2 /* $OpenBSD: servconf.c,v 1.240 2013/07/19 07:37:48 markus Exp $ */
5 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
18 #include <sys/types.h>
19 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <netinet/in_systm.h>
23 #include <netinet/ip.h>
39 #include "openbsd-compat/sys-queue.h"
46 #include "pathnames.h"
54 #include "groupaccess.h"
61 static void add_listen_addr(ServerOptions *, char *, int);
62 static void add_one_listen_addr(ServerOptions *, char *, int);
64 /* Use of privilege separation or not */
65 extern int use_privsep;
68 /* Initializes the server options to their default values. */
71 initialize_server_options(ServerOptions *options)
73 memset(options, 0, sizeof(*options));
75 /* Portable-specific options */
76 options->use_pam = -1;
78 /* Standard Options */
79 options->num_ports = 0;
80 options->ports_from_cmdline = 0;
81 options->listen_addrs = NULL;
82 options->address_family = -1;
83 options->num_host_key_files = 0;
84 options->num_host_cert_files = 0;
85 options->host_key_agent = NULL;
86 options->pid_file = NULL;
87 options->server_key_bits = -1;
88 options->login_grace_time = -1;
89 options->key_regeneration_time = -1;
90 options->permit_root_login = PERMIT_NOT_SET;
91 options->ignore_rhosts = -1;
92 options->ignore_user_known_hosts = -1;
93 options->print_motd = -1;
94 options->print_lastlog = -1;
95 options->x11_forwarding = -1;
96 options->x11_display_offset = -1;
97 options->x11_use_localhost = -1;
98 options->xauth_location = NULL;
99 options->strict_modes = -1;
100 options->tcp_keep_alive = -1;
101 options->log_facility = SYSLOG_FACILITY_NOT_SET;
102 options->log_level = SYSLOG_LEVEL_NOT_SET;
103 options->rhosts_rsa_authentication = -1;
104 options->hostbased_authentication = -1;
105 options->hostbased_uses_name_from_packet_only = -1;
106 options->rsa_authentication = -1;
107 options->pubkey_authentication = -1;
108 options->kerberos_authentication = -1;
109 options->kerberos_or_local_passwd = -1;
110 options->kerberos_ticket_cleanup = -1;
111 options->kerberos_get_afs_token = -1;
112 options->gss_authentication=-1;
113 options->gss_cleanup_creds = -1;
114 options->password_authentication = -1;
115 options->kbd_interactive_authentication = -1;
116 options->challenge_response_authentication = -1;
117 options->permit_empty_passwd = -1;
118 options->permit_user_env = -1;
119 options->use_login = -1;
120 options->compression = -1;
121 options->rekey_limit = -1;
122 options->rekey_interval = -1;
123 options->allow_tcp_forwarding = -1;
124 options->allow_agent_forwarding = -1;
125 options->num_allow_users = 0;
126 options->num_deny_users = 0;
127 options->num_allow_groups = 0;
128 options->num_deny_groups = 0;
129 options->ciphers = NULL;
130 options->macs = NULL;
131 options->kex_algorithms = NULL;
132 options->protocol = SSH_PROTO_UNKNOWN;
133 options->gateway_ports = -1;
134 options->num_subsystems = 0;
135 options->max_startups_begin = -1;
136 options->max_startups_rate = -1;
137 options->max_startups = -1;
138 options->max_authtries = -1;
139 options->max_sessions = -1;
140 options->banner = NULL;
141 options->use_dns = -1;
142 options->client_alive_interval = -1;
143 options->client_alive_count_max = -1;
144 options->num_authkeys_files = 0;
145 options->num_accept_env = 0;
146 options->permit_tun = -1;
147 options->num_permitted_opens = -1;
148 options->adm_forced_command = NULL;
149 options->chroot_directory = NULL;
150 options->authorized_keys_command = NULL;
151 options->authorized_keys_command_user = NULL;
152 options->zero_knowledge_password_authentication = -1;
153 options->revoked_keys_file = NULL;
154 options->trusted_user_ca_keys = NULL;
155 options->authorized_principals_file = NULL;
156 options->ip_qos_interactive = -1;
157 options->ip_qos_bulk = -1;
158 options->version_addendum = NULL;
159 options->hpn_disabled = -1;
160 options->hpn_buffer_size = -1;
161 options->tcp_rcv_buf_poll = -1;
162 #ifdef NONE_CIPHER_ENABLED
163 options->none_enabled = -1;
168 fill_default_server_options(ServerOptions *options)
170 /* Portable-specific options */
171 if (options->use_pam == -1)
172 options->use_pam = 1;
174 /* Standard Options */
175 if (options->protocol == SSH_PROTO_UNKNOWN)
176 options->protocol = SSH_PROTO_2;
177 if (options->num_host_key_files == 0) {
178 /* fill default hostkeys for protocols */
179 if (options->protocol & SSH_PROTO_1)
180 options->host_key_files[options->num_host_key_files++] =
182 if (options->protocol & SSH_PROTO_2) {
183 options->host_key_files[options->num_host_key_files++] =
184 _PATH_HOST_RSA_KEY_FILE;
185 options->host_key_files[options->num_host_key_files++] =
186 _PATH_HOST_DSA_KEY_FILE;
187 #ifdef OPENSSL_HAS_ECC
188 options->host_key_files[options->num_host_key_files++] =
189 _PATH_HOST_ECDSA_KEY_FILE;
193 /* No certificates by default */
194 if (options->num_ports == 0)
195 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
196 if (options->listen_addrs == NULL)
197 add_listen_addr(options, NULL, 0);
198 if (options->pid_file == NULL)
199 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
200 if (options->server_key_bits == -1)
201 options->server_key_bits = 1024;
202 if (options->login_grace_time == -1)
203 options->login_grace_time = 120;
204 if (options->key_regeneration_time == -1)
205 options->key_regeneration_time = 3600;
206 if (options->permit_root_login == PERMIT_NOT_SET)
207 options->permit_root_login = PERMIT_NO;
208 if (options->ignore_rhosts == -1)
209 options->ignore_rhosts = 1;
210 if (options->ignore_user_known_hosts == -1)
211 options->ignore_user_known_hosts = 0;
212 if (options->print_motd == -1)
213 options->print_motd = 1;
214 if (options->print_lastlog == -1)
215 options->print_lastlog = 1;
216 if (options->x11_forwarding == -1)
217 options->x11_forwarding = 1;
218 if (options->x11_display_offset == -1)
219 options->x11_display_offset = 10;
220 if (options->x11_use_localhost == -1)
221 options->x11_use_localhost = 1;
222 if (options->xauth_location == NULL)
223 options->xauth_location = _PATH_XAUTH;
224 if (options->strict_modes == -1)
225 options->strict_modes = 1;
226 if (options->tcp_keep_alive == -1)
227 options->tcp_keep_alive = 1;
228 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
229 options->log_facility = SYSLOG_FACILITY_AUTH;
230 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
231 options->log_level = SYSLOG_LEVEL_INFO;
232 if (options->rhosts_rsa_authentication == -1)
233 options->rhosts_rsa_authentication = 0;
234 if (options->hostbased_authentication == -1)
235 options->hostbased_authentication = 0;
236 if (options->hostbased_uses_name_from_packet_only == -1)
237 options->hostbased_uses_name_from_packet_only = 0;
238 if (options->rsa_authentication == -1)
239 options->rsa_authentication = 1;
240 if (options->pubkey_authentication == -1)
241 options->pubkey_authentication = 1;
242 if (options->kerberos_authentication == -1)
243 options->kerberos_authentication = 0;
244 if (options->kerberos_or_local_passwd == -1)
245 options->kerberos_or_local_passwd = 1;
246 if (options->kerberos_ticket_cleanup == -1)
247 options->kerberos_ticket_cleanup = 1;
248 if (options->kerberos_get_afs_token == -1)
249 options->kerberos_get_afs_token = 0;
250 if (options->gss_authentication == -1)
251 options->gss_authentication = 0;
252 if (options->gss_cleanup_creds == -1)
253 options->gss_cleanup_creds = 1;
254 if (options->password_authentication == -1)
255 options->password_authentication = 0;
256 if (options->kbd_interactive_authentication == -1)
257 options->kbd_interactive_authentication = 0;
258 if (options->challenge_response_authentication == -1)
259 options->challenge_response_authentication = 1;
260 if (options->permit_empty_passwd == -1)
261 options->permit_empty_passwd = 0;
262 if (options->permit_user_env == -1)
263 options->permit_user_env = 0;
264 if (options->use_login == -1)
265 options->use_login = 0;
266 if (options->compression == -1)
267 options->compression = COMP_DELAYED;
268 if (options->rekey_limit == -1)
269 options->rekey_limit = 0;
270 if (options->rekey_interval == -1)
271 options->rekey_interval = 0;
272 if (options->allow_tcp_forwarding == -1)
273 options->allow_tcp_forwarding = FORWARD_ALLOW;
274 if (options->allow_agent_forwarding == -1)
275 options->allow_agent_forwarding = 1;
276 if (options->gateway_ports == -1)
277 options->gateway_ports = 0;
278 if (options->max_startups == -1)
279 options->max_startups = 100;
280 if (options->max_startups_rate == -1)
281 options->max_startups_rate = 30; /* 30% */
282 if (options->max_startups_begin == -1)
283 options->max_startups_begin = 10;
284 if (options->max_authtries == -1)
285 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
286 if (options->max_sessions == -1)
287 options->max_sessions = DEFAULT_SESSIONS_MAX;
288 if (options->use_dns == -1)
289 options->use_dns = 1;
290 if (options->client_alive_interval == -1)
291 options->client_alive_interval = 0;
292 if (options->client_alive_count_max == -1)
293 options->client_alive_count_max = 3;
294 if (options->num_authkeys_files == 0) {
295 options->authorized_keys_files[options->num_authkeys_files++] =
296 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
297 options->authorized_keys_files[options->num_authkeys_files++] =
298 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
300 if (options->permit_tun == -1)
301 options->permit_tun = SSH_TUNMODE_NO;
302 if (options->zero_knowledge_password_authentication == -1)
303 options->zero_knowledge_password_authentication = 0;
304 if (options->ip_qos_interactive == -1)
305 options->ip_qos_interactive = IPTOS_LOWDELAY;
306 if (options->ip_qos_bulk == -1)
307 options->ip_qos_bulk = IPTOS_THROUGHPUT;
308 if (options->version_addendum == NULL)
309 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
310 /* Turn privilege separation on by default */
311 if (use_privsep == -1)
312 use_privsep = PRIVSEP_NOSANDBOX;
315 if (use_privsep && options->compression == 1) {
316 error("This platform does not support both privilege "
317 "separation and compression");
318 error("Compression disabled");
319 options->compression = 0;
323 if (options->hpn_disabled == -1)
324 options->hpn_disabled = 0;
325 if (options->hpn_buffer_size == -1) {
327 * HPN buffer size option not explicitly set. Try to figure
328 * out what value to use or resort to default.
330 options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
331 if (!options->hpn_disabled) {
332 sock_get_rcvbuf(&options->hpn_buffer_size, 0);
333 debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
337 * In the case that the user sets both values in a
338 * contradictory manner hpn_disabled overrrides hpn_buffer_size.
340 if (options->hpn_disabled <= 0) {
343 maxlen = buffer_get_max_len();
344 if (options->hpn_buffer_size == 0)
345 options->hpn_buffer_size = 1;
346 /* Limit the maximum buffer to BUFFER_MAX_LEN. */
347 if (options->hpn_buffer_size > maxlen / 1024)
348 options->hpn_buffer_size = maxlen;
350 options->hpn_buffer_size *= 1024;
352 options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
357 /* Keyword tokens. */
359 sBadOption, /* == unknown option */
360 /* Portable-specific options */
362 /* Standard Options */
363 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
364 sPermitRootLogin, sLogFacility, sLogLevel,
365 sRhostsRSAAuthentication, sRSAAuthentication,
366 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
367 sKerberosGetAFSToken,
368 sKerberosTgtPassing, sChallengeResponseAuthentication,
369 sPasswordAuthentication, sKbdInteractiveAuthentication,
370 sListenAddress, sAddressFamily,
371 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
372 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
373 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
374 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
375 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
376 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
377 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
378 sMaxStartups, sMaxAuthTries, sMaxSessions,
379 sBanner, sUseDNS, sHostbasedAuthentication,
380 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
381 sClientAliveCountMax, sAuthorizedKeysFile,
382 sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
383 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
384 sUsePrivilegeSeparation, sAllowAgentForwarding,
385 sZeroKnowledgePasswordAuthentication, sHostCertificate,
386 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
387 sKexAlgorithms, sIPQoS, sVersionAddendum,
388 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
389 sAuthenticationMethods, sHostKeyAgent,
390 sHPNDisabled, sHPNBufferSize, sTcpRcvBufPoll,
391 #ifdef NONE_CIPHER_ENABLED
394 sDeprecated, sUnsupported
397 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
398 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
399 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
401 /* Textual representation of the tokens. */
404 ServerOpCodes opcode;
407 /* Portable-specific options */
409 { "usepam", sUsePAM, SSHCFG_GLOBAL },
411 { "usepam", sUnsupported, SSHCFG_GLOBAL },
413 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
414 /* Standard Options */
415 { "port", sPort, SSHCFG_GLOBAL },
416 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
417 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
418 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
419 { "pidfile", sPidFile, SSHCFG_GLOBAL },
420 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
421 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
422 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
423 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
424 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
425 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
426 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
427 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
428 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
429 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
430 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
431 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
432 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
434 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
435 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
436 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
438 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
440 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
443 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
444 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
445 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
446 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
448 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
449 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
451 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
452 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
454 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
455 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
457 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
458 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
459 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
460 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
462 { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
464 { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
466 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
467 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
468 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
469 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
470 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
471 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
472 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
473 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
474 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
475 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
476 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
477 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
478 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
479 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
480 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
481 { "compression", sCompression, SSHCFG_GLOBAL },
482 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
483 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
484 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
485 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
486 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
487 { "allowusers", sAllowUsers, SSHCFG_ALL },
488 { "denyusers", sDenyUsers, SSHCFG_ALL },
489 { "allowgroups", sAllowGroups, SSHCFG_ALL },
490 { "denygroups", sDenyGroups, SSHCFG_ALL },
491 { "ciphers", sCiphers, SSHCFG_GLOBAL },
492 { "macs", sMacs, SSHCFG_GLOBAL },
493 { "protocol", sProtocol, SSHCFG_GLOBAL },
494 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
495 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
496 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
497 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
498 { "maxsessions", sMaxSessions, SSHCFG_ALL },
499 { "banner", sBanner, SSHCFG_ALL },
500 { "usedns", sUseDNS, SSHCFG_GLOBAL },
501 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
502 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
503 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
504 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
505 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
506 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
507 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
508 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
509 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
510 { "match", sMatch, SSHCFG_ALL },
511 { "permitopen", sPermitOpen, SSHCFG_ALL },
512 { "forcecommand", sForceCommand, SSHCFG_ALL },
513 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
514 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
515 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
516 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
517 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
518 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
519 { "ipqos", sIPQoS, SSHCFG_ALL },
520 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
521 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
522 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
523 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
524 { "hpndisabled", sHPNDisabled, SSHCFG_ALL },
525 { "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
526 { "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
527 #ifdef NONE_CIPHER_ENABLED
528 { "noneenabled", sNoneEnabled, SSHCFG_ALL },
530 { NULL, sBadOption, 0 }
537 { SSH_TUNMODE_NO, "no" },
538 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
539 { SSH_TUNMODE_ETHERNET, "ethernet" },
540 { SSH_TUNMODE_YES, "yes" },
545 * Returns the number of the token pointed to by cp or sBadOption.
549 parse_token(const char *cp, const char *filename,
550 int linenum, u_int *flags)
554 for (i = 0; keywords[i].name; i++)
555 if (strcasecmp(cp, keywords[i].name) == 0) {
556 *flags = keywords[i].flags;
557 return keywords[i].opcode;
560 error("%s: line %d: Bad configuration option: %s",
561 filename, linenum, cp);
566 derelativise_path(const char *path)
568 char *expanded, *ret, cwd[MAXPATHLEN];
570 expanded = tilde_expand_filename(path, getuid());
571 if (*expanded == '/')
573 if (getcwd(cwd, sizeof(cwd)) == NULL)
574 fatal("%s: getcwd: %s", __func__, strerror(errno));
575 xasprintf(&ret, "%s/%s", cwd, expanded);
581 add_listen_addr(ServerOptions *options, char *addr, int port)
585 if (options->num_ports == 0)
586 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
587 if (options->address_family == -1)
588 options->address_family = AF_UNSPEC;
590 for (i = 0; i < options->num_ports; i++)
591 add_one_listen_addr(options, addr, options->ports[i]);
593 add_one_listen_addr(options, addr, port);
597 add_one_listen_addr(ServerOptions *options, char *addr, int port)
599 struct addrinfo hints, *ai, *aitop;
600 char strport[NI_MAXSERV];
603 memset(&hints, 0, sizeof(hints));
604 hints.ai_family = options->address_family;
605 hints.ai_socktype = SOCK_STREAM;
606 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
607 snprintf(strport, sizeof strport, "%d", port);
608 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
609 fatal("bad addr or host: %s (%s)",
610 addr ? addr : "<NULL>",
611 ssh_gai_strerror(gaierr));
612 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
614 ai->ai_next = options->listen_addrs;
615 options->listen_addrs = aitop;
618 struct connection_info *
619 get_connection_info(int populate, int use_dns)
621 static struct connection_info ci;
625 ci.host = get_canonical_hostname(use_dns);
626 ci.address = get_remote_ipaddr();
627 ci.laddress = get_local_ipaddr(packet_get_connection_in());
628 ci.lport = get_local_port();
633 * The strategy for the Match blocks is that the config file is parsed twice.
635 * The first time is at startup. activep is initialized to 1 and the
636 * directives in the global context are processed and acted on. Hitting a
637 * Match directive unsets activep and the directives inside the block are
638 * checked for syntax only.
640 * The second time is after a connection has been established but before
641 * authentication. activep is initialized to 2 and global config directives
642 * are ignored since they have already been processed. If the criteria in a
643 * Match block is met, activep is set and the subsequent directives
644 * processed and actioned until EOF or another Match block unsets it. Any
645 * options set are copied into the main server config.
647 * Potential additions/improvements:
648 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
650 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
651 * Match Address 192.168.0.*
656 * AllowTcpForwarding yes
657 * GatewayPorts clientspecified
660 * - Add a PermittedChannelRequests directive
662 * PermittedChannelRequests session,forwarded-tcpip
666 match_cfg_line_group(const char *grps, int line, const char *user)
674 if ((pw = getpwnam(user)) == NULL) {
675 debug("Can't match group at line %d because user %.100s does "
676 "not exist", line, user);
677 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
678 debug("Can't Match group because user %.100s not in any group "
679 "at line %d", user, line);
680 } else if (ga_match_pattern_list(grps) != 1) {
681 debug("user %.100s does not match group list %.100s at line %d",
684 debug("user %.100s matched group list %.100s at line %d", user,
694 * All of the attributes on a single Match line are ANDed together, so we need
695 * to check every * attribute and set the result to zero if any attribute does
699 match_cfg_line(char **condition, int line, struct connection_info *ci)
701 int result = 1, port;
702 char *arg, *attrib, *cp = *condition;
706 debug3("checking syntax for 'Match %s'", cp);
708 debug3("checking match for '%s' user %s host %s addr %s "
709 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
710 ci->host ? ci->host : "(null)",
711 ci->address ? ci->address : "(null)",
712 ci->laddress ? ci->laddress : "(null)", ci->lport);
714 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
715 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
716 error("Missing Match criteria for %s", attrib);
720 if (strcasecmp(attrib, "user") == 0) {
721 if (ci == NULL || ci->user == NULL) {
725 if (match_pattern_list(ci->user, arg, len, 0) != 1)
728 debug("user %.100s matched 'User %.100s' at "
729 "line %d", ci->user, arg, line);
730 } else if (strcasecmp(attrib, "group") == 0) {
731 if (ci == NULL || ci->user == NULL) {
735 switch (match_cfg_line_group(arg, line, ci->user)) {
741 } else if (strcasecmp(attrib, "host") == 0) {
742 if (ci == NULL || ci->host == NULL) {
746 if (match_hostname(ci->host, arg, len) != 1)
749 debug("connection from %.100s matched 'Host "
750 "%.100s' at line %d", ci->host, arg, line);
751 } else if (strcasecmp(attrib, "address") == 0) {
752 if (ci == NULL || ci->address == NULL) {
756 switch (addr_match_list(ci->address, arg)) {
758 debug("connection from %.100s matched 'Address "
759 "%.100s' at line %d", ci->address, arg, line);
768 } else if (strcasecmp(attrib, "localaddress") == 0){
769 if (ci == NULL || ci->laddress == NULL) {
773 switch (addr_match_list(ci->laddress, arg)) {
775 debug("connection from %.100s matched "
776 "'LocalAddress %.100s' at line %d",
777 ci->laddress, arg, line);
786 } else if (strcasecmp(attrib, "localport") == 0) {
787 if ((port = a2port(arg)) == -1) {
788 error("Invalid LocalPort '%s' on Match line",
792 if (ci == NULL || ci->lport == 0) {
796 /* TODO support port lists */
797 if (port == ci->lport)
798 debug("connection from %.100s matched "
799 "'LocalPort %d' at line %d",
800 ci->laddress, port, line);
804 error("Unsupported Match attribute %s", attrib);
809 debug3("match %sfound", result ? "" : "not ");
814 #define WHITESPACE " \t\r\n"
816 /* Multistate option parsing */
821 static const struct multistate multistate_addressfamily[] = {
823 { "inet6", AF_INET6 },
824 { "any", AF_UNSPEC },
827 static const struct multistate multistate_permitrootlogin[] = {
828 { "without-password", PERMIT_NO_PASSWD },
829 { "forced-commands-only", PERMIT_FORCED_ONLY },
830 { "yes", PERMIT_YES },
834 static const struct multistate multistate_compression[] = {
835 { "delayed", COMP_DELAYED },
836 { "yes", COMP_ZLIB },
840 static const struct multistate multistate_gatewayports[] = {
841 { "clientspecified", 2 },
846 static const struct multistate multistate_privsep[] = {
847 { "yes", PRIVSEP_NOSANDBOX },
848 { "sandbox", PRIVSEP_ON },
849 { "nosandbox", PRIVSEP_NOSANDBOX },
850 { "no", PRIVSEP_OFF },
853 static const struct multistate multistate_tcpfwd[] = {
854 { "yes", FORWARD_ALLOW },
855 { "all", FORWARD_ALLOW },
856 { "no", FORWARD_DENY },
857 { "remote", FORWARD_REMOTE },
858 { "local", FORWARD_LOCAL },
863 process_server_config_line(ServerOptions *options, char *line,
864 const char *filename, int linenum, int *activep,
865 struct connection_info *connectinfo)
867 char *cp, **charptr, *arg, *p;
868 int cmdline = 0, *intptr, value, value2, n, port;
869 SyslogFacility *log_facility_ptr;
870 LogLevel *log_level_ptr;
871 ServerOpCodes opcode;
875 const struct multistate *multistate_ptr;
878 if ((arg = strdelim(&cp)) == NULL)
880 /* Ignore leading whitespace */
883 if (!arg || !*arg || *arg == '#')
887 opcode = parse_token(arg, filename, linenum, &flags);
889 if (activep == NULL) { /* We are processing a command line directive */
893 if (*activep && opcode != sMatch)
894 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
895 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
896 if (connectinfo == NULL) {
897 fatal("%s line %d: Directive '%s' is not allowed "
898 "within a Match block", filename, linenum, arg);
899 } else { /* this is a directive we have already processed */
907 /* Portable-specific options */
909 intptr = &options->use_pam;
912 /* Standard Options */
916 /* ignore ports from configfile if cmdline specifies ports */
917 if (options->ports_from_cmdline)
919 if (options->listen_addrs != NULL)
920 fatal("%s line %d: ports must be specified before "
921 "ListenAddress.", filename, linenum);
922 if (options->num_ports >= MAX_PORTS)
923 fatal("%s line %d: too many ports.",
926 if (!arg || *arg == '\0')
927 fatal("%s line %d: missing port number.",
929 options->ports[options->num_ports++] = a2port(arg);
930 if (options->ports[options->num_ports-1] <= 0)
931 fatal("%s line %d: Badly formatted port number.",
936 intptr = &options->server_key_bits;
939 if (!arg || *arg == '\0')
940 fatal("%s line %d: missing integer value.",
943 if (*activep && *intptr == -1)
947 case sLoginGraceTime:
948 intptr = &options->login_grace_time;
951 if (!arg || *arg == '\0')
952 fatal("%s line %d: missing time value.",
954 if ((value = convtime(arg)) == -1)
955 fatal("%s line %d: invalid time value.",
961 case sKeyRegenerationTime:
962 intptr = &options->key_regeneration_time;
967 if (arg == NULL || *arg == '\0')
968 fatal("%s line %d: missing address",
970 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
971 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
972 && strchr(p+1, ':') != NULL) {
973 add_listen_addr(options, arg, 0);
978 fatal("%s line %d: bad address:port usage",
980 p = cleanhostname(p);
983 else if ((port = a2port(arg)) <= 0)
984 fatal("%s line %d: bad port number", filename, linenum);
986 add_listen_addr(options, p, port);
991 intptr = &options->address_family;
992 multistate_ptr = multistate_addressfamily;
993 if (options->listen_addrs != NULL)
994 fatal("%s line %d: address family must be specified "
995 "before ListenAddress.", filename, linenum);
998 if (!arg || *arg == '\0')
999 fatal("%s line %d: missing argument.",
1002 for (i = 0; multistate_ptr[i].key != NULL; i++) {
1003 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1004 value = multistate_ptr[i].value;
1009 fatal("%s line %d: unsupported option \"%s\".",
1010 filename, linenum, arg);
1011 if (*activep && *intptr == -1)
1016 intptr = &options->num_host_key_files;
1017 if (*intptr >= MAX_HOSTKEYS)
1018 fatal("%s line %d: too many host keys specified (max %d).",
1019 filename, linenum, MAX_HOSTKEYS);
1020 charptr = &options->host_key_files[*intptr];
1022 arg = strdelim(&cp);
1023 if (!arg || *arg == '\0')
1024 fatal("%s line %d: missing file name.",
1026 if (*activep && *charptr == NULL) {
1027 *charptr = derelativise_path(arg);
1028 /* increase optional counter */
1030 *intptr = *intptr + 1;
1035 charptr = &options->host_key_agent;
1036 arg = strdelim(&cp);
1037 if (!arg || *arg == '\0')
1038 fatal("%s line %d: missing socket name.",
1040 if (*activep && *charptr == NULL)
1041 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1042 xstrdup(arg) : derelativise_path(arg);
1045 case sHostCertificate:
1046 intptr = &options->num_host_cert_files;
1047 if (*intptr >= MAX_HOSTKEYS)
1048 fatal("%s line %d: too many host certificates "
1049 "specified (max %d).", filename, linenum,
1051 charptr = &options->host_cert_files[*intptr];
1052 goto parse_filename;
1056 charptr = &options->pid_file;
1057 goto parse_filename;
1059 case sPermitRootLogin:
1060 intptr = &options->permit_root_login;
1061 multistate_ptr = multistate_permitrootlogin;
1062 goto parse_multistate;
1065 intptr = &options->ignore_rhosts;
1067 arg = strdelim(&cp);
1068 if (!arg || *arg == '\0')
1069 fatal("%s line %d: missing yes/no argument.",
1071 value = 0; /* silence compiler */
1072 if (strcmp(arg, "yes") == 0)
1074 else if (strcmp(arg, "no") == 0)
1077 fatal("%s line %d: Bad yes/no argument: %s",
1078 filename, linenum, arg);
1079 if (*activep && *intptr == -1)
1083 case sIgnoreUserKnownHosts:
1084 intptr = &options->ignore_user_known_hosts;
1087 case sRhostsRSAAuthentication:
1088 intptr = &options->rhosts_rsa_authentication;
1091 case sHostbasedAuthentication:
1092 intptr = &options->hostbased_authentication;
1095 case sHostbasedUsesNameFromPacketOnly:
1096 intptr = &options->hostbased_uses_name_from_packet_only;
1099 case sRSAAuthentication:
1100 intptr = &options->rsa_authentication;
1103 case sPubkeyAuthentication:
1104 intptr = &options->pubkey_authentication;
1107 case sKerberosAuthentication:
1108 intptr = &options->kerberos_authentication;
1111 case sKerberosOrLocalPasswd:
1112 intptr = &options->kerberos_or_local_passwd;
1115 case sKerberosTicketCleanup:
1116 intptr = &options->kerberos_ticket_cleanup;
1119 case sKerberosGetAFSToken:
1120 intptr = &options->kerberos_get_afs_token;
1123 case sGssAuthentication:
1124 intptr = &options->gss_authentication;
1127 case sGssCleanupCreds:
1128 intptr = &options->gss_cleanup_creds;
1131 case sPasswordAuthentication:
1132 intptr = &options->password_authentication;
1135 case sZeroKnowledgePasswordAuthentication:
1136 intptr = &options->zero_knowledge_password_authentication;
1139 case sKbdInteractiveAuthentication:
1140 intptr = &options->kbd_interactive_authentication;
1143 case sChallengeResponseAuthentication:
1144 intptr = &options->challenge_response_authentication;
1148 intptr = &options->print_motd;
1152 intptr = &options->print_lastlog;
1155 case sX11Forwarding:
1156 intptr = &options->x11_forwarding;
1159 case sX11DisplayOffset:
1160 intptr = &options->x11_display_offset;
1163 case sX11UseLocalhost:
1164 intptr = &options->x11_use_localhost;
1167 case sXAuthLocation:
1168 charptr = &options->xauth_location;
1169 goto parse_filename;
1172 intptr = &options->strict_modes;
1176 intptr = &options->tcp_keep_alive;
1180 intptr = &options->permit_empty_passwd;
1183 case sPermitUserEnvironment:
1184 intptr = &options->permit_user_env;
1188 intptr = &options->use_login;
1192 intptr = &options->compression;
1193 multistate_ptr = multistate_compression;
1194 goto parse_multistate;
1197 arg = strdelim(&cp);
1198 if (!arg || *arg == '\0')
1199 fatal("%.200s line %d: Missing argument.", filename,
1201 if (strcmp(arg, "default") == 0) {
1204 if (scan_scaled(arg, &val64) == -1)
1205 fatal("%.200s line %d: Bad number '%s': %s",
1206 filename, linenum, arg, strerror(errno));
1207 /* check for too-large or too-small limits */
1208 if (val64 > UINT_MAX)
1209 fatal("%.200s line %d: RekeyLimit too large",
1211 if (val64 != 0 && val64 < 16)
1212 fatal("%.200s line %d: RekeyLimit too small",
1215 if (*activep && options->rekey_limit == -1)
1216 options->rekey_limit = (u_int32_t)val64;
1217 if (cp != NULL) { /* optional rekey interval present */
1218 if (strcmp(cp, "none") == 0) {
1219 (void)strdelim(&cp); /* discard */
1222 intptr = &options->rekey_interval;
1228 intptr = &options->gateway_ports;
1229 multistate_ptr = multistate_gatewayports;
1230 goto parse_multistate;
1233 intptr = &options->use_dns;
1237 log_facility_ptr = &options->log_facility;
1238 arg = strdelim(&cp);
1239 value = log_facility_number(arg);
1240 if (value == SYSLOG_FACILITY_NOT_SET)
1241 fatal("%.200s line %d: unsupported log facility '%s'",
1242 filename, linenum, arg ? arg : "<NONE>");
1243 if (*log_facility_ptr == -1)
1244 *log_facility_ptr = (SyslogFacility) value;
1248 log_level_ptr = &options->log_level;
1249 arg = strdelim(&cp);
1250 value = log_level_number(arg);
1251 if (value == SYSLOG_LEVEL_NOT_SET)
1252 fatal("%.200s line %d: unsupported log level '%s'",
1253 filename, linenum, arg ? arg : "<NONE>");
1254 if (*log_level_ptr == -1)
1255 *log_level_ptr = (LogLevel) value;
1258 case sAllowTcpForwarding:
1259 intptr = &options->allow_tcp_forwarding;
1260 multistate_ptr = multistate_tcpfwd;
1261 goto parse_multistate;
1263 case sAllowAgentForwarding:
1264 intptr = &options->allow_agent_forwarding;
1267 case sUsePrivilegeSeparation:
1268 intptr = &use_privsep;
1269 multistate_ptr = multistate_privsep;
1270 goto parse_multistate;
1273 while ((arg = strdelim(&cp)) && *arg != '\0') {
1274 if (options->num_allow_users >= MAX_ALLOW_USERS)
1275 fatal("%s line %d: too many allow users.",
1279 options->allow_users[options->num_allow_users++] =
1285 while ((arg = strdelim(&cp)) && *arg != '\0') {
1286 if (options->num_deny_users >= MAX_DENY_USERS)
1287 fatal("%s line %d: too many deny users.",
1291 options->deny_users[options->num_deny_users++] =
1297 while ((arg = strdelim(&cp)) && *arg != '\0') {
1298 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1299 fatal("%s line %d: too many allow groups.",
1303 options->allow_groups[options->num_allow_groups++] =
1309 while ((arg = strdelim(&cp)) && *arg != '\0') {
1310 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1311 fatal("%s line %d: too many deny groups.",
1315 options->deny_groups[options->num_deny_groups++] =
1321 arg = strdelim(&cp);
1322 if (!arg || *arg == '\0')
1323 fatal("%s line %d: Missing argument.", filename, linenum);
1324 if (!ciphers_valid(arg))
1325 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1326 filename, linenum, arg ? arg : "<NONE>");
1327 if (options->ciphers == NULL)
1328 options->ciphers = xstrdup(arg);
1332 arg = strdelim(&cp);
1333 if (!arg || *arg == '\0')
1334 fatal("%s line %d: Missing argument.", filename, linenum);
1335 if (!mac_valid(arg))
1336 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1337 filename, linenum, arg ? arg : "<NONE>");
1338 if (options->macs == NULL)
1339 options->macs = xstrdup(arg);
1342 case sKexAlgorithms:
1343 arg = strdelim(&cp);
1344 if (!arg || *arg == '\0')
1345 fatal("%s line %d: Missing argument.",
1347 if (!kex_names_valid(arg))
1348 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1349 filename, linenum, arg ? arg : "<NONE>");
1350 if (options->kex_algorithms == NULL)
1351 options->kex_algorithms = xstrdup(arg);
1355 intptr = &options->protocol;
1356 arg = strdelim(&cp);
1357 if (!arg || *arg == '\0')
1358 fatal("%s line %d: Missing argument.", filename, linenum);
1359 value = proto_spec(arg);
1360 if (value == SSH_PROTO_UNKNOWN)
1361 fatal("%s line %d: Bad protocol spec '%s'.",
1362 filename, linenum, arg ? arg : "<NONE>");
1363 if (*intptr == SSH_PROTO_UNKNOWN)
1368 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1369 fatal("%s line %d: too many subsystems defined.",
1372 arg = strdelim(&cp);
1373 if (!arg || *arg == '\0')
1374 fatal("%s line %d: Missing subsystem name.",
1377 arg = strdelim(&cp);
1380 for (i = 0; i < options->num_subsystems; i++)
1381 if (strcmp(arg, options->subsystem_name[i]) == 0)
1382 fatal("%s line %d: Subsystem '%s' already defined.",
1383 filename, linenum, arg);
1384 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1385 arg = strdelim(&cp);
1386 if (!arg || *arg == '\0')
1387 fatal("%s line %d: Missing subsystem command.",
1389 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1391 /* Collect arguments (separate to executable) */
1393 len = strlen(p) + 1;
1394 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1395 len += 1 + strlen(arg);
1396 p = xrealloc(p, 1, len);
1397 strlcat(p, " ", len);
1398 strlcat(p, arg, len);
1400 options->subsystem_args[options->num_subsystems] = p;
1401 options->num_subsystems++;
1405 arg = strdelim(&cp);
1406 if (!arg || *arg == '\0')
1407 fatal("%s line %d: Missing MaxStartups spec.",
1409 if ((n = sscanf(arg, "%d:%d:%d",
1410 &options->max_startups_begin,
1411 &options->max_startups_rate,
1412 &options->max_startups)) == 3) {
1413 if (options->max_startups_begin >
1414 options->max_startups ||
1415 options->max_startups_rate > 100 ||
1416 options->max_startups_rate < 1)
1417 fatal("%s line %d: Illegal MaxStartups spec.",
1420 fatal("%s line %d: Illegal MaxStartups spec.",
1423 options->max_startups = options->max_startups_begin;
1427 intptr = &options->max_authtries;
1431 intptr = &options->max_sessions;
1435 charptr = &options->banner;
1436 goto parse_filename;
1439 * These options can contain %X options expanded at
1440 * connect time, so that you can specify paths like:
1442 * AuthorizedKeysFile /etc/ssh_keys/%u
1444 case sAuthorizedKeysFile:
1445 if (*activep && options->num_authkeys_files == 0) {
1446 while ((arg = strdelim(&cp)) && *arg != '\0') {
1447 if (options->num_authkeys_files >=
1449 fatal("%s line %d: "
1450 "too many authorized keys files.",
1452 options->authorized_keys_files[
1453 options->num_authkeys_files++] =
1454 tilde_expand_filename(arg, getuid());
1459 case sAuthorizedPrincipalsFile:
1460 charptr = &options->authorized_principals_file;
1461 arg = strdelim(&cp);
1462 if (!arg || *arg == '\0')
1463 fatal("%s line %d: missing file name.",
1465 if (*activep && *charptr == NULL) {
1466 *charptr = tilde_expand_filename(arg, getuid());
1467 /* increase optional counter */
1469 *intptr = *intptr + 1;
1473 case sClientAliveInterval:
1474 intptr = &options->client_alive_interval;
1477 case sClientAliveCountMax:
1478 intptr = &options->client_alive_count_max;
1482 while ((arg = strdelim(&cp)) && *arg != '\0') {
1483 if (strchr(arg, '=') != NULL)
1484 fatal("%s line %d: Invalid environment name.",
1486 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1487 fatal("%s line %d: too many allow env.",
1491 options->accept_env[options->num_accept_env++] =
1497 intptr = &options->permit_tun;
1498 arg = strdelim(&cp);
1499 if (!arg || *arg == '\0')
1500 fatal("%s line %d: Missing yes/point-to-point/"
1501 "ethernet/no argument.", filename, linenum);
1503 for (i = 0; tunmode_desc[i].val != -1; i++)
1504 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1505 value = tunmode_desc[i].val;
1509 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1510 "no argument: %s", filename, linenum, arg);
1517 fatal("Match directive not supported as a command-line "
1519 value = match_cfg_line(&cp, linenum, connectinfo);
1521 fatal("%s line %d: Bad Match condition", filename,
1527 arg = strdelim(&cp);
1528 if (!arg || *arg == '\0')
1529 fatal("%s line %d: missing PermitOpen specification",
1531 n = options->num_permitted_opens; /* modified later */
1532 if (strcmp(arg, "any") == 0) {
1533 if (*activep && n == -1) {
1534 channel_clear_adm_permitted_opens();
1535 options->num_permitted_opens = 0;
1539 if (strcmp(arg, "none") == 0) {
1540 if (*activep && n == -1) {
1541 options->num_permitted_opens = 1;
1542 channel_disable_adm_local_opens();
1546 if (*activep && n == -1)
1547 channel_clear_adm_permitted_opens();
1548 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1551 fatal("%s line %d: missing host in PermitOpen",
1553 p = cleanhostname(p);
1554 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1555 fatal("%s line %d: bad port number in "
1556 "PermitOpen", filename, linenum);
1557 if (*activep && n == -1)
1558 options->num_permitted_opens =
1559 channel_add_adm_permitted_opens(p, port);
1565 fatal("%.200s line %d: Missing argument.", filename,
1567 len = strspn(cp, WHITESPACE);
1568 if (*activep && options->adm_forced_command == NULL)
1569 options->adm_forced_command = xstrdup(cp + len);
1572 case sChrootDirectory:
1573 charptr = &options->chroot_directory;
1575 arg = strdelim(&cp);
1576 if (!arg || *arg == '\0')
1577 fatal("%s line %d: missing file name.",
1579 if (*activep && *charptr == NULL)
1580 *charptr = xstrdup(arg);
1583 case sTrustedUserCAKeys:
1584 charptr = &options->trusted_user_ca_keys;
1585 goto parse_filename;
1588 charptr = &options->revoked_keys_file;
1589 goto parse_filename;
1592 arg = strdelim(&cp);
1593 if ((value = parse_ipqos(arg)) == -1)
1594 fatal("%s line %d: Bad IPQoS value: %s",
1595 filename, linenum, arg);
1596 arg = strdelim(&cp);
1599 else if ((value2 = parse_ipqos(arg)) == -1)
1600 fatal("%s line %d: Bad IPQoS value: %s",
1601 filename, linenum, arg);
1603 options->ip_qos_interactive = value;
1604 options->ip_qos_bulk = value2;
1608 case sVersionAddendum:
1610 fatal("%.200s line %d: Missing argument.", filename,
1612 len = strspn(cp, WHITESPACE);
1613 if (*activep && options->version_addendum == NULL) {
1614 if (strcasecmp(cp + len, "none") == 0)
1615 options->version_addendum = xstrdup("");
1616 else if (strchr(cp + len, '\r') != NULL)
1617 fatal("%.200s line %d: Invalid argument",
1620 options->version_addendum = xstrdup(cp + len);
1624 case sAuthorizedKeysCommand:
1625 len = strspn(cp, WHITESPACE);
1626 if (*activep && options->authorized_keys_command == NULL) {
1627 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1628 fatal("%.200s line %d: AuthorizedKeysCommand "
1629 "must be an absolute path",
1631 options->authorized_keys_command = xstrdup(cp + len);
1635 case sAuthorizedKeysCommandUser:
1636 charptr = &options->authorized_keys_command_user;
1638 arg = strdelim(&cp);
1639 if (*activep && *charptr == NULL)
1640 *charptr = xstrdup(arg);
1643 case sAuthenticationMethods:
1644 if (*activep && options->num_auth_methods == 0) {
1645 while ((arg = strdelim(&cp)) && *arg != '\0') {
1646 if (options->num_auth_methods >=
1648 fatal("%s line %d: "
1649 "too many authentication methods.",
1651 if (auth2_methods_valid(arg, 0) != 0)
1652 fatal("%s line %d: invalid "
1653 "authentication method list.",
1655 options->auth_methods[
1656 options->num_auth_methods++] = xstrdup(arg);
1662 intptr = &options->hpn_disabled;
1665 case sHPNBufferSize:
1666 intptr = &options->hpn_buffer_size;
1669 case sTcpRcvBufPoll:
1670 intptr = &options->tcp_rcv_buf_poll;
1673 #ifdef NONE_CIPHER_ENABLED
1675 intptr = &options->none_enabled;
1680 logit("%s line %d: Deprecated option %s",
1681 filename, linenum, arg);
1683 arg = strdelim(&cp);
1687 logit("%s line %d: Unsupported option %s",
1688 filename, linenum, arg);
1690 arg = strdelim(&cp);
1694 fatal("%s line %d: Missing handler for opcode %s (%d)",
1695 filename, linenum, arg, opcode);
1697 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1698 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1699 filename, linenum, arg);
1703 /* Reads the server configuration file. */
1706 load_server_config(const char *filename, Buffer *conf)
1708 char line[4096], *cp;
1712 debug2("%s: filename %s", __func__, filename);
1713 if ((f = fopen(filename, "r")) == NULL) {
1718 while (fgets(line, sizeof(line), f)) {
1720 if (strlen(line) == sizeof(line) - 1)
1721 fatal("%s line %d too long", filename, lineno);
1723 * Trim out comments and strip whitespace
1724 * NB - preserve newlines, they are needed to reproduce
1725 * line numbers later for error messages
1727 if ((cp = strchr(line, '#')) != NULL)
1728 memcpy(cp, "\n", 2);
1729 cp = line + strspn(line, " \t\r");
1731 buffer_append(conf, cp, strlen(cp));
1733 buffer_append(conf, "\0", 1);
1735 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1739 parse_server_match_config(ServerOptions *options,
1740 struct connection_info *connectinfo)
1744 initialize_server_options(&mo);
1745 parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1746 copy_set_server_options(options, &mo, 0);
1749 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1753 while ((p = strsep(&spec, ",")) && *p != '\0') {
1754 if (strncmp(p, "addr=", 5) == 0) {
1755 ci->address = xstrdup(p + 5);
1756 } else if (strncmp(p, "host=", 5) == 0) {
1757 ci->host = xstrdup(p + 5);
1758 } else if (strncmp(p, "user=", 5) == 0) {
1759 ci->user = xstrdup(p + 5);
1760 } else if (strncmp(p, "laddr=", 6) == 0) {
1761 ci->laddress = xstrdup(p + 6);
1762 } else if (strncmp(p, "lport=", 6) == 0) {
1763 ci->lport = a2port(p + 6);
1764 if (ci->lport == -1) {
1765 fprintf(stderr, "Invalid port '%s' in test mode"
1766 " specification %s\n", p+6, p);
1770 fprintf(stderr, "Invalid test mode specification %s\n",
1779 * returns 1 for a complete spec, 0 for partial spec and -1 for an
1782 int server_match_spec_complete(struct connection_info *ci)
1784 if (ci->user && ci->host && ci->address)
1785 return 1; /* complete */
1786 if (!ci->user && !ci->host && !ci->address)
1787 return -1; /* empty */
1788 return 0; /* partial */
1792 #define M_CP_INTOPT(n) do {\
1796 #define M_CP_STROPT(n) do {\
1797 if (src->n != NULL) { \
1802 #define M_CP_STRARRAYOPT(n, num_n) do {\
1803 if (src->num_n != 0) { \
1804 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
1805 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
1810 * Copy any supported values that are set.
1812 * If the preauth flag is set, we do not bother copying the string or
1813 * array values that are not used pre-authentication, because any that we
1814 * do use must be explictly sent in mm_getpwnamallow().
1817 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
1819 M_CP_INTOPT(password_authentication);
1820 M_CP_INTOPT(gss_authentication);
1821 M_CP_INTOPT(rsa_authentication);
1822 M_CP_INTOPT(pubkey_authentication);
1823 M_CP_INTOPT(kerberos_authentication);
1824 M_CP_INTOPT(hostbased_authentication);
1825 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
1826 M_CP_INTOPT(kbd_interactive_authentication);
1827 M_CP_INTOPT(zero_knowledge_password_authentication);
1828 M_CP_STROPT(authorized_keys_command);
1829 M_CP_STROPT(authorized_keys_command_user);
1830 M_CP_INTOPT(permit_root_login);
1831 M_CP_INTOPT(permit_empty_passwd);
1833 M_CP_INTOPT(allow_tcp_forwarding);
1834 M_CP_INTOPT(allow_agent_forwarding);
1835 M_CP_INTOPT(permit_tun);
1836 M_CP_INTOPT(gateway_ports);
1837 M_CP_INTOPT(x11_display_offset);
1838 M_CP_INTOPT(x11_forwarding);
1839 M_CP_INTOPT(x11_use_localhost);
1840 M_CP_INTOPT(max_sessions);
1841 M_CP_INTOPT(max_authtries);
1842 M_CP_INTOPT(ip_qos_interactive);
1843 M_CP_INTOPT(ip_qos_bulk);
1844 M_CP_INTOPT(rekey_limit);
1845 M_CP_INTOPT(rekey_interval);
1847 /* See comment in servconf.h */
1848 COPY_MATCH_STRING_OPTS();
1851 * The only things that should be below this point are string options
1852 * which are only used after authentication.
1857 M_CP_STROPT(adm_forced_command);
1858 M_CP_STROPT(chroot_directory);
1863 #undef M_CP_STRARRAYOPT
1866 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
1867 struct connection_info *connectinfo)
1869 int active, linenum, bad_options = 0;
1870 char *cp, *obuf, *cbuf;
1872 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
1874 obuf = cbuf = xstrdup(buffer_ptr(conf));
1875 active = connectinfo ? 0 : 1;
1877 while ((cp = strsep(&cbuf, "\n")) != NULL) {
1878 if (process_server_config_line(options, cp, filename,
1879 linenum++, &active, connectinfo) != 0)
1883 if (bad_options > 0)
1884 fatal("%s: terminating, %d bad configuration options",
1885 filename, bad_options);
1889 fmt_multistate_int(int val, const struct multistate *m)
1893 for (i = 0; m[i].key != NULL; i++) {
1894 if (m[i].value == val)
1901 fmt_intarg(ServerOpCodes code, int val)
1906 case sAddressFamily:
1907 return fmt_multistate_int(val, multistate_addressfamily);
1908 case sPermitRootLogin:
1909 return fmt_multistate_int(val, multistate_permitrootlogin);
1911 return fmt_multistate_int(val, multistate_gatewayports);
1913 return fmt_multistate_int(val, multistate_compression);
1914 case sUsePrivilegeSeparation:
1915 return fmt_multistate_int(val, multistate_privsep);
1916 case sAllowTcpForwarding:
1917 return fmt_multistate_int(val, multistate_tcpfwd);
1924 case (SSH_PROTO_1|SSH_PROTO_2):
1942 lookup_opcode_name(ServerOpCodes code)
1946 for (i = 0; keywords[i].name != NULL; i++)
1947 if (keywords[i].opcode == code)
1948 return(keywords[i].name);
1953 dump_cfg_int(ServerOpCodes code, int val)
1955 printf("%s %d\n", lookup_opcode_name(code), val);
1959 dump_cfg_fmtint(ServerOpCodes code, int val)
1961 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
1965 dump_cfg_string(ServerOpCodes code, const char *val)
1969 printf("%s %s\n", lookup_opcode_name(code), val);
1973 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
1977 for (i = 0; i < count; i++)
1978 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
1982 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
1986 printf("%s", lookup_opcode_name(code));
1987 for (i = 0; i < count; i++)
1988 printf(" %s", vals[i]);
1993 dump_config(ServerOptions *o)
1997 struct addrinfo *ai;
1998 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2000 /* these are usually at the top of the config */
2001 for (i = 0; i < o->num_ports; i++)
2002 printf("port %d\n", o->ports[i]);
2003 dump_cfg_fmtint(sProtocol, o->protocol);
2004 dump_cfg_fmtint(sAddressFamily, o->address_family);
2006 /* ListenAddress must be after Port */
2007 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2008 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2009 sizeof(addr), port, sizeof(port),
2010 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2011 error("getnameinfo failed: %.100s",
2012 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2015 if (ai->ai_family == AF_INET6)
2016 printf("listenaddress [%s]:%s\n", addr, port);
2018 printf("listenaddress %s:%s\n", addr, port);
2022 /* integer arguments */
2024 dump_cfg_int(sUsePAM, o->use_pam);
2026 dump_cfg_int(sServerKeyBits, o->server_key_bits);
2027 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2028 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
2029 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2030 dump_cfg_int(sMaxAuthTries, o->max_authtries);
2031 dump_cfg_int(sMaxSessions, o->max_sessions);
2032 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2033 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2035 /* formatted integer arguments */
2036 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2037 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2038 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2039 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2040 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2041 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2042 o->hostbased_uses_name_from_packet_only);
2043 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
2044 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2046 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2047 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2048 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2050 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2054 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2055 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2058 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
2059 o->zero_knowledge_password_authentication);
2061 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2062 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2063 o->kbd_interactive_authentication);
2064 dump_cfg_fmtint(sChallengeResponseAuthentication,
2065 o->challenge_response_authentication);
2066 dump_cfg_fmtint(sPrintMotd, o->print_motd);
2067 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2068 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2069 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2070 dump_cfg_fmtint(sStrictModes, o->strict_modes);
2071 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2072 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2073 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2074 dump_cfg_fmtint(sUseLogin, o->use_login);
2075 dump_cfg_fmtint(sCompression, o->compression);
2076 dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
2077 dump_cfg_fmtint(sUseDNS, o->use_dns);
2078 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2079 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2081 /* string arguments */
2082 dump_cfg_string(sPidFile, o->pid_file);
2083 dump_cfg_string(sXAuthLocation, o->xauth_location);
2084 dump_cfg_string(sCiphers, o->ciphers);
2085 dump_cfg_string(sMacs, o->macs);
2086 dump_cfg_string(sBanner, o->banner);
2087 dump_cfg_string(sForceCommand, o->adm_forced_command);
2088 dump_cfg_string(sChrootDirectory, o->chroot_directory);
2089 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2090 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2091 dump_cfg_string(sAuthorizedPrincipalsFile,
2092 o->authorized_principals_file);
2093 dump_cfg_string(sVersionAddendum, o->version_addendum);
2094 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2095 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2096 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2098 /* string arguments requiring a lookup */
2099 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2100 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2102 /* string array arguments */
2103 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2104 o->authorized_keys_files);
2105 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2107 dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
2108 o->host_cert_files);
2109 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2110 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2111 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2112 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2113 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2114 dump_cfg_strarray_oneline(sAuthenticationMethods,
2115 o->num_auth_methods, o->auth_methods);
2117 /* other arguments */
2118 for (i = 0; i < o->num_subsystems; i++)
2119 printf("subsystem %s %s\n", o->subsystem_name[i],
2120 o->subsystem_args[i]);
2122 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2123 o->max_startups_rate, o->max_startups);
2125 for (i = 0; tunmode_desc[i].val != -1; i++)
2126 if (tunmode_desc[i].val == o->permit_tun) {
2127 s = tunmode_desc[i].text;
2130 dump_cfg_string(sPermitTunnel, s);
2132 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2133 printf("%s\n", iptos2str(o->ip_qos_bulk));
2135 printf("rekeylimit %lld %d\n", (long long)o->rekey_limit,
2138 channel_print_adm_permitted_opens();