2 /* $OpenBSD: servconf.c,v 1.392 2023/03/05 05:34:09 dtucker Exp $ */
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
16 #include <sys/types.h>
17 #include <sys/socket.h>
20 #include <sys/sysctl.h>
23 #include <netinet/in.h>
24 #include <netinet/in_systm.h>
25 #include <netinet/ip.h>
26 #ifdef HAVE_NET_ROUTE_H
27 #include <net/route.h>
44 #ifdef USE_SYSTEM_GLOB
47 # include "openbsd-compat/glob.h"
50 #include "openbsd-compat/sys-queue.h"
57 #include "pathnames.h"
64 #include "groupaccess.h"
70 #include "myproposal.h"
74 static void add_listen_addr(ServerOptions *, const char *,
76 static void add_one_listen_addr(ServerOptions *, const char *,
78 static void parse_server_config_depth(ServerOptions *options,
79 const char *filename, struct sshbuf *conf, struct include_list *includes,
80 struct connection_info *connectinfo, int flags, int *activep, int depth);
82 /* Use of privilege separation or not */
83 extern int use_privsep;
84 extern struct sshbuf *cfg;
86 /* Initializes the server options to their default values. */
89 initialize_server_options(ServerOptions *options)
91 memset(options, 0, sizeof(*options));
93 /* Portable-specific options */
94 options->use_pam = -1;
96 /* Standard Options */
97 options->num_ports = 0;
98 options->ports_from_cmdline = 0;
99 options->queued_listen_addrs = NULL;
100 options->num_queued_listens = 0;
101 options->listen_addrs = NULL;
102 options->num_listen_addrs = 0;
103 options->address_family = -1;
104 options->routing_domain = NULL;
105 options->num_host_key_files = 0;
106 options->num_host_cert_files = 0;
107 options->host_key_agent = NULL;
108 options->pid_file = NULL;
109 options->login_grace_time = -1;
110 options->permit_root_login = PERMIT_NOT_SET;
111 options->ignore_rhosts = -1;
112 options->ignore_user_known_hosts = -1;
113 options->print_motd = -1;
114 options->print_lastlog = -1;
115 options->x11_forwarding = -1;
116 options->x11_display_offset = -1;
117 options->x11_use_localhost = -1;
118 options->permit_tty = -1;
119 options->permit_user_rc = -1;
120 options->xauth_location = NULL;
121 options->strict_modes = -1;
122 options->tcp_keep_alive = -1;
123 options->log_facility = SYSLOG_FACILITY_NOT_SET;
124 options->log_level = SYSLOG_LEVEL_NOT_SET;
125 options->num_log_verbose = 0;
126 options->log_verbose = NULL;
127 options->hostbased_authentication = -1;
128 options->hostbased_uses_name_from_packet_only = -1;
129 options->hostbased_accepted_algos = NULL;
130 options->hostkeyalgorithms = NULL;
131 options->pubkey_authentication = -1;
132 options->pubkey_auth_options = -1;
133 options->pubkey_accepted_algos = NULL;
134 options->kerberos_authentication = -1;
135 options->kerberos_or_local_passwd = -1;
136 options->kerberos_ticket_cleanup = -1;
137 options->kerberos_get_afs_token = -1;
138 options->gss_authentication=-1;
139 options->gss_cleanup_creds = -1;
140 options->gss_strict_acceptor = -1;
141 options->password_authentication = -1;
142 options->kbd_interactive_authentication = -1;
143 options->permit_empty_passwd = -1;
144 options->permit_user_env = -1;
145 options->permit_user_env_allowlist = NULL;
146 options->compression = -1;
147 options->rekey_limit = -1;
148 options->rekey_interval = -1;
149 options->allow_tcp_forwarding = -1;
150 options->allow_streamlocal_forwarding = -1;
151 options->allow_agent_forwarding = -1;
152 options->num_allow_users = 0;
153 options->num_deny_users = 0;
154 options->num_allow_groups = 0;
155 options->num_deny_groups = 0;
156 options->ciphers = NULL;
157 options->macs = NULL;
158 options->kex_algorithms = NULL;
159 options->ca_sign_algorithms = NULL;
160 options->fwd_opts.gateway_ports = -1;
161 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
162 options->fwd_opts.streamlocal_bind_unlink = -1;
163 options->num_subsystems = 0;
164 options->max_startups_begin = -1;
165 options->max_startups_rate = -1;
166 options->max_startups = -1;
167 options->per_source_max_startups = -1;
168 options->per_source_masklen_ipv4 = -1;
169 options->per_source_masklen_ipv6 = -1;
170 options->max_authtries = -1;
171 options->max_sessions = -1;
172 options->banner = NULL;
173 options->use_dns = -1;
174 options->client_alive_interval = -1;
175 options->client_alive_count_max = -1;
176 options->num_authkeys_files = 0;
177 options->num_accept_env = 0;
178 options->num_setenv = 0;
179 options->permit_tun = -1;
180 options->permitted_opens = NULL;
181 options->permitted_listens = NULL;
182 options->adm_forced_command = NULL;
183 options->chroot_directory = NULL;
184 options->authorized_keys_command = NULL;
185 options->authorized_keys_command_user = NULL;
186 options->revoked_keys_file = NULL;
187 options->sk_provider = NULL;
188 options->trusted_user_ca_keys = NULL;
189 options->authorized_principals_file = NULL;
190 options->authorized_principals_command = NULL;
191 options->authorized_principals_command_user = NULL;
192 options->ip_qos_interactive = -1;
193 options->ip_qos_bulk = -1;
194 options->version_addendum = NULL;
195 options->fingerprint_hash = -1;
196 options->disable_forwarding = -1;
197 options->expose_userauth_info = -1;
198 options->required_rsa_size = -1;
199 options->channel_timeouts = NULL;
200 options->num_channel_timeouts = 0;
201 options->unused_connection_timeout = -1;
202 options->use_blacklist = -1;
205 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
207 option_clear_or_none(const char *o)
209 return o == NULL || strcasecmp(o, "none") == 0;
213 assemble_algorithms(ServerOptions *o)
215 char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
216 char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
219 all_cipher = cipher_alg_list(',', 0);
220 all_mac = mac_alg_list(',');
221 all_kex = kex_alg_list(',');
222 all_key = sshkey_alg_list(0, 0, 1, ',');
223 all_sig = sshkey_alg_list(0, 1, 1, ',');
224 /* remove unsupported algos from default lists */
225 def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
226 def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
227 def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
228 def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
229 def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
230 #define ASSEMBLE(what, defaults, all) \
232 if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
233 fatal_fr(r, "%s", #what); \
235 ASSEMBLE(ciphers, def_cipher, all_cipher);
236 ASSEMBLE(macs, def_mac, all_mac);
237 ASSEMBLE(kex_algorithms, def_kex, all_kex);
238 ASSEMBLE(hostkeyalgorithms, def_key, all_key);
239 ASSEMBLE(hostbased_accepted_algos, def_key, all_key);
240 ASSEMBLE(pubkey_accepted_algos, def_key, all_key);
241 ASSEMBLE(ca_sign_algorithms, def_sig, all_sig);
255 static const char *defaultkey = "[default]";
258 servconf_add_hostkey(const char *file, const int line,
259 ServerOptions *options, const char *path, int userprovided)
261 char *apath = derelativise_path(path);
263 if (file == defaultkey && access(path, R_OK) != 0)
265 opt_array_append2(file, line, "HostKey",
266 &options->host_key_files, &options->host_key_file_userprovided,
267 &options->num_host_key_files, apath, userprovided);
272 servconf_add_hostcert(const char *file, const int line,
273 ServerOptions *options, const char *path)
275 char *apath = derelativise_path(path);
277 opt_array_append(file, line, "HostCertificate",
278 &options->host_cert_files, &options->num_host_cert_files, apath);
283 fill_default_server_options(ServerOptions *options)
287 /* Portable-specific options */
288 if (options->use_pam == -1)
289 options->use_pam = 1;
291 /* Standard Options */
292 if (options->num_host_key_files == 0) {
293 /* fill default hostkeys for protocols */
294 servconf_add_hostkey(defaultkey, 0, options,
295 _PATH_HOST_RSA_KEY_FILE, 0);
296 #ifdef OPENSSL_HAS_ECC
297 servconf_add_hostkey(defaultkey, 0, options,
298 _PATH_HOST_ECDSA_KEY_FILE, 0);
300 servconf_add_hostkey(defaultkey, 0, options,
301 _PATH_HOST_ED25519_KEY_FILE, 0);
303 servconf_add_hostkey(defaultkey, 0, options,
304 _PATH_HOST_XMSS_KEY_FILE, 0);
305 #endif /* WITH_XMSS */
307 if (options->num_host_key_files == 0)
308 fatal("No host key files found");
309 /* No certificates by default */
310 if (options->num_ports == 0)
311 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
312 if (options->address_family == -1)
313 options->address_family = AF_UNSPEC;
314 if (options->listen_addrs == NULL)
315 add_listen_addr(options, NULL, NULL, 0);
316 if (options->pid_file == NULL)
317 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
318 if (options->moduli_file == NULL)
319 options->moduli_file = xstrdup(_PATH_DH_MODULI);
320 if (options->login_grace_time == -1)
321 options->login_grace_time = 120;
322 if (options->permit_root_login == PERMIT_NOT_SET)
323 options->permit_root_login = PERMIT_NO;
324 if (options->ignore_rhosts == -1)
325 options->ignore_rhosts = 1;
326 if (options->ignore_user_known_hosts == -1)
327 options->ignore_user_known_hosts = 0;
328 if (options->print_motd == -1)
329 options->print_motd = 1;
330 if (options->print_lastlog == -1)
331 options->print_lastlog = 1;
332 if (options->x11_forwarding == -1)
333 options->x11_forwarding = 0;
334 if (options->x11_display_offset == -1)
335 options->x11_display_offset = 10;
336 if (options->x11_use_localhost == -1)
337 options->x11_use_localhost = 1;
338 if (options->xauth_location == NULL)
339 options->xauth_location = xstrdup(_PATH_XAUTH);
340 if (options->permit_tty == -1)
341 options->permit_tty = 1;
342 if (options->permit_user_rc == -1)
343 options->permit_user_rc = 1;
344 if (options->strict_modes == -1)
345 options->strict_modes = 1;
346 if (options->tcp_keep_alive == -1)
347 options->tcp_keep_alive = 1;
348 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
349 options->log_facility = SYSLOG_FACILITY_AUTH;
350 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
351 options->log_level = SYSLOG_LEVEL_INFO;
352 if (options->hostbased_authentication == -1)
353 options->hostbased_authentication = 0;
354 if (options->hostbased_uses_name_from_packet_only == -1)
355 options->hostbased_uses_name_from_packet_only = 0;
356 if (options->pubkey_authentication == -1)
357 options->pubkey_authentication = 1;
358 if (options->pubkey_auth_options == -1)
359 options->pubkey_auth_options = 0;
360 if (options->kerberos_authentication == -1)
361 options->kerberos_authentication = 0;
362 if (options->kerberos_or_local_passwd == -1)
363 options->kerberos_or_local_passwd = 1;
364 if (options->kerberos_ticket_cleanup == -1)
365 options->kerberos_ticket_cleanup = 1;
366 if (options->kerberos_get_afs_token == -1)
367 options->kerberos_get_afs_token = 0;
368 if (options->gss_authentication == -1)
369 options->gss_authentication = 0;
370 if (options->gss_cleanup_creds == -1)
371 options->gss_cleanup_creds = 1;
372 if (options->gss_strict_acceptor == -1)
373 options->gss_strict_acceptor = 1;
374 if (options->password_authentication == -1)
375 options->password_authentication = 0;
376 if (options->kbd_interactive_authentication == -1)
377 options->kbd_interactive_authentication = 1;
378 if (options->permit_empty_passwd == -1)
379 options->permit_empty_passwd = 0;
380 if (options->permit_user_env == -1) {
381 options->permit_user_env = 0;
382 options->permit_user_env_allowlist = NULL;
384 if (options->compression == -1)
386 options->compression = COMP_DELAYED;
388 options->compression = COMP_NONE;
391 if (options->rekey_limit == -1)
392 options->rekey_limit = 0;
393 if (options->rekey_interval == -1)
394 options->rekey_interval = 0;
395 if (options->allow_tcp_forwarding == -1)
396 options->allow_tcp_forwarding = FORWARD_ALLOW;
397 if (options->allow_streamlocal_forwarding == -1)
398 options->allow_streamlocal_forwarding = FORWARD_ALLOW;
399 if (options->allow_agent_forwarding == -1)
400 options->allow_agent_forwarding = 1;
401 if (options->fwd_opts.gateway_ports == -1)
402 options->fwd_opts.gateway_ports = 0;
403 if (options->max_startups == -1)
404 options->max_startups = 100;
405 if (options->max_startups_rate == -1)
406 options->max_startups_rate = 30; /* 30% */
407 if (options->max_startups_begin == -1)
408 options->max_startups_begin = 10;
409 if (options->per_source_max_startups == -1)
410 options->per_source_max_startups = INT_MAX;
411 if (options->per_source_masklen_ipv4 == -1)
412 options->per_source_masklen_ipv4 = 32;
413 if (options->per_source_masklen_ipv6 == -1)
414 options->per_source_masklen_ipv6 = 128;
415 if (options->max_authtries == -1)
416 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
417 if (options->max_sessions == -1)
418 options->max_sessions = DEFAULT_SESSIONS_MAX;
419 if (options->use_dns == -1)
420 options->use_dns = 1;
421 if (options->client_alive_interval == -1)
422 options->client_alive_interval = 0;
423 if (options->client_alive_count_max == -1)
424 options->client_alive_count_max = 3;
425 if (options->num_authkeys_files == 0) {
426 opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
427 &options->authorized_keys_files,
428 &options->num_authkeys_files,
429 _PATH_SSH_USER_PERMITTED_KEYS);
430 opt_array_append(defaultkey, 0, "AuthorizedKeysFiles",
431 &options->authorized_keys_files,
432 &options->num_authkeys_files,
433 _PATH_SSH_USER_PERMITTED_KEYS2);
435 if (options->permit_tun == -1)
436 options->permit_tun = SSH_TUNMODE_NO;
437 if (options->ip_qos_interactive == -1)
438 options->ip_qos_interactive = IPTOS_DSCP_AF21;
439 if (options->ip_qos_bulk == -1)
440 options->ip_qos_bulk = IPTOS_DSCP_CS1;
441 if (options->version_addendum == NULL)
442 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
443 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
444 options->fwd_opts.streamlocal_bind_mask = 0177;
445 if (options->fwd_opts.streamlocal_bind_unlink == -1)
446 options->fwd_opts.streamlocal_bind_unlink = 0;
447 if (options->fingerprint_hash == -1)
448 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
449 if (options->disable_forwarding == -1)
450 options->disable_forwarding = 0;
451 if (options->expose_userauth_info == -1)
452 options->expose_userauth_info = 0;
453 if (options->sk_provider == NULL)
454 options->sk_provider = xstrdup("internal");
455 if (options->required_rsa_size == -1)
456 options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE;
457 if (options->unused_connection_timeout == -1)
458 options->unused_connection_timeout = 0;
459 if (options->use_blacklist == -1)
460 options->use_blacklist = 0;
462 assemble_algorithms(options);
464 /* Turn privilege separation and sandboxing on by default */
465 if (use_privsep == -1)
466 use_privsep = PRIVSEP_ON;
468 #define CLEAR_ON_NONE(v) \
470 if (option_clear_or_none(v)) { \
475 #define CLEAR_ON_NONE_ARRAY(v, nv, none) \
477 if (options->nv == 1 && \
478 strcasecmp(options->v[0], none) == 0) { \
479 free(options->v[0]); \
485 CLEAR_ON_NONE(options->pid_file);
486 CLEAR_ON_NONE(options->xauth_location);
487 CLEAR_ON_NONE(options->banner);
488 CLEAR_ON_NONE(options->trusted_user_ca_keys);
489 CLEAR_ON_NONE(options->revoked_keys_file);
490 CLEAR_ON_NONE(options->sk_provider);
491 CLEAR_ON_NONE(options->authorized_principals_file);
492 CLEAR_ON_NONE(options->adm_forced_command);
493 CLEAR_ON_NONE(options->chroot_directory);
494 CLEAR_ON_NONE(options->routing_domain);
495 CLEAR_ON_NONE(options->host_key_agent);
497 for (i = 0; i < options->num_host_key_files; i++)
498 CLEAR_ON_NONE(options->host_key_files[i]);
499 for (i = 0; i < options->num_host_cert_files; i++)
500 CLEAR_ON_NONE(options->host_cert_files[i]);
502 CLEAR_ON_NONE_ARRAY(channel_timeouts, num_channel_timeouts, "none");
503 CLEAR_ON_NONE_ARRAY(auth_methods, num_auth_methods, "any");
505 #undef CLEAR_ON_NONE_ARRAY
508 /* Keyword tokens. */
510 sBadOption, /* == unknown option */
511 /* Portable-specific options */
513 /* Standard Options */
514 sPort, sHostKeyFile, sLoginGraceTime,
515 sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
516 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
517 sKerberosGetAFSToken, sPasswordAuthentication,
518 sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
519 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
520 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
521 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
522 sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
523 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
524 sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile, sModuliFile,
525 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedAlgorithms,
526 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
527 sBanner, sUseDNS, sHostbasedAuthentication,
528 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
529 sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
530 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
531 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
532 sAcceptEnv, sSetEnv, sPermitTunnel,
533 sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
534 sUsePrivilegeSeparation, sAllowAgentForwarding,
535 sHostCertificate, sInclude,
536 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
537 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
538 sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
539 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
540 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
541 sStreamLocalBindMask, sStreamLocalBindUnlink,
542 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
543 sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
544 sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout,
546 sDeprecated, sIgnore, sUnsupported
549 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of config */
550 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
551 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
552 #define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */
553 #define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */
555 /* Textual representation of the tokens. */
558 ServerOpCodes opcode;
561 /* Portable-specific options */
563 { "usepam", sUsePAM, SSHCFG_GLOBAL },
565 { "usepam", sUnsupported, SSHCFG_GLOBAL },
567 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
568 /* Standard Options */
569 { "port", sPort, SSHCFG_GLOBAL },
570 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
571 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
572 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
573 { "pidfile", sPidFile, SSHCFG_GLOBAL },
574 { "modulifile", sModuliFile, SSHCFG_GLOBAL },
575 { "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
576 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
577 { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
578 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
579 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
580 { "loglevel", sLogLevel, SSHCFG_ALL },
581 { "logverbose", sLogVerbose, SSHCFG_ALL },
582 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
583 { "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
584 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
585 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
586 { "hostbasedacceptedalgorithms", sHostbasedAcceptedAlgorithms, SSHCFG_ALL },
587 { "hostbasedacceptedkeytypes", sHostbasedAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
588 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
589 { "rsaauthentication", sDeprecated, SSHCFG_ALL },
590 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
591 { "pubkeyacceptedalgorithms", sPubkeyAcceptedAlgorithms, SSHCFG_ALL },
592 { "pubkeyacceptedkeytypes", sPubkeyAcceptedAlgorithms, SSHCFG_ALL }, /* obsolete */
593 { "pubkeyauthoptions", sPubkeyAuthOptions, SSHCFG_ALL },
594 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
596 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
597 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
598 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
600 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
602 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
605 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
606 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
607 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
608 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
610 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
611 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
613 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
614 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
615 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
617 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
618 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
619 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
621 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
622 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
623 { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
624 { "skeyauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
625 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
626 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
627 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
628 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
629 #ifdef DISABLE_LASTLOG
630 { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
632 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
634 { "ignorerhosts", sIgnoreRhosts, SSHCFG_ALL },
635 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
636 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
637 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
638 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
639 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
640 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
641 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
642 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
643 { "uselogin", sDeprecated, SSHCFG_GLOBAL },
644 { "compression", sCompression, SSHCFG_GLOBAL },
645 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
646 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
647 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
648 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
649 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
650 { "allowusers", sAllowUsers, SSHCFG_ALL },
651 { "denyusers", sDenyUsers, SSHCFG_ALL },
652 { "allowgroups", sAllowGroups, SSHCFG_ALL },
653 { "denygroups", sDenyGroups, SSHCFG_ALL },
654 { "ciphers", sCiphers, SSHCFG_GLOBAL },
655 { "macs", sMacs, SSHCFG_GLOBAL },
656 { "protocol", sIgnore, SSHCFG_GLOBAL },
657 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
658 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
659 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
660 { "persourcemaxstartups", sPerSourceMaxStartups, SSHCFG_GLOBAL },
661 { "persourcenetblocksize", sPerSourceNetBlockSize, SSHCFG_GLOBAL },
662 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
663 { "maxsessions", sMaxSessions, SSHCFG_ALL },
664 { "banner", sBanner, SSHCFG_ALL },
665 { "usedns", sUseDNS, SSHCFG_GLOBAL },
666 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
667 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
668 { "clientaliveinterval", sClientAliveInterval, SSHCFG_ALL },
669 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_ALL },
670 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
671 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
672 { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
673 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
674 { "setenv", sSetEnv, SSHCFG_ALL },
675 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
676 { "permittty", sPermitTTY, SSHCFG_ALL },
677 { "permituserrc", sPermitUserRC, SSHCFG_ALL },
678 { "match", sMatch, SSHCFG_ALL },
679 { "permitopen", sPermitOpen, SSHCFG_ALL },
680 { "permitlisten", sPermitListen, SSHCFG_ALL },
681 { "forcecommand", sForceCommand, SSHCFG_ALL },
682 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
683 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
684 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
685 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
686 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
687 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
688 { "include", sInclude, SSHCFG_ALL },
689 { "ipqos", sIPQoS, SSHCFG_ALL },
690 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
691 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
692 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
693 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
694 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
695 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
696 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
697 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
698 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
699 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
700 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
701 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
702 { "rdomain", sRDomain, SSHCFG_ALL },
703 { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
704 { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
705 { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
706 { "channeltimeout", sChannelTimeout, SSHCFG_ALL },
707 { "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
708 { "useblacklist", sUseBlacklist, SSHCFG_GLOBAL },
709 { "useblocklist", sUseBlacklist, SSHCFG_GLOBAL }, /* alias */
711 { NULL, sBadOption, 0 }
718 { SSH_TUNMODE_NO, "no" },
719 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
720 { SSH_TUNMODE_ETHERNET, "ethernet" },
721 { SSH_TUNMODE_YES, "yes" },
725 /* Returns an opcode name from its number */
728 lookup_opcode_name(ServerOpCodes code)
732 for (i = 0; keywords[i].name != NULL; i++)
733 if (keywords[i].opcode == code)
734 return(keywords[i].name);
740 * Returns the number of the token pointed to by cp or sBadOption.
744 parse_token(const char *cp, const char *filename,
745 int linenum, u_int *flags)
749 for (i = 0; keywords[i].name; i++)
750 if (strcasecmp(cp, keywords[i].name) == 0) {
751 *flags = keywords[i].flags;
752 return keywords[i].opcode;
755 error("%s: line %d: Bad configuration option: %s",
756 filename, linenum, cp);
761 derelativise_path(const char *path)
763 char *expanded, *ret, cwd[PATH_MAX];
765 if (strcasecmp(path, "none") == 0)
766 return xstrdup("none");
767 expanded = tilde_expand_filename(path, getuid());
768 if (path_absolute(expanded))
770 if (getcwd(cwd, sizeof(cwd)) == NULL)
771 fatal_f("getcwd: %s", strerror(errno));
772 xasprintf(&ret, "%s/%s", cwd, expanded);
778 add_listen_addr(ServerOptions *options, const char *addr,
779 const char *rdomain, int port)
784 add_one_listen_addr(options, addr, rdomain, port);
786 for (i = 0; i < options->num_ports; i++) {
787 add_one_listen_addr(options, addr, rdomain,
794 add_one_listen_addr(ServerOptions *options, const char *addr,
795 const char *rdomain, int port)
797 struct addrinfo hints, *ai, *aitop;
798 char strport[NI_MAXSERV];
802 /* Find listen_addrs entry for this rdomain */
803 for (i = 0; i < options->num_listen_addrs; i++) {
804 if (rdomain == NULL && options->listen_addrs[i].rdomain == NULL)
806 if (rdomain == NULL || options->listen_addrs[i].rdomain == NULL)
808 if (strcmp(rdomain, options->listen_addrs[i].rdomain) == 0)
811 if (i >= options->num_listen_addrs) {
812 /* No entry for this rdomain; allocate one */
814 fatal_f("too many listen addresses");
815 options->listen_addrs = xrecallocarray(options->listen_addrs,
816 options->num_listen_addrs, options->num_listen_addrs + 1,
817 sizeof(*options->listen_addrs));
818 i = options->num_listen_addrs++;
820 options->listen_addrs[i].rdomain = xstrdup(rdomain);
822 /* options->listen_addrs[i] points to the addresses for this rdomain */
824 memset(&hints, 0, sizeof(hints));
825 hints.ai_family = options->address_family;
826 hints.ai_socktype = SOCK_STREAM;
827 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
828 snprintf(strport, sizeof strport, "%d", port);
829 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
830 fatal("bad addr or host: %s (%s)",
831 addr ? addr : "<NULL>",
832 ssh_gai_strerror(gaierr));
833 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
835 ai->ai_next = options->listen_addrs[i].addrs;
836 options->listen_addrs[i].addrs = aitop;
839 /* Returns nonzero if the routing domain name is valid */
841 valid_rdomain(const char *name)
843 #if defined(HAVE_SYS_VALID_RDOMAIN)
844 return sys_valid_rdomain(name);
845 #elif defined(__OpenBSD__)
848 struct rt_tableinfo info;
850 size_t miblen = sizeof(mib);
855 num = strtonum(name, 0, 255, &errstr);
859 /* Check whether the table actually exists */
860 memset(mib, 0, sizeof(mib));
863 mib[4] = NET_RT_TABLE;
865 if (sysctl(mib, 6, &info, &miblen, NULL, 0) == -1)
869 #else /* defined(__OpenBSD__) */
870 error("Routing domains are not supported on this platform");
876 * Queue a ListenAddress to be processed once we have all of the Ports
877 * and AddressFamily options.
880 queue_listen_addr(ServerOptions *options, const char *addr,
881 const char *rdomain, int port)
883 struct queued_listenaddr *qla;
885 options->queued_listen_addrs = xrecallocarray(
886 options->queued_listen_addrs,
887 options->num_queued_listens, options->num_queued_listens + 1,
888 sizeof(*options->queued_listen_addrs));
889 qla = &options->queued_listen_addrs[options->num_queued_listens++];
890 qla->addr = xstrdup(addr);
892 qla->rdomain = rdomain == NULL ? NULL : xstrdup(rdomain);
896 * Process queued (text) ListenAddress entries.
899 process_queued_listen_addrs(ServerOptions *options)
902 struct queued_listenaddr *qla;
904 if (options->num_ports == 0)
905 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
906 if (options->address_family == -1)
907 options->address_family = AF_UNSPEC;
909 for (i = 0; i < options->num_queued_listens; i++) {
910 qla = &options->queued_listen_addrs[i];
911 add_listen_addr(options, qla->addr, qla->rdomain, qla->port);
915 free(options->queued_listen_addrs);
916 options->queued_listen_addrs = NULL;
917 options->num_queued_listens = 0;
921 * Inform channels layer of permitopen options for a single forwarding
922 * direction (local/remote).
925 process_permitopen_list(struct ssh *ssh, ServerOpCodes opcode,
926 char **opens, u_int num_opens)
930 char *host, *arg, *oarg;
931 int where = opcode == sPermitOpen ? FORWARD_LOCAL : FORWARD_REMOTE;
932 const char *what = lookup_opcode_name(opcode);
934 channel_clear_permission(ssh, FORWARD_ADM, where);
936 return; /* permit any */
938 /* handle keywords: "any" / "none" */
939 if (num_opens == 1 && strcmp(opens[0], "any") == 0)
941 if (num_opens == 1 && strcmp(opens[0], "none") == 0) {
942 channel_disable_admin(ssh, where);
945 /* Otherwise treat it as a list of permitted host:port */
946 for (i = 0; i < num_opens; i++) {
947 oarg = arg = xstrdup(opens[i]);
948 host = hpdelim(&arg);
950 fatal_f("missing host in %s", what);
951 host = cleanhostname(host);
952 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
953 fatal_f("bad port number in %s", what);
954 /* Send it to channels layer */
955 channel_add_permission(ssh, FORWARD_ADM,
962 * Inform channels layer of permitopen options from configuration.
965 process_permitopen(struct ssh *ssh, ServerOptions *options)
967 process_permitopen_list(ssh, sPermitOpen,
968 options->permitted_opens, options->num_permitted_opens);
969 process_permitopen_list(ssh, sPermitListen,
970 options->permitted_listens,
971 options->num_permitted_listens);
974 /* Parse a ChannelTimeout clause "pattern=interval" */
976 parse_timeout(const char *s, char **typep, u_int *secsp)
989 if ((cp = strchr(sdup, '=')) == NULL || cp == sdup) {
994 if ((secs = convtime(cp)) < 0) {
1000 *typep = xstrdup(sdup);
1002 *secsp = (u_int)secs;
1008 process_channel_timeouts(struct ssh *ssh, ServerOptions *options)
1013 debug3_f("setting %u timeouts", options->num_channel_timeouts);
1014 channel_clear_timeouts(ssh);
1015 for (i = 0; i < options->num_channel_timeouts; i++) {
1016 if (parse_timeout(options->channel_timeouts[i],
1017 &type, &secs) != 0) {
1018 fatal_f("internal error: bad timeout %s",
1019 options->channel_timeouts[i]);
1021 channel_add_timeout(ssh, type, secs);
1026 struct connection_info *
1027 get_connection_info(struct ssh *ssh, int populate, int use_dns)
1029 static struct connection_info ci;
1031 if (ssh == NULL || !populate)
1033 ci.host = auth_get_canonical_hostname(ssh, use_dns);
1034 ci.address = ssh_remote_ipaddr(ssh);
1035 ci.laddress = ssh_local_ipaddr(ssh);
1036 ci.lport = ssh_local_port(ssh);
1037 ci.rdomain = ssh_packet_rdomain_in(ssh);
1042 * The strategy for the Match blocks is that the config file is parsed twice.
1044 * The first time is at startup. activep is initialized to 1 and the
1045 * directives in the global context are processed and acted on. Hitting a
1046 * Match directive unsets activep and the directives inside the block are
1047 * checked for syntax only.
1049 * The second time is after a connection has been established but before
1050 * authentication. activep is initialized to 2 and global config directives
1051 * are ignored since they have already been processed. If the criteria in a
1052 * Match block is met, activep is set and the subsequent directives
1053 * processed and actioned until EOF or another Match block unsets it. Any
1054 * options set are copied into the main server config.
1056 * Potential additions/improvements:
1057 * - Add Match support for pre-kex directives, eg. Ciphers.
1059 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
1060 * Match Address 192.168.0.*
1065 * AllowTcpForwarding yes
1066 * GatewayPorts clientspecified
1069 * - Add a PermittedChannelRequests directive
1071 * PermittedChannelRequests session,forwarded-tcpip
1075 match_cfg_line_group(const char *grps, int line, const char *user)
1083 if ((pw = getpwnam(user)) == NULL) {
1084 debug("Can't match group at line %d because user %.100s does "
1085 "not exist", line, user);
1086 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
1087 debug("Can't Match group because user %.100s not in any group "
1088 "at line %d", user, line);
1089 } else if (ga_match_pattern_list(grps) != 1) {
1090 debug("user %.100s does not match group list %.100s at line %d",
1093 debug("user %.100s matched group list %.100s at line %d", user,
1103 match_test_missing_fatal(const char *criteria, const char *attrib)
1105 fatal("'Match %s' in configuration but '%s' not in connection "
1106 "test specification.", criteria, attrib);
1110 * All of the attributes on a single Match line are ANDed together, so we need
1111 * to check every attribute and set the result to zero if any attribute does
1115 match_cfg_line(char **condition, int line, struct connection_info *ci)
1117 int result = 1, attributes = 0, port;
1118 char *arg, *attrib, *cp = *condition;
1121 debug3("checking syntax for 'Match %s'", cp);
1123 debug3("checking match for '%s' user %s host %s addr %s "
1124 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
1125 ci->host ? ci->host : "(null)",
1126 ci->address ? ci->address : "(null)",
1127 ci->laddress ? ci->laddress : "(null)", ci->lport);
1129 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
1130 /* Terminate on comment */
1131 if (*attrib == '#') {
1132 cp = NULL; /* mark all arguments consumed */
1137 /* Criterion "all" has no argument and must appear alone */
1138 if (strcasecmp(attrib, "all") == 0) {
1139 if (attributes > 1 || ((arg = strdelim(&cp)) != NULL &&
1140 *arg != '\0' && *arg != '#')) {
1141 error("'all' cannot be combined with other "
1142 "Match attributes");
1145 if (arg != NULL && *arg == '#')
1146 cp = NULL; /* mark all arguments consumed */
1150 /* All other criteria require an argument */
1151 if ((arg = strdelim(&cp)) == NULL ||
1152 *arg == '\0' || *arg == '#') {
1153 error("Missing Match criteria for %s", attrib);
1156 if (strcasecmp(attrib, "user") == 0) {
1157 if (ci == NULL || (ci->test && ci->user == NULL)) {
1161 if (ci->user == NULL)
1162 match_test_missing_fatal("User", "user");
1163 if (match_usergroup_pattern_list(ci->user, arg) != 1)
1166 debug("user %.100s matched 'User %.100s' at "
1167 "line %d", ci->user, arg, line);
1168 } else if (strcasecmp(attrib, "group") == 0) {
1169 if (ci == NULL || (ci->test && ci->user == NULL)) {
1173 if (ci->user == NULL)
1174 match_test_missing_fatal("Group", "user");
1175 switch (match_cfg_line_group(arg, line, ci->user)) {
1181 } else if (strcasecmp(attrib, "host") == 0) {
1182 if (ci == NULL || (ci->test && ci->host == NULL)) {
1186 if (ci->host == NULL)
1187 match_test_missing_fatal("Host", "host");
1188 if (match_hostname(ci->host, arg) != 1)
1191 debug("connection from %.100s matched 'Host "
1192 "%.100s' at line %d", ci->host, arg, line);
1193 } else if (strcasecmp(attrib, "address") == 0) {
1194 if (ci == NULL || (ci->test && ci->address == NULL)) {
1195 if (addr_match_list(NULL, arg) != 0)
1196 fatal("Invalid Match address argument "
1197 "'%s' at line %d", arg, line);
1201 if (ci->address == NULL)
1202 match_test_missing_fatal("Address", "addr");
1203 switch (addr_match_list(ci->address, arg)) {
1205 debug("connection from %.100s matched 'Address "
1206 "%.100s' at line %d", ci->address, arg, line);
1215 } else if (strcasecmp(attrib, "localaddress") == 0){
1216 if (ci == NULL || (ci->test && ci->laddress == NULL)) {
1217 if (addr_match_list(NULL, arg) != 0)
1218 fatal("Invalid Match localaddress "
1219 "argument '%s' at line %d", arg,
1224 if (ci->laddress == NULL)
1225 match_test_missing_fatal("LocalAddress",
1227 switch (addr_match_list(ci->laddress, arg)) {
1229 debug("connection from %.100s matched "
1230 "'LocalAddress %.100s' at line %d",
1231 ci->laddress, arg, line);
1240 } else if (strcasecmp(attrib, "localport") == 0) {
1241 if ((port = a2port(arg)) == -1) {
1242 error("Invalid LocalPort '%s' on Match line",
1246 if (ci == NULL || (ci->test && ci->lport == -1)) {
1251 match_test_missing_fatal("LocalPort", "lport");
1252 /* TODO support port lists */
1253 if (port == ci->lport)
1254 debug("connection from %.100s matched "
1255 "'LocalPort %d' at line %d",
1256 ci->laddress, port, line);
1259 } else if (strcasecmp(attrib, "rdomain") == 0) {
1260 if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
1264 if (ci->rdomain == NULL)
1265 match_test_missing_fatal("RDomain", "rdomain");
1266 if (match_pattern_list(ci->rdomain, arg, 0) != 1)
1269 debug("user %.100s matched 'RDomain %.100s' at "
1270 "line %d", ci->rdomain, arg, line);
1272 error("Unsupported Match attribute %s", attrib);
1276 if (attributes == 0) {
1277 error("One or more attributes required for Match");
1281 debug3("match %sfound", result ? "" : "not ");
1286 #define WHITESPACE " \t\r\n"
1288 /* Multistate option parsing */
1293 static const struct multistate multistate_flag[] = {
1298 static const struct multistate multistate_ignore_rhosts[] = {
1299 { "yes", IGNORE_RHOSTS_YES },
1300 { "no", IGNORE_RHOSTS_NO },
1301 { "shosts-only", IGNORE_RHOSTS_SHOSTS },
1304 static const struct multistate multistate_addressfamily[] = {
1305 { "inet", AF_INET },
1306 { "inet6", AF_INET6 },
1307 { "any", AF_UNSPEC },
1310 static const struct multistate multistate_permitrootlogin[] = {
1311 { "without-password", PERMIT_NO_PASSWD },
1312 { "prohibit-password", PERMIT_NO_PASSWD },
1313 { "forced-commands-only", PERMIT_FORCED_ONLY },
1314 { "yes", PERMIT_YES },
1315 { "no", PERMIT_NO },
1318 static const struct multistate multistate_compression[] = {
1320 { "yes", COMP_DELAYED },
1321 { "delayed", COMP_DELAYED },
1323 { "no", COMP_NONE },
1326 static const struct multistate multistate_gatewayports[] = {
1327 { "clientspecified", 2 },
1332 static const struct multistate multistate_tcpfwd[] = {
1333 { "yes", FORWARD_ALLOW },
1334 { "all", FORWARD_ALLOW },
1335 { "no", FORWARD_DENY },
1336 { "remote", FORWARD_REMOTE },
1337 { "local", FORWARD_LOCAL },
1342 process_server_config_line_depth(ServerOptions *options, char *line,
1343 const char *filename, int linenum, int *activep,
1344 struct connection_info *connectinfo, int *inc_flags, int depth,
1345 struct include_list *includes)
1347 char *str, ***chararrayptr, **charptr, *arg, *arg2, *p, *keyword;
1348 int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found;
1349 SyslogFacility *log_facility_ptr;
1350 LogLevel *log_level_ptr;
1351 ServerOpCodes opcode;
1352 u_int i, *uintptr, uvalue, flags = 0;
1355 const struct multistate *multistate_ptr;
1357 struct include_item *item;
1359 char **oav = NULL, **av;
1363 /* Strip trailing whitespace. Allow \f (form feed) at EOL only */
1364 if ((len = strlen(line)) == 0)
1366 for (len--; len > 0; len--) {
1367 if (strchr(WHITESPACE "\f", line[len]) == NULL)
1373 if ((keyword = strdelim(&str)) == NULL)
1375 /* Ignore leading whitespace */
1376 if (*keyword == '\0')
1377 keyword = strdelim(&str);
1378 if (!keyword || !*keyword || *keyword == '#')
1380 if (str == NULL || *str == '\0') {
1381 error("%s line %d: no argument after keyword \"%s\"",
1382 filename, linenum, keyword);
1387 opcode = parse_token(keyword, filename, linenum, &flags);
1389 if (argv_split(str, &oac, &oav, 1) != 0) {
1390 error("%s line %d: invalid quotes", filename, linenum);
1396 if (activep == NULL) { /* We are processing a command line directive */
1400 if (*activep && opcode != sMatch && opcode != sInclude)
1401 debug3("%s:%d setting %s %s", filename, linenum, keyword, str);
1402 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1403 if (connectinfo == NULL) {
1404 fatal("%s line %d: Directive '%s' is not allowed "
1405 "within a Match block", filename, linenum, keyword);
1406 } else { /* this is a directive we have already processed */
1413 /* Portable-specific options */
1415 intptr = &options->use_pam;
1418 /* Standard Options */
1422 /* ignore ports from configfile if cmdline specifies ports */
1423 if (options->ports_from_cmdline) {
1427 if (options->num_ports >= MAX_PORTS)
1428 fatal("%s line %d: too many ports.",
1430 arg = argv_next(&ac, &av);
1431 if (!arg || *arg == '\0')
1432 fatal("%s line %d: missing port number.",
1434 options->ports[options->num_ports++] = a2port(arg);
1435 if (options->ports[options->num_ports-1] <= 0)
1436 fatal("%s line %d: Badly formatted port number.",
1440 case sLoginGraceTime:
1441 intptr = &options->login_grace_time;
1443 arg = argv_next(&ac, &av);
1444 if (!arg || *arg == '\0')
1445 fatal("%s line %d: missing time value.",
1447 if ((value = convtime(arg)) == -1)
1448 fatal("%s line %d: invalid time value.",
1450 if (*activep && *intptr == -1)
1454 case sListenAddress:
1455 arg = argv_next(&ac, &av);
1456 if (arg == NULL || *arg == '\0')
1457 fatal("%s line %d: missing address",
1459 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
1460 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1461 && strchr(p+1, ':') != NULL) {
1468 fatal("%s line %d: bad address:port usage",
1470 p = cleanhostname(p);
1473 else if ((port = a2port(arg)) <= 0)
1474 fatal("%s line %d: bad port number",
1477 /* Optional routing table */
1479 if ((arg = argv_next(&ac, &av)) != NULL) {
1480 if (strcmp(arg, "rdomain") != 0 ||
1481 (arg2 = argv_next(&ac, &av)) == NULL)
1482 fatal("%s line %d: bad ListenAddress syntax",
1484 if (!valid_rdomain(arg2))
1485 fatal("%s line %d: bad routing domain",
1488 queue_listen_addr(options, p, arg2, port);
1492 case sAddressFamily:
1493 intptr = &options->address_family;
1494 multistate_ptr = multistate_addressfamily;
1496 arg = argv_next(&ac, &av);
1497 if (!arg || *arg == '\0')
1498 fatal("%s line %d: missing argument.",
1501 for (i = 0; multistate_ptr[i].key != NULL; i++) {
1502 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1503 value = multistate_ptr[i].value;
1508 fatal("%s line %d: unsupported option \"%s\".",
1509 filename, linenum, arg);
1510 if (*activep && *intptr == -1)
1515 arg = argv_next(&ac, &av);
1516 if (!arg || *arg == '\0')
1517 fatal("%s line %d: missing file name.",
1520 servconf_add_hostkey(filename, linenum,
1526 charptr = &options->host_key_agent;
1527 arg = argv_next(&ac, &av);
1528 if (!arg || *arg == '\0')
1529 fatal("%s line %d: missing socket name.",
1531 if (*activep && *charptr == NULL)
1532 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1533 xstrdup(arg) : derelativise_path(arg);
1536 case sHostCertificate:
1537 arg = argv_next(&ac, &av);
1538 if (!arg || *arg == '\0')
1539 fatal("%s line %d: missing file name.",
1542 servconf_add_hostcert(filename, linenum, options, arg);
1546 charptr = &options->pid_file;
1548 arg = argv_next(&ac, &av);
1549 if (!arg || *arg == '\0')
1550 fatal("%s line %d: missing file name.",
1552 if (*activep && *charptr == NULL) {
1553 *charptr = derelativise_path(arg);
1554 /* increase optional counter */
1556 *intptr = *intptr + 1;
1561 charptr = &options->moduli_file;
1562 goto parse_filename;
1564 case sPermitRootLogin:
1565 intptr = &options->permit_root_login;
1566 multistate_ptr = multistate_permitrootlogin;
1567 goto parse_multistate;
1570 intptr = &options->ignore_rhosts;
1571 multistate_ptr = multistate_ignore_rhosts;
1572 goto parse_multistate;
1574 case sIgnoreUserKnownHosts:
1575 intptr = &options->ignore_user_known_hosts;
1577 multistate_ptr = multistate_flag;
1578 goto parse_multistate;
1580 case sHostbasedAuthentication:
1581 intptr = &options->hostbased_authentication;
1584 case sHostbasedUsesNameFromPacketOnly:
1585 intptr = &options->hostbased_uses_name_from_packet_only;
1588 case sHostbasedAcceptedAlgorithms:
1589 charptr = &options->hostbased_accepted_algos;
1591 arg = argv_next(&ac, &av);
1592 if (!arg || *arg == '\0')
1593 fatal("%s line %d: Missing argument.",
1596 !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
1598 fatal("%s line %d: Bad key types '%s'.",
1599 filename, linenum, arg ? arg : "<NONE>");
1600 if (*activep && *charptr == NULL)
1601 *charptr = xstrdup(arg);
1604 case sHostKeyAlgorithms:
1605 charptr = &options->hostkeyalgorithms;
1606 goto parse_pubkey_algos;
1608 case sCASignatureAlgorithms:
1609 charptr = &options->ca_sign_algorithms;
1610 goto parse_pubkey_algos;
1612 case sPubkeyAuthentication:
1613 intptr = &options->pubkey_authentication;
1616 case sPubkeyAcceptedAlgorithms:
1617 charptr = &options->pubkey_accepted_algos;
1618 goto parse_pubkey_algos;
1620 case sPubkeyAuthOptions:
1621 intptr = &options->pubkey_auth_options;
1623 while ((arg = argv_next(&ac, &av)) != NULL) {
1624 if (strcasecmp(arg, "none") == 0)
1626 if (strcasecmp(arg, "touch-required") == 0)
1627 value |= PUBKEYAUTH_TOUCH_REQUIRED;
1628 else if (strcasecmp(arg, "verify-required") == 0)
1629 value |= PUBKEYAUTH_VERIFY_REQUIRED;
1631 error("%s line %d: unsupported %s option %s",
1632 filename, linenum, keyword, arg);
1636 if (*activep && *intptr == -1)
1640 case sKerberosAuthentication:
1641 intptr = &options->kerberos_authentication;
1644 case sKerberosOrLocalPasswd:
1645 intptr = &options->kerberos_or_local_passwd;
1648 case sKerberosTicketCleanup:
1649 intptr = &options->kerberos_ticket_cleanup;
1652 case sKerberosGetAFSToken:
1653 intptr = &options->kerberos_get_afs_token;
1656 case sGssAuthentication:
1657 intptr = &options->gss_authentication;
1660 case sGssCleanupCreds:
1661 intptr = &options->gss_cleanup_creds;
1664 case sGssStrictAcceptor:
1665 intptr = &options->gss_strict_acceptor;
1668 case sPasswordAuthentication:
1669 intptr = &options->password_authentication;
1672 case sKbdInteractiveAuthentication:
1673 intptr = &options->kbd_interactive_authentication;
1677 intptr = &options->print_motd;
1681 intptr = &options->print_lastlog;
1684 case sX11Forwarding:
1685 intptr = &options->x11_forwarding;
1688 case sX11DisplayOffset:
1689 intptr = &options->x11_display_offset;
1691 arg = argv_next(&ac, &av);
1692 if ((errstr = atoi_err(arg, &value)) != NULL)
1693 fatal("%s line %d: %s integer value %s.",
1694 filename, linenum, keyword, errstr);
1695 if (*activep && *intptr == -1)
1699 case sX11UseLocalhost:
1700 intptr = &options->x11_use_localhost;
1703 case sXAuthLocation:
1704 charptr = &options->xauth_location;
1705 goto parse_filename;
1708 intptr = &options->permit_tty;
1712 intptr = &options->permit_user_rc;
1716 intptr = &options->strict_modes;
1720 intptr = &options->tcp_keep_alive;
1724 intptr = &options->permit_empty_passwd;
1727 case sPermitUserEnvironment:
1728 intptr = &options->permit_user_env;
1729 charptr = &options->permit_user_env_allowlist;
1730 arg = argv_next(&ac, &av);
1731 if (!arg || *arg == '\0')
1732 fatal("%s line %d: %s missing argument.",
1733 filename, linenum, keyword);
1736 if (strcmp(arg, "yes") == 0)
1738 else if (strcmp(arg, "no") == 0)
1741 /* Pattern-list specified */
1745 if (*activep && *intptr == -1) {
1754 intptr = &options->compression;
1755 multistate_ptr = multistate_compression;
1756 goto parse_multistate;
1759 arg = argv_next(&ac, &av);
1760 if (!arg || *arg == '\0')
1761 fatal("%s line %d: %s missing argument.",
1762 filename, linenum, keyword);
1763 if (strcmp(arg, "default") == 0) {
1766 if (scan_scaled(arg, &val64) == -1)
1767 fatal("%.200s line %d: Bad %s number '%s': %s",
1768 filename, linenum, keyword,
1769 arg, strerror(errno));
1770 if (val64 != 0 && val64 < 16)
1771 fatal("%.200s line %d: %s too small",
1772 filename, linenum, keyword);
1774 if (*activep && options->rekey_limit == -1)
1775 options->rekey_limit = val64;
1776 if (ac != 0) { /* optional rekey interval present */
1777 if (strcmp(av[0], "none") == 0) {
1778 (void)argv_next(&ac, &av); /* discard */
1781 intptr = &options->rekey_interval;
1787 intptr = &options->fwd_opts.gateway_ports;
1788 multistate_ptr = multistate_gatewayports;
1789 goto parse_multistate;
1792 intptr = &options->use_dns;
1796 log_facility_ptr = &options->log_facility;
1797 arg = argv_next(&ac, &av);
1798 value = log_facility_number(arg);
1799 if (value == SYSLOG_FACILITY_NOT_SET)
1800 fatal("%.200s line %d: unsupported log facility '%s'",
1801 filename, linenum, arg ? arg : "<NONE>");
1802 if (*log_facility_ptr == -1)
1803 *log_facility_ptr = (SyslogFacility) value;
1807 log_level_ptr = &options->log_level;
1808 arg = argv_next(&ac, &av);
1809 value = log_level_number(arg);
1810 if (value == SYSLOG_LEVEL_NOT_SET)
1811 fatal("%.200s line %d: unsupported log level '%s'",
1812 filename, linenum, arg ? arg : "<NONE>");
1813 if (*activep && *log_level_ptr == -1)
1814 *log_level_ptr = (LogLevel) value;
1818 found = options->num_log_verbose == 0;
1820 while ((arg = argv_next(&ac, &av)) != NULL) {
1822 error("%s line %d: keyword %s empty argument",
1823 filename, linenum, keyword);
1826 /* Allow "none" only in first position */
1827 if (strcasecmp(arg, "none") == 0) {
1828 if (i > 0 || ac > 0) {
1829 error("%s line %d: keyword %s \"none\" "
1830 "argument must appear alone.",
1831 filename, linenum, keyword);
1836 if (!found || !*activep)
1838 opt_array_append(filename, linenum, keyword,
1839 &options->log_verbose, &options->num_log_verbose,
1844 case sAllowTcpForwarding:
1845 intptr = &options->allow_tcp_forwarding;
1846 multistate_ptr = multistate_tcpfwd;
1847 goto parse_multistate;
1849 case sAllowStreamLocalForwarding:
1850 intptr = &options->allow_streamlocal_forwarding;
1851 multistate_ptr = multistate_tcpfwd;
1852 goto parse_multistate;
1854 case sAllowAgentForwarding:
1855 intptr = &options->allow_agent_forwarding;
1858 case sDisableForwarding:
1859 intptr = &options->disable_forwarding;
1863 chararrayptr = &options->allow_users;
1864 uintptr = &options->num_allow_users;
1865 parse_allowdenyusers:
1866 while ((arg = argv_next(&ac, &av)) != NULL) {
1868 match_user(NULL, NULL, NULL, arg) == -1)
1869 fatal("%s line %d: invalid %s pattern: \"%s\"",
1870 filename, linenum, keyword, arg);
1873 opt_array_append(filename, linenum, keyword,
1874 chararrayptr, uintptr, arg);
1879 chararrayptr = &options->deny_users;
1880 uintptr = &options->num_deny_users;
1881 goto parse_allowdenyusers;
1884 chararrayptr = &options->allow_groups;
1885 uintptr = &options->num_allow_groups;
1886 parse_allowdenygroups:
1887 while ((arg = argv_next(&ac, &av)) != NULL) {
1889 fatal("%s line %d: empty %s pattern",
1890 filename, linenum, keyword);
1893 opt_array_append(filename, linenum, keyword,
1894 chararrayptr, uintptr, arg);
1899 chararrayptr = &options->deny_groups;
1900 uintptr = &options->num_deny_groups;
1901 goto parse_allowdenygroups;
1904 arg = argv_next(&ac, &av);
1905 if (!arg || *arg == '\0')
1906 fatal("%s line %d: %s missing argument.",
1907 filename, linenum, keyword);
1909 !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1910 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1911 filename, linenum, arg ? arg : "<NONE>");
1912 if (options->ciphers == NULL)
1913 options->ciphers = xstrdup(arg);
1917 arg = argv_next(&ac, &av);
1918 if (!arg || *arg == '\0')
1919 fatal("%s line %d: %s missing argument.",
1920 filename, linenum, keyword);
1922 !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
1923 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1924 filename, linenum, arg ? arg : "<NONE>");
1925 if (options->macs == NULL)
1926 options->macs = xstrdup(arg);
1929 case sKexAlgorithms:
1930 arg = argv_next(&ac, &av);
1931 if (!arg || *arg == '\0')
1932 fatal("%s line %d: %s missing argument.",
1933 filename, linenum, keyword);
1935 !kex_names_valid(*arg == '+' || *arg == '^' ?
1937 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1938 filename, linenum, arg ? arg : "<NONE>");
1939 if (options->kex_algorithms == NULL)
1940 options->kex_algorithms = xstrdup(arg);
1944 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1945 fatal("%s line %d: too many subsystems defined.",
1948 arg = argv_next(&ac, &av);
1949 if (!arg || *arg == '\0')
1950 fatal("%s line %d: %s missing argument.",
1951 filename, linenum, keyword);
1953 arg = argv_next(&ac, &av);
1956 for (i = 0; i < options->num_subsystems; i++)
1957 if (strcmp(arg, options->subsystem_name[i]) == 0)
1958 fatal("%s line %d: Subsystem '%s' "
1959 "already defined.", filename, linenum, arg);
1960 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1961 arg = argv_next(&ac, &av);
1962 if (!arg || *arg == '\0')
1963 fatal("%s line %d: Missing subsystem command.",
1965 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1967 /* Collect arguments (separate to executable) */
1969 len = strlen(p) + 1;
1970 while ((arg = argv_next(&ac, &av)) != NULL) {
1971 len += 1 + strlen(arg);
1972 p = xreallocarray(p, 1, len);
1973 strlcat(p, " ", len);
1974 strlcat(p, arg, len);
1976 options->subsystem_args[options->num_subsystems] = p;
1977 options->num_subsystems++;
1981 arg = argv_next(&ac, &av);
1982 if (!arg || *arg == '\0')
1983 fatal("%s line %d: %s missing argument.",
1984 filename, linenum, keyword);
1985 if ((n = sscanf(arg, "%d:%d:%d",
1986 &options->max_startups_begin,
1987 &options->max_startups_rate,
1988 &options->max_startups)) == 3) {
1989 if (options->max_startups_begin >
1990 options->max_startups ||
1991 options->max_startups_rate > 100 ||
1992 options->max_startups_rate < 1)
1993 fatal("%s line %d: Invalid %s spec.",
1994 filename, linenum, keyword);
1996 fatal("%s line %d: Invalid %s spec.",
1997 filename, linenum, keyword);
1999 options->max_startups = options->max_startups_begin;
2000 if (options->max_startups <= 0 ||
2001 options->max_startups_begin <= 0)
2002 fatal("%s line %d: Invalid %s spec.",
2003 filename, linenum, keyword);
2006 case sPerSourceNetBlockSize:
2007 arg = argv_next(&ac, &av);
2008 if (!arg || *arg == '\0')
2009 fatal("%s line %d: %s missing argument.",
2010 filename, linenum, keyword);
2011 switch (n = sscanf(arg, "%d:%d", &value, &value2)) {
2013 if (value2 < 0 || value2 > 128)
2017 if (value < 0 || value > 32)
2020 if (n != 1 && n != 2)
2021 fatal("%s line %d: Invalid %s spec.",
2022 filename, linenum, keyword);
2024 options->per_source_masklen_ipv4 = value;
2025 options->per_source_masklen_ipv6 = value2;
2029 case sPerSourceMaxStartups:
2030 arg = argv_next(&ac, &av);
2031 if (!arg || *arg == '\0')
2032 fatal("%s line %d: %s missing argument.",
2033 filename, linenum, keyword);
2034 if (strcmp(arg, "none") == 0) { /* no limit */
2037 if ((errstr = atoi_err(arg, &value)) != NULL)
2038 fatal("%s line %d: %s integer value %s.",
2039 filename, linenum, keyword, errstr);
2042 options->per_source_max_startups = value;
2046 intptr = &options->max_authtries;
2050 intptr = &options->max_sessions;
2054 charptr = &options->banner;
2055 goto parse_filename;
2058 * These options can contain %X options expanded at
2059 * connect time, so that you can specify paths like:
2061 * AuthorizedKeysFile /etc/ssh_keys/%u
2063 case sAuthorizedKeysFile:
2064 uvalue = options->num_authkeys_files;
2065 while ((arg = argv_next(&ac, &av)) != NULL) {
2067 error("%s line %d: keyword %s empty argument",
2068 filename, linenum, keyword);
2071 arg2 = tilde_expand_filename(arg, getuid());
2072 if (*activep && uvalue == 0) {
2073 opt_array_append(filename, linenum, keyword,
2074 &options->authorized_keys_files,
2075 &options->num_authkeys_files, arg2);
2081 case sAuthorizedPrincipalsFile:
2082 charptr = &options->authorized_principals_file;
2083 arg = argv_next(&ac, &av);
2084 if (!arg || *arg == '\0')
2085 fatal("%s line %d: %s missing argument.",
2086 filename, linenum, keyword);
2087 if (*activep && *charptr == NULL) {
2088 *charptr = tilde_expand_filename(arg, getuid());
2089 /* increase optional counter */
2091 *intptr = *intptr + 1;
2095 case sClientAliveInterval:
2096 intptr = &options->client_alive_interval;
2099 case sClientAliveCountMax:
2100 intptr = &options->client_alive_count_max;
2104 while ((arg = argv_next(&ac, &av)) != NULL) {
2105 if (*arg == '\0' || strchr(arg, '=') != NULL)
2106 fatal("%s line %d: Invalid environment name.",
2110 opt_array_append(filename, linenum, keyword,
2111 &options->accept_env, &options->num_accept_env,
2117 uvalue = options->num_setenv;
2118 while ((arg = argv_next(&ac, &av)) != NULL) {
2119 if (*arg == '\0' || strchr(arg, '=') == NULL)
2120 fatal("%s line %d: Invalid environment.",
2122 if (!*activep || uvalue != 0)
2124 if (lookup_setenv_in_list(arg, options->setenv,
2125 options->num_setenv) != NULL) {
2126 debug2("%s line %d: ignoring duplicate env "
2127 "name \"%.64s\"", filename, linenum, arg);
2130 opt_array_append(filename, linenum, keyword,
2131 &options->setenv, &options->num_setenv, arg);
2136 intptr = &options->permit_tun;
2137 arg = argv_next(&ac, &av);
2138 if (!arg || *arg == '\0')
2139 fatal("%s line %d: %s missing argument.",
2140 filename, linenum, keyword);
2142 for (i = 0; tunmode_desc[i].val != -1; i++)
2143 if (strcmp(tunmode_desc[i].text, arg) == 0) {
2144 value = tunmode_desc[i].val;
2148 fatal("%s line %d: bad %s argument %s",
2149 filename, linenum, keyword, arg);
2150 if (*activep && *intptr == -1)
2156 fatal("Include directive not supported as a "
2157 "command-line option");
2160 while ((arg2 = argv_next(&ac, &av)) != NULL) {
2161 if (*arg2 == '\0') {
2162 error("%s line %d: keyword %s empty argument",
2163 filename, linenum, keyword);
2168 if (*arg2 != '/' && *arg2 != '~') {
2169 xasprintf(&arg, "%s/%s", SSHDIR, arg2);
2171 arg = xstrdup(arg2);
2174 * Don't let included files clobber the containing
2175 * file's Match state.
2179 /* consult cache of include files */
2180 TAILQ_FOREACH(item, includes, entry) {
2181 if (strcmp(item->selector, arg) != 0)
2183 if (item->filename != NULL) {
2184 parse_server_config_depth(options,
2185 item->filename, item->contents,
2186 includes, connectinfo,
2187 (*inc_flags & SSHCFG_MATCH_ONLY
2188 ? SSHCFG_MATCH_ONLY : (oactive
2189 ? 0 : SSHCFG_NEVERMATCH)),
2190 activep, depth + 1);
2200 /* requested glob was not in cache */
2201 debug2("%s line %d: new include %s",
2202 filename, linenum, arg);
2203 if ((r = glob(arg, 0, NULL, &gbuf)) != 0) {
2204 if (r != GLOB_NOMATCH) {
2205 fatal("%s line %d: include \"%s\" glob "
2206 "failed", filename, linenum, arg);
2209 * If no entry matched then record a
2210 * placeholder to skip later glob calls.
2212 debug2("%s line %d: no match for %s",
2213 filename, linenum, arg);
2214 item = xcalloc(1, sizeof(*item));
2215 item->selector = strdup(arg);
2216 TAILQ_INSERT_TAIL(includes,
2219 if (gbuf.gl_pathc > INT_MAX)
2220 fatal_f("too many glob results");
2221 for (n = 0; n < (int)gbuf.gl_pathc; n++) {
2222 debug2("%s line %d: including %s",
2223 filename, linenum, gbuf.gl_pathv[n]);
2224 item = xcalloc(1, sizeof(*item));
2225 item->selector = strdup(arg);
2226 item->filename = strdup(gbuf.gl_pathv[n]);
2227 if ((item->contents = sshbuf_new()) == NULL)
2228 fatal_f("sshbuf_new failed");
2229 load_server_config(item->filename,
2231 parse_server_config_depth(options,
2232 item->filename, item->contents,
2233 includes, connectinfo,
2234 (*inc_flags & SSHCFG_MATCH_ONLY
2235 ? SSHCFG_MATCH_ONLY : (oactive
2236 ? 0 : SSHCFG_NEVERMATCH)),
2237 activep, depth + 1);
2239 TAILQ_INSERT_TAIL(includes, item, entry);
2245 fatal("%s line %d: %s missing filename argument",
2246 filename, linenum, keyword);
2252 fatal("Match directive not supported as a command-line "
2254 value = match_cfg_line(&str, linenum,
2255 (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
2257 fatal("%s line %d: Bad Match condition", filename,
2259 *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
2261 * The MATCH_ONLY flag is applicable only until the first
2264 *inc_flags &= ~SSHCFG_MATCH_ONLY;
2266 * If match_cfg_line() didn't consume all its arguments then
2267 * arrange for the extra arguments check below to fail.
2269 if (str == NULL || *str == '\0')
2275 if (opcode == sPermitListen) {
2276 uintptr = &options->num_permitted_listens;
2277 chararrayptr = &options->permitted_listens;
2279 uintptr = &options->num_permitted_opens;
2280 chararrayptr = &options->permitted_opens;
2282 arg = argv_next(&ac, &av);
2283 if (!arg || *arg == '\0')
2284 fatal("%s line %d: %s missing argument.",
2285 filename, linenum, keyword);
2286 uvalue = *uintptr; /* modified later */
2287 if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
2288 if (*activep && uvalue == 0) {
2290 *chararrayptr = xcalloc(1,
2291 sizeof(**chararrayptr));
2292 (*chararrayptr)[0] = xstrdup(arg);
2296 for (; arg != NULL && *arg != '\0'; arg = argv_next(&ac, &av)) {
2297 if (opcode == sPermitListen &&
2298 strchr(arg, ':') == NULL) {
2300 * Allow bare port number for PermitListen
2301 * to indicate a wildcard listen host.
2303 xasprintf(&arg2, "*:%s", arg);
2305 arg2 = xstrdup(arg);
2308 fatal("%s line %d: %s missing host",
2309 filename, linenum, keyword);
2311 p = cleanhostname(p);
2314 ((port = permitopen_port(arg)) < 0)) {
2315 fatal("%s line %d: %s bad port number",
2316 filename, linenum, keyword);
2318 if (*activep && uvalue == 0) {
2319 opt_array_append(filename, linenum, keyword,
2320 chararrayptr, uintptr, arg2);
2327 if (str == NULL || *str == '\0')
2328 fatal("%s line %d: %s missing argument.",
2329 filename, linenum, keyword);
2330 len = strspn(str, WHITESPACE);
2331 if (*activep && options->adm_forced_command == NULL)
2332 options->adm_forced_command = xstrdup(str + len);
2336 case sChrootDirectory:
2337 charptr = &options->chroot_directory;
2339 arg = argv_next(&ac, &av);
2340 if (!arg || *arg == '\0')
2341 fatal("%s line %d: %s missing argument.",
2342 filename, linenum, keyword);
2343 if (*activep && *charptr == NULL)
2344 *charptr = xstrdup(arg);
2347 case sTrustedUserCAKeys:
2348 charptr = &options->trusted_user_ca_keys;
2349 goto parse_filename;
2352 charptr = &options->revoked_keys_file;
2353 goto parse_filename;
2355 case sSecurityKeyProvider:
2356 charptr = &options->sk_provider;
2357 arg = argv_next(&ac, &av);
2358 if (!arg || *arg == '\0')
2359 fatal("%s line %d: %s missing argument.",
2360 filename, linenum, keyword);
2361 if (*activep && *charptr == NULL) {
2362 *charptr = strcasecmp(arg, "internal") == 0 ?
2363 xstrdup(arg) : derelativise_path(arg);
2364 /* increase optional counter */
2366 *intptr = *intptr + 1;
2371 arg = argv_next(&ac, &av);
2372 if (!arg || *arg == '\0')
2373 fatal("%s line %d: %s missing argument.",
2374 filename, linenum, keyword);
2375 if ((value = parse_ipqos(arg)) == -1)
2376 fatal("%s line %d: Bad %s value: %s",
2377 filename, linenum, keyword, arg);
2378 arg = argv_next(&ac, &av);
2381 else if ((value2 = parse_ipqos(arg)) == -1)
2382 fatal("%s line %d: Bad %s value: %s",
2383 filename, linenum, keyword, arg);
2385 options->ip_qos_interactive = value;
2386 options->ip_qos_bulk = value2;
2390 case sVersionAddendum:
2391 if (str == NULL || *str == '\0')
2392 fatal("%s line %d: %s missing argument.",
2393 filename, linenum, keyword);
2394 len = strspn(str, WHITESPACE);
2395 if (strchr(str + len, '\r') != NULL) {
2396 fatal("%.200s line %d: Invalid %s argument",
2397 filename, linenum, keyword);
2399 if ((arg = strchr(line, '#')) != NULL) {
2403 if (*activep && options->version_addendum == NULL) {
2404 if (strcasecmp(str + len, "none") == 0)
2405 options->version_addendum = xstrdup("");
2407 options->version_addendum = xstrdup(str + len);
2412 case sAuthorizedKeysCommand:
2413 charptr = &options->authorized_keys_command;
2415 len = strspn(str, WHITESPACE);
2416 if (str[len] != '/' && strcasecmp(str + len, "none") != 0) {
2417 fatal("%.200s line %d: %s must be an absolute path",
2418 filename, linenum, keyword);
2420 if (*activep && options->authorized_keys_command == NULL)
2421 *charptr = xstrdup(str + len);
2425 case sAuthorizedKeysCommandUser:
2426 charptr = &options->authorized_keys_command_user;
2428 arg = argv_next(&ac, &av);
2429 if (!arg || *arg == '\0') {
2430 fatal("%s line %d: missing %s argument.",
2431 filename, linenum, keyword);
2433 if (*activep && *charptr == NULL)
2434 *charptr = xstrdup(arg);
2437 case sAuthorizedPrincipalsCommand:
2438 charptr = &options->authorized_principals_command;
2441 case sAuthorizedPrincipalsCommandUser:
2442 charptr = &options->authorized_principals_command_user;
2443 goto parse_localuser;
2445 case sAuthenticationMethods:
2446 found = options->num_auth_methods == 0;
2447 value = 0; /* seen "any" pseudo-method */
2448 value2 = 0; /* successfully parsed any method */
2449 while ((arg = argv_next(&ac, &av)) != NULL) {
2450 if (strcmp(arg, "any") == 0) {
2451 if (options->num_auth_methods > 0) {
2452 fatal("%s line %d: \"any\" must "
2453 "appear alone in %s",
2454 filename, linenum, keyword);
2458 fatal("%s line %d: \"any\" must appear "
2459 "alone in %s", filename, linenum, keyword);
2460 } else if (auth2_methods_valid(arg, 0) != 0) {
2461 fatal("%s line %d: invalid %s method list.",
2462 filename, linenum, keyword);
2465 if (!found || !*activep)
2467 opt_array_append(filename, linenum, keyword,
2468 &options->auth_methods,
2469 &options->num_auth_methods, arg);
2472 fatal("%s line %d: no %s specified",
2473 filename, linenum, keyword);
2477 case sStreamLocalBindMask:
2478 arg = argv_next(&ac, &av);
2479 if (!arg || *arg == '\0')
2480 fatal("%s line %d: %s missing argument.",
2481 filename, linenum, keyword);
2482 /* Parse mode in octal format */
2483 value = strtol(arg, &p, 8);
2484 if (arg == p || value < 0 || value > 0777)
2485 fatal("%s line %d: Invalid %s.",
2486 filename, linenum, keyword);
2488 options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
2491 case sStreamLocalBindUnlink:
2492 intptr = &options->fwd_opts.streamlocal_bind_unlink;
2495 case sFingerprintHash:
2496 arg = argv_next(&ac, &av);
2497 if (!arg || *arg == '\0')
2498 fatal("%s line %d: %s missing argument.",
2499 filename, linenum, keyword);
2500 if ((value = ssh_digest_alg_by_name(arg)) == -1)
2501 fatal("%.200s line %d: Invalid %s algorithm \"%s\".",
2502 filename, linenum, keyword, arg);
2504 options->fingerprint_hash = value;
2507 case sExposeAuthInfo:
2508 intptr = &options->expose_userauth_info;
2512 #if !defined(__OpenBSD__) && !defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
2513 fatal("%s line %d: setting RDomain not supported on this "
2514 "platform.", filename, linenum);
2516 charptr = &options->routing_domain;
2517 arg = argv_next(&ac, &av);
2518 if (!arg || *arg == '\0')
2519 fatal("%s line %d: %s missing argument.",
2520 filename, linenum, keyword);
2521 if (strcasecmp(arg, "none") != 0 && strcmp(arg, "%D") != 0 &&
2522 !valid_rdomain(arg))
2523 fatal("%s line %d: invalid routing domain",
2525 if (*activep && *charptr == NULL)
2526 *charptr = xstrdup(arg);
2529 case sRequiredRSASize:
2530 intptr = &options->required_rsa_size;
2533 case sChannelTimeout:
2534 uvalue = options->num_channel_timeouts;
2536 while ((arg = argv_next(&ac, &av)) != NULL) {
2537 /* Allow "none" only in first position */
2538 if (strcasecmp(arg, "none") == 0) {
2539 if (i > 0 || ac > 0) {
2540 error("%s line %d: keyword %s \"none\" "
2541 "argument must appear alone.",
2542 filename, linenum, keyword);
2545 } else if (parse_timeout(arg, NULL, NULL) != 0) {
2546 fatal("%s line %d: invalid channel timeout %s",
2547 filename, linenum, arg);
2549 if (!*activep || uvalue != 0)
2551 opt_array_append(filename, linenum, keyword,
2552 &options->channel_timeouts,
2553 &options->num_channel_timeouts, arg);
2557 case sUnusedConnectionTimeout:
2558 intptr = &options->unused_connection_timeout;
2559 /* peek at first arg for "none" so we can reuse parse_time */
2560 if (av[0] != NULL && strcasecmp(av[0], "none") == 0) {
2561 (void)argv_next(&ac, &av); /* consume arg */
2569 intptr = &options->use_blacklist;
2575 do_log2(opcode == sIgnore ?
2576 SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
2577 "%s line %d: %s option %s", filename, linenum,
2578 opcode == sUnsupported ? "Unsupported" : "Deprecated",
2584 fatal("%s line %d: Missing handler for opcode %s (%d)",
2585 filename, linenum, keyword, opcode);
2587 /* Check that there is no garbage at end of line. */
2589 error("%.200s line %d: keyword %s extra arguments "
2590 "at end of line", filename, linenum, keyword);
2597 argv_free(oav, oac);
2602 process_server_config_line(ServerOptions *options, char *line,
2603 const char *filename, int linenum, int *activep,
2604 struct connection_info *connectinfo, struct include_list *includes)
2608 return process_server_config_line_depth(options, line, filename,
2609 linenum, activep, connectinfo, &inc_flags, 0, includes);
2613 /* Reads the server configuration file. */
2616 load_server_config(const char *filename, struct sshbuf *conf)
2619 char *line = NULL, *cp;
2620 size_t linesize = 0;
2624 debug2_f("filename %s", filename);
2625 if ((f = fopen(filename, "r")) == NULL) {
2630 /* grow buffer, so realloc is avoided for large config files */
2631 if (fstat(fileno(f), &st) == 0 && st.st_size > 0 &&
2632 (r = sshbuf_allocate(conf, st.st_size)) != 0)
2633 fatal_fr(r, "allocate");
2634 while (getline(&line, &linesize, f) != -1) {
2637 * NB - preserve newlines, they are needed to reproduce
2638 * line numbers later for error messages
2640 cp = line + strspn(line, " \t\r");
2641 if ((r = sshbuf_put(conf, cp, strlen(cp))) != 0)
2642 fatal_fr(r, "sshbuf_put");
2645 if ((r = sshbuf_put_u8(conf, 0)) != 0)
2646 fatal_fr(r, "sshbuf_put_u8");
2648 debug2_f("done config len = %zu", sshbuf_len(conf));
2652 parse_server_match_config(ServerOptions *options,
2653 struct include_list *includes, struct connection_info *connectinfo)
2657 initialize_server_options(&mo);
2658 parse_server_config(&mo, "reprocess config", cfg, includes,
2660 copy_set_server_options(options, &mo, 0);
2663 int parse_server_match_testspec(struct connection_info *ci, char *spec)
2667 while ((p = strsep(&spec, ",")) && *p != '\0') {
2668 if (strncmp(p, "addr=", 5) == 0) {
2669 ci->address = xstrdup(p + 5);
2670 } else if (strncmp(p, "host=", 5) == 0) {
2671 ci->host = xstrdup(p + 5);
2672 } else if (strncmp(p, "user=", 5) == 0) {
2673 ci->user = xstrdup(p + 5);
2674 } else if (strncmp(p, "laddr=", 6) == 0) {
2675 ci->laddress = xstrdup(p + 6);
2676 } else if (strncmp(p, "rdomain=", 8) == 0) {
2677 ci->rdomain = xstrdup(p + 8);
2678 } else if (strncmp(p, "lport=", 6) == 0) {
2679 ci->lport = a2port(p + 6);
2680 if (ci->lport == -1) {
2681 fprintf(stderr, "Invalid port '%s' in test mode"
2682 " specification %s\n", p+6, p);
2686 fprintf(stderr, "Invalid test mode specification %s\n",
2695 * Copy any supported values that are set.
2697 * If the preauth flag is set, we do not bother copying the string or
2698 * array values that are not used pre-authentication, because any that we
2699 * do use must be explicitly sent in mm_getpwnamallow().
2702 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2704 #define M_CP_INTOPT(n) do {\
2709 M_CP_INTOPT(password_authentication);
2710 M_CP_INTOPT(gss_authentication);
2711 M_CP_INTOPT(pubkey_authentication);
2712 M_CP_INTOPT(pubkey_auth_options);
2713 M_CP_INTOPT(kerberos_authentication);
2714 M_CP_INTOPT(hostbased_authentication);
2715 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2716 M_CP_INTOPT(kbd_interactive_authentication);
2717 M_CP_INTOPT(permit_root_login);
2718 M_CP_INTOPT(permit_empty_passwd);
2719 M_CP_INTOPT(ignore_rhosts);
2721 M_CP_INTOPT(allow_tcp_forwarding);
2722 M_CP_INTOPT(allow_streamlocal_forwarding);
2723 M_CP_INTOPT(allow_agent_forwarding);
2724 M_CP_INTOPT(disable_forwarding);
2725 M_CP_INTOPT(expose_userauth_info);
2726 M_CP_INTOPT(permit_tun);
2727 M_CP_INTOPT(fwd_opts.gateway_ports);
2728 M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2729 M_CP_INTOPT(x11_display_offset);
2730 M_CP_INTOPT(x11_forwarding);
2731 M_CP_INTOPT(x11_use_localhost);
2732 M_CP_INTOPT(permit_tty);
2733 M_CP_INTOPT(permit_user_rc);
2734 M_CP_INTOPT(max_sessions);
2735 M_CP_INTOPT(max_authtries);
2736 M_CP_INTOPT(client_alive_count_max);
2737 M_CP_INTOPT(client_alive_interval);
2738 M_CP_INTOPT(ip_qos_interactive);
2739 M_CP_INTOPT(ip_qos_bulk);
2740 M_CP_INTOPT(rekey_limit);
2741 M_CP_INTOPT(rekey_interval);
2742 M_CP_INTOPT(log_level);
2743 M_CP_INTOPT(required_rsa_size);
2744 M_CP_INTOPT(unused_connection_timeout);
2747 * The bind_mask is a mode_t that may be unsigned, so we can't use
2748 * M_CP_INTOPT - it does a signed comparison that causes compiler
2751 if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2752 dst->fwd_opts.streamlocal_bind_mask =
2753 src->fwd_opts.streamlocal_bind_mask;
2756 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2757 #define M_CP_STROPT(n) do {\
2758 if (src->n != NULL && dst->n != src->n) { \
2763 #define M_CP_STRARRAYOPT(s, num_s) do {\
2765 if (src->num_s != 0) { \
2766 for (i = 0; i < dst->num_s; i++) \
2769 dst->s = xcalloc(src->num_s, sizeof(*dst->s)); \
2770 for (i = 0; i < src->num_s; i++) \
2771 dst->s[i] = xstrdup(src->s[i]); \
2772 dst->num_s = src->num_s; \
2776 /* See comment in servconf.h */
2777 COPY_MATCH_STRING_OPTS();
2779 /* Arguments that accept '+...' need to be expanded */
2780 assemble_algorithms(dst);
2783 * The only things that should be below this point are string options
2784 * which are only used after authentication.
2789 /* These options may be "none" to clear a global setting */
2790 M_CP_STROPT(adm_forced_command);
2791 if (option_clear_or_none(dst->adm_forced_command)) {
2792 free(dst->adm_forced_command);
2793 dst->adm_forced_command = NULL;
2795 M_CP_STROPT(chroot_directory);
2796 if (option_clear_or_none(dst->chroot_directory)) {
2797 free(dst->chroot_directory);
2798 dst->chroot_directory = NULL;
2804 #undef M_CP_STRARRAYOPT
2806 #define SERVCONF_MAX_DEPTH 16
2808 parse_server_config_depth(ServerOptions *options, const char *filename,
2809 struct sshbuf *conf, struct include_list *includes,
2810 struct connection_info *connectinfo, int flags, int *activep, int depth)
2812 int linenum, bad_options = 0;
2813 char *cp, *obuf, *cbuf;
2815 if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
2816 fatal("Too many recursive configuration includes");
2818 debug2_f("config %s len %zu%s", filename, sshbuf_len(conf),
2819 (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
2821 if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2822 fatal_f("sshbuf_dup_string failed");
2824 while ((cp = strsep(&cbuf, "\n")) != NULL) {
2825 if (process_server_config_line_depth(options, cp,
2826 filename, linenum++, activep, connectinfo, &flags,
2827 depth, includes) != 0)
2831 if (bad_options > 0)
2832 fatal("%s: terminating, %d bad configuration options",
2833 filename, bad_options);
2837 parse_server_config(ServerOptions *options, const char *filename,
2838 struct sshbuf *conf, struct include_list *includes,
2839 struct connection_info *connectinfo, int reexec)
2841 int active = connectinfo ? 0 : 1;
2842 parse_server_config_depth(options, filename, conf, includes,
2843 connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
2845 process_queued_listen_addrs(options);
2849 fmt_multistate_int(int val, const struct multistate *m)
2853 for (i = 0; m[i].key != NULL; i++) {
2854 if (m[i].value == val)
2861 fmt_intarg(ServerOpCodes code, int val)
2866 case sAddressFamily:
2867 return fmt_multistate_int(val, multistate_addressfamily);
2868 case sPermitRootLogin:
2869 return fmt_multistate_int(val, multistate_permitrootlogin);
2871 return fmt_multistate_int(val, multistate_gatewayports);
2873 return fmt_multistate_int(val, multistate_compression);
2874 case sAllowTcpForwarding:
2875 return fmt_multistate_int(val, multistate_tcpfwd);
2876 case sAllowStreamLocalForwarding:
2877 return fmt_multistate_int(val, multistate_tcpfwd);
2879 return fmt_multistate_int(val, multistate_ignore_rhosts);
2880 case sFingerprintHash:
2881 return ssh_digest_alg_name(val);
2895 dump_cfg_int(ServerOpCodes code, int val)
2897 if (code == sUnusedConnectionTimeout && val == 0) {
2898 printf("%s none\n", lookup_opcode_name(code));
2901 printf("%s %d\n", lookup_opcode_name(code), val);
2905 dump_cfg_oct(ServerOpCodes code, int val)
2907 printf("%s 0%o\n", lookup_opcode_name(code), val);
2911 dump_cfg_fmtint(ServerOpCodes code, int val)
2913 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2917 dump_cfg_string(ServerOpCodes code, const char *val)
2919 printf("%s %s\n", lookup_opcode_name(code),
2920 val == NULL ? "none" : val);
2924 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2928 for (i = 0; i < count; i++)
2929 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2933 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2938 case sAuthenticationMethods:
2939 case sChannelTimeout:
2947 printf("%s", lookup_opcode_name(code));
2948 for (i = 0; i < count; i++)
2949 printf(" %s", vals[i]);
2950 if (code == sAuthenticationMethods && count == 0)
2952 else if (code == sChannelTimeout && count == 0)
2958 format_listen_addrs(struct listenaddr *la)
2961 struct addrinfo *ai;
2962 char addr[NI_MAXHOST], port[NI_MAXSERV];
2963 char *laddr1 = xstrdup(""), *laddr2 = NULL;
2966 * ListenAddress must be after Port. add_one_listen_addr pushes
2967 * addresses onto a stack, so to maintain ordering we need to
2968 * print these in reverse order.
2970 for (ai = la->addrs; ai; ai = ai->ai_next) {
2971 if ((r = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2972 sizeof(addr), port, sizeof(port),
2973 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2974 error("getnameinfo: %.100s", ssh_gai_strerror(r));
2978 if (ai->ai_family == AF_INET6) {
2979 xasprintf(&laddr1, "listenaddress [%s]:%s%s%s\n%s",
2981 la->rdomain == NULL ? "" : " rdomain ",
2982 la->rdomain == NULL ? "" : la->rdomain,
2985 xasprintf(&laddr1, "listenaddress %s:%s%s%s\n%s",
2987 la->rdomain == NULL ? "" : " rdomain ",
2988 la->rdomain == NULL ? "" : la->rdomain,
2997 dump_config(ServerOptions *o)
3002 /* these are usually at the top of the config */
3003 for (i = 0; i < o->num_ports; i++)
3004 printf("port %d\n", o->ports[i]);
3005 dump_cfg_fmtint(sAddressFamily, o->address_family);
3007 for (i = 0; i < o->num_listen_addrs; i++) {
3008 s = format_listen_addrs(&o->listen_addrs[i]);
3013 /* integer arguments */
3015 dump_cfg_fmtint(sUsePAM, o->use_pam);
3017 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
3018 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
3019 dump_cfg_int(sMaxAuthTries, o->max_authtries);
3020 dump_cfg_int(sMaxSessions, o->max_sessions);
3021 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
3022 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
3023 dump_cfg_int(sRequiredRSASize, o->required_rsa_size);
3024 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
3025 dump_cfg_int(sUnusedConnectionTimeout, o->unused_connection_timeout);
3027 /* formatted integer arguments */
3028 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
3029 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
3030 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
3031 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
3032 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
3033 o->hostbased_uses_name_from_packet_only);
3034 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
3036 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
3037 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
3038 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
3040 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
3044 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
3045 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
3047 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
3048 dump_cfg_fmtint(sKbdInteractiveAuthentication,
3049 o->kbd_interactive_authentication);
3050 dump_cfg_fmtint(sPrintMotd, o->print_motd);
3051 #ifndef DISABLE_LASTLOG
3052 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
3054 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
3055 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
3056 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
3057 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
3058 dump_cfg_fmtint(sStrictModes, o->strict_modes);
3059 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
3060 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
3061 dump_cfg_fmtint(sCompression, o->compression);
3062 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
3063 dump_cfg_fmtint(sUseDNS, o->use_dns);
3064 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
3065 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
3066 dump_cfg_fmtint(sDisableForwarding, o->disable_forwarding);
3067 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
3068 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
3069 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
3070 dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info);
3071 dump_cfg_fmtint(sUseBlacklist, o->use_blacklist);
3073 /* string arguments */
3074 dump_cfg_string(sPidFile, o->pid_file);
3075 dump_cfg_string(sModuliFile, o->moduli_file);
3076 dump_cfg_string(sXAuthLocation, o->xauth_location);
3077 dump_cfg_string(sCiphers, o->ciphers);
3078 dump_cfg_string(sMacs, o->macs);
3079 dump_cfg_string(sBanner, o->banner);
3080 dump_cfg_string(sForceCommand, o->adm_forced_command);
3081 dump_cfg_string(sChrootDirectory, o->chroot_directory);
3082 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
3083 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
3084 dump_cfg_string(sSecurityKeyProvider, o->sk_provider);
3085 dump_cfg_string(sAuthorizedPrincipalsFile,
3086 o->authorized_principals_file);
3087 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
3088 ? "none" : o->version_addendum);
3089 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
3090 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
3091 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
3092 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
3093 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
3094 dump_cfg_string(sKexAlgorithms, o->kex_algorithms);
3095 dump_cfg_string(sCASignatureAlgorithms, o->ca_sign_algorithms);
3096 dump_cfg_string(sHostbasedAcceptedAlgorithms, o->hostbased_accepted_algos);
3097 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms);
3098 dump_cfg_string(sPubkeyAcceptedAlgorithms, o->pubkey_accepted_algos);
3099 #if defined(__OpenBSD__) || defined(HAVE_SYS_SET_PROCESS_RDOMAIN)
3100 dump_cfg_string(sRDomain, o->routing_domain);
3103 /* string arguments requiring a lookup */
3104 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
3105 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
3107 /* string array arguments */
3108 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
3109 o->authorized_keys_files);
3110 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
3112 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
3113 o->host_cert_files);
3114 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
3115 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
3116 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
3117 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
3118 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
3119 dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv);
3120 dump_cfg_strarray_oneline(sAuthenticationMethods,
3121 o->num_auth_methods, o->auth_methods);
3122 dump_cfg_strarray_oneline(sLogVerbose,
3123 o->num_log_verbose, o->log_verbose);
3124 dump_cfg_strarray_oneline(sChannelTimeout,
3125 o->num_channel_timeouts, o->channel_timeouts);
3127 /* other arguments */
3128 for (i = 0; i < o->num_subsystems; i++)
3129 printf("subsystem %s %s\n", o->subsystem_name[i],
3130 o->subsystem_args[i]);
3132 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
3133 o->max_startups_rate, o->max_startups);
3134 printf("persourcemaxstartups ");
3135 if (o->per_source_max_startups == INT_MAX)
3138 printf("%d\n", o->per_source_max_startups);
3139 printf("persourcenetblocksize %d:%d\n", o->per_source_masklen_ipv4,
3140 o->per_source_masklen_ipv6);
3143 for (i = 0; tunmode_desc[i].val != -1; i++) {
3144 if (tunmode_desc[i].val == o->permit_tun) {
3145 s = tunmode_desc[i].text;
3149 dump_cfg_string(sPermitTunnel, s);
3151 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
3152 printf("%s\n", iptos2str(o->ip_qos_bulk));
3154 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
3157 printf("permitopen");
3158 if (o->num_permitted_opens == 0)
3161 for (i = 0; i < o->num_permitted_opens; i++)
3162 printf(" %s", o->permitted_opens[i]);
3165 printf("permitlisten");
3166 if (o->num_permitted_listens == 0)
3169 for (i = 0; i < o->num_permitted_listens; i++)
3170 printf(" %s", o->permitted_listens[i]);
3174 if (o->permit_user_env_allowlist == NULL) {
3175 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
3177 printf("permituserenvironment %s\n",
3178 o->permit_user_env_allowlist);
3181 printf("pubkeyauthoptions");
3182 if (o->pubkey_auth_options == 0)
3184 if (o->pubkey_auth_options & PUBKEYAUTH_TOUCH_REQUIRED)
3185 printf(" touch-required");
3186 if (o->pubkey_auth_options & PUBKEYAUTH_VERIFY_REQUIRED)
3187 printf(" verify-required");