESPACE);
1711 if (*activep && options->adm_forced_command == NULL)
1712 options->adm_forced_command = xstrdup(cp + len);
/* ChrootDirectory is stored as given; %-tokens, if any, are not expanded here. */
1715 case sChrootDirectory:
1716 charptr = &options->chroot_directory;
1718 arg = strdelim(&cp);
1719 if (!arg || *arg == '\0')
1720 fatal("%s line %d: missing file name.",
1722 if (*activep && *charptr == NULL)
1723 *charptr = xstrdup(arg);
1726 case sTrustedUserCAKeys:
1727 charptr = &options->trusted_user_ca_keys;
1728 goto parse_filename;
1731 charptr = &options->revoked_keys_file;
1732 goto parse_filename;
/* IPQoS: one value for both classes, or "interactive bulk" (the one-value branch is not visible here). */
1735 arg = strdelim(&cp);
1736 if ((value = parse_ipqos(arg)) == -1)
1737 fatal("%s line %d: Bad IPQoS value: %s",
1738 filename, linenum, arg);
1739 arg = strdelim(&cp);
1742 else if ((value2 = parse_ipqos(arg)) == -1)
1743 fatal("%s line %d: Bad IPQoS value: %s",
1744 filename, linenum, arg);
1746 options->ip_qos_interactive = value;
1747 options->ip_qos_bulk = value2;
/*
 * VersionAddendum: "none" stores an empty string.  A carriage return is
 * rejected, presumably because the addendum is sent as part of the
 * single-line protocol identification string.
 */
1751 case sVersionAddendum:
1752 if (cp == NULL || *cp == '\0')
1753 fatal("%.200s line %d: Missing argument.", filename,
1755 len = strspn(cp, WHITESPACE);
1756 if (*activep && options->version_addendum == NULL) {
1757 if (strcasecmp(cp + len, "none") == 0)
1758 options->version_addendum = xstrdup("");
1759 else if (strchr(cp + len, '\r') != NULL)
1760 fatal("%.200s line %d: Invalid argument",
1763 options->version_addendum = xstrdup(cp + len);
/*
 * AuthorizedKeysCommand / AuthorizedPrincipalsCommand: the whole rest of
 * the line is the command; it must be "none" or start with '/' so that
 * a relative path is never resolved at run time.
 */
1767 case sAuthorizedKeysCommand:
1769 fatal("%.200s line %d: Missing argument.", filename,
1771 len = strspn(cp, WHITESPACE);
1772 if (*activep && options->authorized_keys_command == NULL) {
1773 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1774 fatal("%.200s line %d: AuthorizedKeysCommand "
1775 "must be an absolute path",
1777 options->authorized_keys_command = xstrdup(cp + len);
1781 case sAuthorizedKeysCommandUser:
1782 charptr = &options->authorized_keys_command_user;
1784 arg = strdelim(&cp);
1785 if (!arg || *arg == '\0')
1786 fatal("%s line %d: missing AuthorizedKeysCommandUser "
1787 "argument.", filename, linenum);
1788 if (*activep && *charptr == NULL)
1789 *charptr = xstrdup(arg);
1792 case sAuthorizedPrincipalsCommand:
1794 fatal("%.200s line %d: Missing argument.", filename,
1796 len = strspn(cp, WHITESPACE);
1798 options->authorized_principals_command == NULL) {
1799 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1800 fatal("%.200s line %d: "
1801 "AuthorizedPrincipalsCommand must be "
1802 "an absolute path", filename, linenum);
1803 options->authorized_principals_command =
1808 case sAuthorizedPrincipalsCommandUser:
1809 charptr = &options->authorized_principals_command_user;
1811 arg = strdelim(&cp);
1812 if (!arg || *arg == '\0')
1813 fatal("%s line %d: missing "
1814 "AuthorizedPrincipalsCommandUser argument.",
1816 if (*activep && *charptr == NULL)
1817 *charptr = xstrdup(arg);
/*
 * AuthenticationMethods: first directive wins (num_auth_methods == 0);
 * every list is validated by auth2_methods_valid() before it is stored.
 * The *activep check for this case, if any, is on a line not visible
 * here.
 */
1820 case sAuthenticationMethods:
1821 if (options->num_auth_methods == 0) {
1822 while ((arg = strdelim(&cp)) && *arg != '\0') {
1823 if (options->num_auth_methods >=
1825 fatal("%s line %d: "
1826 "too many authentication methods.",
1828 if (auth2_methods_valid(arg, 0) != 0)
1829 fatal("%s line %d: invalid "
1830 "authentication method list.",
1834 options->auth_methods[
1835 options->num_auth_methods++] = xstrdup(arg);
1840 case sStreamLocalBindMask:
1841 arg = strdelim(&cp);
1842 if (!arg || *arg == '\0')
1843 fatal("%s line %d: missing StreamLocalBindMask "
1844 "argument.", filename, linenum);
1845 /* Parse mode in octal format */
/*
 * NOTE(review): value is an int but strtol() returns long, so an
 * out-of-int-range octal string is truncated before the range check;
 * and only arg == p is tested, so trailing non-octal characters after
 * the digits are not rejected.
 */
1846 value = strtol(arg, &p, 8);
1847 if (arg == p || value < 0 || value > 0777)
1848 fatal("%s line %d: Bad mask.", filename, linenum);
1850 options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
1853 case sStreamLocalBindUnlink:
1854 intptr = &options->fwd_opts.streamlocal_bind_unlink;
/* FingerprintHash: ssh_digest_alg_by_name() returns -1 for an unknown algorithm. */
1857 case sFingerprintHash:
1858 arg = strdelim(&cp);
1859 if (!arg || *arg == '\0')
1860 fatal("%.200s line %d: Missing argument.",
1862 if ((value = ssh_digest_alg_by_name(arg)) == -1)
1863 fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1864 filename, linenum, arg);
1866 options->fingerprint_hash = value;
1870 intptr = &options->use_blacklist;
/* Deprecated / Unsupported: logged, not fatal; the remaining tokens are consumed and ignored. */
1874 logit("%s line %d: Deprecated option %s",
1875 filename, linenum, arg);
1877 arg = strdelim(&cp);
1881 logit("%s line %d: Unsupported option %s",
1882 filename, linenum, arg);
1884 arg = strdelim(&cp);
/* Reaching here means parse_token() knows an opcode the switch does not handle. */
1888 fatal("%s line %d: Missing handler for opcode %s (%d)",
1889 filename, linenum, arg, opcode);
/* Anything left on the line after the directive's arguments is an error. */
1891 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1892 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1893 filename, linenum, arg);
1897 /* Reads the server configuration file. */
/*
 * Read the configuration file at filename into conf, so that it can be
 * parsed by parse_server_config() and later re-parsed per connection for
 * Match blocks.  Comments are stripped and leading blanks removed here;
 * newlines are preserved so that line numbers in later error messages
 * still match the file.  The FILE handle f and the lineno counter are
 * declared/advanced on lines not visible in this listing.
 */
1900 load_server_config(const char *filename, Buffer *conf)
1902 char line[4096], *cp;
1906 debug2("%s: filename %s", __func__, filename);
1907 if ((f = fopen(filename, "r")) == NULL) {
1912 while (fgets(line, sizeof(line), f)) {
/*
 * fgets() keeps the newline; a line that fills the whole buffer is
 * treated as too long and rejected outright rather than silently split
 * into two lines.
 */
1914 if (strlen(line) == sizeof(line) - 1)
1915 fatal("%s line %d too long", filename, lineno);
1917 * Trim out comments and strip whitespace
1918 * NB - preserve newlines, they are needed to reproduce
1919 * line numbers later for error messages
/* Replace everything from the first '#' with "\n" (memcpy copies the NUL too). */
1921 if ((cp = strchr(line, '#')) != NULL)
1922 memcpy(cp, "\n", 2);
/* Skip leading blanks; '\n' is deliberately not in this set. */
1923 cp = line + strspn(line, " \t\r");
1925 buffer_append(conf, cp, strlen(cp));
/* NUL-terminate so parse_server_config() can treat the buffer as one C string. */
1927 buffer_append(conf, "\0", 1);
1929 debug2("%s: done config len = %d", __func__, buffer_len(conf));
/*
 * Re-parse the saved configuration against a specific connection so that
 * Match blocks take effect: a fresh ServerOptions (mo) is filled from the
 * config buffer (cfg) with connectinfo, and whatever it set is copied
 * over *options.  The declarations of mo and cfg are not visible in this
 * listing.
 */
1933 parse_server_match_config(ServerOptions *options,
1934 struct connection_info *connectinfo)
1938 initialize_server_options(&mo);
1939 parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
/* preauth == 0: copy all settings, including the post-auth string options. */
1940 copy_set_server_options(options, &mo, 0);
/*
 * Fill *ci from a comma-separated "key=value" test specification
 * (addr=, host=, user=, laddr=, lport=).  strsep() consumes spec in
 * place.  Errors are reported on stderr; the return values and the
 * closing lines of the function are not visible in this listing.
 */
1943 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1947 while ((p = strsep(&spec, ",")) && *p != '\0') {
/* Prefix match only: the bytes after the '=' are taken as the value. */
1948 if (strncmp(p, "addr=", 5) == 0) {
1949 ci->address = xstrdup(p + 5);
1950 } else if (strncmp(p, "host=", 5) == 0) {
1951 ci->host = xstrdup(p + 5);
1952 } else if (strncmp(p, "user=", 5) == 0) {
1953 ci->user = xstrdup(p + 5);
1954 } else if (strncmp(p, "laddr=", 6) == 0) {
1955 ci->laddress = xstrdup(p + 6);
1956 } else if (strncmp(p, "lport=", 6) == 0) {
/* a2port() reports an unparseable port as -1. */
1957 ci->lport = a2port(p + 6);
1958 if (ci->lport == -1) {
1959 fprintf(stderr, "Invalid port '%s' in test mode"
1960 " specification %s\n", p+6, p);
1964 fprintf(stderr, "Invalid test mode specification %s\n",
1973 * returns 1 for a complete spec, 0 for partial spec and -1 for an
int server_match_spec_complete(struct connection_info *ci)
{
	/*
	 * Classify a Match test specification by how many of the three
	 * required fields (user, host, address) are present: 1 when all
	 * three are set, -1 when none is set, 0 for a partial spec.
	 */
	int have_user = ci->user != NULL;
	int have_host = ci->host != NULL;
	int have_addr = ci->address != NULL;
	int nset = have_user + have_host + have_addr;

	if (nset == 3)
		return 1;	/* complete */
	if (nset == 0)
		return -1;	/* empty */
	return 0;		/* partial */
}
1986 * Copy any supported values that are set.
1988 * If the preauth flag is set, we do not bother copying the string or
1989 * array values that are not used pre-authentication, because any that we
1990 * do use must be explicitly sent in mm_getpwnamallow().
/*
 * Copy the options that a Match block set in src over the global
 * settings in dst.  Integer options are copied with M_CP_INTOPT (its
 * body is not visible in this listing).  With preauth set, the string
 * options that are only used after authentication are skipped; the
 * early return itself is on a line not visible here, see the comment
 * below.
 */
1993 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1995 #define M_CP_INTOPT(n) do {\
2000 M_CP_INTOPT(password_authentication);
2001 M_CP_INTOPT(gss_authentication);
2002 M_CP_INTOPT(rsa_authentication);
2003 M_CP_INTOPT(pubkey_authentication);
2004 M_CP_INTOPT(kerberos_authentication);
2005 M_CP_INTOPT(hostbased_authentication);
2006 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2007 M_CP_INTOPT(kbd_interactive_authentication);
2008 M_CP_INTOPT(permit_root_login);
2009 M_CP_INTOPT(permit_empty_passwd);
2011 M_CP_INTOPT(allow_tcp_forwarding);
2012 M_CP_INTOPT(allow_streamlocal_forwarding);
2013 M_CP_INTOPT(allow_agent_forwarding);
2014 M_CP_INTOPT(permit_tun);
2015 M_CP_INTOPT(fwd_opts.gateway_ports);
2016 M_CP_INTOPT(x11_display_offset);
2017 M_CP_INTOPT(x11_forwarding);
2018 M_CP_INTOPT(x11_use_localhost);
2019 M_CP_INTOPT(permit_tty);
2020 M_CP_INTOPT(permit_user_rc);
2021 M_CP_INTOPT(max_sessions);
2022 M_CP_INTOPT(max_authtries);
2023 M_CP_INTOPT(ip_qos_interactive);
2024 M_CP_INTOPT(ip_qos_bulk);
2025 M_CP_INTOPT(rekey_limit);
2026 M_CP_INTOPT(rekey_interval);
2028 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
/* Copy a string option only when src set it and it is not already the same pointer. */
2029 #define M_CP_STROPT(n) do {\
2030 if (src->n != NULL && dst->n != src->n) { \
/* Replace dst's array wholesale with duplicates of src's entries when src has any. */
2035 #define M_CP_STRARRAYOPT(n, num_n) do {\
2036 if (src->num_n != 0) { \
2037 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
2038 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
2042 /* See comment in servconf.h */
2043 COPY_MATCH_STRING_OPTS();
2045 /* Arguments that accept '+...' need to be expanded */
2046 assemble_algorithms(dst);
2049 * The only things that should be below this point are string options
2050 * which are only used after authentication.
2055 /* These options may be "none" to clear a global setting */
/* A Match-level "none" must win over a global value, so the copied string is dropped again. */
2056 M_CP_STROPT(adm_forced_command);
2057 if (option_clear_or_none(dst->adm_forced_command)) {
2058 free(dst->adm_forced_command);
2059 dst->adm_forced_command = NULL;
2061 M_CP_STROPT(chroot_directory);
2062 if (option_clear_or_none(dst->chroot_directory)) {
2063 free(dst->chroot_directory);
2064 dst->chroot_directory = NULL;
2070 #undef M_CP_STRARRAYOPT
/*
 * Process the whole configuration held in conf (as loaded by
 * load_server_config) line by line through process_server_config_line().
 * With connectinfo set this is the per-connection Match re-parse, so
 * active starts at 0 and only directives inside a matching block take
 * effect; without it every line is active.  The linenum initialisation,
 * the bad_options increment and the free of obuf are on lines not
 * visible in this listing.
 */
2073 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
2074 struct connection_info *connectinfo)
2076 int active, linenum, bad_options = 0;
2077 char *cp, *obuf, *cbuf;
2079 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
/* strsep() walks cbuf destructively; obuf keeps the original pointer. */
2081 obuf = cbuf = xstrdup(buffer_ptr(conf));
2082 active = connectinfo ? 0 : 1;
2084 while ((cp = strsep(&cbuf, "\n")) != NULL) {
2085 if (process_server_config_line(options, cp, filename,
2086 linenum++, &active, connectinfo) != 0)
/* All lines are read before giving up, so every bad option gets reported. */
2090 if (bad_options > 0)
2091 fatal("%s: terminating, %d bad configuration options",
2092 filename, bad_options);
/* ListenAddress entries were only queued during parsing; resolve them now that Port is known. */
2093 process_queued_listen_addrs(options);
/*
 * Inverse lookup for the multistate tables: return the keyword whose
 * value is val.  The table is NULL-key terminated; the return statements
 * (including the fallback for an unmatched value) are not visible here.
 */
2097 fmt_multistate_int(int val, const struct multistate *m)
2101 for (i = 0; m[i].key != NULL; i++) {
2102 if (m[i].value == val)
/*
 * Render an integer option value as the keyword a user would write in
 * sshd_config, dispatching on the option code.  Options that are not
 * multistate (Protocol, plain yes/no) are handled on lines of this
 * switch that are not visible in this listing.
 */
2109 fmt_intarg(ServerOpCodes code, int val)
2114 case sAddressFamily:
2115 return fmt_multistate_int(val, multistate_addressfamily);
2116 case sPermitRootLogin:
2117 return fmt_multistate_int(val, multistate_permitrootlogin);
2119 return fmt_multistate_int(val, multistate_gatewayports);
2121 return fmt_multistate_int(val, multistate_compression);
2122 case sUsePrivilegeSeparation:
2123 return fmt_multistate_int(val, multistate_privsep);
/* Both forwarding options share one table, see multistate_tcpfwd. */
2124 case sAllowTcpForwarding:
2125 return fmt_multistate_int(val, multistate_tcpfwd);
2126 case sAllowStreamLocalForwarding:
2127 return fmt_multistate_int(val, multistate_tcpfwd);
2128 case sFingerprintHash:
2129 return ssh_digest_alg_name(val);
2136 case (SSH_PROTO_1|SSH_PROTO_2):
/*
 * Map an option code back to its configuration keyword by scanning the
 * NULL-terminated keywords table; the fallback for an unknown code is on
 * a line not visible in this listing.
 */
2154 lookup_opcode_name(ServerOpCodes code)
2158 for (i = 0; keywords[i].name != NULL; i++)
2159 if (keywords[i].opcode == code)
2160 return(keywords[i].name);
/* Print "Keyword value" for a plain integer option (used by dump_config). */
2165 dump_cfg_int(ServerOpCodes code, int val)
2167 printf("%s %d\n", lookup_opcode_name(code), val);
/* Print "Keyword 0nnn" for an option stored as a mode (StreamLocalBindMask). */
2171 dump_cfg_oct(ServerOpCodes code, int val)
2173 printf("%s 0%o\n", lookup_opcode_name(code), val);
/* Print "Keyword word" for an integer option that has a keyword spelling (see fmt_intarg). */
2177 dump_cfg_fmtint(ServerOpCodes code, int val)
2179 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
/* Print "Keyword value" for a string option; an unset (NULL) value is shown as "none". */
2183 dump_cfg_string(ServerOpCodes code, const char *val)
2187 printf("%s %s\n", lookup_opcode_name(code),
2188 val == NULL ? "none" : val);
/* Print one "Keyword value" line per element of a string array option (nothing for count == 0). */
2192 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2196 for (i = 0; i < count; i++)
2197 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
/*
 * Print a string array option as a single "Keyword v1 v2 ..." line; the
 * keyword is printed even when count == 0.  The terminating newline is
 * printed on a line not visible in this listing.
 */
2201 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2207 printf("%s", lookup_opcode_name(code));
2208 for (i = 0; i < count; i++)
2209 printf(" %s", vals[i]);
2214 dump_config(ServerOptions *o)
2218 struct addrinfo *ai;
2219 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2220 char *laddr1 = xstrdup(""), *laddr2 = NULL;
2222 /* these are usually at the top of the config */
2223 for (i = 0; i < o->num_ports; i++)
2224 printf("port %d\n", o->ports[i]);
2225 dump_cfg_fmtint(sProtocol, o->protocol);
2226 dump_cfg_fmtint(sAddressFamily, o->address_family);
2229 * ListenAddress must be after Port. add_one_listen_addr pushes
2230 * addresses onto a stack, so to maintain ordering we need to
2231 * print these in reverse order.
2233 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2234 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2235 sizeof(addr), port, sizeof(port),
2236 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2237 error("getnameinfo failed: %.100s",
2238 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2242 if (ai->ai_family == AF_INET6)
2243 xasprintf(&laddr1, "listenaddress [%s]:%s\n%s",
2244 addr, port, laddr2);
2246 xasprintf(&laddr1, "listenaddress %s:%s\n%s",
2247 addr, port, laddr2);
2251 printf("%s", laddr1);
2254 /* integer arguments */
2256 dump_cfg_fmtint(sUsePAM, o->use_pam);
2258 dump_cfg_int(sServerKeyBits, o->server_key_bits);
2259 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2260 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
2261 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2262 dump_cfg_int(sMaxAuthTries, o->max_authtries);
2263 dump_cfg_int(sMaxSessions, o->max_sessions);
2264 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2265 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2266 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2268 /* formatted integer arguments */
2269 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2270 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2271 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2272 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2273 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2274 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2275 o->hostbased_uses_name_from_packet_only);
2276 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
2277 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2279 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2280 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2281 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2283 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2287 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2288 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2290 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2291 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2292 o->kbd_interactive_authentication);
2293 dump_cfg_fmtint(sChallengeResponseAuthentication,
2294 o->challenge_response_authentication);
2295 dump_cfg_fmtint(sPrintMotd, o->print_motd);
2296 #ifndef DISABLE_LASTLOG
2297 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2299 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2300 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2301 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2302 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2303 dump_cfg_fmtint(sStrictModes, o->strict_modes);
2304 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2305 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2306 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2307 dump_cfg_fmtint(sUseLogin, o->use_login);
2308 dump_cfg_fmtint(sCompression, o->compression);
2309 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2310 dump_cfg_fmtint(sUseDNS, o->use_dns);
2311 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2312 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2313 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2314 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2315 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2316 dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
2318 /* string arguments */
2319 dump_cfg_string(sPidFile, o->pid_file);
2320 dump_cfg_string(sXAuthLocation, o->xauth_location);
2321 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
2322 dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
2323 dump_cfg_string(sBanner, o->banner);
2324 dump_cfg_string(sForceCommand, o->adm_forced_command);
2325 dump_cfg_string(sChrootDirectory, o->chroot_directory);
2326 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2327 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2328 dump_cfg_string(sAuthorizedPrincipalsFile,
2329 o->authorized_principals_file);
2330 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2331 ? "none" : o->version_addendum);
2332 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2333 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2334 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2335 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2336 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2337 dump_cfg_string(sKexAlgorithms,
2338 o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
2339 dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2340 o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
2341 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
2342 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2343 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2344 o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2346 /* string arguments requiring a lookup */
2347 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2348 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2350 /* string array arguments */
2351 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2352 o->authorized_keys_files);
2353 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2355 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
2356 o->host_cert_files);
2357 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2358 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2359 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2360 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2361 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2362 dump_cfg_strarray_oneline(sAuthenticationMethods,
2363 o->num_auth_methods, o->auth_methods);
2365 /* other arguments */
2366 for (i = 0; i < o->num_subsystems; i++)
2367 printf("subsystem %s %s\n", o->subsystem_name[i],
2368 o->subsystem_args[i]);
2370 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2371 o->max_startups_rate, o->max_startups);
2373 for (i = 0; tunmode_desc[i].val != -1; i++)
2374 if (tunmode_desc[i].val == o->permit_tun) {
2375 s = tunmode_desc[i].text;
2378 dump_cfg_string(sPermitTunnel, s);
2380 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2381 printf("%s\n", iptos2str(o->ip_qos_bulk));
2383 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
2386 channel_print_adm_permitted_opens();