1 /* $OpenBSD: readconf.c,v 1.204 2013/06/10 19:19:44 dtucker Exp $ */
4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * Functions for reading the configuration files.
9 * As far as I am concerned, the code I have written for this software
10 * can be used freely for any purpose. Any derived versions of this
11 * software must be clearly marked as such, and if the derived work is
12 * incompatible with the protocol description in the RFC file, it must be
13 * called by a name other than "ssh" or "Secure Shell".
19 #include <sys/types.h>
21 #include <sys/socket.h>
22 #include <sys/sysctl.h>
24 #include <netinet/in.h>
25 #include <netinet/in_systm.h>
26 #include <netinet/ip.h>
44 #include "pathnames.h"
55 /* Format of the configuration file:
57 # Configuration data is parsed as follows:
58 # 1. command line options
59 # 2. user-specific file
61 # Any configuration value is only changed the first time it is set.
62 # Thus, host-specific definitions should be at the beginning of the
63 # configuration file, and defaults at the end.
65 # Host-specific declarations. These may override anything above. A single
66 # host may match multiple declarations; these are processed in the order
67 # that they are given in.
73 HostName another.host.name.real.org
80 RemoteForward 9999 shadows.cs.hut.fi:9999
86 PasswordAuthentication no
90 ProxyCommand ssh-proxy %h %p
93 PublicKeyAuthentication no
97 PasswordAuthentication no
103 # Defaults for various options
107 PasswordAuthentication yes
108 RSAAuthentication yes
109 RhostsRSAAuthentication yes
110 StrictHostKeyChecking yes
112 IdentityFile ~/.ssh/identity
118 /* Keyword tokens. */
/*
 * Opcode for every client configuration keyword.  The values are only used
 * as switch labels in process_config_line(), so their numeric order does
 * not matter.  The trailing sentinels have special meaning there:
 * oIgnoredUnknownOption (a keyword matched by IgnoreUnknown),
 * oDeprecated (accepted, logged at debug level, no effect) and
 * oUnsupported (a feature compiled out of this build; logged as an error).
 */
122 oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
123 oGatewayPorts, oExitOnForwardFailure,
124 oPasswordAuthentication, oRSAAuthentication,
125 oChallengeResponseAuthentication, oXAuthLocation,
126 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
127 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
128 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
129 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
130 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
131 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
132 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
133 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
134 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
135 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
136 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
137 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
138 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
139 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
140 oSendEnv, oControlPath, oControlMaster, oControlPersist,
142 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
143 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
144 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
145 oIgnoredUnknownOption,
/* HPN (high performance networking) patch set additions. */
146 oHPNDisabled, oHPNBufferSize, oTcpRcvBufPoll, oTcpRcvBuf,
/*
 * The "none" cipher opcodes only exist in builds with NONE_CIPHER_ENABLED;
 * NOTE(review): the matching #endif is not visible on this page, it is
 * expected to sit just before oVersionAddendum.
 */
147 #ifdef NONE_CIPHER_ENABLED
148 oNoneEnabled, oNoneSwitch,
150 oVersionAddendum, oDeprecated, oUnsupported
153 /* Textual representations of the tokens. */
/*
 * Keyword text -> opcode.  parse_token() compares the lowercased keyword
 * against these names with strcmp() and returns the first hit, so every
 * name here must be all-lowercase and the table order only matters where
 * a name appears twice.  Several names appear twice on this page because
 * they are the two arms of a compile-time #ifdef/#else (GSSAPI, PKCS#11,
 * J-PAKE, NONE cipher); exactly one arm is compiled.  NOTE(review): the
 * conditional directives themselves are not shown on this page.
 */
159 { "forwardagent", oForwardAgent },
160 { "forwardx11", oForwardX11 },
161 { "forwardx11trusted", oForwardX11Trusted },
162 { "forwardx11timeout", oForwardX11Timeout },
163 { "exitonforwardfailure", oExitOnForwardFailure },
164 { "xauthlocation", oXAuthLocation },
165 { "gatewayports", oGatewayPorts },
166 { "useprivilegedport", oUsePrivilegedPort },
/* Removed protocol-1 rhosts auth: still parsed so old configs load, no effect. */
167 { "rhostsauthentication", oDeprecated },
168 { "passwordauthentication", oPasswordAuthentication },
169 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
170 { "kbdinteractivedevices", oKbdInteractiveDevices },
171 { "rsaauthentication", oRSAAuthentication },
172 { "pubkeyauthentication", oPubkeyAuthentication },
173 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
174 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
175 { "hostbasedauthentication", oHostbasedAuthentication },
176 { "challengeresponseauthentication", oChallengeResponseAuthentication },
177 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
178 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
/*
 * Authentication methods this build does not support stay in the table as
 * oUnsupported so a config relying on them produces a clear error rather
 * than being mistaken for a typo.
 */
179 { "kerberosauthentication", oUnsupported },
180 { "kerberostgtpassing", oUnsupported },
181 { "afstokenpassing", oUnsupported },
/* GSSAPI: first pair is the with-GSSAPI arm, second pair the without arm. */
183 { "gssapiauthentication", oGssAuthentication },
184 { "gssapidelegatecredentials", oGssDelegateCreds },
186 { "gssapiauthentication", oUnsupported },
187 { "gssapidelegatecredentials", oUnsupported },
189 { "fallbacktorsh", oDeprecated },
190 { "usersh", oDeprecated },
191 { "identityfile", oIdentityFile },
192 { "identityfile2", oIdentityFile }, /* obsolete */
193 { "identitiesonly", oIdentitiesOnly },
194 { "hostname", oHostName },
195 { "hostkeyalias", oHostKeyAlias },
/* ProxyCommand takes the remainder of the line verbatim (see process_config_line). */
196 { "proxycommand", oProxyCommand },
198 { "cipher", oCipher },
199 { "ciphers", oCiphers },
201 { "protocol", oProtocol },
202 { "remoteforward", oRemoteForward },
203 { "localforward", oLocalForward },
206 { "escapechar", oEscapeChar },
207 { "globalknownhostsfile", oGlobalKnownHostsFile },
/* The "*2" known-hosts keywords are folded into the list forms above. */
208 { "globalknownhostsfile2", oDeprecated },
209 { "userknownhostsfile", oUserKnownHostsFile },
210 { "userknownhostsfile2", oDeprecated },
211 { "connectionattempts", oConnectionAttempts },
212 { "batchmode", oBatchMode },
213 { "checkhostip", oCheckHostIP },
214 { "stricthostkeychecking", oStrictHostKeyChecking },
215 { "compression", oCompression },
216 { "compressionlevel", oCompressionLevel },
217 { "tcpkeepalive", oTCPKeepAlive },
218 { "keepalive", oTCPKeepAlive }, /* obsolete */
219 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
220 { "loglevel", oLogLevel },
221 { "dynamicforward", oDynamicForward },
222 { "preferredauthentications", oPreferredAuthentications },
223 { "hostkeyalgorithms", oHostKeyAlgorithms },
224 { "bindaddress", oBindAddress },
/* PKCS#11: first pair with provider support, second pair without. */
226 { "smartcarddevice", oPKCS11Provider },
227 { "pkcs11provider", oPKCS11Provider },
229 { "smartcarddevice", oUnsupported },
230 { "pkcs11provider", oUnsupported },
232 { "clearallforwardings", oClearAllForwardings },
233 { "enablesshkeysign", oEnableSSHKeysign },
234 { "verifyhostkeydns", oVerifyHostKeyDNS },
235 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
236 { "rekeylimit", oRekeyLimit },
237 { "connecttimeout", oConnectTimeout },
238 { "addressfamily", oAddressFamily },
239 { "serveraliveinterval", oServerAliveInterval },
240 { "serveralivecountmax", oServerAliveCountMax },
241 { "sendenv", oSendEnv },
242 { "controlpath", oControlPath },
243 { "controlmaster", oControlMaster },
244 { "controlpersist", oControlPersist },
245 { "hashknownhosts", oHashKnownHosts },
246 { "tunnel", oTunnel },
247 { "tunneldevice", oTunnelDevice },
248 { "localcommand", oLocalCommand },
249 { "permitlocalcommand", oPermitLocalCommand },
250 { "visualhostkey", oVisualHostKey },
251 { "useroaming", oUseRoaming },
/* J-PAKE: first entry with support, second without. */
253 { "zeroknowledgepasswordauthentication",
254 oZeroKnowledgePasswordAuthentication },
256 { "zeroknowledgepasswordauthentication", oUnsupported },
258 { "kexalgorithms", oKexAlgorithms },
260 { "requesttty", oRequestTTY },
261 { "ignoreunknown", oIgnoreUnknown },
/* HPN patch set keywords. */
262 { "hpndisabled", oHPNDisabled },
263 { "hpnbuffersize", oHPNBufferSize },
264 { "tcprcvbufpoll", oTcpRcvBufPoll },
265 { "tcprcvbuf", oTcpRcvBuf },
/* NONE cipher keywords exist only when NONE_CIPHER_ENABLED (see enum above). */
266 #ifdef NONE_CIPHER_ENABLED
267 { "noneenabled", oNoneEnabled },
268 { "noneswitch", oNoneSwitch },
270 { "versionaddendum", oVersionAddendum },
276 * Adds a local TCP/IP port forward to options. Never returns if there is an
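/*
 * Append a local (-L / -D) port forward to options->local_forwards.
 *
 * newfwd's listen_host and connect_host pointers are taken over, not
 * copied; they are released by clear_forwardings().
 *
 * Unless NO_IPPORT_RESERVED_CONCEPT is defined, a listen port in the
 * privileged range is refused unless the invoking user is root.  The
 * check deliberately uses the *real* uid saved at startup
 * (original_real_uid), since ssh may run with elevated effective
 * privileges.  On FreeBSD the top of that range is read from
 * net.inet.ip.portrange.reservedhigh, which names the highest port that
 * is still reserved (inclusive); it is converted to the exclusive bound
 * used by the comparison below, falling back to IPPORT_RESERVED when the
 * sysctl is unavailable or returns a negative value (a bogus value must
 * not fail open).
 *
 * Never returns on a refused port (fatal) or allocation failure
 * (xrealloc aborts).
 */
void
add_local_forward(Options *options, const Forward *newfwd)
{
	Forward *fwd;
#ifndef NO_IPPORT_RESERVED_CONCEPT
	extern uid_t original_real_uid;
	int ipport_reserved;	/* first port that is NOT privileged */
#ifdef __FreeBSD__
	size_t len_ipport_reserved = sizeof(ipport_reserved);

	if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
	    &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0 ||
	    ipport_reserved < 0)
		ipport_reserved = IPPORT_RESERVED;
	else
		ipport_reserved++;	/* reservedhigh is inclusive */
#else
	ipport_reserved = IPPORT_RESERVED;
#endif
	if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
		fatal("Privileged ports can only be forwarded by root.");
#endif

	options->local_forwards = xrealloc(options->local_forwards,
	    options->num_local_forwards + 1,
	    sizeof(*options->local_forwards));
	fwd = &options->local_forwards[options->num_local_forwards++];

	fwd->listen_host = newfwd->listen_host;
	fwd->listen_port = newfwd->listen_port;
	fwd->connect_host = newfwd->connect_host;
	fwd->connect_port = newfwd->connect_port;
	/*
	 * Mirror add_remote_forward() so the freshly xrealloc'd slot does not
	 * keep stale bytes in the fields this function does not otherwise
	 * need.
	 */
	fwd->handle = newfwd->handle;
	fwd->allocated_port = 0;
}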
313 * Adds a remote TCP/IP port forward to options. Never returns if there is
/*
 * Append a remote (-R) port forward to options->remote_forwards.
 *
 * The host strings are taken over from newfwd by pointer rather than
 * duplicated; clear_forwardings() frees them, so the caller must not.
 * The parsed handle is carried across unchanged, while allocated_port
 * starts at 0 (presumably filled in later by whoever learns the port the
 * server actually bound -- not visible in this file).  Never returns on
 * allocation failure because xrealloc aborts.
 */
void
add_remote_forward(Options *options, const Forward *newfwd)
{
	Forward *slot;

	options->remote_forwards = xrealloc(options->remote_forwards,
	    options->num_remote_forwards + 1,
	    sizeof(*options->remote_forwards));
	slot = &options->remote_forwards[options->num_remote_forwards];
	options->num_remote_forwards++;

	slot->listen_host = newfwd->listen_host;
	slot->listen_port = newfwd->listen_port;
	slot->connect_host = newfwd->connect_host;
	slot->connect_port = newfwd->connect_port;
	slot->handle = newfwd->handle;
	slot->allocated_port = 0;
}
/*
 * Drop every local and remote port forward recorded so far and disable
 * tunnelling.  Frees the host strings that add_local_forward() /
 * add_remote_forward() took ownership of, then the arrays themselves,
 * and resets the counters so the option blocks can be re-populated.
 * Used to implement ClearAllForwardings.
 */
void
clear_forwardings(Options *options)
{
	Forward *fwd;
	int i;

	for (i = 0; i < options->num_local_forwards; i++) {
		fwd = &options->local_forwards[i];
		free(fwd->listen_host);
		free(fwd->connect_host);
	}
	if (options->num_local_forwards > 0) {
		free(options->local_forwards);
		options->local_forwards = NULL;
	}
	options->num_local_forwards = 0;

	for (i = 0; i < options->num_remote_forwards; i++) {
		fwd = &options->remote_forwards[i];
		free(fwd->listen_host);
		free(fwd->connect_host);
	}
	if (options->num_remote_forwards > 0) {
		free(options->remote_forwards);
		options->remote_forwards = NULL;
	}
	options->num_remote_forwards = 0;

	options->tun_open = SSH_TUNMODE_NO;
}
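/*
 * Record an identity (private key) file for later loading.
 *
 * dir:          optional prefix, concatenated verbatim with filename --
 *               no separator is inserted, the caller supplies it.
 * filename:     used as-is when dir is NULL (the name is absolute then).
 * userprovided: stored next to the path in identity_file_userprovided so
 *               later code can tell an explicit IdentityFile from a
 *               built-in default.
 *
 * The path is heap allocated and owned by options.  Never returns when
 * SSH_MAX_IDENTITY_FILES entries already exist (fatal).
 *
 * The path used to be built with "%.100s%.100s", which silently cut each
 * component at 100 bytes, so a long IdentityFile value could end up
 * naming a different (usually non-existent) file without any diagnostic.
 * Both components are now used in full.
 */
void
add_identity_file(Options *options, const char *dir, const char *filename,
    int userprovided)
{
	char *path;
	int n = options->num_identity_files;

	if (n >= SSH_MAX_IDENTITY_FILES)
		fatal("Too many identity files specified (max %d)",
		    SSH_MAX_IDENTITY_FILES);

	if (dir == NULL) /* no dir, filename is absolute */
		path = xstrdup(filename);
	else
		(void)xasprintf(&path, "%s%s", dir, filename);

	options->identity_file_userprovided[n] = userprovided;
	options->identity_files[n] = path;
	options->num_identity_files = n + 1;
}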
382 * Returns the number of the token pointed to by cp or oBadOption.
/*
 * Map an (already lowercased) keyword to its opcode.
 *
 * The keywords[] table is scanned in order and the first exact match is
 * returned, which relies on the table ending in a NULL-named sentinel.
 * A keyword that is not in the table but matches the IgnoreUnknown
 * pattern list (ignored_unknown, may be NULL) yields
 * oIgnoredUnknownOption; anything else is logged with filename/linenum
 * and reported as oBadOption.  The return is one of the keyword-token
 * enumerators.
 */
static int
parse_token(const char *cp, const char *filename, int linenum,
    const char *ignored_unknown)
{
	u_int i;

	for (i = 0; keywords[i].name != NULL; i++) {
		if (strcmp(keywords[i].name, cp) == 0)
			return keywords[i].opcode;
	}

	if (ignored_unknown != NULL) {
		if (match_pattern_list(cp, ignored_unknown,
		    strlen(ignored_unknown), 1) == 1)
			return oIgnoredUnknownOption;
	}

	error("%s: line %d: Bad configuration option: %s",
	    filename, linenum, cp);
	return oBadOption;
}
403 * Processes a single option line as used in the configuration files. This
404 * only sets those values that have not already been set.
406 #define WHITESPACE " \t\r\n"
/*
 * Parse one configuration line and apply it to options.
 *
 * options:  destination; a field is only assigned when it still holds its
 *           "unset" sentinel (-1 / NULL / 0 count), so the first source to
 *           set an option wins (command line, then user file, then system
 *           file).
 * host:     host name the "Host" patterns are matched against.
 * line:     modified in place (trailing whitespace stripped, keyword
 *           lowercased, tokenised by strdelim).
 * filename, linenum: for diagnostics only.
 * activep:  in/out flag saying whether the current Host block applies;
 *           flipped by Host lines, consulted before every assignment.
 * userconfig: forwarded to add_identity_file() as its userprovided flag.
 *
 * Returns non-zero for an unrecognised keyword (the caller counts these
 * and aborts after the file), 0 otherwise.  Most malformed arguments are
 * fatal immediately.
 */
409 process_config_line(Options *options, const char *host,
410 char *line, const char *filename, int linenum,
411 int *activep, int userconfig)
413 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
414 char **cpptr, fwdarg[256];
415 u_int i, *uintptr, max_entries = 0;
416 int negated, opcode, *intptr, value, value2;
417 LogLevel *log_level_ptr;
422 /* Strip trailing whitespace */
/*
 * NOTE(review): strlen(line) - 1 wraps to SIZE_MAX when line is empty
 * (len looks like a size_t, cf. the strspn() assignment below), and
 * line[len] is then read out of bounds.  fgets() never yields "" but the
 * command-line (-o) path can.  Guard with
 * `if ((len = strlen(line)) == 0) return 0;` before the loop.
 */
423 for (len = strlen(line) - 1; len > 0; len--) {
424 if (strchr(WHITESPACE, line[len]) == NULL)
430 /* Get the keyword. (Each line is supposed to begin with a keyword). */
431 if ((keyword = strdelim(&s)) == NULL)
433 /* Ignore leading whitespace. */
434 if (*keyword == '\0')
435 keyword = strdelim(&s);
/* Blank lines and '#' comments are accepted and ignored. */
436 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
438 /* Match lowercase keyword */
/*
 * NOTE(review): tolower() on a plain char is undefined for negative
 * values (non-ASCII bytes with a signed char); cast via (u_char).
 */
439 for (i = 0; i < strlen(keyword); i++)
440 keyword[i] = tolower(keyword[i]);
442 opcode = parse_token(keyword, filename, linenum,
443 options->ignored_unknown);
/* oBadOption: reported by parse_token() already, just signal the caller. */
447 /* don't panic, but count bad options */
450 case oIgnoredUnknownOption:
451 debug("%s line %d: Ignored unknown option \"%s\"",
452 filename, linenum, keyword);
/*
 * The cases below share one shape: point intptr/charptr at the target
 * field, validate the argument (missing/invalid arguments are fatal),
 * then assign only if *activep and the field is still unset.
 */
454 case oConnectTimeout:
455 intptr = &options->connection_timeout;
458 if (!arg || *arg == '\0')
459 fatal("%s line %d: missing time value.",
461 if ((value = convtime(arg)) == -1)
462 fatal("%s line %d: invalid time value.",
464 if (*activep && *intptr == -1)
/* Generic yes/no (true/false) flag parser; many cases jump here. */
469 intptr = &options->forward_agent;
472 if (!arg || *arg == '\0')
473 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
474 value = 0; /* To avoid compiler warning... */
475 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
477 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
480 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
481 if (*activep && *intptr == -1)
486 intptr = &options->forward_x11;
489 case oForwardX11Trusted:
490 intptr = &options->forward_x11_trusted;
493 case oForwardX11Timeout:
494 intptr = &options->forward_x11_timeout;
498 intptr = &options->gateway_ports;
501 case oExitOnForwardFailure:
502 intptr = &options->exit_on_forward_failure;
505 case oUsePrivilegedPort:
506 intptr = &options->use_privileged_port;
509 case oPasswordAuthentication:
510 intptr = &options->password_authentication;
513 case oZeroKnowledgePasswordAuthentication:
514 intptr = &options->zero_knowledge_password_authentication;
517 case oKbdInteractiveAuthentication:
518 intptr = &options->kbd_interactive_authentication;
521 case oKbdInteractiveDevices:
522 charptr = &options->kbd_interactive_devices;
525 case oPubkeyAuthentication:
526 intptr = &options->pubkey_authentication;
529 case oRSAAuthentication:
530 intptr = &options->rsa_authentication;
533 case oRhostsRSAAuthentication:
534 intptr = &options->rhosts_rsa_authentication;
537 case oHostbasedAuthentication:
538 intptr = &options->hostbased_authentication;
541 case oChallengeResponseAuthentication:
542 intptr = &options->challenge_response_authentication;
545 case oGssAuthentication:
546 intptr = &options->gss_authentication;
549 case oGssDelegateCreds:
550 intptr = &options->gss_deleg_creds;
554 intptr = &options->batch_mode;
558 intptr = &options->check_host_ip;
561 case oVerifyHostKeyDNS:
562 intptr = &options->verify_host_key_dns;
/* Three-state flag: "ask" is a distinct value from yes/no. */
565 case oStrictHostKeyChecking:
566 intptr = &options->strict_host_key_checking;
569 if (!arg || *arg == '\0')
570 fatal("%.200s line %d: Missing yes/no/ask argument.",
572 value = 0; /* To avoid compiler warning... */
573 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
575 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
577 else if (strcmp(arg, "ask") == 0)
580 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
581 if (*activep && *intptr == -1)
586 intptr = &options->compression;
590 intptr = &options->tcp_keep_alive;
593 case oNoHostAuthenticationForLocalhost:
594 intptr = &options->no_host_authentication_for_localhost;
597 case oNumberOfPasswordPrompts:
598 intptr = &options->number_of_password_prompts;
601 case oCompressionLevel:
602 intptr = &options->compression_level;
/*
 * RekeyLimit: "default" or a scaled byte count (scan_scaled accepts K/M/G
 * suffixes) that must fit in 32 bits and, unless 0, be at least 16; an
 * optional second word is the rekey interval.
 */
607 if (!arg || *arg == '\0')
608 fatal("%.200s line %d: Missing argument.", filename,
610 if (strcmp(arg, "default") == 0) {
613 if (scan_scaled(arg, &val64) == -1)
614 fatal("%.200s line %d: Bad number '%s': %s",
615 filename, linenum, arg, strerror(errno));
616 /* check for too-large or too-small limits */
617 if (val64 > UINT_MAX)
618 fatal("%.200s line %d: RekeyLimit too large",
620 if (val64 != 0 && val64 < 16)
621 fatal("%.200s line %d: RekeyLimit too small",
624 if (*activep && options->rekey_limit == -1)
625 options->rekey_limit = (u_int32_t)val64;
626 if (s != NULL) { /* optional rekey interval present */
627 if (strcmp(s, "none") == 0) {
628 (void)strdelim(&s); /* discard */
631 intptr = &options->rekey_interval;
/* IdentityFile: appended (not first-wins) up to SSH_MAX_IDENTITY_FILES. */
638 if (!arg || *arg == '\0')
639 fatal("%.200s line %d: Missing argument.", filename, linenum);
641 intptr = &options->num_identity_files;
642 if (*intptr >= SSH_MAX_IDENTITY_FILES)
643 fatal("%.200s line %d: Too many identity files specified (max %d).",
644 filename, linenum, SSH_MAX_IDENTITY_FILES);
645 add_identity_file(options, NULL, arg, userconfig);
650 charptr=&options->xauth_location;
/* Generic single-string option: duplicated once, first setting wins. */
654 charptr = &options->user;
657 if (!arg || *arg == '\0')
658 fatal("%.200s line %d: Missing argument.",
660 if (*activep && *charptr == NULL)
661 *charptr = xstrdup(arg);
/*
 * Known-hosts file lists: the whole list is taken from the first active
 * occurrence (count still 0), bounded by SSH_MAX_HOSTS_FILES.
 * NOTE(review): the error text says "authorized keys files" although
 * these are known_hosts files -- wording copied from sshd.
 */
664 case oGlobalKnownHostsFile:
665 cpptr = (char **)&options->system_hostfiles;
666 uintptr = &options->num_system_hostfiles;
667 max_entries = SSH_MAX_HOSTS_FILES;
669 if (*activep && *uintptr == 0) {
670 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
671 if ((*uintptr) >= max_entries)
673 "too many authorized keys files.",
675 cpptr[(*uintptr)++] = xstrdup(arg);
680 case oUserKnownHostsFile:
681 cpptr = (char **)&options->user_hostfiles;
682 uintptr = &options->num_user_hostfiles;
683 max_entries = SSH_MAX_HOSTS_FILES;
684 goto parse_char_array;
687 charptr = &options->hostname;
691 charptr = &options->host_key_alias;
694 case oPreferredAuthentications:
695 charptr = &options->preferred_authentications;
699 charptr = &options->bind_address;
702 case oPKCS11Provider:
703 charptr = &options->pkcs11_provider;
/*
 * ProxyCommand keeps the rest of the line verbatim (only leading blanks
 * and '=' are skipped), since it is a shell command line.  This is what
 * makes a writable config file equivalent to code execution, hence the
 * ownership/permission check in read_config_file().
 */
707 charptr = &options->proxy_command;
710 fatal("%.200s line %d: Missing argument.", filename, linenum);
711 len = strspn(s, WHITESPACE "=");
712 if (*activep && *charptr == NULL)
713 *charptr = xstrdup(s + len);
/*
 * Port: strtol with base 0, so octal ("022") and hex ("0x16") are
 * accepted.  NOTE(review): no range check (1..65535, or strtol overflow)
 * is visible on this page; an out-of-range value would be stored as-is.
 */
717 intptr = &options->port;
720 if (!arg || *arg == '\0')
721 fatal("%.200s line %d: Missing argument.", filename, linenum);
722 if (arg[0] < '0' || arg[0] > '9')
723 fatal("%.200s line %d: Bad number.", filename, linenum);
725 /* Octal, decimal, or hex format? */
726 value = strtol(arg, &endofnumber, 0);
727 if (arg == endofnumber)
728 fatal("%.200s line %d: Bad number.", filename, linenum);
729 if (*activep && *intptr == -1)
733 case oConnectionAttempts:
734 intptr = &options->connection_attempts;
/* Protocol-1 single cipher name. */
738 intptr = &options->cipher;
740 if (!arg || *arg == '\0')
741 fatal("%.200s line %d: Missing argument.", filename, linenum);
742 value = cipher_number(arg);
744 fatal("%.200s line %d: Bad cipher '%s'.",
745 filename, linenum, arg ? arg : "<NONE>");
746 if (*activep && *intptr == -1)
/* Protocol-2 algorithm lists are validated but stored as raw strings. */
752 if (!arg || *arg == '\0')
753 fatal("%.200s line %d: Missing argument.", filename, linenum);
754 if (!ciphers_valid(arg))
755 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
756 filename, linenum, arg ? arg : "<NONE>");
757 if (*activep && options->ciphers == NULL)
758 options->ciphers = xstrdup(arg);
763 if (!arg || *arg == '\0')
764 fatal("%.200s line %d: Missing argument.", filename, linenum);
766 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
767 filename, linenum, arg ? arg : "<NONE>");
768 if (*activep && options->macs == NULL)
769 options->macs = xstrdup(arg);
774 if (!arg || *arg == '\0')
775 fatal("%.200s line %d: Missing argument.",
777 if (!kex_names_valid(arg))
778 fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
779 filename, linenum, arg ? arg : "<NONE>");
780 if (*activep && options->kex_algorithms == NULL)
781 options->kex_algorithms = xstrdup(arg);
784 case oHostKeyAlgorithms:
786 if (!arg || *arg == '\0')
787 fatal("%.200s line %d: Missing argument.", filename, linenum);
788 if (!key_names_valid2(arg))
789 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
790 filename, linenum, arg ? arg : "<NONE>");
791 if (*activep && options->hostkeyalgorithms == NULL)
792 options->hostkeyalgorithms = xstrdup(arg);
796 intptr = &options->protocol;
798 if (!arg || *arg == '\0')
799 fatal("%.200s line %d: Missing argument.", filename, linenum);
800 value = proto_spec(arg);
801 if (value == SSH_PROTO_UNKNOWN)
802 fatal("%.200s line %d: Bad protocol spec '%s'.",
803 filename, linenum, arg ? arg : "<NONE>");
804 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
809 log_level_ptr = &options->log_level;
811 value = log_level_number(arg);
812 if (value == SYSLOG_LEVEL_NOT_SET)
813 fatal("%.200s line %d: unsupported log level '%s'",
814 filename, linenum, arg ? arg : "<NONE>");
815 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
816 *log_level_ptr = (LogLevel) value;
/*
 * Local/Remote/DynamicForward: the two words are re-joined into fwdarg
 * (256 bytes) for parse_forward().  NOTE(review): snprintf/strlcpy
 * truncate silently, so an over-long spec reaches parse_forward()
 * shortened; checking the snprintf return value against sizeof(fwdarg)
 * would turn that into a clear error.
 */
821 case oDynamicForward:
823 if (arg == NULL || *arg == '\0')
824 fatal("%.200s line %d: Missing port argument.",
827 if (opcode == oLocalForward ||
828 opcode == oRemoteForward) {
830 if (arg2 == NULL || *arg2 == '\0')
831 fatal("%.200s line %d: Missing target argument.",
834 /* construct a string for parse_forward */
835 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
836 } else if (opcode == oDynamicForward) {
837 strlcpy(fwdarg, arg, sizeof(fwdarg));
840 if (parse_forward(&fwd, fwdarg,
841 opcode == oDynamicForward ? 1 : 0,
842 opcode == oRemoteForward ? 1 : 0) == 0)
843 fatal("%.200s line %d: Bad forwarding specification.",
/* DynamicForward is a local listener, so it shares the local list. */
847 if (opcode == oLocalForward ||
848 opcode == oDynamicForward)
849 add_local_forward(options, &fwd);
850 else if (opcode == oRemoteForward)
851 add_remote_forward(options, &fwd);
855 case oClearAllForwardings:
856 intptr = &options->clear_forwardings;
/*
 * Host: each pattern is matched against host; a leading '!' negates.  A
 * negated match disables the whole block, otherwise any positive match
 * enables it.  The loop consumes the line, so the trailing garbage check
 * is skipped for this case.
 */
862 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
863 negated = *arg == '!';
866 if (match_pattern(host, arg)) {
868 debug("%.200s line %d: Skipping Host "
869 "block because of negated match "
870 "for %.100s", filename, linenum,
876 arg2 = arg; /* logged below */
881 debug("%.200s line %d: Applying options for %.100s",
882 filename, linenum, arg2);
883 /* Avoid garbage check below, as strdelim is done. */
/* EscapeChar: "^X" control notation, a single character, or "none". */
887 intptr = &options->escape_char;
889 if (!arg || *arg == '\0')
890 fatal("%.200s line %d: Missing argument.", filename, linenum);
891 if (arg[0] == '^' && arg[2] == 0 &&
892 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
893 value = (u_char) arg[1] & 31;
894 else if (strlen(arg) == 1)
895 value = (u_char) arg[0];
896 else if (strcmp(arg, "none") == 0)
897 value = SSH_ESCAPECHAR_NONE;
899 fatal("%.200s line %d: Bad escape character.",
902 value = 0; /* Avoid compiler warning. */
904 if (*activep && *intptr == -1)
910 if (!arg || *arg == '\0')
911 fatal("%s line %d: missing address family.",
913 intptr = &options->address_family;
914 if (strcasecmp(arg, "inet") == 0)
916 else if (strcasecmp(arg, "inet6") == 0)
918 else if (strcasecmp(arg, "any") == 0)
921 fatal("Unsupported AddressFamily \"%s\"", arg);
922 if (*activep && *intptr == -1)
926 case oEnableSSHKeysign:
927 intptr = &options->enable_ssh_keysign;
930 case oIdentitiesOnly:
931 intptr = &options->identities_only;
934 case oServerAliveInterval:
935 intptr = &options->server_alive_interval;
938 case oServerAliveCountMax:
939 intptr = &options->server_alive_count_max;
/*
 * SendEnv: accumulates variable-name patterns (appended, not first-wins)
 * up to MAX_SEND_ENV; a name containing '=' is rejected so a value cannot
 * be smuggled in.
 */
943 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
944 if (strchr(arg, '=') != NULL)
945 fatal("%s line %d: Invalid environment name.",
949 if (options->num_send_env >= MAX_SEND_ENV)
950 fatal("%s line %d: too many send env.",
952 options->send_env[options->num_send_env++] =
958 charptr = &options->control_path;
962 intptr = &options->control_master;
964 if (!arg || *arg == '\0')
965 fatal("%.200s line %d: Missing ControlMaster argument.",
967 value = 0; /* To avoid compiler warning... */
968 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
969 value = SSHCTL_MASTER_YES;
970 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
971 value = SSHCTL_MASTER_NO;
972 else if (strcmp(arg, "auto") == 0)
973 value = SSHCTL_MASTER_AUTO;
974 else if (strcmp(arg, "ask") == 0)
975 value = SSHCTL_MASTER_ASK;
976 else if (strcmp(arg, "autoask") == 0)
977 value = SSHCTL_MASTER_AUTO_ASK;
979 fatal("%.200s line %d: Bad ControlMaster argument.",
981 if (*activep && *intptr == -1)
985 case oControlPersist:
986 /* no/false/yes/true, or a time spec */
987 intptr = &options->control_persist;
989 if (!arg || *arg == '\0')
990 fatal("%.200s line %d: Missing ControlPersist"
991 " argument.", filename, linenum);
993 value2 = 0; /* timeout */
994 if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
996 else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
998 else if ((value2 = convtime(arg)) >= 0)
1001 fatal("%.200s line %d: Bad ControlPersist argument.",
/* Both the flag and the timeout are set together, first-wins on the flag. */
1003 if (*activep && *intptr == -1) {
1005 options->control_persist_timeout = value2;
1009 case oHashKnownHosts:
1010 intptr = &options->hash_known_hosts;
/* Tunnel: mode keyword, compared case-insensitively. */
1014 intptr = &options->tun_open;
1016 if (!arg || *arg == '\0')
1017 fatal("%s line %d: Missing yes/point-to-point/"
1018 "ethernet/no argument.", filename, linenum);
1019 value = 0; /* silence compiler */
1020 if (strcasecmp(arg, "ethernet") == 0)
1021 value = SSH_TUNMODE_ETHERNET;
1022 else if (strcasecmp(arg, "point-to-point") == 0)
1023 value = SSH_TUNMODE_POINTOPOINT;
1024 else if (strcasecmp(arg, "yes") == 0)
1025 value = SSH_TUNMODE_DEFAULT;
1026 else if (strcasecmp(arg, "no") == 0)
1027 value = SSH_TUNMODE_NO;
1029 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1030 "no argument: %s", filename, linenum, arg);
/* TunnelDevice: "local[:remote]" parsed by a2tun into two unit numbers. */
1037 if (!arg || *arg == '\0')
1038 fatal("%.200s line %d: Missing argument.", filename, linenum);
1039 value = a2tun(arg, &value2);
1040 if (value == SSH_TUNID_ERR)
1041 fatal("%.200s line %d: Bad tun device.", filename, linenum);
1043 options->tun_local = value;
1044 options->tun_remote = value2;
1049 charptr = &options->local_command;
1052 case oPermitLocalCommand:
1053 intptr = &options->permit_local_command;
1056 case oVisualHostKey:
1057 intptr = &options->visual_host_key;
/* IPQoS: one value for both classes, or "interactive bulk". */
1062 if ((value = parse_ipqos(arg)) == -1)
1063 fatal("%s line %d: Bad IPQoS value: %s",
1064 filename, linenum, arg);
1068 else if ((value2 = parse_ipqos(arg)) == -1)
1069 fatal("%s line %d: Bad IPQoS value: %s",
1070 filename, linenum, arg);
1072 options->ip_qos_interactive = value;
1073 options->ip_qos_bulk = value2;
1078 intptr = &options->use_roaming;
1083 if (!arg || *arg == '\0')
1084 fatal("%s line %d: missing argument.",
1086 intptr = &options->request_tty;
1087 if (strcasecmp(arg, "yes") == 0)
1088 value = REQUEST_TTY_YES;
1089 else if (strcasecmp(arg, "no") == 0)
1090 value = REQUEST_TTY_NO;
1091 else if (strcasecmp(arg, "force") == 0)
1092 value = REQUEST_TTY_FORCE;
1093 else if (strcasecmp(arg, "auto") == 0)
1094 value = REQUEST_TTY_AUTO;
1096 fatal("Unsupported RequestTTY \"%s\"", arg);
1097 if (*activep && *intptr == -1)
/* HPN patch options. */
1102 intptr = &options->hpn_disabled;
1105 case oHPNBufferSize:
1106 intptr = &options->hpn_buffer_size;
1109 case oTcpRcvBufPoll:
1110 intptr = &options->tcp_rcv_buf_poll;
1114 intptr = &options->tcp_rcv_buf;
/*
 * NONE cipher (no encryption after authentication).  NoneSwitch is only
 * honoured when the line came from the command line, identified purely by
 * the caller passing the literal filename "command-line"; from a file it
 * is rejected with an error but parsing continues.  NOTE(review): this is
 * a guard against accidental persistent configuration, not a security
 * boundary -- a user who can pass options can equally write a file named
 * "command-line" and point -F at it.
 */
1117 #ifdef NONE_CIPHER_ENABLED
1119 intptr = &options->none_enabled;
1123 * We check to see if the command comes from the command line or not.
1124 * If it does then enable it otherwise fail. NONE must never be a
1125 * default configuration.
1128 if (strcmp(filename,"command-line") == 0) {
1129 intptr = &options->none_switch;
1132 debug("NoneSwitch directive found in %.200s.",
1134 error("NoneSwitch is found in %.200s.\n"
1135 "You may only use this configuration option "
1136 "from the command line", filename);
1137 error("Continuing...");
/*
 * VersionAddendum: rest of line, "none" clears it; a CR is refused because
 * the string is sent on the wire as part of the version line.
 */
1142 case oVersionAddendum:
1144 fatal("%.200s line %d: Missing argument.", filename,
1146 len = strspn(s, WHITESPACE);
1147 if (*activep && options->version_addendum == NULL) {
1148 if (strcasecmp(s + len, "none") == 0)
1149 options->version_addendum = xstrdup("");
1150 else if (strchr(s + len, '\r') != NULL)
1151 fatal("%.200s line %d: Invalid argument",
1154 options->version_addendum = xstrdup(s + len);
1158 case oIgnoreUnknown:
1159 charptr = &options->ignored_unknown;
/* oDeprecated: silently accepted; oUnsupported: logged, not fatal. */
1163 debug("%s line %d: Deprecated option \"%s\"",
1164 filename, linenum, keyword);
1168 error("%s line %d: Unsupported option \"%s\"",
1169 filename, linenum, keyword);
/* A keyword in the table without a case here is a programming error. */
1173 fatal("process_config_line: Unimplemented opcode %d", opcode);
1176 /* Check that there is no garbage at end of line. */
1177 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
1178 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
1179 filename, linenum, arg);
1186 * Reads the config file and modifies the options accordingly. Options
1187 * should already be initialized before this call. This never returns if
1188 * there is an error. If the file does not exist, this returns 0.
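/*
 * Read one client configuration file and apply it to options, which must
 * already have been initialize_options()'d.  Settings made earlier (on
 * the command line or in a file read before this one) are left alone,
 * because process_config_line() only assigns fields that still hold
 * their "unset" sentinel.
 *
 * filename: path of the configuration file.
 * host:     host name used to decide which "Host" blocks apply.
 * options:  destination, updated in place.
 * flags:    SSHCONF_CHECKPERM requires the file to be owned by root or by
 *           the invoking user and to be neither group- nor world-writable
 *           -- anybody who can edit the file can inject ProxyCommand /
 *           LocalCommand lines that run on the client.  SSHCONF_USERCONF
 *           is passed through to process_config_line() as userconfig.
 *
 * Returns 0 when the file cannot be opened (a missing file is normal),
 * 1 after it has been processed.  Never returns on a permission problem,
 * an over-long line, or after a file containing bad options.
 */
int
read_config_file(const char *filename, const char *host, Options *options,
    int flags)
{
	FILE *f;
	char line[1024];
	int active, linenum;
	int bad_options = 0;

	if ((f = fopen(filename, "r")) == NULL)
		return 0;

	if (flags & SSHCONF_CHECKPERM) {
		struct stat sb;

		/*
		 * fstat() the descriptor we are about to read, not the path,
		 * so the check and the read cannot be pointed at different
		 * files.
		 */
		if (fstat(fileno(f), &sb) == -1)
			fatal("fstat %s: %s", filename, strerror(errno));
		if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
		    (sb.st_mode & 022) != 0))
			fatal("Bad owner or permissions on %s", filename);
	}

	debug("Reading configuration data %.200s", filename);

	/*
	 * Mark that we are now processing the options.  This flag is turned
	 * on/off by Host specifications.
	 */
	active = 1;
	linenum = 0;
	while (fgets(line, sizeof(line), f) != NULL) {
		/* Update line number counter. */
		linenum++;
		/*
		 * fgets() stops after sizeof(line) - 1 bytes.  A longer line
		 * would otherwise come back as two "lines", and the tail would
		 * be parsed as an unrelated keyword (or rejected with a
		 * misleading message).  Refuse it instead of misparsing it.
		 * A final line without a newline is fine: fgetc() sees EOF.
		 */
		if (strchr(line, '\n') == NULL && fgetc(f) != EOF)
			fatal("%.200s line %d: line too long (max %lu characters)",
			    filename, linenum,
			    (unsigned long)(sizeof(line) - 2));
		if (process_config_line(options, host, line, filename, linenum,
		    &active, flags & SSHCONF_USERCONF) != 0)
			bad_options++;
	}
	fclose(f);

	if (bad_options > 0)
		fatal("%s: terminating, %d bad configuration options",
		    filename, bad_options);
	return 1;
}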
1236 * Initializes options to special values that indicate that they have not yet
1237 * been set. Read_config_file will only set options with this value. Options
1238 * are processed in the following order: command line, user config file,
1239 * system config file. Last, fill_default_options is called.
/*
 * Reset every option to its "not yet set" sentinel: -1 for numeric flags,
 * NULL for strings, 0 for list counters, SSH_PROTO_UNKNOWN and
 * SYSLOG_LEVEL_NOT_SET for the two enums.  read_config_file() only
 * assigns a field that still holds its sentinel, which is how the
 * command line / user file / system file precedence is implemented;
 * fill_default_options() then supplies defaults for whatever is still
 * unset.
 *
 * The struct is first filled with 'X' bytes so that a field accidentally
 * left out of the list below shows up as obviously bogus rather than as
 * a quiet zero.
 */
void
initialize_options(Options *options)
{
	memset(options, 'X', sizeof(*options));

	/* Agent / X11 / port forwarding. */
	options->forward_agent = -1;
	options->forward_x11 = -1;
	options->forward_x11_trusted = -1;
	options->forward_x11_timeout = -1;
	options->xauth_location = NULL;
	options->exit_on_forward_failure = -1;
	options->gateway_ports = -1;
	options->clear_forwardings = -1;
	options->local_forwards = NULL;
	options->num_local_forwards = 0;
	options->remote_forwards = NULL;
	options->num_remote_forwards = 0;

	/* Authentication methods and their knobs. */
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->kbd_interactive_devices = NULL;
	options->challenge_response_authentication = -1;
	options->zero_knowledge_password_authentication = -1;
	options->pubkey_authentication = -1;
	options->rsa_authentication = -1;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->gss_authentication = -1;
	options->gss_deleg_creds = -1;
	options->preferred_authentications = NULL;
	options->number_of_password_prompts = -1;
	options->identities_only = -1;
	options->num_identity_files = 0;
	options->pkcs11_provider = NULL;
	options->enable_ssh_keysign = -1;
	options->use_privileged_port = -1;

	/* Host key verification. */
	options->strict_host_key_checking = -1;
	options->check_host_ip = -1;
	options->verify_host_key_dns = -1;
	options->no_host_authentication_for_localhost = -1;
	options->hash_known_hosts = -1;
	options->visual_host_key = -1;
	options->host_key_alias = NULL;
	options->hostkeyalgorithms = NULL;
	options->num_system_hostfiles = 0;
	options->num_user_hostfiles = 0;

	/* Transport: protocol, algorithms, rekeying, connection setup. */
	options->protocol = SSH_PROTO_UNKNOWN;
	options->cipher = -1;
	options->ciphers = NULL;
	options->macs = NULL;
	options->kex_algorithms = NULL;
	options->rekey_limit = -1;
	options->rekey_interval = -1;
	options->compression = -1;
	options->compression_level = -1;
	options->tcp_keep_alive = -1;
	options->hostname = NULL;
	options->port = -1;	/* compared against -1 in the oPort handler */
	options->address_family = -1;
	options->bind_address = NULL;
	options->connection_attempts = -1;
	options->connection_timeout = -1;
	options->proxy_command = NULL;
	options->user = NULL;
	options->server_alive_interval = -1;
	options->server_alive_count_max = -1;
	options->ip_qos_interactive = -1;
	options->ip_qos_bulk = -1;
	options->use_roaming = -1;
	options->version_addendum = NULL;

	/* Session behaviour. */
	options->batch_mode = -1;
	options->escape_char = -1;
	options->request_tty = -1;
	options->num_send_env = 0;
	options->local_command = NULL;
	options->permit_local_command = -1;
	options->log_level = SYSLOG_LEVEL_NOT_SET;
	options->ignored_unknown = NULL;

	/* Connection multiplexing. */
	options->control_path = NULL;
	options->control_master = -1;
	options->control_persist = -1;
	options->control_persist_timeout = 0;

	/* Tunnel devices. */
	options->tun_open = -1;
	options->tun_local = -1;
	options->tun_remote = -1;

	/* HPN patch set. */
	options->hpn_disabled = -1;
	options->hpn_buffer_size = -1;
	options->tcp_rcv_buf_poll = -1;
	options->tcp_rcv_buf = -1;
#ifdef NONE_CIPHER_ENABLED
	options->none_enabled = -1;
	options->none_switch = -1;
#endif
}
1336 * Called after processing other sources of option data, this fills those
1337 * options for which no value has been specified with their default values.
fill_default_options(Options * options)
	/*
	 * Anything still at its "unset" sentinel (-1 for flags and counts,
	 * NULL for strings, 0 for the list counters, *_NOT_SET / *_UNKNOWN
	 * for the enumerated values) receives its compiled-in default here.
	 * Values that the config files or the command line already set are
	 * left untouched.  Most of the security-relevant switches default
	 * to the safer, disabled, state; the exceptions are called out below.
	 */
	/* Agent and X11 forwarding stay off unless explicitly requested. */
	if (options->forward_agent == -1)
		options->forward_agent = 0;
	if (options->forward_x11 == -1)
		options->forward_x11 = 0;
	/* Trusted (unrestricted) X11 forwarding has to be opted into. */
	if (options->forward_x11_trusted == -1)
		options->forward_x11_trusted = 0;
	/* Lifetime of untrusted X11 forwarding; presumably in seconds. */
	if (options->forward_x11_timeout == -1)
		options->forward_x11_timeout = 1200;
	/* A failed forwarding is non-fatal unless ExitOnForwardFailure is on. */
	if (options->exit_on_forward_failure == -1)
		options->exit_on_forward_failure = 0;
	/* Static string, unlike the xstrdup()'d hostfile defaults below. */
	if (options->xauth_location == NULL)
		options->xauth_location = _PATH_XAUTH;
	/* GatewayPorts and a privileged source port are both off by default. */
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	if (options->use_privileged_port == -1)
		options->use_privileged_port = 0;
	/*
	 * Authentication methods.  Key-based, challenge/response, password
	 * and keyboard-interactive are all enabled by default; GSSAPI,
	 * rhosts-RSA and host-based authentication are opt-in, and GSSAPI
	 * credentials are never delegated unless the user asks for it.
	 */
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
	if (options->challenge_response_authentication == -1)
		options->challenge_response_authentication = 1;
	if (options->gss_authentication == -1)
		options->gss_authentication = 0;
	if (options->gss_deleg_creds == -1)
		options->gss_deleg_creds = 0;
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 1;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 0;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	/* Interactive prompts are allowed unless BatchMode is set. */
	if (options->batch_mode == -1)
		options->batch_mode = 0;
	/* The host IP is not cross-checked against known_hosts by default. */
	if (options->check_host_ip == -1)
		options->check_host_ip = 0;
	/*
	 * NOTE(review): 2 is a third state beyond the usual 0/1; presumably
	 * the "ask" mode produced by the StrictHostKeyChecking parser
	 * (prompt on an unknown key, refuse on a changed one) -- confirm.
	 */
	if (options->strict_host_key_checking == -1)
		options->strict_host_key_checking = 2; /* 2 is default */
	if (options->compression == -1)
		options->compression = 0;
	if (options->tcp_keep_alive == -1)
		options->tcp_keep_alive = 1;
	if (options->compression_level == -1)
		options->compression_level = 6;
	if (options->port == -1)
		options->port = 0; /* Filled in ssh_connect. */
	if (options->address_family == -1)
		options->address_family = AF_UNSPEC;
	if (options->connection_attempts == -1)
		options->connection_attempts = 1;
	/* Bounds how many times a wrong password can be retried per login. */
	if (options->number_of_password_prompts == -1)
		options->number_of_password_prompts = 3;
	/* Selected in ssh_login(). */
	if (options->cipher == -1)
		options->cipher = SSH_CIPHER_NOT_SET;
	/* options->ciphers, default set in myproposals.h */
	/* options->macs, default set in myproposals.h */
	/* options->kex_algorithms, default set in myproposals.h */
	/* options->hostkeyalgorithms, default set in myproposals.h */
	/* Protocol 2 only unless the config explicitly enables protocol 1. */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_2;
	/*
	 * Default identity files are added only when the config named none,
	 * and only for the protocol versions actually enabled.  The trailing
	 * 0 presumably marks them as not user-supplied -- see
	 * add_identity_file().
	 */
	if (options->num_identity_files == 0) {
		if (options->protocol & SSH_PROTO_1) {
			add_identity_file(options, "~/",
			    _PATH_SSH_CLIENT_IDENTITY, 0);
		if (options->protocol & SSH_PROTO_2) {
			add_identity_file(options, "~/",
			    _PATH_SSH_CLIENT_ID_RSA, 0);
			add_identity_file(options, "~/",
			    _PATH_SSH_CLIENT_ID_DSA, 0);
#ifdef OPENSSL_HAS_ECC
			add_identity_file(options, "~/",
			    _PATH_SSH_CLIENT_ID_ECDSA, 0);
	if (options->escape_char == -1)
		options->escape_char = '~';
	/*
	 * Known-hosts files: the two system-wide and the two per-user paths
	 * are appended as heap copies only when the config set none of them.
	 */
	if (options->num_system_hostfiles == 0) {
		options->system_hostfiles[options->num_system_hostfiles++] =
		    xstrdup(_PATH_SSH_SYSTEM_HOSTFILE);
		options->system_hostfiles[options->num_system_hostfiles++] =
		    xstrdup(_PATH_SSH_SYSTEM_HOSTFILE2);
	if (options->num_user_hostfiles == 0) {
		options->user_hostfiles[options->num_user_hostfiles++] =
		    xstrdup(_PATH_SSH_USER_HOSTFILE);
		options->user_hostfiles[options->num_user_hostfiles++] =
		    xstrdup(_PATH_SSH_USER_HOSTFILE2);
	if (options->log_level == SYSLOG_LEVEL_NOT_SET)
		options->log_level = SYSLOG_LEVEL_INFO;
	/*
	 * ClearAllForwardings acts only when explicitly set to 1; the -1
	 * sentinel is deliberately left in place rather than normalised.
	 */
	if (options->clear_forwardings == 1)
		clear_forwardings(options);
	/* Host keys are verified even for connections to localhost. */
	if (options->no_host_authentication_for_localhost == - 1)
		options->no_host_authentication_for_localhost = 0;
	/* Agent and default identities remain usable unless IdentitiesOnly. */
	if (options->identities_only == -1)
		options->identities_only = 0;
	/* ssh-keysign (host-based auth helper) is disabled unless enabled. */
	if (options->enable_ssh_keysign == -1)
		options->enable_ssh_keysign = 0;
	/* 0 presumably defers to the transport's own rekeying policy. */
	if (options->rekey_limit == -1)
		options->rekey_limit = 0;
	if (options->rekey_interval == -1)
		options->rekey_interval = 0;
	/*
	 * Two alternative defaults for VerifyHostKeyDNS appear back to back
	 * here; in the full file they are presumably selected by a build-time
	 * conditional whose directives are not shown on this page.
	 * NOTE(review): with the default of 1, a validated SSHFP record can
	 * satisfy host-key verification without the interactive prompt, which
	 * makes the DNS resolution path part of the host-authentication trust
	 * base -- confirm this is the intended default for this build.
	 */
	if (options->verify_host_key_dns == -1)
		/* automatically trust a verified SSHFP record */
		options->verify_host_key_dns = 1;
	if (options->verify_host_key_dns == -1)
		options->verify_host_key_dns = 0;
	/* Keepalive probing is off (interval 0); three misses end a session. */
	if (options->server_alive_interval == -1)
		options->server_alive_interval = 0;
	if (options->server_alive_count_max == -1)
		options->server_alive_count_max = 3;
	/* Connection multiplexing is off; the persist timeout follows it. */
	if (options->control_master == -1)
		options->control_master = 0;
	if (options->control_persist == -1) {
		options->control_persist = 0;
		options->control_persist_timeout = 0;
	/* Hostnames are written to known_hosts in the clear by default. */
	if (options->hash_known_hosts == -1)
		options->hash_known_hosts = 0;
	/* No tun(4) device forwarding; ids are "any" if it is enabled later. */
	if (options->tun_open == -1)
		options->tun_open = SSH_TUNMODE_NO;
	if (options->tun_local == -1)
		options->tun_local = SSH_TUNID_ANY;
	if (options->tun_remote == -1)
		options->tun_remote = SSH_TUNID_ANY;
	/* LocalCommand is ignored unless PermitLocalCommand is set. */
	if (options->permit_local_command == -1)
		options->permit_local_command = 0;
	/*
	 * NOTE(review): unlike the other optional features in this function,
	 * roaming defaults to enabled; confirm that is intended.
	 */
	if (options->use_roaming == -1)
		options->use_roaming = 1;
	if (options->visual_host_key == -1)
		options->visual_host_key = 0;
	if (options->zero_knowledge_password_authentication == -1)
		options->zero_knowledge_password_authentication = 0;
	/* IP ToS: low delay for interactive traffic, throughput for bulk. */
	if (options->ip_qos_interactive == -1)
		options->ip_qos_interactive = IPTOS_LOWDELAY;
	if (options->ip_qos_bulk == -1)
		options->ip_qos_bulk = IPTOS_THROUGHPUT;
	if (options->request_tty == -1)
		options->request_tty = REQUEST_TTY_AUTO;
	/* options->local_command should not be set by default */
	/* options->proxy_command should not be set by default */
	/* options->user will be set in the main program if appropriate */
	/* options->hostname will be set in the main program if appropriate */
	/* options->host_key_alias should not be set by default */
	/* options->preferred_authentications will be set in ssh */
	/* Heap copy so the addendum can be freed like a user-supplied one. */
	if (options->version_addendum == NULL)
		options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
	if (options->hpn_disabled == -1)
		options->hpn_disabled = 0;
	/*
	 * HPN buffer sizing.  maxlen is a local declared at the top of the
	 * function (not shown on this page); the %u conversions below
	 * suggest it is unsigned.
	 */
	if (options->hpn_buffer_size > -1)
		/* If a user tries to set the size to 0 set it to 1KB. */
		if (options->hpn_buffer_size == 0)
			options->hpn_buffer_size = 1024;
		/* Limit the buffer to BUFFER_MAX_LEN. */
		maxlen = buffer_get_max_len();
		/*
		 * NOTE(review): the comparison treats hpn_buffer_size as KB
		 * (maxlen / 1024) and the message prints it * 1024 as bytes,
		 * yet the clamp assigns maxlen, which is bytes.  After this
		 * block the value is therefore in KB when under the cap and
		 * in bytes when over it; either "maxlen / 1024" here or a
		 * "*= 1024" on the uncapped path (as tcp_rcv_buf gets below)
		 * appears to be missing -- confirm which unit the channel
		 * code expects.  Also, hpn_buffer_size * 1024 is a signed
		 * multiply (the %d below implies int) passed to a %u
		 * conversion, and it overflows for values above INT_MAX/1024
		 * before the cap can take effect.
		 */
		if (options->hpn_buffer_size > (maxlen / 1024)) {
			debug("User requested buffer larger than %ub: %ub. "
			    "Request reverted to %ub", maxlen,
			    options->hpn_buffer_size * 1024, maxlen);
			options->hpn_buffer_size = maxlen;
		debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
	/*
	 * TCPRcvBuf: 0 is bumped to 1, then the value is scaled by 1024
	 * (KB to bytes, presumably).  No upper bound is applied here, so a
	 * very large value overflows the multiply -- confirm the
	 * setsockopt() caller clamps it.
	 */
	if (options->tcp_rcv_buf == 0)
		options->tcp_rcv_buf = 1;
	if (options->tcp_rcv_buf > -1)
		options->tcp_rcv_buf *= 1024;
	/* Receive-buffer polling is on unless explicitly disabled. */
	if (options->tcp_rcv_buf_poll == -1)
		options->tcp_rcv_buf_poll = 1;
#ifdef NONE_CIPHER_ENABLED
	/*
	 * The NONE cipher must never be turned on implicitly, so none_enabled
	 * deliberately gets no default here; only the switch flag is settled.
	 */
	/* options->none_enabled must not be set by default */
	if (options->none_switch == -1)
		options->none_switch = 0;
1532 * parses a string containing a port forwarding specification of the form:
 *   when dynamicfwd == 0:  [listenhost:]listenport:connecthost:connectport
 *   when dynamicfwd != 0:  [listenhost:]listenport
1537 * returns number of arguments parsed or zero on error
1540 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1543 char *p, *cp, *fwdarg[4];
1545 memset(fwd, '\0', sizeof(*fwd));
1547 cp = p = xstrdup(fwdspec);
1549 /* skip leading spaces */
1550 while (isspace(*cp))
1553 for (i = 0; i < 4; ++i)
1554 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1557 /* Check for trailing garbage */
1559 i = 0; /* failure */
1563 fwd->listen_host = NULL;
1564 fwd->listen_port = a2port(fwdarg[0]);
1565 fwd->connect_host = xstrdup("socks");
1569 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1570 fwd->listen_port = a2port(fwdarg[1]);
1571 fwd->connect_host = xstrdup("socks");
1575 fwd->listen_host = NULL;
1576 fwd->listen_port = a2port(fwdarg[0]);
1577 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1578 fwd->connect_port = a2port(fwdarg[2]);
1582 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1583 fwd->listen_port = a2port(fwdarg[1]);
1584 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1585 fwd->connect_port = a2port(fwdarg[3]);
1588 i = 0; /* failure */
1594 if (!(i == 1 || i == 2))
1597 if (!(i == 3 || i == 4))
1599 if (fwd->connect_port <= 0)
1603 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
1606 if (fwd->connect_host != NULL &&
1607 strlen(fwd->connect_host) >= NI_MAXHOST)
1609 if (fwd->listen_host != NULL &&
1610 strlen(fwd->listen_host) >= NI_MAXHOST)
1617 free(fwd->connect_host);
1618 fwd->connect_host = NULL;
1619 free(fwd->listen_host);
1620 fwd->listen_host = NULL;