2 /* $OpenBSD: servconf.c,v 1.285 2016/02/17 05:29:04 djm Exp $ */
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
18 #include <sys/socket.h>
20 #include <netinet/in.h>
21 #include <netinet/in_systm.h>
22 #include <netinet/ip.h>
40 #include "openbsd-compat/sys-queue.h"
48 #include "pathnames.h"
55 #include "groupaccess.h"
60 #include "myproposal.h"
/*
 * Forward declarations for the listen-address helpers defined further down.
 * Both take the ServerOptions being built, an address string (NULL requests
 * the wildcard address) and a port.
 */
64 static void add_listen_addr(ServerOptions *, char *, int);
65 static void add_one_listen_addr(ServerOptions *, char *, int);
67 /* Use of privilege separation or not */
/*
 * Defined in another translation unit (sshd.c, presumably).  -1 means "not
 * decided yet"; fill_default_server_options() resolves that to PRIVSEP_ON.
 */
68 extern int use_privsep;
/*
 * initialize_server_options(): put *options into its "nothing configured
 * yet" state before the config file and command line are parsed.
 *
 * The struct is zeroed first; every field whose legitimate value could be
 * 0/false/NULL is then given an explicit sentinel (-1, NULL, or a *_NOT_SET
 * enum) so that fill_default_server_options() can tell "never set" apart
 * from "explicitly set to zero".
 *
 * @param options  caller-owned ServerOptions; must not be NULL.
 *
 * The return type, opening brace and closing brace of this function are on
 * lines this listing does not show.
 */
71 /* Initializes the server options to their default values. */
74 initialize_server_options(ServerOptions *options)
/* Everything starts at 0/NULL; the assignments below are the exceptions. */
76 memset(options, 0, sizeof(*options));
78 /* Portable-specific options */
79 options->use_pam = -1;
81 /* Standard Options */
82 options->num_ports = 0;
83 options->ports_from_cmdline = 0;
84 options->queued_listen_addrs = NULL;
85 options->num_queued_listens = 0;
86 options->listen_addrs = NULL;
/* -1 is "not set"; fill_default_server_options() turns it into AF_UNSPEC. */
87 options->address_family = -1;
88 options->num_host_key_files = 0;
89 options->num_host_cert_files = 0;
90 options->host_key_agent = NULL;
91 options->pid_file = NULL;
92 options->server_key_bits = -1;
93 options->login_grace_time = -1;
94 options->key_regeneration_time = -1;
/* Enum sentinel rather than -1: the real values are the PERMIT_* constants. */
95 options->permit_root_login = PERMIT_NOT_SET;
96 options->ignore_rhosts = -1;
97 options->ignore_user_known_hosts = -1;
98 options->print_motd = -1;
99 options->print_lastlog = -1;
100 options->x11_forwarding = -1;
101 options->x11_display_offset = -1;
102 options->x11_use_localhost = -1;
103 options->permit_tty = -1;
104 options->permit_user_rc = -1;
105 options->xauth_location = NULL;
106 options->strict_modes = -1;
107 options->tcp_keep_alive = -1;
/* Logging uses its own *_NOT_SET enum values, same idea as PERMIT_NOT_SET. */
108 options->log_facility = SYSLOG_FACILITY_NOT_SET;
109 options->log_level = SYSLOG_LEVEL_NOT_SET;
110 options->rhosts_rsa_authentication = -1;
111 options->hostbased_authentication = -1;
112 options->hostbased_uses_name_from_packet_only = -1;
/* Algorithm / key-type lists stay NULL until assemble_algorithms() fills them. */
113 options->hostbased_key_types = NULL;
114 options->hostkeyalgorithms = NULL;
115 options->rsa_authentication = -1;
116 options->pubkey_authentication = -1;
117 options->pubkey_key_types = NULL;
118 options->kerberos_authentication = -1;
119 options->kerberos_or_local_passwd = -1;
120 options->kerberos_ticket_cleanup = -1;
121 options->kerberos_get_afs_token = -1;
122 options->gss_authentication=-1;
123 options->gss_cleanup_creds = -1;
124 options->gss_strict_acceptor = -1;
125 options->password_authentication = -1;
126 options->kbd_interactive_authentication = -1;
127 options->challenge_response_authentication = -1;
128 options->permit_empty_passwd = -1;
129 options->permit_user_env = -1;
130 options->use_login = -1;
131 options->compression = -1;
132 options->rekey_limit = -1;
133 options->rekey_interval = -1;
134 options->allow_tcp_forwarding = -1;
135 options->allow_streamlocal_forwarding = -1;
136 options->allow_agent_forwarding = -1;
137 options->num_allow_users = 0;
138 options->num_deny_users = 0;
139 options->num_allow_groups = 0;
140 options->num_deny_groups = 0;
141 options->ciphers = NULL;
142 options->macs = NULL;
143 options->kex_algorithms = NULL;
144 options->protocol = SSH_PROTO_UNKNOWN;
145 options->fwd_opts.gateway_ports = -1;
/* mode_t is typically unsigned and 0 is a valid mask, so all-ones is the sentinel. */
146 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
147 options->fwd_opts.streamlocal_bind_unlink = -1;
148 options->num_subsystems = 0;
149 options->max_startups_begin = -1;
150 options->max_startups_rate = -1;
151 options->max_startups = -1;
152 options->max_authtries = -1;
153 options->max_sessions = -1;
154 options->banner = NULL;
155 options->use_dns = -1;
156 options->client_alive_interval = -1;
157 options->client_alive_count_max = -1;
158 options->num_authkeys_files = 0;
159 options->num_accept_env = 0;
160 options->permit_tun = -1;
/*
 * Unlike the other num_* counters this one is -1 when unset, presumably so
 * that an explicitly empty PermitOpen list (0) stays distinguishable from
 * "not configured" — confirm against the sPermitOpen handler.
 */
161 options->num_permitted_opens = -1;
162 options->adm_forced_command = NULL;
163 options->chroot_directory = NULL;
164 options->authorized_keys_command = NULL;
165 options->authorized_keys_command_user = NULL;
166 options->revoked_keys_file = NULL;
167 options->trusted_user_ca_keys = NULL;
168 options->authorized_principals_file = NULL;
169 options->authorized_principals_command = NULL;
170 options->authorized_principals_command_user = NULL;
171 options->ip_qos_interactive = -1;
172 options->ip_qos_bulk = -1;
173 options->version_addendum = NULL;
174 options->fingerprint_hash = -1;
/*
 * option_clear_or_none(): report whether a string option is effectively
 * unset, i.e. it was never given (NULL) or the administrator wrote "none"
 * (matched case-insensitively).
 *
 * @param o  the option value, may be NULL
 * @return   1 when the option should be treated as cleared, 0 otherwise
 */
static int
option_clear_or_none(const char *o)
{
	if (o == NULL)
		return 1;
	return strcasecmp(o, "none") == 0 ? 1 : 0;
}
/*
 * assemble_algorithms(): expand the server's algorithm lists (ciphers,
 * MACs, KEX, and the three public-key type lists) through
 * kex_assemble_names(), starting from the compiled-in defaults.  Any
 * failure is fatal so sshd never starts with a half-assembled algorithm
 * set.
 *
 * @param o  the parsed ServerOptions; the list fields are rewritten in place
 */
static void
assemble_algorithms(ServerOptions *o)
{
	const struct {
		const char *defaults;
		char **list;
	} wanted[] = {
		{ KEX_SERVER_ENCRYPT, &o->ciphers },
		{ KEX_SERVER_MAC, &o->macs },
		{ KEX_SERVER_KEX, &o->kex_algorithms },
		{ KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms },
		{ KEX_DEFAULT_PK_ALG, &o->hostbased_key_types },
		{ KEX_DEFAULT_PK_ALG, &o->pubkey_key_types },
	};
	size_t i;

	/* Same order as the original chained test: the first failure aborts. */
	for (i = 0; i < sizeof(wanted) / sizeof(wanted[0]); i++) {
		if (kex_assemble_names(wanted[i].defaults, wanted[i].list) != 0)
			fatal("kex_assemble_names failed");
	}
}
/*
 * fill_default_server_options(): after parsing, replace every sentinel left
 * by initialize_server_options() with the compiled-in default, discover the
 * default host key files, expand the algorithm lists and finally normalise
 * string options set to "none" back to NULL.  Aborts (fatal) when no host
 * key file is found.
 *
 * @param options  the just-parsed ServerOptions, modified in place.  Also
 *                 writes the file-scope `use_privsep`.
 *
 * Security-relevant defaults visible in this function: root login is denied
 * outright (PERMIT_NO), plain PasswordAuthentication is off while
 * ChallengeResponseAuthentication stays on, UseDNS is on, privilege
 * separation defaults to PRIVSEP_ON, and forwarded Unix-domain sockets get a
 * 0177 bind mask.
 *
 * This listing omits several lines of the function: the declaration of the
 * loop index `i` used near the end, the #if/#else/#endif lines around the
 * platform-specific parts, the body of CLEAR_ON_NONE, and the closing
 * brace.  Comments below flag where that matters.
 */
199 fill_default_server_options(ServerOptions *options)
203 /* Portable-specific options */
204 if (options->use_pam == -1)
205 options->use_pam = 1;
207 /* Standard Options */
208 if (options->protocol == SSH_PROTO_UNKNOWN)
209 options->protocol = SSH_PROTO_2;
/*
 * Host key discovery.  NOTE(review): access(2) expects R_OK/W_OK/X_OK/F_OK,
 * not open(2) flags.  O_RDONLY is 0 on the usual platforms, which makes this
 * an F_OK (existence) test rather than a readability test: a key file that
 * exists but cannot be read is accepted here and presumably rejected later
 * when it is actually loaded.  Parts of the macro body are on lines not
 * shown.
 */
210 #define add_host_key_file(path) \
212 if (access((path), O_RDONLY) == 0) \
213 options->host_key_files \
214 [options->num_host_key_files++] = (path); \
/* Only when no HostKey directive was given; an explicit list is kept as-is. */
216 if (options->num_host_key_files == 0) {
217 /* fill default hostkeys for protocols */
218 if (options->protocol & SSH_PROTO_1)
219 add_host_key_file(_PATH_HOST_KEY_FILE);
220 if (options->protocol & SSH_PROTO_2) {
221 add_host_key_file(_PATH_HOST_RSA_KEY_FILE);
222 add_host_key_file(_PATH_HOST_DSA_KEY_FILE);
/* The matching #endif and the closing braces of the two ifs are not shown. */
223 #ifdef OPENSSL_HAS_ECC
224 add_host_key_file(_PATH_HOST_ECDSA_KEY_FILE);
226 add_host_key_file(_PATH_HOST_ED25519_KEY_FILE);
229 #undef add_host_key_file
/* Fail closed: sshd cannot authenticate itself without at least one key. */
230 if (options->num_host_key_files == 0)
231 fatal("No host key files found");
232 /* No certificates by default */
233 if (options->num_ports == 0)
234 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
235 if (options->address_family == -1)
236 options->address_family = AF_UNSPEC;
/* No ListenAddress given: wildcard address on every configured port. */
237 if (options->listen_addrs == NULL)
238 add_listen_addr(options, NULL, 0);
239 if (options->pid_file == NULL)
240 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
/* Ephemeral server key size and regeneration interval (protocol 1, presumably). */
241 if (options->server_key_bits == -1)
242 options->server_key_bits = 1024;
243 if (options->login_grace_time == -1)
244 options->login_grace_time = 120;
245 if (options->key_regeneration_time == -1)
246 options->key_regeneration_time = 3600;
/* This tree denies root login entirely unless PermitRootLogin is set. */
247 if (options->permit_root_login == PERMIT_NOT_SET)
248 options->permit_root_login = PERMIT_NO;
249 if (options->ignore_rhosts == -1)
250 options->ignore_rhosts = 1;
251 if (options->ignore_user_known_hosts == -1)
252 options->ignore_user_known_hosts = 0;
253 if (options->print_motd == -1)
254 options->print_motd = 1;
255 if (options->print_lastlog == -1)
256 options->print_lastlog = 1;
257 if (options->x11_forwarding == -1)
258 options->x11_forwarding = 1;
259 if (options->x11_display_offset == -1)
260 options->x11_display_offset = 10;
261 if (options->x11_use_localhost == -1)
262 options->x11_use_localhost = 1;
263 if (options->xauth_location == NULL)
264 options->xauth_location = xstrdup(_PATH_XAUTH);
265 if (options->permit_tty == -1)
266 options->permit_tty = 1;
267 if (options->permit_user_rc == -1)
268 options->permit_user_rc = 1;
269 if (options->strict_modes == -1)
270 options->strict_modes = 1;
271 if (options->tcp_keep_alive == -1)
272 options->tcp_keep_alive = 1;
273 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
274 options->log_facility = SYSLOG_FACILITY_AUTH;
275 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
276 options->log_level = SYSLOG_LEVEL_INFO;
277 if (options->rhosts_rsa_authentication == -1)
278 options->rhosts_rsa_authentication = 0;
279 if (options->hostbased_authentication == -1)
280 options->hostbased_authentication = 0;
281 if (options->hostbased_uses_name_from_packet_only == -1)
282 options->hostbased_uses_name_from_packet_only = 0;
283 if (options->rsa_authentication == -1)
284 options->rsa_authentication = 1;
285 if (options->pubkey_authentication == -1)
286 options->pubkey_authentication = 1;
287 if (options->kerberos_authentication == -1)
288 options->kerberos_authentication = 0;
289 if (options->kerberos_or_local_passwd == -1)
290 options->kerberos_or_local_passwd = 1;
291 if (options->kerberos_ticket_cleanup == -1)
292 options->kerberos_ticket_cleanup = 1;
293 if (options->kerberos_get_afs_token == -1)
294 options->kerberos_get_afs_token = 0;
295 if (options->gss_authentication == -1)
296 options->gss_authentication = 0;
297 if (options->gss_cleanup_creds == -1)
298 options->gss_cleanup_creds = 1;
299 if (options->gss_strict_acceptor == -1)
300 options->gss_strict_acceptor = 0;
/*
 * Plain password authentication is off by default but challenge-response
 * is on, so password-style logins may still be reachable through the
 * keyboard-interactive path unless that is disabled too.
 */
301 if (options->password_authentication == -1)
302 options->password_authentication = 0;
303 if (options->kbd_interactive_authentication == -1)
304 options->kbd_interactive_authentication = 0;
305 if (options->challenge_response_authentication == -1)
306 options->challenge_response_authentication = 1;
307 if (options->permit_empty_passwd == -1)
308 options->permit_empty_passwd = 0;
309 if (options->permit_user_env == -1)
310 options->permit_user_env = 0;
311 if (options->use_login == -1)
312 options->use_login = 0;
/* Compression only after authentication by default. */
313 if (options->compression == -1)
314 options->compression = COMP_DELAYED;
315 if (options->rekey_limit == -1)
316 options->rekey_limit = 0;
317 if (options->rekey_interval == -1)
318 options->rekey_interval = 0;
319 if (options->allow_tcp_forwarding == -1)
320 options->allow_tcp_forwarding = FORWARD_ALLOW;
321 if (options->allow_streamlocal_forwarding == -1)
322 options->allow_streamlocal_forwarding = FORWARD_ALLOW;
323 if (options->allow_agent_forwarding == -1)
324 options->allow_agent_forwarding = 1;
325 if (options->fwd_opts.gateway_ports == -1)
326 options->fwd_opts.gateway_ports = 0;
/* MaxStartups defaults: start dropping at 10 unauthenticated connections, 30% rate, full at 100. */
327 if (options->max_startups == -1)
328 options->max_startups = 100;
329 if (options->max_startups_rate == -1)
330 options->max_startups_rate = 30; /* 30% */
331 if (options->max_startups_begin == -1)
332 options->max_startups_begin = 10;
333 if (options->max_authtries == -1)
334 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
335 if (options->max_sessions == -1)
336 options->max_sessions = DEFAULT_SESSIONS_MAX;
/* Reverse DNS of the client is on by default (affects Match Host / logging). */
337 if (options->use_dns == -1)
338 options->use_dns = 1;
339 if (options->client_alive_interval == -1)
340 options->client_alive_interval = 0;
341 if (options->client_alive_count_max == -1)
342 options->client_alive_count_max = 3;
/* Default AuthorizedKeysFile is two entries; the closing brace is not shown. */
343 if (options->num_authkeys_files == 0) {
344 options->authorized_keys_files[options->num_authkeys_files++] =
345 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
346 options->authorized_keys_files[options->num_authkeys_files++] =
347 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
349 if (options->permit_tun == -1)
350 options->permit_tun = SSH_TUNMODE_NO;
351 if (options->ip_qos_interactive == -1)
352 options->ip_qos_interactive = IPTOS_LOWDELAY;
353 if (options->ip_qos_bulk == -1)
354 options->ip_qos_bulk = IPTOS_THROUGHPUT;
/* SSH_VERSION_FREEBSD suggests this is the FreeBSD tree — not confirmed here. */
355 if (options->version_addendum == NULL)
356 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
/* Forwarded Unix sockets: mask 0177 leaves only owner rw by default. */
357 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
358 options->fwd_opts.streamlocal_bind_mask = 0177;
359 if (options->fwd_opts.streamlocal_bind_unlink == -1)
360 options->fwd_opts.streamlocal_bind_unlink = 0;
361 if (options->fingerprint_hash == -1)
362 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
/* Must run after every list option has had its chance to be set. */
364 assemble_algorithms(options);
366 /* Turn privilege separation and sandboxing on by default */
367 if (use_privsep == -1)
368 use_privsep = PRIVSEP_ON;
/*
 * CLEAR_ON_NONE(v): its body (lines 373-376) is not shown; from the name and
 * option_clear_or_none() it presumably frees v and resets it to NULL so the
 * rest of sshd only has to test for NULL.
 */
370 #define CLEAR_ON_NONE(v) \
372 if (option_clear_or_none(v)) { \
377 CLEAR_ON_NONE(options->pid_file);
378 CLEAR_ON_NONE(options->xauth_location);
379 CLEAR_ON_NONE(options->banner);
380 CLEAR_ON_NONE(options->trusted_user_ca_keys);
381 CLEAR_ON_NONE(options->revoked_keys_file);
382 CLEAR_ON_NONE(options->authorized_principals_file);
383 CLEAR_ON_NONE(options->adm_forced_command);
384 CLEAR_ON_NONE(options->chroot_directory);
/* `i` is declared on a line not shown in this listing. */
385 for (i = 0; i < options->num_host_key_files; i++)
386 CLEAR_ON_NONE(options->host_key_files[i]);
387 for (i = 0; i < options->num_host_cert_files; i++)
388 CLEAR_ON_NONE(options->host_cert_files[i]);
/*
 * Platform-specific fallback: the error text says this platform cannot do
 * both, so compression loses.  The surrounding #if line (389-391) and the
 * closing brace are not shown.
 */
392 if (use_privsep && options->compression == 1) {
393 error("This platform does not support both privilege "
394 "separation and compression");
395 error("Compression disabled");
396 options->compression = 0;
/*
 * ServerOpCodes: one token per recognised sshd_config keyword.  parse_token()
 * maps keyword text to one of these through the keywords[] table below and
 * process_server_config_line() switches on the result.  sDeprecated and
 * sUnsupported let the parser accept obsolete or compiled-out keywords
 * rather than treat them as sBadOption.
 *
 * The `typedef enum {` opener, the `} ServerOpCodes;` closer and the sUsePAM
 * value referenced from keywords[] are on lines not shown in this listing.
 */
402 /* Keyword tokens. */
404 sBadOption, /* == unknown option */
405 /* Portable-specific options */
407 /* Standard Options */
408 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
409 sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
410 sRhostsRSAAuthentication, sRSAAuthentication,
411 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
412 sKerberosGetAFSToken,
413 sKerberosTgtPassing, sChallengeResponseAuthentication,
414 sPasswordAuthentication, sKbdInteractiveAuthentication,
415 sListenAddress, sAddressFamily,
416 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
417 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
418 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
419 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
420 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
421 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
422 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
423 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
424 sBanner, sUseDNS, sHostbasedAuthentication,
425 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
427 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
428 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
429 sAcceptEnv, sPermitTunnel,
430 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
431 sUsePrivilegeSeparation, sAllowAgentForwarding,
433 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
434 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
435 sKexAlgorithms, sIPQoS, sVersionAddendum,
436 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
437 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
438 sStreamLocalBindMask, sStreamLocalBindUnlink,
439 sAllowStreamLocalForwarding, sFingerprintHash,
/* Catch-alls: keep these last so new real keywords are added above them. */
440 sDeprecated, sUnsupported
/*
 * Scoping flags carried by each keywords[] entry.  parse_token() hands the
 * entry's flags back to process_server_config_line(), which refuses a
 * directive lacking SSHCFG_MATCH inside a Match block (the "is not allowed
 * within a Match block" fatal there).  Which directives are SSHCFG_ALL is
 * therefore part of the security model: only those can be narrowed per
 * user, group, host or address.
 */
443 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
444 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
445 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
447 /* Textual representation of the tokens. */
/*
 * keywords[]: { lowercase name, opcode, flags }, terminated by a NULL name.
 * Lookup is case-insensitive (strcasecmp in parse_token()).  Where the same
 * name appears twice (usepam, kerberos*, gssapi*, printlastlog) the
 * alternatives are selected by preprocessor conditionals; only the
 * DISABLE_LASTLOG one is visible in this listing, the other #if/#else/#endif
 * lines are omitted, as are the struct's opening lines.
 */
450 ServerOpCodes opcode;
453 /* Portable-specific options */
/* First entry is the USE_PAM build, second the fallback (conditional not shown). */
455 { "usepam", sUsePAM, SSHCFG_GLOBAL },
457 { "usepam", sUnsupported, SSHCFG_GLOBAL },
459 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
460 /* Standard Options */
461 { "port", sPort, SSHCFG_GLOBAL },
462 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
463 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
464 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
465 { "pidfile", sPidFile, SSHCFG_GLOBAL },
466 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
467 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
468 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
/* Match-scoped: PermitRootLogin can be tightened or loosened per Match block. */
469 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
470 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
471 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
472 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
473 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
474 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
475 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
476 { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
477 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
478 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
479 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
480 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
481 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
/* Kerberos / GSSAPI: real entries vs sUnsupported fallbacks, selected by build conditionals not shown. */
483 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
484 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
485 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
487 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
489 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
492 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
493 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
494 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
495 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
497 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
498 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
500 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
501 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
502 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
504 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
505 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
506 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
508 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
509 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
510 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
511 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
512 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
513 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
514 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
515 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
/* The #else/#endif of this conditional are not shown. */
516 #ifdef DISABLE_LASTLOG
517 { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
519 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
521 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
522 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
523 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
524 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
525 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
526 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
527 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
528 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
529 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
530 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
531 { "compression", sCompression, SSHCFG_GLOBAL },
532 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
533 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
534 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
535 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
536 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
537 { "allowusers", sAllowUsers, SSHCFG_ALL },
538 { "denyusers", sDenyUsers, SSHCFG_ALL },
539 { "allowgroups", sAllowGroups, SSHCFG_ALL },
540 { "denygroups", sDenyGroups, SSHCFG_ALL },
/* Algorithm lists are global only: they are needed before any Match can be evaluated. */
541 { "ciphers", sCiphers, SSHCFG_GLOBAL },
542 { "macs", sMacs, SSHCFG_GLOBAL },
543 { "protocol", sProtocol, SSHCFG_GLOBAL },
544 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
545 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
546 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
547 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
548 { "maxsessions", sMaxSessions, SSHCFG_ALL },
549 { "banner", sBanner, SSHCFG_ALL },
550 { "usedns", sUseDNS, SSHCFG_GLOBAL },
551 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
552 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
553 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
554 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
555 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
556 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
557 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
558 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
559 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
560 { "permittty", sPermitTTY, SSHCFG_ALL },
561 { "permituserrc", sPermitUserRC, SSHCFG_ALL },
562 { "match", sMatch, SSHCFG_ALL },
563 { "permitopen", sPermitOpen, SSHCFG_ALL },
564 { "forcecommand", sForceCommand, SSHCFG_ALL },
565 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
566 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
567 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
568 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
569 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
570 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
571 { "ipqos", sIPQoS, SSHCFG_ALL },
572 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
573 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
574 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
575 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
576 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
577 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
578 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
579 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
580 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
581 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
/* Keywords from out-of-tree patches (HPN, "none" cipher) are recognised only to be refused or ignored. */
582 { "noneenabled", sUnsupported, SSHCFG_ALL },
583 { "hpndisabled", sDeprecated, SSHCFG_ALL },
584 { "hpnbuffersize", sDeprecated, SSHCFG_ALL },
585 { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
/* Terminator: parse_token() stops at the NULL name. */
586 { NULL, sBadOption, 0 }
/*
 * Textual names for the SSH_TUNMODE_* values (PermitTunnel).  The table's
 * declaration line and its terminator are on lines not shown in this
 * listing.
 */
593 { SSH_TUNMODE_NO, "no" },
594 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
595 { SSH_TUNMODE_ETHERNET, "ethernet" },
596 { SSH_TUNMODE_YES, "yes" },
/*
 * parse_token(): case-insensitive lookup of a config keyword in keywords[].
 * On a hit, the entry's scoping flags are stored through *flags and its
 * opcode returned.  On a miss the file, line and offending word are logged;
 * the return statement for that path (sBadOption, per the comment below) is
 * on a line not shown, as are the return type, braces and the declaration
 * of `i`.
 *
 * @param cp        the keyword as read from the config line
 * @param filename  config file name, used only in the error message
 * @param linenum   line number, used only in the error message
 * @param flags     out: SSHCFG_* flags of the matched entry; left untouched
 *                  on a miss, so callers must not rely on it after
 *                  sBadOption
 */
601 * Returns the number of the token pointed to by cp or sBadOption.
605 parse_token(const char *cp, const char *filename,
606 int linenum, u_int *flags)
/* Linear scan; the table is small and only read at config time. */
610 for (i = 0; keywords[i].name; i++)
611 if (strcasecmp(cp, keywords[i].name) == 0) {
612 *flags = keywords[i].flags;
613 return keywords[i].opcode;
/* Unknown keyword: logged as an error, not fatal — the caller decides. */
616 error("%s: line %d: Bad configuration option: %s",
617 filename, linenum, cp);
/*
 * derelativise_path(): turn a path from the config into an absolute one.
 * "none" is passed through unchanged (it is a reserved value, see
 * option_clear_or_none()), a leading "~" is expanded for the current uid,
 * and a relative path is prefixed with the current working directory.
 * A getcwd() failure is fatal.
 *
 * @param path  the path as written in the config; never NULL
 * @return      a newly allocated string the caller must free (xstrdup /
 *              xasprintf are visible here; the absolute-path return and
 *              any free of `expanded` are on lines not shown)
 */
622 derelativise_path(const char *path)
624 char *expanded, *ret, cwd[PATH_MAX];
626 if (strcasecmp(path, "none") == 0)
627 return xstrdup("none");
/* Expanded relative to the daemon's own uid, not the user being authenticated. */
628 expanded = tilde_expand_filename(path, getuid());
/* Already absolute: the return on the next (unshown) line hands back `expanded`. */
629 if (*expanded == '/')
631 if (getcwd(cwd, sizeof(cwd)) == NULL)
632 fatal("%s: getcwd: %s", __func__, strerror(errno));
633 xasprintf(&ret, "%s/%s", cwd, expanded);
/*
 * add_listen_addr(): register addr on one port, or — when no port was
 * given — on every configured Port.  The branch condition on the unshown
 * line between the signature and the loop is presumably `port == 0`, which
 * is what fill_default_server_options() passes for the wildcard listener.
 *
 * @param options  server options whose ports[] are consulted and whose
 *                 listen_addrs list is extended
 * @param addr     address to listen on; NULL means the wildcard address
 * @param port     explicit port, or 0 to use all configured ports
 */
639 add_listen_addr(ServerOptions *options, char *addr, int port)
644 for (i = 0; i < options->num_ports; i++)
645 add_one_listen_addr(options, addr, options->ports[i]);
647 add_one_listen_addr(options, addr, port);
/*
 * add_one_listen_addr(): resolve addr:port with getaddrinfo() and prepend
 * every resulting addrinfo to options->listen_addrs.
 *
 * A NULL addr requests the wildcard address (AI_PASSIVE); the address family
 * comes from AddressFamily.  Resolution failure is fatal, so a typo in a
 * ListenAddress stops sshd rather than silently shrinking the listen set.
 * The declaration of `gaierr` and the empty-body `;` of the walk-to-tail
 * loop are on lines not shown.
 *
 * @param options  receives the resolved entries in listen_addrs
 * @param addr     host or address string, or NULL for the wildcard
 * @param port     TCP port, formatted as a service string for getaddrinfo()
 */
651 add_one_listen_addr(ServerOptions *options, char *addr, int port)
653 struct addrinfo hints, *ai, *aitop;
654 char strport[NI_MAXSERV];
657 memset(&hints, 0, sizeof(hints));
658 hints.ai_family = options->address_family;
659 hints.ai_socktype = SOCK_STREAM;
/* AI_PASSIVE only makes sense for the wildcard; a named host must resolve as-is. */
660 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
661 snprintf(strport, sizeof strport, "%d", port);
662 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
663 fatal("bad addr or host: %s (%s)",
664 addr ? addr : "<NULL>",
665 ssh_gai_strerror(gaierr));
/* Walk to the last element so the whole result list can be spliced in front of listen_addrs. */
666 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
668 ai->ai_next = options->listen_addrs;
669 options->listen_addrs = aitop;
/*
 * queue_listen_addr(): remember a ListenAddress until Port and AddressFamily
 * are known, since both affect how it is resolved.  The two parallel arrays
 * are grown by one element each with xreallocarray (the element-size
 * argument on each call, and the copy of addr that is stored, are on lines
 * not shown).  process_queued_listen_addrs() drains the queue.
 *
 * @param options  owner of the queue
 * @param addr     address text from the config line
 * @param port     port from the config line, or 0 for "all configured ports"
 */
673 * Queue a ListenAddress to be processed once we have all of the Ports
674 * and AddressFamily options.
677 queue_listen_addr(ServerOptions *options, char *addr, int port)
679 options->queued_listen_addrs = xreallocarray(
680 options->queued_listen_addrs, options->num_queued_listens + 1,
682 options->queued_listen_ports = xreallocarray(
683 options->queued_listen_ports, options->num_queued_listens + 1,
685 options->queued_listen_addrs[options->num_queued_listens] =
687 options->queued_listen_ports[options->num_queued_listens] = port;
/* Bump the count only after both slots are filled. */
688 options->num_queued_listens++;
/*
 * process_queued_listen_addrs(): apply the Port / AddressFamily defaults
 * that the queued entries depend on, then resolve every queued
 * ListenAddress via add_listen_addr() and release the queue.
 *
 * Each address string is freed right after use and the arrays are freed and
 * reset afterwards, so calling this twice is harmless (the second call
 * finds an empty queue).  The declaration of `i` and the loop's closing
 * brace are on lines not shown.
 *
 * @param options  server options holding the queue and receiving
 *                 listen_addrs
 */
692 * Process queued (text) ListenAddress entries.
695 process_queued_listen_addrs(ServerOptions *options)
/* Same defaults fill_default_server_options() would apply; needed here first. */
699 if (options->num_ports == 0)
700 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
701 if (options->address_family == -1)
702 options->address_family = AF_UNSPEC;
704 for (i = 0; i < options->num_queued_listens; i++) {
705 add_listen_addr(options, options->queued_listen_addrs[i],
706 options->queued_listen_ports[i]);
707 free(options->queued_listen_addrs[i]);
708 options->queued_listen_addrs[i] = NULL;
710 free(options->queued_listen_addrs);
711 options->queued_listen_addrs = NULL;
712 free(options->queued_listen_ports);
713 options->queued_listen_ports = NULL;
714 options->num_queued_listens = 0;
/*
 * get_connection_info(): return the file-static connection_info that Match
 * evaluation (match_cfg_line()) reads, optionally refreshing its host,
 * remote address, local address and local port from the current connection.
 * The guard on `populate` and the return statement are on lines not shown;
 * presumably a zero `populate` returns the struct untouched.
 *
 * Because `ci` is a single static object, every caller shares (and may
 * overwrite) the same instance.
 *
 * @param populate  non-zero to (re)fill the fields from the live connection
 * @param use_dns   passed to get_canonical_hostname(): whether the remote
 *                  name is obtained via DNS, which is what "Match Host"
 *                  later compares against
 * @return          pointer to the static connection_info
 */
717 struct connection_info *
718 get_connection_info(int populate, int use_dns)
720 static struct connection_info ci;
724 ci.host = get_canonical_hostname(use_dns);
725 ci.address = get_remote_ipaddr();
726 ci.laddress = get_local_ipaddr(packet_get_connection_in());
727 ci.lport = get_local_port();
732 * The strategy for the Match blocks is that the config file is parsed twice.
734 * The first time is at startup. activep is initialized to 1 and the
735 * directives in the global context are processed and acted on. Hitting a
736 * Match directive unsets activep and the directives inside the block are
737 * checked for syntax only.
739 * The second time is after a connection has been established but before
740 * authentication. activep is initialized to 2 and global config directives
741 * are ignored since they have already been processed. If the criteria in a
742 Match block are met, activep is set and the subsequent directives
743 * processed and actioned until EOF or another Match block unsets it. Any
744 * options set are copied into the main server config.
746 * Potential additions/improvements:
747 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
749 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
750 * Match Address 192.168.0.*
755 * AllowTcpForwarding yes
756 * GatewayPorts clientspecified
759 * - Add a PermittedChannelRequests directive
761 * PermittedChannelRequests session,forwarded-tcpip
/*
 * match_cfg_line_group(): evaluate a "Match Group" pattern list for a user.
 * The user is looked up with getpwnam(), the user's group membership is
 * loaded with ga_init(), and the list is matched with
 * ga_match_pattern_list().  The debug messages distinguish four outcomes
 * (unknown user, user in no group, no match, match); the actual return
 * values for each, the declaration of `pw`, and the braces are on lines not
 * shown.
 *
 * @param grps  comma-separated group pattern list from the Match line
 * @param line  config line number, for diagnostics only
 * @param user  login name being authenticated (already non-NULL per the
 *              caller's check)
 */
765 match_cfg_line_group(const char *grps, int line, const char *user)
/* A user that does not exist locally cannot be in any group: treat as no match. */
773 if ((pw = getpwnam(user)) == NULL) {
774 debug("Can't match group at line %d because user %.100s does "
775 "not exist", line, user);
776 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
777 debug("Can't Match group because user %.100s not in any group "
778 "at line %d", user, line);
779 } else if (ga_match_pattern_list(grps) != 1) {
/* "%.100s" bounds how much of the attacker-influenced name reaches the log. */
780 debug("user %.100s does not match group list %.100s at line %d",
783 debug("user %.100s matched group list %.100s at line %d", user,
/*
 * match_cfg_line(): evaluate the criteria of one "Match" line.
 *
 * Attributes are read from *condition with strdelim() in "name value" pairs
 * and ANDed: `result` starts at 1 and is cleared by any non-matching
 * attribute (the `result = 0` statements are on lines not shown).  When ci
 * is NULL the line is only syntax-checked — every attribute branch tests
 * for that — which is the first, pre-connection pass described in the
 * comment block above.  Supported attributes: All, User, Group, Host,
 * Address, LocalAddress, LocalPort.  Errors (unknown attribute, missing
 * value, "All" combined with anything else, bad port, no attributes at all)
 * are logged with error(); their return statements are on lines not shown,
 * as is the final return of `result`.
 *
 * @param condition  in/out: pointer to the remaining text of the Match
 *                   line; advanced as attributes are consumed
 * @param line       config line number, for diagnostics only
 * @param ci         connection facts to match against, or NULL for a
 *                   syntax-only pass
 */
793 * All of the attributes on a single Match line are ANDed together, so we need
794 * to check every attribute and set the result to zero if any attribute does
798 match_cfg_line(char **condition, int line, struct connection_info *ci)
800 int result = 1, attributes = 0, port;
801 char *arg, *attrib, *cp = *condition;
/* The `if (ci == NULL) ... else` that selects between these two debug3 calls is not shown. */
804 debug3("checking syntax for 'Match %s'", cp);
806 debug3("checking match for '%s' user %s host %s addr %s "
807 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
808 ci->host ? ci->host : "(null)",
809 ci->address ? ci->address : "(null)",
810 ci->laddress ? ci->laddress : "(null)", ci->lport);
812 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
/* "All" must be the sole attribute: it is valid only as attribute #1 with nothing after it. */
814 if (strcasecmp(attrib, "all") == 0) {
815 if (attributes != 1 ||
816 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
817 error("'all' cannot be combined with other "
/* Every other attribute needs a value token. */
824 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
825 error("Missing Match criteria for %s", attrib);
828 if (strcasecmp(attrib, "user") == 0) {
829 if (ci == NULL || ci->user == NULL) {
/* Pattern-list match on the login name; the non-match branch (result = 0) is not shown. */
833 if (match_pattern_list(ci->user, arg, 0) != 1)
836 debug("user %.100s matched 'User %.100s' at "
837 "line %d", ci->user, arg, line);
838 } else if (strcasecmp(attrib, "group") == 0) {
839 if (ci == NULL || ci->user == NULL) {
/* Group matching is delegated; the case labels of this switch are not shown. */
843 switch (match_cfg_line_group(arg, line, ci->user)) {
849 } else if (strcasecmp(attrib, "host") == 0) {
850 if (ci == NULL || ci->host == NULL) {
/* Host compares the (possibly DNS-derived) canonical name, so its strength depends on UseDNS. */
854 if (match_hostname(ci->host, arg) != 1)
857 debug("connection from %.100s matched 'Host "
858 "%.100s' at line %d", ci->host, arg, line);
859 } else if (strcasecmp(attrib, "address") == 0) {
860 if (ci == NULL || ci->address == NULL) {
/* addr_match_list() handles address/CIDR lists; its non-match and error cases are not shown. */
864 switch (addr_match_list(ci->address, arg)) {
866 debug("connection from %.100s matched 'Address "
867 "%.100s' at line %d", ci->address, arg, line);
876 } else if (strcasecmp(attrib, "localaddress") == 0){
877 if (ci == NULL || ci->laddress == NULL) {
881 switch (addr_match_list(ci->laddress, arg)) {
883 debug("connection from %.100s matched "
884 "'LocalAddress %.100s' at line %d",
885 ci->laddress, arg, line);
894 } else if (strcasecmp(attrib, "localport") == 0) {
/* The port is validated even in syntax-only mode, before ci is consulted. */
895 if ((port = a2port(arg)) == -1) {
896 error("Invalid LocalPort '%s' on Match line",
900 if (ci == NULL || ci->lport == 0) {
904 /* TODO support port lists */
905 if (port == ci->lport)
906 debug("connection from %.100s matched "
907 "'LocalPort %d' at line %d",
908 ci->laddress, port, line);
/* Unknown attribute names are rejected rather than ignored (fail closed). */
912 error("Unsupported Match attribute %s", attrib);
916 if (attributes == 0) {
917 error("One or more attributes required for Match");
921 debug3("match %sfound", result ? "" : "not ");
/* Delimiter set used when tokenising config lines. */
926 #define WHITESPACE " \t\r\n"
928 /* Multistate option parsing */
/*
 * Keyword/value tables for options that accept a fixed set of words.  The
 * `struct multistate` definition, several entries, and each table's
 * terminator are on lines not shown; lookup is case-insensitive (see the
 * strcasecmp loop at the end of this listing).
 */
933 static const struct multistate multistate_addressfamily[] = {
935 { "inet6", AF_INET6 },
936 { "any", AF_UNSPEC },
/* "without-password" is the older spelling of "prohibit-password"; both map to the same mode. */
939 static const struct multistate multistate_permitrootlogin[] = {
940 { "without-password", PERMIT_NO_PASSWD },
941 { "prohibit-password", PERMIT_NO_PASSWD },
942 { "forced-commands-only", PERMIT_FORCED_ONLY },
943 { "yes", PERMIT_YES },
947 static const struct multistate multistate_compression[] = {
948 { "delayed", COMP_DELAYED },
949 { "yes", COMP_ZLIB },
953 static const struct multistate multistate_gatewayports[] = {
954 { "clientspecified", 2 },
/*
 * Note the mapping: a plain "yes" selects PRIVSEP_NOSANDBOX; the sandboxed
 * mode (the default chosen in fill_default_server_options()) has to be
 * requested as "sandbox".
 */
959 static const struct multistate multistate_privsep[] = {
960 { "yes", PRIVSEP_NOSANDBOX },
961 { "sandbox", PRIVSEP_ON },
962 { "nosandbox", PRIVSEP_NOSANDBOX },
963 { "no", PRIVSEP_OFF },
/* "yes" and "all" are synonyms; "remote"/"local" restrict the direction. */
966 static const struct multistate multistate_tcpfwd[] = {
967 { "yes", FORWARD_ALLOW },
968 { "all", FORWARD_ALLOW },
969 { "no", FORWARD_DENY },
970 { "remote", FORWARD_REMOTE },
971 { "local", FORWARD_LOCAL },
/*
 * Parse one sshd_config line (or one -o command-line directive) into
 * *options.
 *
 * activep == NULL means a command-line directive.  Otherwise *activep
 * tells whether the enclosing Match block currently applies: most cases
 * only store a value when *activep is non-zero AND the field still holds
 * its initialize_server_options() default (-1 or NULL), so the first
 * setting of an option wins and later ones are ignored.
 * connectinfo == NULL is the initial whole-file pass; non-NULL is the
 * per-connection Match re-pass over a fresh ServerOptions.
 *
 * Anything left on the line after a directive's arguments is fatal
 * ("garbage at end of line").  The caller counts a non-zero return as a
 * bad option; the return statements themselves are missing from this
 * listing.
 */
976 process_server_config_line(ServerOptions *options, char *line,
977 const char *filename, int linenum, int *activep,
978 struct connection_info *connectinfo)
/* intptr/charptr are per-case scratch pointers; note intptr is not initialized here. */
980 char *cp, **charptr, *arg, *p;
981 int cmdline = 0, *intptr, value, value2, n, port;
982 SyslogFacility *log_facility_ptr;
983 LogLevel *log_level_ptr;
984 ServerOpCodes opcode;
988 const struct multistate *multistate_ptr;
991 if ((arg = strdelim(&cp)) == NULL)
993 /* Ignore leading whitespace */
996 if (!arg || !*arg || *arg == '#')
1000 opcode = parse_token(arg, filename, linenum, &flags);
1002 if (activep == NULL) { /* We are processing a command line directive */
/* The remainder of the line is logged at debug3 for every active directive. */
1006 if (*activep && opcode != sMatch)
1007 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
/*
 * Directives not flagged SSHCFG_MATCH may only appear outside a Match
 * block.  On the initial pass (connectinfo == NULL) that is a hard error;
 * on the Match re-pass they were already applied globally and are skipped.
 */
1008 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1009 if (connectinfo == NULL) {
1010 fatal("%s line %d: Directive '%s' is not allowed "
1011 "within a Match block", filename, linenum, arg);
1012 } else { /* this is a directive we have already processed */
1014 arg = strdelim(&cp);
1020 /* Portable-specific options */
1022 intptr = &options->use_pam;
1025 /* Standard Options */
/* Port: -p on the command line takes precedence over every Port line. */
1029 /* ignore ports from configfile if cmdline specifies ports */
1030 if (options->ports_from_cmdline)
1032 if (options->num_ports >= MAX_PORTS)
1033 fatal("%s line %d: too many ports.",
1035 arg = strdelim(&cp);
1036 if (!arg || *arg == '\0')
1037 fatal("%s line %d: missing port number.",
1039 options->ports[options->num_ports++] = a2port(arg);
1040 if (options->ports[options->num_ports-1] <= 0)
1041 fatal("%s line %d: Badly formatted port number.",
1045 case sServerKeyBits:
1046 intptr = &options->server_key_bits;
1048 arg = strdelim(&cp);
1049 if (!arg || *arg == '\0')
1050 fatal("%s line %d: missing integer value.",
/* Shared parse_int tail: store only when active and still unset. */
1053 if (*activep && *intptr == -1)
1057 case sLoginGraceTime:
1058 intptr = &options->login_grace_time;
1060 arg = strdelim(&cp);
1061 if (!arg || *arg == '\0')
1062 fatal("%s line %d: missing time value.",
1064 if ((value = convtime(arg)) == -1)
1065 fatal("%s line %d: invalid time value.",
1067 if (*activep && *intptr == -1)
1071 case sKeyRegenerationTime:
1072 intptr = &options->key_regeneration_time;
/*
 * ListenAddress accepts "host", "host:port", "[v6]:port" or a bare IPv6
 * address.  Addresses are only queued here; they are resolved later by
 * process_queued_listen_addrs() once all Port lines are known.
 */
1075 case sListenAddress:
1076 arg = strdelim(&cp);
1077 if (arg == NULL || *arg == '\0')
1078 fatal("%s line %d: missing address",
1080 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
1081 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1082 && strchr(p+1, ':') != NULL) {
1083 queue_listen_addr(options, arg, 0);
1088 fatal("%s line %d: bad address:port usage",
1090 p = cleanhostname(p);
1093 else if ((port = a2port(arg)) <= 0)
1094 fatal("%s line %d: bad port number", filename, linenum);
1096 queue_listen_addr(options, p, port);
1100 case sAddressFamily:
1101 intptr = &options->address_family;
1102 multistate_ptr = multistate_addressfamily;
/* Shared parse_multistate tail: case-insensitive table lookup, first-set wins. */
1104 arg = strdelim(&cp);
1105 if (!arg || *arg == '\0')
1106 fatal("%s line %d: missing argument.",
1109 for (i = 0; multistate_ptr[i].key != NULL; i++) {
1110 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1111 value = multistate_ptr[i].value;
1116 fatal("%s line %d: unsupported option \"%s\".",
1117 filename, linenum, arg);
1118 if (*activep && *intptr == -1)
/*
 * HostKey: bounded by MAX_HOSTKEYS.  The counter is only advanced when the
 * slot was actually filled, and paths are made absolute.
 */
1123 intptr = &options->num_host_key_files;
1124 if (*intptr >= MAX_HOSTKEYS)
1125 fatal("%s line %d: too many host keys specified (max %d).",
1126 filename, linenum, MAX_HOSTKEYS);
1127 charptr = &options->host_key_files[*intptr];
1129 arg = strdelim(&cp);
1130 if (!arg || *arg == '\0')
1131 fatal("%s line %d: missing file name.",
1133 if (*activep && *charptr == NULL) {
1134 *charptr = derelativise_path(arg);
1135 /* increase optional counter */
1137 *intptr = *intptr + 1;
/* HostKeyAgent: the literal SSH_AUTH_SOCK name is kept as-is; any other value becomes an absolute path. */
1142 charptr = &options->host_key_agent;
1143 arg = strdelim(&cp);
1144 if (!arg || *arg == '\0')
1145 fatal("%s line %d: missing socket name.",
1147 if (*activep && *charptr == NULL)
1148 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1149 xstrdup(arg) : derelativise_path(arg);
1152 case sHostCertificate:
1153 intptr = &options->num_host_cert_files;
1154 if (*intptr >= MAX_HOSTKEYS)
1155 fatal("%s line %d: too many host certificates "
1156 "specified (max %d).", filename, linenum,
1158 charptr = &options->host_cert_files[*intptr];
1159 goto parse_filename;
1163 charptr = &options->pid_file;
1164 goto parse_filename;
1166 case sPermitRootLogin:
1167 intptr = &options->permit_root_login;
1168 multistate_ptr = multistate_permitrootlogin;
1169 goto parse_multistate;
1172 intptr = &options->ignore_rhosts;
/* Shared parse_flag tail: strict "yes"/"no", case-sensitive. */
1174 arg = strdelim(&cp);
1175 if (!arg || *arg == '\0')
1176 fatal("%s line %d: missing yes/no argument.",
1178 value = 0; /* silence compiler */
1179 if (strcmp(arg, "yes") == 0)
1181 else if (strcmp(arg, "no") == 0)
1184 fatal("%s line %d: Bad yes/no argument: %s",
1185 filename, linenum, arg);
1186 if (*activep && *intptr == -1)
1190 case sIgnoreUserKnownHosts:
1191 intptr = &options->ignore_user_known_hosts;
1194 case sRhostsRSAAuthentication:
1195 intptr = &options->rhosts_rsa_authentication;
1198 case sHostbasedAuthentication:
1199 intptr = &options->hostbased_authentication;
1202 case sHostbasedUsesNameFromPacketOnly:
1203 intptr = &options->hostbased_uses_name_from_packet_only;
/*
 * Key-type lists: a leading '+' means "append to the built-in default";
 * the list after the '+' is validated here and expanded later by
 * assemble_algorithms().
 */
1206 case sHostbasedAcceptedKeyTypes:
1207 charptr = &options->hostbased_key_types;
1209 arg = strdelim(&cp);
1210 if (!arg || *arg == '\0')
1211 fatal("%s line %d: Missing argument.",
1213 if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1214 fatal("%s line %d: Bad key types '%s'.",
1215 filename, linenum, arg ? arg : "<NONE>");
1216 if (*activep && *charptr == NULL)
1217 *charptr = xstrdup(arg);
1220 case sHostKeyAlgorithms:
1221 charptr = &options->hostkeyalgorithms;
1222 goto parse_keytypes;
1224 case sRSAAuthentication:
1225 intptr = &options->rsa_authentication;
1228 case sPubkeyAuthentication:
1229 intptr = &options->pubkey_authentication;
1232 case sPubkeyAcceptedKeyTypes:
1233 charptr = &options->pubkey_key_types;
1234 goto parse_keytypes;
1236 case sKerberosAuthentication:
1237 intptr = &options->kerberos_authentication;
1240 case sKerberosOrLocalPasswd:
1241 intptr = &options->kerberos_or_local_passwd;
1244 case sKerberosTicketCleanup:
1245 intptr = &options->kerberos_ticket_cleanup;
1248 case sKerberosGetAFSToken:
1249 intptr = &options->kerberos_get_afs_token;
1252 case sGssAuthentication:
1253 intptr = &options->gss_authentication;
1256 case sGssCleanupCreds:
1257 intptr = &options->gss_cleanup_creds;
1260 case sGssStrictAcceptor:
1261 intptr = &options->gss_strict_acceptor;
1264 case sPasswordAuthentication:
1265 intptr = &options->password_authentication;
1268 case sKbdInteractiveAuthentication:
1269 intptr = &options->kbd_interactive_authentication;
1272 case sChallengeResponseAuthentication:
1273 intptr = &options->challenge_response_authentication;
1277 intptr = &options->print_motd;
1281 intptr = &options->print_lastlog;
1284 case sX11Forwarding:
1285 intptr = &options->x11_forwarding;
1288 case sX11DisplayOffset:
1289 intptr = &options->x11_display_offset;
1292 case sX11UseLocalhost:
1293 intptr = &options->x11_use_localhost;
1296 case sXAuthLocation:
1297 charptr = &options->xauth_location;
1298 goto parse_filename;
1301 intptr = &options->permit_tty;
1305 intptr = &options->permit_user_rc;
1309 intptr = &options->strict_modes;
1313 intptr = &options->tcp_keep_alive;
1317 intptr = &options->permit_empty_passwd;
1320 case sPermitUserEnvironment:
1321 intptr = &options->permit_user_env;
1325 intptr = &options->use_login;
1329 intptr = &options->compression;
1330 multistate_ptr = multistate_compression;
1331 goto parse_multistate;
/*
 * RekeyLimit: "default" leaves the limit at -1; otherwise a scaled byte
 * count that must be 0 or at least 16.  An optional second token is the
 * rekey interval, where "none" is consumed and discarded.
 */
1334 arg = strdelim(&cp);
1335 if (!arg || *arg == '\0')
1336 fatal("%.200s line %d: Missing argument.", filename,
1338 if (strcmp(arg, "default") == 0) {
1341 if (scan_scaled(arg, &val64) == -1)
1342 fatal("%.200s line %d: Bad number '%s': %s",
1343 filename, linenum, arg, strerror(errno));
1344 if (val64 != 0 && val64 < 16)
1345 fatal("%.200s line %d: RekeyLimit too small",
1348 if (*activep && options->rekey_limit == -1)
1349 options->rekey_limit = val64;
1350 if (cp != NULL) { /* optional rekey interval present */
1351 if (strcmp(cp, "none") == 0) {
1352 (void)strdelim(&cp); /* discard */
1355 intptr = &options->rekey_interval;
1361 intptr = &options->fwd_opts.gateway_ports;
1362 multistate_ptr = multistate_gatewayports;
1363 goto parse_multistate;
1366 intptr = &options->use_dns;
/*
 * LogFacility / LogLevel are not gated on *activep: the first value seen on
 * a pass sticks.  The keyword table (not shown here) presumably restricts
 * them to the global section.
 */
1370 log_facility_ptr = &options->log_facility;
1371 arg = strdelim(&cp);
1372 value = log_facility_number(arg);
1373 if (value == SYSLOG_FACILITY_NOT_SET)
1374 fatal("%.200s line %d: unsupported log facility '%s'",
1375 filename, linenum, arg ? arg : "<NONE>");
1376 if (*log_facility_ptr == -1)
1377 *log_facility_ptr = (SyslogFacility) value;
1381 log_level_ptr = &options->log_level;
1382 arg = strdelim(&cp);
1383 value = log_level_number(arg);
1384 if (value == SYSLOG_LEVEL_NOT_SET)
1385 fatal("%.200s line %d: unsupported log level '%s'",
1386 filename, linenum, arg ? arg : "<NONE>");
1387 if (*log_level_ptr == -1)
1388 *log_level_ptr = (LogLevel) value;
1391 case sAllowTcpForwarding:
1392 intptr = &options->allow_tcp_forwarding;
1393 multistate_ptr = multistate_tcpfwd;
1394 goto parse_multistate;
1396 case sAllowStreamLocalForwarding:
1397 intptr = &options->allow_streamlocal_forwarding;
1398 multistate_ptr = multistate_tcpfwd;
1399 goto parse_multistate;
1401 case sAllowAgentForwarding:
1402 intptr = &options->allow_agent_forwarding;
/*
 * UsePrivilegeSeparation writes the file-level global use_privsep rather
 * than a ServerOptions field, so it cannot be copied per-Match.  Remember
 * that "yes" means PRIVSEP_NOSANDBOX (see multistate_privsep).
 */
1405 case sUsePrivilegeSeparation:
1406 intptr = &use_privsep;
1407 multistate_ptr = multistate_privsep;
1408 goto parse_multistate;
/* Allow/Deny Users/Groups: appended (not first-wins), each bounded by its MAX_* constant. */
1411 while ((arg = strdelim(&cp)) && *arg != '\0') {
1412 if (options->num_allow_users >= MAX_ALLOW_USERS)
1413 fatal("%s line %d: too many allow users.",
1417 options->allow_users[options->num_allow_users++] =
1423 while ((arg = strdelim(&cp)) && *arg != '\0') {
1424 if (options->num_deny_users >= MAX_DENY_USERS)
1425 fatal("%s line %d: too many deny users.",
1429 options->deny_users[options->num_deny_users++] =
1435 while ((arg = strdelim(&cp)) && *arg != '\0') {
1436 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1437 fatal("%s line %d: too many allow groups.",
1441 options->allow_groups[options->num_allow_groups++] =
1447 while ((arg = strdelim(&cp)) && *arg != '\0') {
1448 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1449 fatal("%s line %d: too many deny groups.",
1453 options->deny_groups[options->num_deny_groups++] =
/*
 * Ciphers / MACs / KexAlgorithms: validated against the built-in algorithm
 * lists, with the same '+' append convention as the key-type options.
 * Stored first-wins without consulting *activep.
 */
1459 arg = strdelim(&cp);
1460 if (!arg || *arg == '\0')
1461 fatal("%s line %d: Missing argument.", filename, linenum);
1462 if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
1463 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1464 filename, linenum, arg ? arg : "<NONE>");
1465 if (options->ciphers == NULL)
1466 options->ciphers = xstrdup(arg);
1470 arg = strdelim(&cp);
1471 if (!arg || *arg == '\0')
1472 fatal("%s line %d: Missing argument.", filename, linenum);
1473 if (!mac_valid(*arg == '+' ? arg + 1 : arg))
1474 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1475 filename, linenum, arg ? arg : "<NONE>");
1476 if (options->macs == NULL)
1477 options->macs = xstrdup(arg);
1480 case sKexAlgorithms:
1481 arg = strdelim(&cp);
1482 if (!arg || *arg == '\0')
1483 fatal("%s line %d: Missing argument.",
1485 if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
1486 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1487 filename, linenum, arg ? arg : "<NONE>");
1488 if (options->kex_algorithms == NULL)
1489 options->kex_algorithms = xstrdup(arg);
/* Protocol: first-wins, keyed on SSH_PROTO_UNKNOWN rather than -1. */
1493 intptr = &options->protocol;
1494 arg = strdelim(&cp);
1495 if (!arg || *arg == '\0')
1496 fatal("%s line %d: Missing argument.", filename, linenum);
1497 value = proto_spec(arg);
1498 if (value == SSH_PROTO_UNKNOWN)
1499 fatal("%s line %d: Bad protocol spec '%s'.",
1500 filename, linenum, arg ? arg : "<NONE>");
1501 if (*intptr == SSH_PROTO_UNKNOWN)
/*
 * Subsystem: name must be unique; the command is stored separately from a
 * space-joined copy of command plus arguments (subsystem_args).
 */
1506 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1507 fatal("%s line %d: too many subsystems defined.",
1510 arg = strdelim(&cp);
1511 if (!arg || *arg == '\0')
1512 fatal("%s line %d: Missing subsystem name.",
1515 arg = strdelim(&cp);
1518 for (i = 0; i < options->num_subsystems; i++)
1519 if (strcmp(arg, options->subsystem_name[i]) == 0)
1520 fatal("%s line %d: Subsystem '%s' already defined.",
1521 filename, linenum, arg);
1522 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1523 arg = strdelim(&cp);
1524 if (!arg || *arg == '\0')
1525 fatal("%s line %d: Missing subsystem command.",
1527 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1529 /* Collect arguments (separate to executable) */
1531 len = strlen(p) + 1;
1532 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1533 len += 1 + strlen(arg);
1534 p = xreallocarray(p, 1, len);
1535 strlcat(p, " ", len);
1536 strlcat(p, arg, len);
1538 options->subsystem_args[options->num_subsystems] = p;
1539 options->num_subsystems++;
/*
 * MaxStartups: "start:rate:full" requires 1 <= rate <= 100 and
 * start <= full; a single integer sets start and full to the same value.
 * Written straight into options by sscanf, independent of *activep.
 */
1543 arg = strdelim(&cp);
1544 if (!arg || *arg == '\0')
1545 fatal("%s line %d: Missing MaxStartups spec.",
1547 if ((n = sscanf(arg, "%d:%d:%d",
1548 &options->max_startups_begin,
1549 &options->max_startups_rate,
1550 &options->max_startups)) == 3) {
1551 if (options->max_startups_begin >
1552 options->max_startups ||
1553 options->max_startups_rate > 100 ||
1554 options->max_startups_rate < 1)
1555 fatal("%s line %d: Illegal MaxStartups spec.",
1558 fatal("%s line %d: Illegal MaxStartups spec.",
1561 options->max_startups = options->max_startups_begin;
1565 intptr = &options->max_authtries;
1569 intptr = &options->max_sessions;
1573 charptr = &options->banner;
1574 goto parse_filename;
1577 * These options can contain %X options expanded at
1578 * connect time, so that you can specify paths like:
1580 * AuthorizedKeysFile /etc/ssh_keys/%u
/*
 * Only the first AuthorizedKeysFile line that is active is honoured (the
 * whole list, not individual entries).  '~' is expanded here against
 * sshd's own uid; '%' tokens are left for connect time.
 */
1582 case sAuthorizedKeysFile:
1583 if (*activep && options->num_authkeys_files == 0) {
1584 while ((arg = strdelim(&cp)) && *arg != '\0') {
1585 if (options->num_authkeys_files >=
1587 fatal("%s line %d: "
1588 "too many authorized keys files.",
1590 options->authorized_keys_files[
1591 options->num_authkeys_files++] =
1592 tilde_expand_filename(arg, getuid());
/*
 * NOTE(review): the "increase optional counter" below dereferences intptr,
 * but nothing in this case assigns it and the declaration at the top of
 * the function leaves it uninitialized (one line of the original between
 * the comment and the increment is missing from this listing; if it is a
 * NULL test it still reads an uninitialized pointer).  It looks like a
 * copy of the HostKey case, where intptr is the key counter.  Confirm and
 * drop the increment if so.
 */
1597 case sAuthorizedPrincipalsFile:
1598 charptr = &options->authorized_principals_file;
1599 arg = strdelim(&cp);
1600 if (!arg || *arg == '\0')
1601 fatal("%s line %d: missing file name.",
1603 if (*activep && *charptr == NULL) {
1604 *charptr = tilde_expand_filename(arg, getuid());
1605 /* increase optional counter */
1607 *intptr = *intptr + 1;
1611 case sClientAliveInterval:
1612 intptr = &options->client_alive_interval;
1615 case sClientAliveCountMax:
1616 intptr = &options->client_alive_count_max;
/* AcceptEnv: names may not contain '='; appended, bounded by MAX_ACCEPT_ENV. */
1620 while ((arg = strdelim(&cp)) && *arg != '\0') {
1621 if (strchr(arg, '=') != NULL)
1622 fatal("%s line %d: Invalid environment name.",
1624 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1625 fatal("%s line %d: too many allow env.",
1629 options->accept_env[options->num_accept_env++] =
/* PermitTunnel: looked up case-sensitively in tunmode_desc; first-wins. */
1635 intptr = &options->permit_tun;
1636 arg = strdelim(&cp);
1637 if (!arg || *arg == '\0')
1638 fatal("%s line %d: Missing yes/point-to-point/"
1639 "ethernet/no argument.", filename, linenum);
1641 for (i = 0; tunmode_desc[i].val != -1; i++)
1642 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1643 value = tunmode_desc[i].val;
1647 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1648 "no argument: %s", filename, linenum, arg);
1649 if (*activep && *intptr == -1)
/*
 * Match: evaluates the condition against connectinfo and flips *activep
 * for the lines that follow.  Rejected on the command line.
 */
1655 fatal("Match directive not supported as a command-line "
1657 value = match_cfg_line(&cp, linenum, connectinfo);
1659 fatal("%s line %d: Bad Match condition", filename,
/*
 * PermitOpen: num_permitted_opens == -1 means "not yet set".  "any" clears
 * the admin list, "none" disables local opens entirely, otherwise each
 * host:port token is added.  Only the first active PermitOpen counts.
 */
1665 arg = strdelim(&cp);
1666 if (!arg || *arg == '\0')
1667 fatal("%s line %d: missing PermitOpen specification",
1669 n = options->num_permitted_opens; /* modified later */
1670 if (strcmp(arg, "any") == 0) {
1671 if (*activep && n == -1) {
1672 channel_clear_adm_permitted_opens();
1673 options->num_permitted_opens = 0;
1677 if (strcmp(arg, "none") == 0) {
1678 if (*activep && n == -1) {
1679 options->num_permitted_opens = 1;
1680 channel_disable_adm_local_opens();
1684 if (*activep && n == -1)
1685 channel_clear_adm_permitted_opens();
1686 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1689 fatal("%s line %d: missing host in PermitOpen",
1691 p = cleanhostname(p);
1692 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1693 fatal("%s line %d: bad port number in "
1694 "PermitOpen", filename, linenum);
1695 if (*activep && n == -1)
1696 options->num_permitted_opens =
1697 channel_add_adm_permitted_opens(p, port);
/* ForceCommand: the rest of the line, verbatim, with leading blanks removed. */
1702 if (cp == NULL || *cp == '\0')
1703 fatal("%.200s line %d: Missing argument.", filename,
1705 len = strspn(cp, WHITESPACE);
1706 if (*activep && options->adm_forced_command == NULL)
1707 options->adm_forced_command = xstrdup(cp + len);
/* ChrootDirectory is stored without path normalisation; '%' tokens are expanded later. */
1710 case sChrootDirectory:
1711 charptr = &options->chroot_directory;
1713 arg = strdelim(&cp);
1714 if (!arg || *arg == '\0')
1715 fatal("%s line %d: missing file name.",
1717 if (*activep && *charptr == NULL)
1718 *charptr = xstrdup(arg);
1721 case sTrustedUserCAKeys:
1722 charptr = &options->trusted_user_ca_keys;
1723 goto parse_filename;
1726 charptr = &options->revoked_keys_file;
1727 goto parse_filename;
/* IPQoS: one value applies to both classes, two values are interactive then bulk. */
1730 arg = strdelim(&cp);
1731 if ((value = parse_ipqos(arg)) == -1)
1732 fatal("%s line %d: Bad IPQoS value: %s",
1733 filename, linenum, arg);
1734 arg = strdelim(&cp);
1737 else if ((value2 = parse_ipqos(arg)) == -1)
1738 fatal("%s line %d: Bad IPQoS value: %s",
1739 filename, linenum, arg);
1741 options->ip_qos_interactive = value;
1742 options->ip_qos_bulk = value2;
/*
 * VersionAddendum: "none" stores an empty string.  A carriage return is
 * rejected, presumably because the text is appended to the single-line
 * version string sent on the wire.
 */
1746 case sVersionAddendum:
1747 if (cp == NULL || *cp == '\0')
1748 fatal("%.200s line %d: Missing argument.", filename,
1750 len = strspn(cp, WHITESPACE);
1751 if (*activep && options->version_addendum == NULL) {
1752 if (strcasecmp(cp + len, "none") == 0)
1753 options->version_addendum = xstrdup("");
1754 else if (strchr(cp + len, '\r') != NULL)
1755 fatal("%.200s line %d: Invalid argument",
1758 options->version_addendum = xstrdup(cp + len);
/*
 * AuthorizedKeysCommand / AuthorizedPrincipalsCommand must start with '/'
 * (or be "none"): the program sshd later executes is never resolved via a
 * search path.  The whole remainder of the line, arguments included, is
 * kept.
 */
1762 case sAuthorizedKeysCommand:
1764 fatal("%.200s line %d: Missing argument.", filename,
1766 len = strspn(cp, WHITESPACE);
1767 if (*activep && options->authorized_keys_command == NULL) {
1768 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1769 fatal("%.200s line %d: AuthorizedKeysCommand "
1770 "must be an absolute path",
1772 options->authorized_keys_command = xstrdup(cp + len);
1776 case sAuthorizedKeysCommandUser:
1777 charptr = &options->authorized_keys_command_user;
1779 arg = strdelim(&cp);
1780 if (!arg || *arg == '\0')
1781 fatal("%s line %d: missing AuthorizedKeysCommandUser "
1782 "argument.", filename, linenum);
1783 if (*activep && *charptr == NULL)
1784 *charptr = xstrdup(arg);
1787 case sAuthorizedPrincipalsCommand:
1789 fatal("%.200s line %d: Missing argument.", filename,
1791 len = strspn(cp, WHITESPACE);
1793 options->authorized_principals_command == NULL) {
1794 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1795 fatal("%.200s line %d: "
1796 "AuthorizedPrincipalsCommand must be "
1797 "an absolute path", filename, linenum);
1798 options->authorized_principals_command =
1803 case sAuthorizedPrincipalsCommandUser:
1804 charptr = &options->authorized_principals_command_user;
1806 arg = strdelim(&cp);
1807 if (!arg || *arg == '\0')
1808 fatal("%s line %d: missing "
1809 "AuthorizedPrincipalsCommandUser argument.",
1811 if (*activep && *charptr == NULL)
1812 *charptr = xstrdup(arg);
/*
 * NOTE(review): unlike the other Match-capable list options (compare
 * AuthorizedKeysFile above, which tests *activep), this case only checks
 * that the list is still empty.  parse_server_config() runs Match bodies
 * with *activep == 0 on the initial pass and starts every re-pass at 0,
 * so the first AuthenticationMethods encountered on a pass is stored
 * whether or not its Match block applies.  If the keyword table (not shown
 * here) allows this directive inside Match, the condition should read
 * `if (*activep && options->num_auth_methods == 0)`.
 */
1815 case sAuthenticationMethods:
1816 if (options->num_auth_methods == 0) {
1817 while ((arg = strdelim(&cp)) && *arg != '\0') {
1818 if (options->num_auth_methods >=
1820 fatal("%s line %d: "
1821 "too many authentication methods.",
1823 if (auth2_methods_valid(arg, 0) != 0)
1824 fatal("%s line %d: invalid "
1825 "authentication method list.",
1829 options->auth_methods[
1830 options->num_auth_methods++] = xstrdup(arg);
/*
 * StreamLocalBindMask: octal.  Only a completely non-numeric token and the
 * 0..0777 range are rejected; strtol stops at the first non-octal
 * character, so trailing junk inside the token (e.g. "0600x") is silently
 * ignored.  A `*p != '\0'` check would close that.
 */
1835 case sStreamLocalBindMask:
1836 arg = strdelim(&cp);
1837 if (!arg || *arg == '\0')
1838 fatal("%s line %d: missing StreamLocalBindMask "
1839 "argument.", filename, linenum);
1840 /* Parse mode in octal format */
1841 value = strtol(arg, &p, 8);
1842 if (arg == p || value < 0 || value > 0777)
1843 fatal("%s line %d: Bad mask.", filename, linenum);
1845 options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
1848 case sStreamLocalBindUnlink:
1849 intptr = &options->fwd_opts.streamlocal_bind_unlink;
/* FingerprintHash: any digest ssh_digest_alg_by_name() knows; written unconditionally. */
1852 case sFingerprintHash:
1853 arg = strdelim(&cp);
1854 if (!arg || *arg == '\0')
1855 fatal("%.200s line %d: Missing argument.",
1857 if ((value = ssh_digest_alg_by_name(arg)) == -1)
1858 fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1859 filename, linenum, arg);
1861 options->fingerprint_hash = value;
/*
 * Deprecated and unsupported keywords are logged rather than fatal; the
 * remaining tokens appear to be consumed so the trailing-garbage check
 * below does not fire for them.
 */
1865 logit("%s line %d: Deprecated option %s",
1866 filename, linenum, arg);
1868 arg = strdelim(&cp);
1872 logit("%s line %d: Unsupported option %s",
1873 filename, linenum, arg);
1875 arg = strdelim(&cp);
1879 fatal("%s line %d: Missing handler for opcode %s (%d)",
1880 filename, linenum, arg, opcode);
/* Any token left after a directive's arguments is a hard error. */
1882 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1883 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1884 filename, linenum, arg);
1888 /* Reads the server configuration file. */
/*
 * Read filename into conf as a pre-processed copy of the file: each line
 * has its comment cut at the first '#' and leading blanks removed, but
 * every newline is kept so that later error messages can report the
 * original line numbers.  A line that fills the 4096-byte buffer is
 * fatal.  The '#' cut is unconditional and happens before any
 * tokenizing, so a '#' inside a value also starts a comment.  The
 * fopen-failure body, fclose and the return are not shown in this
 * listing.
 */
1891 load_server_config(const char *filename, Buffer *conf)
1893 char line[4096], *cp;
1897 debug2("%s: filename %s", __func__, filename);
1898 if ((f = fopen(filename, "r")) == NULL) {
1903 while (fgets(line, sizeof(line), f)) {
/* fgets filling the buffer means the line was longer than we will accept. */
1905 if (strlen(line) == sizeof(line) - 1)
1906 fatal("%s line %d too long", filename, lineno);
1908 * Trim out comments and strip whitespace
1909 * NB - preserve newlines, they are needed to reproduce
1910 * line numbers later for error messages
/* Replace the '#' with "\n\0" so the newline survives the cut. */
1912 if ((cp = strchr(line, '#')) != NULL)
1913 memcpy(cp, "\n", 2);
1914 cp = line + strspn(line, " \t\r");
1916 buffer_append(conf, cp, strlen(cp));
/* NUL-terminate so the buffer can be treated as one C string by parse_server_config(). */
1918 buffer_append(conf, "\0", 1);
1920 debug2("%s: done config len = %d", __func__, buffer_len(conf));
/*
 * Re-run the saved configuration for a specific connection.  A fresh
 * ServerOptions (mo) is parsed with connectinfo so that only matching
 * Match blocks are active, then the values it picked up are folded into
 * options by copy_set_server_options() with preauth == 0.  The
 * declaration of mo and the braces are missing from this listing.
 */
1924 parse_server_match_config(ServerOptions *options,
1925 struct connection_info *connectinfo)
1929 initialize_server_options(&mo);
1930 parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1931 copy_set_server_options(options, &mo, 0);
/*
 * Parse a test-mode connection spec of the form
 * "addr=...,host=...,user=...,laddr=...,lport=..." into *ci.
 * strsep() modifies spec in place.  Each value is strdup'd without
 * freeing a previous one, so a repeated key leaks its predecessor
 * (harmless in test mode).  The return statements and the final
 * error-path lines are not shown in this listing.
 */
1934 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1938 while ((p = strsep(&spec, ",")) && *p != '\0') {
1939 if (strncmp(p, "addr=", 5) == 0) {
1940 ci->address = xstrdup(p + 5);
1941 } else if (strncmp(p, "host=", 5) == 0) {
1942 ci->host = xstrdup(p + 5);
1943 } else if (strncmp(p, "user=", 5) == 0) {
1944 ci->user = xstrdup(p + 5);
1945 } else if (strncmp(p, "laddr=", 6) == 0) {
1946 ci->laddress = xstrdup(p + 6);
1947 } else if (strncmp(p, "lport=", 6) == 0) {
/* a2port() signals an unparsable port with -1. */
1948 ci->lport = a2port(p + 6);
1949 if (ci->lport == -1) {
1950 fprintf(stderr, "Invalid port '%s' in test mode"
1951 " specification %s\n", p+6, p);
1955 fprintf(stderr, "Invalid test mode specification %s\n",
1964 * returns 1 for a complete spec, 0 for partial spec and -1 for an
/*
 * Classify a test-mode connection spec by how many of the three
 * Match-relevant fields (user, host, address) are filled in.
 *
 * Returns 1 when all three are present, -1 when none of them is, and 0
 * for a partially specified spec.  laddress/lport are not considered.
 */
int server_match_spec_complete(struct connection_info *ci)
{
	int nset = 0;

	if (ci->user != NULL)
		nset++;
	if (ci->host != NULL)
		nset++;
	if (ci->address != NULL)
		nset++;

	if (nset == 3)
		return 1;	/* complete */
	if (nset == 0)
		return -1;	/* empty */
	return 0;		/* partial */
}
1977 * Copy any supported values that are set.
1979 * If the preauth flag is set, we do not bother copying the string or
1980 * array values that are not used pre-authentication, because any that we
1981 * do use must be explicitly sent in mm_getpwnamallow().
/*
 * Merge the options collected by a Match re-pass (src) into the global
 * options (dst).  Integer options come first, then the Match-capable
 * string/array options, then '+'-list expansion; the string options that
 * are only needed after authentication follow and are skipped when
 * preauth is set (that early return is not visible in this listing).
 * The M_CP_* macro bodies are also mostly missing here; from what is
 * shown, a value is copied only when src actually has it set.
 */
1984 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1986 #define M_CP_INTOPT(n) do {\
1991 M_CP_INTOPT(password_authentication);
1992 M_CP_INTOPT(gss_authentication);
1993 M_CP_INTOPT(rsa_authentication);
1994 M_CP_INTOPT(pubkey_authentication);
1995 M_CP_INTOPT(kerberos_authentication);
1996 M_CP_INTOPT(hostbased_authentication);
1997 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1998 M_CP_INTOPT(kbd_interactive_authentication);
1999 M_CP_INTOPT(permit_root_login);
2000 M_CP_INTOPT(permit_empty_passwd);
2002 M_CP_INTOPT(allow_tcp_forwarding);
2003 M_CP_INTOPT(allow_streamlocal_forwarding);
2004 M_CP_INTOPT(allow_agent_forwarding);
2005 M_CP_INTOPT(permit_tun);
2006 M_CP_INTOPT(fwd_opts.gateway_ports);
2007 M_CP_INTOPT(x11_display_offset);
2008 M_CP_INTOPT(x11_forwarding);
2009 M_CP_INTOPT(x11_use_localhost);
2010 M_CP_INTOPT(permit_tty);
2011 M_CP_INTOPT(permit_user_rc);
2012 M_CP_INTOPT(max_sessions);
2013 M_CP_INTOPT(max_authtries);
2014 M_CP_INTOPT(ip_qos_interactive);
2015 M_CP_INTOPT(ip_qos_bulk);
2016 M_CP_INTOPT(rekey_limit);
2017 M_CP_INTOPT(rekey_interval);
/*
 * M_CP_STROPT skips the copy when dst already holds the very same pointer,
 * presumably to avoid freeing the string that is about to be duplicated.
 * M_CP_STRARRAYOPT replaces dst's whole array whenever src has any entries.
 */
2019 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2020 #define M_CP_STROPT(n) do {\
2021 if (src->n != NULL && dst->n != src->n) { \
2026 #define M_CP_STRARRAYOPT(n, num_n) do {\
2027 if (src->num_n != 0) { \
2028 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
2029 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
2033 /* See comment in servconf.h */
2034 COPY_MATCH_STRING_OPTS();
/* Must run after the string copies so a Match-supplied "+list" is expanded against the defaults. */
2036 /* Arguments that accept '+...' need to be expanded */
2037 assemble_algorithms(dst);
2040 * The only things that should be below this point are string options
2041 * which are only used after authentication.
/*
 * ForceCommand / ChrootDirectory: a Match block may set these to "none" to
 * cancel a global value; option_clear_or_none() detects that and the
 * field is reset to NULL after the copy.
 */
2046 /* These options may be "none" to clear a global setting */
2047 M_CP_STROPT(adm_forced_command);
2048 if (option_clear_or_none(dst->adm_forced_command)) {
2049 free(dst->adm_forced_command);
2050 dst->adm_forced_command = NULL;
2052 M_CP_STROPT(chroot_directory);
2053 if (option_clear_or_none(dst->chroot_directory)) {
2054 free(dst->chroot_directory);
2055 dst->chroot_directory = NULL;
2061 #undef M_CP_STRARRAYOPT
/*
 * Feed every line of the pre-processed config buffer to
 * process_server_config_line().
 *
 * `active` is the Match state handed to each line: on the initial pass
 * (connectinfo == NULL) it starts at 1 so global directives apply until
 * the first Match line; on a per-connection re-pass it starts at 0 so
 * only the bodies of matching Match blocks take effect.  Bad lines are
 * counted and reported together as a single fatal error, after which the
 * queued ListenAddress entries are resolved.  linenum's initialisation
 * and the free of obuf are not shown in this listing.
 */
2064 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
2065 struct connection_info *connectinfo)
2067 int active, linenum, bad_options = 0;
2068 char *cp, *obuf, *cbuf;
2070 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
/* Work on a private copy: strsep() writes NULs into it. */
2072 obuf = cbuf = xstrdup(buffer_ptr(conf));
2073 active = connectinfo ? 0 : 1;
2075 while ((cp = strsep(&cbuf, "\n")) != NULL) {
2076 if (process_server_config_line(options, cp, filename,
2077 linenum++, &active, connectinfo) != 0)
2081 if (bad_options > 0)
2082 fatal("%s: terminating, %d bad configuration options",
2083 filename, bad_options);
2084 process_queued_listen_addrs(options);
/*
 * Reverse lookup for a multistate table: return the keyword of the FIRST
 * entry whose value equals val.  For tables with aliases (e.g.
 * PermitRootLogin) that means the earlier spelling is always reported.
 * The return statements are not shown in this listing.
 */
2088 fmt_multistate_int(int val, const struct multistate *m)
2092 for (i = 0; m[i].key != NULL; i++) {
2093 if (m[i].value == val)
/*
 * Render an integer option value as the keyword that would produce it in
 * sshd_config, for the -T config dump.  Multistate options go through
 * their tables, FingerprintHash through the digest name table, and the
 * Protocol bitmask is handled case by case (only partly visible here).
 */
2100 fmt_intarg(ServerOpCodes code, int val)
2105 case sAddressFamily:
2106 return fmt_multistate_int(val, multistate_addressfamily);
2107 case sPermitRootLogin:
2108 return fmt_multistate_int(val, multistate_permitrootlogin);
2110 return fmt_multistate_int(val, multistate_gatewayports);
2112 return fmt_multistate_int(val, multistate_compression);
2113 case sUsePrivilegeSeparation:
2114 return fmt_multistate_int(val, multistate_privsep);
/* Both forwarding options share multistate_tcpfwd. */
2115 case sAllowTcpForwarding:
2116 return fmt_multistate_int(val, multistate_tcpfwd);
2117 case sAllowStreamLocalForwarding:
2118 return fmt_multistate_int(val, multistate_tcpfwd);
2119 case sFingerprintHash:
2120 return ssh_digest_alg_name(val);
2127 case (SSH_PROTO_1|SSH_PROTO_2):
/*
 * Map an opcode back to its configuration keyword by scanning the
 * keywords table; the first entry with that opcode wins.  The fallback
 * for an unknown opcode is not shown in this listing.
 */
2145 lookup_opcode_name(ServerOpCodes code)
2149 for (i = 0; keywords[i].name != NULL; i++)
2150 if (keywords[i].opcode == code)
2151 return(keywords[i].name);
/*
 * Print one integer option as "<keyword> <value>" on its own line, in the
 * form sshd_config would accept back.
 */
static void
dump_cfg_int(ServerOpCodes code, int val)
{
	const char *keyword = lookup_opcode_name(code);

	printf("%s %d\n", keyword, val);
}
/*
 * Print one mode-style option as "<keyword> 0<octal>" so the dumped value
 * re-parses as octal (used for StreamLocalBindMask).
 */
static void
dump_cfg_oct(ServerOpCodes code, int val)
{
	const char *keyword = lookup_opcode_name(code);

	printf("%s 0%o\n", keyword, val);
}
/*
 * Print one enumerated option as "<keyword> <symbolic value>", using
 * fmt_intarg() to turn the integer back into its config keyword.
 */
static void
dump_cfg_fmtint(ServerOpCodes code, int val)
{
	const char *keyword = lookup_opcode_name(code);
	const char *symbolic = fmt_intarg(code, val);

	printf("%s %s\n", keyword, symbolic);
}
/*
 * Print one string option as "<keyword> <value>".  An unset (NULL) value
 * is printed as "none" so that the dumped configuration stays re-parseable
 * for options that accept that keyword.  Two lines of the original body
 * are missing from this listing.
 */
2174 dump_cfg_string(ServerOpCodes code, const char *val)
2178 printf("%s %s\n", lookup_opcode_name(code),
2179 val == NULL ? "none" : val);
/*
 * Print a multi-valued option one entry per line, each as
 * "<keyword> <value>" (e.g. repeated HostKey or AllowUsers lines).
 * Prints nothing when count is 0.
 */
static void
dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
{
	u_int idx = 0;

	while (idx < count) {
		const char *keyword = lookup_opcode_name(code);

		printf("%s %s\n", keyword, vals[idx]);
		idx++;
	}
}
/*
 * Print a multi-valued option on a single line, keyword first and each
 * value separated by one space (AuthorizedKeysFile, AuthenticationMethods).
 * The terminating newline and the loop variable declaration are not shown
 * in this listing.
 */
2192 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2198 printf("%s", lookup_opcode_name(code));
2199 for (i = 0; i < count; i++)
2200 printf(" %s", vals[i]);
2205 dump_config(ServerOptions *o)
2209 struct addrinfo *ai;
2210 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2211 char *laddr1 = xstrdup(""), *laddr2 = NULL;
2213 /* these are usually at the top of the config */
2214 for (i = 0; i < o->num_ports; i++)
2215 printf("port %d\n", o->ports[i]);
2216 dump_cfg_fmtint(sProtocol, o->protocol);
2217 dump_cfg_fmtint(sAddressFamily, o->address_family);
2220 * ListenAddress must be after Port. add_one_listen_addr pushes
2221 * addresses onto a stack, so to maintain ordering we need to
2222 * print these in reverse order.
2224 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2225 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2226 sizeof(addr), port, sizeof(port),
2227 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2228 error("getnameinfo failed: %.100s",
2229 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2233 if (ai->ai_family == AF_INET6)
2234 xasprintf(&laddr1, "listenaddress [%s]:%s\n%s",
2235 addr, port, laddr2);
2237 xasprintf(&laddr1, "listenaddress %s:%s\n%s",
2238 addr, port, laddr2);
2242 printf("%s", laddr1);
2245 /* integer arguments */
2247 dump_cfg_fmtint(sUsePAM, o->use_pam);
2249 dump_cfg_int(sServerKeyBits, o->server_key_bits);
2250 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2251 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
2252 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2253 dump_cfg_int(sMaxAuthTries, o->max_authtries);
2254 dump_cfg_int(sMaxSessions, o->max_sessions);
2255 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2256 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2257 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2259 /* formatted integer arguments */
2260 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2261 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2262 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2263 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2264 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2265 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2266 o->hostbased_uses_name_from_packet_only);
2267 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
2268 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2270 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2271 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2272 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2274 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2278 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2279 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2281 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2282 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2283 o->kbd_interactive_authentication);
2284 dump_cfg_fmtint(sChallengeResponseAuthentication,
2285 o->challenge_response_authentication);
2286 dump_cfg_fmtint(sPrintMotd, o->print_motd);
2287 #ifndef DISABLE_LASTLOG
2288 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2290 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2291 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2292 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2293 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2294 dump_cfg_fmtint(sStrictModes, o->strict_modes);
2295 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2296 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2297 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2298 dump_cfg_fmtint(sUseLogin, o->use_login);
2299 dump_cfg_fmtint(sCompression, o->compression);
2300 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2301 dump_cfg_fmtint(sUseDNS, o->use_dns);
2302 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2303 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2304 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2305 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2306 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2308 /* string arguments */
2309 dump_cfg_string(sPidFile, o->pid_file);
2310 dump_cfg_string(sXAuthLocation, o->xauth_location);
2311 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
2312 dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
2313 dump_cfg_string(sBanner, o->banner);
2314 dump_cfg_string(sForceCommand, o->adm_forced_command);
2315 dump_cfg_string(sChrootDirectory, o->chroot_directory);
2316 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2317 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2318 dump_cfg_string(sAuthorizedPrincipalsFile,
2319 o->authorized_principals_file);
2320 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2321 ? "none" : o->version_addendum);
2322 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2323 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2324 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2325 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2326 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2327 dump_cfg_string(sKexAlgorithms,
2328 o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
2329 dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2330 o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
2331 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
2332 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2333 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2334 o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2336 /* string arguments requiring a lookup */
2337 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2338 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2340 /* string array arguments */
2341 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2342 o->authorized_keys_files);
2343 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2345 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
2346 o->host_cert_files);
2347 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2348 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2349 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2350 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2351 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2352 dump_cfg_strarray_oneline(sAuthenticationMethods,
2353 o->num_auth_methods, o->auth_methods);
2355 /* other arguments */
2356 for (i = 0; i < o->num_subsystems; i++)
2357 printf("subsystem %s %s\n", o->subsystem_name[i],
2358 o->subsystem_args[i]);
2360 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2361 o->max_startups_rate, o->max_startups);
2363 for (i = 0; tunmode_desc[i].val != -1; i++)
2364 if (tunmode_desc[i].val == o->permit_tun) {
2365 s = tunmode_desc[i].text;
2368 dump_cfg_string(sPermitTunnel, s);
2370 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2371 printf("%s\n", iptos2str(o->ip_qos_bulk));
2373 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
2376 channel_print_adm_permitted_opens();