1 /* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Functions for reading the configuration files.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
18 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <sys/sysctl.h>
23 #include <netinet/in.h>
38 #include "pathnames.h"
49 /* Format of the configuration file:
51 # Configuration data is parsed as follows:
52 # 1. command line options
53 # 2. user-specific file
55 # Any configuration value is only changed the first time it is set.
56 # Thus, host-specific definitions should be at the beginning of the
57 # configuration file, and defaults at the end.
59 # Host-specific declarations. These may override anything above. A single
60 # host may match multiple declarations; these are processed in the order
61 # that they are given in.
67 HostName another.host.name.real.org
74 RemoteForward 9999 shadows.cs.hut.fi:9999
80 PasswordAuthentication no
84 ProxyCommand ssh-proxy %h %p
87 PublicKeyAuthentication no
91 PasswordAuthentication no
97 # Defaults for various options
101 PasswordAuthentication yes
102 RSAAuthentication yes
103 RhostsRSAAuthentication yes
104 StrictHostKeyChecking yes
106 IdentityFile ~/.ssh/identity
112 /* Keyword tokens. */
116 oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
117 oExitOnForwardFailure,
118 oPasswordAuthentication, oRSAAuthentication,
119 oChallengeResponseAuthentication, oXAuthLocation,
120 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
121 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
122 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
123 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
124 oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
125 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
126 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
127 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
128 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
129 oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
130 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
131 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
132 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
133 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
134 oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
135 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
136 oVisualHostKey, oZeroKnowledgePasswordAuthentication,
138 oDeprecated, oUnsupported
141 /* Textual representations of the tokens. */
147 { "forwardagent", oForwardAgent },
148 { "forwardx11", oForwardX11 },
149 { "forwardx11trusted", oForwardX11Trusted },
150 { "exitonforwardfailure", oExitOnForwardFailure },
151 { "xauthlocation", oXAuthLocation },
152 { "gatewayports", oGatewayPorts },
153 { "useprivilegedport", oUsePrivilegedPort },
154 { "rhostsauthentication", oDeprecated },
155 { "passwordauthentication", oPasswordAuthentication },
156 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
157 { "kbdinteractivedevices", oKbdInteractiveDevices },
158 { "rsaauthentication", oRSAAuthentication },
159 { "pubkeyauthentication", oPubkeyAuthentication },
160 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
161 { "rhostsrsaauthentication", oRhostsRSAAuthentication },
162 { "hostbasedauthentication", oHostbasedAuthentication },
163 { "challengeresponseauthentication", oChallengeResponseAuthentication },
164 { "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
165 { "tisauthentication", oChallengeResponseAuthentication }, /* alias */
166 { "kerberosauthentication", oUnsupported },
167 { "kerberostgtpassing", oUnsupported },
168 { "afstokenpassing", oUnsupported },
170 { "gssapiauthentication", oGssAuthentication },
171 { "gssapidelegatecredentials", oGssDelegateCreds },
173 { "gssapiauthentication", oUnsupported },
174 { "gssapidelegatecredentials", oUnsupported },
176 { "fallbacktorsh", oDeprecated },
177 { "usersh", oDeprecated },
178 { "identityfile", oIdentityFile },
179 { "identityfile2", oIdentityFile }, /* obsolete */
180 { "identitiesonly", oIdentitiesOnly },
181 { "hostname", oHostName },
182 { "hostkeyalias", oHostKeyAlias },
183 { "proxycommand", oProxyCommand },
185 { "cipher", oCipher },
186 { "ciphers", oCiphers },
188 { "protocol", oProtocol },
189 { "remoteforward", oRemoteForward },
190 { "localforward", oLocalForward },
193 { "escapechar", oEscapeChar },
194 { "globalknownhostsfile", oGlobalKnownHostsFile },
195 { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, /* obsolete */
196 { "userknownhostsfile", oUserKnownHostsFile },
197 { "userknownhostsfile2", oUserKnownHostsFile2 }, /* obsolete */
198 { "connectionattempts", oConnectionAttempts },
199 { "batchmode", oBatchMode },
200 { "checkhostip", oCheckHostIP },
201 { "stricthostkeychecking", oStrictHostKeyChecking },
202 { "compression", oCompression },
203 { "compressionlevel", oCompressionLevel },
204 { "tcpkeepalive", oTCPKeepAlive },
205 { "keepalive", oTCPKeepAlive }, /* obsolete */
206 { "numberofpasswordprompts", oNumberOfPasswordPrompts },
207 { "loglevel", oLogLevel },
208 { "dynamicforward", oDynamicForward },
209 { "preferredauthentications", oPreferredAuthentications },
210 { "hostkeyalgorithms", oHostKeyAlgorithms },
211 { "bindaddress", oBindAddress },
213 { "smartcarddevice", oSmartcardDevice },
215 { "smartcarddevice", oUnsupported },
217 { "clearallforwardings", oClearAllForwardings },
218 { "enablesshkeysign", oEnableSSHKeysign },
219 { "verifyhostkeydns", oVerifyHostKeyDNS },
220 { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
221 { "rekeylimit", oRekeyLimit },
222 { "connecttimeout", oConnectTimeout },
223 { "addressfamily", oAddressFamily },
224 { "serveraliveinterval", oServerAliveInterval },
225 { "serveralivecountmax", oServerAliveCountMax },
226 { "sendenv", oSendEnv },
227 { "controlpath", oControlPath },
228 { "controlmaster", oControlMaster },
229 { "hashknownhosts", oHashKnownHosts },
230 { "tunnel", oTunnel },
231 { "tunneldevice", oTunnelDevice },
232 { "localcommand", oLocalCommand },
233 { "permitlocalcommand", oPermitLocalCommand },
234 { "visualhostkey", oVisualHostKey },
236 { "zeroknowledgepasswordauthentication",
237 oZeroKnowledgePasswordAuthentication },
239 { "zeroknowledgepasswordauthentication", oUnsupported },
242 { "versionaddendum", oVersionAddendum },
247 * Adds a local TCP/IP port forward to options. Never returns if there is an
252 add_local_forward(Options *options, const Forward *newfwd)
255 #ifndef NO_IPPORT_RESERVED_CONCEPT
256 extern uid_t original_real_uid;
259 size_t len_ipport_reserved = sizeof(ipport_reserved);
261 if (sysctlbyname("net.inet.ip.portrange.reservedhigh",
262 &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0)
263 ipport_reserved = IPPORT_RESERVED;
267 ipport_reserved = IPPORT_RESERVED;
269 if (newfwd->listen_port < ipport_reserved && original_real_uid != 0)
270 fatal("Privileged ports can only be forwarded by root.");
272 if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
273 fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
274 fwd = &options->local_forwards[options->num_local_forwards++];
276 fwd->listen_host = newfwd->listen_host;
277 fwd->listen_port = newfwd->listen_port;
278 fwd->connect_host = newfwd->connect_host;
279 fwd->connect_port = newfwd->connect_port;
283 * Adds a remote TCP/IP port forward to options. Never returns if there is
288 add_remote_forward(Options *options, const Forward *newfwd)
291 if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
292 fatal("Too many remote forwards (max %d).",
293 SSH_MAX_FORWARDS_PER_DIRECTION);
294 fwd = &options->remote_forwards[options->num_remote_forwards++];
296 fwd->listen_host = newfwd->listen_host;
297 fwd->listen_port = newfwd->listen_port;
298 fwd->connect_host = newfwd->connect_host;
299 fwd->connect_port = newfwd->connect_port;
303 clear_forwardings(Options *options)
307 for (i = 0; i < options->num_local_forwards; i++) {
308 if (options->local_forwards[i].listen_host != NULL)
309 xfree(options->local_forwards[i].listen_host);
310 xfree(options->local_forwards[i].connect_host);
312 options->num_local_forwards = 0;
313 for (i = 0; i < options->num_remote_forwards; i++) {
314 if (options->remote_forwards[i].listen_host != NULL)
315 xfree(options->remote_forwards[i].listen_host);
316 xfree(options->remote_forwards[i].connect_host);
318 options->num_remote_forwards = 0;
319 options->tun_open = SSH_TUNMODE_NO;
323 * Returns the number of the token pointed to by cp or oBadOption.
327 parse_token(const char *cp, const char *filename, int linenum)
331 for (i = 0; keywords[i].name; i++)
332 if (strcasecmp(cp, keywords[i].name) == 0)
333 return keywords[i].opcode;
335 error("%s: line %d: Bad configuration option: %s",
336 filename, linenum, cp);
341 * Processes a single option line as used in the configuration files. This
342 * only sets those values that have not already been set.
344 #define WHITESPACE " \t\r\n"
347 process_config_line(Options *options, const char *host,
348 char *line, const char *filename, int linenum,
351 char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
352 int opcode, *intptr, value, value2, scale;
353 LogLevel *log_level_ptr;
354 long long orig, val64;
358 /* Strip trailing whitespace */
359 for (len = strlen(line) - 1; len > 0; len--) {
360 if (strchr(WHITESPACE, line[len]) == NULL)
366 /* Get the keyword. (Each line is supposed to begin with a keyword). */
367 if ((keyword = strdelim(&s)) == NULL)
369 /* Ignore leading whitespace. */
370 if (*keyword == '\0')
371 keyword = strdelim(&s);
372 if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
375 opcode = parse_token(keyword, filename, linenum);
379 /* don't panic, but count bad options */
382 case oConnectTimeout:
383 intptr = &options->connection_timeout;
386 if (!arg || *arg == '\0')
387 fatal("%s line %d: missing time value.",
389 if ((value = convtime(arg)) == -1)
390 fatal("%s line %d: invalid time value.",
392 if (*activep && *intptr == -1)
397 intptr = &options->forward_agent;
400 if (!arg || *arg == '\0')
401 fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
402 value = 0; /* To avoid compiler warning... */
403 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
405 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
408 fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
409 if (*activep && *intptr == -1)
414 intptr = &options->forward_x11;
417 case oForwardX11Trusted:
418 intptr = &options->forward_x11_trusted;
422 intptr = &options->gateway_ports;
425 case oExitOnForwardFailure:
426 intptr = &options->exit_on_forward_failure;
429 case oUsePrivilegedPort:
430 intptr = &options->use_privileged_port;
433 case oPasswordAuthentication:
434 intptr = &options->password_authentication;
437 case oZeroKnowledgePasswordAuthentication:
438 intptr = &options->zero_knowledge_password_authentication;
441 case oKbdInteractiveAuthentication:
442 intptr = &options->kbd_interactive_authentication;
445 case oKbdInteractiveDevices:
446 charptr = &options->kbd_interactive_devices;
449 case oPubkeyAuthentication:
450 intptr = &options->pubkey_authentication;
453 case oRSAAuthentication:
454 intptr = &options->rsa_authentication;
457 case oRhostsRSAAuthentication:
458 intptr = &options->rhosts_rsa_authentication;
461 case oHostbasedAuthentication:
462 intptr = &options->hostbased_authentication;
465 case oChallengeResponseAuthentication:
466 intptr = &options->challenge_response_authentication;
469 case oGssAuthentication:
470 intptr = &options->gss_authentication;
473 case oGssDelegateCreds:
474 intptr = &options->gss_deleg_creds;
478 intptr = &options->batch_mode;
482 intptr = &options->check_host_ip;
485 case oVerifyHostKeyDNS:
486 intptr = &options->verify_host_key_dns;
489 case oStrictHostKeyChecking:
490 intptr = &options->strict_host_key_checking;
493 if (!arg || *arg == '\0')
494 fatal("%.200s line %d: Missing yes/no/ask argument.",
496 value = 0; /* To avoid compiler warning... */
497 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
499 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
501 else if (strcmp(arg, "ask") == 0)
504 fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
505 if (*activep && *intptr == -1)
510 intptr = &options->compression;
514 intptr = &options->tcp_keep_alive;
517 case oNoHostAuthenticationForLocalhost:
518 intptr = &options->no_host_authentication_for_localhost;
521 case oNumberOfPasswordPrompts:
522 intptr = &options->number_of_password_prompts;
525 case oCompressionLevel:
526 intptr = &options->compression_level;
531 if (!arg || *arg == '\0')
532 fatal("%.200s line %d: Missing argument.", filename, linenum);
533 if (arg[0] < '0' || arg[0] > '9')
534 fatal("%.200s line %d: Bad number.", filename, linenum);
535 orig = val64 = strtoll(arg, &endofnumber, 10);
536 if (arg == endofnumber)
537 fatal("%.200s line %d: Bad number.", filename, linenum);
538 switch (toupper(*endofnumber)) {
552 fatal("%.200s line %d: Invalid RekeyLimit suffix",
556 /* detect integer wrap and too-large limits */
557 if ((val64 / scale) != orig || val64 > UINT_MAX)
558 fatal("%.200s line %d: RekeyLimit too large",
561 fatal("%.200s line %d: RekeyLimit too small",
563 if (*activep && options->rekey_limit == -1)
564 options->rekey_limit = (u_int32_t)val64;
569 if (!arg || *arg == '\0')
570 fatal("%.200s line %d: Missing argument.", filename, linenum);
572 intptr = &options->num_identity_files;
573 if (*intptr >= SSH_MAX_IDENTITY_FILES)
574 fatal("%.200s line %d: Too many identity files specified (max %d).",
575 filename, linenum, SSH_MAX_IDENTITY_FILES);
576 charptr = &options->identity_files[*intptr];
577 *charptr = xstrdup(arg);
578 *intptr = *intptr + 1;
583 charptr=&options->xauth_location;
587 charptr = &options->user;
590 if (!arg || *arg == '\0')
591 fatal("%.200s line %d: Missing argument.", filename, linenum);
592 if (*activep && *charptr == NULL)
593 *charptr = xstrdup(arg);
596 case oGlobalKnownHostsFile:
597 charptr = &options->system_hostfile;
600 case oUserKnownHostsFile:
601 charptr = &options->user_hostfile;
604 case oGlobalKnownHostsFile2:
605 charptr = &options->system_hostfile2;
608 case oUserKnownHostsFile2:
609 charptr = &options->user_hostfile2;
613 charptr = &options->hostname;
617 charptr = &options->host_key_alias;
620 case oPreferredAuthentications:
621 charptr = &options->preferred_authentications;
625 charptr = &options->bind_address;
628 case oSmartcardDevice:
629 charptr = &options->smartcard_device;
633 charptr = &options->proxy_command;
636 fatal("%.200s line %d: Missing argument.", filename, linenum);
637 len = strspn(s, WHITESPACE "=");
638 if (*activep && *charptr == NULL)
639 *charptr = xstrdup(s + len);
643 intptr = &options->port;
646 if (!arg || *arg == '\0')
647 fatal("%.200s line %d: Missing argument.", filename, linenum);
648 if (arg[0] < '0' || arg[0] > '9')
649 fatal("%.200s line %d: Bad number.", filename, linenum);
651 /* Octal, decimal, or hex format? */
652 value = strtol(arg, &endofnumber, 0);
653 if (arg == endofnumber)
654 fatal("%.200s line %d: Bad number.", filename, linenum);
655 if (*activep && *intptr == -1)
659 case oConnectionAttempts:
660 intptr = &options->connection_attempts;
664 intptr = &options->cipher;
666 if (!arg || *arg == '\0')
667 fatal("%.200s line %d: Missing argument.", filename, linenum);
668 value = cipher_number(arg);
670 fatal("%.200s line %d: Bad cipher '%s'.",
671 filename, linenum, arg ? arg : "<NONE>");
672 if (*activep && *intptr == -1)
678 if (!arg || *arg == '\0')
679 fatal("%.200s line %d: Missing argument.", filename, linenum);
680 if (!ciphers_valid(arg))
681 fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
682 filename, linenum, arg ? arg : "<NONE>");
683 if (*activep && options->ciphers == NULL)
684 options->ciphers = xstrdup(arg);
689 if (!arg || *arg == '\0')
690 fatal("%.200s line %d: Missing argument.", filename, linenum);
692 fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
693 filename, linenum, arg ? arg : "<NONE>");
694 if (*activep && options->macs == NULL)
695 options->macs = xstrdup(arg);
698 case oHostKeyAlgorithms:
700 if (!arg || *arg == '\0')
701 fatal("%.200s line %d: Missing argument.", filename, linenum);
702 if (!key_names_valid2(arg))
703 fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
704 filename, linenum, arg ? arg : "<NONE>");
705 if (*activep && options->hostkeyalgorithms == NULL)
706 options->hostkeyalgorithms = xstrdup(arg);
710 intptr = &options->protocol;
712 if (!arg || *arg == '\0')
713 fatal("%.200s line %d: Missing argument.", filename, linenum);
714 value = proto_spec(arg);
715 if (value == SSH_PROTO_UNKNOWN)
716 fatal("%.200s line %d: Bad protocol spec '%s'.",
717 filename, linenum, arg ? arg : "<NONE>");
718 if (*activep && *intptr == SSH_PROTO_UNKNOWN)
723 log_level_ptr = &options->log_level;
725 value = log_level_number(arg);
726 if (value == SYSLOG_LEVEL_NOT_SET)
727 fatal("%.200s line %d: unsupported log level '%s'",
728 filename, linenum, arg ? arg : "<NONE>");
729 if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
730 *log_level_ptr = (LogLevel) value;
735 case oDynamicForward:
737 if (arg == NULL || *arg == '\0')
738 fatal("%.200s line %d: Missing port argument.",
741 if (opcode == oLocalForward ||
742 opcode == oRemoteForward) {
744 if (arg2 == NULL || *arg2 == '\0')
745 fatal("%.200s line %d: Missing target argument.",
748 /* construct a string for parse_forward */
749 snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
750 } else if (opcode == oDynamicForward) {
751 strlcpy(fwdarg, arg, sizeof(fwdarg));
754 if (parse_forward(&fwd, fwdarg,
755 opcode == oDynamicForward ? 1 : 0,
756 opcode == oRemoteForward ? 1 : 0) == 0)
757 fatal("%.200s line %d: Bad forwarding specification.",
761 if (opcode == oLocalForward ||
762 opcode == oDynamicForward)
763 add_local_forward(options, &fwd);
764 else if (opcode == oRemoteForward)
765 add_remote_forward(options, &fwd);
769 case oClearAllForwardings:
770 intptr = &options->clear_forwardings;
775 while ((arg = strdelim(&s)) != NULL && *arg != '\0')
776 if (match_pattern(host, arg)) {
777 debug("Applying options for %.100s", arg);
781 /* Avoid garbage check below, as strdelim is done. */
785 intptr = &options->escape_char;
787 if (!arg || *arg == '\0')
788 fatal("%.200s line %d: Missing argument.", filename, linenum);
789 if (arg[0] == '^' && arg[2] == 0 &&
790 (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
791 value = (u_char) arg[1] & 31;
792 else if (strlen(arg) == 1)
793 value = (u_char) arg[0];
794 else if (strcmp(arg, "none") == 0)
795 value = SSH_ESCAPECHAR_NONE;
797 fatal("%.200s line %d: Bad escape character.",
800 value = 0; /* Avoid compiler warning. */
802 if (*activep && *intptr == -1)
808 if (!arg || *arg == '\0')
809 fatal("%s line %d: missing address family.",
811 intptr = &options->address_family;
812 if (strcasecmp(arg, "inet") == 0)
814 else if (strcasecmp(arg, "inet6") == 0)
816 else if (strcasecmp(arg, "any") == 0)
819 fatal("Unsupported AddressFamily \"%s\"", arg);
820 if (*activep && *intptr == -1)
824 case oEnableSSHKeysign:
825 intptr = &options->enable_ssh_keysign;
828 case oIdentitiesOnly:
829 intptr = &options->identities_only;
832 case oServerAliveInterval:
833 intptr = &options->server_alive_interval;
836 case oServerAliveCountMax:
837 intptr = &options->server_alive_count_max;
841 while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
842 if (strchr(arg, '=') != NULL)
843 fatal("%s line %d: Invalid environment name.",
847 if (options->num_send_env >= MAX_SEND_ENV)
848 fatal("%s line %d: too many send env.",
850 options->send_env[options->num_send_env++] =
856 charptr = &options->control_path;
860 intptr = &options->control_master;
862 if (!arg || *arg == '\0')
863 fatal("%.200s line %d: Missing ControlMaster argument.",
865 value = 0; /* To avoid compiler warning... */
866 if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
867 value = SSHCTL_MASTER_YES;
868 else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
869 value = SSHCTL_MASTER_NO;
870 else if (strcmp(arg, "auto") == 0)
871 value = SSHCTL_MASTER_AUTO;
872 else if (strcmp(arg, "ask") == 0)
873 value = SSHCTL_MASTER_ASK;
874 else if (strcmp(arg, "autoask") == 0)
875 value = SSHCTL_MASTER_AUTO_ASK;
877 fatal("%.200s line %d: Bad ControlMaster argument.",
879 if (*activep && *intptr == -1)
883 case oHashKnownHosts:
884 intptr = &options->hash_known_hosts;
888 intptr = &options->tun_open;
890 if (!arg || *arg == '\0')
891 fatal("%s line %d: Missing yes/point-to-point/"
892 "ethernet/no argument.", filename, linenum);
893 value = 0; /* silence compiler */
894 if (strcasecmp(arg, "ethernet") == 0)
895 value = SSH_TUNMODE_ETHERNET;
896 else if (strcasecmp(arg, "point-to-point") == 0)
897 value = SSH_TUNMODE_POINTOPOINT;
898 else if (strcasecmp(arg, "yes") == 0)
899 value = SSH_TUNMODE_DEFAULT;
900 else if (strcasecmp(arg, "no") == 0)
901 value = SSH_TUNMODE_NO;
903 fatal("%s line %d: Bad yes/point-to-point/ethernet/"
904 "no argument: %s", filename, linenum, arg);
911 if (!arg || *arg == '\0')
912 fatal("%.200s line %d: Missing argument.", filename, linenum);
913 value = a2tun(arg, &value2);
914 if (value == SSH_TUNID_ERR)
915 fatal("%.200s line %d: Bad tun device.", filename, linenum);
917 options->tun_local = value;
918 options->tun_remote = value2;
923 charptr = &options->local_command;
926 case oPermitLocalCommand:
927 intptr = &options->permit_local_command;
931 intptr = &options->visual_host_key;
934 case oVersionAddendum:
935 ssh_version_set_addendum(strtok(s, "\n"));
938 } while (arg != NULL && *arg != '\0');
942 debug("%s line %d: Deprecated option \"%s\"",
943 filename, linenum, keyword);
947 error("%s line %d: Unsupported option \"%s\"",
948 filename, linenum, keyword);
952 fatal("process_config_line: Unimplemented opcode %d", opcode);
955 /* Check that there is no garbage at end of line. */
956 if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
957 fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
958 filename, linenum, arg);
965 * Reads the config file and modifies the options accordingly. Options
966 * should already be initialized before this call. This never returns if
967 * there is an error. If the file does not exist, this returns 0.
971 read_config_file(const char *filename, const char *host, Options *options,
979 if ((f = fopen(filename, "r")) == NULL)
985 if (fstat(fileno(f), &sb) == -1)
986 fatal("fstat %s: %s", filename, strerror(errno));
987 if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
988 (sb.st_mode & 022) != 0))
989 fatal("Bad owner or permissions on %s", filename);
992 debug("Reading configuration data %.200s", filename);
995 * Mark that we are now processing the options. This flag is turned
996 * on/off by Host specifications.
1000 while (fgets(line, sizeof(line), f)) {
1001 /* Update line number counter. */
1003 if (process_config_line(options, host, line, filename, linenum, &active) != 0)
1007 if (bad_options > 0)
1008 fatal("%s: terminating, %d bad configuration options",
1009 filename, bad_options);
1014 * Initializes options to special values that indicate that they have not yet
1015 * been set. Read_config_file will only set options with this value. Options
1016 * are processed in the following order: command line, user config file,
1017 * system config file. Last, fill_default_options is called.
1021 initialize_options(Options * options)
1023 memset(options, 'X', sizeof(*options));
1024 options->forward_agent = -1;
1025 options->forward_x11 = -1;
1026 options->forward_x11_trusted = -1;
1027 options->exit_on_forward_failure = -1;
1028 options->xauth_location = NULL;
1029 options->gateway_ports = -1;
1030 options->use_privileged_port = -1;
1031 options->rsa_authentication = -1;
1032 options->pubkey_authentication = -1;
1033 options->challenge_response_authentication = -1;
1034 options->gss_authentication = -1;
1035 options->gss_deleg_creds = -1;
1036 options->password_authentication = -1;
1037 options->kbd_interactive_authentication = -1;
1038 options->kbd_interactive_devices = NULL;
1039 options->rhosts_rsa_authentication = -1;
1040 options->hostbased_authentication = -1;
1041 options->batch_mode = -1;
1042 options->check_host_ip = -1;
1043 options->strict_host_key_checking = -1;
1044 options->compression = -1;
1045 options->tcp_keep_alive = -1;
1046 options->compression_level = -1;
1048 options->address_family = -1;
1049 options->connection_attempts = -1;
1050 options->connection_timeout = -1;
1051 options->number_of_password_prompts = -1;
1052 options->cipher = -1;
1053 options->ciphers = NULL;
1054 options->macs = NULL;
1055 options->hostkeyalgorithms = NULL;
1056 options->protocol = SSH_PROTO_UNKNOWN;
1057 options->num_identity_files = 0;
1058 options->hostname = NULL;
1059 options->host_key_alias = NULL;
1060 options->proxy_command = NULL;
1061 options->user = NULL;
1062 options->escape_char = -1;
1063 options->system_hostfile = NULL;
1064 options->user_hostfile = NULL;
1065 options->system_hostfile2 = NULL;
1066 options->user_hostfile2 = NULL;
1067 options->num_local_forwards = 0;
1068 options->num_remote_forwards = 0;
1069 options->clear_forwardings = -1;
1070 options->log_level = SYSLOG_LEVEL_NOT_SET;
1071 options->preferred_authentications = NULL;
1072 options->bind_address = NULL;
1073 options->smartcard_device = NULL;
1074 options->enable_ssh_keysign = - 1;
1075 options->no_host_authentication_for_localhost = - 1;
1076 options->identities_only = - 1;
1077 options->rekey_limit = - 1;
1078 options->verify_host_key_dns = -1;
1079 options->server_alive_interval = -1;
1080 options->server_alive_count_max = -1;
1081 options->num_send_env = 0;
1082 options->control_path = NULL;
1083 options->control_master = -1;
1084 options->hash_known_hosts = -1;
1085 options->tun_open = -1;
1086 options->tun_local = -1;
1087 options->tun_remote = -1;
1088 options->local_command = NULL;
1089 options->permit_local_command = -1;
1090 options->visual_host_key = -1;
1091 options->zero_knowledge_password_authentication = -1;
1095 * Called after processing other sources of option data, this fills those
1096 * options for which no value has been specified with their default values.
1100 fill_default_options(Options * options)
1104 if (options->forward_agent == -1)
1105 options->forward_agent = 0;
1106 if (options->forward_x11 == -1)
1107 options->forward_x11 = 0;
1108 if (options->forward_x11_trusted == -1)
1109 options->forward_x11_trusted = 0;
1110 if (options->exit_on_forward_failure == -1)
1111 options->exit_on_forward_failure = 0;
1112 if (options->xauth_location == NULL)
1113 options->xauth_location = _PATH_XAUTH;
1114 if (options->gateway_ports == -1)
1115 options->gateway_ports = 0;
1116 if (options->use_privileged_port == -1)
1117 options->use_privileged_port = 0;
1118 if (options->rsa_authentication == -1)
1119 options->rsa_authentication = 1;
1120 if (options->pubkey_authentication == -1)
1121 options->pubkey_authentication = 1;
1122 if (options->challenge_response_authentication == -1)
1123 options->challenge_response_authentication = 1;
1124 if (options->gss_authentication == -1)
1125 options->gss_authentication = 0;
1126 if (options->gss_deleg_creds == -1)
1127 options->gss_deleg_creds = 0;
1128 if (options->password_authentication == -1)
1129 options->password_authentication = 1;
1130 if (options->kbd_interactive_authentication == -1)
1131 options->kbd_interactive_authentication = 1;
1132 if (options->rhosts_rsa_authentication == -1)
1133 options->rhosts_rsa_authentication = 0;
1134 if (options->hostbased_authentication == -1)
1135 options->hostbased_authentication = 0;
1136 if (options->batch_mode == -1)
1137 options->batch_mode = 0;
1138 if (options->check_host_ip == -1)
1139 options->check_host_ip = 0;
1140 if (options->strict_host_key_checking == -1)
1141 options->strict_host_key_checking = 2; /* 2 is default */
1142 if (options->compression == -1)
1143 options->compression = 0;
1144 if (options->tcp_keep_alive == -1)
1145 options->tcp_keep_alive = 1;
1146 if (options->compression_level == -1)
1147 options->compression_level = 6;
1148 if (options->port == -1)
1149 options->port = 0; /* Filled in ssh_connect. */
1150 if (options->address_family == -1)
1151 options->address_family = AF_UNSPEC;
1152 if (options->connection_attempts == -1)
1153 options->connection_attempts = 1;
1154 if (options->number_of_password_prompts == -1)
1155 options->number_of_password_prompts = 3;
1156 /* Selected in ssh_login(). */
1157 if (options->cipher == -1)
1158 options->cipher = SSH_CIPHER_NOT_SET;
1159 /* options->ciphers, default set in myproposals.h */
1160 /* options->macs, default set in myproposals.h */
1161 /* options->hostkeyalgorithms, default set in myproposals.h */
1162 if (options->protocol == SSH_PROTO_UNKNOWN)
1163 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
1164 if (options->num_identity_files == 0) {
1165 if (options->protocol & SSH_PROTO_1) {
1166 len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
1167 options->identity_files[options->num_identity_files] =
1169 snprintf(options->identity_files[options->num_identity_files++],
1170 len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
1172 if (options->protocol & SSH_PROTO_2) {
1173 len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
1174 options->identity_files[options->num_identity_files] =
1176 snprintf(options->identity_files[options->num_identity_files++],
1177 len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
1179 len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
1180 options->identity_files[options->num_identity_files] =
1182 snprintf(options->identity_files[options->num_identity_files++],
1183 len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
1186 if (options->escape_char == -1)
1187 options->escape_char = '~';
1188 if (options->system_hostfile == NULL)
1189 options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
1190 if (options->user_hostfile == NULL)
1191 options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
1192 if (options->system_hostfile2 == NULL)
1193 options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
1194 if (options->user_hostfile2 == NULL)
1195 options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
1196 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
1197 options->log_level = SYSLOG_LEVEL_INFO;
1198 if (options->clear_forwardings == 1)
1199 clear_forwardings(options);
1200 if (options->no_host_authentication_for_localhost == - 1)
1201 options->no_host_authentication_for_localhost = 0;
1202 if (options->identities_only == -1)
1203 options->identities_only = 0;
1204 if (options->enable_ssh_keysign == -1)
1205 options->enable_ssh_keysign = 0;
1206 if (options->rekey_limit == -1)
1207 options->rekey_limit = 0;
1208 if (options->verify_host_key_dns == -1)
1209 options->verify_host_key_dns = 0;
1210 if (options->server_alive_interval == -1)
1211 options->server_alive_interval = 0;
1212 if (options->server_alive_count_max == -1)
1213 options->server_alive_count_max = 3;
1214 if (options->control_master == -1)
1215 options->control_master = 0;
1216 if (options->hash_known_hosts == -1)
1217 options->hash_known_hosts = 0;
1218 if (options->tun_open == -1)
1219 options->tun_open = SSH_TUNMODE_NO;
1220 if (options->tun_local == -1)
1221 options->tun_local = SSH_TUNID_ANY;
1222 if (options->tun_remote == -1)
1223 options->tun_remote = SSH_TUNID_ANY;
1224 if (options->permit_local_command == -1)
1225 options->permit_local_command = 0;
1226 if (options->visual_host_key == -1)
1227 options->visual_host_key = 0;
1228 if (options->zero_knowledge_password_authentication == -1)
1229 options->zero_knowledge_password_authentication = 0;
1230 /* options->local_command should not be set by default */
1231 /* options->proxy_command should not be set by default */
1232 /* options->user will be set in the main program if appropriate */
1233 /* options->hostname will be set in the main program if appropriate */
1234 /* options->host_key_alias should not be set by default */
1235 /* options->preferred_authentications will be set in ssh */
1240 * parses a string containing a port forwarding specification of the form:
1242 * [listenhost:]listenport:connecthost:connectport
1244 * [listenhost:]listenport
1245 * returns number of arguments parsed or zero on error
1248 parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
1251 char *p, *cp, *fwdarg[4];
1253 memset(fwd, '\0', sizeof(*fwd));
1255 cp = p = xstrdup(fwdspec);
1257 /* skip leading spaces */
1258 while (isspace(*cp))
1261 for (i = 0; i < 4; ++i)
1262 if ((fwdarg[i] = hpdelim(&cp)) == NULL)
1265 /* Check for trailing garbage */
1267 i = 0; /* failure */
1271 fwd->listen_host = NULL;
1272 fwd->listen_port = a2port(fwdarg[0]);
1273 fwd->connect_host = xstrdup("socks");
1277 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1278 fwd->listen_port = a2port(fwdarg[1]);
1279 fwd->connect_host = xstrdup("socks");
1283 fwd->listen_host = NULL;
1284 fwd->listen_port = a2port(fwdarg[0]);
1285 fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
1286 fwd->connect_port = a2port(fwdarg[2]);
1290 fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
1291 fwd->listen_port = a2port(fwdarg[1]);
1292 fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
1293 fwd->connect_port = a2port(fwdarg[3]);
1296 i = 0; /* failure */
1302 if (!(i == 1 || i == 2))
1305 if (!(i == 3 || i == 4))
1307 if (fwd->connect_port <= 0)
1311 if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
1314 if (fwd->connect_host != NULL &&
1315 strlen(fwd->connect_host) >= NI_MAXHOST)
1317 if (fwd->listen_host != NULL &&
1318 strlen(fwd->listen_host) >= NI_MAXHOST)
1325 if (fwd->connect_host != NULL) {
1326 xfree(fwd->connect_host);
1327 fwd->connect_host = NULL;
1329 if (fwd->listen_host != NULL) {
1330 xfree(fwd->listen_host);
1331 fwd->listen_host = NULL;