2 /* $OpenBSD: servconf.c,v 1.292 2016/06/23 05:17:51 djm Exp $ */
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
18 #include <sys/socket.h>
20 #include <netinet/in.h>
21 #include <netinet/in_systm.h>
22 #include <netinet/ip.h>
39 #include "openbsd-compat/sys-queue.h"
47 #include "pathnames.h"
54 #include "groupaccess.h"
59 #include "myproposal.h"
63 static void add_listen_addr(ServerOptions *, char *, int);
64 static void add_one_listen_addr(ServerOptions *, char *, int);
66 /* Use of privilege separation or not */
67 extern int use_privsep;
70 /* Initializes the server options to their default values. */
73 initialize_server_options(ServerOptions *options)
75 memset(options, 0, sizeof(*options));
77 /* Portable-specific options */
78 options->use_pam = -1;
80 /* Standard Options */
81 options->num_ports = 0;
82 options->ports_from_cmdline = 0;
83 options->queued_listen_addrs = NULL;
84 options->num_queued_listens = 0;
85 options->listen_addrs = NULL;
86 options->address_family = -1;
87 options->num_host_key_files = 0;
88 options->num_host_cert_files = 0;
89 options->host_key_agent = NULL;
90 options->pid_file = NULL;
91 options->server_key_bits = -1;
92 options->login_grace_time = -1;
93 options->key_regeneration_time = -1;
94 options->permit_root_login = PERMIT_NOT_SET;
95 options->ignore_rhosts = -1;
96 options->ignore_user_known_hosts = -1;
97 options->print_motd = -1;
98 options->print_lastlog = -1;
99 options->x11_forwarding = -1;
100 options->x11_display_offset = -1;
101 options->x11_use_localhost = -1;
102 options->permit_tty = -1;
103 options->permit_user_rc = -1;
104 options->xauth_location = NULL;
105 options->strict_modes = -1;
106 options->tcp_keep_alive = -1;
107 options->log_facility = SYSLOG_FACILITY_NOT_SET;
108 options->log_level = SYSLOG_LEVEL_NOT_SET;
109 options->rhosts_rsa_authentication = -1;
110 options->hostbased_authentication = -1;
111 options->hostbased_uses_name_from_packet_only = -1;
112 options->hostbased_key_types = NULL;
113 options->hostkeyalgorithms = NULL;
114 options->rsa_authentication = -1;
115 options->pubkey_authentication = -1;
116 options->pubkey_key_types = NULL;
117 options->kerberos_authentication = -1;
118 options->kerberos_or_local_passwd = -1;
119 options->kerberos_ticket_cleanup = -1;
120 options->kerberos_get_afs_token = -1;
121 options->gss_authentication=-1;
122 options->gss_cleanup_creds = -1;
123 options->gss_strict_acceptor = -1;
124 options->password_authentication = -1;
125 options->kbd_interactive_authentication = -1;
126 options->challenge_response_authentication = -1;
127 options->permit_empty_passwd = -1;
128 options->permit_user_env = -1;
129 options->use_login = -1;
130 options->compression = -1;
131 options->rekey_limit = -1;
132 options->rekey_interval = -1;
133 options->allow_tcp_forwarding = -1;
134 options->allow_streamlocal_forwarding = -1;
135 options->allow_agent_forwarding = -1;
136 options->num_allow_users = 0;
137 options->num_deny_users = 0;
138 options->num_allow_groups = 0;
139 options->num_deny_groups = 0;
140 options->ciphers = NULL;
141 options->macs = NULL;
142 options->kex_algorithms = NULL;
143 options->protocol = SSH_PROTO_UNKNOWN;
144 options->fwd_opts.gateway_ports = -1;
145 options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
146 options->fwd_opts.streamlocal_bind_unlink = -1;
147 options->num_subsystems = 0;
148 options->max_startups_begin = -1;
149 options->max_startups_rate = -1;
150 options->max_startups = -1;
151 options->max_authtries = -1;
152 options->max_sessions = -1;
153 options->banner = NULL;
154 options->use_dns = -1;
155 options->client_alive_interval = -1;
156 options->client_alive_count_max = -1;
157 options->num_authkeys_files = 0;
158 options->num_accept_env = 0;
159 options->permit_tun = -1;
160 options->num_permitted_opens = -1;
161 options->adm_forced_command = NULL;
162 options->chroot_directory = NULL;
163 options->authorized_keys_command = NULL;
164 options->authorized_keys_command_user = NULL;
165 options->revoked_keys_file = NULL;
166 options->trusted_user_ca_keys = NULL;
167 options->authorized_principals_file = NULL;
168 options->authorized_principals_command = NULL;
169 options->authorized_principals_command_user = NULL;
170 options->ip_qos_interactive = -1;
171 options->ip_qos_bulk = -1;
172 options->version_addendum = NULL;
173 options->fingerprint_hash = -1;
176 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
178 option_clear_or_none(const char *o)
180 return o == NULL || strcasecmp(o, "none") == 0;
184 assemble_algorithms(ServerOptions *o)
186 if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
187 kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
188 kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
189 kex_assemble_names(KEX_DEFAULT_PK_ALG,
190 &o->hostkeyalgorithms) != 0 ||
191 kex_assemble_names(KEX_DEFAULT_PK_ALG,
192 &o->hostbased_key_types) != 0 ||
193 kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
194 fatal("kex_assemble_names failed");
198 fill_default_server_options(ServerOptions *options)
202 /* Portable-specific options */
203 if (options->use_pam == -1)
204 options->use_pam = 1;
206 /* Standard Options */
207 if (options->protocol == SSH_PROTO_UNKNOWN)
208 options->protocol = SSH_PROTO_2;
209 if (options->protocol & SSH_PROTO_1)
210 error("WARNING: SSH protocol version 1 enabled");
211 if (options->num_host_key_files == 0) {
212 /* fill default hostkeys for protocols */
213 if (options->protocol & SSH_PROTO_1)
214 options->host_key_files[options->num_host_key_files++] =
216 if (options->protocol & SSH_PROTO_2) {
217 options->host_key_files[options->num_host_key_files++] =
218 _PATH_HOST_RSA_KEY_FILE;
219 options->host_key_files[options->num_host_key_files++] =
220 _PATH_HOST_DSA_KEY_FILE;
221 #ifdef OPENSSL_HAS_ECC
222 options->host_key_files[options->num_host_key_files++] =
223 _PATH_HOST_ECDSA_KEY_FILE;
225 options->host_key_files[options->num_host_key_files++] =
226 _PATH_HOST_ED25519_KEY_FILE;
229 /* No certificates by default */
230 if (options->num_ports == 0)
231 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
232 if (options->address_family == -1)
233 options->address_family = AF_UNSPEC;
234 if (options->listen_addrs == NULL)
235 add_listen_addr(options, NULL, 0);
236 if (options->pid_file == NULL)
237 options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
238 if (options->server_key_bits == -1)
239 options->server_key_bits = 1024;
240 if (options->login_grace_time == -1)
241 options->login_grace_time = 120;
242 if (options->key_regeneration_time == -1)
243 options->key_regeneration_time = 3600;
244 if (options->permit_root_login == PERMIT_NOT_SET)
245 options->permit_root_login = PERMIT_NO;
246 if (options->ignore_rhosts == -1)
247 options->ignore_rhosts = 1;
248 if (options->ignore_user_known_hosts == -1)
249 options->ignore_user_known_hosts = 0;
250 if (options->print_motd == -1)
251 options->print_motd = 1;
252 if (options->print_lastlog == -1)
253 options->print_lastlog = 1;
254 if (options->x11_forwarding == -1)
255 options->x11_forwarding = 1;
256 if (options->x11_display_offset == -1)
257 options->x11_display_offset = 10;
258 if (options->x11_use_localhost == -1)
259 options->x11_use_localhost = 1;
260 if (options->xauth_location == NULL)
261 options->xauth_location = xstrdup(_PATH_XAUTH);
262 if (options->permit_tty == -1)
263 options->permit_tty = 1;
264 if (options->permit_user_rc == -1)
265 options->permit_user_rc = 1;
266 if (options->strict_modes == -1)
267 options->strict_modes = 1;
268 if (options->tcp_keep_alive == -1)
269 options->tcp_keep_alive = 1;
270 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
271 options->log_facility = SYSLOG_FACILITY_AUTH;
272 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
273 options->log_level = SYSLOG_LEVEL_INFO;
274 if (options->rhosts_rsa_authentication == -1)
275 options->rhosts_rsa_authentication = 0;
276 if (options->hostbased_authentication == -1)
277 options->hostbased_authentication = 0;
278 if (options->hostbased_uses_name_from_packet_only == -1)
279 options->hostbased_uses_name_from_packet_only = 0;
280 if (options->rsa_authentication == -1)
281 options->rsa_authentication = 1;
282 if (options->pubkey_authentication == -1)
283 options->pubkey_authentication = 1;
284 if (options->kerberos_authentication == -1)
285 options->kerberos_authentication = 0;
286 if (options->kerberos_or_local_passwd == -1)
287 options->kerberos_or_local_passwd = 1;
288 if (options->kerberos_ticket_cleanup == -1)
289 options->kerberos_ticket_cleanup = 1;
290 if (options->kerberos_get_afs_token == -1)
291 options->kerberos_get_afs_token = 0;
292 if (options->gss_authentication == -1)
293 options->gss_authentication = 0;
294 if (options->gss_cleanup_creds == -1)
295 options->gss_cleanup_creds = 1;
296 if (options->gss_strict_acceptor == -1)
297 options->gss_strict_acceptor = 0;
298 if (options->password_authentication == -1)
299 options->password_authentication = 0;
300 if (options->kbd_interactive_authentication == -1)
301 options->kbd_interactive_authentication = 0;
302 if (options->challenge_response_authentication == -1)
303 options->challenge_response_authentication = 1;
304 if (options->permit_empty_passwd == -1)
305 options->permit_empty_passwd = 0;
306 if (options->permit_user_env == -1)
307 options->permit_user_env = 0;
308 if (options->use_login == -1)
309 options->use_login = 0;
310 if (options->compression == -1)
311 options->compression = COMP_DELAYED;
312 if (options->rekey_limit == -1)
313 options->rekey_limit = 0;
314 if (options->rekey_interval == -1)
315 options->rekey_interval = 0;
316 if (options->allow_tcp_forwarding == -1)
317 options->allow_tcp_forwarding = FORWARD_ALLOW;
318 if (options->allow_streamlocal_forwarding == -1)
319 options->allow_streamlocal_forwarding = FORWARD_ALLOW;
320 if (options->allow_agent_forwarding == -1)
321 options->allow_agent_forwarding = 1;
322 if (options->fwd_opts.gateway_ports == -1)
323 options->fwd_opts.gateway_ports = 0;
324 if (options->max_startups == -1)
325 options->max_startups = 100;
326 if (options->max_startups_rate == -1)
327 options->max_startups_rate = 30; /* 30% */
328 if (options->max_startups_begin == -1)
329 options->max_startups_begin = 10;
330 if (options->max_authtries == -1)
331 options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
332 if (options->max_sessions == -1)
333 options->max_sessions = DEFAULT_SESSIONS_MAX;
334 if (options->use_dns == -1)
335 options->use_dns = 1;
336 if (options->client_alive_interval == -1)
337 options->client_alive_interval = 0;
338 if (options->client_alive_count_max == -1)
339 options->client_alive_count_max = 3;
340 if (options->num_authkeys_files == 0) {
341 options->authorized_keys_files[options->num_authkeys_files++] =
342 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS);
343 options->authorized_keys_files[options->num_authkeys_files++] =
344 xstrdup(_PATH_SSH_USER_PERMITTED_KEYS2);
346 if (options->permit_tun == -1)
347 options->permit_tun = SSH_TUNMODE_NO;
348 if (options->ip_qos_interactive == -1)
349 options->ip_qos_interactive = IPTOS_LOWDELAY;
350 if (options->ip_qos_bulk == -1)
351 options->ip_qos_bulk = IPTOS_THROUGHPUT;
352 if (options->version_addendum == NULL)
353 options->version_addendum = xstrdup(SSH_VERSION_FREEBSD);
354 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
355 options->fwd_opts.streamlocal_bind_mask = 0177;
356 if (options->fwd_opts.streamlocal_bind_unlink == -1)
357 options->fwd_opts.streamlocal_bind_unlink = 0;
358 if (options->fingerprint_hash == -1)
359 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
361 assemble_algorithms(options);
363 /* Turn privilege separation and sandboxing on by default */
364 if (use_privsep == -1)
365 use_privsep = PRIVSEP_ON;
367 #define CLEAR_ON_NONE(v) \
369 if (option_clear_or_none(v)) { \
374 CLEAR_ON_NONE(options->pid_file);
375 CLEAR_ON_NONE(options->xauth_location);
376 CLEAR_ON_NONE(options->banner);
377 CLEAR_ON_NONE(options->trusted_user_ca_keys);
378 CLEAR_ON_NONE(options->revoked_keys_file);
379 CLEAR_ON_NONE(options->authorized_principals_file);
380 CLEAR_ON_NONE(options->adm_forced_command);
381 CLEAR_ON_NONE(options->chroot_directory);
382 for (i = 0; i < options->num_host_key_files; i++)
383 CLEAR_ON_NONE(options->host_key_files[i]);
384 for (i = 0; i < options->num_host_cert_files; i++)
385 CLEAR_ON_NONE(options->host_cert_files[i]);
388 /* Similar handling for AuthenticationMethods=any */
389 if (options->num_auth_methods == 1 &&
390 strcmp(options->auth_methods[0], "any") == 0) {
391 free(options->auth_methods[0]);
392 options->auth_methods[0] = NULL;
393 options->num_auth_methods = 0;
397 if (use_privsep && options->compression == 1) {
398 error("This platform does not support both privilege "
399 "separation and compression");
400 error("Compression disabled");
401 options->compression = 0;
407 /* Keyword tokens. */
409 sBadOption, /* == unknown option */
410 /* Portable-specific options */
412 /* Standard Options */
413 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime,
414 sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
415 sRhostsRSAAuthentication, sRSAAuthentication,
416 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
417 sKerberosGetAFSToken,
418 sKerberosTgtPassing, sChallengeResponseAuthentication,
419 sPasswordAuthentication, sKbdInteractiveAuthentication,
420 sListenAddress, sAddressFamily,
421 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
422 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
423 sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
424 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
425 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
426 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
427 sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
428 sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
429 sBanner, sUseDNS, sHostbasedAuthentication,
430 sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
432 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
433 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
434 sAcceptEnv, sPermitTunnel,
435 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
436 sUsePrivilegeSeparation, sAllowAgentForwarding,
438 sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
439 sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
440 sKexAlgorithms, sIPQoS, sVersionAddendum,
441 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
442 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
443 sStreamLocalBindMask, sStreamLocalBindUnlink,
444 sAllowStreamLocalForwarding, sFingerprintHash,
445 sDeprecated, sUnsupported
448 #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */
449 #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
450 #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
452 /* Textual representation of the tokens. */
455 ServerOpCodes opcode;
458 /* Portable-specific options */
460 { "usepam", sUsePAM, SSHCFG_GLOBAL },
462 { "usepam", sUnsupported, SSHCFG_GLOBAL },
464 { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
465 /* Standard Options */
466 { "port", sPort, SSHCFG_GLOBAL },
467 { "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
468 { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */
469 { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL },
470 { "pidfile", sPidFile, SSHCFG_GLOBAL },
471 { "serverkeybits", sServerKeyBits, SSHCFG_GLOBAL },
472 { "logingracetime", sLoginGraceTime, SSHCFG_GLOBAL },
473 { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
474 { "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
475 { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
476 { "loglevel", sLogLevel, SSHCFG_GLOBAL },
477 { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
478 { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_ALL },
479 { "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
480 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly, SSHCFG_ALL },
481 { "hostbasedacceptedkeytypes", sHostbasedAcceptedKeyTypes, SSHCFG_ALL },
482 { "hostkeyalgorithms", sHostKeyAlgorithms, SSHCFG_GLOBAL },
483 { "rsaauthentication", sRSAAuthentication, SSHCFG_ALL },
484 { "pubkeyauthentication", sPubkeyAuthentication, SSHCFG_ALL },
485 { "pubkeyacceptedkeytypes", sPubkeyAcceptedKeyTypes, SSHCFG_ALL },
486 { "dsaauthentication", sPubkeyAuthentication, SSHCFG_GLOBAL }, /* alias */
488 { "kerberosauthentication", sKerberosAuthentication, SSHCFG_ALL },
489 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd, SSHCFG_GLOBAL },
490 { "kerberosticketcleanup", sKerberosTicketCleanup, SSHCFG_GLOBAL },
492 { "kerberosgetafstoken", sKerberosGetAFSToken, SSHCFG_GLOBAL },
494 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
497 { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
498 { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
499 { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
500 { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
502 { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
503 { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
505 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
506 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
507 { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
509 { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
510 { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
511 { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
513 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
514 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
515 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
516 { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
517 { "checkmail", sDeprecated, SSHCFG_GLOBAL },
518 { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
519 { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
520 { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
521 #ifdef DISABLE_LASTLOG
522 { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
524 { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
526 { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
527 { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
528 { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
529 { "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
530 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
531 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
532 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
533 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
534 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
535 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
536 { "compression", sCompression, SSHCFG_GLOBAL },
537 { "rekeylimit", sRekeyLimit, SSHCFG_ALL },
538 { "tcpkeepalive", sTCPKeepAlive, SSHCFG_GLOBAL },
539 { "keepalive", sTCPKeepAlive, SSHCFG_GLOBAL }, /* obsolete alias */
540 { "allowtcpforwarding", sAllowTcpForwarding, SSHCFG_ALL },
541 { "allowagentforwarding", sAllowAgentForwarding, SSHCFG_ALL },
542 { "allowusers", sAllowUsers, SSHCFG_ALL },
543 { "denyusers", sDenyUsers, SSHCFG_ALL },
544 { "allowgroups", sAllowGroups, SSHCFG_ALL },
545 { "denygroups", sDenyGroups, SSHCFG_ALL },
546 { "ciphers", sCiphers, SSHCFG_GLOBAL },
547 { "macs", sMacs, SSHCFG_GLOBAL },
548 { "protocol", sProtocol, SSHCFG_GLOBAL },
549 { "gatewayports", sGatewayPorts, SSHCFG_ALL },
550 { "subsystem", sSubsystem, SSHCFG_GLOBAL },
551 { "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
552 { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
553 { "maxsessions", sMaxSessions, SSHCFG_ALL },
554 { "banner", sBanner, SSHCFG_ALL },
555 { "usedns", sUseDNS, SSHCFG_GLOBAL },
556 { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
557 { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
558 { "clientaliveinterval", sClientAliveInterval, SSHCFG_GLOBAL },
559 { "clientalivecountmax", sClientAliveCountMax, SSHCFG_GLOBAL },
560 { "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG_ALL },
561 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
562 { "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG_GLOBAL},
563 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
564 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
565 { "permittty", sPermitTTY, SSHCFG_ALL },
566 { "permituserrc", sPermitUserRC, SSHCFG_ALL },
567 { "match", sMatch, SSHCFG_ALL },
568 { "permitopen", sPermitOpen, SSHCFG_ALL },
569 { "forcecommand", sForceCommand, SSHCFG_ALL },
570 { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
571 { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
572 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
573 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
574 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
575 { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
576 { "ipqos", sIPQoS, SSHCFG_ALL },
577 { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
578 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
579 { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, SSHCFG_ALL },
580 { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, SSHCFG_ALL },
581 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
582 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
583 { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
584 { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
585 { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
586 { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
587 { "noneenabled", sUnsupported, SSHCFG_ALL },
588 { "hpndisabled", sDeprecated, SSHCFG_ALL },
589 { "hpnbuffersize", sDeprecated, SSHCFG_ALL },
590 { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
591 { NULL, sBadOption, 0 }
598 { SSH_TUNMODE_NO, "no" },
599 { SSH_TUNMODE_POINTOPOINT, "point-to-point" },
600 { SSH_TUNMODE_ETHERNET, "ethernet" },
601 { SSH_TUNMODE_YES, "yes" },
606 * Returns the number of the token pointed to by cp or sBadOption.
610 parse_token(const char *cp, const char *filename,
611 int linenum, u_int *flags)
615 for (i = 0; keywords[i].name; i++)
616 if (strcasecmp(cp, keywords[i].name) == 0) {
617 *flags = keywords[i].flags;
618 return keywords[i].opcode;
621 error("%s: line %d: Bad configuration option: %s",
622 filename, linenum, cp);
627 derelativise_path(const char *path)
629 char *expanded, *ret, cwd[PATH_MAX];
631 if (strcasecmp(path, "none") == 0)
632 return xstrdup("none");
633 expanded = tilde_expand_filename(path, getuid());
634 if (*expanded == '/')
636 if (getcwd(cwd, sizeof(cwd)) == NULL)
637 fatal("%s: getcwd: %s", __func__, strerror(errno));
638 xasprintf(&ret, "%s/%s", cwd, expanded);
644 add_listen_addr(ServerOptions *options, char *addr, int port)
649 for (i = 0; i < options->num_ports; i++)
650 add_one_listen_addr(options, addr, options->ports[i]);
652 add_one_listen_addr(options, addr, port);
656 add_one_listen_addr(ServerOptions *options, char *addr, int port)
658 struct addrinfo hints, *ai, *aitop;
659 char strport[NI_MAXSERV];
662 memset(&hints, 0, sizeof(hints));
663 hints.ai_family = options->address_family;
664 hints.ai_socktype = SOCK_STREAM;
665 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
666 snprintf(strport, sizeof strport, "%d", port);
667 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
668 fatal("bad addr or host: %s (%s)",
669 addr ? addr : "<NULL>",
670 ssh_gai_strerror(gaierr));
671 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
673 ai->ai_next = options->listen_addrs;
674 options->listen_addrs = aitop;
678 * Queue a ListenAddress to be processed once we have all of the Ports
679 * and AddressFamily options.
682 queue_listen_addr(ServerOptions *options, char *addr, int port)
684 options->queued_listen_addrs = xreallocarray(
685 options->queued_listen_addrs, options->num_queued_listens + 1,
687 options->queued_listen_ports = xreallocarray(
688 options->queued_listen_ports, options->num_queued_listens + 1,
690 options->queued_listen_addrs[options->num_queued_listens] =
692 options->queued_listen_ports[options->num_queued_listens] = port;
693 options->num_queued_listens++;
697 * Process queued (text) ListenAddress entries.
700 process_queued_listen_addrs(ServerOptions *options)
704 if (options->num_ports == 0)
705 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
706 if (options->address_family == -1)
707 options->address_family = AF_UNSPEC;
709 for (i = 0; i < options->num_queued_listens; i++) {
710 add_listen_addr(options, options->queued_listen_addrs[i],
711 options->queued_listen_ports[i]);
712 free(options->queued_listen_addrs[i]);
713 options->queued_listen_addrs[i] = NULL;
715 free(options->queued_listen_addrs);
716 options->queued_listen_addrs = NULL;
717 free(options->queued_listen_ports);
718 options->queued_listen_ports = NULL;
719 options->num_queued_listens = 0;
722 struct connection_info *
723 get_connection_info(int populate, int use_dns)
725 struct ssh *ssh = active_state; /* XXX */
726 static struct connection_info ci;
730 ci.host = auth_get_canonical_hostname(ssh, use_dns);
731 ci.address = ssh_remote_ipaddr(ssh);
732 ci.laddress = ssh_local_ipaddr(ssh);
733 ci.lport = ssh_local_port(ssh);
738 * The strategy for the Match blocks is that the config file is parsed twice.
740 * The first time is at startup. activep is initialized to 1 and the
741 * directives in the global context are processed and acted on. Hitting a
742 * Match directive unsets activep and the directives inside the block are
743 * checked for syntax only.
745 * The second time is after a connection has been established but before
746 * authentication. activep is initialized to 2 and global config directives
747 * are ignored since they have already been processed. If the criteria in a
748 * Match block is met, activep is set and the subsequent directives
749 * processed and actioned until EOF or another Match block unsets it. Any
750 * options set are copied into the main server config.
752 * Potential additions/improvements:
753 * - Add Match support for pre-kex directives, eg Protocol, Ciphers.
755 * - Add a Tag directive (idea from David Leonard) ala pf, eg:
756 * Match Address 192.168.0.*
761 * AllowTcpForwarding yes
762 * GatewayPorts clientspecified
765 * - Add a PermittedChannelRequests directive
767 * PermittedChannelRequests session,forwarded-tcpip
771 match_cfg_line_group(const char *grps, int line, const char *user)
779 if ((pw = getpwnam(user)) == NULL) {
780 debug("Can't match group at line %d because user %.100s does "
781 "not exist", line, user);
782 } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
783 debug("Can't Match group because user %.100s not in any group "
784 "at line %d", user, line);
785 } else if (ga_match_pattern_list(grps) != 1) {
786 debug("user %.100s does not match group list %.100s at line %d",
789 debug("user %.100s matched group list %.100s at line %d", user,
799 * All of the attributes on a single Match line are ANDed together, so we need
800 * to check every attribute and set the result to zero if any attribute does
804 match_cfg_line(char **condition, int line, struct connection_info *ci)
806 int result = 1, attributes = 0, port;
807 char *arg, *attrib, *cp = *condition;
810 debug3("checking syntax for 'Match %s'", cp);
812 debug3("checking match for '%s' user %s host %s addr %s "
813 "laddr %s lport %d", cp, ci->user ? ci->user : "(null)",
814 ci->host ? ci->host : "(null)",
815 ci->address ? ci->address : "(null)",
816 ci->laddress ? ci->laddress : "(null)", ci->lport);
818 while ((attrib = strdelim(&cp)) && *attrib != '\0') {
820 if (strcasecmp(attrib, "all") == 0) {
821 if (attributes != 1 ||
822 ((arg = strdelim(&cp)) != NULL && *arg != '\0')) {
823 error("'all' cannot be combined with other "
830 if ((arg = strdelim(&cp)) == NULL || *arg == '\0') {
831 error("Missing Match criteria for %s", attrib);
834 if (strcasecmp(attrib, "user") == 0) {
835 if (ci == NULL || ci->user == NULL) {
839 if (match_pattern_list(ci->user, arg, 0) != 1)
842 debug("user %.100s matched 'User %.100s' at "
843 "line %d", ci->user, arg, line);
844 } else if (strcasecmp(attrib, "group") == 0) {
845 if (ci == NULL || ci->user == NULL) {
849 switch (match_cfg_line_group(arg, line, ci->user)) {
855 } else if (strcasecmp(attrib, "host") == 0) {
856 if (ci == NULL || ci->host == NULL) {
860 if (match_hostname(ci->host, arg) != 1)
863 debug("connection from %.100s matched 'Host "
864 "%.100s' at line %d", ci->host, arg, line);
865 } else if (strcasecmp(attrib, "address") == 0) {
866 if (ci == NULL || ci->address == NULL) {
870 switch (addr_match_list(ci->address, arg)) {
872 debug("connection from %.100s matched 'Address "
873 "%.100s' at line %d", ci->address, arg, line);
882 } else if (strcasecmp(attrib, "localaddress") == 0){
883 if (ci == NULL || ci->laddress == NULL) {
887 switch (addr_match_list(ci->laddress, arg)) {
889 debug("connection from %.100s matched "
890 "'LocalAddress %.100s' at line %d",
891 ci->laddress, arg, line);
900 } else if (strcasecmp(attrib, "localport") == 0) {
901 if ((port = a2port(arg)) == -1) {
902 error("Invalid LocalPort '%s' on Match line",
906 if (ci == NULL || ci->lport == 0) {
910 /* TODO support port lists */
911 if (port == ci->lport)
912 debug("connection from %.100s matched "
913 "'LocalPort %d' at line %d",
914 ci->laddress, port, line);
918 error("Unsupported Match attribute %s", attrib);
922 if (attributes == 0) {
923 error("One or more attributes required for Match");
927 debug3("match %sfound", result ? "" : "not ");
932 #define WHITESPACE " \t\r\n"
934 /* Multistate option parsing */
939 static const struct multistate multistate_addressfamily[] = {
941 { "inet6", AF_INET6 },
942 { "any", AF_UNSPEC },
945 static const struct multistate multistate_permitrootlogin[] = {
946 { "without-password", PERMIT_NO_PASSWD },
947 { "prohibit-password", PERMIT_NO_PASSWD },
948 { "forced-commands-only", PERMIT_FORCED_ONLY },
949 { "yes", PERMIT_YES },
953 static const struct multistate multistate_compression[] = {
954 { "delayed", COMP_DELAYED },
955 { "yes", COMP_ZLIB },
959 static const struct multistate multistate_gatewayports[] = {
960 { "clientspecified", 2 },
965 static const struct multistate multistate_privsep[] = {
966 { "yes", PRIVSEP_NOSANDBOX },
967 { "sandbox", PRIVSEP_ON },
968 { "nosandbox", PRIVSEP_NOSANDBOX },
969 { "no", PRIVSEP_OFF },
972 static const struct multistate multistate_tcpfwd[] = {
973 { "yes", FORWARD_ALLOW },
974 { "all", FORWARD_ALLOW },
975 { "no", FORWARD_DENY },
976 { "remote", FORWARD_REMOTE },
977 { "local", FORWARD_LOCAL },
982 process_server_config_line(ServerOptions *options, char *line,
983 const char *filename, int linenum, int *activep,
984 struct connection_info *connectinfo)
986 char *cp, **charptr, *arg, *p;
987 int cmdline = 0, *intptr, value, value2, n, port;
988 SyslogFacility *log_facility_ptr;
989 LogLevel *log_level_ptr;
990 ServerOpCodes opcode;
994 const struct multistate *multistate_ptr;
997 if ((arg = strdelim(&cp)) == NULL)
999 /* Ignore leading whitespace */
1001 arg = strdelim(&cp);
1002 if (!arg || !*arg || *arg == '#')
1006 opcode = parse_token(arg, filename, linenum, &flags);
1008 if (activep == NULL) { /* We are processing a command line directive */
1012 if (*activep && opcode != sMatch)
1013 debug3("%s:%d setting %s %s", filename, linenum, arg, cp);
1014 if (*activep == 0 && !(flags & SSHCFG_MATCH)) {
1015 if (connectinfo == NULL) {
1016 fatal("%s line %d: Directive '%s' is not allowed "
1017 "within a Match block", filename, linenum, arg);
1018 } else { /* this is a directive we have already processed */
1020 arg = strdelim(&cp);
1026 /* Portable-specific options */
1028 intptr = &options->use_pam;
1031 /* Standard Options */
1035 /* ignore ports from configfile if cmdline specifies ports */
1036 if (options->ports_from_cmdline)
1038 if (options->num_ports >= MAX_PORTS)
1039 fatal("%s line %d: too many ports.",
1041 arg = strdelim(&cp);
1042 if (!arg || *arg == '\0')
1043 fatal("%s line %d: missing port number.",
1045 options->ports[options->num_ports++] = a2port(arg);
1046 if (options->ports[options->num_ports-1] <= 0)
1047 fatal("%s line %d: Badly formatted port number.",
1051 case sServerKeyBits:
1052 intptr = &options->server_key_bits;
1054 arg = strdelim(&cp);
1055 if (!arg || *arg == '\0')
1056 fatal("%s line %d: missing integer value.",
1059 if (*activep && *intptr == -1)
1063 case sLoginGraceTime:
1064 intptr = &options->login_grace_time;
1066 arg = strdelim(&cp);
1067 if (!arg || *arg == '\0')
1068 fatal("%s line %d: missing time value.",
1070 if ((value = convtime(arg)) == -1)
1071 fatal("%s line %d: invalid time value.",
1073 if (*activep && *intptr == -1)
1077 case sKeyRegenerationTime:
1078 intptr = &options->key_regeneration_time;
1081 case sListenAddress:
1082 arg = strdelim(&cp);
1083 if (arg == NULL || *arg == '\0')
1084 fatal("%s line %d: missing address",
1086 /* check for bare IPv6 address: no "[]" and 2 or more ":" */
1087 if (strchr(arg, '[') == NULL && (p = strchr(arg, ':')) != NULL
1088 && strchr(p+1, ':') != NULL) {
1089 queue_listen_addr(options, arg, 0);
1094 fatal("%s line %d: bad address:port usage",
1096 p = cleanhostname(p);
1099 else if ((port = a2port(arg)) <= 0)
1100 fatal("%s line %d: bad port number", filename, linenum);
1102 queue_listen_addr(options, p, port);
1106 case sAddressFamily:
1107 intptr = &options->address_family;
1108 multistate_ptr = multistate_addressfamily;
1110 arg = strdelim(&cp);
1111 if (!arg || *arg == '\0')
1112 fatal("%s line %d: missing argument.",
1115 for (i = 0; multistate_ptr[i].key != NULL; i++) {
1116 if (strcasecmp(arg, multistate_ptr[i].key) == 0) {
1117 value = multistate_ptr[i].value;
1122 fatal("%s line %d: unsupported option \"%s\".",
1123 filename, linenum, arg);
1124 if (*activep && *intptr == -1)
1129 intptr = &options->num_host_key_files;
1130 if (*intptr >= MAX_HOSTKEYS)
1131 fatal("%s line %d: too many host keys specified (max %d).",
1132 filename, linenum, MAX_HOSTKEYS);
1133 charptr = &options->host_key_files[*intptr];
1135 arg = strdelim(&cp);
1136 if (!arg || *arg == '\0')
1137 fatal("%s line %d: missing file name.",
1139 if (*activep && *charptr == NULL) {
1140 *charptr = derelativise_path(arg);
1141 /* increase optional counter */
1143 *intptr = *intptr + 1;
1148 charptr = &options->host_key_agent;
1149 arg = strdelim(&cp);
1150 if (!arg || *arg == '\0')
1151 fatal("%s line %d: missing socket name.",
1153 if (*activep && *charptr == NULL)
1154 *charptr = !strcmp(arg, SSH_AUTHSOCKET_ENV_NAME) ?
1155 xstrdup(arg) : derelativise_path(arg);
1158 case sHostCertificate:
1159 intptr = &options->num_host_cert_files;
1160 if (*intptr >= MAX_HOSTKEYS)
1161 fatal("%s line %d: too many host certificates "
1162 "specified (max %d).", filename, linenum,
1164 charptr = &options->host_cert_files[*intptr];
1165 goto parse_filename;
1169 charptr = &options->pid_file;
1170 goto parse_filename;
1172 case sPermitRootLogin:
1173 intptr = &options->permit_root_login;
1174 multistate_ptr = multistate_permitrootlogin;
1175 goto parse_multistate;
1178 intptr = &options->ignore_rhosts;
1180 arg = strdelim(&cp);
1181 if (!arg || *arg == '\0')
1182 fatal("%s line %d: missing yes/no argument.",
1184 value = 0; /* silence compiler */
1185 if (strcmp(arg, "yes") == 0)
1187 else if (strcmp(arg, "no") == 0)
1190 fatal("%s line %d: Bad yes/no argument: %s",
1191 filename, linenum, arg);
1192 if (*activep && *intptr == -1)
1196 case sIgnoreUserKnownHosts:
1197 intptr = &options->ignore_user_known_hosts;
1200 case sRhostsRSAAuthentication:
1201 intptr = &options->rhosts_rsa_authentication;
1204 case sHostbasedAuthentication:
1205 intptr = &options->hostbased_authentication;
1208 case sHostbasedUsesNameFromPacketOnly:
1209 intptr = &options->hostbased_uses_name_from_packet_only;
1212 case sHostbasedAcceptedKeyTypes:
1213 charptr = &options->hostbased_key_types;
1215 arg = strdelim(&cp);
1216 if (!arg || *arg == '\0')
1217 fatal("%s line %d: Missing argument.",
1219 if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1220 fatal("%s line %d: Bad key types '%s'.",
1221 filename, linenum, arg ? arg : "<NONE>");
1222 if (*activep && *charptr == NULL)
1223 *charptr = xstrdup(arg);
1226 case sHostKeyAlgorithms:
1227 charptr = &options->hostkeyalgorithms;
1228 goto parse_keytypes;
1230 case sRSAAuthentication:
1231 intptr = &options->rsa_authentication;
1234 case sPubkeyAuthentication:
1235 intptr = &options->pubkey_authentication;
1238 case sPubkeyAcceptedKeyTypes:
1239 charptr = &options->pubkey_key_types;
1240 goto parse_keytypes;
1242 case sKerberosAuthentication:
1243 intptr = &options->kerberos_authentication;
1246 case sKerberosOrLocalPasswd:
1247 intptr = &options->kerberos_or_local_passwd;
1250 case sKerberosTicketCleanup:
1251 intptr = &options->kerberos_ticket_cleanup;
1254 case sKerberosGetAFSToken:
1255 intptr = &options->kerberos_get_afs_token;
1258 case sGssAuthentication:
1259 intptr = &options->gss_authentication;
1262 case sGssCleanupCreds:
1263 intptr = &options->gss_cleanup_creds;
1266 case sGssStrictAcceptor:
1267 intptr = &options->gss_strict_acceptor;
1270 case sPasswordAuthentication:
1271 intptr = &options->password_authentication;
1274 case sKbdInteractiveAuthentication:
1275 intptr = &options->kbd_interactive_authentication;
1278 case sChallengeResponseAuthentication:
1279 intptr = &options->challenge_response_authentication;
1283 intptr = &options->print_motd;
1287 intptr = &options->print_lastlog;
1290 case sX11Forwarding:
1291 intptr = &options->x11_forwarding;
1294 case sX11DisplayOffset:
1295 intptr = &options->x11_display_offset;
1298 case sX11UseLocalhost:
1299 intptr = &options->x11_use_localhost;
1302 case sXAuthLocation:
1303 charptr = &options->xauth_location;
1304 goto parse_filename;
1307 intptr = &options->permit_tty;
1311 intptr = &options->permit_user_rc;
1315 intptr = &options->strict_modes;
1319 intptr = &options->tcp_keep_alive;
1323 intptr = &options->permit_empty_passwd;
1326 case sPermitUserEnvironment:
1327 intptr = &options->permit_user_env;
1331 intptr = &options->use_login;
1335 intptr = &options->compression;
1336 multistate_ptr = multistate_compression;
1337 goto parse_multistate;
1340 arg = strdelim(&cp);
1341 if (!arg || *arg == '\0')
1342 fatal("%.200s line %d: Missing argument.", filename,
1344 if (strcmp(arg, "default") == 0) {
1347 if (scan_scaled(arg, &val64) == -1)
1348 fatal("%.200s line %d: Bad number '%s': %s",
1349 filename, linenum, arg, strerror(errno));
1350 if (val64 != 0 && val64 < 16)
1351 fatal("%.200s line %d: RekeyLimit too small",
1354 if (*activep && options->rekey_limit == -1)
1355 options->rekey_limit = val64;
1356 if (cp != NULL) { /* optional rekey interval present */
1357 if (strcmp(cp, "none") == 0) {
1358 (void)strdelim(&cp); /* discard */
1361 intptr = &options->rekey_interval;
1367 intptr = &options->fwd_opts.gateway_ports;
1368 multistate_ptr = multistate_gatewayports;
1369 goto parse_multistate;
1372 intptr = &options->use_dns;
1376 log_facility_ptr = &options->log_facility;
1377 arg = strdelim(&cp);
1378 value = log_facility_number(arg);
1379 if (value == SYSLOG_FACILITY_NOT_SET)
1380 fatal("%.200s line %d: unsupported log facility '%s'",
1381 filename, linenum, arg ? arg : "<NONE>");
1382 if (*log_facility_ptr == -1)
1383 *log_facility_ptr = (SyslogFacility) value;
1387 log_level_ptr = &options->log_level;
1388 arg = strdelim(&cp);
1389 value = log_level_number(arg);
1390 if (value == SYSLOG_LEVEL_NOT_SET)
1391 fatal("%.200s line %d: unsupported log level '%s'",
1392 filename, linenum, arg ? arg : "<NONE>");
1393 if (*log_level_ptr == -1)
1394 *log_level_ptr = (LogLevel) value;
1397 case sAllowTcpForwarding:
1398 intptr = &options->allow_tcp_forwarding;
1399 multistate_ptr = multistate_tcpfwd;
1400 goto parse_multistate;
1402 case sAllowStreamLocalForwarding:
1403 intptr = &options->allow_streamlocal_forwarding;
1404 multistate_ptr = multistate_tcpfwd;
1405 goto parse_multistate;
1407 case sAllowAgentForwarding:
1408 intptr = &options->allow_agent_forwarding;
1411 case sUsePrivilegeSeparation:
1412 intptr = &use_privsep;
1413 multistate_ptr = multistate_privsep;
1414 goto parse_multistate;
1417 while ((arg = strdelim(&cp)) && *arg != '\0') {
1418 if (options->num_allow_users >= MAX_ALLOW_USERS)
1419 fatal("%s line %d: too many allow users.",
1423 options->allow_users[options->num_allow_users++] =
1429 while ((arg = strdelim(&cp)) && *arg != '\0') {
1430 if (options->num_deny_users >= MAX_DENY_USERS)
1431 fatal("%s line %d: too many deny users.",
1435 options->deny_users[options->num_deny_users++] =
1441 while ((arg = strdelim(&cp)) && *arg != '\0') {
1442 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
1443 fatal("%s line %d: too many allow groups.",
1447 options->allow_groups[options->num_allow_groups++] =
1453 while ((arg = strdelim(&cp)) && *arg != '\0') {
1454 if (options->num_deny_groups >= MAX_DENY_GROUPS)
1455 fatal("%s line %d: too many deny groups.",
1459 options->deny_groups[options->num_deny_groups++] =
1465 arg = strdelim(&cp);
1466 if (!arg || *arg == '\0')
1467 fatal("%s line %d: Missing argument.", filename, linenum);
1468 if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
1469 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1470 filename, linenum, arg ? arg : "<NONE>");
1471 if (options->ciphers == NULL)
1472 options->ciphers = xstrdup(arg);
1476 arg = strdelim(&cp);
1477 if (!arg || *arg == '\0')
1478 fatal("%s line %d: Missing argument.", filename, linenum);
1479 if (!mac_valid(*arg == '+' ? arg + 1 : arg))
1480 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1481 filename, linenum, arg ? arg : "<NONE>");
1482 if (options->macs == NULL)
1483 options->macs = xstrdup(arg);
1486 case sKexAlgorithms:
1487 arg = strdelim(&cp);
1488 if (!arg || *arg == '\0')
1489 fatal("%s line %d: Missing argument.",
1491 if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
1492 fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1493 filename, linenum, arg ? arg : "<NONE>");
1494 if (options->kex_algorithms == NULL)
1495 options->kex_algorithms = xstrdup(arg);
1499 intptr = &options->protocol;
1500 arg = strdelim(&cp);
1501 if (!arg || *arg == '\0')
1502 fatal("%s line %d: Missing argument.", filename, linenum);
1503 value = proto_spec(arg);
1504 if (value == SSH_PROTO_UNKNOWN)
1505 fatal("%s line %d: Bad protocol spec '%s'.",
1506 filename, linenum, arg ? arg : "<NONE>");
1507 if (*intptr == SSH_PROTO_UNKNOWN)
1512 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
1513 fatal("%s line %d: too many subsystems defined.",
1516 arg = strdelim(&cp);
1517 if (!arg || *arg == '\0')
1518 fatal("%s line %d: Missing subsystem name.",
1521 arg = strdelim(&cp);
1524 for (i = 0; i < options->num_subsystems; i++)
1525 if (strcmp(arg, options->subsystem_name[i]) == 0)
1526 fatal("%s line %d: Subsystem '%s' already defined.",
1527 filename, linenum, arg);
1528 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
1529 arg = strdelim(&cp);
1530 if (!arg || *arg == '\0')
1531 fatal("%s line %d: Missing subsystem command.",
1533 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
1535 /* Collect arguments (separate to executable) */
1537 len = strlen(p) + 1;
1538 while ((arg = strdelim(&cp)) != NULL && *arg != '\0') {
1539 len += 1 + strlen(arg);
1540 p = xreallocarray(p, 1, len);
1541 strlcat(p, " ", len);
1542 strlcat(p, arg, len);
1544 options->subsystem_args[options->num_subsystems] = p;
1545 options->num_subsystems++;
1549 arg = strdelim(&cp);
1550 if (!arg || *arg == '\0')
1551 fatal("%s line %d: Missing MaxStartups spec.",
1553 if ((n = sscanf(arg, "%d:%d:%d",
1554 &options->max_startups_begin,
1555 &options->max_startups_rate,
1556 &options->max_startups)) == 3) {
1557 if (options->max_startups_begin >
1558 options->max_startups ||
1559 options->max_startups_rate > 100 ||
1560 options->max_startups_rate < 1)
1561 fatal("%s line %d: Illegal MaxStartups spec.",
1564 fatal("%s line %d: Illegal MaxStartups spec.",
1567 options->max_startups = options->max_startups_begin;
1571 intptr = &options->max_authtries;
1575 intptr = &options->max_sessions;
1579 charptr = &options->banner;
1580 goto parse_filename;
1583 * These options can contain %X options expanded at
1584 * connect time, so that you can specify paths like:
1586 * AuthorizedKeysFile /etc/ssh_keys/%u
1588 case sAuthorizedKeysFile:
1589 if (*activep && options->num_authkeys_files == 0) {
1590 while ((arg = strdelim(&cp)) && *arg != '\0') {
1591 if (options->num_authkeys_files >=
1593 fatal("%s line %d: "
1594 "too many authorized keys files.",
1596 options->authorized_keys_files[
1597 options->num_authkeys_files++] =
1598 tilde_expand_filename(arg, getuid());
1603 case sAuthorizedPrincipalsFile:
1604 charptr = &options->authorized_principals_file;
1605 arg = strdelim(&cp);
1606 if (!arg || *arg == '\0')
1607 fatal("%s line %d: missing file name.",
1609 if (*activep && *charptr == NULL) {
1610 *charptr = tilde_expand_filename(arg, getuid());
1611 /* increase optional counter */
1613 *intptr = *intptr + 1;
1617 case sClientAliveInterval:
1618 intptr = &options->client_alive_interval;
1621 case sClientAliveCountMax:
1622 intptr = &options->client_alive_count_max;
1626 while ((arg = strdelim(&cp)) && *arg != '\0') {
1627 if (strchr(arg, '=') != NULL)
1628 fatal("%s line %d: Invalid environment name.",
1630 if (options->num_accept_env >= MAX_ACCEPT_ENV)
1631 fatal("%s line %d: too many allow env.",
1635 options->accept_env[options->num_accept_env++] =
1641 intptr = &options->permit_tun;
1642 arg = strdelim(&cp);
1643 if (!arg || *arg == '\0')
1644 fatal("%s line %d: Missing yes/point-to-point/"
1645 "ethernet/no argument.", filename, linenum);
1647 for (i = 0; tunmode_desc[i].val != -1; i++)
1648 if (strcmp(tunmode_desc[i].text, arg) == 0) {
1649 value = tunmode_desc[i].val;
1653 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
1654 "no argument: %s", filename, linenum, arg);
1655 if (*activep && *intptr == -1)
1661 fatal("Match directive not supported as a command-line "
1663 value = match_cfg_line(&cp, linenum, connectinfo);
1665 fatal("%s line %d: Bad Match condition", filename,
1671 arg = strdelim(&cp);
1672 if (!arg || *arg == '\0')
1673 fatal("%s line %d: missing PermitOpen specification",
1675 n = options->num_permitted_opens; /* modified later */
1676 if (strcmp(arg, "any") == 0) {
1677 if (*activep && n == -1) {
1678 channel_clear_adm_permitted_opens();
1679 options->num_permitted_opens = 0;
1683 if (strcmp(arg, "none") == 0) {
1684 if (*activep && n == -1) {
1685 options->num_permitted_opens = 1;
1686 channel_disable_adm_local_opens();
1690 if (*activep && n == -1)
1691 channel_clear_adm_permitted_opens();
1692 for (; arg != NULL && *arg != '\0'; arg = strdelim(&cp)) {
1695 fatal("%s line %d: missing host in PermitOpen",
1697 p = cleanhostname(p);
1698 if (arg == NULL || ((port = permitopen_port(arg)) < 0))
1699 fatal("%s line %d: bad port number in "
1700 "PermitOpen", filename, linenum);
1701 if (*activep && n == -1)
1702 options->num_permitted_opens =
1703 channel_add_adm_permitted_opens(p, port);
1708 if (cp == NULL || *cp == '\0')
1709 fatal("%.200s line %d: Missing argument.", filename,
1711 len = strspn(cp, WHITESPACE);
1712 if (*activep && options->adm_forced_command == NULL)
1713 options->adm_forced_command = xstrdup(cp + len);
1716 case sChrootDirectory:
1717 charptr = &options->chroot_directory;
1719 arg = strdelim(&cp);
1720 if (!arg || *arg == '\0')
1721 fatal("%s line %d: missing file name.",
1723 if (*activep && *charptr == NULL)
1724 *charptr = xstrdup(arg);
1727 case sTrustedUserCAKeys:
1728 charptr = &options->trusted_user_ca_keys;
1729 goto parse_filename;
1732 charptr = &options->revoked_keys_file;
1733 goto parse_filename;
1736 arg = strdelim(&cp);
1737 if ((value = parse_ipqos(arg)) == -1)
1738 fatal("%s line %d: Bad IPQoS value: %s",
1739 filename, linenum, arg);
1740 arg = strdelim(&cp);
1743 else if ((value2 = parse_ipqos(arg)) == -1)
1744 fatal("%s line %d: Bad IPQoS value: %s",
1745 filename, linenum, arg);
1747 options->ip_qos_interactive = value;
1748 options->ip_qos_bulk = value2;
1752 case sVersionAddendum:
1753 if (cp == NULL || *cp == '\0')
1754 fatal("%.200s line %d: Missing argument.", filename,
1756 len = strspn(cp, WHITESPACE);
1757 if (*activep && options->version_addendum == NULL) {
1758 if (strcasecmp(cp + len, "none") == 0)
1759 options->version_addendum = xstrdup("");
1760 else if (strchr(cp + len, '\r') != NULL)
1761 fatal("%.200s line %d: Invalid argument",
1764 options->version_addendum = xstrdup(cp + len);
1768 case sAuthorizedKeysCommand:
1770 fatal("%.200s line %d: Missing argument.", filename,
1772 len = strspn(cp, WHITESPACE);
1773 if (*activep && options->authorized_keys_command == NULL) {
1774 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1775 fatal("%.200s line %d: AuthorizedKeysCommand "
1776 "must be an absolute path",
1778 options->authorized_keys_command = xstrdup(cp + len);
1782 case sAuthorizedKeysCommandUser:
1783 charptr = &options->authorized_keys_command_user;
1785 arg = strdelim(&cp);
1786 if (!arg || *arg == '\0')
1787 fatal("%s line %d: missing AuthorizedKeysCommandUser "
1788 "argument.", filename, linenum);
1789 if (*activep && *charptr == NULL)
1790 *charptr = xstrdup(arg);
1793 case sAuthorizedPrincipalsCommand:
1795 fatal("%.200s line %d: Missing argument.", filename,
1797 len = strspn(cp, WHITESPACE);
1799 options->authorized_principals_command == NULL) {
1800 if (cp[len] != '/' && strcasecmp(cp + len, "none") != 0)
1801 fatal("%.200s line %d: "
1802 "AuthorizedPrincipalsCommand must be "
1803 "an absolute path", filename, linenum);
1804 options->authorized_principals_command =
1809 case sAuthorizedPrincipalsCommandUser:
1810 charptr = &options->authorized_principals_command_user;
1812 arg = strdelim(&cp);
1813 if (!arg || *arg == '\0')
1814 fatal("%s line %d: missing "
1815 "AuthorizedPrincipalsCommandUser argument.",
1817 if (*activep && *charptr == NULL)
1818 *charptr = xstrdup(arg);
1821 case sAuthenticationMethods:
1822 if (options->num_auth_methods == 0) {
1823 value = 0; /* seen "any" pseudo-method */
1824 value2 = 0; /* sucessfully parsed any method */
1825 while ((arg = strdelim(&cp)) && *arg != '\0') {
1826 if (options->num_auth_methods >=
1828 fatal("%s line %d: "
1829 "too many authentication methods.",
1831 if (strcmp(arg, "any") == 0) {
1832 if (options->num_auth_methods > 0) {
1833 fatal("%s line %d: \"any\" "
1834 "must appear alone in "
1835 "AuthenticationMethods",
1840 fatal("%s line %d: \"any\" must appear "
1841 "alone in AuthenticationMethods",
1843 } else if (auth2_methods_valid(arg, 0) != 0) {
1844 fatal("%s line %d: invalid "
1845 "authentication method list.",
1851 options->auth_methods[
1852 options->num_auth_methods++] = xstrdup(arg);
1855 fatal("%s line %d: no AuthenticationMethods "
1856 "specified", filename, linenum);
1861 case sStreamLocalBindMask:
1862 arg = strdelim(&cp);
1863 if (!arg || *arg == '\0')
1864 fatal("%s line %d: missing StreamLocalBindMask "
1865 "argument.", filename, linenum);
1866 /* Parse mode in octal format */
1867 value = strtol(arg, &p, 8);
1868 if (arg == p || value < 0 || value > 0777)
1869 fatal("%s line %d: Bad mask.", filename, linenum);
1871 options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
1874 case sStreamLocalBindUnlink:
1875 intptr = &options->fwd_opts.streamlocal_bind_unlink;
1878 case sFingerprintHash:
1879 arg = strdelim(&cp);
1880 if (!arg || *arg == '\0')
1881 fatal("%.200s line %d: Missing argument.",
1883 if ((value = ssh_digest_alg_by_name(arg)) == -1)
1884 fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
1885 filename, linenum, arg);
1887 options->fingerprint_hash = value;
1891 logit("%s line %d: Deprecated option %s",
1892 filename, linenum, arg);
1894 arg = strdelim(&cp);
1898 logit("%s line %d: Unsupported option %s",
1899 filename, linenum, arg);
1901 arg = strdelim(&cp);
1905 fatal("%s line %d: Missing handler for opcode %s (%d)",
1906 filename, linenum, arg, opcode);
1908 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
1909 fatal("%s line %d: garbage at end of line; \"%.200s\".",
1910 filename, linenum, arg);
1914 /* Reads the server configuration file. */
1917 load_server_config(const char *filename, Buffer *conf)
1919 char line[4096], *cp;
1923 debug2("%s: filename %s", __func__, filename);
1924 if ((f = fopen(filename, "r")) == NULL) {
1929 while (fgets(line, sizeof(line), f)) {
1931 if (strlen(line) == sizeof(line) - 1)
1932 fatal("%s line %d too long", filename, lineno);
1934 * Trim out comments and strip whitespace
1935 * NB - preserve newlines, they are needed to reproduce
1936 * line numbers later for error messages
1938 if ((cp = strchr(line, '#')) != NULL)
1939 memcpy(cp, "\n", 2);
1940 cp = line + strspn(line, " \t\r");
1942 buffer_append(conf, cp, strlen(cp));
1944 buffer_append(conf, "\0", 1);
1946 debug2("%s: done config len = %d", __func__, buffer_len(conf));
1950 parse_server_match_config(ServerOptions *options,
1951 struct connection_info *connectinfo)
1955 initialize_server_options(&mo);
1956 parse_server_config(&mo, "reprocess config", &cfg, connectinfo);
1957 copy_set_server_options(options, &mo, 0);
1960 int parse_server_match_testspec(struct connection_info *ci, char *spec)
1964 while ((p = strsep(&spec, ",")) && *p != '\0') {
1965 if (strncmp(p, "addr=", 5) == 0) {
1966 ci->address = xstrdup(p + 5);
1967 } else if (strncmp(p, "host=", 5) == 0) {
1968 ci->host = xstrdup(p + 5);
1969 } else if (strncmp(p, "user=", 5) == 0) {
1970 ci->user = xstrdup(p + 5);
1971 } else if (strncmp(p, "laddr=", 6) == 0) {
1972 ci->laddress = xstrdup(p + 6);
1973 } else if (strncmp(p, "lport=", 6) == 0) {
1974 ci->lport = a2port(p + 6);
1975 if (ci->lport == -1) {
1976 fprintf(stderr, "Invalid port '%s' in test mode"
1977 " specification %s\n", p+6, p);
1981 fprintf(stderr, "Invalid test mode specification %s\n",
1990 * returns 1 for a complete spec, 0 for partial spec and -1 for an
1993 int server_match_spec_complete(struct connection_info *ci)
1995 if (ci->user && ci->host && ci->address)
1996 return 1; /* complete */
1997 if (!ci->user && !ci->host && !ci->address)
1998 return -1; /* empty */
1999 return 0; /* partial */
2003 * Copy any supported values that are set.
2005 * If the preauth flag is set, we do not bother copying the string or
2006 * array values that are not used pre-authentication, because any that we
2007 * do use must be explictly sent in mm_getpwnamallow().
2010 copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
2012 #define M_CP_INTOPT(n) do {\
2017 M_CP_INTOPT(password_authentication);
2018 M_CP_INTOPT(gss_authentication);
2019 M_CP_INTOPT(rsa_authentication);
2020 M_CP_INTOPT(pubkey_authentication);
2021 M_CP_INTOPT(kerberos_authentication);
2022 M_CP_INTOPT(hostbased_authentication);
2023 M_CP_INTOPT(hostbased_uses_name_from_packet_only);
2024 M_CP_INTOPT(kbd_interactive_authentication);
2025 M_CP_INTOPT(permit_root_login);
2026 M_CP_INTOPT(permit_empty_passwd);
2028 M_CP_INTOPT(allow_tcp_forwarding);
2029 M_CP_INTOPT(allow_streamlocal_forwarding);
2030 M_CP_INTOPT(allow_agent_forwarding);
2031 M_CP_INTOPT(permit_tun);
2032 M_CP_INTOPT(fwd_opts.gateway_ports);
2033 M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
2034 M_CP_INTOPT(x11_display_offset);
2035 M_CP_INTOPT(x11_forwarding);
2036 M_CP_INTOPT(x11_use_localhost);
2037 M_CP_INTOPT(permit_tty);
2038 M_CP_INTOPT(permit_user_rc);
2039 M_CP_INTOPT(max_sessions);
2040 M_CP_INTOPT(max_authtries);
2041 M_CP_INTOPT(ip_qos_interactive);
2042 M_CP_INTOPT(ip_qos_bulk);
2043 M_CP_INTOPT(rekey_limit);
2044 M_CP_INTOPT(rekey_interval);
2047 * The bind_mask is a mode_t that may be unsigned, so we can't use
2048 * M_CP_INTOPT - it does a signed comparison that causes compiler
2051 if (src->fwd_opts.streamlocal_bind_mask != (mode_t)-1) {
2052 dst->fwd_opts.streamlocal_bind_mask =
2053 src->fwd_opts.streamlocal_bind_mask;
2056 /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
2057 #define M_CP_STROPT(n) do {\
2058 if (src->n != NULL && dst->n != src->n) { \
2063 #define M_CP_STRARRAYOPT(n, num_n) do {\
2064 if (src->num_n != 0) { \
2065 for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
2066 dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
2070 /* See comment in servconf.h */
2071 COPY_MATCH_STRING_OPTS();
2073 /* Arguments that accept '+...' need to be expanded */
2074 assemble_algorithms(dst);
2077 * The only things that should be below this point are string options
2078 * which are only used after authentication.
2083 /* These options may be "none" to clear a global setting */
2084 M_CP_STROPT(adm_forced_command);
2085 if (option_clear_or_none(dst->adm_forced_command)) {
2086 free(dst->adm_forced_command);
2087 dst->adm_forced_command = NULL;
2089 M_CP_STROPT(chroot_directory);
2090 if (option_clear_or_none(dst->chroot_directory)) {
2091 free(dst->chroot_directory);
2092 dst->chroot_directory = NULL;
2098 #undef M_CP_STRARRAYOPT
2101 parse_server_config(ServerOptions *options, const char *filename, Buffer *conf,
2102 struct connection_info *connectinfo)
2104 int active, linenum, bad_options = 0;
2105 char *cp, *obuf, *cbuf;
2107 debug2("%s: config %s len %d", __func__, filename, buffer_len(conf));
2109 if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
2110 fatal("%s: sshbuf_dup_string failed", __func__);
2111 active = connectinfo ? 0 : 1;
2113 while ((cp = strsep(&cbuf, "\n")) != NULL) {
2114 if (process_server_config_line(options, cp, filename,
2115 linenum++, &active, connectinfo) != 0)
2119 if (bad_options > 0)
2120 fatal("%s: terminating, %d bad configuration options",
2121 filename, bad_options);
2122 process_queued_listen_addrs(options);
2126 fmt_multistate_int(int val, const struct multistate *m)
2130 for (i = 0; m[i].key != NULL; i++) {
2131 if (m[i].value == val)
2138 fmt_intarg(ServerOpCodes code, int val)
2143 case sAddressFamily:
2144 return fmt_multistate_int(val, multistate_addressfamily);
2145 case sPermitRootLogin:
2146 return fmt_multistate_int(val, multistate_permitrootlogin);
2148 return fmt_multistate_int(val, multistate_gatewayports);
2150 return fmt_multistate_int(val, multistate_compression);
2151 case sUsePrivilegeSeparation:
2152 return fmt_multistate_int(val, multistate_privsep);
2153 case sAllowTcpForwarding:
2154 return fmt_multistate_int(val, multistate_tcpfwd);
2155 case sAllowStreamLocalForwarding:
2156 return fmt_multistate_int(val, multistate_tcpfwd);
2157 case sFingerprintHash:
2158 return ssh_digest_alg_name(val);
2165 case (SSH_PROTO_1|SSH_PROTO_2):
2183 lookup_opcode_name(ServerOpCodes code)
2187 for (i = 0; keywords[i].name != NULL; i++)
2188 if (keywords[i].opcode == code)
2189 return(keywords[i].name);
2194 dump_cfg_int(ServerOpCodes code, int val)
2196 printf("%s %d\n", lookup_opcode_name(code), val);
2200 dump_cfg_oct(ServerOpCodes code, int val)
2202 printf("%s 0%o\n", lookup_opcode_name(code), val);
2206 dump_cfg_fmtint(ServerOpCodes code, int val)
2208 printf("%s %s\n", lookup_opcode_name(code), fmt_intarg(code, val));
2212 dump_cfg_string(ServerOpCodes code, const char *val)
2216 printf("%s %s\n", lookup_opcode_name(code),
2217 val == NULL ? "none" : val);
2221 dump_cfg_strarray(ServerOpCodes code, u_int count, char **vals)
2225 for (i = 0; i < count; i++)
2226 printf("%s %s\n", lookup_opcode_name(code), vals[i]);
2230 dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
2234 if (count <= 0 && code != sAuthenticationMethods)
2236 printf("%s", lookup_opcode_name(code));
2237 for (i = 0; i < count; i++)
2238 printf(" %s", vals[i]);
2239 if (code == sAuthenticationMethods && count == 0)
2245 dump_config(ServerOptions *o)
2249 struct addrinfo *ai;
2250 char addr[NI_MAXHOST], port[NI_MAXSERV], *s = NULL;
2251 char *laddr1 = xstrdup(""), *laddr2 = NULL;
2253 /* these are usually at the top of the config */
2254 for (i = 0; i < o->num_ports; i++)
2255 printf("port %d\n", o->ports[i]);
2256 dump_cfg_fmtint(sProtocol, o->protocol);
2257 dump_cfg_fmtint(sAddressFamily, o->address_family);
2260 * ListenAddress must be after Port. add_one_listen_addr pushes
2261 * addresses onto a stack, so to maintain ordering we need to
2262 * print these in reverse order.
2264 for (ai = o->listen_addrs; ai; ai = ai->ai_next) {
2265 if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, addr,
2266 sizeof(addr), port, sizeof(port),
2267 NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
2268 error("getnameinfo failed: %.100s",
2269 (ret != EAI_SYSTEM) ? gai_strerror(ret) :
2273 if (ai->ai_family == AF_INET6)
2274 xasprintf(&laddr1, "listenaddress [%s]:%s\n%s",
2275 addr, port, laddr2);
2277 xasprintf(&laddr1, "listenaddress %s:%s\n%s",
2278 addr, port, laddr2);
2282 printf("%s", laddr1);
2285 /* integer arguments */
2287 dump_cfg_fmtint(sUsePAM, o->use_pam);
2289 dump_cfg_int(sServerKeyBits, o->server_key_bits);
2290 dump_cfg_int(sLoginGraceTime, o->login_grace_time);
2291 dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
2292 dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
2293 dump_cfg_int(sMaxAuthTries, o->max_authtries);
2294 dump_cfg_int(sMaxSessions, o->max_sessions);
2295 dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
2296 dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
2297 dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
2299 /* formatted integer arguments */
2300 dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
2301 dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
2302 dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
2303 dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
2304 dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
2305 dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
2306 o->hostbased_uses_name_from_packet_only);
2307 dump_cfg_fmtint(sRSAAuthentication, o->rsa_authentication);
2308 dump_cfg_fmtint(sPubkeyAuthentication, o->pubkey_authentication);
2310 dump_cfg_fmtint(sKerberosAuthentication, o->kerberos_authentication);
2311 dump_cfg_fmtint(sKerberosOrLocalPasswd, o->kerberos_or_local_passwd);
2312 dump_cfg_fmtint(sKerberosTicketCleanup, o->kerberos_ticket_cleanup);
2314 dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
2318 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
2319 dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
2321 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2322 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2323 o->kbd_interactive_authentication);
2324 dump_cfg_fmtint(sChallengeResponseAuthentication,
2325 o->challenge_response_authentication);
2326 dump_cfg_fmtint(sPrintMotd, o->print_motd);
2327 #ifndef DISABLE_LASTLOG
2328 dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
2330 dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
2331 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
2332 dump_cfg_fmtint(sPermitTTY, o->permit_tty);
2333 dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
2334 dump_cfg_fmtint(sStrictModes, o->strict_modes);
2335 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
2336 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
2337 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
2338 dump_cfg_fmtint(sUseLogin, o->use_login);
2339 dump_cfg_fmtint(sCompression, o->compression);
2340 dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
2341 dump_cfg_fmtint(sUseDNS, o->use_dns);
2342 dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
2343 dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
2344 dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
2345 dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
2346 dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
2347 dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
2349 /* string arguments */
2350 dump_cfg_string(sPidFile, o->pid_file);
2351 dump_cfg_string(sXAuthLocation, o->xauth_location);
2352 dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
2353 dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
2354 dump_cfg_string(sBanner, o->banner);
2355 dump_cfg_string(sForceCommand, o->adm_forced_command);
2356 dump_cfg_string(sChrootDirectory, o->chroot_directory);
2357 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2358 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2359 dump_cfg_string(sAuthorizedPrincipalsFile,
2360 o->authorized_principals_file);
2361 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
2362 ? "none" : o->version_addendum);
2363 dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
2364 dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
2365 dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
2366 dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
2367 dump_cfg_string(sHostKeyAgent, o->host_key_agent);
2368 dump_cfg_string(sKexAlgorithms,
2369 o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
2370 dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
2371 o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
2372 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
2373 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2374 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2375 o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2377 /* string arguments requiring a lookup */
2378 dump_cfg_string(sLogLevel, log_level_name(o->log_level));
2379 dump_cfg_string(sLogFacility, log_facility_name(o->log_facility));
2381 /* string array arguments */
2382 dump_cfg_strarray_oneline(sAuthorizedKeysFile, o->num_authkeys_files,
2383 o->authorized_keys_files);
2384 dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
2386 dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
2387 o->host_cert_files);
2388 dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
2389 dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
2390 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
2391 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
2392 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
2393 dump_cfg_strarray_oneline(sAuthenticationMethods,
2394 o->num_auth_methods, o->auth_methods);
2396 /* other arguments */
2397 for (i = 0; i < o->num_subsystems; i++)
2398 printf("subsystem %s %s\n", o->subsystem_name[i],
2399 o->subsystem_args[i]);
2401 printf("maxstartups %d:%d:%d\n", o->max_startups_begin,
2402 o->max_startups_rate, o->max_startups);
2404 for (i = 0; tunmode_desc[i].val != -1; i++)
2405 if (tunmode_desc[i].val == o->permit_tun) {
2406 s = tunmode_desc[i].text;
2409 dump_cfg_string(sPermitTunnel, s);
2411 printf("ipqos %s ", iptos2str(o->ip_qos_interactive));
2412 printf("%s\n", iptos2str(o->ip_qos_bulk));
2414 printf("rekeylimit %llu %d\n", (unsigned long long)o->rekey_limit,
2417 channel_print_adm_permitted_opens();